© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.


AZ-305 Design infrastructure solutions • Complete Question Bank

AZ-305 Design infrastructure solutions — All Questions With Answers

Complete AZ-305 Design infrastructure solutions question bank — all 0 questions with answers and detailed explanations.

292 questions
Question 1 (hard, multiple choice)

A company is designing a hub-spoke network topology in Azure. The hub contains a third-party network virtual appliance (NVA) for inspection. Spokes need to communicate with each other, and all inter-spoke traffic must be routed through the NVA in the hub. Which configuration should they use?

Question 2 (medium, multiple choice)

A company is deploying a web application on Azure App Service. They need to guarantee that all traffic from the internet goes through a Web Application Firewall (WAF) before reaching the app. The solution must be cost-effective for a single application. Which Azure service should they place in front of the App Service?

Question 3 (easy, multiple choice)

A company has multiple Azure subscriptions and on-premises data centers connected via ExpressRoute. They want to centralize connectivity to the internet and enforce a single web filtering and security policy for all outbound internet traffic from Azure VMs. Which Azure networking architecture should they implement?

Question 4 (easy, multiple choice)

A company has multiple branch offices and needs to connect them to Azure and to each other using a scalable, managed solution that simplifies network architecture. The solution should support automatic routing and integration with ExpressRoute and VPN. Which Azure service should they use?

Question 5 (hard, multiple choice)

A company runs a high-performance computing (HPC) workload on Azure that requires extremely low latency (under 10 microseconds) between multiple VMs for MPI communication. The VMs are part of a single job and must be placed together to minimize network latency. Which VM deployment option should they use?

Question 6 (medium, multiple choice)

A company is deploying an internal web application on Azure VMs. The application requires SSL offloading, session stickiness, and URL-based routing (e.g., /api/* to one backend, /app/* to another). The solution must operate within a single Azure region and must not be exposed to the public internet. Which Azure load balancing solution should they use?

Question 7 (medium, multiple choice)

A company is developing a containerized microservices application. They want to minimize operational overhead for managing orchestration. The application has a low-to-medium traffic pattern that can spike unpredictably. They need fast scaling and pay-per-second billing. Which Azure compute service should they use?

Question 8 (medium, multiple choice)

A company has two on-premises data centers and an Azure subscription. They need to connect each data center to Azure with a private, high-bandwidth, and reliable connection. They also want a low-cost backup connection for each data center in case the primary connection fails. Which combination of connectivity options should they recommend?

Question 9 (hard, multiple choice)

A company is designing a hub-spoke network topology across multiple Azure regions. They plan to deploy a third-party network virtual appliance (NVA) in the hub for traffic inspection. They require that all traffic between spokes in different regions must be routed through the hub NVA, and they want to minimize the number of peered connections. Which solution should they implement?

Question 10 (hard, multiple choice)

A company is deploying a multi-tier web application on Azure. The web tier must be accessible from the internet. The application tier and database tier must be isolated within the virtual network and not directly accessible from the internet. The solution must provide SSL termination, URL-based routing, and Web Application Firewall (WAF) capabilities. Which Azure service should they use to expose the web tier?

Question 11 (easy, multiple choice)

A company is deploying a multi-tier web application on Azure VMs. The web tier must be accessible from the internet, while the application and database tiers must be isolated within the virtual network. The solution must provide SSL termination, web application firewall (WAF) capabilities, and URL-based routing. Which Azure service should they use to expose the web tier?

Question 12 (hard, multiple choice)

A global company is deploying a microservices application on AKS clusters in multiple Azure regions. They need to provide a single endpoint for users worldwide with SSL offloading, web application firewall, and URL path-based routing to the nearest healthy AKS cluster. They also need global load balancing with automatic failover. Which Azure service should they use?

Question 13 (hard, multiple choice)

A company has a hub-spoke network topology in Azure. They have multiple spoke VNets connected to a hub VNet via peering. They need to ensure that all east-west traffic between spoke VNets goes through a network virtual appliance (NVA) in the hub for inspection. Additionally, all outbound internet traffic from spoke VMs must use a single public IP address. What should they configure?

Question 14 (easy, multiple choice)

A company needs to provide secure remote administration access to Azure virtual machines for their IT team. The VMs are in a virtual network with no public IP addresses. The IT team uses browsers to connect. The solution should not require any custom software on the client machines. Which Azure service should they use?

Question 15 (medium, multiple choice)

A company has an Azure SQL Database that they need to access from an on-premises data center over ExpressRoute. They want to use a private IP address to connect to the database, ensuring traffic never traverses the public internet. Which Azure service should they use?

Question 16 (easy, multiple choice)

A company plans to deploy a stateless web application on Azure virtual machines. They want to ensure that the application remains available in the event of a hardware failure within a single Azure datacenter. The VMs must be placed in a way that ensures they are on different physical servers and racks, but are still within the same datacenter. Which deployment strategy should they use?

Question 17 (easy, multiple choice)

A company is deploying a web application that must be accessible from the internet. The application is hosted on Azure virtual machines in a virtual network. The solution must provide SSL termination, web application firewall (WAF) protection, and URL path-based routing (e.g., /api/* to one backend pool, /app/* to another). The web tier must not be directly exposed to the internet. Which Azure load balancing solution should they use?

Question 18 (easy, multiple choice)

A company has an on-premises data center and wants to connect it to Azure to extend their network. They require a dedicated, private, high-bandwidth connection that is not routed over the public internet. They also want a lower-cost backup connection for redundancy in case the primary connection fails. Which combination of connectivity options should they implement?

Question 19 (medium, multiple choice)

A company deploys a web application on Azure VMs across multiple availability zones in a region. They need to distribute incoming traffic across VMs in all zones, maintain session persistence, and support SSL offloading and URL-based routing (e.g., /api/* to one pool, /app/* to another). Which Azure load balancing solution should they use?

Question 20 (hard, multiple choice)

A company has multiple Azure VNets deployed in a hub-spoke topology. They want to inspect all outbound internet traffic from spoke VMs using a central firewall and ensure that traffic from all VNets goes through the firewall before reaching the internet. They also need to log all outbound connections. Which architecture should they implement?

Question 21 (easy, multiple choice)

A company plans to deploy a web application on Azure virtual machines. They want to protect against a datacenter failure within a region. The VMs must be distributed across multiple physically separate locations with independent power, cooling, and networking. Which deployment option should they use?

Question 22 (hard, multiple choice)

A global e-commerce company deploys its web application on Azure Kubernetes Service (AKS) clusters in multiple Azure regions. They need a single global endpoint for users, with SSL offloading, web application firewall (WAF) protection, and URL path-based routing to the nearest healthy AKS cluster. Which Azure service should they use?

Question 23 (easy, multiple choice)

A company has an on-premises data center and wants to connect it to Azure with a dedicated, private network connection that is not routed over the public internet. They also need a higher service-level agreement (SLA) compared to VPN-based connections. Which Azure service should they use?

Question 24 (medium, multiple choice)

A company has deployed several Azure VMs that do not have public IP addresses. Administrators need to securely connect to these VMs using RDP and SSH from the internet over a browser without deploying a jump box or managing VPN connections. The solution must use Microsoft Entra ID authentication for single sign-on. Which Azure service should they use?

Question 25 (medium, multiple choice)

A company has an Azure virtual network (VNet) in the East US region hosting a web application. They need to securely connect to an on-premises data center in the same region using a dedicated, private network connection with high throughput and low latency. They also need a backup connection for redundancy in case the primary connection fails. Which connectivity solution should they implement?

Question 26 (easy, multiple choice)

A company deploys a web application in two Azure regions for high availability. They need to automatically direct users to the nearest healthy region based on geographic location and endpoint health. Which Azure service should they use?

Question 27 (easy, multiple choice)

A company deploys a web application on Azure VMs within a single region. They need to distribute incoming HTTP traffic across multiple VMs, offload SSL encryption, and maintain session persistence (sticky sessions) for user sessions. Which Azure load balancing solution should they use?

Question 28 (hard, multiple choice)

A company deploys Azure VNets in multiple regions and has on-premises data centers. They need to connect all VNets to each other and to on-premises sites using the Microsoft global network for optimal routing. They also want to simplify management by using a single orchestration interface. Which Azure service should they use?

Question 29 (easy, multiple choice)

A company has multiple Azure virtual networks (VNets) in different regions. They want to connect all VNets to each other securely over the Microsoft backbone network, and also connect to their on-premises data center via ExpressRoute. What is the simplest Azure solution to enable connectivity between all VNets and on-premises?

Question 30 (easy, multiple choice)

A company deploys a web application across multiple Azure VMs in a single region. They want to distribute incoming HTTP traffic evenly across the VMs, offload SSL encryption, and provide a fixed public IP address for clients. Which Azure load balancing solution should they use?

Question 31 (easy, multiple choice)

A company has multiple Azure virtual networks (VNets) in different Azure regions and an on-premises data center connected via ExpressRoute. They want to connect all VNets to each other and to the on-premises network securely over the Microsoft global backbone. They also want to simplify management by using a single orchestration interface. Which Azure service should they use?

Question 32 (easy, multiple choice)

A company deploys a web application on multiple Azure VMs. They need to distribute incoming HTTP traffic across the VMs, offload SSL/TLS termination, and maintain session persistence (sticky sessions) so that all requests from a user session go to the same backend VM. Which Azure load balancing solution should they use?

Question 33 (easy, multiple choice)

A company runs a web application on Azure VMs in a single region. The application must scale out automatically based on CPU utilization. The VMs are behind an Azure Load Balancer. Which Azure service should they use to automatically add or remove VMs based on demand?

Question 34 (medium, multiple choice)

A company deploys a web application on multiple Azure VMs in a single region. They need to distribute incoming HTTP and HTTPS traffic across the VMs, offload SSL/TLS termination, and maintain session persistence (sticky sessions) so that all requests from a user session go to the same backend VM. Which Azure load balancing solution should they use?

Question 35 (medium, multiple choice)

A company deploys a web application across multiple Azure VMs in a single region. They need to distribute incoming HTTP traffic, offload SSL termination, and perform URL-based routing to different backend pools (e.g., /images to one pool, /api to another). Which Azure load balancing solution should they use?

Question 36 (medium, multiple choice)

A company has Azure virtual networks (VNets) in three different Azure regions and an on-premises data center connected via ExpressRoute. They need to connect all VNets to each other and to on-premises over the Microsoft global backbone. They also require centralized management of routing and the ability to enforce security policies such as forced tunneling for internet-bound traffic. Which Azure service should they use?

Question 37 (easy, multiple choice)

A company deploys a web application on Azure VMs. They need to distribute incoming HTTP and HTTPS traffic based on the URL path: requests to /api/* go to one VM pool, requests to /images/* go to another pool. They also need to offload SSL/TLS termination. Which Azure load balancing solution should they use?

Question 38 (hard, multiple choice)

A company has multiple Azure virtual networks (VNets) spread across three Azure regions (West US, East US, and West Europe). They also have an on-premises network connected to East US via ExpressRoute. They need to connect all VNets to each other and to the on-premises network. They require centralized management of routing and the ability to enforce security policies such as forcing all internet-bound traffic from any VNet to pass through a central firewall in East US. Which Azure solution should they implement?

Question 39 (medium, multiple choice)

A company deploys a web application on Azure VMs across multiple availability zones in the East US region. They need to distribute incoming HTTPS traffic across the VMs, offload SSL termination, and ensure that client requests from the same user session are sent to the same backend VM (session persistence). Which Azure load balancing solution should they choose?

