CCNA Infrastructure Solutions Questions

75 of 292 questions · Page 3/4 · Infrastructure Solutions topic · Answers revealed

151
MCQ · hard

A manufacturing company is designing an IoT solution to monitor equipment in real-time. Thousands of sensors send telemetry data every second. The data must be ingested, processed, and stored for analysis. The solution must handle high throughput and provide low-latency analytics. Additionally, the company wants to use Azure Machine Learning to predict equipment failures based on historical data. You need to design a data pipeline that meets these requirements. What should you include in the design?

A. Use Azure IoT Hub to ingest data, Azure Stream Analytics for real-time processing, and Azure Blob Storage for long-term storage.
B. Use Azure IoT Hub to ingest data, Azure Cosmos DB for storage, and Azure Functions for processing.
C. Use Azure IoT Hub to ingest data, Azure Data Lake Storage for storage, and Azure Stream Analytics for processing.
D. Use Azure Event Hubs to ingest data, Azure Databricks for processing, and Azure Blob Storage for storage.
Answer: A

IoT Hub, Stream Analytics, and Blob Storage form a scalable real-time pipeline.

Why this answer

Option A is correct because Azure IoT Hub ingests sensor data, Azure Stream Analytics processes the stream in real time with low latency, and Azure Blob Storage stores the data for historical analysis. Option B is wrong because Azure Cosmos DB is a NoSQL database, and the primary processing should be done by Stream Analytics. Option C is wrong because Azure Data Lake Storage is built for big data analytics, not real-time processing.

Option D is wrong because Azure Event Hubs is for ingestion, but Azure Databricks is overkill for simple real-time analytics.

152
MCQ · medium

Your organization uses Microsoft Purview to govern data assets across Azure SQL Database, Azure Data Lake Storage, and on-premises SQL Server. You need to ensure that sensitive data such as credit card numbers is automatically detected and classified. What should you configure in Microsoft Purview?

A. Data share
B. Data catalog
C. Data lineage mapping
D. Data classification rules
Answer: D

Data classification rules automatically detect sensitive data using pattern matching.

Why this answer

Option D is correct because Microsoft Purview's data classification system uses built-in and custom classification rules to automatically detect sensitive data such as credit card numbers via pattern matching. Option A (Data share) is for sharing data, not classification. Option B (Data catalog) organizes metadata but still relies on manual or automated classification to detect sensitive data.

Option C (Data lineage mapping) tracks data movement, not classification.

153
MCQ · medium

Your company is deploying a web application on Azure App Service. The application must be able to read secrets from Azure Key Vault without storing credentials in application code. Which feature should you enable?

A. Key Vault access policies
B. Azure AD Application Registration with client secret
C. Managed Identity
D. App Service Authentication / Authorization
Answer: C

Managed Identity provides an automatically managed identity for the app to authenticate to Key Vault.

Why this answer

Option C is correct because Managed Identity allows the App Service to authenticate to Key Vault without storing credentials. Option A is wrong because Key Vault access policies are authorization, not authentication. Option B is wrong because Azure AD Application Registration requires a client secret to be stored by the application.

Option D is wrong because App Service Authentication / Authorization is for user authentication, not for the app's own access to Key Vault.

154
MCQ · medium

You are designing a solution to provide high availability for a critical application running on Azure Virtual Machines. The virtual machines must be placed on physically separate hardware and have guaranteed availability during Azure maintenance events. Which option meets these requirements?

A. Deploy VMs in an Availability Set
B. Deploy VMs in a Proximity Placement Group
C. Deploy VMs in different Availability Zones
D. Deploy VMs in a Virtual Machine Scale Set
Answer: C

Availability Zones are physically separate datacenters within a region, providing high availability.

Why this answer

Availability Zones provide physically separate locations within an Azure region, protecting against datacenter failures. Option A (Availability Set) spreads VMs across fault domains but not across separate physical facilities. Option B (Proximity Placement Group) is for low latency, not HA.

Option D (Virtual Machine Scale Set) is for auto-scaling, not high availability.

155
Multi-Select · medium

You are designing a solution to monitor a hybrid environment consisting of Azure VMs and on-premises servers. The solution must provide centralized log analytics, security threat detection, and the ability to run custom queries across all logs. Which TWO Azure services should you include? (Choose two.)

Select 2 answers
A. Azure Monitor Agent
B. Azure Log Analytics workspace
C. Microsoft Sentinel
D. Azure Arc
E. Azure Update Manager
Answers: B, C

Central log repository with KQL queries.

Why this answer

Options B and C are correct. Azure Log Analytics workspace is the central repository for logs and supports KQL queries. Microsoft Sentinel provides security threat detection and SIEM capabilities.

Option A is wrong because Azure Monitor Agent is a data collection mechanism, not a central analytics service. Option D is wrong because Azure Arc is for management, not log analytics. Option E is wrong because Azure Update Manager is for patching, not monitoring.

156
MCQ · hard

Your organization has a hybrid identity environment with Microsoft Entra ID (formerly Azure AD) and on-premises Active Directory. You need to design a solution that allows users to access cloud applications using their on-premises credentials, and also enables single sign-on (SSO) for legacy on-premises applications that do not support modern authentication protocols. What should you recommend?

A. Deploy Azure Active Directory Domain Services and domain-join the legacy application servers.
B. Use Azure Active Directory B2B collaboration for internal users.
C. Implement Azure AD Connect with password hash synchronization and Azure AD Application Proxy.
D. Configure Azure AD Seamless SSO and use Azure AD Connect with pass-through authentication.
Answer: C

Password hash sync enables cloud authentication; Application Proxy allows SSO to legacy apps.

