AZ-305 Design infrastructure solutions • Complete Question Bank
Complete AZ-305 Design infrastructure solutions question bank — all 0 questions with answers and detailed explanations.
Drag a concept onto its matching description — or click a concept then click the description.
Cloud-based identity and access management
Customer identity and access management for apps
Managed domain services like LDAP and Kerberos
Role-based access control for Azure resources
Policy-based evaluation to enforce access controls
Drag a concept onto its matching description — or click a concept then click the description.
Collect, analyze, and act on telemetry
Query and analyze log data
Application performance monitoring (APM)
Personalized recommendations for best practices
Personalized alerts for service issues
Refer to the exhibit.
```json
{
"properties": {
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
"then": {
"effect": "deny",
"details": {
"field": "Microsoft.Compute/virtualMachines/size",
"notIn": ["Standard_D2s_v3", "Standard_D4s_v3", "Standard_D8s_v3"]
}
}
},
"parameters": {}
}
}
```
Refer to the exhibit.
```
# Exhibit (Azure PowerShell): creates a resource group, a VNet with one subnet,
# a static public IP, an NSG with a single inbound rule, a NIC that binds the
# three together, and a Windows VM configuration that is passed to New-AzVM.

# Names, region and size used by every call below.
$rg = 'myResourceGroup'
$location = 'eastus'
$vnetName = 'myVNet'
$subnetName = 'mySubnet'
$publicIPName = 'myPublicIP'
$nsgName = 'myNSG'
$nicName = 'myNIC'
$vmName = 'myVM'
$vmSize = 'Standard_DS2_v2'
$adminUsername = 'azureuser'
# NOTE(review): the local administrator password is a plaintext literal. Anyone
# who can read this script, its version history or a session transcript can read
# the credential. Prompt with Get-Credential or fetch the secret from Key Vault
# at run time instead of embedding it.
$adminPassword = 'P@ssw0rd123!'

New-AzResourceGroup -Name $rg -Location $location

# Subnet 10.0.1.0/24 inside the 10.0.0.0/16 address space.
$subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix '10.0.1.0/24'
$vnet = New-AzVirtualNetwork -ResourceGroupName $rg -Location $location -Name $vnetName -AddressPrefix '10.0.0.0/16' -Subnet $subnet

$publicIP = New-AzPublicIpAddress -ResourceGroupName $rg -Location $location -AllocationMethod Static -Name $publicIPName

# NOTE(review): this rule allows inbound TCP 3389 (RDP) from any source address
# and port (-SourceAddressPrefix * / -SourcePortRange *). Together with the
# public IP bound to the NIC below, RDP is reachable from the Internet. Restrict
# the source prefix to known management ranges, or drop the public IP and use
# Azure Bastion or just-in-time VM access.
$nsgRule = New-AzNetworkSecurityRuleConfig -Name 'RDP' -Protocol Tcp -Direction Inbound -Priority 1000 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location -Name $nsgName -SecurityRules $nsgRule

# NOTE(review): $subnet is the in-memory config object that was handed to
# New-AzVirtualNetwork; its Id may not be populated at this point. The usual
# form is $vnet.Subnets[0].Id -- confirm before relying on $subnet.Id.
$nic = New-AzNetworkInterface -ResourceGroupName $rg -Location $location -Name $nicName -SubnetId $subnet.Id -PublicIpAddressId $publicIP.Id -NetworkSecurityGroupId $nsg.Id

# NOTE(review): in the visible script no source image is set on $vmConfig and
# $nic is never attached to it (for example via Set-AzVMSourceImage and
# Add-AzVMNetworkInterface). This may be the point of the exhibit -- confirm
# against the question text.
$vmConfig = New-AzVMConfig -VMName $vmName -VMSize $vmSize
# ConvertTo-SecureString -AsPlainText -Force only wraps the literal defined
# above; it does not protect it, because the plaintext is already in the script.
Set-AzVMOperatingSystem -VM $vmConfig -Windows -ComputerName $vmName -Credential (New-Object System.Management.Automation.PSCredential ($adminUsername, (ConvertTo-SecureString $adminPassword -AsPlainText -Force)))
New-AzVM -ResourceGroupName $rg -Location $location -VM $vmConfig
```
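Refer to the exhibit.
```kusto
// Kusto Query Language (KQL) query
// Counts successful virtual machine write operations recorded in AzureActivity,
// grouped by the calling identity and by one-hour time bucket.
// KQL comments start with "//"; the SQL-style "--" marker is not a KQL comment
// and, with the query collapsed onto one line, would have hidden the query
// itself from a SQL-aware renderer.
AzureActivity
| where OperationNameValue == 'MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE'
| where ActivityStatusValue == 'Succeeded'
| summarize count() by Caller, bin(TimeGenerated, 1h)
```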
Refer to the exhibit.
```json
{
"Name": "Allow specific traffic",
"Priority": 100,
"Direction": "Inbound",
"Access": "Allow",
"SourceAddressPrefixes": ["10.0.1.0/24"],
"DestinationAddressPrefixes": ["*"],
"DestinationPortRanges": ["80", "443"],
"Protocol": "TCP"
}
```
Refer to the exhibit.
```json
{
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"field": "Microsoft.Compute/virtualMachines/sku.name",
"like": "Standard_DS*"
}
]
},
"then": {
"effect": "deny"
}
}
}
```

```json
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2021-02-01",
"name": "vnet-01",
"location": "[resourceGroup().location]",
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.0.0.0/16"
]
},
"subnets": [
{
"name": "subnet-a",
"properties": {
"addressPrefix": "10.0.0.0/24"
}
},
{
"name": "subnet-b",
"properties": {
"addressPrefix": "10.0.1.0/24",
"delegations": [
{
"name": "delegation",
"properties": {
"serviceName": "Microsoft.Web/serverFarms"
}
}
]
}
}
]
}
}
]
},
"parameters": {}
}
}
```

```json
{
"properties": {
"provisioningState": "Succeeded",
"encryption": {
"keySource": "Microsoft.Keyvault",
"keyVaultProperties": {
"keyUri": "https://mykeyvault.vault.azure.net/keys/mykey/abc123",
"currentVersionedKeyIdentifier": "https://mykeyvault.vault.azure.net/keys/mykey/abc123",
"lastKeyRotationTimestamp": "2025-03-15T10:00:00Z"
},
"infrastructureEncryption": "Enabled"
},
"supportsHttpsTrafficOnly": true,
"minimumTlsVersion": "1.2"
}
}
```

```json
{
"properties": {
"sku": {
"name": "Standard_GRS"
},
"kind": "StorageV2",
"accessTier": "Hot",
"supportsHttpsTrafficOnly": true,
"networkRuleSet": {
"defaultAction": "Deny",
"virtualNetworkRules": [
{
"id": "/subscriptions/.../subnets/subnet-a",
"action": "Allow"
}
]
}
}
}
```

```json
{
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
"then": {
"effect": "deny",
"details": {
"field": "Microsoft.Compute/virtualMachines/sku.name",
"notIn": ["Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2"]
}
}
}
}
```

```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountType": {
"type": "string",
"defaultValue": "Standard_LRS",
"allowedValues": [
"Standard_LRS",
"Standard_GRS",
"Standard_ZRS",
"Premium_LRS"
]
}
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2023-01-01",
"name": "[format('storage{0}', uniqueString(resourceGroup().id))]",
"location": "[resourceGroup().location]",
"sku": {
"name": "[parameters('storageAccountType')]"
},
"kind": "StorageV2"
}
]
}
```

```json
{
"query": "AzureMetrics | where ResourceId contains '/virtualMachines' | where MetricName == 'Percentage CPU' | summarize AvgCPU = avg(Average) by bin(TimeGenerated, 1h), Resource | order by TimeGenerated asc | take 10"
}
```

```json
{
"roleAssignments": [
{
"principalId": "user1@contoso.com",
"roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"scope": "/subscriptions/1234-5678/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/vault-prod"
},
{
"principalId": "user1@contoso.com",
"roleDefinitionId": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
"scope": "/subscriptions/1234-5678/resourceGroups/rg-prod"
}
]
}
```

```json
{
"parameters": { "vmName": { "value": "prod-vm-001" } },
"resources": [
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2023-03-01",
"name": "[parameters('vmName')]",
"location": "[resourceGroup().location]",
"properties": {
"hardwareProfile": { "vmSize": "Standard_D2s_v3" },
"storageProfile": {
"osDisk": { "createOption": "fromImage", "managedDisk": { "storageAccountType": "Premium_LRS" } },
"dataDisks": [
{ "createOption": "empty", "diskSizeGB": 1023, "lun": 0, "managedDisk": { "storageAccountType": "StandardSSD_LRS" } }
]
},
"osProfile": {
"computerName": "[parameters('vmName')]",
"adminUsername": "azureuser",
"adminPassword": "Password123!"
},
"networkProfile": {
"networkInterfaces": [
{ "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), '-nic'))]" }
]
}
}
}
]
}
```

```json
{
"roleDefinition": {
"Name": "Custom VM Operator",
"Actions": [
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachines/read"
],
"NotActions": [],
"AssignableScopes": ["/subscriptions/1234-5678"]
}
}
```

You are a solutions architect for a financial services company. The company is deploying a new critical application on Azure that processes sensitive customer transactions. The application consists of an ASP.NET Core web app (Azure App Service), a REST API (Azure Kubernetes Service), and an Azure SQL Database. The requirements are:

- All data at rest must be encrypted using customer-managed keys (CMK) stored in a managed HSM.
- All network traffic between components must be encrypted and traverse the Microsoft backbone network.
- The web app must be protected against common web attacks (SQL injection, XSS).
- The solution must automatically scale the API based on CPU utilization.
- All API calls must be authenticated using OAuth 2.0 with Microsoft Entra ID.
- Logs from all components must be sent to a central Log Analytics workspace for analysis.
- The solution must have a recovery time objective (RTO) of 1 hour and recovery point objective (RPO) of 5 minutes for the database.

Which combination of Azure services should you recommend to meet ALL requirements?

```json
{
"properties": {
"encryption": {
"keySource": "Microsoft.Keyvault",
"keyVaultProperties": {
"keyUri": "https://mykeyvault.vault.azure.net/keys/mykey/abc123",
"identity": {
"userAssignedIdentity": "/subscriptions/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/mysi"
}
}
}
}
}
```

```json
{
"policy": {
"policyType": "Custom",
"mode": "All",
"displayName": "Allowed locations for resource groups",
"description": "This policy enables you to restrict the locations your organization can specify when creating resource groups. Use to enforce your geo-compliance requirements.",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "location",
"notIn": ["eastus", "westus", "centralus"]
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {
"listOfAllowedLocations": {
"type": "Array",
"metadata": {
"description": "The list of allowed locations for resource groups.",
"displayName": "Allowed locations",
"strongType": "location"
},
"defaultValue": ["eastus", "westus", "centralus"]
}
}
}
}
```

```json
{
"query": "Resources\n| where type == 'microsoft.compute/virtualmachines'\n| where properties.storageProfile.osDisk.managedDisk.storageAccountType == 'Premium_LRS'\n| project name, location, resourceGroup, properties.storageProfile.osDisk.diskSizeGB\n| order by diskSizeGB desc\n| limit 10"
}
```

```json
{
"properties": {
"policyRule": {
"if": {
"anyOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks"
},
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
}
]
},
"then": {
"effect": "deny",
"details": {
"existenceCondition": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].name",
"like": "*Allow*"
}
}
}
}
}
}
```

Your company, Contoso Ltd., is migrating its on-premises e-commerce application to Azure. The application consists of a web frontend, an API layer, and a SQL Server database. The migration must meet the following requirements:

- The web frontend must automatically scale out based on CPU utilization.
- The API layer must be stateless and scale out based on request count.
- The database must be a managed service with high availability and disaster recovery across Azure regions.
- All components must be secured using Azure Firewall and Web Application Firewall (WAF).
- The solution must minimize operational overhead.

You propose the following architecture:

- Azure App Service for the web frontend with autoscaling rules based on CPU.
- Azure Functions for the API layer (stateless, scaling based on request count).
- Azure SQL Database with active geo-replication for the database.
- Azure Front Door with WAF policies for global load balancing and security.
- Azure Firewall to control outbound traffic.
Which component of this design should be reconsidered to better meet the requirement to minimize operational overhead?