AZ-305 Practice Test 4 – 50 Questions and Answers (Azure Solutions Architect Expert)

AZ-305 Practice Test 4: 50 Questions and Answers for Azure Solutions Architect Expert

Practice AZ-305 questions covering identity, governance, monitoring, data storage, business continuity, and Azure infrastructure solution design. Select your answers, review the explanations, and track your progress in the Learning Dashboard.

Exam: AZ-305Questions: 52Recommended score: 70%+Time: 90 minutes

Before you start

This practice test includes single-choice, multiple-response, and true/false questions. When a question requires more than one answer, the question text tells you exactly how many answers to choose.

AZ-305 practice test questions

Question 1: Which Azure AD feature allows organizations to control access to resources based on device compliance and user risk level?

The correct answer is Conditional Access.

Conditional Access in Azure AD enforces access policies based on conditions like user risk, sign-in risk, device state, and location. It integrates with Microsoft Intune for device compliance checks. Administrators can require MFA or block access dynamically. It enables adaptive access aligned with zero-trust principles. Conditional Access reduces exposure to identity threats while maintaining productivity. It ensures that only trusted users and devices can access sensitive resources across hybrid environments.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 2: Which service allows security administrators to investigate alerts, incidents, and user activity anomalies across Azure and Microsoft 365?

The correct answer is Microsoft Defender for Cloud Apps.

It provides cloud access security broker (CASB) functionality for visibility and control over data movement across SaaS applications. Administrators can monitor usage patterns, investigate anomalies, and enforce session controls. It integrates with Conditional Access for real-time enforcement. Defender for Cloud Apps improves compliance by detecting risky behaviors. It extends governance across both managed and unmanaged applications. This helps secure identities and data in cloud-first organizations.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 3: What is the purpose of Azure AD Administrative Units?

The correct answer is Delegate administrative permissions to subsets of users.

Administrative Units in Azure AD allow scoping of administrative roles to specific groups or users, enabling granular delegation in large organizations. This reduces unnecessary global permissions and follows least privilege principles. They are often used to assign local helpdesk roles or departmental admins. Administrative Units simplify decentralized management of users and groups. They enhance governance without increasing risk exposure. Proper configuration ensures secure and efficient identity operations.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 4: Which two Azure services provide insight into performance metrics and operational health of Azure resources? Choose 2 answers.

The correct answers are Azure Monitor and Application Insights.

Azure Monitor collects and correlates metrics and logs from across the environment, while Application Insights focuses on application-level telemetry. Combined, they offer full-stack observability and proactive alerting. Application Insights provides distributed tracing and dependency analysis for developers. Azure Monitor integrates with dashboards, workbooks, and alerts for continuous visibility. Together they ensure performance and reliability. These services are core to designing an enterprise-grade monitoring solution.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 5: Which two solutions are best suited for automating compliance enforcement and consistent policy deployment across Azure environments? Choose 2 answers.

The correct answers are Azure Blueprints and Azure Policy.

Azure Policy enforces configuration rules to ensure resources stay compliant, while Blueprints package policies, role assignments, and templates for consistent deployment. Blueprints simplify environment provisioning across multiple subscriptions. Policies can audit or automatically remediate noncompliance. Both tools reduce configuration drift and strengthen governance. They align with regulatory standards and internal best practices. Using them ensures continuous compliance across hybrid or multi-tenant Azure estates.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 6: Which Azure AD capability detects leaked credentials and blocks compromised sign-ins automatically?

The correct answer is Identity Protection.

It monitors authentication signals to detect risky sign-ins and compromised credentials. It can automatically enforce actions like MFA challenges or account blocking. Identity Protection integrates with Conditional Access for real-time mitigation. It uses machine learning to identify suspicious patterns. The service provides detailed reports for security investigation. Using Identity Protection strengthens the organization’s resilience against account takeover attacks. It is essential for proactive identity defense in the cloud.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 7: Azure Management Groups allow you to apply RBAC and policies across multiple subscriptions in a hierarchical structure.

The correct answer is True.

