This chapter covers platform engineering on Azure, a critical approach for enabling developer productivity while maintaining governance and operational consistency. For the AZ-305 exam, this topic falls under Domain: Infrastructure, Objective 4.4 (Design and implement a platform engineering strategy). Expect 5–10% of exam questions to touch on platform engineering concepts, including platform vs. application teams, internal developer platforms (IDPs), and Azure-specific services like Azure DevOps, Azure Policy, and Azure Blueprints. Understanding this chapter is essential for designing scalable, secure, and efficient Azure solutions.
Jump to a section
Imagine a factory that produces custom furniture. Without platform engineering, each craftsman (developer) must source raw wood, design the blueprint, set up the saw, and handle finishing—resulting in chaos and wasted effort. Platform engineering is like building an automated assembly line. First, you design a standard set of workstations (platform services) with pre-configured tools (CI/CD pipelines), quality checks (policy enforcement), and material handling (infrastructure provisioning). Each workstation is fully documented and tested. When a craftsman wants to build a chair, they simply submit a ticket (pull request) specifying the chair type (application template). The assembly line automatically pulls the right wood (provisions a VM), cuts it to shape (deploys code), applies varnish (configures monitoring), and inspects the result (runs compliance checks). The craftsman never touches the raw materials directly. The factory floor manager (platform team) continuously improves the assembly line, adding new workstations (services) and optimizing throughput (performance). Developers gain speed and consistency, while the platform team ensures governance and security across all products. This mirrors Azure's platform engineering: a shared internal platform (e.g., Azure DevOps, Bicep templates, Azure Policy) abstracts underlying complexity, enforces standards, and enables self-service for application teams.
What is Platform Engineering and Why Does It Exist?
Platform engineering is the practice of building and maintaining an internal developer platform (IDP) that provides a curated set of tools, services, and workflows for application teams. It emerged to solve the friction between development speed and operational stability. In traditional setups, developers waste time on infrastructure configuration, security compliance, and deployment pipelines—tasks that are repetitive and error-prone. Platform engineering centralizes these concerns into a shared platform, enabling self-service while enforcing organizational standards.
On Azure, platform engineering involves creating a thin layer of abstraction over Azure's native services, often using Infrastructure as Code (IaC), CI/CD pipelines, and policy enforcement. The platform team (sometimes called Cloud Center of Excellence) builds and maintains this layer, while application teams consume it through simple interfaces like pull requests or CLI commands.
How Platform Engineering Works Internally
At its core, platform engineering on Azure follows a three-tier architecture:
Infrastructure Tier: Azure resources (VMs, databases, networking) provisioned via IaC (Bicep, ARM, Terraform).
Platform Tier: A set of services that abstract the infrastructure, including CI/CD pipelines, secret management, monitoring, and policy enforcement.
Application Tier: The code and configuration that application teams deploy, typically containerized or serverless.
The platform tier is the key differentiator. It includes: - Source Control: Azure Repos or GitHub for storing code and IaC templates. - CI/CD: Azure Pipelines or GitHub Actions for building, testing, and deploying. - Policy Enforcement: Azure Policy to ensure compliance (e.g., only certain VM SKUs allowed). - Secret Management: Azure Key Vault for storing secrets, with access policies. - Monitoring: Azure Monitor, Application Insights, and Log Analytics for observability. - Service Catalog: A curated list of approved services and templates, often implemented via Azure Blueprints or Bicep modules.
When a developer wants to deploy a new application, they interact with the platform through a self-service portal (e.g., Azure DevOps Service Hooks or a custom portal). The platform validates the request against policies, provisions infrastructure, deploys code, and configures monitoring—all without manual intervention.
Key Components, Values, Defaults, and Timers
Azure DevOps is the most common platform engineering tool on Azure. Key components: - Azure Repos: Git repositories for source code. Default branch protection rules can enforce pull request reviews. - Azure Pipelines: YAML-based CI/CD. Default agent pool: ubuntu-latest. Timeout: 60 minutes per job (can be increased to 360 minutes). - Azure Artifacts: Package management. Default retention: 30 days for packages. - Azure Test Plans: Manual and exploratory testing.