Question 40 (easy, multiple choice)

A company has Azure virtual networks (VNets) in three different Azure regions (West US, East US, and West Europe). They also have an on-premises data center connected to the East US region via ExpressRoute. They need to connect all VNets to each other and to the on-premises network. The solution must support transitive routing between all sites and provide centralized management of connectivity and routing policies. Which Azure service should they use?

Question 41 (easy, multiple choice)

A company deploys a web application on multiple Azure virtual machines (VMs) in a single region. The application receives HTTP and HTTPS traffic. They need to distribute the traffic across the VMs, offload SSL/TLS termination, and ensure that client requests from the same user session are always sent to the same backend VM (session persistence). Additionally, they need to route requests based on URL paths (e.g., /api/* to one pool, /images/* to another). Which Azure load balancing solution should they use?

Question 42 (easy, multiple choice)

A company has an Azure API Management instance deployed in the internal virtual network (VNet) mode. They want to securely expose their backend APIs to external partners over the internet. External partners need to authenticate using OAuth2 tokens. The company also wants to enforce rate limits (throttling) per subscription, cache responses, and enable CORS. Which Azure service should they use to expose the APIs?

Question 43 (easy, multiple choice)

A company has virtual machines in Azure that need to be grouped across multiple fault domains and update domains to ensure high availability. They plan to deploy three VMs running the same application tier. Which Azure feature should they use to provide redundancy within a single region?

Question 44 (medium, multiple choice)

A company has multiple Azure virtual networks (VNets) in different regions connected via VNet peering. They also have an on-premises data center connected to Azure via ExpressRoute. They need to route internet-bound traffic from all Azure VNets through a single, centralized network virtual appliance (NVA) in the hub VNet for security inspection. They also need to ensure that traffic between VNets and on-premises is routed optimally without going through the internet. Which Azure solution should they implement?

Question 45 (medium, multiple choice)

A company deploys a web application on Azure virtual machines (VMs) across multiple availability zones in the East US region. The application receives HTTPS traffic. They need to distribute incoming traffic across the VMs, offload SSL/TLS termination, and ensure that client requests from the same user session are always sent to the same backend VM (session persistence). Which Azure load balancing solution should they choose?

Question 46 (medium, multiple choice)

A company wants to deploy a web application on Azure virtual machines (VMs). The application experiences variable traffic patterns, so the company needs to automatically add or remove VM instances based on CPU utilization. They also want the application to remain highly available even if an Azure datacenter fails. Which combination of Azure services should they use?

Question 47 (medium, multiple choice)

A global e-commerce company runs a web application in multiple Azure regions. They need to distribute incoming HTTPS traffic across regional deployments to provide low latency and high availability. The solution must support SSL offloading, Web Application Firewall (WAF) policies, and content caching to reduce backend load. They also need to route users to the nearest healthy backend region. Which Azure service should they use?

Question 48 (easy, multiple choice)

A company has deployed Azure virtual machines without public IP addresses. They need to provide secure RDP and SSH access to these VMs for administrators from the corporate network (on-premises). The solution must integrate with Microsoft Entra ID for authentication and support multi-factor authentication (MFA). It must not require any public endpoint exposure on the VMs. Which Azure service should they use?

Question 49 (medium, multiple choice)

A company has headquarters and multiple branch offices worldwide, each with its own on-premises network. They want to connect all these sites to Azure and to each other over a single, centrally managed solution. They need high bandwidth connectivity for site-to-site traffic, support for both VPN and ExpressRoute connections, and automatic routing management without the complexity of configuring multiple VPN tunnels or BGP manually. Which Azure service should they use?

Question 50 (easy, multiple choice)

A company has multiple virtual networks in different Azure regions. They need to connect all VNets together securely over the Microsoft backbone. They also need to connect to an on-premises data center via ExpressRoute. The solution should support transitive routing between all connected networks. Which Azure service should they use?

Question 51 (easy, multiple choice)

A company wants to run a containerized application on Azure without managing virtual machines. They need automatic scaling, load balancing, and rolling updates. Which Azure compute service should they choose?

Question 52 (hard, multiple choice)

A company has multiple Azure virtual networks (VNets) in different regions and an on-premises data center. They need to implement a hub-and-spoke topology where the hub VNet hosts shared services like firewalls and DNS. All traffic between spokes, and between spokes and on-premises, must be routed through the hub for inspection. Additionally, spoke VNets must not be able to directly communicate with each other. Which Azure networking solution should they implement to meet these requirements with minimal administrative overhead?

Question 53 (easy, multiple choice)

A company deploys a web application on multiple Azure VMs within an availability set. They need to distribute incoming HTTP traffic evenly across the VMs and provide health probe monitoring. The solution must support SSL termination and source IP affinity (session persistence). Which Azure load balancing solution should they choose?

Question 54 (medium, multiple choice)

A company deploys a web application on Azure virtual machines (VMs) across multiple availability zones. The application needs to automatically distribute incoming HTTPS traffic, offload SSL/TLS termination, and provide session persistence. Additionally, the solution must include a Web Application Firewall (WAF) to protect against common web vulnerabilities. Which Azure load balancing solution should they use?

Question 55 (hard, multiple choice)

A company has multiple Azure virtual networks (VNets) in different regions and an on-premises data center connected via ExpressRoute. They need to implement a hub-and-spoke topology where a hub VNet hosts shared network virtual appliances (NVAs) for traffic inspection. All traffic between spokes and between spokes and on-premises must be routed through the hub. The company wants to minimize the administrative overhead of configuring and maintaining routing. Which Azure solution should they implement?

Question 56 (medium, multiple choice)

A company wants to deploy containerized microservices on Azure without managing virtual machines. The solution must support automatic scaling based on demand, built-in load balancing, rolling updates for zero-downtime deployments, and a fully managed platform. Which Azure compute service should they choose?

Question 57 (hard, multiple choice)

A company deploys a multi-tier web application on Azure VMs across availability zones. The web tier must have SSL termination, session persistence, and health probe monitoring. Additionally, all traffic must be inspected by a central firewall for compliance. The solution must be highly available. Which combination of Azure services should they implement?

Question 58 (easy, multiple choice)

A company deploys a web application on Azure VMs in a single region. They need to distribute incoming HTTPS traffic across multiple VMs, offload SSL termination, and provide session persistence. Which Azure load balancing solution should they choose?

Question 59 (medium, multiple choice)

A company plans to deploy multiple virtual machines (VMs) across two Azure regions for high availability. The VMs will host a stateless web application that must be accessible via a single DNS endpoint. The solution must automatically route traffic to the nearest region with available capacity and provide failover if a region becomes unhealthy. Which Azure service should they use to meet these requirements?

Question 60 (medium, multiple choice)

A company deploys a containerized application on Azure Kubernetes Service (AKS). They need to expose the application to the internet and provide TLS termination. The solution must also include a Web Application Firewall (WAF) to protect against common attacks. Which Azure service should they use as the ingress controller?

Question 61 (medium, multiple choice)

A company plans to deploy a multi-tier application on Azure. The web tier requires SSL termination and health probes. The application tier must be isolated from the internet. The database tier requires high availability. They want to minimize administrative overhead and use Azure native services. Which architecture should they recommend?

Question 62 (medium, multiple choice)

A company deploys a web application on Azure VMs in an availability set. They need to expose the application to the internet with SSL termination and health probes. Additionally, they need to protect against DDoS attacks and common web vulnerabilities. Which Azure service should they use?

Question 63 (medium, multiple choice)

A company deploys a containerized microservices application on Azure Kubernetes Service (AKS). They need to expose the application to the internet with TLS termination and provide a single endpoint for multiple services. The solution must also include a Web Application Firewall (WAF). Which Azure service should they use as the ingress controller?

Question 64 (easy, multiple choice)

A company plans to deploy a web application on Azure VMs across multiple availability zones. They need to distribute incoming HTTP traffic across the VMs and provide health probes. Which Azure load balancing solution should they use?

Question 65 (medium, multiple choice)

A company has multiple on-premises sites and Azure VNets in different regions. They need to connect all networks with a single mesh topology, ensuring that any network can communicate with any other network directly. They also want to minimize administrative overhead. Which Azure service should they use?

Question 66 (easy, multiple choice)

A company deploys a web application on Azure VMs across availability zones. They need to distribute HTTPS traffic, offload SSL termination, and maintain session persistence. They do not require traffic inspection. Which Azure load balancing solution should they use?

Question 67 (easy, multiple choice)

A company deploys a stateless web application on Azure VMs in a single region. They need to distribute incoming HTTP traffic across multiple VMs and perform health checks. The solution should be highly available within the region. Which Azure load balancing solution should they use?

Question 68 (easy, multiple choice)

A company plans to migrate a legacy web application to Azure. The application runs on multiple Windows virtual machines (VMs) in an availability set. The VMs must be exposed to the internet via a single endpoint that performs SSL termination and health checks. The load-balancing solution must preserve the original client IP address for logging purposes. Which Azure service should the company use?

Question 69 (medium, multi select)

A hub-and-spoke Azure network must centralize outbound inspection and still allow spokes to resolve private endpoint DNS names. Which two components are commonly required? (Choose 2.)

Question 70 (easy, multiple choice)

A company is designing a virtual network architecture for a three-tier application (web, application, database). They want network isolation between tiers and secure access from the internet to the web tier only. Which Azure networking solution should they use?

Question 71 (easy, multiple choice)

A company needs to connect its on-premises data center to Azure for hybrid workloads. The connection must be private, dedicated, and provide guaranteed bandwidth. Which Azure service should they use?

Question 72 (hard, multi select)

A company is designing hub-and-spoke networking. Spoke VNets must use a central Azure Firewall for outbound internet traffic. Which two configurations are required?

Question 73 (medium, multiple choice)

An on-premises datacenter must connect privately to Azure with predictable bandwidth and avoid traversal of the public internet. Which connectivity option should be recommended?

Question 74 (medium, multiple choice)

A company is designing private access to a PaaS database from workloads in a VNet. The database should not be reachable over its public endpoint. What should be recommended?

Question 75 (medium, drag order)

Drag and drop the steps to set up Azure Private Link for an Azure SQL Database into the correct order.

Question 76 (medium, drag order)

Drag and drop the steps to set up Azure Key Vault for storing secrets and to access them from an Azure Function into the correct order.

Question 77 (medium, matching)

Match each Azure identity service to its description.

Matches

Cloud-based identity and access management

Customer identity and access management for apps

Managed domain services like LDAP and Kerberos

Role-based access control for Azure resources

Policy-based evaluation to enforce access controls

Question 78 (medium, matching)

Match each Azure monitoring service to its function.

Matches

Collect, analyze, and act on telemetry

Query and analyze log data

Application performance monitoring (APM)

Personalized recommendations for best practices

Personalized alerts for service issues

Question 79 (easy, multiple choice)

Your company plans to migrate an on-premises application to Azure. The application requires low-latency access to a shared file system that supports SMB protocol. Which Azure storage solution should you recommend?

Question 80 (medium, multiple choice)

You are designing a disaster recovery solution for a critical application hosted in Azure VMs. The primary region is East US. The application requires a recovery time objective (RTO) of 30 minutes and a recovery point objective (RPO) of 15 minutes. Which Azure service should you use to replicate the VMs?