Why this answer

Option C is correct because Azure AD Application Proxy provides SSO to legacy on-premises apps without modifying them, and Azure AD Connect with PHS enables cloud authentication with on-premises credentials. Option A (Azure AD DS) is for domain-joined VMs.

Option B (Azure AD B2B) is for external users. Option D (Azure AD Seamless SSO) only works for browser-based apps.

157
MCQ · hard

A global e-commerce company deploys its web application on Azure Kubernetes Service (AKS) clusters in multiple Azure regions. They need a single global endpoint for users, with SSL offloading, web application firewall (WAF) protection, and URL path-based routing to the nearest healthy AKS cluster. Which Azure service should they use?

A. Azure Front Door
B. Azure Traffic Manager
C. Azure Application Gateway
D. Azure Load Balancer
Answer: A

Front Door offers global load balancing, SSL offloading, WAF, and URL path-based routing. It can direct users to the nearest healthy backend using anycast and health probes.

Why this answer

Azure Front Door is the correct choice because it provides a single global endpoint with SSL offloading, WAF protection, and URL path-based routing. It uses Anycast-based routing to direct traffic to the nearest healthy AKS cluster, ensuring low latency and high availability across multiple regions.

Exam trap

The trap here is that candidates often confuse Azure Traffic Manager (DNS-level) with Azure Front Door (application-layer), overlooking the need for SSL offloading, WAF, and path-based routing that only Front Door provides.

How to eliminate wrong answers

Option B (Azure Traffic Manager) is wrong because it operates at the DNS level and does not support SSL offloading, WAF, or URL path-based routing; it only provides DNS-based traffic distribution. Option C (Azure Application Gateway) is wrong because it is a regional load balancer that cannot provide a single global endpoint across multiple Azure regions; it lacks global Anycast routing. Option D (Azure Load Balancer) is wrong because it operates at Layer 4 (TCP/UDP) and does not support SSL offloading, WAF, or URL path-based routing; it is designed for regional traffic distribution within a single region.

158
MCQ · hard

A company is deploying a multi-tier web application on Azure. The web tier must be accessible from the internet. The application tier and database tier must be isolated within the virtual network and not directly accessible from the internet. The solution must provide SSL termination, URL-based routing, and Web Application Firewall (WAF) capabilities. Which Azure service should they use to expose the web tier?

A. Azure Application Gateway
B. Azure Load Balancer
C. Azure Traffic Manager
D. Azure Front Door
Answer: A

Application Gateway offers layer-7 features including SSL termination, URL path-based routing, and integrated WAF.

Why this answer

Azure Application Gateway is a layer-7 load balancer that provides SSL termination, URL-based routing, and a built-in Web Application Firewall (WAF). It can expose the web tier to the internet while keeping the application and database tiers isolated within the virtual network, as it routes traffic to backend pools using HTTP/HTTPS rules without exposing those backends directly.

Exam trap

The trap here is that candidates often confuse Azure Front Door with Application Gateway because both offer layer-7 features, but Front Door is a global load balancer that does not provide VNet-level isolation for backends, whereas Application Gateway is regionally scoped and integrates directly with virtual networks for internal tier isolation.

How to eliminate wrong answers

Option B (Azure Load Balancer) is wrong because it operates at layer 4 (TCP/UDP) and cannot perform SSL termination, URL-based routing, or WAF capabilities. Option C (Azure Traffic Manager) is wrong because it is a DNS-based traffic router that directs traffic at the domain level, not a proxy or gateway; it does not terminate SSL, route based on URL paths, or provide WAF. Option D (Azure Front Door) is wrong because, although it offers SSL termination, URL-based routing, and WAF, it is a global, multi-region service designed for internet-facing applications at the edge; it does not isolate backends within a single virtual network and is not the correct choice for a single-region deployment requiring VNet integration for the application and database tiers.

159
Multi-Select · medium

Which TWO services should you use to design a highly available and scalable web application on Azure that runs on Linux containers and requires automatic scaling based on HTTP traffic? (Choose two.)

Select 2 answers
A. Azure Load Balancer
B. Azure Web App for Containers
C. Azure Application Gateway
D. Azure Kubernetes Service (AKS)
E. Azure Container Instances (ACI)
Answers: C, D

Application Gateway provides HTTP load balancing and can route to AKS.

Why this answer

C and D are correct. Azure Kubernetes Service (AKS) orchestrates containers and supports horizontal pod autoscaling based on HTTP traffic. Azure Application Gateway acts as an HTTP load balancer and can route traffic to AKS.

A is wrong because Azure Load Balancer is for TCP/UDP traffic, not HTTP-specific scaling. B is wrong because Azure Web App for Containers does not support automatic scaling based on HTTP traffic as granularly as AKS. E is wrong because Azure Container Instances is for simple container deployments without orchestration.

160
MCQ · easy

You need to design a virtual network architecture for a three-tier application in Azure. The web tier must be accessible from the internet, the application tier must only be accessible from the web tier, and the database tier must only be accessible from the application tier. Which combination of Azure services should you use?

A. Use Azure Front Door, service endpoints, and Azure SQL Database with firewall rules.
B. Use Azure Application Gateway with WAF, network security groups (NSGs) on subnets, and Azure Private Endpoints for the database.
C. Use Azure Load Balancer, Azure Firewall, and Azure SQL Database with public endpoint.
D. Use a single virtual network with three subnets, no NSGs, and Azure SQL Database with VNet injection.
Answer: B

Application Gateway provides internet-facing WAF and path-based routing; NSGs restrict traffic between tiers; Private Endpoints keep database traffic private.

