This chapter covers the Azure Well-Architected Framework (WAF) and its five pillars: Reliability, Security, Cost Optimization, Operational Excellence, and Performance Efficiency. Understanding the WAF is critical for the AZ-305 exam because it underpins all design decisions for Azure solutions—approximately 15-20% of exam questions directly reference or require application of the five pillars. You will be tested on defining each pillar, identifying its key principles, and applying them to scenario-based questions. This chapter provides a deep dive into each pillar, including specific Azure services, design patterns, and trade-offs, preparing you to answer both theoretical and practical questions.
Jump to a section
Imagine you are an architect designing a custom house for a client. The house must be built on a solid foundation that ensures it stands for decades without collapsing (Reliability). The design must be efficient, using materials wisely and minimizing waste, so the client doesn't overspend on construction or energy bills (Cost Optimization). The house must be safe: fire alarms, secure doors, and a layout that prevents accidents and keeps out intruders (Security). It must be easy to maintain and upgrade, with accessible plumbing, electrical panels, and modular rooms that can adapt as the family grows (Operational Excellence). Finally, the house must handle changes in load—like adding a second floor or hosting a large party—without creaking or failing (Performance Efficiency). Each pillar is not optional; skipping one leads to a flawed house. Similarly, the Azure Well-Architected Framework's five pillars are interdependent. A secure workload that is unreliable is useless; a reliable workload that costs too much is unsustainable. The architect uses best practices, standards, and checks at each stage, just as Azure architects use the framework to design, assess, and improve cloud workloads. The blueprint (the framework) guides every decision, from material selection (service choices) to structural calculations (sizing and scaling), ensuring the final house meets the client's needs across all dimensions.
What is the Azure Well-Architected Framework?
The Azure Well-Architected Framework (WAF) is a set of guiding tenets that Microsoft created to help architects build high-quality, resilient, and efficient cloud workloads. It consists of five pillars: Reliability, Security, Cost Optimization, Operational Excellence, and Performance Efficiency. The framework is not a checklist but a mindset—a set of design principles and trade-offs that must be balanced. For the AZ-305 exam, you must not only know the definitions but also how to apply them to real-world scenarios. The exam expects you to recommend Azure services and configurations that align with these pillars.
Why the WAF Exists
Cloud architectures differ from on-premises designs. In on-premises, you control the physical hardware and network, so reliability and security are built into the infrastructure. In the cloud, you share responsibility with Microsoft. The WAF helps you design for that shared responsibility model. For example, you cannot assume the network is secure just because it's in Azure—you must configure network security groups (NSGs), Azure Firewall, and encryption. Similarly, you cannot assume a virtual machine will always run—you must design for availability using availability sets, availability zones, or paired regions.
How the WAF Works Internally
The WAF is not a service you deploy; it is a framework you apply during the design and review phases. It provides: - Design Principles: For each pillar, there are 5-7 principles (e.g., for Reliability: 'Design for business continuity', 'Design for recovery'). - Checklists: Microsoft publishes review checklists for each pillar (e.g., the Azure Architecture Center). - Trade-off Guidance: The framework acknowledges that pillars conflict. For example, adding redundancy (Reliability) increases cost (Cost Optimization). The architect must balance these. - Assessment Tool: The Azure Well-Architected Review (a tool in the Azure portal) allows you to assess your workload against each pillar and get recommendations.
Key Components, Values, Defaults, and Timers
Each pillar has specific Azure services and configurations that are commonly tested:
Reliability:
Availability Zones: Provide 99.99% uptime for VMs by placing replicas in separate physical zones within a region. Default: 3 zones per supported region.
Availability Sets: Provide 99.95% uptime by placing VMs in different fault domains (up to 3) and update domains (up to 20).
Azure Site Recovery: RPO as low as 30 seconds, RTO typically minutes to hours.
Azure Backup: Default retention for daily backup is 30 days, can be extended to 99 years.
Security:
Azure Security Center (now Microsoft Defender for Cloud): Provides a secure score (0-100) based on controls.
Azure Firewall: Stateful firewall with default deny-all policy.
Network Security Groups (NSGs): Default allow all outbound, deny all inbound; can override.
