AZ-400 - Design and Implement Infrastructure as Code
1. Infrastructure as Code (IaC) Concepts
Infrastructure as Code is the practice of managing and provisioning infrastructure through machine-readable definition files rather than manual configuration. IaC enables version control, repeatability, consistency, and automated testing of infrastructure deployments.
Declarative vs Imperative
IaC Approaches
Declarative (desired state) approaches describe what the infrastructure should look like. The tool determines how to reach that state. Examples: ARM templates, Bicep, Terraform. Imperative approaches specify the exact commands to execute in order. Examples: Azure CLI scripts, PowerShell scripts. Declarative is generally preferred for IaC because it is idempotent and self-documenting.
2. ARM Templates
Azure Resource Manager (ARM) templates are JSON files that define Azure resources declaratively. They are processed by the ARM API, which orchestrates the deployment of resources in the correct order based on dependencies.
Template Structure
ARM Template Sections
An ARM template contains: $schema (template version), contentVersion (template versioning), parameters (input values at deployment), variables (computed values), functions (user-defined functions), resources (Azure resources to deploy), and outputs (return values). Templates support conditional deployment with the condition property and iteration with copy loops.
Linked and Nested Templates
Linked templates are separate template files referenced via URLs, enabling modular reuse. They must be accessible to Resource Manager via a public URL or a URL with a SAS token. Nested templates are defined inline within the parent template. Linked templates are preferred for large deployments because they promote modularity and can be independently tested. Template specs store templates as Azure resources so they can be versioned and shared.
Deployment Modes
Incremental vs Complete
Incremental mode (default) adds or updates resources defined in the template but leaves existing resources unchanged. Complete mode deletes resources in the resource group that are not defined in the template. Complete mode should be used cautiously as it can inadvertently remove resources. Use what-if operations to preview changes before deployment.
3. Bicep
Bicep Overview
Bicep is a domain-specific language (DSL) for deploying Azure resources. It compiles to ARM JSON templates. Bicep offers a cleaner syntax than raw ARM JSON, with features like type safety, module support, automatic dependency management, and IntelliSense in VS Code. Bicep is the recommended authoring language for ARM deployments.
4. Terraform
Terraform is a multi-cloud IaC tool by HashiCorp that uses HashiCorp Configuration Language (HCL). It supports Azure through the AzureRM provider.
Terraform Workflow
Core Commands
terraform init initializes the working directory and downloads providers. terraform plan creates an execution plan showing what changes will be made. terraform apply applies changes to reach the desired state. terraform destroy removes all managed resources. Terraform maintains state in a state file that maps configuration to real-world resources.
Remote State Management
Terraform state should be stored remotely for team collaboration. Azure Storage with a blob container and state locking (via Azure Storage blob leases) is the recommended backend for Azure deployments. Remote state enables team members to share state, prevents concurrent modifications, and provides state history.
Terraform in Azure Pipelines
Pipeline Integration
Terraform can be run in Azure Pipelines using the Terraform extension from the marketplace or shell script tasks. Best practices include: storing Terraform files in source control, running terraform plan in a PR pipeline for review, using approval gates before terraform apply, and storing the plan file as a pipeline artifact for consistent apply operations.
5. YAML-Based IaC Pipelines
IaC Pipeline Patterns
A typical IaC pipeline includes: Linting (validate template syntax), Validation (dry-run deployment), What-if / Plan (preview changes), Approval gate (manual review of changes), and Deploy (apply changes). For ARM/Bicep, use the AzureResourceManagerTemplateDeployment task. For Terraform, use init/plan/apply steps. Store IaC code alongside application code for unified PR reviews.
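The Terraform flow described under Pipeline Integration and the lint / validate / plan / approval / deploy pattern above, as an added Azure Pipelines example (not code from the page): it assumes an infra folder whose Terraform code declares an empty azurerm backend block completed from a backend.prod.hcl file, a service connection named azure-prod, and an environment named prod-infra on which a manual approval check has been configured.

```yaml
# Added example (not from the page). Placeholders: 'azure-prod' connection, 'infra' folder, backend.prod.hcl, 'prod-infra' environment with an approval check.
trigger: { branches: { include: [ main ] } }
pr: { branches: { include: [ main ] } }
pool: { vmImage: ubuntu-latest }
stages:
- stage: Plan
  jobs:
  - job: plan
    steps:
    - task: AzureCLI@2
      inputs:
        azureSubscription: azure-prod
        scriptType: bash
        scriptLocation: inlineScript
        addSpnToEnvironment: true   # exposes servicePrincipalId/Key and tenantId
        workingDirectory: infra
        inlineScript: |
          set -eu; export ARM_CLIENT_ID=$servicePrincipalId ARM_CLIENT_SECRET=$servicePrincipalKey
          export ARM_TENANT_ID=$tenantId ARM_SUBSCRIPTION_ID=$(az account show --query id -o tsv)
          terraform fmt -check -recursive                    # lint
          terraform init -input=false -backend-config=backend.prod.hcl
          terraform validate                                 # validation
          terraform plan -input=false -out=tfplan            # preview for PR review
    - publish: infra/tfplan        # the reviewed plan is exactly what gets applied
      artifact: tfplan
- stage: Apply
  dependsOn: Plan
  condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest'))
  jobs:
  - deployment: apply
    environment: prod-infra        # approval check on the environment gates this job
    strategy:
      runOnce:
        deploy:
          steps:
          - checkout: self         # deployment jobs do not check out sources by default
          - download: current
            artifact: tfplan
          - task: AzureCLI@2
            inputs:
              azureSubscription: azure-prod
              scriptType: bash
              scriptLocation: inlineScript
              addSpnToEnvironment: true
              workingDirectory: infra
              inlineScript: |
                set -eu; export ARM_CLIENT_ID=$servicePrincipalId ARM_CLIENT_SECRET=$servicePrincipalKey
                export ARM_TENANT_ID=$tenantId ARM_SUBSCRIPTION_ID=$(az account show --query id -o tsv)
                terraform init -input=false -backend-config=backend.prod.hcl
                terraform apply -input=false $(Pipeline.Workspace)/tfplan/tfplan
```

On a pull request only the Plan stage runs, so reviewers see the plan output; on main the Apply stage waits for the environment approval and then applies the saved plan rather than re-planning.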
6. Desired State Configuration (DSC)
PowerShell DSC
DSC is a management platform in PowerShell for configuring and maintaining the state of machines. DSC configurations are declarative PowerShell scripts that define what software should be installed, what services should run, and what settings should be applied. Azure Automation State Configuration provides a cloud-based DSC pull server for managing DSC across Azure VMs, on-premises machines, and other cloud providers.
7. VM Extensions and Scale Sets
VM Extensions
Azure VM Extensions
VM extensions are small applications that provide post-deployment configuration and automation on Azure VMs. Key extensions include: Custom Script Extension (run scripts on VMs), DSC Extension (apply DSC configurations), Azure Monitor Agent (collect telemetry), and Azure Disk Encryption (encrypt VM disks with BitLocker/DM-Crypt). Extensions can be deployed via ARM templates, Azure CLI, or Azure PowerShell.
VM Scale Sets (VMSS)
VMSS and IaC
VM Scale Sets automatically create and manage a group of identical VMs. VMSS supports autoscaling based on metrics, schedules, or custom rules. For image management, use Azure Compute Gallery (formerly Shared Image Gallery) to create versioned golden images. Custom Script Extension or cloud-init can configure VMs at scale during provisioning. VMSS update policies control how instances receive updates: Automatic, Manual, or Rolling.