AZ-305 Practice Test 4 | Designing Azure Infrastructure Solutions | JavaInUse

AZ-305 Designing Azure Infrastructure Solutions - Practice Test 4

Question 1 - MEDIUM
You need to implement distributed tracing across microservices deployed in Azure Kubernetes Service. Performance bottlenecks should be identified across service boundaries. Which feature should you configure?
Application Insights with distributed tracing correlates requests across microservice boundaries, showing end-to-end transaction views and identifying bottlenecks. Container Insights (A) monitors infrastructure. Workbooks (B) are dashboards. Network Watcher (C) monitors network connectivity. See more: Logging and Monitoring
Question 2 - MEDIUM
You need to allow external partner organizations to collaborate on resources in your Azure AD tenant. Partners should use their own organizational credentials and MFA policies. Which feature enables this?
Azure AD B2B collaboration allows external users to access your resources using their own organizational identity and MFA. B2C (B) is for consumer applications. Domain Services (C) provides legacy AD features. Pass-through auth (D) is for on-prem to Azure AD sync. See more: Authentication and Authorization
Question 3 - MEDIUM
You are implementing certificate-based authentication for a web API. Client certificates must be validated against a trusted CA. Where should you configure certificate validation for Azure App Service?
App Service TLS/SSL settings allow enabling client certificate (mutual TLS/mTLS) authentication, requiring clients to present certificates validated against trusted CAs. Front Door WAF (A) filters HTTP threats. Key Vault (B) stores certificates. APIM (D) adds an extra layer. See more: Design Authentication
Question 4 - MEDIUM
You need to implement Privileged Identity Management (PIM) for Azure AD roles. Administrators should receive time-limited role activations with justification and approval. Which PIM setting controls the maximum activation duration?
PIM role settings include activation maximum duration (in hours), which controls how long a role remains active after activation. Notification settings (A) control alerts. Access reviews (C) check for stale assignments. Conditional Access (D) controls sign-in conditions. See more: Design Authorization
Question 5 - MEDIUM
You need to enforce consistent resource naming conventions and tag requirements across your Azure environment. Which governance tool should you use?
Azure Policy can enforce naming conventions (using pattern matching) and require specific tags on resources. Non-compliant resources are denied at deployment. Administrative Units (A) organize Azure AD. ARM templates (B) define infrastructure. Cost Management (C) tracks spending. See more: Design Governance
Question 6 - HARD
You are designing a globally distributed application. The database must support multi-region writes with strong consistency at the session level. Latency must be under 10ms for reads and writes in each region. Which database should you recommend?
Cosmos DB supports multi-region writes with guaranteed single-digit millisecond latency and configurable consistency levels including session consistency. Azure SQL (A) supports active geo-replication but not multi-write. MySQL replicas (B) are read-only. Managed Instance (D) has single-write primary. See more: Data Management Strategy
Question 7 - MEDIUM
You need to classify and label sensitive data across Azure SQL databases, Azure Storage, and Azure Data Lake. The classification should align with Microsoft Information Protection labels. Which service should you use?
Microsoft Purview Data Map provides unified data governance with automatic data discovery, classification, and labeling across multiple Azure data sources using MIP sensitivity labels. AIP client (A) is for Office documents. Security Center (C) focuses on security posture. Monitor (D) is for telemetry. See more: Data Protection Strategy
Question 8 - MEDIUM
You need to monitor the availability of a web application from multiple geographic locations and receive alerts when it becomes unreachable. Which Application Insights feature should you configure?
Availability tests send HTTP requests from multiple Azure datacenters worldwide and alert when responses fail or exceed latency thresholds. Live Metrics (B) shows real-time data. Smart Detection (C) identifies anomalies. Usage Analytics (D) tracks user behavior. See more: Monitoring Strategy for the Data Platform
Question 9 - MEDIUM
You are designing a disaster recovery plan. The business requires that recovery plans be tested quarterly without impacting production systems. Which ASR feature supports this?
Test failover in ASR creates VMs in an isolated virtual network for DR testing without affecting production replication or systems. Planned failover (A) actually switches production. Forced failover (B) is for emergencies. Reprotect (C) reverses replication direction after failover. See more: Site Recovery Strategy
Question 10 - EASY
You are designing a solution that requires 99.99% uptime for a web application. The application is stateless and runs on Azure App Service. What is the minimum configuration required?
