AZ-305 Designing Azure Infrastructure Solutions - Practice Test 2

Application Insights with distributed tracing provides end-to-end correlation across microservices using correlation IDs. It natively supports latency percentile tracking (P50, P95, P99), automatic dependency mapping, and alert rules based on error rate thresholds. While Log Analytics can query logs, Application Insights is purpose-built for application performance monitoring (APM) scenarios and integrates seamlessly with AKS through the OpenTelemetry collector. See more: Logging and Monitoring

Azure AD B2B collaboration allows you to invite external users who authenticate using their own organization's Azure AD credentials. This eliminates the need to create and manage separate accounts. B2B supports self-service sign-up, access reviews, and conditional access policies for guest users. B2C is designed for consumer-facing applications, not business partner scenarios. See more: Authentication and Authorization

Azure AD B2C is designed for consumer-facing applications with millions of external users. It supports custom user flows for multi-step registration, API connectors for custom validation (such as patient ID verification), and custom branding. B2C can scale to millions of users and supports social and local account sign-up. Azure AD B2B is for business partner collaboration, not consumer-facing scenarios. See more: Design Authentication

Azure AD dynamic groups automatically add and remove members based on attribute rules such as department. By assigning RBAC roles (e.g., Storage Blob Data Reader) to these dynamic groups on the appropriate storage containers, new employees automatically inherit the correct permissions when their department attribute is set. This approach is scalable, auditable, and follows least-privilege principles without manual intervention. See more: Design Authorization

Azure Policy with a Deny effect evaluates resource properties at deployment time and blocks deployments that do not meet the defined rules. You can create a policy that requires specific tags (like cost center) and assign it across multiple subscriptions via a management group. This is the most direct and reliable way to enforce tag compliance. Azure Blueprints can include policies but is being deprecated in favor of direct policy management. See more: Design Governance

Azure Cache for Redis is ideal for caching frequently read, infrequently updated data like a product catalog. A read-through or cache-aside pattern offloads 20x read spikes from the database to the cache layer, which can handle millions of requests per second with sub-millisecond latency. This is more cost-effective than scaling the database, and the data refresh frequency (few times per day) aligns well with cache invalidation patterns. See more: Data Management Strategy

Customer-managed keys (CMK) stored in Azure Key Vault allow the agency to maintain full control over encryption keys. With purge protection enabled, keys cannot be permanently deleted prematurely. The agency can revoke access to encrypted data at any time by disabling or deleting the key in Key Vault, which immediately renders the blob data inaccessible. This meets the requirement for sole key management while leveraging Azure's encryption infrastructure. See more: Data Protection Strategy

Azure Stream Analytics provides real-time processing of telemetry streams and has built-in anomaly detection capabilities using machine learning models. Azure Data Explorer (ADX) is optimized for large-scale time-series data ingestion and analysis, making it ideal for long-term storage of IoT telemetry and powering historical trend dashboards with near-instant query response times. Azure Event Grid is event-driven (not suitable for high-volume telemetry streaming), and Azure Monitor Metrics has retention limits that make it unsuitable for long-term IoT data storage. See more: Monitoring Data Platform

Azure Site Recovery (ASR) provides continuous replication of Azure VMs to a secondary region with an RPO (Recovery Point Objective) of typically seconds to minutes, meeting the 5-minute data loss requirement. ASR supports automated failover with recovery plans that can bring systems online within the 30-minute RTO (Recovery Time Objective). Azure Backup is designed for data protection, not rapid failover. Hourly snapshots would exceed the 5-minute RPO requirement. See more: Site Recovery Strategy

Enabling zone redundancy on the App Service plan distributes instances across multiple Availability Zones within a region. This ensures that if a single datacenter (zone) fails, the application continues to run on instances in other zones. This is the simplest approach as it requires only a configuration change on the App Service plan. Deploying to a single zone would not protect against datacenter failure. See more: High Availability

Lifecycle management policies can automatically transition blobs between tiers based on age. Moving to Cool tier after 90 days reduces costs for infrequently accessed data while keeping retrieval within hours. Moving to Archive tier after 2 years provides the lowest storage cost, and the Archive tier rehydration time (up to 15 hours for standard priority) fits within the 48-hour retrieval window. Moving directly to Archive after 90 days would not meet the 12-hour retrieval requirement for videos between 90 days and 2 years. See more: Data Archiving Strategy