Azure Management Groups help organize multiple subscriptions into a logical hierarchy for unified access control and policy management. Role assignments and policies applied at a higher management group level automatically inherit to child groups and subscriptions. This simplifies governance at enterprise scale. It ensures consistent compliance across departments or business units. Management Groups integrate with Blueprints and Policy for automated deployment governance. They are fundamental for multi-subscription management in Azure.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 8: Azure Lighthouse enables customers to securely delegate management of their subscriptions to service providers or other tenants.

The correct answer is True.

Azure Lighthouse provides cross-tenant management through delegated access, enabling service providers or enterprise teams to manage resources without transferring ownership. It uses Azure RBAC for precise control over delegated actions. All activities are logged for transparency and audit. It improves scalability for MSPs and multi-tenant organizations. Lighthouse integrates with Policy and Monitor for consistent operations. It helps maintain control and compliance while outsourcing management responsibilities securely.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 9: Azure Policy cannot perform automatic remediation of non-compliant resources.

The correct answer is False.

Azure Policy supports automatic remediation actions for non-compliant resources through deployIfNotExists or modify policy effects. Administrators can trigger remediation tasks to bring resources back into compliance. These actions can apply missing tags, enforce encryption, or adjust configurations automatically. Automated remediation reduces manual intervention and drift. It ensures ongoing alignment with governance rules. Proper use of Policy effects ensures continuous compliance and operational efficiency across Azure environments.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 10: Which service should you use to automatically collect, analyze, and visualize security alerts from multiple Azure and hybrid environments?

The correct answer is Microsoft Sentinel.

It aggregates security telemetry from Azure, Microsoft 365, and external sources to provide a unified view of threats. Sentinel uses built-in AI analytics to detect anomalies and prioritize alerts. It can trigger automated incident responses via playbooks. The service integrates tightly with Defender for Cloud and Logic Apps. It enhances incident visibility and shortens response times. Sentinel is essential for a proactive, cloud-native SIEM and SOAR solution within enterprise architectures.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 11: Which two Azure services can help implement least privilege and just-in-time access for administrators? Choose 2 answers.

The correct answers are Privileged Identity Management and Access Reviews.

PIM allows time-bound elevation of privileges with approval workflows and MFA requirements. Access Reviews periodically audit role assignments to remove unnecessary access. Together they support continuous enforcement of least privilege principles. They reduce insider risk and misconfiguration exposure. Both integrate with Azure AD audit logs for tracking. Implementing them helps ensure that only authorized personnel retain privileged access when needed. They are essential tools in identity governance frameworks.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 12: Which Azure service provides real-time insights into operational issues and dependencies in distributed cloud applications?

The correct answer is Application Insights.

It is part of Azure Monitor and provides deep visibility into application performance. It collects request rates, response times, exceptions, and dependency telemetry. Developers can visualize distributed traces to identify performance bottlenecks. It integrates with Log Analytics for advanced queries. Application Insights supports both .NET and open-source frameworks. It enables proactive detection of anomalies. Using it ensures high availability and optimized end-user experience across complex distributed systems.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 13: Which Azure service can you use to define alert rules that automatically trigger remediation actions using Logic Apps or automation runbooks?

The correct answer is Azure Monitor Alerts.

It allows administrators to define conditions based on metrics or logs and trigger automated responses. Alerts can invoke Logic Apps, Automation Runbooks, or ITSM connectors. They provide near real-time detection of performance or availability issues. Integration with Action Groups centralizes notification management. Monitor Alerts ensure proactive operational maintenance and quick response. They are vital for enforcing reliability and compliance across production environments.

Related Microsoft Learn topic

AZ-305 study guide on Microsoft Learn

Question 14: Which Azure database service is best suited for globally distributed applications that require multi-master writes and tunable consistency levels?

The correct answer is Azure Cosmos DB.

Cosmos DB provides global distribution with multi-region writes, ensuring low-latency data access worldwide. It offers five tunable consistency levels to balance performance and data accuracy. This flexibility enables developers to choose the optimal trade-off for each workload. Cosmos DB supports multiple APIs, including SQL, Cassandra, and MongoDB. Its high availability and scalability make it ideal for mission-critical, distributed applications.