Azure Policy enforces governance. Key elements: - Policy Definition: JSON that specifies conditions and effects (e.g., deny, audit, append). - Initiative: A group of policy definitions. - Assignment: Scope (management group, subscription, resource group). - Evaluation: Triggered on resource creation/update or every 24 hours (compliance scan). Default compliance scan interval: 24 hours.
Azure Blueprints (legacy, being replaced by Deployment Stacks) package artifacts like policies, role assignments, and ARM templates. Each blueprint has a version and can be assigned to subscriptions.
Bicep is a domain-specific language for Azure IaC. Key features: - Modules: Reusable templates. Default parameters can be overridden. - Deployment: Uses Azure Resource Manager (ARM) under the hood. Default deployment mode: incremental. - Linting: Built-in linter catches errors before deployment.
Azure Key Vault stores secrets, keys, and certificates. Default access policies: no one has access until granted. Soft-delete retention: 90 days (default, configurable from 7 to 90 days).
Azure Monitor collects metrics and logs. Default data retention: 30 days for metrics, 31 days for logs (can be extended to 730 days for logs with additional cost).
Configuration and Verification Commands
Deploy a Bicep template:
az deployment group create --resource-group myRG --template-file main.bicepCreate a policy assignment:
az policy assignment create --name 'allowed-locations' --policy 'e56962a6-4747-49cd-b67b-bf8b01975c4c' --params '{"listOfAllowedLocations":{"value":["eastus","westus"]}}'List policy compliance states:
az policy state list --resource-group myRGCreate an Azure DevOps pipeline from YAML:
# azure-pipelines.yml
trigger:
- main
pool:
vmImage: 'ubuntu-latest'
steps:
- script: echo Hello, world!
displayName: 'Run a one-line script'Verify pipeline run:
az pipelines run --name 'myPipeline' --org 'https://dev.azure.com/myorg' --project 'myProject'Interaction with Related Technologies
Platform engineering integrates with: - Azure Active Directory (Azure AD): Authentication and authorization for the platform. Managed identities allow pipelines to access resources securely. - Azure Container Registry (ACR): Stores container images built by CI/CD pipelines. Platform policies can enforce image scanning. - Azure Kubernetes Service (AKS): Common deployment target. Platform provides Helm charts or Kubernetes manifests as part of the service catalog. - GitHub Actions: Alternative to Azure Pipelines. Integration via GitHub Apps and Azure AD. - Terraform: Alternative IaC tool. Azure supports Terraform via Azure Backend (state storage in Azure Storage). - Service Now: Often used for change management integration, triggering approvals before deployment.
The platform team must design for these integrations, ensuring consistent identity management (managed identities, service principals) and policy enforcement across the stack.
Define platform requirements
Begin by gathering requirements from application teams and stakeholders. Identify common patterns: typical application stack (e.g., .NET on AKS), security constraints (e.g., HIPAA), and compliance needs (e.g., only deploy in approved regions). Define the golden path—the recommended way to build and deploy applications. This step sets the scope for the platform: which services will be abstracted, which policies enforced, and what self-service capabilities are needed. Document these in a platform charter that aligns with organizational goals. This step is critical; skipping it leads to a platform that developers avoid.
Design the platform architecture
Architect the platform tier using Azure services. Choose a CI/CD tool (Azure Pipelines or GitHub Actions). Design IaC templates (Bicep modules) for common resources: VNet, AKS cluster, App Service plan. Define policy initiatives (e.g., allowed locations, required tags). Plan secret management with Key Vault. Design monitoring and alerting with Azure Monitor and Application Insights. Create a service catalog using Azure Blueprints or Bicep modules stored in a registry (e.g., Azure Container Registry for Bicep). The architecture must be modular and versioned to allow iterative improvements.
