Course Content
Exam Overview & Fundamentals
This module introduces you to the AZ-305: Designing Microsoft Azure Infrastructure Solutions exam and sets the foundation for your learning journey. You’ll understand the exam structure, the skills measured, and how this certification differs from AZ-104. We’ll also explore the role of a Solution Architect vs an Azure Administrator, highlighting the shift from hands-on implementation to high-level design and decision-making. Finally, you’ll review the core design principles — security, scalability, reliability, and cost optimization — that guide every architecture decision in Azure. By completing this module, you’ll have a clear view of what to expect in the exam and the mindset needed to think like an Azure Solutions Architect.
0/3
AZ-305 Exam Overview & Skills Measured
Role of a Solution Architect vs Administrator
Core Design Principles
Designing Identity & Access Solutions
Identity is the foundation of every Azure solution. In this module, you’ll learn how to design secure, scalable, and flexible identity and access strategies that align with the Zero Trust model. We’ll cover how to structure Entra ID (formerly Azure AD), apply Conditional Access, integrate on-premises Active Directory, and secure privileged roles with Privileged Identity Management (PIM). You’ll also explore role-based access control (RBAC) to ensure least-privilege access and see how Azure Key Vault can be used to protect application secrets, keys, and certificates. By the end of this module, you’ll be able to: Design an enterprise-grade identity solution in Azure. Apply Conditional Access and MFA for secure authentication. Plan hybrid identity integration using AD Connect, PTA, or ADFS. Control and review privileged access with PIM. Implement RBAC at the right scope for proper governance. Secure secrets and encryption keys using Key Vault. This module is heavily tested on the exam, often through scenario-based case studies, making it a critical area to master for your AZ-305 success.
0/6
Entra ID (Azure AD) Design Principles
Conditional Access, MFA, and Zero Trust
Hybrid Identity (AD Connect, ADFS, Cloud Sync)
Privileged Identity Management (PIM) & Just-in-Time Access
RBAC Design Best Practices
Designing Key Vault Solutions
Designing Identity & Access Solutions
Description Identity is the foundation of Azure security and governance. In this module, you’ll learn how to design enterprise-grade identity and access strategies using Microsoft Entra ID (formerly Azure AD). You’ll explore how to apply Conditional Access and MFA, integrate on-premises Active Directory, secure privileged roles with Privileged Identity Management (PIM), and enforce Role-Based Access Control (RBAC) across different scopes. We’ll also dive into Azure Key Vault, which protects secrets, keys, and certificates, ensuring applications and workloads meet compliance and security requirements. By mastering this module, you’ll be equipped to design identity solutions that follow the Zero Trust model and meet both business and regulatory needs. What Will I Learn? How to structure and design Entra ID tenants for internal, partner, and customer access. Designing Conditional Access policies and MFA enforcement to reduce sign-in risks. Choosing the right hybrid identity solution (AD Connect, PTA, ADFS, or Cloud Sync). Securing privileged roles with PIM and enabling just-in-time access. Applying RBAC at management group, subscription, resource group, and resource scope. Designing Key Vault solutions for managing secrets, keys, and certificates securely.
0/4
Management Groups & Subscription Strategy
Azure Policy & Initiatives in Design
Blueprints vs Landing Zones
Resource Groups, Tags & Locks
Designing Governance Solutions
Description Governance is critical for managing Azure environments at scale. Without clear governance, organizations risk inconsistent security, cost overruns, and compliance failures. In this module, you’ll learn how to design effective governance strategies using management groups, subscriptions, policies, and initiatives. We’ll also compare Blueprints vs Landing Zones to understand how Azure provides ready-made frameworks for consistent deployments. Finally, we’ll cover resource-level governance with Resource Groups, Tags, and Locks, which ensure resources are organized, classified, and protected from accidental deletion. By mastering these concepts, you’ll be able to design governance solutions that balance flexibility, compliance, and manageability across large enterprise environments. What Will I Learn? How to structure subscriptions using Management Groups for enterprise-wide governance. Best practices for subscription strategies across departments and environments. How to design and apply Azure Policies to enforce compliance and consistency. The role of Policy Initiatives for bundling related compliance requirements. When to use Blueprints vs Landing Zones for enterprise deployments. How to apply Resource Groups, Tags, and Locks for resource organization and protection.
