AZ-305 Practice Test 3 – 50 Questions and Answers (Azure Solutions Architect Expert)

AZ-305 Practice Test 3: 50 Questions and Answers for Azure Solutions Architect Expert

Practice AZ-305 questions covering identity, governance, monitoring, data storage, business continuity, and Azure infrastructure solution design. Select your answers, review the explanations, and track your progress in the Learning Dashboard.

Exam: AZ-305Questions: 50Recommended score: 70%+Time: 90 minutes

Before you start

This practice test includes single-choice, multiple-response, and true/false questions. When a question requires more than one answer, the question text tells you exactly how many answers to choose.

AZ-305 practice test questions

Question 1: Which Azure feature enforces compliance by automatically deploying required configurations when resources are created?

The correct answer is Azure Policy DeployIfNotExists.

This effect ensures that specific configurations or dependent resources are automatically deployed if they do not already exist when a resource is created or updated. It helps enforce organizational compliance without manual intervention. DeployIfNotExists allows policy-driven automation, enabling remediation at scale. It is often used alongside initiatives for centralized governance. This mechanism ensures alignment with standards across multiple subscriptions. Implementing this effect provides both consistency and compliance in Azure environments.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 2: Which Azure service integrates with Log Analytics to analyze telemetry across applications and infrastructure?

The correct answer is Azure Monitor.

Azure Monitor provides comprehensive observability by collecting metrics, logs, and traces from applications, infrastructure, and services. It integrates seamlessly with Log Analytics to enable advanced queries, dashboards, and alerts. Azure Monitor helps identify performance bottlenecks, detect anomalies, and optimize resource usage. It centralizes monitoring data across distributed systems for unified insight. This integration is essential for maintaining system health and performance visibility. Organizations use it to drive proactive operations management in Azure.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 3: What is the primary purpose of Azure AD Conditional Access policies?

The correct answer is To enforce access controls based on conditions.

Azure AD Conditional Access provides a dynamic way to control sign-ins using contextual signals like user risk, device compliance, and location. Policies can require MFA, restrict legacy authentication, or block risky sessions. Conditional Access combines security and usability by applying policies only when necessary. It is key in implementing zero-trust security models in Azure environments. This conditional enforcement prevents unauthorized access while maintaining user productivity. It integrates with Identity Protection to assess risk in real time.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 4: Which service enables centralized management and monitoring of Azure policies across multiple tenants?

The correct answer is Azure Lighthouse.

Azure Lighthouse allows service providers or enterprise IT teams to manage multiple tenants or subscriptions securely and centrally. It supports cross-tenant policy management, monitoring, and access control through delegated permissions. Lighthouse uses Azure Resource Manager templates to onboard environments with precise access scopes. It enhances scalability for managed service operations. This capability simplifies large-scale governance scenarios. It is especially useful for MSPs or enterprises managing multiple business units or subsidiaries in Azure.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 5: Which two Azure AD features reduce identity compromise through continuous risk assessment? Choose 2 answers.

The correct answers are Identity Protection and Conditional Access.

Azure AD Identity Protection detects risky sign-ins and users, using behavioral analytics and threat intelligence. Conditional Access responds dynamically to risk levels by applying additional authentication or blocking access. Together, they deliver adaptive, real-time defense against compromised credentials. These capabilities align with zero-trust principles. They provide visibility into identity-based threats across the tenant. Implementing them reduces exposure to phishing and credential abuse.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 6: Which two Azure services assist with defining and auditing organizational standards at scale? Choose 2 answers.

The correct answers are Azure Policy and Azure Blueprints.

Azure Policy enforces configuration rules, auditing resource compliance across environments. Azure Blueprints packages policies, RBAC assignments, and templates into versioned definitions for repeatable deployments. These tools enable organizations to standardize deployments across subscriptions and tenants. They simplify compliance reporting and remediation workflows. Together, they establish a foundation for governance as code. Using them ensures consistent, auditable infrastructure governance.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 7: Which two features support governance through inheritance from higher levels in Azure’s resource hierarchy? Choose 2 answers.

The correct answers are Management Groups and Subscriptions.