Implement the platform foundation
Deploy the core platform components: a management group hierarchy for policy assignments, a subscription for platform services (e.g., shared Key Vault, shared ACR), and a DevOps project with repositories for IaC and application code. Implement CI/CD pipelines that deploy the platform itself (infrastructure as code for the platform). Configure Azure Policy assignments at the management group level to enforce tagging, allowed locations, and SKU restrictions. Enable Azure Monitor and Log Analytics workspaces. This step creates the 'factory floor' that application teams will use.
Create the developer self-service interface
Build a self-service portal or extend existing tools (e.g., Azure DevOps Service Hooks, GitHub Actions) to allow developers to request new projects or deployments. This could be a simple template repository with a README that guides developers through a pull request workflow. More advanced setups use Azure DevOps Extensions or a custom web app that calls Azure REST APIs. The interface should present the golden path: select an application type, provide parameters, and trigger deployment. The platform validates inputs against policies and deploys the approved stack.
Establish observability and feedback loops
Implement monitoring for both the platform and the applications running on it. Use Azure Monitor to track platform metrics (pipeline success rate, policy violations) and application metrics (response times, error rates). Set up dashboards and alerts for platform health. Collect feedback from application teams via surveys or regular meetings. Use this feedback to iterate on the platform—add new services, update templates, relax or tighten policies. This step ensures the platform evolves with user needs and remains relevant.
Enterprise Scenario 1: Financial Services Compliance
A large bank needed to deploy hundreds of microservices across multiple Azure regions while adhering to PCI DSS and SOC 2. The platform team built an internal developer platform using Azure DevOps and Bicep. They created a Bicep module registry with pre-approved configurations for VNets, NSGs, and AKS clusters. Azure Policy enforced that all resources had mandatory tags (cost center, environment) and that only certain VM SKUs (e.g., D-series for production) were allowed. The CI/CD pipeline included automated security scanning (SonarQube, Trivy) and required two approvals for production deployments. Key Vault stored database credentials and API keys, with access policies tied to managed identities. The platform reduced new service deployment time from weeks to hours. Common misconfiguration: developers tried to bypass the platform by creating resources directly via portal, leading to policy violation alerts and manual remediation. The platform team added deny effects for critical policies to prevent this.
Enterprise Scenario 2: E-commerce Platform Scaling
An e-commerce company experienced rapid growth and needed to standardize deployment across multiple product teams. They adopted GitHub Actions as their CI/CD tool and Terraform for IaC. The platform team created a set of Terraform modules (stored in a private module registry) for App Service, Cosmos DB, and Redis Cache. GitHub Actions workflows included a step that called the Azure REST API to create a deployment stack (preview) for each environment. Azure Policy enforced that all App Service plans had minimum of two instances for production. The platform used Azure Front Door for global load balancing and Azure Monitor for unified logging. During Black Friday, the platform auto-scaled based on custom metrics. A common issue was that teams would modify the Terraform state manually, causing drift. The platform team implemented state locking and periodic drift detection using Azure Policy's audit effect.
Performance and Scale Considerations
Platform engineering must handle thousands of deployments per day. Key considerations: - Pipeline agents: Use Microsoft-hosted agents for standard builds, but self-hosted agents for compliance-sensitive workloads. Scale set agents can handle burst loads. - Policy evaluation: Azure Policy evaluation adds latency (a few seconds per resource). For high-throughput scenarios, use audit effect instead of deny to avoid blocking deployments. - Secret management: Key Vault has throttling limits (e.g., 10,000 operations per second per vault). Use caching or multiple vaults for high-volume scenarios. - IaC state: For Terraform, use Azure Storage with blob leasing for state locking. For Bicep, ARM handles state implicitly.
When misconfigured, platforms can become bottlenecks. Overly restrictive policies frustrate developers and lead to shadow IT. Insufficient testing of templates causes deployment failures. Lack of feedback loops results in a platform that doesn't meet user needs. Successful platform engineering requires continuous iteration and a strong partnership between platform and application teams.
AZ-305 Exam Focus on Platform Engineering
The AZ-305 exam tests platform engineering under Objective 4.4: Design and implement a platform engineering strategy. Key sub-objectives include:
Design an internal developer platform (IDP) using Azure DevOps, Azure Policy, and IaC.