Azure Key Vault: Standard tier supports secrets, keys, and certificates; Premium adds HSM-backed keys.
Cost Optimization:
Azure Reservations: 1-year or 3-year terms; savings up to 72% for VMs.
Azure Hybrid Benefit: Use on-premises Windows Server/SQL Server licenses to save up to 40%.
Azure Cost Management: Provides budgets (monthly, quarterly, yearly) and alerts.
Operational Excellence:
Azure Policy: Built-in policies like 'Allowed locations' or 'Require SQL Server 12.0'.
Azure Blueprints: Package policies, RBAC, and resource groups into a single deployable artifact.
Azure Monitor: Default metrics retention 93 days; logs retention adjustable from 30 days to 2 years.
Performance Efficiency:
Azure Load Balancer: Distributes traffic; default probe interval 5 seconds, unhealthy threshold 2 consecutive failures.
Azure Traffic Manager: DNS-based routing; supports priority, weighted, performance, geographic, and multi-value.
Azure Cosmos DB: Guarantees <10 ms latency for reads and <15 ms for writes at the 99th percentile.
Configuration and Verification Commands
While the AZ-305 is a design exam, you may need to know how to validate configurations. Key commands include:
- Azure CLI:
- az vm availability-set create – to create an availability set.
- az network nsg rule create – to create a security rule.
- az monitor metrics list – to retrieve metrics.
- PowerShell:
- New-AzAvailabilitySet – create availability set.
- Get-AzMetric – retrieve metrics.
- Azure Portal:
Navigate to 'Advisor' for cost, security, reliability, performance, and operational excellence recommendations.
Use 'Well-Architected Review' under 'Azure Advisor' to assess workload.
How the WAF Interacts with Related Technologies
The WAF is closely tied to the Microsoft Cloud Adoption Framework (CAF). The CAF provides guidance on the overall cloud adoption journey (strategy, planning, readiness, adoption, governance, management), while the WAF focuses on the technical architecture of a workload. The exam may ask you to distinguish between the two: CAF is about process and governance; WAF is about design. Additionally, the WAF informs Azure Advisor recommendations. Advisor automatically analyzes your deployed resources and provides best practice recommendations across the five pillars. For example, if you have a VM without an availability set, Advisor flags it under 'Reliability'. Understanding this relationship helps you answer scenario questions where you need to recommend a corrective action.
Detailed Pillar Breakdown
#### Reliability Pillar Reliability is the ability of a system to recover from failures and continue to function. Key design principles: - Design for business continuity: Use multiple regions, availability zones, or availability sets. - Design for recovery: Implement backup and disaster recovery with defined RPO and RTO. - Design for failure: Assume components will fail; use circuit breakers, retry policies, and graceful degradation. - Design for self-healing: Use health probes, auto-scaling, and automated failover. - Design for capacity: Plan for scale; use elasticity.
Key Azure services: - Azure Site Recovery: Replicates VMs to a secondary region; supports VMware, Hyper-V, and physical servers. - Azure Backup: Backs up VMs, SQL Server, SAP HANA, and files; supports long-term retention. - Traffic Manager: DNS-level load balancing with automatic failover. - Azure Load Balancer: Layer 4 load balancing; supports HA ports. - Azure Application Gateway: Layer 7 load balancing with WAF.
Common exam scenario: A company needs 99.99% uptime for a two-tier application. The recommended solution is to deploy VMs across availability zones within a region, use Azure Load Balancer to distribute traffic, and configure Azure Site Recovery to a paired region for disaster recovery. Traps: Candidates may choose availability sets (99.95%) or single-region deployment with multiple VMs but no zones.
#### Security Pillar Security is about protecting data, systems, and assets. Key principles: - Protect data at rest and in transit: Use encryption (Azure Storage Service Encryption, TLS, Azure Disk Encryption). - Manage identities: Use Azure AD, managed identities, and RBAC. - Secure the network: Use NSGs, Azure Firewall, DDoS protection, and private endpoints. - Protect against threats: Use Microsoft Defender for Cloud, Sentinel, and Azure Security Center. - Audit and monitor: Use Azure Policy, Azure Monitor, and Activity Logs.
