Practice Scenarios

AzureArchitectureAdvancedGuided

Design a 3-tier app across 5 Azure subscriptions

Architect a production-ready 3-tier web application using Azure multi-subscription best practices: separate subscriptions for management, logging, connectivity, non-prod, and production workloads.

Multi-subscription strategy and Azure Management Groups

Centralized logging and security governance

Environment separation (dev/stage/prod)

AWSReliabilityAdvancedGuided

Build a multi-region disaster recovery setup on AWS

Implement a warm-standby DR strategy: Aurora Global Database cross-region replication, Route 53 health-check failover, and S3 cross-region replication — with a documented RTO/RPO.

RTO vs RPO trade-offs for warm standby, pilot light, and active-active

Aurora Global Database replication and manual failover

Route 53 health checks and DNS failover routing policy

AWSCI/CDIntermediateGuided

Ship a containerised app from GitHub to ECS with zero-downtime deployments

Build a full CI/CD pipeline: GitHub Actions builds and scans a Docker image, pushes to ECR, and deploys to ECS Fargate using a rolling update strategy with ALB health-check gating.

GitHub Actions workflow: build, test, scan, push, deploy

ECR image lifecycle policies and image scanning with Trivy

ECS rolling deployment: minimum healthy percent and maximum percent

Kubernetes RBAC: ClusterRole, Role, RoleBinding scoped by namespace

GCPK8sAdvancedGuided

Harden a GKE cluster: RBAC, Network Policies, and Workload Identity

Lock down a Google Kubernetes Engine cluster using least-privilege RBAC, deny-all NetworkPolicies, Workload Identity for pod-level GCP permissions, and Binary Authorization to block unsigned images.

NetworkPolicy deny-all baseline + explicit allow rules

Workload Identity: bind a K8s ServiceAccount to a GCP IAM SA (no key files)

SLI vs SLO vs SLA — what each one means in practice

MultiSREAdvancedGuided

Define SLOs and wire up golden-signal alerts for a production service

Apply the SRE model end-to-end: define SLIs/SLOs for a user-facing API, create error-budget burn-rate alerts, and build a dashboard showing the four golden signals (latency, traffic, errors, saturation).

Error budget: how many bad requests you can tolerate per month

Burn-rate alerting: fast burn (critical) vs slow burn (warning)

AWSMessagingIntermediateGuided

Build a resilient event-driven order processing system with SQS and DLQ

Design and implement an order processing pipeline using SQS FIFO queues for deduplication, Lambda consumers with idempotent handlers, SNS fan-out for downstream notifications, and a Dead Letter Queue for failed messages.

SQS FIFO vs Standard: ordering guarantees and deduplication IDs

Idempotent Lambda consumers: handling at-least-once delivery correctly

Dead Letter Queue: how to catch, inspect, and reprocess failed messages

Chaos engineering principles: hypothesis-driven experiments, blast radius control

AWSSREAdvancedGuided

Run your first chaos engineering experiment with AWS Fault Injection Simulator

Design a hypothesis, inject CPU stress and network latency into a production-like environment using AWS FIS, observe how your application behaves, and use the results to improve resilience before a real failure happens.

AWS FIS actions: EC2 CPU stress, network latency injection, instance termination

Stop conditions: automatically halt experiments when SLO thresholds breach

6 steps~63 min+200 XPStart

AWSDatabaseAdvancedGuided

Migrate a PostgreSQL database to Aurora with zero downtime using DMS

Perform a live database migration from a self-managed PostgreSQL instance to Amazon Aurora PostgreSQL using AWS DMS — with full-load, ongoing replication, and a carefully staged cutover that keeps your app live throughout.