Why this answer

Option B is correct because it uses Azure Application Gateway for inbound internet traffic with WAF, NSGs to restrict traffic between tiers, and Private Endpoints for database access. Option A is wrong because Azure Front Door is a global service, not for internal VNet traffic. Option C is wrong because Azure Load Balancer does not provide WAF or path-based routing.

Option D is wrong because subnets without NSGs leave the tiers unrestricted from one another, which violates the isolation requirement.

161
MCQ · medium

Refer to the exhibit. You run the Azure Resource Graph query shown. A colleague asks why the query returns no results even though there are VMs in the subscription. The VMs use managed disks with Premium_LRS. What is the most likely reason for the empty result set?

A. The storage account type is incorrectly specified; it should be 'Premium_ZRS'
B. The resource type string is case-sensitive; it should be 'Microsoft.Compute/virtualMachines'
C. The 'limit 10' clause restricts too many results; remove the limit
D. The 'name' property does not exist; use 'properties.name' instead
Answer: B

Azure Resource Graph queries are case-sensitive for resource type strings.

Why this answer

Option B is correct because the query specifies 'microsoft.compute/virtualmachines' (all lowercase), but the correct casing includes capital letters: 'Microsoft.Compute/virtualMachines'. Option A is wrong because Premium_LRS is a valid storage account type. Option C is wrong because the query limits to 10 results, which is fine.

Option D is wrong because the query does not filter by name.

162
MCQ · medium

Your organization has a containerized application running on Azure Kubernetes Service (AKS). You need to design a solution to securely store and manage secrets (e.g., database passwords, API keys) that the application consumes. The solution must integrate with AKS and support automatic rotation of secrets. What should you use?

A. Azure Key Vault with the Secrets Store CSI driver
B. Azure App Configuration
C. Azure Managed Identity
D. Azure Container Registry
Answer: A

Key Vault securely stores secrets; the CSI driver mounts them into AKS pods and supports rotation without pod restart.

Why this answer

Option A is correct because Azure Key Vault with the Secrets Store CSI driver integrates with AKS to mount secrets as volumes and supports rotation. Option B is wrong because Azure App Configuration stores configuration, not secrets, and does not support automatic rotation. Option C is wrong because Azure Managed Identity provides identity, not secret storage.

Option D is wrong because Azure Container Registry stores container images, not secrets.

163
MCQ · easy

A company deploys a stateless web application on Azure VMs in a single region. They need to distribute incoming HTTP traffic across multiple VMs and perform health checks. The solution should be highly available within the region. Which Azure load balancing solution should they use?

A. Azure Load Balancer (Standard) with HTTP health probe.
B. Azure Application Gateway v2.
C. Azure Traffic Manager.
D. Azure Front Door.
Answer: A

A Standard Load Balancer distributes incoming TCP traffic (HTTP uses TCP) across backend VMs. It supports HTTP health probes and availability zones, meeting the requirements for high availability within a region.

Why this answer

Azure Load Balancer (Standard) operates at Layer 4 (TCP/UDP) and can distribute HTTP traffic across VMs in a single region while performing health checks via HTTP health probes. It provides high availability within a region by distributing traffic across availability zones or availability sets, meeting the requirement for a stateless web application without needing Layer 7 features.

Exam trap

The trap here is that candidates often choose Azure Application Gateway v2 because they assume HTTP traffic requires a Layer 7 load balancer, but Azure Load Balancer can handle HTTP traffic at Layer 4 with HTTP health probes, making it the simpler and more cost-effective choice for a stateless web application within a single region.

How to eliminate wrong answers

Option B is wrong because Azure Application Gateway v2 is a Layer 7 load balancer with features like SSL termination, URL-based routing, and WAF, which are unnecessary for a stateless web application that only needs basic HTTP traffic distribution and health checks, adding cost and complexity. Option C is wrong because Azure Traffic Manager is a DNS-based global traffic routing solution that operates across regions, not within a single region, and does not perform health checks on individual VMs or distribute incoming HTTP traffic directly. Option D is wrong because Azure Front Door is a global Layer 7 load balancer and CDN that routes traffic across regions, not within a single region, and includes features like SSL offload and WAF that are not required for this scenario.

164
MCQ · hard

You are designing a hybrid identity solution for a company with 5,000 on-premises users. The company wants to use Microsoft Entra ID for single sign-on and self-service password reset. They also need to synchronize user passwords to the cloud. Which feature should you enable to ensure password changes on-premises are immediately propagated to Microsoft Entra ID?

A. Federation with AD FS
B. Pass-through Authentication
C. Password Hash Synchronization
D. Microsoft Entra Cloud Sync
Answer: C

Password Hash Sync syncs password changes on-premises to Microsoft Entra ID in near real-time.

Why this answer

Option C is correct because Password Hash Synchronization with Microsoft Entra Connect synchronizes password hashes and can be configured for immediate sync on change. Option A is wrong because Federation uses AD FS and does not sync passwords. Option B is wrong because Pass-through Authentication does not synchronize passwords.

Option D is wrong because Microsoft Entra Cloud Sync syncs objects, whereas the password sync required here is a feature of Microsoft Entra Connect.

165
MCQ · medium

Your company has an Azure subscription that contains several virtual machines (VMs) running Windows Server. You need to ensure that all VMs are compliant with a baseline security policy that includes specific registry key settings. The solution must automatically remediate non-compliant settings without manual intervention. What should you use?

A. Azure Automation State Configuration (DSC)
B. Azure Policy with Guest Configuration
C. Microsoft Defender for Cloud with custom recommendations
D. Microsoft Intune
Answer: B

Guest Configuration extends Azure Policy to audit and remediate settings inside VMs, including registry keys, with automatic remediation.