Key services: - Azure Active Directory: Identity provider; supports MFA, conditional access. - Azure RBAC: Role-based access control; built-in roles like Contributor, Reader, Owner. - Azure Policy: Enforces compliance rules; e.g., require encryption. - Azure Key Vault: Stores secrets, keys, and certificates. - Azure Firewall: Stateful firewall with threat intelligence. - DDoS Protection: Basic (free) or Standard ($2,944/month + data processing).
Common exam scenario: A company must encrypt all data at rest and in transit for a healthcare application. Solution: Use Azure Disk Encryption for VMs, enable TLS 1.2 for web traffic, and use Azure Storage Service Encryption for blobs. Also, restrict network access using NSGs and Azure Firewall. Trap: Candidates may forget to enable encryption for managed disks or assume that Azure automatically encrypts all data (it does for storage, but not for VMs by default).
#### Cost Optimization Pillar Cost Optimization is about minimizing waste and maximizing value. Principles: - Plan and budget: Use Azure Cost Management, budgets, and alerts. - Choose the right resources: Right-size VMs, use reserved instances, and take advantage of Azure Hybrid Benefit. - Optimize storage: Use tiered storage (hot, cool, archive) and life cycle management. - Manage licenses: Use Azure Hybrid Benefit for Windows Server and SQL Server. - Monitor and improve: Use Advisor cost recommendations.
Key services: - Azure Reservations: 1-year or 3-year; applicable to VMs, SQL Database, Cosmos DB, etc. - Azure Spot VMs: Up to 90% discount; can be evicted with 30-second notice. - Azure Cost Management: Provides cost analysis, budgets, and recommendations. - Azure Advisor: Offers cost recommendations like 'Shut down idle VMs' or 'Resize underutilized VMs'.
Common exam scenario: A company has predictable workloads that run 24/7. They should purchase Azure Reserved Instances for VMs to save up to 72%. Trap: Candidates may recommend Spot VMs, but those are for interruptible workloads, not 24/7 production.
#### Operational Excellence Pillar Operational Excellence focuses on operations processes, automation, and monitoring. Principles: - Standardize and automate: Use ARM templates, Azure DevOps, and Azure Automation. - Monitor and alert: Use Azure Monitor, Application Insights, and Log Analytics. - Manage changes: Use Azure Policy and Blueprints to enforce standards. - Document and train: Maintain runbooks and training. - Deploy with confidence: Use staging environments and canary deployments.
Key services: - Azure Policy: Enforce compliance; e.g., 'Allowed locations' or 'Require tag'. - Azure Blueprints: Deploy consistent environments. - Azure Monitor: Collects metrics and logs; creates alerts. - Azure Automation: Runbooks, update management, and configuration management. - Azure DevOps: CI/CD pipelines, boards, and repos.
Common exam scenario: A company wants to ensure all resources in a subscription are tagged with a cost center. Solution: Use Azure Policy to require a tag on new resources. Trap: Candidates may suggest RBAC, but RBAC controls access, not compliance.
#### Performance Efficiency Pillar Performance Efficiency is the ability to scale and meet user demands. Principles: - Scale horizontally: Use scale sets, load balancers, and auto-scaling. - Scale vertically: Resize VMs or databases. - Optimize data access: Use caching (Azure Redis Cache), CDN (Azure CDN), and data partitioning. - Monitor performance: Use Azure Monitor metrics and Application Insights. - Choose the right compute: Use Azure Functions for event-driven, AKS for containers, etc.
Key services: - Azure Load Balancer: Distributes traffic; supports HA ports. - Azure Application Gateway: Layer 7 load balancing; URL-based routing. - Azure Traffic Manager: DNS-level routing. - Azure Redis Cache: In-memory cache; standard tier up to 53 GB. - Azure CDN: Global content delivery; standard tier from Microsoft or Akamai. - Azure Virtual Machine Scale Sets: Auto-scaling based on metrics.
Common exam scenario: An e-commerce site experiences traffic spikes on Black Friday. Solution: Use VMSS with auto-scaling based on CPU or memory, and Azure Load Balancer to distribute traffic. Trap: Candidates may recommend vertical scaling (resize VMs), but horizontal scaling is more cost-effective and resilient.