AWS DMS: replication instance, endpoints, and task configuration

Full-load + CDC: catch up existing data then stream ongoing changes

Pre-migration assessment: schema compatibility checks with SCT

Istio control plane: Istiod and sidecar injection per namespace

AzureK8sAdvancedGuided

Deploy a service mesh on AKS with Istio mTLS and traffic shaping

Install Istio on Azure Kubernetes Service, enforce mutual TLS between all services, implement a canary deployment using VirtualService traffic weights, and observe service-to-service traffic through Kiali.

mTLS peer authentication: STRICT mode prevents unencrypted service calls

Traffic management: VirtualService + DestinationRule for canary releases

Pub/Sub push vs pull subscriptions and message acknowledgement

GCPDataAdvancedGuided

Build a real-time data pipeline: Pub/Sub to Dataflow to BigQuery

Stream events from a Pub/Sub topic through a Dataflow (Apache Beam) pipeline that filters, enriches, and windows the data, landing it in BigQuery for real-time analytics — the same pattern used by Google, Spotify, and Twitter.

Apache Beam pipeline concepts: PCollection, transforms, windowing

Dataflow autoscaling and watermarks for late-arriving events

MultiFinOpsIntermediateGuided

Cut your cloud bill by 40% with right-sizing and Reserved Instance analysis

Run a structured cost optimization audit: identify over-provisioned instances with CloudWatch metrics, model Reserved Instance savings, set up budget alerts, and implement an automatic stop/start schedule for non-production resources.

AWS Cost Explorer and Compute Optimizer: interpreting right-sizing recommendations

Reserved Instances vs Savings Plans: which gives more flexibility

Idle resource detection: EC2, RDS, EBS volumes with 0 IOPS

MultiSecurityIntermediateGuided

Harden a containerised application: image scanning, secrets, and runtime policies

Apply defence-in-depth to a Docker-based application: remove root privilege, use distroless base images, scan for CVEs in CI, manage secrets with Vault/Secrets Manager, and enforce a runtime security policy with Falco.

Distroless and minimal base images: what attack surface looks like in a 3MB image

Running containers as non-root: why UID 0 in a container is still dangerous

CVE scanning in CI: Trivy integration and blocking on CRITICAL severity

AWSArchitectureAdvancedGuided

Design an active-active multi-region architecture on AWS

Go beyond DR: build an architecture where both us-east-1 and eu-west-1 serve live user traffic simultaneously using Route 53 latency routing, DynamoDB Global Tables, and a conflict-resolution strategy for writes.

Active-active vs active-passive: the CAP theorem trade-off in practice

DynamoDB Global Tables: multi-region replication and last-write-wins conflict resolution

Route 53 latency-based routing: users are sent to the nearest healthy region

AWSComputeIntermediateGuided

Scale an application automatically under real load with EC2 Auto Scaling

Configure an Auto Scaling Group with target tracking (CPU 50%) and scheduled scaling for predictable peaks, then validate it by running a k6 load test that triggers both scale-out and scale-in events.

Target tracking vs step scaling: when to use each policy

Warm-up period and cooldown: preventing scale thrash between up and down events

Scheduled scaling: pre-warming capacity for known traffic spikes (Black Friday pattern)

MultiIaCIntermediateGuided

Provision a production AWS environment with Terraform and remote state

Write reusable Terraform modules to provision a VPC, security groups, and EC2 instances — using an S3 + DynamoDB remote backend for team-safe state locking and Terraform workspaces to manage dev and prod from one codebase.

Remote state: why local state is dangerous in teams and how S3 + DynamoDB solves it

Modules: how to write a reusable VPC module with input variables and outputs

Workspaces: one codebase, two environments (dev and prod), zero duplication

AWSSecurityIntermediateGuided

Protect a web application from attacks with CloudFront and AWS WAF

Place AWS WAF in front of your application via CloudFront: enable Managed Rule Groups (SQLi, XSS, bad bots), add a custom rate-limit rule to stop brute-force attacks, geo-restrict access, and query the WAF logs with Athena.

