Azure Well-Architected Framework & Cloud Adoption Framework for Databases
Why WAF & CAF Matter for DP-300β
DP-300 tests database-specific decisions within the broader Azure architecture context. WAF tells you how to build it right, CAF tells you how to get there.
Cloud Adoption Framework (CAF)
Strategy β Plan β Ready β Migrate β Innovate β Govern β Manage
Well-Architected Framework (WAF)
Reliability β’ Security β’ Cost Optimization β’ Performance β’ Operational Excellence
Azure Well-Architected Framework β The 5 Pillars for Databasesβ
Pillar 1: Reliabilityβ
Goal: Database can withstand failures and recover within acceptable RTO/RPO.
Reliability Decisions
Service Tier
GP: 99.99% SLA, ~30s failover
BC: 99.995% SLA, ~5-10s failover (zone-redundant)
Cross-Region DR
Failover Groups: auto failover + single endpoint
Geo-Replication: manual, up to 4 replicas
Backup Strategy
PITR: 7-35 days
LTR: up to 10 years
GRS: cross-region backup
| Reliability Checklist | Azure SQL DB | MI | SQL VM |
|---|---|---|---|
| Automated backups | β Built-in | β Built-in | β With IaaS Agent |
| Zone redundancy | β GP + BC | β GP + BC | Via Availability Zones |
| Cross-region DR | Failover Groups | Failover Groups | AG async replica |
| Auto failover | β Failover Groups | β Failover Groups | β AG + WSFC |
| Connection retry logic | Required in app | Required in app | Required in app |
π― Exam Focus
Reliability on exam: "Design for failure" β always implement connection retry logic with exponential backoff. Transient faults are expected in Azure SQL. Use SqlConnection with ConnectRetryCount and ConnectRetryInterval.
Pillar 2: Securityβ
Goal: Protect data at rest, in transit, and in use. Least-privilege access.
Security β Defense in Depth
Network
Private Endpoint, NSG, Firewall
Identity
Entra ID, MFA, Managed Identity
Data
TDE, Always Encrypted, RLS, Masking
Monitoring
Defender, Auditing, Purview, CDC
| Security Checkpoint | Best Practice | Anti-Pattern |
|---|---|---|
| Network | Private Endpoint + disable public access | Allow all Azure services (0.0.0.0) |
| Authentication | Entra ID + Managed Identity | SQL auth with passwords in code |
| Authorization | Least privilege, custom roles | db_owner for all users |
| Encryption at rest | TDE (default) + BYOK for compliance | Disable TDE |
| Encryption in transit | TLS 1.2 enforced | Allow TLS 1.0 |
| Sensitive data | Always Encrypted for PII | Store PII in plaintext |
| Auditing | Log Analytics + Storage | Auditing disabled |
Pillar 3: Cost Optimizationβ
Goal: Maximize value, minimize waste.
Cost Optimization Strategies
Azure Hybrid Benefit
Up to 55% savings with existing SQL licenses
Reserved Capacity
1yr: ~30%, 3yr: ~55% savings on committed use
Serverless
$0 compute when idle β perfect for dev/test
Elastic Pools
Share resources across DBs β 30-60% savings
Right-Sizing
Monitor usage, scale down β 20-50% savings
Tier Optimization
GP vs BC β don't overpay for unneeded perf
| Strategy | Savings | When to Use |
|---|---|---|
| Azure Hybrid Benefit | Up to 55% | You have SQL Server licenses with SA |
| AHB + Reserved (3yr) | Up to 80% | Long-term production workloads |
| Serverless | Pay only when active | Dev/test, intermittent workloads |
| Elastic Pools | 30-60% vs individual DBs | Multi-tenant SaaS |
| Right-sizing | 20-50% | Over-provisioned databases |
| GP instead of BC | ~50-60% | When < 2ms latency isn't needed |
π― Exam Focus
Exam cost questions: "Minimize cost for a database that's idle 18 hours/day" β Serverless. "Existing SQL licenses" β AHB + vCore. "50 tenant databases with variable load" β Elastic Pool. "Long-term production" β Reserved Capacity.