Related Microsoft Learn topic

Azure storage architecture guidance

Question 15: Which feature allows you to enforce data immutability to meet regulatory compliance requirements in Azure Blob Storage?

The correct answer is Immutable Blob Storage.

This feature enforces write-once-read-many (WORM) policies to prevent data from being modified or deleted during the retention period. It supports legal hold and time-based retention modes. Immutable storage ensures compliance with standards like SEC 17a-4(f) and HIPAA. It is often used for audit logs, transaction records, and financial data. Configuring immutability helps organizations protect data integrity and meet regulatory obligations.

Related Microsoft Learn topic

Azure storage architecture guidance

Question 16: Which Azure storage service provides native integration with Hadoop and Spark for big data analytics workloads?

The correct answer is Azure Data Lake Storage Gen2.

It combines the scalability of object storage with the hierarchical namespace of file systems. ADLS Gen2 integrates directly with analytics frameworks like Hadoop and Spark. It supports role-based access control and POSIX-style ACLs. The service enables high-throughput parallel processing for massive data volumes. It’s the preferred foundation for enterprise-grade data lakes and modern analytics pipelines.

Related Microsoft Learn topic

Azure storage architecture guidance

Question 17: Which two mechanisms enhance durability and fault tolerance of data in Azure Storage? Choose 2 answers.

The correct answers are Zone-redundant storage (ZRS) and Geo-zone-redundant storage (GZRS).

ZRS replicates data synchronously across multiple datacenters in the same region, while GZRS extends replication to a paired region asynchronously. Both provide high durability and protection from datacenter failures. They improve resilience without manual configuration. These redundancy options are key to meeting stringent SLA and disaster recovery requirements for critical workloads.

Related Microsoft Learn topic

Azure storage architecture guidance

Question 18: Which two Azure services allow secure network-level access to data without exposing it to the public internet? Choose 2 answers.

The correct answers are Private Endpoints and Service Endpoints.

Private Endpoints connect your storage resources to your virtual network via private IPs, while Service Endpoints extend VNet identity to PaaS services. Both approaches prevent data exposure through public routes. Private Endpoints offer the strongest isolation, as traffic remains entirely within the Microsoft backbone. Implementing these options enhances network security and compliance for storage accounts.

Related Microsoft Learn topic

Azure storage architecture guidance

Question 19: Which Azure feature enables fast, temporary storage for high-performance computing workloads running on virtual machines?

The correct answer is Ultra Disk Storage.

It provides extremely low latency and high throughput for data-intensive workloads. Ultra Disks allow performance tuning of IOPS and throughput independently of capacity. They are ideal for mission-critical databases, SAP HANA, and high-frequency trading systems. Unlike ephemeral or temporary disks, Ultra Disks maintain persistence and reliability. They ensure predictable performance at scale for I/O-heavy workloads.

Related Microsoft Learn topic

Azure storage architecture guidance

Question 20: Azure Blob Storage supports automatic encryption of data at rest using Microsoft-managed keys by default.

The correct answer is True.

Azure Storage automatically encrypts all data at rest using Microsoft-managed keys. Customers can optionally configure customer-managed keys stored in Azure Key Vault for additional control. This encryption is transparent and does not affect performance. It helps meet compliance requirements like GDPR and ISO 27001. Encryption at rest ensures that data remains protected even if physical media is compromised.

Related Microsoft Learn topic

Azure storage architecture guidance

Question 21: Azure File Sync replicates file shares from Azure Files to on-premises servers for backup purposes only.

The correct answer is False.

Azure File Sync enables bidirectional synchronization between on-premises Windows Servers and Azure Files. It allows local caching of frequently accessed files while keeping the full dataset in Azure. This improves performance and reduces storage costs. File Sync is not just for backup—it supports hybrid file sharing and disaster recovery. It’s ideal for organizations transitioning from on-premises to cloud-based file storage.

Related Microsoft Learn topic

Azure storage architecture guidance

Question 22: Which two options can optimize costs for data stored in Azure Blob Storage? Choose 2 answers.

The correct answers are Use lifecycle management rules and Move infrequently accessed data to Cool or Archive tiers.

