AZ-305 Designing Azure Infrastructure Solutions - Practice Test 3

Application Map in Application Insights provides a visual topology showing all components and their dependencies, request rates, and failure rates. It enables end-to-end correlation across multi-tier applications. Metrics Explorer (A) shows individual metrics. Alerts (B) trigger on conditions. Service Health (D) shows Azure platform issues. See more: Logging and Monitoring

Entitlement Management access packages allow you to define bundles of resources with specific access, automatic expiration, and approval workflows for external users. Conditional Access (A) controls sign-in policies. B2C (C) is for customer identity. Application Proxy (D) publishes on-premises apps. See more: Authentication and Authorization

Windows Hello for Business provides passwordless authentication using biometrics (fingerprint, facial recognition) or a PIN tied to the device. Password Protection (B) prevents weak passwords. Smart Lockout (C) prevents brute force. Identity Protection (D) detects risky sign-ins. See more: Design Authentication

Azure Policy with a deny effect at the management group scope prevents specific resource types from being created across all subscriptions within that management group. RBAC deny (A) is not user-configurable. Resource locks (B) prevent modification/deletion, not creation of new types. Conditional Access (C) controls sign-in. See more: Design Governance

A polyglot persistence approach uses the best database for each workload: Azure SQL Database for complex joins and ACID transactions, and Cosmos DB for flexible-schema document data. Using only Cosmos DB (A) sacrifices relational features. SQL alone (B) lacks flexible schema. Table Storage (D) lacks both. See more: Data Management Strategy

TDE with customer-managed keys (BYOK) stores the TDE protector in Azure Key Vault under the organization's control. Service-managed keys (A) are controlled by Microsoft. Always Encrypted (C) protects specific columns in use. Dynamic Data Masking (D) hides data from non-privileged users but doesn't encrypt. See more: Data Protection Strategy

Azure Monitor metric alerts can be configured on DTU percentage for Azure SQL Database, triggering notifications when the threshold is exceeded. Advisor (B) provides recommendations, not real-time alerts. Service Health (C) monitors Azure platform status. SQL Server Profiler (D) is an on-premises tool. See more: Monitoring Strategy for the Data Platform

Azure Site Recovery provides continuous replication with RPO as low as a few seconds and automated failover with RTO in minutes. Daily backups (A) have RPO of 24 hours. Scheduled image copy (B) does not meet 5-minute RPO. GRS disk storage (D) alone does not provide VM failover orchestration. See more: Site Recovery Strategy

Auto-failover groups provide automatic geo-failover with a read-write listener endpoint that automatically routes to the primary. Elastic pools (A) pool DTUs. Zone-redundant (C) survives zone failure, not region failure. Hyperscale (D) is a performance tier, not a failover mechanism. See more: High Availability

Archive tier offers the lowest storage cost for data that is rarely accessed and can tolerate retrieval latency of hours. It is ideal for long-term retention (7 years). Hot (A) and Cool (B) are more expensive. Cold (C) is cheaper than Cool but more expensive than Archive. See more: Data Archiving Strategy

Azure Container Apps provides serverless container hosting with per-service scaling, Dapr integration, and KEDA-based autoscaling, minimizing infrastructure management. VMSS (B) requires VM management. Batch (C) is for HPC jobs. Service Fabric (D) has more operational overhead. See more: Design Deployments

Azure Migrate: Discovery and Assessment discovers on-premises servers, assesses Azure readiness, provides right-sizing, and estimates costs before migration. Server Migration (A) is for the actual migration. Database Migration Service (B) is for databases. Cost Management (D) tracks existing Azure costs. See more: Design Migrations

Azure API Management provides a unified API gateway with rate limiting, OAuth2 validation, throttling, request/response transformation, and developer portal. Front Door (A) is global load balancing. Application Gateway (C) is Layer 7 LB without API policies. Traffic Manager (D) is DNS-based routing. See more: API Integration Strategy

Azure Blob Storage is optimized for storing massive amounts of unstructured data such as images, videos, and documents. Table Storage (B) is for structured NoSQL data. Queue Storage (C) is for messaging. Azure Files (D) is for SMB file shares. See more: Storage Strategy

Azure Batch with low-priority VMs provides massive parallel compute at significantly reduced cost (up to 80% discount). VMs are provisioned only when needed. App Service (A) is not for HPC. AKS reserved (B) pays for always-on capacity. Permanent VMs (C) waste resources. See more: Compute Strategy

Global VNet peering connects VNets across Azure regions using the Microsoft backbone network with low latency and high bandwidth. VPN Gateway (A) encrypts traffic but adds latency. CDN (B) is for static content. DNS private zones (D) resolve names, not route traffic. See more: Networking Strategy

