Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Design infrastructure solutions

Practice AZ-305 Design infrastructure solutions questions with full explanations on every answer.

All AZ-305 Design infrastructure solutions questions (292)

1

A company is designing a hub-spoke network topology in Azure. The hub contains a third-party network virtual appliance (NVA) for inspection. Spokes need to communicate with each other, and all inter-spoke traffic must be routed through the NVA in the hub. Which configuration should they use?

2

A company is deploying a web application on Azure App Service. They need to guarantee that all traffic from the internet goes through a Web Application Firewall (WAF) before reaching the app. The solution must be cost-effective for a single application. Which Azure service should they place in front of the App Service?

3

A company has multiple Azure subscriptions and on-premises data centers connected via ExpressRoute. They want to centralize connectivity to the internet and enforce a single web filtering and security policy for all outbound internet traffic from Azure VMs. Which Azure networking architecture should they implement?

4

A company has multiple branch offices and needs to connect them to Azure and to each other using a scalable, managed solution that simplifies network architecture. The solution should support automatic routing and integration with ExpressRoute and VPN. Which Azure service should they use?

5

A company runs a high-performance computing (HPC) workload on Azure that requires extremely low latency (under 10 microseconds) between multiple VMs for MPI communication. The VMs are part of a single job and must be placed together to minimize network latency. Which VM deployment option should they use?

6

A company is deploying an internal web application on Azure VMs. The application requires SSL offloading, session stickiness, and URL-based routing (e.g., /api/* to one backend, /app/* to another). The solution must operate within a single Azure region and must not be exposed to the public internet. Which Azure load balancing solution should they use?

7

A company is developing a containerized microservices application. They want to minimize operational overhead for managing orchestration. The application has a low-to-medium traffic pattern that can spike unpredictably. They need fast scaling and pay-per-second billing. Which Azure compute service should they use?

8

A company has two on-premises data centers and an Azure subscription. They need to connect each data center to Azure with a private, high-bandwidth, and reliable connection. They also want a low-cost backup connection for each data center in case the primary connection fails. Which combination of connectivity options should they recommend?

9

A company is designing a hub-spoke network topology across multiple Azure regions. They plan to deploy a third-party network virtual appliance (NVA) in the hub for traffic inspection. They require that all traffic between spokes in different regions must be routed through the hub NVA, and they want to minimize the number of peered connections. Which solution should they implement?

10

A company is deploying a multi-tier web application on Azure. The web tier must be accessible from the internet. The application tier and database tier must be isolated within the virtual network and not directly accessible from the internet. The solution must provide SSL termination, URL-based routing, and Web Application Firewall (WAF) capabilities. Which Azure service should they use to expose the web tier?

11

A company is deploying a multi-tier web application on Azure VMs. The web tier must be accessible from the internet, while the application and database tiers must be isolated within the virtual network. The solution must provide SSL termination, web application firewall (WAF) capabilities, and URL-based routing. Which Azure service should they use to expose the web tier?

12

A global company is deploying a microservices application on AKS clusters in multiple Azure regions. They need to provide a single endpoint for users worldwide with SSL offloading, web application firewall, and URL path-based routing to the nearest healthy AKS cluster. They also need global load balancing with automatic failover. Which Azure service should they use?

13

A company has a hub-spoke network topology in Azure. They have multiple spoke VNets connected to a hub VNet via peering. They need to ensure that all east-west traffic between spoke VNets goes through a network virtual appliance (NVA) in the hub for inspection. Additionally, all outbound internet traffic from spoke VMs must use a single public IP address. What should they configure?

14

A company needs to provide secure remote administration access to Azure virtual machines for their IT team. The VMs are in a virtual network with no public IP addresses. The IT team uses browsers to connect. The solution should not require any custom software on the client machines. Which Azure service should they use?

15

A company has an Azure SQL Database that they need to access from an on-premises data center over ExpressRoute. They want to use a private IP address to connect to the database, ensuring traffic never traverses the public internet. Which Azure service should they use?

16

A company plans to deploy a stateless web application on Azure virtual machines. They want to ensure that the application remains available in the event of a hardware failure within a single Azure datacenter. The VMs must be placed in a way that ensures they are on different physical servers and racks, but are still within the same datacenter. Which deployment strategy should they use?

17

A company is deploying a web application that must be accessible from the internet. The application is hosted on Azure virtual machines in a virtual network. The solution must provide SSL termination, web application firewall (WAF) protection, and URL path-based routing (e.g., /api/* to one backend pool, /app/* to another). The web tier must not be directly exposed to the internet. Which Azure load balancing solution should they use?

18

A company has an on-premises data center and wants to connect it to Azure to extend their network. They require a dedicated, private, high-bandwidth connection that is not routed over the public internet. They also want a lower-cost backup connection for redundancy in case the primary connection fails. Which combination of connectivity options should they implement?

19

A company deploys a web application on Azure VMs across multiple availability zones in a region. They need to distribute incoming traffic across VMs in all zones, maintain session persistence, and support SSL offloading and URL-based routing (e.g., /api/* to one pool, /app/* to another). Which Azure load balancing solution should they use?

20

A company has multiple Azure VNets deployed in a hub-spoke topology. They want to inspect all outbound internet traffic from spoke VMs using a central firewall and ensure that traffic from all VNets goes through the firewall before reaching the internet. They also need to log all outbound connections. Which architecture should they implement?

21

A company plans to deploy a web application on Azure virtual machines. They want to protect against a datacenter failure within a region. The VMs must be distributed across multiple physically separate locations with independent power, cooling, and networking. Which deployment option should they use?

22

A global e-commerce company deploys its web application on Azure Kubernetes Service (AKS) clusters in multiple Azure regions. They need a single global endpoint for users, with SSL offloading, web application firewall (WAF) protection, and URL path-based routing to the nearest healthy AKS cluster. Which Azure service should they use?

23

A company has an on-premises data center and wants to connect it to Azure with a dedicated, private network connection that is not routed over the public internet. They also need a higher service-level agreement (SLA) compared to VPN-based connections. Which Azure service should they use?

24

A company has deployed several Azure VMs that do not have public IP addresses. Administrators need to securely connect to these VMs using RDP and SSH from the internet over a browser without deploying a jump box or managing VPN connections. The solution must use Microsoft Entra ID authentication for single sign-on. Which Azure service should they use?

25

A company has an Azure virtual network (VNet) in the East US region hosting a web application. They need to securely connect to an on-premises data center in the same region using a dedicated, private network connection with high throughput and low latency. They also need a backup connection for redundancy in case the primary connection fails. Which connectivity solution should they implement?

26

A company deploys a web application in two Azure regions for high availability. They need to automatically direct users to the nearest healthy region based on geographic location and endpoint health. Which Azure service should they use?

27

A company deploys a web application on Azure VMs within a single region. They need to distribute incoming HTTP traffic across multiple VMs, offload SSL encryption, and maintain session persistence (sticky sessions) for user sessions. Which Azure load balancing solution should they use?

28

A company deploys Azure VNets in multiple regions and has on-premises data centers. They need to connect all VNets to each other and to on-premises sites using the Microsoft global network for optimal routing. They also want to simplify management by using a single orchestration interface. Which Azure service should they use?

29

A company has multiple Azure virtual networks (VNets) in different regions. They want to connect all VNets to each other securely over the Microsoft backbone network, and also connect to their on-premises data center via ExpressRoute. What is the simplest Azure solution to enable connectivity between all VNets and on-premises?

30

A company deploys a web application across multiple Azure VMs in a single region. They want to distribute incoming HTTP traffic evenly across the VMs, offload SSL encryption, and provide a fixed public IP address for clients. Which Azure load balancing solution should they use?

31

A company has multiple Azure virtual networks (VNets) in different Azure regions and an on-premises data center connected via ExpressRoute. They want to connect all VNets to each other and to the on-premises network securely over the Microsoft global backbone. They also want to simplify management by using a single orchestration interface. Which Azure service should they use?

32

A company deploys a web application on multiple Azure VMs. They need to distribute incoming HTTP traffic across the VMs, offload SSL/TLS termination, and maintain session persistence (sticky sessions) so that all requests from a user session go to the same backend VM. Which Azure load balancing solution should they use?

33

A company runs a web application on Azure VMs in a single region. The application must scale out automatically based on CPU utilization. The VMs are behind an Azure Load Balancer. Which Azure service should they use to automatically add or remove VMs based on demand?

34

A company deploys a web application on multiple Azure VMs in a single region. They need to distribute incoming HTTP and HTTPS traffic across the VMs, offload SSL/TLS termination, and maintain session persistence (sticky sessions) so that all requests from a user session go to the same backend VM. Which Azure load balancing solution should they use?

35

A company deploys a web application across multiple Azure VMs in a single region. They need to distribute incoming HTTP traffic, offload SSL termination, and perform URL-based routing to different backend pools (e.g., /images to one pool, /api to another). Which Azure load balancing solution should they use?