Why this answer

Azure Policy with guest configuration can audit and remediate settings inside VMs, including registry keys, using built-in or custom policies.

166
MCQ · medium

Your company is designing a multi-region disaster recovery solution for a mission-critical application using Azure SQL Database. The application requires read-scale in the secondary region and must support automatic failover with no data loss. Which Azure SQL Database offering should you recommend?

A. Azure SQL Managed Instance
B. Azure SQL Database Failover group
C. Azure SQL Database Hyperscale with named replicas
D. Azure SQL Database Single Database with active geo-replication
Answer: B

Failover groups provide automatic failover with no data loss and support a readable secondary region.

Why this answer

Option B is correct because failover groups provide automatic failover with no data loss and a readable secondary. Option C is incorrect because Azure SQL Database Hyperscale with named replicas can be used for read-scale in secondary regions, but it does not fail over automatically. Option D is incorrect because Azure SQL Database Single Database with active geo-replication supports up to four readable secondaries but does not provide automatic failover without additional configuration.

Option A is incorrect because Azure SQL Managed Instance has limited geo-replication capabilities and does not support automatic failover with no data loss.

167
Multi-Select · hard

Your company plans to migrate a large number of on-premises virtual machines to Azure. You need to assess the current environment and migrate the workloads with minimal downtime. Which THREE Azure services or tools should you use? (Choose three.)

Select 3 answers
A. Azure App Service
B. Azure Import/Export Service
C. Azure Data Box
D. Azure Site Recovery
E. Azure Migrate
Answers: C, D, E

Data Box is used for large offline data transfers when network bandwidth is limited.

Why this answer

Options C, D, and E are correct. Azure Migrate provides discovery and assessment. Azure Site Recovery performs replication and migration.

Azure Data Box is for offline data transfer. Option A is wrong because Azure App Service is for web apps. Option B is wrong because Azure Import/Export is for physical disk shipping, not VM migration.

168
MCQ · easy

A government agency is designing a solution to store sensitive citizen data. The data must be encrypted at rest and in transit. The agency requires that the encryption keys be managed by the agency and stored in a hardware security module (HSM). Additionally, the solution must comply with regulatory requirements that mandate customer-managed keys. You need to recommend a key management solution. What should you recommend?

A. Use Azure Key Vault Standard with software-protected keys.
B. Use Microsoft Purview to manage keys and compliance.
C. Use Azure Information Protection with a custom protection template.
D. Use Azure Key Vault Managed HSM with FIPS 140-2 Level 3 validated HSMs.
Answer: D

Managed HSM provides customer-managed keys in dedicated HSMs.

Why this answer

Option D is correct because Azure Key Vault Managed HSM provides FIPS 140-2 Level 3 validated HSMs, allowing customers to manage their own keys in a dedicated HSM. Option A is wrong because Azure Key Vault Standard uses software-backed keys, not HSM. Option C is wrong because Azure Information Protection is for classification and labeling, not key management.

Option B is wrong because Microsoft Purview is for data governance, not key management.

169
MCQ · easy

Your company is migrating on-premises virtual machines to Azure. You need to assess the current environment and get a cost estimate for Azure. Which tool should you use?

A. Azure Cost Management
B. Azure Migrate
C. Azure Monitor
D. Azure Advisor
Answer: B

Azure Migrate discovers on-premises servers, assesses readiness, and provides cost estimates.

Why this answer

Azure Migrate provides assessment and migration capabilities for on-premises workloads to Azure. Option A (Azure Cost Management) is for cost analysis after migration. Option D (Azure Advisor) gives optimization recommendations after deployment.

Option C (Azure Monitor) is for monitoring, not assessment.

170
MCQ · medium

A company has an Azure SQL Database that they need to access from an on-premises data center over ExpressRoute. They want to use a private IP address to connect to the database, ensuring traffic never traverses the public internet. Which Azure service should they use?

A. Azure Private Link
B. Azure Service Endpoints
C. Azure VPN Gateway
D. Azure Front Door
Answer: A

Private Link creates a private endpoint with a private IP, ensuring traffic stays within Microsoft's backbone.

Why this answer

Azure Private Link allows you to access Azure SQL Database over a private endpoint within your virtual network, using a private IP address. When combined with ExpressRoute, traffic from your on-premises data center to the database traverses the Microsoft backbone network and never touches the public internet, meeting the requirement for a private, secure connection.

Exam trap

The trap here is confusing Azure Service Endpoints with Private Link: both keep traffic on the Azure backbone, but only Private Link provides a private IP address and removes exposure to the public endpoint, which is the key requirement in this scenario.

How to eliminate wrong answers

Option B (Azure Service Endpoints) is wrong because service endpoints expose the Azure SQL Database to the internet via its public endpoint, even though traffic is routed over the Azure backbone; the connection still resolves to a public IP and is not a private IP address. Option C (Azure VPN Gateway) is wrong because it creates an encrypted tunnel over the public internet, which does not guarantee that traffic never traverses the public internet—it still uses internet routing between the VPN gateway and the on-premises device. Option D (Azure Front Door) is wrong because it is a global load balancer and application delivery service that operates over the public internet, using public endpoints and not providing private IP connectivity to Azure SQL Database.

171
MCQ · hard

You are designing a network architecture for a three-tier application hosted in Azure. The front-end tier must be accessible from the internet, the business tier must only communicate with the front-end tier, and the data tier must only communicate with the business tier. You need to minimize exposure and use Azure-native services. Which combination of services should you use?