Pillar 4: Performance Efficiencyβ
Goal: Right resources for the workload, scale efficiently.
| Performance Decision | Options | Decision Factor |
|---|---|---|
| Compute model | DTU vs vCore, Provisioned vs Serverless | Predictable vs variable workload |
| Service tier | GP vs BC vs Hyperscale | Latency requirements, DB size |
| Read scale | BC read replica, Geo-rep secondary, Named replica | Offload reporting/analytics |
| Caching | Azure Cache for Redis | Hot data, session state |
| Indexing | Automatic tuning, manual design | Query patterns |
| Partitioning | Table partitioning, sharding | Very large tables (100M+ rows) |
Pillar 5: Operational Excellenceβ
Goal: Automate operations, monitor proactively, respond to incidents.
Infrastructure as Code
Bicep / Terraform / ARM
CI/CD for Schema
DACPAC / SqlPackage / Flyway
Monitoring
Azure Monitor + Log Analytics
Query Store + Alerts
Automation
Elastic Jobs / Runbooks
Azure Functions
Incident Response
Runbooks + Action Groups
PagerDuty / ServiceNow
π’ Real-World DBA Note
Oracle DBA parallel: WAF Operational Excellence = your Oracle ITIL practices (change management, incident management, capacity planning) translated to Azure-native tools. IaC replaces manual portal clicks. CI/CD for schema = Oracle Liquibase/Flyway. Monitoring = OEM β Azure Monitor.
Cloud Adoption Framework β Database Migration Journeyβ
The 7 Phasesβ
CAF β The 7 Phases
1. Strategy
Why migrate?
Business goals
2. Plan
Assess databases
Prioritize waves
3. Ready
Landing zone
VNet, KV, Policy
4. Migrate
Execute migration
DMS, MI Link, LRS
5. Innovate
Modernize
AI, real-time
6. Govern
Policies
Compliance
7. Manage
Operations
Monitor, patch
Phase 1: Strategy β Define Motivationsβ
| Motivation | Database Impact |
|---|---|
| Cost savings | Eliminate Oracle/SQL licensing costs β Azure PaaS |
| Data center exit | All databases must migrate β assess MI vs SQL DB vs VM |
| End of support | SQL 2012/2014 β migrate for security patches |
| Performance | On-prem hardware limits β Azure elastic scaling |
| Innovation | AI/ML capabilities, vector search, Copilot integration |
Phase 2: Plan β Assess & Prioritizeβ
Assessment Flow
Discover
Azure Migrate
Find all databases
Assess
DMA / SSMA
Compatibility, blockers
Size
SKU Recommender
Right-size target
Prioritize
Wave planning
Low-risk first
Wave planning strategy:
- Wave 1: Dev/test, non-critical databases (learn the process)
- Wave 2: Standard production databases (MI lift-and-shift)
- Wave 3: Complex databases with dependencies (custom migration)
- Wave 4: Mission-critical databases (last, with proven playbook)
Phase 3: Ready β Landing Zoneβ
A landing zone is the pre-configured Azure environment databases land in.
Database Landing Zone Components
VNet + Subnets
MI subnet (/27+), PE subnet, App subnet
Key Vault
TDE keys, connection strings, secrets
Log Analytics
Monitoring workspace for all databases
Azure Policy
Enforce TDE, auditing, min TLS 1.2
Tags
Environment, owner, cost center
Resource Groups
Per environment: dev / staging / prod
π― Exam Focus
Landing zone essentials for databases: 1) VNet with dedicated MI subnet (/27+) and PE subnet. 2) Key Vault for secrets/keys. 3) Log Analytics for monitoring. 4) Azure Policy to enforce security baselines (TDE on, auditing on, min TLS 1.2).
Phase 4: Migrate β Executeβ
See the Migration Strategy page for detailed migration methods (DMS, MI Link, LRS, BACPAC).