App Service deployment slots support traffic routing, allowing you to direct a configurable percentage of production traffic to a staging slot. This enables canary testing with real production traffic. If issues are detected, you can instantly route 100% traffic back to the production slot (rollback) or proceed with a slot swap to promote the new version. This is the most integrated and cost-effective approach for App Service deployments. See more: Design Deployments

Azure Database Migration Service (DMS) supports online (minimal downtime) migration of SQL Server databases to Azure SQL. Combined with Azure Migrate, it provides compatibility assessment to identify issues before migration begins. DMS handles the continuous data sync during migration, reducing cutover time to minutes. BACPAC export/import requires downtime proportional to database size, making it impractical for large databases. Data Factory is not designed for schema-aware database migration. See more: Design Migrations

Azure API Management (APIM) is purpose-built as an API gateway that provides a single entry point for backend APIs. It natively supports rate limiting (throttling policies), request/response transformation via policies, API versioning and revision management, developer portal for documentation, and analytics. Application Gateway and Front Door are load balancers/CDNs that lack API-specific management features like payload transformation and versioning. See more: API Integration Strategy

For simple key-value pair access with 100,000 reads per second and single-digit millisecond latency requirements, Azure Cache for Redis is the optimal choice. Redis is an in-memory data store designed exactly for this access pattern - high-throughput key-value reads with sub-millisecond latency. With data persistence enabled, it also handles durability. While Cosmos DB also offers low latency, Redis is more cost-effective for pure key-value workloads at this scale. See more: Storage Strategy

Azure Batch is designed specifically for large-scale parallel batch processing workloads. It provides automatic scheduling of tasks across a managed pool of compute nodes, supports auto-scaling based on workload size (handling 500 to 50,000 files), and offers low-priority (Spot) nodes at up to 80% discount. Azure Functions has a 5-minute default timeout on Consumption plans and is not ideal for compute-intensive image processing. Azure Batch handles job orchestration, retry logic, and node management automatically. See more: Compute Strategy

Since the company already has an ExpressRoute circuit, using ExpressRoute private peering provides a dedicated, encrypted private connection between the Azure VNet and on-premises network. By enabling VNet integration on the web application (App Service), the app can route traffic through the VNet and reach the on-premises Oracle database via ExpressRoute without exposing it to the public internet. This is the most straightforward and performant approach given the existing infrastructure. See more: Networking Strategy

This architecture addresses all three requirements cost-effectively. Log Analytics provides 30-day interactive retention for the development team's debugging needs. Microsoft Sentinel running on top of the security log data provides real-time threat detection with analytics rules. Archiving all logs to immutable blob storage (with WORM policies) satisfies the 7-year tamper-proof retention requirement at the lowest cost tier. A single Log Analytics workspace with 7-year retention would be extremely expensive at 500 GB/day. See more: Logging and Monitoring

Conditional Access is the zero-trust policy engine that evaluates multiple signals (device compliance, location, risk level) to make access decisions. However, the real-time risk assessment (low/medium risk levels) is provided by Azure AD Identity Protection, which feeds risk signals into Conditional Access policies. Together, they enforce the zero-trust model: Identity Protection detects risk in real time, and Conditional Access enforces the access decision based on all conditions. PIM manages privileged roles but does not evaluate device compliance or location. See more: Authentication and Authorization

Azure AD B2C with Identity Experience Framework (IEF) custom policies supports dynamic identity provider discovery, where new IdPs can be configured through metadata without code changes. IEF custom policies allow complex authentication orchestration including tenant isolation by routing users to the correct IdP based on their email domain. This is the foundation for enterprise-grade SaaS multi-tenancy. The standard B2C user flows (option A) lack dynamic IdP discovery, while multi-tenant Azure AD does not support non-Azure AD identity providers natively. See more: Design Authentication

The Virtual Machine Contributor built-in role grants permissions to manage virtual machines but does not grant permissions to manage virtual networks, storage accounts, or other resources not directly part of the VM resource. This follows the principle of least privilege by providing only the permissions needed for VM administration. Using broader roles like Contributor or Owner and then trying to restrict them adds unnecessary complexity. See more: Design Authorization