CloudFront as a security boundary: blocking attacks at the edge before they reach origin

AWS Managed Rule Groups: AWSManagedRulesCommonRuleSet, SQLi, KnownBadInputs

Rate-based rules: block IPs sending more than N requests per 5 minutes

App Service Plans: which tier supports deployment slots (Standard and above)

AzureCI/CDBeginnerGuided

Deploy to Azure App Service with staging slots and zero-downtime swaps

Host a web application on Azure App Service, create a staging deployment slot, deploy the new version there first for smoke testing, then swap it to production with zero downtime using App Service warm-up.

Deployment slots: staging and production as independent but linked environments

Slot-sticky settings: keep production DB connection strings separate from staging

6 steps~38 min+150 XPStart

GCPServerlessBeginnerGuided

Deploy a production-ready containerised API to Google Cloud Run

Package a REST API in Docker, push it to Artifact Registry, deploy to Cloud Run with secret injection from Secret Manager, configure traffic splitting for canary releases, and set concurrency limits for cost control.

Cloud Run vs Cloud Functions: when a container beats a function

Secret Manager integration: inject secrets as env vars at runtime — no key files

Traffic splitting: gradual canary rollout (10% to 50% to 100%) without redeploying

6 steps~38 min+150 XPStart

AWSDatabaseIntermediateGuided

Scale read-heavy workloads with RDS PostgreSQL read replicas

Add read replicas to an RDS PostgreSQL instance to horizontally scale SELECT queries, route reads to replicas and writes to the primary via your application connection pool, and monitor replication lag to detect when a replica falls behind.

RDS read replicas: asynchronous streaming replication and eventual consistency

Read/write splitting: why all writes must go to primary, reads can go to replicas

Replication lag: the CloudWatch metric to watch and the threshold that signals a problem

AWSSecurityIntermediateGuided

Auto-remediate cloud threats with GuardDuty and Lambda in 60 seconds

Enable Amazon GuardDuty, wire EventBridge to route HIGH-severity findings to a Lambda that automatically isolates the compromised EC2 instance — replacing its security groups with a forensic deny-all group and snapshotting its disk for analysis.

GuardDuty finding types: credential theft, C2 communication, recon, data exfiltration

EventBridge integration: route specific finding severity levels to remediation targets

Automated isolation: remove instance from security groups without terminating it

Managed node groups vs self-managed: why managed is the right default

AWSK8sIntermediateGuided

Stand up a production-grade EKS cluster with IRSA and the AWS Load Balancer Controller

Create an EKS cluster with managed node groups in private subnets, configure IAM Roles for Service Accounts (IRSA) so pods get least-privilege AWS access, install the AWS Load Balancer Controller, and auto-provision an ALB from a Kubernetes Ingress resource.

IRSA: per-pod AWS permissions without instance-level IAM roles or stored key files

AWS Load Balancer Controller: Kubernetes Ingress → ALB provisioned automatically

AzureMessagingIntermediateGuided

Build event-driven workflows with Azure Service Bus topics and Azure Functions

Create a Service Bus topic with multiple subscriptions for fan-out messaging, build Azure Functions triggered per subscription, enforce ordered processing with sessions, and handle poison messages via the Dead Letter Queue.

Service Bus topics vs queues: when fan-out requires a topic with subscriptions

Subscription filters: SQL expressions to route messages to specific consumers

Message sessions: guarantee ordered processing per session ID (e.g. per customer)

GCPDatabaseIntermediateGuided

Set up a highly available Cloud SQL database with private IP and failover

Create a Cloud SQL PostgreSQL instance with High Availability (synchronous standby in a different zone), connect exclusively over a private IP via the Cloud SQL Auth Proxy, validate automatic failover by triggering zone simulation.

HA configuration: primary instance with synchronous standby in a different zone

Private IP: no public internet exposure, connect through VPC only

Cloud SQL Auth Proxy: encrypted IAM-authenticated tunnel without opening firewall ports

AWSArchitectureIntermediateGuided

Orchestrate a distributed transaction with AWS Step Functions and the Saga pattern

Implement the Saga pattern for a distributed order: Step Functions orchestrates five Lambda steps (reserve inventory, charge payment, schedule delivery) and automatically runs compensating transactions to roll back completed steps when any step fails.