A. Azure Load Balancer for front-end, NSGs on subnets, and VNet peering
B. VPN Gateway for front-end, NSGs on subnets, and private endpoints
C. Azure Application Gateway with WAF for front-end, NSGs on subnets, and service endpoints
D. Azure Firewall for all inbound traffic, NSGs on subnets, and VNet peering
Answer: C

Application Gateway provides HTTP/HTTPS load balancing and WAF. NSGs control traffic between tiers.

Why this answer

Azure Application Gateway with WAF provides an internet-facing front end with a web application firewall. Network Security Groups (NSGs) on subnets restrict traffic between tiers. Option A (Azure Load Balancer) lacks WAF.

Option B (VPN Gateway) is for on-premises connectivity, not internal isolation. Option D (Azure Firewall) is overkill for simple tier isolation.

172
Multi-Select · easy

A company is planning to migrate on-premises SQL Server databases to Azure. They want to minimize administrative overhead and ensure high availability with automatic failover. Which TWO Azure SQL deployment options should they consider?

Select 2 answers
A. Azure SQL Database (single database)
B. SQL Server on Azure VMs
C. SQL Server Stretch Database
D. Azure SQL Database Managed Instance
E. Azure Synapse Analytics
Answers: A, D

Built-in high availability with automatic failover.

Why this answer

Options A and D are correct. Azure SQL Database Managed Instance provides high availability with automatic failover and reduces administrative overhead. Azure SQL Database (single database) also provides built-in high availability.

Option B is incorrect because SQL Server on Azure VMs requires manual administration. Option C is incorrect because SQL Server Stretch Database is for archiving. Option E is incorrect because Azure Synapse Analytics is for data warehousing.

173
MCQ · hard

Your organization is designing a solution to capture and analyze IoT data from millions of devices. The solution must ingest data at high velocity, store the data for long-term analytics, and provide real-time dashboards. Which combination of Azure services should you recommend?

A. Azure Event Hubs, Azure Data Lake Storage, and Azure Stream Analytics
B. Azure Service Bus, Azure SQL Database, and Power BI
C. Azure Cosmos DB, Azure Data Explorer, and Azure Logic Apps
D. Azure IoT Hub, Azure Blob Storage, and Azure Functions
Answer: A

Event Hubs ingests high-velocity data, Data Lake Storage stores data for long-term analytics, and Stream Analytics provides real-time dashboards.

Why this answer

Option A is correct because Azure Event Hubs ingests high-velocity data, Azure Data Lake Storage stores data for long-term analytics, and Azure Stream Analytics provides real-time processing and dashboards. Option B is incorrect because Azure Service Bus is for messaging, not high-velocity ingestion. Option C is incorrect because Azure Cosmos DB is for operational workloads, not long-term analytics.

Option D is incorrect because Azure IoT Hub is for device management and telemetry, but it is not optimized for high-velocity ingestion from millions of devices.

174
MCQ · hard

You are designing a landing zone in Azure for a regulated financial services company. They require that all storage accounts be restricted to specific virtual networks and have encryption using customer-managed keys (CMK). Additionally, they want to ensure that any storage account creation outside of the approved network boundaries is prevented. Which combination of Azure Policy and Network Security controls should you recommend?

A. Use Azure Policy to enforce service endpoints on storage accounts and deny creation if not present, along with a policy requiring CMK encryption.
B. Use Azure Policy to require storage account encryption with CMK, and use network security groups (NSGs) to restrict storage account access to specific subnets.
C. Deploy Azure Firewall in the hub virtual network and configure application rules to allow only approved storage accounts.
D. Use Azure Policy to require storage accounts to use private endpoints, and use Azure Private Link to restrict access from specific virtual networks.
Answer: A

Azure Policy can enforce both network restrictions (via service endpoints) and CMK encryption. Deny policy prevents creation outside approved boundaries.

Why this answer

Option A is correct because Azure Policy can enforce service endpoints on storage accounts, deny creation when the required network configuration is not present, and separately require CMK encryption. Network security groups alone cannot enforce encryption or creation policies. Option B is wrong because NSGs are not used for storage account access control.

Option C is wrong because Azure Firewall is for outbound traffic, not storage access control. Option D is wrong because, although Private Endpoint is the recommended approach for private connectivity, service endpoints can also be enforced with policies, and the question requires enforcement of both network restrictions and CMK, which Azure Policy provides.

175
MCQ · easy

Your company has Azure virtual machines running a critical application. You need to back up these VMs daily and retain backups for 7 years. The solution must be cost-effective and support application-consistent backups. What should you use?

A. Azure Backup
B. Azure Files backup
C. Azure Site Recovery
D. Azure VM snapshots stored in Azure Storage
Answer: A

Supports daily backup, long-term retention, and application-consistent backups.

Why this answer

Option A is correct because Azure Backup supports daily backup, long-term retention (up to 99 years), and application-consistent backups via VSS. Option C is wrong because Azure Site Recovery is for disaster recovery, not backup. Option D is wrong because Azure VM snapshots are not managed backups.

Option B is wrong because Azure Files backup is for file shares, not VM backup.

176
MCQ · medium

A company plans to deploy multiple virtual machines (VMs) across two Azure regions for high availability. The VMs will host a stateless web application that must be accessible via a single DNS endpoint. The solution must automatically route traffic to the nearest region with available capacity and provide failover if a region becomes unhealthy. Which Azure service should they use to meet these requirements?

A.Azure Traffic Manager
B.Azure Front Door
C.Azure Load Balancer
D.Azure Application Gateway
AnswerA

Traffic Manager uses DNS to route users to the nearest or best-performing region and supports automatic failover when an endpoint becomes unhealthy.

