Microsoft Azure Solutions Architect Expert (AZ-305) — Questions 526–600

999 questions total · 14 pages · All types, answers revealed

Page 8 of 14
526 · MCQ · hard

A company runs a mission-critical application on Azure VMs in West US. They need a disaster recovery plan with an RPO of 5 minutes and an RTO of 30 minutes. The application consists of multiple VMs that must be recovered in a specific order: the database VM first, then the front-end VMs. They also need to ensure that after failover, the IP addresses of the VMs are retained to avoid DNS propagation delays. The company wants to test the recovery process periodically without affecting production. Which Azure Site Recovery features should they use?

A. Use recovery plans with virtual machine group ordering and failover network settings to assign static IPs.
B. Use failover settings with retention IP and test failover.
C. Use recovery plans with custom scripts for ordering and Azure Traffic Manager for IP retention.
D. Use Azure Site Recovery with Application Consistent Snapshots and ignore IP retention.
Answer: A

Recovery plans allow you to create groups of VMs and specify the order of failover. Failover network settings enable you to assign static IP addresses to the recovered VMs. Test failover is supported for drills.

Why this answer

Option A is correct because Azure Site Recovery recovery plans allow you to define the order of VM recovery using groups, and you can assign static IP addresses via failover network settings to retain IPs after failover. This meets the RPO of 5 minutes (via continuous replication) and RTO of 30 minutes (via orchestrated failover), while test failover can be performed without impacting production.

Exam trap

The trap here is that candidates often confuse Azure Traffic Manager (a DNS-based traffic routing service) with Site Recovery's built-in IP retention capabilities, or they assume that 'retention IP' is a standalone feature rather than a configuration within failover network settings.

How to eliminate wrong answers

Option B is wrong because 'retention IP' is not a valid Azure Site Recovery feature; IP retention is achieved through failover network settings, not a separate 'retention IP' option, and test failover alone does not address VM ordering. Option C is wrong because Azure Traffic Manager is used for global load balancing and DNS-based traffic routing, not for IP retention in Site Recovery; custom scripts in recovery plans can help with ordering but are not the primary feature for static IP assignment. Option D is wrong because ignoring IP retention would cause IP address changes after failover, leading to DNS propagation delays, which contradicts the requirement to avoid such delays; Application Consistent Snapshots address data consistency but not IP retention or VM ordering.

527 · MCQ · medium

Refer to the exhibit. You create this Conditional Access policy in Microsoft Entra ID. What is the result?

A. Only administrators are prompted for MFA.
B. All users are prompted for MFA when accessing any application from a browser or mobile app.
C. External users are prompted for MFA.
D. Access is blocked for all users.
Answer: B

The policy requires MFA for all users and all apps for browser and mobile clients.

Why this answer

The exhibit shows a Conditional Access policy that applies to 'All users' and targets 'All cloud apps' with the grant control set to 'Require multi-factor authentication'. This configuration forces every user, including administrators and external users, to complete MFA when accessing any cloud application from any platform (browser or mobile app). Option B correctly states this universal MFA requirement.

Exam trap

The trap here is that candidates often assume a policy targeting 'All users' only applies to internal users or that 'All cloud apps' excludes certain Microsoft services, but in reality both scopes are comprehensive and include external users and every registered application.

How to eliminate wrong answers

Option A is wrong because the policy targets 'All users', not just administrators, so administrators are not the only group prompted for MFA. Option C is wrong because while external users are included under 'All users', the policy also applies to internal users, so the result is not limited to external users. Option D is wrong because the grant control is set to 'Require multi-factor authentication', not 'Block access', so access is not blocked; it is allowed after MFA is satisfied.

528 · Multi-Select · medium

Which TWO of the following Azure services can be used to enable automatic failover of a web application across Azure regions?

Select 2 answers
A. Azure DNS
B. Azure Load Balancer
C. Azure Front Door
D. Azure Traffic Manager
E. Azure Application Gateway
Answers: C, D

Front Door monitors endpoint health and routes traffic away from failed regions.

Why this answer

Options C and D are correct. Azure Front Door provides global load balancing with automatic failover. Azure Traffic Manager can also route traffic based on priority and automatically fail over.

Option B (Azure Load Balancer) is regional. Option E (Azure Application Gateway) is regional. Option A (Azure DNS) does not provide health-based failover.

529 · MCQ · medium

A financial services company runs a critical application on Azure VMs with SQL Server Always On availability groups. The primary region is East US, and the secondary region is West US. The business requires automatic failover with zero data loss in case of a regional disaster. Which configuration should you recommend for the availability group?

A. Use synchronous commit mode with manual failover
B. Use asynchronous commit mode with automatic failover
C. Use synchronous commit mode with automatic failover
D. Use asynchronous commit mode with manual failover
Answer: C

Synchronous commit ensures zero data loss; automatic failover meets RTO.

Why this answer

Option C is correct because synchronous commit mode with automatic failover ensures zero data loss and automatic failover. Option A is wrong because manual failover does not meet the automatic failover requirement. Option B is wrong because asynchronous commit with automatic failover can cause data loss.

Option D is wrong because asynchronous commit can have data loss, and manual failover does not meet the automatic requirement.

530 · MCQ · easy

Your company is implementing a monitoring solution for Azure virtual machines. You need to collect performance counters and log events from the VMs and send them to a centralized Log Analytics workspace. Which agent should you install on the VMs?

A. Azure Monitor Agent
B. Log Analytics agent (MMA)
C. Diagnostics Extension
D. Dependency Agent
Answer: A

AMA is the modern agent for collecting performance and event data to Log Analytics.

Why this answer

Azure Monitor Agent (AMA) is the current recommended agent for collecting performance counters and log events from Azure VMs and sending them to a Log Analytics workspace. It replaces the legacy Log Analytics agent (MMA) and offers centralized management via data collection rules (DCRs), improved security, and support for both Windows and Linux VMs. The AMA uses the Azure Monitor service pipeline and supports multi-homing to multiple workspaces natively.

Exam trap

The trap here is that candidates often confuse the legacy Log Analytics agent (MMA) as the correct choice because it was the standard for years, but Azure Monitor Agent is the modern replacement explicitly tested in the AZ-305 exam as the recommended solution for centralized log and performance collection.

How to eliminate wrong answers

Option B (Log Analytics agent, MMA) is wrong because it is the legacy agent that is being deprecated in favor of Azure Monitor Agent; it lacks support for data collection rules and does not provide the same level of centralized configuration or security. Option C (Diagnostics Extension) is wrong because it is designed to collect guest OS diagnostics and boot diagnostics for Azure VMs, not to send performance counters and log events to a Log Analytics workspace; it uses Azure Storage as its primary destination, not Log Analytics. Option D (Dependency Agent) is wrong because it is specifically used for collecting network and process dependency data for Azure Monitor's Service Map and VM Insights features, not for general performance counters and log events.

531 · MCQ · medium

Your company is designing a multi-region disaster recovery solution for a mission-critical application using Azure SQL Database. The application requires read-scale in the secondary region and must support automatic failover with no data loss. Which Azure SQL Database offering should you recommend?

A. Azure SQL Managed Instance
B. Azure SQL Database Failover group
C. Azure SQL Database Hyperscale with named replicas
D. Azure SQL Database Single Database with active geo-replication
Answer: B

Failover groups provide automatic failover with no data loss and support a readable secondary region.

Why this answer

Option D is incorrect because Azure SQL Database Single Database with active geo-replication supports up to four readable secondaries but does not provide automatic failover without additional configuration. Option C is incorrect because Azure SQL Database Hyperscale with named replicas can be used for read-scale in secondary regions, but it does not fail over automatically. Option B is correct because a failover group provides automatic failover with no data loss and a readable secondary.

Option A is incorrect because Azure SQL Managed Instance has limited geo-replication capabilities and does not support automatic failover with no data loss.

532 · Multi-Select · hard

Your company plans to migrate a large number of on-premises virtual machines to Azure. You need to assess the current environment and migrate the workloads with minimal downtime. Which THREE Azure services or tools should you use? (Choose three.)

Select 3 answers
A. Azure App Service
B. Azure Import/Export Service
C. Azure Data Box
D. Azure Site Recovery
E. Azure Migrate
Answers: C, D, E

Data Box is used for large offline data transfers when network bandwidth is limited.

Why this answer

Options C, D, and E are correct. Azure Migrate provides discovery and assessment. Azure Site Recovery performs replication and migration.

Azure Data Box is for offline data transfer. Option A is wrong because Azure App Service is for web apps. Option B is wrong because Azure Import/Export is for physical disk shipping, not VM migration.

533 · MCQ · easy

A government agency is designing a solution to store sensitive citizen data. The data must be encrypted at rest and in transit. The agency requires that the encryption keys be managed by the agency and stored in a hardware security module (HSM). Additionally, the solution must comply with regulatory requirements that mandate customer-managed keys. You need to recommend a key management solution. What should you recommend?

A. Use Azure Key Vault Standard with software-protected keys.
B. Use Microsoft Purview to manage keys and compliance.
C. Use Azure Information Protection with a custom protection template.
D. Use Azure Key Vault Managed HSM with FIPS 140-2 Level 3 validated HSMs.
Answer: D

Managed HSM provides customer-managed keys in dedicated HSMs.

Why this answer

Option D is correct because Azure Key Vault Managed HSM provides FIPS 140-2 Level 3 validated HSMs, allowing customers to manage their own keys in a dedicated HSM. Option A is wrong because Azure Key Vault Standard uses software-protected keys, not HSM-protected keys. Option C is wrong because Azure Information Protection is for classification and labeling, not key management.

Option B is wrong because Microsoft Purview is for data governance, not key management.

534 · MCQ · hard

A company runs a critical application using Azure SQL Database in the West US region. They need a disaster recovery solution that automatically fails over to a secondary region (East US) with a recovery point objective (RPO) of 5 seconds and a recovery time objective (RTO) of 1 minute. The secondary region must also be able to serve read-only queries for reporting purposes. Which Azure SQL Database feature should they implement?

A. Azure SQL Database active geo-replication with auto-failover group
B. Azure SQL Database geo-restore
C. Azure SQL Database copy
D. Azure SQL Managed Instance failover group
Answer: A

Active geo-replication replicates data asynchronously with an RPO of 5 seconds. The auto-failover group enables automatic failover with an RTO of 1 minute, and the secondary can be used for read-only access.

Why this answer

Active geo-replication with auto-failover groups is the correct choice because it provides automatic failover to a secondary region with an RPO of 5 seconds and an RTO of 1 minute. Additionally, the secondary database can be used for read-only reporting by connecting with the 'ApplicationIntent=ReadOnly' connection string, meeting both the disaster recovery and reporting requirements.

Exam trap

The trap here is that candidates often confuse geo-restore (which is manual and has high RPO/RTO) with active geo-replication, or they mistakenly think that SQL Managed Instance failover groups support read-only secondaries for Azure SQL Database, when in fact they are for Managed Instance only.

How to eliminate wrong answers

Option B (geo-restore) is wrong because it is a manual recovery process that restores a database from geo-replicated backups, resulting in an RPO of 1 hour and an RTO of several hours, far exceeding the required 5-second RPO and 1-minute RTO. Option C (copy) is wrong because it creates a point-in-time snapshot copy of the database, which is not a continuous replication solution and cannot provide automatic failover or meet the low RPO/RTO requirements. Option D (Azure SQL Managed Instance failover group) is wrong because it applies to Azure SQL Managed Instance, not Azure SQL Database, and while it supports auto-failover, it does not natively allow the secondary to serve read-only queries for reporting without additional configuration.

535 · MCQ · easy

Your company is migrating on-premises virtual machines to Azure. You need to assess the current environment and get a cost estimate for Azure. Which tool should you use?

A. Azure Cost Management
B. Azure Migrate
C. Azure Monitor
D. Azure Advisor
Answer: B

Azure Migrate discovers on-premises servers, assesses readiness, and provides cost estimates.

Why this answer

Azure Migrate provides assessment and migration capabilities for on-premises workloads to Azure. Option D (Azure Advisor) gives optimization recommendations after deployment. Option A (Azure Cost Management) is for cost analysis after migration.

Option C (Azure Monitor) is for monitoring, not assessment.

536 · MCQ · medium

A company has an Azure SQL Database that they need to access from an on-premises data center over ExpressRoute. They want to use a private IP address to connect to the database, ensuring traffic never traverses the public internet. Which Azure service should they use?

A. Azure Private Link
B. Azure Service Endpoints
C. Azure VPN Gateway
D. Azure Front Door
Answer: A

Private Link creates a private endpoint with a private IP, ensuring traffic stays within Microsoft's backbone.

Why this answer

Azure Private Link allows you to access Azure SQL Database over a private endpoint within your virtual network, using a private IP address. When combined with ExpressRoute, traffic from your on-premises data center to the database traverses the Microsoft backbone network and never touches the public internet, meeting the requirement for a private, secure connection.

Exam trap

The trap here is confusing Azure Service Endpoints with Private Link: both keep traffic on the Azure backbone, but only Private Link provides a private IP address and removes exposure to the public endpoint, which is the key requirement in this scenario.

How to eliminate wrong answers

Option B (Azure Service Endpoints) is wrong because service endpoints expose the Azure SQL Database to the internet via its public endpoint, even though traffic is routed over the Azure backbone; the connection still resolves to a public IP and is not a private IP address. Option C (Azure VPN Gateway) is wrong because it creates an encrypted tunnel over the public internet, which does not guarantee that traffic never traverses the public internet—it still uses internet routing between the VPN gateway and the on-premises device. Option D (Azure Front Door) is wrong because it is a global load balancer and application delivery service that operates over the public internet, using public endpoints and not providing private IP connectivity to Azure SQL Database.

537 · MCQ · medium

You need to design a disaster recovery strategy for an Azure SQL Database that supports a critical financial application. The recovery point objective (RPO) is 5 seconds and recovery time objective (RTO) is 30 seconds. Which option should you choose?

A. Use failover groups with manual failover.
B. Use long-term retention (LTR) backups.
C. Configure active geo-replication with auto-failover groups.
D. Enable geo-restore (geo-redundant backup).
Answer: C

Provides RPO of 5 seconds and RTO of 30 seconds.

Why this answer

Option C is correct because Azure SQL Database active geo-replication provides continuous data synchronization with an RPO of 5 seconds and automatic failover with an RTO of 30 seconds when configured with auto-failover groups. Option D is wrong because geo-restore has an RPO of 1 hour. Option B is wrong because long-term retention does not provide near-real-time RPO.

Option A is wrong because failover groups with manual failover have a higher RTO.

538 · MCQ · medium

A company runs a critical SQL Server database on an Azure VM. The database is used by a line-of-business application that requires minimal data loss (RPO of 5 seconds) and fast recovery (RTO of 15 minutes). The VM is in a single region. What should you recommend to meet the RPO and RTO requirements?

A. Use Azure Storage geo-redundant storage (GRS) for the VM's managed disks.
B. Migrate the database to Azure SQL Managed Instance and configure a failover group with a secondary in another region.
C. Deploy the VM in an Availability Set and use SQL Server Always On Availability Groups.
D. Configure Azure Backup for the VM with application-consistent backups every 5 minutes.
Answer: B

Failover group provides automated replication with RPO of seconds and RTO of ~1 minute.

Why this answer

Option B (Azure SQL Managed Instance with failover group) provides automated replication with an RPO of seconds and an RTO of minutes. Option D (Azure Backup every 5 minutes) has a higher RPO/RTO. Option C (Availability Set) protects against host failure but not region failure.

Option A (geo-redundant storage) does not protect against database corruption.

539 · MCQ · hard

You are designing a network architecture for a three-tier application hosted in Azure. The front-end tier must be accessible from the internet, the business tier must only communicate with the front-end tier, and the data tier must only communicate with the business tier. You need to minimize exposure and use Azure-native services. Which combination of services should you use?

A. Azure Load Balancer for front-end, NSGs on subnets, and VNet peering
B. VPN Gateway for front-end, NSGs on subnets, and private endpoints
C. Azure Application Gateway with WAF for front-end, NSGs on subnets, and service endpoints
D. Azure Firewall for all inbound traffic, NSGs on subnets, and VNet peering
Answer: C

Application Gateway provides HTTP/HTTPS load balancing and WAF. NSGs control traffic between tiers.

Why this answer

Azure Application Gateway with WAF provides an internet-facing front end with a web application firewall. Network Security Groups (NSGs) on subnets restrict traffic between tiers. Option A (Azure Load Balancer) lacks WAF.

Option D (Azure Firewall) is overkill for simple tier isolation. Option B (VPN Gateway) is for on-premises connectivity, not internal isolation.

540 · Multi-Select · medium

You are designing a disaster recovery plan for an Azure virtual machine running a critical application. The solution must meet an RPO of 1 hour and an RTO of 4 hours. Which TWO actions should you take? (Choose TWO.)

Select 2 answers
A. Deploy the VM in an Availability Set and use premium storage.
B. Configure Azure Backup with daily snapshots stored in a Recovery Services vault.
C. Enable Azure Site Recovery for the VM with replication to a secondary region.
D. Create a Recovery Services vault in the secondary region with geo-redundant storage (GRS).
E. Use Azure Front Door to distribute traffic between the primary and secondary regions.
Answers: C, D

ASR provides low RPO and meets RTO.

Why this answer

Options C and D are correct. Azure Site Recovery can replicate VMs with an RPO as low as 30 seconds and an RTO of a few hours. Using a Recovery Services vault with GRS ensures geo-redundancy.

Option B is wrong because Azure Backup with daily snapshots has a higher RPO. Option A is wrong because an Availability Set does not provide cross-region DR. Option E is wrong because Azure Front Door is for traffic distribution, not VM replication.

541 · Multi-Select · hard

Which THREE of the following are best practices for designing a data storage solution using Azure Cosmos DB?

Select 3 answers
A. Store large binary data (e.g., images) directly as documents
B. Use the appropriate consistency level based on application requirements
C. Choose a partition key that evenly distributes request units (RU) across partitions
D. Enable autoscale on containers with unpredictable traffic patterns
E. Use manual provisioned throughput for all containers to control costs
Answers: B, C, D

Choosing consistency optimizes performance and cost.

Why this answer

Option B is correct because Azure Cosmos DB offers five well-defined consistency levels (strong, bounded staleness, session, consistent prefix, and eventual). Choosing the appropriate level based on application requirements is a best practice, as it balances data consistency guarantees against latency and throughput. For example, session consistency is ideal for multi-user applications where each user reads their own writes, while strong consistency ensures linearizability but reduces availability and increases latency.

Exam trap

The trap here is that candidates often assume manual throughput is always more cost-effective, but Azure Cosmos DB's autoscale is designed to handle unpredictable workloads without the risk of throttling or over-provisioning, making it a best practice for such scenarios.

542 · MCQ · easy

You are designing a storage solution for a globally distributed application that requires low-latency read access from multiple regions. Which Azure storage solution should you recommend?

A. Azure Blob Storage with read-access geo-redundant storage (RA-GRS)
B. Azure SQL Database with active geo-replication
C. Azure Files with Azure File Sync
D. Azure Cosmos DB with multi-region writes and multiple read regions
Answer: D

Cosmos DB is designed for global distribution with low-latency reads and writes.

Why this answer

Azure Cosmos DB with multi-region writes and multiple read regions is the correct choice because it provides turnkey global distribution with single-digit-millisecond latency for reads and writes from any Azure region. This solution directly addresses the requirement for low-latency read access from multiple regions, as Cosmos DB automatically replicates data to all configured regions and offers multiple consistency models to balance performance and data freshness.

Exam trap

The trap here is that candidates often confuse RA-GRS (which provides read-only secondary access only during failover) with true active-active multi-region reads, leading them to choose Azure Blob Storage instead of Cosmos DB.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage with RA-GRS provides read access from a secondary region only during failover or if the primary region is unavailable, and it does not offer active-active multi-region reads with low-latency guarantees; the secondary region is read-only and not designed for simultaneous low-latency access from multiple regions. Option B is wrong because Azure SQL Database with active geo-replication is designed for disaster recovery and read-scale workloads, but it does not support multi-region writes and typically incurs higher latency for cross-region reads compared to a globally distributed NoSQL solution like Cosmos DB. Option C is wrong because Azure Files with Azure File Sync is optimized for file sharing and caching on-premises or in a single region, not for globally distributed low-latency read access from multiple Azure regions; it relies on sync intervals and does not provide native multi-region read endpoints.

543 · MCQ · easy

Your company is deploying Microsoft Entra ID Governance and needs to ensure that guest users' access to internal applications expires after 90 days. Which feature should you configure?

A. Privileged Identity Management (PIM)
B. Access reviews
C. Conditional Access policies
D. Entitlement management
Answer: D

Entitlement management allows creating access packages with a specified expiration duration for guest users.

Why this answer

Entitlement management in Microsoft Entra ID Governance allows you to create access packages that govern guest user access to internal applications. You can configure an access package with a specific expiration policy, such as setting the access to expire after 90 days, ensuring automatic removal of guest access without manual intervention.

Exam trap

The trap here is that candidates often confuse Access reviews (which require manual attestation) with automatic expiration, but Entitlement management provides the automated, policy-driven expiration that the question explicitly requires.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) is designed for just-in-time privileged role activation and oversight, not for managing expiration of guest user access to applications. Option B is wrong because Access reviews provide periodic attestation and manual review of access, but they do not enforce automatic expiration after a fixed duration like 90 days; they require reviewer action to remove access. Option C is wrong because Conditional Access policies enforce real-time access controls based on conditions (e.g., location, device state), but they cannot automatically expire or remove access after a set time period.

544 · MCQ · easy

A company uses Microsoft Entra ID Premium P2. They want to automatically block sign-ins from malicious IP addresses and require users to perform multi-factor authentication (MFA) when signing in from untrusted locations. Which Microsoft Entra ID feature should they use?

A. Conditional Access policies
B. Identity Protection
C. Privileged Identity Management
D. Access Reviews
Answer: B

Identity Protection provides risk detections (like malicious IPs) and risk-based conditional access policies to auto-block or require MFA.

Why this answer

Identity Protection (option B) is the correct feature because it uses machine learning and heuristics to detect risky sign-ins, such as those from malicious IP addresses or untrusted locations. It can automatically block sign-ins from known malicious IPs and, when combined with Conditional Access, require MFA for sign-ins from untrusted locations. This directly addresses the requirement to block malicious IPs and enforce MFA based on location risk.

Exam trap

The trap here is that candidates often confuse Conditional Access (the policy engine) with the risk detection source, forgetting that Identity Protection provides the risk signals (like malicious IPs) that Conditional Access then enforces.

How to eliminate wrong answers

Option A is wrong because Conditional Access policies enforce access controls based on conditions like location or device state, but they do not natively detect or block malicious IP addresses; they rely on Identity Protection to provide the risk signals. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not sign-in risk detection or MFA enforcement from untrusted locations. Option D is wrong because Access Reviews are used to audit and recertify group memberships or role assignments periodically, not to block sign-ins or enforce MFA based on real-time risk.

545 · Multi-Select · easy

A company is planning to migrate on-premises SQL Server databases to Azure. They want to minimize administrative overhead and ensure high availability with automatic failover. Which TWO Azure SQL deployment options should they consider?

Select 2 answers
A. Azure SQL Database (single database)
B. SQL Server on Azure VMs
C. SQL Server Stretch Database
D. Azure SQL Database Managed Instance
E. Azure Synapse Analytics
Answers: A, D

Built-in high availability with automatic failover.

Why this answer

Options A and D are correct. Azure SQL Database Managed Instance provides high availability with automatic failover and reduces administrative overhead. Azure SQL Database (single database) also provides built-in high availability.

Option B is incorrect because SQL Server on Azure VMs requires manual administration. Option C is incorrect because SQL Server Stretch Database is for archiving. Option E is incorrect because Azure Synapse Analytics is for data warehousing.

546 · MCQ · hard

You are reviewing a Bicep template that deploys two App Service Environments (ASE) and an Azure Traffic Manager profile. The exhibit shows the template snippet. What is the expected behavior when the primary ASE becomes unhealthy?

A. Traffic is stopped until an administrator updates the DNS manually.
B. Traffic is load-balanced between both ASEs based on performance.
C. Traffic is automatically routed to the secondary ASE with priority 2.
D. Traffic continues to be sent to the primary ASE because priority routing only uses the primary.
Answer: C

Priority routing fails over to the next priority when the primary is unhealthy.

Why this answer

The Traffic Manager profile uses priority routing with the primary endpoint at priority 1 and the secondary at priority 2. When the primary endpoint is unhealthy, Traffic Manager automatically routes traffic to the secondary endpoint. Option D is incorrect because it says traffic continues to the primary.

Option B is incorrect because priority routing does not distribute traffic. Option A is incorrect because it requires manual intervention.

547 · MCQ · medium

Your company uses Azure Cosmos DB for a globally distributed application. You need to ensure that writes in one region are not lost if that region fails. Which consistency level should you use to guarantee that writes are durable?

A. Eventual consistency
B. Bounded staleness consistency
C. Strong consistency
D. Consistent prefix consistency
Answer: B

Bounded staleness provides a guarantee that writes are not lost beyond a configurable staleness.

Why this answer

Bounded staleness consistency guarantees that writes are durable across regions by ensuring that replicas lag behind the primary by at most K versions or a time interval T. This means that even if a region fails, all acknowledged writes are preserved and will be replicated to other regions within the configured staleness window, preventing data loss.

Exam trap

The trap here is that candidates often assume strong consistency is required for write durability, but bounded staleness actually provides the same durability guarantee with better performance and availability in globally distributed setups.

How to eliminate wrong answers

Option A is wrong because eventual consistency does not guarantee durability of writes in the event of a region failure; it only ensures that replicas will eventually converge, but writes may be lost if the region fails before propagation. Option C is wrong because strong consistency, while providing the highest durability, is not required to prevent write loss and can introduce higher latency and reduced availability in globally distributed scenarios. Option D is wrong because consistent prefix consistency ensures reads see writes in order but does not guarantee that all writes are durably stored across regions before a failure.

548
MCQhard

Refer to the exhibit. You deploy this Azure Monitor scheduled query rule to alert when CPU usage exceeds 90% for sustained periods. However, alerts are not firing even when the condition is met. What is the most likely cause?

A.The KQL query syntax is incorrect and returns no results.
B.The action group is not configured with a valid email address.
C.The evaluation frequency is too short compared to the window size.
D.The threshold of 5 with 'Count' aggregation requires more than 5 data points above 90% in the window, which may not be happening.
AnswerD

The alert condition is too strict; it requires >5 occurrences in 15 minutes.

Why this answer

Option D is correct because the alert rule uses a 'Count' aggregation with a threshold of 5, meaning the alert fires only when the number of data points exceeding 90% CPU within the evaluation window is greater than 5. If the sustained high CPU usage produces fewer than 5 such data points (e.g., due to a short burst or insufficient sampling), the condition is not met, and the alert will not fire. This is a common misconfiguration where the threshold value is set too high relative to the actual data point frequency.

Exam trap

Microsoft often tests the misconception that any sustained high metric value will trigger an alert, ignoring how the 'Count' aggregation and threshold value interact with the number of data points in the evaluation window.

How to eliminate wrong answers

Option A is wrong because if the KQL query syntax were incorrect, the alert rule would typically show an error during creation or evaluation, and the rule would not be in a 'healthy' state; the question implies the rule is deployed and running. Option B is wrong because the action group's email validity affects notification delivery, not the firing of the alert itself; the alert can still trigger even if the action group is misconfigured. Option C is wrong because a short evaluation frequency relative to a long window size actually increases the chance of detecting sustained high CPU, as the rule checks more frequently; this would not prevent alerts from firing.

549
Multi-Selectmedium

Which TWO actions should you take to ensure business continuity for an Azure SQL Managed Instance? (Choose two.)

Select 2 answers
A.Use Azure Site Recovery to replicate the instance to another region
B.Configure a readable secondary replica in the same region
C.Enable automated backups with a retention period that meets your RPO
D.Configure a failover group with a secondary instance in a different region
E.Enable long-term retention (LTR) for backups
AnswersC, D

Automated backups allow point-in-time restore within the retention period.

Why this answer

Options C and D are correct. Azure SQL Managed Instance supports automated backups with point-in-time restore (C) and failover groups for geo-replication to a different region (D). Option B is wrong because configuring a readable secondary replica in the same region is not directly supported; failover groups handle that.

Option A is wrong because Azure Site Recovery is for VMs, not managed instances. Option E is wrong because long-term retention is for backup storage, not failover.

550
MCQhard

Your organization is designing a solution to capture and analyze IoT data from millions of devices. The solution must ingest data at high velocity, store the data for long-term analytics, and provide real-time dashboards. Which combination of Azure services should you recommend?

A.Azure Event Hubs, Azure Data Lake Storage, and Azure Stream Analytics
B.Azure Service Bus, Azure SQL Database, and Power BI
C.Azure Cosmos DB, Azure Data Explorer, and Azure Logic Apps
D.Azure IoT Hub, Azure Blob Storage, and Azure Functions
AnswerA

Event Hubs ingests high-velocity data, Data Lake Storage stores data for long-term analytics, and Stream Analytics provides real-time dashboards.

Why this answer

Option A is correct because Azure Event Hubs ingests high-velocity data, Azure Data Lake Storage stores data for long-term analytics, and Azure Stream Analytics provides real-time processing and dashboards. Option D is incorrect because Azure IoT Hub is for device management and telemetry, but it is not optimized for high-velocity ingestion from millions of devices. Option B is incorrect because Azure Service Bus is for messaging, not high-velocity ingestion.

Option C is incorrect because Azure Cosmos DB is for operational workloads, not long-term analytics.

551
MCQmedium

You are designing a governance strategy for Azure resources. Your organization has multiple departments, each with its own set of Azure subscriptions. You need to enforce consistent policies across all subscriptions, such as allowed resource locations and required tags, while allowing departments to manage their own resources within those constraints. Which Azure service should you use?

A.Azure Blueprints
B.Azure Policy
C.Azure Management Groups
D.Azure Role-Based Access Control (RBAC)
AnswerB

Azure Policy enforces rules on resources at scale.

Why this answer

Azure Policy is the correct service because it enforces organizational standards and compliance rules across all Azure resources, such as allowed locations and required tags, at scale. It applies policies to management groups, subscriptions, or resource groups, ensuring consistent governance while allowing departments to manage their own resources within those constraints. Unlike Azure Blueprints, which deploys a full environment template, Azure Policy focuses solely on rule enforcement and remediation.

Exam trap

The trap here is confusing Azure Policy with Azure Blueprints, as both involve governance, but Blueprints is for deploying a full environment template while Policy is for ongoing rule enforcement and compliance auditing.

How to eliminate wrong answers

Option A is wrong because Azure Blueprints is used to deploy a repeatable set of Azure resources and policies as a package (e.g., ARM templates, RBAC assignments), but it does not enforce ongoing compliance or prevent non-compliant resources from being created after deployment. Option C is wrong because Azure Management Groups provide a hierarchical structure for organizing subscriptions and applying policies at scale, but they are not the service that enforces rules; they are the container for policy assignment. Option D is wrong because Azure Role-Based Access Control (RBAC) manages who can perform actions on resources (authorization), not what resource configurations are allowed (compliance); RBAC cannot enforce tag requirements or restrict resource locations.

552
MCQhard

You are designing a landing zone in Azure for a regulated financial services company. They require that all storage accounts be restricted to specific virtual networks and have encryption using customer-managed keys (CMK). Additionally, they want to ensure that any storage account creation outside of the approved network boundaries is prevented. Which combination of Azure Policy and Network Security controls should you recommend?

A.Use Azure Policy to enforce service endpoints on storage accounts and deny creation if not present, along with a policy requiring CMK encryption.
B.Use Azure Policy to require storage account encryption with CMK, and use network security groups (NSGs) to restrict storage account access to specific subnets.
C.Deploy Azure Firewall in the hub virtual network and configure application rules to allow only approved storage accounts.
D.Use Azure Policy to require storage accounts to use private endpoints, and use Azure Private Link to restrict access from specific virtual networks.
AnswerA

Azure Policy can enforce both network restrictions (via service endpoints) and CMK encryption. Deny policy prevents creation outside approved boundaries.

Why this answer

Option A is correct because Azure Policy can enforce service endpoints on storage accounts and deny creation if a required tag (like 'network') is not set, alongside a policy requiring CMK encryption. Network security groups alone cannot enforce encryption or creation policies. Option B is wrong because NSGs are not used for storage account access control.

Option C is wrong because Azure Firewall is for outbound traffic, not storage access. Option D is wrong because Private Endpoint is recommended for private connectivity, but service endpoints can also be used with policies; however, the question requires enforcement of network restrictions and CMK, which Azure Policy does.

553
MCQmedium

You are designing a governance strategy for a new Azure subscription. The security team requires that all resources must have a 'CostCenter' tag and an 'Environment' tag. Which Azure policy effect should you use to automatically apply the tags to new resources?

A.audit
B.modify
C.deny
D.deployIfNotExists
AnswerB

modify can automatically add or replace tags during resource creation or update.

Why this answer

The 'modify' effect is correct because it can automatically append or replace missing tags on new or existing non-compliant resources during resource creation or update. Unlike 'deployIfNotExists', which only runs remediation tasks after creation, 'modify' applies the tags inline as part of the resource creation request, ensuring compliance without requiring a separate remediation task.

Exam trap

The trap here is that candidates often confuse 'deployIfNotExists' with 'modify', thinking both can automatically apply tags, but 'deployIfNotExists' requires a separate remediation task and does not apply tags inline during resource creation, making 'modify' the correct choice for automatic tag application on new resources.

How to eliminate wrong answers

Option A is wrong because 'audit' only logs non-compliance without taking any action to apply the tags. Option C is wrong because 'deny' blocks resource creation if tags are missing, but does not automatically apply them. Option D is wrong because 'deployIfNotExists' can deploy a remediation task to apply tags, but it runs after resource creation and requires a separate remediation trigger, whereas 'modify' applies tags inline during the creation or update request.

554
MCQhard

A financial services company runs a critical SQL Server database on Azure VMs. They require a failover solution that provides automatic detection of database health issues and automatically fails over to a secondary replica in another Azure region with no data loss and sub-minute RPO. What should they use?

A.Azure SQL Database geo-replication
B.SQL Server Always On Availability Groups with automatic failover
C.Azure SQL Managed Instance failover groups
D.Azure Backup for SQL Server
AnswerB

Always On AGs with synchronous commit and automatic failover meet the requirements.

Why this answer

Option B is correct because SQL Server Always On Availability Groups with automatic failover can provide synchronous replication between VMs in different regions, offering no data loss and a sub-minute RPO. Option C is wrong because Azure SQL Managed Instance failover groups provide automatic failover but with a maximum of one hour RPO for geo-replication. Option A is wrong because Azure SQL Database geo-replication has an RPO of up to 5 seconds, but the scenario specifies VMs, not PaaS.

Option D is wrong because Azure Backup does not provide real-time replication.

555
MCQmedium

A company runs a stateless web application on Azure VMs. They need to ensure the application remains available in the event of an entire Azure datacenter failure. They want to achieve a 99.99% SLA. Which deployment option should they recommend?

A.Deploy the VMs in an Availability Set within a single datacenter
B.Deploy the VMs across at least two Availability Zones in the same region
C.Deploy the VMs in a single Availability Zone
D.Deploy the VMs in a single region without zone redundancy
AnswerB

Deploying VMs across at least two availability zones in the same region protects against an entire datacenter failure and meets the 99.99% SLA.

Why this answer

To survive an entire Azure datacenter failure and achieve a 99.99% SLA, the stateless web application must be deployed across at least two Azure Availability Zones within a region. Availability Zones are physically separate datacenters within the same region, each with independent power, cooling, and networking. Deploying VMs in a zone-redundant configuration ensures that if one datacenter fails, the application continues running in another zone, meeting the 99.99% SLA (which requires a minimum of two zones).

Exam trap

The trap here is that candidates often confuse Availability Sets (which protect against rack failures) with Availability Zones (which protect against datacenter failures), leading them to choose an option that only provides 99.95% SLA instead of the required 99.99%.

How to eliminate wrong answers

Option A is wrong because deploying VMs in an Availability Set protects against rack-level failures within a single datacenter, not against an entire datacenter failure, and it offers only a 99.95% SLA. Option C is wrong because deploying VMs in a single Availability Zone still leaves the application vulnerable to a datacenter failure within that zone, and the SLA for a single zone is 99.95%. Option D is wrong because deploying VMs in a single region without zone redundancy does not protect against a full datacenter failure, and the SLA for a single VM is 99.9%.

556
MCQeasy

Your company has Azure virtual machines running a critical application. You need to back up these VMs daily and retain backups for 7 years. The solution must be cost-effective and support application-consistent backups. What should you use?

A.Azure Backup
B.Azure Files backup
C.Azure Site Recovery
D.Azure VM snapshots stored in Azure Storage
AnswerA

Supports daily backup, long-term retention, and application-consistent backups.

Why this answer

Option A is correct because Azure Backup supports daily backup, long-term retention (up to 99 years), and application-consistent backups via VSS. Option C is wrong because Azure Site Recovery is for disaster recovery, not backup. Option D is wrong because Azure VM snapshots are not managed backups.

Option B is wrong because Azure Files backup is for file shares, not VM backup.

557
Multi-Selectmedium

Your organization uses Azure Monitor to collect metrics from Azure resources. You need to create a custom metric alert that triggers when the average CPU usage of a specific virtual machine exceeds 80% for 10 minutes. Which TWO components are required? (Choose two.)

Select 2 answers
A.Metric alert rule
B.Automation runbook
C.Action group
D.Log Analytics workspace
E.Diagnostic setting
AnswersA, C

The metric alert rule defines the resource, metric, condition (avg CPU > 80%), and evaluation frequency.

Why this answer

Option A is correct because a metric alert rule defines the condition. Option C is correct because an action group defines who gets notified. Option D is wrong because a Log Analytics workspace is not needed for metrics.

Option E is wrong because a diagnostic setting is for sending logs, not for metric alerts. Option B is wrong because a runbook is not required; you can use action groups to trigger automation.

558
MCQmedium

Your company runs a mission-critical application on Azure Virtual Machines in a single region. You need to design a monitoring solution that provides proactive alerts for performance degradation and allows the operations team to analyze historical trends. The solution must minimize cost and operational overhead. You have an existing Log Analytics workspace. What should you include in the design?

A.Enable VM insights in Azure Monitor and use its live map and performance views for historical analysis.
B.Configure Azure Autoscale for the VMs based on CPU metrics and use Azure Monitor for logging.
C.Deploy Application Insights on each VM and use its built-in alerts for performance.
D.Enable Azure Monitor on all VMs using the Azure Monitor agent. Create metric alerts for high CPU and memory usage. Use Log Analytics to query and analyze historical performance data.
AnswerD

This provides proactive alerts and historical analysis with low overhead.

Why this answer

Option D is correct because it uses the Azure Monitor agent to collect performance data from VMs, enabling metric alerts for proactive notification of high CPU and memory usage, while leveraging the existing Log Analytics workspace for cost-effective historical analysis. This approach minimizes operational overhead by using a single agent and native Azure Monitor features without additional services or complex configurations.

Exam trap

The trap here is that candidates may confuse VM insights (which offers rich visualizations but limited historical analysis) with the full monitoring solution required, or mistakenly think Application Insights is appropriate for VM-level performance monitoring when it is designed for application telemetry.

How to eliminate wrong answers

Option A is wrong because VM insights provides live map and performance views for real-time monitoring but is not designed for deep historical trend analysis, and its prebuilt performance charts have limited retention without Log Analytics. Option B is wrong because Azure Autoscale is for automatically scaling VM instances based on metrics, not for monitoring performance degradation or analyzing historical trends; it also does not address the requirement for proactive alerts and historical analysis. Option C is wrong because Application Insights is primarily for application-level monitoring (e.g., web apps, APIs) and requires instrumenting each application, which adds cost and complexity; it is not suitable for OS-level performance metrics like CPU and memory on VMs.

559
MCQmedium

A company runs a critical application on Azure Kubernetes Service (AKS) in a single region. The application is stateless and uses an Azure SQL Database with active geo-replication for database DR. They need to ensure the AKS cluster can failover to a secondary region with an RTO of 15 minutes and an RPO of 5 seconds for the database. What should they recommend for the AKS cluster?

A.Deploy AKS clusters in two regions and use Azure Traffic Manager to route traffic.
B.Deploy a single AKS cluster with pods spread across availability zones within the region.
C.Use Azure Site Recovery to replicate the AKS cluster to another region.
D.Back up the AKS cluster configuration and container images to a geo-redundant storage account.
AnswerA

Traffic Manager provides DNS-based global load balancing. With AKS clusters in two regions, Traffic Manager can direct users to the healthy region, achieving the required RTO. The database DR is handled separately by active geo-replication.

Why this answer

Option A is correct because deploying AKS clusters in two regions with Azure Traffic Manager enables active-passive or active-active failover. Traffic Manager uses DNS-based routing to direct traffic to the secondary region when the primary fails, meeting the RTO of 15 minutes. The stateless application can be redeployed or scaled in the secondary cluster, while the Azure SQL Database with active geo-replication ensures an RPO of 5 seconds by continuously replicating transactions.

Exam trap

The trap here is that candidates often confuse Azure Site Recovery as a solution for AKS DR, but Site Recovery only supports IaaS VMs, not managed Kubernetes services, making multi-region AKS clusters with Traffic Manager the correct approach.

How to eliminate wrong answers

Option B is wrong because spreading pods across availability zones within a single region protects against zonal failures but not against a regional outage, which is required for cross-region DR. Option C is wrong because Azure Site Recovery does not support replicating AKS clusters; it is designed for IaaS VMs, not managed Kubernetes services. Option D is wrong because backing up cluster configuration and container images to geo-redundant storage provides data backup but does not enable automated failover or meet the RTO of 15 minutes, as manual restoration would be required.

560
MCQhard

You are designing a data lake for advanced analytics in Azure. The data includes structured, semi-structured, and unstructured data. The solution must support schema-on-read and have the ability to query using SQL. Which Azure service should you choose?

A.Azure Blob Storage.
B.Azure SQL Database.
C.Azure Data Lake Storage Gen2.
D.Azure Cosmos DB.
AnswerC

Supports all data types, schema-on-read, and SQL querying.

Why this answer

Option C is correct because Azure Data Lake Storage Gen2 provides a hierarchical namespace for storing all data types and integrates with query engines like Azure Synapse SQL for schema-on-read. Option B is wrong because Azure SQL Database is for structured data only. Option D is wrong because Azure Cosmos DB is for transactional workloads, not a data lake.

Option A is wrong because Azure Blob Storage lacks the hierarchical namespace needed for a data lake.

561
MCQmedium

A company plans to deploy multiple virtual machines (VMs) across two Azure regions for high availability. The VMs will host a stateless web application that must be accessible via a single DNS endpoint. The solution must automatically route traffic to the nearest region with available capacity and provide failover if a region becomes unhealthy. Which Azure service should they use to meet these requirements?

A.Azure Traffic Manager
B.Azure Front Door
C.Azure Load Balancer
D.Azure Application Gateway
AnswerA

Traffic Manager uses DNS to route users to the nearest or best-performing region and supports automatic failover when an endpoint becomes unhealthy.

Why this answer

Azure Traffic Manager is a DNS-based traffic load balancer that distributes traffic to the nearest region with available capacity using the Performance traffic-routing method, and it automatically fails over to the next healthy endpoint when a region becomes unhealthy. It operates at the DNS level, returning the appropriate endpoint IP based on the client's DNS resolver location and endpoint health probes, making it ideal for stateless web applications requiring a single DNS endpoint across regions.

Exam trap

The trap here is that candidates often confuse Azure Front Door (Layer 7, HTTP/HTTPS) with Traffic Manager (DNS-based, any protocol), but the requirement for a single DNS endpoint and region-level failover without specifying HTTP makes Traffic Manager the correct choice.

How to eliminate wrong answers

Option B (Azure Front Door) is wrong because it is an HTTP/HTTPS application delivery controller that provides global load balancing with SSL offload and path-based routing, but it operates at Layer 7 and requires HTTP traffic, whereas the question does not specify HTTP-only traffic and Traffic Manager works at DNS level for any protocol. Option C (Azure Load Balancer) is wrong because it operates at Layer 4 and distributes traffic only within a single region, not across multiple Azure regions. Option D (Azure Application Gateway) is wrong because it is a regional Layer 7 load balancer with HTTP/HTTPS features and cannot route traffic across multiple regions or provide global failover.

562
Multi-Selecthard

Which THREE considerations are important when designing a storage solution for Azure Virtual Desktop (AVD) user profiles using FSLogix? (Choose three.)

Select 3 answers
A.Use Azure Files as the storage solution.
B.Use a public endpoint for profile storage.
C.Provision sufficient IOPS for user profiles.
D.Enable geo-redundant storage (GRS) for disaster recovery.
E.Ensure low latency between session hosts and storage.
AnswersA, C, E

Supports SMB, needed for FSLogix.

Why this answer

Options A, C, and E are correct. FSLogix profiles require a share that supports SMB (Azure Files). Low latency between session hosts and storage is critical for user experience.

High IOPS are needed for profile reads/writes. Option B is wrong because a public endpoint is not required; a private endpoint is recommended. Option D is wrong because geo-redundancy is not typically required for FSLogix; locally redundant or zone-redundant storage is sufficient.

563
MCQeasy

A company runs a web application on Azure VMs in a single region. They need to ensure that if the region fails, the VMs are replicated to another region and can be started automatically. Which Azure service should they use?

A.Azure Site Recovery
B.Azure Backup
C.Azure Traffic Manager
D.Azure Load Balancer
AnswerA

Azure Site Recovery replicates VMs to another region and supports automated failover and startup.

Why this answer

Azure Site Recovery (ASR) orchestrates replication, failover, and failback of Azure VMs from one region to another. It continuously replicates VM disks to the target region and, upon failover, automatically starts the replicated VMs, meeting the requirement for regional disaster recovery with automated startup.

Exam trap

The trap here is that candidates confuse Azure Backup (which provides point-in-time restores but not automated regional failover) with Azure Site Recovery (which provides continuous replication and automated VM startup), or they mistakenly think Traffic Manager or Load Balancer can handle VM replication and startup when they only manage traffic routing.

How to eliminate wrong answers

Option B (Azure Backup) is wrong because it is designed for backup and restore of VM data to a Recovery Services vault, not for continuous replication and automated startup of VMs in another region; it requires manual restore and does not provide automatic VM startup after failover. Option C (Azure Traffic Manager) is wrong because it is a DNS-based traffic load balancer that routes incoming traffic to healthy endpoints across regions, but it does not replicate VMs or start them automatically after a regional failure. Option D (Azure Load Balancer) is wrong because it distributes traffic within a single region at the transport layer (Layer 4) and does not provide cross-region replication or automated VM startup.

564
MCQmedium

You need to design a storage solution for a global e-commerce application that requires low-latency access to product catalog data across multiple Azure regions. The data is read-heavy and updates are rare. Which service should you use for the primary data store?

A.Azure SQL Database with active geo-replication
B.Azure Table Storage
C.Azure Redis Cache
D.Azure Cosmos DB
AnswerD

Cosmos DB offers turnkey global distribution with multiple consistency levels and low latency.

Why this answer

Azure Cosmos DB is the correct choice because it provides globally distributed, multi-region writes and reads with turnkey data replication and guaranteed single-digit-millisecond latency at the 99th percentile. Its multi-homing API and automatic failover capabilities make it ideal for a read-heavy, rarely updated global e-commerce catalog that requires low-latency access across multiple Azure regions.

Exam trap

The trap here is that candidates often confuse a caching layer (Redis) with a globally distributed primary store, or assume that a relational database with geo-replication (Azure SQL) is suitable for any multi-region scenario, ignoring the specific read-heavy, rare-update pattern that Cosmos DB is optimized for.

How to eliminate wrong answers

Option A is wrong because Azure SQL Database with active geo-replication is designed for transactional workloads with frequent writes and strong consistency, not for a read-heavy, rarely updated catalog; its geo-replication adds latency and cost overhead for read-only scenarios. Option B is wrong because Azure Table Storage is a NoSQL key-value store that lacks native global distribution and multi-region replication, resulting in higher latency for cross-region reads and no built-in low-latency guarantees. Option C is wrong because Azure Redis Cache is an in-memory cache, not a durable primary data store; it is used to accelerate reads from a backing database, not to serve as the authoritative source of truth for product catalog data.

565
MCQmedium

A company wants workload deployments to access Azure resources without storing client secrets in CI/CD variables. The pipeline runs from GitHub Actions. Which identity design should be used?

A.A shared user account with MFA disabled
B.A storage account access key
C.Workload identity federation with Microsoft Entra ID
D.A long-lived app registration client secret
AnswerC

Workload identity federation allows external workloads such as GitHub Actions to exchange trusted tokens without stored secrets.

Why this answer

Workload identity federation with Microsoft Entra ID allows GitHub Actions to exchange an OpenID Connect (OIDC) token for an Azure access token, eliminating the need to store client secrets in CI/CD variables. This design uses short-lived tokens and federated identity credentials, aligning with the principle of zero-trust and secretless authentication.

Exam trap

The trap here is that candidates may choose a long-lived client secret (Option D) thinking it is the standard way to authenticate, overlooking the requirement to avoid storing secrets and the modern OIDC-based federation approach.

How to eliminate wrong answers

Option A is wrong because a shared user account with MFA disabled violates security best practices and does not eliminate secrets; it still requires storing credentials in CI/CD variables. Option B is wrong because a storage account access key is a static secret that must be stored in CI/CD variables, and it provides broad, unmonitored access to the storage account. Option D is wrong because a long-lived app registration client secret is a static secret that must be stored in CI/CD variables, defeating the requirement to avoid storing secrets.

566
MCQeasy

A company is deploying a multi-tier web application on Azure VMs. The web tier must be accessible from the internet, while the application and database tiers must be isolated within the virtual network. The solution must provide SSL termination, web application firewall (WAF) capabilities, and URL-based routing. Which Azure service should they use to expose the web tier?

A.Use an Azure Load Balancer and configure NSGs on each subnet.
B.Use Azure Firewall to inspect all traffic and allow internet traffic to the web tier.
C.Use Azure Application Gateway with WAF, and configure NSGs to restrict traffic between tiers.
D.Use Azure Front Door to expose the web tier and NSGs for internal isolation.
AnswerC

Application Gateway provides SSL termination, WAF, and URL routing. NSGs on subnets can enforce isolation by allowing only necessary traffic (e.g., only web tier to app tier on specific ports).

Why this answer

Azure Application Gateway is a Layer 7 load balancer that provides SSL termination, a web application firewall (WAF), and URL-based routing, making it ideal for exposing a web tier to the internet. By placing the gateway in front of the web tier and configuring network security groups (NSGs) on the application and database subnets, you can isolate internal tiers while meeting all stated requirements.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4) with Application Gateway (Layer 7), assuming a basic load balancer can handle SSL termination and WAF, when in fact those features require Layer 7 capabilities.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer operates at Layer 4 and cannot perform SSL termination, WAF inspection, or URL-based routing; it only distributes traffic based on IP and port. Option B is wrong because Azure Firewall is a stateful Layer 3/4 firewall that does not provide SSL termination or URL-based routing, and it is not designed to act as a reverse proxy for web tiers. Option D is wrong because Azure Front Door is a global Layer 7 service that excels at CDN and cross-region routing but does not natively support URL-based routing within a single virtual network; it is typically used for global load balancing, not for internal tier isolation with NSGs.

567
MCQmedium

A company runs several Azure virtual machines (VMs) that host SQL Server databases. The databases are stored on data disks attached to the VMs. The company needs to back up the databases and VMs separately. They require application-consistent backups for SQL Server to ensure transactional integrity. Additionally, they need to retain backups for up to 7 years to meet compliance requirements. The solution must minimize administrative overhead and support long-term retention of database backups. Which Azure service or feature should they use for the database backups?

A. Azure Backup for Azure VMs with application-consistent snapshots
B. Azure Backup for SQL Server in Azure VMs
C. Azure Site Recovery
D. Azure Files
Answer: B

This offers true application-consistent backups for SQL Server databases, supports granular point-in-time restore, and allows retention of backups for up to 10 years using the archive tier, meeting the 7-year requirement.

Why this answer

Azure Backup for SQL Server in Azure VMs is the correct choice because it provides native, application-consistent backups specifically for SQL Server databases running on Azure VMs. It integrates directly with SQL Server VSS writer to ensure transactional integrity, supports long-term retention up to 10 years (exceeding the 7-year requirement), and minimizes administrative overhead by automating backup scheduling, retention management, and point-in-time restore. This service is purpose-built for SQL Server database backups, separate from VM-level backups.

Exam trap

The trap here is that candidates often confuse 'application-consistent snapshots' at the VM level with true SQL Server–aware database backups, overlooking that VM-level backups do not guarantee SQL Server transactional integrity or support database-level restore and long-term retention policies.

How to eliminate wrong answers

Option A is wrong because Azure Backup for Azure VMs with application-consistent snapshots backs up the entire VM (including OS and data disks) but does not provide SQL Server–aware, database-level backup granularity or transactional integrity for SQL Server databases; it only ensures file-system consistency, not application consistency for SQL Server. Option C is wrong because Azure Site Recovery is a disaster recovery solution focused on replication and failover for business continuity, not a backup service for long-term retention or application-consistent database backups. Option D is wrong because Azure Files is a managed file share service for storing files, not a backup solution; it lacks SQL Server–aware backup capabilities, application-consistent snapshot support, and long-term retention policies for databases.

568
MCQ · medium

Your company has a multi-region Azure deployment with virtual networks in East US and West Europe connected via a hub-and-spoke topology. You need to ensure that all traffic between the spokes is routed through a centralized firewall in the hub. The hub uses Azure Firewall. Currently, spoke-to-spoke traffic is not being inspected. What should you configure?

A. Use Azure Firewall Manager to enforce routing by adding route tables to the spoke subnets with a default route to the firewall.
B. Apply NSG rules to block direct spoke-to-spoke traffic.
C. Configure VNet peering between all spokes.
D. Deploy VPN gateways in each spoke and configure site-to-site VPNs.
Answer: A

This forces all inter-spoke traffic through the firewall for inspection.

Why this answer

Option B is correct because you need to add route tables to the spoke subnets with a default route (0.0.0.0/0) to the Azure Firewall private IP to force all traffic through the firewall. Azure Firewall Manager can push these routes automatically. Option A is wrong because peering alone does not force routing through the firewall.

Option C is wrong because VPN gateways are not required for this purpose. Option D is wrong because NSGs do not route traffic; they filter.

569
MCQ · medium

A company is migrating a large on-premises SQL Server database to Azure SQL Managed Instance. They need to minimize downtime during migration. The database is 500 GB and the network link is 1 Gbps. Which migration approach should they recommend?

A. Use Azure Database Migration Service with online migration
B. Perform offline backup and restore
C. Use transactional replication
D. Export BACPAC and import
Answer: A

Online migration via DMS allows continuous replication with minimal downtime, suitable for a 500 GB database.

Why this answer

Option A is correct because Azure Database Migration Service (DMS) with online migration mode uses continuous change data capture (CDC) to synchronize ongoing changes from the on-premises SQL Server to Azure SQL Managed Instance, minimizing downtime to a brief cutover window. This approach is ideal for a 500 GB database over a 1 Gbps link, as it avoids the lengthy full data transfer required by offline methods.

Exam trap

The trap here is that candidates often assume offline backup and restore is the simplest and fastest method, but they overlook the 'minimize downtime' requirement, which makes online migration via DMS the only correct choice despite its added complexity.

How to eliminate wrong answers

Option B is wrong because offline backup and restore requires taking the source database offline for the entire duration of the backup transfer and restore, which for a 500 GB database over 1 Gbps would cause significant downtime (hours), failing the minimize-downtime requirement. Option C is wrong because transactional replication requires manual setup of publishers, distributors, and subscribers, and while it can reduce downtime, it is more complex to configure and manage for a full database migration compared to DMS, and it does not natively handle schema changes or large-scale migrations as efficiently. Option D is wrong because exporting a BACPAC file involves a full database export and import, which locks tables during export and requires the database to be mostly offline, resulting in substantial downtime for a 500 GB database over 1 Gbps.

570
Multi-Select · medium

Your organization has a critical application running on Azure Virtual Machines. You need to design a backup and disaster recovery strategy. Which TWO options should you include in your design to meet a Recovery Point Objective (RPO) of 15 minutes and a Recovery Time Objective (RTO) of 1 hour? (Choose two.)

Select 2 answers
A. Store data in Azure Files and use Azure File Sync for replication.
B. Implement Azure Site Recovery with replication to a secondary region.
C. Use Azure Traffic Manager to distribute traffic between regions.
D. Configure Azure Backup for daily backups with geo-redundant storage.
E. Enable application-consistent snapshots for the VMs within the replication policy.
Answers: B, E

Azure Site Recovery can achieve an RPO of 15 seconds to 15 minutes and an RTO of minutes, meeting the requirements.

Why this answer

Option B and Option D are correct. Azure Site Recovery can replicate VMs with an RPO as low as 15 minutes and an RTO of minutes to hours. Azure Backup can be used for additional long-term retention, but to meet the RPO/RTO requirements, Site Recovery is necessary.

Option A is wrong because Azure Backup has a default RPO of 1 hour for VMs. Option C is wrong because Traffic Manager does not provide RPO/RTO guarantees. Option E is wrong because Azure Files is not a VM backup solution.

571
MCQ · easy

You need to design a storage solution for a large-scale media streaming application. The application serves video files to users worldwide. The solution must minimize latency for end-users and optimize content delivery costs. Which Azure service combination should you use?

A. Azure Cosmos DB with multi-region writes
B. Azure NetApp Files with Azure Front Door
C. Azure Blob Storage with Azure Content Delivery Network (CDN)
D. Azure Files with Azure File Sync
Answer: C

Blob Storage stores videos; CDN caches at edge locations for low latency and cost efficiency.

Why this answer

Azure Blob Storage is optimized for storing large, unstructured data like video files, and when paired with Azure Content Delivery Network (CDN), it caches content at edge nodes worldwide. This combination minimizes latency for global users by serving videos from the nearest point of presence (PoP) and reduces egress costs by offloading traffic from the origin storage to the CDN's distributed network.

Exam trap

The trap here is that candidates confuse Azure Front Door (a global load balancer with HTTP caching) with a full CDN, but for static video content, Azure CDN (or Azure Front Door's CDN profile) is the correct service because it provides dedicated edge caching and egress cost optimization, whereas Front Door's primary role is application acceleration and routing.

How to eliminate wrong answers

Option A is wrong because Azure Cosmos DB is a NoSQL database designed for transactional workloads with multi-region writes, not for storing and serving large binary video files; it lacks the cost-effective blob storage and CDN integration needed for media streaming. Option B is wrong because Azure NetApp Files provides high-performance NFS/SMB file shares for enterprise applications, not a globally distributed content delivery mechanism; Azure Front Door is a global load balancer and application accelerator, not a caching CDN optimized for static content like video files. Option D is wrong because Azure Files with Azure File Sync is designed for hybrid file sharing and synchronization across on-premises and cloud, not for low-latency global video streaming; it lacks edge caching and does not optimize egress costs for large-scale media delivery.

572
MCQ · medium

Your organization uses Microsoft Entra ID and Azure Key Vault. You need to ensure that a custom application can securely access secrets in Key Vault without storing credentials in code. The application runs on an Azure Virtual Machine. What should you use?

A. Store the Key Vault URL and connection string in the application configuration
B. Create a service principal and upload a certificate to the VM
C. Assign a system-assigned managed identity to the VM
D. Use a shared access signature (SAS) token
Answer: C

Managed identity provides a secure way to access Key Vault without credentials.

Why this answer

Option C is correct because a system-assigned managed identity for Azure Virtual Machines allows the application to authenticate to Azure Key Vault without storing any credentials in code. Azure automatically manages the identity's lifecycle and tokens, enabling the VM to obtain an access token from Azure AD (now Microsoft Entra ID) to call Key Vault's REST API. This aligns with the principle of zero-trust and eliminates the need for service principals or certificates in the application.

Exam trap

The trap here is that candidates may confuse SAS tokens (used for Azure Storage) with Key Vault authentication, or mistakenly think that a service principal with a certificate is the most secure option, overlooking the fully managed, credential-less nature of managed identities.

How to eliminate wrong answers

Option A is wrong because storing the Key Vault URL and connection string in application configuration still exposes credentials (the connection string) in code or config files, violating the requirement to avoid storing credentials. Option B is wrong because creating a service principal and uploading a certificate to the VM requires manual certificate management, rotation, and storage of the certificate on the VM, which introduces credential management overhead and security risks. Option D is wrong because a shared access signature (SAS) token is used for delegating access to Azure Storage resources, not for authenticating to Azure Key Vault; Key Vault does not support SAS tokens for authentication.

573
Multi-Select · medium

Which TWO of the following are valid strategies for achieving high availability for Azure SQL Database?

Select 2 answers
A. Deploy Azure SQL Database in a zone-redundant configuration within a single region.
B. Enable read scale-out to distribute read queries to a secondary replica.
C. Enable active geo-replication with a readable secondary in the same region.
D. Use Azure Backup to copy database backups to another region.
E. Configure auto-failover groups with a secondary in another region.
Answers: A, C

Zone-redundant configuration replicates across availability zones for HA.

Why this answer

Options B and D are correct. Active geo-replication provides readable secondaries and supports manual failover. Zone-redundant configuration protects against datacenter failure within a region.

Option A (auto-failover groups) is a strategy but is a superset; the question asks for strategies. Option C (backup to another region) is for disaster recovery, not high availability. Option E (read scale-out) is for read scalability, not availability.

574
MCQ · hard

You are designing a logging and monitoring solution for a multi-region application. The application is deployed in three Azure regions. Security requirements mandate that all authentication and authorization logs be retained for 7 years. Logs must be queryable centrally from a single location. What is the most cost-effective way to meet these requirements?

A. Deploy a Log Analytics workspace per region, set retention to 7 years, and use cross-workspace queries from a central Log Analytics workspace or Azure Sentinel.
B. Use Azure Storage Analytics logs and store them in a geo-redundant storage account in each region.
C. Use Azure Event Hubs to collect logs from all regions and stream them to a Log Analytics workspace in a central region.
D. Deploy a single Log Analytics workspace in one region and configure all VMs to send logs to it.
Answer: A

Workspaces per region reduce data transfer costs and avoid a single point of failure; cross-workspace queries provide centralized querying.

Why this answer

Option D is correct because Azure Monitor Log Analytics workspaces can be used in each region, and then you can query across them using cross-workspace queries in the Azure Portal or using Azure Sentinel. Option A is wrong because Log Analytics workspace can store logs for 7 years with retention settings, but using a single workspace for all regions introduces latency and potential data loss if region fails. Option B is wrong because Event Hubs is for real-time streaming, not long-term retention.

Option C is wrong because Storage Analytics is for storage accounts only.

575
Multi-Select · medium

Your company has an Azure subscription that contains 100 virtual machines (VMs). You are designing a monitoring solution that must meet the following requirements:
- Alert when any VM's CPU usage exceeds 90% for 15 minutes.
- Alert when any VM's available memory drops below 1 GB.
- Provide a centralized dashboard showing real-time performance metrics for all VMs.
Which TWO Azure services should you include in the solution? (Choose two.)

Select 2 answers
A. Azure Policy
B. Microsoft Sentinel
C. Azure Monitor
D. Azure Monitor Workbooks
E. Azure Automation
Answers: C, D

Azure Monitor collects performance metrics and supports metric alerts for CPU and memory thresholds.

Why this answer

Azure Monitor is the core service for collecting, analyzing, and acting on telemetry from Azure resources. It can collect CPU and memory metrics from VMs via the Azure Monitor Agent, and its alerting engine can trigger actions when CPU exceeds 90% for 15 minutes or available memory drops below 1 GB, meeting both alerting requirements.

Exam trap

The trap here is that candidates often confuse Azure Monitor Workbooks with Azure Dashboards or Power BI, but Workbooks are the correct service for creating a centralized, real-time performance dashboard that integrates directly with Azure Monitor alerts and metrics.

576
MCQ · hard

You are designing a business continuity plan for a financial services company that uses Azure SQL Database for its transactional workloads. The solution must meet an RPO of 5 seconds and an RTO of 30 seconds during a regional outage. What should you use?

A. Azure Database for PostgreSQL with read replicas in another region
B. Azure SQL Database auto-failover group with a secondary in a paired region
C. Azure SQL Database with active geo-replication and automatic failover
D. Azure SQL Managed Instance with failover group
Answer: C

Active geo-replication in a failover group provides exactly 5 sec RPO and ~30 sec RTO.

Why this answer

Option C is correct because Azure SQL Database failover groups with active geo-replication provide an RPO of 5 seconds and RTO of about 30 seconds when using automatic failover. Option A is wrong because auto-failover groups have an RPO of 5 seconds. Option B is wrong because Azure SQL Managed Instance failover groups have a higher RTO.

Option D is wrong because Azure Database for PostgreSQL is not the same service.

577
MCQ · medium

Your company has an Azure subscription that contains a hub virtual network and multiple spoke virtual networks connected via VNet peering. You need to ensure that all traffic between spokes is routed through a network virtual appliance (NVA) in the hub. The NVA is configured with IP forwarding enabled. What should you configure in the spoke virtual networks?

A. Deploy a VPN gateway in each spoke and configure site-to-site VPNs.
B. Configure NSG rules to block direct spoke-to-spoke traffic.
C. Add route tables to the spoke subnets with a default route (0.0.0.0/0) pointing to the NVA's private IP.
D. Enable BGP on the VNet peerings.
Answer: C

This forces all outbound traffic from spokes to go through the NVA.

Why this answer

Option A is correct because user-defined routes (UDRs) in the spoke subnets with next hop as the NVA's private IP address force traffic through the NVA. Option B is wrong because BGP alone is not sufficient without route tables. Option C is wrong because VPN gateways are not needed.

Option D is wrong because NSGs do not route.

578
MCQ · easy

Your organization plans to use Azure Policy to enforce tagging on all resources. The tags must include 'CostCenter' and 'Environment'. Resources that do not have these tags should be automatically remediated. What should you use?

A. A policy with 'append' effect
B. A policy with 'audit' effect
C. A policy with 'deployIfNotExists' effect and a remediation task
D. A policy with 'deny' effect
Answer: C

DeployIfNotExists can deploy a remediation task to add missing tags to existing resources.

Why this answer

The 'deployIfNotExists' effect is correct because it allows Azure Policy to evaluate resources for missing tags and then deploy a remediation task that automatically adds the required tags. This effect is specifically designed for scenarios where non-compliance can be corrected by deploying or modifying resources, such as adding tags via a policy definition that triggers a remediation task.

Exam trap

The trap here is that candidates often confuse 'append' with 'deployIfNotExists', thinking that 'append' can remediate existing resources, but 'append' only applies during resource creation or update, not to already deployed resources.

How to eliminate wrong answers

Option A is wrong because the 'append' effect adds tags only during resource creation or update, but it does not automatically remediate existing resources that are already missing the tags. Option B is wrong because the 'audit' effect only logs non-compliance without any automatic remediation, requiring manual intervention. Option D is wrong because the 'deny' effect prevents creation or update of resources that do not have the required tags, but it does not remediate existing non-compliant resources.

579
MCQ · hard

A financial services company is migrating its on-premises SAP HANA database to Azure. The database requires high IOPS and low latency with a capacity of 4 TB. They need to choose a storage solution that supports SAP HANA certified configurations. Which Azure storage solution should they use?

A. Azure Premium SSD v2
B. Azure Ultra Disk Storage
C. Azure Standard HDD
D. Azure NetApp Files
Answer: B

Azure Ultra Disk Storage provides high IOPS, low latency, and is certified for SAP HANA.

Why this answer

Azure Ultra Disk Storage is the correct choice because it is the only Azure managed disk that is SAP HANA certified for high IOPS and sub-millisecond latency, which is critical for SAP HANA workloads. It supports up to 300,000 IOPS and 2,000 MB/s throughput per disk, and can be provisioned with up to 64 TB capacity, easily covering the 4 TB requirement. Premium SSD v2 is not SAP HANA certified for production databases, and Azure NetApp Files, while offering high performance, is not a managed disk and requires specific NFS configurations that may not meet SAP HANA's strict certification requirements for block storage.

Exam trap

The trap here is that candidates often assume Premium SSD v2 is the best choice for all high-performance workloads, but SAP HANA has specific certification requirements that exclude Premium SSD v2 for production databases, making Ultra Disk the only correct option among the managed disks listed.

How to eliminate wrong answers

Option A is wrong because Azure Premium SSD v2, despite offering high IOPS and low latency, is not certified by SAP for SAP HANA production workloads; SAP HANA requires specific disk types like Ultra Disk or Premium SSD (v1) for certified configurations. Option C is wrong because Azure Standard HDD provides low IOPS and high latency, which cannot meet the performance demands of SAP HANA databases requiring high IOPS and low latency. Option D is wrong because Azure NetApp Files is a file-based NFS storage solution, not a block storage managed disk, and while it can be used with SAP HANA, it requires additional configuration and is not the direct Azure managed disk solution that is SAP HANA certified for high IOPS and low latency block storage.

580
Multi-Select · medium

You are designing an identity solution for a multinational company that has a Microsoft Entra ID tenant. The company plans to acquire a smaller company that currently uses an on-premises Active Directory (AD) forest. The acquired company's users need to access Microsoft 365 applications and Azure resources. The solution must minimize identity management overhead. Which TWO actions should you include in the design? (Choose two.)

Select 2 answers
A. Configure Microsoft Entra Connect Sync to synchronize users from the on-premises AD to the new Entra ID tenant.
B. Federate the on-premises AD with the existing Microsoft Entra ID tenant.
C. Create a new Microsoft Entra ID tenant for the acquired company.
D. Establish a cross-tenant trust between the existing and new Entra ID tenants.
E. Use Microsoft Entra B2B collaboration to invite users from the acquired company.
Answers: A, C

Sync brings identities to the cloud without federation complexity.

Why this answer

Option A is correct because configuring a new Microsoft Entra tenant for the acquired company isolates identity management and minimizes overhead. Option C is correct because synchronizing users using Microsoft Entra Connect Sync brings on-premises identities to the cloud. Option B is wrong because a cross-tenant trust between Entra ID tenants is not supported for authentication.

Option D is wrong because federation requires additional infrastructure and overhead. Option E is wrong because B2B collaboration is for external users, not for employees of an acquired company.

581
MCQ · medium

Your organization uses Microsoft Entra ID. You need to enforce multifactor authentication (MFA) for all guest users accessing a specific SharePoint Online site. What is the most efficient way to achieve this?

A. Use SharePoint site permissions to require MFA.
B. Create a Conditional Access policy targeting guest users and the SharePoint Online app.
C. Enable MFA per-user for each guest account.
D. Configure Microsoft Entra Entitlement Management to require MFA.
Answer: B

Conditional Access can enforce MFA for guest users and specific apps.

Why this answer

Option B is correct because Conditional Access policies in Microsoft Entra ID allow you to enforce MFA specifically for guest users when they access the SharePoint Online app. This is the most efficient approach as it targets the exact user group (guests) and the specific application (SharePoint Online) without requiring per-user configuration or additional licensing overhead.

Exam trap

The trap here is that candidates often confuse SharePoint site permissions with identity-level security controls, assuming that MFA can be enforced at the site level, when in fact MFA must be enforced through Entra ID Conditional Access policies.

How to eliminate wrong answers

Option A is wrong because SharePoint site permissions control access at the site level but cannot enforce MFA; MFA is an identity-level security requirement managed by Entra ID, not SharePoint. Option C is wrong because enabling MFA per-user for each guest account is inefficient, requires manual management, and does not scale; it also lacks the granularity to target only the specific SharePoint Online site. Option D is wrong because Microsoft Entra Entitlement Management manages access packages and approval workflows, not MFA enforcement; it can require MFA as part of an access package policy, but that is not the most efficient or direct method for enforcing MFA on a single SharePoint site.

582
MCQ · hard

Contoso Ltd. is a global retail company with headquarters in New York and operations in Europe and Asia. They are migrating their on-premises SQL Server databases to Azure. The databases include a customer database (500 GB), an orders database (2 TB), and a product catalog database (100 GB). The customer database requires high read throughput with sub-10 ms latency for global users. The orders database must support complex queries and reporting with point-in-time restore capability up to 35 days. The product catalog is updated infrequently but must be available for read-heavy workloads with strong consistency. Contoso wants to minimize costs while meeting performance and compliance requirements. They also need to support hybrid deployments for databases that must remain on-premises due to data sovereignty laws. You need to design a data storage solution. Which combination of Azure services and configurations should you recommend?

A. Azure SQL Managed Instance for all databases with geo-replication for customer DB; use failover groups for global distribution; Azure Data Sync for hybrid
B. Azure SQL Database Hyperscale for all databases; use geo-replication for customer DB; Azure SQL Server on Azure VMs for hybrid
C. Azure Cosmos DB with multiple write regions for customer DB; Azure SQL Database Business Critical for orders; Azure SQL Database serverless for product catalog; Azure SQL Managed Instance with managed instance link for hybrid
D. Azure SQL Database Business Critical for customer DB with geo-replication; Azure SQL Database Hyperscale for orders; Azure SQL Database serverless for product catalog; Azure SQL Managed Instance for hybrid
Answer: C

Cosmos DB provides global low-latency; SQL DB Business Critical supports complex queries; serverless reduces cost; managed instance link enables hybrid.

Why this answer

Option C is correct because Azure Cosmos DB with multiple write regions provides global low-latency for customer data; Azure SQL Database with Business Critical tier for orders provides complex query support and point-in-time restore; Azure SQL Database serverless for product catalog reduces costs for infrequent updates; and Azure SQL Managed Instance supports hybrid deployments with link. Option A is wrong because Azure SQL Database Hyperscale is for large databases but does not provide global low-latency. Option B is wrong because Azure SQL Database for customer data would not meet sub-10 ms latency globally.

Option D is wrong because Azure SQL Managed Instance for all databases increases costs unnecessarily.

583
MCQ · easy

A company has multiple Azure virtual networks (VNets) in different regions. They want to connect all VNets to each other securely over the Microsoft backbone network, and also connect to their on-premises data center via ExpressRoute. What is the simplest Azure solution to enable connectivity between all VNets and on-premises?

A. Azure Virtual WAN
B. VNet peering
C. ExpressRoute
D. VPN Gateway
Answer: A

Azure Virtual WAN provides a centralized hub that connects VNets, VPN sites, and ExpressRoute circuits. It automatically sets up transitive routing between all connected VNets and on-premises, simplifying management.

Why this answer

Azure Virtual WAN is the simplest solution because it provides a hub-and-spoke architecture that automatically connects all VNets and on-premises sites over the Microsoft backbone network. It natively integrates ExpressRoute and VPN gateways into a single managed service, eliminating the need to manually configure multiple peering or gateway connections.

Exam trap

The trap here is that candidates often assume VNet peering or a single ExpressRoute circuit can provide transitive connectivity between all VNets and on-premises, but they forget that VNet peering is non-transitive and ExpressRoute alone does not route between VNets without additional gateways or a hub.

How to eliminate wrong answers

Option B (VNet peering) is wrong because it only connects two VNets directly and does not provide transitive routing; to connect multiple VNets and on-premises, you would need a mesh of peerings and a gateway in each VNet, which is complex and not scalable. Option C (ExpressRoute) is wrong because it only connects on-premises to Azure, not VNets to each other; it requires additional gateways or peering to enable inter-VNet connectivity. Option D (VPN Gateway) is wrong because it only provides site-to-site VPN connectivity to on-premises, not transitive routing between VNets; you would need multiple VPN gateways and complex routing to connect all VNets.

584
MCQ · medium

A company has Azure virtual networks (VNets) in three different Azure regions and an on-premises data center connected via ExpressRoute. They need to connect all VNets to each other and to on-premises over the Microsoft global backbone. They also require centralized management of routing and the ability to enforce security policies such as forced tunneling for internet-bound traffic. Which Azure service should they use?

A. Azure Virtual Network Manager
B. Azure Virtual WAN
C. Azure Firewall
D. Azure Route Server
Answer: B

Azure Virtual WAN creates a hub-and-spoke architecture with a virtual hub in each region. It provides transit connectivity between VNets and on-premises, supports forced tunneling, and offers centralized policy management.

Why this answer

Azure Virtual WAN is the correct choice because it provides a hub-and-spoke architecture that connects VNets across regions and on-premises via the Microsoft global backbone, with built-in centralized routing management and the ability to enforce security policies like forced tunneling through integrated Azure Firewall or third-party NVAs. It meets all requirements: multi-region VNet connectivity, ExpressRoute integration, and centralized policy control.

Exam trap

The trap here is that candidates often confuse Azure Virtual Network Manager (a connectivity configuration tool) with Azure Virtual WAN (a full SD-WAN solution), overlooking that Virtual WAN provides the actual routing, global transit, and integrated security enforcement required for multi-region and hybrid connectivity.

How to eliminate wrong answers

Option A is wrong because Azure Virtual Network Manager manages network group membership and connectivity configurations (like mesh or hub-and-spoke) but does not provide built-in routing management, forced tunneling, or direct integration with ExpressRoute for global backbone connectivity. Option C is wrong because Azure Firewall is a stateful firewall service that enforces security policies and forced tunneling, but it does not provide the underlying connectivity between VNets and on-premises or centralized routing management across regions. Option D is wrong because Azure Route Server enables dynamic route exchange between NVAs and Azure VNets but does not provide the global connectivity fabric, centralized routing management, or forced tunneling enforcement required for multi-region and on-premises integration.

585
MCQ · hard

A company runs a high-throughput time-series workload that stores sensor data from IoT devices. Data is ingested at a rate of millions of events per second. The application requires low-latency queries (under 100 ms) on recent data (less than 30 days old) and the ability to run occasional analytical queries on historical data older than 30 days. The solution must automatically move cold data to a cost-optimized tier and provide built-in analytics. Which Azure service should they use?

A.Azure Time Series Insights (TSI)
B.Azure Cosmos DB with analytical store
C.Azure Event Hubs with Azure Data Lake Storage
D.Azure SQL Database with elastic query
AnswerA

Azure TSI is purpose-built for time-series data, supports high ingestion, low-latency warm queries, automatic cold tiering, and built-in time-series analytics.

Why this answer

Azure Time Series Insights (TSI) is purpose-built for high-throughput IoT time-series data, supporting millions of events per second with sub-100 ms query latency on warm data (less than 30 days old). It automatically moves cold data to a cost-optimized warm/cold store and provides built-in analytics and visualization for time-series patterns, making it the ideal choice for this scenario.

Exam trap

The trap here is that candidates often choose Azure Cosmos DB or Event Hubs because they are familiar with high-throughput ingestion, but they overlook the specific requirement for built-in time-series analytics and automatic cold data tiering, which TSI uniquely provides out of the box.

How to eliminate wrong answers

Option B is wrong because Azure Cosmos DB with analytical store is a NoSQL database optimized for multi-model data and transactional workloads, not specifically for high-throughput time-series ingestion with automatic cold tiering and built-in time-series analytics. Option C is wrong because Azure Event Hubs with Azure Data Lake Storage provides event ingestion and long-term storage but lacks built-in low-latency querying (under 100 ms) and native time-series analytics; it requires additional services like Azure Stream Analytics or Synapse for querying. Option D is wrong because Azure SQL Database with elastic query is a relational database designed for structured transactional data, not for ingesting millions of events per second with automatic cold data movement and time-series-specific analytics.

586
MCQmedium

Your company has multiple Azure subscriptions. You need to create a single query that aggregates resource utilization metrics across all subscriptions and visualizes them in a dashboard. Which combination of Azure services should you use?

A.Azure Monitor Log Analytics workspace and Azure Dashboards
B.Azure Policy and Azure Monitor Alerts
C.Azure Resource Graph and Azure Monitor Workbooks
D.Microsoft Sentinel and Azure Playbooks
AnswerC

Resource Graph can query across subscriptions; Workbooks can visualize the results.

Why this answer

Azure Resource Graph (ARG) can query across multiple subscriptions, resource groups, and resource types in a single query, making it ideal for aggregating utilization metrics. Azure Monitor Workbooks then provide a flexible, interactive canvas to visualize those query results in a dashboard, supporting rich visualizations and parameterized inputs.

Exam trap

The trap here is confusing Azure Resource Graph (which queries resource metadata and properties across subscriptions) with Azure Monitor Log Analytics (which queries log data within a single workspace), leading candidates to choose Option A for cross-subscription queries.

How to eliminate wrong answers

Option A is wrong because Log Analytics workspaces are scoped to a single workspace and cannot natively query across multiple subscriptions in a single query; Azure Dashboards can display data from multiple sources but lack the cross-subscription query capability. Option B is wrong because Azure Policy is used for governance and compliance (e.g., enforcing tags or allowed locations), not for querying or aggregating utilization metrics; Azure Monitor Alerts are for notification on conditions, not visualization. Option D is wrong because Microsoft Sentinel is a SIEM/SOAR solution focused on security event analysis and threat detection, not resource utilization metrics; Azure Playbooks (automation runbooks) are for automated responses, not dashboards.

587
MCQmedium

A company deploys a web application on Azure VMs across multiple availability zones in the East US region. They need to distribute incoming HTTPS traffic across the VMs, offload SSL termination, and ensure that client requests from the same user session are sent to the same backend VM (session persistence). Which Azure load balancing solution should they choose?

A.Azure Application Gateway v2 with cookie-based affinity
B.Azure Load Balancer Standard with source IP affinity
C.Azure Traffic Manager with performance routing
D.Azure Front Door with session affinity
AnswerA

Application Gateway is a layer-7 load balancer that provides SSL offload, cookie-based session affinity, and can distribute traffic across VMs in different availability zones.

Why this answer

Azure Application Gateway v2 is the correct choice because it is a Layer 7 load balancer that can offload SSL termination, distribute HTTPS traffic, and support cookie-based session affinity (also known as sticky sessions). Cookie-based affinity ensures that all requests from the same user session are routed to the same backend VM by injecting an Application Gateway-managed cookie into the client's response. This meets all three requirements: HTTPS traffic distribution, SSL offloading, and session persistence.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4) with Application Gateway (Layer 7), assuming that 'session persistence' alone is enough, but they overlook the explicit requirement for SSL termination, which only a Layer 7 solution like Application Gateway can provide.

How to eliminate wrong answers

Option B is wrong because Azure Load Balancer Standard operates at Layer 4 (TCP/UDP) and cannot offload SSL termination; it also supports source IP affinity for session persistence, but that is not cookie-based and does not handle HTTPS termination. Option C is wrong because Azure Traffic Manager is a DNS-level traffic router that does not perform SSL termination or session persistence; it only directs traffic based on routing methods like performance, priority, or geographic, and does not inspect HTTP/HTTPS payloads. Option D is wrong because Azure Front Door does support session affinity and SSL offloading, but it is a global load balancer and CDN service designed for multi-region distribution, not for distributing traffic across VMs within a single Azure region (East US) across availability zones; it adds unnecessary latency and complexity for a regional-only deployment.

588
MCQhard

You are designing a governance strategy for multiple Azure subscriptions. You need to ensure that all resources in a specific subscription are deployed only in the West US region. Additionally, any new resource group must contain a tag named 'Environment' with a value of 'Production'. What combination of Azure Policy initiatives should you assign?

A.Assign the 'Allowed Locations' policy to the management group and the 'Require a tag on resource groups' policy to the subscription
B.Assign the 'Allowed Locations' policy and the 'Require a tag on resource groups' policy to the subscription
C.Assign the 'Allowed Locations' policy to the subscription and the 'Inherit a tag from the resource group' policy to the management group
D.Assign a single Azure Policy definition that includes both the allowed location and require tag effects
AnswerB

These two policies together enforce the location restriction and the required tag on resource groups.

Why this answer

You need two policy definitions: one to restrict allowed locations and one to require a tag on resource groups. Assigning both policies to the subscription meets the requirements. Option D (a single policy definition with both effects) is not possible.

Option C uses 'Inherit a tag from the resource group', which inherits a tag rather than enforcing one on resource groups. Option A (management group assignment for 'Allowed Locations') is not specific to the subscription.

589
MCQeasy

Your company has a hybrid infrastructure with on-premises servers and Azure virtual machines. You need to design a backup strategy that includes on-premises file servers and Azure VMs. The solution must support long-term retention for compliance (7 years) and provide immediate recovery for recent versions. What should you include in the design?

A.Use Azure Storage account snapshots for on-premises files and Azure VM snapshots for VMs.
B.Deploy Azure Backup with the Microsoft Azure Recovery Services (MARS) agent for on-premises and the Azure Backup extension for VMs.
C.Set up Azure File Sync to sync on-premises files to Azure Files, then back up the Azure file shares.
D.Use Azure Site Recovery for both on-premises servers and Azure VMs.
AnswerB

Azure Backup supports both on-premises (MARS agent) and Azure VMs (extension) with configurable retention policies up to 99 years, meeting the 7-year compliance requirement.

Why this answer

Option B is correct because Azure Backup provides a unified backup solution for both on-premises servers (via the MARS agent) and Azure VMs (via the Azure Backup extension), with support for long-term retention using a Backup vault or Recovery Services vault. Option D is wrong because Azure Site Recovery is for disaster recovery, not backup. Option C is wrong because Azure File Sync syncs files but does not provide backup capabilities.

Option A is wrong because Azure Storage snapshots are not a comprehensive backup solution with centralized management.

590
MCQhard

A company uses Azure Cosmos DB with a single write region. They need to ensure business continuity with an RPO of 5 seconds and RTO of 1 minute in case of a regional outage. What configuration should they use?

A.Enable multi-region writes with automatic failover
B.Enable automatic failover from a single write region to a read region
C.Deploy Cosmos DB in an availability zone-enabled region
D.Use manual failover to a secondary read region
AnswerA

Multi-region writes provide near-zero RPO and automatic failover with low RTO.

Why this answer

Option A is correct because Cosmos DB multi-region writes with automatic failover provide the lowest RPO and RTO. With multiple write regions, if one region fails, the other regions continue to accept writes with no data loss. Option B is wrong because single-region writes with automatic failover have a higher RPO (up to 15 minutes).

Option D is wrong because manual failover has a higher RTO. Option C is wrong because availability zones protect within a region, not across regions.

591
MCQhard

You are reviewing a JSON policy for Microsoft Entra Privileged Identity Management (PIM) that governs activation of a privileged role for an Azure App Service. You notice that the policy has the configuration shown in the exhibit. You need to ensure that only members of the 'group-app-admins@contoso.com' group can activate the role and that activations are limited to 8 hours with approval required. However, users report that they cannot activate the role even though they are members of the group. What is the most likely cause?

A.The group 'group-app-admins@contoso.com' has an expiration policy that has expired.
B.The PIM role has not been scoped to the 'myapp' App Service resource.
C.The group 'group-app-admins@contoso.com' is a mail-enabled security group, which is not supported for PIM.
D.The approval required setting is incorrectly configured and requires a global administrator as approver.
AnswerB

Without proper scoping, the policy may not apply to the resource.

Why this answer

Option B is correct because PIM role assignments must be scoped to the specific resource (e.g., the 'myapp' App Service) for the policy to apply. Without proper scoping, the policy may not apply to the resource. Option A is wrong because the policy does not specify an expiration for the group membership.

Option D is wrong because PIM does not require global administrator approval by default. Option C is wrong because there is no indication that the group is a mail-enabled security group.

592
Multi-Selecteasy

Which TWO Azure services provide native support for change data capture (CDC) to stream database changes to other systems?

Select 2 answers
A.Azure Table Storage
B.Azure Cosmos DB
C.Azure Cache for Redis
D.Azure SQL Database
E.Azure Synapse Link for Azure Cosmos DB
AnswersB, D

Cosmos DB change feed provides CDC.

Why this answer

Azure Cosmos DB provides native change feed support, which is a persistent, ordered log of changes (inserts, updates, deletes) that can be streamed to downstream systems via the Change Feed processor or Azure Functions. This makes it a correct answer for change data capture (CDC) scenarios.

Exam trap

The trap here is that candidates may confuse Azure Synapse Link for Azure Cosmos DB (an analytical store) with a native CDC service, when in fact it relies on the underlying change feed but is not itself a CDC streaming solution.

593
MCQmedium

A company is migrating a MongoDB-compatible application to Azure. The application requires low-latency reads and writes globally. It needs to support multi-region writes so that updates can be made from any region with automatic conflict resolution. The data is JSON documents that can vary in schema. The company wants a fully managed database service with native support for MongoDB APIs. Which Azure data service should they choose?

A.Azure SQL Database
B.Azure Cosmos DB with the API for MongoDB
C.Azure Database for MongoDB
D.Azure Cache for Redis
AnswerB

Cosmos DB's API for MongoDB provides full MongoDB wire protocol compatibility, global distribution with multi-region writes, configurable consistency levels, and automatic conflict resolution. It is designed for low-latency, globally distributed applications.

Why this answer

Azure Cosmos DB with the API for MongoDB is the correct choice because it provides a fully managed, globally distributed database service that natively supports the MongoDB wire protocol. It offers multi-region writes with automatic conflict resolution using last-writer-wins (LWW) or custom conflict resolution policies, ensuring low-latency reads and writes globally. Its schema-agnostic nature handles JSON documents with varying schemas, meeting all stated requirements.

Exam trap

The trap here is that candidates may confuse 'Azure Database for MongoDB' (which does not exist) with Azure Cosmos DB's API for MongoDB, or incorrectly assume that a relational database like Azure SQL Database can handle schema-flexible JSON documents with global multi-region writes.

How to eliminate wrong answers

Option A is wrong because Azure SQL Database is a relational database that does not support MongoDB APIs, JSON document storage with varying schemas, or multi-region writes with automatic conflict resolution. Option C is wrong because Azure Database for MongoDB does not exist as a native Azure service; the correct service is Azure Cosmos DB with the API for MongoDB, and this option represents a common misconception of a separate service. Option D is wrong because Azure Cache for Redis is an in-memory caching service, not a fully managed database for persistent JSON document storage, and it does not support MongoDB APIs or multi-region writes.

594
MCQhard

A company has multiple Azure virtual networks (VNets) in different regions and an on-premises data center. They need to implement a hub-and-spoke topology where the hub VNet hosts shared services like firewalls and DNS. All traffic between spokes, and between spokes and on-premises, must be routed through the hub for inspection. Additionally, spoke VNets must not be able to directly communicate with each other. Which Azure networking solution should they implement to meet these requirements with minimal administrative overhead?

A.VNet peering with user-defined routes (UDRs) and network virtual appliances (NVAs)
B.Azure Virtual WAN with routing policies
C.Azure VPN Gateway with route-based VPN
D.Azure ExpressRoute with private peering
AnswerB

Azure Virtual WAN provides a centralized hub that connects all spoke VNets and on-premises networks. Routing policies can force traffic through NVAs and block direct spoke-to-spoke routing, all managed with built-in features and minimal overhead.

Why this answer

Azure Virtual WAN with routing policies is the correct choice because it provides a managed hub-and-spoke topology that automatically routes all traffic between spokes and on-premises through the hub for inspection, without requiring manual user-defined routes (UDRs) or complex peering configurations. It enforces spoke isolation by default and integrates with network virtual appliances (NVAs) for traffic inspection, minimizing administrative overhead through centralized routing policies.

Exam trap

The trap here is that candidates often choose VNet peering with UDRs (Option A) because it seems familiar and technically capable, but they overlook the 'minimal administrative overhead' requirement, which Azure Virtual WAN explicitly addresses by automating routing and isolation.

How to eliminate wrong answers

Option A is wrong because VNet peering with UDRs and NVAs requires manual configuration of UDRs for each spoke and on-premises connection, and does not natively enforce spoke isolation without additional NSG rules or complex routing, leading to higher administrative overhead. Option C is wrong because Azure VPN Gateway with route-based VPN only provides site-to-site connectivity between on-premises and Azure, not a hub-and-spoke topology with spoke isolation and forced tunneling through a hub. Option D is wrong because Azure ExpressRoute with private peering provides dedicated private connectivity to on-premises but does not inherently create a hub-and-spoke topology or enforce traffic routing through a hub for inspection between spokes.

595
Multi-Selecthard

Which THREE components are required to monitor and audit Azure resource changes using Azure Monitor?

Select 3 answers
A.An Application Insights resource
B.A Log Analytics workspace
C.Diagnostic settings on resources to send logs to the workspace
D.Azure Activity Log export to the workspace
E.Azure Policy with audit effect
AnswersB, C, D

Log Analytics workspace stores log data for querying and alerting.

Why this answer

A Log Analytics workspace is required because it serves as the central repository where Azure Monitor collects and stores log data from various sources, including diagnostic settings and activity logs. Without a workspace, there is no destination for the logs to be ingested, queried, or analyzed, making it an essential component for monitoring and auditing resource changes.

Exam trap

The trap here is that candidates often confuse Azure Policy’s audit effect as a direct logging mechanism, when in fact it only evaluates compliance and requires diagnostic settings to send its data to a Log Analytics workspace for auditing.

596
MCQmedium

A financial services company runs a critical SQL Server database on Azure Virtual Machines. They require a disaster recovery solution with an RPO of less than 15 seconds and an RTO of less than 1 hour. Which technology should they implement?

A.Azure Site Recovery
B.SQL Server Always On Availability Groups
C.Azure Backup for SQL Server
D.Geo-redundant backups
AnswerB

Correct. Always On Availability Groups with synchronous replication can provide an RPO of zero and an RTO of seconds to minutes, satisfying the disaster recovery requirements.

Why this answer

SQL Server Always On Availability Groups provide synchronous data replication at the database level, enabling an RPO of less than 15 seconds by committing transactions on both primary and secondary replicas simultaneously. With automatic failover and a secondary replica in a different Azure region, the RTO can be under 1 hour, meeting the critical requirements for a SQL Server workload on Azure VMs.

Exam trap

The trap here is that candidates often confuse Azure Site Recovery's VM-level replication with database-level replication, assuming it can meet low RPO/RTO for SQL Server, but it cannot achieve sub-15-second RPO because it replicates at the hypervisor level with inherent lag.

How to eliminate wrong answers

Option A is wrong because Azure Site Recovery replicates entire VMs at the hypervisor level, not the database level, and its typical RPO is around 30 seconds to several minutes, failing to meet the sub-15-second requirement. Option C is wrong because Azure Backup for SQL Server is a backup solution, not a real-time replication or disaster recovery technology; it provides point-in-time restores with RPOs measured in minutes or hours, not seconds. Option D is wrong because geo-redundant backups (e.g., GRS) offer recovery points that are typically hours old (due to backup schedules and replication lag), and they require a full restore process, resulting in RTOs far exceeding 1 hour.

597
MCQhard

Refer to the exhibit. You run the KQL query in Azure Monitor Log Analytics. Which user accounts should you investigate first?

A.Users with the highest number of sign-in attempts.
B.Users who had sign-ins from anonymous IP addresses.
C.Users who have unfamiliar features in their sign-ins.
D.Users with more than 5 medium-risk sign-ins in the last day.
AnswerD

Exactly what the query returns.

Why this answer

Option D is correct because the KQL query filters for sign-ins where RiskLevelDuringSignIn equals 'medium' and then summarizes by UserPrincipalName, counting occurrences. Users with more than 5 medium-risk sign-ins in the last day indicate a pattern of suspicious activity that warrants immediate investigation, as medium-risk sign-ins often correspond to atypical travel, anonymous IPs, or unfamiliar properties, but the query specifically targets the count threshold as the trigger for escalation.

Exam trap

The trap here is that candidates may focus on the specific risk detection types (anonymous IPs, unfamiliar features) instead of recognizing that the query's explicit filter on RiskLevelDuringSignIn and the count threshold is the direct basis for the answer, not the underlying risk reasons.

How to eliminate wrong answers

Option A is wrong because the query does not count total sign-in attempts; it counts only medium-risk sign-ins, so a high number of total attempts is irrelevant to the query's output. Option B is wrong because while anonymous IP addresses can contribute to risk, the query does not filter by anonymous IPs; it filters by RiskLevelDuringSignIn equals 'medium', which may include anonymous IPs but is not limited to them. Option C is wrong because unfamiliar features are a specific risk detection type, but the query aggregates all medium-risk sign-ins regardless of the underlying risk reason, so unfamiliar features are not isolated or prioritized.
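The triage logic the explanation describes (window of one day, filter on RiskLevelDuringSignIn equal to 'medium', summarize a count per UserPrincipalName, keep accounts above the threshold), re-created here in Python over constructed sign-in records as an added example; this is not the question's exhibit, and the column names are assumed to mirror the SigninLogs fields the explanation mentions.

```python
"""Re-creation, as a plain Python aggregation, of the sign-in triage logic
the question's explanation describes: keep only sign-ins from the last day
whose RiskLevelDuringSignIn is 'medium', count them per UserPrincipalName,
and surface accounts with more than 5 such sign-ins.

Added example; the records below are constructed, not real tenant data, and
the column names are assumed to match the Microsoft Entra SigninLogs fields
named in the explanation (RiskLevelDuringSignIn, UserPrincipalName).
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Rough KQL equivalent of what the explanation describes (my own rendering;
# the question's actual exhibit is not reproduced on this page):
#   SigninLogs
#   | where TimeGenerated > ago(1d)
#   | where RiskLevelDuringSignIn == "medium"
#   | summarize SignIns = count() by UserPrincipalName
#   | where SignIns > 5

# Fixed "now" so the run is reproducible (constructed value).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def _signin(hours_ago, upn, risk, reason=None):
    """Build one constructed SigninLogs-style row."""
    return {
        "TimeGenerated": NOW - timedelta(hours=hours_ago),
        "UserPrincipalName": upn,
        "RiskLevelDuringSignIn": risk,
        "RiskEventTypes": [reason] if reason else [],
    }


# Constructed sample: alice has 6 medium-risk sign-ins inside the window;
# bob has many sign-ins but only 2 are medium risk; carol has 7 medium-risk
# sign-ins but 2 of them fall outside the one-day window; dave's are high risk
# and therefore not matched by a filter on "medium".
SAMPLE_SIGNINS = (
    [_signin(h, "alice@contoso.example", "medium", "anonymizedIPAddress") for h in (1, 2, 3, 5, 8, 13)]
    + [_signin(h, "bob@contoso.example", "none") for h in range(1, 11)]
    + [_signin(h, "bob@contoso.example", "medium", "unfamiliarFeatures") for h in (4, 6)]
    + [_signin(h, "carol@contoso.example", "medium", "anonymizedIPAddress") for h in (2, 4, 6, 9, 12, 30, 40)]
    + [_signin(h, "dave@contoso.example", "high", "leakedCredentials") for h in (1, 2, 3, 4, 5, 6)]
)


def medium_risk_signin_counts(signins, now=NOW, window=timedelta(days=1)):
    """Time-window filter, risk-level filter, then summarize count() by UPN."""
    cutoff = now - window
    counts = Counter(
        row["UserPrincipalName"]
        for row in signins
        if row["TimeGenerated"] > cutoff and row["RiskLevelDuringSignIn"] == "medium"
    )
    return dict(counts)


def accounts_to_investigate(signins, threshold=5, now=NOW, window=timedelta(days=1)):
    """Final step: accounts whose medium-risk sign-in count exceeds the threshold,
    highest count first. The filter is on the risk level, not on the individual
    detection reason (anonymous IP, unfamiliar features, ...), which is why
    those reasons are not what the query prioritizes."""
    counts = medium_risk_signin_counts(signins, now=now, window=window)
    return sorted(
        ((upn, n) for upn, n in counts.items() if n > threshold),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    for upn, n in accounts_to_investigate(SAMPLE_SIGNINS):
        print(f"{upn}: {n} medium-risk sign-ins in the last day")
```

With the constructed data only alice clears the "more than 5" bar; carol's seven sign-ins drop to five once the one-day window is applied, which is the kind of edge a threshold-based hunt silently excludes.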

598
MCQhard

Refer to the exhibit. You are reviewing an Azure Site Recovery replicated item for a VM. The replication health is Normal, and the last recovery point is at 10:30 AM. The primary region experiences a failure at 10:35 AM. You initiate a failover at 10:40 AM. What is the maximum potential data loss?

A.5 minutes of data
B.15 minutes of data
C.0 minutes of data
D.10 minutes of data
AnswerA

Data between 10:30 and 10:35 is lost.

Why this answer

Option A is correct because the last recovery point is at 10:30 AM, and the failure occurred at 10:35 AM. The data loss is up to 5 minutes of data (between 10:30 and 10:35). Option B is wrong because the RPO is defined by the policy, but the actual loss is based on the last recovery point.

Options C and D are incorrect.

599
MCQeasy

A company needs to protect an Azure App Service web app from regional outages. The web app uses Azure SQL Database. They need to ensure that users are automatically redirected to a secondary region if the primary region fails. What should you configure?

A.Configure Azure Backup for the web app and restore in a secondary region.
B.Deploy the web app in two regions and use Azure Traffic Manager with priority routing.
C.Deploy the web app in a single region with a Standard Load Balancer and backend pool.
D.Deploy the web app in two regions and use Azure Front Door with an origin group and health probes.
AnswerD

Azure Front Door monitors health and redirects traffic automatically.

Why this answer

Option D (Azure Front Door with an origin group and health probes) provides automatic failover. Option B (Traffic Manager) does not integrate with App Service health. Option A (App Service backup and restore) does not provide automatic failover.

Option C (Standard Load Balancer in a single region) is a regional service and cannot fail over to a secondary region.

600
MCQeasy

A company is deploying a containerized microservices application on Azure Kubernetes Service (AKS). The application requires persistent storage that can be attached to pods and supports dynamic provisioning. Which Azure storage solution should they use?

A.Azure Blob Storage
B.Azure Files
C.Azure NetApp Files
D.Azure Disks
AnswerD

Azure Disks support dynamic provisioning via StorageClass and are commonly used with AKS.

Why this answer

Azure Disks is the correct choice because it provides block-level storage volumes that can be dynamically provisioned via the AKS built-in StorageClass, supporting ReadWriteOnce access mode required for a single pod in a containerized microservices application. Azure Disks integrate directly with Kubernetes PersistentVolumeClaims (PVCs) for dynamic provisioning, offering low-latency, high-performance storage suitable for stateful workloads.

Exam trap

The trap here is that candidates often confuse Azure Files (shared file storage) with Azure Disks (block storage), assuming that 'persistent storage' always means file shares, but for single-pod dynamic provisioning in AKS, Azure Disks are the native and optimal choice.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage is object storage accessed via HTTP/HTTPS, not block storage, and does not support direct attachment to pods via Kubernetes PV/PVC without a CSI driver or sidecar, making it unsuitable for dynamic provisioning in AKS. Option B is wrong because Azure Files provides SMB/NFS file shares that support ReadWriteMany access, but for a single-pod persistent storage scenario, Azure Disks offer lower latency and are more cost-effective; Azure Files is typically used for shared access across multiple pods, not single-pod dynamic provisioning. Option C is wrong because Azure NetApp Files is a premium enterprise-grade file service with high cost and complexity, overkill for standard AKS persistent storage, and requires additional configuration for dynamic provisioning compared to the native Azure Disks integration.