Lifecycle management policies can automatically transition or delete data based on age or access frequency. Cool and Archive tiers offer significantly lower storage costs for less frequently used data. These optimizations help reduce total cost of ownership without compromising availability. Intelligent tiering is a core part of sustainable cloud cost management.

Related Microsoft Learn topic

Azure storage architecture guidance

Question 23: Which Azure database solution offers automatic patching, scaling, and built-in high availability for relational workloads?

The correct answer is Azure SQL Database.

It is a fully managed relational database service offering automatic updates, scaling, and 99.99% availability SLAs. It includes built-in security, threat detection, and automated backups. Elastic pools allow sharing of compute resources across databases for cost efficiency. Azure SQL Database supports business continuity with geo-replication and failover groups. It’s ideal for transactional workloads requiring high reliability and minimal maintenance overhead.

Related Microsoft Learn topic

Azure storage architecture guidance

Question 24: Which Azure service is best suited for event-driven data ingestion before storing it in Data Lake or Synapse Analytics?

The correct answer is Azure Event Hubs.

Event Hubs is a high-throughput data ingestion service capable of streaming millions of events per second. It acts as a front door for big data pipelines, feeding services like Azure Stream Analytics, Synapse, or Data Lake. It supports real-time analytics and replay of event data. Event Hubs enables scalable, low-latency data processing for IoT and telemetry workloads. It’s an essential building block for modern analytics architectures.

Related Microsoft Learn topic

Azure storage architecture guidance

Question 25: Azure Storage accounts cannot be configured to require secure (HTTPS) connections only.

The correct answer is False.

Azure Storage supports an option to enforce HTTPS-only connections, ensuring that all data in transit is encrypted. This setting blocks insecure HTTP requests automatically. Enforcing HTTPS prevents data exposure to man-in-the-middle attacks. It is considered a baseline security configuration for production environments. Enabling secure transfer is recommended for all Azure Storage accounts to protect data integrity.

Related Microsoft Learn topic

Azure storage architecture guidance

Question 26: Which Azure service provides automated backup and long-term retention for Azure virtual machines and on-premises servers?

The correct answer is Azure Backup.

Azure Backup provides a centralized solution for protecting data in the cloud and on-premises environments. It automatically handles scheduling, retention, and encryption of backup data. You can back up VMs, files, and SQL databases with application-consistent recovery points. The service uses Recovery Services vaults to store backups securely. It supports long-term retention and complies with major regulatory standards. This makes it essential for business continuity and disaster recovery strategies.

Related Microsoft Learn topic

Azure reliability and disaster recovery guidance

Question 27: Which Azure feature allows you to replicate Azure VMs to another region for disaster recovery?

The correct answer is Azure Site Recovery.

Azure Site Recovery replicates workloads running on Azure VMs or on-premises servers to a secondary Azure region. In the event of an outage, you can fail over to the secondary region and continue operations. It supports both planned and unplanned failovers. Site Recovery also automates replication policies, recovery plans, and testing. This minimizes downtime and data loss while ensuring compliance with business continuity objectives.

Related Microsoft Learn topic

Azure reliability and disaster recovery guidance

Question 28: Which metric defines the maximum amount of time your business can tolerate an outage before significant impact?

The correct answer is RTO.

RTO measures the maximum acceptable downtime after a failure before normal operations must be restored. It helps determine the appropriate disaster recovery strategy, infrastructure design, and automation level. Shorter RTO values require more resilient systems and higher costs. RPO, on the other hand, measures how much data loss is acceptable. Understanding both RTO and RPO helps balance availability, performance, and cost for business continuity planning.

Related Microsoft Learn topic

Azure reliability and disaster recovery guidance

Question 29: Which two features help ensure high availability for Azure SQL Database? Choose 2 answers.

The correct answers are Active geo-replication and Auto-failover groups.

Active geo-replication maintains readable secondary databases in different regions to protect against outages. Auto-failover groups automate failover and connection management across regions. Both ensure minimal downtime and continuous data availability. These features complement built-in automatic backups and SLA-backed availability. They are essential components of a robust SQL business continuity strategy. Using both ensures seamless failover with minimal administrative intervention.