Trade-offs and Balancing Pillars
The exam often tests your ability to balance pillars. For example:
Reliability vs. Cost: Adding redundancy increases cost. You might choose availability sets (99.95%) over availability zones (99.99%) if the cost difference is significant.
Security vs. Performance: Encryption adds overhead. You might choose to encrypt only sensitive data, not all data.
Operational Excellence vs. Cost: Automation saves time but incurs initial development cost.
When answering scenario questions, always consider the trade-offs. The best answer is not always the most reliable or most secure; it is the one that meets the business requirements within constraints.
Assess Current Workload
Begin by identifying the workload to be designed or reviewed. Gather business requirements: uptime SLA, RPO/RTO, security compliance (e.g., HIPAA, PCI DSS), budget, and performance needs. Use the Azure Well-Architected Review tool in the portal to get a baseline score for each pillar. This tool asks a series of questions (e.g., 'Do you have a disaster recovery plan?') and assigns a maturity score. The output provides a list of recommendations. This step is crucial because it sets the context for all subsequent design decisions. For example, if the workload requires 99.99% uptime, you must plan for availability zones and disaster recovery, which increases cost and complexity.
Design for Reliability
Based on the assessment, design the reliability architecture. Start with the compute layer: choose between availability sets (for VMs within a datacenter) or availability zones (for VMs across separate physical locations). For mission-critical workloads, use availability zones and pair the region with a secondary region for disaster recovery. Implement Azure Site Recovery for VM replication (RPO as low as 30 seconds) and Azure Backup for data protection. For stateless tiers, use Azure Load Balancer with health probes (probe interval: 5 seconds, unhealthy threshold: 2 consecutive failures). For stateful tiers, use Azure SQL Database with active geo-replication or Cosmos DB with multi-region writes. Ensure all dependencies (e.g., databases, storage) are also designed for high availability. For example, use Azure Storage with geo-redundant storage (GRS) for blob data.
Design for Security
Next, apply security controls. Use Azure AD for identity and access management. Enable MFA for all users. Use managed identities for Azure resources to avoid storing credentials. Implement RBAC with least privilege: assign built-in roles like 'Reader' for monitoring, 'Contributor' for developers, and 'Owner' for administrators. Use Azure Policy to enforce security rules: e.g., require HTTPS on storage accounts, require encryption on SQL databases. Secure the network: use NSGs to filter traffic (default deny inbound, allow outbound). Use Azure Firewall for centralized control and threat intelligence. For data protection, enable Azure Disk Encryption for VMs (uses BitLocker for Windows, DM-Crypt for Linux). Use Azure Key Vault to store secrets and keys. Enable Microsoft Defender for Cloud to get a secure score and recommendations.
Design for Cost Optimization
Now, optimize costs without sacrificing reliability or security. Right-size VMs using Azure Advisor recommendations (e.g., if CPU utilization is below 5% for 7 days, consider downsizing). Purchase Azure Reserved Instances for VMs that run 24/7 (1-year or 3-year terms). Use Azure Hybrid Benefit if you have on-premises Windows Server or SQL Server licenses. For non-production or interruptible workloads, use Azure Spot VMs. Implement auto-scaling to match demand: use VMSS with scale-out based on CPU > 75% for 5 minutes, scale-in based on CPU < 25% for 10 minutes. Use Azure Cost Management to set budgets and alerts (e.g., alert when spending exceeds 80% of budget). For storage, use tiered storage: hot for frequently accessed data, cool for infrequent (30-day minimum), archive for rarely accessed (180-day minimum). Use lifecycle management policies to automatically move blobs between tiers.
Design for Operational Excellence
Focus on operations and automation. Use ARM templates or Bicep to define infrastructure as code. Store templates in Azure DevOps or GitHub and use CI/CD pipelines for deployment. Use Azure Policy to enforce tagging (e.g., cost center, environment). Use Azure Blueprints to package policies, RBAC, and resource groups. Implement monitoring with Azure Monitor: collect metrics (retention 93 days), logs (retention 30-730 days), and create alerts (e.g., 'CPU > 90% for 5 minutes' sends email). Use Application Insights for application performance monitoring. Use Azure Automation for update management: schedule patching for VMs using Update Management. Create runbooks for common tasks (e.g., restart VM). Document everything using runbooks and training materials. Use Azure Advisor to get operational excellence recommendations (e.g., 'Enable auto-management for VMs').