Azure Monitor Agent (AMA) collects logs from both Azure and on-premises servers into Log Analytics. Microsoft Sentinel then uses the Log Analytics data for SIEM/SOAR threat detection and investigation. Advisor (A) gives recommendations. App Insights SDK (C) is for application telemetry. Traffic Analytics (D) is network-focused. See more: Logging and Monitoring

Cloud Sync uses lightweight provisioning agents that don't require a dedicated server, supporting multiple disconnected AD forests. Device writeback (B), Exchange hybrid (C), and ADFS federation (D) are currently only supported by the classic Azure AD Connect. See more: Design Authentication

A Conditional Access policy targeting the Microsoft Azure Management cloud app with MFA as a grant control enforces MFA for all Azure portal access, regardless of device or network. Per-user MFA (A) lacks granular control. Identity Protection (B) is risk-based. PIM (C) controls role activation. See more: Design Authorization

Template Specs are versioned ARM templates stored in Azure that can be shared via RBAC. Teams can deploy them without access to the underlying template code. Blueprints (A) are being deprecated. Pipeline templates (B) require Azure DevOps. Linked templates (D) require storage account management. See more: Design Governance

Azure Cache for Redis provides sub-millisecond latency in-memory data store ideal for high-throughput key-value lookups. SQL Hyperscale (A) has higher latency. Cosmos DB (C) provides single-digit millisecond, not sub-millisecond. PostgreSQL (D) is not designed for this throughput pattern. See more: Data Management Strategy

A ReadOnly lock prevents both deletion and modification of the resource. A Delete lock (B) only prevents deletion but allows modifications. Azure Policy (C) prevents non-compliant deployments. RBAC deny (D) is not user-configurable. See more: Data Protection Strategy

Tiering DR strategies matches the protection level to the RPO requirement: ASR for near-zero RPO workloads (continuous replication) and Azure Backup for 24-hour RPO workloads (daily backups). Uniform approaches (A, B, C) over-spend on non-critical workloads. See more: Site Recovery Strategy

Standard Load Balancer supports zone-redundant frontend IPs and can distribute traffic across VMs in multiple availability zones. Basic LB (A) does not support zones. Application Gateway v1 (B) does not support zones. Traffic Manager (D) is DNS-level, not zone-aware LB. See more: High Availability

Blob Storage lifecycle management policies define rules to automatically transition blobs between tiers and delete them based on age. Logic Apps (A), Automation (C), and Functions (D) would work but require custom development and maintenance. See more: Data Archiving Strategy

Bicep is a declarative, type-safe domain-specific language that compiles to ARM templates. It provides modularity, IntelliSense, and simpler syntax. Azure CLI (B) and PowerShell (C) are imperative. Terraform (D) is multi-cloud but not native ARM. See more: Design Deployments

Azure SQL Managed Instance has near 100% compatibility with on-premises SQL Server, supporting CLR assemblies, cross-database queries, linked servers, and SQL Agent. SQL Database (A) doesn't support CLR. PostgreSQL (B) and Cosmos DB (C) are different engines. See more: Design Migrations

rate-limit-by-key limits the call rate per specified key (e.g., subscription key) within a time window. ip-filter (A) restricts by IP address. quota-by-key (B) limits total calls over a longer period. validate-jwt (D) validates tokens. See more: API Integration Strategy

ZRS replicates data synchronously across three availability zones in the primary region. LRS (A) replicates within a single datacenter. GRS (C) adds geo-redundancy but uses LRS locally. RA-GZRS (D) adds both zone and geo redundancy with read access. See more: Storage Strategy

Azure Virtual Desktop (formerly Windows Virtual Desktop) provides Windows 11 multi-session with Office 365, load balancing, FSLogix user profiles, and simplified management. Individual VMs with RDP (B) don't scale. App Service (C) is for web apps. ACI (D) is for containers. See more: Compute Strategy

Microsoft Entra Application Proxy uses connectors that make outbound connections only (no inbound ports), securely publishing on-premises web apps to external users via Entra ID. ExpressRoute (A) is private connectivity. Front Door (B) requires public endpoints. Firewall (C) is for network security. See more: Networking Strategy

The Perf table in Log Analytics stores performance counter data from VMs, including CPU, memory, disk, and network metrics. AzureActivity (A) logs management operations. SecurityEvent (B) logs security events. Heartbeat (D) shows connectivity status only. See more: Logging and Monitoring

A multi-tenant app registration allows users from any Azure AD tenant to sign in. Single-tenant (A) only allows one tenant. B2C (C) is for consumer identity. Personal accounts (D) don't support organizational identities. See more: Design Authentication

