AZ-305 Designing Azure Infrastructure Solutions - Practice Test 1

Azure Monitor with Log Analytics workspace is the recommended centralized logging and monitoring solution in Azure. It enables collection of logs and metrics from multiple Azure resources, supports powerful Kusto Query Language (KQL) queries, and integrates with Azure Dashboards and Workbooks for visualization. Event Hubs is for streaming data ingestion, not querying. Blob Storage lacks query capabilities, and SQL Database is not designed for log analytics at scale. See more: Logging and Monitoring

The best approach combines Log Analytics for near real-time querying and alerting on configuration changes with a Storage Account using immutable blob storage (WORM policies) for 7-year regulatory retention. Activity Log alone in storage does not enable near real-time alerting. Azure Monitor alerts on individual resources would be difficult to manage at scale. Azure Policy enforces compliance but does not provide the auditing and retention capabilities required. See more: Logging and Monitoring

Workspace-based Application Insights resources connected to a centralized Log Analytics workspace provide distributed tracing with correlation across regions through shared workspace queries. Setting retention to 2 years on the workspace meets the retention requirement. Azure Monitor alert rules with action groups can trigger Logic Apps for automated remediation workflows. Separate workspaces per region would complicate cross-region correlation. A single Application Insights resource with default retention does not meet 2-year requirements. Event Grid with Functions does not provide distributed tracing. See more: Logging and Monitoring

Azure AD Application Proxy supports header-based SSO for legacy on-premises applications while Azure AD handles modern cloud applications natively. This combination provides a unified identity experience. Azure AD B2C is for customer-facing applications, not internal SSO. AD FS is legacy and does not simplify the architecture. Azure Front Door is a networking service, not an identity solution. See more: Authentication and Authorization

Microsoft Entra ID (formerly Azure AD) with the Microsoft identity platform is the standard identity solution for corporate users who already have Microsoft 365 credentials. It supports OpenID Connect and OAuth 2.0 for modern authentication. Azure AD B2C is for consumer/customer-facing scenarios. AD FS is legacy and unnecessary when Azure AD is available. Key Vault stores secrets, not user identities. See more: Authentication and Authorization

The client credentials flow is designed for service-to-service (daemon) applications that access resources using application permissions granted by an administrator, rather than delegated user permissions. Authorization code flow with PKCE is for user-interactive scenarios. Implicit grant flow is deprecated for most scenarios. Device code flow is for devices without a browser. See more: Authentication and Authorization

Azure AD B2C with custom policies (Identity Experience Framework) is the correct choice for customer-facing (CIAM) scenarios requiring federation with social and national identity providers, per-region custom branding, step-up authentication for high-risk transactions, and progressive profiling to collect user attributes over multiple sessions. Azure AD is for workforce identities, not customer-facing scenarios at this scale. Guest accounts do not support custom branding or progressive profiling. AD FS is on-premises and legacy. See more: Design Authentication

In a Zero Trust authentication model, Conditional Access policies are the policy engine that evaluates conditions (location, device compliance, risk level) before granting access, and MFA enforcement adds explicit verification. Together, they ensure that users must prove their identity and meet compliance conditions. NSGs are network-layer controls, not authentication controls. DDoS Protection is for availability, not identity verification. See more: Design Authentication

AKS-managed Azure AD integration enables developers to authenticate using their Azure AD credentials. Enabling Azure RBAC for Kubernetes authorization allows you to map Azure AD groups to Kubernetes RBAC roles, providing unified access management. Local accounts are less secure and harder to manage. Shared certificates do not support per-user access control. SSH access to nodes is for administration, not application-level RBAC. See more: Design Authentication

Azure RBAC (Role-Based Access Control) is the recommended way to control access to Key Vault data plane operations. You assign the Key Vault Secrets Officer role to Security Admins for full management, and Key Vault Secrets User role to developers for read-only access. Azure Policy enforces governance rules but is not for fine-grained data access control. NSGs are network-level controls. SAS tokens are for Azure Storage, not Key Vault. See more: Design Authorization

Assigning the Network Contributor role at the management group level gives the Network team permissions to manage virtual networks and related networking resources across all subscriptions in the hierarchy, without granting compute resource permissions. The Contributor role is too broad. Assigning per subscription is viable but not the most efficient approach. Azure AD custom roles apply to Azure AD operations, not Azure resource management (you would need a custom Azure role instead, but the built-in Network Contributor already fits). See more: Design Authorization

