CCNA Infrastructure Solutions Questions

75 of 292 questions · Page 1/4 · Infrastructure Solutions topic · Answers revealed

1
MCQ · hard

You are designing a disaster recovery solution for a multi-tier application. The application consists of a web tier, an application tier, and a database tier running SQL Server on Azure VMs. The RPO must be 5 seconds, and the RTO must be 15 minutes. You need to recommend a SQL Server availability solution that meets these requirements. What should you use?

A. Azure SQL Database Managed Instance automatic backups
B. Azure Site Recovery with replication of SQL Server VMs
C. SQL Server log shipping
D. SQL Server Always On Availability Groups with synchronous commit and automatic failover
Answer: D

Synchronous commit ensures zero data loss (RPO=0), and automatic failover can achieve an RTO under 15 minutes.

Why this answer

Option D is correct because SQL Server Always On Availability Groups with synchronous commit can achieve an RPO of 5 seconds and an RTO of minutes with automatic failover. Option C is wrong because log shipping has a higher RPO (minutes to hours). Option A is wrong because Azure SQL Database Managed Instance automatic backups have an RPO of up to 5 minutes.

Option B is wrong because Azure Site Recovery replication for SQL Server can have an RPO of a few seconds, but the RTO may exceed 15 minutes due to recovery time.

2
MCQ · easy

You need to design a solution to store log data from multiple Azure services. The data must be retained for 7 years for compliance purposes and should be queryable for analysis. Which Azure service should you use as the primary storage for these logs?

A. Azure Data Lake Storage
B. Azure SQL Database
C. Azure Blob Storage
D. Azure Log Analytics workspace
Answer: D

Log Analytics provides long-term retention and powerful KQL querying.

Why this answer

Option D is correct because Azure Log Analytics workspaces (part of Azure Monitor) can ingest logs from multiple services, retain data for up to 7 years (with extended retention), and support KQL queries. Option C (Azure Blob Storage) can store logs but is not optimized for interactive querying. Option A (Azure Data Lake Storage) is for big data analytics, not primarily for logs.

Option B (Azure SQL Database) is not designed for high-volume log ingestion and may be costly.

3
MCQ · easy

A company plans to deploy a web application on Azure App Service that will be accessed by users worldwide. The application must have a single endpoint and use Azure Web Application Firewall (WAF) policies. Which Azure service should be placed in front of the App Service to meet these requirements?

A. Azure Application Gateway
C. Azure Front Door
D. Azure Traffic Manager
Answer: C

Azure Front Door is a global application delivery network with integrated WAF and single endpoint.

Why this answer

Option C (Azure Front Door) provides global load balancing, SSL offload, and WAF integration, making it the best choice. Option A (Azure Application Gateway) is a regional service, not global. Option D (Azure Traffic Manager) provides DNS-based load balancing but no WAF.

Azure Load Balancer is Layer 4 and does not support WAF.

4
MCQ · medium

Your company, Contoso Ltd., is migrating its on-premises e-commerce application to Azure. The application consists of a web frontend, an API layer, and a SQL Server database. The migration must meet the following requirements:

- The web frontend must automatically scale out based on CPU utilization.
- The API layer must be stateless and scale out based on request count.
- The database must be a managed service with high availability and disaster recovery across Azure regions.
- All components must be secured using Azure Firewall and Web Application Firewall (WAF).
- The solution must minimize operational overhead.

You propose the following architecture:

- Azure App Service for the web frontend with autoscaling rules based on CPU.
- Azure Functions for the API layer (stateless, scaling based on request count).
- Azure SQL Database with active geo-replication for the database.
- Azure Front Door with WAF policies for global load balancing and security.
- Azure Firewall to control outbound traffic.

Which component of this design should be reconsidered to better meet the requirement to minimize operational overhead?

A. Replace Azure App Service with Azure Virtual Machine Scale Sets
B. Replace Azure Front Door with Azure Traffic Manager
C. Replace Azure Functions with Azure Kubernetes Service (AKS)
D. Replace Azure SQL Database with Azure SQL Managed Instance
Answer: C

AKS provides a container orchestration platform for stateless APIs with better control and scaling, and is more aligned with minimizing operational overhead for a microservices architecture than Functions, which is better suited to event-driven workloads.

Why this answer

Azure Functions is not ideal for a stateful API layer; Azure App Service (Web Apps) or Azure Kubernetes Service (AKS) would be better. However, the question says the API layer is stateless, so Azure Functions could work. But for a typical API layer, Azure App Service is more appropriate and easier to manage.

The correct answer is to replace Azure Functions with Azure App Service API apps or AKS. The distractors include other services that are not optimal.

5
MCQ · hard

A healthcare organization is migrating a regulatory-compliant application to Azure. The application must be isolated from the internet and accessible only from on-premises networks via a private IP address. The solution must minimize latency and maximize throughput for large data transfers. Which Azure networking solution should the organization implement?

A. Azure Private Link
B. Azure VPN Gateway
C. Azure Virtual WAN
D. Azure ExpressRoute
Answer: D

ExpressRoute offers dedicated private connections with low latency and high throughput, ideal for large data transfers.

Why this answer

Option B (Azure VPN Gateway) uses IPsec tunnels over the internet, which may not provide the lowest latency and highest throughput. Option D (Azure ExpressRoute) provides dedicated private connections with higher bandwidth, lower latency, and more reliability than VPN. Option A (Azure Private Link) provides private connectivity to PaaS services but does not connect on-premises networks to VNets.

Option C (Azure Virtual WAN) is a hub-and-spoke architecture that can incorporate ExpressRoute, but the question asks for the best solution to connect on-premises to Azure privately. ExpressRoute is the optimal choice for low latency and high throughput.

6
MCQ · easy

A company needs to provide secure remote administration access to Azure virtual machines for their IT team. The VMs are in a virtual network with no public IP addresses. The IT team uses browsers to connect. The solution should not require any custom software on the client machines. Which Azure service should they use?

A. Azure Bastion
B. Just-in-Time VM access
C. Azure VPN Gateway
D. Microsoft Entra ID Domain Services
Answer: A

Correct. Azure Bastion provides browser-based RDP/SSH connectivity without public IPs or client software.

Why this answer

Azure Bastion provides secure, seamless RDP/SSH connectivity to Azure virtual machines directly in the Azure portal over TLS. Because the VMs have no public IP addresses, Bastion acts as a jump server that is deployed inside the virtual network, eliminating the need for any public exposure. Since the IT team uses browsers and cannot install custom software, Bastion's native browser-based HTML5 client meets the requirement perfectly.

Exam trap

The trap here is that candidates often confuse Just-in-Time VM access (which still requires a public IP and a client) with Bastion's fully browser-based, no-public-IP solution, or they mistakenly think a VPN gateway provides browser-based RDP/SSH without client software.

How to eliminate wrong answers

Option B (Just-in-Time VM access) is wrong because it only reduces the attack surface by temporarily opening ports on existing public IPs or NSGs; it does not eliminate the need for public IPs and still requires a client-side RDP/SSH client, not a browser. Option C (Azure VPN Gateway) is wrong because it requires installing a VPN client on each IT team member's machine and does not provide browser-based access; it also requires a public endpoint for the VPN gateway itself. Option D (Microsoft Entra ID Domain Services) is wrong because it provides managed domain services (LDAP, Kerberos, NTLM) for authentication and group policy, not remote desktop or SSH connectivity to VMs.

7
MCQ · medium

A healthcare organization is migrating its on-premises applications to Azure. The applications use custom authentication and authorization logic and require low latency between application tiers. The organization needs to ensure that the applications can scale out dynamically based on user demand, and that costs are minimized by only paying for resources when they are used. The applications are expected to have variable traffic patterns, with peak usage during business hours and low usage at night. You need to design a compute solution that meets these requirements. What should you recommend?

A. Migrate the applications to Azure Virtual Machine Scale Sets with autoscaling.
B. Migrate the applications to Azure App Service with autoscaling enabled.
C. Migrate the applications to Azure Functions with a consumption plan.
D. Migrate the applications to Azure Kubernetes Service (AKS) with cluster autoscaler.
Answer: B

App Service supports custom auth, autoscaling, and consumption-based billing.

Why this answer

Option B is correct because Azure App Service with autoscaling allows dynamic scaling, supports custom authentication, and you only pay for the resources used. Option C is wrong because Azure Functions is event-driven and not ideal for stateful custom authentication. Option D is wrong because Azure Kubernetes Service (AKS) adds complexity and cost for this use case.

Option A is wrong because Azure Virtual Machine Scale Sets require more management of VMs and are less cost-effective for variable traffic.

8
MCQ · easy

Your company has a hybrid identity environment with Microsoft Entra ID and an on-premises Active Directory. You need to enable single sign-on (SSO) for users accessing Microsoft 365 applications from domain-joined devices. Which authentication method should you configure?

A. Microsoft Entra Pass-through Authentication
B. Microsoft Entra password hash synchronization
C. Microsoft Entra Seamless SSO
D. Active Directory Federation Services (AD FS)
Answer: C

Seamless SSO provides automatic sign-in for domain-joined devices.

Why this answer

Option C is correct. Seamless SSO automatically signs users in when they are on domain-joined devices connected to the corporate network. Option A is wrong because Pass-through Authentication validates passwords on-premises but does not provide SSO.

Option B is wrong because password hash synchronization does not provide SSO by itself. Option D is wrong because federation with AD FS can provide SSO but is more complex than Seamless SSO for this scenario.

9
MCQ · medium

A company is designing a disaster recovery solution for Azure VMs running a critical application. They need a Recovery Time Objective (RTO) of less than 1 hour and a Recovery Point Objective (RPO) of 15 minutes. The solution should be cost-effective and allow testing without affecting production. Which Azure service should they use?

A. Azure Migrate
B. Azure Backup
C. Azure Front Door
D. Azure Site Recovery
Answer: D

Azure Site Recovery meets the RTO and RPO requirements and supports testing.

Why this answer

Azure Site Recovery provides replication with an RPO as low as 15 minutes and enables failover with an RTO typically under 1 hour. It also supports non-disruptive disaster recovery drills. Option B is wrong because Azure Backup has a higher RPO and RTO.

Option A is wrong because Azure Migrate is for migration, not DR. Option C is wrong because Azure Front Door is for global load balancing.

10
MCQ · easy

A company deploys a web application on Azure VMs in a single region. They need to distribute incoming HTTPS traffic across multiple VMs, offload SSL termination, and provide session persistence. Which Azure load balancing solution should they choose?

A. Azure Load Balancer (Standard SKU)
B. Azure Application Gateway
C. Azure Traffic Manager
D. Azure Front Door
Answer: B

Provides Layer 7 load balancing, SSL offload, session persistence, and health probes.

Why this answer

Azure Application Gateway is the correct choice because it is a Layer 7 load balancer that supports SSL termination, session persistence (via cookie-based affinity), and HTTP/HTTPS traffic distribution. Unlike Azure Load Balancer (Layer 4), it can inspect application-layer headers and offload SSL decryption, meeting all three requirements.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4) with Application Gateway (Layer 7), assuming all load balancers handle SSL termination, but only Layer 7 solutions like Application Gateway or Front Door can offload HTTPS traffic and provide cookie-based session persistence.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer operates at Layer 4 (TCP/UDP) and cannot perform SSL termination or application-layer session persistence; it only distributes traffic based on IP and port. Option C is wrong because Azure Traffic Manager is a DNS-based global traffic router that does not handle SSL termination or session persistence; it directs clients to endpoints based on DNS resolution, not proxying traffic. Option D is wrong because Azure Front Door is a global Layer 7 service with SSL termination and session affinity, but it is designed for multi-region distribution and CDN scenarios, not for a single-region VM deployment where Application Gateway is the more appropriate and cost-effective choice.

11
MCQ · hard

Your company is deploying a critical application on Azure VMs. The application requires a static private IP address that does not change even if the VM is stopped and deallocated. The VM must be placed in an availability zone for high availability. Which networking approach should you use?

A. Use Azure Firewall to provide a static private IP and load balancing.
B. Assign a static private IP address to the VM's NIC and use a standard public load balancer.
C. Use Azure Traffic Manager to assign a static private IP.
D. Use Application Gateway with a static private IP.
Answer: B

A static private IP persists even when the VM is deallocated, and the load balancer provides high availability.

Why this answer

Option B is correct because a standard public load balancer can be used in front of the VMs, and a static private IP can be assigned via NIC-level static IP allocation. Option A is incorrect because Azure Firewall is not a load balancer. Option C is incorrect because Traffic Manager is a DNS-based load balancer for global traffic.

Option D is incorrect because Application Gateway is a Layer 7 load balancer, but it does not provide a static private IP for the VM itself.

12
MCQ · medium

A company is designing a solution for storing sensitive documents in Azure Blob Storage. They require that all data be encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. Additionally, they want to prevent any accidental deletion of the key vault and its keys. Which combination of actions should they take?

A. Assign the Key Vault Contributor role to only the security team
B. Configure firewall rules to restrict network access
C. Enable soft-delete and purge protection on the key vault
D. Enable diagnostic settings and send logs to a Log Analytics workspace
Answer: C

Soft-delete and purge protection prevent deletion.

Why this answer

Option C is correct because enabling soft-delete and purge protection on the key vault prevents accidental deletion. Option A is incorrect because RBAC alone does not prevent deletion. Option B is incorrect because firewall rules do not prevent deletion.

Option D is incorrect because logging does not prevent deletion.

13
Multi-Select · medium

Which TWO of the following are valid design considerations for implementing Azure SQL Database geo-replication? (Choose two.)

Select 2 answers
A. Geo-replication ensures zero data loss during failover
B. Geo-replication supports up to four readable secondary replicas
C. Geo-replication provides automatic failover without manual intervention
D. Geo-replication requires a listener for client connections
E. Geo-replication can be used to offload read-only workloads
Answers: B, E

You can have up to four readable secondaries in different regions.

Why this answer

Geo-replication creates readable secondaries in a paired region for disaster recovery. Option A (zero data loss during failover) is incorrect because geo-replication is asynchronous, so there may be data loss. Option B (supports up to four readable secondaries) is correct.

Option E (can be used for read-only query offloading) is correct. Option C is incorrect because failover is manual unless you use auto-failover groups. Option D is incorrect because geo-replication does not require a listener; connection strings point to the server name.

14
MCQ · medium

You are designing an identity solution for a multinational corporation that uses Microsoft Entra ID. The company has a complex organizational structure with multiple subsidiaries. You need to ensure that users from one subsidiary cannot access resources in another subsidiary unless explicitly granted. The solution must minimize administrative overhead. What should you use?

A. Administrative units
B. Conditional Access policies
C. Microsoft Entra B2B collaboration
D. Custom directory roles
Answer: A

Administrative units allow you to delegate administration and resource access per subsidiary.

Why this answer

Option A is correct. Administrative units in Microsoft Entra ID allow you to delegate administration and restrict access to a subset of users and resources. Option B is wrong because Conditional Access policies control access based on conditions but do not provide administrative boundaries.

Option D is wrong because custom roles can be created, but administrative units are designed for scoping. Option C is wrong because B2B collaboration is for external users, not internal subsidiaries.

15
Multi-Select · hard

You are designing a disaster recovery (DR) solution for a critical application hosted on Azure VMs. The solution must meet the following requirements:

- Recovery Point Objective (RPO) of 15 minutes.
- Recovery Time Objective (RTO) of 1 hour.
- Automatically fail over to a secondary region in the event of a regional outage.
- Support for non-disruptive DR testing.

Which THREE components should you include in the solution? (Choose three.)

Select 3 answers
A. Azure Backup
B. Azure Site Recovery test failover capability
C. Azure Site Recovery
D. Azure Traffic Manager
E. Azure Front Door
Answers: B, C, D

Test failover enables non-disruptive DR testing.

Why this answer

Options B, C, and D are correct. Azure Site Recovery provides replication and orchestration of failover to a secondary region, meeting the RPO of 15 minutes and RTO of 1 hour. Azure Traffic Manager can be used to route traffic to the secondary region after failover.

Azure Site Recovery supports non-disruptive DR testing with test failover. Option A is wrong because Azure Backup is for backup, not DR with automatic failover. Option E is wrong because Azure Front Door is a global load balancer but does not provide DR orchestration; Traffic Manager is sufficient.

16
Multi-Select · hard

Which THREE considerations are important when designing a highly available Azure SQL Database solution?

Select 3 answers
A. Auto-failover groups
B. Transparent Data Encryption
C. Active geo-replication
D. Zone redundancy
E. Read scale-out
Answers: A, C, D

Enables automatic failover across regions.

Why this answer

Active geo-replication provides read-scale and failover to a secondary region. Zone redundancy provides resilience within a region. Auto-failover groups enable automatic failover.

Read scale-out is not related to HA. Transparent Data Encryption is for security, not HA.

17
MCQ · medium

Your company is migrating a legacy application to Azure. The application uses a proprietary database that requires file-level access to data files. You need to minimize changes to the application. Which Azure storage solution should you recommend?

A. Azure Files
B. Azure Disk Storage
C. Azure Blob Storage
D. Azure NetApp Files
Answer: A

Provides SMB file shares with file-level access, minimizing changes.

Why this answer

Option C is incorrect because Azure Blob Storage does not provide file-level access. Option A is correct because Azure Files provides SMB file shares that can be mounted with file-level access. Option D is incorrect because Azure NetApp Files provides high-performance file shares but is overkill and more expensive.

Option B is incorrect because Azure Disk Storage provides block-level access, not file-level access.

18
Multi-Select · medium

You are designing a solution to monitor and analyze security events across your Azure environment. Which TWO Azure services should you include in your design to provide centralized logging and threat detection? (Choose two.)

Select 2 answers
A. Azure Firewall
B. Azure Log Analytics
C. Microsoft Sentinel
D. Azure Policy
E. Azure Network Watcher
Answers: B, C

Log Analytics collects and analyzes log data from various sources.

Why this answer

Options B and C are correct. Azure Log Analytics (now part of Azure Monitor) provides centralized logging and analysis. Microsoft Sentinel provides SIEM and threat detection.

Option D is wrong because Azure Policy is for compliance. Option A is wrong because Azure Firewall is a network security service. Option E is wrong because Azure Network Watcher is for network monitoring.

19
Multi-Select · hard

A global e-commerce company is designing a highly available application on Azure. The application uses Azure SQL Database and requires that in the event of a regional outage, failover to a secondary region occurs automatically without manual intervention. The solution must minimize data loss. Which THREE components should be included? (Choose three.)

Select 3 answers
A. Azure App Service with deployment slots in the secondary region
B. Azure Traffic Manager with priority routing
C. Azure Front Door with health probes
D. Azure SQL Database active geo-replication
E. Azure DNS with alias records
Answers: A, B, D

Hosts application standby instance.

Why this answer

Options A, B, and D are correct. Azure SQL Database active geo-replication provides continuous replication. Azure Traffic Manager with priority routing ensures automatic traffic redirection.

Azure App Service with deployment slots in the secondary region allows fast application failover. Option C is wrong because Azure Front Door is for global load balancing, not SQL failover. Option E is wrong because Azure DNS does not provide failover routing.

20
Multi-Select · medium

Which TWO of the following are valid considerations when designing a SQL Server Always On availability group in Azure VMs? (Choose two.)

Select 2 answers
A. The availability group listener should use a static IP address in the same subnet as the primary replica.
B. The availability group listener can use DHCP to automatically assign an IP address.
C. The number of replicas should be an odd number to avoid split-brain scenarios.
D. A file share witness is required for the quorum configuration.
E. All replicas must be in the same subnet to use a single internal load balancer.
Answers: A, C

The listener IP should be in the same subnet as the primary replica for proper routing.

Why this answer

The correct answers are A and C. Option E is wrong because availability group replicas should be in different subnets for proper routing. Option D is wrong because a cloud witness is recommended for quorum, not a file share witness.

Option B is wrong because the listener requires a dedicated IP address.

21
MCQ · medium

You are designing an authentication solution for a mobile application that uses Azure AD B2C (now Microsoft Entra External ID). The application needs to support social logins (Google, Facebook) and also allow users to sign in with their corporate Microsoft Entra ID accounts. Which of the following identity providers should you configure?

A. Use Microsoft Entra ID as the only identity provider and configure federation with Google and Facebook.
B. Use Microsoft Entra External ID with Google and Facebook only, and advise corporate users to create local accounts.
C. Configure Google and Facebook as social identity providers, and add Microsoft Entra ID as a custom identity provider.
D. Configure only Google and Facebook as identity providers, and use Microsoft account for corporate users.
Answer: C

Microsoft Entra External ID allows multiple identity providers, including social and enterprise Microsoft Entra ID tenants.

Why this answer

Option C is correct because Microsoft Entra External ID (formerly Azure AD B2C) supports both social identity providers and Microsoft Entra ID as a custom identity provider. Option A is wrong because Microsoft Entra ID alone does not support social logins. Option D is wrong because Microsoft account is not for corporate accounts.

Option B is wrong because it does not include corporate identity.

22
MCQ · hard

A multinational corporation is designing a disaster recovery strategy for a critical application running on Azure VMs. The application must have a Recovery Point Objective (RPO) of 15 minutes and a Recovery Time Objective (RTO) of 1 hour. The primary region is East US, and the secondary region is West US. The solution must minimize costs while meeting the requirements. What should you recommend?

A. Deploy an active-passive configuration with Azure Front Door and Traffic Manager
B. Implement Azure Site Recovery for the VMs
C. Configure the VMs in an availability zone across East US and West US
D. Use Azure Backup with cross-region restore for the VMs
Answer: B

Azure Site Recovery provides continuous replication with RPO as low as 15 seconds and RTO of minutes, meeting the requirements cost-effectively.

Why this answer

Azure Site Recovery provides orchestrated replication with RPO as low as 15 minutes and RTO of minutes. It is the most cost-effective option for VM-level DR.

23
MCQ · hard

You are a solutions architect for a financial services company. The company is deploying a new critical application on Azure that processes sensitive customer transactions. The application consists of an ASP.NET Core web app (Azure App Service), a REST API (Azure Kubernetes Service), and an Azure SQL Database. The requirements are:

- All data at rest must be encrypted using customer-managed keys (CMK) stored in a managed HSM.
- All network traffic between components must be encrypted and traverse the Microsoft backbone network.
- The web app must be protected against common web attacks (SQL injection, XSS).
- The solution must automatically scale the API based on CPU utilization.
- All API calls must be authenticated using OAuth 2.0 with Microsoft Entra ID.
- Logs from all components must be sent to a central Log Analytics workspace for analysis.
- The solution must have a recovery time objective (RTO) of 1 hour and a recovery point objective (RPO) of 5 minutes for the database.

Which combination of Azure services should you recommend to meet ALL requirements?

A. Azure Front Door with WAF, Azure SQL Database point-in-time restore, Azure Key Vault Managed HSM, Azure App Service with private endpoint, AKS with HPA, Azure Log Analytics agent, Microsoft Entra ID
B. Azure Front Door with WAF, Azure SQL Database geo-replication, Azure Key Vault (Standard), Azure App Service with private endpoint, AKS with HPA, Azure Diagnostics extension, Microsoft Entra ID
C. Azure Application Gateway with WAF, Azure SQL Database active geo-replication, Azure Key Vault Managed HSM, Azure App Service with VNet integration, AKS with cluster autoscaler, Azure Monitor Agent, Microsoft Entra ID
D. Azure Application Gateway with WAF, Azure SQL Database failover groups, Azure Key Vault Managed HSM, Azure App Service with service endpoint, AKS with HPA, Azure Monitor Agent, Microsoft Entra ID
Answer: C

Meets all requirements.

Why this answer

Option C is correct because it includes all required services: Azure Application Gateway with WAF for web protection, Azure SQL Database active geo-replication for DR with RPO=5s, Azure Key Vault Managed HSM for CMK, Azure App Service with VNet integration for private connectivity, Azure Kubernetes Service with cluster autoscaler for API scaling, Azure Monitor Agent for log collection, and Microsoft Entra ID for authentication. Option A is wrong because Azure Front Door does not provide WAF at the application layer for SQL injection. Option B is wrong because Azure Firewall is not a WAF.

Option D is wrong because Azure SQL Database point-in-time restore cannot meet RPO of 5 minutes.

24
MCQ · hard

A company runs a high-performance computing (HPC) workload on Azure that requires extremely low latency (under 10 microseconds) between multiple VMs for MPI communication. The VMs are part of a single job and must be placed together to minimize network latency. Which VM deployment option should they use?

A. Azure Virtual Machine Scale Sets with a Proximity Placement Group
B. Azure Availability Sets
C. Azure Virtual Machine Scale Sets across Availability Zones
D. Azure Kubernetes Service (AKS)
Answer: A

Proximity Placement Groups (PPG) co-locate VMs in the same datacenter region, providing ultra-low latency required for MPI workloads. VMSS allows scaling out while staying in the PPG.

Why this answer

A Proximity Placement Group (PPG) within a Virtual Machine Scale Set ensures that all VMs are physically located as close as possible within an Azure datacenter, reducing network latency to under 10 microseconds for MPI communication. This is the only option that guarantees co-location of VMs for a single HPC job, as PPGs minimize inter-VM latency by placing VMs in the same rack or cluster.

Exam trap

The trap here is that candidates often confuse Availability Sets (which provide high availability) with Proximity Placement Groups (which provide low latency), or assume that Availability Zones offer sufficient performance for HPC, ignoring the significant latency penalty of inter-zone communication.

How to eliminate wrong answers

Option B is wrong because Availability Sets only protect against failures by distributing VMs across fault and update domains, but they do not guarantee low latency or co-location; in fact, they may spread VMs across different racks, increasing latency. Option C is wrong because Virtual Machine Scale Sets across Availability Zones place VMs in physically separate datacenters within a region, which introduces network latency far exceeding the 10-microsecond requirement due to inter-zone communication. Option D is wrong because Azure Kubernetes Service (AKS) abstracts VM placement and does not provide native mechanisms to enforce co-location of pods for low-latency MPI communication; it relies on underlying node placement, which is not guaranteed to be within a single rack.

25
MCQ · hard

You are designing a backup strategy for Azure virtual machines. The solution must support application-consistent backups for SQL Server databases running on the VMs. You need to ensure that backups are taken every 4 hours and retained for 30 days. What should you configure in Azure Backup?

A. Configure Azure SQL Backup for the SQL Server databases.
B. Configure a VM backup policy with 4-hour frequency and 30-day retention using the default backup extension.
C. Configure an Azure Site Recovery replication policy with 4-hour frequency.
D. Configure Azure Backup for SAP HANA on the VM.
Answer: B

VM backup policy supports application-consistent backups and custom schedules.

Why this answer

Option B is correct because an Azure Backup VM policy (the Enhanced policy) supports multiple backups per day, so a 4-hour frequency with 30-day retention is configurable, and the VMSnapshot extension takes application-consistent snapshots by invoking VSS on Windows (SQL Server's VSS writer participates) or pre/post scripts on Linux. Option C (Azure Site Recovery) is a replication service for disaster recovery, not backup.

Option A (Azure SQL Backup) applies to the Azure SQL Database PaaS service, not to SQL Server running on a VM. Option D (Azure Backup for SAP HANA) is specific to SAP HANA databases.

26
MCQeasy

You are designing a disaster recovery strategy for an Azure virtual machine running a critical application. The VM is in the East US region. Your recovery point objective (RPO) is 15 minutes, and your recovery time objective (RTO) is 1 hour. Which Azure service should you use to replicate the VM to the West US region?

A.Azure Site Recovery
B.Azure Traffic Manager
C.Azure Backup
D.Azure Migrate
AnswerA

ASR replicates VMs to another region with low RPO and RTO.

Why this answer

Option A is correct because Azure Site Recovery continuously replicates Azure VMs to a secondary region with an RPO as low as 30 seconds and an RTO of minutes to an hour, well within the 15-minute and 1-hour targets. Option C is wrong because Azure Backup takes periodic recovery points for restore, not continuous replication for regional failover. Option D is wrong because Azure Migrate assesses and migrates workloads.

Option B is wrong because Azure Traffic Manager is DNS-based traffic routing; it can steer clients after a failover but does not replicate anything.

27
Multi-Selecteasy

Your company is designing a new application that will run on Azure VMs. The application must be highly available across two Azure regions. You need to ensure that the application can automatically fail over if a regional outage occurs. Which THREE components should you include in the architecture? (Choose three.)

Select 3 answers
A.Azure Application Gateway
B.Azure Traffic Manager
C.Availability Sets
D.Availability Zones
E.Azure Load Balancer
AnswersB, C, E

Traffic Manager provides global load balancing across regions.

Why this answer

Options B, C, and E are correct. Azure Traffic Manager (B) is DNS-based global routing: its endpoint health probes detect a regional outage and steer clients to the surviving region, which is the cross-region failover the scenario asks for. Azure Load Balancer (E) distributes traffic among the VMs within each region.

Availability Sets (C) keep the VMs in each region spread across fault and update domains. Option D is wrong because Availability Zones are a within-region construct; they do not survive a regional outage. Option A is wrong because Application Gateway is a regional Layer 7 load balancer and is not needed when Traffic Manager and Load Balancer are in place.

28
MCQeasy

You need to design a networking solution for a multi-tier application that includes a web front-end, an API layer, and a database. The web and API tiers must be accessible from the internet, while the database tier must be isolated. What is the most secure and efficient design?

A.Place all VMs in the same subnet and use a single Azure Load Balancer to distribute traffic.
B.Use separate VNets for each tier and connect them with VNet peering.
C.Deploy all VMs in a single subnet and use Azure Firewall to inspect all inbound and outbound traffic.
D.Deploy all tiers in the same VNet with separate subnets, and use NSGs to restrict traffic. Place an Azure Application Gateway with WAF in front of the web tier.
AnswerD

Secure and efficient: subnets isolate tiers, NSGs control traffic, Application Gateway provides internet-facing entry and WAF protection.

Why this answer

Option D is correct because one VNet with a subnet per tier, NSGs that allow only the required flows (internet to the web subnet through the gateway, web to API, API to the database port, and nothing else inbound to the database subnet), and an Application Gateway with WAF as the single internet-facing entry point gives tier isolation with the fewest moving parts. Option A is wrong because a single subnet with one load balancer puts the database on the same network segment as internet-facing VMs, with nothing stopping lateral movement.

Option B is wrong because a VNet per tier plus peering adds cost and routing complexity for no isolation that subnets and NSGs do not already provide. Option C is wrong because a single flat subnet gives Azure Firewall nothing to segment: it inspects traffic entering and leaving the VNet, and by default east-west traffic inside one subnet never passes through it.
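How the NSG part of this design behaves, as an added example that is not part of the question bank or of any Azure tooling: a small model of NSG inbound rule processing (ascending priority, first match wins, Azure's default rules at 65000 and above) run against a database-tier rule set. The address plan, subnet names and rule names are constructed, and the VirtualNetwork and Internet service tags are simplified to "inside our VNet prefix" and "outside it".

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

VNET = ipaddress.ip_network("10.0.0.0/16")       # constructed address plan
API_SUBNET = ipaddress.ip_network("10.0.2.0/24")  # API tier
# web tier is 10.0.1.0/24 and the database tier 10.0.3.0/24 in this plan


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int             # lower number is evaluated first
    access: str               # "Allow" or "Deny"
    source: str               # CIDR, or "VirtualNetwork" / "Internet" / "*"
    dest_port: Optional[int]  # None matches any destination port


def _source_matches(ip: ipaddress.IPv4Address, spec: str) -> bool:
    # Service tags are simplified for the example: "VirtualNetwork" is our
    # VNet prefix and "Internet" is anything outside it.
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in VNET
    if spec == "Internet":
        return ip not in VNET
    return ip in ipaddress.ip_network(spec)


def evaluate(rules: List[Rule], src_ip: str, dest_port: int) -> Tuple[str, str]:
    """Return (access, rule name) of the first rule, by ascending priority,
    whose source and destination port match. NSG evaluation stops there."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if not _source_matches(ip, rule.source):
            continue
        if rule.dest_port is not None and rule.dest_port != dest_port:
            continue
        return rule.access, rule.name
    return "Deny", "implicit"  # not reached while the default rules are present


# Inbound default rules Azure attaches to every NSG (priorities 65000-65500).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", None),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "168.63.129.16/32", None),
    Rule("DenyAllInBound", 65500, "Deny", "*", None),
]

# Database-tier NSG: only the API subnet may reach 1433. The explicit deny at
# 4000 shadows AllowVnetInBound so the web tier cannot talk to the database.
DB_NSG = [
    Rule("AllowApiToSql", 100, "Allow", str(API_SUBNET), 1433),
    Rule("DenyVnetToDb", 4000, "Deny", "VirtualNetwork", None),
] + DEFAULT_RULES

# The common mistake: relying on the default rules alone. AllowVnetInBound then
# lets every subnet in the VNet, including the internet-facing web tier, reach
# the database.
DB_NSG_DEFAULT_ONLY = list(DEFAULT_RULES)

if __name__ == "__main__":
    for src, port in (("10.0.2.10", 1433), ("10.0.1.10", 1433), ("203.0.113.5", 1433)):
        print(src, port, "hardened:", evaluate(DB_NSG, src, port),
              "defaults only:", evaluate(DB_NSG_DEFAULT_ONLY, src, port))
```

The point the explanation makes in words shows up in the last case: with only the default rules, a request from the web subnet to port 1433 is allowed by AllowVnetInBound, so "separate subnets" alone do not isolate the database; the NSG must carry an explicit deny below priority 65000.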

29
MCQmedium

A company is designing a multi-region disaster recovery solution for Azure VMs. They need to ensure that if the primary region fails, VMs can be failed over to a secondary region with minimal data loss. The application writes data to Azure SQL Database and Azure Files. Which Azure service should they use to meet the recovery point objective (RPO) of 5 seconds for the SQL Database?

A.Azure Site Recovery for SQL Server
B.Active geo-replication for SQL Database
C.Failover groups with auto-failover
D.Geo-restore of SQL Database backups
AnswerB

Active geo-replication provides an RPO of 5 seconds.

Why this answer

Option B is correct because active geo-replication continuously replicates committed transactions to a readable secondary in another region with an RPO of 5 seconds. Option C is not the best answer because a failover group is a management layer on top of the same geo-replication: the replication that delivers the 5-second RPO is active geo-replication itself, and the "1 hour" figure associated with failover groups is the default grace period before automatic failover is allowed to proceed with data loss, not the RPO. Option D is wrong because geo-restore recovers from geo-redundant backups and has an RPO of up to an hour.

Option A is wrong because Azure Site Recovery replicates VMs, not an Azure SQL Database (a PaaS service), and cannot meet the database RPO.

30
MCQeasy

You need to design a storage solution for unstructured data that requires low latency (single-digit milliseconds) for frequently accessed files and must support NFS and SMB protocols. Which Azure storage solution should you recommend?

A.Azure Files
B.Azure Blob Storage
C.Azure Disk Storage
D.Azure NetApp Files
AnswerD

Azure NetApp Files offers high-performance file shares with both NFS and SMB, low latency.

Why this answer

Azure NetApp Files provides enterprise file storage with sub-millisecond latency and native NFS (v3 and v4.1) and SMB support as a fully managed service. Option A (Azure Files) supports SMB on all tiers but NFS 4.1 only on premium shares, and its latency is higher than NetApp Files. Option B (Azure Blob Storage) is object storage, not a file share.

Option C (Azure Disk Storage) is block storage attached to VMs, not a shared file system.

31
Multi-Selectmedium

You are designing a highly available architecture for a stateful application running on Azure Virtual Machines. The application requires a shared storage solution that supports concurrent read/write access from multiple VMs, and must be resilient to zone failures. Which TWO Azure solutions meet these requirements? (Choose TWO.)

Select 2 answers
A.Azure Disk Storage with shared disks enabled
B.Azure NetApp Files with cross-zone replication
C.Azure Files (Premium tier) with zone-redundant storage (ZRS)
D.Azure Managed Disks with Standard SSD
E.Azure Blob Storage with hot access tier and geo-redundant storage (GRS)
AnswersB, C

Supports concurrent access and zone resilience.

Why this answer

Option C (Azure Files premium with ZRS) supports concurrent SMB (and NFS 4.1) access from many VMs, and ZRS keeps the share available if one zone fails. Option B (Azure NetApp Files) supports concurrent NFS/SMB access, and cross-zone replication keeps a copy of the volume in a second zone. Option E (Azure Blob Storage) is object storage, not a file share with concurrent read/write file semantics, and GRS addresses regional rather than zonal failure.

Option D (Managed Disks with Standard SSD) attach to a single VM and cannot be shared. Option A (shared disks) lets a limited number of VMs (maxShares) attach the same disk, but it requires a cluster manager such as WSFC or Pacemaker to coordinate writes, so it does not provide general concurrent read/write access on its own, and zone redundancy is available only for specific disk SKUs and regions.

32
MCQmedium

A company deploys a web application on multiple Azure VMs in a single region. They need to distribute incoming HTTP and HTTPS traffic across the VMs, offload SSL/TLS termination, and maintain session persistence (sticky sessions) so that all requests from a user session go to the same backend VM. Which Azure load balancing solution should they use?

A.Azure Application Gateway
B.Azure Load Balancer
C.Azure Traffic Manager
D.Azure Front Door
AnswerA

Correct: Application Gateway provides Layer 7 load balancing, SSL termination, and cookie-based session affinity.

Why this answer

Azure Application Gateway is a Layer 7 load balancer that can distribute HTTP/HTTPS traffic, offload SSL/TLS termination, and support session persistence via cookie-based affinity (sticky sessions). These capabilities directly match the requirements, making it the correct choice.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4) with Application Gateway (Layer 7), assuming that any load balancer can handle SSL termination and sticky sessions, but only Layer 7 solutions like Application Gateway or Front Door provide these features.

How to eliminate wrong answers

Option B (Azure Load Balancer) is wrong because it operates at Layer 4 (TCP/UDP) and cannot perform SSL/TLS termination or inspect HTTP/HTTPS traffic for session persistence. Option C (Azure Traffic Manager) is wrong because it is a DNS-based traffic router that directs traffic across regions, not within a single region, and it does not handle SSL termination or sticky sessions. Option D (Azure Front Door) is wrong because it is a global Layer 7 load balancer and CDN designed for multi-region distribution, not for a single-region deployment, and its session affinity uses different mechanisms (e.g., ARR affinity) that are not optimized for intra-region VM load balancing.

33
MCQmedium

Your company is deploying a new application that uses Azure Cosmos DB for globally distributed low-latency reads and writes. The application must be highly available with a recovery point objective (RPO) of less than 5 seconds and recovery time objective (RTO) of less than 1 second in case of a regional outage. Which Cosmos DB configuration should you recommend?

A.Multiple write regions with manual failover and eventual consistency.
B.Single write region with strong consistency and multi-region writes disabled.
C.Single write region with multiple read regions and multi-region writes disabled.
D.Multiple write regions enabled with automatic failover and session consistency.
AnswerD

Multi-region writes allow RTO < 1s and RPO = 0 for writes within the same region.

Why this answer

Option D is correct because with multiple write regions every region accepts writes, so a regional outage needs no failover at all: clients continue against the remaining regions (RTO < 1 s), and writes already committed in a surviving region are not lost. Option C (single write region with read replicas) requires a write-region failover, which takes longer than 1 second. Option B (strong consistency, single write region) trades availability for linearizability and still needs a failover.

Option A (manual failover) depends on an operator acting, which increases RTO.

34
Multi-Selecteasy

Which TWO of the following are valid data storage solutions for an Azure-based microservices architecture that requires high throughput and low latency? (Choose two.)

Select 2 answers
A.Azure Table Storage
B.Azure Cosmos DB
C.Azure Files
D.Azure Cache for Redis
E.Azure SQL Database
AnswersB, D

Cosmos DB is a globally distributed, multi-model database with guaranteed low latency and high throughput.

Why this answer

Correct answers are B and D. Azure Cosmos DB offers single-digit-millisecond reads and writes with provisioned throughput, and Azure Cache for Redis serves sub-millisecond in-memory reads. Option E is wrong because Azure SQL Database is relational and does not scale out writes the way these services do. Option C is wrong because Azure Files is a file share, not a low-latency data store for microservices.

Option A is wrong because Table Storage is a NoSQL key-value store with lower throughput and no latency SLA, unlike Cosmos DB.

35
MCQmedium

Your organization is building a serverless application that processes events from Azure Event Hubs and stores results in Azure Cosmos DB. The processing logic must be scalable and cost-effective, with no idle costs. Which compute service should you use?

A.Azure Functions
B.Azure Container Instances
C.Azure Logic Apps
D.Azure Kubernetes Service
AnswerA

Functions are serverless, scalable, and cost-effective with no idle costs.

Why this answer

Option A is correct because Azure Functions has a native Event Hubs trigger, scales out automatically with the partition count, and on the Consumption plan bills per execution with no idle cost. Option C is incorrect because Azure Logic Apps is priced per action and is intended for workflow orchestration rather than high-throughput event processing. Option B is incorrect because Azure Container Instances bill for the running container's CPU and memory whether or not it is processing events.

Option D is incorrect because Azure Kubernetes Service has node costs while idle and management overhead.

36
MCQeasy

A company is planning to migrate its on-premises Active Directory to Microsoft Entra ID. They have a complex on-premises infrastructure with multiple forests and over 50,000 users. They need to synchronize identities and enable single sign-on (SSO) for Office 365. What should you recommend?

A.Microsoft Entra Connect Cloud Sync
B.Microsoft Entra Connect
C.Microsoft Entra ID synchronization
D.Microsoft Entra Connect Sync
AnswerD

Microsoft Entra Connect Sync supports multiple forests and large-scale deployments.

Why this answer

Option D is correct because Microsoft Entra Connect Sync is the full synchronization engine: it supports multiple forests (account-resource and multiple disconnected forests) and directories of this size, and with password hash synchronization or pass-through authentication it provides SSO for Microsoft 365. Option B names the same product family (Microsoft Entra Connect is the installer and management surface for Connect Sync), so it is the less precise answer. Option A is incorrect because Microsoft Entra Cloud Sync is the lightweight agent for simpler scenarios and lacks some Connect Sync capabilities, such as device writeback and the more advanced filtering options.

Option C is incorrect because "Microsoft Entra ID synchronization" is a description, not a product.

37
MCQmedium

Refer to the exhibit. The JSON shows role assignments for user1. The role definition IDs are: b24988ac-6180-42a0-ab88-20f7382dd24c = Key Vault Secrets User, 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 = Reader. User1 reports being unable to list secrets in the key vault 'vault-prod' using Azure CLI. What is the most likely cause?

A.User1 does not have any role assignment on the key vault
B.The Key Vault Secrets User role does not include the ability to list secrets
C.User1 must have the Contributor role on the key vault
D.The Reader role at resource group scope overrides the vault role
AnswerB

The role only allows reading secret values, not listing.

Why this answer

Option B is correct as the question is framed: the role assigned at the vault scope grants reading secret values but not the data action needed to list them, and `az keyvault secret list` calls the list operation, so it fails. Before concluding this in practice, check two things: that vault-prod uses the Azure RBAC permission model (under the legacy access-policy model, role assignments have no effect on the data plane), and the role definition's dataActions, because the built-in Key Vault Secrets User role as published by Microsoft does include Microsoft.KeyVault/vaults/secrets/readMetadata/action, which is what listing requires. Option A is wrong because user1 does have a role assignment at the vault scope. Option C is wrong because Contributor is a control-plane role; under the RBAC permission model it cannot read or list secrets.

Option D is wrong because Azure RBAC is additive: an assignment at resource-group scope adds permissions and never overrides a narrower assignment, and Reader carries no data actions anyway.
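The evaluation the explanation relies on (additive assignments, scope inheritance, control plane versus data plane), as an added example that is not part of the question bank or of any Microsoft code. The role definitions are abbreviated, the vault-scope role is modelled with the question's premise (getSecret only, no readMetadata), and the subscription ID and resource names are constructed. Compare its verdict with the live definition from `az role definition list --name "Key Vault Secrets User"` before relying on it.

```python
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# Abbreviated role definitions. Azure wildcards ("*") match across "/".
ROLES: Dict[str, Dict[str, List[str]]] = {
    # Premise of the exam question: read secret values, no list/metadata.
    # The published built-in role also carries .../secrets/readMetadata/action.
    "Key Vault Secrets User (as premised)": {
        "actions": [], "notActions": [],
        "dataActions": ["Microsoft.KeyVault/vaults/secrets/getSecret/action"],
        "notDataActions": [],
    },
    "Reader": {
        "actions": ["*/read"], "notActions": [],
        "dataActions": [], "notDataActions": [],
    },
    "Contributor": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/*/Write"],
        "dataActions": [], "notDataActions": [],
    },
}


def _matches(patterns: List[str], operation: str) -> bool:
    return any(fnmatchcase(operation, p) for p in patterns)


def _scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies at its own scope and at every descendant scope."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def is_allowed(assignments: List[Tuple[str, str]], operation: str,
               scope: str, data_plane: bool = True) -> Tuple[bool, Optional[str]]:
    """Additive RBAC: allowed if any applicable assignment's role grants the
    operation in the matching plane and does not exclude it. There is no
    'deny wins' between roles (deny assignments are a separate feature)."""
    act_key, not_key = (("dataActions", "notDataActions") if data_plane
                        else ("actions", "notActions"))
    for role_name, a_scope in assignments:
        if not _scope_covers(a_scope, scope):
            continue
        role = ROLES[role_name]
        if _matches(role[act_key], operation) and not _matches(role[not_key], operation):
            return True, role_name
    return False, None


# Constructed scopes mirroring the question's exhibit.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
VAULT = RG + "/providers/Microsoft.KeyVault/vaults/vault-prod"

USER1 = [
    ("Key Vault Secrets User (as premised)", VAULT),  # vault scope
    ("Reader", RG),                                   # resource-group scope
]

GET_SECRET = "Microsoft.KeyVault/vaults/secrets/getSecret/action"
LIST_SECRETS = "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
READ_VAULT = "Microsoft.KeyVault/vaults/read"  # control plane (ARM)

if __name__ == "__main__":
    print("get secret value:", is_allowed(USER1, GET_SECRET, VAULT))
    print("list secrets    :", is_allowed(USER1, LIST_SECRETS, VAULT))
    print("read vault (ARM):", is_allowed(USER1, READ_VAULT, VAULT, data_plane=False))
    print("contributor list:", is_allowed([("Contributor", RG)], LIST_SECRETS, VAULT))
```

Reader at resource-group scope is inherited by the vault for the control-plane read, which is why `az keyvault show` works for user1, while neither Reader nor Contributor contributes anything to the data-plane list; only a role whose dataActions cover readMetadata does.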

38
MCQhard

A healthcare organization needs to store patient health records in Azure. The data must be encrypted at rest and in transit. The organization requires a customer-managed key (CMK) with automatic key rotation every 90 days. The solution must support Azure SQL Database and Azure Blob Storage. Which key management solution should you recommend?

A.Azure Storage Service Encryption
B.Azure Information Protection
C.Azure Key Vault Standard
D.Azure Key Vault Managed HSM (Premium tier)
AnswerD

Supports CMK with automatic rotation and FIPS 140-2 Level 3.

Why this answer

Option D is correct because Managed HSM gives single-tenant, FIPS 140-2 Level 3 validated key storage, supports automatic key rotation policies, and can back both Azure SQL Database TDE and Azure Storage customer-managed keys. Option C is the weaker choice: Key Vault Standard also supports rotation policies, but its keys are software-protected, which is usually insufficient for a regulated healthcare workload. Option B is wrong because Azure Information Protection classifies and labels documents; it does not manage encryption keys for SQL or Storage.

Option A is wrong because Storage Service Encryption is the encryption-at-rest feature itself; it uses Microsoft-managed keys unless pointed at a key in Key Vault or Managed HSM. Whichever vault is chosen, soft delete and purge protection must be enabled on it before Azure SQL or Storage will accept a customer-managed key.

39
MCQmedium

Refer to the exhibit. You are analyzing Azure VM performance using Azure Monitor Logs. You run the KQL query shown. What is the purpose of the 'take 10' operator?

A.Limits the results to the first 10 rows after sorting by time.
B.Limits the time range to the last 10 hours.
C.Filters the results to only include the top 10 CPUs.
D.Samples the data to reduce query cost.
AnswerA

'take' returns the specified number of rows from the result set.

Why this answer

The 'take' operator returns a specified number of rows. Here, it limits the output to 10 rows after sorting by TimeGenerated ascending. Option A is correct.

Option B is incorrect because 'take' does not sample; it returns the first N rows. Option C is incorrect because the query returns rows after aggregation. Option D is incorrect because 'take' is not specific to time windows.

40
MCQhard

Your organization is designing a secure microservices architecture using Azure Kubernetes Service (AKS). The application must be compliant with PCI DSS, which requires strict network segmentation and encryption of data at rest and in transit. You need to design a solution that meets these requirements while minimizing operational overhead. The AKS cluster will be deployed in a virtual network. The application consists of multiple microservices that need to communicate with each other and with an Azure SQL Database. Some microservices are public-facing. Which design should you recommend?

A.Deploy AKS with a private API server, enable network policies, and use a service endpoint or private endpoint for Azure SQL Database.
B.Deploy AKS with a public API server and use Network Security Groups (NSGs) to restrict access.
C.Deploy AKS with a private API server and use a jump box for administration.
D.Deploy AKS with a public API server and disable network policies to simplify management.
AnswerA

Private cluster ensures API server is not exposed; network policies enforce micro-segmentation; private endpoints secure database connectivity.

Why this answer

Option A is correct because a private API server keeps the Kubernetes control plane off the internet, Kubernetes network policies (Azure CNI, Calico or Cilium) give pod-level segmentation between microservices, and a private endpoint (preferred) or service endpoint keeps SQL traffic on the Azure backbone with the database's public endpoint closed. Option B is wrong because a public API server exposes the control plane; NSGs limit who can reach it but do not remove the exposure.

Option C is wrong because a jump box is an administration convenience that adds operational overhead and does nothing for workload segmentation or database connectivity. Option D is wrong because disabling network policies removes the segmentation PCI DSS requires.

41
MCQmedium

Refer to the exhibit. You have an Azure Storage account with the settings shown. A developer reports that they cannot access the storage account from their Azure VM that is connected to subnet-a. The VM's subnet ID matches the one in the rule. What is the most likely cause of the issue?

A.The storage account requires HTTPS and the VM is using HTTP
B.The storage account does not have a firewall rule for the VM's public IP
C.The subnet does not have a service endpoint for Microsoft.Storage enabled
D.The storage account uses GRS replication which is not supported with network rules
AnswerC

Virtual network rules require a service endpoint on the subnet to be effective.

Why this answer

The networkAcls block has defaultAction set to Deny with only virtual network rules configured, so the storage account accepts requests only from the listed subnets. A virtual network rule can match only when the request carries the subnet's identity, which happens when the subnet has the Microsoft.Storage service endpoint enabled. Without it the VM's traffic leaves through its SNAT public IP and is evaluated as an internet source, which hits the Deny default. Check the subnet with `az network vnet subnet show` and look at its serviceEndpoints list.

Option A is wrong because an HTTPS-only violation returns a distinct error, and the Azure SDKs and CLI use HTTPS by default. Option B is wrong because adding the VM's public IP as an IP rule would work but is the wrong fix; the subnet rule is the intended allow path. Option D is wrong because the replication type has no effect on network rules.
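The rule evaluation described above, as an added example that is not part of the question bank or of any Azure code: a model of a storage account's networkAcls block, where the source identity storage sees depends on whether the subnet has the Microsoft.Storage service endpoint. The subnet resource ID, public IP and ACL contents are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed subnet resource ID matching the one in the storage rule.
SUBNET_A = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net"
            "/providers/Microsoft.Network/virtualNetworks/vnet-prod/subnets/subnet-a")

# Mirrors the networkAcls block of a storage account (constructed values).
NETWORK_ACLS: Dict = {
    "defaultAction": "Deny",
    "bypass": "AzureServices",
    "virtualNetworkRules": [{"id": SUBNET_A, "action": "Allow"}],
    "ipRules": [],  # e.g. {"value": "203.0.113.0/24", "action": "Allow"}
}


def classify_request(subnet_id: str, service_endpoints: List[str],
                     vm_public_ip: str) -> Dict[str, str]:
    """With the Microsoft.Storage service endpoint, requests reach storage
    tagged with the subnet identity; without it they arrive from the VM's
    SNAT public IP and are treated like any internet client."""
    if "Microsoft.Storage" in service_endpoints:
        return {"kind": "subnet", "id": subnet_id}
    return {"kind": "ip", "address": vm_public_ip}


def is_allowed(acls: Dict, source: Dict[str, str]) -> bool:
    """Subnet sources are matched against virtualNetworkRules, IP sources
    against ipRules; anything unmatched falls through to defaultAction."""
    if source["kind"] == "subnet":
        for rule in acls["virtualNetworkRules"]:
            if rule["id"].lower() == source["id"].lower():
                return rule.get("action", "Allow") == "Allow"
    elif source["kind"] == "ip":
        addr = ipaddress.ip_address(source["address"])
        for rule in acls["ipRules"]:
            if addr in ipaddress.ip_network(rule["value"], strict=False):
                return rule.get("action", "Allow") == "Allow"
    return acls["defaultAction"] == "Allow"


def check_access(acls: Dict, subnet_id: str, service_endpoints: List[str],
                 vm_public_ip: str) -> Tuple[bool, str]:
    """Return (allowed, how the request was classified)."""
    source = classify_request(subnet_id, service_endpoints, vm_public_ip)
    return is_allowed(acls, source), source["kind"]


if __name__ == "__main__":
    # Same subnet, same rule; only the service endpoint differs.
    print("endpoint on :", check_access(NETWORK_ACLS, SUBNET_A, ["Microsoft.Storage"], "203.0.113.5"))
    print("endpoint off:", check_access(NETWORK_ACLS, SUBNET_A, [], "203.0.113.5"))
```

The second line is the developer's situation: the subnet is listed, but the request is classified as an IP source because the endpoint is missing, and with no ipRules it falls to the Deny default.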

42
MCQmedium

A company is designing a hybrid identity solution that allows users to access both on-premises applications and Microsoft 365 using a single identity. The solution must support legacy authentication protocols for on-premises apps and modern authentication for cloud apps. Which Azure service should the company use?

A.Active Directory Federation Services (AD FS)
B.Microsoft Entra Application Proxy
C.Microsoft Entra ID
D.Microsoft Entra Connect
AnswerB

Application Proxy provides secure access to on-premises apps with modern authentication and supports legacy protocols.

Why this answer

Option B is correct. Microsoft Entra Application Proxy publishes on-premises web apps through a connector: users authenticate to Entra ID with modern authentication (and Conditional Access), and the connector signs in to the back-end application on their behalf using Kerberos constrained delegation or header-based SSO, so the legacy protocol stays inside the data center. Option C (Microsoft Entra ID) provides the identity and modern authentication but cannot reach on-premises apps on its own. Option D (Microsoft Entra Connect) synchronizes identities to the cloud; it does not broker access to applications.

Option A (Active Directory Federation Services) can serve both kinds of app, but it is self-hosted infrastructure rather than a managed Azure service, and Microsoft's guidance is to migrate away from it.

43
MCQeasy

Your company plans to migrate an on-premises application to Azure. The application requires low-latency access to a shared file system that supports SMB protocol. Which Azure storage solution should you recommend?

A.Azure Blob Storage
B.Azure Disk Storage
C.Azure Files
D.Azure Queue Storage
AnswerC

Azure Files supports SMB protocol and provides shared file access.

Why this answer

Option C is correct because Azure Files exposes SMB file shares that multiple VMs can mount, and premium shares in the same region give low-latency access. Option A is wrong because Blob Storage is object storage and does not speak SMB. Option B is wrong because a managed disk is block storage attached to one VM, not a shared file system.

Option D is wrong because Queue Storage is a messaging service.

44
MCQhard

You are designing a storage strategy for a data analytics solution that processes large volumes of streaming data. The data must be stored in a cost-effective manner with low latency for hot data and infrequent access for cold data after 30 days. The solution must support both batch and interactive queries. Which combination of Azure storage services should you recommend?

A.Azure Data Lake Storage Gen2 with lifecycle management
B.Azure SQL Database with geo-replication
C.Azure Blob Storage with hot and cool access tiers
D.Azure Cosmos DB with multiple consistency levels
AnswerA

ADLS Gen2 is optimized for analytics and lifecycle management can move cold data to cheaper storage.

Why this answer

Option A is correct because Azure Data Lake Storage Gen2 combines blob storage with a hierarchical namespace and POSIX-style ACLs that analytics engines (Spark, Synapse, Databricks) use for batch and interactive queries, and lifecycle management policies move data to the cool or archive tier after 30 days. Option C is wrong only by comparison: Blob Storage with hot and cool tiers holds the data at the same price points, but without the hierarchical namespace it is slower for directory-heavy analytics workloads. Option B is wrong because Azure SQL Database is relational and expensive at streaming-data volumes.

Option D is wrong because Cosmos DB is an operational NoSQL store, not a cost-effective analytics data lake.

45
Multi-Selectmedium

Your company is designing a hybrid network architecture to connect an on-premises data center to Azure. The requirements include: high availability, low latency, and cost optimization. Which TWO options should you recommend?

Select 2 answers
A.ExpressRoute Gateway
B.Single ExpressRoute circuit
C.Site-to-Site VPN
D.ExpressRoute Direct
E.Two ExpressRoute circuits from different providers
AnswersA, E

Provides low latency and high bandwidth.

Why this answer

Option A is correct because ExpressRoute, terminated on an ExpressRoute gateway in the VNet, provides private connectivity with low latency and high bandwidth. Option E is correct because two circuits from different providers remove the provider and peering location as single points of failure; a single circuit has redundant links but can still fail as a unit. Option C is incorrect because a Site-to-Site VPN crosses the public internet and cannot guarantee low latency, although it is a reasonable backup path behind ExpressRoute.

Option D is incorrect because ExpressRoute Direct (10 or 100 Gbps ports) is a bandwidth option, not a high-availability feature, and does not fit the cost requirement. Option B is incorrect because a single circuit is a single point of failure.

46
MCQeasy

You run the above KQL query in Azure Monitor Logs. What does the query return?

A.The number of failed VM creation attempts per hour.
B.The total number of successful operations across all Azure resources.
C.The number of successful VM write operations per caller per hour.
D.A list of all Azure activity log entries.
AnswerC

The query summarizes successful VM write operations by caller and hour.

Why this answer

Option C is correct. The query filters AzureActivity to successful write operations on virtual machines, then summarizes a count by Caller and by 1-hour bins of TimeGenerated. Option A is wrong because the filter keeps successful operations, not failed ones.

Option B is wrong because the result is grouped by caller and hour and restricted to VM writes, not totalled across all resources. Option D is wrong because the output is an aggregate, not the raw activity log entries.
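The aggregation this question describes, and the `take` behaviour from question 39, as an added example that is not part of the question bank or of any Microsoft tooling. It runs the same logic over a handful of constructed AzureActivity-style rows so it can be executed offline, and adds the threshold check an analyst would bolt onto such a query; the callers, timestamps and the constant standing in for the exhibit's query are all constructed.

```python
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Tuple

VM_WRITE = "Microsoft.Compute/virtualMachines/write"

# Constructed AzureActivity-like rows (subset of the real columns).
ACTIVITY: List[Dict[str, str]] = [
    {"TimeGenerated": "2024-05-01T09:05:00Z", "Caller": "alice@contoso.com",
     "OperationNameValue": VM_WRITE, "ActivityStatusValue": "Success"},
    {"TimeGenerated": "2024-05-01T09:40:00Z", "Caller": "alice@contoso.com",
     "OperationNameValue": VM_WRITE, "ActivityStatusValue": "Success"},
    {"TimeGenerated": "2024-05-01T09:50:00Z", "Caller": "alice@contoso.com",
     "OperationNameValue": VM_WRITE, "ActivityStatusValue": "Failure"},
    {"TimeGenerated": "2024-05-01T10:15:00Z", "Caller": "alice@contoso.com",
     "OperationNameValue": VM_WRITE, "ActivityStatusValue": "Success"},
    {"TimeGenerated": "2024-05-01T09:20:00Z", "Caller": "svc-deploy",
     "OperationNameValue": VM_WRITE, "ActivityStatusValue": "Success"},
    {"TimeGenerated": "2024-05-01T09:25:00Z", "Caller": "svc-deploy",
     "OperationNameValue": "Microsoft.Compute/virtualMachines/delete",
     "ActivityStatusValue": "Success"},
]


def bin_hour(ts: str) -> datetime:
    """bin(TimeGenerated, 1h): truncate an ISO-8601 UTC timestamp to the hour."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t.replace(minute=0, second=0, microsecond=0)


def successful_vm_writes_per_caller_hour(rows: List[Dict[str, str]]) -> Dict[Tuple[str, datetime], int]:
    """Equivalent of:
         AzureActivity
         | where OperationNameValue =~ "Microsoft.Compute/virtualMachines/write"
             and ActivityStatusValue == "Success"
         | summarize count() by Caller, bin(TimeGenerated, 1h)
    (=~ is case-insensitive in KQL, hence the lower() comparison.)"""
    counts: Counter = Counter()
    for r in rows:
        if r["OperationNameValue"].lower() != VM_WRITE.lower():
            continue
        if r["ActivityStatusValue"] != "Success":
            continue
        counts[(r["Caller"], bin_hour(r["TimeGenerated"]))] += 1
    return dict(counts)


def take(rows: List[Dict[str, str]], n: int, sort_key: str = "TimeGenerated") -> List[Dict[str, str]]:
    """`sort by <sort_key> asc | take n`: the first n rows after the sort.
    `take` neither samples nor changes the time range; it only truncates."""
    return sorted(rows, key=lambda r: r[sort_key])[:n]


def callers_over_threshold(rows: List[Dict[str, str]], threshold: int) -> List[str]:
    """Detection on top of the aggregate: callers with more than `threshold`
    successful VM writes in any single hour."""
    per_hour = successful_vm_writes_per_caller_hour(rows)
    return sorted({caller for (caller, _), c in per_hour.items() if c > threshold})


if __name__ == "__main__":
    for (caller, hour), c in sorted(successful_vm_writes_per_caller_hour(ACTIVITY).items()):
        print(hour.isoformat(), caller, c)
    print("first two rows by time:", [r["TimeGenerated"] for r in take(ACTIVITY, 2)])
    print("noisy callers:", callers_over_threshold(ACTIVITY, 1))
```

The failed write at 09:50 and the delete at 09:25 drop out at the filter stage, which is the difference between this query and the "all activity" or "failed attempts" readings in the wrong options.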

47
Matchingmedium

Match each Azure identity service to its description.

Descriptions

Cloud-based identity and access management

Customer identity and access management for apps

Managed domain services like LDAP and Kerberos

Role-based access control for Azure resources

Policy-based evaluation to enforce access controls

Why these pairings

These are key identity and access management services in Azure.

48
MCQhard

A company has multiple Azure virtual networks (VNets) in different regions and an on-premises data center connected via ExpressRoute. They need to implement a hub-and-spoke topology where a hub VNet hosts shared network virtual appliances (NVAs) for traffic inspection. All traffic between spokes and between spokes and on-premises must be routed through the hub. The company wants to minimize the administrative overhead of configuring and maintaining routing. Which Azure solution should they implement?

A.Use Azure Virtual WAN with a secured virtual hub.
B.Use VNet peering with user-defined routes (UDRs) in each spoke and Azure Route Server.
C.Create a single large VNet and use network security groups (NSGs) to isolate traffic.
D.Use Azure Firewall in the hub VNet and configure forced tunneling via custom routes.
AnswerA

Azure Virtual WAN provides a managed hub-and-spoke architecture with automatic routing. A secured virtual hub can integrate NVAs or Azure Firewall, and it handles transitive routing between spokes and on-premises without manual route tables or UDRs.

Why this answer

Azure Virtual WAN with a secured virtual hub is the correct choice because it provides a managed hub-and-spoke topology with built-in routing, eliminating the need for manual user-defined routes (UDRs) and route tables. The secured virtual hub includes Azure Firewall for traffic inspection, and all inter-spoke and on-premises traffic is automatically routed through the hub via the Virtual WAN routing engine, which uses the Border Gateway Protocol (BGP) to propagate routes dynamically. This minimizes administrative overhead by centralizing routing and security management.

Exam trap

The trap here is that candidates often choose VNet peering with UDRs (Option B) because it is a familiar pattern for hub-and-spoke, but they overlook that Azure Virtual WAN is the managed service designed to eliminate the administrative overhead of manual routing, especially when multiple regions and on-premises connectivity are involved.

How to eliminate wrong answers

Option B is wrong because VNet peering with UDRs in each spoke, even with Azure Route Server injecting NVA routes, still leaves you authoring and maintaining route tables per spoke to force traffic through the hub NVAs, which is exactly the administrative overhead the company wants to avoid. Option C is wrong because a single large VNet with NSGs abandons the hub-and-spoke model: NSGs are stateful packet filters that permit or deny flows, they do not steer traffic through a central inspection point, and a VNet is a regional resource, so it cannot span the multiple regions in the scenario. Option D is wrong because Azure Firewall in a hub VNet with forced tunneling still depends on a UDR on every spoke subnet pointing at the firewall, and does not provide the automated, multi-region routing that Virtual WAN offers.

49
MCQhard

Your company has a large number of IoT devices sending telemetry to Azure IoT Hub. The data must be processed in near real-time to detect anomalies and trigger alerts. Additionally, the processed data must be stored in a time-series database for historical analysis. Which combination of Azure services should you recommend?

A.Azure Functions and Azure SQL Database
B.Azure HDInsight and Azure Cosmos DB
C.Azure Data Factory and Azure Blob Storage
D.Azure Stream Analytics and Azure Data Explorer
AnswerD

Stream Analytics provides real-time processing; Data Explorer is a time-series database.

Why this answer

Option D is correct. Azure Stream Analytics reads from IoT Hub, evaluates windowed queries for anomaly detection (it has built-in anomaly detection functions) and alerting, and outputs to Azure Data Explorer, whose time-series-optimized storage and KQL serve historical analysis. Option A is wrong because Azure SQL Database is not a time-series store and Functions alone lack windowed stream processing.

Option C is wrong because Azure Data Factory is a batch orchestration service, not a real-time engine. Option B is wrong because HDInsight requires managing a cluster and Cosmos DB is not a time-series database.

50
MCQhard

A company is designing a solution for a global e-commerce platform that requires low-latency access to product catalog data from multiple regions. The data is read-heavy with occasional updates. The solution must support automatic scaling and provide high availability. Which Azure service should you recommend?

A.Azure SQL Database with active geo-replication
B.Azure Cosmos DB with multi-region writes
C.Azure Table Storage
D.Azure Cache for Redis
AnswerB

Cosmos DB provides global distribution, low-latency reads, automatic scaling, and high availability.

Why this answer

Option A is incorrect because Azure SQL Database with geo-replication can provide global distribution but is not optimized for low-latency reads. Option B is correct because Azure Cosmos DB with multi-region writes provides global distribution, low-latency reads, automatic scaling, and high availability. Option C is incorrect because Azure Table Storage is not as performant for global low-latency reads.

Option D is incorrect because Azure Cache for Redis is a cache, not a primary data store.

51
MCQmedium

A global e-commerce company runs a web application in multiple Azure regions. They need to distribute incoming HTTPS traffic across regional deployments to provide low latency and high availability. The solution must support SSL offloading, Web Application Firewall (WAF) policies, and content caching to reduce backend load. They also need to route users to the nearest healthy backend region. Which Azure service should they use?

A.Azure Traffic Manager
B.Azure Front Door
C.Azure Application Gateway
D.Azure Content Delivery Network (CDN)
AnswerB

Azure Front Door is a global layer 7 load balancer. It offers SSL offload, WAF, content caching, and intelligent routing to the nearest region, meeting all requirements.

Why this answer

Azure Front Door is the correct choice because it is a global, scalable entry point that provides HTTPS traffic distribution across multiple Azure regions with low latency, SSL offloading, WAF policies, and content caching. It uses Anycast-based routing to direct users to the nearest healthy backend region, meeting all the requirements for high availability and performance.

Exam trap

The trap here is that candidates often confuse Azure Traffic Manager (DNS-level routing) with Azure Front Door (HTTP/HTTPS-level routing), overlooking the need for SSL offloading, WAF, and content caching, which Traffic Manager cannot provide.

How to eliminate wrong answers

Option A (Azure Traffic Manager) is wrong because it operates at the DNS level and does not support SSL offloading, WAF policies, or content caching; it only answers DNS queries based on endpoint health and routing method, without ever seeing the HTTP/HTTPS payload. Option C (Azure Application Gateway) is wrong because it is a regional load balancer that provides SSL offloading and WAF, but it cannot distribute traffic across multiple regions or route users to the nearest healthy backend region globally. Option D (Azure Content Delivery Network (CDN)) is wrong because it caches static content at edge locations; it has no WAF policies and no health-probed routing of dynamic requests to the nearest healthy origin region.

52
MCQmedium

A company is deploying an internal web application on Azure VMs. The application requires SSL offloading, session stickiness, and URL-based routing (e.g., /api/* to one backend, /app/* to another). The solution must operate within a single Azure region and must not be exposed to the public internet. Which Azure load balancing solution should they use?

A.Azure Load Balancer
B.Azure Traffic Manager
C.Azure Application Gateway
D.Azure Front Door
AnswerC

Azure Application Gateway can be deployed internally (internal Application Gateway) and provides all required features: SSL offloading, session affinity, and URL path-based routing.

Why this answer

Azure Application Gateway v2 is the correct choice because it provides SSL offloading (SSL termination at the gateway), session stickiness (cookie-based affinity), and URL-based routing (path-based routing rules) within a single Azure region. It can be deployed with a private IP address only, ensuring it is not exposed to the public internet, meeting all requirements.

Exam trap

The trap here is that candidates often confuse Azure Front Door with Application Gateway, but Front Door is a global service requiring public endpoints and multi-region support, whereas Application Gateway can be deployed privately within a single region.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer operates at Layer 4 (TCP/UDP) and cannot perform SSL offloading or URL-based routing; it only distributes traffic based on IP and port. Option B is wrong because Azure Traffic Manager is a DNS-based global load balancer that operates across regions and requires public endpoints; it cannot provide SSL offloading or URL-based routing within a single region. Option D is wrong because Azure Front Door is a global Layer 7 load balancer with SSL offloading and URL routing, but it is designed for multi-region deployments and requires public internet exposure; it cannot be restricted to a single region with private-only access.

53
Multi-Selecteasy

You are designing a highly available architecture for a web application that runs on Azure VMs. The solution must distribute incoming traffic across multiple VMs in an availability set. Which TWO Azure components should you include? (Choose two.)

Select 2 answers
A.Azure Load Balancer
B.Azure Traffic Manager
C.Azure Front Door
D.Availability Set
E.Azure Application Gateway
AnswersA, D

Load Balancer distributes traffic to VMs in the same region.

Why this answer

Options A and D are correct. Azure Load Balancer distributes incoming traffic across the VMs in the availability set, and the availability set spreads those VMs across fault and update domains so a single rack failure or host update does not take the whole application down. For high availability you need both: a load balancer alone has nothing to fail over to, and an availability set alone has nothing sending it traffic.

Option B is wrong because Azure Traffic Manager is a DNS-based global traffic router, not a regional load balancer. Option C is wrong because Azure Front Door is a global load balancing and acceleration service for multi-region deployments. Option E is wrong because, although Azure Application Gateway can also distribute traffic across VMs in an availability set, the scenario asks only for basic traffic distribution, which is the Layer 4 function of Azure Load Balancer and the simplest fit.

54
Multi-Selecthard

A company is designing a backup strategy for Azure resources. They have the following resources: Azure VMs, Azure SQL Database, and Azure Files shares. They need to meet the following requirements: 1) Backup of VMs must be application-consistent. 2) SQL Database backups must be retained for 10 years. 3) Azure Files backups must support soft delete. Which THREE services or features should they use?

Select 3 answers
A.Azure Backup
B.Soft delete for Azure Files
C.Long-term retention (LTR) for Azure SQL Database
D.Azure Site Recovery
E.Azure Policy
AnswersA, B, C

Azure Backup provides application-consistent backups for VMs.

Why this answer

Options A, B, and C are correct. Azure Backup takes application-consistent snapshots of Azure VMs (VSS on Windows, pre/post scripts on Linux). Long-term retention (LTR) for Azure SQL Database can keep weekly, monthly or yearly full backups for up to 10 years.

Soft delete for Azure Files keeps deleted shares recoverable for a configurable retention period, protecting against accidental deletion, and Azure Backup enables it on the storage account when backup of a share is configured. Option D is incorrect because Azure Site Recovery is for disaster recovery (replication and failover), not backup. Option E is incorrect because Azure Policy is for governance, not backup.

55
MCQmedium

A company deploys a web application on Azure VMs across multiple availability zones in a region. They need to distribute incoming traffic across VMs in all zones, maintain session persistence, and support SSL offloading and URL-based routing (e.g., /api/* to one pool, /app/* to another). Which Azure load balancing solution should they use?

A.Azure Load Balancer
B.Azure Application Gateway
C.Azure Traffic Manager
D.Azure Front Door
AnswerB

Application Gateway is a layer-7 load balancer that provides SSL offloading, URL-based routing, and session affinity, making it suitable for this requirement.

Why this answer

Azure Application Gateway is the correct choice because it is a Layer 7 (HTTP/HTTPS) load balancer that supports SSL offloading, URL-based routing (e.g., /api/* and /app/* to different backend pools), and session persistence (cookie-based affinity). It can distribute traffic across VMs in multiple availability zones within a region, meeting all stated requirements.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4) with Application Gateway (Layer 7), assuming all load balancers support HTTP-level features like URL routing and SSL offloading, but only Layer 7 solutions do.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer operates at Layer 4 (TCP/UDP) and does not support SSL offloading or URL-based routing; it cannot inspect HTTP paths. Option C is wrong because Azure Traffic Manager is a DNS-based global traffic router that distributes traffic across regions, not within a single region, and it does not support SSL offloading or URL-based routing. Option D is wrong because Azure Front Door is a global Layer 7 service that supports SSL offloading and URL-based routing but is designed for multi-region distribution, not for distributing traffic across VMs within a single region's availability zones.

56
MCQhard

You are designing a compute solution for a batch processing workload that runs once per day for about 30 minutes. The workload is CPU-intensive and can be parallelized. The team wants to minimize cost while ensuring the job completes within 2 hours. Which of the following is the most cost-effective solution?

A.Deploy an Azure App Service plan with multiple instances, and trigger the job with a timer.
B.Use Azure Functions with a timer trigger and a Premium plan to allow longer execution.
C.Create an Azure VM that runs the job on schedule and turn it off after completion.
D.Use Azure Batch with a pool of low-priority VMs, and scale up to many nodes to complete the job quickly.
AnswerD

Azure Batch is designed for parallel batch processing; low-priority VMs offer up to 80% cost savings and the job can complete in minutes.

Why this answer

Option D is correct because Azure Batch is built for parallel, scheduled workloads: it can scale a pool out to many low-priority nodes for the run and back to zero afterwards, so the job finishes well inside the 2-hour window and nothing is billed in between. Low-priority nodes can be preempted, so the tasks must be retryable; the window leaves room for that. Option A is wrong because an App Service plan is billed continuously while it exists and is not designed for batch processing. Option B is wrong because the Premium plan removes the Consumption plan's timeout (5 minutes by default, 10 at most) but bills for at least one pre-warmed instance around the clock, which is poor value for a 30-minute daily job.

Option C is wrong because a single VM runs the job serially, does not exploit the parallelism, and only stops billing for compute if it is deallocated rather than merely shut down; it is cheaper than an always-on VM but not the most cost-effective option offered.

57
MCQhard

You are designing a disaster recovery strategy for an Azure virtual machine running a SQL Server Always On availability group. The primary region is East US, and the secondary region is West US. You need to ensure minimal data loss and automatic failover. Which Azure service should you use for cross-region replication of the managed disks?

A.Azure Traffic Manager
B.Azure Site Recovery
C.Azure Backup
D.Azure Storage Geo-Redundant Storage (GRS)
AnswerB

Azure Site Recovery replicates Azure VMs, including their managed disks, to a secondary region with a low RPO and orchestrates failover through recovery plans.

Why this answer

Option B is correct because Azure Site Recovery provides continuous replication of Azure VMs, including their managed disks, to a secondary region with recovery point objectives (RPO) of seconds to minutes, and orchestrates failover through recovery plans. One caveat: a Site Recovery failover is started by an operator or by automation rather than triggered automatically, so the SQL-level complement for the availability group is usually an asynchronous-commit replica in West US. Option C (Azure Backup) is for backup, not replication. Option D (Azure Storage Geo-Redundant Storage) replicates at the storage-account level, is not available for managed disks (which support LRS and ZRS only), and does not handle VM failover orchestration.

Option A (Azure Traffic Manager) is for DNS-level traffic distribution, not disk replication.

58
MCQmedium

A company is designing a backup strategy for a critical Azure SQL Database. The database is used in a production environment and the company requires the ability to restore to any point within the last 35 days with a maximum granularity of 5 minutes. Which backup configuration should the company choose?

A.Use Azure Backup for SQL Server in Azure VM
B.Configure point-in-time restore with a retention period of 35 days and a backup frequency of 5 minutes
C.Use Azure SQL Database automatic backups with a retention period of 35 days
D.Configure geo-redundant backup with long-term retention
AnswerC

Automatic backups provide point-in-time restore within 35 days with 5-minute granularity.

Why this answer

Option C (Use Azure SQL Database automatic backups with a retention period of 35 days) meets the requirement because automatic backups provide point-in-time restore to any moment inside the configured retention window (1 to 35 days; 7 by default) at roughly 5-minute granularity, since transaction log backups are taken every 5 to 10 minutes. Option B (Configure point-in-time restore with a retention period of 35 days and a backup frequency of 5 minutes) is not possible because Azure SQL Database does not allow a custom backup frequency; the service schedules the full, differential and log backups itself. Option D (Geo-redundant backup with long-term retention) addresses regional loss and multi-year retention of full backups, not point-in-time granularity.

Option A (Use Azure Backup for SQL Server in Azure VM) is for SQL Server on VMs, not Azure SQL Database.
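The retention settings behind questions 54 and 58 (a 35-day point-in-time restore window and 10-year long-term retention on an Azure SQL Database), as an added Azure CLI example that is not part of the original page, together with the check a practitioner makes before a restore: the requested point must not be earlier than the database's earliestRestoreDate. The resource group, server and database names and the restore timestamp are placeholder assumptions; the az sql db str-policy, ltr-policy, restore and ltr-backup commands are real.

```shell
#!/bin/sh
# Added example (not from the original page). Sets short-term (PITR) and
# long-term (LTR) retention on an Azure SQL Database and restores safely.
# Names and the timestamp are placeholder assumptions.
set -eu

RG="rg-data"; SERVER="sql-prod-01"; DB="orders"
RESTORE_POINT="${RESTORE_POINT:-2024-05-20T10:00:00}"   # UTC, seconds precision

# Both arguments are ISO-8601 UTC timestamps; zone suffixes are trimmed and the
# rest compared lexically. Exit 0 if $2 (requested) is not earlier than $1
# (earliest point the service can still restore to).
pitr_point_available() {
  earliest=$(printf '%s' "$1" | cut -c1-19)
  requested=$(printf '%s' "$2" | cut -c1-19)
  [ "$(printf '%s\n%s\n' "$earliest" "$requested" | sort | head -n 1)" = "$earliest" ]
}

configure_retention() {
  # PITR window: 35 days (the maximum), differential backups every 12 hours.
  az sql db str-policy set -g "$RG" -s "$SERVER" -n "$DB" \
    --retention-days 35 --diffbackup-hours 12
  # LTR: keep one weekly backup for 12 weeks, one monthly for 12 months, and
  # the full backup of ISO week 1 for 10 years (the compliance requirement).
  az sql db ltr-policy set -g "$RG" -s "$SERVER" -n "$DB" \
    --weekly-retention P12W --monthly-retention P12M \
    --yearly-retention P10Y --week-of-year 1
  az sql db str-policy show -g "$RG" -s "$SERVER" -n "$DB" -o table
  az sql db ltr-policy show -g "$RG" -s "$SERVER" -n "$DB" -o table
}

restore_pitr() {
  # Restores are side by side: a new database name, never overwriting production.
  earliest=$(az sql db show -g "$RG" -s "$SERVER" -n "$DB" \
    --query earliestRestoreDate -o tsv)
  if ! pitr_point_available "$earliest" "$RESTORE_POINT"; then
    echo "$RESTORE_POINT is before the earliest PITR point $earliest; use an LTR backup:" >&2
    az sql db ltr-backup list \
      -l "$(az sql server show -g "$RG" -n "$SERVER" --query location -o tsv)" \
      -s "$SERVER" -d "$DB" -o table
    exit 1
  fi
  az sql db restore -g "$RG" -s "$SERVER" -n "$DB" \
    --dest-name "${DB}-pitr-$(printf '%s' "$RESTORE_POINT" | tr -d ':-')" \
    --time "$RESTORE_POINT"
}

if [ "${APPLY:-0}" = "1" ]; then
  configure_retention
  restore_pitr
else
  # Dry run: exercise the window check against a constructed earliest date.
  if pitr_point_available "2024-04-15T10:00:00+00:00" "$RESTORE_POINT"; then
    echo "$RESTORE_POINT is inside the PITR window"
  else
    echo "$RESTORE_POINT is outside the PITR window"
  fi
fi
```

Run it with APPLY=1 from a shell that has done az login and has Contributor rights on the server; without APPLY it only exercises the window check. The restore goes to a new database name on purpose: the point-in-time copy is verified first and then swapped in, which keeps the production database and its backup chain intact if the chosen timestamp turns out to be wrong.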

59
MCQmedium

A company has multiple on-premises sites and Azure VNets in different regions. They need to connect all networks with a single mesh topology, ensuring that any network can communicate with any other network directly. They also want to minimize administrative overhead. Which Azure service should they use?

A.Azure Virtual WAN
B.Azure VPN Gateway
C.Azure ExpressRoute
D.Azure Peering Service
AnswerA

Virtual WAN provides a scalable and automated mesh connectivity solution with integrated routing, reducing manual configuration overhead.

Why this answer

Azure Virtual WAN is the correct choice because it provides a managed, global mesh network that automatically connects on-premises sites and Azure VNets across regions using a hub-and-spoke architecture with built-in transitive routing. This eliminates the need to manually configure individual VPN gateways or ExpressRoute circuits for each pair of networks, directly supporting the requirement for any-to-any direct communication with minimal administrative overhead.

Exam trap

The trap here is that candidates often confuse Azure VPN Gateway's ability to create multiple site-to-site connections with a true mesh topology, overlooking that VPN Gateway lacks automatic transitive routing and requires manual configuration for any-to-any connectivity, whereas Virtual WAN provides this natively.

How to eliminate wrong answers

Option B (Azure VPN Gateway) is wrong because it only creates point-to-site or site-to-site connections between individual networks; it does not natively support a full mesh topology without complex, manual configuration of multiple VPN tunnels and route tables, which increases administrative overhead. Option C (Azure ExpressRoute) is wrong because it provides private, dedicated connectivity between on-premises sites and Azure, but it does not inherently create a mesh between multiple on-premises sites or VNets; additional routing and gateway configurations are required to achieve transitive connectivity. Option D (Azure Peering Service) is wrong because it is designed to optimize connectivity to Microsoft cloud services over the internet, not to create a mesh network between customer-owned on-premises sites and Azure VNets.

60
MCQeasy

A company has an Azure API Management instance deployed in the internal virtual network (VNet) mode. They want to securely expose their backend APIs to external partners over the internet. External partners need to authenticate using OAuth2 tokens. The company also wants to enforce rate limits (throttling) per subscription, cache responses, and enable CORS. Which Azure service should they use to expose the APIs?

A.Azure Application Gateway
B.Azure API Management
C.Azure Front Door
D.Azure Traffic Manager
AnswerB

Azure API Management is a full-featured API gateway that supports OAuth2 token validation, rate limiting, caching, CORS and many other policies, and it is the component that enforces them regardless of how the gateway endpoint is published to partners.

Why this answer

Azure API Management (APIM) is the correct choice because its policy engine provides OAuth2 token validation (validate-jwt), per-subscription rate limiting (rate-limit), response caching (cache-lookup and cache-store) and CORS (cors), and it handles authentication, policy enforcement and traffic management as the API gateway. One caveat the scenario glosses over: in internal VNet mode the gateway has only a private IP and is not reachable from the internet by itself, so the usual pattern is to place an Application Gateway (with WAF) or Front Door in front of it as the public entry point, while APIM remains the component that enforces the API policies.

Exam trap

The trap here is that candidates often confuse Azure API Management with Azure Application Gateway or Azure Front Door, but only APIM provides the comprehensive API gateway features (OAuth2, throttling, caching, CORS) required for this scenario.

How to eliminate wrong answers

Option A is wrong because Azure Application Gateway is a Layer 7 load balancer and web application firewall (WAF), but it does not natively support OAuth2 token validation, per-subscription rate limiting, or API-level caching and CORS policies. Option C is wrong because Azure Front Door is a global load balancer and CDN that provides WAF and caching at the edge, but it lacks built-in OAuth2 authentication, per-subscription throttling, and API management policies. Option D is wrong because Azure Traffic Manager is a DNS-based traffic load balancer that only routes traffic based on DNS resolution and does not provide any API gateway features like OAuth2, rate limiting, caching, or CORS.
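The policy set question 60 lists (OAuth2 validation, per-subscription throttling, response caching, CORS), as an added example that is not from the original page: a shell script that renders an API Management inbound/outbound policy document, checks that authentication precedes the cache lookup, and applies it through az rest (az apim has no policy subcommand). The subscription id, tenant id, service, API and partner names are placeholder assumptions; the policy elements and the Microsoft.ApiManagement/service/apis/policies resource are real, and jq is required for the JSON body.

```shell
#!/bin/sh
# Added example (not from the original page). Renders an APIM policy for an API
# exposed to partners and applies it. All identifiers below are placeholders.
set -eu

SUB="00000000-0000-0000-0000-000000000000"        # subscription id (assumption)
RG="rg-apim"; APIM="apim-partners"; API="partner-api"
TENANT_ID="11111111-1111-1111-1111-111111111111"  # Entra tenant issuing the tokens

# Prints the policy XML. Order matters: CORS first so preflights are answered
# without a token, then JWT validation, then throttling, and only then the cache
# lookup, so an unauthenticated or throttled call is never served from cache.
# $1 allowed origin, $2 expected audience, $3 calls per minute per subscription.
render_policy() {
  cat <<EOF
<policies>
  <inbound>
    <base />
    <cors allow-credentials="false">
      <allowed-origins><origin>$1</origin></allowed-origins>
      <allowed-methods><method>GET</method><method>POST</method></allowed-methods>
      <allowed-headers><header>Authorization</header><header>Content-Type</header></allowed-headers>
    </cors>
    <validate-jwt header-name="Authorization" require-scheme="Bearer"
                  failed-validation-httpcode="401" require-expiration-time="true">
      <openid-config url="https://login.microsoftonline.com/$TENANT_ID/v2.0/.well-known/openid-configuration" />
      <audiences><audience>$2</audience></audiences>
      <required-claims>
        <claim name="roles" match="any"><value>Partner.Read</value></claim>
      </required-claims>
    </validate-jwt>
    <rate-limit calls="$3" renewal-period="60" />
    <cache-lookup vary-by-developer="false" vary-by-developer-groups="false"
                  downstream-caching-type="none" />
  </inbound>
  <backend><base /></backend>
  <outbound>
    <base />
    <cache-store duration="60" />
  </outbound>
  <on-error><base /></on-error>
</policies>
EOF
}

# Guard: exit 0 only if validate-jwt precedes cache-lookup in the XML on stdin.
policy_order_ok() {
  awk '/<validate-jwt/{j=NR} /<cache-lookup/{c=NR} END{exit !(j && c && j<c)}'
}

# PUT the policy on the API through the ARM REST surface.
apply_policy() {
  xml=$(render_policy "$1" "$2" "$3")
  printf '%s\n' "$xml" | policy_order_ok || { echo "refusing to apply: cache before auth" >&2; exit 1; }
  body=$(jq -n --arg v "$xml" '{properties:{format:"xml",value:$v}}')
  az rest --method put \
    --url "https://management.azure.com/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.ApiManagement/service/$APIM/apis/$API/policies/policy?api-version=2022-08-01" \
    --headers "Content-Type=application/json" --body "$body"
}

if [ "${APPLY:-0}" = "1" ]; then
  apply_policy "https://partner.example.com" "api://partner-api" 100
else
  render_policy "https://partner.example.com" "api://partner-api" 100
fi
```

Two design points worth keeping in mind: vary-by-developer="false" shares cached responses across all subscriptions, so only cache responses that are not partner-specific, and rate-limit counts against the subscription key; to throttle per caller identity instead, use rate-limit-by-key with a counter-key taken from the validated token. Since the gateway in the scenario is in internal VNet mode, the public entry point in front of it (for example Application Gateway) must forward the Authorization header untouched for validate-jwt to see it.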

61
MCQmedium

Your company is deploying a web application that experiences unpredictable traffic spikes. You need to ensure the application can handle sudden increases in load automatically without manual intervention and minimize costs during low traffic periods. Which Azure service should you use?

A.Azure App Service with manual scale-out
B.Azure Functions with consumption plan
C.Virtual Machine Scale Set with autoscale
D.Azure Container Instances
AnswerC

Scale Sets with autoscale rules automatically adjust capacity based on metrics.

Why this answer

Virtual Machine Scale Sets with autoscale rules add and remove VM instances based on metrics such as CPU or queue length, and a scale-in rule returns capacity when load drops, which is what keeps cost down in quiet periods. Option A (Azure App Service with manual scale-out) does not scale by itself; App Service can autoscale, but the option specifies manual scaling. Option B (Azure Functions with consumption plan) scales automatically and costs little when idle, but it hosts event-driven functions, not a conventional web application.

Option D (Azure Container Instances) runs individual container groups and does not autoscale natively.

62
MCQeasy

A company has multiple Azure virtual networks (VNets) in different Azure regions and an on-premises data center connected via ExpressRoute. They want to connect all VNets to each other and to the on-premises network securely over the Microsoft global backbone. They also want to simplify management by using a single orchestration interface. Which Azure service should they use?

A.Azure Virtual WAN
B.VNet peering
C.Azure VPN Gateway
D.Azure ExpressRoute
AnswerA

Virtual WAN provides a centralized hub-and-spoke architecture that connects VNets and branches over the Microsoft network, with simplified management and orchestration.

Why this answer

Azure Virtual WAN is correct because it provides a hub-and-spoke architecture that connects branch offices, VNets, and on-premises networks over the Microsoft global backbone. It offers a single orchestration interface for managing connectivity, routing, and security policies across multiple regions and ExpressRoute circuits, meeting the requirement for secure, global connectivity with simplified management.

Exam trap

The trap here is that candidates often confuse VNet peering (which is point-to-point) with the hub-and-spoke model of Virtual WAN, or assume ExpressRoute alone can connect multiple VNets, missing the requirement for a single orchestration interface and transitive routing across regions.

How to eliminate wrong answers

Option B (VNet peering) is wrong because each peering connects exactly two VNets and is not transitive; connecting many VNets across regions means a mesh of peerings or a hand-built hub with gateway transit and route tables, and there is no single orchestration interface for it. Option C (Azure VPN Gateway) is wrong because it creates site-to-site VPN tunnels over the public internet, not over the Microsoft global backbone, and does not offer a unified management interface for multiple VNets and ExpressRoute connections. Option D (Azure ExpressRoute) is wrong because it only provides a dedicated private connection from on-premises to Azure; it does not connect multiple VNets to each other or offer a single orchestration interface for managing inter-VNet and hybrid connectivity.

63
MCQmedium

You are designing a disaster recovery solution for a critical application hosted in Azure VMs. The primary region is East US. The application requires a recovery time objective (RTO) of 30 minutes and a recovery point objective (RPO) of 15 minutes. Which Azure service should you use to replicate the VMs?

A.Azure Front Door
B.Azure Backup
C.Azure Traffic Manager
D.Azure Site Recovery
AnswerD

Azure Site Recovery offers near-synchronous replication with low RPO and can meet the RTO with orchestrated failover.

Why this answer

Option D is correct because Azure Site Recovery replicates Azure VMs continuously to a secondary region with an RPO of minutes, comfortably inside 15 minutes, and with a tested recovery plan fails over well inside a 30-minute RTO. Option B is wrong because Azure Backup takes scheduled recovery points (daily by default, and at most every 4 hours with the enhanced policy), so its RPO exceeds 15 minutes. Option C is wrong because Azure Traffic Manager is for DNS traffic routing, not replication.

Option A is wrong because Azure Front Door is a global load balancer, not a replication service.

64
MCQeasy

A company needs to provide secure access to Azure resources for remote employees. They want to enforce multi-factor authentication and conditional access policies. The solution should not require a VPN connection. Which Azure service should they implement?

A.Microsoft Intune
B.Azure VPN Gateway
C.Azure Bastion
D.Microsoft Entra ID
AnswerD

Entra ID provides identity and access management with MFA and conditional access.

Why this answer

Microsoft Entra ID (formerly Azure AD) with Conditional Access and MFA provides secure, identity-based access to Azure resources without a VPN. Option B is wrong because Azure VPN Gateway requires a VPN connection. Option C is wrong because Azure Bastion is for RDP/SSH to VMs.

Option A is wrong because Microsoft Intune is for device management; it can feed device compliance into Conditional Access, but it does not itself enforce MFA or access policies.

65
MCQeasy

A company wants to implement a backup strategy for their Azure virtual machines. They need to retain backups for 7 years for compliance and ensure backups are encrypted at rest. Which solution should you recommend?

A.Azure Disk Snapshot with a lifecycle management policy.
B.Azure Backup with a vault configured for 7-year retention and encryption at rest.
C.Azure Files Backup to a Recovery Services vault.
D.Azure Site Recovery with custom retention policies.
AnswerB

Azure Backup supports long-term retention and encryption at rest.

Why this answer

Option B is correct because Azure Backup supports long-term retention (yearly recovery points can be kept for up to 99 years) and encrypts vault data at rest with Azure Storage Service Encryption, using platform-managed keys by default or customer-managed keys where required. Option D is wrong because Azure Site Recovery is for disaster recovery, not long-term backup. Option A is wrong because Azure Disk Snapshot does not support 7-year retention natively; snapshots are manual point-in-time copies with no retention policy of their own.

Option C is wrong because Azure Files Backup is for file shares, not VMs.

66
MCQeasy

A company wants to run a containerized application on Azure without managing virtual machines. They need automatic scaling, load balancing, and rolling updates. Which Azure compute service should they choose?

A.Azure Virtual Machine Scale Sets
B.Azure Kubernetes Service (AKS)
C.Azure App Service
D.Azure Container Instances
AnswerB

AKS offers full container orchestration with built-in scaling, load balancing, and rolling updates.

Why this answer

Azure Kubernetes Service (AKS) is the correct choice because it provides a fully managed Kubernetes orchestration platform that handles containerized applications with automatic scaling (via Horizontal Pod Autoscaler), built-in load balancing (via Azure Load Balancer integration), and rolling updates (via Kubernetes deployment strategies). This meets the requirement of running containers without managing VMs, as AKS abstracts the underlying node management.

Exam trap

The trap here is that candidates often confuse Azure Container Instances (ACI) as a full orchestration solution, but ACI lacks the automatic scaling, load balancing, and rolling update capabilities that AKS provides for multi-container applications.

How to eliminate wrong answers

Option A is wrong because Azure Virtual Machine Scale Sets require you to manage the VMs and the container runtime, and they do not natively provide container orchestration features such as rolling updates or service discovery. Option C is wrong because Azure App Service, although it can run custom containers (Web App for Containers), is a Platform-as-a-Service for web apps and APIs and does not provide Kubernetes-style orchestration such as pod-level scaling or rolling update strategies. Option D is wrong because Azure Container Instances (ACI) is a serverless container service that does not provide built-in orchestration for automatic scaling, load balancing across multiple containers, or rolling updates; it is intended for simple, single container group scenarios.

67
MCQmedium

A company is designing private access to a PaaS database from workloads in a VNet. The database should not be reachable over its public endpoint. What should be recommended?

A.A public IP address with NSG rules
B.A route table to the internet gateway
C.Private Endpoint with public network access disabled
D.Azure CDN endpoint
AnswerC

Private Endpoint exposes the PaaS resource through a private IP in the VNet and can be combined with disabling public access.

Why this answer

Private Endpoint with public network access disabled is the correct recommendation because it assigns a private IP address from the VNet to the PaaS database, making it accessible only over the private network. This eliminates exposure to the public internet by disabling the public endpoint, aligning with the requirement that the database should not be reachable over its public endpoint.

Exam trap

The trap here is that candidates may confuse Private Endpoint with Service Endpoint, but Service Endpoint does not remove the public endpoint and still allows internet-based access if the firewall permits it, whereas Private Endpoint with public access disabled fully isolates the resource.

How to eliminate wrong answers

Option A is wrong because a PaaS database's public endpoint does not live in your VNet, so an NSG cannot be applied to it; a public IP with NSG rules leaves the database reachable from the internet, subject only to the service's own firewall. Option B is wrong because a route table to the internet gateway directs traffic to the internet, which does not provide private access and would route traffic away from the private endpoint. Option D is wrong because an Azure CDN endpoint is a content delivery network for caching static content at edge locations, not a mechanism for private network access to a PaaS database.

68
Multi-Selecthard

Your organization is designing a data platform for real-time analytics on streaming data from IoT devices. The solution must ingest millions of events per second, process the data with low latency, and store results in a format optimized for analytical queries. Which THREE Azure services should you include in the design? (Choose THREE.)

Select 3 answers
A.Azure Event Hubs
B.Azure Stream Analytics
C.Azure Functions
D.Azure Synapse Analytics
E.Azure IoT Hub
AnswersA, B, D

Capable of ingesting millions of events per second.

Why this answer

Option A (Azure Event Hubs) is for high-throughput ingestion. Option B (Azure Stream Analytics) is for real-time processing. Option D (Azure Synapse Analytics) is for analytical storage and querying.

Option E (Azure IoT Hub) is set aside by the answer key as a device management service; note that it is built on Event Hubs and supports device-to-cloud ingestion at scale, but the question asks for the ingestion, processing and storage trio, and Event Hubs is the pure ingestion answer. Option C (Azure Functions) is for serverless compute, not stream processing at scale.

69
MCQeasy

A company deploys a web application on multiple Azure VMs. They need to distribute incoming HTTP traffic across the VMs, offload SSL/TLS termination, and maintain session persistence (sticky sessions) so that all requests from a user session go to the same backend VM. Which Azure load balancing solution should they use?

A.Azure Application Gateway
B.Azure Load Balancer
C.Azure Traffic Manager
D.Azure Front Door
AnswerA

Application Gateway is a layer-7 load balancer that supports SSL offloading, cookie-based session affinity (sticky sessions), and HTTP-based routing.

Why this answer

Azure Application Gateway is a Layer 7 load balancer that can route HTTP/HTTPS traffic, offload SSL/TLS termination, and support session persistence using cookie-based affinity. This makes it the correct choice for distributing incoming HTTP traffic across multiple VMs while maintaining sticky sessions and handling SSL termination at the gateway.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4) with Application Gateway (Layer 7), forgetting that SSL termination and cookie-based sticky sessions require Layer 7 capabilities, not just Layer 4 load balancing.

How to eliminate wrong answers

Option B is wrong because Azure Load Balancer operates at Layer 4 (TCP/UDP) and cannot perform SSL/TLS termination or HTTP-level session persistence; it only supports source IP affinity, which is not cookie-based sticky sessions. Option C is wrong because Azure Traffic Manager is a DNS-based global traffic router that does not handle SSL termination or session persistence; it directs traffic at the DNS level, not at the application layer. Option D is wrong because Azure Front Door is a global Layer 7 load balancer and CDN that can offload SSL and provide session affinity, but it is designed for global distribution across regions, not for distributing traffic within a single region to multiple VMs; using it for regional load balancing would introduce unnecessary latency and complexity.

70
MCQeasy

A company plans to deploy a web application on Azure VMs across multiple availability zones. They need to distribute incoming HTTP traffic across the VMs and provide health probes. Which Azure load balancing solution should they use?

A.Azure Load Balancer
B.Azure Application Gateway
C.Azure Traffic Manager
D.Azure Front Door
AnswerB

Application Gateway is a layer 7 load balancer that supports HTTP/HTTPS, health probes, SSL offloading, and can distribute traffic across VMs in availability zones.

Why this answer

Azure Application Gateway is the answer key's choice because it operates at Layer 7 (HTTP/HTTPS), providing application-level routing, SSL termination and HTTP health probes, and it can be deployed zone-redundant to distribute traffic across VMs in multiple availability zones.

Exam trap

The trap here is that candidates often conflate Azure Load Balancer (Layer 4) with Application Gateway (Layer 7); the exam reads "HTTP traffic" together with health probes as a Layer 7 requirement and expects the HTTP-aware service.

How to eliminate wrong answers

Option A is wrong by the answer key's reasoning because Azure Load Balancer operates at Layer 4 (TCP/UDP) and cannot perform application-level routing. Note, though, that a Standard Load Balancer is zone-redundant and does support HTTP and HTTPS health probes, so for plain HTTP distribution it is also a workable design; this question is easy to lose on wording alone. Option C is wrong because Azure Traffic Manager is a DNS-based global traffic load balancer that routes at the DNS level, not at the HTTP request level, and does not direct traffic to VMs across availability zones within a region. Option D is wrong because Azure Front Door is a global Layer 7 load balancer and application delivery network designed for multi-region scenarios, not for distributing HTTP traffic across VMs within a single region's availability zones.

71
Multi-Selecteasy

You need to design a solution to securely connect an on-premises data center to Azure for hybrid workloads. The connection must be private, use the internet for transport, and provide high availability. Which TWO Azure services should you consider? (Choose TWO.)

Select 2 answers
A.Azure Virtual WAN
B.Azure ExpressRoute
C.Azure VPN Gateway (Site-to-Site VPN)
D.Azure VPN Gateway (active-active mode)
E.Azure Bastion
AnswersC, D

Uses internet and can be configured for high availability with active-active tunnels.

Why this answer

Option C (Azure VPN Gateway, Site-to-Site VPN) uses IPsec/IKE tunnels over the internet, which is the transport the requirement names. Option D (Azure VPN Gateway in active-active mode) gives that connection high availability: two gateway instances, each with its own public IP, with tunnels from the on-premises device to both. Option B (Azure ExpressRoute) is private but does not use the internet.

Option A (Azure Virtual WAN) is a managed hub that still relies on VPN or ExpressRoute connections underneath. Option E (Azure Bastion) is for RDP/SSH access to VMs.

72
Drag & Dropmedium

Drag and drop the steps to set up Azure Private Link for an Azure SQL Database into the correct order.


Why this order

1) Create the private endpoint for the SQL server in the VNet. 2) Approve the connection if it is not auto-approved. 3) Configure DNS so the server's public name resolves to the private IP (a privatelink.database.windows.net zone linked to the VNet). 4) Test resolution and connectivity from inside the VNet. 5) Disable public network access last, so clients are never cut off before the private path is proven to work.
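The five steps in this order, as an added Azure CLI script that is not part of the original page, for an Azure SQL logical server (it also implements the recommendation in question 67): create the private endpoint, confirm or approve the connection, create the privatelink.database.windows.net zone and link it to the VNet, test resolution from inside the VNet, and only then disable public network access. Resource group, network and server names are placeholder assumptions; the group id sqlServer, the zone name and the az commands are real. The two helpers derive the privatelink name and classify the resolved address, which is the check a practitioner runs from a VM in the VNet before cutting public access.

```shell
#!/bin/sh
# Added example (not from the original page). Private Link for Azure SQL in the
# order the question lists. Names and addresses are placeholder assumptions.
set -eu

RG="rg-data"; LOCATION="eastus"
VNET="vnet-app"; SUBNET="snet-privatelink"
SERVER="sql-prod-01"                      # logical server name (assumption)
FQDN="$SERVER.database.windows.net"
ZONE="privatelink.database.windows.net"   # zone the public name CNAMEs into
PE="pe-$SERVER"

# "sql-prod-01.database.windows.net" -> "sql-prod-01.privatelink.database.windows.net":
# the name the public FQDN CNAMEs to once a private endpoint exists.
privatelink_fqdn() {
  host=${1%%.*}; domain=${1#*.}
  echo "$host.privatelink.$domain"
}

# RFC 1918 check for the address a VNet client resolves; anything else means
# the client is still being sent to the public endpoint.
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

step1_create_endpoint() {
  SQL_ID=$(az sql server show -g "$RG" -n "$SERVER" --query id -o tsv)
  az network private-endpoint create -g "$RG" -n "$PE" -l "$LOCATION" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$SQL_ID" --group-id sqlServer \
    --connection-name "$PE-conn"
}

step2_approve() {
  # Auto-approved when the creator has rights on the server; otherwise the
  # server owner approves any pending connection.
  SQL_ID=$(az sql server show -g "$RG" -n "$SERVER" --query id -o tsv)
  az network private-endpoint-connection list --id "$SQL_ID" \
    --query "[].{name:name,status:properties.privateLinkServiceConnectionState.status}" -o table
  for id in $(az network private-endpoint-connection list --id "$SQL_ID" \
      --query "[?properties.privateLinkServiceConnectionState.status=='Pending'].id" -o tsv); do
    az network private-endpoint-connection approve --id "$id" --description "Approved by platform team"
  done
}

step3_dns() {
  # Without this zone, VNet clients keep resolving the public IP.
  az network private-dns zone create -g "$RG" -n "$ZONE"
  az network private-dns link vnet create -g "$RG" -z "$ZONE" -n "link-$VNET" -v "$VNET" -e false
  az network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "$PE" \
    -n default --private-dns-zone "$ZONE" --zone-name sql
}

step4_test() {
  # The expected private IP comes from the endpoint's NIC; resolution must be
  # checked from inside the VNet (dig here assumes this script runs on such a VM).
  expected=$(az network private-endpoint show -g "$RG" -n "$PE" \
    --query "customDnsConfigs[0].ipAddresses[0]" -o tsv)
  resolved=$(dig +short "$FQDN" | tail -n 1)
  echo "expected $expected, resolved $resolved via $(privatelink_fqdn "$FQDN")"
  [ "$resolved" = "$expected" ] && is_private_ipv4 "$resolved"
}

step5_disable_public() {
  # Last, so nothing is cut off before private resolution is proven to work.
  az sql server update -g "$RG" -n "$SERVER" --public-network-access Disabled
}

if [ "${APPLY:-0}" = "1" ]; then
  step1_create_endpoint; step2_approve; step3_dns
  step4_test || { echo "private resolution failed; public access left enabled" >&2; exit 1; }
  step5_disable_public
else
  echo "$FQDN -> $(privatelink_fqdn "$FQDN") (run with APPLY=1 to deploy)"
fi
```

The order is the security-relevant part: step 5 only runs if step 4 proves that a VNet client resolves the server's public name to the endpoint's private address. Clients that use a DNS forwarder on-premises need that forwarder to send privatelink.database.windows.net queries to a resolver inside the VNet, otherwise they keep getting the public IP and break the moment public access is disabled.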

73
MCQeasy

A company deploys a web application across multiple Azure VMs in a single region. They want to distribute incoming HTTP traffic evenly across the VMs, offload SSL encryption, and provide a fixed public IP address for clients. Which Azure load balancing solution should they use?

A.Azure Application Gateway
B.Azure Load Balancer
C.Azure Traffic Manager
D.Azure Front Door
AnswerA

Azure Application Gateway is a layer 7 load balancer that provides SSL offloading, session persistence, and URL-based routing. It can distribute HTTP/HTTPS traffic across VMs and expose a fixed public IP address.

Why this answer

Azure Application Gateway is the correct choice because it is a Layer 7 load balancer that supports HTTP/HTTPS traffic, SSL termination, and cookie-based session affinity. It can distribute incoming HTTP traffic evenly across VMs, offload SSL encryption to reduce backend processing, and provide a fixed public IP address (VIP) for client access. This aligns with all three requirements: load balancing, SSL offload, and a static public IP.

Exam trap

The trap here is confusing Layer 4 (Azure Load Balancer) with Layer 7 (Application Gateway) capabilities, leading candidates to pick Azure Load Balancer because it is the default choice for distributing traffic across VMs, but it cannot offload SSL or handle HTTP-specific features like session affinity.

How to eliminate wrong answers

Option B (Azure Load Balancer) is wrong because it operates at Layer 4 (TCP/UDP) and cannot perform SSL termination or inspect HTTP traffic; it forwards packets without understanding application-layer protocols. Option C (Azure Traffic Manager) is wrong because it is a DNS-based traffic router that distributes traffic across regions, not within a single region; it hands clients a DNS name rather than a fixed public IP and does not offload SSL. Option D (Azure Front Door) is wrong because it is a global Layer 7 service designed for multi-region scenarios with WAF and acceleration features; its frontends are shared anycast addresses rather than a dedicated fixed public IP, and it is more than a single-region deployment needs.
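The Application Gateway design that questions 52, 55, 69, 70 and 73 keep returning to, as one added Azure CLI example that is not part of the original page: TLS termination at the gateway, cookie-based affinity, an HTTP health probe, a zone-redundant v2 deployment, a static public frontend plus a private frontend IP, and path-based routing of /api/* and /app/* to separate backend pools. Resource group, network, gateway and pool names, backend addresses and the PFX path are placeholder assumptions; the az commands and the object names the CLI creates by default (appGatewayHttpListener, appGatewayBackendHttpSettings, rule1) are real.

```shell
#!/bin/sh
# Added example (not from the original page). Builds an Application Gateway v2
# with TLS offload, cookie-based affinity, a health probe and URL path routing.
# Every name, address and the PFX file below is a placeholder assumption.
set -eu

RG="rg-web"; LOCATION="eastus"
VNET="vnet-web"; SUBNET="snet-appgw"          # subnet dedicated to the gateway
GW="agw-web"; PIP="pip-agw-web"
PRIVATE_FRONTEND_IP="10.0.1.10"               # private frontend for internal clients
CERT_PFX="${CERT_PFX:-./web.pfx}"             # server certificate for TLS termination
CERT_PASSWORD="${CERT_PASSWORD:-}"            # pass via the environment, never hard-code

# Routing intent, reviewable before anything is deployed. Application Gateway
# evaluates path rules in order and falls back to the path map's default pool.
pool_for_path() {
  case "$1" in
    /api/*) echo pool-api ;;
    /app/*) echo pool-app ;;
    *)      echo pool-app ;;   # default backend pool of the path map
  esac
}

deploy() {
  # v2 gateways need a Standard-SKU public IP; Static gives clients a fixed address.
  az network public-ip create -g "$RG" -n "$PIP" -l "$LOCATION" \
    --sku Standard --allocation-method Static --zones 1 2 3

  # HTTPS listener on 443 terminating TLS with the PFX, plain HTTP to backends,
  # cookie-based affinity on the default HTTP settings, zone-redundant instances.
  # Objects created here: appGatewayHttpListener, appGatewayBackendHttpSettings, rule1.
  az network application-gateway create -g "$RG" -n "$GW" -l "$LOCATION" \
    --sku Standard_v2 --capacity 2 --zones 1 2 3 \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --public-ip-address "$PIP" --private-ip-address "$PRIVATE_FRONTEND_IP" \
    --frontend-port 443 --cert-file "$CERT_PFX" --cert-password "$CERT_PASSWORD" \
    --http-settings-port 80 --http-settings-protocol Http \
    --http-settings-cookie-based-affinity Enabled \
    --servers 10.0.2.4 10.0.2.5 --priority 100

  # One pool per tier (placeholder VM addresses).
  az network application-gateway address-pool create -g "$RG" --gateway-name "$GW" \
    -n pool-api --servers 10.0.2.4 10.0.2.5
  az network application-gateway address-pool create -g "$RG" --gateway-name "$GW" \
    -n pool-app --servers 10.0.2.6 10.0.2.7

  # HTTP probe: a VM that fails 3 consecutive checks leaves rotation.
  az network application-gateway probe create -g "$RG" --gateway-name "$GW" -n probe-http \
    --protocol Http --path /healthz --host-name-from-http-settings true \
    --interval 30 --timeout 30 --threshold 3
  az network application-gateway http-settings update -g "$RG" --gateway-name "$GW" \
    -n appGatewayBackendHttpSettings --probe probe-http

  # Path map: /api/* -> pool-api, /app/* -> pool-app, anything else -> pool-app.
  az network application-gateway url-path-map create -g "$RG" --gateway-name "$GW" \
    -n pathmap-web --rule-name rule-api --paths "/api/*" --address-pool pool-api \
    --http-settings appGatewayBackendHttpSettings \
    --default-address-pool pool-app --default-http-settings appGatewayBackendHttpSettings
  az network application-gateway url-path-map rule create -g "$RG" --gateway-name "$GW" \
    --path-map-name pathmap-web -n rule-app --paths "/app/*" --address-pool pool-app \
    --http-settings appGatewayBackendHttpSettings

  # Convert the default rule on the HTTPS listener from Basic to PathBasedRouting.
  az network application-gateway rule update -g "$RG" --gateway-name "$GW" -n rule1 \
    --rule-type PathBasedRouting --url-path-map pathmap-web
}

# Side effects only on request; a plain run just shows the routing decisions.
if [ "${APPLY:-0}" = "1" ]; then
  deploy
else
  for p in /api/orders /app/index.html /; do
    printf '%s -> %s\n' "$p" "$(pool_for_path "$p")"
  done
fi
```

Run with APPLY=1 and CERT_PASSWORD set from a shell logged in with az login. Internal clients (question 52) use the private frontend address; this example keeps the public frontend as well, so check whether a private-only v2 gateway is available in your subscription before relying on one. Backend traffic is plain HTTP here because the gateway is the TLS boundary; switch the HTTP settings to Https with a trusted root certificate if the VMs must also be reached over TLS.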

74
MCQeasy

A company plans to migrate an on-premises application with strict low-latency requirements to Azure. The application must communicate with an Azure SQL Database. Which of the following is the best design to minimize latency?

A.Deploy the application in one region and Azure SQL Database in a different region, using Azure Traffic Manager.
B.Deploy the application on-premises and use a Point-to-Site VPN to connect to Azure SQL Database.
C.Deploy the application and Azure SQL Database in the same Azure region, and connect via Azure Private Link.
D.Deploy the application on-premises and use ExpressRoute to connect to Azure SQL Database.
AnswerC

Same region ensures low latency; Private Link provides private connectivity within Azure backbone.

Why this answer

Option C is correct because deploying the application and the database in the same region and connecting through Azure Private Link keeps traffic on the Microsoft backbone within one region, minimizing latency. Option D is wrong because ExpressRoute, although private and low-jitter, still carries every query from on-premises to the region, adding round-trip latency the same-region design avoids. Option A is wrong because placing the application and the database in different regions adds cross-region latency on every query, and Traffic Manager is a DNS router that does nothing for that path.

Option B is wrong because Point-to-Site VPN is intended for individual clients, not production application traffic, and adds both VPN and internet latency.

75
MCQmedium

A company is designing a disaster recovery solution for a critical application that runs on Azure VMs in a single region. The RTO is 4 hours, and the RPO is 1 hour. The application uses Azure SQL Database. The company wants to minimize the cost of the disaster recovery solution while meeting the RTO and RPO. You need to recommend a solution. What should you recommend?

A.Use Azure SQL Database active geo-replication for the database and Azure Backup for VMs.
B.Use Azure Backup to back up VMs and Azure SQL Database to a secondary region.
C.Use Azure Traffic Manager to distribute traffic to VMs in multiple regions and Azure SQL Database failover groups.
D.Use Azure Site Recovery to replicate VMs to a secondary region and Azure SQL Database geo-replication for the database.
AnswerD

Site Recovery meets RPO of 1 hour; geo-replication provides low RPO for SQL.

Why this answer

Option D is correct because Azure Site Recovery replicates the VMs to a secondary region with an RPO well under 1 hour, the secondary compute is billed only once you fail over, and Azure SQL Database active geo-replication keeps a readable secondary with an RPO of seconds. Option A is wrong because Azure Backup's recovery points for VMs (daily by default, at most every 4 hours with the enhanced policy) exceed the 1-hour RPO. Option B is wrong for the same VM RPO reason, and because Azure SQL Database is not backed up by Azure Backup; it relies on its own automatic backups, and geo-restore from those has an RPO of up to an hour and a far longer recovery time than failing over to a geo-replicated secondary.

Option C is wrong because running VMs in multiple regions behind Traffic Manager costs more than a cold standby, and Traffic Manager itself does not handle database failover; failover groups do, but the VM side of that design is not cost-minimized.