36

A company has Azure virtual networks (VNets) in three different Azure regions and an on-premises data center connected via ExpressRoute. They need to connect all VNets to each other and to on-premises over the Microsoft global backbone. They also require centralized management of routing and the ability to enforce security policies such as forced tunneling for internet-bound traffic. Which Azure service should they use?

37

A company deploys a web application on Azure VMs. They need to distribute incoming HTTP and HTTPS traffic based on the URL path: requests to /api/* go to one VM pool, requests to /images/* go to another pool. They also need to offload SSL/TLS termination. Which Azure load balancing solution should they use?

38

A company has multiple Azure virtual networks (VNets) spread across three Azure regions (West US, East US, and West Europe). They also have an on-premises network connected to East US via ExpressRoute. They need to connect all VNets to each other and to the on-premises network. They require centralized management of routing and the ability to enforce security policies such as forcing all internet-bound traffic from any VNet to pass through a central firewall in East US. Which Azure solution should they implement?

39

A company deploys a web application on Azure VMs across multiple availability zones in the East US region. They need to distribute incoming HTTPS traffic across the VMs, offload SSL termination, and ensure that client requests from the same user session are sent to the same backend VM (session persistence). Which Azure load balancing solution should they choose?

40

A company has Azure virtual networks (VNets) in three different Azure regions (West US, East US, and West Europe). They also have an on-premises data center connected to the East US region via ExpressRoute. They need to connect all VNets to each other and to the on-premises network. The solution must support transitive routing between all sites and provide centralized management of connectivity and routing policies. Which Azure service should they use?

41

A company deploys a web application on multiple Azure virtual machines (VMs) in a single region. The application receives HTTP and HTTPS traffic. They need to distribute the traffic across the VMs, offload SSL/TLS termination, and ensure that client requests from the same user session are always sent to the same backend VM (session persistence). Additionally, they need to route requests based on URL paths (e.g., /api/* to one pool, /images/* to another). Which Azure load balancing solution should they use?

42

A company has an Azure API Management instance deployed in the internal virtual network (VNet) mode. They want to securely expose their backend APIs to external partners over the internet. External partners need to authenticate using OAuth2 tokens. The company also wants to enforce rate limits (throttling) per subscription, cache responses, and enable CORS. Which Azure service should they use to expose the APIs?

43

A company has virtual machines in Azure that need to be grouped across multiple fault domains and update domains to ensure high availability. They plan to deploy three VMs running the same application tier. Which Azure feature should they use to provide redundancy within a single region?

44

A company has multiple Azure virtual networks (VNets) in different regions connected via VNet peering. They also have an on-premises data center connected to Azure via ExpressRoute. They need to provide internet-bound traffic from all Azure VNets through a single, centralized network virtual appliance (NVA) in the hub VNet for security inspection. They also need to ensure that traffic between VNets and on-premises is routed optimally without going through the internet. Which Azure solution should they implement?

45

A company deploys a web application on Azure virtual machines (VMs) across multiple availability zones in the East US region. The application receives HTTPS traffic. They need to distribute incoming traffic across the VMs, offload SSL/TLS termination, and ensure that client requests from the same user session are always sent to the same backend VM (session persistence). Which Azure load balancing solution should they choose?

46

A company wants to deploy a web application on Azure virtual machines (VMs). The application experiences variable traffic patterns, so the company needs to automatically add or remove VM instances based on CPU utilization. They also want the application to remain highly available even if an Azure datacenter fails. Which combination of Azure services should they use?

47

A global e-commerce company runs a web application in multiple Azure regions. They need to distribute incoming HTTPS traffic across regional deployments to provide low latency and high availability. The solution must support SSL offloading, Web Application Firewall (WAF) policies, and content caching to reduce backend load. They also need to route users to the nearest healthy backend region. Which Azure service should they use?

48

A company has deployed Azure virtual machines without public IP addresses. They need to provide secure RDP and SSH access to these VMs for administrators from the corporate network (on-premises). The solution must integrate with Microsoft Entra ID for authentication and support multi-factor authentication (MFA). It must not require any public endpoint exposure on the VMs. Which Azure service should they use?

49

A company has headquarters and multiple branch offices worldwide, each with its own on-premises network. They want to connect all these sites to Azure and to each other over a single, centrally managed solution. They need high bandwidth connectivity for site-to-site traffic, support for both VPN and ExpressRoute connections, and automatic routing management without the complexity of configuring multiple VPN tunnels or BGP manually. Which Azure service should they use?

50

A company has multiple virtual networks in different Azure regions. They need to connect all VNets together securely over the Microsoft backbone. They also need to connect to an on-premises data center via ExpressRoute. The solution should support transitive routing between all connected networks. Which Azure service should they use?

51

A company wants to run a containerized application on Azure without managing virtual machines. They need automatic scaling, load balancing, and rolling updates. Which Azure compute service should they choose?

52

A company has multiple Azure virtual networks (VNets) in different regions and an on-premises data center. They need to implement a hub-and-spoke topology where the hub VNet hosts shared services like firewalls and DNS. All traffic between spokes, and between spokes and on-premises, must be routed through the hub for inspection. Additionally, spoke VNets must not be able to directly communicate with each other. Which Azure networking solution should they implement to meet these requirements with minimal administrative overhead?

53

A company deploys a web application on multiple Azure VMs within an availability set. They need to distribute incoming HTTP traffic evenly across the VMs and provide health probe monitoring. The solution must support SSL termination and source IP affinity (session persistence). Which Azure load balancing solution should they choose?

54

A company deploys a web application on Azure virtual machines (VMs) across multiple availability zones. The application needs to automatically distribute incoming HTTPS traffic, offload SSL/TLS termination, and provide session persistence. Additionally, the solution must include a Web Application Firewall (WAF) to protect against common web vulnerabilities. Which Azure load balancing solution should they use?

55

A company has multiple Azure virtual networks (VNets) in different regions and an on-premises data center connected via ExpressRoute. They need to implement a hub-and-spoke topology where a hub VNet hosts shared network virtual appliances (NVAs) for traffic inspection. All traffic between spokes and between spokes and on-premises must be routed through the hub. The company wants to minimize the administrative overhead of configuring and maintaining routing. Which Azure solution should they implement?

56

A company wants to deploy containerized microservices on Azure without managing virtual machines. The solution must support automatic scaling based on demand, built-in load balancing, rolling updates for zero-downtime deployments, and a fully managed platform. Which Azure compute service should they choose?

57

A company deploys a multi-tier web application on Azure VMs across availability zones. The web tier must have SSL termination, session persistence, and health probe monitoring. Additionally, all traffic must be inspected by a central firewall for compliance. The solution must be highly available. Which combination of Azure services should they implement?

58

A company deploys a web application on Azure VMs in a single region. They need to distribute incoming HTTPS traffic across multiple VMs, offload SSL termination, and provide session persistence. Which Azure load balancing solution should they choose?

59

A company plans to deploy multiple virtual machines (VMs) across two Azure regions for high availability. The VMs will host a stateless web application that must be accessible via a single DNS endpoint. The solution must automatically route traffic to the nearest region with available capacity and provide failover if a region becomes unhealthy. Which Azure service should they use to meet these requirements?

60

A company deploys a containerized application on Azure Kubernetes Service (AKS). They need to expose the application to the internet and provide TLS termination. The solution must also include a Web Application Firewall (WAF) to protect against common attacks. Which Azure service should they use as the ingress controller?

61

A company plans to deploy a multi-tier application on Azure. The web tier requires SSL termination and health probes. The application tier must be isolated from the internet. The database tier requires high availability. They want to minimize administrative overhead and use Azure native services. Which architecture should they recommend?

62

A company deploys a web application on Azure VMs in an availability set. They need to expose the application to the internet with SSL termination and health probes. Additionally, they need to protect against DDoS attacks and common web vulnerabilities. Which Azure service should they use?

63

A company deploys a containerized microservices application on Azure Kubernetes Service (AKS). They need to expose the application to the internet with TLS termination and provide a single endpoint for multiple services. The solution must also include a Web Application Firewall (WAF). Which Azure service should they use as the ingress controller?

64

A company plans to deploy a web application on Azure VMs across multiple availability zones. They need to distribute incoming HTTP traffic across the VMs and provide health probes. Which Azure load balancing solution should they use?

65

A company has multiple on-premises sites and Azure VNets in different regions. They need to connect all networks with a single mesh topology, ensuring that any network can communicate with any other network directly. They also want to minimize administrative overhead. Which Azure service should they use?

66

A company deploys a web application on Azure VMs across availability zones. They need to distribute HTTPS traffic, offload SSL termination, and maintain session persistence. They do not require traffic inspection. Which Azure load balancing solution should they use?

67

A company deploys a stateless web application on Azure VMs in a single region. They need to distribute incoming HTTP traffic across multiple VMs and perform health checks. The solution should be highly available within the region. Which Azure load balancing solution should they use?

68

A company plans to migrate a legacy web application to Azure. The application runs on multiple Windows virtual machines (VMs) in an availability set. The VMs must be exposed to the internet via a single endpoint that performs SSL termination and health checks. The load-balancing solution must preserve the original client IP address for logging purposes. Which Azure service should the company use?