PIM role settings allow you to configure all the specified requirements directly: require approval for activation with designated approvers, require justification, set maximum activation duration to 4 hours, and configure notification recipients for the security team. Default PIM settings do not include approval or justification by default. Conditional Access controls sign-in conditions, not role activation. Access reviews audit existing assignments but do not control the activation process. See more: Design Authorization

Azure Policy with Deny effect is the correct governance tool for enforcing mandatory tags and restricting resource types. A policy requiring tags will block resource creation if the CostCenter or Environment tag is missing. A separate policy denying Public IP resource type on production subscriptions prevents public IP creation. Automation runbooks are reactive, not preventive. Blueprints are for environment setup, not ongoing enforcement. ARM templates do not prevent creation through other methods like the portal. See more: Design Governance

Management groups provide a hierarchy above subscriptions where Azure Policy assignments are automatically inherited by all child subscriptions, including new ones. Azure Blueprints provide subscription-level scaffolding (resource groups, RBAC, policies) that can be assigned at the management group level. DevOps pipelines require manual or triggered execution for each new subscription. Azure Lighthouse is for cross-tenant management. ARM templates need explicit deployment. See more: Design Governance

The built-in "Allowed locations" Azure Policy restricts where resources can be deployed. Assigning it with West Europe and North Europe as allowed values will deny resource creation in any other region. Network rules control traffic, not resource deployment locations. RBAC does not control region restrictions. You cannot remove regions from a subscription. See more: Design Governance

Azure Cosmos DB is the only Azure service that natively supports multi-region writes, guarantees single-digit millisecond latency, offers five well-defined consistency levels, and handles schema-flexible document data with the NoSQL (formerly SQL) API. Azure SQL Database supports geo-replication but only single-region writes. PostgreSQL read replicas are read-only in secondary regions. Table Storage does not provide multi-region writes or tunable consistency. See more: Data Management Strategy

Auto-failover groups provide automatic failover with near-zero RPO using asynchronous replication, and they expose read-write and read-only listener endpoints that redirect connections automatically during failover, so application connection strings do not need to change. The read-only listener endpoint directs reporting traffic to the secondary, offloading production. Active geo-replication requires manual failover and application connection string updates. Point-in-time restore has much higher RPO and RTO. Log shipping is not a native Azure SQL Database feature. See more: Data Management Strategy

Azure Data Lake Storage Gen2 provides cost-effective storage for large volumes of semi-structured data. Azure Synapse Analytics serverless SQL pools allow ad-hoc T-SQL queries directly against files in the data lake without provisioning infrastructure, and support external tables or OPENROWSET to join with data in Azure SQL Database. Importing 5 TB daily into SQL Database is cost-prohibitive. Cosmos DB is not optimized for large-scale batch analytics. HDInsight adds cluster management overhead and does not natively support T-SQL joins with SQL Database. See more: Data Management Strategy

Always Encrypted ensures that sensitive data is encrypted at the column level and the encryption keys are only accessible to the application, not DBAs. This means DBAs can perform their management tasks but never see plaintext values. TDE encrypts data at rest but DBAs with query access can still see plaintext data. Dynamic Data Masking can be bypassed by users with UNMASK permission and does not encrypt the underlying data. Row-Level Security controls which rows are visible, not which column values. See more: Data Protection Strategy

Azure Key Vault is the dedicated Azure service for securely storing and managing secrets, encryption keys, and certificates. It provides access control through RBAC, audit logging, and HSM-backed key protection. App Configuration is for feature flags and non-sensitive settings. Blob Storage is for general file storage. Azure AD manages identities, not application secrets. See more: Data Protection Strategy

Customer-managed keys (CMK) stored in Azure Key Vault Managed HSM provide FIPS 140-2 Level 3 validated key storage with full customer control over rotation, revocation, and auditing. The Standard tier of Key Vault only provides FIPS 140-2 Level 1 (software-based) protection. Microsoft-managed keys do not give customers control. Client-side encryption shifts key management to the application, which may not meet the HSM requirement. See more: Data Protection Strategy

