πŸ”’ Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided AZ-400 Domain 3
Domain 3 β€” Module 6 of 13 46%
12 of 25 overall

AZ-400 Study Guide

Domain 1: Design and Implement Processes and Communications

  • Work Item Tracking: Boards, GitHub & Flow
  • DevOps Metrics: Dashboards That Drive Decisions
  • Collaboration: Wikis, Teams & Release Notes

Domain 2: Design and Implement a Source Control Strategy

  • Branching Strategies: Trunk-Based, Feature & Release
  • Pull Requests: Policies, Protections & Merge Rules
  • Repository Management: LFS, Permissions & Recovery

Domain 3: Design and Implement Build and Release Pipelines

  • Package Management: Feeds, Versioning & Upstream
  • Testing Strategy: Quality Gates & Release Gates
  • Test Implementation: Code Coverage & Pipeline Tests
  • Azure Pipelines: YAML from Scratch Free
  • GitHub Actions: Workflows from Scratch Free
  • Pipeline Agents: Self-Hosted, Hybrid & VM Templates
  • Multi-Stage Pipelines: Templates, Variables & Approvals
  • Deployment Strategies: Blue-Green, Canary & Ring Free
  • Safe Rollouts: Slots, Dependencies & Hotfix Paths
  • Deployment Implementations: Containers, Scripts & Databases
  • Infrastructure as Code: ARM vs Bicep vs Terraform
  • IaC in Practice: Desired State & Deployment Environments
  • Pipeline Maintenance: Health, Migration & Retention

Domain 4: Develop a Security and Compliance Plan

  • Pipeline Identity: Service Principals, Managed IDs & OIDC Free
  • Authorization & Access: GitHub Roles & Azure DevOps Security
  • Secrets & Secure Pipelines: Key Vault & Workload Federation
  • Security Scanning: GHAS, Defender & Dependabot

Domain 5: Implement an Instrumentation Strategy

  • Monitoring for DevOps: Azure Monitor & App Insights
  • Metrics & KQL: Analysing Telemetry & Traces

AZ-400 Study Guide

Domain 1: Design and Implement Processes and Communications

  • Work Item Tracking: Boards, GitHub & Flow
  • DevOps Metrics: Dashboards That Drive Decisions
  • Collaboration: Wikis, Teams & Release Notes

Domain 2: Design and Implement a Source Control Strategy

  • Branching Strategies: Trunk-Based, Feature & Release
  • Pull Requests: Policies, Protections & Merge Rules
  • Repository Management: LFS, Permissions & Recovery

Domain 3: Design and Implement Build and Release Pipelines

  • Package Management: Feeds, Versioning & Upstream
  • Testing Strategy: Quality Gates & Release Gates
  • Test Implementation: Code Coverage & Pipeline Tests
  • Azure Pipelines: YAML from Scratch Free
  • GitHub Actions: Workflows from Scratch Free
  • Pipeline Agents: Self-Hosted, Hybrid & VM Templates
  • Multi-Stage Pipelines: Templates, Variables & Approvals
  • Deployment Strategies: Blue-Green, Canary & Ring Free
  • Safe Rollouts: Slots, Dependencies & Hotfix Paths
  • Deployment Implementations: Containers, Scripts & Databases
  • Infrastructure as Code: ARM vs Bicep vs Terraform
  • IaC in Practice: Desired State & Deployment Environments
  • Pipeline Maintenance: Health, Migration & Retention

Domain 4: Develop a Security and Compliance Plan

  • Pipeline Identity: Service Principals, Managed IDs & OIDC Free
  • Authorization & Access: GitHub Roles & Azure DevOps Security
  • Secrets & Secure Pipelines: Key Vault & Workload Federation
  • Security Scanning: GHAS, Defender & Dependabot

Domain 5: Implement an Instrumentation Strategy

  • Monitoring for DevOps: Azure Monitor & App Insights
  • Metrics & KQL: Analysing Telemetry & Traces
Domain 3: Design and Implement Build and Release Pipelines Premium ⏱ ~12 min read

Pipeline Agents: Self-Hosted, Hybrid & VM Templates

Choose between Microsoft-hosted and self-hosted agents. Design agent infrastructure for cost, connectivity, licensing, and hybrid scenarios including VM templates and air-gapped environments.

What are pipeline agents and runners?

β˜• Simple explanation

Think of construction workers on a building site.

The architect (your YAML pipeline) draws the blueprints, but someone has to actually hammer the nails and lay the bricks. Those are the construction workers β€” your agents.

You have two options: hire temporary workers from a staffing agency (Microsoft-hosted agents) β€” they show up clean every morning and leave at night, no maintenance needed. Or you hire permanent staff (self-hosted agents) β€” they know your building site, have specialized tools, and can access restricted areas, but you’re responsible for paying them and keeping their skills up to date.

Most teams use agency workers (hosted agents) for standard jobs and permanent staff (self-hosted) only when they need something the agency can’t provide β€” like access to a private network or specialized hardware.

Agents (Azure DevOps) and runners (GitHub Actions) are the machines that execute your pipeline steps. The choice between hosted and self-hosted agents is one of the most impactful infrastructure decisions in a DevOps pipeline, affecting cost, security, performance, and maintenance burden.