Question 81 (hard, multiple choice)

You are designing a hybrid identity solution for a company with 5,000 on-premises users. The company wants to use Microsoft Entra ID for single sign-on and self-service password reset. They also need to synchronize user passwords to the cloud. Which feature should you enable to ensure password changes on-premises are immediately propagated to Microsoft Entra ID?

Question 82 (medium, multiple choice)

You are designing a network topology for a multi-tier application in Azure. The application has a web tier, an API tier, and a database tier. You need to ensure that the web tier can communicate with the API tier, and the API tier can communicate with the database tier, but the web tier cannot directly access the database tier. Which Azure networking solution should you implement?

Question 83 (easy, multiple choice)

Your company has an Azure subscription with multiple virtual networks (VNets) in different regions. You need to ensure that resources in all VNets can communicate with each other privately over the Microsoft backbone network. Which Azure solution should you implement?

Question 84 (hard, multiple choice)

You are designing a storage strategy for a data analytics solution that processes large volumes of streaming data. The data must be stored in a cost-effective manner with low latency for hot data and infrequent access for cold data after 30 days. The solution must support both batch and interactive queries. Which combination of Azure storage services should you recommend?

Question 85 (medium, multiple choice)

Your company is deploying a web application on Azure App Service. The application must be able to read secrets from Azure Key Vault without storing credentials in application code. Which feature should you enable?

Question 86 (hard, multiple choice)

You are designing a backup strategy for Azure VMs running critical business applications. The solution must support application-consistent backups and allow for restoration to a different region. Which Azure service and configuration should you use?

Question 87 (easy, multiple choice)

Your organization has a policy that all administrative access to Azure resources must be performed using just-in-time (JIT) access. Which Azure service allows you to enable JIT VM access?

Question 88 (medium, multi select)

You are designing a solution to monitor and analyze security events across your Azure environment. Which TWO Azure services should you include in your design to provide centralized logging and threat detection? (Choose two.)

Question 89 (hard, multi select)

Your company plans to migrate a large number of on-premises virtual machines to Azure. You need to assess the current environment and migrate the workloads with minimal downtime. Which THREE Azure services or tools should you use? (Choose three.)

Question 90 (easy, multi select)

You are designing a highly available architecture for a web application that runs on Azure VMs. The solution must distribute incoming traffic across multiple VMs in an availability set. Which TWO Azure components should you include? (Choose two.)

Question 91 (medium, multiple choice)

You are an Azure administrator. You attempt to create a new virtual machine with size Standard_DS2_v2 in a subscription where the Azure Policy shown in the exhibit is assigned. What will happen?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      "then": {
        "effect": "deny",
        "details": {
          "field": "Microsoft.Compute/virtualMachines/size",
          "notIn": ["Standard_D2s_v3", "Standard_D4s_v3", "Standard_D8s_v3"]
        }
      }
    },
    "parameters": {}
  }
}
```

Question 92 (hard, multiple choice)

You execute the PowerShell script shown in the exhibit to create a Windows VM in Azure. After the script completes, you try to RDP to the public IP address but the connection fails. What is the most likely reason?

Exhibit

Refer to the exhibit.

```powershell
$rg = 'myResourceGroup'
$location = 'eastus'
$vnetName = 'myVNet'
$subnetName = 'mySubnet'
$publicIPName = 'myPublicIP'
$nsgName = 'myNSG'
$nicName = 'myNIC'
$vmName = 'myVM'
$vmSize = 'Standard_DS2_v2'
$adminUsername = 'azureuser'
$adminPassword = 'P@ssw0rd123!'

New-AzResourceGroup -Name $rg -Location $location
$subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix '10.0.1.0/24'
$vnet = New-AzVirtualNetwork -ResourceGroupName $rg -Location $location -Name $vnetName -AddressPrefix '10.0.0.0/16' -Subnet $subnet
$publicIP = New-AzPublicIpAddress -ResourceGroupName $rg -Location $location -AllocationMethod Static -Name $publicIPName
$nsgRule = New-AzNetworkSecurityRuleConfig -Name 'RDP' -Protocol Tcp -Direction Inbound -Priority 1000 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location -Name $nsgName -SecurityRules $nsgRule
$nic = New-AzNetworkInterface -ResourceGroupName $rg -Location $location -Name $nicName -SubnetId $subnet.Id -PublicIpAddressId $publicIP.Id -NetworkSecurityGroupId $nsg.Id
$vmConfig = New-AzVMConfig -VMName $vmName -VMSize $vmSize
Set-AzVMOperatingSystem -VM $vmConfig -Windows -ComputerName $vmName -Credential (New-Object System.Management.Automation.PSCredential ($adminUsername, (ConvertTo-SecureString $adminPassword -AsPlainText -Force)))
New-AzVM -ResourceGroupName $rg -Location $location -VM $vmConfig
```

Question 93 (easy, multiple choice)

You run the KQL query shown in the exhibit in Azure Monitor Logs. What does the query return?

Exhibit

Refer to the exhibit.

```kusto
// Kusto Query Language (KQL) query
AzureActivity
| where OperationNameValue == 'MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE'
| where ActivityStatusValue == 'Succeeded'
| summarize count() by Caller, bin(TimeGenerated, 1h)
```

Question 94 (medium, multiple choice)

A company is designing a multi-region disaster recovery solution for Azure VMs. They need to ensure that if the primary region fails, VMs can be failed over to a secondary region with minimal data loss. The application writes data to Azure SQL Database and Azure Files. Which Azure service should they use to meet the recovery point objective (RPO) of 5 seconds for the SQL Database?

Question 95 (easy, multiple choice)

A company is migrating on-premises applications to Azure. They require that all traffic between Azure resources and on-premises resources traverse a private connection. They also want to reduce the attack surface by eliminating exposure of management endpoints over the internet. Which solution should they implement?

Question 96 (hard, multiple choice)

A company has multiple Azure subscriptions and wants to enforce consistent network policies across all VNets. They need to ensure that all traffic going out to the internet is inspected by a central firewall. The solution must be scalable and support multiple regions. What should they implement?

Question 97 (medium, multiple choice)

A company is designing a solution for storing sensitive documents in Azure Blob Storage. They require that all data be encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. Additionally, they want to prevent any accidental deletion of the key vault and its keys. Which combination of actions should they take?

Question 98 (easy, multiple choice)

A company needs to implement a hybrid identity solution that allows users to access both on-premises applications and Microsoft 365 using a single identity. The company has on-premises Active Directory Domain Services (AD DS). They want to synchronize identities to the cloud while also enabling password writeback for self-service password reset. Which Azure service should they use?

Question 99 (hard, multiple choice)

A company is planning to migrate a legacy application to Azure VMs. The application requires a static IP address for licensing purposes. The VM must be highly available within a single region. Which combination of Azure resources should they use?

Question 100 (medium, multiple choice)

A company is designing a containerized application on Azure Kubernetes Service (AKS). They need to ensure that the control plane is managed by Microsoft and that the worker nodes are isolated to a single tenant. They also require that the worker nodes be automatically patched for security updates. Which AKS node pool type should they use?

Question 101 (easy, multiple choice)

A company is using Azure SQL Database for a critical application. They need to ensure that the database is automatically backed up and that backups are retained for 35 days. What should they configure?

Question 102 (medium, multiple choice)

A company is deploying a web application on Azure App Service. The application must authenticate users with their Microsoft Entra ID credentials. The development team wants to use the Microsoft Authentication Library (MSAL) for authentication. Which App Service authentication feature should they use to simplify integration?

Question 103 (hard, multi select)

A company is designing a backup strategy for Azure resources. They have the following resources: Azure VMs, Azure SQL Database, and Azure Files shares. They need to meet the following requirements: 1) Backup of VMs must be application-consistent. 2) SQL Database backups must be retained for 10 years. 3) Azure Files backups must support soft delete. Which THREE services or features should they use?

Question 104 (medium, multi select)

A company is designing a network architecture for a three-tier application hosted on Azure VMs. The web tier must be accessible from the internet, while the application and database tiers must not have direct internet access. They also need to encrypt traffic between tiers. Which TWO solutions should they implement?

Question 105 (easy, multi select)

A company is planning to migrate on-premises SQL Server databases to Azure. They want to minimize administrative overhead and ensure high availability with automatic failover. Which TWO Azure SQL deployment options should they consider?

Question 106 (medium, multiple choice)

A company is designing a hybrid network solution connecting an on-premises data center to Azure. They require high availability with active-active routing and need to support up to 10 Gbps throughput. Which Azure service should they include in the design?

Question 107 (hard, multiple choice)

A multinational corporation needs to design a global DNS solution for Azure resources. They require automatic failover across Azure regions and low-latency responses based on the client's geographic location. The solution must also support custom domains without exposing the underlying Azure public IP addresses. Which combination of Azure services should they use?

Question 108 (easy, multiple choice)

A company is migrating a legacy application to Azure VMs. The application requires a static IP address that does not change if the VM is stopped and started. Which type of IP address should they assign to the VM?

Question 109 (medium, multiple choice)

A company is designing a disaster recovery solution for Azure VMs running a critical application. They need a Recovery Time Objective (RTO) of less than 1 hour and a Recovery Point Objective (RPO) of 15 minutes. The solution should be cost-effective and allow testing without affecting production. Which Azure service should they use?

Question 110 (hard, multiple choice)

An organization is designing a storage solution for Azure VMs running a database that requires low latency and high IOPS. The data is critical and must be durable with automatic replication across multiple datacenters in the same region. Which Azure managed disk type and redundancy option should they choose?

Question 111 (easy, multiple choice)

A company needs to provide secure access to Azure resources for remote employees. They want to enforce multi-factor authentication and conditional access policies. The solution should not require a VPN connection. Which Azure service should they implement?

Question 112 (medium, multiple choice)

A company is designing an Azure Kubernetes Service (AKS) cluster for a microservices application. They need to ensure that pods can securely access Azure resources such as Azure Key Vault and Azure SQL Database without using service principals or connection strings. Which AKS feature should they enable?

Question 113 (hard, multiple choice)

A financial services company must store sensitive customer data in Azure Blob Storage. The data must be encrypted at rest using a customer-managed key stored in a hardware security module (HSM). The key must be automatically rotated every 90 days. Which combination of Azure services and features should they use?

Question 114 (easy, multiple choice)

A company is deploying a web application that must scale out automatically based on CPU usage. The application runs on Azure App Service. Which Azure feature should they configure?

Question 115 (medium, multi select)

Which TWO Azure services can be used to provide a fully managed DNS solution that supports custom domains and DNSSEC?

Question 116 (hard, multi select)

Which THREE considerations are important when designing a highly available Azure SQL Database solution?

Question 117 (medium, multi select)

Which TWO Azure networking services provide DDoS protection at the application layer (Layer 7)?

Question 118 (medium, multiple choice)

Your company plans to migrate on-premises SQL Server databases to Azure. The databases require high availability with automatic failover to a secondary region in the event of a regional outage. The solution must minimize data loss and support read-only queries on the secondary replica. Which Azure service should you use?

Question 119 (hard, multiple choice)

You are designing a networking solution for a multi-tier application in Azure. The front-end web tier must be accessible from the internet, while the back-end database tier must only be accessible from the web tier. You need to minimize management overhead and ensure that the back-end tier is not directly reachable from the internet. What should you use?

Question 120 (easy, multiple choice)

Your organization has a large number of virtual machines running in Azure. You need to centrally manage backup policies, monitor backup jobs, and ensure compliance with retention requirements. Which Azure service should you use?

Question 121 (medium, multiple choice)

You are designing an identity solution for a multinational corporation that uses Microsoft Entra ID. The company has a complex organizational structure with multiple subsidiaries. You need to ensure that users from one subsidiary cannot access resources in another subsidiary unless explicitly granted. The solution must minimize administrative overhead. What should you use?

Question 122 (hard, multiple choice)

You are designing a storage solution for a healthcare application that stores patient records. The solution must meet the following requirements:

- Support for both structured and unstructured data.
- Provide low-latency access to frequently accessed data.
- Automatically move cold data to a lower-cost tier.
- Encrypt data at rest using customer-managed keys.

Which combination of Azure services should you recommend?

Question 123 (easy, multiple choice)

Your company has a hybrid identity environment with Microsoft Entra ID and an on-premises Active Directory. You need to enable single sign-on (SSO) for users accessing Microsoft 365 applications from domain-joined devices. Which authentication method should you configure?

Question 124 (medium, multiple choice)

You are designing a containerized microservices application on Azure Kubernetes Service (AKS). The application must scale automatically based on HTTP traffic. You need to minimize cost by scaling down to zero pods when there is no traffic. Which scaling solution should you use?

Question 125 (hard, multiple choice)

Your company has a large number of IoT devices sending telemetry to Azure IoT Hub. The data must be processed in near real-time to detect anomalies and trigger alerts. Additionally, the processed data must be stored in a time-series database for historical analysis. Which combination of Azure services should you recommend?

Question 126 (easy, multiple choice)

You need to design a solution to store configuration data for a cloud-native application. The configuration must be centrally managed, versioned, and accessible to multiple services without hard-coding values. Which Azure service should you use?

Question 127 (medium, multi select)

Your company plans to migrate a legacy on-premises application to Azure. The application has a monolithic architecture and requires low-latency access to a shared file system. You need to choose a migration strategy that minimizes changes to the application code. Which TWO options should you recommend? (Choose two.)

Question 128 (hard, multi select)

You are designing a disaster recovery (DR) solution for a critical application hosted on Azure VMs. The solution must meet the following requirements:

- Recovery Point Objective (RPO) of 15 minutes.
- Recovery Time Objective (RTO) of 1 hour.
- Automatically fail over to a secondary region in the event of a regional outage.
- Support for non-disruptive DR testing.

Which THREE components should you include in the solution? (Choose three.)

Question 129 (easy, multi select)

Your company is designing a new application that will run on Azure VMs. The application must be highly available across two Azure regions. You need to ensure that the application can automatically fail over if a regional outage occurs. Which THREE components should you include in the architecture? (Choose three.)

Question 130 (medium, multiple choice)

Your company has a critical application running on Azure Virtual Machines that processes financial transactions. You need to ensure that the application remains available during an Azure region failure. The application is stateless and can scale horizontally. What is the most cost-effective design to meet the availability requirement?

Question 131 (easy, multiple choice)

You are designing a storage solution for a new application that will store large binary files (up to 5 TB each) and require high throughput for sequential reads. The data is accessed infrequently but must be retained for 7 years for compliance. Which Azure storage solution should you recommend?

Question 132 (hard, multiple choice)

Your organization is migrating a legacy on-premises application to Azure. The application uses a proprietary authentication protocol that is not supported by Microsoft Entra ID. You need to integrate the application with Microsoft Entra ID without modifying the application code. What should you do?

Question 133 (easy, multiple choice)

You need to design a networking solution for a multi-tier application that includes a web front-end, an API layer, and a database. The web and API tiers must be accessible from the internet, while the database tier must be isolated. What is the most secure and efficient design?

Question 134 (medium, multiple choice)

Your company is deploying a new application that uses Azure Cosmos DB for globally distributed low-latency reads and writes. The application must be highly available with a recovery point objective (RPO) of less than 5 seconds and recovery time objective (RTO) of less than 1 second in case of a regional outage. Which Cosmos DB configuration should you recommend?

Question 135 (medium, multiple choice)

You are designing a backup and disaster recovery strategy for an Azure SQL Database instance that runs a critical business application. The database is 500 GB and experiences high transaction rates. The recovery point objective (RPO) is 1 minute and recovery time objective (RTO) is 1 hour. What should you recommend?

Question 136 (hard, multiple choice)

Your organization has a hybrid identity environment with Microsoft Entra ID (formerly Azure AD) and on-premises Active Directory. You need to design a solution that allows users to access cloud applications using their on-premises credentials, and also enables single sign-on (SSO) for legacy on-premises applications that do not support modern authentication protocols. What should you recommend?

Question 137 (easy, multiple choice)

You need to design a monitoring solution for a set of Azure virtual machines running a business-critical application. The solution must provide centralized log management, enable real-time analysis of security events, and support custom alerts for anomalous behavior. Which Azure service should you use?

Question 138 (medium, multiple choice)

Your company is planning to migrate a large number of on-premises servers to Azure. The migration must be completed within 3 months. You need to assess the current on-premises environment and recommend the most appropriate Azure VM sizes and costs. What should you do?

Question 139 (hard, multiple choice)

You are reviewing a network security group (NSG) rule for a subnet that hosts web servers. The subnet's address space is 10.0.1.0/24. What is the effect of this rule?

Exhibit

Refer to the exhibit.