Design for Performance Efficiency
Finally, ensure the workload can scale. For compute, use VMSS with auto-scaling based on metrics (CPU, memory, or custom). For web tiers, use Azure App Service with auto-scale (scale out based on requests per second). For databases, use Azure SQL Database with DTU/vCore scaling or Cosmos DB with autoscale (RU/s). Use caching: Azure Redis Cache for frequently accessed data (e.g., session state, database query results). Use Azure CDN for static content (e.g., images, CSS). Use Azure Load Balancer or Application Gateway for traffic distribution. For global reach, use Azure Traffic Manager with performance routing to direct users to the nearest endpoint. Monitor performance using Azure Monitor metrics: set alerts for response time > 500 ms or error rate > 1%. Use Application Insights to identify slow dependencies. Consider using Azure Functions for event-driven workloads that scale to zero when idle.
Enterprise Scenario 1: E-commerce Platform
A large e-commerce company moves its on-premises application to Azure. The workload is a three-tier web application with a frontend, backend, and SQL database. The SLA requirement is 99.99% uptime. The company has a moderate budget and expects traffic spikes during holiday seasons.
Solution: - Reliability: Deploy VMs across three availability zones in the primary region. Use Azure Load Balancer (Standard SKU) with health probes to distribute traffic. Use Azure SQL Database with active geo-replication to a secondary region (paired region like East US 2). Use Azure Site Recovery to replicate VMs to the secondary region for disaster recovery with an RPO of 15 minutes and RTO of 1 hour. - Security: Use Azure AD for authentication, enable MFA for admin accounts. Use NSGs to restrict inbound traffic to only the load balancer and backend subnet. Use Azure Firewall for outbound traffic filtering. Enable encryption at rest (Azure Disk Encryption for VMs, TDE for SQL Database) and in transit (TLS 1.2). Use Azure Key Vault to store connection strings and certificates. - Cost Optimization: Purchase 3-year Reserved Instances for the VM sizes used (Standard_D4s_v3). Use Azure Hybrid Benefit for Windows Server licenses. Use Azure Cost Management budgets with alerts at 80% and 100%. Use auto-scaling for the frontend tier to handle spikes, scaling out based on CPU > 70% for 5 minutes. - Operational Excellence: Use ARM templates for deployment. Use Azure DevOps for CI/CD. Use Azure Policy to enforce tagging (CostCenter, Environment). Use Azure Monitor with Log Analytics for centralized logging. Set up alerts for high error rates and low disk space. - Performance Efficiency: Use Azure Redis Cache for session state. Use Azure CDN for static assets. Use Azure Traffic Manager with performance routing to direct users to the closest region. Use VMSS with auto-scaling for the frontend and backend tiers.
What goes wrong when misconfigured: If availability zones are not used, a single datacenter outage brings down the entire application. If backups are not configured, data loss can be permanent. If NSGs are too permissive, the application is vulnerable to attacks. If cost management is ignored, the company can overspend by 50% or more.
Enterprise Scenario 2: Healthcare Application
A healthcare provider needs to deploy a HIPAA-compliant application in Azure. The application stores patient records and must be highly available. The budget is less flexible due to compliance costs.
Solution: - Reliability: Use availability sets (since zones may not be available in all regions, and cost is a concern). Use Azure SQL Database with failover groups to a secondary region. Use Azure Backup with geo-redundant storage for long-term retention (7 years per HIPAA). - Security: Use Azure AD with conditional access policies (require MFA for clinical staff). Use Azure Policy to enforce HIPAA controls (e.g., require encryption, audit SQL servers). Use Azure Disk Encryption for all VMs. Use Azure Key Vault with soft-delete enabled. Use Azure Sentinel for security information and event management (SIEM). - Cost Optimization: Use Azure Reserved Instances for VMs. Use Azure Hybrid Benefit for SQL Server. Use Azure Cost Management to track spending by department. - Operational Excellence: Use Azure Blueprints to deploy a compliant environment. Use Azure Automation for update management. Use Azure Monitor with diagnostic settings to send logs to Log Analytics. - Performance Efficiency: Use Azure SQL Database with DTU-based purchasing model (since workload is predictable). Use Azure Redis Cache for patient lookup queries.