69

A hub-and-spoke Azure network must centralize outbound inspection and still allow spokes to resolve private endpoint DNS names. Which two components are commonly required? (Choose 2.)

70

A company is designing a virtual network architecture for a three-tier application (web, application, database). They want network isolation between tiers and secure access from the internet to the web tier only. Which Azure networking solution should they use?

71

A company needs to connect its on-premises data center to Azure for hybrid workloads. The connection must be private, dedicated, and provide guaranteed bandwidth. Which Azure service should they use?

72

A company is designing hub-and-spoke networking. Spoke VNets must use a central Azure Firewall for outbound internet traffic. Which two configurations are required?

73

An on-premises datacenter must connect privately to Azure with predictable bandwidth and avoid traversal of the public internet. Which connectivity option should be recommended?

74

A company is designing private access to a PaaS database from workloads in a VNet. The database should not be reachable over its public endpoint. What should be recommended?

75

Drag and drop the steps to set up Azure Private Link for an Azure SQL Database into the correct order.

76

Drag and drop the steps to set up Azure Key Vault for storing secrets and access them from an Azure function into the correct order.

77

Match each Azure identity service to its description.

78

Match each Azure monitoring service to its function.

79

Your company plans to migrate an on-premises application to Azure. The application requires low-latency access to a shared file system that supports SMB protocol. Which Azure storage solution should you recommend?

80

You are designing a disaster recovery solution for a critical application hosted in Azure VMs. The primary region is East US. The application requires a recovery time objective (RTO) of 30 minutes and a recovery point objective (RPO) of 15 minutes. Which Azure service should you use to replicate the VMs?

81

You are designing a hybrid identity solution for a company with 5,000 on-premises users. The company wants to use Microsoft Entra ID for single sign-on and self-service password reset. They also need to synchronize user passwords to the cloud. Which feature should you enable to ensure password changes on-premises are immediately propagated to Microsoft Entra ID?

82

You are designing a network topology for a multi-tier application in Azure. The application has a web tier, an API tier, and a database tier. You need to ensure that the web tier can communicate with the API tier, and the API tier can communicate with the database tier, but the web tier cannot directly access the database tier. Which Azure networking solution should you implement?

83

Your company has an Azure subscription with multiple virtual networks (VNets) in different regions. You need to ensure that resources in all VNets can communicate with each other privately over the Microsoft backbone network. Which Azure solution should you implement?

84

You are designing a storage strategy for a data analytics solution that processes large volumes of streaming data. The data must be stored in a cost-effective manner with low latency for hot data and infrequent access for cold data after 30 days. The solution must support both batch and interactive queries. Which combination of Azure storage services should you recommend?

85

Your company is deploying a web application on Azure App Service. The application must be able to read secrets from Azure Key Vault without storing credentials in application code. Which feature should you enable?

86

You are designing a backup strategy for Azure VMs running critical business applications. The solution must support application-consistent backups and allow for restoration to a different region. Which Azure service and configuration should you use?

87

Your organization has a policy that all administrative access to Azure resources must be performed using just-in-time (JIT) access. Which Azure service allows you to enable JIT VM access?

88

You are designing a solution to monitor and analyze security events across your Azure environment. Which TWO Azure services should you include in your design to provide centralized logging and threat detection? (Choose two.)

89

Your company plans to migrate a large number of on-premises virtual machines to Azure. You need to assess the current environment and migrate the workloads with minimal downtime. Which THREE Azure services or tools should you use? (Choose three.)

90

You are designing a highly available architecture for a web application that runs on Azure VMs. The solution must distribute incoming traffic across multiple VMs in an availability set. Which TWO Azure components should you include? (Choose two.)

91

You are an Azure administrator. You attempt to create a new virtual machine with size Standard_DS2_v2 in a subscription where the above Azure Policy is assigned. What will happen?

92

You execute the above PowerShell script to create a Windows VM in Azure. After the script completes, you try to RDP to the public IP address but the connection fails. What is the most likely reason?

93

You run the above KQL query in Azure Monitor Logs. What does the query return?

94

A company is designing a multi-region disaster recovery solution for Azure VMs. They need to ensure that if the primary region fails, VMs can be failed over to a secondary region with minimal data loss. The application writes data to Azure SQL Database and Azure Files. Which Azure service should they use to meet the recovery point objective (RPO) of 5 seconds for the SQL Database?

95

A company is migrating on-premises applications to Azure. They require that all traffic between Azure resources and on-premises resources traverse a private connection. They also want to reduce the attack surface by eliminating exposure of management endpoints over the internet. Which solution should they implement?

96

A company has multiple Azure subscriptions and wants to enforce consistent network policies across all VNets. They need to ensure that all traffic going out to the internet is inspected by a central firewall. The solution must be scalable and support multiple regions. What should they implement?

97

A company is designing a solution for storing sensitive documents in Azure Blob Storage. They require that all data be encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. Additionally, they want to prevent any accidental deletion of the key vault and its keys. Which combination of actions should they take?

98

A company needs to implement a hybrid identity solution that allows users to access both on-premises applications and Microsoft 365 using a single identity. The company has on-premises Active Directory Domain Services (AD DS). They want to synchronize identities to the cloud while also enabling password writeback for self-service password reset. Which Azure service should they use?

99

A company is planning to migrate a legacy application to Azure VMs. The application requires a static IP address for licensing purposes. The VM must be highly available within a single region. Which combination of Azure resources should they use?

100

A company is designing a containerized application on Azure Kubernetes Service (AKS). They need to ensure that the control plane is managed by Microsoft and that the worker nodes are isolated to a single tenant. They also require that the worker nodes be automatically patched for security updates. Which AKS node pool type should they use?

101

A company is using Azure SQL Database for a critical application. They need to ensure that the database is automatically backed up and that backups are retained for 35 days. What should they configure?

102

A company is deploying a web application on Azure App Service. The application must authenticate users with their Microsoft Entra ID credentials. The development team wants to use the Microsoft Authentication Library (MSAL) for authentication. Which App Service authentication feature should they use to simplify integration?

103

A company is designing a backup strategy for Azure resources. They have the following resources: Azure VMs, Azure SQL Database, and Azure Files shares. They need to meet the following requirements:
1) Backup of VMs must be application-consistent.
2) SQL Database backups must be retained for 10 years.
3) Azure Files backups must support soft delete.
Which THREE services or features should they use?

104

A company is designing a network architecture for a three-tier application hosted on Azure VMs. The web tier must be accessible from the internet, while the application and database tiers must not have direct internet access. They also need to encrypt traffic between tiers. Which TWO solutions should they implement?

105

A company is planning to migrate on-premises SQL Server databases to Azure. They want to minimize administrative overhead and ensure high availability with automatic failover. Which TWO Azure SQL deployment options should they consider?

106

A company is designing a hybrid network solution connecting an on-premises data center to Azure. They require high availability with active-active routing and need to support up to 10 Gbps throughput. Which Azure service should they include in the design?

107

A multinational corporation needs to design a global DNS solution for Azure resources. They require automatic failover across Azure regions and low-latency responses based on the client's geographic location. The solution must also support custom domains without exposing the underlying Azure public IP addresses. Which combination of Azure services should they use?

108

A company is migrating a legacy application to Azure VMs. The application requires a static IP address that does not change if the VM is stopped and started. Which type of IP address should they assign to the VM?

109

A company is designing a disaster recovery solution for Azure VMs running a critical application. They need a Recovery Time Objective (RTO) of less than 1 hour and a Recovery Point Objective (RPO) of 15 minutes. The solution should be cost-effective and allow testing without affecting production. Which Azure service should they use?

110

An organization is designing a storage solution for Azure VMs running a database that requires low latency and high IOPS. The data is critical and must be durable with automatic replication across multiple datacenters in the same region. Which Azure managed disk type and redundancy option should they choose?

111

A company needs to provide secure access to Azure resources for remote employees. They want to enforce multi-factor authentication and conditional access policies. The solution should not require a VPN connection. Which Azure service should they implement?

112

A company is designing an Azure Kubernetes Service (AKS) cluster for a microservices application. They need to ensure that pods can securely access Azure resources such as Azure Key Vault and Azure SQL Database without using service principals or connection strings. Which AKS feature should they enable?

113

A financial services company must store sensitive customer data in Azure Blob Storage. The data must be encrypted at rest using a customer-managed key stored in a hardware security module (HSM). The key must be automatically rotated every 90 days. Which combination of Azure services and features should they use?

114

A company is deploying a web application that must scale out automatically based on CPU usage. The application runs on Azure App Service. Which Azure feature should they configure?

115

Which TWO Azure services can be used to provide a fully managed DNS solution that supports custom domains and DNSSEC?

116

Which THREE considerations are important when designing a highly available Azure SQL Database solution?

117

Which TWO Azure networking services provide DDoS protection at the application layer (Layer 7)?