Application Insights collects telemetry from Azure Functions including error rates and response times, and you can create alert rules with specific thresholds (error rate above 5%, response time above 3 seconds). Azure Monitor action groups define the notification channels (email, SMS, webhook) and are attached to alert rules to notify the platform team. Service Health alerts are for Azure platform-level issues, not application metrics. Advisor provides optimization recommendations, not real-time alerting. See more: Monitoring Data Platform

Microsoft Defender for Cloud provides unified security posture management (CSPM) with a secure score, regulatory compliance dashboards, and threat detection across Azure, on-premises (via Azure Arc), and multi-cloud environments (via native AWS and GCP connectors). It provides actionable security recommendations. Azure Monitor is for operational monitoring, not security posture. Sentinel is a SIEM/SOAR but not a CSPM tool. Azure Policy only covers Azure resources and does not provide threat detection. See more: Monitoring Data Platform

Application Insights supports custom metrics (trackMetric) and custom events (trackEvent) alongside standard performance metrics. Azure Workbooks provides rich interactive reports that combine metrics, logs, and text, and these can be shared through Azure Dashboards with fine-grained access control. Data Explorer and Power BI add complexity. Event Hubs with SQL and Blob Storage with Power BI require significant custom development for what Application Insights provides natively. See more: Monitoring Data Platform

Azure Site Recovery (ASR) provides disaster recovery for Azure VMs by continuously replicating them to a secondary Azure region. During a regional outage, you can failover to the secondary region with minimal data loss. Azure Backup is for data backup and restore, not live replication. Traffic Manager routes traffic but does not replicate VMs. Load Balancer distributes traffic within a region. See more: Site Recovery Strategy

Azure Site Recovery provides continuous replication with RPO typically under 15 minutes and supports recovery plans that orchestrate multi-tier failover within the RTO target. Test failover creates VMs in an isolated network so you can validate the DR plan without affecting production. GRS backups have much higher RPO and RTO. Snapshots every 15 minutes are not practical at scale. Active-active is over-engineering for a DR scenario with 2-hour RTO tolerance. See more: Site Recovery Strategy

Azure Site Recovery supports both VMware-to-Azure and Azure-to-Azure replication scenarios. During migration, ASR protects on-premises VMware VMs with DR to Azure. After the workloads are migrated to Azure VMs, you reconfigure ASR to replicate Azure-to-Azure for cross-region DR. Azure Backup does not provide near-real-time replication. Manual export/import is slow and availability sets are for in-region availability. Third-party solutions add licensing cost and complexity. See more: Site Recovery Strategy

For 99.99% availability that survives a complete region failure, an active-active multi-region architecture is required. Azure Front Door provides global load balancing with automatic failover. Zone-redundant resources in each region protect against datacenter failures. Cosmos DB with multi-region writes ensures data availability and minimal data loss during region failures. A single-region deployment, even with availability zones, only provides 99.95-99.99% and cannot survive a full region outage. ASR has failover time that violates 99.99% SLA. VMSS does not automatically coordinate cross-region deployment. See more: High Availability

Azure SQL Database Premium and Business Critical service tiers support zone-redundant configuration, which distributes database replicas across multiple availability zones within a region. This provides a 99.995% SLA. The Basic tier does not support zone redundancy. General Purpose with locally redundant storage keeps all replicas in a single zone. Hyperscale with a single replica does not provide zone-redundant high availability. See more: High Availability

Zone redundancy on the App Service plan distributes instances across multiple Availability Zones (separate datacenters) within a region. If one datacenter fails, the instances in other zones continue serving traffic. Auto-scaling in the same datacenter does not protect against datacenter failure. Deployment slots are for release management. CDN caches content at edge locations but does not provide compute high availability. See more: High Availability

Lifecycle management policies automate tier transitions: Hot for the first 90 days (frequent access), Cool from 90 days to 1 year (infrequent access, retrieval within hours), and Archive after 1 year (rare access, retrieval within 15 hours meets the rehydration time). Immutable storage policies with time-based retention ensure legal compliance for the full 8-year period. Hot tier for all data is expensive. Delete and re-upload is unnecessary with lifecycle policies. Azure Files Premium is cost-prohibitive for archival. See more: Data Archiving Strategy