Management groups sit at the top of Azure’s governance hierarchy, allowing policies and RBAC roles to propagate downward. Subscriptions inherit governance settings, ensuring consistent control. This hierarchical model allows centralized oversight and decentralized execution. It simplifies governance across large organizations with multiple teams or regions. Policies and access configurations can cascade automatically. Proper use of hierarchy ensures scalability and control in enterprise Azure environments.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 8: Azure AD Connect supports pass-through authentication, federation, and password hash synchronization.

The correct answer is True.

Azure AD Connect bridges on-premises Active Directory with Azure AD for hybrid identity. It supports three primary authentication methods: password hash synchronization, pass-through authentication, and federation with AD FS. These methods provide flexibility based on security and infrastructure needs. Password hash synchronization simplifies user logins without on-prem dependencies. Pass-through authentication validates passwords against the local directory in real time. Federation enables advanced scenarios like single sign-on using existing AD FS infrastructure.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 9: Azure Monitor allows you to collect both platform and custom metrics from applications.

The correct answer is True.

Azure Monitor collects data from Azure resources, operating systems, and custom applications. It includes both platform metrics and telemetry generated via SDKs or APIs. This flexibility provides end-to-end observability. Custom metrics extend visibility beyond default data points. These metrics integrate with alerts, dashboards, and Log Analytics. Azure Monitor thus supports full-stack performance optimization and incident detection. It is foundational for proactive monitoring and automation.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 10: Activity logs in Azure Monitor are retained indefinitely by default.

The correct answer is False.

By default, Azure Activity Logs are retained for 90 days. To retain them longer, administrators must export logs to a Storage Account, Event Hub, or Log Analytics workspace. This ensures historical data availability for audits and compliance. Retention settings must align with organizational and regulatory requirements. Indefinite retention can be costly and unnecessary. Using diagnostic settings to route logs ensures durability. Proper log management balances visibility, compliance, and cost efficiency.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 11: Which feature provides just-in-time role activation to minimize standing administrative privileges?

The correct answer is Privileged Identity Management.

PIM enables just-in-time activation for privileged roles in Azure AD and Azure resources. It requires approval and supports time-limited assignments with MFA enforcement. This minimizes security exposure from standing permissions. PIM provides audit logs and alerts for role activations and changes. It enforces least privilege principles dynamically. Integrating it with Conditional Access further strengthens role security. PIM is essential for managing critical administrative roles securely.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 12: Which Azure solution helps manage non-Azure servers and Kubernetes clusters with policy and compliance visibility?

The correct answer is Azure Arc.

Azure Arc extends Azure management and governance capabilities to resources running outside Azure, such as on-premises or other cloud providers. It enables applying Azure Policy, RBAC, and monitoring to hybrid resources. Arc bridges governance gaps across hybrid and multi-cloud environments. It integrates with Azure Monitor and Defender for Cloud. Arc-managed servers and clusters appear as native Azure resources. It unifies compliance, configuration, and visibility across heterogeneous environments.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 13: Which Azure AD feature ensures users only retain access to what they need through periodic access certification?

The correct answer is Access Reviews.

This feature allows organizations to review and certify user access to resources, groups, and applications periodically. Access Reviews reduce privilege sprawl and enforce the principle of least privilege. They can be automated and delegated to resource owners or managers. Integration with entitlement management enhances lifecycle governance. Regular reviews help maintain compliance with internal and external requirements. Access Reviews are crucial for maintaining secure and current access assignments. They integrate with reports for auditing and accountability.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 14: Which service provides built-in recommendations to improve performance, security, and cost optimization?

The correct answer is Azure Advisor.

Azure Advisor analyzes your deployments and usage patterns to recommend optimizations across cost, performance, availability, and security. It uses telemetry from Azure Monitor and resource configuration data to generate insights. The recommendations are actionable and prioritized. Advisor integrates with Azure Policy for governance enforcement. It is an essential tool for operational excellence in cloud environments. Following its recommendations helps maintain a secure, efficient, and cost-effective Azure footprint.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 15: Which Azure storage option is best suited for large analytical datasets requiring hierarchical namespace and big data processing?

The correct answer is Azure Data Lake Storage Gen2.

It combines the scalability and low-cost benefits of Azure Blob Storage with a hierarchical namespace that enables high-performance analytics. Data Lake Storage Gen2 is optimized for big data workloads like Spark, Synapse, and HDInsight. It supports POSIX-style ACLs for granular access control. Its hierarchical namespace improves performance for file-based operations and metadata queries. It integrates seamlessly with Azure Active Directory for authentication. It is the foundation for enterprise-scale data lakes and analytics pipelines in Azure.