Related Microsoft Learn topic

Azure reliability and disaster recovery guidance

Question 30: Which service allows organizations to recover individual files, folders, or entire virtual machines from a point-in-time snapshot?

The correct answer is Azure Backup.

Azure Backup supports granular recovery of individual files and folders from VM-level backups. It provides application-consistent snapshots for workloads like SQL Server and Exchange. Recovery points can be retained based on defined policies for days, months, or years. Administrators can restore directly to the original location or an alternate region. This flexibility ensures minimal data loss during incidents. Azure Backup is a foundational component for protecting workloads in Azure and hybrid environments.

Related Microsoft Learn topic

Azure reliability and disaster recovery guidance

Question 31: Which two Azure services help maintain application availability during regional outages? Choose 2 answers.

The correct answers are Azure Traffic Manager and Azure Front Door.

Azure Traffic Manager provides DNS-based load balancing across multiple regions to redirect users during regional failures. Azure Front Door operates at Layer 7, offering global HTTP(S) routing, caching, and automatic failover. Together, they maintain application availability and performance worldwide. Both integrate with health probes for automatic endpoint selection. These services are key to achieving active-active or active-passive redundancy across regions.

Related Microsoft Learn topic

Azure reliability and disaster recovery guidance

Question 32: Azure Backup allows you to use your own encryption keys stored in Azure Key Vault to protect backup data.

The correct answer is True.

Azure Backup supports customer-managed keys (CMKs) stored in Azure Key Vault. This provides full control over encryption and key rotation policies. CMKs enhance compliance with security and data governance requirements. Organizations can disable or revoke keys if data must be made inaccessible. Using CMKs strengthens security posture beyond the default Microsoft-managed encryption. It is a best practice for regulated industries handling sensitive data.

Related Microsoft Learn topic

Azure reliability and disaster recovery guidance

Question 33: Azure Site Recovery automatically performs failback to the primary region after recovery is complete.

The correct answer is False.

While Azure Site Recovery automates replication and failover, failback is a manual operation. Administrators must initiate the process to reverse replication and restore workloads to the primary region. This allows testing and validation before resuming production operations. Automatic failback is intentionally avoided to prevent data inconsistency or loss. Planning and validating failback steps are essential parts of any disaster recovery procedure.

Related Microsoft Learn topic

Azure reliability and disaster recovery guidance

Question 34: Which Azure SQL feature provides automatic, application-transparent failover between paired databases across regions?

The correct answer is Auto-failover groups.

Auto-failover groups manage connectivity and replication between a primary and secondary database automatically. They simplify disaster recovery by using a single read-write listener endpoint. Failover occurs seamlessly during outages without changing application connection strings. This reduces downtime and operational complexity. Auto-failover groups are essential for critical production systems requiring minimal disruption.

Related Microsoft Learn topic

Azure reliability and disaster recovery guidance

Question 35: Azure Backup data stored in Recovery Services vaults is replicated to ensure durability even if a datacenter fails.

The correct answer is True.

Azure Backup stores data in Recovery Services vaults, which use geo-redundant storage (GRS) by default. This replicates data to a paired Azure region, protecting against regional outages. Customers can choose locally redundant storage (LRS) for lower-cost, single-region scenarios. Replication ensures 99.999999999% durability of stored data. This design is critical for compliance, long-term retention, and disaster recovery planning.

Related Microsoft Learn topic

Azure reliability and disaster recovery guidance

Question 36: Which Azure service allows you to deploy and manage containerized applications without managing Kubernetes clusters?

The correct answer is Azure Container Instances.

ACI allows you to quickly run containers on demand without managing infrastructure or orchestrators. It supports Linux and Windows containers and integrates with virtual networks for secure connectivity. It’s ideal for burst workloads, event-driven jobs, or batch processing. Unlike AKS, ACI eliminates the need for cluster management and scaling configuration. It provides true serverless container execution for fast, cost-efficient deployments.

Related Microsoft Learn topic

Azure Architecture Center

Question 37: Which Azure feature allows traffic distribution to multiple app instances based on geographic user location?

The correct answer is Azure Traffic Manager.