The AZ-400 exam expects you to evaluate agent options across five dimensions: cost, tool selection, licensing, connectivity, and maintainability. You also need to design for complex scenarios β€” hybrid pipelines that span cloud and on-premises, VM Scale Set agents for elastic capacity, and air-gapped environments with no internet access.

Microsoft-hosted vs self-hosted

Hosted agents for simplicity and clean state; self-hosted for private network access, custom hardware, and cost control at scale
FactorMicrosoft-Hosted Agents / GitHub-Hosted RunnersSelf-Hosted Agents / Self-Hosted Runners
ProvisioningFresh VM spun up per job β€” clean environment every timePersistent machine β€” you install, configure, and maintain it
MaintenanceZero β€” Microsoft/GitHub handles OS updates, tool updates, patchingFull responsibility β€” you manage OS patches, agent updates, tool installations
CostFree tier included (Azure: 1 parallel job, 1800 min/month; GitHub: 2000 min/month). Pay for extra parallelism.No per-minute cost β€” but you pay for the VM/hardware, electricity, and maintenance time
Network accessPublic internet only β€” cannot reach private VNets or on-prem resources without extra configCan access private networks, on-prem databases, internal APIs, air-gapped environments
PerformanceStandard VM sizes (2 vCPU, 7 GB RAM typical). GitHub Larger Runners offer up to 64 vCPU.Any hardware you choose β€” GPU machines, high-memory VMs, dedicated build servers
Clean stateGuaranteed clean β€” VM is destroyed after each job (no leftover state)Persistent β€” can cache dependencies, but risks stale state, leftover files, security residue
SoftwarePre-installed tools (major SDKs, Docker, etc.) β€” updated weeklyYou install exactly what you need β€” can include proprietary tools and licensed software
ScalabilityAutomatic β€” more jobs = more VMs, limited by your parallel job quotaManual β€” add more machines, or use VM Scale Sets / auto-scaling runner groups for elastic scaling

When to choose self-hosted

Self-hosted agents add maintenance complexity. Only use them when hosted agents genuinely can’t meet your requirements:

ScenarioWhy Self-HostedExample
Private network accessPipeline needs to reach resources in a VNet, on-prem network, or behind a firewallDeploy to a database on a private VNet, access an on-prem API
Specialized hardwareBuild requires GPU, ARM architecture, or high-memory machinesML model training, iOS builds on macOS, large Java builds needing 32+ GB RAM
Licensed softwareBuild tools require per-machine licenses that can’t be installed on ephemeral VMsLicensed static analysis tools, commercial compilers
Long-running jobsJobs that exceed hosted agent time limits (6 hours for Azure, 6 hours for GitHub)Large monorepo builds, extensive integration test suites
Air-gapped environmentsNo internet access allowed β€” government or defence mandateClassified systems, SCIF environments
Cost optimisation at scaleOrganisation runs thousands of pipeline minutes daily β€” self-hosted VMs are cheaper than per-minute billingLarge enterprise with 50+ concurrent builds
πŸ’‘ Scenario: Dr. Amira's air-gapped defence pipeline

πŸ›οΈ Dr. Amira Hassan is designing a CI/CD pipeline for Major Collins’s classified logistics system. The build environment is in a SCIF (Sensitive Compartmented Information Facility) with zero internet access.

Constraints:

  • No outbound internet β€” cannot use Microsoft-hosted agents or pull packages from public registries
  • All tools must be pre-installed on the agent machines
  • Agent machines must be domain-joined and meet STIG compliance

Amira’s design:

  1. Self-hosted agents on hardened Windows Server VMs inside the classified network
  2. Pre-baked VM template (golden image) with all build tools (.NET SDK, Node.js, test frameworks) pre-installed and validated
  3. Private Azure Artifacts feed mirrored from an internet-connected staging area β€” packages are scanned, approved, and transferred to the air-gapped network via a data diode
  4. Agent pools β€” separate pools for build agents (4 VMs) and deployment agents (2 VMs in the production network segment)
  5. Template refresh β€” quarterly rebuild of the golden image with updated tools, validated by Marcus (audit) before deployment

Farah (junior consultant) asks: β€œWhy not just allow outbound HTTPS for package downloads?” Major Collins: β€œBecause the network classification prohibits ANY outbound traffic. Period.”

Agent pools and runner groups

Azure DevOps β€” agent pools

Agent pools group agents for assignment to pipelines:

Pool TypeDescriptionUse Case
Azure Pipelines (hosted)Microsoft-managed hosted agentsDefault for most pipelines
DefaultDefault pool for self-hosted agentsSimple self-hosted setups
Custom poolsNamed pools you create (e.g., β€œLinux-Build”, β€œWindows-Deploy”)Segmenting agents by OS, capability, network zone, or team

Pipelines reference pools with the pool: keyword:

pool:
  name: 'Linux-Build'
  demands:
    - docker
    - Agent.OS -equals Linux

Demands allow you to match jobs to agents with specific capabilities β€” installed software, OS type, or custom labels.