```json
{
  "Name": "Allow specific traffic",
  "Priority": 100,
  "Direction": "Inbound",
  "Access": "Allow",
  "SourceAddressPrefixes": ["10.0.1.0/24"],
  "DestinationAddressPrefixes": ["*"],
  "DestinationPortRanges": ["80", "443"],
  "Protocol": "TCP"
}
```

Question 140 (medium, multiple choice)

You are an Azure administrator. The Azure Policy definition shown in the exhibit is assigned to a subscription. A developer tries to deploy a Virtual Machine with SKU Standard_DS2_v2. What will happen?

Exhibit

Refer to the exhibit.

```json
{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        },
        {
          "field": "Microsoft.Compute/virtualMachines/sku.name",
          "like": "Standard_DS*"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}
```

Question 141 (hard, multiple choice)

You executed the Azure CLI commands shown in the exhibit. The remote VNet (yourVNet) has address space 10.1.0.0/16. What is the result?

Exhibit

Refer to the exhibit.

[Network Topology exhibit: Azure CLI commands, damaged in extraction. Surviving fragments: `az network vnet create`, `name myVNet`, `resource-group myRG`, `address-prefix`, `name mySubnet2`, `vnet-name myVNet`, `name myPeering`, `subnet-name mySubnet`, `remote-vnet /subscriptions/.../resourceGroups/yourRG/providers/Microsoft.Network/virtualNetworks/yourVNet`, `subnet-prefix`, `allow-vnet-access`.]

Question 142 (medium, multi select)

You are designing a highly available architecture for a stateful application running on Azure Virtual Machines. The application requires a shared storage solution that supports concurrent read/write access from multiple VMs, and must be resilient to zone failures. Which TWO Azure solutions meet these requirements? (Choose TWO.)

Question 143 (hard, multi select)

Your organization is designing a data platform for real-time analytics on streaming data from IoT devices. The solution must ingest millions of events per second, process the data with low latency, and store results in a format optimized for analytical queries. Which THREE Azure services should you include in the design? (Choose THREE.)

Question 144 (easy, multi select)

You need to design a solution to securely connect an on-premises data center to Azure for hybrid workloads. The connection must be private, use the internet for transport, and provide high availability. Which TWO Azure services should you consider? (Choose TWO.)

Question 145 (medium, multiple choice)

A multinational company plans to deploy a new application on Azure. The application must comply with GDPR and requires data residency in the EU. The solution should minimize latency for users in Europe and provide disaster recovery across regions. Which Azure architecture should the company implement?

Question 146 (easy, multiple choice)

You need to design a virtual network architecture for a three-tier application in Azure. The web tier must be accessible from the internet, the application tier must only be accessible from the web tier, and the database tier must only be accessible from the application tier. Which combination of Azure services should you use?

Question 147 (hard, multiple choice)

A company runs a critical application on Azure VMs in a single region. They need to improve availability to meet an SLA of 99.99% while minimizing costs. The application is stateless and can run on multiple VMs. Which solution should you recommend?

Question 148 (medium, multiple choice)

Your company has an Azure subscription with multiple virtual networks connected via VNet peering. You need to design a solution to allow VMs in different peered VNets to resolve each other's private IP addresses using custom DNS suffixes. The solution must minimize administrative overhead. What should you implement?

Question 149 (easy, multiple choice)

A company plans to migrate on-premises SQL Server databases to Azure. They need to minimize changes to existing applications and want to use the latest features of SQL Server. Which Azure data service should they use?

Question 150 (hard, multiple choice)

Your company has a hybrid identity environment using Microsoft Entra ID (formerly Azure AD) and on-premises Active Directory. You need to design a solution that allows users to authenticate to Azure services using their on-premises credentials and enforce conditional access policies for sensitive applications. The solution must support multi-factor authentication (MFA) using the Microsoft Authenticator app. Which components should you include?

Question 151 (medium, multiple choice)

You are designing a storage solution for a media company that needs to store large video files (up to 50 GB each) and serve them to a global audience with low latency. The solution must be cost-effective and support resumable uploads. Which Azure storage solution should you recommend?

Question 152 (easy, multiple choice)

A company wants to implement a backup strategy for their Azure virtual machines. They need to retain backups for 7 years for compliance and ensure backups are encrypted at rest. Which solution should you recommend?

Question 153 (hard, multiple choice)

You need to design a network topology for a global e-commerce platform on Azure. The solution must provide low-latency access to static content and protect the backend APIs from DDoS attacks. The backend APIs are deployed in multiple regions behind an internal load balancer. Which services should you use?

Question 154 (medium, multi select)

Which TWO services should you use to design a highly available and scalable web application on Azure that runs on Linux containers and requires automatic scaling based on HTTP traffic? (Choose two.)

Question 155 (hard, multi select)

Which THREE components are required to implement a hybrid cloud solution that extends on-premises Active Directory to Azure and provides single sign-on (SSO) to cloud applications? (Choose three.)

Question 156 (easy, multi select)

Which TWO Azure services can be used to implement a serverless event-driven architecture that processes messages from a queue and stores results in a database? (Choose two.)

Question 157 (easy, multiple choice)

You are designing a solution to securely store secrets, keys, and certificates for a cloud application. Which Azure service should you use?

Question 158 (medium, multiple choice)

Your company has a global application deployed across multiple Azure regions. You need to design a disaster recovery solution that meets a Recovery Point Objective (RPO) of 15 minutes and a Recovery Time Objective (RTO) of 1 hour. The solution should use Azure-native services and minimize costs. Which option should you choose?

Question 159 (hard, multiple choice)

You are designing a network architecture for a three-tier application hosted in Azure. The front-end tier must be accessible from the internet, the business tier must only communicate with the front-end tier, and the data tier must only communicate with the business tier. You need to minimize exposure and use Azure-native services. Which combination of services should you use?

Question 160 (easy, multiple choice)

Your company is migrating on-premises virtual machines to Azure. You need to assess the current environment and get a cost estimate for Azure. Which tool should you use?

Question 161 (medium, multiple choice)

You are designing a solution to provide high availability for a critical application running on Azure Virtual Machines. The virtual machines must be placed on physically separate hardware and have guaranteed availability during Azure maintenance events. Which option meets these requirements?

Question 162 (hard, multiple choice)

Your organization has a hybrid identity solution using Microsoft Entra ID (formerly Azure AD) and on-premises Active Directory. You need to design a solution that allows users to use their on-premises credentials to authenticate to cloud applications, but you want to avoid synchronizing password hashes to the cloud. Which authentication method should you choose?

Question 163 (easy, multiple choice)

You need to design a storage solution for unstructured data that requires low latency (single-digit milliseconds) for frequently accessed files and must support NFS and SMB protocols. Which Azure storage solution should you recommend?

Question 164 (medium, multiple choice)

Your company is deploying a web application that experiences unpredictable traffic spikes. You need to ensure the application can handle sudden increases in load automatically without manual intervention and minimize costs during low traffic periods. Which Azure service should you use?

Question 165 (hard, multiple choice)

You are designing a governance strategy for multiple Azure subscriptions. You need to ensure that all resources in a specific subscription are deployed only in the West US region. Additionally, any new resource group must contain a tag named 'Environment' with a value of 'Production'. What combination of Azure Policy initiatives should you assign?

Question 166 (medium, multi select)

Which TWO of the following are valid design considerations for implementing Azure SQL Database geo-replication? (Choose two.)

Question 167 (hard, multi select)

Which THREE of the following are valid methods to secure access to Azure Storage accounts? (Choose three.)

Question 168 (easy, multi select)

Which TWO of the following are benefits of using Azure Policy? (Choose two.)

Question 169 (medium, multiple choice)

Refer to the exhibit. You are reviewing an ARM template that deploys a virtual network with two subnets. Subnet-b includes a delegation to Microsoft.Web/serverFarms. What is the purpose of this delegation?

Exhibit

{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
        {
          "type": "Microsoft.Network/virtualNetworks",
          "apiVersion": "2021-02-01",
          "name": "vnet-01",
          "location": "[resourceGroup().location]",
          "properties": {
            "addressSpace": {
              "addressPrefixes": [
                "10.0.0.0/16"
              ]
            },
            "subnets": [
              {
                "name": "subnet-a",
                "properties": {
                  "addressPrefix": "10.0.0.0/24"
                }
              },
              {
                "name": "subnet-b",
                "properties": {
                  "addressPrefix": "10.0.1.0/24",
                  "delegations": [
                    {
                      "name": "delegation",
                      "properties": {
                        "serviceName": "Microsoft.Web/serverFarms"
                      }
                    }
                  ]
                }
              }
            ]
          }
        }
      ]
    },
    "parameters": {}
  }
}
Question 170 (hard, multiple choice)

Refer to the exhibit. You are reviewing the properties of an Azure Storage account. The encryption section shows keySource as Microsoft.Keyvault and infrastructureEncryption enabled. What does infrastructureEncryption mean in this context?

Exhibit

{
  "properties": {
    "provisioningState": "Succeeded",
    "encryption": {
      "keySource": "Microsoft.Keyvault",
      "keyVaultProperties": {
        "keyUri": "https://mykeyvault.vault.azure.net/keys/mykey/abc123",
        "currentVersionedKeyIdentifier": "https://mykeyvault.vault.azure.net/keys/mykey/abc123",
        "lastKeyRotationTimestamp": "2025-03-15T10:00:00Z"
      },
      "infrastructureEncryption": "Enabled"
    },
    "supportsHttpsTrafficOnly": true,
    "minimumTlsVersion": "1.2"
  }
}
Question 171 (medium, multiple choice)

Refer to the exhibit. You have an Azure Storage account with the settings shown. A developer reports that they cannot access the storage account from their Azure VM that is connected to subnet-a. The VM's subnet ID matches the one in the rule. What is the most likely cause of the issue?

Exhibit

{
  "properties": {
    "sku": {
      "name": "Standard_GRS"
    },
    "kind": "StorageV2",
    "accessTier": "Hot",
    "supportsHttpsTrafficOnly": true,
    "networkRuleSet": {
      "defaultAction": "Deny",
      "virtualNetworkRules": [
        {
          "id": "/subscriptions/.../subnets/subnet-a",
          "action": "Allow"
        }
      ]
    }
  }
}
Question 172 (medium, multiple choice)

Your organization has a hybrid identity infrastructure with Microsoft Entra ID Connect Sync. You plan to enable Microsoft Entra ID Seamless Single Sign-On (Seamless SSO) for domain-joined Windows devices. What is the minimum requirement for the on-premises Active Directory forest functional level?

Question 173 (hard, multiple choice)

You are designing a disaster recovery strategy for an Azure virtual machine running a SQL Server Always On availability group. The primary region is East US, and the secondary region is West US. You need to ensure minimal data loss and automatic failover. Which Azure service should you use for cross-region replication of the managed disks?

Question 174 (easy, multiple choice)

Your company deploys a line-of-business application on Azure App Service. The application requires custom domain names and SSL/TLS certificates. You need to ensure that the application can be accessed via a custom domain with HTTPS. What should you configure in the App Service?