118

Your company plans to migrate on-premises SQL Server databases to Azure. The databases require high availability with automatic failover to a secondary region in the event of a regional outage. The solution must minimize data loss and support read-only queries on the secondary replica. Which Azure service should you use?

119

You are designing a networking solution for a multi-tier application in Azure. The front-end web tier must be accessible from the internet, while the back-end database tier must only be accessible from the web tier. You need to minimize management overhead and ensure that the back-end tier is not directly reachable from the internet. What should you use?

120

Your organization has a large number of virtual machines running in Azure. You need to centrally manage backup policies, monitor backup jobs, and ensure compliance with retention requirements. Which Azure service should you use?

121

You are designing an identity solution for a multinational corporation that uses Microsoft Entra ID. The company has a complex organizational structure with multiple subsidiaries. You need to ensure that users from one subsidiary cannot access resources in another subsidiary unless explicitly granted. The solution must minimize administrative overhead. What should you use?

122

You are designing a storage solution for a healthcare application that stores patient records. The solution must meet the following requirements:
- Support for both structured and unstructured data.
- Provide low-latency access to frequently accessed data.
- Automatically move cold data to a lower-cost tier.
- Encrypt data at rest using customer-managed keys.
Which combination of Azure services should you recommend?

123

Your company has a hybrid identity environment with Microsoft Entra ID and an on-premises Active Directory. You need to enable single sign-on (SSO) for users accessing Microsoft 365 applications from domain-joined devices. Which authentication method should you configure?

124

You are designing a containerized microservices application on Azure Kubernetes Service (AKS). The application must scale automatically based on HTTP traffic. You need to minimize cost by scaling down to zero pods when there is no traffic. Which scaling solution should you use?

125

Your company has a large number of IoT devices sending telemetry to Azure IoT Hub. The data must be processed in near real-time to detect anomalies and trigger alerts. Additionally, the processed data must be stored in a time-series database for historical analysis. Which combination of Azure services should you recommend?

126

You need to design a solution to store configuration data for a cloud-native application. The configuration must be centrally managed, versioned, and accessible to multiple services without hard-coding values. Which Azure service should you use?

127

Your company plans to migrate a legacy on-premises application to Azure. The application has a monolithic architecture and requires low-latency access to a shared file system. You need to choose a migration strategy that minimizes changes to the application code. Which TWO options should you recommend? (Choose two.)

128

You are designing a disaster recovery (DR) solution for a critical application hosted on Azure VMs. The solution must meet the following requirements:
- Recovery Point Objective (RPO) of 15 minutes.
- Recovery Time Objective (RTO) of 1 hour.
- Automatically fail over to a secondary region in the event of a regional outage.
- Support for non-disruptive DR testing.
Which THREE components should you include in the solution? (Choose three.)

129

Your company is designing a new application that will run on Azure VMs. The application must be highly available across two Azure regions. You need to ensure that the application can automatically fail over if a regional outage occurs. Which THREE components should you include in the architecture? (Choose three.)

130

Your company has a critical application running on Azure Virtual Machines that processes financial transactions. You need to ensure that the application remains available during an Azure region failure. The application is stateless and can scale horizontally. What is the most cost-effective design to meet the availability requirement?

131

You are designing a storage solution for a new application that will store large binary files (up to 5 TB each) and require high throughput for sequential reads. The data is accessed infrequently but must be retained for 7 years for compliance. Which Azure storage solution should you recommend?

132

Your organization is migrating a legacy on-premises application to Azure. The application uses a proprietary authentication protocol that is not supported by Microsoft Entra ID. You need to integrate the application with Microsoft Entra ID without modifying the application code. What should you do?

133

You need to design a networking solution for a multi-tier application that includes a web front-end, an API layer, and a database. The web and API tiers must be accessible from the internet, while the database tier must be isolated. What is the most secure and efficient design?

134

Your company is deploying a new application that uses Azure Cosmos DB for globally distributed low-latency reads and writes. The application must be highly available with a recovery point objective (RPO) of less than 5 seconds and recovery time objective (RTO) of less than 1 second in case of a regional outage. Which Cosmos DB configuration should you recommend?

135

You are designing a backup and disaster recovery strategy for an Azure SQL Database instance that runs a critical business application. The database is 500 GB and experiences high transaction rates. The recovery point objective (RPO) is 1 minute and recovery time objective (RTO) is 1 hour. What should you recommend?

136

Your organization has a hybrid identity environment with Microsoft Entra ID (formerly Azure AD) and on-premises Active Directory. You need to design a solution that allows users to access cloud applications using their on-premises credentials, and also enables single sign-on (SSO) for legacy on-premises applications that do not support modern authentication protocols. What should you recommend?

137

You need to design a monitoring solution for a set of Azure virtual machines running a business-critical application. The solution must provide centralized log management, enable real-time analysis of security events, and support custom alerts for anomalous behavior. Which Azure service should you use?

138

Your company is planning to migrate a large number of on-premises servers to Azure. The migration must be completed within 3 months. You need to assess the current on-premises environment and recommend the most appropriate Azure VM sizes and costs. What should you do?

139

You are reviewing a network security group (NSG) rule for a subnet that hosts web servers. The subnet's address space is 10.0.1.0/24. What is the effect of this rule?

140

You are an Azure administrator. The above Azure Policy definition is assigned to a subscription. A developer tries to deploy a Virtual Machine with SKU Standard_DS2_v2. What will happen?

141

You executed the above Azure CLI commands. The remote VNet (yourVNet) has address space 10.1.0.0/16. What is the result?

142

You are designing a highly available architecture for a stateful application running on Azure Virtual Machines. The application requires a shared storage solution that supports concurrent read/write access from multiple VMs, and must be resilient to zone failures. Which TWO Azure solutions meet these requirements? (Choose TWO.)

143

Your organization is designing a data platform for real-time analytics on streaming data from IoT devices. The solution must ingest millions of events per second, process the data with low latency, and store results in a format optimized for analytical queries. Which THREE Azure services should you include in the design? (Choose THREE.)

144

You need to design a solution to securely connect an on-premises data center to Azure for hybrid workloads. The connection must be private, use the internet for transport, and provide high availability. Which TWO Azure services should you consider? (Choose TWO.)

145

A multinational company plans to deploy a new application on Azure. The application must comply with GDPR and requires data residency in the EU. The solution should minimize latency for users in Europe and provide disaster recovery across regions. Which Azure architecture should the company implement?

146

You need to design a virtual network architecture for a three-tier application in Azure. The web tier must be accessible from the internet, the application tier must only be accessible from the web tier, and the database tier must only be accessible from the application tier. Which combination of Azure services should you use?

147

A company runs a critical application on Azure VMs in a single region. They need to improve availability to meet an SLA of 99.99% while minimizing costs. The application is stateless and can run on multiple VMs. Which solution should you recommend?

148

Your company has an Azure subscription with multiple virtual networks connected via VNet peering. You need to design a solution to allow VMs in different peered VNets to resolve each other's private IP addresses using custom DNS suffixes. The solution must minimize administrative overhead. What should you implement?

149

A company plans to migrate on-premises SQL Server databases to Azure. They need to minimize changes to existing applications and want to use the latest features of SQL Server. Which Azure data service should they use?

150

Your company has a hybrid identity environment using Microsoft Entra ID (formerly Azure AD) and on-premises Active Directory. You need to design a solution that allows users to authenticate to Azure services using their on-premises credentials and enforce conditional access policies for sensitive applications. The solution must support multi-factor authentication (MFA) using the Microsoft Authenticator app. Which components should you include?

151

You are designing a storage solution for a media company that needs to store large video files (up to 50 GB each) and serve them to a global audience with low latency. The solution must be cost-effective and support resumable uploads. Which Azure storage solution should you recommend?

152

A company wants to implement a backup strategy for their Azure virtual machines. They need to retain backups for 7 years for compliance and ensure backups are encrypted at rest. Which solution should you recommend?

153

You need to design a network topology for a global e-commerce platform on Azure. The solution must provide low-latency access to static content and protect the backend APIs from DDoS attacks. The backend APIs are deployed in multiple regions behind an internal load balancer. Which services should you use?

154

Which TWO services should you use to design a highly available and scalable web application on Azure that runs on Linux containers and requires automatic scaling based on HTTP traffic? (Choose two.)

155

Which THREE components are required to implement a hybrid cloud solution that extends on-premises Active Directory to Azure and provides single sign-on (SSO) to cloud applications? (Choose three.)

156

Which TWO Azure services can be used to implement a serverless event-driven architecture that processes messages from a queue and stores results in a database? (Choose two.)

157

You are designing a solution to securely store secrets, keys, and certificates for a cloud application. Which Azure service should you use?

158

Your company has a global application deployed across multiple Azure regions. You need to design a disaster recovery solution that meets a Recovery Point Objective (RPO) of 15 minutes and a Recovery Time Objective (RTO) of 1 hour. The solution should use Azure-native services and minimize costs. Which option should you choose?

159

You are designing a network architecture for a three-tier application hosted in Azure. The front-end tier must be accessible from the internet, the business tier must only communicate with the front-end tier, and the data tier must only communicate with the business tier. You need to minimize exposure and use Azure-native services. Which combination of services should you use?