Related Microsoft Learn topic

Azure Storage documentation

Question 16: Which service provides globally distributed, multi-model database support with guaranteed low latency?

The correct answer is Azure Cosmos DB.

It offers multi-model NoSQL database support with APIs for SQL, MongoDB, Cassandra, Gremlin, and Table. Cosmos DB guarantees single-digit millisecond latency for reads and writes backed by SLAs. It provides global distribution across multiple Azure regions with automatic failover. It supports tunable consistency levels to balance performance and accuracy. Built-in partitioning ensures horizontal scalability for massive workloads. It integrates natively with Azure Functions and Synapse for real-time analytics. Cosmos DB is ideal for mission-critical, globally distributed applications.

Related Microsoft Learn topic

Azure Storage documentation

Question 17: What Azure feature allows automatic failover of a SQL Database to a secondary region during regional outages?

The correct answer is Auto-failover Groups.

This feature provides automated and transparent failover for multiple databases in Azure SQL Database or Managed Instance. It uses paired regions for geographic redundancy and business continuity. The failover process redirects connections to the secondary endpoint seamlessly. It reduces downtime and manual intervention during disasters. Auto-failover Groups support both read-write and read-only connections. They complement active geo-replication for full continuity strategies. Implementing them ensures minimal service interruption for critical applications.

Related Microsoft Learn topic

Azure Storage documentation

Question 18: Which two mechanisms protect data in Azure Storage from accidental or malicious deletion? Choose 2 answers.

The correct answers are Soft Delete and Blob Versioning.

Soft Delete retains deleted blobs for a defined retention period, allowing recovery if deletions occur accidentally. Blob Versioning automatically creates previous versions when blobs are overwritten or deleted. Together, they provide layered protection for data integrity. These features reduce the risk of data loss due to user or application errors. They integrate with lifecycle policies for automated cleanup. Both are essential components of a secure, resilient storage design. Organizations use them to align with backup and compliance strategies.

Related Microsoft Learn topic

Azure Storage documentation

Question 19: Which two redundancy models provide cross-regional protection for Azure Storage? Choose 2 answers.

The correct answers are Geo-Redundant Storage (GRS) and Read-Access Geo-Redundant Storage (RA-GRS).

GRS replicates data asynchronously to a paired region for disaster recovery. RA-GRS extends GRS by providing read access to the secondary region. These redundancy models protect against regional outages. They are critical for business continuity and compliance in regulated industries. The data is stored multiple times across geographically separated facilities. Selecting the right redundancy option balances cost and resiliency. These models ensure your data remains available even during catastrophic regional failures.

Related Microsoft Learn topic

Azure Storage documentation

Question 20: Azure Files supports Active Directory Domain Services for access control using NTFS permissions.

The correct answer is True.

Azure Files integrates with on-premises Active Directory or Azure AD DS to support Kerberos authentication and NTFS ACLs. This allows administrators to control file access with existing identities and groups. It supports single sign-on and domain-based access. This integration simplifies hybrid file share deployments. It enables secure migrations for legacy workloads without changing authentication methods. Azure Files is ideal for lift-and-shift scenarios requiring shared file access. This feature unifies cloud storage with enterprise identity frameworks.

Related Microsoft Learn topic

Azure Storage documentation

Question 21: Immutable Blob Storage allows data to be deleted or modified before its retention period expires.

The correct answer is False.

Immutable Blob Storage enforces write-once-read-many (WORM) behavior to prevent data modification or deletion during a retention period. It supports both time-based and legal-hold retention modes. This ensures compliance with regulations such as SEC or GDPR. It is particularly valuable for audit logs, financial data, or records retention. Once locked, data cannot be altered until the policy expires. This feature enhances the integrity of sensitive information. It is widely adopted in regulated industries for compliance assurance.

Related Microsoft Learn topic

Azure Storage documentation

Question 22: Which Azure feature helps optimize costs by automatically moving blobs between tiers based on access patterns?

The correct answer is Lifecycle Management Rules.

This feature uses defined policies to transition blobs between Hot, Cool, and Archive tiers based on last access or modification time. It also supports automatic deletion after a specified duration. Lifecycle rules reduce storage costs without manual intervention. They help maintain compliance with data retention policies. Administrators can configure rules at the container or storage account level. The system enforces them automatically across all matching objects. It is a best practice for large-scale, cost-optimized data storage management.

