SkarpChapter 16 of 20
Infrastructure as Code and Deployment Consistency with ARM and Bicep
Look at how defining your infrastructure as code with templates and Bicep helps you deploy consistent, repeatable environments across subscriptions and regions.
Why Infrastructure as Code Matters in Azure
From Clicks to Code
Portal, PowerShell, and CLI are great for learning, but manual clicks are hard to repeat and audit at scale. Infrastructure as Code (IaC) solves this by defining infrastructure in files.
What IaC Means
With IaC you describe what you want (for example, a storage account and web app) in a template. Azure reads the template and creates or updates resources to match it.
Why IaC for Governance
IaC improves consistency, supports Azure Policy, tags, and RBAC, and reduces configuration drift so dev, test, and production stay aligned across subscriptions and regions.
Exam Focus
For AZ-900, you must conceptually understand why IaC matters, how Azure Resource Manager (ARM) coordinates deployments, and where templates are preferable to manual portal work.
Azure Resource Manager: The Deployment Engine
ARM as the Management Layer
Azure Resource Manager (ARM) is the management layer for Azure. All actions from portal, PowerShell, CLI, or templates go through ARM.
Resources, Groups, and RBAC
ARM manages Azure resources in resource groups and subscriptions and provides role-based access control (RBAC) for fine-grained authorization.
Declarative Deployments
ARM takes a declarative template (JSON or Bicep), compares desired state to current state, and creates, updates, or deletes resources to match the template.
Why This Matters for the Exam
Know that ARM is the central deployment engine and that ARM templates and Bicep are authoring options that describe what ARM should deploy.
Infrastructure as Code in Azure: Big Picture
Where IaC Fits
ARM templates and Bicep are part of Azure management tools, alongside portal, PowerShell, and CLI, but they focus on automation and standardization.
Key IaC Benefits
IaC gives consistency across environments, version control, repeatability and speed, and documentation by default through your templates.
Architecture Stack
Physical: regions, region pairs, datacenters. Logical: resources, resource groups, subscriptions. Management: ARM. IaC: templates and Bicep on top.
Governance Connection
Azure Policy, locks, and tags work best with IaC, where every deployment goes through a consistent, reviewable template.
ARM Templates vs Bicep: Conceptual Comparison
Two IaC Options
Azure supports ARM templates (JSON) and Bicep as ways to define infrastructure for Azure Resource Manager.
ARM Templates
ARM templates are JSON-based, very explicit and powerful, but often verbose and harder for humans to read at scale.
Bicep
Bicep is a domain-specific language with concise, readable syntax that compiles down to standard ARM JSON templates.
Exam Clues
Easier, more readable ARM-based IaC usually points to Bicep; references to JSON templates point to classic ARM templates.
Side-by-Side: Simple ARM Template and Bicep
You do not need to memorize syntax for AZ-900, but seeing a simple example helps you recognize these files on the exam.
Below is a minimal storage account deployment in ARM JSON and Bicep. Focus on visual differences, not every keyword.
Real-World Scenario: Consistent Environments Across Regions
Campaign Scenario
A company needs the same small web app stack in two regions. Manual portal work risks different SKUs, names, and missing tags.
Template-Based Solution
Define App Service, Web App, and Storage in a template, parameterize region and environment, and deploy to each region with different parameters.
Visualizing Consistency
One template at the top, two arrows to two resource groups in different regions, each ending up with identical resource types and settings.
Exam Pattern
Requirements like identical dev/test/prod or multi-region consistency strongly hint that template-based deployment is preferred over manual portal work.
Thought Exercise: Manual vs Template Deployment
University Scenario
You must deploy an App Service plan, two Web Apps, and an Azure SQL Database to dev, test, and prod environments.
Portal-Only Approach
Consider how many separate deployments and configuration steps you'd need in the portal and how hard it is to keep environments identical.
Template Approach
Think about what you could parameterize in a template (environment, SKU, region) and how many times you would reuse that same file.
Governance Angle
Reflect on how IaC plus version control helps demonstrate to auditors that test and production follow the same baseline configuration.
Template-Based Deployments Across Subscriptions and Scopes
Deployment Scopes
ARM and Bicep can deploy at resource group, subscription, and management group scopes, not just individual resources.
Cross-Subscription Consistency
A central team can reuse the same template across multiple subscriptions and regions to standardize resource group layouts and settings.
Governance Benefits
Templates help avoid unique 'snowflake' environments and make it easy to roll out new standards by redeploying updated templates.
Exam Hint
Phrases like standardizing multiple subscriptions or applying a baseline often point toward using templates at subscription or management group scope.
Check Understanding: IaC and ARM Basics
Answer this question to confirm you understand the core IaC concepts in Azure.