Why this answer

Azure Traffic Manager is a DNS-based traffic load balancer that distributes traffic to the nearest region with available capacity using the Performance traffic-routing method, and it automatically fails over to the next healthy endpoint when a region becomes unhealthy. It operates at the DNS level, returning the appropriate endpoint IP based on the client's DNS resolver location and endpoint health probes, making it ideal for stateless web applications requiring a single DNS endpoint across regions.

Exam trap

The trap here is that candidates often confuse Azure Front Door (Layer 7, HTTP/HTTPS) with Traffic Manager (DNS-based, any protocol), but the requirement for a single DNS endpoint and region-level failover without specifying HTTP makes Traffic Manager the correct choice.

How to eliminate wrong answers

Option B (Azure Front Door) is wrong because it is an HTTP/HTTPS application delivery controller that provides global load balancing with SSL offload and path-based routing, but it operates at Layer 7 and requires HTTP traffic, whereas the question does not specify HTTP-only traffic and Traffic Manager works at DNS level for any protocol. Option C (Azure Load Balancer) is wrong because it operates at Layer 4 and distributes traffic only within a single region, not across multiple Azure regions. Option D (Azure Application Gateway) is wrong because it is a regional Layer 7 load balancer with HTTP/HTTPS features and cannot route traffic across multiple regions or provide global failover.

177
MCQeasy

A company is deploying a multi-tier web application on Azure VMs. The web tier must be accessible from the internet, while the application and database tiers must be isolated within the virtual network. The solution must provide SSL termination, web application firewall (WAF) capabilities, and URL-based routing. Which Azure service should they use to expose the web tier?

A.Use an Azure Load Balancer and configure NSGs on each subnet.
B.Use Azure Firewall to inspect all traffic and allow internet traffic to the web tier.
C.Use Azure Application Gateway with WAF, and configure NSGs to restrict traffic between tiers.
D.Use Azure Front Door to expose the web tier and NSGs for internal isolation.
AnswerC

Application Gateway provides SSL termination, WAF, and URL routing. NSGs on subnets can enforce isolation by allowing only necessary traffic (e.g., only web tier to app tier on specific ports).

Why this answer

Azure Application Gateway is a Layer 7 load balancer that provides SSL termination, a web application firewall (WAF), and URL-based routing, making it ideal for exposing a web tier to the internet. By placing the gateway in front of the web tier and configuring network security groups (NSGs) on the application and database subnets, you can isolate internal tiers while meeting all stated requirements.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4) with Application Gateway (Layer 7), assuming a basic load balancer can handle SSL termination and WAF, when in fact those features require Layer 7 capabilities.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer operates at Layer 4 and cannot perform SSL termination, WAF inspection, or URL-based routing; it only distributes traffic based on IP and port. Option B is wrong because Azure Firewall is a stateful Layer 3/4 firewall that does not provide SSL termination or URL-based routing, and it is not designed to act as a reverse proxy for web tiers. Option D is wrong because Azure Front Door is a global Layer 7 service that excels at CDN and cross-region routing but does not natively support URL-based routing within a single virtual network; it is typically used for global load balancing, not for internal tier isolation with NSGs.

178
MCQmedium

Your company has a multi-region Azure deployment with virtual networks in East US and West Europe connected via a hub-and-spoke topology. You need to ensure that all traffic between the spokes is routed through a centralized firewall in the hub. The hub uses Azure Firewall. Currently, spoke-to-spoke traffic is not being inspected. What should you configure?

A.Use Azure Firewall Manager to enforce routing by adding route tables to the spoke subnets with a default route to the firewall.
B.Apply NSG rules to block direct spoke-to-spoke traffic.
C.Configure VNet peering between all spokes.
D.Deploy VPN gateways in each spoke and configure site-to-site VPNs.
AnswerA

This forces all inter-spoke traffic through the firewall for inspection.

Why this answer

Option A is correct because you need to add route tables to the spoke subnets with a default route (0.0.0.0/0) to the Azure Firewall private IP to force all traffic through the firewall; Azure Firewall Manager can push these routes automatically. Option C is wrong because peering alone does not force routing through the firewall.

Option D is wrong because VPN gateways are not required for this purpose. Option B is wrong because NSGs do not route traffic; they filter.

179
MCQhard

You are designing a logging and monitoring solution for a multi-region application. The application is deployed in three Azure regions. Security requirements mandate that all authentication and authorization logs be retained for 7 years. Logs must be queryable centrally from a single location. What is the most cost-effective way to meet these requirements?

A.Deploy a Log Analytics workspace per region, set retention to 7 years, and use cross-workspace queries from a central Log Analytics workspace or Azure Sentinel.
B.Use Azure Storage Analytics logs and store them in a geo-redundant storage account in each region.
C.Use Azure Event Hubs to collect logs from all regions and stream them to a Log Analytics workspace in a central region.
D.Deploy a single Log Analytics workspace in one region and configure all VMs to send logs to it.
AnswerA

Workspaces per region reduce data transfer costs and avoid a single point of failure; cross-workspace queries provide centralized querying.

Why this answer

Option A is correct because Azure Monitor Log Analytics workspaces can be deployed in each region and then queried together using cross-workspace queries in the Azure Portal or from Azure Sentinel. Option D is wrong because a Log Analytics workspace can retain logs for 7 years with retention settings, but using a single workspace for all regions introduces latency and potential data loss if that region fails. Option C is wrong because Event Hubs is for real-time streaming, not long-term retention.

Option B is wrong because Storage Analytics is for storage accounts only.

180
MCQmedium

Your company has an Azure subscription that contains a hub virtual network and multiple spoke virtual networks connected via VNet peering. You need to ensure that all traffic between spokes is routed through a network virtual appliance (NVA) in the hub. The NVA is configured with IP forwarding enabled. What should you configure in the spoke virtual networks?