Related Microsoft Learn topic

Azure Storage documentation

Question 23: Which database service supports built-in high availability with zone-redundant configurations?

The correct answer is Azure SQL Database.

It provides built-in high availability through zone-redundant deployment options in supported regions. Each database is automatically replicated across availability zones for fault isolation. The platform manages failover transparently, ensuring minimal downtime. This eliminates the need for complex clustering configurations. Zone redundancy complements automated backups and geo-replication. It is ideal for business-critical workloads requiring 99.995% availability. Using this configuration enhances fault tolerance and service reliability in Azure SQL Database.

Related Microsoft Learn topic

Azure Storage documentation

Question 24: Which two features of Azure Cosmos DB help meet strict performance and scalability SLAs? Choose 2 answers.

The correct answers are Request Units (RUs) and Partition Keys.

Request Units quantify performance in Cosmos DB, defining the throughput allocated for operations. Partition Keys enable horizontal scaling by distributing data across logical partitions. Together, they ensure predictable performance and elasticity. Proper partition key design prevents hot spots and latency issues. These mechanisms align with Cosmos DB’s SLA-backed guarantees for throughput and latency. Configuring them effectively is essential for scaling globally distributed workloads. They are core to achieving consistent, high-performance database operations.

Related Microsoft Learn topic

Azure Storage documentation

Question 25: Azure SQL Database supports Always Encrypted for protecting sensitive data at the client level.

The correct answer is True.

Always Encrypted secures data by encrypting sensitive columns at the client-side using keys stored externally. SQL Server or Azure SQL never sees the plaintext data or encryption keys. This ensures end-to-end protection even from database administrators. Always Encrypted supports deterministic and randomized encryption modes. It complies with data privacy regulations like GDPR. It integrates with Azure Key Vault for key management. This feature is vital for protecting confidential data within multi-tenant and regulated environments.

Related Microsoft Learn topic

Azure Storage documentation

Question 26: Which Azure feature provides automated protection for virtual machines through periodic application-consistent backups?

The correct answer is Azure Backup.

It offers a managed backup solution for Azure and on-premises workloads. Azure Backup captures application-consistent snapshots and stores them securely in Recovery Services vaults. It automates scheduling, retention, and encryption of backup data. The service supports virtual machines, databases, and files. It provides long-term retention for compliance requirements. Backups can be encrypted both in transit and at rest. Azure Backup simplifies business continuity with centralized management and minimal operational overhead.

Related Microsoft Learn topic

Azure Site Recovery overview

Question 27: What is the primary objective of Recovery Time Objective (RTO)?

The correct answer is Specifies target duration to restore services.

RTO measures the acceptable time window to bring systems and applications back online after an outage. It helps organizations design appropriate recovery strategies. A shorter RTO requires more automation, replication, and cost investment. RTO complements Recovery Point Objective (RPO), which defines acceptable data loss. Together, they form the foundation of business continuity planning. Understanding RTO ensures proper selection of backup and replication solutions. It directly influences infrastructure design and disaster recovery policies.

Related Microsoft Learn topic

Azure Site Recovery overview

Question 28: Which Azure service provides automated replication and orchestrated failover for entire workloads between regions or datacenters?

The correct answer is Azure Site Recovery.

It replicates workloads running on physical servers, virtual machines, or Azure VMs to a secondary location. During outages, failover can be triggered manually or automatically. The service orchestrates recovery workflows to minimize downtime. It integrates with Azure Automation for customized failover actions. ASR supports replication across regions or between on-premises and Azure environments. It simplifies disaster recovery planning with built-in testing capabilities. Using ASR ensures resilience against site-level disruptions and compliance with recovery objectives.

Related Microsoft Learn topic

Azure Site Recovery overview

Question 29: Which two features of Azure SQL Database support disaster recovery and high availability? Choose 2 answers.

The correct answers are Active Geo-Replication and Auto-Failover Groups.

Active Geo-Replication creates up to four readable secondary replicas in other regions for resilience and load balancing. Auto-Failover Groups manage automatic failover of multiple databases with minimal downtime. Both features ensure high availability and continuity during outages. They work together to meet RTO and RPO targets. These mechanisms simplify failover configuration and testing. Implementing them is essential for mission-critical workloads. They protect data integrity and maintain service availability across regional boundaries.