Defender for Cloud JIT VM access locks down management ports using NSG rules and opens them temporarily on user request with approval workflows. Bastion (B) provides secure RDP/SSH but doesn't close ports dynamically. Firewall (C) is general network security. NSG flow logs (D) monitor traffic. See more: Design Authorization

Cosmos DB supports customer-managed keys stored in Azure Key Vault, giving your organization control over the encryption key lifecycle including rotation. Service-managed (A) is Microsoft-controlled. Client-side (B) adds complexity. Disk Encryption (C) is for VM disks. See more: Data Protection Strategy

Azure Policy tracks compliance across subscriptions and Azure Monitor can alert on policy state change events. App Insights (A) is for application monitoring. Advisor (B) gives recommendations. Security Center free (D) provides basic posture but not custom compliance alerting. See more: Monitoring Strategy for the Data Platform

Azure paired regions provide geographical separation within the same geography, aligned with data residency boundaries, and prioritized recovery during widespread outages. Different continent (A) adds too much latency. Same region zones (C) won't survive region failure. ASR doesn't auto-select (D). See more: Site Recovery Strategy

Premium SSD with a zone-redundant deployment (VM in availability zones) provides the 99.99% SLA for a single VM. Standard HDD (B) gets 99.5% SLA. Availability sets (C) get 99.95%. Ultra Disk without redundancy (D) gets lower SLA. See more: High Availability

DTU tiers are differentiated primarily by IO throughput, number of concurrent sessions/requests, and maximum database size. Premium provides the highest IO performance. Number of tables (A), backup size (B), and portal visuals (C) are not tier-selection criteria. See more: Data Management Strategy

Azure Policy with deny effect at management group scope proactively prevents non-compliant storage accounts from being created or modified. Emails (A) are not enforceable. Scripts (B) are reactive. Advisor (D) only recommends, doesn't enforce. See more: Design Governance

Microsoft Defender for SQL includes Advanced Threat Protection (detecting anomalous activities including data exfiltration) and data discovery and classification for sensitive data labeling. Auditing (A) logs but doesn't alert on threats. TDE (C) encrypts at rest. DDM (D) masks display data. See more: Data Protection Strategy

Deployment slots allow you to deploy to a staging slot, warm it up, then swap with production instantly. Rollback is as simple as swapping back. GitHub deployment (B) doesn't provide instant swap. Azure DevOps (C) orchestrates but relies on slots for zero-downtime. FTP (D) causes downtime. See more: Design Deployments

Azure Front Door provides global load balancing with latency-based routing, automatic failover, and Layer 7 features. Traffic Manager (C) also routes by performance but operates at DNS level with slower failover. Load Balancer (A) is regional L4. Application Gateway (B) is regional L7. See more: Networking Strategy

Contributor allows full resource management but cannot assign roles (no Microsoft.Authorization/*/Write). Owner (A) includes role assignment. Reader (B) is read-only. User Access Administrator (D) can only manage role assignments. See more: Authentication and Authorization

Azure Synapse Analytics provides dedicated and serverless SQL pools, Spark integration, petabyte-scale analytics, and T-SQL compatibility in a unified platform. SQL Hyperscale (A) is OLTP. Data Factory (C) is ETL. HDInsight (D) is open-source analytics without native T-SQL. See more: Data Management Strategy

Azure Event Hubs is designed for high-throughput real-time data ingestion from IoT devices with millions of events per second, supporting message routing and multiple consumers. Service Bus (B) is for enterprise messaging. Blob Storage (C) is not real-time. Queue Storage (D) has limited throughput. See more: Storage Strategy

Azure Machine Learning compute clusters with auto-scale (min 0 nodes) scale down to zero when idle, paying only for the hours used. Reserved VMs (A) pay 24/7. App Service (B) doesn't support GPU. Functions (D) doesn't support GPU workloads. See more: Compute Strategy

Azure ExpressRoute provides a private, dedicated connection between on-premises infrastructure and Azure with predictable latency, higher bandwidth, and no public internet traversal. Site-to-site VPN (A) goes over the internet. Point-to-site (C) is for individual devices. CDN (D) caches content. See more: Networking Strategy

Immutable blob storage with a locked time-based retention policy provides WORM (Write Once Read Many) compliance. Once locked, data cannot be modified or deleted until the retention period expires. Soft delete (A) allows recovery but not immutability. Versioning (B) tracks changes. Backup (C) is for recovery. See more: Data Archiving Strategy

Management groups provide hierarchical organization above subscriptions, enabling centralized policy and RBAC governance while allowing business units to manage their own subscriptions. Single subscription (A) limits isolation. Separate tenants (B) adds complexity. Resource groups (D) are below subscriptions. See more: Design Migrations