While preparing for the AZ-305, many candidates struggle with designing highly available, scalable monitoring architectures. In the enterprise world, this decision often hinges on balancing centralized operational visibility with low latency and governance requirements. Let’s drill into a simulated migration scenario.
The Scenario #
Tailspin Manufacturing operates a global IT estate consisting of 300 Windows Server 2019 virtual machines distributed across several Azure regions and some on-premises datacenters connected via Azure Arc. The IT Operations team needs to implement a centralized monitoring solution to aggregate all system event warning logs from these VMs into a single pane of glass for proactive alerting and compliance auditing. The solution must support both cloud and hybrid workloads and integrate seamlessly with existing governance controls.
Key Requirements #
Design a scalable, enterprise-grade system that collects and consolidates all Windows event warning logs from these 300 VMs into a centralized monitoring platform. The solution should minimize operational overhead and leverage Azure-native components aligned with Microsoft’s Cloud Adoption Framework.
The Options #
- A) Log Analytics workspace
- B) Azure Monitor agent
- C) Azure Activity Logs
- D) Storage account
- E) Event Hubs
- F) Application Insights
Correct Answer #
A) Log Analytics workspace
B) Azure Monitor agent
The Architect’s Analysis #
Correct Answer #
Options A and B: Use a Log Analytics workspace for centralized log storage and querying, combined with Azure Monitor agents installed on all VMs to collect the Windows event logs.
Step-by-Step Winning Logic #
Centralized monitoring is a cornerstone of Operational Excellence and Reliability, two key pillars in Microsoft’s Well-Architected Framework (WAF). Deploying Azure Monitor agents ensures deep integration with the Azure Monitor platform, enabling consistent collection of system events across hybrid machines. The Log Analytics workspace provides a scalable repository with flexible query and alerting capabilities, and it can be managed through Azure governance policies to ensure compliance and cost control. This choice supports hybrid environments, including VMs connected via Azure Arc.
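As an added example (not part of the original article), the Python below builds the Data Collection Rule (DCR) that Azure Monitor Agent uses to decide which events to forward: it selects only warning-level events (Windows event Level 3) from the System and Application channels, points them at a single Log Analytics workspace, and checks that the rule is internally consistent before anything is deployed. It also emits the Azure CLI command that installs the agent on either an Azure VM or an Azure Arc-enabled server, which is what makes the hybrid half of the scenario work. The workspace resource ID, resource group, region and machine names are placeholders I made up; the field names follow the Microsoft.Insights/dataCollectionRules resource schema.

```python
"""Build and sanity-check an Azure Monitor Data Collection Rule (DCR) that sends
Windows event *warnings* from Azure Monitor Agent (AMA) to one Log Analytics
workspace. Added example; every resource name and ID below is a placeholder."""
import json
import re

# Constructed placeholder workspace resource ID (all-zero subscription, not real).
WORKSPACE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                "/resourceGroups/rg-monitoring/providers/Microsoft.OperationalInsights"
                "/workspaces/law-tailspin-central")

# Windows event levels: 1=Critical, 2=Error, 3=Warning, 4=Information.
WARNING_LEVEL = 3


def warning_xpath(channel: str, level: int = WARNING_LEVEL) -> str:
    """XPath in the form AMA's windowsEventLogs data source expects: '<Channel>!<query>'."""
    return f"{channel}!*[System[(Level={level})]]"


def build_dcr(workspace_id: str, channels=("System", "Application"), location="eastus") -> dict:
    """Return the ARM body for a Microsoft.Insights/dataCollectionRules resource."""
    return {
        "location": location,
        "properties": {
            "dataSources": {
                "windowsEventLogs": [{
                    "name": "windowsWarnings",
                    "streams": ["Microsoft-Event"],
                    "xPathQueries": [warning_xpath(c) for c in channels],
                }]
            },
            "destinations": {
                "logAnalytics": [{
                    "name": "centralWorkspace",
                    "workspaceResourceId": workspace_id,
                }]
            },
            # Data flows wire a stream from the data source to a named destination.
            "dataFlows": [{
                "streams": ["Microsoft-Event"],
                "destinations": ["centralWorkspace"],
            }],
        },
    }


def validate_dcr(dcr: dict) -> list:
    """Return a list of problems (empty means the rule is internally consistent)."""
    problems = []
    props = dcr.get("properties", {})
    dest_names = {d["name"] for d in props.get("destinations", {}).get("logAnalytics", [])}
    sources = props.get("dataSources", {}).get("windowsEventLogs", [])
    source_streams = {s for ds in sources for s in ds.get("streams", [])}
    for flow in props.get("dataFlows", []):
        for d in flow["destinations"]:
            if d not in dest_names:
                problems.append(f"dataFlow references undefined destination '{d}'")
        for s in flow["streams"]:
            if s not in source_streams:
                problems.append(f"dataFlow stream '{s}' has no data source")
    # Every XPath must name a channel and restrict on Level; otherwise the rule
    # ingests every event on 300 machines and the workspace bill follows.
    for ds in sources:
        for q in ds["xPathQueries"]:
            if not re.fullmatch(r"[A-Za-z0-9\-/]+!\*\[System\[\(.*Level=\d.*\)\]\]", q):
                problems.append(f"unexpected XPath shape: {q}")
    return problems


def agent_install_command(machine_name: str, resource_group: str,
                          arc_enabled: bool, location: str = "eastus") -> str:
    """Azure CLI command that installs AMA on an Azure VM or an Azure Arc-enabled server."""
    if arc_enabled:
        return (f"az connectedmachine extension create --machine-name {machine_name} "
                f"--resource-group {resource_group} --location {location} "
                f"--name AzureMonitorWindowsAgent --publisher Microsoft.Azure.Monitor "
                f"--type AzureMonitorWindowsAgent")
    return (f"az vm extension set --vm-name {machine_name} --resource-group {resource_group} "
            f"--name AzureMonitorWindowsAgent --publisher Microsoft.Azure.Monitor")


if __name__ == "__main__":
    rule = build_dcr(WORKSPACE_ID)
    print(json.dumps(rule, indent=2))
    print("problems:", validate_dcr(rule))
    print(agent_install_command("arc-dc1-file01", "rg-monitoring", arc_enabled=True))
```

The emitted JSON is what you hand to `az monitor data-collection rule create` (it accepts a rule file), and each machine is then linked with `az monitor data-collection rule association create`. Because the Level filter lives in the rule rather than on the host, all 300 machines get the same warning-only selection with no per-VM configuration, and tightening or widening the filter later is a single rule update rather than 300 agent changes.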
The Trap (Distractor Analysis) #
- Why not C) Azure Activity Logs? Activity Logs capture control-plane events (like resource creation) but do not collect guest OS logs such as Windows event warnings from VMs.
- Why not D) Storage Account? While raw logs could be dumped into storage, this lacks query capabilities, alerting, and centralized dashboarding features, increasing operational complexity.
- Why not E) Event Hubs? Event Hubs is a data ingestion pipeline but is not a monitoring repository. It would require additional processing layers to analyze event logs.
- Why not F) Application Insights? Application Insights focuses on application performance telemetry and code-level diagnostics, not system event logs at the OS level.
The Architect Blueprint #
Diagram illustrating how Azure Monitor Agent installed on each VM sends logs into a centralized Log Analytics workspace.
Diagram Note: Azure Monitor agent collects Windows event warnings from both cloud VMs and Azure Arc connected servers feeding into a single Log Analytics workspace for unified monitoring.
The Decision Matrix #
| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| A) Log Analytics WS | Medium | Moderate (varies by data volume) | Scalable, central repository with query & alerting, governable | Data ingestion costs; needs agent/configuration |
| B) Azure Monitor Agent | Low | Included with monitoring | Native integration, supports hybrid VMs & Azure Arc | Requires installation/configuration on each VM |
| C) Azure Activity Logs | Low | Included | No-cost resource-level logs | Does not capture guest OS logs; limited use for system event monitoring |
| D) Storage Account | Low | Low | Cheap storage for raw data | No query or alert features; high operational overhead |
| E) Event Hubs | Medium | Moderate to high | Event streaming and ingestion platform | Requires extra processing pipeline |
| F) Application Insights | Medium | Moderate to high | App-focused monitoring and diagnostics | Not designed for OS-level logs; irrelevant for event logs |
Real-World Practitioner Insight #
Exam Rule #
“For the exam, always pick Log Analytics and Azure Monitor agent when the question asks for guest OS level monitoring and centralized log analysis.”
Real World #
In a practical enterprise hybrid scenario, combining Azure Monitor agent with Log Analytics workspace simplifies governance via Azure Policy and integrates well with Azure Sentinel for advanced Security Operations monitoring—extending beyond mere IT operations into security posture management.