Related Microsoft Learn topic

Azure Site Recovery overview

Question 30: Which two features in Azure Key Vault enhance recoverability and prevent permanent loss of secrets? Choose 2 answers.

The correct answers are Soft Delete and Purge Protection.

Soft Delete retains deleted keys, secrets, and certificates for a defined period, allowing recovery before permanent deletion. Purge Protection prevents any forced deletion while Soft Delete is enabled. These two mechanisms safeguard against accidental or malicious loss of data. They ensure compliance with retention requirements for sensitive assets. Administrators can recover vault objects easily during incidents. Together, they provide layered protection and operational resilience. Enabling both is a best practice for business-critical key management.

Related Microsoft Learn topic

Azure Site Recovery overview

Question 31: Azure Backup can back up data directly to Azure Storage accounts without using a Recovery Services vault.

The correct answer is False.

Azure Backup uses Recovery Services vaults as the central management and storage layer for backup data. It does not store backups directly in arbitrary Storage Accounts. The vault provides encryption, retention management, and lifecycle policies. This design ensures consistent recovery operations across workloads. Using the vault abstracts complexity and improves reliability. It also supports role-based access control for backup operations. Vault-based management is crucial for consistent and auditable backup management across environments.

Related Microsoft Learn topic

Azure Site Recovery overview

Question 32: Geo-redundant Storage (GRS) automatically replicates data to a secondary region paired with the primary region.

The correct answer is True.

GRS replicates data asynchronously to a secondary Azure region that is paired with the primary region. This ensures geographic redundancy and resilience against regional failures. Data replication is managed automatically by Azure. The secondary copy becomes available for read access if RA-GRS is enabled. GRS is ideal for compliance and disaster recovery strategies. It provides durability even in catastrophic outages. It is one of the simplest and most cost-effective mechanisms for cross-region data protection in Azure.

Related Microsoft Learn topic

Azure Site Recovery overview

Question 33: Which Azure service ensures that DNS traffic is automatically directed to healthy endpoints during failover events?

The correct answer is Azure Traffic Manager.

It uses DNS-based load balancing to route client requests to the most appropriate endpoint based on health and performance. During outages, Traffic Manager detects failures through health probes and redirects traffic automatically. It supports multiple routing methods such as performance, priority, and geographic. It is a key component in cross-region disaster recovery architectures. Traffic Manager integrates with App Services, VMs, and custom endpoints. It provides seamless failover while maintaining user experience globally.

Related Microsoft Learn topic

Azure Site Recovery overview

Question 34: Which Azure service allows you to run containerized applications without managing servers or orchestrators?

The correct answer is Azure Container Instances.

It provides a fast, serverless way to run containers in Azure without requiring you to manage clusters or infrastructure. You can deploy containers directly using images from Azure Container Registry or Docker Hub. ACI is ideal for event-driven workloads, short-lived jobs, and simple API hosting. It supports environment variables, secrets, and persistent storage. The service scales quickly and integrates with virtual networks for secure communication. Using ACI reduces operational overhead compared to full orchestration platforms like AKS.

Related Microsoft Learn topic

Azure Architecture Center

Question 35: Which Azure networking feature routes traffic privately between PaaS services and virtual networks?

The correct answer is Private Endpoints.

They extend your virtual network by mapping PaaS resources to private IP addresses, ensuring that all traffic remains within the Azure backbone. This eliminates exposure to the public internet, improving security and compliance. Private Endpoints support services like Storage, SQL Database, and Key Vault. They integrate with DNS zones for seamless name resolution. This model helps prevent data exfiltration and simplifies network architecture. Private connectivity through endpoints is essential for zero-trust network design in Azure.

Related Microsoft Learn topic

Azure Architecture Center

Question 36: Which Azure feature enables you to deploy infrastructure as code using declarative templates?

The correct answer is Azure Resource Manager Templates.

ARM templates define infrastructure in JSON or Bicep syntax, allowing consistent, repeatable deployments across environments. They support parameterization, dependencies, and conditional logic. Deployments through ARM ensure idempotency—running them multiple times yields the same result. Templates integrate with Azure Policy and RBAC for governance. Using ARM templates helps standardize environments across teams and subscriptions. They are the foundation for infrastructure as code practices in Azure.