99.99% uptime requires multi-region deployment with global load balancing. A single region App Service SLA is 99.95% maximum. Azure Front Door distributes traffic and fails over between regions. Free tier (A) has no SLA. Single Standard (B) maxes at 99.95%. Basic (D) doesn't support zones. See more: High Availability
Question 11 - MEDIUM
You need to implement immutable infrastructure deployments where every change creates a new, fully provisioned environment rather than updating existing resources. Which deployment pattern best describes this approach?
Blue-green deployment creates an entirely new environment (green) alongside the current one (blue), then switches traffic. The old environment is destroyed afterward. Rolling updates (A) modify in place. Canary (C) routes partial traffic. Feature flags (D) toggle code paths. See more: Design Deployments
Question 12 - MEDIUM
Your organization is migrating a large on-premises Hadoop cluster to Azure. The existing workloads use Hive, Spark, and HDFS. Which Azure service provides the most compatible lift-and-shift migration path?
Azure HDInsight provides managed clusters of Apache Hadoop, Spark, Hive, and other open-source frameworks, making it the closest lift-and-shift path. Databricks (B) is Spark-optimized but not Hadoop-compatible. Data Factory (C) is ETL. Stream Analytics (D) is for real-time streaming. See more: Design Migrations
Question 13 - MEDIUM
You need to decouple components of a distributed application. Messages must be processed exactly once and in FIFO order. Which messaging service supports this?
Azure Service Bus queues with sessions provide FIFO ordering and at-most-once/exactly-once processing semantics. Event Grid (A) is event-driven routing. Event Hubs (B) is for streaming telemetry. Queue Storage (C) doesn't guarantee FIFO or exactly-once. See more: API Integration Strategy
Question 14 - MEDIUM
You need to provide shared file storage accessible by multiple Azure VMs simultaneously via SMB protocol. The solution must support identity-based authentication with Azure AD. Which service should you use?
Azure Files provides SMB file shares with Azure AD DS identity-based authentication for seamless access from domain-joined VMs. Blob NFS (A) uses NFS, not SMB. Managed Disks (B) are single-VM. NetApp Files (C) supports SMB but uses AD, not native Azure AD integration. See more: Storage Strategy
Question 15 - MEDIUM
You are designing a compute solution for a web API that experiences unpredictable traffic spikes. The solution should automatically scale to zero when idle and charge only for actual execution time. Which compute service should you use?
Azure Functions Consumption plan scales to zero, charges per execution, and handles unpredictable traffic automatically. App Service Standard (A) always has a running instance. VMSS (C) has minimum instance counts. AKS (D) requires always-running nodes. See more: Compute Strategy
Question 16 - MEDIUM
You need to inspect and filter outbound traffic from Azure VMs to the internet, blocking access to malicious domains while allowing business-required sites. Which service should you deploy?
Azure Firewall provides FQDN-based filtering for outbound traffic, threat intelligence-based filtering, and TLS inspection. NSGs (B) filter by IP/port only, not domain. DDoS (C) protects inbound. Private Link (D) provides private connectivity to services. See more: Networking Strategy
Question 17 - MEDIUM
You need to create an alert that fires when the average response time of your web application exceeds 3 seconds for 5 consecutive minutes. Which alert type and configuration should you use?
A metric alert with a static threshold monitors the response time metric, evaluating every minute with a 5-minute aggregation window. Activity log alerts (A) detect management operations. Service Health (B) monitors Azure platform. Log alerts (D) work but are more complex for this scenario. See more: Logging and Monitoring
Question 18 - HARD
You are designing FIDO2 security key authentication for privileged administrators. The keys must work across multiple devices and not be tied to a specific machine. Which authentication method should you implement?
FIDO2 security keys are portable, roaming authenticators that work across multiple devices without being tied to a specific machine. Windows Hello TPM (A) is device-specific. Authenticator push (C) requires a phone. SMS (D) is less secure and device-dependent. See more: Design Authentication
Question 19 - MEDIUM
You need to implement Azure AD access reviews to periodically verify that group memberships and role assignments are still appropriate. Which stakeholder should typically be configured as the reviewer?
Resource owners or direct managers have the best context to determine whether access is still needed. Subscription owners (B) may not know individual access needs. Microsoft support (C) doesn't review access. Global Admin (D) creates a bottleneck and lacks context. See more: Design Authorization
Question 20 - MEDIUM
You need to ensure subscription owners cannot exceed a monthly spending limit. When the budget threshold is reached, specific resource groups should be shut down automatically. Which combination provides this?