160

Your company is migrating on-premises virtual machines to Azure. You need to assess the current environment and get a cost estimate for Azure. Which tool should you use?

161

You are designing a solution to provide high availability for a critical application running on Azure Virtual Machines. The virtual machines must be placed on physically separate hardware and have guaranteed availability during Azure maintenance events. Which option meets these requirements?

162

Your organization has a hybrid identity solution using Microsoft Entra ID (formerly Azure AD) and on-premises Active Directory. You need to design a solution that allows users to use their on-premises credentials to authenticate to cloud applications, but you want to avoid synchronizing password hashes to the cloud. Which authentication method should you choose?

163

You need to design a storage solution for unstructured data that requires low latency (single-digit milliseconds) for frequently accessed files and must support NFS and SMB protocols. Which Azure storage solution should you recommend?

164

Your company is deploying a web application that experiences unpredictable traffic spikes. You need to ensure the application can handle sudden increases in load automatically without manual intervention and minimize costs during low traffic periods. Which Azure service should you use?

165

You are designing a governance strategy for multiple Azure subscriptions. You need to ensure that all resources in a specific subscription are deployed only in the West US region. Additionally, any new resource group must contain a tag named 'Environment' with a value of 'Production'. What combination of Azure Policy initiatives should you assign?

166

Which TWO of the following are valid design considerations for implementing Azure SQL Database geo-replication? (Choose two.)

167

Which THREE of the following are valid methods to secure access to Azure Storage accounts? (Choose three.)

168

Which TWO of the following are benefits of using Azure Policy? (Choose two.)

169

Refer to the exhibit. You are reviewing an ARM template that deploys a virtual network with two subnets. Subnet-b includes a delegation to Microsoft.Web/serverFarms. What is the purpose of this delegation?

170

Refer to the exhibit. You are reviewing the properties of an Azure Storage account. The encryption section shows keySource as Microsoft.Keyvault and infrastructureEncryption enabled. What does infrastructureEncryption mean in this context?

171

Refer to the exhibit. You have an Azure Storage account with the settings shown. A developer reports that they cannot access the storage account from their Azure VM that is connected to subnet-a. The VM's subnet ID matches the one in the rule. What is the most likely cause of the issue?

172

Your organization has a hybrid identity infrastructure with Microsoft Entra ID Connect Sync. You plan to enable Microsoft Entra ID Seamless Single Sign-On (Seamless SSO) for domain-joined Windows devices. What is the minimum requirement for the on-premises Active Directory forest functional level?

173

You are designing a disaster recovery strategy for an Azure virtual machine running a SQL Server Always On availability group. The primary region is East US, and the secondary region is West US. You need to ensure minimal data loss and automatic failover. Which Azure service should you use for cross-region replication of the managed disks?

174

Your company deploys a line-of-business application on Azure App Service. The application requires custom domain names and SSL/TLS certificates. You need to ensure that the application can be accessed via a custom domain with HTTPS. What should you configure in the App Service?

175

You are designing a solution to store sensitive documents in Azure Blob Storage. The data must be encrypted at rest and access must be audited. You need to ensure that the encryption keys are managed by your organization and that access to the keys is logged. Which combination of Azure services should you use?

176

You are designing a microservices architecture on Azure Kubernetes Service (AKS). The solution must handle traffic spikes by automatically scaling pods based on CPU utilization. Additionally, you need to minimize cost by scaling down nodes when not in use. Which two features should you implement? (Choose two.)

177

Your organization uses Microsoft Purview to govern data assets across Azure SQL Database, Azure Data Lake Storage, and on-premises SQL Server. You need to ensure that sensitive data such as credit card numbers are automatically detected and classified. What should you configure in Microsoft Purview?

178

You need to design a solution to store log data from multiple Azure services. The data must be retained for 7 years for compliance purposes and should be queryable for analysis. Which Azure service should you use as the primary storage for these logs?

179

You are designing a network architecture for a multi-tier application. The front-end tier is an Azure Application Gateway that routes traffic to a web app on Azure App Service. The back-end tier is an Azure SQL Database. You need to ensure that all traffic between the Application Gateway and the web app remains within the Azure backbone network, and that the web app can only be accessed through the Application Gateway. What should you configure?

180

Your company plans to migrate on-premises file servers to Azure. The solution must support SMB protocol and integrate with Microsoft Entra ID for authentication. You need to choose a service that provides fully managed file shares accessible from multiple Azure regions. Which Azure service should you use?

181

You are designing a backup strategy for Azure virtual machines. The solution must support application-consistent backups for SQL Server databases running on the VMs. You need to ensure that backups are taken every 4 hours and retained for 30 days. What should you configure in Azure Backup?

182

You are designing a solution to grant external partners access to specific Azure resources. The partners must authenticate using their own corporate credentials. You need to manage their access centrally. Which Microsoft Entra ID feature should you use?

183

Your organization is deploying a critical application on Azure virtual machines. You need to ensure that the VMs are distributed across multiple fault domains and update domains within an availability set. You create an availability set with 3 fault domains and 5 update domains. How many VMs can you add to this availability set to maximize fault tolerance?

184

Your company is designing a multi-region disaster recovery solution for a mission-critical application using Azure SQL Database. The application requires read-scale in the secondary region and must support automatic failover with no data loss. Which Azure SQL Database offering should you recommend?

185

A company is planning to migrate its on-premises Active Directory to Microsoft Entra ID. They have a complex on-premises infrastructure with multiple forests and over 50,000 users. They need to synchronize identities and enable single sign-on (SSO) for Office 365. What should you recommend?

186

Your organization is designing a solution to capture and analyze IoT data from millions of devices. The solution must ingest data at high velocity, store the data for long-term analytics, and provide real-time dashboards. Which combination of Azure services should you recommend?

187

Your company is designing a hybrid network architecture to connect an on-premises data center to Azure. The requirements include: high availability, low latency, and cost optimization. Which TWO options should you recommend?

188

A multinational corporation is designing a backup and disaster recovery strategy for Azure IaaS VMs. The solution must support cross-region failover, meet a recovery point objective (RPO) of 15 minutes, and a recovery time objective (RTO) of 1 hour. Which THREE options should you include in the design?

189

Your organization is implementing a security strategy for Azure resources. You need to enforce consistent security policies across all subscriptions and ensure compliance with regulatory standards. Which TWO services should you use?

190

Refer to the exhibit. You are an Azure administrator. You assign this policy definition to a subscription. A developer attempts to deploy a virtual machine with SKU Standard_DS1_v2. What is the outcome?

191

Refer to the exhibit. You deploy this ARM template to a resource group in the East US region. You specify the parameter storageAccountType as 'Standard_GRS'. Which of the following is true about the deployed storage account?

192

Refer to the exhibit. You are analyzing Azure VM performance using Azure Monitor Logs. You run the KQL query shown. What is the purpose of the 'take 10' operator?

193

Your company is migrating a legacy application to Azure. The application uses a proprietary database that requires file-level access to data files. You need to minimize changes to the application. Which Azure storage solution should you recommend?

194

A company is designing a solution for a global e-commerce platform that requires low-latency access to product catalog data from multiple regions. The data is read-heavy with occasional updates. The solution must support automatic scaling and provide high availability. Which Azure service should you recommend?

195

Your organization needs to provide temporary, limited-privilege access to Azure resources for external auditors. The access must be time-bound and require approval from a manager. Which Azure feature should you use?

196

A company is designing a data warehouse solution in Azure. The solution must support petabyte-scale data, high-performance queries, and integration with Power BI. The data includes both structured and semi-structured data. Which THREE services should you recommend?

197

Your company is deploying a critical application on Azure VMs. The application requires a static private IP address that does not change even if the VM is stopped and deallocated. The VM must be placed in an availability zone for high availability. Which networking approach should you use?

198

Your organization is building a serverless application that processes events from Azure Event Hubs and stores results in Azure Cosmos DB. The processing logic must be scalable and cost-effective, with no idle costs. Which compute service should you use?

199

You are designing a disaster recovery solution for an Azure IaaS workload. The application runs on Azure VMs in a single region and requires a Recovery Point Objective (RPO) of 15 minutes and a Recovery Time Objective (RTO) of 4 hours. Which of the following is the most cost-effective approach to meet these requirements?

200

You are designing a landing zone in Azure for a regulated financial services company. They require that all storage accounts be restricted to specific virtual networks and have encryption using customer-managed keys (CMK). Additionally, they want to ensure that any storage account creation outside of the approved network boundaries is prevented. Which combination of Azure Policy and Network Security controls should you recommend?

201

A company plans to migrate an on-premises application with strict low-latency requirements to Azure. The application must communicate with an Azure SQL Database. Which of the following is the best design to minimize latency?

202

You are designing a compute solution for a batch processing workload that runs once per day for about 30 minutes. The workload is CPU-intensive and can be parallelized. The team wants to minimize cost while ensuring the job completes within 2 hours. Which of the following is the most cost-effective solution?