A.Deploy a VPN gateway in each spoke and configure site-to-site VPNs.
B.Configure NSG rules to block direct spoke-to-spoke traffic.
C.Add route tables to the spoke subnets with a default route (0.0.0.0/0) pointing to the NVA's private IP.
D.Enable BGP on the VNet peerings.
AnswerC

This forces all outbound traffic from spokes to go through the NVA.

Why this answer

Option C is correct because user-defined routes (UDRs) in the spoke subnets with the NVA's private IP address as the next hop force traffic through the NVA. Option D is wrong because BGP alone is not sufficient without route tables. Option A is wrong because VPN gateways are not needed.

Option B is wrong because NSGs do not route.

181
MCQeasy

A company has multiple Azure virtual networks (VNets) in different regions. They want to connect all VNets to each other securely over the Microsoft backbone network, and also connect to their on-premises data center via ExpressRoute. What is the simplest Azure solution to enable connectivity between all VNets and on-premises?

A.Azure Virtual WAN
B.VNet peering
C.ExpressRoute
D.VPN Gateway
AnswerA

Azure Virtual WAN provides a centralized hub that connects VNets, VPN sites, and ExpressRoute circuits. It automatically sets up transitive routing between all connected VNets and on-premises, simplifying management.

Why this answer

Azure Virtual WAN is the simplest solution because it provides a hub-and-spoke architecture that automatically connects all VNets and on-premises sites over the Microsoft backbone network. It natively integrates ExpressRoute and VPN gateways into a single managed service, eliminating the need to manually configure multiple peering or gateway connections.

Exam trap

The trap here is that candidates often assume VNet peering or a single ExpressRoute circuit can provide transitive connectivity between all VNets and on-premises, but they forget that VNet peering is non-transitive and ExpressRoute alone does not route between VNets without additional gateways or a hub.

How to eliminate wrong answers

Option B (VNet peering) is wrong because it only connects two VNets directly and does not provide transitive routing; to connect multiple VNets and on-premises, you would need a mesh of peerings and a gateway in each VNet, which is complex and not scalable. Option C (ExpressRoute) is wrong because it only connects on-premises to Azure, not VNets to each other; it requires additional gateways or peering to enable inter-VNet connectivity. Option D (VPN Gateway) is wrong because it only provides site-to-site VPN connectivity to on-premises, not transitive routing between VNets; you would need multiple VPN gateways and complex routing to connect all VNets.

182
MCQmedium

A company has Azure virtual networks (VNets) in three different Azure regions and an on-premises data center connected via ExpressRoute. They need to connect all VNets to each other and to on-premises over the Microsoft global backbone. They also require centralized management of routing and the ability to enforce security policies such as forced tunneling for internet-bound traffic. Which Azure service should they use?

A.Azure Virtual Network Manager
B.Azure Virtual WAN
C.Azure Firewall
D.Azure Route Server
AnswerB

Azure Virtual WAN creates a hub-and-spoke architecture with a virtual hub in each region. It provides transit connectivity between VNets and on-premises, supports forced tunneling, and offers centralized policy management.

Why this answer

Azure Virtual WAN is the correct choice because it provides a hub-and-spoke architecture that connects VNets across regions and on-premises via the Microsoft global backbone, with built-in centralized routing management and the ability to enforce security policies like forced tunneling through integrated Azure Firewall or third-party NVAs. It meets all requirements: multi-region VNet connectivity, ExpressRoute integration, and centralized policy control.

Exam trap

The trap here is that candidates often confuse Azure Virtual Network Manager (a connectivity configuration tool) with Azure Virtual WAN (a full SD-WAN solution), overlooking that Virtual WAN provides the actual routing, global transit, and integrated security enforcement required for multi-region and hybrid connectivity.

How to eliminate wrong answers

Option A is wrong because Azure Virtual Network Manager manages network group membership and connectivity configurations (like mesh or hub-and-spoke) but does not provide built-in routing management, forced tunneling, or direct integration with ExpressRoute for global backbone connectivity. Option C is wrong because Azure Firewall is a stateful firewall service that enforces security policies and forced tunneling, but it does not provide the underlying connectivity between VNets and on-premises or centralized routing management across regions. Option D is wrong because Azure Route Server enables dynamic route exchange between NVAs and Azure VNets but does not provide the global connectivity fabric, centralized routing management, or forced tunneling enforcement required for multi-region and on-premises integration.

183
MCQmedium

A company deploys a web application on Azure VMs across multiple availability zones in the East US region. They need to distribute incoming HTTPS traffic across the VMs, offload SSL termination, and ensure that client requests from the same user session are sent to the same backend VM (session persistence). Which Azure load balancing solution should they choose?

A.Azure Application Gateway v2 with cookie-based affinity
B.Azure Load Balancer Standard with source IP affinity
C.Azure Traffic Manager with performance routing
D.Azure Front Door with session affinity
AnswerA

Application Gateway is a layer-7 load balancer that provides SSL offload, cookie-based session affinity, and can distribute traffic across VMs in different availability zones.

Why this answer

Azure Application Gateway v2 is the correct choice because it is a Layer 7 load balancer that can offload SSL termination, distribute HTTPS traffic, and support cookie-based session affinity (also known as sticky sessions). Cookie-based affinity ensures that all requests from the same user session are routed to the same backend VM by injecting an Application Gateway-managed cookie into the client's response. This meets all three requirements: HTTPS traffic distribution, SSL offloading, and session persistence.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4) with Application Gateway (Layer 7), assuming that 'session persistence' alone is enough, but they overlook the explicit requirement for SSL termination, which only a Layer 7 solution like Application Gateway can provide.