0/4
Azure Monitor & Metrics Design
Log Analytics Workspace Strategy
Application Insights for Modern Apps
Sentinel vs Defender for Cloud in Solution Design
Designing Monitoring & Logging Solutions
Description Visibility and security are critical to designing reliable cloud environments. In this module, you’ll learn how to design monitoring, logging, and security monitoring solutions using Azure’s core observability services. We’ll start with Azure Monitor, the central platform for metrics and alerts, and then explore how to design Log Analytics Workspaces for centralized log collection and compliance. You’ll also learn how to use Application Insights to track application performance and user behavior, and how to design security monitoring with Microsoft Sentinel and Microsoft Defender for Cloud. By the end of this module, you’ll know how to design monitoring and logging solutions that provide operational visibility, improve performance, and strengthen security across enterprise Azure environments. What Will I Learn? How to design Azure Monitor solutions for metrics, logs, alerts, and insights. Best practices for Log Analytics Workspace design, retention, and access. How to use KQL queries to analyze log data. Designing Application Insights for distributed applications and performance tracking. When to use Microsoft Defender for Cloud for posture management and workload protection. When to use Microsoft Sentinel for SIEM/SOAR across Azure, hybrid, and multi-cloud.
0/8
Choosing Between Blob, File, Table, and Queue Storage
Storage Redundancy & Performance Tiers (LRS, ZRS, GRS, RA-GRS)
Azure SQL Database vs Managed Instance vs SQL on VMs
Cosmos DB Design Patterns & Use Cases
Azure Storage Security & Encryption (SAS, RBAC, CMK, Encryption-at-Rest)
Backup, Recovery & Archival Storage Design
Hybrid Storage with Azure File Sync & StorSimple
Exam Tips & Common Pitfalls for Storage
Designing Networking Solutions
Description Networking is the backbone of any Azure solution. Without proper design, even well-architected applications can face latency, security gaps, or connectivity failures. In this module, you’ll learn how to design networking strategies that ensure secure, scalable, and resilient connectivity across Azure, on-premises, and hybrid environments. We’ll cover Virtual Network design, VNet peering and hub-and-spoke architecture, hybrid connectivity with VPN and ExpressRoute, and network security controls such as NSGs, Azure Firewall, and Private Endpoints. You’ll also learn how to design for scalability with load balancers, Front Door, and CDN, while balancing cost and performance. By the end of this module, you’ll be able to design networking solutions that meet enterprise needs for isolation, security, performance, and global reach. What Will I Learn? Best practices for designing Virtual Networks (VNets) and subnets. How to design VNet peering and use hub-and-spoke models for scalability. Hybrid connectivity options: VPN Gateway vs ExpressRoute. Designing network security using NSGs, Azure Firewall, and Private Endpoints. How to use Azure Load Balancer, Application Gateway, Front Door, and CDN for availability and performance. Strategies to avoid IP overlap, routing conflicts, and single points of failure.
0/6
Virtual Network (VNet) Design Principles
VNet Peering & Hub-and-Spoke Architecture
Hybrid Connectivity – VPN Gateway vs ExpressRoute
Network Security – NSGs, Azure Firewall, Private Endpoints
Load Balancing & Global Distribution (Load Balancer, Application Gateway, Front Door, CDN)
Exam Tips & Common Pitfalls for Networking
Designing Compute Solutions
Description Compute is at the heart of every Azure workload. Whether it’s running virtual machines, scaling containerized workloads, or hosting modern serverless applications, choosing the right compute option is critical for cost, performance, and reliability. In this module, you’ll explore how to design compute solutions in Azure across multiple models: Virtual Machines (VMs) for traditional workloads. App Services for managed web hosting. Azure Functions for serverless event-driven applications. AKS (Azure Kubernetes Service) and containers for microservices and modern distributed architectures. VM Scale Sets and Autoscaling for elasticity. You’ll also learn when to use Platform-as-a-Service (PaaS) vs Infrastructure-as-a-Service (IaaS), how to implement availability and resilience across regions, and how to design application architectures that integrate APIs, messaging, and caching. By the end of this module, you’ll know how to design compute environments that are resilient, scalable, cost-optimized, and aligned with business requirements. What Will I Learn? When to use Virtual Machines vs App Services vs Functions vs Containers/AKS. How to design VM Scale Sets and use autoscaling for elastic workloads. Designing availability and resiliency using Availability Zones and paired regions. Best practices for serverless architectures (Functions, Logic Apps, Event Grid). Designing containerized solutions with AKS and ACR (Azure Container Registry). How to integrate compute with APIs, messaging (Service Bus/Event Grid), and caching (Azure Redis) in application architecture. Trade-offs between IaaS, PaaS, and serverless compute models in Azure.
0/6
Virtual Machines & Scale Sets Design Principles
App Services & PaaS Compute Design
Serverless Computing (Azure Functions, Logic Apps, Event Grid)
Containers & AKS (Azure Kubernetes Service)
Designing Application Architecture (APIs, Messaging, Caching, Config Management)
Exam Tips & Common Pitfalls for Compute
Designing Business Continuity Solutions
Description Business continuity is about ensuring your applications and data remain available, recoverable, and resilient even in the face of failures — whether they are system crashes, natural disasters, or accidental deletions. In Azure, this means designing for backup, disaster recovery, and high availability using the right mix of services and architectural patterns. In this module, you’ll learn how to design continuity strategies for Azure workloads, including Azure Backup, Site Recovery (ASR), storage redundancy models, database replication, and geo-distribution. We’ll also explore how to define and design around Recovery Time Objective (RTO) and Recovery Point Objective (RPO), ensuring that business needs align with technical capabilities. By the end of this module, you’ll be able to design resilient architectures that protect data, minimize downtime, and ensure applications can recover quickly in the event of outages. What Will I Learn? Core concepts of business continuity, RTO, and RPO. How to design backup strategies with Azure Backup and Recovery Services Vaults. Disaster Recovery planning with Azure Site Recovery (ASR). High availability patterns using Availability Zones, paired regions, and geo-redundant storage. Database replication and failover options (SQL Always On, Cosmos DB multi-region, etc.). Designing resilient applications with traffic failover (Traffic Manager, Front Door). Best practices for testing failover and recovery plans in Azure.
0/6
Understanding RTO, RPO, and High Availability Concepts
Designing Backup Strategies with Azure Backup
Designing Disaster Recovery with Azure Site Recovery (ASR)
Database Replication & Geo-Redundancy (SQL, Cosmos DB, Storage)
Designing Traffic Failover & Global Distribution (Traffic Manager, Front Door, Load Balancers)
Exam Tips & Common Pitfalls for Business Continuity
Designing Identity, Security & Governance Solutions
Description Identity and governance are the cornerstones of secure cloud adoption. Without proper access control, policy enforcement, and security management, even well-architected workloads can become vulnerable. In this module, you’ll learn how to design Azure solutions that use Microsoft Entra ID (formerly Azure AD) for authentication, Role-Based Access Control (RBAC) for authorization, and Azure Key Vault for securing secrets. We’ll also cover governance tools like Management Groups, Subscriptions, and Resource Groups, along with Azure Policy, Blueprints, and Cost Management to enforce compliance and track cloud spending. Finally, you’ll learn how to integrate monitoring, logging, and security services like Azure Monitor, Defender for Cloud, and Sentinel to build a comprehensive governance and security framework. By the end of this module, you’ll be able to design architectures that are secure, compliant, and well-governed, meeting both technical and regulatory requirements. What Will I Learn? How to design identity solutions with Microsoft Entra ID, hybrid identity, and guest access (B2B). How to apply Role-Based Access Control (RBAC) for least-privilege access. Securing secrets and certificates using Azure Key Vault. Designing governance with Management Groups, Subscriptions, and Resource Groups. Enforcing compliance with Azure Policy and Blueprints. Designing for cost management and tagging strategies. Integrating monitoring and logging using Azure Monitor, Activity Logs, and Log Analytics. Enhancing security posture with Defender for Cloud and Sentinel SIEM/SOAR.