Related Microsoft Learn topic

Azure Architecture Center

Question 37: Which service provides HTTP-based global load balancing with SSL offloading and application-layer routing?

The correct answer is Azure Front Door.

It is a global, layer-7 load balancer that optimizes traffic through Microsoft's edge network. Front Door offers SSL termination, web application firewall (WAF), caching, and dynamic site acceleration. It routes traffic based on URL path or host header and provides instant failover between regions. Unlike Application Gateway, Front Door operates globally at the DNS edge. It is ideal for multi-region web apps requiring low latency and high availability. Its integrated security features improve both performance and protection for global applications.

Related Microsoft Learn topic

Azure Architecture Center

Question 38: Which two services provide distributed denial-of-service (DDoS) protection in Azure? Choose 2 answers.

The correct answers are Azure DDoS Protection Standard and Azure Front Door.

DDoS Protection Standard provides automatic mitigation at the network edge for volumetric and protocol attacks on public endpoints. Azure Front Door adds global edge protection with web application firewall and rate limiting at layer 7. Together, they create multi-layer defense against denial-of-service threats. DDoS metrics integrate with Azure Monitor for insights and alerts. These solutions complement each other in hybrid architectures. Using them together ensures end-to-end network resilience and threat prevention.

Related Microsoft Learn topic

Azure Architecture Center

Question 39: Which two options improve reliability for Azure Virtual Machines running a web tier? Choose 2 answers.

The correct answers are Availability Sets and Availability Zones.

Availability Sets distribute VMs across fault and update domains within a datacenter to reduce impact from hardware or maintenance failures. Availability Zones deploy VMs across separate datacenters within a region to protect against regional datacenter outages. Both improve redundancy and uptime. Combined, they deliver high SLA guarantees for critical applications. Implementing these mechanisms aligns with Azure’s best practices for resilience. They form the foundation of fault-tolerant infrastructure design.

Related Microsoft Learn topic

Azure Architecture Center

Question 40: Which two Azure services can automate scaling based on demand metrics? Choose 2 answers.

The correct answers are Azure Virtual Machine Scale Sets and Azure App Service.

VM Scale Sets automatically add or remove VM instances based on CPU, memory, or custom metrics. Azure App Service scales web applications horizontally or vertically according to demand. Both support scheduled and metric-based autoscaling rules. They help maintain performance while controlling costs. These capabilities are integral for elastic, cloud-native architectures. Proper scaling ensures availability during peak loads and cost efficiency during low demand.

Related Microsoft Learn topic

Azure Architecture Center

Question 41: Which two components are required for secure hybrid connectivity between Azure and on-premises networks? Choose 2 answers.

The correct answers are VPN Gateway and ExpressRoute.

VPN Gateway creates encrypted tunnels over the internet between on-premises devices and Azure VNets. ExpressRoute provides a dedicated, private connection over Microsoft’s backbone network. Both ensure secure and reliable hybrid communication. VPNs are ideal for quick deployments, while ExpressRoute suits enterprise-grade performance needs. Combining both offers flexibility and redundancy. They integrate with Azure Firewall and NSGs for layered protection. These are cornerstone services for hybrid cloud architectures.

Related Microsoft Learn topic

Azure Architecture Center

Question 42: Which Azure compute option is optimized for event-driven, pay-per-execution workloads?

The correct answer is Azure Functions.

This serverless compute platform executes code in response to triggers without provisioning or managing servers. It scales automatically based on event volume. Functions integrate with numerous Azure services like Event Grid, Storage, and Service Bus. They support multiple languages and flexible hosting plans. Billing is based solely on execution time and resources used. This makes Functions ideal for microservices, automation tasks, and real-time data processing. Its lightweight design enables rapid development of modern event-driven applications.

Related Microsoft Learn topic

Azure Architecture Center

Question 43: Which Azure service provides a fully managed platform for hosting APIs securely and at scale?

The correct answer is Azure API Management.

It provides a gateway to publish, secure, and monitor APIs for internal and external consumers. It supports rate limiting, authentication, caching, and transformation policies. The service includes a developer portal and analytics dashboards. API Management integrates with Azure AD, OAuth, and custom identity providers. It helps organizations enforce governance and protect backend services. It scales globally through multi-region deployment. API Management is a critical component for building secure, modern API ecosystems.