Azure Blob Storage immutable storage with a time-based retention policy in locked mode creates a WORM (Write Once, Read Many) state. Once locked, the retention interval cannot be shortened and data cannot be modified or deleted until the retention period expires, even by storage account administrators or Microsoft support. Soft delete allows recovery of deleted data but does not prevent deletion. RBAC deny assignments and Azure Policy can be modified by privileged users. See more: Data Archiving Strategy

Azure Blob Storage Archive tier provides the lowest-cost storage for petabyte-scale data with acceptable retrieval latency (up to 15 hours for standard rehydration). LRS (Locally Redundant Storage) keeps data within a single region. Blob versioning provides an audit trail. Immutable storage legal hold policies prevent deletion during active investigations regardless of other retention policies. Azure Policy enforces regional deployment. Data Lake Gen2 does not support Archive tier. Managed Disks are not designed for document archival. SQL Database is not cost-effective for petabyte-scale document storage. See more: Data Archiving Strategy

Deployment slots allow you to deploy to a staging slot, route a percentage of production traffic to it for validation (canary testing), and then swap slots for a zero-downtime cutover. If issues are found, you can swap back instantly. Stopping the service causes downtime. Manual approval gates do not validate with live traffic. Creating a new App Service and updating DNS involves DNS propagation delays and is not instant. See more: Design Deployments

ARM templates (JSON) and Bicep templates are Azure's native declarative Infrastructure as Code tools. They define the desired state of infrastructure and Azure Resource Manager handles the deployment. Bicep is a domain-specific language that compiles to ARM template JSON with a simpler syntax. Azure CLI and Azure PowerShell are imperative scripting tools that execute commands step by step, not declarative IaC. See more: Design Deployments

Kubernetes RollingUpdate strategy incrementally replaces old pods with new ones. Combined with readiness probes, Kubernetes ensures new pods are healthy before continuing the rollout. If a readiness probe fails, the rollout pauses automatically. maxUnavailable and maxSurge control the pace. Recreate strategy causes downtime by terminating all old pods first. Manual approval is not automatic. Two clusters for blue-green is over-engineered for this scenario. See more: Design Deployments

Azure Migrate with Azure SQL Assessment discovers SQL Server instances, assesses compatibility with each Azure SQL target, recommends the best-fit Azure SQL deployment option, identifies migration blockers, and provides cost estimates. This should be the first step before migration. Database Migration Service performs the actual migration but does not help with target selection and assessment. SSMS backup/restore is a manual migration method. The Pricing Calculator does not assess compatibility. See more: Design Migrations

For a legacy monolithic Java application with deep WebLogic dependencies (JMS, JDBC pooling, JNDI, clustering), the lift-and-shift approach using WebLogic on Azure VMs from the Marketplace is the fastest path with minimal code changes. Azure provides pre-configured WebLogic Marketplace images that simplify the setup. This enables a phased modernization approach. Refactoring to microservices requires significant time and effort. App Service does not support WebLogic-specific features. Azure Functions is for event-driven workloads, not monolithic applications. See more: Design Migrations

Azure Synapse Analytics dedicated SQL pool is the cloud-native replacement for on-premises data warehouses, supporting T-SQL, stored procedures, and massive parallel processing. Azure Data Factory handles the large-scale data movement with built-in connectors to common on-premises data warehouse systems. Stored procedures can be converted with some modifications. Azure SQL Database is not designed for 50 TB data warehouse workloads. Blob Storage with Databricks loses the SQL-based stored procedure ecosystem. Cosmos DB is not a data warehouse platform. See more: Design Migrations

Azure API Management (APIM) provides a full API gateway with rate limiting (throttling policies), subscription key management for API access, and a built-in developer portal where partners can discover, test, and subscribe to APIs. Application Gateway is a Layer 7 load balancer without API management capabilities. Front Door is a global CDN and load balancer. Load Balancer operates at Layer 4 and does not understand HTTP/API traffic. See more: API Integration Strategy

Azure Service Bus Topics with subscriptions implement the publish-subscribe pattern where a single message published to a topic is delivered to multiple subscribers (inventory, shipping, notification services). Each subscription receives its own copy. Queue Storage delivers each message to a single consumer. Event Hubs is optimized for high-throughput telemetry streaming, not enterprise messaging patterns. Direct HTTP calls create tight coupling and do not provide message persistence or pub-sub capabilities. See more: API Integration Strategy