Your organization wants dev, test, and production environments to use identical Azure configurations, and they want to track all changes in source control. Which Azure approach best meets this requirement?
- Create all resources manually in the Azure portal and export a list of resources to Excel
- Use Azure Resource Manager templates or Bicep files stored in a source control system to deploy environments
- Rely only on Azure Policy to automatically create missing resources when needed
- Use Azure Command-Line Interface (CLI) interactively for each deployment without scripts
Show Answer
Answer: B) Use Azure Resource Manager templates or Bicep files stored in a source control system to deploy environments
ARM templates and Bicep files are Infrastructure as Code. They can be stored in source control, redeployed consistently to dev/test/prod, and reviewed for changes. The portal and interactive CLI are manual and hard to keep in sync. Azure Policy enforces rules but does not fully define and deploy entire environments on its own.
Check Understanding: ARM Templates vs Bicep
Test your ability to distinguish ARM templates from Bicep in exam-style wording.
A team wants a more human-readable way to define Azure infrastructure while still using Azure Resource Manager for deployments. Which option should they choose?
- Classic Azure Service Management (ASM) templates
- Azure Resource Manager JSON templates only
- Bicep, which compiles to Azure Resource Manager templates
- Azure portal dashboards
Show Answer
Answer: C) Bicep, which compiles to Azure Resource Manager templates
Bicep is a domain-specific language that offers a more concise, readable syntax for defining Azure resources. It compiles down to standard ARM JSON templates, which Azure Resource Manager then deploys. ASM is legacy, pure JSON templates are less readable, and dashboards are for visualization, not IaC.
Key Term Review: ARM, Bicep, and IaC
Use these flashcards to reinforce the most important terms from this module.
- Infrastructure as Code (IaC)
- A practice where you define and manage infrastructure (such as networks, VMs, and services) using machine-readable definition files instead of manual configuration, enabling consistent, repeatable deployments.
- Azure Resource Manager (ARM)
- The deployment and management service for Azure that provides a management layer to create, update, and delete resources in your Azure account, and that all tools (portal, CLI, PowerShell, templates) use.
- ARM template
- A JSON file that defines Azure resources and their configuration in a declarative way for Azure Resource Manager to deploy.
- Bicep
- A domain-specific language for Azure that provides a more concise and readable way to define infrastructure as code, which then compiles to ARM JSON templates.
- Declarative deployment
- An approach where you specify the desired end state of your infrastructure, and the platform (ARM) figures out the necessary create, update, or delete operations to reach that state.
- Idempotent deployment
- A deployment that can be run multiple times and still produce the same end result, without creating duplicate resources or unexpected changes.
- Template parameters
- Values you can pass into an ARM template or Bicep file (such as region, environment name, or SKU) so that the same template can be reused in different environments.
- Template scope (resource group vs subscription)
- The level at which a template is applied: resource group scope targets resources within a specific resource group, while subscription scope can create resource groups, policies, and RBAC assignments across the subscription.
Recognizing Exam Scenarios for Template-Based Deployment
When Templates Shine
Look for clues like multi-region or multi-subscription deployments, identical dev/test/prod, source control, or complex automated environments.
When Portal or Scripts Fit
Portal suits simple, one-off tasks. PowerShell and CLI are good for scripted commands but are less declarative than templates.
Governance Synergy
IaC works together with Azure Policy, RBAC, and tags to define, enforce, and control standards across your Azure estate.
Next in Your Study Path
As you take the next diagnostic or mock exam, flag questions about repeatability and standardization; they often target ARM/Bicep template-based deployments.
Key Terms
- Bicep
- A domain-specific language for Azure that provides a more concise and readable way to define infrastructure as code, which then compiles to ARM JSON templates.
- ARM template
- A JSON file that defines Azure resources and their configuration in a declarative way for Azure Resource Manager to deploy.
- Deployment scope
- The level at which a template is applied, such as resource group, subscription, or management group.
- Template parameter
- An input value for an ARM template or Bicep file (such as region, environment name, or SKU) that allows the same template to be reused in different environments.
- Idempotent deployment
- A deployment that can be run multiple times and still produce the same end result, without creating duplicate resources or unexpected changes.
- Declarative deployment
- An approach where you specify the desired end state of your infrastructure, and the platform figures out the necessary operations to reach that state.
- Azure Resource Manager (ARM)
- The deployment and management service for Azure that provides a management layer to create, update, and delete resources in your Azure account, and that all tools (portal, CLI, PowerShell, templates) use.
- Infrastructure as Code (IaC)
- A practice where you define and manage infrastructure using machine-readable definition files instead of manual configuration, enabling consistent, repeatable deployments.