It provides DNS-based global load balancing, directing users to the nearest or healthiest endpoint based on policies like geographic, priority, or performance routing. Traffic Manager improves user experience by minimizing latency. It also supports automatic failover during regional outages. Because it operates at the DNS level, it works across Azure, hybrid, and on-premises endpoints. It’s commonly paired with Azure Front Door for complete global traffic management.

Related Microsoft Learn topic

Azure Architecture Center

Question 38: Which service provides a fully managed platform for running web APIs with built-in scaling and CI/CD integration?

The correct answer is Azure App Service.

It supports hosting of web applications and APIs with automatic scaling, custom domains, and SSL. Developers can deploy directly from Azure DevOps or GitHub for continuous integration. It supports multiple runtimes such as .NET, Java, Node.js, and Python. Built-in features include authentication, backup, and staging slots. Azure App Service is ideal for developers seeking a managed PaaS environment for scalable, secure web APIs.

Related Microsoft Learn topic

Azure Architecture Center

Question 39: Which two features increase virtual machine availability within a single Azure region? Choose 2 answers.

The correct answers are Availability Sets and Availability Zones.

Availability Sets protect against localized failures by distributing VMs across fault and update domains in the same datacenter. Availability Zones go further, placing resources in separate physical datacenters within a region. Together, they ensure resilience against both hardware and datacenter-level failures. These are critical design patterns for high-availability infrastructure. Microsoft guarantees higher SLA when these mechanisms are used appropriately.

Related Microsoft Learn topic

Azure Architecture Center

Question 40: Which two Azure services can provide application-level load balancing with SSL termination? Choose 2 answers.

The correct answers are Azure Application Gateway and Azure Front Door.

Application Gateway operates at Layer 7, offering path-based routing, WAF, and SSL termination within a region. Azure Front Door extends these capabilities globally, providing edge-based acceleration and automatic failover. Both services terminate SSL/TLS connections, offloading that task from backend servers. They improve both security and performance. Using them together enables hybrid, multi-region, or global web architectures.

Related Microsoft Learn topic

Azure Architecture Center

Question 41: Which Azure service enables private connectivity to Azure PaaS services through a private IP address?

The correct answer is Azure Private Link.

It connects Azure services like Storage, SQL Database, or Key Vault directly to your virtual network using private IPs. Traffic remains on the Microsoft backbone, preventing exposure to the public internet. Private Link supports both Microsoft and partner services. It enhances data security, compliance, and traffic control. This approach aligns with zero-trust principles and reduces data exfiltration risks.

Related Microsoft Learn topic

Azure Architecture Center

Question 42: Azure Load Balancer operates at the application layer (Layer 7) of the OSI model.

The correct answer is False.

Azure Load Balancer operates at Layer 4 (transport layer), distributing TCP and UDP traffic across healthy backend instances. It supports inbound NAT, outbound SNAT, and health probes. For application-layer routing, Azure Application Gateway or Front Door should be used. Load Balancer focuses on network performance and connection-level balancing. It’s ideal for scenarios like virtual machine scaling or internal service distribution.

Related Microsoft Learn topic

Azure Architecture Center

Question 43: Azure Bastion allows administrators to connect to virtual machines through the Azure portal without assigning public IPs.

The correct answer is True.

Azure Bastion provides browser-based RDP and SSH access to VMs directly from the Azure portal. It eliminates the need for public IP addresses, reducing attack surface. Connections occur over SSL within the Azure network. Bastion integrates with Network Security Groups for controlled access. It’s essential for secure remote administration in zero-trust environments. This minimizes exposure while maintaining management capabilities.

Related Microsoft Learn topic

Azure Architecture Center

Question 44: Which Azure networking feature allows communication between two VNets in different regions using Microsoft’s backbone network?

The correct answer is VNet Peering.

VNet Peering connects virtual networks for low-latency, high-bandwidth communication. When configured globally, it allows cross-region traffic over the Microsoft backbone. It enables resources to communicate as if they were in the same network. Peering supports both same-region and global scenarios. It simplifies architecture for multi-region applications and hybrid designs without VPN overhead.

Related Microsoft Learn topic

Azure Architecture Center

Question 45: Which two Azure services provide network-level traffic filtering to control inbound and outbound communication? Choose 2 answers.

