
AZ-305: Designing Microsoft Azure Infrastructure Solutions

Comprehensive Practice Assessment Q&A Study Guide

Compiled from 4 practice assessment attempts (650 questions reviewed, deduplicated)


Table of Contents

  1. Identity & Authentication
  2. Governance & Management
  3. Monitoring & Logging
  4. Relational Data Storage
  5. Non-Relational Data Storage
  6. Data Integration & Analytics
  7. Backup & Disaster Recovery
  8. High Availability & SLA
  9. Compute Solutions
  10. Networking
  11. Migration
  12. Messaging & Caching

1. Identity & Authentication

Q: Azure AD Pass-through Authentication

Scenario: You have an on-premises datacenter connected to Azure. You need an authentication solution that never stores password hashes in the cloud and uses minimum administrative effort.

Answer: Azure AD Pass-through Authentication

Why: Pass-through Authentication forwards authentication requests to on-premises agents, so no password hashes are stored in the cloud. Azure AD DS stores password hashes in Azure datacenters. Azure AD Connect (password hash synchronization) stores a hash of the password hash in the cloud. AD FS requires a lot of administrative effort.


Q: Azure AD Connect for Directory Sync

Scenario: You have an on-premises AD DS domain and deploy a new Azure AD tenant. You need to sync changes to users between the two directories.

Answer: Azure AD Connect

Why: Azure AD Connect is designed to sync users and devices between Azure AD and AD DS domains. Azure Data Sync is for data, not directories. Azure AD B2B is for external identities. DirSync is deprecated.


Q: Conditional Access for MFA

Scenario: You need to ensure that when users authenticate from an unknown device, they are required to use MFA.

Answer: Conditional Access

Why: Conditional Access allows you to create policies to enforce MFA based on different scenarios (device, location, risk). Windows Hello for Business, FIDO2 security keys, and AD FS do not provide device-based MFA enforcement.


Q: Conditional Access Attributes

Scenario: You want to conditionally restrict access to resources based on attributes using Conditional Access in Azure AD. Which three attributes can you apply conditions to?

Answer: IP address, sign-in risk, device state

Why: Conditional Access supports conditions based on user/group, application, device state, IP range, and sign-in risk.


Q: Azure AD B2C Features

Scenario: You plan to use Azure AD B2C for user authentication. Which two statements are accurate?

Answer:

  1. Customer identities are stored in a separate tenant
  2. Customers can use a social media account for authentication

Why: Azure AD B2C uses a separate Azure AD directory/tenant. Customers are NOT guest users (that's B2B). Customers can use social media as identity providers.


Q: Azure AD B2C User Flows

Scenario: You plan to use Azure AD B2C as the directory for members. Which two user flows should you include for member onboarding?

Answer: Sign-in flow + Sign-up flow

Why: Users need to sign up to the system, then be able to sign in.


Q: Microsoft Authenticator for Cross-Platform MFA

Scenario: Users need MFA across multiple platforms (Windows, iOS, Android). Which MFA option should you use?

Answer: Microsoft Authenticator app

Why: Microsoft Authenticator works across all platforms. Windows Hello and FIDO2 keys have limited platform support.


Q: System-Assigned Managed Identities

Scenario: You need identities for Azure VMs that are removed when VMs are deleted and cannot be shared among multiple VMs.

Answer: System-assigned managed identities

Why: System-assigned identities are created per resource and deleted with the resource. User-assigned identities can be shared. Azure AD users/groups require manual deletion.


Q: User-Assigned Managed Identity for Shared Access

Scenario: Three web servers need the same identity to authenticate to Azure AD. What should they use?

Answer: A user-assigned managed identity

Why: User-assigned managed identities can be applied to multiple resources and automate credential rotation. System-assigned identities are per-resource. Service principals have expiring secrets.


Q: Azure AD Application Proxy

Scenario: You need to use Azure AD to authenticate remote users accessing applications on-premises.

Answer: Azure AD Application Proxy

Why: Application Proxy allows on-premises applications to use tokens from Azure AD. Windows Hello is for MFA on Windows. AD Connect syncs password hashes. Azure AD DS is a managed AD in the cloud.


Q: Service Principal Authentication Objects

Scenario: An application must authenticate directly with Azure AD using a service principal. Which three objects must it present?

Answer: Tenant ID, Client ID, Client secret

Why: Tenant ID and Client ID identify the application. Client secret proves authorized use. Application object ID and Key Vault object ID are not required.


Q: Azure Key Vault Secrets

Scenario: App1 must access a stored password when connecting to Service1. Which Key Vault object type should you create?

Answer: Secret

Why: In Key Vault: Secrets store tokens, passwords, certificates, and API keys. Keys store encryption keys. Certificates store TLS/SSL certificates.


Q: Azure Key Vault Premium for FIPS Compliance

Scenario: You need a key management solution that is FIPS 140-2 Level 2 compliant, cost-optimized, and fully managed.

Answer: Azure Key Vault Premium

Why: Key Vault Premium is FIPS 140-2 Level 2 and fully managed. Key Vault Standard is NOT Level 2. Managed HSM is Level 3 but more expensive. Self-hosted HSM is not fully managed.


Q: AKS Contributor Role

Scenario: A user needs to view and modify AKS roles within a cluster, following least privilege.

Answer: Azure Kubernetes Service Contributor

Why: Contributors can change roles and bindings. Cluster Admin only lists admin credentials. RBAC Writer cannot modify role bindings. Cluster User only lists user credentials.


2. Governance & Management

Q: Resource Groups for RBAC

Scenario: You have a VNet, VMSS, and SQL VMs. You need to provide management rights to different teams with minimum effort.

Answer: Create a different resource group for each solution component

Why: RBAC can be assigned at resource group level without extra components. Tags don't directly support RBAC. Separate management groups/subscriptions require VNet peering.


Q: Azure Policy with Audit Effect

Scenario: You need to verify which resources don't have tags without blocking users from creating new resources.

Answer: Azure policies with an audit effect

Why: Audit effect runs policies but doesn't block non-compliant creation. Disabled effect won't run policies. Delete/read-only locks prevent deletion/creation.


Q: Management Groups for Auto Policy Assignment

Scenario: You need to ensure new subscriptions have policies assigned automatically at creation.

Answer: Create different management groups for production and development. Assign policies to the management groups.

Why: Management groups ensure policies apply to any new subscription placed in them. Resource groups and subscriptions don't handle new subscriptions. Blueprints aren't applied automatically.


Q: Root Management Group for Compliance

Scenario: Single engineering team, single subscription, VMs must comply with banking standards. Why apply policies at tenant root level?

Answer: Complying with banking standards (regulatory compliance)

Why: Regulatory requirements are primary drivers for governance.


Q: Flat Management Group Hierarchies

Scenario: Complex department structure (Organization > Country > State > Region > City > Team) with management groups at each level. Structure is difficult to manage. What to restructure first?

Answer: Management group hierarchy

Why: Management group hierarchies should be no more than 3-4 levels deep. Seven levels create significant complexity.


Q: Tags for Cost Management

Scenario: You need cost reporting by department while minimizing the number of subscriptions.

Answer: Create a tag for each resource

Why: Cost center tags enable cost tracking per resource across any number of subscriptions. Creating management groups or subscriptions per department requires at least one subscription each.


3. Monitoring & Logging

Q: NSG Flow Logs for IP Traffic

Scenario: You need to log IP traffic information in and out of a virtual network.

Answer: Network Security Group (NSG) flow logs

Why: NSG flow logs log IP traffic. Activity logs cover control plane events only. Application Insights logs application data. Storage Analytics covers storage accounts only.


Q: Live Stream Logs CLI Command

Scenario: You need to live stream log events for an App Service web app.

Answer: az webapp log tail -g rg1 -n app1

Why: log tail starts live streaming. log show shows configurations. scan start starts a scan. scan list-result shows scan results.


Q: Verbose Logging Level

Scenario: You need to capture trace and debug events for an application.

Answer: Verbose logging level

Why: Verbose captures the most detailed events including trace and debug. Information, Warning, and Error levels miss lower-level events.


Q: Application Insights for User Behavior

Scenario: You need to monitor user behavior and analyze how users interact with your application.

Answer: Application Insights

Why: Application Insights tracks user behavior, page views, and usage patterns. Log Analytics is for infrastructure logs. Azure Monitor Metrics tracks performance counters.


Q: Resource-Context Access Mode

Scenario: Logs from SQL databases in RG1 are sent to a Log Analytics workspace using resource-context access mode. What permissions does a user need to review the database logs?

Answer: Read access to RG1

Why: In resource-context mode, read access to the resource (or its resource group) is sufficient. Contributor access grants more permissions than needed. Reader access to the workspace also grants access to other resources' logs.


Q: Diagnostic Data Storage Requirements

Scenario: Store VNet diagnostics with high-speed access, 5-year retention, immutable logs, auto-destroy after 5 years. Which three options?

Answer: Time-based retention policies + Legal hold policies + Premium Blob Storage

Why: Legal hold and time-based retention ensure immutability and timed destruction. Premium Blob Storage provides high-speed access. Archive/Cool tiers don't support high-speed access.


4. Relational Data Storage

Q: SQL Standard S3 for Columnstore

Scenario: You need an Azure SQL Database with 3 IOPS per DTU, columnstore indexing, optimized for costs.

Answer: Standard S3

Why: Basic and Standard S2 don't support columnstore. Standard S3 supports columnstore and is cheaper than Premium.


Q: SQL Server on Azure VMs for SSIS/SSAS/SSRS

Scenario: Migrate on-premises SQL Server with SSIS, SSAS, and SSRS to Azure.

Answer: SQL Server on Azure Virtual Machines

Why: SQL Server on Azure VMs is the only option maintaining all four services. SQL MI and Azure SQL Database don't support SSIS/SSAS/SSRS.


Q: vCore Serverless for Auto-Pause

Scenario: You need an Azure SQL Database that stops the database service when there are no requests.

Answer: vCore-based with serverless compute

Why: Serverless compute auto-pauses when idle. DTU-based and vCore provisioned don't stop the service.


Q: Azure SQL Database for Spatial Data

Scenario: You need a database with spatial data capabilities and lower administration than Managed Instance.

Answer: Azure SQL Database

Why: Azure SQL Database supports spatial data types with less administrative overhead than Managed Instance.


Q: Storage-Optimized VM for xp_cmdshell + High I/O

Scenario: SQL Server uses xp_cmdshell commands, CPU is 45%, disk I/O is 98%. What deployment option?

Answer: Azure Storage-optimized virtual machine

Why: xp_cmdshell requires OS-level access (VM needed). High disk I/O (98%) means storage optimization is key.


5. Non-Relational Data Storage

Q: Azure Cosmos DB for Cassandra + SQL APIs

Scenario: Applications need to access data using both Apache Cassandra API and SQL API.

Answer: Azure Cosmos DB

Why: Cosmos DB supports multiple APIs: SQL, Cassandra, MongoDB, Table, Gremlin. Other Azure DB services don't support Cassandra.


Q: Azure Cosmos DB for MongoDB Migration

Scenario: Migrate an on-premises MongoDB app to Azure with minimal code changes, needing global distribution and automated failover.

Answer: Azure Cosmos DB

Why: Cosmos DB is multi-model (SQL, MongoDB, Table, Gremlin APIs) with global distribution and automated failover. The MongoDB API avoids significant code redevelopment.


Q: Cosmos DB for Read-Write Replicas

Scenario: You need read and write region replicas with eventual consistency for non-relational data.

Answer: Azure Cosmos DB

Why: Cosmos DB provides read-write replicas across regions with eventual consistency. SQL Database, Synapse, and SQL MI don't offer this.


Q: Azure Data Lake Storage for Unstructured Data + GRS

Scenario: Storage optimized for unstructured data with geo-redundant storage support.

Answer: Azure Data Lake Storage

Why: Data Lake Storage is optimized for unstructured data and provides GRS.


Q: Data Lake Storage for JSON + Failover + Cost Minimization

Scenario: Optimize for JSON data, support region failover, minimize costs.

Answer: Azure Data Lake Storage

Why: Data Lake is cheaper than Cosmos DB. While Cosmos DB is better for JSON specifically, Data Lake handles unstructured data with GRS at lower cost.


Q: Default ACL for Inherited Permissions

Scenario: Ensure a predefined ACL is used for all new files and folders in a folder named root.

Answer: Create a default ACL for root

Why: Default ACL defines permissions for new child objects. Access ACL only changes the ACL for the object itself, not children.


Q: Data Lake ACL-Only Access Control

Scenario: Ensure users can only access Data Lake folders/files based on access ACLs.

Answer: Ensure users are NOT assigned to Reader, Contributor, or Owner roles

Why: These RBAC roles bypass ACLs for read rights. Removing them ensures ACLs are always evaluated.


Q: Azure Files for NFS on Linux

Scenario: Store documents accessed by Linux clients using the NFS protocol.

Answer: Azure Files

Why: Azure Files directly supports NFS protocol. Blob Storage doesn't support NFS directly. Table storage is for key/value pairs.


Q: Azure NetApp Files for SMB+NFS Interoperability

Scenario: Migrate a file server with Unix (NFS) and Windows (SMB) clients requiring interoperability.

Answer: Azure NetApp Files

Why: Azure NetApp Files supports concurrent SMB and NFS with interoperability. Azure Files doesn't offer cross-protocol interoperability.


Q: Storage Accounts Per Region

Scenario: Four countries, need single policy, low IO latency, minimize costs. How many storage accounts?

Answer: 4

Why: One storage account per region/country for low latency. A single policy can cover all four. More storage accounts don't increase costs significantly.


Q: Premium Tier for Lowest Latency Azure Files

Scenario: Recommend the storage tier for Azure Files with the lowest possible latency.

Answer: Premium

Why: Azure Files has four tiers: Premium, Transaction optimized, Hot, Cool. Premium provides the lowest latency.


Q: LRS for Recreatable Files

Scenario: Store files that can be easily recreated, minimize storage cost.

Answer: Locally-redundant storage (LRS)

Why: LRS is the least expensive option. Best for recreatable files where high redundancy isn't needed.


Q: GZRS for Highest Durability

Scenario: Design file storage with highest durability, available during zone or region failure.

Answer: Geo-zone-redundant storage (GZRS)

Why: GZRS provides both zone and region redundancy for the highest durability. LRS keeps all copies within a single zone. ZRS keeps all copies within a single region. GRS covers region failure but not zone failure.


Q: RA-GZRS for Readable Copy in Another Region

Scenario: No data loss if region fails, readable copy always available in another region, minimize storage costs.

Answer: Read-access geo-zone-redundant storage (RA-GZRS)

Why: Region redundancy needs geo-replication. Read access to secondary region requires the RA- prefix.


Q: Cool Tier for Rarely Accessed Files

Scenario: Files accessed rarely but must be recoverable within 10 minutes.

Answer: Cool access tier

Why: Cool tier is cheaper for infrequent access. Archive tier has hours of rehydration delay. Hot tier is unnecessarily expensive. Cool meets the 10-minute recovery requirement.


6. Data Integration & Analytics

Q: Azure Data Factory for Data Integration

Scenario: Combine data from SQL Server and CSV, aggregate, save as JSON in Azure Storage.

Answer: Azure Data Factory

Why: Data Factory runs data integration pipelines. Cosmos DB doesn't execute integration pipelines. Analysis Services handles data warehouses. SQL MI is a database engine.


Q: Azure Synapse Analytics

Scenario: Design a data analysis solution that allows data transformation, links to Power BI, and performs near real-time log analysis.

Answer: Azure Synapse Analytics

Why: Synapse provides all three capabilities. Data Factory can't do real-time analysis. Cosmos DB and SQL MI don't support near real-time analysis.


Q: SSIS Migration Options

Scenario: Migrate SSIS packages from on-premises to Azure. Which two options?

Answer: SQL Server on Azure Virtual Machines + Azure Data Factory

Why: SQL Server on VMs can run SSIS natively. Data Factory supports SSIS integration runtime. Other Azure SQL options don't support SSIS.


Q: Synapse Self-Hosted IR Can't Be Shared

Scenario: Synapse Analytics pipeline uses self-hosted IR on a single on-premises VM. Need to create a new Synapse workspace with access to the same data.

Answer: Migrate the pipelines to Azure Data Factory

Why: Synapse doesn't support sharing self-hosted integration runtimes. Data Factory supports shared self-hosted IRs.


Q: Synapse Link for Cosmos DB

Scenario: Real-time analytics on Azure Cosmos DB data.

Answer: Azure Synapse Link

Why: Synapse Link provides a no-ETL integration between Cosmos DB and Synapse Analytics for real-time analysis.


7. Backup & Disaster Recovery

Q: Recovery Services Vault for Azure Files

Scenario: Automatically back up an Azure file share. Where to store backups?

Answer: Recovery Services vault

Why: Azure Files is a supported data source for Recovery Services vaults.


Q: Azure SQL Database Automated Backups

Scenario: Recover a database to a specific point in time for up to 31 days, minimize costs.

Answer: Use Azure SQL Database automated backups

Why: Standard automated backups provide PITR for up to 35 days at no extra cost. Elastic jobs don't provide PITR. LTR is for >35 days and costs more.


Q: Azure Backup for VMs

Scenario: Back up Windows and Linux VMs with minimal extra infrastructure.

Answer: Azure Backup

Why: Azure Backup supports both Windows and Linux VMs. MARS agent only works on Windows. DPM and MABS require extra infrastructure.


Q: MARS Agent on DPM Server

Scenario: On-premises DPM backs up Windows VMs. Need to copy backups to Azure with minimum effort.

Answer: Install the MARS agent on the DPM server

Why: MARS on DPM copies backups to Recovery Services vaults. Replacing DPM, deploying DPM in Azure, or deploying MARS to the network all require more change.


Q: Snapshot Tier for Backup (Max 5 Days)

Scenario: VM1 needs 4-day retention with fast recovery. VM2 needs 30 days. VM3 needs 365 days. Which VMs should use snapshot tier?

Answer: VM1 only

Why: Snapshot tier stores data locally for a maximum of 5 days. Longer retention requires vault tier.


Q: Key Vault Soft Delete + Purge Protection

Scenario: Ensure that Key Vault secrets/keys can be recovered if accidentally deleted.

Answer: Enable soft delete and purge protection

Why: Soft delete allows recovery of deleted items. Purge protection prevents permanent deletion during the retention period.


8. High Availability & SLA

Q: Availability Zones for Datacenter Failure

Scenario: Ensure solution is available if a datacenter within an Azure region fails, minimize costs.

Answer: Availability zones

Why: Availability zones provide redundancy within a region across datacenters. Availability sets don't protect against zone failure. Traffic Manager requires multi-region setup (more expensive).


Q: Traffic Manager for Region Failure (Non-HTTP)

Scenario: Highly available solution accessed via TCP port 8080 on VMs. Must survive Azure region failure.

Answer: Azure Traffic Manager

Why: Traffic Manager supports non-HTTP protocols and provides multi-region failover. Front Door only load balances web (HTTP/HTTPS) traffic.


Q: Composite SLA Calculation

Scenario: Calculate the composite SLA for chained services (e.g., 99.9% × 99.999% × 99.99%).

Answer: Multiply individual SLAs: 99.9% × 99.999% × 99.99% = 99.889%

Why: Composite SLA is the product of individual service SLAs.


Q: Premium V2 P1v2 for Zone-Redundant App Service

Scenario: Ensure a web app is available across zones in a single Azure region. Minimize costs.

Answer: Dedicated compute Premium V2 P1v2

Why: Only Premium V2 and Premium V3 are zone redundant. P1v2 is the cheapest option.


Q: SLA 99.999% Challenge

Scenario: Current SLA is 99.99%. Users want 99.999%. What is the biggest challenge?

Answer: How long it takes to detect outages

Why: At very tight SLAs, detecting outages quickly enough becomes the primary challenge. Recovery automation is usually available. Resource reliability is generally adequate.


9. Compute Solutions

Q: Proximity Placement Groups for Lowest Latency

Scenario: Frontend and backend each in their own VMSS. Ensure lowest latency communication.

Answer: Proximity placement groups

Why: Proximity groups deploy VMs close together for lower latency. Availability sets/zones separate resources. NSGs are for security rules.


Q: App Service Shared Tier for Low-Usage Apps

Scenario: Low-usage ASP.NET web app, minimize costs, needs to be highly available and managed.

Answer: Azure App Service plan in the Shared tier

Why: Shared tier is the most cost-optimized managed service. Isolated tier and AKS/ACS clusters are more expensive.


Q: Azure Functions Consumption Plan Timeout

Scenario: Three processes: PHP 4min, PHP 15min, C# 44min. Which can use Azure Functions Consumption plan?

Answer: Process1 only (4 minutes)

Why: Consumption plan has a default timeout of 5 minutes, extendable to 10 minutes max. Process2 (15min) and Process3 (44min) exceed this.


Q: Deployment Slots for Quick Rollback

Scenario: Web app deployed through Dev → UAT → Production. Need to quickly switch back to previous code version.

Answer: Deployment slots

Why: Deployment slots allow instant swapping between environments. Front Door, Traffic Manager, and DNS-based solutions depend on cache/TTL delays.


Q: Logic Apps for Long-Running Processes

Scenario: Download data requiring SOAP calls, ~20 minutes, minimize development and admin effort.

Answer: Azure Logic Apps

Why: Logic Apps support long-running processes (20+ min) with minimal code. Azure Functions timeout at 5-10 min on Consumption plan. Logic Apps also minimize development effort.


Q: Load Balancer + VMSS for CPU-Based Autoscaling

Scenario: Stateless application, auto-scale VMs based on CPU usage.

Answer: A load balancer with a virtual machine scale set

Why: VMSS enables autoscaling. Load balancer with regular VMs doesn't provide autoscaling. App Service and API Management can't run VMs.


Q: ARM Templates for Portal-Based Deployment

Scenario: Deploy 6 VMs, 2 load balancers, 2 storage accounts. Users must enter parameters in the Azure portal.

Answer: ARM templates

Why: ARM templates can be saved in the portal for reuse with user-specified parameters. CLI, Terraform, and PowerShell can't accept parameters via the portal.


10. Networking

Q: Azure Front Door for Caching + SSL + Latency Routing

Scenario: Cache static objects, terminate SSL close to users, route to lowest latency region.

Answer: Azure Front Door

Why: Front Door provides all three features. Traffic Manager doesn't cache or terminate SSL. Application Gateway terminates SSL but not close to users. Load Balancer does none.


Q: Azure Traffic Manager for Failover + Geographic Routing

Scenario: Available if region fails, route users to closest region.

Answer: Azure Traffic Manager

Why: Traffic Manager provides failover and geographic routing. API Management, Load Balancer, and Application Gateway don't provide these.


Q: ExpressRoute Premium Direct

Scenario: Global connectivity with MACsec encryption for high-security environments.

Answer: ExpressRoute Premium Direct

Why: ExpressRoute Direct supports MACsec encryption. Premium enables global reach across regions.


Q: Multiple VNets Required

Scenario: When do you need multiple virtual networks? (Choose 3)

Answer:

  1. Deploying resources to multiple subscriptions
  2. Organizational security requirements
  3. Deploying Azure SQL Managed Instance

Why: VNets can't span subscriptions. SQL MI deploys its own VNet. Security may require isolation/segmentation.


Q: VNet Peering or VPN Gateways for Cross-Subscription

Scenario: Two subscriptions need a single logical virtual network.

Answer: Peered virtual networks OR VPN gateways

Why: VNets can't span subscriptions. Peering and VPN gateways connect VNets across subscriptions.


Q: NSG or NVA for Intra-VNet Traffic Filtering

Scenario: Filter traffic between resources in a single virtual network.

Answer: Network security group (NSG) OR network virtual appliance (NVA)

Why: Both can filter network traffic within a VNet. Front Door and Traffic Manager route incoming traffic, not traffic between resources inside the VNet.


Q: Private Links for Cross-Tenant Access

Scenario: Application on load-balanced VMs needs to be accessible from other Azure tenants, isolated from public internet, shared without additional configurations.

Answer: Private links

Why: Private Link exposes services to other tenants via private endpoints. VNet peering and VPNs require extra configuration per tenant.


11. Migration

Q: Azure Database Migration Service

Scenario: Automate migration of Amazon RDS to Azure SQL MI using PowerShell, minimize tools and downtime.

Answer: Azure Database Migration Service

Why: DMS can be automated via PowerShell. Azure Data Studio extension requires extra software and can't be automated with PowerShell. Bulk copy and Import/Export need downtime.


Q: Oracle WebLogic on AKS

Scenario: Host Oracle WebLogic application in Azure.

Answer: Azure Kubernetes Service (AKS)

Why: WebLogic is supported on AKS. Not supported on App Service, Service Fabric, or API Management.


Q: CAF Migration Phases

Scenario: Which three phases in the Microsoft Cloud Adoption Framework migration plan?

Answer: Assess, Deploy, Release


Q: CAF Adopt Phase for Innovation

Scenario: Which CAF phase covers implementation of innovative solutions?

Answer: Adopt

Why: The adopt phase includes both migration and innovation stages.


Q: Rebuild Strategy for Legacy Apps

Scenario: Critical web app with limited functionality, nearing end-of-support tech, complex/difficult codebase.

Answer: Rebuild

Why: Complex, difficult-to-understand code can't easily be refactored. End-of-support tech makes lift-and-shift short-lived. Rebuild with modern tech enables fast enhancements.


Q: Migration Tools

Scenario: Which two tools automate creation of Azure resources for migration?

Answer: Azure Database Migration Service + Azure Migrate

Why: DMS handles database migration. Azure Migrate creates required resources for many services. Azure Spring Apps is for Spring Boot. App Configuration is for feature flags.


12. Messaging & Caching

Q: Azure Service Bus for Polling-Based Messaging

Scenario: Applications need to communicate using a polling mechanism with a fully managed service.

Answer: Azure Service Bus

Why: Service Bus uses pub/sub with polling. Event Hubs uses push for streaming. Event Grid uses triggers (push). Kafka on HDInsight is not fully managed.


Q: Service Bus Topics for Message Filtering

Scenario: Microservices using Service Bus. Subscribers should only receive relevant messages.

Answer: Topics

Why: Subscribers subscribe to topics containing only relevant messages, avoiding irrelevant message processing.


Q: Azure Cache for Redis for Static Content

Scenario: Web app with large static HTML headers/footers. Improve responsiveness.

Answer: Azure Cache for Redis

Why: Redis caching eliminates overhead of constantly generating static content. Traffic Manager, deployment slots, and Load Balancer don't address responsiveness.


Quick Reference: Key Decision Points

Scenario | Answer
-------- | ------
Never store password hashes | Azure AD Pass-through Auth
Sync on-prem AD to Azure AD | Azure AD Connect
MFA based on device/location/risk | Conditional Access
External customer auth with social media | Azure AD B2C
Cross-platform MFA | Microsoft Authenticator
Identity deleted with resource | System-assigned managed identity
Shared identity across resources | User-assigned managed identity
On-prem app auth via Azure AD | Azure AD Application Proxy
Store passwords securely | Key Vault secrets
FIPS 140-2 Level 2 | Key Vault Premium
Auto-policy on new subscriptions | Management groups
Tag compliance without blocking | Azure Policy (audit effect)
Cost reporting by department | Resource tags
Log IP traffic | NSG flow logs
Live stream app logs | az webapp log tail
SSIS + SSAS + SSRS | SQL Server on Azure VMs
Auto-pause SQL Database | vCore serverless compute
Columnstore + cost-optimized | SQL Standard S3
Cassandra + SQL API | Azure Cosmos DB
MongoDB migration | Azure Cosmos DB
Unstructured data + GRS | Azure Data Lake Storage
JSON + failover + low cost | Azure Data Lake Storage
NFS on Linux | Azure Files
SMB + NFS interoperability | Azure NetApp Files
Lowest latency file storage | Premium tier (Azure Files)
Recreatable files, min cost | LRS
Highest durability storage | GZRS
Readable copy in another region | RA-GZRS
File share backup | Recovery Services vault
SQL PITR ≤31 days | Automated backups
Windows + Linux VM backup | Azure Backup
DPM backups to Azure | MARS agent on DPM
Snapshot tier max retention | 5 days
Datacenter failure protection | Availability zones
Region failure (non-HTTP) | Traffic Manager
Zone-redundant App Service | Premium V2 P1v2
Cache + SSL termination + latency routing | Azure Front Door
Failover + geographic routing | Traffic Manager
Lowest VM-to-VM latency | Proximity placement groups
Low-usage web app, min cost | App Service Shared tier
Functions timeout (Consumption) | 5 min default, 10 min max
Quick code rollback | Deployment slots
Long-running SOAP process | Azure Logic Apps
CPU-based VM autoscaling | Load balancer + VMSS
Portal-based parameterized deploy | ARM templates
Polling-based messaging | Azure Service Bus
Message filtering for subscribers | Service Bus topics
Static content responsiveness | Azure Cache for Redis
Cross-tenant private access | Private Links
Intra-VNet traffic filtering | NSG or NVA
Automate DB migration (PowerShell) | Azure Database Migration Service
Oracle WebLogic hosting | AKS
Complex legacy app migration | Rebuild strategy
CAF migration phases | Assess → Deploy → Release

Study Tip: Focus on understanding WHY each answer is correct and why alternatives are wrong. The exam tests decision-making, not just knowledge of services.


Additional Questions (from Attempts #4-13)

Q: SQL CLR Integration Migration

Scenario: You have a Microsoft SQL Server application that uses SQL common language runtime (CLR) integration. You need to migrate to Azure with minimum ongoing administration costs.

Answer: Azure SQL Managed Instance

Why: SQL Managed Instance supports SQL CLR and avoids general administrative overhead. Azure SQL Database does NOT support SQL CLR integration. SQL Server on Azure VMs supports CLR but has higher admin overhead. Cosmos DB for NoSQL does not support SQL CLR.


Q: Azure Event Grid for Log Analytics Function Triggers

Scenario: You are designing a solution that will call an Azure function every time a log entry is created in Log Analytics. You need a fully managed service.

Answer: Azure Event Grid

Why: Event Grid uses a triggering mechanism for events (push model). Kafka on HDInsight is not fully managed. Service Bus uses pub/sub with polling. Event Hubs uses push for streaming but is designed for high-throughput event ingestion, not event-driven triggers.


Q: IoT Device Data Streaming to Power BI

Scenario: You are creating a Power BI dashboard to monitor IoT breathing machines. Each machine has wireless connectivity. Azure Stream Analytics will populate a streaming dataset in Power BI. To which service should the machines send data?

Answer: Azure Event Hubs

Why: Event Hubs is designed for large-volume event ingestion from internet-connected devices. It is also a good source of event data for Stream Analytics, which can then populate a streaming dataset in Power BI.


Q: Azure AD B2C User Flows for Member Onboarding

Scenario: Your organization operates an online membership system using Azure AD B2C. You need to automate member onboarding processes.

Answer: Sign-in flow + Sign-up flow

Why: You need user flows so users can sign up to your systems and then sign in. Password reset and profile editing are separate flows not needed for onboarding.


Q: Management Groups for Auto-Assigning Policies to New Subscriptions

Scenario: You need to ensure that new subscriptions have policies assigned automatically at creation for production and development environments.

Answer: Create different management groups for production and development. Assign the policies to the management groups.

Why: Policies assigned to management groups are automatically inherited by new subscriptions placed in those groups. Creating resource groups or subscriptions and assigning policies doesn't auto-apply to NEW subscriptions. Blueprints are not applied automatically.


Q: Always Encrypted for Azure SQL Database

Scenario: You have an App Service web app writing to Azure SQL Database with Always Encrypted. What two actions are needed?

Answer: Store keys in Azure Key Vault + Change the connection string used by the application

Why: You need to change the connection string to use Always Encrypted and access keys from Key Vault. Changing SSL settings only handles in-transit encryption, not Always Encrypted.


Q: Azure SQL Database HA - Storage + Processing Layer

Scenario: You need high availability for both storage AND processing layers of Azure SQL Database, minimizing costs.

Answer: Premium tier

Why: Only Premium, Business Critical, and Hyperscale tiers provide HA at the processing level as well as storage level. Premium is the cheapest of these three.


Q: Active/Passive with Hot Standby for Geo-Replicated SQL

Scenario: Web app with geo-replicated Azure SQL DB in two regions. Need to minimize downtime with HA design.

Answer: Active/passive with hot standby

Why: Because SQL DB doesn't support active/active (multi-write), you must use active/passive. Hot standby provides fastest recovery. Cold standby is cheaper but slower. Backup/restore doesn't minimize downtime.


Q: Azure Queue Storage vs Service Bus for Large Message Volumes

Scenario: Large-scale microservices app with 10 million unprocessed messages at 32 KB each. Messages processed once then deleted.

Answer: Azure Queue Storage

Why: 10 million × 32 KB = ~320 GB, which exceeds the 80 GB limit for Service Bus. Queue Storage can handle this volume. Key decision factor is total data volume.


Q: Log Analytics Dedicated Cluster for High-Volume Ingestion

Scenario: Log Analytics workspace ingesting ~8 TB of logs per day. Single query must correlate all logs. What should you do first?

Answer: Create a dedicated cluster

Why: When ingesting >4 TB/day, provision a dedicated cluster (ideally same region as monitored resources). Multiple workspaces break single-query correlation. Basic Logs don't support analytics/alerts.


Q: Conditional Access Attributes

Scenario: Restrict access to Azure resources based on attributes using Conditional Access. Which three attributes can you apply conditions to?

Answer: IP address, sign-in risk, device state

Why: Conditional Access supports: user/group, application, device state, IP range, and sign-in risk. It does NOT condition on resource type or subscription.


Q: SLA 99.999% - Biggest Challenge

Scenario: Current SLA is 99.99%. Business wants 99.999%. What's the biggest challenge?

Answer: How long it takes to detect outages

Why: At very tight SLAs, detecting outages fast enough is the hardest part. Recovery automation and resource reliability are usually adequate. 99.999% allows only ~5 min downtime/year.


Q: Diagnostics Storage with Immutability Requirements

Scenario: Store VNet diagnostics for 5 years. Need: high-speed access, immutable logs, auto-destroy after 5 years. Which three options?

Answer: Time-based retention policies + Legal hold policies + Premium Blob Storage

Why: Legal hold + time-based retention = immutable storage. Premium Blob = high-speed access. Archive/Cool tiers don't provide high-speed access. Time-based retention handles auto-deletion after period.


Q: Komprise Elastic Data Migration for Archive Tier

Scenario: Migrate files from on-premises share to Azure Blob Storage Archive tier.

Answer: Komprise Elastic Data Migration

Why: Only Komprise supports Archive tier. Azure File Sync only supports Azure Files. Datadobi and Data Dynamics only support Hot/Cool tiers, not Archive.


Q: CAF Adopt Phase Covers Innovation

Scenario: Which Cloud Adoption Framework phase covers implementation of innovative new solutions?

Answer: Adopt phase

Why: The Adopt phase comprises both migration AND innovation stages. Strategy defines goals, Plan organizes, Ready prepares environment, Govern/Manage handle ongoing operations.


Q: Azure Service Bus for Polling-Based Messaging

Scenario: Different applications need to communicate using a polling mechanism. Need a fully managed service.

Answer: Azure Service Bus

Why: Service Bus uses pub/sub with polling. Event Grid uses push/triggering. Event Hubs uses push for streaming. Kafka on HDInsight is not fully managed. Key differentiator: polling = Service Bus, push events = Event Grid, streaming = Event Hubs.


Q: Stream Analytics for Real-Time Event Hub to Power BI

Scenario: Retrieve GPS data from Event Hubs and send live filtered data to a Power BI dashboard.

Answer: Azure Stream Analytics

Why: Stream Analytics processes live streams with filtering and links directly to Power BI. SQL Database stores data but doesn't stream it. Data Factory transforms data but doesn't run continuous live jobs. Event Grid doesn't filter events or link directly to Power BI.


Q: ExpressRoute + VPN Gateway for Hybrid Connectivity

Scenario: Connect on-premises network to Azure. Which two services?

Answer: ExpressRoute + Azure VPN Gateway

Why: ExpressRoute = high-speed private connection (no public internet). VPN Gateway = tunnel over public internet. VPN Gateway can serve as backup for ExpressRoute. Virtual Network peering is for Azure-to-Azure only.


Q: Azure Front Door for Web App Optimization

Scenario: Optimize internet connectivity to web app. Requirements: cache static objects, SSL termination close to user, route to lowest latency region.

Answer: Azure Front Door

Why: Front Door provides all three: caching, SSL termination at edge (close to users), and latency-based routing. Traffic Manager doesn't cache or terminate SSL. Application Gateway terminates SSL but not close to users. Load Balancer does none of these.


Q: IoT Devices → Event Hubs → Stream Analytics → Power BI Pipeline

Scenario: Breathing machines with wireless connectivity send monitoring data. Stream Analytics populates a Power BI dashboard. Where should devices send data?

Answer: Azure Event Hubs

Why: Event Hubs is designed for large numbers of events from internet-connected devices. Devices send to Event Hubs, which feeds Stream Analytics, which populates Power BI. Devices should NOT send directly to Stream Analytics; Event Hubs is the ingestion layer.


Q: SQL Managed Instance for SQL CLR Integration

Scenario: SQL Server app uses SQL CLR (common language runtime) integration. Migrate to Azure with minimum admin costs.

Answer: Azure SQL Managed Instance

Why: SQL Managed Instance supports SQL CLR integration. Azure SQL Database does NOT support SQL CLR. SQL Server on VMs supports it but has highest admin overhead. Cosmos DB doesn't support SQL CLR at all.


Q: Data Lake ACLs — Remove RBAC Roles to Enforce ACLs

Scenario: Design access control for Azure Data Lake Storage. Users must only access folders/files based on access ACLs.

Answer: Ensure users are NOT assigned to Reader, Contributor, or Owner roles

Why: If users have Reader/Contributor/Owner RBAC roles, those roles bypass ACL evaluation for read access. To enforce ACL-based access control, users must not have these built-in roles assigned.


Q: Cool Tier for Rarely Accessed Files with 10-Minute Recovery

Scenario: Download files daily from SFTP, store for 1 year. Rarely needed but must be available within 10 minutes. Minimize costs.

Answer: Cool storage tier

Why: Archive tier has lowest cost but rehydration takes hours (cannot meet 10-minute requirement). Cool tier is next cheapest and provides immediate access. Hot tier is more expensive than necessary.


Q: Logic Apps for Long SOAP-Based Scheduled Processes

Scenario: Download employee risk data from SaaS via SOAP web calls daily. Process takes ~20 minutes. Minimize dev time and admin effort.

Answer: Azure Logic Apps

Why: 20-minute duration exceeds Azure Functions Consumption plan timeout (5-10 min). Logic Apps handles long-running workflows, supports SOAP connectors, minimizes development effort with visual designer, and runs on schedule.


Q: AKS Contributor Role for Viewing and Modifying Roles

Scenario: User needs to view and modify AKS roles within a cluster. Follow least privilege.

Answer: Azure Kubernetes Service Contributor

Why: Contributors can change roles and bindings. RBAC Writer cannot modify roles/role bindings. Cluster Admin only lists admin credentials. Cluster User only lists user credentials. Key distinction: Contributor = modify roles, Writer = modify resources but not roles.


Q: Regulatory Compliance as Primary Driver for Governance

Scenario: Single engineering team, single subscription, VMs must comply with banking standards. Why apply policies at tenant root level?

Answer: Complying with banking standards (regulatory requirements)

Why: Regulatory requirements are the primary driver for governance at root level. Subscription structure, number of teams, or VM consistency are secondary considerations. Regulatory compliance drives the need for organization-wide policies.


Q: Azure Backup vs MARS Agent for VM Backup

Scenario: Back up Windows AND Linux VMs in Azure. Minimize extra infrastructure.

Answer: Azure Backup

Why: Azure Backup backs up entire VMs (both Windows and Linux). MARS agent ONLY works on Windows VMs. DPM and MABS require extra infrastructure. Key distinction: Azure Backup = full VM (Win+Linux), MARS = Windows files/folders only.


Q: System-Assigned vs User-Assigned Managed Identities

Scenario: Identity solution for VMs. Identities must be removed when VMs are deleted. Identities cannot be shared among multiple VMs.

Answer: System-assigned managed identities

Why: System-assigned identities are tied to the resource lifecycle — auto-deleted when the VM is deleted, and cannot be shared. User-assigned identities can be shared across resources and persist independently. Key distinction: system = 1:1 with resource, auto-delete; user = reusable, manually managed.


Q: Synapse Shared Self-Hosted IR Limitation → Data Factory

Scenario: Single on-premises VM hosts self-hosted integration runtime for Synapse. Need a second Synapse workspace with access to same on-premises SQL servers.

Answer: Migrate the pipelines to Azure Data Factory

Why: Azure Synapse Analytics does NOT support sharing self-hosted integration runtimes between workspaces. Data Factory supports both the pipelines AND shared self-hosted IRs. SSIS IR is not needed for this scenario.


Q: SQL Server xp_cmdshell → VMs Required (OS Access)

Scenario: SQL Server uses xp_cmdshell for OS commands. Average disk I/O is 98%. Migrate to Azure.

Answer: Azure Storage-optimized virtual machine

Why: xp_cmdshell requires OS-level access, which means you MUST use SQL Server on VMs (not SQL Database or Managed Instance). Given 98% disk I/O, storage-optimized VMs (Lsv2) provide the best performance. Key rule: OS-level access = VMs only.


Q: JSON Data + Failover + Minimize Costs = Data Lake (NOT Cosmos DB)

Scenario: Data storage optimized for JSON, supports failover to different region, minimize costs.

Answer: Azure Data Lake Storage

Why: While Cosmos DB handles JSON and failover, it is FAR more expensive. Data Lake Storage handles unstructured data (including JSON), supports GRS for failover, and costs much less. Key trap: Don't pick Cosmos DB when "minimize costs" is a requirement — Data Lake is the budget option.


Q: When Do You Need Multiple Virtual Networks?

Scenario: Identify three requirements that force multiple VNets.

Answer: (1) Deploying resources to multiple subscriptions, (2) Organizational security requirements, (3) Deploying Azure SQL Managed Instance

Why: VNets can span resource groups but NOT subscriptions. SQL Managed Instance deploys its own VNet. Security isolation may require separate VNets. Key traps: multiple resource groups ≠ multiple VNets, SLAs ≠ multiple VNets.


Q: Service Principal Authentication — Three Required Objects

Scenario: App must authenticate directly with Azure AD using a service principal.

Answer: Tenant ID + Client ID + Client Secret

Why: Tenant ID identifies the directory, Client ID identifies the app registration, Client Secret proves authorization. Application object ID and Key Vault object ID are NOT required for authentication.
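Added example (not Microsoft's code and not from the original guide) showing where each of the three values goes in the OAuth 2.0 client credentials exchange with Azure AD. It assumes the v2.0 token endpoint and uses constructed placeholder IDs and a constructed, unsigned sample token; a real token's signature must be verified against the tenant's signing keys, which this offline snippet does not do.

```python
from __future__ import annotations
import base64
import json
from urllib.parse import urlencode

# Constructed placeholders, not real identifiers.
TENANT_ID = "11111111-1111-1111-1111-111111111111"   # identifies the directory
CLIENT_ID = "22222222-2222-2222-2222-222222222222"   # identifies the app registration
CLIENT_SECRET = "<client-secret-placeholder>"        # the credential the app presents


def token_request(tenant_id: str, client_id: str, client_secret: str,
                  scope: str = "https://management.azure.com/.default") -> tuple[str, str]:
    """Build the client_credentials POST: the tenant goes in the URL, the client id
    and secret in the form body. Returns (url, body) without sending anything."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    return url, body


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def claims_from_token(access_token: str) -> dict:
    """Decode the JWT payload only (no signature check here; see lead-in)."""
    return json.loads(_b64url_decode(access_token.split(".")[1]))


def token_matches_principal(access_token: str, tenant_id: str, client_id: str) -> bool:
    """A token issued to this service principal carries the tenant in 'tid' and the
    app registration's client id in 'appid' (v1 tokens) or 'azp' (v2 tokens)."""
    claims = claims_from_token(access_token)
    app = claims.get("appid") or claims.get("azp")
    return claims.get("tid") == tenant_id and app == client_id


def _make_sample_token(claims: dict) -> str:
    """Constructed unsigned token for offline demonstration only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


SAMPLE_TOKEN = _make_sample_token(
    {"tid": TENANT_ID, "azp": CLIENT_ID, "aud": "https://management.azure.com"})

if __name__ == "__main__":
    url, _body = token_request(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    print(url)  # the body is not printed: it carries the client secret
    print(token_matches_principal(SAMPLE_TOKEN, TENANT_ID, CLIENT_ID))  # True
```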


Q: Default ACL for Data Lake Folder Inheritance

Scenario: Ensure a predefined ACL applies to ALL new files and folders in a root folder.

Answer: Create a default ACL for the root folder

Why: Default ACLs define the ACL template inherited by new child objects. Access ACLs only apply to the object itself, not children. Creating access ACLs per folder doesn't cover new files in root. Key distinction: default ACL = inheritance template, access ACL = direct permissions.
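Added example (not Azure's code and not from the original guide) serving both the RBAC-bypass question above and this default ACL one: a simplified Python model of how an ADLS Gen2 read is authorized and how a default ACL is inherited. It assumes Azure RBAC is evaluated before ACLs and that a matching role short-circuits the ACL check, that a new child's access ACL is copied from the parent's default ACL (a new directory also keeps it as its own default ACL), and it omits mask and umask handling.

```python
from __future__ import annotations

# Roles the study question says bypass ACL evaluation for reads (constructed set for this model).
RBAC_BYPASS_ROLES = {"Reader", "Contributor", "Owner"}


def parse_acl(acl: str) -> tuple[dict[tuple[str, str], str], dict[tuple[str, str], str]]:
    """Split an ADLS Gen2 ACL string ("user::rwx,default:user:<oid>:r-x,...")
    into access entries and default entries keyed by (type, qualifier)."""
    access: dict[tuple[str, str], str] = {}
    default: dict[tuple[str, str], str] = {}
    for entry in acl.split(","):
        parts = entry.strip().split(":")
        if parts[0] == "default":
            default[(parts[1], parts[2])] = parts[3]
        else:
            access[(parts[0], parts[1])] = parts[2]
    return access, default


def inherit_acl(parent_acl: str, is_directory: bool) -> str:
    """ACL a newly created child receives: the parent's DEFAULT entries become the
    child's access ACL; a new directory also carries them as its own default ACL."""
    _, default = parse_acl(parent_acl)
    entries = [f"{t}:{q}:{perm}" for (t, q), perm in default.items()]
    if is_directory:
        entries += [f"default:{t}:{q}:{perm}" for (t, q), perm in default.items()]
    return ",".join(entries)


def can_read(principal: str, groups: set[str], rbac_roles: set[str], path_acl: str) -> bool:
    """RBAC first; only when no bypass role is held does the path's access ACL decide."""
    if rbac_roles & RBAC_BYPASS_ROLES:
        return True  # the role grants read regardless of ACLs (the trap in the question)
    access, _ = parse_acl(path_acl)
    if ("user", principal) in access:
        return "r" in access[("user", principal)]
    group_entries = [access[("group", g)] for g in groups if ("group", g) in access]
    if group_entries:
        return any("r" in perm for perm in group_entries)
    return "r" in access.get(("other", ""), "---")


# Constructed sample: the root folder's ACCESS ACL names alice, but its DEFAULT ACL
# names bob. Only bob's entry is carried onto new children; alice's is not inherited.
ROOT_ACL = ("user::rwx,group::r-x,other::---,user:alice-oid:r-x,"
            "default:user::rwx,default:group::r-x,default:other::---,default:user:bob-oid:r-x")
NEW_FILE_ACL = inherit_acl(ROOT_ACL, is_directory=False)

if __name__ == "__main__":
    print("new file ACL:", NEW_FILE_ACL)
    print("alice reads new file:", can_read("alice-oid", set(), set(), NEW_FILE_ACL))        # False
    print("bob reads new file:", can_read("bob-oid", set(), set(), NEW_FILE_ACL))            # True
    print("alice with Reader role:", can_read("alice-oid", set(), {"Reader"}, NEW_FILE_ACL))  # True
```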


Q: TCP (Non-HTTP) Traffic + Region Failure = Traffic Manager (NOT Front Door)

Scenario: Highly available load-balanced solution accessed via TCP port 8080. Must survive Azure region failure.

Answer: Azure Traffic Manager

Why: Traffic Manager works with ANY protocol (TCP, HTTP, etc.) and provides multi-region failover. Front Door ONLY works with web traffic (HTTP/HTTPS). Availability zones only protect within a region, not across regions. Key rule: non-HTTP traffic + region failover = Traffic Manager.


Q: Rebuild vs Rearchitect Migration Strategy

Scenario: Critical web app with end-of-support tech, complex/hard-to-understand code, slow to enhance.

Answer: Rebuild

Why: When the codebase is too complex to refactor and technologies are end-of-support, rebuild from scratch with modern tech. Rearchitect implies modifying existing code (not viable with complex legacy). Lift-and-shift preserves the dying tech. Key distinction: rebuild = start fresh, rearchitect = modify existing architecture.


Q: Key Vault Object Types — Secret vs Key vs Certificate

Scenario: Store a password securely in Azure Key Vault.

Answer: Create a secret

Why: In Key Vault: Secrets = passwords, tokens, API keys, connection strings. Keys = encryption keys only. Certificates = TLS/SSL certificates. Common trap: don't confuse "key" (encryption) with "secret" (password/token).


Q: SQL Database Standard S3 — Cheapest Tier with Columnstore Indexing

Scenario: SQL Database needs 3 IOPS per DTU, columnstore indexing, minimize costs.

Answer: Standard S3

Why: Basic and Standard S2 do NOT support columnstore indexing. Standard S3 is the cheapest tier that does. Premium also supports it but is more expensive. Key fact: Standard S3 = minimum tier for columnstore indexing in DTU model.


Q: Cosmos DB Continuous Backup — 30-Day Self-Service PITR

Scenario: Cosmos DB for MongoDB API, restore to any point in time from last 30 days, self-service.

Answer: Continuous backup mode in Cosmos DB

Why: Continuous backup provides self-service point-in-time restore for up to 30 days. Periodic backup mode has minimum 1-hour intervals (not any point in time) and requires a support ticket. Azure Backup and MARS do NOT support Cosmos DB. Key trap: don't pick Azure Backup for Cosmos DB.


Q: Migration Automation Tools — Azure Migrate + DMS

Scenario: Many workloads to migrate, need to automate creation of Azure resources.

Answer: Azure Migrate + Azure Database Migration Service (DMS)

Why: Azure Migrate creates required Azure resources for many services. DMS handles database migration. Azure Spring Apps is for Spring Boot apps only. Azure App Configuration is for feature flags/config, not migration.


Q: Cross-Subscription VNet Connectivity — Peering or VPN Gateway

Scenario: Two subscriptions (Sub1, Sub2) need a single logical virtual network.

Answer: VNet peering OR VPN gateways

Why: VNets cannot span subscriptions. To connect VNets across subscriptions, use either peering (lower latency, uses Azure backbone) or VPN gateways (encrypted tunnel). Both are valid complete solutions.