GitHub Actions β€” runner groups

Runner groups are available on GitHub Enterprise:

  • Group self-hosted runners by team, department, or environment
  • Control which repositories can use which runner groups
  • Apply organisation-level policies

Standard (non-Enterprise) accounts use labels to target specific runners:

runs-on: [self-hosted, linux, gpu]

VM Scale Set agents (Azure DevOps)

For elastic self-hosted capacity, Azure DevOps integrates with Azure VM Scale Sets:

  • Azure DevOps manages scaling β€” spins up VMs when jobs queue, shuts them down when idle
  • VMs use a custom image (your golden image with pre-installed tools)
  • Configure min/max agent count and idle timeout
  • Combines the cost advantage of self-hosted (no per-minute charge) with the elasticity of hosted agents

GitHub Larger Runners

GitHub offers larger runners as a middle ground:

  • GitHub-managed (no maintenance) but with more resources (up to 64 vCPU, 256 GB RAM)
  • Available on Team and Enterprise plans
  • Can be assigned static IP ranges for firewall allowlisting
  • GPU runners available for ML/AI workloads

Hybrid architectures

Many organisations need both hosted and self-hosted agents in the same pipeline. A common pattern:

Stage 1: Build (Microsoft-hosted)
  β†’ Compile code, run unit tests, publish artefacts
  β†’ Clean environment, no special access needed

Stage 2: Integration Test (self-hosted in VNet)
  β†’ Run tests against private database, internal APIs
  β†’ Requires VNet connectivity

Stage 3: Deploy (self-hosted in production network)
  β†’ Deploy to production servers behind firewall
  β†’ Requires production network access

Each stage specifies a different pool: β€” the pipeline orchestration handles passing artefacts between stages.

πŸ’‘ Exam tip: agent decision framework

When the exam presents an agent selection scenario, evaluate in this order:

  1. Network β€” does the pipeline need access to private resources? If yes, self-hosted is likely required.
  2. Software β€” does the build need licensed or proprietary tools? If yes, self-hosted with pre-installed tools.
  3. Hardware β€” does the build need GPU, ARM, or high-memory? If yes, self-hosted or GitHub Larger Runners.
  4. Time β€” does the job exceed the 6-hour hosted limit? If yes, self-hosted.
  5. Cost β€” at scale (thousands of minutes/day), self-hosted VMs can be cheaper than per-minute billing.
  6. If none of the above apply β€” use Microsoft-hosted / GitHub-hosted. Simpler, cleaner, zero maintenance.

The exam strongly favours hosted agents as the default answer unless the scenario specifically requires self-hosted features.

Question

What are the top three reasons to choose self-hosted agents over hosted?

Click or press Enter to reveal answer

Answer

1) Private network access β€” reaching resources in a VNet, on-prem network, or behind a firewall. 2) Specialized software β€” licensed tools that can't be installed on ephemeral VMs. 3) Custom hardware β€” GPU, ARM, or high-memory machines. Default to hosted unless a specific constraint requires self-hosted.

Click to flip back
Question

What are Azure DevOps VM Scale Set agents?

Click or press Enter to reveal answer

Answer

Self-hosted agents backed by Azure VM Scale Sets. Azure DevOps manages scaling β€” spins up VMs when pipeline jobs queue, shuts them down when idle. VMs use a custom golden image with pre-installed tools. Combines cost advantage of self-hosted (no per-minute charge) with elasticity of hosted (automatic scale-up/down).

Click to flip back
Question

What are 'demands' in Azure DevOps agent pools?

Click or press Enter to reveal answer

Answer

Demands are capabilities that a job requires from an agent. Jobs declare demands (e.g., 'docker', 'Agent.OS -equals Linux') and Azure DevOps matches them to agents that have those capabilities. Capabilities can be system-detected (OS, installed tools) or user-defined (custom labels). Jobs only run on agents meeting all demands.

Click to flip back
Question

What is a hybrid pipeline architecture?

Click or press Enter to reveal answer

Answer

A pipeline that uses different agent types at different stages. Example: Build stage on Microsoft-hosted agents (clean, no special access), integration test stage on self-hosted agents in a VNet (private database access), deploy stage on self-hosted agents in the production network. Each stage specifies a different pool. Artefacts are passed between stages.

Click to flip back

Knowledge check

Knowledge Check

Dr. Amira's defence client requires builds to run in a network with zero internet access. All tools must be pre-installed and agents must meet STIG compliance. Which agent strategy should she recommend?
Knowledge Check

Kai's startup runs 200 pipeline minutes per month across 3 repositories on GitHub. All builds are standard Node.js projects with no special requirements. Which runner strategy minimises cost and maintenance?
Knowledge Check

Nadia's pipeline at Meridian Insurance needs to: (1) build code without special access, (2) run integration tests against a private SQL database in a VNet, and (3) deploy to on-prem servers. What agent architecture should she use?

🎬 Video coming soon

Next up: Multi-Stage Pipelines β€” design reusable templates, configure variables and variable groups, and implement environment-based approvals for enterprise deployment workflows.

← Previous

GitHub Actions: Workflows from Scratch

Next β†’

Multi-Stage Pipelines: Templates, Variables & Approvals

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.