AI Exam Prep

🔵 Microsoft Azure Certification - Associate

Azure Administrator AZ-104

Complete study reference for Microsoft Azure Administrator, covering identity and governance, storage, compute, virtual networking and monitoring.

  • 40–60 questions
  • 120 minutes
  • 700/1000 passing score

Domain weightings

  • Identities & Governance: 20–25%
  • Compute Resources: 20–25%
  • Virtual Networking: 15–20%
  • Storage: 15–20%
  • Monitor & Maintain: 10–15%

Topics by domain

What each domain covers

Manage Azure Identities and Governance (20–25%)

7 topics

RBAC and Azure Policy are tested most. RBAC = who can do what (assign roles to identities). Azure Policy = what is allowed to be deployed (enforce compliance). Owner = full access + manage access. Contributor = full access, cannot manage access. Reader = read only. Policy effects: Deny blocks resource creation; Audit creates a compliance report but doesn't block; DeployIfNotExists auto-deploys a required resource if missing.

  • Azure AD: users, groups, external identities, dynamic membership
  • RBAC: built-in roles (Owner/Contributor/Reader), custom roles, scope (MG→Sub→RG→Resource)
  • Azure AD Connect: sync on-prem AD to Azure AD, password hash sync vs pass-through auth
  • Multi-Factor Authentication (MFA) and Conditional Access policies
  • Azure Policy: effect types (Deny, Audit, DeployIfNotExists, AuditIfNotExists)
  • Management Groups and subscription structure for governance at scale
  • Cost Management: budgets, alerts, cost analysis views

Implement and Manage Storage (15–20%)

6 topics

Storage redundancy options are reliably tested, so know the acronyms: LRS = 3 copies in one datacenter; ZRS = 3 copies across 3 availability zones (same region); GRS = 6 copies across 2 regions (async); GZRS = ZRS + GRS combined. Cold tier was added between Cool and Archive (minimum 90 days). Archive requires rehydration (hours to 15 days) before data can be read.

  • Storage account types: General Purpose v2 (recommended), Premium Block Blobs, Premium File Shares
  • Blob storage: access tiers (Hot/Cool/Cold/Archive), lifecycle management policies
  • Azure Files: SMB and NFS shares, Azure File Sync for hybrid scenarios
  • Storage redundancy: LRS (single datacenter), ZRS (3 zones), GRS (secondary region), GZRS
  • Storage security: private endpoints, service endpoints, SAS tokens, storage account keys vs Azure AD auth
  • Azure Import/Export and Data Box for large offline data migrations

Deploy and Manage Azure Compute Resources (20–25%)

6 topics

Availability Sets = spread VMs across fault domains and update domains within one datacenter; this protects against hardware failures and planned maintenance. Availability Zones = spread VMs across physically separate datacentres in a region, with a higher SLA (99.99% vs 99.95%). Deployment slots in App Service allow zero-downtime deployment by swapping staging and production.

  • Virtual Machines: sizes, availability sets vs availability zones (SLA difference), proximity placement groups
  • VM Scale Sets (VMSS): autoscaling, uniform vs flexible orchestration
  • Azure App Service: plans (Free/Basic/Standard/Premium/Isolated), deployment slots, autoscale
  • Azure Container Instances (ACI) for simple containerised tasks
  • Azure Kubernetes Service (AKS): node pools, cluster upgrades, Horizontal Pod Autoscaler
  • ARM templates and Bicep for infrastructure as code

Implement and Manage Virtual Networking (15–20%)

7 topics

Private endpoints vs service endpoints: Service endpoints route traffic to the Azure service over the Azure backbone, but the service is still accessible from other networks. Private endpoints give the Azure service a private IP in your VNet; the service is accessible ONLY through that private IP. For troubleshooting: NSG flow logs + Network Watcher IP flow verify are the first tools to reach for.

  • VNet design: address spaces, subnets, service endpoints vs private endpoints
  • Network Security Groups (NSGs): inbound/outbound rules, priority, association to subnets and NICs
  • Azure DNS: public zones, private zones, DNS resolution in VNets
  • VNet peering: global peering, non-transitive routing, UDRs for hub-spoke
  • VPN Gateway: site-to-site (IPsec), point-to-site, VNet-to-VNet
  • Azure Load Balancer (L4) vs Application Gateway (L7) vs Azure Front Door (global)
  • Network Watcher: IP flow verify, next hop, connection troubleshoot

Monitor and Maintain Azure Resources (10–15%)

6 topics

Azure Backup and Site Recovery are distinct: Azure Backup = protects data (snapshots, files, VMs, databases). Azure Site Recovery = protects entire workloads by replicating VMs to a secondary region for DR failover. Diagnostic settings are required to route VM metrics and logs to Log Analytics; they are not enabled by default.

  • Azure Monitor: metrics, logs, action groups, alert rules
  • Log Analytics workspace: Kusto Query Language (KQL) basics, diagnostic settings
  • Azure Backup: Recovery Services vault, backup policies, instant restore
  • Azure Site Recovery (ASR): replication, failover, failback for DR
  • Azure Update Manager: patch compliance, update deployments
  • Azure Advisor: cost, security, reliability, operational excellence, performance recommendations