Phase 5: Innovate β Modernizeβ
| Innovation | What It Means |
|---|---|
| PaaS migration | SQL VM β MI or SQL DB (reduce management overhead) |
| AI integration | Add vector search, Copilot, Azure OpenAI to SQL workloads |
| Real-time analytics | Add Synapse Link or Fabric mirroring |
| Event-driven | CDC β Event Hub β real-time processing |
| Global distribution | Failover Groups + read replicas across regions |
Phase 6: Govern β Policies & Complianceβ
| Governance Control | Azure Implementation |
|---|---|
| Enforce encryption | Azure Policy: TDE must be enabled |
| Enforce auditing | Azure Policy: Auditing must be enabled |
| Enforce network security | Policy: Public access disabled, PE required |
| Cost management | Budgets + Cost Management alerts |
| Naming convention | Policy: Require tags, naming pattern |
| Data classification | Purview: Auto-classify sensitive data |
| Compliance | Defender for SQL: Vulnerability Assessment |
Phase 7: Manage β Ongoing Operationsβ
| Operations Area | Tools |
|---|---|
| Monitoring | Azure Monitor, Query Store, Intelligent Insights |
| Backup/Restore | Automated backups, LTR, geo-restore |
| Patching | Automatic (PaaS) or Update Management (VM) |
| Performance | Automatic tuning, index maintenance, stats |
| Security | Defender scans, audit reviews, access reviews |
| Cost | Advisor recommendations, Reserved Capacity |
| Incident response | Action Groups β email/SMS/Teams/PagerDuty |
WAF Assessment for Azure SQL β Quick Checklistβ
Use this checklist to score your database deployment against WAF pillars:
| # | Check | Pillar | Status |
|---|---|---|---|
| 1 | Zone-redundant deployment enabled? | Reliability | β |
| 2 | Cross-region DR (Failover Group or Geo-Rep)? | Reliability | β |
| 3 | Connection retry logic in application? | Reliability | β |
| 4 | Backup retention configured (7-35 days)? | Reliability | β |
| 5 | LTR configured for compliance? | Reliability | β |
| 6 | Private Endpoint enabled, public access disabled? | Security | β |
| 7 | Entra ID authentication (no SQL auth)? | Security | β |
| 8 | TDE enabled with BYOK? | Security | β |
| 9 | Auditing β Log Analytics? | Security | β |
| 10 | Defender for SQL enabled? | Security | β |
| 11 | Data classified (PII labeled)? | Security | β |
| 12 | Azure Hybrid Benefit applied? | Cost | β |
| 13 | Reserved Capacity for production? | Cost | β |
| 14 | Serverless for dev/test? | Cost | β |
| 15 | Right-sized (not over-provisioned)? | Cost | β |
| 16 | Query Store enabled and reviewed? | Performance | β |
| 17 | Automatic tuning on? | Performance | β |
| 18 | Index maintenance scheduled? | Performance | β |
| 19 | Statistics up to date? | Performance | β |
| 20 | Infrastructure as Code (Bicep/Terraform)? | Operations | β |
| 21 | CI/CD for schema changes? | Operations | β |
| 22 | Alert rules configured? | Operations | β |
| 23 | Tags applied (env, owner, cost center)? | Operations | β |
| 24 | Maintenance window configured? | Operations | β |
π’ Real-World DBA Note
Use this checklist with your DCSA customers. Walk through it during discovery calls β it immediately surfaces gaps and creates action items. Customers respect structured assessments over ad-hoc recommendations.
Flashcardsβ
What are the 5 WAF pillars?
Click to reveal answer
1) Reliability 2) Security 3) Cost Optimization 4) Performance Efficiency 5) Operational Excellence. For databases, each pillar maps to specific Azure SQL features and configurations.
1 / 7
Quizβ
A database must have 99.995% SLA with zone-redundant deployment. Which service tier and configuration should you use?