The built-in Azure Policy "Allowed locations" restricts which Azure regions resources can be deployed to. By assigning this policy at the management group level, it is inherited by all 15 subscriptions, ensuring consistent enforcement across all business units. This is the standard approach for data residency compliance. RBAC controls who can do what, not where resources are deployed. Subscription defaults do not prevent deployment to other regions. See more: Design Governance

This design matches each service to its optimal use case. Azure Cosmos DB with session consistency is ideal for the read-heavy, eventually consistent product catalog with global distribution. Azure Cache for Redis provides sub-millisecond latency for user session data (key-value access pattern). Azure SQL Database provides full ACID compliance and strong consistency required for financial transactions. Using Cosmos DB with strong consistency for financial transactions sacrifices its distributed performance advantages and may not meet all ACID requirements that SQL provides natively. See more: Data Management Strategy

Always Encrypted ensures that sensitive data is encrypted at the column level, and the encryption keys are managed by the application, not the database server. This means database administrators (who have server-level access) can perform management tasks but cannot decrypt the actual column data because they do not possess the column master key. TDE encrypts data at rest but does not prevent DBAs from reading data. Dynamic Data Masking can be bypassed by users with certain permissions. See more: Data Protection Strategy

Azure Managed Grafana integrates natively with Azure Monitor and supports data sources from on-premises (via Prometheus, InfluxDB) and third-party SaaS applications through its extensive plugin ecosystem. Grafana provides advanced custom visualizations, team-based dashboards with folder permissions, and role-based access control. Azure Monitor workbooks are limited to Azure data sources, Power BI is more suited for business analytics, and Azure Dashboards have limited customization capabilities. See more: Monitoring Data Platform

Azure Front Door performs health-based routing and can fail over instantly (no DNS TTL dependency) because it acts as a reverse proxy - client connections go to Front Door, which routes to healthy backends. Azure Container Registry (ACR) geo-replication automatically syncs container images across regions, ensuring the secondary AKS cluster always has access to the latest images. Traffic Manager relies on DNS TTL for failover (causing the 15-minute delay), and ASR does not support AKS natively. See more: Site Recovery Strategy

To achieve 99.995% availability and protect against both zone-level and region-level failures, you need both zone redundancy (protects against datacenter failures within a region) and a failover group (protects against entire region outages). The Business Critical tier with zone redundancy provides an SLA of 99.995%. The auto-failover group adds automatic geo-failover capability with a read-write listener endpoint that automatically routes to the current primary, minimizing application changes during failover. See more: High Availability

Immutable blob storage with time-based retention policies ensures documents cannot be modified or deleted for the specified 10-year period, meeting legal compliance requirements (WORM - Write Once, Read Many). Lifecycle management policies then automatically transition documents to the Archive tier after 3 years when they are rarely accessed, significantly reducing storage costs. The combination of immutability and lifecycle management provides both compliance and cost optimization. See more: Data Archiving Strategy

Flagger is a progressive delivery operator for Kubernetes that automates the entire canary deployment lifecycle. It integrates with Application Insights to query real-time metrics (error rates, latency), automatically shifts traffic to the canary in increments, and promotes or rolls back based on configurable metric thresholds without manual intervention. Standard Kubernetes rolling updates do not support metric-based automated rollback, and manual approval gates contradict the requirement for automated promotion/rollback. See more: Design Deployments

Azure Migrate provides a centralized hub for discovering, assessing, and migrating on-premises workloads to Azure. The discovery and assessment tool automatically discovers VMware VMs, collects performance data (CPU, memory, disk, network), evaluates Azure readiness, provides right-sizing recommendations based on actual utilization, and generates cost estimates. The TCO Calculator provides cost estimates but not readiness assessment. Azure Advisor only works for resources already in Azure. See more: Design Migrations

Azure Service Bus Topics implement the publish-subscribe pattern where a single message (order placed event) is delivered to multiple subscriptions (inventory, email, analytics). Each subscription operates independently, so a failure in one does not affect others. Azure Functions triggered by each subscription process events independently with built-in retry logic and dead-letter queue support. Queue Storage is point-to-point (one consumer per message). A sequential Logic Apps workflow would mean one system failure blocks the others. See more: API Integration Strategy