What goes wrong: If encryption is not enabled on all data at rest, the application fails HIPAA audit. If backups are not retained for 7 years, compliance is violated. If RBAC is not configured properly, unauthorized users may access patient data.
Enterprise Scenario 3: Global Media Streaming Service
A media company wants to stream video content globally with low latency and high availability. The workload is stateless and uses Azure CDN extensively.
Solution: - Reliability: Use Azure Front Door for global load balancing and failover. Use multiple origin servers in different regions (e.g., West Europe, East Asia). Use Azure Storage with geo-redundant storage for video files. - Security: Use Azure CDN with token authentication to prevent unauthorized access. Use Azure WAF with Front Door to block SQL injection and XSS. Use managed identities for access to storage. - Cost Optimization: Use Azure CDN Standard from Microsoft (pay-as-you-go). Use Azure Spot VMs for transcoding jobs (interruptible). Use Azure Reservations for VMs that run 24/7. - Operational Excellence: Use Azure DevOps for CI/CD of the streaming application. Use Azure Monitor to track CDN metrics (e.g., cache hit ratio, bandwidth). - Performance Efficiency: Use Azure CDN to cache video content at edge locations. Use Azure Media Services for encoding and packaging. Use Azure Traffic Manager with performance routing.
What goes wrong: If CDN is not configured properly, users experience buffering. If security is lax, content can be stolen. If cost optimization is ignored, CDN egress costs can skyrocket.
What AZ-305 Tests on This Topic
AZ-305 objective 1.3 is 'Design for identity, governance, and monitoring', but the Well-Architected Framework is tested throughout the exam. Specifically, you will encounter questions that require you to:
Identify which pillar a given scenario addresses (e.g., 'Your application must recover within 1 hour' → Reliability).
Recommend Azure services based on pillar requirements (e.g., 'You need to reduce costs' → Reserved Instances or Azure Hybrid Benefit).
Balance trade-offs between pillars (e.g., 'You need high availability but have a limited budget' → choose availability sets over zones).
Apply the WAF to design a solution that meets business requirements.
Common Wrong Answers and Why Candidates Choose Them
Overusing availability zones: Candidates often choose availability zones for every workload. However, zones are not supported in all regions, and they increase cost. The exam may present a scenario where availability sets (99.95%) are sufficient and more cost-effective.
Confusing Azure Policy with RBAC: Candidates often think Azure Policy controls access. In reality, Policy enforces compliance rules (e.g., require encryption), while RBAC controls who can access resources. A question might ask 'How to ensure all VMs are tagged' – the answer is Azure Policy, not RBAC.
Choosing the most expensive security option: For example, enabling Azure Disk Encryption for all VMs when only sensitive data needs encryption. The exam tests cost-awareness: you should encrypt only what is necessary.
Ignoring trade-offs: A question may ask for a solution that meets both high availability and low cost. The correct answer may involve using availability sets (cheaper) instead of availability zones (more expensive), even though zones offer higher uptime.
Misunderstanding Azure Hybrid Benefit: Candidates think it applies to all Microsoft licenses, but it only applies to Windows Server and SQL Server. Also, it requires Software Assurance or subscription licenses.
Specific Numbers, Values, and Terms on the Exam
Availability sets: 3 fault domains, 20 update domains (default).
Availability zones: Up to 3 per region; 99.99% SLA for VMs.
Azure Site Recovery: RPO as low as 30 seconds, RTO typically 1 hour.
Azure Backup: Default retention 30 days; long-term retention up to 99 years.
Azure Reservations: 1-year or 3-year terms; up to 72% savings.
Azure Hybrid Benefit: Up to 40% savings for Windows Server and SQL Server.
Azure Policy: Over 500 built-in policies.
Azure Advisor: Updates every 24 hours.
Azure Monitor metrics retention: 93 days.
Azure Log Analytics retention: 30 days to 2 years.
Edge Cases and Exceptions
Regions without availability zones: Some regions (e.g., UK South, Canada Central) do not support availability zones. In such cases, use availability sets or paired regions for disaster recovery.