Define platform vs. application team responsibilities.
Design for self-service and governance.
Integrate with existing CI/CD and monitoring tools.
Common Wrong Answers and Why Candidates Choose Them
'Use Azure Blueprints for all platform engineering' – Candidates see Blueprints as the 'packaging' tool, but Microsoft is deprecating Blueprints in favor of Deployment Stacks and Bicep modules. Blueprints are still valid but not the recommended modern approach.
'Platform team should manage all resources directly' – This contradicts the self-service principle. The platform team builds the platform; application teams deploy their own resources via the platform.
'Azure Policy can only be applied at subscription scope' – Policy can be applied at management group, subscription, resource group, or individual resource scope. Management group is the most common for enterprise governance.
'GitHub Actions cannot integrate with Azure AD' – GitHub Actions supports Azure AD authentication via OpenID Connect, eliminating the need for static secrets.
Specific Numbers and Terms That Appear on the Exam
Policy evaluation: Every 24 hours for compliance scan; real-time on resource creation/update.
Key Vault soft-delete retention: 90 days default.
Azure Pipelines job timeout: 60 minutes default.
Bicep deployment mode: Incremental (default) vs. complete.
Management group hierarchy: Up to 6 levels deep (excluding root).
Edge Cases and Exceptions
Policy exemption: Resources can be exempted from policy evaluation for a specified period (e.g., during migration).
Deployment Stacks: Newer than Blueprints; allow managing resources as a group and can be locked to prevent accidental deletion.
Azure DevOps variable groups: Can be linked to Key Vault for dynamic secret retrieval.
Platform engineering for non-Azure resources: Azure Arc extends policy and governance to on-premises and multi-cloud.
How to Eliminate Wrong Answers
If an answer suggests manual steps for application teams (e.g., 'developers must create VNets manually'), it's wrong—platform engineering emphasizes automation.
If an answer uses 'Azure Blueprints' as the only tool, it may be outdated; consider Deployment Stacks.
If an answer ignores policy enforcement, it's likely incorrect because governance is central to platform engineering.
Always look for the answer that balances self-service with governance, using IaC and policy.
Platform engineering creates an internal developer platform (IDP) that abstracts infrastructure and enforces governance.
Azure Policy assigns at management group for enterprise-wide governance; evaluation occurs every 24 hours and on resource changes.
Bicep is the recommended IaC tool for Azure; modules enable reusable, versioned templates.
Azure DevOps and GitHub Actions are common CI/CD tools for platform engineering; both support Azure AD integration.
Key Vault soft-delete retention defaults to 90 days; configure access policies carefully.
Platform team builds and maintains the platform; application teams use self-service to deploy their workloads.
Azure Blueprints are legacy; prefer Deployment Stacks and Bicep modules for packaging platform components.
Policy exemption allows temporary bypass of policies for specific resources during migrations.
These come up on the exam all the time. Here's how to tell them apart.
Azure DevOps
Integrated with Azure Boards, Repos, and Artifacts.
Uses YAML for pipelines, with built-in support for Azure deployments.
Supports self-hosted agents with full control over agent software.
Variable groups can be linked to Azure Key Vault for secrets.
Mature enterprise features like release gates and manual approval flows.
GitHub Actions
Tightly integrated with GitHub repositories.
Uses YAML for workflows, with a large marketplace of actions.
Supports self-hosted runners, but Microsoft-hosted runners have more limitations.
Secrets are stored in GitHub secrets or can be fetched from Azure Key Vault via actions.
Simpler syntax and community-driven actions; less built-in Azure integration.
Mistake
Platform engineering is the same as DevOps.
Correct
DevOps is a culture and set of practices for collaboration between development and operations. Platform engineering is a specific implementation that builds a shared platform to enable DevOps at scale. DevOps can exist without a platform, but platform engineering often includes DevOps practices.
Mistake
Azure Blueprints are the only way to package platform components.