Saga pattern: why distributed transactions need compensating actions instead of 2PC

Step Functions states: Task, Choice, Parallel, Catch, and Retry

Compensating transactions: each forward step must have a corresponding rollback action

AzureDatabaseAdvancedGuided

Build a globally distributed database with Azure Cosmos DB multi-region writes

Configure Cosmos DB for multi-region writes, design a partition key for even data distribution, test all five consistency levels, implement conflict resolution for simultaneous writes in two regions, and stream changes via Change Feed.

Consistency levels: Strong, Bounded Staleness, Session, Consistent Prefix, Eventual

Multi-region writes: any region accepts writes, conflicts resolved automatically

Partition key design: the single most important performance decision in Cosmos DB

6 steps~63 min+200 XPStart

GCPSecurityIntermediateGuided

Protect a GCP application from DDoS and web attacks with Cloud Armor

Deploy Cloud Armor in front of a Global HTTP(S) Load Balancer: enable OWASP Top 10 preconfigured rules, create a custom rate-limit rule, enable Adaptive Protection for ML-based DDoS detection, and query blocked requests in BigQuery.

Cloud Armor vs firewall rules: WAF at the global load balancer vs VPC firewall

Preconfigured WAF rules: ModSecurity CRS signatures for SQLi, XSS, RFI

Rate-based banning: block IPs exceeding a request threshold over a rolling window

KEDA architecture: ScaledObject, external metrics API, and the scaler plugins

AWSK8sAdvancedGuided

Event-driven pod autoscaling based on SQS queue depth with KEDA

Install KEDA on Kubernetes and define a ScaledObject that adds worker pods when an SQS queue grows and removes them (to zero) when it drains — achieving event-driven autoscaling that CPU-based HPA alone cannot provide.

SQS scaler: targetQueueLength as the trigger (messages per replica)

Scale-to-zero: KEDA reduces Deployment replicas to 0 when the queue is empty

6 steps~63 min+200 XPStart

AzureNetworkingIntermediateGuided

Accelerate and protect a global web app with Azure Front Door and WAF

Set up Azure Front Door as your global entry point: route users to the nearest healthy backend, cache static assets at the edge, enforce WAF policies to block OWASP threats, and configure health probes for automatic failover between regions.

Azure Front Door vs Azure CDN: when global routing intelligence justifies Front Door

Origin groups and load balancing: weighted routing and priority-based failover

Rules Engine: rewrite URLs, redirect HTTP to HTTPS, set cache-control headers at the edge

AWSCachingIntermediateGuided

Eliminate database bottlenecks with Amazon ElastiCache Redis caching

Deploy ElastiCache Redis in cluster mode, implement the cache-aside pattern in your application, add TTL jitter to prevent cache stampede, tune the eviction policy for cost control, and verify cache hit rate exceeds 90% under load.

Cache-aside vs write-through vs write-behind: choosing the right pattern

ElastiCache cluster mode: data sharded across multiple Redis nodes for horizontal scale

TTL jitter: why uniform TTL expiry causes stampede and how randomisation fixes it

AWSSecurityAdvancedGuided

Respond to a simulated cloud security incident using AWS native tools

Work through a realistic incident response exercise: a GuardDuty finding shows an EC2 instance communicating with a C2 server. Contain it, capture forensic evidence, trace the attack in CloudTrail, and produce a post-incident report.

Incident response phases: Detect, Contain, Eradicate, Recover, Post-Incident

EC2 isolation: replace security groups without terminating — preserve evidence

EBS forensic snapshot: capture disk state before any cleanup

AzureObservabilityIntermediateGuided

Build end-to-end Azure observability with Monitor, Log Analytics, and Workbooks

Instrument an Azure application end-to-end: Application Insights for request telemetry, Log Analytics for centralised logs, metric and log query alerts with dynamic thresholds, Action Groups for Slack and PagerDuty routing, and a Workbook dashboard for on-call.