Azure Policy for deletion: Azure Policy cannot prevent deletion of resources; it only audits or denies creation/modification. To prevent deletion, use Azure locks.
Cost Management for subscriptions: Cost Management works at the subscription level; for enterprise agreements, you need to use the EA portal.
Azure Security Center vs. Defender for Cloud: Azure Security Center is now Microsoft Defender for Cloud. The free tier provides secure score and recommendations; the paid tier adds workload protection.
How to Eliminate Wrong Answers
Read the question carefully: Identify the primary requirement (e.g., cost, security, reliability). Then eliminate answers that violate that requirement.
Look for trade-offs: If the question mentions 'budget constraints', eliminate expensive options like availability zones or premium storage.
Check for compliance: If the question mentions HIPAA or PCI DSS, eliminate answers that do not include encryption or auditing.
Use the shared responsibility model: If the question asks about security of the OS, remember that the customer is responsible for patching and configuring the OS, not Microsoft.
Match the pillar: If the question is about 'reducing downtime', the answer should be a reliability service (e.g., Azure Site Recovery), not a security service.
The Azure Well-Architected Framework has five pillars: Reliability, Security, Cost Optimization, Operational Excellence, and Performance Efficiency.
Reliability pillar focuses on availability, disaster recovery, and self-healing; key services include Availability Zones, Azure Site Recovery, and Azure Backup.
Security pillar focuses on identity, encryption, network security, and threat protection; key services include Azure AD, Azure Policy, Azure Firewall, and Microsoft Defender for Cloud.
Cost Optimization pillar focuses on right-sizing, reservations, and hybrid benefits; key services include Azure Reservations, Azure Hybrid Benefit, and Azure Cost Management.
Operational Excellence pillar focuses on automation, monitoring, and compliance; key services include Azure Policy, Azure Blueprints, Azure Monitor, and Azure Automation.
Performance Efficiency pillar focuses on scaling, caching, and load balancing; key services include VMSS, Azure Load Balancer, Azure Redis Cache, and Azure CDN.
The WAF is not a checklist but a set of trade-offs; always balance pillars based on business requirements.
Azure Advisor provides recommendations across all five pillars and updates every 24 hours.
The Well-Architected Review tool in the Azure portal helps assess workload maturity against the pillars.
Availability sets offer 99.95% SLA; availability zones offer 99.99% SLA; choose based on cost and region support.
These come up on the exam all the time. Here's how to tell them apart.
Availability Sets
Provides up to 99.95% SLA for VMs.
Uses fault domains (3) and update domains (20) within a single datacenter.
Protects against hardware failures and planned maintenance within a datacenter.
No additional cost for the availability set itself; you pay for VMs.
Limited to single region; does not protect against datacenter-level failures.
Availability Zones
Provides up to 99.99% SLA for VMs.
Uses physically separate zones (3) within a region, each with independent power, cooling, and networking.
Protects against entire datacenter failures.
No additional cost for zones; you pay for VMs and inter-zone data transfer.
Not available in all regions; requires zone support for the VM SKU.
Mistake
The Azure Well-Architected Framework is a set of mandatory rules that must be followed exactly.
Correct
The WAF is a set of guiding principles and best practices, not a rigid set of rules. It provides design considerations and trade-offs. Architects should apply the principles based on the specific workload requirements, business constraints, and risk tolerance. There is no 'one-size-fits-all' solution.
Mistake
Availability zones provide the same level of protection as a multi-region deployment.
Correct
Availability zones protect against datacenter failures within a single region, but they do not protect against a region-wide disaster (e.g., natural disaster, regional outage). For full disaster recovery, you need a multi-region deployment using Azure Site Recovery or active geo-replication. Availability zones offer 99.99% SLA, while multi-region can achieve higher but with added complexity and cost.
Mistake
Azure Policy can prevent deletion of resources.
Correct
Azure Policy can evaluate and enforce compliance on resource properties during creation or update, but it cannot prevent deletion. To prevent accidental deletion, you must use Azure locks (CanNotDelete or ReadOnly) at the resource group or resource level. Policy is for governance (tags, locations, SKU sizes), not for resource protection.
Mistake
All Azure services are automatically encrypted at rest.