Cost Management budgets can trigger action groups when thresholds are reached, which in turn can invoke an Azure Automation runbook to shut down resource groups. Advisor (A) only recommends. Policy (B) doesn't handle spending. Reserved Instances (C) are for commitment discounts. See more: Design Governance
Question 21 - MEDIUM
You need to design a data solution that handles both real-time analytics on incoming IoT data and historical batch processing on the same dataset. Which architecture pattern should you use?
Lambda architecture combines a speed layer (for real-time analytics) and a batch layer (for historical processing), merging results in a serving layer. CQRS (A) separates reads/writes. Event Sourcing (B) stores state changes. Microservices (D) is an app architecture. See more: Data Management Strategy
Question 22 - MEDIUM
You need to encrypt sensitive columns in Azure SQL Database so that even database administrators cannot read the plaintext values. The encryption keys should be managed by the application. Which feature should you use?
Always Encrypted keeps data encrypted at rest, in transit, and in use. The column master key resides in the client application, so DBAs cannot decrypt. TDE (A) encrypts at rest but DBAs can still read data. DDM (C) masks display. RLS (D) filters rows. See more: Data Protection Strategy
Question 23 - MEDIUM
You need to monitor Cosmos DB request unit (RU) consumption and automatically alert the operations team when RU consumption exceeds the provisioned throughput. Which monitoring approach should you use?
Azure Monitor metric alerts on the Normalized RU Consumption metric provide real-time alerting when RU usage approaches or exceeds provisioned throughput. Change feed (B) tracks data changes. Advisor (C) gives recommendations. Diagnostic logs (D) are for post-analysis. See more: Monitoring Strategy for the Data Platform
Question 24 - MEDIUM
You need to replicate on-premises VMware VMs to Azure using ASR. The replication should use minimal bandwidth and provide application-consistent recovery points. Which ASR component should be deployed on-premises?
The ASR configuration server orchestrates replication and the process server compresses and encrypts data before sending to Azure, minimizing bandwidth. Azure Monitor agent (A) collects logs. AD Connect (B) syncs identities. DevOps agent (C) runs pipelines. See more: Site Recovery Strategy
Question 25 - MEDIUM
You need to ensure your Azure SQL Database survives an availability zone failure within a region with automatic failover. Which deployment option should you configure?
Business Critical tier with zone-redundant deployment places replicas across availability zones with automatic failover. Basic (A) has no zone redundancy. General Purpose (B) uses remote storage. Hyperscale with no replicas (D) has no zone protection. See more: High Availability
Question 26 - MEDIUM
You need to configure blob storage for a data lake solution. The storage account must support hierarchical namespace for efficient file system operations. Which storage account type should you select?
Azure Data Lake Storage Gen2 is built on GPv2 with Hierarchical Namespace (HNS) enabled, providing efficient directory operations, POSIX-style ACLs, and integration with big data frameworks. GPv2 without HNS (A) uses flat namespace. Premium Block Blobs (C) are for high-performance scenarios. Classic (D) is deprecated. See more: Storage Strategy
Question 27 - MEDIUM
You need a container orchestration solution that supports custom autoscaling based on queue length, HTTP traffic, and CPU usage using Kubernetes Event-Driven Autoscaling (KEDA). Which service should you use?
Azure Container Apps has built-in KEDA support for autoscaling based on various event sources including queue lengths, HTTP traffic, and custom metrics. ACI (B) doesn't support KEDA. App Service (C) has limited autoscaling triggers. Batch (D) is for HPC. See more: Compute Strategy
Question 28 - MEDIUM
You need to ensure that traffic between Azure VMs in the same virtual network is encrypted at the network layer without application changes. Which feature provides this?
Azure Virtual Network Encryption encrypts traffic between VMs in the same VNet transparently at the network layer. NSGs (A) filter traffic. DDoS (B) protects against volumetric attacks. Service endpoints (C) route traffic to Azure services. See more: Networking Strategy
Question 29 - MEDIUM
You need to centralize logging from multiple Azure subscriptions into a single workspace. Each subscription has different Log Analytics workspaces. Which feature enables cross-workspace queries?
The workspace() function in KQL enables cross-workspace queries, allowing you to query data from multiple Log Analytics workspaces in a single query. Data Explorer (A) is a separate service. Metrics Explorer (B) is for metrics. Lighthouse (D) enables cross-tenant management but not direct query joining. See more: Logging and Monitoring
Question 30 - MEDIUM
You need to enable self-service password reset (SSPR) for all users. Users should verify their identity using at least two methods. Where should you configure the number of methods required?