Question 175 (medium, multiple choice)

You are designing a solution to store sensitive documents in Azure Blob Storage. The data must be encrypted at rest and access must be audited. You need to ensure that the encryption keys are managed by your organization and that access to the keys is logged. Which combination of Azure services should you use?

Question 176 (hard, multi select)

You are designing a microservices architecture on Azure Kubernetes Service (AKS). The solution must handle traffic spikes by automatically scaling pods based on CPU utilization. Additionally, you need to minimize cost by scaling down nodes when not in use. Which two features should you implement? (Choose two.)

Question 177 (medium, multiple choice)

Your organization uses Microsoft Purview to govern data assets across Azure SQL Database, Azure Data Lake Storage, and on-premises SQL Server. You need to ensure that sensitive data such as credit card numbers are automatically detected and classified. What should you configure in Microsoft Purview?

Question 178 (easy, multiple choice)

You need to design a solution to store log data from multiple Azure services. The data must be retained for 7 years for compliance purposes and should be queryable for analysis. Which Azure service should you use as the primary storage for these logs?

Question 179 (hard, multiple choice)

You are designing a network architecture for a multi-tier application. The front-end tier is an Azure Application Gateway that routes traffic to a web app on Azure App Service. The back-end tier is an Azure SQL Database. You need to ensure that all traffic between the Application Gateway and the web app remains within the Azure backbone network, and that the web app can only be accessed through the Application Gateway. What should you configure?

Question 180 (medium, multiple choice)

Your company plans to migrate on-premises file servers to Azure. The solution must support SMB protocol and integrate with Microsoft Entra ID for authentication. You need to choose a service that provides fully managed file shares accessible from multiple Azure regions. Which Azure service should you use?

Question 181 (hard, multiple choice)

You are designing a backup strategy for Azure virtual machines. The solution must support application-consistent backups for SQL Server databases running on the VMs. You need to ensure that backups are taken every 4 hours and retained for 30 days. What should you configure in Azure Backup?

Question 182 (easy, multiple choice)

You are designing a solution to grant external partners access to specific Azure resources. The partners must authenticate using their own corporate credentials. You need to manage their access centrally. Which Microsoft Entra ID feature should you use?

Question 183 (medium, multiple choice)

Your organization is deploying a critical application on Azure virtual machines. You need to ensure that the VMs are distributed across multiple fault domains and update domains within an availability set. You create an availability set with 3 fault domains and 5 update domains. How many VMs can you add to this availability set to maximize fault tolerance?

Question 184 (medium, multiple choice)

Your company is designing a multi-region disaster recovery solution for a mission-critical application using Azure SQL Database. The application requires read-scale in the secondary region and must support automatic failover with no data loss. Which Azure SQL Database offering should you recommend?

Question 185 (easy, multiple choice)

A company is planning to migrate its on-premises Active Directory to Microsoft Entra ID. They have a complex on-premises infrastructure with multiple forests and over 50,000 users. They need to synchronize identities and enable single sign-on (SSO) for Office 365. What should you recommend?

Question 186 (hard, multiple choice)

Your organization is designing a solution to capture and analyze IoT data from millions of devices. The solution must ingest data at high velocity, store the data for long-term analytics, and provide real-time dashboards. Which combination of Azure services should you recommend?

Question 187 (medium, multi select)

Your company is designing a hybrid network architecture to connect an on-premises data center to Azure. The requirements include: high availability, low latency, and cost optimization. Which TWO options should you recommend?

Question 188 (hard, multi select)

A multinational corporation is designing a backup and disaster recovery strategy for Azure IaaS VMs. The solution must support cross-region failover, meet a recovery point objective (RPO) of 15 minutes, and a recovery time objective (RTO) of 1 hour. Which THREE options should you include in the design?

Question 189 (easy, multi select)

Your organization is implementing a security strategy for Azure resources. You need to enforce consistent security policies across all subscriptions and ensure compliance with regulatory standards. Which TWO services should you use?

Question 190 (hard, multiple choice)

Refer to the exhibit. You are an Azure administrator. You assign this policy definition to a subscription. A developer attempts to deploy a virtual machine with SKU Standard_DS1_v2. What is the outcome?

Exhibit

{
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.Compute/virtualMachines"
    },
    "then": {
      "effect": "deny",
      "details": {
        "field": "Microsoft.Compute/virtualMachines/sku.name",
        "notIn": ["Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2"]
      }
    }
  }
}
Question 191 (easy, multiple choice)

Refer to the exhibit. You deploy this ARM template to a resource group in the East US region. You specify the parameter storageAccountType as 'Standard_GRS'. Which of the following is true about the deployed storage account?

Exhibit

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountType": {
      "type": "string",
      "defaultValue": "Standard_LRS",
      "allowedValues": [
        "Standard_LRS",
        "Standard_GRS",
        "Standard_ZRS",
        "Premium_LRS"
      ]
    }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2023-01-01",
      "name": "[format('storage{0}', uniqueString(resourceGroup().id))]",
      "location": "[resourceGroup().location]",
      "sku": {
        "name": "[parameters('storageAccountType')]"
      },
      "kind": "StorageV2"
    }
  ]
}
Question 192 (medium, multiple choice)

Refer to the exhibit. You are analyzing Azure VM performance using Azure Monitor Logs. You run the KQL query shown. What is the purpose of the 'take 10' operator?

Exhibit

{
  "query": "AzureMetrics | where ResourceId contains '/virtualMachines' | where MetricName == 'Percentage CPU' | summarize AvgCPU = avg(Average) by bin(TimeGenerated, 1h), Resource | order by TimeGenerated asc | take 10"
}
Question 193 (medium, multiple choice)

Your company is migrating a legacy application to Azure. The application uses a proprietary database that requires file-level access to data files. You need to minimize changes to the application. Which Azure storage solution should you recommend?

Question 194 (hard, multiple choice)

A company is designing a solution for a global e-commerce platform that requires low-latency access to product catalog data from multiple regions. The data is read-heavy with occasional updates. The solution must support automatic scaling and provide high availability. Which Azure service should you recommend?

Question 195 (easy, multiple choice)

Your organization needs to provide temporary, limited-privilege access to Azure resources for external auditors. The access must be time-bound and require approval from a manager. Which Azure feature should you use?

Question 196 (hard, multi select)

A company is designing a data warehouse solution in Azure. The solution must support petabyte-scale data, high-performance queries, and integration with Power BI. The data includes both structured and semi-structured data. Which THREE services should you recommend?

Question 197 (hard, multiple choice)

Your company is deploying a critical application on Azure VMs. The application requires a static private IP address that does not change even if the VM is stopped and deallocated. The VM must be placed in an availability zone for high availability. Which networking approach should you use?

Question 198 (medium, multiple choice)

Your organization is building a serverless application that processes events from Azure Event Hubs and stores results in Azure Cosmos DB. The processing logic must be scalable and cost-effective, with no idle costs. Which compute service should you use?

Question 199 (medium, multiple choice)

You are designing a disaster recovery solution for an Azure IaaS workload. The application runs on Azure VMs in a single region and requires a Recovery Point Objective (RPO) of 15 minutes and a Recovery Time Objective (RTO) of 4 hours. Which of the following is the most cost-effective approach to meet these requirements?

Question 200 (hard, multiple choice)

You are designing a landing zone in Azure for a regulated financial services company. They require that all storage accounts be restricted to specific virtual networks and have encryption using customer-managed keys (CMK). Additionally, they want to ensure that any storage account creation outside of the approved network boundaries is prevented. Which combination of Azure Policy and Network Security controls should you recommend?

Question 201 (easy, multiple choice)

A company plans to migrate an on-premises application with strict low-latency requirements to Azure. The application must communicate with an Azure SQL Database. Which of the following is the best design to minimize latency?

Question 202 (hard, multiple choice)

You are designing a compute solution for a batch processing workload that runs once per day for about 30 minutes. The workload is CPU-intensive and can be parallelized. The team wants to minimize cost while ensuring the job completes within 2 hours. Which of the following is the most cost-effective solution?

Question 203 (medium, multiple choice)

You are designing a connectivity solution for a hybrid network. The company has an on-premises network connected to an Azure virtual network via ExpressRoute. They also have a site-to-site VPN to the same Azure virtual network as a backup. When the ExpressRoute connection fails, traffic should automatically fail over to the VPN. How should you configure the routes to ensure automatic failover?

Question 204 (easy, multiple choice)

You need to design a storage solution for an application that stores large amounts of unstructured data that is accessed frequently for the first 30 days, then rarely after that. Compliance requirements mandate that data be retained for 7 years. Which of the following is the most cost-effective storage solution?

Question 205 (medium, multiple choice)

You are designing an authentication solution for a mobile application that uses Azure AD B2C (now Microsoft Entra External ID). The application needs to support social logins (Google, Facebook) and also allow users to sign in with their corporate Microsoft Entra ID accounts. Which of the following identity providers should you configure?

Question 206 (hard, multiple choice)

You are designing a logging and monitoring solution for a multi-region application. The application is deployed in three Azure regions. Security requirements mandate that all authentication and authorization logs be retained for 7 years. Logs must be queryable centrally from a single location. What is the most cost-effective way to meet these requirements?

Question 207 (easy, multiple choice)

You are designing a high-availability solution for a stateless web application running on Azure VMs. The solution must provide automatic failover to another region in the event of a regional outage. Which Azure service should you use to distribute traffic across regions?

Question 208 (medium, multi select)

Which TWO of the following are valid considerations when designing a SQL Server Always On availability group in Azure VMs? (Choose two.)

Question 209 (hard, multi select)

Which THREE of the following are best practices for securing an Azure Kubernetes Service (AKS) cluster? (Choose three.)

Question 210 (easy, multi select)

Which TWO of the following are valid data storage solutions for an Azure-based microservices architecture that requires high throughput and low latency? (Choose two.)

Question 211 (medium, multiple choice)

Your company is migrating a legacy on-premises application to Azure. The application requires low-latency access to a shared file system that supports SMB protocol. The solution must be highly available within a single Azure region and must not require the application to be modified. Which Azure service should you recommend?

Question 212 (hard, multiple choice)