Correct
While many Azure services (e.g., Azure Storage, Azure SQL Database) enable encryption by default, some services require manual configuration. For example, Azure Virtual Machines do not have disk encryption enabled by default; you must enable Azure Disk Encryption (using BitLocker or DM-Crypt) or use server-side encryption with customer-managed keys. Always verify encryption settings for each service.
Mistake
Azure Hybrid Benefit can be used for any Microsoft product.
Correct
Azure Hybrid Benefit is specifically for Windows Server and SQL Server licenses with Software Assurance or subscription licenses. It does not apply to other Microsoft products like Office 365, Visual Studio, or System Center. The benefit allows you to use your on-premises licenses in Azure to reduce costs, but you must have eligible licenses.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
The Cloud Adoption Framework (CAF) provides guidance on the overall cloud adoption journey, including strategy, planning, readiness, adoption, governance, and management. It is focused on the process of moving to the cloud. The Well-Architected Framework (WAF) is focused on the technical design of a workload once it is in the cloud. CAF answers 'how to adopt the cloud'; WAF answers 'how to design a well-architected workload'. For the exam, know that CAF is about governance and process, while WAF is about architecture and design.
Choose availability zones if you need 99.99% uptime and your region supports zones. Zones protect against datacenter failures, but they incur inter-zone data transfer costs. Choose availability sets if 99.95% is sufficient, or if zones are not available in your region. Availability sets are free and protect against hardware failures and maintenance within a datacenter. For disaster recovery, you must use a secondary region regardless of whether you use sets or zones. On the exam, if cost is a constraint, lean toward availability sets; if maximum uptime is required, lean toward zones.
The default retention for daily backup points is 30 days. You can modify this to a maximum of 99 years for daily, weekly, monthly, or yearly retention. For example, you can set a retention policy to keep daily backups for 7 days, weekly for 4 weeks, monthly for 12 months, and yearly for 5 years. The exam may test that long-term retention is configurable up to 99 years. Also, note that backup data is stored in the Recovery Services vault, which can be geo-redundant (GRS) or locally redundant (LRS).
Azure Policy is used to enforce rules and compliance on resources, such as requiring a specific tag, location, or SKU size. It evaluates resources during creation, update, and periodically (audit). Azure RBAC controls who can access resources and what actions they can perform (e.g., read, write, delete). They work together: Policy ensures resources are compliant, RBAC ensures only authorized users can manage them. On the exam, if the question is about 'ensuring resources are tagged', the answer is Azure Policy. If it's about 'granting access to a virtual machine', the answer is RBAC.
Azure Site Recovery (ASR) is a disaster recovery solution that replicates virtual machines and physical servers to a secondary region. It provides failover and failback capabilities with a low RPO (as low as 30 seconds) and RTO (typically minutes to hours). Azure Backup is a backup service that creates recovery points of data (VMs, files, databases) and stores them in a Recovery Services vault. It is designed for long-term retention and granular recovery (file-level). ASR is for full server recovery during a disaster; Backup is for restoring data from a specific point in time. They can be used together: Backup for daily backups, ASR for failover.
The best way is to purchase Azure Reserved Instances (RI) for 1-year or 3-year terms, which can save up to 72% compared to pay-as-you-go. You can also use Azure Hybrid Benefit if you have eligible Windows Server or SQL Server licenses. Additionally, right-size VMs based on actual utilization (use Azure Advisor recommendations). For non-production workloads, consider using Spot VMs (up to 90% discount) but be aware they can be evicted. On the exam, if the workload is predictable and runs continuously, recommend Reserved Instances.
The Azure Well-Architected Review is a tool in the Azure portal (under Azure Advisor) that helps you assess your workload against the five pillars. You answer a set of questions about your workload (e.g., 'Do you have a disaster recovery plan?'), and the tool generates a maturity score and recommendations. It is not a deployment tool; it is an assessment tool. You can use it during the design phase or to review existing workloads. The exam may ask you to recommend using the Well-Architected Review to identify gaps in a workload.
You've just covered Azure Well-Architected Framework: Five Pillars — now see how well it sticks with free AZ-305 practice questions. Full explanations included, no account needed.
Done with this chapter?