SSPR authentication methods settings allow you to configure the number of methods required (1 or 2) and which methods are available (phone, email, security questions, app notification, etc.). Conditional Access (A) controls sign-in. RBAC (C) manages permissions. PIM (D) manages privileged roles. See more: Authentication and Authorization
Question 31 - HARD
You are designing a multi-tenant SaaS application. Each tenant's data must be physically isolated in separate databases while sharing the application tier. Which data architecture pattern is this?
Database-per-tenant provides physical isolation with separate databases while sharing compute resources via elastic pools for cost optimization. Shared database with RLS (B) is logical isolation. Shared schema (C) uses column-level isolation. Single database (D) has no isolation. See more: Data Management Strategy
Question 32 - MEDIUM
You need to implement a disaster recovery solution where the secondary region's database is available for read-only queries to offload reporting workloads. Which feature provides this?
Auto-failover groups provide a readable secondary endpoint that can serve read-only queries for reporting workloads while also serving as a DR target. Backup restore (A, B) creates a new database. Point-in-time restore (C) is for data recovery, not ongoing reads. See more: Site Recovery Strategy
Question 33 - MEDIUM
You need to create Azure infrastructure using a CI/CD pipeline. The infrastructure definition should be version-controlled, reviewed via pull requests, and automatically deployed. Which practice does this describe?
GitOps uses Git as the source of truth for infrastructure definitions, with CI/CD pipelines automatically deploying changes after code review. Monitoring (A) tracks production. Testing (B) validates code. CI only (D) doesn't include deployment. See more: Design Deployments
Question 34 - MEDIUM
Your company needs to migrate 10 TB of data from AWS S3 to Azure Blob Storage. The transfer should be automated and occur on a recurring schedule. Which service should you use?
Azure Data Factory provides managed data movement with scheduling, monitoring, and direct AWS S3 to Blob Storage connectors. Data Box (A) is for offline physical transfer. AzCopy (C) is manual CLI. Storage Explorer (D) is a GUI tool without scheduling. See more: Design Migrations
Question 35 - MEDIUM
You need to implement an event-driven architecture where changes to Azure Blob Storage trigger processing in an Azure Function. Which service provides the most reliable event delivery for this scenario?
Event Grid provides push-based, near-real-time event delivery for Blob Storage events (created, deleted) with retry and dead-lettering. Queue polling (B) adds latency. Timer trigger (C) is not event-driven. Logic Apps schedule (D) is polling-based. See more: API Integration Strategy
Question 36 - EASY
You need to move large amounts of data (100 TB) to Azure when network bandwidth is limited. What is the recommended approach?
Azure Data Box provides physical storage devices shipped to your location, loaded with data, and shipped to Azure for import. It's ideal for large data transfers when bandwidth is limited. AzCopy (A) and ADF (B) require network. ExpressRoute (D) alone doesn't move data. See more: Storage Strategy
Question 37 - MEDIUM
Your application needs to run Windows containers with GPU support in Azure without managing the underlying infrastructure. Which compute service should you recommend?
Azure Container Instances supports Windows containers with GPU resources without infrastructure management. Container Apps (A) doesn't support Windows containers with GPU. App Service (B) has limited GPU support. Functions (C) doesn't support GPU. See more: Compute Strategy
Question 38 - MEDIUM
You need to allow Azure PaaS services (Azure SQL, Storage) to be accessed only from your virtual network, removing public endpoint exposure. Which feature should you implement?
Azure Private Link with Private Endpoints assigns a private IP from your VNet to the PaaS service, completely removing public endpoint exposure. Service endpoints (A) route traffic over backbone but the service still has a public endpoint. NSGs (C) filter IP/port. Firewall (D) filters traffic. See more: Networking Strategy
Question 39 - MEDIUM
You are implementing Conditional Access policies. Users connecting from trusted corporate IP ranges should skip MFA, while users from unknown locations must always use MFA. Which Conditional Access component defines the trusted IP ranges?
Named locations define trusted IP address ranges or countries that can be referenced in Conditional Access policies. Device compliance (B) checks device health. Session controls (C) limit sessions. Client apps (D) filter by app type. See more: Design Authorization
Question 40 - MEDIUM
You need to manage costs for development and testing environments. These environments should use lower-cost licensing and be easily identifiable. What should you create?
Azure Dev/Test subscription offers provide discounted rates for development and testing, including no license costs for Windows VMs and reduced rates for other services. Tags (A) help identify but don't reduce cost. Reservations (B) are for production commitments. Separate tenant (C) adds complexity. See more: Design Governance
Question 41 - MEDIUM
You are designing a solution where secrets used by applications must be stored centrally, rotated automatically, and accessed without hardcoding credentials. Which combination should you implement?