Related Microsoft Learn topic

Azure Architecture Center

Question 44: Which networking service allows you to define and enforce inbound and outbound security rules for subnets and NICs?

The correct answer is Network Security Groups.

NSGs control network traffic within virtual networks using rule-based access control. Rules can be applied at subnet or network interface level to permit or deny traffic. NSGs evaluate rules based on priority, direction, and protocol. They work alongside Application Security Groups for simplified management. NSGs are fundamental to implementing segmentation and zero-trust network principles. They integrate with Azure Monitor for flow log analysis. Properly configured NSGs form the first line of defense in network security.

Related Microsoft Learn topic

Azure Architecture Center

Question 45: Azure Load Balancer operates at Layer 4 and distributes TCP/UDP traffic based on health probes.

The correct answer is True.

Azure Load Balancer functions at the transport layer, distributing TCP and UDP traffic evenly among healthy instances. It uses health probes to detect the availability of backend services. The load balancer supports both internal and public scenarios. It enables scaling and redundancy for applications and services. Layer 4 operation provides minimal latency and high throughput. It works seamlessly with Virtual Machine Scale Sets for autoscaling. This service ensures consistent performance and reliability for networked applications.

Related Microsoft Learn topic

Azure Architecture Center

Question 46: Azure Firewall cannot inspect outbound traffic from virtual networks.

The correct answer is False.

Azure Firewall inspects and filters both inbound and outbound traffic. It is a fully stateful network security service supporting application, network, and NAT rules. Outbound filtering helps prevent data exfiltration and control internet access. It integrates with threat intelligence for blocking known malicious IPs and domains. Azure Firewall scales automatically to handle large traffic volumes. It provides centralized policy management for multiple VNets. Outbound inspection is a key capability in enforcing enterprise security posture.

Related Microsoft Learn topic

Azure Architecture Center

Question 47: Virtual Network Peering allows seamless communication between VNets with low latency and no bandwidth restrictions.

The correct answer is True.

Virtual Network Peering connects two or more VNets to enable direct, private communication across the Azure backbone. The connection uses Microsoft’s internal network, providing low latency and high bandwidth. Peered networks appear as part of the same fabric for routing. It supports cross-subscription and cross-region scenarios. Peering traffic does not traverse the public internet, ensuring security. It is ideal for multi-tier or hub-and-spoke architectures. Peering simplifies connectivity without needing VPN or gateways.

Related Microsoft Learn topic

Azure Architecture Center

Question 48: Azure Bastion provides secure SSH and RDP access to VMs directly through the Azure portal without exposing public IPs.

The correct answer is True.

Azure Bastion is a managed jump-host service that allows secure remote access to virtual machines directly in the Azure portal. It removes the need for public IP addresses or inbound ports. Connections are made over SSL through the browser, reducing attack surface exposure. Bastion supports both RDP and SSH protocols. It integrates with Azure RBAC and NSGs for fine-grained control. It simplifies secure administrative access for hybrid and production environments. Using Bastion aligns with zero-trust security principles.

Related Microsoft Learn topic

Azure Architecture Center

Question 49: Which Azure tool provides recommendations to improve performance, security, and cost efficiency of deployed resources?

The correct answer is Azure Advisor.

It analyzes resource configurations and usage telemetry to suggest optimizations for cost, security, reliability, and performance. Recommendations include resizing underutilized VMs, enabling backup, and securing open ports. Advisor integrates with Azure Policy for enforcement and tracking. It helps maintain compliance with operational best practices. Reports can be automated via REST APIs or exported to dashboards. Regularly reviewing Advisor insights enhances operational efficiency and cost savings.

Related Microsoft Learn topic

Azure Architecture Center

Question 50: Which compute service allows you to run large-scale parallel and batch computing jobs efficiently?

The correct answer is Azure Batch.

It manages and schedules compute-intensive workloads across pools of VMs. Developers can submit batch or parallel jobs without managing infrastructure manually. Azure Batch automatically scales resources to meet workload demand. It integrates with job scheduling, task retry logic, and container execution. It supports rendering, simulations, and data transformations. The service separates workload management from hardware configuration. Batch computing provides cost-effective elasticity for processing large datasets or compute-heavy applications.

Related Microsoft Learn topic

Azure Architecture Center

Comments