Azure Blob Storage is purpose-built for storing large amounts of unstructured data (images, videos, documents). It integrates natively with Azure CDN for content delivery, supports HTTP-based access for web applications, and can scale to petabytes. The Hot tier is appropriate when files are frequently accessed (served to users). Azure Files is for file share scenarios (SMB/NFS), Managed Disks are for VM storage, and Table Storage is for structured NoSQL data. See more: Storage Strategy

Azure Functions on a Premium plan supports execution durations up to 60 minutes (handling 30-90 second processing), provides pre-warmed instances for fast scale-out during bursts, and scales to zero during quiet periods (you pay only for active instances). The storage queue trigger provides reliable message-based processing with automatic retry. The Consumption plan has a 5-minute default timeout. App Service always incurs costs even during quiet periods. VMSS lacks the serverless pay-per-use model. See more: Compute Strategy

Azure Virtual WAN with secured hubs provides a managed hub infrastructure that automatically handles routing between spokes, regions, and on-premises via ExpressRoute. Azure Firewall Manager enables centralized security policy across all hubs. The routing intent feature automatically programs routes to direct inter-spoke and internet-bound traffic through Azure Firewall without manually managing UDRs. This addresses the routing complexity issue that makes traditional hub-and-spoke unmanageable at scale with 20+ VNets across 4 regions. See more: Networking Strategy

Azure Monitor Container Insights provides native monitoring for AKS including pod state changes and node metrics. Metric alerts can detect conditions like CrashLoopBackOff within minutes. Action groups support webhook actions that integrate with both Slack (incoming webhooks) and PagerDuty (Events API). This provides a fully managed solution without the operational overhead of running self-managed Prometheus infrastructure. The 2-minute alerting requirement is met by near-real-time metric alerts. See more: Logging and Monitoring

System-assigned managed identities eliminate the need for any stored credentials. Azure automatically manages the identity lifecycle, handles token acquisition and rotation, and the credentials never appear in code or configuration files. You assign RBAC roles to the managed identity for each target resource (Key Vault access policies, Storage Blob Data roles, SQL Database user). This fully satisfies the security mandate to eliminate stored credentials. Key Vault still requires credentials to access it initially, and client secrets are still stored credentials. See more: Authentication and Authorization

Conditional Access provides the granular policy engine needed for this scenario. Named locations define the corporate network (by IP ranges), allowing policies to require MFA only when users are outside the trusted network. Authentication strengths can define different MFA requirements. A separate policy targeting the contractors group enforces full MFA regardless of location. Per-user MFA is a legacy approach that lacks the granularity of location-based and group-based conditions. See more: Design Authentication

Azure AD Privileged Identity Management (PIM) addresses all four requirements: 1) Just-in-time activation requires administrators to request time-limited access with a business justification, 2) Eligible role assignments eliminate standing access (roles are not active until explicitly activated), 3) Approval workflows can be configured to require security team member approval before activation, 4) Break-glass (emergency access) accounts are dedicated accounts excluded from PIM and Conditional Access, providing access when the approval workflow or PIM is unavailable. See more: Design Authorization

Azure Arc extends Azure management and governance to resources running outside of Azure, including AWS. With Azure Arc, you can apply Azure Policy to AWS resources, manage resource inventory through a single pane of glass, and enforce compliance across both clouds. While Defender for Cloud provides security posture management across clouds and Cost Management handles cost analysis, Azure Arc provides the broadest governance capability for multi-cloud resource management with policy enforcement. See more: Design Governance

Azure Synapse Analytics workspaces per hospital provide logical data isolation. Each workspace can use hospital-specific customer-managed keys (CMKs) for encryption at rest. Workspaces can be deployed in country-specific regions for data residency. Synapse serverless SQL pools can query across workspaces and storage accounts for aggregate analytics without copying data. This architecture provides isolation, per-hospital encryption, data residency, and cross-hospital analytics capabilities. See more: Data Management Strategy

Tokenization replaces sensitive card data with non-reversible tokens throughout the application stack - in databases, logs, and traces. The actual payment card data is stored only in the Azure Payment HSM, which is a FIPS 140-2 Level 3 certified hardware security module. Even if the application database, logs, or traces are breached, the tokens are meaningless without access to the HSM's detokenization capability. This is the gold standard for PCI DSS compliance as it reduces the PCI scope of the entire application. See more: Data Protection Strategy

