CCNA Develop Azure compute solutions Questions

75 of 258 questions · Page 1/4 · Develop Azure compute solutions · Answers revealed

1
MCQ · hard

You are developing a serverless application using Azure Functions that processes order messages from an Azure Service Bus queue. Each order message is approximately 64 KB in size. The function must process messages in order and exactly once. The current implementation uses a Service Bus trigger with batch processing enabled. You notice that occasionally duplicate messages are processed. You need to ensure exactly-once processing while maintaining message ordering. What should you do?

A. Disable batch processing in the function trigger and process messages one at a time.
B. Enable sessions on the Service Bus queue and update the function trigger to use sessions.
C. Increase the lock duration on the Service Bus queue to 5 minutes.
D. Set the maxDeliveryCount property on the queue to 1.
Answer: B

Sessions ensure ordered and exactly-once processing within a session.

Why this answer

Option B is correct because enabling sessions on the Service Bus queue and using a session-enabled trigger guarantees message ordering and exactly-once processing. Sessions group related messages into a logical sequence, and the Service Bus trigger locks the entire session, ensuring that messages within a session are processed in order and that no other consumer can process the same session concurrently. This prevents duplicate processing while maintaining the required ordering.

Exam trap

The trap here is that candidates often confuse disabling batch processing or increasing lock duration with solving duplicate processing, but these do not address the root cause of duplicate deliveries; only session-based or duplicate detection mechanisms guarantee exactly-once processing with ordering.

How to eliminate wrong answers

Option A is wrong because disabling batch processing only processes messages one at a time but does not prevent duplicates; the trigger can still receive the same message multiple times if the lock expires or if there is a transient failure. Option C is wrong because increasing the lock duration only gives more time to process a message before the lock expires, but it does not prevent duplicate deliveries caused by other factors like receiver crashes or competing consumers. Option D is wrong because setting maxDeliveryCount to 1 will cause the message to be dead-lettered after the first failed delivery attempt, but it does not prevent duplicates from being delivered in the first place; duplicate detection requires a different mechanism like sessions or duplicate detection history.

2
MCQ · medium

You are developing an Azure Logic App that processes files from an FTP server. The workflow must run every 10 minutes and process only new files. You need to ensure that files are not processed more than once. What should you use?

A. Use the FTP trigger 'When a file is added' with a recurrence of 10 minutes.
B. Use the 'When a file is added' trigger and store processed file names in a SQL database.
C. Use the FTP trigger 'When a file is added or modified' with a recurrence of 10 minutes.
D. Use the Sliding Window trigger and set the window size to 10 minutes.
Answer: C

This trigger supports deduplication by tracking file timestamps.

Why this answer

Option C is correct because the 'When a file is added or modified' FTP trigger in Azure Logic Apps automatically tracks processed files using a built-in 'trigger state' mechanism. When combined with a recurrence schedule (e.g., every 10 minutes), it ensures that only new or modified files since the last run are processed, preventing duplicate processing without external state management.

Exam trap

The trap here is that candidates often assume a simple 'When a file is added' trigger with a recurrence is sufficient, but they overlook that the 'or modified' variant is required to leverage the built-in deduplication state, while the plain 'added' trigger lacks this tracking and can cause reprocessing.

How to eliminate wrong answers

Option A is wrong because the 'When a file is added' trigger does not inherently track which files have already been processed; it can reprocess files if the trigger runs again without state persistence. Option B is wrong because storing processed file names in a SQL database introduces unnecessary complexity and external dependencies; the built-in trigger state already handles deduplication. Option D is wrong because the Sliding Window trigger is designed for event-based triggers (e.g., Azure Service Bus, Event Hubs) and is not applicable to FTP triggers; it does not provide file-level deduplication.

3
MCQ · hard

You deploy a containerized application on Azure Container Instances (ACI). The application writes data that must persist across container restarts and be accessible from multiple instances. Which volume mount should you configure?

A. Azure Files share
B. emptyDir volume
C. Azure Disk
D. ConfigMap
Answer: A

Azure Files offers SMB shares that can be mounted as volumes in ACI, persisting data independent of the container lifecycle.

Why this answer

Azure Files shares provide a fully managed SMB file share in the cloud that can be mounted as a volume in Azure Container Instances. This allows data written by the container to persist across restarts and be accessed concurrently by multiple container instances, meeting the requirements for durability and shared access.

Exam trap

The trap here is confusing Azure Disk (which is block storage with ReadWriteOnce semantics) with Azure Files (which is file storage with ReadWriteMany semantics), leading candidates to choose Azure Disk for persistence without considering multi-instance access requirements.

How to eliminate wrong answers

Option B is wrong because an emptyDir volume is ephemeral and tied to the lifecycle of a pod; data is lost when the container restarts and cannot be shared across multiple instances. Option C is wrong because Azure Disk supports ReadWriteOnce access mode, meaning it can only be mounted by a single container instance at a time, not multiple instances concurrently. Option D is wrong because a ConfigMap is designed for injecting configuration data (e.g., environment variables, files) into containers, not for persistent storage of application data.

4
Multi-Select · easy

You are developing an Azure App Service web app that must authenticate users via Microsoft Entra ID. Which TWO components are required to set up authentication?

Select 2 answers
A. A managed identity
B. Client ID and Client Secret
C. An App Registration in Microsoft Entra ID
D. An Azure AD B2C tenant
E. Azure Front Door
Answers: B, C

These are used in the OAuth2 flow to obtain tokens.

Why this answer

To authenticate users via Microsoft Entra ID in an Azure App Service web app, you must register the app in Entra ID (Option C) to establish an identity and configure authentication. The Client ID and Client Secret (Option B) are then used as credentials in the OAuth 2.0 authorization code flow to verify the app's identity and obtain tokens. These two components are mandatory for the standard OpenID Connect authentication flow.

Exam trap

The trap here is that candidates often confuse managed identities (used for Azure resource-to-resource authentication) with the credentials needed for user authentication, leading them to select Option A instead of the correct Client ID and Secret.

5
MCQ · hard

A Kubernetes-based image resize worker on AKS must pull images from Azure Container Registry without storing registry passwords in Kubernetes secrets. What should be used?

A. Store the ACR admin password in every deployment manifest
B. Attach the ACR to AKS or grant the kubelet managed identity AcrPull
C. Make the container registry public
D. Use an App Service deployment slot
Answer: B

AKS can authenticate to ACR through managed identity permissions such as AcrPull.

Why this answer

Option B is correct because attaching an ACR to an AKS cluster or granting the kubelet managed identity the AcrPull role eliminates the need to store registry passwords in Kubernetes secrets. This leverages Azure AD managed identities for secure, password-less authentication, where the AKS cluster's kubelet uses its managed identity to authenticate with ACR via Azure Resource Manager tokens. The AcrPull role assignment authorizes the identity to pull images, ensuring credentials are never exposed in manifests or secrets.

Exam trap

The trap here is that candidates may think storing credentials in Kubernetes secrets (option A) is acceptable, but the question explicitly forbids that, and they might overlook the managed identity integration as the secure, password-less alternative.

How to eliminate wrong answers

Option A is wrong because storing the ACR admin password in every deployment manifest violates security best practices by exposing static credentials in plaintext, and it requires manual rotation of passwords across all manifests. Option C is wrong because making the container registry public exposes all images to the internet without authentication, creating a severe security vulnerability and violating least-privilege principles. Option D is wrong because App Service deployment slots are a feature for staging and swapping deployments in Azure App Service, not for authenticating to ACR from AKS; they have no relevance to Kubernetes image pull authentication.

6
Drag & Drop · medium

Arrange the steps to implement Azure Functions with a Cosmos DB trigger in the correct order.

Why this order

First create Cosmos DB, then Function App, add trigger binding, write code, test.

7
Multi-Select · easy

You are building a serverless API using Azure Functions. The API must be secured with OAuth 2.0 and must support both user authentication and application permissions. You need to configure the function app appropriately. Which TWO steps should you take?

Select 2 answers
A. Expose scopes and app roles in the Microsoft Entra ID app registration.
B. Use Azure AD v1.0 endpoints.
C. Configure authentication via the 'Authentication' blade in the portal.
D. Register the function app in Microsoft Entra ID.
E. Enable Azure App Service built-in authentication (EasyAuth).
Answers: A, D

Scopes for delegated permissions and app roles for application permissions are required.

Why this answer

Option A is correct because exposing scopes and app roles in the Microsoft Entra ID app registration is required to support both user authentication (via delegated permissions/scopes) and application permissions (via app roles). This allows the Azure Function to validate tokens for both user and application contexts using OAuth 2.0.

Exam trap

The trap here is that candidates often think enabling EasyAuth (Option E) alone is sufficient for OAuth 2.0 support, but it only handles token validation and does not configure the required scopes and app roles in the app registration.

8
MCQ · medium

You develop an Azure Function app that processes orders. The function must write order status updates to a database. You need to ensure that if the function fails after writing to the database, the order is not lost and can be retried. Which pattern should you implement?

A. Use a Durable Functions orchestration
B. Use a retry policy in the function code
C. Enable function-level exception handling
D. Use an Azure Storage Queue for the function input
Answer: A

Durable Functions allow you to define an orchestrator that coordinates activities, provides retry, and handles failures atomically.

Why this answer

Option A is correct because Durable Functions orchestrations provide built-in support for reliable execution and automatic retry on failure. By using an orchestration, you can write the order status to the database as an activity function, and if the function fails after the write, the orchestration can replay from the last checkpoint, ensuring the order is not lost and can be retried without duplicating the write.

Exam trap

The trap here is that candidates often confuse a simple retry policy (Option B) with the durable checkpointing and replay mechanism, not realizing that a retry policy alone cannot prevent duplicate writes or recover from failures that occur after a side effect has been committed.

How to eliminate wrong answers

Option B is wrong because a retry policy in the function code only retries the current invocation; if the failure occurs after the database write, the retry would re-execute the entire function, potentially causing duplicate writes or inconsistent state. Option C is wrong because enabling function-level exception handling merely catches errors but does not provide a mechanism to replay or retry the operation from a known safe point, so the order could be lost if the function fails after the database write. Option D is wrong because using an Azure Storage Queue for input only decouples the trigger but does not inherently provide checkpointing or replay capabilities; the function would still need to manage its own retry and idempotency logic to avoid losing the order.

9
Multi-Select · hard

You are designing a serverless application using Azure Functions that needs to read from an Azure Storage Blob, process the data, and write to Azure Cosmos DB. Which THREE bindings are required?

Select 3 answers
A. HTTP trigger
B. Cosmos DB input binding
C. Blob input binding
D. Cosmos DB output binding
E. Timer trigger
Answers: A, C, D

Triggers the function execution.

Why this answer

The HTTP trigger is correct because the question describes a serverless application that needs to be invoked to read from Blob Storage, process data, and write to Cosmos DB. An HTTP trigger allows the function to be started via an HTTP request, which is the typical entry point for such event-driven processing. Without a trigger, the function cannot execute; the HTTP trigger provides the necessary invocation mechanism.

Exam trap

The trap here is that candidates often confuse input bindings with output bindings, mistakenly thinking a Cosmos DB input binding is needed to read data, when in fact the data source is Blob Storage and only an output binding to Cosmos DB is required.

10
MCQ · easy

You are building a serverless API using Azure Functions. The API must authenticate requests using Microsoft Entra ID. You need to restrict access to users from a specific Microsoft Entra tenant only. What should you configure in the function app?

A. Set the 'Allowed Token Audiences' to the application ID.
B. Enable 'Require Authentication' and set the action to 'Login with Microsoft Entra ID'.
C. Set the 'Client ID' to the application ID.
D. Set the 'Issuer URL' to the specific tenant's endpoint.
Answer: D

The issuer URL validation restricts tokens to a specific tenant.

Why this answer

Option D is correct because setting the 'Issuer URL' to the specific tenant's endpoint (e.g., https://login.microsoftonline.com/{tenant-id}/v2.0) tells Azure Functions to validate that the token was issued by that exact tenant. This restricts access to users from that tenant only, as tokens from other tenants will fail issuer validation.

Exam trap

The trap here is that candidates confuse 'Client ID' (which identifies the app) or 'Allowed Token Audiences' (which validates the audience) with tenant restriction, but only the Issuer URL enforces which tenant's tokens are accepted.

How to eliminate wrong answers

Option A is wrong because 'Allowed Token Audiences' validates that the token is intended for your application (audience claim), not the tenant; it does not restrict which tenant issued the token. Option B is wrong because enabling 'Require Authentication' with 'Login with Microsoft Entra ID' simply enforces authentication but does not restrict to a specific tenant; it allows any Microsoft Entra ID tenant by default. Option C is wrong because setting the 'Client ID' identifies your application to the identity provider, but does not enforce tenant restriction; it is used for audience validation, not issuer validation.

11
MCQ · medium

You have an Azure Function app that uses a Service Bus queue trigger. The function processes messages, but sometimes it takes longer than 5 minutes to process a single message. You notice that the message is processed multiple times. What is the most likely cause?

A. The function's timeout is set to 5 minutes
B. The lock duration on the queue is shorter than the processing time
C. The maxDeliveryCount is set too high
D. The queue has sessions enabled
Answer: B

Correct: When the lock expires, another consumer can process the same message.

Why this answer

Option B is correct because the default lock duration for Service Bus queues is 60 seconds, and if processing takes longer, the lock is lost and the message becomes visible again, leading to duplicate processing. Option C is wrong because maxDeliveryCount is for poison messages. Option D is wrong because sessions are not related.

Option A is wrong because the function's timeout does not affect the lock.

12
MCQ · hard

You are designing a solution that uses Azure Functions to process events from Azure Event Hubs. The function must process events in order and exactly once per partition. What should you do?

A. Enable session state in the function app.
B. Use a Service Bus queue trigger with a singleton lock.
C. Disable checkpointing to ensure no duplicates.
D. Use the Event Hubs trigger for Azure Functions with default configuration.
Answer: D

Event Hubs trigger processes events in order per partition and uses checkpointing for exactly-once.

Why this answer

The Event Hubs trigger for Azure Functions, by default, processes events in order and exactly once per partition. It uses checkpointing to track the offset of the last successfully processed event, ensuring that each event is processed only once and in sequence within a partition. This default behavior aligns with the requirement without needing additional configuration.

Exam trap

The trap here is that candidates may think they need to manually configure session state or disable checkpointing to achieve ordering and exactly-once processing, but the default Event Hubs trigger already handles this via partition-based ordering and checkpointing.

How to eliminate wrong answers

Option A is wrong because session state is a feature of Service Bus, not Event Hubs; it enables ordered processing of messages in a session, but Event Hubs partitions inherently provide ordering without session state. Option B is wrong because a Service Bus queue trigger with a singleton lock would not process events from Event Hubs; it is designed for Service Bus queues and does not support Event Hubs partitions or checkpointing. Option C is wrong because disabling checkpointing would cause the function to reprocess events from the beginning each time, leading to duplicates and loss of ordering, which contradicts the 'exactly once' requirement.

13
MCQ · medium

A web app experiences intermittent high latency. You discover that the Azure SQL database is experiencing a high number of connection timeouts. The application uses Entity Framework Core with the default connection pooling settings. You need to improve database connection reliability without changing the application code. What should you do?

A. Set the Minimum Pool Size to 10 in the connection string.
B. Increase the maximum pool size in the connection string.
C. Set the Connection Lifetime to 300 seconds.
D. Enable Multipool in the connection string.
Answer: A

A minimum pool size ensures a baseline of connections is always open, reducing initial connection delays.

Why this answer

Setting the Minimum Pool Size to 10 pre-creates a baseline of open connections in the pool, reducing the frequency of new connection creations during traffic spikes. This mitigates intermittent connection timeouts caused by the default pool starting empty and struggling to keep up with demand under high latency. Since the application uses Entity Framework Core with default pooling, this change is applied via the connection string without modifying code.

Exam trap

The trap here is that candidates often assume increasing the maximum pool size solves all connection issues, but the real problem is the delay in creating new connections from an empty pool, which is addressed by setting a minimum pool size.

How to eliminate wrong answers

Option B is wrong because increasing the maximum pool size only raises the cap on concurrent connections, but the intermittent timeouts are due to connections being created too slowly under load, not because the pool is full. Option C is wrong because setting Connection Lifetime to 300 seconds causes connections to be recycled after 5 minutes, which can actually increase churn and timeout risk during high latency, not improve reliability. Option D is wrong because 'Multipool' is not a valid connection string keyword in SQL Server or Entity Framework Core; it is a fabricated term.

14
MCQ · medium

You are implementing an order processing system using Azure Durable Functions. The function must send notifications to multiple channels (email, SMS, push) in parallel and wait for all to complete before sending a confirmation. Which Durable Functions feature should you utilize?

A. Orchestration trigger with fan-out/fan-in pattern
B. Entity trigger
C. Activity trigger with retry policy
D. Timer trigger
Answer: A

Correct. The orchestrator can call multiple activity functions in parallel using Task.WhenAll, then aggregate results before proceeding.

Why this answer

The fan-out/fan-in pattern in Durable Functions allows you to invoke multiple activity functions in parallel (fan-out) and then wait for all of them to complete (fan-in) using `Task.WhenAll`. This is exactly what is needed to send notifications to email, SMS, and push simultaneously and then proceed only after all have finished, making option A correct.

Exam trap

The trap here is that candidates often confuse the fan-out/fan-in pattern with simple parallel execution using Entity triggers or assume that retry policies alone can coordinate multiple channels, but only the orchestration trigger with `Task.WhenAll` provides the required synchronization barrier.

How to eliminate wrong answers

Option B is wrong because Entity triggers are designed for managing stateful entities (like counters or actors) and are not suited for orchestrating parallel task execution with a completion barrier. Option C is wrong because an Activity trigger with retry policy handles individual task retries but cannot coordinate multiple parallel activities or wait for all to finish before proceeding. Option D is wrong because Timer triggers are for scheduled or periodic execution, not for orchestrating parallel workflows with a fan-in step.

15
MCQ · easy

A company uses Azure Functions with a consumption plan. The function processes messages from a queue. During peak hours, the function takes longer to execute, and some messages are processed twice. What is the most likely cause?

A. The function timeout is set too low.
B. The queue message visibility timeout is shorter than the function processing time.
C. The function uses blob output binding incorrectly.
D. The function app is using a premium plan instead of consumption.
Answer: B

Correct. If the visibility timeout expires, the message becomes visible again and can be processed by another instance, resulting in duplicates.

Why this answer

In Azure Functions with a consumption plan, the queue message visibility timeout determines how long a message is invisible to other consumers after being dequeued. If the function's processing time exceeds this visibility timeout, the message becomes visible again and can be picked up by another function instance, leading to duplicate processing. This is the most likely cause of messages being processed twice during peak hours when execution times increase.

Exam trap

The trap here is that candidates often confuse the function timeout (which terminates execution) with the queue visibility timeout (which controls message re-delivery), leading them to incorrectly select option A.

How to eliminate wrong answers

Option A is wrong because the function timeout (default 5 minutes for consumption plan) controls the maximum execution duration, not message visibility; a low timeout would cause the function to fail or be terminated, not duplicate processing. Option C is wrong because incorrect blob output binding would cause errors or missing data, not duplicate message processing. Option D is wrong because a premium plan provides dedicated instances and faster execution, which would reduce the likelihood of timeouts and duplicates, not cause them.

16
MCQ · easy

Your company develops a multi-tenant SaaS application hosted on Azure Kubernetes Service (AKS). Each tenant has isolated compute resources. You need to ensure that no single tenant can consume all cluster resources and affect others. You also want to optimize resource utilization by packing pods efficiently. You evaluate the following approaches: A) Use namespace resource quotas per tenant and let the Kubernetes scheduler handle packing. B) Deploy each tenant to a separate AKS cluster. C) Use Azure Policy to enforce pod resource limits. D) Use a service mesh to control traffic between tenants. Which approach should you recommend?

A. Use namespace resource quotas per tenant and let the Kubernetes scheduler handle packing.
B. Use a service mesh to control traffic between tenants.
C. Use Azure Policy to enforce pod resource limits.
D. Deploy each tenant to a separate AKS cluster.
Answer: A

Isolates tenants and optimizes packing.

Why this answer

Option A is correct because namespace resource quotas per tenant provide hard limits on compute resources (CPU, memory) and object counts, preventing any single tenant from exhausting cluster resources. The Kubernetes scheduler then efficiently packs pods within those quotas, optimizing utilization without manual intervention. This approach balances isolation and resource efficiency in a multi-tenant AKS environment.

Exam trap

The trap here is that candidates confuse Azure Policy (which enforces pod-level limits) with namespace-level resource quotas, missing that quotas are the correct mechanism for tenant-level aggregate resource isolation in a shared cluster.

How to eliminate wrong answers

Option B is wrong because deploying each tenant to a separate AKS cluster increases operational complexity and cost, and does not optimize resource utilization—idle resources in one cluster cannot be shared with another. Option C is wrong because Azure Policy can enforce pod resource limits (e.g., via built-in policies like 'Kubernetes cluster containers should have CPU and memory resource limits defined'), but it does not provide tenant-level resource quotas or prevent a tenant from consuming all cluster resources across namespaces; it only ensures individual pods have limits, not aggregate tenant consumption. Option D is wrong because a service mesh (e.g., Istio, Linkerd) controls east-west traffic between services, not resource consumption or isolation; it addresses network segmentation and observability, not compute resource guarantees.

17
MCQ · medium

You are developing a solution that uses Azure Container Registry (ACR) to store Docker images. You need to ensure that only authorized users can deploy images from ACR to an AKS cluster. What should you do?

A. Configure AKS RBAC to limit image pull permissions.
B. Use Kubernetes secrets to store ACR credentials.
C. Use the AKS cluster's managed identity with AcrPull role assignment.
D. Enable the admin account on ACR and use the credentials in AKS.
Answer: C

Managed identity provides secure access without secrets.

Why this answer

Option C is correct because using a managed identity for AKS and assigning the AcrPull role on ACR provides secure, password-less authentication. Option D is wrong because the admin account is not recommended. Option B is wrong because AKS cannot use username/password directly.

Option A is wrong because namespace roles do not control ACR access.

18
MCQ · hard

Your company is migrating a legacy on-premises .NET Framework 4.7.2 web application to Azure. The application uses session state stored in-memory and reads/writes to a local SQL Server database. The migration must minimize code changes, support auto-scaling, and handle session state across multiple instances. You plan to use Azure App Service with Windows OS. You need to recommend a solution for session state storage and database connectivity. Which option should you choose?

A. Use Azure Cache for Redis as the session state provider via the RedisSessionStateProvider NuGet package, and configure the database connection string in Azure App Service App Settings.
B. Store session state in Azure Table Storage using a custom session state provider, and use a connection string for Azure SQL Database.
C. Configure session state using Azure SQL Database with a session state database, and update the connection string in web.config.
D. Use App Service's built-in session state with ARR affinity and connect to Azure SQL Database using Managed Identity.
Answer: A

Redis session state provider is easy to configure, supports auto-scaling, and minimal code changes. Database connection string in App Settings allows easy configuration.

Why this answer

Option A is correct because Azure Cache for Redis provides a distributed, in-memory session state provider that supports session state sharing across multiple App Service instances without requiring code changes to the application logic. The RedisSessionStateProvider NuGet package is a drop-in replacement for the default in-memory provider, and configuring the database connection string in App Settings allows you to change the target without modifying web.config, minimizing migration effort.

Exam trap

The trap here is that candidates often confuse ARR affinity with a valid session state solution, not realizing that it prevents horizontal scaling by forcing requests to a single instance, which contradicts the auto-scaling requirement.

How to eliminate wrong answers

Option B is wrong because Azure Table Storage is a NoSQL key-value store that does not natively support session state expiration or locking, and implementing a custom provider would require significant code changes, contradicting the requirement to minimize code changes. Option C is wrong because using Azure SQL Database for session state introduces higher latency and cost compared to an in-memory cache, and it requires updating web.config rather than using App Settings, which is less flexible for auto-scaling scenarios. Option D is wrong because ARR affinity (sticky sessions) prevents true auto-scaling by pinning a user to a specific instance, and while Managed Identity is good for database connectivity, it does not solve the session state sharing problem across instances.

19
Multi-Select · easy

Your company is migrating a monolithic application to Azure. The application consists of several components that need to be deployed and scaled independently. You need to design a container orchestration solution. Which TWO services should you consider?

Select 2 answers
A. Azure Container Instances
B. Azure Container Apps
C. Azure Batch
D. Azure Service Fabric
E. Azure Kubernetes Service (AKS)
Answers: B, E

Serverless container orchestration with independent scaling.

Why this answer

Options B and E are correct because Azure Kubernetes Service (AKS) and Azure Container Apps are both managed container orchestration services that support independent scaling of components. Option A is wrong because Azure Container Instances is for running individual containers, not orchestration. Option D is wrong because Azure Service Fabric is also an orchestrator but is older and less relevant for new deployments; however, the question asks for two services, and AKS and Container Apps are the primary choices.

Option C is wrong because Azure Batch is for batch computing, not general orchestration.

20
MCQmedium

You are deploying a containerized application to Azure Container Instances. The container image is stored in a private Azure Container Registry (ACR). You need to ensure that ACI can pull the image without storing credentials in the container group definition. What should you use?

A.Enable managed identity for the container group and assign the AcrPull role.
B.Generate a SAS token for the ACR and use it in the image registry credential.
C.Create a service principal with AcrPull role and pass its credentials.
D.Use the ACR admin account and provide the credentials in the container group.
AnswerA

Managed identity avoids storing credentials.

Why this answer

Option A is correct because a managed identity (system-assigned or user-assigned) allows ACI to authenticate to ACR without storing credentials, by granting the identity the 'AcrPull' role. Option D is wrong because the admin account requires a username and password in the configuration. Option B is wrong because SAS tokens are not supported for ACR authentication in ACI.

Option C is wrong because a service principal requires storing credentials in the container group.

21
Multi-Selecthard

An Azure Functions document rendering job processes Service Bus messages. The function sometimes fails after partially completing work. Which two practices improve correctness?

Select 2 answers
A.Use dead-letter handling for repeatedly failing messages
B.Make the handler idempotent
C.Disable retries for all messages
D.Store connection strings in source code
AnswersA, B

Dead-letter queues isolate messages that cannot be processed after retries.

Why this answer

Option A is correct because Azure Functions can use dead-letter queues (DLQ) to isolate messages that repeatedly fail processing, preventing them from blocking the queue and allowing investigation without data loss. Option B is correct because making the handler idempotent ensures that if a message is retried after a partial failure (e.g., the function crashes mid-execution), reprocessing the same message does not cause duplicate or inconsistent state, which is critical for correctness in a Service Bus triggered function.

Exam trap

The trap here is that candidates may think disabling retries (Option C) prevents duplicate processing, but they overlook that retries are essential for transient fault tolerance, and the correct approach is to combine idempotency with dead-letter handling for permanent failures.
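The two practices from this question, as an added example that is not part of the original question bank: an in-memory queue stands in for Service Bus at-least-once delivery, and `MAX_DELIVERY_COUNT`, `RenderJob` and the message contents are assumptions made for illustration. It runs the same three messages through an idempotent and a non-idempotent handler, with one handler crash after the write and one permanently bad message.

```python
from dataclasses import dataclass, field

MAX_DELIVERY_COUNT = 3  # assumed value; stands in for the queue's max delivery count


@dataclass
class Message:
    message_id: str
    body: str
    delivery_count: int = 0


@dataclass
class Broker:
    """Minimal at-least-once queue: a message is redelivered until the handler returns."""
    queue: list = field(default_factory=list)
    dead_letter: list = field(default_factory=list)

    def run(self, handler):
        while self.queue:
            msg = self.queue.pop(0)
            msg.delivery_count += 1
            try:
                handler(msg)  # returning normally completes the message
            except Exception as exc:
                if msg.delivery_count >= MAX_DELIVERY_COUNT:
                    # Repeated failure: park the message with the reason for later investigation.
                    self.dead_letter.append((msg, repr(exc)))
                else:
                    self.queue.append(msg)  # abandon, so it is delivered again


class RenderJob:
    def __init__(self, idempotent, crash_once_after_write=()):
        self.idempotent = idempotent
        self.outputs = []   # every write made to the simulated output store
        self._done = set()  # ids whose side effect is already committed
        self._crash_once = set(crash_once_after_write)

    def handle(self, msg):
        # Idempotency check keyed on the message id: a redelivery of committed work is a no-op.
        # In a real store the id and the output must be committed together.
        if self.idempotent and msg.message_id in self._done:
            return
        if msg.body.startswith("corrupt"):
            raise ValueError("unrenderable document")  # permanent failure, retries cannot help
        self.outputs.append((msg.message_id, msg.body.upper()))
        self._done.add(msg.message_id)
        if msg.message_id in self._crash_once:
            self._crash_once.discard(msg.message_id)
            # Partial completion: the write happened but the message was never completed.
            raise RuntimeError("crashed after write, before completion")


def simulate(idempotent):
    """Return (writes performed, dead-lettered (id, delivery_count) pairs)."""
    broker = Broker(queue=[
        Message("m1", "invoice"),      # constructed sample messages
        Message("m2", "report"),       # handler crashes once after writing this one
        Message("m3", "corrupt-pdf"),  # can never be rendered
    ])
    job = RenderJob(idempotent, crash_once_after_write={"m2"})
    broker.run(job.handle)
    dead = [(m.message_id, m.delivery_count) for m, _ in broker.dead_letter]
    return job.outputs, dead


if __name__ == "__main__":
    for mode in (True, False):
        outputs, dead = simulate(mode)
        print("idempotent" if mode else "naive", [o[0] for o in outputs], dead)
```

With the idempotent handler the retried message is written once; without it the same retry produces a duplicate write, and in both runs the unrenderable message ends up in the dead-letter list after its third delivery instead of circulating forever.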

22
MCQhard

You are reviewing the ARM template for an App Service. What is the effect of the 'alwaysOn' property set to true?

A.The app will enable health checks at /health.
B.The app will scale out to multiple instances automatically.
C.The app will stay loaded in memory to avoid cold starts.
D.The app will be redeployed whenever the code changes.
AnswerC

alwaysOn prevents the app from being unloaded.

Why this answer

Setting 'alwaysOn' to true in an Azure App Service ARM template ensures that the app is kept loaded in memory even when there is no incoming traffic. This prevents the app from being unloaded after a period of inactivity, which eliminates cold starts on subsequent requests. Cold starts occur when the app process is recycled or unloaded, causing a delay as the runtime and application code are reloaded.

Exam trap

The trap here is that candidates may confuse 'alwaysOn' with health checks or scaling features, as the name suggests constant availability, but it specifically addresses process idle behavior, not load balancing or monitoring.

How to eliminate wrong answers

Option A is wrong because health checks are configured separately via the 'healthCheckPath' property in the site config, not by the 'alwaysOn' property. Option B is wrong because automatic scaling is controlled by autoscale rules or scaling settings, not by the 'alwaysOn' property which only affects the app's in-memory state. Option D is wrong because redeployment on code changes is handled by deployment slots, continuous deployment pipelines, or triggers like webhooks, not by the 'alwaysOn' property.

23
MCQhard

You are creating an Azure Container Instance using the Azure CLI command shown in the exhibit. The container needs to connect to a SQL database. After running the command, you notice that the DB_PASSWORD environment variable is visible in the container's logs. What is the most likely reason?

A.The --secure-environment-variables flag is misspelled.
B.The --secure-environment-variables flag is not supported for ACI.
C.The DB_PASSWORD value contains special characters that were not escaped.
D.The container image logs environment variables at startup, exposing the secure variable.
AnswerD

Secure environment variables are not visible in the Azure portal or CLI, but if the container logs them, they are exposed.

Why this answer

Option D is correct because the `--secure-environment-variables` flag in Azure CLI for Azure Container Instances does not prevent the values from being logged by the container itself. The flag only masks the values in the Azure portal and CLI output, but if the container image explicitly logs environment variables at startup (e.g., via a startup script or application code), the secure variable will be exposed in the container logs. The issue is not with Azure's handling but with the container image's behavior.

Exam trap

The trap here is that candidates assume `--secure-environment-variables` fully protects the variable from any exposure, but it only masks it in Azure's management plane, not from the container's own logging or process environment.

How to eliminate wrong answers

Option A is wrong because the correct flag is `--secure-environment-variables` (with a hyphen), and the exhibit shows it spelled correctly; a misspelling would cause a CLI parsing error, not silent exposure in logs. Option B is wrong because `--secure-environment-variables` is indeed supported for ACI (since API version 2018-10-01) and correctly masks values in Azure CLI output and portal. Option C is wrong because special characters in environment variable values require proper escaping in the shell command, but this would cause a syntax error or incorrect value assignment, not exposure in logs after successful deployment.
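The exposure described in this question, as an added example that is not part of the original question bank: a startup routine that dumps its environment next to two mitigations inside the image, redaction by variable name and a logging filter that masks known secret values. The environment values, the name pattern and all function names are constructed for illustration.

```python
import io
import logging
import re

# Constructed sample environment, as the container process would see it at startup.
SAMPLE_ENV = {
    "APP_MODE": "prod",
    "DB_HOST": "sql.example.internal",
    "DB_PASSWORD": "Constructed-Passw0rd!",
}
# Assumed naming convention for sensitive variables; adjust to the image's own names.
SENSITIVE_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|KEY|CONNECTION_STRING", re.I)


def dump_env_unsafe(env, log):
    """The pattern from the question: the image logs every variable at startup."""
    for name in sorted(env):
        log.info("env %s=%s", name, env[name])


def dump_env_redacted(env, log):
    """Same diagnostic output, but values of sensitive-looking names are never written."""
    for name in sorted(env):
        shown = "***" if SENSITIVE_NAME.search(name) else env[name]
        log.info("env %s=%s", name, shown)


class SecretValueFilter(logging.Filter):
    """Second layer: mask known secret values wherever they appear in a log record."""

    def __init__(self, secret_values):
        super().__init__()
        self._secrets = [v for v in secret_values if v]

    def filter(self, record):
        message = record.getMessage()  # format first, so values passed as args are covered
        for value in self._secrets:
            message = message.replace(value, "***")
        record.msg, record.args = message, None
        return True


def capture(name, emit, log_filter=None):
    """Run emit(logger) and return what would have reached the container log."""
    buffer = io.StringIO()
    handler = logging.StreamHandler(buffer)
    if log_filter is not None:
        handler.addFilter(log_filter)
    log = logging.getLogger(name)
    log.handlers = [handler]
    log.propagate = False
    log.setLevel(logging.INFO)
    emit(log)
    return buffer.getvalue()


def run_demo(env=SAMPLE_ENV):
    secrets = [v for k, v in env.items() if SENSITIVE_NAME.search(k)]
    return {
        "unsafe": capture("demo.unsafe", lambda log: dump_env_unsafe(env, log)),
        "redacted": capture("demo.redacted", lambda log: dump_env_redacted(env, log)),
        "filtered": capture(
            "demo.filtered",
            lambda log: dump_env_unsafe(env, log),
            SecretValueFilter(secrets),
        ),
    }


if __name__ == "__main__":
    for label, text in run_demo().items():
        print(f"--- {label} ---\n{text}", end="")
```

The filter also covers the password when it shows up somewhere other than the startup dump, such as inside an exception message that echoes a connection string.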

24
MCQmedium

Your organization runs a critical e-commerce application on Azure App Service. The application uses a Standard App Service plan with three instances. During a flash sale, traffic spikes cause some requests to fail with HTTP 503 errors. The operations team reports that the app's CPU usage reaches 95% during spikes. You need to ensure the application remains responsive without manual intervention. The solution must minimize cost while handling unpredictable traffic patterns. You evaluate the following options: A) Enable autoscale to scale out based on CPU usage threshold of 70%, with a maximum of 10 instances. B) Change the App Service plan to Premium v3 and enable zone redundancy. C) Implement a queue-based load leveling pattern using Azure Queue Storage and a background process. D) Use Azure Front Door with a Web Application Firewall (WAF) policy to distribute traffic. Which option should you recommend?

A.Use Azure Front Door with a Web Application Firewall (WAF) policy to distribute traffic.
B.Enable autoscale to scale out based on CPU usage threshold of 70%, with a maximum of 10 instances.
C.Implement a queue-based load leveling pattern using Azure Queue Storage and a background process.
D.Change the App Service plan to Premium v3 and enable zone redundancy.
AnswerB

Autoscale handles spikes cost-effectively.

Why this answer

Option B is correct because enabling autoscale on the Standard App Service plan allows the application to automatically scale out from 3 to up to 10 instances when CPU exceeds 70%, handling traffic spikes without manual intervention. This minimizes cost by only adding instances when needed, and the Standard plan supports autoscale natively, making it the most cost-effective solution for unpredictable traffic patterns.

Exam trap

The trap here is that candidates often confuse traffic distribution solutions (like Azure Front Door) with scaling solutions, or assume that upgrading the plan is necessary for high availability, when autoscale on the existing Standard plan is the most cost-effective and direct fix for CPU-driven 503 errors.

How to eliminate wrong answers

Option A is wrong because Azure Front Door with WAF is a global load balancer and security layer that distributes traffic across endpoints but does not scale the underlying App Service instances; it would not resolve CPU saturation causing 503 errors. Option C is wrong because a queue-based load leveling pattern decouples request processing but introduces latency and complexity for a synchronous e-commerce application where users expect immediate responses, and it does not directly address CPU spikes on the web tier. Option D is wrong because changing to Premium v3 and enabling zone redundancy improves availability and performance but significantly increases cost and does not provide dynamic scaling based on CPU usage; it is overprovisioning for unpredictable spikes.

25
MCQeasy

You need to deploy a container that runs a simple web server on Azure Container Instances. The container should be accessible via a public IP address. Which property should you set in the container group configuration?

A.ipAddress.type = "Public"
B.osType = "Linux"
C.restartPolicy = "Always"
D.volumes.mountPath = "/mnt"
AnswerA

This property explicitly requests a public IP address for the container group, enabling external access.

Why this answer

To make a container group accessible from the internet via a public IP address, you must set the `ipAddress.type` property to `"Public"`. This instructs Azure Container Instances to assign a public IP and optionally a fully qualified domain name (FQDN) to the container group, allowing inbound traffic from the internet to reach the container's exposed ports.

Exam trap

The trap here is that candidates often confuse operational settings like OS type or restart policy with networking configuration, mistakenly thinking they influence public accessibility, when in fact only the `ipAddress.type` property controls public IP assignment in Azure Container Instances.

How to eliminate wrong answers

Option B is wrong because `osType` (e.g., "Linux" or "Windows") determines the underlying operating system for the container, not its network accessibility; a public IP can be assigned regardless of the OS type. Option C is wrong because `restartPolicy` (e.g., "Always") controls whether the container restarts after it exits, not its network exposure; it does not affect public IP assignment. Option D is wrong because `volumes.mountPath` specifies where a volume is mounted inside the container for persistent storage, which has no bearing on making the container publicly reachable.

26
MCQmedium

An Azure Functions image resize worker must run for up to 30 minutes and uses a VNet integration feature. The team wants serverless scaling without managing virtual machines. Which hosting plan should be used? The design must avoid adding custom operational scripts.

A.App Service Free tier
B.Premium plan
C.Azure Batch pool
D.Consumption plan
AnswerB

The Premium plan supports longer execution duration, VNet integration, pre-warmed instances, and serverless scale.

Why this answer

The Premium plan is correct because it supports VNet integration, allows execution durations up to 30 minutes (unlike the Consumption plan's 10-minute default), and provides serverless scaling without requiring you to manage virtual machines or add custom operational scripts. It is the only plan that combines these capabilities for a long-running, VNet-connected function.

Exam trap

The trap here is that candidates often assume the Consumption plan is the only serverless option, forgetting that the Premium plan also provides serverless scaling with additional features like VNet integration and extended execution duration.

How to eliminate wrong answers

Option A is wrong because the App Service Free tier does not support VNet integration and has strict resource limits (e.g., 1 GB memory, 60 minutes of CPU per day) that cannot sustain a 30-minute image resize worker. Option C is wrong because Azure Batch requires you to manage a pool of virtual machines or use a job scheduler, which adds operational scripts and contradicts the requirement to avoid managing VMs. Option D is wrong because the Consumption plan has a maximum execution timeout of 10 minutes (configurable up to 10 minutes by default) and does not support VNet integration without a dedicated plan.

27
MCQhard

You run the above command. The web app is connected to a GitHub repository via Continuous Deployment. You push a new commit to the 'main' branch, but the web app does not update. What is the most likely cause?

A.The repository is Mercurial, not Git.
B.The GitHub webhook is not configured to trigger on push events.
C.The deployment rollback is enabled and blocking new deployments.
D.The 'branch' property is set to 'main', but the actual branch is 'master'.
AnswerB

Without a webhook, Azure App Service is not notified of new commits.

Why this answer

The web app is configured for Continuous Deployment via GitHub, which relies on a webhook to notify Azure App Service of new commits. When a push event occurs on the 'main' branch, the webhook must be configured to trigger the deployment. If the webhook is not set to fire on push events, Azure will never receive the notification, and the app will not update despite the new commit.

Exam trap

The trap here is that candidates may assume the webhook is automatically configured correctly when setting up Continuous Deployment, but Azure requires explicit event selection, and a missing 'push' event trigger is a frequent oversight.

How to eliminate wrong answers

Option A is wrong because Azure App Service's Continuous Deployment from GitHub only supports Git repositories; Mercurial is not supported, so the connection would have failed at setup, not silently after a push. Option C is wrong because deployment rollback is a feature that allows reverting to a previous deployment, but it does not block new deployments; it only affects the ability to swap slots or revert after a deployment completes. Option D is wrong because if the 'branch' property were set to 'main' but the actual branch were 'master', the webhook would still trigger on push events to 'master', but the deployment would fail or not match; however, the question states the push is to 'main', and the web app is connected to the repository, so the branch mismatch would cause a deployment failure, not a silent lack of update.

28
MCQmedium

You are deploying a containerized application to Azure Container Instances (ACI). The application requires a connection string to an Azure SQL Database. The connection string contains a password that is stored as a secret in Azure Key Vault. The container image expects to read the connection string from an environment variable named SQL_CONNECTION_STRING. You want to pass the secret securely without embedding it in the YAML deployment file and without modifying the container image. The ACI container group will use a system-assigned managed identity that has access to the Key Vault secret. Which approach should you use?

A.Mount a volume from Azure Files containing the connection string
B.Use a secure environment variable with a Key Vault reference syntax (e.g., secret://myvault/secretname)
C.Use the managed identity inside the container to call the Key Vault SDK and retrieve the secret
D.Store the connection string as an environment variable in ACI configuration but mark it as secure
AnswerB

ACI resolves the Key Vault reference at runtime using the managed identity, keeping the secret out of the deployment definition and requiring no image changes.

Why this answer

Option B is correct because Azure Container Instances supports Key Vault references in environment variables using the `secret://` syntax, which allows you to securely inject secrets into containers at runtime without exposing them in the deployment YAML. The system-assigned managed identity is automatically used by the ACI infrastructure to authenticate to Key Vault and retrieve the secret, so no code changes to the container image are required.

Exam trap

The trap here is that candidates often assume they must write code inside the container to use the managed identity with the Key Vault SDK, but ACI provides a built-in mechanism to inject secrets as environment variables without any code changes.

How to eliminate wrong answers

Option A is wrong because mounting a volume from Azure Files would require the connection string to be stored in a file, which still exposes the secret in the storage account and does not leverage Key Vault for secret management. Option C is wrong because using the managed identity inside the container to call the Key Vault SDK would require modifying the container image to include code for secret retrieval, which violates the requirement of not modifying the image. Option D is wrong because marking an environment variable as 'secure' in ACI only hides its value in the Azure portal and logs, but the secret is still embedded in the deployment configuration and can be retrieved by anyone with access to the resource definition.

29
MCQeasy

You deploy a containerized application to Azure Container Instances (ACI). The application needs to store configuration settings that might change at runtime. You need to update the configuration without redeploying the container. What should you do?

A.Use environment variables in the container group
B.Mount an Azure Files share and update the configuration file
C.Use Application Settings in the container
D.Modify the container image to include new configuration
AnswerA

Environment variables can be updated by restarting the container group with new values.

Why this answer

Environment variables in Azure Container Instances (ACI) can be set at container group creation or updated by redeploying the container group with new values. They are accessible at runtime without modifying the container image, allowing configuration changes without a full redeploy. This is the recommended approach for dynamic configuration in ACI because environment variables are lightweight, secure, and natively supported by the container runtime.

Exam trap

The trap here is that candidates confuse Azure Container Instances with Azure App Service, mistakenly selecting 'Application Settings' (Option C) which is an App Service feature, not available in ACI.

How to eliminate wrong answers

Option B is wrong because mounting an Azure Files share and updating a configuration file requires the application to watch for file changes and reload configuration, which adds complexity and is not a built-in ACI feature for runtime updates without redeployment. Option C is wrong because 'Application Settings' is an Azure App Service concept, not applicable to Azure Container Instances; ACI does not have an Application Settings blade. Option D is wrong because modifying the container image to include new configuration requires rebuilding, pushing to a registry, and redeploying the container group, which contradicts the requirement to avoid redeployment.

30
Multi-Selectmedium

Which TWO options are valid ways to authenticate an Azure Functions app to Azure Storage when using a managed identity? (Choose two.)

Select 2 answers
A.Enable system-assigned managed identity on the function app and grant it the 'Storage Blob Data Contributor' role
B.Generate a shared access signature (SAS) token and include it in the connection string
C.Use the storage account access key in the connection string
D.Create a user-assigned managed identity, assign it to the function app, and grant it the 'Storage Queue Data Contributor' role
E.Use the default AzureWebJobsStorage connection string from the function app settings
AnswersA, D

System-assigned managed identity is tied to the function app and can be granted RBAC roles.

Why this answer

Option A is correct because enabling a system-assigned managed identity on the function app allows it to authenticate to Azure Storage without storing credentials. Granting the 'Storage Blob Data Contributor' role to that identity via Azure RBAC authorizes the function app to perform blob data operations (read, write, delete) using Azure AD tokens, which are automatically managed by the Azure platform.

Exam trap

The trap here is that candidates may confuse 'managed identity' with any non-key-based method (like SAS tokens) or assume the default AzureWebJobsStorage connection string automatically uses managed identity, when in fact it defaults to a key-based connection unless explicitly configured for identity-based authentication.

31
MCQmedium

An Azure Functions IoT command API must run for up to 30 minutes and uses a VNet integration feature. The team wants serverless scaling without managing virtual machines. Which hosting plan should be used?

A.Azure Batch pool
B.Consumption plan
C.App Service Free tier
D.Premium plan
AnswerD

The Premium plan supports longer execution duration, VNet integration, pre-warmed instances, and serverless scale.

Why this answer

The Premium plan (Elastic Premium EP) is the correct choice because it supports VNet integration for accessing resources inside a virtual network, allows execution durations up to 30 minutes (the Consumption plan caps at 10 minutes by default), and provides serverless scaling without requiring you to manage virtual machines. This plan also offers always-ready instances to reduce cold start latency, which is critical for IoT command APIs.

Exam trap

The trap here is that candidates often assume the Consumption plan supports VNet integration and long timeouts because it is the default serverless option, but they overlook the explicit 10-minute timeout limit and the lack of native VNet integration without a dedicated gateway.

How to eliminate wrong answers

Option A is wrong because Azure Batch pool is designed for large-scale parallel and high-performance computing jobs, not for hosting a single long-running API with serverless scaling, and it requires managing virtual machine pools. Option B is wrong because the Consumption plan has a maximum execution timeout of 10 minutes (configurable up to 10 minutes) and does not support VNet integration for outbound traffic without additional configuration like a VNet NAT gateway, making it unsuitable for a 30-minute API. Option C is wrong because the App Service Free tier does not support VNet integration, has a 60-second request timeout, and lacks serverless scaling (it runs on shared, fixed-capacity VMs).

32
MCQhard

Refer to the exhibit. You have an Azure App Service that uses the authentication settings shown. Users report that they are repeatedly prompted to sign in even after authenticating. What is the most likely cause?

A.The 'allowedAudiences' is missing the App Service URL.
B.The 'loginParameters' does not include 'offline_access'.
C.The 'issuer' URL is incorrect; it should be a tenant-specific endpoint.
D.No 'tokenRefreshEndpoint' is configured for session management.
AnswerD

Without a refresh endpoint or session management, tokens expire and prompt re-authentication.

Why this answer

Option D is correct because the absence of a 'tokenRefreshEndpoint' in the authentication configuration prevents the App Service from automatically refreshing the user's session token. Without this endpoint, the token expires after its lifetime (typically 1 hour for Azure AD access tokens), causing the user to be repeatedly prompted to sign in again. Configuring a token refresh endpoint enables the use of refresh tokens to silently obtain new access tokens, maintaining the session without user interaction.

Exam trap

The trap here is that candidates often confuse the need for 'offline_access' scope (which requests a refresh token) with the need for a configured 'tokenRefreshEndpoint' (which actually uses that refresh token to silently renew the session).

How to eliminate wrong answers

Option A is wrong because the 'allowedAudiences' parameter is used to validate the token's audience claim, not to control session persistence; missing the App Service URL here would cause authentication failures, not repeated sign-in prompts. Option B is wrong because 'offline_access' in 'loginParameters' is required to request a refresh token, but the question states users are repeatedly prompted after authenticating, implying the initial authentication succeeds; the issue is that no token refresh endpoint is configured to use that refresh token. Option C is wrong because the 'issuer' URL being tenant-specific is about token validation, not session refresh; an incorrect issuer would cause authentication to fail entirely, not just prompt re-authentication after a successful login.

33
Multi-Selecthard

Which THREE considerations are important when designing a solution using Azure Functions with a Consumption plan for a latency-sensitive application?

Select 3 answers
A.Cold start latency may impact initial requests.
B.Function execution timeout is limited to 10 minutes.
C.Scaling may not be instantaneous, causing latency spikes.
D.Always-on feature must be enabled to avoid cold starts.
E.Pre-warmed instances can be configured to reduce latency.
AnswersA, B, C

Cold starts add latency to first request.

Why this answer

A is correct because Azure Functions on the Consumption plan can experience cold starts when a function app is idle or after scaling down to zero instances. During a cold start, the runtime must load the function host, load dependencies, and execute the function code, which adds latency that can be unacceptable for latency-sensitive applications. This delay occurs because the Consumption plan does not keep instances warm when there is no traffic.

Exam trap

The trap here is that candidates often confuse the features of the Consumption plan with those of the Premium plan, mistakenly thinking Always-on or pre-warmed instances are available in the Consumption plan, when they are exclusive to higher-tier plans.

34
MCQmedium

You find the above ARM template for an App Service. What is a security concern with this configuration?

A.The connection string is stored in the source code.
B.The password is passed as a parameter and may be exposed in deployment logs.
C.The connection string type should be 'Custom' instead of 'SQLAzure'.
D.The connection string is not encrypted at rest.
AnswerB

Parameters can be logged, exposing the password.

Why this answer

Option B is correct because the connection string includes the password as a parameter, which may be stored in plain text in the ARM template parameters file or deployment history. Option C is wrong because the connection string uses the SQLAzure type, which is correct. Option D is wrong because the connection string is encrypted at rest in App Service; the issue is at deployment time.

Option A is wrong because the connection string is stored in App Service configuration, not in source code; it is the ARM template that exposes the password.

35
MCQhard

You are designing a solution that uses Azure Container Instances (ACI) to run a batch job that processes images. The job is triggered by a message in Azure Queue Storage. Each image takes about 5 minutes to process. You need to ensure that the container runs only when there are messages in the queue and scales automatically. What should you use?

A.Use Azure Logic Apps with a Container Instances connector.
B.Use Azure Functions with a custom container and queue trigger.
C.Use Azure Batch to process the images in a pool of VMs.
D.Deploy the image processing job as a pod in Azure Kubernetes Service.
AnswerA

Logic Apps can trigger on queue messages and start ACI containers per message.

Why this answer

Option A is correct because Azure Logic Apps provides a serverless workflow that can be triggered by a queue message (via the Azure Queue Storage connector) and then use the Container Instances connector to start a container group. This ensures the container runs only when messages are present and scales automatically by creating a new container instance per message, matching the requirement for event-driven, on-demand execution without idle costs.

Exam trap

The trap here is that candidates often assume Azure Functions is the only serverless option for queue-triggered workloads, overlooking that Logic Apps can directly orchestrate ACI creation without writing custom code, which is simpler and more aligned with the requirement to 'run the container only when there are messages'.

How to eliminate wrong answers

Option B is wrong because Azure Functions with a custom container and queue trigger runs the function code inside the container, but it does not directly orchestrate the creation of a separate ACI container for each batch job; the function would need to manage ACI lifecycle manually, adding complexity and not leveraging ACI's native scaling. Option C is wrong because Azure Batch is designed for large-scale parallel batch processing with a pool of VMs, which is overkill for a simple queue-triggered job and introduces unnecessary overhead for managing a VM pool. Option D is wrong because Azure Kubernetes Service (AKS) is a full orchestration platform for containerized applications, requiring cluster management and scaling configuration, which is excessive for a single batch job that should run only on demand; it does not natively integrate with Azure Queue Storage triggers without additional components like KEDA.

36
MCQeasy

You are deploying a containerized application using Azure Kubernetes Service (AKS). You need to ensure that sensitive configuration data, such as API keys, is not stored in container images. Which Kubernetes resource should you use?

A.Deployment
B.ConfigMap
C.PersistentVolume
D.Secret
AnswerD

Secrets store sensitive data.

Why this answer

Option D is correct because Kubernetes Secrets are specifically designed to store sensitive data like API keys, connection strings, and passwords. They are stored in etcd as base64-encoded values (and can be encrypted at rest) and are injected into pods as environment variables or mounted as volumes, ensuring the sensitive data never resides in the container image.

Exam trap

The trap here is that candidates often confuse ConfigMaps with Secrets, assuming both are interchangeable for configuration, but ConfigMaps store data in plain text and are not secure for sensitive information, while Secrets provide base64 encoding and optional encryption for sensitive data.

How to eliminate wrong answers

Option A is wrong because a Deployment manages replica sets and pod lifecycle, but it does not provide any mechanism for storing or injecting sensitive configuration data. Option B is wrong because ConfigMaps store non-sensitive configuration data in plain text (base64-encoded but not encrypted by default) and are not intended for secrets; using a ConfigMap for API keys would expose them in plain text. Option C is wrong because a PersistentVolume provides storage for stateful workloads (e.g., databases) but is not designed for injecting sensitive configuration into pods; it would require manual management of secret files and does not integrate with Kubernetes RBAC or encryption for secrets.

37
MCQmedium

You have an Azure Function app that processes orders. The function uses a queue trigger from Azure Storage. Recent load tests show that the function is not scaling out fast enough under high load. What should you do to improve scaling?

A. In the function code, increase the number of retries on failure
B. In host.json, increase the batchSize and increase the newBatchThreshold
C. In host.json, increase the batchSize and decrease the newBatchThreshold
D. Switch from Consumption plan to Premium plan
Answer: B

Correct: Larger batchSize means each function instance grabs more messages, and higher newBatchThreshold triggers scale-out sooner.

Why this answer

Option B is correct because increasing the batchSize and newBatchThreshold in host.json allows the Azure Functions runtime to fetch more messages per polling cycle and trigger more parallel function instances sooner. This directly improves scaling velocity under high load by reducing the latency between message arrival and processing, which is the core issue identified in the load test.

Exam trap

The trap here is that candidates often confuse scaling improvements with plan upgrades (Premium vs. Consumption) or retry logic, when the real solution lies in tuning the queue trigger's batch processing parameters in host.json.

How to eliminate wrong answers

Option A is wrong because increasing the number of retries on failure does not affect scaling speed; it only affects fault tolerance for individual message processing failures. Option C is wrong because decreasing newBatchThreshold would cause the runtime to wait longer before fetching a new batch, which would actually slow down scaling and worsen the problem. Option D is wrong because switching to Premium plan provides more predictable scaling and VNET integration but does not inherently improve scaling speed; the bottleneck here is the queue trigger configuration, not the hosting plan.

38
MCQ · easy

You are deploying a containerized application to Azure Container Instances. The application requires a custom domain name and SSL/TLS certificate. What should you do?

A. Place an Azure Application Gateway in front of the container group.
B. Configure the container to listen on port 443 and map a custom domain.
C. Upload the certificate to the container and configure the web server.
D. Use a private endpoint with a custom domain.
Answer: A

Application Gateway can terminate SSL and route based on hostname.

Why this answer

Azure Container Instances (ACI) does not natively support custom domain names or SSL/TLS termination. By placing an Azure Application Gateway in front of the container group, you can offload SSL/TLS termination at the gateway layer, map a custom domain via the gateway's frontend IP, and route traffic to the container group's private IP. This is the recommended pattern for adding HTTPS and custom domains to ACI workloads.

Exam trap

The trap here is that candidates assume Azure Container Instances supports custom domains and SSL/TLS natively, similar to Azure App Service, but ACI lacks these features, requiring an external load balancer or gateway like Application Gateway.

How to eliminate wrong answers

Option B is wrong because simply configuring the container to listen on port 443 and mapping a custom domain does not provide SSL/TLS termination; ACI does not support binding a custom domain or certificate directly to the container group's public IP. Option C is wrong because uploading a certificate to the container and configuring the web server would require managing the certificate lifecycle inside the container, but ACI still cannot expose a custom domain name on its public endpoint; the container's FQDN is auto-generated and cannot be changed. Option D is wrong because a private endpoint with a custom domain only enables private connectivity within a virtual network; it does not expose the container group to the internet with a custom domain and SSL/TLS certificate.

39
Multi-Select · easy

You are creating an Azure Functions app that uses a Blob Storage trigger to process new files. The function must process files only when they are completely written (i.e., no ongoing writes). You need to avoid processing partially written files. Which TWO configurations should you consider?

Select 2 answers
A. Increase the 'BatchSize' to reduce the frequency of trigger evaluations.
B. Check the blob's 'LastModified' timestamp in the function code to verify no recent changes.
C. Use a timer-triggered function that lists blobs and processes those with a stable size.
D. Use the 'BlobTrigger' with the 'LeaseBlob' property set to 'True'.
E. Set the 'ScanBlob' property to 'True' in the trigger binding.
Answers: D, E

LeaseBlob ensures the blob is committed and not being written.

Why this answer

Option D is correct because setting the 'LeaseBlob' property to 'True' in the BlobTrigger binding acquires a lease on the blob before processing, ensuring that no other process (including ongoing writes) can modify the blob. This prevents processing partially written files. Option E is correct because setting 'ScanBlob' to 'True' forces the trigger to scan the blob's metadata and content to verify it is complete before firing, which helps avoid triggering on incomplete writes.

Exam trap

The trap here is that candidates often confuse 'BatchSize' or 'LastModified' checks as solutions for partial writes, when in fact the correct native mechanisms are blob leasing and scan verification, which are directly configurable in the trigger binding.

40
MCQ · hard

You are building a serverless API using Azure Functions with an HTTP trigger. The API must authenticate requests using Microsoft Entra ID (formerly Azure AD). You need to validate the token in the function code. Which component should you use?

A. Configure the Azure Functions host to use Microsoft Entra ID authentication.
B. Use the Microsoft Authentication Library (MSAL) to validate the token.
C. Use the Microsoft.Identity.Web library to validate the token.
D. Use Azure AD B2C to validate the token.
Answer: C

Microsoft.Identity.Web provides token validation for Microsoft Entra ID tokens.

Why this answer

Option C is correct because Microsoft.Identity.Web is the recommended library for integrating Azure Functions with Microsoft Entra ID. It provides built-in token validation, including signature verification, issuer validation, and audience checking, by leveraging the same middleware used in ASP.NET Core. This library simplifies the process of validating JWT tokens issued by Microsoft Entra ID without requiring manual token parsing or validation logic.

Exam trap

The trap here is that candidates often confuse MSAL (for token acquisition) with token validation libraries, or assume that host-level Easy Auth (Option A) is equivalent to in-code validation, when the question explicitly requires validation within the function code.

How to eliminate wrong answers

Option A is wrong because configuring the Azure Functions host to use Microsoft Entra ID authentication (Easy Auth) offloads authentication to the host layer, but the question specifically requires validating the token in the function code, not at the host level. Option B is wrong because MSAL is designed for acquiring tokens, not for validating them; it does not include token validation APIs, and using it for validation would be incorrect and unsupported. Option D is wrong because Azure AD B2C is a separate identity service for customer-facing applications with custom policies, not the appropriate choice for validating tokens from Microsoft Entra ID in a serverless API.

41
MCQ · hard

You are a developer at a financial services company. You need to design a solution for processing real-time stock trade data. The system receives thousands of trades per second from an on-premises system. Each trade must be validated, enriched with reference data, and then stored in a data lake for analytics. You have the following requirements:

- The processing must be serverless and scale automatically with high throughput.
- The enrichment step requires calling an external REST API that can handle up to 100 requests per second. If the API is overwhelmed, trades must be retried with exponential backoff.
- The solution must minimize cost and operational overhead.
- Trades must be processed in order per stock symbol.

You provision an Azure Event Hubs namespace with a single event hub. Trades are sent to the event hub with the stock symbol as the partition key. You configure an Azure Functions app with an Event Hubs trigger to process events. The function validates, enriches by calling the external API, and writes the enriched trade to Azure Data Lake Storage. During testing, you notice that some trades are processed out of order for the same stock symbol when the external API throttles requests. What should you do to ensure ordering per stock symbol?

A. Use Durable Functions to orchestrate the processing and enforce ordering.
B. Increase the 'maxEventBatchSize' setting to 100 in the host.json file to improve throughput.
C. Set the 'maxEventBatchSize' to 1 in the host.json file to process one event at a time per instance.
D. Use a different partition key such as a unique trade ID to distribute load evenly.
Answer: C

Ensures sequential processing per partition, preserving order.

Why this answer

Option C is correct. To maintain ordering per stock symbol, you need to ensure that all events for a given symbol are processed by a single function instance. Event Hubs partitions guarantee ordering within a partition.

By using the stock symbol as the partition key, all trades for the same symbol go to the same partition. If the function scales out to multiple instances, the Event Hubs trigger may distribute partitions across instances, but each partition is processed by only one instance at a time. The issue is that when the external API throttles, the function may retry the event, and during the retry other events from the same partition might be processed by the same instance out of order if the function does not wait for the retry to complete before processing the next events.

By setting 'maxEventBatchSize' to 1 in host.json, you ensure that only one event is processed at a time per function instance, preventing out-of-order processing.

How to eliminate wrong answers

Option A is wrong because Durable Functions add complexity and are not needed for simple ordering. Option B is wrong because increasing batch size would increase concurrency and worsen ordering. Option D is wrong because using a different partition key would scatter events for the same symbol across partitions, breaking ordering.

42
Multi-Select · medium

You are deploying a containerized application to Azure Container Instances (ACI). Which TWO actions should you take to ensure the container can securely access an Azure Key Vault?

Select 2 answers
A. Pass secrets as environment variables
B. Enable a managed identity for the container group
C. Mount a volume that maps to a Key Vault secret store
D. Register the container with an Azure AD application
E. Configure a custom DNS server
Answers: B, C

Correct: Managed identity allows secure access to Key Vault.

Why this answer

Option B is correct because enabling a managed identity for the container group allows the container to authenticate to Azure Key Vault without storing any credentials in the container image or code. The managed identity is automatically integrated with Azure AD, and the container can request an access token from the Azure Instance Metadata Service (IMDS) endpoint at 169.254.169.254. This token is then used to authorize requests to Key Vault, ensuring secrets are never exposed in environment variables or configuration files.

Exam trap

The trap here is that candidates often assume environment variables are a secure way to pass secrets, but Azure explicitly recommends against this in ACI because environment variables can be viewed in the container's metadata and logs, whereas managed identities and volume mounts provide secure, auditable access without embedding secrets.

43
MCQ · medium

You have an Azure Function app that uses an Event Hubs trigger. The function processes events in batches. You notice that some events are being processed more than once. Which setting should you adjust to minimize duplicate processing?

A. Increase the maxRetries per event
B. Enable checkpointing in the function code
C. Increase the event batch size
D. Decrease the prefetch count
Answer: B

Correct: Checkpointing saves the offset so events are not reprocessed.

Why this answer

Option B is correct because checkpointing in Azure Event Hubs stores the offset of the last successfully processed event in a durable store (e.g., Azure Blob Storage). When the function restarts or scales, it resumes from that checkpoint, preventing reprocessing of already-handled events. Without checkpointing, the default behavior may start from the earliest offset or use the `latest` position, leading to duplicate processing.

Exam trap

The trap here is that candidates often confuse retry policies or batch sizes with the checkpointing mechanism, not realizing that duplicate processing in Event Hubs is typically caused by missing or infrequent checkpointing, not by event handling failures.

How to eliminate wrong answers

Option A is wrong because increasing `maxRetries` per event only controls how many times a failed event is retried, not the root cause of duplicate processing from checkpointing gaps. Option C is wrong because increasing the event batch size processes more events per invocation but does not affect whether events are reprocessed after a restart or scaling event. Option D is wrong because decreasing the prefetch count reduces the number of events buffered locally, which can reduce the chance of duplicates from a crash during processing, but it does not address the fundamental need for checkpointing to persist progress across function restarts.

44
Multi-Select · medium

Which THREE features are supported by Azure Container Apps? (Select three.)

Select 3 answers
A. Virtual network (VNet) injection.
B. Mounting Azure NetApp Files volumes.
C. Event-driven scaling using KEDA.
D. Blue-green deployment with revisions.
E. Integration with Dapr (Distributed Application Runtime).
Answers: C, D, E

KEDA is integrated for scaling based on events.

Why this answer

Azure Container Apps uses KEDA (Kubernetes Event-Driven Autoscaling) to scale containers based on event-driven metrics such as queue depth, HTTP request count, or custom Prometheus metrics. This allows containers to scale to zero when idle and scale out rapidly based on real-time demand, making it ideal for event-driven workloads.

Exam trap

The trap here is that candidates often confuse Azure Container Apps with Azure Kubernetes Service (AKS) and assume VNet injection and NetApp Files are supported, but Container Apps abstracts the underlying Kubernetes layer and restricts these advanced networking and storage features.

45
Multi-Select · medium

You are designing a solution that uses Azure Functions to process messages from an Azure Service Bus queue. Which TWO configurations can improve the throughput of the function?

Select 1 answer
A. Set maxDeliveryCount to a higher value
B. Set maxMessagesPerBatch to a higher value
C. Set newBatchThreshold to a lower value
D. Set maxMessagesPerBatch to a lower value
E. Set maxEventBatchSize to a higher value
Answers: B

Correct: Allows more messages per function execution.

Why this answer

Increasing maxMessagesPerBatch allows the Azure Functions Service Bus trigger to retrieve more messages in a single batch from the queue, reducing the number of round trips to the Service Bus namespace. This directly improves throughput by enabling the function to process multiple messages concurrently within the same function invocation, assuming the function code can handle parallel processing efficiently.

Exam trap

The trap here is that candidates confuse maxMessagesPerBatch with maxEventBatchSize, which is specific to Event Hubs, or assume that lowering thresholds like newBatchThreshold improves throughput when it actually increases fetch frequency and overhead.

46
MCQ · medium

You are deploying a sensitive configuration to Azure Container Instances. The configuration must be encrypted at rest and not visible in the container logs. What should you use?

A. Environment variables in the container group
B. Azure Key Vault with managed identity and secret volumes
C. Azure Files volume mounted into the container
D. ConfigMap in a Kubernetes cluster
Answer: B

Correct. This approach ensures secrets are encrypted in Key Vault, mounted as volumes, and not exposed in logs.

Why this answer

Azure Key Vault with managed identity and secret volumes is the correct choice because it allows you to mount secrets as files into the container without exposing them in environment variables or logs. The secrets are encrypted at rest in Key Vault and are only accessible via a managed identity assigned to the container group, ensuring the configuration remains secure and invisible in container logs.

Exam trap

The trap here is that candidates often choose environment variables (Option A) because they are easy to implement, but they overlook the requirement that the configuration must not be visible in container logs, which environment variables inherently violate.

How to eliminate wrong answers

Option A is wrong because environment variables in the container group are visible in the container logs and can be exposed through the Azure portal or CLI, failing the requirement to not be visible in logs. Option C is wrong because Azure Files volumes are not encrypted at rest by default (unless using Azure Storage Service Encryption, but the configuration data would still be visible in the container's file system and potentially in logs if accessed). Option D is wrong because ConfigMap is a Kubernetes concept and does not apply to Azure Container Instances, which is a serverless container service without Kubernetes orchestration.

47
MCQ · medium

Your company develops a microservices application deployed to Azure Kubernetes Service (AKS). You need to enable secure communication between services using managed identities. Which Azure service should you use to manage the identities and access control for the pods?

A. Azure Service Bus
B. Microsoft Entra Workload ID
C. Azure Key Vault
D. Azure Policy
Answer: B

Entra Workload ID (formerly Azure AD Pod Identity) assigns managed identities to AKS pods for secure service-to-service communication.

Why this answer

Microsoft Entra Workload ID (formerly Azure AD Workload Identity) is the correct choice because it integrates with Kubernetes to automatically project an Azure AD-managed identity into each pod. This allows pods to authenticate to Azure resources (e.g., Key Vault, Storage) without managing secrets, using federated identity credentials that map a Kubernetes service account to an Azure AD application or user-assigned managed identity.

Exam trap

The trap here is that candidates often confuse Azure Key Vault (a secret store) with identity management, but Key Vault cannot authenticate pods—it requires an identity service like Workload ID to grant access to its secrets.

How to eliminate wrong answers

Option A is wrong because Azure Service Bus is a message broker for decoupling applications, not an identity or access control service for pods. Option C is wrong because Azure Key Vault stores secrets, keys, and certificates but does not manage identities or provide pod-level authentication; it relies on an identity service like Workload ID to grant access. Option D is wrong because Azure Policy enforces compliance rules on Azure resources (e.g., requiring TLS) but cannot assign or manage managed identities for AKS pods.

48
MCQ · medium

Your company uses Azure App Service to host a web application that requires periodic database maintenance. The maintenance tasks are time-consuming and must run outside of peak hours. You need to schedule these tasks to run automatically at 2:00 AM every Sunday. The tasks should be implemented as an Azure Function that runs in the same App Service plan to reduce costs. What should you do?

A. Deploy the maintenance code as an Azure Function in the Consumption plan and configure a timer trigger.
B. Create a separate Azure Function App in the same App Service plan and configure a timer trigger.
C. Add a WebJob to the App Service that uses a scheduled trigger to run the maintenance code.
D. Use Azure Logic Apps with a recurrence trigger to call the web application's maintenance endpoint.
Answer: C

WebJobs can be scheduled and run within the same App Service plan at no extra cost.

Why this answer

Option C is correct because WebJobs in Azure App Service allow you to run background tasks on a schedule using a settings.job file with a CRON expression. Since the WebJob runs in the same App Service plan as the web application, it shares the same resources and incurs no additional cost, meeting the requirement to reduce costs. The scheduled trigger at 2:00 AM every Sunday can be configured with the CRON expression '0 0 2 * * 0'.

Exam trap

The trap here is that candidates often confuse Azure Functions with WebJobs, assuming that a timer-triggered Azure Function in the same plan is the correct choice, but they overlook that WebJobs are the native, cost-effective way to run scheduled background tasks within an existing App Service without creating a separate Function App resource.

How to eliminate wrong answers

Option A is wrong because deploying the Azure Function in the Consumption plan would incur separate costs and does not run in the same App Service plan, violating the cost-reduction requirement. Option B is wrong because creating a separate Azure Function App in the same App Service plan still requires a separate Function App resource, which adds management overhead and does not leverage the existing App Service's built-in WebJob feature for cost efficiency. Option D is wrong because Azure Logic Apps is a separate service with its own pricing model, and using it to call a maintenance endpoint would introduce additional costs and complexity, not reducing costs as required.

49
MCQ · medium

You are developing a solution that processes orders from an e-commerce website. The order processing logic is CPU-intensive and can take up to 30 seconds per order. You need to ensure that the web front-end remains responsive and that orders are processed reliably. What should you use?

A. Use Azure WebJobs to process orders in the same App Service plan.
B. Add orders to Azure Queue Storage and process them using a background worker role.
C. Use Azure Service Bus Queues with sessions for order processing.
D. Use Azure Functions with Durable Functions to manage order processing state.
Answer: B

Queue Storage decouples the front-end from processing, ensuring responsiveness and reliability.

Why this answer

Option B is correct because Azure Queue Storage provides a reliable, asynchronous message-passing mechanism that decouples the CPU-intensive order processing from the web front-end. By adding orders to a queue and processing them with a background worker (e.g., a WebJob or Worker Role), the web front-end remains responsive, and the queue ensures at-least-once delivery and durability, even if the worker fails or restarts.

Exam trap

The trap here is that candidates often choose Azure Service Bus Queues (Option C) because they assume 'reliable' messaging requires a premium service, but Azure Queue Storage is fully reliable for this scenario and simpler/cheaper, while sessions are a red herring for unordered processing.

How to eliminate wrong answers

Option A is wrong because running CPU-intensive work in the same App Service plan (via WebJobs) can still compete for resources (CPU, memory) with the web front-end, potentially causing responsiveness issues; it does not truly decouple the workload. Option C is wrong because Azure Service Bus Queues with sessions are designed for ordered, grouped message processing (e.g., FIFO per session), but the scenario does not require session-based ordering or grouping—simple reliable queuing suffices, and Service Bus adds unnecessary complexity and cost. Option D is wrong because Durable Functions are optimized for orchestrating long-running, stateful workflows with checkpoints, not for simple CPU-intensive batch processing; they introduce overhead for state management and are not the simplest or most cost-effective solution for this use case.

50
MCQ · hard

You are deploying a Docker container to Azure Container Instances (ACI). The container must use GPU resources for machine learning inference. You need to select the appropriate option to provision GPU-enabled containers. What should you do?

A. Deploy the container to a container group with a GPU-enabled SKU (e.g., NV series).
B. Mount a GPU volume from the host.
C. Use Azure Batch with GPU-enabled pools.
D. Enable container GPU support in the Dockerfile.
Answer: A

A GPU SKU in the container group resource allocation assigns a physical GPU from the Azure infrastructure to the container instance.

Why this answer

Azure Container Instances supports GPU resources only when you deploy a container group using a GPU-optimized SKU, such as the NV-series (e.g., Standard_NC6s_v3). These SKUs provide NVIDIA Tesla GPUs (e.g., K80, P100, V100) that are directly exposed to the container, enabling hardware-accelerated machine learning inference. You must specify the GPU SKU in the container group's resource requests during deployment, and the container image must include the appropriate NVIDIA CUDA drivers or runtime.

Exam trap

The trap here is that candidates confuse local Docker GPU configuration (e.g., `--gpus all` in Dockerfile or docker run) with ACI's infrastructure-level GPU provisioning, assuming that a Dockerfile directive alone will enable GPU access in ACI, when in fact the SKU selection is mandatory and overrides any local settings.

How to eliminate wrong answers

Option B is wrong because ACI does not support mounting a GPU volume from the host; GPU access is provided exclusively through the container group's SKU selection, not via volume mounts. Option C is wrong because Azure Batch with GPU-enabled pools is a separate service for batch processing, not a direct method to provision a single GPU container in ACI; the question specifically asks about ACI deployment. Option D is wrong because enabling GPU support in the Dockerfile (e.g., using `--gpus all` or NVIDIA runtime) is a local Docker configuration that does not affect ACI's provisioning; ACI ignores Dockerfile GPU directives and requires the SKU-based approach.

51
MCQ · easy

Refer to the exhibit. You deploy this ARM template to a resource group. The template fails with a 'ResourceNotFound' error. What is the most likely cause?

A. The App Service plan 'myplan' does not exist in the resource group.
B. The 'apiVersion' is incorrect.
C. The template is missing the 'dependsOn' property.
D. The 'type' property is incorrect for a web app.
Answer: A

The plan must exist or be defined in the template.

Why this answer

The ARM template references an App Service plan named 'myplan' in the 'serverFarmId' property of the Microsoft.Web/sites resource. If 'myplan' does not exist in the same resource group, the deployment fails with a 'ResourceNotFound' error because Azure Resource Manager cannot resolve the dependency on a non-existent resource. The template does not include a definition for the App Service plan, so it must already exist in the resource group.

Exam trap

Microsoft often tests the distinction between a missing resource and a missing dependency; the trap here is that candidates assume a 'ResourceNotFound' error always means a missing 'dependsOn' property, when in fact it indicates the referenced resource does not exist at all.

How to eliminate wrong answers

Option B is wrong because an incorrect 'apiVersion' typically causes a 'NoRegisteredProviderFound' or 'InvalidApiVersion' error, not a 'ResourceNotFound' error. Option C is wrong because the 'dependsOn' property is not required when referencing an existing resource by name; it is only needed to enforce deployment order when both resources are defined in the same template. Option D is wrong because the 'type' property 'Microsoft.Web/sites' is correct for a web app; an incorrect type would result in an 'InvalidResourceType' or 'ResourceNotFound' error only if the resource provider does not recognize it.

52
MCQ · hard

You deploy the above ARM template. Later, you update the web app's code by deploying a new ZIP package to Azure Blob Storage and updating the WEBSITE_RUN_FROM_PACKAGE setting with the new package URL. However, the web app continues to run the old code. What is the most likely cause?

A. The app setting name is misspelled. It should be 'WEBSITE_RUN_FROM_ZIP'.
B. The setting requires a value of '0' to enable external packages.
C. The ARM template uses an incorrect apiVersion.
D. The value '1' indicates the package is from local storage, not an external URL.
Answer: D

A value of '1' means the package is already deployed locally. To use a URL, set the value to the URL directly.

Why this answer

Option D is correct because when the WEBSITE_RUN_FROM_PACKAGE app setting is set to '1', it tells Azure App Service to use a local package stored in the site's wwwroot folder. To use an external package from Azure Blob Storage, the setting must be set to the full URL of the blob (with a SAS token if private). Keeping the value as '1' means the service ignores the new blob URL and continues to run the old local package.

Exam trap

The trap here is that candidates assume setting the value to '1' is a generic 'enable' flag, not realizing it has a specific meaning (local package) and that external packages require the full URL as the setting value.

How to eliminate wrong answers

Option A is wrong because the correct app setting name is 'WEBSITE_RUN_FROM_PACKAGE', not 'WEBSITE_RUN_FROM_ZIP'; the latter is not a recognized setting. Option B is wrong because a value of '0' disables the run-from-package feature entirely, causing the app to run from the deployed files directly, not enabling external packages. Option C is wrong because the apiVersion in the ARM template only affects deployment of the template itself, not the runtime behavior of the web app after it's deployed; an incorrect apiVersion would cause a deployment failure, not silent use of old code.

53
Multi-Select · easy

You are deploying an Azure App Service that uses a Linux container to host a custom web application. You need to configure continuous deployment from a GitHub repository. Which TWO actions should you take?

Select 2 answers
A. Set up an FTP trigger to poll the GitHub repository for changes.
B. Use the App Service built-in CI/CD feature to connect to GitHub.
C. Configure the 'Deployment Center' in the App Service to use GitHub Actions.
D. Use the Kudu service to sync with GitHub.
E. Push the container image to Docker Hub and configure webhook.
Answers: B, C

Built-in CI/CD supports GitHub.

Why this answer

Option B is correct because Azure App Service provides a built-in CI/CD feature that directly integrates with GitHub, enabling automatic deployment of code changes without additional configuration. Option C is also correct because the Deployment Center in App Service allows you to configure GitHub Actions as the CI/CD pipeline, which builds and deploys the container to the App Service on each push.

Exam trap

The trap here is that candidates may think Kudu is the only deployment engine for App Service, but for Linux containers, the built-in CI/CD and GitHub Actions are the supported methods, and Kudu is not used for GitHub sync in this scenario.

54
MCQ · easy

You are developing an API using Azure API Management (APIM). The API is backed by an Azure Function that processes requests. You need to implement caching for responses that are expensive to compute. The cache should expire after 10 minutes. What should you configure in APIM?

A. Configure Azure Redis Cache as an external cache in APIM.
B. Add a cache-lookup and cache-store policy to the API operation.
C. Implement response caching in the Azure Function code.
D. Use Azure Front Door to cache responses.
Answer: B

These policies cache responses in APIM's built-in cache.

Why this answer

Option B is correct because Azure API Management (APIM) provides built-in caching policies—`cache-lookup` and `cache-store`—that can be applied directly to an API operation. These policies cache the response from the backend (the Azure Function) and respect the `cache-control` header or a specified duration, such as 10 minutes, without requiring an external cache. This is the simplest and most direct way to implement response caching for expensive-to-compute operations within APIM.

Exam trap

The trap here is that candidates often assume an external cache like Redis is required for any caching in APIM, but the built-in cache-lookup and cache-store policies use APIM's internal cache by default, making external Redis optional and only needed for advanced scenarios like multi-region deployments or higher cache capacity.

How to eliminate wrong answers

Option A is wrong because configuring Azure Redis Cache as an external cache in APIM is an optional enhancement for scenarios requiring a distributed cache across multiple APIM instances, but it is not necessary for basic response caching; the built-in cache-lookup and cache-store policies work with APIM's internal cache by default. Option C is wrong because implementing response caching in the Azure Function code would cache responses at the function level, but the question specifically asks what to configure in APIM, and APIM caching policies provide centralized control, offload the backend, and can cache even non-cacheable responses from the function. Option D is wrong because Azure Front Door is a global load balancer and CDN that caches at the edge, not within APIM; it operates at a different layer and does not integrate with APIM's policy-based caching for API operations.

55
MCQ · medium

An IoT command API runs in Azure App Service and must call a private API hosted inside a virtual network. Which feature allows outbound access from the app to the VNet?

A. Regional VNet integration
B. Azure CDN custom domain
C. Application Gateway path routing
D. Private Endpoint for the web app only
Answer: A

Regional VNet integration enables App Service outbound connectivity to resources in a virtual network.

Why this answer

Regional VNet integration enables an Azure App Service app to make outbound calls to resources in a virtual network (VNet) using the app's outbound IP addresses. It works by injecting the app's outbound traffic into the VNet via a delegated subnet, allowing the app to reach private APIs hosted inside the VNet without exposing them to the public internet.

Exam trap

The trap here is that candidates often confuse Private Endpoint (inbound) with VNet integration (outbound), mistakenly thinking a Private Endpoint on the app allows it to call VNet resources, when in fact it only allows VNet resources to call the app.

How to eliminate wrong answers

Option B is wrong because Azure CDN custom domain is a content delivery feature that caches and serves static content from edge locations; it does not provide outbound connectivity from an App Service to a VNet. Option C is wrong because Application Gateway path routing is an inbound traffic management feature that routes external HTTP/S requests to backend pools; it does not enable outbound access from the app to the VNet. Option D is wrong because Private Endpoint for the web app only secures inbound traffic to the app from the VNet; it does not allow the app to make outbound calls to resources inside the VNet.

56
MCQ · easy

You deploy a web application to Azure App Service. You need to deploy a new version of the application without downtime and have the ability to test the new version before switching traffic. Which feature should you use?

A. Deployment slots
B. Auto-scaling
C. Backup
D. Custom domains
Answer: A

Correct. Deployment slots allow you to deploy to a staging environment and swap with production, enabling zero downtime and testing.

Why this answer

Deployment slots are live, independently running app versions in Azure App Service that allow you to deploy a new build to a staging slot, validate it with zero impact on production, and then swap it into production with instant traffic redirection. This swap operation is atomic and warm-up aware, ensuring no downtime during the transition.

Exam trap

The trap here is that candidates confuse auto-scaling with deployment strategies, thinking scaling out instances can serve new code without downtime, but auto-scaling only replicates the existing app version and does not provide a mechanism to test or switch traffic between builds.

How to eliminate wrong answers

Option B (Auto-scaling) is wrong because it adjusts the number of instances based on load metrics, not for staging or testing new code versions. Option C (Backup) is wrong because it creates point-in-time copies of app files and databases for disaster recovery, not for zero-downtime deployment or pre-production validation. Option D (Custom domains) is wrong because it maps a DNS name to the app's endpoint and has no role in deployment staging or traffic switching.

57
MCQ · hard

You are designing a serverless data processing pipeline. The pipeline receives JSON messages from an Azure Event Hubs instance. Each message must be enriched with data from a Cosmos DB database and then written to a Parquet file in Azure Data Lake Storage Gen2. The enrichment step involves a lookup that takes approximately 2 seconds per message. The pipeline must process up to 1000 messages per second. You need to choose the most cost-effective and scalable compute option. Consider the following options: A) Use a single Azure Function with Event Hubs trigger and output to Data Lake Storage. B) Use a Durable Functions orchestration with fan-out/fan-in pattern. C) Use Azure Stream Analytics with a reference data input from Cosmos DB and output to Data Lake Storage. D) Use an Azure Databricks notebook with structured streaming. Which option should you recommend?

A. Use an Azure Databricks notebook with structured streaming.
B. Use a Durable Functions orchestration with fan-out/fan-in pattern.
C. Use Azure Stream Analytics with a reference data input from Cosmos DB and output to Data Lake Storage.
D. Use a single Azure Function with Event Hubs trigger and output to Data Lake Storage.
Answer: C

Scalable, serverless, supports enrichment and Parquet output.

Why this answer

Azure Stream Analytics with a reference data input from Cosmos DB is the most cost-effective and scalable option because it can handle high-throughput streams (up to 1 GB/s) with sub-second latency, and it natively supports enriching incoming events with static or slowly-changing reference data (like Cosmos DB) without requiring custom code. The enrichment lookup is performed in-memory within the Stream Analytics job, avoiding per-message function invocation overhead and enabling linear scale-out across streaming units to meet 1000 messages/second with a 2-second lookup.

Exam trap

The trap here is that candidates often assume Azure Functions are the default serverless choice for all event processing, but they fail to recognize that per-message enrichment with a 2-second lookup creates a throughput bottleneck that only a streaming engine like Stream Analytics can handle cost-effectively at scale.

How to eliminate wrong answers

Option A is wrong because a single Azure Function with an Event Hubs trigger cannot scale to 1000 messages/second with a 2-second enrichment per message — the function would be severely throttled by its concurrency limits (default 200 max per plan) and the 2-second lookup would create a backlog, causing massive event processing delays and potential data loss. Option B is wrong because Durable Functions orchestration with fan-out/fan-in is designed for long-running workflows and stateful coordination, not for high-throughput stateless stream processing; the orchestration overhead and checkpointing would introduce latency and cost that far exceed the requirements. Option D is wrong because Azure Databricks with structured streaming, while scalable, is overkill and cost-inefficient for this simple enrichment and write pipeline — it requires a running cluster with VMs, incurs high per-hour costs, and introduces operational complexity (cluster management, autoscaling delays) that is unnecessary compared to a fully managed serverless service like Stream Analytics.

58
Multi-Select · hard

You are developing a serverless application using Azure Functions. The function needs to scale to zero when idle and handle high traffic spikes. Which THREE features should you implement?

Select 3 answers
A. Use a Consumption hosting plan
B. Use a queue trigger for processing
C. Configure the function to use the built-in scaling controller
D. Enable the 'Always On' setting
E. Use a Premium hosting plan
Answers: A, B, C

Correct: Consumption plan scales to zero when idle.

Why this answer

A Consumption hosting plan is correct because it provides automatic scaling and can scale down to zero instances when the function is idle, meaning you only pay for execution time. This is essential for a serverless application that needs to handle high traffic spikes while minimizing costs during idle periods.

Exam trap

The trap here is that candidates often confuse the 'Always On' setting (which prevents scaling to zero) with a necessary feature for serverless apps, or they mistakenly choose the Premium plan thinking it is required for high traffic, when in fact the Consumption plan with queue triggers and built-in scaling is the correct serverless approach.

59
MCQ · medium

You develop an Azure Durable Functions application that orchestrates a series of activities. The orchestrator function calls activity functions that perform long-running tasks. You need to ensure that the orchestrator function can handle transient errors and retry failed activity functions. Which feature should you use?

A. Polly library for retry logic
B. Built-in retry policies in Durable Functions
C. Application Insights alerts
D. Azure Storage queue message retries
Answer: B

Durable Functions allows you to specify retry options for activity function calls, including max retry count and backoff.

Why this answer

Durable Functions provides built-in retry policies that can be configured directly on activity function calls within orchestrator functions. This allows you to specify parameters such as max retry count, backoff interval, and retry timeout, enabling the orchestrator to automatically retry failed activities without custom code or external dependencies.

Exam trap

The trap here is that candidates may assume any retry mechanism (like Polly or queue retries) works equally well, but they fail to recognize that Durable Functions' built-in retry policies are the only option that integrates seamlessly with the orchestrator's deterministic replay and state management.

How to eliminate wrong answers

Option A is wrong because the Polly library is a general-purpose .NET resilience framework that would require manual integration and does not leverage Durable Functions' native replay and checkpointing mechanisms, leading to potential state inconsistencies. Option C is wrong because Application Insights alerts are used for monitoring and notification, not for implementing retry logic within the orchestrator's execution flow. Option D is wrong because Azure Storage queue message retries apply to queue-triggered functions, not to activity function calls orchestrated by Durable Functions; the orchestrator manages retries at the function invocation level, not via queue message dequeue counts.

60
MCQ · easy

You are designing a solution that runs background jobs to process images. The jobs can run up to 10 minutes each. You need to ensure the jobs are resilient to failures and can be retried automatically. Which Azure service should you use?

A. Azure Logic Apps with a recurrence trigger
B. Azure Queue Storage with an Azure Function trigger
C. Azure Service Bus with a WebJob
D. Azure Event Grid with a Logic App
Answer: B

Queue Storage with function trigger offers automatic retries and poison message handling.

Why this answer

Azure Queue Storage with an Azure Function trigger is the correct choice because it provides a reliable, message-based architecture for background job processing. Queue messages persist until processed, and the Azure Function trigger automatically retries on failure (up to 5 times by default, with configurable policies). This handles the 10-minute job duration via the queue's visibility timeout, which can be set to match the job's maximum runtime, ensuring messages are not prematurely reprocessed.

Exam trap

The trap here is that candidates often confuse Azure Queue Storage with Azure Service Bus, assuming Service Bus is always better for reliability, but Queue Storage is simpler, cheaper, and perfectly suited for long-running background jobs with automatic retry via Azure Functions.

How to eliminate wrong answers

Option A is wrong because Azure Logic Apps with a recurrence trigger is designed for scheduled, time-based workflows, not for resilient, failure-retry background job processing triggered by queue messages. Option C is wrong because Azure Service Bus with a WebJob is overly complex for this scenario; WebJobs are a legacy technology and Service Bus is better suited for enterprise messaging with advanced features like sessions and transactions, not simple image processing jobs. Option D is wrong because Azure Event Grid with a Logic App is an event-driven pattern for reacting to events (e.g., blob created), but it lacks built-in retry and queue-based persistence for long-running jobs; Event Grid has a 5-minute timeout and no native retry for failed processing.

61
MCQ · hard

You are deploying a batch processing application to Azure Container Instances (ACI). The application processes multiple files from an Azure Blob Storage container and writes results to another container. Each container instance processes a single file and then exits. The processing logic is written in a Docker image that reads input and output connection strings from environment variables. You need to configure the container group so that it writes the results to the output container durably and efficiently. The environment variables must be provided at runtime but must not be exposed in the ACI configuration. Which approach should you use?

A. Mount an Azure File Share volume for the output container and configure the application to write output files to a directory on that share. Store the connection string for the file share in a secure fashion using Key Vault and pass it as an environment variable.
B. Use a managed identity for the container group, grant the identity access to an Azure Key Vault secret that contains the storage account connection string. The application retrieves the secret at startup using the managed identity and then writes directly to Azure Blob Storage.
C. Embed the storage account connection string directly into the Docker image during build time and rely on the container's environment to provide the output blob container name.
D. Set the storage account connection string as an environment variable in the ACI container group definition (YAML or ARM template) and have the application use it at runtime.
Answer: B

This approach uses managed identity to securely access Key Vault, avoiding any credentials in the container configuration. The application then uses the connection string to write to Blob Storage via the SDK, which is efficient and durable.

Why this answer

Option B is correct because it uses a managed identity to securely retrieve the storage account connection string from Azure Key Vault at runtime, ensuring the secret is never exposed in the ACI configuration. The application writes directly to Azure Blob Storage, which is durable and efficient for blob output. This approach aligns with the requirement to avoid exposing environment variables in the ACI configuration while providing them at runtime.

Exam trap

The trap here is that candidates may choose Option A, thinking a file share mount is more durable or simpler, but the question explicitly requires writing to a blob container, and direct blob writes via a securely retrieved connection string are both more efficient and aligned with the requirement to avoid exposing secrets in the ACI configuration.

How to eliminate wrong answers

Option A is wrong because mounting an Azure File Share volume introduces additional latency and complexity compared to direct blob writes, and the file share connection string would still need to be securely passed (e.g., via Key Vault), but the question specifically requires writing to a blob container, not a file share. Option C is wrong because embedding the connection string in the Docker image violates security best practices and makes the secret static and exposed in the image layers, failing the requirement to provide secrets at runtime without exposure. Option D is wrong because setting the connection string as an environment variable in the ACI configuration directly exposes it in the YAML/ARM template and container logs, violating the requirement that secrets must not be exposed in the ACI configuration.

62
Multi-Select · easy

You are developing a web application that will be deployed to Azure App Service. You need to configure automatic scaling based on CPU usage. Which TWO settings should you configure?

Select 2 answers
A. Configure authentication for the scaling endpoint.
B. Set the minimum and maximum instance count.
C. Set the Always On setting to On.
D. Configure a scale in condition based on CPU percentage.
E. Configure a scale out condition based on CPU percentage.
Answers: D, E

Scale in condition triggers when CPU drops below a threshold.

Why this answer

Option D is correct because configuring a scale-in condition based on CPU percentage allows the App Service plan to automatically reduce the number of instances when CPU usage drops below a defined threshold, which is essential for cost optimization. Option E is correct because configuring a scale-out condition based on CPU percentage enables the platform to automatically add instances when CPU usage exceeds a threshold, ensuring the application can handle increased load. Together, these two settings define the autoscale rules that react to CPU metrics, which is the core requirement for CPU-based automatic scaling.

Exam trap

The trap here is that candidates often confuse the prerequisite settings (like instance count limits) with the actual scaling condition rules, or they think that only one direction (scale-out or scale-in) is needed, but autoscale requires both to be fully defined for CPU-based scaling to work correctly.

63
MCQ · hard

You have an Azure Function app that uses .NET 8 isolated process. The function must connect to an Azure SQL database using a managed identity. The function app has a system-assigned managed identity enabled. Which code snippet correctly retrieves the access token?

A. new SqlConnection(connectionString) using Integrated Security=true;
B. var token = await new Azure.Identity.DefaultAzureCredential().GetTokenAsync("https://database.windows.net");
C. var credential = new DefaultAzureCredential(); var token = await credential.GetTokenAsync(new TokenRequestContext(new[] {"https://database.windows.net/.default"}));
D. var credential = new ManagedIdentityCredential(); var token = await credential.GetTokenAsync("https://database.windows.net");
Answer: C

Correct approach to get token.

Why this answer

Option C is correct because it uses `DefaultAzureCredential` to obtain an access token for Azure SQL Database by specifying the resource URI `https://database.windows.net/.default` in a `TokenRequestContext`. In a .NET 8 isolated process function app with a system-assigned managed identity, `DefaultAzureCredential` automatically attempts managed identity authentication as one of its credential sources, making it the recommended approach. The `GetTokenAsync` method requires a `TokenRequestContext` object, not a plain string, to correctly request the token for the Azure SQL resource.

Exam trap

The trap here is that candidates often forget that `GetTokenAsync` requires a `TokenRequestContext` object with an array of scopes, not a plain string URL, and they may also omit the `/.default` suffix required for Azure SQL Database token requests.

How to eliminate wrong answers

Option A is wrong because `Integrated Security=true` is used for Windows authentication in on-premises environments, not for managed identity authentication to Azure SQL Database; it does not retrieve an access token. Option B is wrong because `GetTokenAsync` expects a `TokenRequestContext` object, not a plain string URL; passing `"https://database.windows.net"` without the `/.default` scope and without wrapping it in a `TokenRequestContext` will cause a compilation error. Option D is wrong because `ManagedIdentityCredential` is valid but the `GetTokenAsync` method still requires a `TokenRequestContext` object, not a plain string; additionally, using `DefaultAzureCredential` is preferred for flexibility in local development and production scenarios.

64
MCQ · medium

You find the above ARM template snippet in a deployment. What is the effect of this configuration on the App Service?

A. Allows cross-origin requests from app.contoso.com and portal.contoso.com without credentials.
B. Configures the App Service to require authentication for cross-origin requests.
C. Enables CORS for all origins by setting allowedOrigins to a wildcard.
D. Blocks all cross-origin requests because supportCredentials is false.
Answer: A

CORS allows listed origins, and supportCredentials: false prevents credentials.

Why this answer

Option A is correct because the ARM template snippet sets `allowedOrigins` to specific domains (`app.contoso.com` and `portal.contoso.com`) and `supportCredentials` to `false`. This configuration allows cross-origin requests from those two origins but does not include credentials (cookies, HTTP authentication, or client-side certificates) in the requests, as per the CORS specification.

Exam trap

The trap here is that candidates often confuse `supportCredentials: false` with blocking all cross-origin requests, when in fact it only disallows credentials while still allowing non-credentialed requests from the specified origins.

How to eliminate wrong answers

Option B is wrong because CORS does not require authentication; it controls which origins can make cross-origin requests, and `supportCredentials` being `false` means credentials are not sent, not that authentication is required. Option C is wrong because `allowedOrigins` is set to specific domains, not a wildcard (`*`), so it does not enable CORS for all origins. Option D is wrong because `supportCredentials: false` does not block all cross-origin requests; it only prevents credentials from being included in the requests, while the allowed origins can still make non-credentialed requests.

65
MCQ · medium

Your Azure Function app uses an Event Hub trigger. Under high load, some events are processed multiple times. You need to ensure exactly-once processing without losing events. What should you implement?

A. Make the function idempotent
B. Use Azure Queue Storage instead
C. Enable checkpointing
D. Increase the batch size
Answer: A

Idempotent processing ensures same event handled once.

Why this answer

Option A is correct because making the function idempotent ensures that even if the Event Hub trigger delivers the same event multiple times (which can happen under high load due to at-least-once delivery semantics), the function's side effects are safe to repeat. Idempotency is the only reliable way to achieve exactly-once processing in a distributed system where the trigger itself does not guarantee deduplication.

Exam trap

The trap here is that candidates confuse checkpointing with deduplication, assuming it guarantees exactly-once processing, when in reality checkpointing only tracks read progress and does not prevent duplicate event delivery within the same batch or across restarts.

How to eliminate wrong answers

Option B is wrong because switching to Azure Queue Storage does not inherently solve duplicate processing; queues also use at-least-once delivery and require idempotent consumers. Option C is wrong because checkpointing tracks progress in the Event Hub partition but does not prevent duplicate deliveries; it only helps resume from the last checkpoint after a restart, not deduplicate within a batch. Option D is wrong because increasing the batch size increases throughput but amplifies the risk of duplicates and does not address the root cause of duplicate event processing.

66
MCQ · hard

You deploy an Azure Function app that uses the Premium plan. The function processes messages from an Azure Service Bus queue. Under heavy load, some messages are processed multiple times. You need to ensure exactly-once processing without losing messages. What should you do?

A. Enable duplicate detection on the Service Bus queue.
B. Use Peek-Lock mode instead of Receive and Delete.
C. Set the maxDeliveryCount to 1 on the queue.
D. Reduce the batch size in the function host.json.
Answer: A

Duplicate detection ensures the queue removes duplicates based on the MessageId, enabling exactly-once processing.

Why this answer

Option A is correct because enabling duplicate detection on the Service Bus queue ensures that the Service Bus broker itself discards duplicate messages based on a user-defined time window. This prevents the function from processing the same message multiple times, even if the function host restarts or the message is re-delivered due to transient failures. Duplicate detection works by tracking the MessageId of each message and ignoring any subsequent message with the same MessageId within the detection window.

Exam trap

The trap here is that candidates often confuse client-side idempotency (e.g., using a database unique constraint) with broker-level duplicate detection, or they mistakenly believe that Peek-Lock mode alone guarantees exactly-once processing, ignoring the risk of crashes after processing but before completion.

How to eliminate wrong answers

Option B is wrong because Peek-Lock mode is already the default for Service Bus triggered Azure Functions and does not prevent duplicate processing; it only provides explicit message completion, which can still lead to duplicates if the function crashes after processing but before completing the message. Option C is wrong because setting maxDeliveryCount to 1 does not guarantee exactly-once processing; it simply limits the number of delivery attempts, but the message can still be processed multiple times if it is re-queued or if the function host restarts after processing but before the message is settled. Option D is wrong because reducing the batch size in host.json only controls how many messages are fetched at once, which can reduce the blast radius of duplicates but does not eliminate the root cause of duplicate processing.

67
Multi-Select · medium

Which TWO actions should you perform to configure autoscaling for an Azure App Service web app based on CPU usage?

Select 2 answers
A. Configure the minimum and maximum instance limits.
B. Enable manual scaling and set the instance count to 3.
C. Set the default instance count to 1.
D. Create a scale rule based on a specific date and time.
E. Define a scale rule that triggers when CPU percentage exceeds a threshold.
Answers: A, E

Instance limits define the boundaries for autoscaling.

Why this answer

Option A is correct because autoscaling in Azure App Service requires you to define the minimum and maximum instance limits to control the scaling range. These limits ensure the web app scales out or in within a safe boundary, preventing runaway costs or performance degradation. Without setting these limits, the autoscale engine cannot determine the operational range for scaling actions.

Exam trap

The trap here is that candidates often confuse the 'default instance count' (Option C) with the minimum instance limit, but the default count is only a starting point and does not define the scaling range, whereas the minimum and maximum limits are mandatory for autoscaling configuration.

68
MCQ · hard

Images are uploaded to a high-volume Blob Storage account. An Azure Function with a Blob Storage trigger processes each new image. The team has observed processing delays of up to 10 minutes on accounts with large numbers of containers and blobs. They need processing to start within seconds of upload. What should the developer change?

A. Replace the Blob Storage trigger with an Event Grid trigger and create a Blob Created event subscription that targets the Function's endpoint
B. Switch to a Timer trigger that runs every 30 seconds and lists newly created blobs via the SDK
C. Use a Queue Storage trigger and write blob metadata to the queue from the upload client
D. Move the Function to a Premium plan, which uses a dedicated worker and eliminates Blob trigger polling delays
Answer: A

Event Grid delivers blob creation events within seconds of the upload by pushing events rather than polling. The Function receives the event payload (which includes the blob URI) and begins processing immediately. This eliminates the polling delay inherent in the Blob Storage trigger on large accounts.

Why this answer

Option A is correct because Event Grid provides near-real-time event delivery (typically under 1 second) for Blob Created events, eliminating the polling latency inherent in the Blob Storage trigger. The Blob Storage trigger polls Azure Storage logs for new blobs, which can cause delays of up to 10 minutes in high-volume accounts with many containers and blobs. By switching to an Event Grid trigger, the function is invoked directly via HTTP webhook as soon as the blob is created, meeting the requirement for processing to start within seconds.

Exam trap

The trap here is that candidates often assume upgrading the hosting plan (Premium) will fix latency issues, but the root cause is the polling-based Blob Storage trigger, not the underlying infrastructure; the correct solution is to switch to an event-driven trigger like Event Grid.

How to eliminate wrong answers

Option B is wrong because a Timer trigger running every 30 seconds still introduces up to 30 seconds of delay, and listing blobs via the SDK is inefficient and does not guarantee sub-second processing; it also adds unnecessary overhead and complexity. Option C is wrong because it requires modifying the upload client to write metadata to a queue, which is an architectural change that adds coupling and does not leverage the existing blob upload event; the question asks what the developer should change in the current setup, not how to redesign the client. Option D is wrong because moving to a Premium plan does not change the underlying polling mechanism of the Blob Storage trigger; the delay is caused by the trigger's polling interval, not by the plan's performance or dedicated workers.

69
MCQ · hard

A containerized checkout API deployed to Azure Container Apps must scale to zero when idle and scale out based on queue length. What should the developer configure?

A. A KEDA-based scale rule for the queue trigger
B. A manual replica count only
C. An Availability Set
D. An Azure Front Door health probe
Answer: A

Azure Container Apps uses KEDA scale rules to scale replicas based on event sources such as queues.

Why this answer

Azure Container Apps supports KEDA (Kubernetes Event-Driven Autoscaling) for scaling based on external metrics. A KEDA-based scale rule configured with an Azure Queue Storage trigger allows the containerized checkout API to scale to zero when no messages are in the queue and scale out dynamically as queue length increases, meeting the requirement precisely.

Exam trap

The trap here is that candidates may confuse Azure Container Apps' built-in HTTP scaling rules with KEDA-based event-driven scaling, or incorrectly assume that a manual replica count or a load-balancing health probe can achieve the required queue-based autoscaling behavior.

How to eliminate wrong answers

Option B is wrong because a manual replica count only provides static scaling and cannot scale to zero or scale out based on queue length, which is required for event-driven workloads. Option C is wrong because an Availability Set is a virtual machine (VM) high-availability construct in Azure, not applicable to Azure Container Apps which is a serverless container platform. Option D is wrong because an Azure Front Door health probe is used for load balancing and health monitoring at the HTTP/HTTPS edge, not for autoscaling based on queue metrics.

70
MCQ · easy

You are developing a solution that processes orders. Each order must be processed exactly once, in the order it was received. You need to choose an Azure service that guarantees FIFO delivery and at-least-once processing. Which service should you use?

A. Azure Service Bus Queue with sessions
B. Azure Event Hubs
C. Azure Event Grid
D. Azure Storage Queue
Answer: A

Azure Service Bus queues with sessions provide FIFO guarantee and duplicate detection.

Why this answer

Azure Service Bus Queue with sessions is correct because it provides FIFO (first-in, first-out) delivery by grouping related messages into sessions, ensuring messages within a session are processed in order. The at-least-once processing guarantee is inherent to Service Bus queues, as messages are not removed until the receiver completes them, and they can be redelivered if the processing fails or times out.

Exam trap

The trap here is that candidates often confuse Azure Storage Queue's 'first-in, first-out' appearance with true FIFO, but it does not guarantee order due to its visibility timeout and dequeuing behavior, making Service Bus sessions the only correct choice for strict FIFO with at-least-once processing.

How to eliminate wrong answers

Option B (Azure Event Hubs) is wrong because it is designed for high-throughput event ingestion and does not guarantee FIFO ordering across partitions; it only preserves order within a partition but lacks at-least-once processing guarantees without additional checkpointing logic. Option C (Azure Event Grid) is wrong because it provides at-least-once delivery but does not guarantee FIFO ordering; events are delivered in a best-effort order and can be retried, but the order is not preserved. Option D (Azure Storage Queue) is wrong because it guarantees at-least-once processing but does not guarantee FIFO delivery; messages can be dequeued out of order due to visibility timeouts and retries.

71
MCQ · hard

You have implemented a long-running order processing workflow using Azure Durable Functions. The orchestration may run for hours and involves multiple activity functions. You need to monitor the status of all running orchestrations and receive alerts when an orchestration fails. Which approach provides the most comprehensive and real-time monitoring?

A. Use the Durable Functions HTTP API to poll the status of each orchestration.
B. Use Azure Monitor to create alerts on custom metrics published by the Durable Functions.
C. Enable Application Insights for the Functions app and use its telemetry to monitor orchestration execution and set alerts.
D. Use Azure Logic Apps to periodically check the orchestration status and send alerts.
Answer: C

Application Insights automatically captures orchestration lifecycle events (start, running, failed, etc.). You can use Kusto queries to monitor running orchestrations and create alerts on failed orchestrations with detailed context.

Why this answer

Application Insights provides comprehensive, real-time monitoring for Durable Functions by automatically capturing orchestration lifecycle events, including failures, retries, and durations. It enables proactive alerting on failure metrics (e.g., 'orchestration-failed') without polling, and offers rich diagnostic tools like distributed tracing and custom querying. This is the most integrated and feature-rich approach for monitoring long-running orchestrations.

Exam trap

The trap here is that candidates often assume Azure Monitor is the primary monitoring tool, but for Durable Functions, Application Insights is the recommended and most comprehensive solution because it natively captures orchestration-specific telemetry without custom instrumentation.

How to eliminate wrong answers

Option A is wrong because polling the Durable Functions HTTP API for each orchestration is inefficient, introduces latency, and does not provide real-time alerting; it also requires custom code to manage state and scale. Option B is wrong because Azure Monitor custom metrics require manual instrumentation and publishing from within the function code, which is less comprehensive than the automatic telemetry collected by Application Insights. Option D is wrong because Logic Apps add unnecessary complexity and cost, and periodic polling still cannot match the real-time, event-driven monitoring and alerting capabilities of Application Insights.

72
MCQ · hard

You have an Azure Container Apps environment running multiple microservices. One microservice is experiencing high CPU usage and slow response times. You need to configure autoscaling rules to scale based on HTTP requests. Which scaling rule should you add?

A. HTTP scaling rule (KEDA)
B. CPU percentage scaling rule
C. Memory percentage scaling rule
D. Custom scaling rule using Azure Monitor metrics
Answer: A

HTTP scaling rule scales based on request rate, ideal for web microservices.

Why this answer

Option A is correct because KEDA's HTTP scaling rule is specifically designed to scale Azure Container Apps based on the number of concurrent HTTP requests, which directly addresses high CPU usage and slow response times caused by request load. Unlike CPU or memory metrics, HTTP scaling reacts to incoming request volume proactively, allowing the microservice to handle spikes before resource saturation occurs.

Exam trap

The trap here is that candidates often choose CPU or memory scaling rules because they seem directly related to high CPU usage, but the question explicitly asks for scaling based on HTTP requests, which requires a request-based scaler like KEDA's HTTP scaler, not resource-based metrics.

How to eliminate wrong answers

Option B is wrong because CPU percentage scaling rule reacts to resource utilization after it has already increased, which is reactive and may not prevent slow response times during sudden request surges. Option C is wrong because memory percentage scaling rule is typically used for memory-bound workloads, not CPU-bound or request-driven scenarios, and memory often lags behind CPU as a scaling signal. Option D is wrong because custom scaling rules using Azure Monitor metrics require additional configuration and are not as straightforward or purpose-built as KEDA's HTTP scaler for request-based autoscaling in Container Apps.

73
MCQ · medium

You have an Azure App Service that runs a web API. The API is accessed by multiple client applications. You need to implement authentication and authorization using Microsoft Entra ID. The solution must allow client applications to obtain access tokens using the OAuth 2.0 client credentials flow. Which authentication setting should you configure in the App Service?

A. Enable the 'Token store' in the Authentication / Authorization blade.
B. Configure the app to use the Microsoft.Identity.Web library to validate tokens.
C. Use the built-in authentication module with Microsoft Entra ID as the identity provider.
D. Upload a client certificate and configure certificate-based authentication.
Answer: C

Easy Auth can validate tokens issued by Microsoft Entra ID.

Why this answer

Option C is correct. The 'App Service authentication' feature (Easy Auth) with Microsoft Entra ID as the identity provider can be configured to allow the client credentials flow by setting the 'Client ID' and 'Client Secret' and enabling the 'Allow anonymous requests' option appropriately. However, for the client credentials flow, the App Service itself doesn't issue tokens; clients obtain tokens from Microsoft Entra ID directly and then present them. The App Service must be configured to accept tokens from Microsoft Entra ID as the identity provider.

Option A is wrong because the 'Token store' is for storing tokens, not for configuring authentication. Option B is wrong because the built-in authentication does not require the app to handle tokens manually. Option D is wrong because client certificates are for mutual TLS authentication, not OAuth.

74
MCQ · easy

You are deploying a web application to Azure App Service. The application needs to read configuration settings that vary by deployment environment (development, staging, production). You want to minimize application changes and leverage Azure services. What should you use?

A. Use Azure Key Vault secrets for configuration values.
B. Use Azure DevOps variable groups and inject them at build time.
C. Use Azure App Configuration with feature flags.
D. Use Azure App Service application settings.
Answer: D

Application settings are environment variables that can be configured per deployment slot.

Why this answer

Azure App Service application settings are the correct choice because they are natively supported by the App Service platform, allowing you to define key-value pairs that are injected as environment variables at runtime. This approach requires no application code changes, as the settings are automatically available via standard configuration APIs (e.g., `Environment.GetEnvironmentVariable` in .NET or `process.env` in Node.js), and you can configure different values per deployment slot (e.g., development, staging, production) without redeploying the application.

Exam trap

The trap here is that candidates often overcomplicate the solution by choosing Azure App Configuration or Key Vault for all configuration needs, forgetting that Azure App Service application settings are the simplest, most direct way to handle environment-specific, non-sensitive settings without additional code or services.

How to eliminate wrong answers

Option A is wrong because Azure Key Vault secrets are designed for storing sensitive data (e.g., passwords, connection strings) and require explicit code changes to retrieve them via SDK calls or a managed identity, adding complexity for non-sensitive configuration settings. Option B is wrong because Azure DevOps variable groups are a build-time mechanism that injects values during the CI/CD pipeline, not a runtime configuration service; this would require modifying the build process and does not leverage Azure App Service's native environment-based settings. Option C is wrong because Azure App Configuration with feature flags is a centralized configuration service for managing feature toggles and hierarchical settings, but it is overkill for simple environment-specific key-value pairs and requires additional SDK integration in the application code.

75
MCQ · hard

A containerized booking backend deployed to Azure Container Apps must scale to zero when idle and scale out based on queue length. What should the developer configure?

A. A manual replica count only
B. An Availability Set
C. An Azure Front Door health probe
D. A KEDA-based scale rule for the queue trigger
Answer: D

Azure Container Apps uses KEDA scale rules to scale replicas based on event sources such as queues.

Why this answer

Option D is correct because KEDA (Kubernetes Event-Driven Autoscaling) is natively integrated with Azure Container Apps to enable event-driven scaling. By configuring a KEDA-based scale rule with an Azure Queue Storage trigger, the container app can scale to zero replicas when the queue is empty and scale out based on the queue length, meeting the requirement for idle scaling and queue-driven scaling.

Exam trap

The trap here is that candidates may confuse Azure Front Door health probes (used for traffic routing) with scaling triggers, or assume manual replica counts or Availability Sets are relevant to container scaling, when in fact KEDA is the specific technology for event-driven scaling in Azure Container Apps.

How to eliminate wrong answers

Option A is wrong because a manual replica count only sets a fixed number of replicas and cannot scale to zero or dynamically scale based on queue length. Option B is wrong because an Availability Set is a feature for virtual machine high availability within a region, not applicable to Azure Container Apps which uses replica-based scaling. Option C is wrong because an Azure Front Door health probe is used for load balancing and routing traffic based on backend health, not for scaling container replicas based on queue metrics.
