Every architecture decision in Azure must balance four pillars:

1. Security

• Protect identity → MFA, Conditional Access, PIM.

• Protect data → Encryption at rest (TDE, ADE, SSE), Encryption in transit (TLS/VPN).

• Protect secrets → Key Vault.

• Protect apps → App Gateway WAF, DDoS.

2. Scalability

• Scale up → Bigger VM size.

• Scale out → VM Scale Sets, AKS pods, App Service instances.

• Auto-scale → Based on CPU, memory, or demand metrics.

3. Reliability & High Availability

• Availability Sets (rack-level resilience).

• Availability Zones (datacenter-level resilience).

• Geo-redundancy (cross-region failover).

• Load balancing (L4 vs L7).

• Disaster Recovery (ASR).

4. Cost Optimization

• Use reserved instances for steady workloads.

• Spot VMs for fault-tolerant jobs.

• Right-size storage tiers (Hot, Cool, Archive).

• Set budgets and alerts.

Confusion Buster 🚨

• Don’t confuse availability (system stays up) with disaster recovery (system recovers after going down).

• Don’t assume “best design” always means most expensive — exam often expects you to optimize costs while meeting requirements.

Example Scenario

A startup runs an app that:

• Must scale during flash sales.

• Needs 99.99% uptime.

• Has a limited budget.

➡️ Correct Design:

• Deploy web tier in VM Scale Sets across Availability Zones.

• Use App Gateway with WAF for front-end.

• Enable auto-scaling rules.

• Use Spot VMs for background jobs.

Exam Tip

When two answers look correct, pick the one that:

• Meets requirements (security, uptime, compliance).

• Is cost-optimized.

• Uses PaaS/serverless over IaaS if possible.

What to Expect in the Exam

• “Company needs 99.99% uptime for VMs.” → Availability Zones.

• “Which principle ensures system continues to function during hardware failure?” → Reliability/HA.

• “How to reduce cost of steady-state workloads?” → Reserved Instances.