A multinational corporation is designing a hub-spoke network topology in Azure to connect multiple on-premises sites and Azure regions. The hub contains Azure Firewall and Azure Bastion. Spokes are in different regions and need to communicate with each other through the hub. The solution must minimize latency and cost. What should you configure?

Question 213 (easy, multiple choice)

You are designing a disaster recovery solution for a critical application running in Azure. The application uses Azure SQL Database. The recovery point objective (RPO) is 5 seconds, and the recovery time objective (RTO) is 30 minutes. Which Azure SQL Database configuration should you recommend?

Question 214 (hard, multiple choice)

A company is designing a solution to store and analyze petabytes of IoT sensor data. The data is written once, rarely accessed, and must be retained for 10 years for compliance. The data must be queryable using SQL. Which combination of Azure services would be MOST cost-effective?

Question 215 (easy, multiple choice)

Your company has a web application deployed on Azure App Service that experiences periodic traffic spikes. You need to ensure the application scales out quickly without manual intervention. The solution must minimize cost during low-traffic periods. What should you configure?

Question 216 (medium, multiple choice)

Refer to the exhibit. The JSON shows role assignments for user1. The role definition IDs are: b24988ac-6180-42a0-ab88-20f7382dd24c = Key Vault Secrets User, 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 = Reader. User1 reports being unable to list secrets in the key vault 'vault-prod' using Azure CLI. What is the most likely cause?

Exhibit

{
  "roleAssignments": [
    {
      "principalId": "user1@contoso.com",
      "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
      "scope": "/subscriptions/1234-5678/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/vault-prod"
    },
    {
      "principalId": "user1@contoso.com",
      "roleDefinitionId": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
      "scope": "/subscriptions/1234-5678/resourceGroups/rg-prod"
    }
  ]
}
Question 217 (medium, multiple choice)

You are designing a solution to securely store and manage secrets for multiple applications deployed in Azure. The solution must support automated rotation of secrets and provide audit logging. Which Azure service should you use?

Question 218 (hard, multiple choice)

A healthcare organization needs to store patient health records in Azure. The data must be encrypted at rest and in transit. The organization requires a customer-managed key (CMK) with automatic key rotation every 90 days. The solution must support Azure SQL Database and Azure Blob Storage. Which key management solution should you recommend?

Question 219 (easy, multiple choice)

Your company has Azure virtual machines running a critical application. You need to back up these VMs daily and retain backups for 7 years. The solution must be cost-effective and support application-consistent backups. What should you use?

Question 220 (medium, multi select)

You are designing a solution to monitor a hybrid environment consisting of Azure VMs and on-premises servers. The solution must provide centralized log analytics, security threat detection, and the ability to run custom queries across all logs. Which TWO Azure services should you include? (Choose two.)

Question 221 (hard, multi select)

A global e-commerce company is designing a highly available application on Azure. The application uses Azure SQL Database and requires that in the event of a regional outage, failover to a secondary region occurs automatically without manual intervention. The solution must minimize data loss. Which THREE components should be included? (Choose three.)

Question 222 (easy, multi select)

You are designing a network architecture for a three-tier application in Azure. The web tier must be accessible from the internet. The application tier must only accept traffic from the web tier. The database tier must only accept traffic from the application tier. Which TWO Azure services should you use to enforce these network rules? (Choose two.)

Question 223 (hard, multiple choice)

Refer to the exhibit. The ARM template provisions a VM. The deployment succeeds but the VM fails to start. What is the most likely cause?

Exhibit

{
  "parameters": { "vmName": { "value": "prod-vm-001" } },
  "resources": [
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2023-03-01",
      "name": "[parameters('vmName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "hardwareProfile": { "vmSize": "Standard_D2s_v3" },
        "storageProfile": {
          "osDisk": { "createOption": "fromImage", "managedDisk": { "storageAccountType": "Premium_LRS" } },
          "dataDisks": [
            { "createOption": "empty", "diskSizeGB": 1023, "lun": 0, "managedDisk": { "storageAccountType": "StandardSSD_LRS" } }
          ]
        },
        "osProfile": {
          "computerName": "[parameters('vmName')]",
          "adminUsername": "azureuser",
          "adminPassword": "Password123!"
        },
        "networkProfile": {
          "networkInterfaces": [
            { "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), '-nic'))]" }
          ]
        }
      }
    }
  ]
}
Question 224 (medium, multiple choice)

Refer to the exhibit. A custom role is created. A user assigned this role reports being unable to view the VM's boot diagnostics in the Azure portal. What is the most likely reason?

Exhibit

{
  "roleDefinition": {
    "Name": "Custom VM Operator",
    "Actions": [
      "Microsoft.Compute/virtualMachines/start/action",
      "Microsoft.Compute/virtualMachines/restart/action",
      "Microsoft.Compute/virtualMachines/deallocate/action",
      "Microsoft.Compute/virtualMachines/read"
    ],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/1234-5678"]
  }
}
Question 225 (hard, multiple choice)

You are a solutions architect for a financial services company. The company is deploying a new critical application on Azure that processes sensitive customer transactions. The application consists of an ASP.NET Core web app (Azure App Service), a REST API (Azure Kubernetes Service), and an Azure SQL Database. The requirements are:

- All data at rest must be encrypted using customer-managed keys (CMK) stored in a managed HSM.
- All network traffic between components must be encrypted and traverse the Microsoft backbone network.
- The web app must be protected against common web attacks (SQL injection, XSS).
- The solution must automatically scale the API based on CPU utilization.
- All API calls must be authenticated using OAuth 2.0 with Microsoft Entra ID.
- Logs from all components must be sent to a central Log Analytics workspace for analysis.
- The solution must have a recovery time objective (RTO) of 1 hour and recovery point objective (RPO) of 5 minutes for the database.

Which combination of Azure services should you recommend to meet ALL requirements?

Question 226 (medium, multiple choice)

A company is designing a multi-region disaster recovery solution for a mission-critical application hosted on Azure VMs. The application requires synchronous replication of storage and automatic failover with no data loss. The recovery time objective (RTO) is 15 minutes, and the recovery point objective (RPO) is 0. Which Azure service should the company use?

Question 227 (hard, multiple choice)

A healthcare organization is migrating a regulatory-compliant application to Azure. The application must be isolated from the internet and accessible only from on-premises networks via a private IP address. The solution must minimize latency and maximize throughput for large data transfers. Which Azure networking solution should the organization implement?

Question 228 (easy, multiple choice)

A company plans to deploy a web application on Azure App Service that will be accessed by users worldwide. The application must have a single endpoint and use Azure Web Application Firewall (WAF) policies. Which Azure service should be placed in front of the App Service to meet these requirements?

Question 229 (medium, multiple choice)

A company is designing a hybrid identity solution that allows users to access both on-premises applications and Microsoft 365 using a single identity. The solution must support legacy authentication protocols for on-premises apps and modern authentication for cloud apps. Which Azure service should the company use?

Question 230 (hard, multiple choice)

A financial services company is designing a data platform on Azure that must comply with strict regulatory requirements. The platform will store sensitive customer data in Azure SQL Database. The company needs to prevent data exfiltration and ensure that only authorized Microsoft Entra ID users can access the data. The solution must also encrypt data at rest and in transit. Which combination of Azure services should the company implement?

Question 231 (easy, multiple choice)

A company is deploying a new application on Azure Kubernetes Service (AKS). The application requires persistent storage that can be dynamically provisioned and accessed by multiple pods simultaneously. Which Azure storage solution should the company use?

Question 232 (medium, multiple choice)

A company is designing a backup strategy for a critical Azure SQL Database. The database is used in a production environment and the company requires the ability to restore to any point within the last 35 days with a maximum granularity of 5 minutes. Which backup configuration should the company choose?

Question 233 (hard, multiple choice)

A multinational organization is designing a Microsoft 365 deployment for 10,000 users. The organization requires that all users have a consistent experience and that desktop settings follow users across devices. The solution must also support offline access to files and automatic sync. Which Microsoft 365 service should the organization use?

Question 234 (medium, multiple choice)

A company is designing a serverless architecture for a real-time data processing pipeline. The pipeline ingests data from IoT devices, processes the data using Azure Functions, and stores the results in Azure Cosmos DB. The solution must scale automatically and minimize cold starts. Which Azure service should the company use to trigger the Azure Functions?

Question 235 (hard, multiple choice)

Refer to the exhibit. You are analyzing a deployment of an Azure Storage account with customer-managed key encryption. The deployment fails with an error indicating that the key vault is not accessible. Which of the following is the most likely cause?

Exhibit

{
  "properties": {
    "encryption": {
      "keySource": "Microsoft.Keyvault",
      "keyVaultProperties": {
        "keyUri": "https://mykeyvault.vault.azure.net/keys/mykey/abc123",
        "identity": {
          "userAssignedIdentity": "/subscriptions/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/mysi"
        }
      }
    }
  }
}

Question 236 (medium, multi select)

A company is designing a highly available architecture for a web application on Azure VMs. The solution must protect against both planned and unplanned downtime and provide automatic failover. Which TWO Azure services should the company use together? (Choose two.)

Question 237 (medium, multi select)

A company is designing a backup and disaster recovery solution for an on-premises SQL Server database that will be migrated to Azure. The solution must meet the following requirements: 1) Point-in-time restore up to 30 days. 2) Cross-region restore in case of a regional disaster. 3) Long-term retention of backups for 7 years for compliance. Which THREE Azure services or features should the company use? (Choose three.)

Question 238 (hard, multi select)

A company is designing an identity and access management solution for a multi-cloud environment that includes Azure, AWS, and SaaS applications. The company wants to provide single sign-on (SSO) and enforce conditional access policies across all cloud resources. The solution must support automated user provisioning and deprovisioning. Which THREE Azure services should the company use? (Choose three.)

Question 239 (medium, multiple choice)

A company is planning to migrate its on-premises data center to Azure. The company has 50 virtual machines (VMs) running Windows Server and Linux, along with several physical servers hosting legacy applications. The company wants to minimize administrative overhead and use Azure-native services as much as possible. The migration must be performed with minimal downtime and the company wants to assess the readiness of their on-premises environment. They also need to replicate data to Azure for disaster recovery. Which combination of Azure services should the company use to assess, migrate, and replicate?

Question 240 (hard, multiple choice)

A large enterprise is designing a data analytics platform in Azure that will ingest terabytes of data daily from multiple sources, including IoT devices, social media feeds, and internal databases. The data must be stored in a raw format for future processing, and then transformed and aggregated for reporting. The company requires low-latency querying for real-time dashboards and the ability to run complex batch analytics using Spark. The solution must also provide a unified data governance layer for cataloging and lineage tracking. Which combination of Azure services should the company choose to meet all these requirements with minimal operational overhead?

