CCNA AZ Compute Questions

75 of 204 questions · Page 2/3 · AZ Compute topic · Answers revealed

76
MCQ · hard

You are deploying a stateless web application on Azure virtual machines. The solution must automatically add and remove instances based on CPU demand and allow all instances to be managed as one logical group. Which Azure compute feature should you deploy?

A. A Virtual Machine Scale Set
B. An availability set
C. A Recovery Services vault
D. Boot diagnostics
Answer: A

Scale Sets provide autoscaling and centralized management for identical VM instances.

Why this answer

A Virtual Machine Scale Set (VMSS) is the correct Azure compute feature because it automatically manages a group of identical, load-balanced VMs that can scale in and out based on CPU demand using autoscale rules. It treats all instances as a single logical group, enabling unified management, patching, and application deployment, which is exactly what the stateless web application requires.

Exam trap

The trap here is that candidates often confuse an availability set (which provides high availability) with a scale set (which provides both high availability and automatic scaling), leading them to select availability set when the question explicitly requires automatic scaling and logical group management.

How to eliminate wrong answers

Option B (availability set) is wrong because it only provides high availability by distributing VMs across fault and update domains, but it does not support automatic scaling or management as a single logical group. Option C (Recovery Services vault) is wrong because it is a backup and disaster recovery service for Azure VMs and on-premises workloads, not a compute feature for scaling or grouping instances. Option D (boot diagnostics) is wrong because it is a troubleshooting feature that captures serial console output and screenshots for VM boot failures, with no capability for scaling or logical grouping.

77
MCQ · hard

An administrator has already increased the size of a managed data disk attached to a running Windows VM. Azure now shows the larger disk size, but the application still cannot use the new capacity. What should the administrator do next?

A. Detach the disk, shrink it, and reattach it to refresh the filesystem.
B. Expand the partition or volume inside the guest operating system.
C. Convert the data disk to a shared disk so Windows can auto-detect the size increase.
D. Redeploy the virtual machine to apply the new disk size.
Answer: B

After Azure grows the managed disk, the operating system still needs to recognize and consume that extra space. Expanding the partition or volume inside the guest OS is the required next step so the application can use the larger capacity.

Why this answer

When a managed data disk attached to a running Windows VM is resized in Azure, the underlying virtual hard disk (VHD) expands, but the guest operating system does not automatically recognize the new unallocated space. The administrator must use the Disk Management tool (diskmgmt.msc) or the diskpart command to extend the volume or partition into the unallocated space. This is a standard operating system task, not an Azure control-plane action.

Exam trap

The trap here is that candidates assume Azure automatically applies the size change to the guest OS, when in fact the administrator must manually extend the partition inside the operating system using disk management tools.

How to eliminate wrong answers

Option A is wrong because shrinking the disk would reduce capacity, not add it, and detaching/reattaching does not refresh the filesystem or recognize new space; the partition must be extended inside the OS. Option C is wrong because converting to a shared disk is unrelated to capacity detection; shared disks are for multi-VM cluster scenarios and do not trigger automatic partition expansion. Option D is wrong because redeploying the VM only moves it to a new host with the same disk configuration; it does not extend the partition inside the guest OS.

78
MCQ · medium

A support desk needs to reset the local administrator password on specific virtual machines by using the VMAccess extension and restart those VMs. They must not be able to resize the machines, change networking, or manage disks. What should the administrator create?

A. Assign the Virtual Machine Contributor built-in role at the subscription scope
B. Assign the Contributor role at the resource group scope
C. Create a custom role with only the required VM actions and assign it at the virtual machine scope
D. Use an Azure Policy assignment to allow the VMAccess extension
Answer: C

A custom role is the least-privilege option when built-in roles are too broad. By including only the actions needed for VM password reset and restart, and assigning the role at the virtual machine scope, the administrator restricts the support desk to exactly one workload and prevents changes to disks, networking, or sizing.

Why this answer

Option C is correct because the support desk needs only specific actions (reset local admin password via VMAccess extension and restart VMs) without permissions to resize, change networking, or manage disks. A custom role at the VM scope allows you to grant precisely the required Microsoft.Compute/virtualMachines/runCommand/action and Microsoft.Compute/virtualMachines/restart/action, while excluding broader management actions. This follows the principle of least privilege and prevents unintended modifications to other resources.

Exam trap

The trap here is that candidates often choose a built-in role like Virtual Machine Contributor or Contributor, mistakenly believing it provides only VM management, but these roles include broader permissions like resizing and disk management, which are explicitly prohibited in the scenario.

How to eliminate wrong answers

Option A is wrong because the Virtual Machine Contributor built-in role at subscription scope grants full control over VMs, including resizing, networking changes, and disk management, which exceeds the required permissions. Option B is wrong because the Contributor role at resource group scope provides full management access to all resources in that group, including the ability to resize VMs, modify networking, and manage disks, violating the least-privilege requirement. Option D is wrong because Azure Policy assignments enforce compliance rules (e.g., allowed extensions) but do not grant permissions; they cannot authorize the support desk to run the VMAccess extension or restart VMs.

79
Multi-Select · hard

A reporting server will run an analytics engine that needs 8 vCPUs and 64 GiB of RAM. Average CPU use is expected to stay moderate, but the workload is memory heavy and should not use a burstable SKU. Which two deployment choices best align with the requirement? Select two.

Select 2 answers
A. Select a memory-optimized VM family.
B. Choose a size with at least 8 vCPUs and 64 GiB of RAM.
C. Choose a burstable B-series size to lower cost.
D. Pick a compute-optimized F-series size because CPU use is only moderate.
E. Select the smallest VM size that supports managed disks.
Answers: A, B

Correct. Memory-optimized families are intended for workloads where RAM is more important than raw CPU throughput.

Why this answer

Option A is correct because the workload is memory heavy, and memory-optimized VM families (e.g., E-series) are designed with a higher memory-to-vCPU ratio to handle such workloads efficiently. Option B is correct because the requirement explicitly states 8 vCPUs and 64 GiB of RAM, so selecting a size that meets these exact specifications is necessary, regardless of family, as long as it is not burstable.

Exam trap

The trap here is that candidates may assume a moderate CPU workload automatically calls for a compute-optimized SKU (F-series), ignoring the memory-heavy requirement that necessitates a memory-optimized family.

80
MCQ · hard

A stateless API must run 4 to 12 identical Windows VMs, scale out automatically when average CPU stays above 70% for 10 minutes, and distribute instances to improve resiliency. Deployments are defined in Bicep. Which Azure compute service should be used?

A. A single Azure VM with an autoscale setting
B. A virtual machine scale set with autoscale enabled
C. An availability set with manual VM resizing
D. Azure Container Instances running one container per request
Answer: B

VM scale sets are designed for many identical instances and work naturally with autoscale profiles.

Why this answer

A virtual machine scale set (VMSS) with autoscale enabled is the correct choice because it supports running multiple identical Windows VMs, can automatically scale out when average CPU exceeds 70% for 10 minutes, and distributes instances across fault domains and availability zones for resiliency. Bicep deployments natively define VMSS configurations, making it the ideal compute service for stateless, scalable API workloads.

Exam trap

The trap here is that candidates confuse autoscale settings (which only apply to scale sets or PaaS services) with individual VMs, or assume an availability set provides autoscaling, when in fact it only ensures fault tolerance for a static number of VMs.

How to eliminate wrong answers

Option A is wrong because a single Azure VM cannot scale out to multiple instances; autoscale settings apply only to scale sets or App Service plans, not individual VMs. Option C is wrong because an availability set provides high availability for a fixed set of VMs but does not support autoscaling or dynamic resizing based on CPU thresholds; manual resizing is not automated scaling. Option D is wrong because Azure Container Instances (ACI) runs containers, not Windows VMs, and scaling per request is not based on average CPU metrics over 10 minutes; ACI is designed for containerized workloads, not VM-based stateless APIs.

81
MCQ · medium

You deploy a Windows VM with an ARM template. During the first boot, it must install IIS, copy application files from storage, and run a bootstrap script. Which Azure feature should you add to the deployment?

A. A VM extension such as Custom Script Extension
B. An availability set
C. A managed disk snapshot
D. A public IP address
Answer: A

A VM extension can run scripted configuration tasks during or after deployment, which fits bootstrap automation.

Why this answer

The Custom Script Extension (CSE) is the correct Azure feature to use because it allows you to execute PowerShell or Bash scripts on a Windows or Linux VM during first boot. By adding the CSE to your ARM template, you can automate the installation of IIS, copy application files from Azure Storage (using the `fileUris` property), and run a bootstrap script after the OS is provisioned, ensuring the VM is fully configured without manual intervention.

Exam trap

The trap here is that candidates often confuse a VM extension (which runs scripts post-deployment) with a VM image (which bakes configuration into the OS disk), leading them to think a snapshot or availability set can achieve the same result, but neither can execute commands during first boot.

How to eliminate wrong answers

Option B is wrong because an availability set is a logical grouping of VMs to protect against infrastructure failures (e.g., rack-level faults) and does not provide any mechanism to install software or run scripts during deployment. Option C is wrong because a managed disk snapshot is a point-in-time copy of a disk used for backup or cloning, not for executing post-deployment configuration tasks like IIS installation or script execution. Option D is wrong because a public IP address provides inbound/outbound network connectivity to the VM but has no capability to run scripts or install applications; it is a networking resource, not a configuration tool.

82
MCQ · easy

A stateless web application must automatically add VM instances during business hours and remove them at night based on CPU usage. Which Azure service should be deployed?

A. Virtual machine scale set
B. Availability set
C. Azure Bastion
D. Proximity placement group
Answer: A

A virtual machine scale set is designed for identical VM instances that can scale out and scale in based on demand. It works well for stateless applications because instances can be added or removed without needing manual reconfiguration of each server. Autoscale rules can use metrics such as CPU percentage to change capacity automatically.

Why this answer

Virtual Machine Scale Sets (VMSS) are designed to automatically scale the number of VM instances in or out based on metrics like CPU usage, and they support scheduled scaling to align with business hours. This makes them the correct choice for a stateless web application that needs to add instances during business hours and remove them at night, as VMSS can integrate with Azure Autoscale to adjust capacity based on both performance metrics and time schedules.

Exam trap

The trap here is that candidates often confuse an availability set (which provides high availability) with a scale set (which provides auto-scaling), leading them to select availability set when the question explicitly requires automatic scaling based on CPU and time schedules.

How to eliminate wrong answers

Option B (Availability set) is wrong because an availability set only provides high availability by distributing VMs across fault and update domains; it does not support automatic scaling based on CPU usage or time-based schedules. Option C (Azure Bastion) is wrong because it is a fully managed PaaS service that provides secure RDP/SSH connectivity to VMs directly from the Azure portal, with no capability for scaling VM instances. Option D (Proximity placement group) is wrong because it is used to reduce network latency between VMs by ensuring they are physically close in an Azure datacenter, and it has no functionality for automatic scaling or instance management.

83
MCQ · medium

You plan to run a web application on Azure virtual machines and need protection against a single datacenter failure within an Azure region. Which deployment option should you use?

A. An availability set only
B. Availability zones
C. A proximity placement group
D. A single VM with premium SSD
Answer: B

Availability zones provide resilience against the failure of a single datacenter in a region.

Why this answer

Availability Zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. Deploying your VMs across two or more zones protects against a single datacenter failure because if one zone goes down, the application continues running in the other zone. This meets the requirement for datacenter-level fault tolerance within a single region.

Exam trap

The trap here is that candidates often confuse availability sets (which protect against rack-level failures within one datacenter) with availability zones (which protect against full datacenter failures), leading them to select the cheaper or more familiar option without recognizing the critical difference in fault domain scope.

How to eliminate wrong answers

Option A is wrong because an availability set protects against failures within a single datacenter (e.g., rack or update domain failures) but does not protect against an entire datacenter outage. Option C is wrong because a proximity placement group is designed to reduce network latency between VMs by placing them close together, which actually increases the risk of a single datacenter failure affecting all VMs. Option D is wrong because a single VM with premium SSD provides no redundancy at all; if the datacenter hosting that VM fails, the application becomes completely unavailable.

84
MCQ · easy

Two application VMs run in the same Azure region. The business wants to reduce the chance that both VMs are rebooted during planned host maintenance, but a datacenter outage is not part of the requirement. What should the administrator configure?

A. Availability set
B. Availability zone
C. Azure Load Balancer
D. Virtual machine scale set
Answer: A

An availability set spreads VMs across fault domains and update domains within a datacenter. This reduces the chance that all instances are affected by the same host maintenance event. It is the correct choice when the goal is host-level resilience rather than protection against an entire datacenter outage.

Why this answer

An availability set ensures that VMs are placed on different fault domains and update domains within the same Azure datacenter. This configuration guarantees that during planned host maintenance, only one update domain is rebooted at a time, reducing the chance that both VMs are rebooted simultaneously. Since the requirement explicitly excludes a datacenter outage, an availability set is the correct choice to protect against planned maintenance events.

Exam trap

The trap here is that candidates often confuse availability zones (which protect against datacenter outages) with availability sets (which protect against planned maintenance and hardware failures within a single datacenter), leading them to select availability zones even when the requirement explicitly excludes datacenter-level failures.

How to eliminate wrong answers

Option B is wrong because availability zones protect against datacenter-level failures by placing VMs in physically separate datacenters, which is overkill and not required when only planned host maintenance is the concern. Option C is wrong because Azure Load Balancer distributes traffic across VMs but does not influence the placement or reboot behavior during host maintenance. Option D is wrong because a virtual machine scale set provides auto-scaling and high availability through fault domains, but it is designed for identical, scalable workloads and does not inherently reduce the chance of both VMs being rebooted during planned maintenance unless configured with an availability set or zones, which is not the direct solution for this specific requirement.

85
MCQ · medium

Based on the exhibit, the company will deploy two identical web server VMs in East US 2 behind a load balancer. The service must keep running if one datacenter in the region becomes unavailable. Which deployment choice best meets the requirement?

A. Place both VMs in an availability set so Azure can spread them across fault domains.
B. Place one VM in each of two availability zones and front them with the load balancer.
C. Place both VMs in one availability zone because all zones in a region share failure domains.
D. Deploy a single VM because Azure automatically replicates it across the region.
Answer: B

Availability zones place each VM in a separate datacenter boundary, which protects against one zone failure. If you distribute the web servers across zones, the load balancer can continue sending traffic to the remaining healthy instance when a zone becomes unavailable. This design matches the requirement to survive a datacenter outage within the region.

Why this answer

Option B is correct because deploying one VM in each of two availability zones within East US 2 ensures that the VMs are physically separated across distinct datacenters, each with independent power, cooling, and networking. If one datacenter (zone) fails, the other zone remains operational, and the load balancer automatically directs traffic to the healthy VM. This meets the requirement of keeping the service running if one datacenter in the region becomes unavailable.

Exam trap

The trap here is that candidates often confuse availability sets (which protect against rack-level failures within one datacenter) with availability zones (which protect against full datacenter outages), leading them to choose Option A as a sufficient solution.

How to eliminate wrong answers

Option A is wrong because an availability set only spreads VMs across fault domains within a single datacenter, not across multiple datacenters; a datacenter-level outage would still affect all VMs in the set. Option C is wrong because placing both VMs in one availability zone means they share the same datacenter failure boundary; a zone failure would take down both VMs. Option D is wrong because a single VM does not provide high availability; Azure does not automatically replicate a single VM across a region—it only provides redundancy at the storage or data level, not compute failover.

86
MCQ · easy

A production workload must continue running if one entire Azure datacenter in the region becomes unavailable. The region supports availability zones, and you want the strongest placement option for a single VM. What should you choose?

A. Availability zone
B. Availability set
C. Proximity placement group
D. Managed disk snapshot
Answer: A

An availability zone places the VM in a separate datacenter within the region, helping protect against a full datacenter failure.

Why this answer

An availability zone protects against an entire datacenter failure by placing the VM in a physically separate zone within the region, each with independent power, cooling, and networking. This is the strongest placement option for a single VM because it guarantees isolation from other zones, ensuring the workload continues if one datacenter fails. Availability sets only protect against rack-level failures within the same datacenter, not a full datacenter outage.

Exam trap

The trap here is that candidates often confuse availability sets (which protect against rack failures) with availability zones (which protect against datacenter failures), leading them to choose the cheaper or more familiar option without recognizing the requirement for full datacenter resilience.

How to eliminate wrong answers

Option B is wrong because an availability set only distributes VMs across multiple fault domains and update domains within a single datacenter, providing no protection if the entire datacenter becomes unavailable. Option C is wrong because a proximity placement group is designed to minimize network latency by co-locating VMs as close as possible, often within the same datacenter, which increases the risk of a single point of failure. Option D is wrong because a managed disk snapshot is a backup/recovery mechanism for disks, not a placement or high-availability feature; it cannot keep a VM running during a datacenter outage.

87
MCQ · medium

Based on the exhibit, which Azure feature should the administrator use to install software and run the bootstrap script during VM provisioning?

A. Azure VM Custom Script Extension
B. A network security group rule allowing RDP from the Internet
C. An availability set with two fault domains
D. A managed disk snapshot restored as the operating system disk
Answer: A

The Custom Script Extension is designed to run scripts after deployment and is commonly used for first-boot configuration. It can download files, execute installation commands, and automate bootstrap tasks without requiring manual sign-in. This matches the requirement to install IIS, copy application files, and run bootstrap.ps1 as part of provisioning.

Why this answer

The Azure VM Custom Script Extension (CSE) is the correct feature because it allows the administrator to execute scripts (such as installing software or running a bootstrap script) during VM provisioning or after the VM is running. The extension downloads the script from Azure Storage or a public URL and executes it using the local system account, making it ideal for post-deployment configuration tasks.

Exam trap

The trap here is that candidates often confuse network security group rules (which control traffic) or availability sets (which provide redundancy) with the ability to run scripts, but only the Custom Script Extension can execute code during VM provisioning.

How to eliminate wrong answers

Option B is wrong because a network security group (NSG) rule allowing RDP from the Internet only opens port 3389 for remote desktop access; it does not install software or run scripts. Option C is wrong because an availability set with two fault domains is a high-availability feature that distributes VMs across separate hardware racks to protect against datacenter failures; it has no capability to execute scripts or install software. Option D is wrong because a managed disk snapshot restored as the operating system disk creates a new VM from a point-in-time copy of a disk; it does not run any scripts or install additional software during provisioning.

88
MCQ · easy

Based on the exhibit, which image source should the administrator use to deploy the same approved server build again?

A. A public marketplace Windows Server image.
B. A custom image stored in Azure Compute Gallery.
C. A snapshot of the VM operating system disk.
D. A temporary disk attached to the VM.
Answer: B

A custom image in Azure Compute Gallery is intended for repeatable deployment of a standardized, generalized VM build. It preserves the patched operating system, installed agent, and line-of-business software so future VMs can be created from the same baseline across environments and subscriptions.

Why this answer

A custom image stored in Azure Compute Gallery (formerly Shared Image Gallery) is the correct choice because it allows the administrator to capture a generalized VM image that includes the exact OS configuration, applications, and settings of the approved server build. This image can then be used repeatedly to deploy identical VMs, ensuring consistency across deployments. Azure Compute Gallery supports versioning and replication across regions, making it the ideal solution for maintaining and distributing a standardized server build.

Exam trap

The trap here is that candidates often confuse a snapshot with a custom image, not realizing that a snapshot is not generalized and cannot be used to deploy multiple identical VMs without manual Sysprep and conversion to a managed image.

How to eliminate wrong answers

Option A is wrong because a public marketplace Windows Server image is a generic, unconfigured base image that does not include the specific applications, patches, or customizations of the approved server build, so it cannot replicate the same build. Option C is wrong because a snapshot of the VM operating system disk captures the disk state at a point in time but is not generalized (it retains the original computer name, SID, and user accounts), and deploying from a snapshot would create a VM with the same identity, leading to conflicts and not a clean, reusable image. Option D is wrong because a temporary disk attached to the VM is a local, ephemeral disk used for temporary storage (e.g., page files) and is not persisted; it cannot be used to deploy a new VM, let alone replicate a server build.

89
MCQ · medium

You need to deploy a set of identical Azure virtual machines that can automatically scale out during demand spikes and scale in when usage falls. Which Azure feature should you use?

A. An availability set
B. A Virtual Machine Scale Set
C. A Recovery Services vault
D. Boot diagnostics
Answer: B

Scale Sets provide fleet management and autoscaling for identical VMs.

Why this answer

A Virtual Machine Scale Set (VMSS) is the correct Azure feature because it is designed specifically to deploy and manage a set of identical, load-balanced VMs that can automatically scale out (increase instance count) during demand spikes and scale in (decrease instance count) when usage falls, using autoscale rules based on metrics like CPU or memory.

Exam trap

The trap here is that candidates often confuse an availability set (which provides high availability) with a scale set (which provides both high availability and automatic scaling), leading them to pick Option A when the question explicitly asks for automatic scaling.

How to eliminate wrong answers

Option A is wrong because an availability set is a logical grouping of VMs to protect against rack-level failures and maintenance events, but it does not provide any automatic scaling capabilities. Option C is wrong because a Recovery Services vault is used for backup and disaster recovery (e.g., Azure Backup, Site Recovery), not for deploying or scaling VMs. Option D is wrong because boot diagnostics captures serial console output and screenshots for troubleshooting VM boot failures, but it has no role in scaling or deploying multiple VMs.

90
MCQ · hard

A release team needs to deploy the same hardened Windows image to VMs in three regions. They must keep approved versions, replicate images to each region, and be able to roll back to an earlier approved version without uploading a new VHD. What should they use as the image source?

A. A managed disk snapshot captured from one reference VM
B. An Azure Compute Gallery image definition with image versions
C. A single unmanaged VHD stored in a storage account
D. A custom script extension that installs the operating system settings after deployment
Answer: B

Compute Gallery supports versioned, replicated images that can be reused and rolled back cleanly.

Why this answer

Azure Compute Gallery (formerly Shared Image Gallery) allows you to store multiple versions of a custom image definition, replicate them across regions, and manage rollbacks by simply changing which image version is referenced during deployment. This meets all requirements: hardened Windows image, multi-region replication, version control, and rollback without uploading a new VHD.

Exam trap

The trap here is that candidates often confuse managed disk snapshots with images, not realizing that snapshots lack the versioning, replication, and deployment flexibility that Azure Compute Gallery provides for multi-region scenarios.

How to eliminate wrong answers

Option A is wrong because a managed disk snapshot is a point-in-time copy of a disk, not an image; it cannot be directly used to deploy VMs in multiple regions with versioning and rollback capabilities. Option C is wrong because a single unmanaged VHD in a storage account lacks built-in versioning, regional replication, and the ability to roll back to an earlier approved version without uploading a new VHD. Option D is wrong because a custom script extension configures settings after deployment, but does not provide an image source for the OS; it cannot serve as the base image for multi-region deployment or version rollback.

91
MCQ · medium

You need to run a scheduled script on an Azure virtual machine every time the VM starts. Which feature should you use?

A. Boot diagnostics
B. A Custom Script Extension
C. Azure Policy
D. An availability set
Answer: B

The Custom Script Extension is used to run scripts on Azure VMs.

Why this answer

The Custom Script Extension (CSE) is the correct choice because it allows you to run a script on an Azure VM during startup by configuring it as part of the VM's provisioning or by using a scheduled task triggered at boot. CSE downloads and executes scripts from Azure Storage or GitHub, making it ideal for custom initialization tasks that must run every time the VM starts.

Exam trap

The trap here is confusing Boot diagnostics (which only provides logs/screenshots) with a feature that actually executes code, leading candidates to select A instead of B.

How to eliminate wrong answers

Option A is wrong because Boot diagnostics captures serial console output and screenshots for troubleshooting boot failures, but it does not execute custom scripts. Option C is wrong because Azure Policy enforces compliance rules on Azure resources (e.g., tagging, location restrictions) and cannot run scripts on VMs. Option D is wrong because an availability set is a logical grouping for high availability across fault and update domains, not a mechanism to execute scripts.

92
Multi-Select · medium

Two workloads have different resilience requirements. Workload A must stay available if a single datacenter in the region fails. Workload B only needs protection from planned maintenance and a single hardware host failure. Which two deployment models should the administrator use? Select two.

Select 2 answers
A. Availability Zones for Workload A
B. Availability Set for Workload B
C. Virtual Machine Scale Set without zones
D. Proximity Placement Group
E. Single VM with premium SSD
Answers: A, B

Zones protect the workload from a datacenter-level outage.

Why this answer

Workload A requires protection against a full datacenter failure within a region. Availability Zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. Deploying VMs across multiple zones ensures that if one zone (datacenter) fails, the workload remains available in another zone.

Workload B only needs protection from planned maintenance and a single hardware host failure. An Availability Set distributes VMs across multiple fault domains (hardware hosts) and update domains (planned maintenance cycles), providing resilience against these specific failure scenarios without requiring zone-level separation.

Exam trap

The trap here is that candidates often confuse Availability Zones with Availability Sets, mistakenly thinking an Availability Set can protect against a full datacenter failure, or they assume a Virtual Machine Scale Set inherently provides zone-level resilience without explicitly configuring zones.

93
MCQeasy

A platform team must deploy the same group of Azure VMs every month from source control and wants the deployment to be repeatable and reviewable. Which approach should they use?

A.Manual portal deployment each month
B.A Bicep template in source control
C.A temporary virtual machine snapshot
D.A network security group rule collection
AnswerB

Bicep is an infrastructure-as-code language that is concise, readable, and well suited for Azure deployments. Storing the template in source control makes the deployment repeatable, auditable, and easy to modify over time. It is a strong choice when the team wants the same VM deployment every month.

Why this answer

Bicep is a domain-specific language (DSL) for deploying Azure resources declaratively. Storing a Bicep template in source control ensures the VM deployment is repeatable (same parameters produce identical infrastructure) and reviewable (changes are tracked via pull requests and commit history), meeting the team's requirements for infrastructure as code (IaC).

Exam trap

The trap here is that candidates may confuse a VM snapshot (a backup artifact) with a deployment template, or think manual portal steps can be 'repeatable' if documented, but Azure explicitly tests the concept that only IaC (Bicep/ARM) ensures true repeatability and auditability from source control.

How to eliminate wrong answers

Option A is wrong because manual portal deployment is not repeatable (prone to human error) and cannot be reviewed via source control, violating the core requirements. Option C is wrong because a temporary VM snapshot captures a point-in-time state of a single VM, not a repeatable deployment definition for a group of VMs, and it cannot be version-controlled or reviewed as code. Option D is wrong because a network security group (NSG) rule collection only defines inbound/outbound traffic rules for network interfaces/subnets, not the deployment of VMs themselves.

94
MCQeasy

Based on the exhibit, the workload must keep running if an entire datacenter in the region becomes unavailable. The region supports availability zones. What should you deploy?

A.An availability set with one update domain per VM.
B.Availability zones with the VMs distributed across zones.
C.A single VM with a premium SSD data disk.
D.An Azure proximity placement group.
AnswerB

Availability zones are the correct choice because they place resources in separate datacenters within the same region. That gives the application resilience if one datacenter or zone becomes unavailable. The scenario explicitly asks for datacenter-level protection, which is what zones are designed to provide.

Why this answer

Availability zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. Deploying VMs across multiple zones ensures that if one entire datacenter fails, the workload continues running in the other zone(s), meeting the requirement for regional datacenter-level resilience.

Exam trap

The trap here is confusing availability sets (which protect against rack-level failures) with availability zones (which protect against datacenter-level failures), leading candidates to choose an availability set when the question explicitly requires surviving an entire datacenter outage.

How to eliminate wrong answers

Option A is wrong because an availability set protects against failures within a single datacenter (e.g., rack or update failures) but cannot survive an entire datacenter outage. Option C is wrong because a single VM with a premium SSD data disk provides no redundancy at the datacenter level; if that datacenter fails, the VM and its disk are lost. Option D is wrong because a proximity placement group is used to minimize network latency between VMs, not to provide disaster recovery across datacenters.

95
Multi-Selecthard

A business-critical application runs in a region that does not support availability zones. It uses two Azure VMs and must survive planned maintenance and a single host failure, but it does not need automatic scale-out. Which two actions should the administrator take? Select two.

Select 2 answers
A.Place both VMs in the same availability set
B.Deploy the VMs so Azure distributes them across fault and update domains within that set
C.Deploy the VMs in separate availability zones
D.Convert the workload to a single larger VM
E.Put the VMs in a proximity placement group
AnswersA, B

This is the standard design for spreading VMs across fault and update domains.

Why this answer

Option A is correct because an availability set provides redundancy within a single region that does not support availability zones, protecting against both planned maintenance (via update domains) and host failures (via fault domains). By placing both VMs in the same availability set, Azure ensures they are distributed across multiple fault domains (up to 3) and update domains (up to 20), so a single hardware failure or planned maintenance event does not affect both VMs simultaneously.

Exam trap

The trap here is that candidates often confuse availability zones with availability sets, assuming zones are always an option, but the question explicitly restricts the region to non-zone support, making the availability set the only viable redundancy mechanism.

96
MCQhard

A line-of-business web tier consists of two Azure VMs in a region that supports availability zones. The business requirement is to survive a full datacenter outage in that region without deploying to a second region. What should the administrator use?

A.An availability set with multiple update domains
B.Availability zones with the VMs placed in different zones
C.A proximity placement group for both VMs
D.A single-zone virtual machine scale set
AnswerB

Zones are isolated datacenter locations within a region, which protects against one datacenter becoming unavailable.

Why this answer

Availability zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. Placing the two VMs in different zones ensures that if one entire datacenter fails, the other VM remains operational, meeting the requirement to survive a full datacenter outage without deploying to a second region.

Exam trap

The trap here is that candidates confuse availability sets (which protect within a datacenter) with availability zones (which protect across datacenters), leading them to choose an availability set despite the explicit requirement to survive a full datacenter outage.

How to eliminate wrong answers

Option A is wrong because an availability set protects against hardware failures within a single datacenter (via fault domains) and planned maintenance (via update domains), but it cannot survive a full datacenter outage since all VMs in an availability set reside in the same datacenter. Option C is wrong because a proximity placement group is designed to reduce network latency by co-locating VMs as close as possible, which actually increases the risk of a single datacenter outage affecting both VMs. Option D is wrong because a single-zone virtual machine scale set places all VM instances in the same availability zone, so a datacenter outage in that zone would take down the entire web tier.

97
Multi-Selecthard

A developer has the Contributor role on a resource group. A Bicep deployment that creates a VM with a public IP fails with a policy denial, but the same template succeeds after the public IP resource is removed. Which two statements are true? Select two.

Select 2 answers
A.The Contributor role allows deployments in the resource group, but it cannot override a deny policy inherited from a higher scope.
B.The policy assignment can apply to the resource group because policy inheritance flows from management group to subscription to resource group.
C.A CanNotDelete lock is the reason the public IP resource cannot be created.
D.Assigning Owner on the resource group would automatically bypass the policy denial and allow the template to deploy unchanged.
E.Moving the VM to another subnet in the same virtual network would remove the inherited policy effect.
AnswersA, B

Contributor grants broad management rights within its scope, but Azure Policy enforcement is separate from RBAC. A deny effect blocks the resource creation even when the user has sufficient permissions. The fact that the deployment succeeds once the public IP is removed strongly indicates a policy rule, not a permissions issue.

Why this answer

Option A is correct because the Contributor role grants full management access to resources within the resource group, but it cannot override Azure Policy effects such as 'deny'. Policy inheritance flows from higher scopes (management group, subscription) down to the resource group, and even a Contributor cannot bypass a deny policy assigned at a higher scope. The Bicep deployment fails specifically because the public IP resource violates a policy rule, not because of a lack of permissions on the role itself.

Exam trap

The trap here is confusing Azure Policy denials with Azure role-based access control (RBAC) or resource locks, leading candidates to incorrectly assume that a higher-privileged role like Owner can override a policy denial, or that a CanNotDelete lock blocks resource creation.

98
MCQmedium

Based on the exhibit, what should the administrator configure so the container group can pull the private image without storing registry credentials?

A.Assign a managed identity to the container group and grant it AcrPull on the registry.
B.Store the ACR admin account password in a container environment variable.
C.Use a SAS token for the container image reference.
D.Place the registry in the same resource group as the container group.
AnswerA

Managed identity-based access is the correct secret-free method for Azure Container Instances to authenticate to Azure Container Registry. By assigning an identity to the container group and granting that identity the AcrPull role on the registry, the group can pull the private image without storing credentials in the template. This satisfies both security and operational requirements.

Why this answer

Option A is correct because Azure Container Groups support managed identities, which allow the container group to authenticate to Azure Container Registry (ACR) without storing any credentials. By assigning a system-assigned or user-assigned managed identity to the container group and granting it the AcrPull role on the registry, the container runtime can use Azure AD authentication to pull the private image. This eliminates the need to store registry admin credentials or SAS tokens in the container configuration.

Exam trap

The trap here is that candidates often confuse SAS tokens (used for Azure Storage) with ACR authentication, or assume that resource group placement or admin credentials are valid solutions, when the core requirement is to use Azure AD-based authentication via a managed identity to avoid storing any credentials.

How to eliminate wrong answers

Option B is wrong because storing the ACR admin account password in a container environment variable exposes the credential in plain text within the container, which is a security risk and does not meet the requirement of not storing registry credentials. Option C is wrong because a SAS token is used for Azure Storage access, not for Azure Container Registry authentication; ACR does not support SAS tokens for image pulls. Option D is wrong because placing the registry in the same resource group as the container group does not grant any authentication permissions; resource group location has no bearing on access control or credential storage.

99
MCQeasy

A web front end must automatically add or remove instances based on demand. The application is stateless and all instances should be managed as one group. Which Azure service should you use?

A.A single Azure VM with a larger size
B.Virtual Machine Scale Set
C.Availability set
D.Managed disk snapshots
AnswerB

A Virtual Machine Scale Set is designed for multiple similar VMs that need to scale together. It is a good fit for stateless workloads because instances can be added or removed without special per-VM configuration. You can also combine it with autoscale rules to respond to changing demand automatically.

Why this answer

Virtual Machine Scale Sets (VMSS) automatically scale the number of VM instances in or out based on demand or a defined schedule, making them ideal for stateless, horizontally scalable applications. They manage all instances as a single group behind a load balancer, ensuring uniform configuration and seamless scaling without manual intervention.

Exam trap

The trap here is that candidates confuse availability sets (which only provide fault tolerance) with auto-scaling, or mistakenly think that a single large VM can handle variable load by resizing, when the question explicitly requires automatic addition/removal of instances as a group.

How to eliminate wrong answers

Option A is wrong because scaling up a single large VM does not provide automatic horizontal scaling; it requires manual resizing and introduces a single point of failure. Option C is wrong because an availability set only distributes VMs across fault and update domains for high availability; it does not provide any auto-scaling capability. Option D is wrong because managed disk snapshots are point-in-time backups used for disaster recovery or cloning, not for dynamic instance management or scaling.

100
MCQeasy

You want to deploy a resource group with Bicep and see the changes Azure plans to make before you apply them. Which command should you run?

A.az deployment group what-if
B.az deployment group create
C.az group delete
D.az vm update
AnswerA

The what-if command previews planned changes so you can review them before deploying the template.

Why this answer

The `az deployment group what-if` command is correct because it performs a dry-run validation of a Bicep (or ARM) deployment against a resource group, showing the changes Azure will make (create, modify, delete) without actually applying them. This is the Azure equivalent of a 'what-if' analysis, allowing you to review the impact before execution.

Exam trap

The trap here is that candidates often confuse `az deployment group what-if` with `az deployment group create`, assuming that `create` also provides a preview, but `create` immediately applies changes without any dry-run capability.

How to eliminate wrong answers

Option B is wrong because `az deployment group create` immediately deploys the Bicep template and applies the changes to the resource group, without providing a preview of the changes. Option C is wrong because `az group delete` removes the entire resource group and all its resources, which is destructive and unrelated to previewing deployment changes. Option D is wrong because `az vm update` modifies an existing virtual machine's properties, not a resource group deployment, and does not offer a what-if preview.

101
MCQmedium

A team standardizes 30 Windows VMs for a line-of-business application. They install IIS, a monitoring agent, and baseline security settings on one reference VM. Future deployments must use that same build and be easy to version. Which Azure feature should the administrator create?

A.A snapshot of the reference VM's OS disk
B.An image version in Azure Compute Gallery
C.An availability set for the reference VM
D.A custom script extension on each new VM
AnswerB

Azure Compute Gallery is designed for publishing, versioning, and distributing custom VM images. It lets administrators capture a hardened reference image, create managed versions, and deploy consistent new VMs from that approved build across environments or regions.

Why this answer

B is correct because an image version in Azure Compute Gallery (formerly Shared Image Gallery) captures the entire VM configuration—including IIS, monitoring agent, and security settings—into a reusable, versioned image. This allows the team to deploy standardized VMs from the same build and easily manage updates by creating new image versions, meeting the requirements for consistency and versioning.

Exam trap

The trap here is that candidates often confuse a snapshot with an image, thinking a snapshot can be used to deploy standardized VMs, but snapshots lack versioning, regional replication, and the ability to create multiple VMs directly without additional conversion steps.

How to eliminate wrong answers

Option A is wrong because a snapshot of the OS disk captures only the disk state at a point in time, not a deployable image; it cannot be used to create multiple VMs with the same build across regions or subscriptions without additional manual steps, and it lacks versioning capabilities. Option C is wrong because an availability set is a logical grouping for high availability that distributes VMs across fault and update domains; it does not capture or replicate the VM's configuration or software build. Option D is wrong because a custom script extension runs scripts on existing VMs to install software or apply settings, but it does not create a reusable, versioned image; each new VM would need to run the extension, which is not a build-based deployment approach.

102
MCQmedium

Based on the exhibit, which restart policy should be configured for the container group?

A.Always
B.OnFailure
C.Never
D.UnlessStopped
AnswerC

Never is the correct restart policy for a one-time task that should stop after finishing successfully. The exhibit describes a batch-style import job, not a long-running service. Using Never ensures the container exits and stays stopped until the next deployment or scheduled run. That behavior matches operational expectations for a completed import process.

Why this answer

The container group in the exhibit is configured with a restart policy of 'Never' because it is designed to run a batch job that should execute once and then terminate. Azure Container Instances supports three restart policies: Always, OnFailure, and Never. Since the task is a one-time job, 'Never' ensures the container does not restart after completion, which is the correct choice for a single-run workload.

Exam trap

The trap here is that candidates confuse Docker's native restart policies (which include 'UnlessStopped') with Azure Container Instances' supported policies, leading them to select 'UnlessStopped' even though it is not available in ACI.

How to eliminate wrong answers

Option A is wrong because 'Always' would restart the container regardless of exit code, which is intended for long-running services like web servers, not for a batch job that should run once. Option B is wrong because 'OnFailure' would restart the container only if it exits with a non-zero exit code, but the exhibit shows the container is expected to complete successfully (exit code 0) and should not restart even on failure in this scenario. Option D is wrong because 'UnlessStopped' is not a valid restart policy for Azure Container Instances; it is a Docker-specific policy not supported in ACI.

103
MCQmedium

After a Windows VM is deployed, an administrator must install IIS, copy application files, and run a post-deployment configuration script without connecting interactively to the server. Which Azure feature should be used?

A.Custom Script Extension.
B.An availability zone assignment.
C.A route table association.
D.A user-assigned managed identity alone.
AnswerA

The Custom Script Extension runs post-provisioning commands and scripts on a VM without interactive login.

Why this answer

The Custom Script Extension (CSE) is the correct Azure feature because it allows you to run scripts on an Azure VM after deployment without requiring interactive login. It is specifically designed for post-deployment configuration tasks like installing IIS, copying application files, and executing configuration scripts, all executed via the Azure VM agent.

Exam trap

The trap here is that candidates may confuse the Custom Script Extension with other automation tools like Azure Automation or Desired State Configuration (DSC), but the question specifically requires a feature that runs a script post-deployment without interactive login, and CSE is the direct, lightweight solution for that task.

How to eliminate wrong answers

Option B is wrong because an availability zone assignment is a high-availability feature that distributes VMs across physically separate datacenters within a region; it does not execute scripts or configure software. Option C is wrong because a route table association controls network traffic routing for subnets or network interfaces, not post-deployment software installation or configuration. Option D is wrong because a user-assigned managed identity alone provides Azure AD authentication for the VM to access Azure resources (e.g., Key Vault, Storage) but does not run scripts or install software; it must be combined with an extension or other mechanism to execute commands.

104
Multi-Selecthard

After applying a custom image, a Linux VM stops at a black screen before the sign-in prompt. The administrator cannot use RDP or SSH and needs the fastest way to inspect the boot process. Which two actions should they take? Select two.

Select 2 answers
A.Enable Boot diagnostics on the virtual machine.
B.Review the screenshot and serial log in Boot diagnostics.
C.Reimage the VM immediately to a clean managed disk.
D.Increase the VM size to a larger SKU.
E.Reset the network interface configuration from the portal.
AnswersA, B

Correct. Boot diagnostics captures startup output even when the guest OS does not finish booting.

Why this answer

Enabling Boot diagnostics on the virtual machine allows the administrator to capture serial console output and screenshots of the VM during boot. This is the fastest way to inspect the boot process without requiring network connectivity (RDP/SSH), as the serial log provides kernel-level messages and the screenshot shows the display state at the point of failure.

Exam trap

The trap here is that candidates may assume RDP/SSH are the only ways to diagnose a VM, overlooking that Boot diagnostics provides out-of-band access to boot-time information even when the OS is unresponsive.

105
MCQeasy

A team has an approved Windows VM that already includes their application, patches, and monitoring agent. They want future VMs to start with the same configuration. What should they use?

A.A managed image created from the approved VM
B.An availability set
C.A snapshot of the OS disk
D.A larger virtual machine size
AnswerA

A managed image captures the configured operating system and installed software so you can deploy new VMs with the same baseline. This is the simplest way to standardize a known-good VM configuration for repeated use. It fits the requirement because the team wants future VMs to start from the same approved setup, not rebuild the software manually each time. It is an operationally common choice for consistent VM deployment.

Why this answer

A managed image captures the entire VM configuration, including the OS, application, patches, and monitoring agent, allowing you to create multiple identical VMs from a single source. Unlike a snapshot, which is tied to a specific disk and requires manual steps to replicate the full VM setup, a managed image provides a reusable template for consistent deployments. This approach ensures future VMs start with the exact same configuration as the approved VM.

Exam trap

The trap here is that candidates often confuse a snapshot with a managed image, not realizing that a snapshot only captures a single disk's state and lacks the VM-level configuration needed to create a fully functional VM directly.

How to eliminate wrong answers

Option B is wrong because an availability set is a logical grouping of VMs to ensure high availability across fault and update domains, not a mechanism to capture or replicate a VM's configuration. Option C is wrong because a snapshot of the OS disk captures only the disk state at a point in time, but it does not include the VM's metadata, network settings, or other attached disks, requiring additional steps to create a full VM from it. Option D is wrong because a larger VM size changes the hardware resources (CPU, RAM) but does not preserve or replicate the software configuration, patches, or applications of the approved VM.

106
Multi-Selectmedium

A development team needs a new Windows VM created from an approved hardened image, and IIS must be installed automatically after deployment. Which three actions should the administrator take? Select three.

Select 3 answers
A.Use an Azure Compute Gallery image version created from the approved hardened build.
B.Reference that gallery image as the source image in the VM deployment.
C.Include the IIS extension or a custom script extension in the same deployment template or script.
D.Start from a fresh marketplace image and harden it manually after the VM is running.
E.Install IIS interactively after logging in to the VM with an administrator account.
AnswersA, B, C

Azure Compute Gallery lets the team store and version approved images centrally. That makes it easy to deploy future VMs from the same hardened baseline rather than rebuilding the image each time.

Why this answer

Option A is correct because an Azure Compute Gallery (formerly Shared Image Gallery) allows you to create and store custom VM images, including hardened builds. Using a gallery image version ensures the VM is deployed from an approved, pre-configured image that meets security and compliance requirements, avoiding the need to manually harden a fresh marketplace image.

Exam trap

The trap here is that candidates may think manual hardening or interactive installation is acceptable, but the question explicitly requires automation and an approved hardened image, making options D and E incorrect because they lack automation and consistency.

107
Multi-Selectmedium

Two line-of-business VMs in a single region must stay available if one physical host is patched or fails. A zone failure is not part of the requirement. Which three actions should the administrator take? Select three.

Select 3 answers
A.Create an availability set for the application VMs before deployment.
B.Deploy both VMs into the same availability set.
C.Allow Azure to place the VMs across different fault and update domains within the availability set.
D.Deploy the VMs in separate availability zones to protect against a datacenter outage.
E.Use a single larger VM and rely on snapshots for uptime.
AnswersA, B, C

An availability set is the correct Azure construct for protecting workloads from host-level maintenance and failures inside a datacenter. It provides the placement mechanism needed to improve availability without requiring zone-level resilience.

Why this answer

Option A is correct because an availability set ensures that VMs are placed on different fault domains (physical hosts) and update domains within a single Azure region, protecting against physical host patching or failure. This meets the requirement of keeping VMs available during a single host event without requiring zone-level redundancy.

Exam trap

The trap here is that candidates often confuse availability sets (protecting against host failure) with availability zones (protecting against datacenter failure), leading them to select zone-based deployment when the requirement only specifies a single host failure scenario.

108
MCQeasy

A line-of-business app runs on two Azure VMs in the same region. The business wants to reduce the chance that both VMs are affected by the same planned host update. What should the administrator use?

A.An availability set
B.A public load balancer
C.A managed image
D.A private endpoint
AnswerA

An availability set spreads VMs across fault domains and update domains within a datacenter environment. This reduces the chance that a planned host update or a hardware issue affects both VMs at the same time. It is the right choice when the goal is host-level resilience for VMs in the same region.

Why this answer

An availability set ensures that VMs are placed on different fault domains and update domains within an Azure datacenter. Fault domains isolate VMs from shared hardware failures, while update domains ensure that planned host updates (e.g., OS patching) are applied sequentially across groups, so not all VMs are rebooted simultaneously. This directly reduces the chance that both VMs are affected by the same planned host update.

Exam trap

The trap here is that candidates often confuse availability sets (logical grouping for update/fault domain isolation within a single datacenter) with availability zones (physical separation across datacenters), or mistakenly think a load balancer provides high availability against planned maintenance, when it only distributes traffic and does not affect host placement.

How to eliminate wrong answers

Option B is wrong because a public load balancer distributes incoming traffic across VMs but does not influence the underlying host placement or update scheduling; it operates at the network layer (Layer 4) and cannot protect against planned host updates. Option C is wrong because a managed image is a snapshot of a VM's OS and data disks used for scaling out identical VMs, but it has no effect on how those VMs are placed across update or fault domains. Option D is wrong because a private endpoint provides secure connectivity to Azure PaaS services over a private IP address in a virtual network; it is a networking construct unrelated to VM placement or host update isolation.

109
Drag & Dropmedium

Order the steps to configure Azure DNS for a custom domain.

Why this order

Create zone, add records, get name servers, update registrar, verify.

110
MCQhard

A web application runs in Azure App Service and uploads files to Azure Blob Storage. The storage account has shared key access disabled, and the app must not store secrets in configuration. If the App Service is deleted and recreated later, the storage access should be removed automatically with the app. What should you configure?

A.A system-assigned managed identity with Blob Data Contributor permissions on the container.
B.A user-assigned managed identity with Blob Data Reader permissions on the storage account.
C.A shared access signature generated from the storage account key.
D.A storage account access key stored in an application setting.
AnswerA

A system-assigned managed identity is tied directly to the App Service instance and disappears when the app is deleted, which satisfies the automatic cleanup requirement. Because shared key access is disabled and secrets are not allowed in configuration, the app should authenticate through Microsoft Entra ID using the managed identity. Assigning Blob Data Contributor at the appropriate scope allows upload access without storing credentials.

Why this answer

A system-assigned managed identity is tied to the App Service lifecycle, so when the app is deleted, the identity is automatically removed, revoking access to Blob Storage. Granting Blob Data Contributor permissions on the container allows the app to upload files without storing any secrets, satisfying the requirement that shared key access is disabled and no secrets are stored in configuration.

Exam trap

The trap here is that candidates might choose a user-assigned managed identity (Option B) because it also avoids secrets, but they overlook the requirement that access must be automatically removed when the app is deleted, which only a system-assigned identity guarantees.

How to eliminate wrong answers

Option B is wrong because a user-assigned managed identity persists independently of the App Service lifecycle, so deleting the app would not automatically remove storage access; also, Blob Data Reader is insufficient for uploading files. Option C is wrong because a shared access signature (SAS) requires a storage account key to generate, and shared key access is disabled, making this option invalid; additionally, the SAS would need to be stored as a secret. Option D is wrong because storing a storage account access key in an application setting violates the requirement that the app must not store secrets in configuration, and shared key access is disabled.

111
MCQ · medium

After a custom image is applied, a VM restarts to a black screen and never reaches the login prompt. The administrator needs the fastest way to inspect what happened during boot without logging into the guest OS. What should be enabled or reviewed first?

A. Boot diagnostics
B. Azure Monitor metric alert
C. VM extension status
D. Network Watcher IP flow verify
Answer: A

Boot diagnostics captures a screenshot and serial log data that help diagnose failures before the guest OS loads.

Why this answer

Boot diagnostics captures serial console output and screenshots of the VM during boot, allowing you to inspect boot failures like a black screen without guest OS access. This is the fastest method because it provides immediate, out-of-band visibility into the boot process, including kernel panics or driver issues, without requiring RDP or SSH connectivity.

Exam trap

The trap here is that candidates often confuse Boot diagnostics (which captures boot-time logs and screenshots) with VM extension status or metrics, mistakenly thinking they can diagnose a boot failure from post-boot telemetry or network checks.

How to eliminate wrong answers

Option B is wrong because Azure Monitor metric alerts monitor performance metrics (e.g., CPU, memory) and cannot capture boot-time logs or screenshots; they are reactive to post-boot conditions, not boot failures. Option C is wrong because VM extension status shows the state of installed extensions (e.g., custom scripts, antivirus), which run after the OS loads, so they cannot reveal why the VM failed to reach the login prompt during boot. Option D is wrong because Network Watcher IP flow verify checks network connectivity (e.g., allowed/denied traffic) between a source and destination, which is irrelevant to a boot failure that manifests as a black screen before any network services start.

112
MCQ · easy

A workload needs more CPU and memory than the current Azure VM size provides. The administrator wants to increase compute capacity without redeploying the application. What should be done?

A. Resize the VM to a larger size
B. Move the VM into an availability set
C. Replace the VM with a snapshot
D. Assign a user-assigned managed identity
Answer: A

Resizing changes the VM's compute capacity while keeping the same VM and typically preserves the installed application.

Why this answer

Resizing the Azure VM to a larger size (option A) directly increases the CPU and memory resources allocated to the VM without requiring redeployment of the application. Azure supports resizing VMs within the same hardware family or to a different family, provided the new size is available in the current region and the VM is not part of a VMSS with overprovisioning constraints. The resize operation updates the VM's SKU, and after a reboot, the new resources are available to the OS and applications.

Exam trap

The trap here is that candidates may confuse 'increasing compute capacity' with high availability features (availability set) or identity management, leading them to select options that do not address resource scaling.

How to eliminate wrong answers

Option B is wrong because moving a VM into an availability set does not change its compute capacity (CPU/memory); it only provides high availability by distributing replicas across fault and update domains. Option C is wrong because replacing a VM with a snapshot creates a new VM from a disk image, which requires redeployment and does not inherently increase the size of the original VM's resources. Option D is wrong because assigning a user-assigned managed identity grants the VM access to Azure resources (e.g., Key Vault, Storage) without affecting its CPU or memory allocation.

113
Multi-Select · medium

A customer-facing application has two goals: it must keep running if one datacenter in the region fails, and it must be able to scale out automatically during daily peaks. Which two Azure compute choices best match those requirements? Select two.

Select 2 answers
A. Deploy the workload across Availability Zones
B. Place all instances in one Availability Set
C. Use a Virtual Machine Scale Set with autoscale
D. Run a single VM behind a load balancer
E. Use a proximity placement group
Answers: A, C

Zones place instances in separate datacenters to reduce outage impact.

Why this answer

Option A is correct because deploying across Availability Zones provides datacenter-level fault tolerance: each zone is an isolated physical datacenter with independent power, cooling, and networking. If one zone fails, the application continues running in the other zones. Option C is correct because a Virtual Machine Scale Set with autoscale automatically adjusts the number of VM instances based on CPU or memory metrics, enabling the application to scale out during daily peaks and scale in during off-peak hours.

Exam trap

The trap here is that candidates often confuse Availability Sets (which protect against rack failures) with Availability Zones (which protect against datacenter failures), and they may overlook that a single VM behind a load balancer still has a single point of failure.

114
MCQ · medium

A container group in Azure Container Instances must pull a private image from Azure Container Registry without embedding registry credentials in the template. What should you configure?

A. A managed identity for the container group and the AcrPull role on the registry
B. An admin user account on the Azure Container Registry
C. A shared access signature in a container environment variable
D. A public network access rule that allows all Azure services
Answer: A

A managed identity lets the container group authenticate to ACR without secrets, and AcrPull grants pull permission.

Why this answer

Option A is correct because Azure Container Instances (ACI) can authenticate to Azure Container Registry (ACR) using a managed identity assigned to the container group. By granting the managed identity the AcrPull role on the registry, ACI can pull private images without embedding any credentials in the deployment template, leveraging Azure AD authentication and RBAC for secure access.

Exam trap

The trap here is that candidates often confuse network access controls (like 'Allow Azure Services' or service endpoints) with authentication mechanisms, assuming that enabling network rules alone grants pull access, when in fact a managed identity with AcrPull is required for credential-free authentication.

How to eliminate wrong answers

Option B is wrong because enabling the admin user account on ACR creates a static username/password pair that would need to be embedded in the container group template or passed as environment variables, violating the requirement to avoid embedding credentials. Option C is wrong because a shared access signature (SAS) is used for delegated access to Azure Storage resources (blobs, files, queues), not for authenticating to ACR; ACR uses OAuth2 tokens or admin credentials, not SAS tokens. Option D is wrong because a public network access rule allowing all Azure services only controls network-level access to the registry (bypassing firewalls), not authentication; it does not provide the container group with any identity or credentials to pull the image.

115
Multi-Select · hard

A build agent VM is recreated from image every night. The OS can be lost on reimage, but build caches and artifacts must persist across rebuilds. The team also wants the cheapest OS storage option that supports this pattern. Which two choices should you make? Select two.

Select 2 answers
A. Use an ephemeral OS disk.
B. Place build caches and artifacts on a separate managed data disk.
C. Use a Premium SSD OS disk so the reimage is preserved.
D. Store the caches only on the temporary resource disk.
E. Use an availability set to make the OS disk persistent.
Answers: A, B

An ephemeral OS disk is the cheapest OS storage choice for a VM that can be recreated from image often. It is acceptable here because the scenario explicitly says the OS can be lost on reimage.

Why this answer

Option A is correct because an ephemeral OS disk uses the local VM storage or temp SSD, which is destroyed when the VM is deallocated or reimaged. This matches the requirement that the OS can be lost on reimage. Option B is correct because placing build caches and artifacts on a separate managed data disk ensures they persist independently of the OS disk lifecycle; data disks are not affected by OS reimaging and can be reattached to the new VM instance.

Exam trap

The trap here is that candidates often confuse the temporary resource disk (which is also ephemeral) with a managed data disk, or assume that Premium SSD or availability sets provide persistence, when in fact only a separate managed data disk ensures data survives OS reimaging.

116
MCQ · easy

You are creating a new Ubuntu VM and want it to create a local admin account and install packages automatically on the first boot. Which approach should you use?

A. Use an availability set so the script runs during placement.
B. Use cloud-init to run first-boot configuration in Linux.
C. Use a snapshot of the operating system disk.
D. Use a custom image and manually log in later.
Answer: B

cloud-init is designed for Linux first-boot automation and can create users, install packages, and apply startup settings.

Why this answer

Cloud-init is the standard method for automating first-boot configuration on Linux VMs in Azure. It processes user-data (such as cloud-config YAML) to create users, install packages, and run scripts during initial boot, making it the correct choice for creating a local admin account and installing packages automatically.

Exam trap

The trap here is that candidates may confuse availability sets with orchestration features or assume snapshots can trigger automation, missing that cloud-init is the Azure-native solution for first-boot configuration in Linux.

How to eliminate wrong answers

Option A is wrong because an availability set is a logical grouping for VM fault and update domains, not a mechanism to run scripts during placement. Option C is wrong because a snapshot captures the disk state at a point in time but does not trigger any automated first-boot configuration. Option D is wrong because a custom image only provides a pre-configured OS; it does not automatically create a local admin account or install packages on first boot without additional tooling like cloud-init.

117
Multi-Select · hard

A development team wants to publish an internet-facing application directly from source code. The solution must support built-in HTTPS, deployment slots for safe testing, and autoscale as demand changes. Which two choices should the administrator select? Select two.

Select 2 answers
A. Use Azure App Service.
B. Choose an App Service plan at Standard tier or higher.
C. Use Azure Container Instances for the public application.
D. Deploy the app on a virtual machine scale set.
E. Use an availability set for the application instances.
Answers: A, B

Correct. App Service is designed for hosted web applications with managed platform features.

Why this answer

Azure App Service is a fully managed platform for building, deploying, and scaling web apps. It natively supports publishing directly from source code (via continuous deployment from GitHub, Azure Repos, or Bitbucket), built-in HTTPS (with automatic certificate management), deployment slots for staging and swapping, and autoscale based on metrics or schedules. These features directly satisfy all the requirements stated in the question.

Exam trap

The trap here is that candidates often confuse Azure Container Instances or virtual machine scale sets as simpler alternatives, but they lack the integrated deployment slots and built-in HTTPS management that App Service provides out of the box.

118
MCQ · medium

An operations team maintains a hardened Windows base image that includes patch baseline settings and monitoring agents. They need to publish new versions, replicate the image to another region, and deploy future VMs from the same controlled image source. What should they use?

A. A snapshot of the generalized OS disk.
B. An Azure Compute Gallery image version.
C. A VM extension on an existing VM.
D. An availability set for the image resources.
Answer: B

Compute Gallery supports versioned images, replication across regions, and repeatable VM deployment from one source.

Why this answer

An Azure Compute Gallery (formerly Shared Image Gallery) is the correct service for managing, versioning, replicating, and deploying custom Windows images across regions. It supports multiple image versions, regional replication, and allows you to deploy VMs from a controlled, hardened base image. Snapshots alone lack versioning and cross-region replication capabilities.

Exam trap

The trap here is that candidates often confuse a simple snapshot or managed disk copy with the versioning, replication, and lifecycle management capabilities that only an Azure Compute Gallery provides.

How to eliminate wrong answers

Option A is wrong because a snapshot of a generalized OS disk is a point-in-time copy that cannot be versioned, replicated across regions, or used as a managed image source for consistent VM deployments. Option C is wrong because a VM extension is used to configure software or agents on an existing VM, not to publish, replicate, or deploy new VM images. Option D is wrong because an availability set is a logical grouping for VM fault and update domains, not a mechanism for managing or distributing image versions.

119
Multi-Select · hard

An application runs on two VMs in one Azure region. The business wants protection from a single hardware host failure and planned maintenance, but it does not require protection from an entire datacenter outage. Which two choices should the administrator make? Select two.

Select 2 answers
A. Place the workload in a single VM with a premium SSD.
B. Place both VMs in an availability set.
C. Use availability zones across the region.
D. Keep at least two running VMs in that availability set.
E. Replicate the VMs to another region with Azure Site Recovery.
Answers: B, D

Correct. Availability sets are the standard option for protecting VMs from host and maintenance domain failures.

Why this answer

An availability set distributes VMs across multiple fault domains (hardware hosts) and update domains within a single Azure datacenter. This protects against a single hardware host failure and planned maintenance (update domains ensure VMs are not rebooted simultaneously during updates). Option B is correct because it provides this isolation without requiring protection from an entire datacenter outage.

Exam trap

The trap here is that candidates often confuse availability zones (which protect against datacenter failure) with availability sets (which protect against host failure and maintenance), leading them to select option C when the requirement is only for host-level and maintenance protection.

120
Matching · easy

Match each VM identity concept to its best use.

Matches

Best for one VM; the identity is deleted with the VM.

Can be attached to multiple VMs.

Lets an app get Azure tokens without storing secrets.

Grants permissions to an Azure resource at a chosen scope.

Why these pairings

Managed identities (system-assigned or user-assigned) eliminate credential management; Azure AD app identity is for custom apps; IMDS provides tokens; role assignments grant access to resources.

121
MCQ · medium

A stateless web application is hosted on an Azure virtual machine scale set. Traffic is predictable: CPU usage stays below 20% overnight, then rises above 70% during business hours. The administrator wants the instance count to increase automatically when average CPU stays high for 10 minutes and to decrease after demand drops. What should be configured?

A. A proximity placement group for the scale set instances.
B. Manual scale operations only.
C. Autoscale rules on the virtual machine scale set.
D. An availability set with three update domains.
Answer: C

Autoscale rules can add or remove VMSS instances based on CPU thresholds and time conditions.

Why this answer

Autoscale rules on the virtual machine scale set allow the administrator to define a scale-out condition (e.g., average CPU > 70% for 10 minutes) and a scale-in condition (e.g., average CPU < 20% for a specified duration). This matches the requirement for automatic, metric-based scaling based on predictable traffic patterns.

Exam trap

The trap here is that candidates may confuse availability sets or proximity placement groups with autoscaling, thinking they provide automatic instance count adjustments, when in fact they only address placement or fault tolerance.

How to eliminate wrong answers

Option A is wrong because a proximity placement group is used to reduce network latency between VMs by ensuring they are physically close, not for automatic scaling based on CPU metrics. Option B is wrong because manual scale operations require an administrator to manually change the instance count, which does not meet the requirement for automatic scaling when CPU stays high or drops. Option D is wrong because an availability set with update domains is a high-availability feature for VMs, not a scaling mechanism; it does not provide automatic scaling based on CPU usage.

122
MCQ · easy

Based on the exhibit, a stateless web app must add VM instances during business hours and remove them at night based on CPU usage. Which Azure service should the administrator deploy?

A. An availability set with two virtual machines.
B. An Azure virtual machine scale set.
C. A single Azure VM with a larger size.
D. A recovery services vault.
Answer: B

A virtual machine scale set is designed for identical VM instances that can scale out and scale in automatically. It works well for stateless workloads, and autoscale rules can use CPU thresholds or schedules to adjust capacity over time. This exactly matches the requirement for business-hour scaling.

Why this answer

An Azure virtual machine scale set (VMSS) is the correct choice because it automatically scales the number of VM instances in or out based on CPU usage metrics, and it supports scheduled scaling to add instances during business hours and remove them at night. This aligns with the stateless web app requirement for elastic, automated scaling without manual intervention.

Exam trap

The trap here is that candidates often confuse availability sets (which provide high availability) with scale sets (which provide autoscaling), leading them to pick Option A for a scenario that explicitly requires dynamic scaling based on load and schedule.

How to eliminate wrong answers

Option A is wrong because an availability set only provides high availability by distributing VMs across fault and update domains, but it does not offer any autoscaling capability based on CPU usage or time-based schedules. Option C is wrong because a single larger VM cannot dynamically add or remove instances; it only provides fixed compute capacity and cannot scale out to handle variable load. Option D is wrong because a Recovery Services vault is used for backup and disaster recovery, not for scaling compute resources.

123
MCQ · easy

A developer wants to publish an internet-facing web application from source code. The solution must support built-in HTTPS, deployment slots for testing, and autoscale. The team does not want to manage servers. Which Azure service should the administrator recommend?

A. Azure App Service
B. Azure Container Instances
C. Azure Virtual Machine Scale Sets
D. Azure Bastion
Answer: A

Azure App Service is designed for hosting web applications and APIs with minimal infrastructure management. It supports built-in TLS/HTTPS, deployment slots for staging and swap testing, and autoscale for changing demand. Those features make it a strong fit for internet-facing applications that need operational simplicity and common web hosting capabilities without managing virtual machines.

Why this answer

Azure App Service is the correct choice because it provides a fully managed platform for hosting web applications from source code, with built-in support for HTTPS via TLS/SSL certificates, deployment slots for staging and testing, and autoscale capabilities. It eliminates server management, aligning with the requirement for a PaaS (Platform as a Service) solution that handles infrastructure, patching, and scaling automatically.

Exam trap

The trap here is that candidates often confuse Azure Container Instances with Azure App Service for web apps, overlooking that Container Instances lacks built-in deployment slots and autoscale for web applications, and requires additional orchestration for HTTPS and scaling.

How to eliminate wrong answers

Option B (Azure Container Instances) is wrong because it is a container orchestration service that requires managing container images and does not natively provide deployment slots or built-in HTTPS with autoscale for web apps; it is designed for running containers on demand, not for hosting a web application from source code with those features. Option C (Azure Virtual Machine Scale Sets) is wrong because it is an IaaS (Infrastructure as a Service) solution that requires managing VMs, operating systems, and scaling rules manually, contradicting the 'no server management' requirement; it also lacks built-in HTTPS and deployment slots without additional configuration. Option D (Azure Bastion) is wrong because it is a PaaS service for secure RDP/SSH access to virtual machines, not for hosting web applications; it does not support HTTPS, deployment slots, or autoscale for web apps.

124
MCQ · easy

Based on the exhibit, which Azure compute service should you deploy for a stateless web app that needs more instances during business hours and fewer at night?

A. A single larger virtual machine.
B. A virtual machine scale set with autoscale rules.
C. An availability set with two VMs.
D. A dedicated host with one VM per host.
Answer: B

A virtual machine scale set is the right choice because it can run multiple identical instances and scale them automatically when demand changes. The exhibit shows predictable workload spikes, and the app is stateless, so instances can be added or removed without affecting user sessions.

Why this answer

A virtual machine scale set with autoscale rules is the correct choice because it automatically adjusts the number of VM instances based on demand, scaling out during business hours and scaling in at night. This matches the stateless web app requirement, as scale sets are designed for stateless workloads where instances can be added or removed without data loss.

Exam trap

The trap here is that candidates often confuse availability sets (high availability) with autoscaling, or think a single large VM can handle variable load by resizing, but autoscaling requires horizontal scaling via VMSS.

How to eliminate wrong answers

Option A is wrong because a single larger virtual machine cannot scale out or in; it only provides vertical scaling (resizing), which requires downtime and does not handle variable load efficiently. Option C is wrong because an availability set with two VMs provides high availability but no autoscaling; it keeps a fixed number of instances regardless of demand. Option D is wrong because a dedicated host with one VM per host is for licensing or compliance requirements, not for dynamic scaling, and it does not support automatic instance count adjustments.

125
MCQ · medium

A build pipeline starts a containerized data-processing job every evening. Each run finishes in under 20 minutes, does not need persistent servers, and never receives inbound traffic. Which compute service best fits this workload?

A. Azure App Service
B. Azure Container Instances
C. Azure Virtual Machines
D. Azure Kubernetes Service
Answer: B

Azure Container Instances is designed for on-demand container execution without managing a cluster or servers.

Why this answer

Azure Container Instances (ACI) is the best fit because it allows you to run a containerized job directly in Azure without provisioning or managing any underlying infrastructure. The workload is short-lived (under 20 minutes), requires no persistent servers, and has no inbound traffic, which aligns perfectly with ACI's pay-per-second billing and ability to start containers on demand from a build pipeline.

Exam trap

The trap here is that candidates often choose Azure Kubernetes Service (D) because they associate containers with Kubernetes, overlooking that ACI is the simpler, more cost-effective solution for single, short-lived containerized jobs without orchestration needs.

How to eliminate wrong answers

Option A is wrong because Azure App Service is designed for hosting web applications and RESTful APIs that require persistent HTTP/HTTPS endpoints and inbound traffic, not for ephemeral batch jobs that never receive inbound traffic. Option C is wrong because Azure Virtual Machines require provisioning and managing a full OS, incurring costs even when idle, and are overkill for a containerized job that runs for under 20 minutes without persistent servers. Option D is wrong because Azure Kubernetes Service is a complex orchestration platform designed for managing multiple containers across a cluster, which introduces unnecessary overhead and cost for a single, short-lived containerized job that does not need scaling, load balancing, or persistent storage.

126
Multi-Select · medium

You are designing a containerized application deployment in Azure. Which three options must you consider when choosing between Azure Container Instances (ACI) and Azure Kubernetes Service (AKS)? (Choose three.)

Select 3 answers
A. ACI is ideal for simple, short-lived tasks or burst workloads that do not require orchestration.
B. AKS provides built-in auto-scaling, service discovery, and rolling update capabilities.
C. ACI supports mounting an Azure Files share as a persistent volume.
D. AKS supports only Linux-based container images and cannot run Windows containers.
E. ACI automatically manages container orchestration, including load balancing and scaling across nodes.
F. AKS requires you to manage the underlying virtual machine infrastructure, including patching the OS.

Why this answer

ACI is correct because it is designed for simple, short-lived tasks or burst workloads that do not require orchestration, making it ideal for scenarios like batch processing or event-driven applications. AKS is correct because it provides built-in auto-scaling, service discovery, and rolling update capabilities, which are essential for managing complex microservices architectures. ACI is correct because it supports mounting an Azure Files share as a persistent volume, enabling stateful workloads to share data across container instances.

Exam trap

The trap here is that candidates may confuse ACI's lack of orchestration with automatic orchestration, or assume AKS requires full VM management, when in fact AKS abstracts node management through managed node pools.

127
MCQ · easy

You have already deployed a Windows Server VM. After provisioning, you need to run a PowerShell script once to configure an application and create a registry setting without logging in interactively. Which Azure feature should you use?

A. Custom Script Extension
B. cloud-init
C. Azure Policy
D. Recovery Services vault
Answer: A

This extension can download and run a script on a VM after deployment without requiring interactive logon.

Why this answer

The Custom Script Extension (CSE) is the correct choice because it allows you to run a PowerShell script on a Windows VM after provisioning, without requiring interactive logon. It executes the script as the local system account, making it ideal for one-time configuration tasks like setting registry keys or installing applications. This aligns with the requirement to run a script once non-interactively.

Exam trap

The trap here is that candidates often confuse cloud-init (a Linux-only tool) with the Custom Script Extension, mistakenly assuming cloud-init works on Windows VMs, or they think Azure Policy can execute scripts when it only evaluates and enforces policies.

How to eliminate wrong answers

Option B (cloud-init) is wrong because it is designed for Linux VMs and uses cloud-init scripts (e.g., YAML or shell scripts), not PowerShell; it does not support Windows Server. Option C (Azure Policy) is wrong because it enforces compliance rules and governance at the subscription or resource group level, not for executing one-time scripts on a specific VM. Option D (Recovery Services vault) is wrong because it is used for backup and disaster recovery (e.g., Azure Backup, Site Recovery), not for running configuration scripts.

128
Multi-Select · medium

A Linux VM deployed from a custom image shows only a black screen after reboot, and SSH never becomes available. The administrator needs to inspect the startup process without logging into the OS. Which two Azure features should be used? Select two.

Select 2 answers
A. Boot diagnostics
B. Azure Serial Console
C. Azure Site Recovery
D. VM application health extension
E. Azure Backup restore point
Answers: A, B

Provides console output and screenshots for startup troubleshooting.

Why this answer

Boot diagnostics captures serial console output and screenshots of the VM during boot, allowing you to see kernel panics, driver failures, or bootloader errors even when the OS is unresponsive. Azure Serial Console provides a text-based console connection to the VM at the hypervisor layer, enabling interactive troubleshooting of the boot process (e.g., GRUB recovery, initramfs issues) without requiring network connectivity or SSH.

Exam trap

The trap here is that candidates confuse Azure Serial Console with SSH or RDP, assuming it requires the OS to be running, when in fact it works at the hypervisor level and is available even if the OS has not fully booted.

129
MCQ · easy

An administrator needs to deploy a VM quickly using the same hardened operating system image that was approved by the security team. What should the administrator use as the source for the new VM?

A. A managed image
B. A network interface
C. A resource lock
D. A public IP address
Answer: A

A managed image captures the OS disk configuration of a prepared VM and can be used as the source for creating new VMs. It is a common way to standardize deployments when the organization has an approved build with hardening already applied. This supports quick and consistent provisioning.

Why this answer

A managed image captures a fully configured, hardened OS disk (including installed software and settings) as a reusable snapshot. When deploying a new VM, specifying this managed image as the source ensures the VM boots with the exact, security-approved OS configuration, meeting the requirement for a quick, consistent deployment.

Exam trap

The trap here is that candidates may confuse a managed image with a snapshot or a VHD, but a managed image is the correct source for deploying a new VM with a specific OS configuration, while a snapshot is used for backup or disk cloning, not direct VM creation.

How to eliminate wrong answers

Option B is wrong because a network interface is a virtual network adapter that provides connectivity; it does not contain an OS image or bootable disk. Option C is wrong because a resource lock prevents accidental deletion or modification of a resource; it has no role in providing an OS image for VM deployment. Option D is wrong because a public IP address is a network addressing resource that enables inbound/outbound internet access; it cannot serve as a source for an operating system image.

130
MCQmedium

Administrators need to manage Linux virtual machines that do not have public IP addresses. They want to connect from a browser without installing a VPN client. Which Azure service should they use?

A.Azure Bastion
B.VPN Gateway
C.Load Balancer
D.Private endpoint
AnswerA

Azure Bastion provides secure browser-based RDP and SSH access to VMs using the private IP address. It avoids exposing public IPs on the virtual machines and does not require a VPN client.

Why this answer

Azure Bastion provides secure, seamless RDP/SSH connectivity to virtual machines directly from the Azure portal over TLS, without requiring public IP addresses or a VPN client. It uses a browser-based HTML5 client, making it ideal for administrators who need to manage Linux VMs without exposing them to the internet or installing additional software.

Exam trap

The trap here is that candidates often confuse Azure Bastion with VPN Gateway, assuming a VPN is required for private VM access, but Bastion eliminates the need for a VPN client by providing browser-based connectivity directly through the Azure portal.

How to eliminate wrong answers

Option B (VPN Gateway) is wrong because it requires installing a VPN client on the administrator's device and establishing a site-to-site or point-to-site tunnel, which contradicts the requirement of connecting from a browser without a VPN client. Option C (Load Balancer) is wrong because it distributes incoming network traffic across multiple VMs but does not provide direct administrative access or a browser-based console to individual VMs. Option D (Private endpoint) is wrong because it is used to securely connect to Azure PaaS services over a private IP address, not to provide browser-based management access to VMs.

131
Multi-Selecteasy

An administrator wants future VMs to start from the same approved server build as an existing generalized VM. Which two image sources can be used to create the new VM? Select two.

Select 2 answers
A.A managed image created from the approved server build.
B.An image stored in Azure Compute Gallery.
C.A Marketplace image from the operating system vendor.
D.A single managed disk snapshot.
E.A public IP address assigned to the VM.
AnswersA, B

A managed image captures a reusable VM image from a generalized source and can be used to deploy new VMs.

Why this answer

A managed image captures the exact configuration of a generalized VM, including the OS and data disks, and can be used to deploy multiple identical VMs. This ensures that future VMs start from the same approved server build without needing to recreate the image each time.

Exam trap

The trap here is that candidates often confuse a single disk snapshot with a managed image, not realizing that a snapshot lacks the VM configuration and multiple disk support required to replicate the full approved build.

132
MCQeasy

A customer-facing application runs on two Azure VMs. The business wants the application to stay available even if one datacenter in the Azure region has an outage. Which availability option should the administrator use?

A.Availability set
B.Availability zones
C.Proximity placement group
D.Azure Load Balancer
AnswerB

Availability zones place resources in physically separate datacenters within the same Azure region. That gives the application protection against a full datacenter failure, which is the scenario described. When the workload must survive a zone outage, zones are the right resiliency choice rather than a same-datacenter availability set.

Why this answer

Availability Zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. By deploying the two VMs into different zones, the application remains available if one entire datacenter fails, meeting the requirement for datacenter-level fault tolerance.

Exam trap

The trap here is that candidates confuse Availability Sets (which protect against rack-level failures within one datacenter) with Availability Zones (which protect against full datacenter outages), leading them to choose the cheaper but insufficient option A.

How to eliminate wrong answers

Option A is wrong because an Availability Set protects against failures within a single datacenter (rack-level faults) by distributing VMs across update and fault domains, but it cannot survive a full datacenter outage. Option C is wrong because a Proximity Placement Group is designed to reduce network latency by co-locating VMs close together, which actually increases the risk of simultaneous failure and does not provide datacenter-level redundancy. Option D is wrong because Azure Load Balancer is a traffic distribution mechanism that can route across zones or sets, but it is not itself an availability option—it requires underlying VMs to be deployed with an availability strategy to provide fault tolerance.

133
MCQhard

A new Windows VM must be deployed with an application installed, a configuration file copied from a storage account, and a bootstrap script run automatically after the operating system is provisioned. The operations team does not want to log in manually after deployment. What should they use?

A.A Custom Script Extension attached to the VM during provisioning.
B.Azure Bastion to connect through the browser and complete setup interactively.
C.A managed identity assigned to the VM without any extensions.
D.An availability set so the VM comes online faster during provisioning.
AnswerA

The Custom Script Extension is designed to run post-provisioning commands, download files, and perform installation tasks automatically. It fits a deployment workflow where the VM must be configured without manual logon after creation.

Why this answer

The Custom Script Extension (CSE) is the correct choice because it allows you to run a PowerShell or Bash script automatically after the VM is provisioned. This script can install applications, download configuration files from Azure Storage using a managed identity or SAS token, and execute bootstrap commands—all without any manual login. CSE is the standard Azure mechanism for post-deployment configuration automation on both Windows and Linux VMs.

Exam trap

The trap here is that candidates often confuse Azure Bastion (a connectivity tool) with an automation tool, or they assume a managed identity alone can run scripts, when in fact it only provides authentication and must be paired with an extension or custom code to perform actions.

How to eliminate wrong answers

Option B is wrong because Azure Bastion provides secure browser-based RDP/SSH connectivity to the VM, but it still requires a human to log in and perform the setup manually, which contradicts the requirement to avoid manual login. Option C is wrong because a managed identity alone does not execute any scripts or configuration steps; it only provides an identity for the VM to authenticate to Azure services like Key Vault or Storage, but the actual bootstrap logic must be triggered by an extension or other automation. Option D is wrong because an availability set is a logical grouping for high availability and fault tolerance; it does not affect provisioning speed or execute any post-deployment configuration tasks.

134
Multi-Selecthard

A stateless customer portal runs on Azure VMs and must keep serving traffic if an entire datacenter in the region fails. The operations team also wants the portal to add and remove instances automatically during daily spikes without managing a Kubernetes cluster. Which two Azure compute capabilities should the administrator configure? Select two.

Select 2 answers
A.Deploy the portal instances across availability zones.
B.Use a virtual machine scale set with autoscale enabled.
C.Place the VMs in an availability set within a single datacenter.
D.Create a proximity placement group for the portal VMs.
E.Use a single larger VM with premium managed disks.
AnswersA, B

Availability zones place instances in separate datacenters, which helps survive a zone-level outage.

Why this answer

Availability zones protect against a full datacenter failure by distributing VM instances across physically separate datacenters within a region. This ensures that if one datacenter goes down, the portal continues serving traffic from the other zones. Combined with a load balancer, this provides high availability for stateless workloads.

Exam trap

The trap here is confusing availability sets (rack-level redundancy) with availability zones (datacenter-level redundancy), leading candidates to pick availability sets for a full datacenter failure scenario.

135
MCQeasy

Based on the exhibit, a workload must remain available even if one datacenter in an Azure region becomes unavailable. The region supports zone deployment. What should the administrator configure?

A.An availability set.
B.Availability zones.
C.A resource lock.
D.A user-defined route.
AnswerB

Availability zones place resources in separate physically isolated datacenters within the same region. If one datacenter becomes unavailable, the workload can continue running in another zone. That is the correct resilience option when the requirement explicitly calls for protection from a datacenter-level outage.

Why this answer

Availability zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. Deploying the workload across two or more zones ensures that if one datacenter fails, the other zones continue to operate, maintaining availability. This directly meets the requirement of surviving a single datacenter outage within a region that supports zone deployment.

Exam trap

The trap here is that candidates often confuse availability sets (which protect against rack-level failures) with availability zones (which protect against entire datacenter failures), leading them to select the wrong answer when the question explicitly requires datacenter-level resilience.

How to eliminate wrong answers

Option A is wrong because an availability set protects against rack-level failures within a single datacenter (by distributing VMs across fault domains and update domains), but it does not provide resilience if an entire datacenter becomes unavailable. Option C is wrong because a resource lock prevents accidental deletion or modification of resources, but it has no effect on availability during a datacenter outage. Option D is wrong because a user-defined route (UDR) controls network traffic routing (e.g., forced tunneling or custom next hops) and does not provide any redundancy or failover capability for compute workloads.

136
MCQmedium

You deploy several Windows virtual machines and need to install Microsoft Antimalware on each VM without logging on manually. What should you use?

A.An NSG application security group.
B.A VM extension.
C.A route table.
D.A blob lifecycle rule.
AnswerB

This is the standard mechanism for automated VM guest configuration tasks.

Why this answer

VM extensions are small applications that provide post-deployment configuration and automation tasks on Azure VMs. The Microsoft Antimalware extension can be deployed to multiple VMs at scale via Azure PowerShell, CLI, ARM templates, or policies, enabling silent installation without manual login.

Exam trap

The trap here is that candidates confuse network-level controls (NSGs, route tables) or storage management (lifecycle rules) with VM-level software deployment, overlooking that VM extensions are the dedicated Azure mechanism for post-deployment configuration and software installation.

How to eliminate wrong answers

Option A is wrong because an NSG application security group is a network security feature that groups VMs for traffic filtering, not for installing software. Option C is wrong because a route table controls network traffic routing between subnets or to virtual appliances, not software installation. Option D is wrong because a blob lifecycle rule manages tiering or deletion of storage blobs based on age, not VM software deployment.

137
Multi-Selecthard

A Windows VM must install a monitoring agent, run a bootstrap script during provisioning, and download a configuration file from an Azure resource without storing any credentials in the script or on disk. Which two Azure compute features should the administrator use? Select two.

Select 2 answers
A.Use a Custom Script Extension to run the bootstrap actions after provisioning.
B.Assign a system-assigned managed identity to the virtual machine.
C.Enable boot diagnostics and review the serial console output.
D.Attach a read-only managed disk to store the configuration file.
E.Use an availability set to keep the bootstrap script highly available.
AnswersA, B

A custom script extension can execute setup commands and copy files automatically during deployment.

Why this answer

The Custom Script Extension (CSE) is the correct Azure feature to run a bootstrap script after provisioning because it executes a script on the VM during or after deployment, enabling installation of the monitoring agent and other configuration tasks. It is the standard method for post-deployment automation on Azure VMs, and it can reference a script stored in Azure Storage or a public URL without embedding credentials.

Exam trap

The trap here is that candidates often confuse boot diagnostics (Option C) with a method to run scripts, or think that a managed disk (Option D) can replace the need for secure credential storage, when in fact the combination of managed identity and Custom Script Extension is the only secure, credential-free approach for post-deployment automation.
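The "no credentials in the script or on disk" requirement can be checked on the extension definition before it is deployed. This added example is not part of the original question bank: it lints the `properties` object of a Windows Custom Script Extension for SAS tokens, account keys, and a missing `managedIdentity`. The storage account name, URLs, and the secret-matching heuristic are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Heuristic only (an assumption of this example): strings that suggest a
# secret was pasted into the command line.
SECRET_IN_COMMAND = re.compile(r"(sig=|AccountKey=|-Password\b)", re.I)


def lint_custom_script_extension(properties):
    """Return findings for a CustomScriptExtension 'properties' object."""
    public = properties.get("settings") or {}
    protected = properties.get("protectedSettings") or {}
    findings = []
    unsigned_blob = False

    for name, block in (("settings", public), ("protectedSettings", protected)):
        for uri in block.get("fileUris", []):
            parts = urlsplit(uri)
            if "sig" in parse_qs(parts.query):
                # A SAS token is a bearer secret that has to be stored and renewed.
                findings.append(f"{name}.fileUris: SAS token embedded in download URL")
            elif parts.hostname and parts.hostname.endswith(".blob.core.windows.net"):
                unsigned_blob = True

    if "storageAccountKey" in public or "storageAccountKey" in protected:
        findings.append("storageAccountKey: account key supplied for the download")
        if "managedIdentity" in protected:
            findings.append("managedIdentity cannot be combined with storageAccountKey")
    elif unsigned_blob and "managedIdentity" not in protected:
        findings.append("no managedIdentity: download only works if the blob "
                        "is anonymously readable")

    # Public settings are not encrypted, so a secret here is exposed.
    if SECRET_IN_COMMAND.search(public.get("commandToExecute", "")):
        findings.append("settings.commandToExecute: secret in unencrypted settings")
    return findings


# Constructed sample definitions (not taken from any real deployment).
BLOB = "https://stconfig.blob.core.windows.net/bootstrap/setup.ps1"

WITH_SAS = {
    "settings": {
        "fileUris": [BLOB + "?sv=2022-11-02&sr=b&sig=CONSTRUCTED"],
        "commandToExecute": "powershell -File setup.ps1",
    },
}
WITH_KEY = {
    "settings": {"fileUris": [BLOB]},
    "protectedSettings": {
        "storageAccountName": "stconfig",
        "storageAccountKey": "CONSTRUCTED",
        "commandToExecute": "powershell -File setup.ps1",
    },
}
# Managed identity download: {} selects the VM's system-assigned identity.
WITH_IDENTITY = {
    "protectedSettings": {
        "fileUris": [BLOB],
        "commandToExecute": "powershell -File setup.ps1",
        "managedIdentity": {},
    },
}

if __name__ == "__main__":
    for label, props in (("SAS", WITH_SAS), ("key", WITH_KEY),
                         ("identity", WITH_IDENTITY)):
        print(label, lint_custom_script_extension(props))
```

The identity still needs a data-plane role such as Storage Blob Data Reader on the container holding the file; the lint checks only the extension definition.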

138
MCQeasy

Based on the exhibit, the administrator needs to deploy a VM quickly using a preapproved hardened operating system image. Which source should be used when creating the VM?

A.An approved custom image in an Azure Compute Gallery.
B.A temporary public IP address.
C.A network security group rule.
D.An Azure Monitor alert rule.
AnswerA

A custom image in an Azure Compute Gallery lets the team standardize VM deployments on a hardened, approved operating system image. It is the right source when the same validated image should be reused consistently for new VMs. This supports repeatability and compliance across deployments.

Why this answer

An approved custom image in an Azure Compute Gallery (formerly Shared Image Gallery) is the correct source because it allows the administrator to deploy a VM quickly using a preapproved, hardened operating system image. The Azure Compute Gallery provides versioning, replication, and regional distribution of custom images, ensuring that the hardened OS is readily available for rapid deployment across multiple regions. This aligns with the requirement for a preapproved image that meets security and compliance standards.

Exam trap

The trap here is that candidates may confuse a VM image source with networking or monitoring components, mistakenly thinking a public IP or NSG rule can serve as an image source, when in fact only a compute gallery or managed image provides the OS disk definition.

How to eliminate wrong answers

Option B is wrong because a temporary public IP address is a networking resource used for outbound/inbound connectivity, not a source for VM operating system images; it does not provide a hardened OS. Option C is wrong because a network security group rule defines inbound/outbound traffic filtering rules for subnets or NICs, not a VM image source. Option D is wrong because an Azure Monitor alert rule is a monitoring and notification configuration that triggers actions based on metrics or logs, not a source for VM operating system images.

139
Multi-Selecthard

A Windows VM must run a bootstrap script during provisioning to install a monitoring agent and write configuration files. The administrator does not want to log in interactively, and the script must be runnable again after the VM is rebuilt. Which two Azure compute components should be used? Select two.

Select 2 answers
A.Azure VM Agent
B.Custom Script Extension
C.Boot diagnostics
D.Availability zone
E.Ephemeral OS disk
AnswersA, B

The Azure VM Agent is the runtime required for Azure to deliver and manage VM extensions.

Why this answer

The Azure VM Agent (A) is required because it enables the VM to run extensions, including the Custom Script Extension. The Custom Script Extension (B) is the correct mechanism to execute the bootstrap script during provisioning without interactive login, and it can be reapplied to a rebuilt VM by redeploying the same ARM template or CLI command.

Exam trap

The trap here is that candidates confuse Boot diagnostics (which only shows logs) with a tool that can run scripts, or they mistakenly think Ephemeral OS disks or Availability zones are involved in script execution, when in fact only the VM Agent and Custom Script Extension provide the required automation.

140
MCQeasy

Before changing a production VM's data disk, you want a point-in-time copy that can be restored later without affecting the VM. What should you create?

A.Snapshot
B.Availability set
C.Azure Policy assignment
D.Virtual network peering
AnswerA

A snapshot creates a point-in-time copy of a managed disk and can be used to restore or create a new disk later.

Why this answer

A snapshot captures a point-in-time, read-only copy of a managed or unmanaged disk. It can be used to create a new disk or restore the original disk without affecting the running VM, making it the correct choice for a non-disruptive backup before a data disk change.

Exam trap

The trap here is that candidates may confuse a snapshot with a backup vault or recovery services vault, but the question specifically asks for a point-in-time copy that does not affect the running VM, and only a snapshot meets that requirement without requiring a backup policy or agent.

How to eliminate wrong answers

Option B is wrong because an availability set is a logical grouping of VMs to protect against rack-level failures and maintenance events; it does not provide any point-in-time copy or backup capability. Option C is wrong because an Azure Policy assignment enforces compliance rules (e.g., allowed VM sizes, tagging) across resources; it cannot create a disk copy or restore a disk. Option D is wrong because virtual network peering connects two Azure virtual networks for low-latency communication; it has no relation to disk backup or restoration.

141
Matchingeasy

Match each Azure VM deployment concept to the description that best fits it.

Concepts
Matches

Spreads VMs across fault and update domains within one datacenter.

Places VMs in separate datacenters within the same Azure region.

Reusable source for creating the same VM build again.

Defines CPU, memory, and temporary storage resources.

Why these pairings

VMSS provides auto-scaling identical VMs; Availability Set groups VMs for redundancy; Availability Zone offers physical separation; Managed Disk is persistent block storage; Azure Bastion provides secure remote access; Dedicated Host gives single-tenant physical servers.

142
MCQmedium

A managed data disk on a VM was deleted by mistake. You have a snapshot from before the deletion and want to restore the data with minimal impact to the VM's operating system disk. What should you do?

A.Create a new managed disk from the snapshot and attach it to the VM
B.Redeploy the VM from the marketplace image
C.Convert the snapshot directly into an OS disk and boot from it
D.Resize the VM to a larger size and the deleted disk will reappear
AnswerA

This restores the disk contents without rebuilding the VM or changing the OS disk.

Why this answer

Option A is correct because you can create a new managed disk from the snapshot and attach it as a data disk to the existing VM. This restores the data without affecting the OS disk or requiring a VM redeployment, minimizing downtime and impact.

Exam trap

The trap here is that candidates may confuse snapshots with OS disk recovery options, incorrectly assuming a data disk snapshot can be used to boot the VM, or that resizing or redeploying the VM will restore deleted disks.

How to eliminate wrong answers

Option B is wrong because redeploying the VM from a marketplace image would replace the entire VM, including the OS disk, and does not restore the deleted data disk from a snapshot. Option C is wrong because a snapshot of a data disk cannot be converted into an OS disk; snapshots are disk-type specific, and booting from a data disk snapshot would fail. Option D is wrong because resizing a VM does not recover deleted disks; disk deletion is permanent and not reversed by VM size changes.

143
Multi-Selectmedium

Which three of the following statements about Azure App Service plans are correct? (Choose three.)

Select 3 answers
A.Apps in the same App Service plan share the same compute resources, even if they are in different resource groups.
B.You can scale out an App Service plan independently of the apps running within it.
C.The Isolated tier provides network isolation and is designed for apps that require high security and scaling.
D.Changing the pricing tier of an App Service plan always causes downtime for all apps in the plan.
E.An App Service plan can only contain apps from the same region and the same resource group.
F.The Free and Shared tiers support custom domain names and SSL binding without additional cost.

Why this answer

Apps in the same App Service plan share the same compute resources (VMs, memory, CPU) because the plan defines the underlying infrastructure. This is true even if the apps are in different resource groups, as the plan is the boundary for resource allocation, not the resource group.

Exam trap

The trap here is that candidates often assume apps must be in the same resource group to share resources, but Azure App Service plans are resource-group-agnostic for compute sharing, and they also mistakenly think Free/Shared tiers include custom domains and SSL, which they do not.

144
MCQeasy

After a Windows VM is created, the administrator wants IIS installed and a configuration script run automatically without signing in to the server. Which Azure feature should be used?

A.An availability set
B.A virtual machine extension
C.An Azure Policy assignment
D.A network security group rule
AnswerB

A VM extension is designed to run additional configuration tasks on a VM after deployment. For example, the Custom Script Extension can install software, copy files, or execute scripts without an interactive logon. This directly matches the requirement to automate IIS installation and post-deployment configuration.

Why this answer

A virtual machine extension (such as the Custom Script Extension for Windows) allows you to deploy and run scripts on an Azure VM after provisioning, without requiring any interactive sign-in. This is the correct Azure feature to automatically install IIS and execute a configuration script as part of the VM deployment or post-deployment automation.

Exam trap

The trap here is that candidates often confuse Azure Policy (which only audits or enforces configurations) with VM extensions (which actually perform software installation and script execution), leading them to select Azure Policy as the automation tool.

How to eliminate wrong answers

Option A is wrong because an availability set is a logical grouping of VMs to protect against infrastructure failures and maintenance events; it does not execute scripts or install software. Option C is wrong because an Azure Policy assignment enforces compliance rules (e.g., allowed VM sizes or resource tags) across resources, but it cannot install IIS or run configuration scripts on a VM. Option D is wrong because a network security group (NSG) rule controls inbound/outbound traffic to a VM's network interface or subnet; it has no capability to install software or run scripts.

145
MCQhard

A scale set of application VMs uploads JSON files to one blob container. The identity must not use secrets, must keep working if an instance is reimaged or replaced, and the same identity should be reusable across all instances. What should the administrator configure?

A.A system-assigned managed identity on each VM instance, with account-wide storage permissions.
B.A user-assigned managed identity, attached to the scale set, with Storage Blob Data Contributor scoped to the container.
C.A shared access signature stored in the VM image and renewed annually.
D.The storage account access key, because it allows the most reliable upload path.
AnswerB

A user-assigned managed identity persists independently of any single VM instance, so it remains usable after reimaging or replacement. Scoping Storage Blob Data Contributor to the container follows least privilege while still allowing the workload to upload the JSON files.

Why this answer

A user-assigned managed identity is the correct choice because it is created as a standalone Azure resource, can be assigned to multiple VMs in a scale set, and persists independently of any VM instance lifecycle. This ensures the identity remains available even if an instance is reimaged or replaced, and it avoids the need for secrets. The Storage Blob Data Contributor role scoped to the specific container grants the necessary permissions for uploading JSON files without exposing account-level access.

Exam trap

The trap here is that candidates often confuse system-assigned and user-assigned managed identities, assuming system-assigned identities can be shared across instances, when in fact each instance gets a unique identity that is destroyed on reimage, making user-assigned the only option for a reusable, persistent identity across a scale set.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of each individual VM instance; if an instance is reimaged or replaced, the identity is destroyed and recreated, breaking continuity and requiring reconfiguration of permissions. Option C is wrong because a shared access signature (SAS) is a secret token that must be securely stored and renewed, violating the requirement to avoid secrets and adding management overhead; embedding it in a VM image also risks exposure and does not survive reimaging. Option D is wrong because using the storage account access key exposes a high-privilege secret that must be managed and rotated, contradicts the 'no secrets' requirement, and provides full account access rather than scoped container permissions.
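The least-privilege point in this answer can be checked after deployment. The following is an added example, not part of the original question bank: it audits role assignments in the shape returned by `az role assignment list` and reports any grant to the workload identity that is broader than the target container or that can list the account keys. The subscription ID, resource names, and principal IDs are constructed placeholders.

```python
import re

EXPECTED_ROLE = "Storage Blob Data Contributor"

# Built-in roles that include the listKeys action on a storage account.
# Holding one of these at or above the account reintroduces a shared secret.
KEY_EXPOSING_ROLES = {"Owner", "Contributor", "Storage Account Contributor",
                      "Storage Account Key Operator Service Role"}

SUB_RE = r"/subscriptions/[^/]+"
RG_RE = SUB_RE + r"/resourcegroups/[^/]+"
ACCT_RE = RG_RE + r"/providers/microsoft\.storage/storageaccounts/[^/]+"
LEVELS = [
    ("container", ACCT_RE + r"/blobservices/default/containers/[^/]+"),
    ("storage_account", ACCT_RE),
    ("resource_group", RG_RE),
    ("subscription", SUB_RE),
]


def normalize(scope):
    # ARM resource IDs are case-insensitive; compare them lower-cased.
    return scope.rstrip("/").lower()


def classify_scope(scope):
    s = normalize(scope)
    for level, pattern in LEVELS:
        if re.fullmatch(pattern, s):
            return level
    if s == "" or s.startswith("/providers/microsoft.management/"):
        return "above_subscription"
    return "other"


def covers(scope, target):
    """True if a role assigned at 'scope' is inherited by 'target'."""
    scope, target = normalize(scope), normalize(target)
    return target == scope or target.startswith(scope + "/")


def audit_identity(assignments, principal_id, container_scope):
    container = normalize(container_scope)
    account = container.split("/blobservices/")[0]
    findings, expected_present = [], False
    for a in assignments:
        if a["principalId"] != principal_id or not covers(a["scope"], container):
            continue
        role, level = a["roleDefinitionName"], classify_scope(a["scope"])
        if role in KEY_EXPOSING_ROLES and covers(a["scope"], account):
            findings.append((role, level, "can list storage account keys"))
        elif normalize(a["scope"]) != container:
            findings.append((role, level, "scope broader than the container"))
        elif role == EXPECTED_ROLE:
            expected_present = True
    return {"expected_assignment_present": expected_present, "findings": findings}


# Constructed sample data (placeholders, not real resources).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
ACCOUNT = RG + "/providers/Microsoft.Storage/storageAccounts/stappdata"
CONTAINER = ACCOUNT + "/blobServices/default/containers/uploads"

ASSIGNMENTS = [
    # User-assigned identity, scoped as in option B.
    {"principalId": "uami-1111", "principalType": "ServicePrincipal",
     "roleDefinitionName": EXPECTED_ROLE, "scope": CONTAINER},
    # Per-instance identity with account-wide permissions, as in option A.
    {"principalId": "inst-2222", "principalType": "ServicePrincipal",
     "roleDefinitionName": EXPECTED_ROLE, "scope": ACCOUNT},
    {"principalId": "inst-2222", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": RG},
]

if __name__ == "__main__":
    for pid in ("uami-1111", "inst-2222"):
        print(pid, audit_identity(ASSIGNMENTS, pid, CONTAINER))
```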

146
MCQhard

Your company hosts an internal web app in Azure App Service. Access must be limited to users connecting from the corporate virtual network over private IP addresses only. What should you configure?

A.An App Service Environment only.
B.Access restrictions based on public IP ranges only.
C.A private endpoint for the web app.
D.A public load balancer in front of the web app.
AnswerC

This provides private access from the VNet using a private IP address.

Why this answer

Option C is correct because a private endpoint assigns a private IP address from your virtual network to the web app, making it accessible only over the corporate network via private IPs. This ensures traffic never traverses the public internet, meeting the requirement for private IP-only access.

Exam trap

The trap here is that candidates often confuse access restrictions (which filter by public IP) with private endpoint (which eliminates public exposure entirely), mistakenly thinking IP-based restrictions can enforce private-only access when they cannot prevent internet routing.

How to eliminate wrong answers

Option A is wrong because an App Service Environment (ASE) is a fully isolated and dedicated environment that can be injected into a virtual network, but it is overkill and not required for simply restricting access to a single web app; the question does not demand dedicated compute or isolation. Option B is wrong because access restrictions based on public IP ranges only control inbound traffic from specific public IPs, but they do not prevent traffic from traversing the public internet; the requirement is to limit access to users connecting from the corporate virtual network over private IP addresses, which public IP restrictions cannot enforce. Option D is wrong because a public load balancer in front of the web app would still expose the app via a public IP and route traffic over the internet, failing to restrict access to private IPs only.

147
MCQhard

A platform team has a hardened Windows Server VM that was generalized after patching, agent installation, and baseline configuration. They must deploy the same build to development, test, and production subscriptions, and they want a controlled way to publish newer versions later without rebuilding the image each time. What should they create first?

A.An availability set for the source VM so new virtual machines inherit the same configuration.
B.A managed disk snapshot of the OS disk so new VMs can be created from the captured state.
C.An Azure Compute Gallery image version based on the generalized VM image.
D.A proximity placement group so all future VMs land close to the current server.
AnswerC

Azure Compute Gallery is the best fit when you need a reusable, versioned VM image that can be deployed consistently across subscriptions and regions. It supports image publishing, replication, and controlled updates, which makes it ideal for a hardened base build that will evolve over time.

Why this answer

An Azure Compute Gallery (formerly Shared Image Gallery) allows you to store and manage multiple versions of a generalized VM image, enabling controlled, incremental publishing of image updates across subscriptions. By creating an image version in a gallery, the team can deploy the same build to dev, test, and prod subscriptions while maintaining versioning and replication control, avoiding the need to rebuild the image from scratch for each update.

Exam trap

The trap here is that candidates often confuse a managed disk snapshot (Option B) with a reusable, versionable image, not realizing that snapshots lack the versioning, replication, and cross-subscription sharing capabilities that an Azure Compute Gallery image version provides.

How to eliminate wrong answers

Option A is wrong because an availability set is a logical grouping for high availability within a single region, not a mechanism for capturing or distributing a generalized VM configuration across subscriptions. Option B is wrong because a managed disk snapshot captures only the OS disk state at a point in time, but it cannot be versioned or replicated across subscriptions in a controlled manner, and it does not support incremental publishing of newer builds without creating new snapshots. Option D is wrong because a proximity placement group optimizes VM placement for low network latency, but it has no role in image management, versioning, or cross-subscription deployment of generalized images.

148
MCQ · easy

An application on an Azure VM has outgrown its current CPU and memory. The administrator wants to increase compute capacity without rebuilding the application or changing the VM image. What should be done?

A. Resize the virtual machine to a larger size
B. Create a new snapshot of the OS disk
C. Move the VM to an availability set
D. Attach a data disk
Answer: A

Resizing the VM changes the amount of CPU, memory, and sometimes other capabilities assigned to the existing machine. This is the correct operational fix when the application needs more compute resources but does not need a new image or rebuild. It keeps the same VM and operating system while giving it more capacity. For an easy Azure administration scenario, this is the direct answer to a performance-capacity problem.

Why this answer

Resizing the VM to a larger size (Option A) directly increases the CPU and memory resources allocated to the VM without requiring any changes to the application or the underlying OS disk image. Azure allows you to change the VM size as long as the new size is available in the current hardware cluster and the VM is deallocated (stopped) first. This is the simplest and most appropriate method to scale up compute capacity while preserving the existing configuration and data.

Exam trap

The trap here is that candidates often confuse scaling compute resources with adding storage or improving availability, leading them to select options like attaching a data disk or moving to an availability set, which do not address CPU/memory constraints.

How to eliminate wrong answers

Option B is wrong because creating a new snapshot of the OS disk captures a point-in-time backup of the disk, but it does not increase the CPU or memory resources of the running VM. Option C is wrong because moving the VM to an availability set improves redundancy and fault tolerance by distributing VMs across fault domains, but it does not change the compute capacity (CPU/memory) of the individual VM. Option D is wrong because attaching a data disk adds additional storage capacity to the VM, not CPU or memory; it does not address the performance bottleneck caused by insufficient compute resources.

149
MCQ · easy

A company hosts a stateless web application behind a load balancer. Traffic increases during the day and drops at night. The team wants Azure to automatically add or remove identical VM instances based on demand. What should the administrator deploy?

A. A single large virtual machine
B. A virtual machine scale set
C. An availability set
D. A managed image
Answer: B

A virtual machine scale set is designed for deploying and managing multiple identical VMs as a group. It supports autoscaling rules so Azure can add or remove instances based on metrics such as CPU usage or scheduled demand. This is the best fit for a stateless web workload with changing traffic.

Why this answer

A virtual machine scale set (VMSS) is the correct choice because it automatically manages a group of identical, load-balanced VMs and can scale out (add VMs) or scale in (remove VMs) based on demand metrics like CPU usage or a schedule. This matches the requirement for a stateless web application with variable traffic, as VMSS integrates with Azure Load Balancer or Application Gateway and supports autoscale rules to handle daytime spikes and nighttime drops without manual intervention.

Exam trap

The trap here is that candidates often confuse an availability set (which provides high availability) with a scale set (which provides elasticity), leading them to pick Option C because they think 'automatic addition/removal' means fault tolerance, not scaling.

How to eliminate wrong answers

Option A is wrong because a single large virtual machine cannot scale horizontally; it only supports vertical scaling (resizing), which requires downtime and cannot automatically add or remove instances to handle variable traffic. Option C is wrong because an availability set is a logical grouping of VMs that protects against hardware failures and updates within a datacenter, but it does not provide autoscaling or load balancing capabilities. Option D is wrong because a managed image is a static snapshot of a VM's OS and data disks used to create identical VMs, but it is not a compute resource that can automatically scale or handle traffic; it is a deployment artifact, not a running service.

150
MCQ · easy

You need to deploy a new Ubuntu VM that automatically creates an app user and installs packages the first time it boots. Which approach should you use?

A. Use an availability set so the VM runs the initialization tasks during host placement.
B. Use cloud-init in the VM creation settings to perform first-boot configuration.
C. Use an Azure Policy assignment to install the packages after deployment.
D. Use a managed disk snapshot and attach it to the VM after deployment.
Answer: B

Cloud-init is the standard Linux initialization method for automating first boot tasks. It can create users, install packages, write files, and run commands as the VM starts. This makes it a good fit when you want the operating system to configure itself without needing to sign in afterward or run a separate manual script.

Why this answer

B is correct because cloud-init is the standard, native mechanism for performing first-boot configuration on Linux VMs in Azure. It allows you to inject a configuration file (e.g., YAML or shell script) during VM creation that automatically creates users, installs packages, and runs custom commands on the first boot, without requiring any post-deployment scripts or manual intervention.

Exam trap

The trap here is that candidates confuse Azure Policy (a governance tool) with a configuration management tool like cloud-init or Desired State Configuration (DSC), assuming Policy can execute scripts inside a VM when it only enforces resource-level rules.

How to eliminate wrong answers

Option A is wrong because an availability set is a logical grouping of VMs to protect against rack-level failures and planned maintenance; it does not execute initialization tasks or run any code. Option C is wrong because Azure Policy is a governance tool used to enforce compliance rules (e.g., allowed VM sizes, tagging) across resources; it cannot install packages or run scripts inside a VM. Option D is wrong because a managed disk snapshot is a point-in-time copy of a disk used for backup or cloning; attaching it after deployment does not trigger first-boot configuration or package installation.