203

You are designing a connectivity solution for a hybrid network. The company has an on-premises network connected to an Azure virtual network via ExpressRoute. They also have a site-to-site VPN to the same Azure virtual network as a backup. When the ExpressRoute connection fails, traffic should automatically fail over to the VPN. How should you configure the routes to ensure automatic failover?

204

You need to design a storage solution for an application that stores large amounts of unstructured data that is accessed frequently for the first 30 days, then rarely after that. Compliance requirements mandate that data be retained for 7 years. Which of the following is the most cost-effective storage solution?

205

You are designing an authentication solution for a mobile application that uses Azure AD B2C (now Microsoft Entra External ID). The application needs to support social logins (Google, Facebook) and also allow users to sign in with their corporate Microsoft Entra ID accounts. Which of the following identity providers should you configure?

206

You are designing a logging and monitoring solution for a multi-region application. The application is deployed in three Azure regions. Security requirements mandate that all authentication and authorization logs be retained for 7 years. Logs must be queryable centrally from a single location. What is the most cost-effective way to meet these requirements?

207

You are designing a high-availability solution for a stateless web application running on Azure VMs. The solution must provide automatic failover to another region in the event of a regional outage. Which Azure service should you use to distribute traffic across regions?

208

Which TWO of the following are valid considerations when designing a SQL Server Always On availability group in Azure VMs? (Choose two.)

209

Which THREE of the following are best practices for securing an Azure Kubernetes Service (AKS) cluster? (Choose three.)

210

Which TWO of the following are valid data storage solutions for an Azure-based microservices architecture that requires high throughput and low latency? (Choose two.)

211

Your company is migrating a legacy on-premises application to Azure. The application requires low-latency access to a shared file system that supports SMB protocol. The solution must be highly available within a single Azure region and must not require the application to be modified. Which Azure service should you recommend?

212

A multinational corporation is designing a hub-spoke network topology in Azure to connect multiple on-premises sites and Azure regions. The hub contains Azure Firewall and Azure Bastion. Spokes are in different regions and need to communicate with each other through the hub. The solution must minimize latency and cost. What should you configure?

213

You are designing a disaster recovery solution for a critical application running in Azure. The application uses Azure SQL Database. The recovery point objective (RPO) is 5 seconds, and the recovery time objective (RTO) is 30 minutes. Which Azure SQL Database configuration should you recommend?

214

A company is designing a solution to store and analyze petabytes of IoT sensor data. The data is written once, rarely accessed, and must be retained for 10 years for compliance. The data must be queryable using SQL. Which combination of Azure services would be MOST cost-effective?

215

Your company has a web application deployed on Azure App Service that experiences periodic traffic spikes. You need to ensure the application scales out quickly without manual intervention. The solution must minimize cost during low-traffic periods. What should you configure?

216

Refer to the exhibit. The JSON shows role assignments for user1. The role definition IDs are: b24988ac-6180-42a0-ab88-20f7382dd24c = Key Vault Secrets User, 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 = Reader. User1 reports being unable to list secrets in the key vault 'vault-prod' using Azure CLI. What is the most likely cause?

217

You are designing a solution to securely store and manage secrets for multiple applications deployed in Azure. The solution must support automated rotation of secrets and provide audit logging. Which Azure service should you use?

218

A healthcare organization needs to store patient health records in Azure. The data must be encrypted at rest and in transit. The organization requires a customer-managed key (CMK) with automatic key rotation every 90 days. The solution must support Azure SQL Database and Azure Blob Storage. Which key management solution should you recommend?

219

Your company has Azure virtual machines running a critical application. You need to back up these VMs daily and retain backups for 7 years. The solution must be cost-effective and support application-consistent backups. What should you use?

220

You are designing a solution to monitor a hybrid environment consisting of Azure VMs and on-premises servers. The solution must provide centralized log analytics, security threat detection, and the ability to run custom queries across all logs. Which TWO Azure services should you include? (Choose two.)

221

A global e-commerce company is designing a highly available application on Azure. The application uses Azure SQL Database and requires that in the event of a regional outage, failover to a secondary region occurs automatically without manual intervention. The solution must minimize data loss. Which THREE components should be included? (Choose three.)

222

You are designing a network architecture for a three-tier application in Azure. The web tier must be accessible from the internet. The application tier must only accept traffic from the web tier. The database tier must only accept traffic from the application tier. Which TWO Azure services should you use to enforce these network rules? (Choose two.)

223

Refer to the exhibit. The ARM template provisions a VM. The deployment succeeds but the VM fails to start. What is the most likely cause?

224

Refer to the exhibit. A custom role is created. A user assigned this role reports being unable to view the VM's boot diagnostics in the Azure portal. What is the most likely reason?

225

You are a solutions architect for a financial services company. The company is deploying a new critical application on Azure that processes sensitive customer transactions. The application consists of an ASP.NET Core web app (Azure App Service), a REST API (Azure Kubernetes Service), and an Azure SQL Database. The requirements are:
- All data at rest must be encrypted using customer-managed keys (CMK) stored in a managed HSM.
- All network traffic between components must be encrypted and traverse the Microsoft backbone network.
- The web app must be protected against common web attacks (SQL injection, XSS).
- The solution must automatically scale the API based on CPU utilization.
- All API calls must be authenticated using OAuth 2.0 with Microsoft Entra ID.
- Logs from all components must be sent to a central Log Analytics workspace for analysis.
- The solution must have a recovery time objective (RTO) of 1 hour and recovery point objective (RPO) of 5 minutes for the database.
Which combination of Azure services should you recommend to meet ALL requirements?

226

A company is designing a multi-region disaster recovery solution for a mission-critical application hosted on Azure VMs. The application requires synchronous replication of storage and automatic failover with no data loss. The recovery time objective (RTO) is 15 minutes, and the recovery point objective (RPO) is 0. Which Azure service should the company use?

227

A healthcare organization is migrating a regulatory-compliant application to Azure. The application must be isolated from the internet and accessible only from on-premises networks via a private IP address. The solution must minimize latency and maximize throughput for large data transfers. Which Azure networking solution should the organization implement?

228

A company plans to deploy a web application on Azure App Service that will be accessed by users worldwide. The application must have a single endpoint and use Azure Web Application Firewall (WAF) policies. Which Azure service should be placed in front of the App Service to meet these requirements?

229

A company is designing a hybrid identity solution that allows users to access both on-premises applications and Microsoft 365 using a single identity. The solution must support legacy authentication protocols for on-premises apps and modern authentication for cloud apps. Which Azure service should the company use?

230

A financial services company is designing a data platform on Azure that must comply with strict regulatory requirements. The platform will store sensitive customer data in Azure SQL Database. The company needs to prevent data exfiltration and ensure that only authorized Microsoft Entra ID users can access the data. The solution must also encrypt data at rest and in transit. Which combination of Azure services should the company implement?

231

A company is deploying a new application on Azure Kubernetes Service (AKS). The application requires persistent storage that can be dynamically provisioned and accessed by multiple pods simultaneously. Which Azure storage solution should the company use?

232

A company is designing a backup strategy for a critical Azure SQL Database. The database is used in a production environment and the company requires the ability to restore to any point within the last 35 days with a maximum granularity of 5 minutes. Which backup configuration should the company choose?

233

A multinational organization is designing a Microsoft 365 deployment for 10,000 users. The organization requires that all users have a consistent experience and that desktop settings follow users across devices. The solution must also support offline access to files and automatic sync. Which Microsoft 365 service should the organization use?

234

A company is designing a serverless architecture for a real-time data processing pipeline. The pipeline ingests data from IoT devices, processes the data using Azure Functions, and stores the results in Azure Cosmos DB. The solution must scale automatically and minimize cold starts. Which Azure service should the company use to trigger the Azure Functions?

235

Refer to the exhibit. You are analyzing a deployment of an Azure Storage account with customer-managed key encryption. The deployment fails with an error indicating that the key vault is not accessible. Which of the following is the most likely cause?

236

A company is designing a highly available architecture for a web application on Azure VMs. The solution must protect against both planned and unplanned downtime and provide automatic failover. Which TWO Azure services should the company use together? (Choose two.)

237

A company is designing a backup and disaster recovery solution for an on-premises SQL Server database that will be migrated to Azure. The solution must meet the following requirements: 1) Point-in-time restore up to 30 days. 2) Cross-region restore in case of a regional disaster. 3) Long-term retention of backups for 7 years for compliance. Which THREE Azure services or features should the company use? (Choose three.)

238

A company is designing an identity and access management solution for a multi-cloud environment that includes Azure, AWS, and SaaS applications. The company wants to provide single sign-on (SSO) and enforce conditional access policies across all cloud resources. The solution must support automated user provisioning and deprovisioning. Which THREE Azure services should the company use? (Choose three.)