Azure Monitor data sources: VM metrics, App Insights telemetry, Activity Log

Metric alerts vs log query alerts: latency differences and when to use each

Dynamic thresholds: auto-learn traffic baselines to reduce alert fatigue

GCPDatabaseIntermediateGuided

Build a real-time collaborative app backend with Google Cloud Firestore

Use Firestore as a real-time database: design a document schema with subcollections for per-user isolation, write Security Rules that enforce access control, implement real-time listeners, and handle offline persistence for mobile clients.

Firestore data model: documents, collections, and subcollections vs flat structure

Security Rules: match paths, request.auth.uid conditions, and field-level validation

Real-time listeners: onSnapshot vs one-time get and when each is appropriate

AWSDatabaseIntermediateGuided

Design a DynamoDB single-table model for a multi-entity SaaS application

Apply single-table design to store Users, Organisations, Memberships, and Subscriptions in one DynamoDB table — define access patterns first, use composite keys and GSIs for all query shapes, and enable TTL for automatic session expiry.

Access-pattern-first design: list every query before designing the schema

Single-table design: co-locate related entities for efficient reads without JOINs

Composite primary key: PK = entity type + ID, SK = relationship or metadata

AWSServerlessIntermediateGuided

Make serverless functions production-ready with AWS Lambda Powertools

Use Lambda Powertools to add structured JSON logging, custom CloudWatch metrics via EMF, distributed X-Ray tracing, and a DynamoDB-backed idempotency layer — transforming a black-box Lambda into a fully observable, production-grade function.

Structured logging: why JSON logs are 10x easier to query than plain text in CloudWatch

Embedded Metrics Format (EMF): publish business metrics from Lambda without a metrics agent

X-Ray tracing: visualise the full call graph through API Gateway, Lambda, and DynamoDB

AzureCI/CDIntermediateGuided

Build a complete Azure DevOps CI/CD pipeline from code commit to AKS

Wire a multi-stage Azure Pipelines YAML that builds a Docker image, runs tests and SAST scanning, pushes to Azure Container Registry, and deploys to AKS via Helm — with human approval gates between staging and production.

Azure Pipelines YAML: multi-stage pipeline with build, test, and deploy stages

Service connections: how Azure Pipelines authenticates to ACR and AKS securely

Helm charts: parameterise Kubernetes deployments across environments

GCPSecurityAdvancedGuided

Prevent data exfiltration with GCP VPC Service Controls security perimeter

Define a VPC Service Controls perimeter around BigQuery and Cloud Storage: even users with valid IAM permissions cannot access these services from outside the perimeter, and data cannot be copied to external projects — closing the insider-threat exfiltration path.

VPC SC vs IAM: why a second perimeter layer is needed even with perfect IAM

Access policy and service perimeter: organisation-level resource defining the boundary

Dry-run mode: test perimeter rules without blocking traffic first

S3 versioning and KMS encryption for state storage

AWSIaCIntermediateGuided

Set Up Terraform Remote State with S3 and DynamoDB Locking

Store Terraform state remotely in S3 with DynamoDB-backed state locking to prevent concurrent apply conflicts in a team environment.

DynamoDB table for distributed locking

Terraform backend configuration and migration

5 steps~45 min+200 XPStart

AWSSREAdvancedGuided

Design SLOs and Configure Burn Rate Alerts in CloudWatch

Define a 99.9% availability SLO for an API, calculate error budgets, and configure fast-burn and slow-burn CloudWatch alarms to detect budget exhaustion before users notice.