Correct
Azure Blueprints are legacy and being replaced by Deployment Stacks and Bicep modules. Deployment Stacks offer better lifecycle management and can be locked to prevent deletion. Bicep modules are more flexible for IaC.
Mistake
The platform team should manage all Azure resources directly.
Correct
The platform team builds and maintains the platform (templates, policies, pipelines). Application teams deploy their own resources using the platform's self-service capabilities. Direct management by the platform team creates a bottleneck and defeats self-service.
Mistake
Azure Policy can only be applied at subscription scope.
Correct
Azure Policy can be assigned at management group, subscription, resource group, or individual resource scope. Management group assignments are inherited by all child subscriptions, making them ideal for enterprise governance.
Mistake
Platform engineering requires a separate, custom portal.
Correct
A custom portal is optional. Many organizations use Azure DevOps, GitHub, or even a simple pull-request workflow as the self-service interface. The key is providing a curated path, not necessarily a new UI.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
The platform team (often called Cloud Center of Excellence) designs, builds, and maintains the internal developer platform. This includes creating IaC templates, configuring CI/CD pipelines, defining Azure Policy assignments, and managing shared services like Key Vault and Azure Monitor. The application team consumes the platform to deploy and manage their applications. They interact with the platform through self-service interfaces (e.g., pull requests, CLI commands) and typically do not need direct access to Azure subscriptions. This separation ensures consistency and governance while enabling developer autonomy.
Microsoft recommends Deployment Stacks over Blueprints for new projects. Deployment Stacks allow you to manage a collection of Azure resources as a single unit, with the ability to lock resources to prevent deletion. They also support incremental and complete deployment modes. Blueprints are still supported but are not receiving new features. For exam purposes, know that Blueprints are legacy and Deployment Stacks are the modern alternative. However, some exam questions may still reference Blueprints, so understand both.
Azure Policy evaluates resources against policy definitions and applies effects like deny, audit, or append. In platform engineering, policies are typically assigned at the management group level to apply to all subscriptions. Common policies include restricting allowed VM SKUs, enforcing tagging requirements, and requiring certain resource types. Policy evaluation occurs in real time when a resource is created or updated, and a full compliance scan runs every 24 hours. Policies can be exempted for specific resources during migrations.
Yes. Many organizations use existing tools like Azure DevOps or GitHub as the self-service interface. For example, a developer can create a new application by submitting a pull request to a repository that contains a Bicep template and a pipeline definition. The pipeline automatically validates and deploys the infrastructure. This approach leverages familiar tools and avoids the cost of building a custom portal. The key is providing a clear 'golden path' with templates and documentation.
Common pitfalls include: (1) Building an overly complex platform that developers find hard to use, leading to shadow IT. (2) Not involving application teams in the design, resulting in a platform that doesn't meet their needs. (3) Overly restrictive policies that block legitimate deployments, causing frustration. (4) Lack of versioning and testing for IaC templates, leading to broken deployments. (5) Ignoring feedback loops; the platform must evolve based on user input. Successful platform engineering requires iterative development and strong collaboration.
Azure Arc extends Azure management capabilities to on-premises, multi-cloud, and edge environments. In a platform engineering context, Azure Arc allows you to apply the same policies, IaC, and monitoring to non-Azure resources. For example, you can assign Azure Policy to Arc-enabled servers to enforce configuration standards. This enables a consistent platform across hybrid environments. For the exam, understand that Azure Arc is a key enabler for platform engineering beyond Azure.
IaC is the foundation of platform engineering. It allows the platform team to define infrastructure in declarative templates (Bicep, ARM, Terraform) that are version-controlled and tested. IaC ensures repeatable, consistent deployments and enables self-service: application teams can deploy infrastructure by providing parameters to a template. IaC also integrates with CI/CD pipelines for automated testing and deployment. Without IaC, platform engineering would be manual and error-prone.
You've just covered Platform Engineering on Azure — now see how well it sticks with free AZ-305 practice questions. Full explanations included, no account needed.
Done with this chapter?