0/6
Designing Identity with Entra ID (Users, Groups, Guest Access, Hybrid Identity)
Role-Based Access Control (RBAC) & Least Privilege Design
Securing Secrets & Certificates with Azure Key Vault
Governance with Management Groups, Subscriptions & Resource Groups
Azure Policy, Blueprints & Cost Governance
Monitoring, Security Posture & SIEM (Defender for Cloud & Sentinel)
Designing Migration Solutions
Description Migration is a critical phase of cloud adoption. Most organizations don’t start fresh in Azure — they move existing workloads, applications, and data from on-premises or other clouds. Poorly designed migrations can lead to downtime, data loss, cost overruns, and compliance issues. In this module, you’ll learn how to design end-to-end migration strategies in Azure, including workload assessments, migration tools, and modernization patterns. We’ll cover Azure Migrate as the central migration hub, explore migration strategies such as Rehost, Refactor, Rearchitect, and Rebuild, and review workload-specific migration considerations (VMs, databases, web apps, storage). You’ll also learn how to design migrations for compliance, minimal downtime, and business continuity, ensuring organizations move to Azure securely and efficiently. What Will I Learn? The Azure Migrate framework: discovery, assessment, and migration. Migration strategies: Rehost (lift & shift), Refactor, Rearchitect, Rebuild. How to migrate VMs and applications with minimal downtime. Database migration tools: Azure Database Migration Service (DMS), SQL Managed Instance migration. Storage migration approaches: File shares to Azure Files or Blob storage. Modernization opportunities during migration (serverless, PaaS adoption). Designing for compliance and governance during migration. Ensuring continuity with hybrid and phased migration approaches.
0/5
Azure Migrate Framework (Discovery, Assessment, Migration)
Migration Strategies (Rehost, Refactor, Rearchitect, Rebuild)
Workload-Specific Migrations (VMs, Databases, Web Apps, Storage)
Hybrid & Phased Migration Approaches
Exam Tips & Common Pitfalls in Migration
Designing Monitoring & Optimization Solutions
Description Migrating to Azure is only the beginning — the real challenge is ensuring workloads remain healthy, cost-efficient, and performant over time. Without proper monitoring and optimization, resources may become underutilized, overspend budgets, or suffer downtime unnoticed. In this module, you’ll learn how to design end-to-end monitoring, alerting, and optimization solutions using Azure’s native tools. We’ll cover Azure Monitor, Log Analytics, and Application Insights for observability, along with alerts, dashboards, and KQL queries for troubleshooting. You’ll also explore cost and performance optimization strategies, such as Autoscaling, Azure Advisor recommendations, Reserved Instances, Spot VMs, and performance tuning for apps and databases. The focus is on creating proactive, automated monitoring frameworks that align with business SLAs while controlling cloud spend. What Will I Learn? Core monitoring architecture with Azure Monitor, Metrics, and Activity Logs. How to use Log Analytics and KQL queries for deep insights. Application monitoring with Application Insights (APM, dependencies, telemetry). Building dashboards, alerts, and action groups for proactive response. Designing automated remediation with Logic Apps & Automation Runbooks. Cost optimization strategies: Azure Advisor, Reserved Instances, Spot VMs. Performance optimization strategies for compute, storage, and databases. Best practices for SLA alignment, alert fatigue reduction, and governance integration.
0/6
Azure Monitor, Metrics & Logs – Foundation of Monitoring
Log Analytics & KQL (Deep Insights & Querying Telemetry)
Application Insights (APM, Dependencies, Telemetry)
Alerts, Dashboards & Automated Response
Cost & Performance Optimization Strategies
Exam Tips & Common Pitfalls for Monitoring & Optimization
Designing Governance, Compliance & Identity Protection Solutions