Azure Cost Management allows you to create budgets for subscriptions and configure alert conditions at specified thresholds (such as 80% of the budget). When spending reaches the threshold, email notifications are automatically sent to configured recipients. This is the purpose-built feature for cost monitoring and budget alerts. Azure Monitor alerts do not directly track billing, and Advisor provides optimization recommendations rather than budget threshold notifications. See more: Monitoring Data Platform

For SAP HANA disaster recovery, the recommended approach is HANA System Replication (HSR) in asynchronous mode for cross-region database replication, as it provides database-aware replication with minimal RPO. Azure Site Recovery handles the application tier VMs. ASR alone is not recommended for HANA database VMs because it performs block-level replication that may not ensure database consistency for an 8 TB in-memory database. Azure Backup's restore time for 8 TB would exceed the 4-hour RTO. ZRS only provides zone redundancy, not region redundancy. See more: Site Recovery Strategy

Achieving 99.999% uptime (approximately 5 minutes of downtime per year) requires active-active multi-region deployment where all regions simultaneously serve traffic. Azure Front Door provides instant failover without DNS propagation delay. Azure Cosmos DB with multi-region writes eliminates the database as a single point of failure - writes can continue in any region during a regional outage. Active-passive adds failover delay that erodes the SLA, and single-region cannot survive a regional failure. Note: Cosmos DB multi-region writes use multi-master replication with conflict resolution, which is compatible with bounded staleness or session consistency for this pattern. See more: High Availability

Azure SQL long-term retention (LTR) allows you to retain full database backups for up to 10 years in Azure Blob Storage. LTR policies let you configure weekly, monthly, and yearly backup retention schedules. The backups are automatically stored in cost-effective storage and can be used to restore a database to any point covered by the LTR policy. Short-term retention only supports up to 35 days, which does not meet the 5-year requirement. See more: Data Archiving Strategy

Bicep is the recommended Infrastructure as Code (IaC) language for Azure that compiles to ARM templates. Storing Bicep files in Git provides source control and change tracking. Environment-specific parameter files allow the same templates to deploy to dev, staging, and production with appropriate settings. CI/CD pipelines ensure repeatable deployments. Bicep deployments are idempotent by design - deploying the same template multiple times produces the same result. CLI scripts are imperative and not inherently idempotent. See more: Design Deployments

Azure App Service on Windows supports .NET Framework applications with Windows-specific features like Registry access and COM components. This is a PaaS migration that requires minimal code changes (rehost/lift-and-shift) while eliminating infrastructure management. Linux-based services cannot support Windows-specific features. AKS with Windows nodes adds unnecessary complexity for a straightforward web application migration. Azure Functions is designed for event-driven workloads, not traditional web applications. See more: Design Migrations

Azure API Management provides all required capabilities: OAuth 2.0 authentication through policies, a built-in developer portal with interactive API documentation (based on OpenAPI specs), product-level quotas and rate limiting per subscription key, and self-service developer registration. Developers can sign up on the portal, browse API documentation, obtain subscription keys, and test APIs interactively. No other Azure service provides this complete API management lifecycle. See more: API Integration Strategy

Azure Data Lake Storage Gen2 (ADLS Gen2) combines Azure Blob Storage scalability with a hierarchical namespace (file system semantics). The hierarchical namespace enables POSIX-style ACLs at the folder and file level, which is critical for Hadoop-compatible ETL pipelines. ADLS Gen2 integrates with Azure Synapse for both Spark-based batch processing and serverless SQL queries over Parquet, CSV, and JSON files. Standard Blob Storage does not support hierarchical namespace or POSIX ACLs, making fine-grained access control at the file level impractical. See more: Storage Strategy

Azure Application Gateway supports multi-site listeners that route traffic based on the host header (custom domain per tenant). Each listener can have its own WAF policy for per-tenant traffic inspection and filtering, and path-based routing rules can direct tenant traffic to specific backends. This provides network-level tenant isolation without requiring separate App Service deployments. Azure Load Balancer operates at Layer 4 and cannot inspect HTTP headers or host names. Traffic Manager is DNS-based and does not provide traffic inspection. See more: Networking Strategy