Question 241 (medium, multiple choice)

Your organization plans to migrate a legacy on-premises application that uses a proprietary authentication mechanism to Azure. The application must run as a virtual machine and must not require any code changes. You need to design an identity solution that integrates with the application without modifying it. What should you use?

Question 242 (hard, multiple choice)

A company uses Azure Firewall to secure outbound traffic from a hub virtual network. The security team reports that some traffic is bypassing the firewall because of asymmetric routing. You need to design a solution to force all outbound traffic through the firewall. What should you implement?

Question 243 (easy, multiple choice)

You are designing a backup strategy for Azure virtual machines that must support application-consistent backups and be capable of restoring to a different Azure region. Which solution should you use?

Question 244 (medium, multiple choice)

Your company has a hybrid network with multiple on-premises sites connected to Azure via ExpressRoute. You need to design a DNS resolution strategy that allows Azure resources to resolve on-premises hostnames and on-premises clients to resolve Azure hostnames. The solution must minimize administrative overhead. What should you use?

Question 245 (hard, multiple choice)

You are designing a solution for a critical application that requires low latency between multiple Azure regions. The application must handle failover automatically if a region becomes unavailable. You need to distribute traffic across regions and ensure that users are directed to the closest healthy endpoint. What should you implement?

Question 246 (easy, multiple choice)

You need to design a storage solution for a data lake that will store petabytes of structured and unstructured data. The data must be accessible from Azure Databricks and Azure Machine Learning. The solution must optimize costs by automatically moving data to cooler tiers when access frequency decreases. Which Azure storage solution should you use?

Question 247 (medium, multiple choice)

Your organization has a containerized application running on Azure Kubernetes Service (AKS). You need to design a solution to securely store and manage secrets (e.g., database passwords, API keys) that the application consumes. The solution must integrate with AKS and support automatic rotation of secrets. What should you use?

Question 248 (hard, multiple choice)

You are designing a disaster recovery solution for a multi-tier application. The application consists of a web tier, an application tier, and a database tier running SQL Server on Azure VMs. The RPO must be 5 seconds, and the RTO must be 15 minutes. You need to recommend a SQL Server availability solution that meets these requirements. What should you use?

Question 249 (easy, multiple choice)

You are designing a web application that will be hosted on Azure App Service. The application must authenticate users from your company's Microsoft Entra ID tenant. You need to implement authentication without writing any authentication code. What should you use?

Question 250 (medium, multi select)

Your company is designing a hybrid network architecture that connects multiple on-premises sites to Azure. You need to ensure high availability and redundancy for the connection. Which TWO solutions should you recommend? (Choose two.)

Question 251 (hard, multi select)

You are designing a governance and compliance solution for a large Azure environment with multiple subscriptions. The solution must enforce tagging policies, restrict resource types, and ensure compliance with regulatory standards. Which THREE Azure services or features should you use? (Choose three.)

Question 252 (medium, multi select)

Your organization is migrating a legacy application to Azure that requires Windows authentication and a fixed IP address. The application will run on an Azure VM. You need to design a networking solution that ensures the VM retains its IP address even after a reboot and that the application can be reached by on-premises users using its hostname. Which TWO actions should you take? (Choose two.)

Question 253 (hard, multiple choice)

Refer to the exhibit. You are assigned an Azure policy that restricts resource group locations to eastus, westus, and centralus. A user attempts to create a resource group in 'eastus2' and receives a denial. The user argues that there are existing resources in 'eastus2' and that the policy should allow it. What is the best course of action to allow the resource group creation while maintaining compliance?

Exhibit

{
  "policy": {
    "policyType": "Custom",
    "mode": "All",
    "displayName": "Allowed locations for resource groups",
    "description": "This policy enables you to restrict the locations your organization can specify when creating resource groups. Use to enforce your geo-compliance requirements.",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "location",
            "notIn": ["eastus", "westus", "centralus"]
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    },
    "parameters": {
      "listOfAllowedLocations": {
        "type": "Array",
        "metadata": {
          "description": "The list of allowed locations for resource groups.",
          "displayName": "Allowed locations",
          "strongType": "location"
        },
        "defaultValue": ["eastus", "westus", "centralus"]
      }
    }
  }
}

Question 254 (medium, multiple choice)

Refer to the exhibit. You run the Azure Resource Graph query shown. A colleague asks why the query returns no results even though there are VMs in the subscription. The VMs use managed disks with Premium_LRS. What is the most likely reason for the empty result set?

Exhibit

{
  "query": "Resources\n| where type == 'microsoft.compute/virtualmachines'\n| where properties.storageProfile.osDisk.managedDisk.storageAccountType == 'Premium_LRS'\n| project name, location, resourceGroup, properties.storageProfile.osDisk.diskSizeGB\n| order by diskSizeGB desc\n| limit 10"
}

Question 255 (hard, multiple choice)

Your company is designing a new cloud-native application on Azure that consists of multiple microservices running on Azure Kubernetes Service (AKS). The application must be accessible from the internet via a custom domain name (app.contoso.com) and must support SSL/TLS termination. You need to design a secure ingress solution that provides Web Application Firewall (WAF) capabilities, SSL offloading, and automatic scaling. The solution should also support path-based routing to different microservices (e.g., /api, /web). You have the following options:

Option A: Deploy an Azure Application Gateway v2 with WAF in front of the AKS cluster. Configure Application Gateway Ingress Controller (AGIC) to route traffic to the services.
Option B: Deploy an Azure Load Balancer with a public IP and install an NGINX ingress controller on AKS. Configure SSL termination on NGINX and use a third-party WAF.
Option C: Deploy an Azure Front Door with WAF policy in front of the AKS cluster. Use Azure Private Link to connect Front Door to the internal load balancer of AKS.
Option D: Deploy an Azure API Management instance with WAF and expose the microservices through API endpoints. Use Azure Application Gateway as a reverse proxy.

Which option best meets the requirements for a high-performance, integrated, and managed solution with minimal operational overhead?

Question 256 (medium, multiple choice)

Your company has a multi-region Azure deployment with virtual networks in East US and West Europe connected via a hub-and-spoke topology. You need to ensure that all traffic between the spokes is routed through a centralized firewall in the hub. The hub uses Azure Firewall. Currently, spoke-to-spoke traffic is not being inspected. What should you configure?

Question 257 (hard, multiple choice)

Your organization is migrating an on-premises application to Azure. The application consists of a load-balanced web tier and a backend SQL Server database. The web tier requires session persistence (sticky sessions) and SSL offload. You need to design a solution that meets these requirements with minimal operational overhead. Which Azure service should you use for the web tier load balancing?

Question 258 (easy, multiple choice)

You are designing a disaster recovery strategy for an Azure virtual machine running a critical application. The VM is in the East US region. Your recovery point objective (RPO) is 15 minutes, and your recovery time objective (RTO) is 1 hour. Which Azure service should you use to replicate the VM to the West US region?

Question 259 (hard, multiple choice)

Refer to the exhibit. You are reviewing an Azure Policy definition that your team plans to assign. The policy is intended to deny the deployment of virtual networks and virtual machines if they do not have an NSG attached with a rule whose name contains 'Allow'. However, the policy is not working as expected. What is the most likely reason?

Exhibit

{
  "properties": {
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworks"
          },
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          }
        ]
      },
      "then": {
        "effect": "deny",
        "details": {
          "existenceCondition": {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].name",
            "like": "*Allow*"
          }
        }
      }
    }
  }
}

Question 260 (medium, multiple choice)

Your company has an Azure subscription that contains a hub virtual network and multiple spoke virtual networks connected via VNet peering. You need to ensure that all traffic between spokes is routed through a network virtual appliance (NVA) in the hub. The NVA is configured with IP forwarding enabled. What should you configure in the spoke virtual networks?

Question 261 (easy, multiple choice)

You need to design a storage solution for a new application that requires low-latency access to frequently accessed data and also needs to archive data that is older than 90 days to the most cost-effective storage tier. Which Azure storage account type and tier configuration should you recommend?

Question 262 (medium, multi select)

Your company is designing a hybrid identity solution that will allow users to authenticate to Azure resources using their on-premises Active Directory credentials. The solution must support multi-factor authentication (MFA) and conditional access policies. Which TWO components should you include?

Question 263 (hard, multi select)

You are designing a network architecture for a critical application that spans multiple Azure regions. The application requires low-latency communication between regions and must maintain connectivity even if an entire region fails. You need to recommend a solution that provides cross-region connectivity with automatic failover. Which TWO options meet the requirements?

Question 264 (hard, multi select)

You are designing a backup and disaster recovery strategy for a SQL Server database hosted on an Azure virtual machine. The database is critical and has a recovery point objective (RPO) of 15 minutes and a recovery time objective (RTO) of 4 hours. Which THREE services should you include in the solution?

Question 265 (medium, multi select)

Your organization needs to ensure that all Azure resources are compliant with corporate security policies. You need to design a solution that can enforce policies at scale, audit compliance, and automatically remediate non-compliant resources. Which THREE Azure services should you include?

Question 266 (hard, multiple choice)

Your company, Contoso Ltd., operates a global e-commerce platform hosted on Azure. The architecture consists of: (1) A web front-end running on Azure App Service in multiple regions (East US, West Europe, Southeast Asia). (2) A microservices backend running on Azure Kubernetes Service (AKS) in East US. (3) A SQL Database in East US with geo-replication to West Europe and Southeast Asia for read scaling. (4) Azure Redis Cache for session state. (5) Azure Front Door for global load balancing. The platform experiences periodic traffic spikes, and during a recent spike, users reported slow page loads and intermittent errors. The operations team observed that the SQL Database in East US reached 100% DTU consumption, causing timeouts. The geo-replicated databases in other regions were underutilized. The application logic is read-heavy but also writes to a separate write-only table. You need to design a solution to improve scalability and reduce database load. The solution must: minimize latency for users, ensure write consistency, and handle traffic spikes without over-provisioning. What should you do?

Question 267 (hard, multiple choice)