Azure Event Grid natively integrates with Azure Blob Storage to publish events on blob creation. An Azure Function triggered by the Event Grid event processes the file metadata and sends it via HTTPS webhook to the SaaS platform. Both Event Grid and Azure Functions are serverless. Data Factory is for data movement and ETL, not event-driven workflows. A VM adds infrastructure management overhead. Service Bus requires a listener application, adding complexity. See more: API Integration Strategy

Azure Blob Storage Hot tier provides cost-effective storage for frequently accessed large-scale data. RA-GRS (Read-Access Geo-Redundant Storage) provides high availability with read access from the secondary region. Azure CDN caches content at global edge locations for low-latency delivery worldwide. Anonymous blob access supports public content scenarios. Azure Files Premium is designed for file shares, not large-scale blob content. Data Lake Gen2 adds cost from hierarchical namespace without benefit for video serving. Managed Disks are for VM storage, not content distribution. See more: Storage Strategy

Azure Files Premium provides SMB file shares with SSD-backed performance exceeding 100 MB/s throughput. It supports identity-based authentication through Azure AD Domain Services or on-premises Active Directory, and provides encryption at rest (SSE) and in transit (SMB encryption). NFS protocol does not support Windows SMB clients. Azure NetApp Files Ultra tier would work but is more expensive and complex than needed. Shared disks require cluster-aware file systems and do not support SMB natively. See more: Storage Strategy

GRS and GZRS replicate data to a secondary region, providing protection against a complete regional outage. GRS replicates three copies in the primary region (LRS) plus three copies in the secondary region. GZRS combines zone-redundant storage in the primary region (ZRS) with geo-replication to the secondary region. LRS keeps all copies in a single datacenter. ZRS distributes across availability zones within one region but does not protect against regional failures. See more: Storage Strategy

Azure Functions Consumption plan charges only for actual execution time, making it the most cost-effective during low-traffic periods. It scales automatically to handle traffic spikes. For latency-sensitive API paths, a Premium plan with pre-warmed instances eliminates cold start delays. VMs have the highest baseline cost. App Service Premium tier has a fixed minimum cost. AKS adds management complexity and baseline node costs even during low traffic. See more: Compute Strategy

Azure Container Instances provide per-second billing with no infrastructure to manage. Using Azure Automation or a scheduled workflow to spin up containers only during business hours and tear them down afterward ensures zero cost outside those hours. The resources meet the 8 vCPU and 32 GB RAM requirement. Dedicated VMs running 24/7 waste money on idle hours. App Service plan does not scale down to zero cost. Azure Functions Consumption plan has a maximum execution time limit and memory constraints that would not support large compilation tasks. See more: Compute Strategy

Azure Virtual WAN with secured virtual hubs provides managed hub-and-spoke networking at scale. It supports automatic transitive routing between spokes (no custom UDRs needed), integrated Azure Firewall for centralized security inspection (via Firewall Manager), native ExpressRoute gateway integration, and global transit connectivity between hubs across regions. Managing 50 spokes with manual VNet peering and UDRs would be extremely complex. VPN site-to-site between hubs adds latency and management burden. Private Link is for accessing PaaS services privately, not inter-VNet routing. See more: Networking Strategy

Azure Front Door combines a global load balancer, WAF (Web Application Firewall) for protection against SQL injection, XSS, and bot attacks, built-in DDoS protection, and CDN capabilities for global content caching, all in one service. Application Gateway with WAF v2 provides WAF but is regional, not global, and does not include CDN. Load Balancer operates at Layer 4 and does not understand HTTP attacks. Traffic Manager is DNS-based and does not inspect traffic. See more: Networking Strategy

Azure Private Endpoints create a private IP address in your VNet for the PaaS service, making it accessible only from within the VNet. Private DNS Zones resolve the standard DNS names (e.g., mydb.database.windows.net) to the private IP address, so applications work without connection string changes. Service Endpoints keep traffic on the Azure backbone but the PaaS service still has a public IP. NSGs control traffic between subnets but do not affect PaaS connectivity. Azure Firewall can filter outbound traffic but does not make PaaS services private. See more: Networking Strategy