SLI and SLO design from ALB metrics

Error budget calculation from SLO targets

CloudWatch metric math for success ratio

5 steps~60 min+250 XPStart

AWSK8sAdvancedGuided

Autoscale Kubernetes Pods Based on SQS Queue Depth with KEDA

Install KEDA on EKS, configure IAM roles for service accounts (IRSA), and create a ScaledObject that scales worker pods from zero to N based on SQS queue depth.

KEDA installation with Helm on EKS

IAM Roles for Service Accounts (IRSA) for KEDA

ScaledObject and TriggerAuthentication YAML

4 steps~57 min+250 XPStart

AWSCI/CDIntermediateGuided

Optimize GitHub Actions: Caching, Parallelism, and Affected-Only Builds

Cut CI pipeline time from 15 minutes to under 5 minutes using actions/cache for node_modules, parallel job splitting, and path filters to skip unnecessary runs.

actions/cache with lock-file hash keys for node_modules

Parallel jobs with job dependencies using needs

Path filters to skip CI on docs-only PRs

AWSFinOpsIntermediateGuided

Run Fault-Tolerant Workloads on EC2 Spot Instances with Auto-Restart

Use Spot Instances for batch processing workloads with EventBridge-triggered Lambda auto-restart, cutting compute costs by 70-90% compared to On-Demand pricing.

EC2 Spot Fleet with capacity-optimized allocation

EventBridge rule for Spot interruption detection

Lambda function to restart workload on new instance

AWSReliabilityAdvancedGuided

Configure Route 53 Health Checks and Automated Failover

Set up Route 53 health checks on primary and secondary ALBs with automatic DNS failover, achieving sub-90-second recovery when the primary region becomes unhealthy.

Route 53 health checks for ALB endpoints

Failover routing policy (primary/secondary)

TTL strategy for fast failover propagation

3 steps~54 min+250 XPStart

AWSSecurityAdvancedGuided

Sign Container Images with Cosign and Enforce Signatures in Kubernetes

Use Sigstore Cosign for keyless container image signing in GitHub Actions CI, then enforce signature verification with a Kyverno ClusterPolicy that blocks unsigned images.

Cosign keyless signing with GitHub OIDC in CI

Image signature verification from ECR

Kyverno admission controller installation

4 steps~57 min+250 XPStart

AWSObservabilityIntermediateGuided

Deploy Prometheus with AlertManager and PagerDuty Integration

Install kube-prometheus-stack via Helm on Kubernetes, write PromQL alerting rules for error rate and latency, and route critical alerts to PagerDuty with inhibition to prevent alert storms.

kube-prometheus-stack Helm installation

ServiceMonitor for custom application metrics

PromQL alerting rules for error rate and P99 latency

AWSFinOpsIntermediateGuided

Identify and Eliminate AWS Cost Waste: Right-sizing and Idle Resources

Use AWS Cost Explorer, Compute Optimizer, and CloudWatch metrics to identify EC2 over-provisioning, idle resources, and S3 storage waste — then automate the fixes.

Cost Explorer for identifying top cost drivers

Compute Optimizer for right-sizing recommendations

Identifying idle EC2 instances from CloudWatch metrics

AWSReliabilityAdvancedGuided

Build Warm Standby DR with RDS Cross-Region Read Replica

Create an RDS cross-region read replica in us-west-2, monitor replica lag with CloudWatch alarms, and practice the full promotion procedure to validate your RTO.

RDS cross-region read replica creation

ReplicaLag CloudWatch alarm for DR readiness

Route 53 CNAME for database endpoint abstraction

3 steps~54 min+250 XPStart

AWSK8sIntermediateGuided

Right-size Kubernetes Pods with Resource Requests/Limits and VPA

Identify OOMKilled and CPU-throttled pods, install the Vertical Pod Autoscaler in Recommendation mode, apply its suggestions, and configure namespace LimitRanges to enforce defaults.

Diagnosing OOMKilled and CPU throttle events from kubectl

VPA installation in Recommendation mode

Applying VPA recommendations to resource manifests