239

A company is planning to migrate its on-premises data center to Azure. The company has 50 virtual machines (VMs) running Windows Server and Linux, along with several physical servers hosting legacy applications. The company wants to minimize administrative overhead and use Azure-native services as much as possible. The migration must be performed with minimal downtime and the company wants to assess the readiness of their on-premises environment. They also need to replicate data to Azure for disaster recovery. Which combination of Azure services should the company use to assess, migrate, and replicate?

240

A large enterprise is designing a data analytics platform in Azure that will ingest terabytes of data daily from multiple sources, including IoT devices, social media feeds, and internal databases. The data must be stored in a raw format for future processing, and then transformed and aggregated for reporting. The company requires low-latency querying for real-time dashboards and the ability to run complex batch analytics using Spark. The solution must also provide a unified data governance layer for cataloging and lineage tracking. Which combination of Azure services should the company choose to meet all these requirements with minimal operational overhead?

241

Your organization plans to migrate a legacy on-premises application that uses a proprietary authentication mechanism to Azure. The application must run as a virtual machine and must not require any code changes. You need to design an identity solution that integrates with the application without modifying it. What should you use?

242

A company uses Azure Firewall to secure outbound traffic from a hub virtual network. The security team reports that some traffic is bypassing the firewall because of asymmetric routing. You need to design a solution to force all outbound traffic through the firewall. What should you implement?

243

You are designing a backup strategy for Azure virtual machines that must support application-consistent backups and be capable of restoring to a different Azure region. Which solution should you use?

244

Your company has a hybrid network with multiple on-premises sites connected to Azure via ExpressRoute. You need to design a DNS resolution strategy that allows Azure resources to resolve on-premises hostnames and on-premises clients to resolve Azure hostnames. The solution must minimize administrative overhead. What should you use?

245

You are designing a solution for a critical application that requires low latency between multiple Azure regions. The application must handle failover automatically if a region becomes unavailable. You need to distribute traffic across regions and ensure that users are directed to the closest healthy endpoint. What should you implement?

246

You need to design a storage solution for a data lake that will store petabytes of structured and unstructured data. The data must be accessible from Azure Databricks and Azure Machine Learning. The solution must optimize costs by automatically moving data to cooler tiers when access frequency decreases. Which Azure storage solution should you use?

247

Your organization has a containerized application running on Azure Kubernetes Service (AKS). You need to design a solution to securely store and manage secrets (e.g., database passwords, API keys) that the application consumes. The solution must integrate with AKS and support automatic rotation of secrets. What should you use?

248

You are designing a disaster recovery solution for a multi-tier application. The application consists of a web tier, an application tier, and a database tier running SQL Server on Azure VMs. The RPO must be 5 seconds, and the RTO must be 15 minutes. You need to recommend a SQL Server availability solution that meets these requirements. What should you use?

249

You are designing a web application that will be hosted on Azure App Service. The application must authenticate users from your company's Microsoft Entra ID tenant. You need to implement authentication without writing any authentication code. What should you use?

250

Your company is designing a hybrid network architecture that connects multiple on-premises sites to Azure. You need to ensure high availability and redundancy for the connection. Which TWO solutions should you recommend? (Choose two.)

251

You are designing a governance and compliance solution for a large Azure environment with multiple subscriptions. The solution must enforce tagging policies, restrict resource types, and ensure compliance with regulatory standards. Which THREE Azure services or features should you use? (Choose three.)

252

Your organization is migrating a legacy application to Azure that requires Windows authentication and a fixed IP address. The application will run on an Azure VM. You need to design a networking solution that ensures the VM retains its IP address even after a reboot and that the application can be reached by on-premises users using its hostname. Which TWO actions should you take? (Choose two.)

253

Refer to the exhibit. You are assigned an Azure policy that restricts resource group locations to eastus, westus, and centralus. A user attempts to create a resource group in 'eastus2' and receives a denial. The user argues that there are existing resources in 'eastus2' and that the policy should allow it. What is the best course of action to allow the resource group creation while maintaining compliance?

254

Refer to the exhibit. You run the Azure Resource Graph query shown. A colleague asks why the query returns no results even though there are VMs in the subscription. The VMs use managed disks with Premium_LRS. What is the most likely reason for the empty result set?

255

Your company is designing a new cloud-native application on Azure that consists of multiple microservices running on Azure Kubernetes Service (AKS). The application must be accessible from the internet via a custom domain name (app.contoso.com) and must support SSL/TLS termination. You need to design a secure ingress solution that provides Web Application Firewall (WAF) capabilities, SSL offloading, and automatic scaling. The solution should also support path-based routing to different microservices (e.g., /api, /web). You have the following options:
Option A: Deploy an Azure Application Gateway v2 with WAF in front of the AKS cluster. Configure Application Gateway Ingress Controller (AGIC) to route traffic to the services.
Option B: Deploy an Azure Load Balancer with a public IP and install an NGINX ingress controller on AKS. Configure SSL termination on NGINX and use a third-party WAF.
Option C: Deploy an Azure Front Door with WAF policy in front of the AKS cluster. Use Azure Private Link to connect Front Door to the internal load balancer of AKS.
Option D: Deploy an Azure API Management instance with WAF and expose the microservices through API endpoints. Use Azure Application Gateway as a reverse proxy.
Which option best meets the requirements for a high-performance, integrated, and managed solution with minimal operational overhead?

256

Your company has a multi-region Azure deployment with virtual networks in East US and West Europe connected via a hub-and-spoke topology. You need to ensure that all traffic between the spokes is routed through a centralized firewall in the hub. The hub uses Azure Firewall. Currently, spoke-to-spoke traffic is not being inspected. What should you configure?

257

Your organization is migrating an on-premises application to Azure. The application consists of a load-balanced web tier and a backend SQL Server database. The web tier requires session persistence (sticky sessions) and SSL offload. You need to design a solution that meets these requirements with minimal operational overhead. Which Azure service should you use for the web tier load balancing?

258

You are designing a disaster recovery strategy for an Azure virtual machine running a critical application. The VM is in the East US region. Your recovery point objective (RPO) is 15 minutes, and your recovery time objective (RTO) is 1 hour. Which Azure service should you use to replicate the VM to the West US region?

259

Refer to the exhibit. You are reviewing an Azure Policy definition that your team plans to assign. The policy is intended to deny the deployment of virtual networks and virtual machines if they do not have an NSG attached with a rule whose name contains 'Allow'. However, the policy is not working as expected. What is the most likely reason?

260

Your company has an Azure subscription that contains a hub virtual network and multiple spoke virtual networks connected via VNet peering. You need to ensure that all traffic between spokes is routed through a network virtual appliance (NVA) in the hub. The NVA is configured with IP forwarding enabled. What should you configure in the spoke virtual networks?

261

You need to design a storage solution for a new application that requires low-latency access to frequently accessed data and also needs to archive data that is older than 90 days to the most cost-effective storage tier. Which Azure storage account type and tier configuration should you recommend?

262

Your company is designing a hybrid identity solution that will allow users to authenticate to Azure resources using their on-premises Active Directory credentials. The solution must support multi-factor authentication (MFA) and conditional access policies. Which TWO components should you include?

263

You are designing a network architecture for a critical application that spans multiple Azure regions. The application requires low-latency communication between regions and must maintain connectivity even if an entire region fails. You need to recommend a solution that provides cross-region connectivity with automatic failover. Which TWO options meet the requirements?

264

You are designing a backup and disaster recovery strategy for a SQL Server database hosted on an Azure virtual machine. The database is critical and has a recovery point objective (RPO) of 15 minutes and a recovery time objective (RTO) of 4 hours. Which THREE services should you include in the solution?

265

Your organization needs to ensure that all Azure resources are compliant with corporate security policies. You need to design a solution that can enforce policies at scale, audit compliance, and automatically remediate non-compliant resources. Which THREE Azure services should you include?

266

Your company, Contoso Ltd., operates a global e-commerce platform hosted on Azure. The architecture consists of: (1) A web front-end running on Azure App Service in multiple regions (East US, West Europe, Southeast Asia). (2) A microservices backend running on Azure Kubernetes Service (AKS) in East US. (3) A SQL Database in East US with geo-replication to West Europe and Southeast Asia for read scaling. (4) Azure Redis Cache for session state. (5) Azure Front Door for global load balancing. The platform experiences periodic traffic spikes, and during a recent spike, users reported slow page loads and intermittent errors. The operations team observed that the SQL Database in East US reached 100% DTU consumption, causing timeouts. The geo-replicated databases in other regions were underutilized. The application logic is read-heavy but also writes to a separate write-only table. You need to design a solution to improve scalability and reduce database load. The solution must: minimize latency for users, ensure write consistency, and handle traffic spikes without over-provisioning. What should you do?

267

Your organization is migrating a legacy on-premises application to Azure. The application uses a monolithic architecture and requires high availability. The application tier runs on Windows Server and uses a SQL Server database. You need to design a migration strategy that minimizes changes to the application code while maximizing availability. The application can be stateless if session state is externalized. You have the following requirements: (1) The application must be resilient to Azure region failures. (2) The database must have an RPO of 5 minutes and RTO of 1 hour. (3) The migration must be completed within 6 months. (4) The solution should use platform-as-a-service (PaaS) services where possible to reduce operational overhead. Which approach should you recommend?