The correct answers are Network Security Groups and Azure Firewall.

NSGs enforce stateful traffic rules at subnet or NIC level. Azure Firewall provides centralized traffic filtering, FQDN filtering, and threat intelligence integration. Combined, they establish a layered security model for Azure networks. This defense-in-depth approach controls both internal and external traffic. Implementing both is standard practice for securing enterprise workloads.

Related Microsoft Learn topic

Azure Architecture Center

Question 46: Which two Azure components can automate infrastructure provisioning and configuration using templates or scripts? Choose 2 answers.

The correct answers are Azure Resource Manager templates and Azure Bicep.

ARM templates provide declarative infrastructure-as-code capabilities, allowing consistent deployment across environments. Bicep is a modern language that simplifies ARM template syntax and improves readability. Both support version control and automation pipelines. They integrate with Azure DevOps and GitHub Actions. Using IaC ensures repeatable, traceable, and compliant infrastructure deployments at scale.

Related Microsoft Learn topic

Azure Architecture Center

Question 47: Azure Virtual Machine Scale Sets automatically distribute instances across update and fault domains for high availability.

The correct answer is True.

VM Scale Sets are designed to distribute instances across update and fault domains to minimize downtime. This ensures that maintenance or hardware failures affect only a subset of instances. Scale Sets support autoscaling based on performance metrics and can integrate with load balancers for balanced traffic. They simplify large-scale, resilient VM deployments. Using them aligns with cloud-native scalability and redundancy principles.

Related Microsoft Learn topic

Azure Architecture Center

Question 48: Which Azure networking service provides DDoS protection for resources exposed to the internet?

The correct answer is Azure DDoS Protection.

It provides always-on network traffic monitoring and automatic mitigation against distributed denial-of-service attacks. DDoS Protection integrates with Virtual Networks and supports both basic and standard tiers. The standard tier offers adaptive tuning based on traffic patterns. It’s designed to protect public endpoints such as App Gateways, Load Balancers, and VMs. Implementing DDoS Protection ensures network-level resilience against volumetric attacks.

Related Microsoft Learn topic

Azure Architecture Center

Question 49: Which Azure compute option is most suitable for microservices and event-driven serverless applications?

The correct answer is Azure Functions.

Functions provide serverless computing for executing event-driven workloads without managing servers. They scale automatically based on demand and support triggers from multiple sources like queues, HTTP, or Event Hubs. Functions are billed per execution, making them cost-efficient for intermittent workloads. They are ideal for microservices, data processing, and automation. Their integration with other Azure services simplifies event orchestration.

Related Microsoft Learn topic

Azure Architecture Center

Question 50: Which two services provide insights and observability for Azure infrastructure performance? Choose 2 answers.

The correct answers are Azure Monitor and Azure Log Analytics.

Azure Monitor aggregates metrics and logs from all Azure resources, while Log Analytics enables advanced queries and alerting. Together, they support visualization through dashboards and integration with Application Insights. They enable proactive monitoring and troubleshooting. These tools form the foundation for observability in Azure architectures. Consistent monitoring ensures compliance with SLA and performance goals.

Related Microsoft Learn topic

Azure Architecture Center

Question 51: Azure ExpressRoute connections are always encrypted by default.

The correct answer is False.

ExpressRoute provides private connectivity between on-premises and Azure over a dedicated circuit but does not include encryption by default. Encryption can be added using IPsec or additional security layers if required. The primary purpose of ExpressRoute is to improve reliability, performance, and security through isolation from the public internet. For end-to-end encryption, organizations should combine it with VPN or application-level security mechanisms.

Related Microsoft Learn topic

Azure Architecture Center

Question 52: Which Azure service provides governance control by grouping related resources into logical containers with assigned policies and RBAC?

The correct answer is Management Groups.

They allow hierarchical organization of multiple subscriptions for unified policy and access control. Policies and RBAC roles assigned at a management group level propagate to all child subscriptions. This provides consistent governance across the enterprise. Resource Groups, by contrast, organize individual resources within a subscription. Management Groups are essential for enterprise-scale Azure environments managing complex governance models.

Related Microsoft Learn topic

Azure Architecture Center

Comments