AZ-305 Azure Solutions Architect Expert learning pathways (part 1)
AZ-305 Azure Solutions Architect Expert is a Role-Based Expert certification from Microsoft that has the AZ-104 Microsoft Certified: Azure Administrator certification as a prerequisite. It covers 4 major topics:
- Design identity, governance, and monitoring solutions (25–30%)
- Design business continuity solutions (15–20%)
- Design data storage solutions (20–25%)
- Design infrastructure solutions (30–35%)
Based on Microsoft's description of the Solution Architect Expert, as a Microsoft Azure solutions architect, you advise stakeholders and translate business requirements into designs for Azure solutions that align with the Azure Well-Architected Framework and Cloud Adoption Framework for Azure.
You can use the Cloud Adoption Framework for Azure (CAF) to identify where you are in your digital transformation journey and determine why you want to move to the cloud. It is an 8-step methodology (strategy, plan, ready, migrate, innovate, govern, manage, secure) that allows you to create a cloud adoption plan and align your strategy for business, people and technology. Reading through it made me realize the shift in mindset that's needed when transitioning from a Software Developer or Azure Admin to a Solution Architect role.
In its 1700+ pages, CAF puts emphasis on building a cloud adoption strategy that aligns with business goals, is accompanied by an actionable mission statement and is visible to the major business stakeholders. It advises you to take inventory of your digital estate (and think about the 5 Rs of rationalization - out of which I have applied Rebuild on the photo gallery app), to establish a structure where people are accountable for cloud adoption and governance, and to adapt existing skills, roles, and processes to support the new environment.
I find particularly interesting the idea of implementing landing zones (and using subscriptions as units of management) and the usage of accelerators and assessment tools (like the Strategic Migration Assessment and Readiness tool) to help you apply your cloud adoption strategy. It advises you to consult the Microsoft cloud security benchmark documentation to find out about the available security features and the recommended optimal configuration for Azure services. It guides you to think about Zero Trust guidance and the CIA Triad model in your overall security posture.
The Azure Well-Architected Framework (WAF) helps you design, build and continuously improve a secure, reliable, and efficient app. It provides architectural guidance across 5 pillars: Reliability, Security, Cost Optimization, Operational Excellence, and Performance Efficiency.
Each pillar comes with its own set of design principles, checklist, tradeoffs and design patterns. What is fascinating about these pillars is their interplay: every decision that optimizes one pillar is a tradeoff against the others. For example, optimizing costs comes with tradeoffs in security, scalability, resilience and operability. If you deploy the minimum number of right-sized resources, keep tooling and resource diversity to a minimum and focus on a minimum number of delivery activities (all part of the cost optimization pillar), you will have to take into account the reduced resiliency (Reliability), reduced security controls (Security), reduced observability (Operational Excellence) and lack of optimization over time (Performance Efficiency). The pillars of WAF are represented in a comprehensive catalog of patterns, one of which I have applied myself to optimize spending.
The Design identity, governance, and monitoring solutions learning path starts by highlighting how governance is most beneficial when scaling the engineering teams working in Azure and the number of subscriptions to manage, and when regulatory requirements must be enforced and standards followed for all cloud resources. Essentially, you define an Azure hierarchy and then apply governance strategies (like policies and tags) to it. It talks about design principles for management groups, subscriptions, resource groups and resources.
Governance also covers Azure Policy, RBAC and Azure landing zones. Design for identity and access management (IAM) covers Microsoft Entra ID as a solution that combines core directory services, application access management and identity protection, Microsoft Entra B2B to support business-to-business operations and Azure AD B2C to support business-to-consumer operations.
As part of Entra ID, you can use Conditional Access as a zero-trust policy enforcement engine and Entra ID Protection to detect, investigate and remediate identity-based risks. If you want to make sure that the correct users have the correct access to the correct resources, you can use Access Reviews, which are similar to approval workflows for group membership, access to enterprise apps and role assignments.
Defining the access policy and the permissions for a user or app is done through a service principal, and you can eliminate the need to manage credentials through managed identities. If you need to store and handle secrets, encryption keys and certificates, you can use Azure Key Vault.
As a monitoring and logging solution you can use Azure Monitor and its rich set of features: Log Analytics workspaces to manage log data, Azure Workbooks for data analysis and the creation of rich visual reports, and Azure Insights, a set of services for identifying performance issues, such as App Insights, the APM offering for live web applications.
For big data analytics you can use Azure Data Explorer, an end-to-end solution for data ingestion, query, visualization and management.
The Design business continuity solutions learning path covers HADR (high-availability and disaster recovery) and backup solutions in Azure.
In order to design HADR strategies, you must first know the costs of downtime and measure them against your HADR solution. Define your Recovery Time Objective (RTO), the maximum amount of time available to bring resources online after an outage or problem, at component level and for your entire architecture. Think of RTO and Recovery Point Objective (RPO), the maximum amount of data loss that the business is willing to accept, for both HA and DR scenarios. You have more flexibility with IaaS offerings and less complexity with PaaS offerings.
IaaS offerings include Always On Availability Groups, Always On Failover Cluster Instances, Log Shipping and Azure Site Recovery for SQL Server on Azure VMs, and Availability Sets, Availability Zones and Azure Site Recovery for Azure VMs.
PaaS offerings for Azure SQL Database (ASDb) and Azure SQL Managed Instance include active geo-replication (ASDb only) and auto-failover groups. Azure Database for MySQL offers an SLA of 99.99% with built-in failover at node level. Azure Database for PostgreSQL is similar to MySQL with the addition of Citus, a scale-out hyperscale solution. For both of these offerings, consider implementing retry logic in your cloud applications to handle transient failures.
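The retry logic recommended above, as an added example that is not code from the learning path: transient Azure SQL error numbers are retried with exponential backoff and jitter, while everything else (a failed login, a constraint violation) is raised immediately. The `SqlError` class and `make_flaky_query` are constructed stand-ins for a real driver and a real query; the set of transient error numbers is a subset of Microsoft's documented list and should be kept in sync with it.

```python
import random
import time

# Subset of the error numbers Microsoft documents as transient for Azure SQL Database
# and SQL Managed Instance (for example 40613 = database unavailable, 40501 = service
# busy, 49918-49920 = resource limits). Keep in sync with the current Microsoft list.
TRANSIENT_SQL_ERRORS = {4060, 40197, 40501, 40613, 49918, 49919, 49920, 10928, 10929}

class SqlError(Exception):
    """Constructed stand-in for a driver exception; real drivers expose the error number too."""
    def __init__(self, number, message=""):
        super().__init__(f"SQL error {number}: {message}")
        self.number = number

def is_transient(exc):
    return isinstance(exc, SqlError) and exc.number in TRANSIENT_SQL_ERRORS

def call_with_retry(operation, max_attempts=5, base_delay=0.5, max_delay=30.0, sleep=time.sleep):
    """Run operation(); on a transient error wait with exponential backoff plus jitter, then retry.

    Non-transient errors are raised at once, so the loop neither masks real bugs nor keeps
    hammering a database that is rejecting the request anyway.
    Returns (result, attempts_used).
    """
    for attempt in range(1, max_attempts + 1):
        try:
            return operation(), attempt
        except Exception as exc:
            if not is_transient(exc) or attempt == max_attempts:
                raise
            # "Full jitter": uniform delay in [0, min(max_delay, base_delay * 2^(attempt-1))]
            sleep(random.uniform(0, min(max_delay, base_delay * 2 ** (attempt - 1))))

def make_flaky_query(error_number, failures_before_success):
    """Constructed stand-in for a query: raises error_number N times, then returns rows."""
    calls = {"n": 0}
    def query():
        calls["n"] += 1
        if calls["n"] <= failures_before_success:
            raise SqlError(error_number, "constructed failure")
        return [("order_id", 42)]
    return query

if __name__ == "__main__":
    rows, attempts = call_with_retry(make_flaky_query(40613, 2), sleep=lambda s: None)
    print(rows, "after", attempts, "attempts")
```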
Hybrid solutions for HADR are IaaS-based and one of the most important aspects of such a solution is networking (ExpressRoute, S2S VPN).
You can use the Azure Backup service as a backup and recovery solution to help you meet your recovery requirements. In order to define these requirements you must first know what your workloads are and their usage patterns (in both critical and non-critical periods). Define your SLAs based on the resilience metrics Mean Time to Recovery (MTTR), the average downtime after a failure, and Mean Time Between Failures (MTBF), how long a component can reasonably be expected to run between outages, and conduct a risk assessment to help you determine the values of the RTO and RPO recovery metrics. You can combine Azure Backup with Azure Site Recovery for a BCDR solution. You can reduce RTO by integrating Azure Site Recovery with Azure Traffic Manager.
The Design data storage solutions learning path covers data solutions for non-relational storage, relational storage, and data integration. You need to determine the type of data storage that you implement based on the structure of your data and how the data is going to be accessed.
Non-relational storage covers unstructured data (a mix of information without a clear relationship, like photos, video, text files, Word docs, etc.) and Azure Storage is Microsoft's cloud storage solution that hosts the data services covered by the learning path. You need to create an Azure storage account, which contains all of the Azure Storage data objects: blobs, files, queues, tables. Persistent managed and unmanaged disks are stored as virtual hard disks (VHDs) in Azure storage accounts as well.
When you need to analyze and partition your unstructured data, you should consider the following:
Consider | Recommendations |
---|---|
Location | Locate data storage close to where it's most frequently used. |
Compliance | You might require different storage accounts to meet the different requirements. |
Costs | By creating multiple storage accounts, you can better control the overall costs. Account settings influence cost. |
Redundancy | Partition your data into critical and noncritical categories. Replicate locally and regionally accordingly. |
Data Sensitivity | You can enable virtual networks for proprietary data and not for public data. |
Data Isolation | Segregate regulatory and compliance data, or local policies by using multiple storage accounts. |
Security | Grant limited access to Azure Storage resources. Use SAS with limited validity. Use firewall policies and rules, service endpoints or private links. Always require secure transfer. Store customer-managed keys in Azure Key Vault. |
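The Security row above asks for SAS tokens with limited validity, HTTPS-only transfer and network restrictions. As an added example (not from the learning path), here is a small audit that checks a SAS URL against those recommendations before it is handed out; the one-hour window, the `sip` check and the `skoid` check (present on a user delegation SAS) are this example's own assumptions, and the sample URLs and signatures are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Thresholds below are this example's own assumptions, not values from the learning path.
MAX_VALIDITY = timedelta(hours=1)          # longest window we accept for a SAS
WRITE_PERMS = set("acdlwu")                # add, create, delete, list, write, update

def _parse_time(value):
    # SAS timestamps are ISO 8601 in UTC, e.g. 2025-01-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_sas(url, now_utc):
    """Return the list of findings for a SAS URL, evaluated at time now_utc (ISO 8601 UTC)."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q or "se" not in q:
        return ["not a SAS URL: missing sig or se parameter"]
    now = _parse_time(now_utc)
    expiry = _parse_time(q["se"])
    start = _parse_time(q["st"]) if "st" in q else now   # no st: valid from issuance
    findings = []
    if expiry <= now:
        findings.append("expired")
    elif expiry - start > MAX_VALIDITY:
        findings.append(f"validity window {expiry - start} exceeds {MAX_VALIDITY}")
    if q.get("spr") != "https":            # absent spr means plain HTTP is accepted too
        findings.append("does not require HTTPS (spr != https)")
    granted = set(q.get("sp", "")) & WRITE_PERMS
    if granted:
        findings.append("grants write/delete permissions: " + "".join(sorted(granted)))
    if "sip" not in q:
        findings.append("no IP range restriction (sip)")
    if "skoid" not in q:                   # user delegation SAS carries the signing key OID
        findings.append("signed with the account key, not a user delegation key")
    return findings

# Constructed sample URLs; the signatures and OID are placeholders, not real values.
WEAK_SAS = ("https://example.blob.core.windows.net/backups/db.bak"
            "?sv=2022-11-02&st=2025-01-01T00:00:00Z&se=2025-01-08T00:00:00Z"
            "&sp=rwdl&spr=https,http&sig=PLACEHOLDER")
HARDENED_SAS = ("https://example.blob.core.windows.net/backups/db.bak"
                "?sv=2022-11-02&st=2025-01-01T11:55:00Z&se=2025-01-01T12:30:00Z"
                "&sp=r&spr=https&sip=203.0.113.10&skoid=PLACEHOLDER-OID&sig=PLACEHOLDER")

if __name__ == "__main__":
    for name, url in (("weak", WEAK_SAS), ("hardened", HARDENED_SAS)):
        print(name, audit_sas(url, "2025-01-01T12:00:00Z") or ["ok"])
```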
The following table describes the services covered by the data storage solution for non-relational data:
Service | Description | Recommendations |
---|---|---|
Azure Blob Storage | Object storage solution optimized for storing massive amounts of unstructured data such as text, binary data, documents, media files, and application backups. Use for serving images or documents directly to browsers, storing files for distributed access, streaming video and audio, logging, backup, and big data analytics. | Consider the blob access tier that satisfies storage availability, latency and cost requirements. Consider immutable storage for business-critical data. |
Azure Files | Fully managed file shares in the cloud accessible via SMB, NFS protocols, and Azure Files REST API. Ideal for replacing on-premises file servers, supporting "lift and shift" of applications to the cloud, and simplifying cloud development with shared application settings. | Choose a performance tier based on usage patterns (latency sensitivity, IOPS and throughput requirements, workload duration and frequency, workload parallelization, API operation distribution). |
Azure Managed Disks | Block-level storage volumes managed by Azure for use with Azure Virtual Machines, offering high durability and availability. Recommended for simplified and scalable VM deployment, integration with availability sets, and when high durability (99.999% availability) is required. | Encryption options are available (ADE, SSE, Encryption at host). Consider throughput, IOPS and data caching. |
Relational data storage covers structured data (stored in a relational format that has a shared schema, often in a database table). Data storage solutions for relational data fall under the umbrella of the Azure SQL family of services, and the three products are summarized below:
Service | Description | Recommendations |
---|---|---|
Azure SQL Database | Fully managed PaaS database engine based on the latest stable version of SQL Server, offering high availability, automated backups, and performance optimization. Use for modern cloud applications, processing both relational and non-relational data, and when you need the latest SQL Server features without overhead for patching or upgrading. | Microsoft recommends vCore pricing for greater control over your compute costs, but DTU pricing is an easy, preconfigured purchase option. Consider SQL Database elastic pools for managing and scaling multiple databases with varying and unpredictable usage demands. |
Azure SQL Managed Instance | Intelligent, scalable cloud database service combining broad SQL Server compatibility with PaaS benefits, designed for high availability and business continuity. Recommended for business-critical applications, when you need to ensure data is never lost due to failures, and when you want to enable transparent geo-failover of multiple databases. | Use instance-scoped features of Azure SQL Managed Instance like Service Broker, CLR, SQL Server Agent, and Linked servers. Migrate your relational and structured data to Azure without rearchitecting your applications. Add scalability for your instance by enabling vCores mode. |
SQL Server on Azure VMs | Full SQL Server instance running on Azure Virtual Machines, offering maximum control over the database engine and VM. Best for legacy applications, custom application development, large-scale enterprise solutions, and when you need full control over security, compliance, and database configurations. | Use the automated management features of SQL Server for your virtual machines. Exercise the Azure Hybrid Benefit for existing on-premises Windows Server and SQL Server licenses. |
When you recommend a solution for relational data, think of the following:
Consider | Recommendation |
---|---|
Scalability | Choose between vCore and DTU models. Use elastic database pools. Implement vertical or horizontal scaling. |
Availability | SQL Databases in General Purpose (or Standard tier) have similar failover to a failover cluster instance (FCI). SQL Databases in Business Critical (or Premium tier) are similar to deploying an Always On availability group behind the scenes. |
Data Security | Think of encryption for the three basic states of data: data at rest (Transparent Data Encryption), data in motion (SSL/TLS), data in process (Dynamic Data Masking). |
When it comes to the ingestion, processing, and analysis of data that's too large and complex for traditional database systems, Azure offers a set of services that serve distinct but complementary roles in modern data architectures. The following table lists their purpose and use cases:
Service | Primary Role | Key Strengths |
---|---|---|
Azure Data Factory | Data Orchestration | Hybrid ETL, SSIS migration, SaaS integration. |
Azure Data Lake Storage | Storage | Scalability, security, cost-effective tiering. |
Azure Databricks | Analytics & AI | ML, LLMs, Spark-based lakehouse. |
Azure Synapse Analytics | Unified Analytics | Real-time SQL queries, Power BI integration. |
Azure Stream Analytics | Real-time Analytics | Low-latency processing, SQL-like query language. |
These services are often used together to create end-to-end data solutions, with ADLS as the storage layer, ADF for pipeline orchestration, Databricks for advanced processing, and Synapse for enterprise-scale analytics. By including Stream Analytics, organizations can address both batch and real-time analytics needs within the Azure ecosystem, enabling a wide range of data processing scenarios from historical analysis to instantaneous insights.
The remaining 3 learning pathways are covered in part 2, part 3 and part 4 of this article.