AZ-305: Bonus Links
Notes and links on the most important topics for the exam.
- A stored Access Policy on a Blob container gives an additional level of control over service SASs: permissions and expiry come from the policy rather than the token, so changing or deleting the policy revokes every SAS issued against it.
- Access Reviews can be created for security groups to trigger periodic (self-)review.
- Access Reviews support managing user and guest user access
- Access Reviews: what are they?
- Always Encrypted keeps the column encryption keys with the client driver, so the database (storage) engine only ever sees ciphertext; only the owning application can decrypt.
- Always On availability groups with a Distributed Network Name (DNN) listener support fast failover without needing an Azure Load Balancer in front of the listener, keeping costs minimal.
- App Roles UI allows setting up app roles, Token Configuration can configure actual claims.
- App Service Plans are usually cheaper than App Service Environments (ASEs).
- Application Registration can be used in combination with Delegated Permissions
- Availability Group creation is the first step in migrating a SQL database from an on-premises AG to the cloud. Next, use Azure Migrate to complete the migration.
- Azure Advisor: personalized cloud consultant to help optimize Azure deployments.
- Azure API Management (APIM) in “External” VNet mode exposes the gateway over the internet while it is still injected in a VNet, so no VPN is needed to reach it.
- Azure API Management allows configuring external OAuth2 providers (see also the API Management overview page)
- Azure API Management can handle JWT validation and IP filtering.
- Azure API Management with VNet injection (Developer and Premium tiers) allows AKS and VM backends to be reached over private IP addresses, with mutual TLS, rate limiting, etc.
- Azure App Service has OS functionality such as file access and application event log (and is a low-cost solution).
- Azure App Service supports Java applications and can run multiple instances scaled based on load, with minimum administrative effort.
- Azure Application Gateway with Web Application Firewall (WAF) supports things like OWASP (e.g. SQL injection) protection.
- Azure Application Gateway is a regional service: it works in one region only.
- Azure Application Insights can be enabled without code changes.
- Azure Batch low-priority virtual machines (legacy offering) is a cheap option for small dev workloads.
- Azure Batch supports Message Passing Interface (MPI) for multi-instance tasks, and Parallel Task Execution when needed.
- Azure Blob Storage is great for media files (e.g. video)
- Azure Blob Storage supports Customer-managed keys for encryption
- Azure Blueprints are different from ARM templates because they remain connected to deployed resources.
- Azure Blueprints allows us to define a repeatable set of Azure resources. (It’ll be deprecated per 2026 though.)
- Azure Blueprints can be defined at a Root Management Group if you desire, but assignment ultimately comes down to Subscriptions even if it’s still associated with a Management Group.
- Azure CLI can trigger on-demand Azure Policy compliance evaluation scans (see also these docs); Azure Activity Log diagnostic settings can forward events elsewhere to take further action.
- Azure Container Apps support Autoscaling.
- Azure Container Registry Premium SKU supports geo-replicated images.
- Azure Container Registry allows for lifecycle management of container images.
- Azure Cosmos DB for PostgreSQL is relational (SQL based) and supports geo-replication.
- Azure Cosmos DB NoSQL supports SQL (you read that right), while staying low-latency.
- Azure Cosmos DB Resource Tokens (tied to Cosmos DB users and permissions, scoped to containers or items) allow granular per-user access without sharing the account keys; Azure RBAC role assignments cover access by Microsoft Entra identities.
- Azure Cosmos DB SQL API supports multi-region writes replication protocol with low latency.
- Azure Cosmos DB allows for Managed Private Endpoints to securely send data to e.g. Azure Synapse.
- Azure Cosmos DB gives SLA-backed speed and throughput as a storage solution.
- Azure Cosmos DB supports multi-region writes.
- Azure Cosmos DB with Multi-Region Writes accepts writes in every configured region and replicates them, so data can be read and written close to users in any region.
- Azure CycleCloud supports orchestrating and managing High Performance Computing (HPC) environments.
- Azure Data Factory pipelines can integrate services through messages.
- Azure Data Factory allows creation of Data Flows.
- Azure Data Factory can load data into Azure Data Lake Storage Gen2 even when the data comes directly from an Oracle database.
- Azure Data Factory Copy Data Tool supports moving Blob Storage data to SQL Databases.
- Azure Data Factory could continuously integrate data from Blob Storage into e.g. an Azure SQL Database.
- Azure Data Factory supports running SSIS in Azure.
- Azure Data Factory is an Extract, Transform, Load (ETL) tool.
- Azure Data Lake Analytics with U-SQL was a storage-and-analytics combo supporting petabytes of data (retired in 2024!).
- Azure Data Lake Storage Gen2 supports Hadoop Distributed File System (HDFS).
- Azure Data Lake Storage Gen2 supports big data ingestion; Azure SQL Hyperscale supports huge relational databases up to 100TB.
- Azure Data Lake Storage supports POSIX-style ACLs (plain Blob Storage doesn’t).
- Azure Data Migration Assistant can migrate SQL to SQL and the Azure Cosmos DB Migration Tool can do so targeting Cosmos.
- Azure Data Studio (with the Azure SQL Migration extension) can migrate on-premises SQL Server to Managed Instances with minimal downtime.
- Azure Database Migration Service can do offline on-premises to Azure SQL Managed Instance migrations.
- Azure DNS Private Resolver lets on-premises DNS servers forward queries for Azure private DNS zones to an Azure-provided inbound endpoint (and, via an outbound endpoint, lets Azure forward queries to on-premises DNS).
- Azure Event Hubs can be connected to Azure Functions, see e.g. tutorial on streaming Azure AD audit logs to event hub and Azure Functions triggered from Event Hubs
- Azure File Share with Azure File Sync allows for high availability also for situations with multiple on-premises data centers.
- Azure Files with Azure File Sync can replicate files between on-premises and Azure.
- Azure Firewall Manager has a known issue where “Base policies must be in same region as local policy”.
- Azure Front Door with Azure Storage Blobs can be combined.
- Azure Front Door can protect against OWASP vulnerabilities when using Web Application Firewall (WAF).
- Azure Front Door Premium supports Private Links.
- Azure Front Door could direct traffic between two Azure Kubernetes Service (AKS) Clusters. The AKS ingress controller is good for networks inside clusters.
- Azure Front Door does HTTP(S) global traffic routing (also to AKS clusters), and in each AKS cluster Azure Application Gateway can route traffic to individual pods.
- Azure Functions Premium (and Dedicated) plans support function timeouts beyond the Consumption plan’s 10 minutes (30+ minutes); Premium also supports event-driven scaling.
- Azure Functions Premium plan supports Virtual Network integration, e.g. for C# code that must reach resources on private IP addresses.
- Azure Gateway Load Balancer can balance load between multiple NVA’s with minimal administrative effort.
- Azure Hybrid Benefit (use on-premises licenses for Azure discounts) applies, for SQL, to vCore-based Azure SQL Database and Managed Instance only (not the DTU model).
- Azure Import/Export allows securely importing large amounts of data in Azure by shipping disk drives to an Azure datacenter. Azure Data Factory can also be used to copy lots of data to the cloud.
- Azure Key Vault Access Policies determine whether given security principals can perform operations (get, list, set, ...) on keys, secrets and certificates; Azure RBAC for Key Vault is the newer, recommended model.
- Azure Key Vault failover goes to the “Paired” region; while failed over the vault is read-only, so create, update and delete operations are temporarily not available.
- Azure Key Vault references let App Service read secrets as if they were Application Settings (the app’s identity needs only the “Get” secret permission).
- Azure Key Vault Secrets are used for passwords, connection strings, and API keys; Managed Service Identities (now known as just Managed Identities) can be used to give a VM access to a service like Key Vault.
- Azure Key Vault backup restoration must be in the same geography.
- Azure Kubernetes Horizontal Pod Autoscaler (HPA) can help with scaling.
- Azure Kubernetes KEDA supports event-driven autoscaling similar to how Azure Functions scale.
- Azure Kubernetes Service (AKS) has Cluster Autoscaler that supports Windows nodes.
- Azure Kubernetes Service (AKS) with API Management (APIM) and MTLS requires an ingress controller.
- Azure Lighthouse can connect logs cross-tenant, the Azure Monitor Agent supports Data Collection Rules (DCRs).
- Azure Load Balancer does not support rate-limiting.
- Azure Log Analytics can ingest the Activity Log and so track subscription-level events.
- Azure Log Analytics can be used to report on Azure Resource Manager (ARM) resource deployments.
- Azure Logic Apps can run on periodic (e.g. hourly) triggers to do a maintenance task, e.g. by calling an Azure Automation PowerShell runbook.
- Azure Logic Apps combined with Azure Functions allows you to automate workflows that include human interaction (e.g. approvals).
- Azure Migrate Appliance for VMware helps discover and assess machines and migrate machines using agentless migration.
- Azure Migrate Projects is used to store discovery, assessment, and migration metadata.
- Azure Migrate has tooling for VMWare migrations.
- Azure Migrate includes tools to move VM’s from on-premises to Azure.
- Azure Monitor Activity Log records resource deployment history.
- Azure Monitor Data Collection Endpoints can ingest data into Azure Monitor. KQL can transform JSON-formatted logs.
- Azure Monitor Workspace: you can collect all logs in one workspace, or multiple if you prefer.
- Azure MySQL General Purpose is needed for high availability, the Burstable tier won’t cut it.
- Azure Page Blobs support up to 8 TB files.
- Azure Policies to enforce tagging rules: improve governance of resources.
- Azure Policy “DeployIfNotExists” executes a template deployment when a condition is met; remediation runs under the assignment’s managed identity, which needs the RBAC role(s) listed in the policy’s roleDefinitionIds.
- Azure Policy “Modify” is used to add, update, or remove properties or tags; Contributor role for automation is good to apply such effects.
- Azure Policy allows limiting App Service instances to specific Azure regions.
- Azure Policy allows limiting regions and VM sizes.
- Azure Policy with Tags could be used to organize resources by e.g. departments.
- Azure Policy can be assigned to any scope of resources that Azure supports (management groups, subscriptions, resource groups, or individual resources).
- Azure Policy can be used to e.g. ensure Transparent Data Encryption (TDE) is enabled, steps are: (1) Azure Policy Definition with the deployIfNotExists effect, (2) Policy Assignment (with a managed identity holding the roles needed to remediate), (3) Invoke a remediation task for resources that already exist.
- Azure Queue Storage supports messages in any format for asynchronously communicating e.g. order transaction information.
- Azure Resource Mover moves resources between regions and resource groups.
- Azure roles for External Guest Users, see also the B2B collaboration overview
- Azure Service Bus Queues with Sessions enabled guarantee FIFO ordering per session.
- Azure Service Bus Topics support multiple subscribers if different services need to listen for messages.
- Azure Service Bus supports XML messages and asynchronous communication between cloud services.
- Azure Service Fabric is a distributed platform to manage microservices and containers.
- Azure Site Recovery has good RTO and RPO for e.g. a Virtual Machine running SQL Server.
- Azure Site Recovery provides fail over to another data center; Azure Backup can backup entire VM’s.
- Azure SQL (elastic pool) has a 99.99% SLA and supports “Reserved Capacity”.
- Azure SQL Always Encrypted is great for keeping PII safe.
- Azure SQL Audit Information must be stored in the same Storage region.
- Azure Database for MySQL supports geo-redundant backup based failover with reasonable RPO and RTO.
- Azure SQL Database Premium and Business Critical support zone redundancy, Basic and Standard don’t.
- Azure SQL Database Premium (DTU) supports zone-redundant availability, failover with replicas, and is cheaper than Hyperscale. (Zone redundancy for Managed Instance is newer and tier-dependent; check the current docs.)
- Azure SQL Database Serverless supports General Purpose Tier
- Azure SQL Database Serverless supports zone redundancy for minimal costs.
- Azure SQL Database in General Purpose Tier supports paying for compute per second.
- Azure SQL Database with Hyperscale supports databases up to 100TB.
- Azure SQL Long Term Retention allows a configurable retention policy of up to 10 years.
- Azure SQL Managed Instance supports Auto-failover to another Azure region
- Azure SQL Managed Instance supports distributed transactions with minimal administrative effort.
- Azure SQL Managed Instance supports CLR and is great for “lift and shift” migrations.
- Azure SQL with vCore purchasing supports hybrid (combining licenses) and with an Elastic Pool you can have automatic scaling options too.
- Azure SQL Insights / diagnostic logs archived to a Storage account have retention configured in days; in Log Analytics the maximum (interactive) retention is 730 days.
- Azure Storage “Archive” Tier has a latency of “hours” but is cheapest for storage that is infrequently used.
- Azure Storage Block Blob Storage (a premium service) allows for high-performance workloads. Blobs allow for time-based retention policies if needed.
- Azure Storage Failover steps include configuring e.g. GRS, initiating a failover, and afterwards configuring GRS again to go back to the old situation.
- Azure Storage File Shares Premium is for transaction intensive loads with minimal latency and supports ZRS.
- Azure Storage General Purpose V2 with Hierarchical Namespaces support storage with subfolders at large scale.
- Azure Storage Hot Tier has low access costs. A container immutability policy (time-based retention) enforces a WORM (Write Once Read Many) state.
- Azure Storage Premium Block Blobs support Time-based retention policies and support ZRS when needed.
- Azure Storage Premium Block Blobs are useful for transaction-intensive scenarios (a single blob in a Standard General Purpose V2 account targets about 500 requests per second).
- Azure Synapse Analytics with Dedicated SQL pool allows parallel processing, for OLAP use Azure Analysis Services.
- Azure Synapse Analytics has a Serverless SQL pool which allows you to query data in place without the need to copy or load data into a specialized store.
- Azure Synapse link for Cosmos DB “enables customers to run near real-time analytics over their operational data with full performance isolation from their transactional workloads”.
- Azure Synapse Pipelines support ETL, if it lands in a Synapse Workspace you can use Azure Data Share to provide others restricted access.
- Azure Synapse supports Private Endpoints when using a Dedicated Virtual Network (see also Azure Synapse Security docs).
- Azure Table Storage supports REST API and allows for Geo-Redundant Storage (GRS) if needed.
- Azure Time Series Insights (deprecated!) and Azure Cosmos DB SQL API support storing and querying large streams of data.
- Azure Traffic Manager Profiles support Priority Traffic Routing with backups when primary destination fails.
- Azure Traffic Manager can provide redundancy if a region fails by directing traffic to another region.
- Azure Traffic Manager does not support rate-limiting.
- Azure Virtual Machines “B-series” are “burstable” allowing you to “build up credits” during low utilization periods.
- Azure Virtual Machines of DS series (in fact: most series) support SR-IOV (Accelerated Networking).
- Azure Virtual WAN SKU of Standard (not basic) supports ExpressRoute.
- Azure Virtual WAN with Secured Virtual Hub supports Point-to-Site VPN, ExpressRoute, transitive routing, and FQDN filtering.
- Blob Snapshots can save point-in-time versions on-demand thus saving storage space over Blob Versioning which uses space for each write being done.
- Block Blobs support Point-in-time Restore (it requires enabling Change Feed).
- Border Gateway Protocol (BGP) on VPN/ExpressRoute gateways lets Azure and on-premises routers exchange routes dynamically, so traffic involving on-premises machines is routed without maintaining static routes.
- Budgets can be combined with Resource Tags to group and allocate costs.
- Commitment Pricing Tier for a Workspace can save money from 100GB per day ingested over pay-as-you-go tier.
- Configure Supported Account Types to include users from any organizational directory if you need to.
- Configuring Supported Account Types also allows users from one directory to authenticate against apps in another tenant.
- Data Gateway with a Connection Gateway Resource would allow a Logic App to access on-premises servers.
- Databricks Tiers: credential passthrough (legacy) is a Premium Tier only feature (see the Databricks tier and credential passthrough docs).
- Dedicated SQL Pool is good for Hash-distributed tables; querying and updating Delta Lake requires Apache Spark Pools.
- Dependency Agent in Azure Monitoring: data about processes running on VM’s.
- Deployment Slots allow staging of a new app version before swapping it into production.
- Domain Controllers in an Azure Virtual Network can extend an on-premises Active Directory domain to Azure.
- Dynamic Data Masking can mask parts of a data field (e.g. show last characters only).
- Dynamic Data Masking limits sensitive data exposure by masking it to non-privileged users.
- Enterprise Applications (as created by Application Proxy) are what you set up to give remote users access to on-premises applications.
- Event Hubs Capture writes data in Avro format that in turn requires e.g. Azure Data Lake Storage Gen2 for storage.
- ExpressRoute association to Virtual WAN requires at least “Standard” SKU.
- Gateway Subnet recommended size is /27 (32 IPs, of which Azure reserves 5 per subnet) or larger (e.g. /26 or /25).
- Host Caching for Storage of SQL Server Data Disks: set None for Transaction Logs disk, and ReadOnly for Data disks.
- Host Groups can be set up 1 per zone for fault isolation and high availability.
- Hyperscale with a single Azure SQL database supports multiple read replicas
- IP flow verify overview: Azure Network Watcher feature to check if packets are allowed or denied to or from Azure VM’s.
- Just-in-time (JIT) VM access: to lock inbound traffic unless specifically needed. Conditional Access can add e.g. MFA requirements.
- Log Analytics workspaces can receive log data from for example an Azure Monitor Agent on a guest operating system.
- Managed Identities (System-assigned) allow resources to connect to other services with very little administrative effort.
- Managed Identities (System-assigned) prevent reuse of credentials between services.
- Managed Identities (User-assigned) can be assigned to multiple resources.
- Microsoft Entra (Azure AD) Application Proxy can be used for remote access to on-premises applications
- Microsoft Entra (Azure AD) Application Proxy with AD Enterprise Application can be extended with Conditional Access for e.g. MFA requirements.
- Microsoft Entra (Azure AD) B2B supports guest accounts to allow users from one tenant to sign in with their own identity and get roles in another tenant.
- Microsoft Entra (Azure AD) Connect Health supports email alerts.
- Microsoft Entra (Azure AD) Domain Services for hybrid organizations allows for LDAP queries from cloud to on-premises.
- Microsoft Entra (Azure AD) Enterprise Applications can help set up SSO.
- Microsoft Entra (Azure AD) Entitlement Management ensures guest (external) users can access resources appropriately.
- Microsoft Entra (Azure AD) Identity Protection helps roll-out of MFA.
- Microsoft Entra (Azure AD) Privileged Identity Management (PIM) manages, controls, and monitors (just-in-time) access to important resources; Managed Identities allow e.g. App Services to access Azure Key Vaults.
- Microsoft Entra (Azure AD) can be used to protect an API in Azure API Management: configure an APIM validate-jwt policy to check the token’s signature, issuer, audience and expiry.
- Microsoft Entra (Azure AD) can generate OAuth2 tokens which can be validated by Web API’s themselves.
- Microsoft Entra (Azure AD) supports registering applications, Application Management and Conditional Access (and its common decision points)
- Microsoft Entra Client Credentials Flow (OAuth2) is for service-to-service communication; on an Azure VM the Azure Instance Metadata Service (IMDS) hands out such a token for the VM’s Managed Identity without any stored secret.
- Microsoft Entra Entitlement Management allows sharing access to things with people outside your organization.
- Microsoft Entra Identity Governance can be used to set up automated governance tasks.
- Microsoft Entra MFA is enforced through the Grant control of a Conditional Access Policy (“Require multifactor authentication”).
- Microsoft Entra Password-based single sign-on (credential vaulting) is configured on an Enterprise Application and should only be used if the app cannot do SAML or OIDC.
- Premium SSD’s for Virtual Machines support 20,000 IOPS (Ultra disks 160,000 but are more expensive).
- Private Endpoints allow clients on a VNet to securely access data.
- Private Endpoints can be used if an ExpressRoute is involved.
- Recovery Services Vault holds Azure Backup and Site Recovery data; a Resource Guard adds multi-user authorization to critical operations (e.g. disabling soft delete or deleting backups).
- Resource Group location is where its metadata is stored, resources in that group can have a different location.
- Self-hosted Integration Runtimes let Data Factory reach data sources on-premises or in a private network.
- Service Principals are needed for on-premises apps authenticating to Azure resources.
- Shared Access Signatures (SAS) grant time-bound, scoped access to storage resources without handing out the account key.
- SQLInsights can send logs to workspaces, hubs, or archive to storage.
- Standard general-purpose v2 Storage accounts support Lifecycle Management and access tiers; premium file shares require a premium FileStorage account (standard accounts still offer standard file shares).
- Synthetic Transaction Monitoring will work with Application Insights
- Syslog table shows Linux events in Azure Monitor, and Event table shows Windows event logs in Azure Monitor.
- System-assigned Managed Identities minimize administrative effort usually, e.g. when Azure Functions need to query Log Analytics.
- Traffic Analytics: visualize network activity, identify hot spots, etc.
- Transparent Data Encryption (TDE) supports up to RSA 3072 for maximum encryption strength.
- User Administrator can create users and reset passwords, Helpdesk administrators can reset passwords but not create users
- A User Delegation SAS (signed with a Microsoft Entra identity instead of the account key) is only available for Blob storage; for file shares over SMB, Microsoft Entra (Azure AD) identity-based authentication is the secure option.
- vCore-based General Purpose tier gives good scaling options and is reasonably priced.
- Virtual Machine Scale Sets must be created with one per Host Group zone.
- Virtual Nodes allow AKS with Linux nodes to quickly provision while scaling.
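The SAS and stored access policy notes above (“Access Policy for Blob Service”, “Shared Access Signatures”) are easier to reason about when you see what is actually signed. The following is an added example, not code from the original page or from the Azure SDK: it builds and checks a service SAS the way the storage service does, using only the Python standard library. The account name and key are constructed sample values, and the 15-field string-to-sign layout is assumed to follow the published 2018-11-09 service SAS version; `verify_service_sas` is a model of the service-side check, with the container's stored access policies passed in as a dict so that deleting a policy shows the revocation effect.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed sample values (not a real account or key). A real account key is 64 random
# bytes, base64-encoded; this one is deterministic so the example runs offline.
ACCOUNT = "examplestorage"
ACCOUNT_KEY = base64.b64encode(bytes(range(64))).decode()
SAS_VERSION = "2018-11-09"   # assumed string-to-sign layout follows this service version


def _string_to_sign(account, container, blob, sp, st, se, si, sip, spr, sv):
    """15 newline-separated fields. Fields supplied by a stored access policy (sp/st/se)
    are signed as empty strings; the policy id (si) is signed instead."""
    canonical = f"/blob/{account}/{container}" + (f"/{blob}" if blob else "")
    sr = "b" if blob else "c"
    # trailing empties: signedSnapshotTime and the rscc/rscd/rsce/rscl/rsct header overrides
    return "\n".join([sp, st, se, canonical, si, sip, spr, sv, sr, "", "", "", "", "", ""])


def _sign(key_b64, string_to_sign):
    key = base64.b64decode(key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def make_service_sas(container, blob=None, *, permissions="", start="", expiry="",
                     policy_id="", ip="", protocol="https",
                     account=ACCOUNT, key_b64=ACCOUNT_KEY):
    """Return the SAS query string. With policy_id set, permissions/start/expiry must be
    omitted: the service reads them from the stored access policy at request time."""
    if policy_id and (permissions or start or expiry):
        raise ValueError("fields defined by the stored access policy must not be in the SAS")
    if not policy_id and not (permissions and expiry):
        raise ValueError("an ad-hoc SAS must carry its own permissions and expiry")
    sts = _string_to_sign(account, container, blob, permissions, start, expiry,
                          policy_id, ip, protocol, SAS_VERSION)
    params = {"sv": SAS_VERSION, "sr": "b" if blob else "c", "spr": protocol}
    if policy_id:
        params["si"] = policy_id
    if permissions:
        params["sp"] = permissions
    if start:
        params["st"] = start
    if expiry:
        params["se"] = expiry
    if ip:
        params["sip"] = ip
    params["sig"] = _sign(key_b64, sts)
    return urlencode(params)


def verify_service_sas(query, container, blob, stored_policies, *,
                       account=ACCOUNT, key_b64=ACCOUNT_KEY):
    """Model of the service-side check. stored_policies maps policy id -> dict(permissions,
    expiry) currently set on the container; removing an entry revokes every SAS using it."""
    q = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    si = q.get("si", "")
    if si and si not in stored_policies:
        return False, "stored access policy revoked or unknown"
    sts = _string_to_sign(account, container, blob, q.get("sp", ""), q.get("st", ""),
                          q.get("se", ""), si, q.get("sip", ""), q.get("spr", ""),
                          q.get("sv", ""))
    # the token's own claims are re-signed; any edit to sp/se/si changes the MAC
    if not hmac.compare_digest(_sign(key_b64, sts), q.get("sig", "")):
        return False, "signature mismatch"
    effective = stored_policies[si] if si else {"permissions": q.get("sp", ""),
                                                 "expiry": q.get("se", "")}
    return True, f"ok: permissions={effective['permissions']} expiry={effective['expiry']}"
```

An ad-hoc SAS carries its permissions and expiry inside the signed string, so the only way to revoke it early is to rotate the account key (which kills every other SAS too). A SAS that references a stored access policy signs only the policy id; the service looks the permissions up at request time, so deleting or shortening the policy invalidates those tokens and nothing else.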
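Several notes above say that API Management (validate-jwt) or the Web API itself can validate Entra-issued OAuth2 tokens and that app roles end up as claims. The block below is an added example, not code from the page, from APIM or from any Microsoft library: it shows the checks such a validator performs (signature, algorithm, issuer, audience, time window, required roles). Entra tokens are RS256-signed with keys published at the tenant's JWKS endpoint; to stay offline this example signs with HS256 and a constructed shared key, and the tenant id, audience and role names are made-up placeholders.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Stand-in for the identity provider (constructed HS256 signing; Entra uses RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def forge_payload(token: str, claims: dict) -> str:
    """Attacker move: keep the original signature, swap the payload. Must be rejected."""
    h, _, s = token.split(".")
    return f"{h}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{s}"


def validate_token(token: str, key: bytes, *, issuer: str, audience: str,
                   required_roles=(), now=None):
    """The checks an APIM validate-jwt policy or Web API middleware performs, in order.
    Returns (True, claims) or (False, reason)."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:                      # covers binascii.Error and JSONDecodeError
        return False, "malformed token"
    # pin the algorithm: never let the token choose how it is verified (alg=none attacks)
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    if now >= claims.get("exp", 0):         # a token without exp is treated as expired
        return False, "expired"
    if now < claims.get("nbf", 0):
        return False, "not yet valid"
    missing = set(required_roles) - set(claims.get("roles", []))
    if missing:
        return False, f"missing roles: {sorted(missing)}"
    return True, claims
```

The order matters in practice: signature first, so that nothing in an unauthenticated payload (including its `alg` header) influences later decisions; audience second, so a token minted for a different API in the same tenant cannot be replayed against this one.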
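The managed identity and client credentials notes above contrast two ways a workload gets a token for, say, Key Vault. The example below is added here and is not code from the page or from the Azure SDK: it shows both exchanges with the standard library only. The IMDS endpoint, `api-version`, `Metadata: true` header and response fields, and the v2.0 token endpoint form, are the documented ones; the tenant id, client id, secret and token strings are constructed, and the HTTP transport is injectable so the included `fake_http_factory` lets the code run offline.

```python
import json
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def _http(url, headers=None, data=None):
    """Default transport (real network). Tests inject a fake instead."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, resp.read()


def managed_identity_token(resource, client_id=None, http=_http):
    """Token for the VM's system-assigned (or, with client_id, a user-assigned) managed identity.
    No secret is stored anywhere: the link-local IMDS endpoint only answers code on the VM, and
    the mandatory Metadata header stops SSRF-style requests that cannot set headers."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = f"{IMDS_TOKEN_URL}?{urllib.parse.urlencode(params)}"
    status, body = http(url, headers={"Metadata": "true"})
    if status != 200:
        raise RuntimeError(f"IMDS returned {status}")
    doc = json.loads(body)
    return doc["access_token"], int(doc["expires_on"])      # expires_on is an epoch string


def client_credentials_token(tenant_id, client_id, client_secret, scope, http=_http):
    """OAuth2 client credentials flow for an app registration / service principal, e.g. an
    on-premises app that cannot have a managed identity. The secret must be stored and rotated."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,                     # e.g. https://vault.azure.net/.default
    }).encode()
    status, body = http(url, headers={"Content-Type": "application/x-www-form-urlencoded"},
                        data=form)
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}")
    doc = json.loads(body)
    return doc["access_token"], int(doc["expires_in"])      # expires_in is seconds


def fake_http_factory(log):
    """Constructed stand-in for both endpoints; records each request for inspection."""
    def fake(url, headers=None, data=None):
        headers = headers or {}
        log.append((url, headers, data))
        if url.startswith(IMDS_TOKEN_URL):
            if headers.get("Metadata") != "true":
                return 400, b'{"error":"missing Metadata header"}'
            q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
            return 200, json.dumps({"access_token": "imds-token-for-" + q["resource"][0],
                                    "expires_on": "1800000000",
                                    "token_type": "Bearer"}).encode()
        if "/oauth2/v2.0/token" in url:
            form = urllib.parse.parse_qs(data.decode())
            if form.get("client_secret") != ["constructed-secret"]:
                return 401, b'{"error":"invalid_client"}'
            return 200, json.dumps({"access_token": "cc-token", "expires_in": 3599,
                                    "token_type": "Bearer"}).encode()
        return 404, b""
    return fake
```

The difference that matters for the exam and for hardening: the managed identity path has nothing to leak or rotate, while the client credentials path has a secret that must live somewhere (ideally Key Vault, fetched with a managed identity, which is exactly the "Azure Functions or App Service reads Key Vault" pattern in the notes).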