In the previous lessons, we explored each pillar of the Azure Well-Architected Framework, the tools available for assessment, and common anti-patterns. This final lesson brings everything together with a practical, step-by-step approach to assessing and improving a real workload.

Applying the Well-Architected Framework to a workload follows a structured process:

Clearly define what you are assessing. A workload is a collection of Azure resources that work together to deliver a business capability. Examples:

Define the boundary — what is included and what is not. Include all dependent services, data stores, networking components, and identity infrastructure.

An effective assessment requires input from multiple perspectives:

| Role | Contribution |
|---|---|
| Solution Architect | Overall design decisions and tradeoffs |
| Developers | Application code patterns, error handling, testing |
| Operations / SRE | Monitoring, alerting, incident response, deployment |
| Security | Identity, access control, data protection, threat detection |
| Product / Business | Business requirements, SLA needs, budget constraints |

Work through each pillar systematically. For each pillar, ask the key questions and document your current state.

| Question | Current State | Gap | Priority |
|---|---|---|---|
| Have you defined SLA, RTO, and RPO targets? | |||
| Are production resources deployed across Availability Zones? | |||
| Do you have automated backups with tested restores? | |||
| Is retry logic with exponential backoff implemented for all external calls? | |||
| Do you have a multi-region failover strategy for critical workloads? | |||
| Do health probes verify end-to-end application health? | |||
| Have you conducted a failure mode analysis? | |||
| Have you performed disaster recovery drills in the last 6 months? | | | |

| Question | Current State | Gap | Priority |
|---|---|---|---|
| Is MFA enabled for all users? | |||
| Are managed identities used instead of credentials in code? | |||
| Are secrets stored in Azure Key Vault? | |||
| Are PaaS services accessed through Private Endpoints? | |||
| Is RBAC applied with least privilege at the narrowest scope? | |||
| Is Microsoft Defender for Cloud enabled with a good Secure Score? | |||
| Is network traffic segmented with NSGs and firewall rules? | |||
| Is data encrypted at rest and in transit? | | | |

| Question | Current State | Gap | Priority |
|---|---|---|---|
| Have you right-sized all compute resources based on usage data? | |||
| Are Reserved Instances or Savings Plans used for stable workloads? | |||
| Are development environments shut down outside business hours? | |||
| Are orphaned resources (unattached disks, unused IPs) cleaned up? | |||
| Are budgets and alerts configured in Azure Cost Management? | |||
| Is a tagging strategy enforced with Azure Policy? | |||
| Are storage lifecycle policies configured for blob data? | |||
| Do you review Azure Advisor cost recommendations weekly? | | | |

| Question | Current State | Gap | Priority |
|---|---|---|---|
| Is all infrastructure defined as code (Bicep, Terraform, ARM)? | |||
| Are deployments automated through CI/CD pipelines? | |||
| Is monitoring configured with metrics, logs, and traces? | |||
| Are alerts actionable with runbooks for common scenarios? | |||
| Do you conduct blameless post-incident reviews? | |||
| Are secrets and configuration centralised (Key Vault, App Configuration)? | |||
| Are safe deployment strategies used (blue-green, canary, feature flags)? | |||
| Is there an incident response plan with defined roles? | | | |

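
Part of the "Current State" and "Gap" columns can be filled from a resource inventory instead of by hand. The script below is an added example, not code from the lesson or from Microsoft: it evaluates a constructed inventory (in the JSON shape `az resource show` returns) against five questions from the Security and Cost Optimization tables above and returns one assessment row per question; the required tag set is an assumption.

```python
# Constructed sample inventory in the shape `az resource show` returns (ARM JSON).
# Property names are real ARM properties; resource names and values are made up.
INVENTORY = [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stordata01",
     "tags": {"env": "prod", "owner": "payments"},
     "properties": {"supportsHttpsTrafficOnly": True,
                    "privateEndpointConnections": [{"id": "...pe-stordata01"}]}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stordata02", "tags": {},
     "properties": {"supportsHttpsTrafficOnly": False, "privateEndpointConnections": []}},
    {"type": "Microsoft.Web/sites", "name": "app-orders",
     "tags": {"env": "prod", "owner": "orders"},
     "identity": {"type": "SystemAssigned"}, "properties": {"httpsOnly": True}},
    {"type": "Microsoft.Web/sites", "name": "app-legacy", "tags": {"env": "prod"},
     "properties": {"httpsOnly": False}},  # no identity block, no owner tag
    {"type": "Microsoft.Compute/disks", "name": "disk-old",
     "tags": {"env": "dev", "owner": "ops"}, "properties": {"diskState": "Unattached"}},
    {"type": "Microsoft.Network/publicIPAddresses", "name": "pip-orphan",
     "tags": {"env": "dev", "owner": "ops"}, "properties": {}},  # no ipConfiguration
]
REQUIRED_TAGS = {"env", "owner"}  # assumed tagging policy, not from the lesson

def of_type(inv, rtype):
    return [r for r in inv if r["type"].lower() == rtype.lower()]

def checks(inv):
    stor = of_type(inv, "Microsoft.Storage/storageAccounts")
    sites = of_type(inv, "Microsoft.Web/sites")
    disks = of_type(inv, "Microsoft.Compute/disks")
    pips = of_type(inv, "Microsoft.Network/publicIPAddresses")
    return [  # (pillar, checklist question, offending resource names, priority if a gap exists)
        ("Security", "Are PaaS services accessed through Private Endpoints?",
         [r["name"] for r in stor if not r["properties"].get("privateEndpointConnections")], "High"),
        ("Security", "Is data encrypted at rest and in transit?",  # checks the in-transit half only
         [r["name"] for r in stor if not r["properties"].get("supportsHttpsTrafficOnly")]
         + [r["name"] for r in sites if not r["properties"].get("httpsOnly")], "High"),
        ("Security", "Are managed identities used instead of credentials in code?",
         [r["name"] for r in sites if r.get("identity", {}).get("type", "None") == "None"], "High"),
        ("Cost", "Are orphaned resources (unattached disks, unused IPs) cleaned up?",
         [r["name"] for r in disks if r["properties"].get("diskState") == "Unattached"]
         + [r["name"] for r in pips if "ipConfiguration" not in r["properties"]], "Medium"),
        ("Cost", "Is a tagging strategy enforced with Azure Policy?",
         [r["name"] for r in inv if not REQUIRED_TAGS <= set(r.get("tags") or {})], "Medium"),
    ]

def assess(inv):
    """Rows of (pillar, question, current state, gap, priority) matching the table columns above."""
    return [(p, q, "Compliant" if not bad else f"{len(bad)} non-compliant",
             ", ".join(bad), pri if bad else "") for p, q, bad, pri in checks(inv)]
```

Against a real subscription, feed `assess` the output of `az resource list` followed by `az resource show` per resource, since `list` alone omits the `properties` block.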