268

Your company is designing a new application that will process large volumes of streaming data from IoT devices. The data will be ingested, processed in near real-time, and stored for long-term analytics. You need to design a solution that meets the following requirements: (1) Ingest up to 1 million events per second. (2) Process events with a latency of less than 10 seconds. (3) Store processed data for 7 years for compliance. (4) Enable ad-hoc querying of the stored data. Which combination of Azure services should you recommend?

269

Your company is expanding its Azure presence to a new region in Asia. You need to design a network connectivity solution between the on-premises data center in New York and the new Azure region in Singapore. The solution must provide high bandwidth, low latency, and high availability. The company already has an ExpressRoute circuit to the East US region. You want to use that circuit to extend connectivity to Singapore if possible. The budget allows for additional ExpressRoute circuits if needed. What should you recommend?

270

Your organization is designing a secure microservices architecture using Azure Kubernetes Service (AKS). The application must be compliant with PCI DSS, which requires strict network segmentation and encryption of data at rest and in transit. You need to design a solution that meets these requirements while minimizing operational overhead. The AKS cluster will be deployed in a virtual network. The application consists of multiple microservices that need to communicate with each other and with an Azure SQL Database. Some microservices are public-facing. Which design should you recommend?

271

Your company is migrating a critical application to Azure and needs to design a highly available and disaster recovery solution. The application runs on Azure VMs with SQL Server Always On Availability Groups. You need to ensure that the database remains available even during a regional outage. Which TWO options should you include in the design? (Choose two.)

272

A multinational corporation is designing a hybrid identity solution using Microsoft Entra ID. The company has multiple on-premises Active Directory forests with complex trust relationships. They require that users can authenticate to both cloud and on-premises resources using the same credentials, and they want to minimize changes to the existing infrastructure. Which THREE components should be part of the solution? (Choose three.)

273

A company is designing a storage solution for a new application that will store large amounts of unstructured data, such as images and videos. The data must be highly durable and available, and the solution should minimize costs for infrequently accessed data. Which TWO storage options should be recommended? (Choose two.)

274

You are designing a network topology for a global e-commerce company that operates multiple web applications. The company has three main offices (New York, London, Tokyo) connected via ExpressRoute to Azure. Users access the applications through a public endpoint. The company requires that traffic be routed to the nearest healthy application instance based on geographic location, and that the solution provide automatic failover if an entire region goes down. Additionally, the company wants to protect against DDoS attacks at the network layer. You need to recommend a solution that meets these requirements while minimizing cost. What should you include in the design?

275

A healthcare organization is migrating its on-premises applications to Azure. The applications use custom authentication and authorization logic and require low latency between application tiers. The organization needs to ensure that the applications can scale out dynamically based on user demand, and that costs are minimized by only paying for resources when they are used. The applications are expected to have variable traffic patterns, with peak usage during business hours and low usage at night. You need to design a compute solution that meets these requirements. What should you recommend?

276

You are designing a backup and disaster recovery solution for a financial services company. The company has a critical application running on Azure VMs with premium SSDs. The RPO for the application is 15 minutes, and the RTO is 1 hour. The application data is stored on a separate managed disk with a premium SSD. The company wants to ensure that backups are cost-effective and do not impact application performance. You need to recommend a backup strategy. What should you do?

277

A small business is moving its on-premises file server to Azure. The company has 50 users and stores approximately 500 GB of data, which includes documents and spreadsheets. The users need to access the files from their Windows laptops both at the office and remotely. The company wants to minimize costs while ensuring that files are always available and secure. You need to recommend a storage solution. What should you recommend?

278

A manufacturing company is designing an IoT solution to monitor equipment in real-time. Thousands of sensors send telemetry data every second. The data must be ingested, processed, and stored for analysis. The solution must handle high throughput and provide low-latency analytics. Additionally, the company wants to use Azure Machine Learning to predict equipment failures based on historical data. You need to design a data pipeline that meets these requirements. What should you include in the design?

279

A government agency is designing a solution to store sensitive citizen data. The data must be encrypted at rest and in transit. The agency requires that the encryption keys be managed by the agency and stored in a hardware security module (HSM). Additionally, the solution must comply with regulatory requirements that mandate customer-managed keys. You need to recommend a key management solution. What should you recommend?

280

A media company is building a video streaming platform on Azure. The platform will store original high-definition videos and convert them to multiple resolutions for distribution. The company needs a cost-effective storage solution for the original videos, which are accessed infrequently but must be instantly available when needed. The converted videos will be served to end users globally and must be cached at edge locations for low latency. You need to design a storage and content delivery solution. What should you recommend?

281

A large enterprise is designing a hybrid network architecture. The company has an on-premises data center connected to Azure via ExpressRoute. They want to extend their on-premises network to Azure by using a site-to-site VPN as a backup connection. The company has multiple VNets in Azure that need to communicate with each other and with the on-premises network. The solution must be highly available and provide redundancy for the ExpressRoute connection. You need to recommend a network connectivity design. What should you include?

282

A startup is building a web application that will be used by a small number of users initially but is expected to grow rapidly. The application runs on Linux and uses a PostgreSQL database. The company wants to minimize operational overhead and costs during the early stages. You need to recommend a platform as a service (PaaS) solution for both the application and the database. What should you recommend?

283

A company is designing a disaster recovery solution for a critical application that runs on Azure VMs in a single region. The RTO is 4 hours, and the RPO is 1 hour. The application uses Azure SQL Database. The company wants to minimize the cost of the disaster recovery solution while meeting the RTO and RPO. You need to recommend a solution. What should you recommend?

284

A company is designing a solution for a data analytics workload. The company receives streaming data from multiple sources, including IoT devices and social media feeds. The data must be ingested, processed in real-time, and stored for historical analysis. The company also wants to use Power BI to create real-time dashboards from the streaming data. You need to recommend a data pipeline architecture. What should you include?

285

Your company is migrating a legacy on-premises application to Azure. The application requires persistent storage for configuration files that must be accessible from multiple virtual machines in a virtual network. The storage must be accessible only from within the virtual network and should not be exposed to the internet. Which Azure storage solution should you use?

286

A multinational corporation is designing a disaster recovery strategy for a critical application running on Azure VMs. The application must have a Recovery Point Objective (RPO) of 15 minutes and a Recovery Time Objective (RTO) of 1 hour. The primary region is East US, and the secondary region is West US. The solution must minimize costs while meeting the requirements. What should you recommend?

287

You are designing a cloud-native application that will run on Azure Kubernetes Service (AKS). The application needs to authenticate users and manage access to resources. Which identity service should you use?

288

Your company has an Azure subscription that contains several virtual machines (VMs) running Windows Server. You need to ensure that all VMs are compliant with a baseline security policy that includes specific registry key settings. The solution must automatically remediate non-compliant settings without manual intervention. What should you use?

289

A healthcare organization is deploying a new application on Azure that will handle Protected Health Information (PHI). The application must be compliant with HIPAA. The security team requires encryption at rest and in transit, and the ability to audit access to the data. The solution should minimize administrative overhead. Which storage solution should you recommend?

290

Your organization is planning to migrate a large number of on-premises file servers to Azure. The data includes millions of small files. You need to select a storage solution that supports the SMB protocol and can handle high file counts. Which TWO Azure services meet these requirements?

291

A company is designing a hybrid network architecture that connects an on-premises data center to Azure. The requirements include high availability (99.99% SLA), low latency, and the ability to use existing MPLS connections. Which THREE Azure connectivity options should be considered?

292

Your company, Contoso Ltd., is migrating its on-premises e-commerce application to Azure. The application consists of a web frontend, an API layer, and a SQL Server database. The migration must meet the following requirements:

- The web frontend must automatically scale out based on CPU utilization.
- The API layer must be stateless and scale out based on request count.
- The database must be a managed service with high availability and disaster recovery across Azure regions.
- All components must be secured using Azure Firewall and Web Application Firewall (WAF).
- The solution must minimize operational overhead.

You propose the following architecture:

- Azure App Service for the web frontend with autoscaling rules based on CPU.
- Azure Functions for the API layer (stateless, scaling based on request count).
- Azure SQL Database with active geo-replication for the database.
- Azure Front Door with WAF policies for global load balancing and security.
- Azure Firewall to control outbound traffic.

Which component of this design should be reconsidered to better meet the requirement to minimize operational overhead?


Frequently asked questions

What does the Design infrastructure solutions domain cover on the AZ-305 exam?

The Design infrastructure solutions domain covers the key concepts tested in this area of the AZ-305 exam blueprint published by Microsoft. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all AZ-305 domains — no account required.

How many Design infrastructure solutions questions are in the AZ-305 question bank?

The Courseiva AZ-305 question bank contains 292 questions in the Design infrastructure solutions domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Design infrastructure solutions for AZ-305?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Design infrastructure solutions questions for AZ-305?

Yes — the session launcher on this page draws questions exclusively from the Design infrastructure solutions domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