Description As organizations expand their cloud footprint, ensuring governance, compliance, and identity protection becomes critical. Without strong guardrails, workloads may violate regulatory requirements, data may leak, and privileged accounts may be exploited. This module focuses on designing solutions that maintain control, compliance, and security across Azure environments. You’ll learn how to use Azure Policy, Blueprints, and Management Groups for governance, integrate compliance frameworks (ISO, HIPAA, NIST) into your designs, and implement identity protection strategies with Microsoft Entra (Azure AD). We’ll also explore Defender for Cloud, Purview, and Sentinel for regulatory compliance, data governance, and security incident monitoring — ensuring your designs align with enterprise security and compliance needs. What Will I Learn? How to enforce governance controls using Management Groups, Subscriptions, and Resource Groups. Designing policy-driven compliance with Azure Policy & Blueprints. Applying regulatory compliance frameworks (ISO, HIPAA, PCI DSS, NIST). Using Microsoft Purview for data governance and sensitivity labeling. Designing identity protection with Entra ID features: Conditional Access, Identity Protection, MFA, and PIM. Leveraging Defender for Cloud for compliance assessments and recommendations. Integrating Sentinel for security incident response and compliance reporting. Best practices for aligning governance with cost, security, and performance objectives.
0/7
Governance Frameworks – Management Groups, Subscriptions & Policies
Compliance with Policies & Blueprints (Regulatory Frameworks)
Governance Controls & Data Security in Azure
Identity Protection with Conditional Access, MFA & PIM
Security Posture & Compliance with Defender for Cloud & Sentinel
Tagging, Cost Governance & Resource Locks
Exam Tips & Common Pitfalls in Governance & Identity Protection
Designing Resiliency & High Availability Solutions
Description Even the best cloud solutions will fail if they don’t account for resiliency and high availability (HA). Outages can happen at the VM, datacenter, or even regional level — and architects must design for continuity by ensuring workloads can recover quickly and stay online. In this module, you’ll learn how to design resilient architectures that use Availability Sets, Availability Zones, Load Balancers, Traffic Manager, and Front Door to provide redundancy and fault tolerance. We’ll also cover resiliency in databases (SQL Auto-Failover Groups, Cosmos DB multi-region), storage replication (LRS, ZRS, GRS, RA-GRS), and application patterns that support scale and failover. The focus is on designing for failure, minimizing downtime, and aligning designs with business SLAs for mission-critical workloads. What Will I Learn? Core resiliency concepts: fault domains, update domains, redundancy models. Designing intra-region availability with Availability Sets & Availability Zones. Designing inter-region resiliency with Paired Regions, Traffic Manager, Front Door. Load balancing strategies at Layer 4 (Azure Load Balancer) and Layer 7 (Application Gateway, Front Door). Resiliency in databases with SQL Auto-Failover Groups and Cosmos DB global distribution. Storage redundancy options: LRS, ZRS, GRS, RA-GRS and when to use each. Designing resilient apps using retry logic, queues, and decoupled architectures. Best practices for aligning designs with RTO, RPO, and SLA requirements.
0/6
Availability Sets & Availability Zones (Intra-Region Resiliency)
Load Balancing Strategies (Azure Load Balancer, Application Gateway, Front Door, Traffic Manager)
Database & Storage Resiliency (SQL Auto-Failover, Cosmos DB, GRS, RA-GRS)
Application Resiliency Patterns (Retry Logic, Queues, Decoupling, Circuit Breakers)
Designing Global Resiliency with Region Pairs, Traffic Manager & Front Door
Exam Tips & Common Pitfalls in Resiliency & High Availability
Designing Data Storage & Database Solutions
Description Every application relies on data, and designing the right storage and database architecture is critical for scalability, performance, security, and cost optimization. In Azure, architects must choose the correct storage service (Blob, Files, Tables, Queues) and the right database solution (SQL Database, SQL Managed Instance, Cosmos DB, PostgreSQL/MySQL) based on workload requirements. This module focuses on designing data storage and database solutions that meet business requirements for availability, consistency, security, and cost. You’ll explore partitioning, indexing, sharding, replication, and global distribution, as well as encryption and backup strategies to safeguard data. By the end of this module, you’ll be able to evaluate trade-offs between different Azure storage/database options and align them with enterprise-grade workloads. What Will I Learn? Core Azure storage services: Blob, File, Table, Queue storage. Choosing between SQL Database, SQL Managed Instance, and VMs with SQL Server. When to use Cosmos DB for globally distributed, low-latency applications. Partitioning, indexing, and sharding strategies for performance scaling. Database replication, read replicas, and Auto-Failover Groups. Data encryption at rest and in transit (TDE, Always Encrypted, Key Vault). Backup and restore strategies across storage and databases. Trade-offs: relational vs non-relational, structured vs unstructured storage. Cost optimization: storage tiers (hot, cool, archive), reserved capacity, serverless DB tiers.