Your organization is migrating a legacy on-premises application to Azure. The application uses a monolithic architecture and requires high availability. The application tier runs on Windows Server and uses a SQL Server database. You need to design a migration strategy that minimizes changes to the application code while maximizing availability. The application can be stateless if session state is externalized. You have the following requirements: (1) The application must be resilient to Azure region failures. (2) The database must have an RPO of 5 minutes and RTO of 1 hour. (3) The migration must be completed within 6 months. (4) The solution should use platform-as-a-service (PaaS) services where possible to reduce operational overhead. Which approach should you recommend?

Question 268 (medium, multiple choice)

Your company is designing a new application that will process large volumes of streaming data from IoT devices. The data will be ingested, processed in near real-time, and stored for long-term analytics. You need to design a solution that meets the following requirements: (1) Ingest up to 1 million events per second. (2) Process events with a latency of less than 10 seconds. (3) Store processed data for 7 years for compliance. (4) Enable ad-hoc querying of the stored data. Which combination of Azure services should you recommend?

Question 269 (medium, multiple choice)

Your company is expanding its Azure presence to a new region in Asia. You need to design a network connectivity solution between the on-premises data center in New York and the new Azure region in Singapore. The solution must provide high bandwidth, low latency, and high availability. The company already has an ExpressRoute circuit to the East US region. You want to use that circuit to extend connectivity to Singapore if possible. The budget allows for additional ExpressRoute circuits if needed. What should you recommend?

Question 270 (hard, multiple choice)

Your organization is designing a secure microservices architecture using Azure Kubernetes Service (AKS). The application must be compliant with PCI DSS, which requires strict network segmentation and encryption of data at rest and in transit. You need to design a solution that meets these requirements while minimizing operational overhead. The AKS cluster will be deployed in a virtual network. The application consists of multiple microservices that need to communicate with each other and with an Azure SQL Database. Some microservices are public-facing. Which design should you recommend?

Question 271 (medium, multi select)

Your company is migrating a critical application to Azure and needs to design a highly available and disaster recovery solution. The application runs on Azure VMs with SQL Server Always On Availability Groups. You need to ensure that the database remains available even during a regional outage. Which TWO options should you include in the design? (Choose two.)

Question 272 (hard, multi select)

A multinational corporation is designing a hybrid identity solution using Microsoft Entra ID. The company has multiple on-premises Active Directory forests with complex trust relationships. They require that users can authenticate to both cloud and on-premises resources using the same credentials, and they want to minimize changes to the existing infrastructure. Which THREE components should be part of the solution? (Choose three.)

Question 273 (easy, multi select)

A company is designing a storage solution for a new application that will store large amounts of unstructured data, such as images and videos. The data must be highly durable and available, and the solution should minimize costs for infrequently accessed data. Which TWO storage options should be recommended? (Choose two.)

Question 274 (hard, multiple choice)

You are designing a network topology for a global e-commerce company that operates multiple web applications. The company has three main offices (New York, London, Tokyo) connected via ExpressRoute to Azure. Users access the applications through a public endpoint. The company requires that traffic be routed to the nearest healthy application instance based on geographic location, and that the solution provide automatic failover if an entire region goes down. Additionally, the company wants to protect against DDoS attacks at the network layer. You need to recommend a solution that meets these requirements while minimizing cost. What should you include in the design?

Question 275 (medium, multiple choice)

A healthcare organization is migrating its on-premises applications to Azure. The applications use custom authentication and authorization logic and require low latency between application tiers. The organization needs to ensure that the applications can scale out dynamically based on user demand, and that costs are minimized by only paying for resources when they are used. The applications are expected to have variable traffic patterns, with peak usage during business hours and low usage at night. You need to design a compute solution that meets these requirements. What should you recommend?

Question 276 (medium, multiple choice)

You are designing a backup and disaster recovery solution for a financial services company. The company has a critical application running on Azure VMs with premium SSDs. The RPO for the application is 15 minutes, and the RTO is 1 hour. The application data is stored on a separate managed disk with a premium SSD. The company wants to ensure that backups are cost-effective and do not impact application performance. You need to recommend a backup strategy. What should you do?

Question 277 (easy, multiple choice)

A small business is moving its on-premises file server to Azure. The company has 50 users and stores approximately 500 GB of data, which includes documents and spreadsheets. The users need to access the files from their Windows laptops both at the office and remotely. The company wants to minimize costs while ensuring that files are always available and secure. You need to recommend a storage solution. What should you recommend?

Question 278 (hard, multiple choice)

A manufacturing company is designing an IoT solution to monitor equipment in real-time. Thousands of sensors send telemetry data every second. The data must be ingested, processed, and stored for analysis. The solution must handle high throughput and provide low-latency analytics. Additionally, the company wants to use Azure Machine Learning to predict equipment failures based on historical data. You need to design a data pipeline that meets these requirements. What should you include in the design?

Question 279 (easy, multiple choice)

A government agency is designing a solution to store sensitive citizen data. The data must be encrypted at rest and in transit. The agency requires that the encryption keys be managed by the agency and stored in a hardware security module (HSM). Additionally, the solution must comply with regulatory requirements that mandate customer-managed keys. You need to recommend a key management solution. What should you recommend?

Question 280 (medium, multiple choice)

A media company is building a video streaming platform on Azure. The platform will store original high-definition videos and convert them to multiple resolutions for distribution. The company needs a cost-effective storage solution for the original videos, which are accessed infrequently but must be instantly available when needed. The converted videos will be served to end users globally and must be cached at edge locations for low latency. You need to design a storage and content delivery solution. What should you recommend?

Question 281 (hard, multiple choice)

A large enterprise is designing a hybrid network architecture. The company has an on-premises data center connected to Azure via ExpressRoute. They want to extend their on-premises network to Azure by using a site-to-site VPN as a backup connection. The company has multiple VNets in Azure that need to communicate with each other and with the on-premises network. The solution must be highly available and provide redundancy for the ExpressRoute connection. You need to recommend a network connectivity design. What should you include?

Question 282 (easy, multiple choice)

A startup is building a web application that will be used by a small number of users initially but is expected to grow rapidly. The application runs on Linux and uses a PostgreSQL database. The company wants to minimize operational overhead and costs during the early stages. You need to recommend a platform as a service (PaaS) solution for both the application and the database. What should you recommend?

Question 283 (medium, multiple choice)

A company is designing a disaster recovery solution for a critical application that runs on Azure VMs in a single region. The RTO is 4 hours, and the RPO is 1 hour. The application uses Azure SQL Database. The company wants to minimize the cost of the disaster recovery solution while meeting the RTO and RPO. You need to recommend a solution. What should you recommend?

Question 284 (hard, multiple choice)

A company is designing a solution for a data analytics workload. The company receives streaming data from multiple sources, including IoT devices and social media feeds. The data must be ingested, processed in real time, and stored for historical analysis. The company also wants to use Power BI to create real-time dashboards from the streaming data. You need to recommend a data pipeline architecture. What should you include?

Question 285 (medium, multiple choice)

Your company is migrating a legacy on-premises application to Azure. The application requires persistent storage for configuration files that must be accessible from multiple virtual machines in a virtual network. The storage must be accessible only from within the virtual network and should not be exposed to the internet. Which Azure storage solution should you use?

Question 286 (hard, multiple choice)

A multinational corporation is designing a disaster recovery strategy for a critical application running on Azure VMs. The application must have a Recovery Point Objective (RPO) of 15 minutes and a Recovery Time Objective (RTO) of 1 hour. The primary region is East US, and the secondary region is West US. The solution must minimize costs while meeting the requirements. What should you recommend?

Question 287 (easy, multiple choice)

You are designing a cloud-native application that will run on Azure Kubernetes Service (AKS). The application needs to authenticate users and manage access to resources. Which identity service should you use?

Question 288 (medium, multiple choice)

Your company has an Azure subscription that contains several virtual machines (VMs) running Windows Server. You need to ensure that all VMs are compliant with a baseline security policy that includes specific registry key settings. The solution must automatically remediate non-compliant settings without manual intervention. What should you use?

Question 289 (hard, multiple choice)

A healthcare organization is deploying a new application on Azure that will handle Protected Health Information (PHI). The application must be compliant with HIPAA. The security team requires encryption at rest and in transit, and the ability to audit access to the data. The solution should minimize administrative overhead. Which storage solution should you recommend?

Question 290 (medium, multi select)

Your organization is planning to migrate a large number of on-premises file servers to Azure. The data includes millions of small files. You need to select a storage solution that supports the SMB protocol and can handle high file counts. Which TWO Azure services meet these requirements?

Question 291 (hard, multi select)

A company is designing a hybrid network architecture that connects an on-premises data center to Azure. The requirements include high availability (99.99% SLA), low latency, and the ability to use existing MPLS connections. Which THREE Azure connectivity options should be considered?

Question 292 (medium, multiple choice)

Your company, Contoso Ltd., is migrating its on-premises e-commerce application to Azure. The application consists of a web frontend, an API layer, and a SQL Server database. The migration must meet the following requirements:
- The web frontend must automatically scale out based on CPU utilization.
- The API layer must be stateless and scale out based on request count.
- The database must be a managed service with high availability and disaster recovery across Azure regions.
- All components must be secured using Azure Firewall and Web Application Firewall (WAF).
- The solution must minimize operational overhead.

You propose the following architecture:
- Azure App Service for the web frontend with autoscaling rules based on CPU.
- Azure Functions for the API layer (stateless, scaling based on request count).
- Azure SQL Database with active geo-replication for the database.
- Azure Front Door with WAF policies for global load balancing and security.
- Azure Firewall to control outbound traffic.

Which component of this design should be reconsidered to better meet the requirement to minimize operational overhead?