Azure Key Vault provides centralized secret management with automatic rotation, and managed identities allow applications to access secrets without any credentials in code. App Configuration (A) is for feature flags. SAS (B) is storage-specific. Client secrets (D) still require secret storage. See more: Data Protection Strategy
Question 42 - MEDIUM
You need to monitor the end-to-end user experience for a web application, including page load times, AJAX call performance, and browser exceptions. Which Application Insights feature provides this?
The JavaScript SDK collects client-side telemetry including page load times, AJAX performance, and browser exceptions from the user's browser. Server-side SDK (A) monitors backend. Profiler (C) analyzes code-level performance. Snapshot Debugger (D) captures exception snapshots. See more: Monitoring Strategy for the Data Platform
Question 43 - EASY
You need to use managed identities for an Azure Function to access Azure Key Vault. The identity should be automatically managed and deleted with the resource. Which type of managed identity should you use?
System-assigned managed identity is created and deleted with the resource, automatically managed by Azure with no credential maintenance. User-assigned (B) is independent and shared across resources. Service principals (C, D) require credential management. See more: Authentication and Authorization
Question 44 - HARD
You are designing a data archiving solution. Legal hold must prevent data deletion indefinitely until the hold is explicitly removed, even if a time-based retention policy has expired. Which Azure Blob Storage feature supports this?
Legal hold policies prevent data deletion indefinitely until all holds are cleared, regardless of retention policies. They are used for litigation or investigation holds. Soft delete (A) allows recovery. Time-based (B) has an expiry. Versioning (C) tracks changes. See more: Data Archiving Strategy
Question 45 - MEDIUM
You are implementing a deployment pipeline that gradually shifts traffic from the old version to the new version while monitoring for errors. Which deployment strategy is this?
Canary deployment gradually shifts traffic (e.g., 5%, 25%, 50%, 100%) while monitoring health metrics, allowing quick rollback if issues arise. Blue-green (A) does instant swap. Rolling (B) replaces instances sequentially. Recreate (D) stops old before starting new. See more: Design Deployments
Question 46 - MEDIUM
You are migrating an on-premises Oracle database to Azure. The application code must be rewritten to support a new database engine. Budget is limited. Which migration target offers the best cost-to-feature ratio for a PostgreSQL-compatible workload?
Azure Database for PostgreSQL Flexible Server provides full PostgreSQL compatibility with cost-effective pricing, burstable compute tiers, and managed service benefits. SQL Database (A) requires SQL Server syntax. Cosmos DB (C) is NoSQL. SQL Server VM (D) requires SQL licensing. See more: Design Migrations
Question 47 - MEDIUM
You need to transform incoming API requests in Azure API Management. The backend expects XML but clients send JSON. Which APIM policy should you apply?
The json-to-xml policy in the inbound section converts the JSON request body to XML before forwarding to the backend. xml-to-json (B) does the opposite. set-body outbound (C) transforms responses. rewrite-uri (D) changes URL path. See more: API Integration Strategy
Question 48 - MEDIUM
You need to ensure data written to Azure Blob Storage is replicated to a secondary region for disaster recovery but also want read access to the secondary region at all times. Which redundancy option should you choose?
RA-GRS (Read-Access Geo-Redundant Storage) replicates to a secondary region and provides read access to the secondary at all times. LRS (A) is single datacenter. GRS (B) replicates but doesn't allow reads from secondary. ZRS (D) is zone-redundant in one region. See more: Storage Strategy
Question 49 - MEDIUM
You need to implement a hub-and-spoke network topology at scale across multiple Azure regions with transitive routing and integrated security services. Which service simplifies this architecture?
Azure Virtual WAN provides managed hub-and-spoke architecture with transitive routing, integrated VPN/ExpressRoute, and Azure Firewall. VNet peering (A) requires manual routing. DNS Resolver (C) handles DNS. Route Server (D) enables BGP routing with NVAs. See more: Networking Strategy
Question 50 - MEDIUM
You need to implement data residency requirements ensuring that all customer data stays within a specific geographic boundary. Which Azure governance feature helps enforce this?
Azure Policy with the allowed locations constraint prevents resources from being deployed outside specified regions, enforcing data residency. RBAC (B) controls who can do what. Conditional Access (C) controls sign-in. Cost Management (D) tracks spending. See more: Design Governance