0/6
Core Azure Storage Services (Blob, File, Table, Queue)
Relational Database Options (SQL Database, Managed Instance, SQL on VMs)
Cosmos DB & NoSQL Global Distribution
Partitioning, Scaling & Performance Tuning in Azure Databases
Encryption, Backup & Restore Strategies in Azure Databases & Storage
Exam Tips & Common Pitfalls in Data Storage & Database Design
Designing Application Integration Solutions
Description Modern cloud solutions rarely operate in isolation. Applications must communicate, share data, and trigger events across distributed systems. Azure provides a rich set of messaging, eventing, and API management services to build scalable, loosely coupled, and resilient integrations. This module covers the design of application integration patterns using Azure Service Bus, Event Grid, Event Hubs, and API Management. You’ll learn when to use message queues vs event streams, how to implement publish/subscribe patterns, and how to expose APIs securely to internal and external consumers. By the end of this module, you’ll be able to design integration architectures that support decoupling, real-time eventing, big data ingestion, and secure API management, while aligning with enterprise governance and performance requirements. What Will I Learn? The difference between messaging vs eventing in application design. How to design reliable messaging with Azure Service Bus (queues, topics, dead-lettering). Event-driven integration using Azure Event Grid (serverless, push model). Large-scale data ingestion with Azure Event Hubs. Secure and manage APIs with Azure API Management (APIM). Integration patterns: publish/subscribe, fan-out, request/reply, async decoupling. Choosing the right service based on requirements (latency, reliability, scale). Security and governance in integration: authentication, throttling, API gateways. Best practices for building scalable and decoupled architectures.
0/6
Azure Service Bus (Queues, Topics, Dead-Lettering)
Azure Event Grid (Serverless Eventing & Pub/Sub)
Azure Event Hubs (Streaming & Telemetry Ingestion)
Azure API Management (APIM – Secure API Gateway & Integration)
Integration Patterns & Best Practices (Pub/Sub, Fan-Out, Request/Reply, Decoupling)
Exam Tips & Common Pitfalls in Application Integration
Designing Security & Compliance Solutions (Advanced)
Description Security and compliance are enterprise-critical when designing Azure solutions. While earlier modules covered basics like RBAC, MFA, and Azure Policy, this advanced module dives deeper into encryption, networking security, zero trust, threat protection, and compliance frameworks. You’ll learn how to design solutions that protect workloads against data breaches, insider threats, and external attacks, while also ensuring compliance with regulations such as HIPAA, GDPR, PCI DSS, ISO 27001, and NIST. This module emphasizes defense-in-depth — securing identities, data, networks, and workloads with layered Azure services such as Key Vault, Private Endpoints, NSGs, Azure Firewall, DDoS Protection, Microsoft Defender for Cloud, and Microsoft Sentinel. What Will I Learn? Advanced identity security beyond MFA (Conditional Access, Identity Protection, PIM). Network security: NSGs, ASGs, Azure Firewall, Private Endpoints, and DDoS Protection. Encryption best practices for data at rest, in transit, and in use (TDE, Always Encrypted, Key Vault, Confidential Computing). Designing Zero Trust architectures in Azure. Integrating Defender for Cloud for compliance scoring and recommendations. Using Microsoft Sentinel for threat detection and automated incident response. Mapping Azure security services to compliance frameworks (HIPAA, GDPR, PCI DSS, ISO, NIST). Best practices for securing hybrid/multi-cloud environments with Azure Arc.
0/6
Advanced Identity Security (Conditional Access, Identity Protection, PIM)
Network Security (NSGs, ASGs, Azure Firewall, Private Endpoints, DDoS Protection)
Data Encryption & Key Vault (TDE, Always Encrypted, CMK, Confidential Computing)
Zero Trust & Defense-in-Depth Design in Azure
Defender for Cloud & Microsoft Sentinel (Threat Protection & Compliance Monitoring)
Compliance & Governance Frameworks (ISO, HIPAA, PCI DSS, GDPR, NIST) + Exam Pitfalls
Exam Preparation, Scenarios & Common Pitfalls
0/1
Exam Preparation, Scenarios & Common Pitfalls
Survey
0/1
Survey
AZ-305: Designing Microsoft Azure Infrastructure Solutions

Why Log Analytics & KQL?

Metrics give you what is happening right now, but for troubleshooting, auditing, and root-cause analysis, you need deep insights from logs. That’s where Log Analytics and Kusto Query Language (KQL) come in.

They allow you to query, correlate, and visualize telemetry data from Azure resources, applications, and hybrid environments.

Log Analytics Overview

Definition:
A feature of Azure Monitor that provides a centralized workspace for storing and analyzing logs using KQL.

Sources of Logs:

  • Azure Activity Logs (who created/deleted resources).

  • Resource Logs (VM events, NSG flow logs, database queries).

  • Application Insights telemetry.

  • Security & compliance logs (via Defender for Cloud, Sentinel).

KQL (Kusto Query Language) Basics

1. Structure

  • SQL-like but optimized for log/time-series data.

  • Example:

 
AzureActivity
| where OperationName == "Delete Virtual Machine"
| project ResourceGroup, Caller, TimeGenerated

2. Common Operators

  • where → filter data.

  • project → select columns.

  • summarize → aggregate results.

  • join → combine logs from multiple tables.

  • render → visualize (chart, timechart, pie).

3. Example Queries

  • Find top 5 VMs with highest CPU:

 
Perf
| where ObjectName == "Processor" and CounterName == "% Processor Time"
| summarize AvgCPU = avg(CounterValue) by Computer
| top 5 by AvgCPU

  • Detect failed logins:

 
SigninLogs
| where ResultType != 0
| summarize count() by UserPrincipalName, ResultType

Best Practices

  • Use separate workspaces per environment (Dev, Prod) but centralize queries via dashboards.

  • Set retention policies → avoid unnecessary storage costs.

  • Save frequent queries as workbooks or dashboards for visualization.

  • Combine Log Analytics with Alerts → proactive notifications.

Example Enterprise Scenario

A financial services company requires:

  • Detect unusual admin logins.

  • Track VM CPU usage trends over 30 days.

  • Investigate network traffic from unknown IP ranges.

Correct design:

  • Send Entra ID sign-in logs to Log Analytics.

  • Run KQL query to detect abnormal login attempts.

  • Collect VM Perf counters to analyze CPU usage.

  • Use NSG flow logs for traffic monitoring.

Confusion Buster

  • Metrics vs KQL Logs

    • Metrics = real-time performance (numbers).

    • Logs = historical + contextual data (events).

  • Log Analytics vs Sentinel

    • Log Analytics = query engine.

    • Sentinel = SIEM built on top of Log Analytics.

  • Retention vs Export

    • Retention = keep logs in workspace.

    • Export = send logs to external SIEM or storage.

Exam Tips

  • “Which query language is used in Log Analytics?” → KQL.

  • “Which tool helps investigate failed login attempts?” → Log Analytics with KQL.

  • “Which service correlates NSG flow logs with traffic analysis?” → Log Analytics.

  • “Which feature stores logs for historical analysis?” → Log Analytics Workspace.

What to Expect in the Exam

  • Direct Q: “Which language is used in Azure Monitor Log Analytics?” → KQL.

  • Scenario Q: “Company wants to investigate who deleted a VM.” → Query Activity Logs in Log Analytics.

  • Scenario Q: “Company wants to visualize CPU usage trend for last month.” → KQL query with timechart.

  • Trick Q: “KQL and SQL are interchangeable.” → False.

Previous
Next