How to eliminate wrong answers

Option B is wrong because Azure Load Balancer Standard operates at Layer 4 (TCP/UDP) and cannot offload SSL termination; it also supports source IP affinity for session persistence, but that is not cookie-based and does not handle HTTPS termination. Option C is wrong because Azure Traffic Manager is a DNS-level traffic router that does not perform SSL termination or session persistence; it only directs traffic based on routing methods like performance, priority, or geographic, and does not inspect HTTP/HTTPS payloads. Option D is wrong because Azure Front Door does support session affinity and SSL offloading, but it is a global load balancer and CDN service designed for multi-region distribution, not for distributing traffic across VMs within a single Azure region (East US) across availability zones; it adds unnecessary latency and complexity for a regional-only deployment.

184
MCQhard

You are designing a governance strategy for multiple Azure subscriptions. You need to ensure that all resources in a specific subscription are deployed only in the West US region. Additionally, any new resource group must contain a tag named 'Environment' with a value of 'Production'. What combination of Azure Policy initiatives should you assign?

A.Assign the 'Allowed Locations' policy to the management group and the 'Require a tag on resource groups' policy to the subscription
B.Assign the 'Allowed Locations' policy and the 'Require a tag on resource groups' policy to the subscription
C.Assign the 'Allowed Locations' policy to the subscription and the 'Inherit a tag from the resource group' policy to the management group
D.Assign a single Azure Policy definition that includes both the allowed location and require tag effects
AnswerB

These two policies together enforce the location restriction and the required tag on resource groups.

Why this answer

You need two policy definitions: one to restrict allowed locations and one to require a tag on resource groups. Assigning both policies to the subscription (Option B) meets the requirements. Option D (a single policy definition with both effects) is not possible.

Option C uses the 'Inherit a tag from the resource group' policy, which propagates a tag rather than enforcing one. Option A assigns 'Allowed Locations' at the management group, which is not specific to the subscription.

185
MCQhard

A company has multiple Azure virtual networks (VNets) in different regions and an on-premises data center. They need to implement a hub-and-spoke topology where the hub VNet hosts shared services like firewalls and DNS. All traffic between spokes, and between spokes and on-premises, must be routed through the hub for inspection. Additionally, spoke VNets must not be able to directly communicate with each other. Which Azure networking solution should they implement to meet these requirements with minimal administrative overhead?

A.VNet peering with user-defined routes (UDRs) and network virtual appliances (NVAs)
B.Azure Virtual WAN with routing policies
C.Azure VPN Gateway with route-based VPN
D.Azure ExpressRoute with private peering
AnswerB

Azure Virtual WAN provides a centralized hub that connects all spoke VNets and on-premises networks. Routing policies can force traffic through NVAs and block direct spoke-to-spoke routing, all managed with built-in features and minimal overhead.

Why this answer

Azure Virtual WAN with routing policies is the correct choice because it provides a managed hub-and-spoke topology that automatically routes all traffic between spokes and on-premises through the hub for inspection, without requiring manual user-defined routes (UDRs) or complex peering configurations. It enforces spoke isolation by default and integrates with network virtual appliances (NVAs) for traffic inspection, minimizing administrative overhead through centralized routing policies.

Exam trap

The trap here is that candidates often choose VNet peering with UDRs (Option A) because it seems familiar and technically capable, but they overlook the 'minimal administrative overhead' requirement, which Azure Virtual WAN explicitly addresses by automating routing and isolation.

How to eliminate wrong answers

Option A is wrong because VNet peering with UDRs and NVAs requires manual configuration of UDRs for each spoke and on-premises connection, and does not natively enforce spoke isolation without additional NSG rules or complex routing, leading to higher administrative overhead. Option C is wrong because Azure VPN Gateway with route-based VPN only provides site-to-site connectivity between on-premises and Azure, not a hub-and-spoke topology with spoke isolation and forced tunneling through a hub. Option D is wrong because Azure ExpressRoute with private peering provides dedicated private connectivity to on-premises but does not inherently create a hub-and-spoke topology or enforce traffic routing through a hub for inspection between spokes.

186
Multi-Selectmedium

Which TWO Azure services can be used to provide a fully managed DNS solution that supports custom domains and DNSSEC?

Select 1 answer
A.Azure Front Door
B.Azure DNS
C.Azure Traffic Manager
D.Azure App Service
E.Azure Public IP address
AnswersB

Azure DNS is a fully managed DNS service that supports DNSSEC and custom domains.

Why this answer

Azure DNS provides managed DNS with DNSSEC support (if enabled for certain zones). Azure Traffic Manager uses DNS to route traffic but does not manage DNS zones directly. Azure Front Door uses custom domains but does not provide DNS hosting or DNSSEC.

Azure App Service provides custom domains but not DNS management. Azure Public IP does not provide DNS. Therefore, only Azure DNS supports DNSSEC and custom domains.

187
MCQmedium

Your company plans to migrate on-premises file servers to Azure. The solution must support SMB protocol and integrate with Microsoft Entra ID for authentication. You need to choose a service that provides fully managed file shares accessible from multiple Azure regions. Which Azure service should you use?

A.Azure Disk Storage
B.Azure Files
C.Azure NetApp Files
D.Azure Blob Storage
AnswerB

Azure Files provides fully managed SMB file shares with Microsoft Entra ID integration and multi-region access.

Why this answer

Option B is correct because Azure Files offers fully managed SMB file shares that can be accessed from multiple regions using Azure File Sync or through public endpoints, and it supports Microsoft Entra ID authentication. Option C (Azure NetApp Files) is for high-performance NFS/SMB but is more expensive.

Option D (Azure Blob Storage) does not support SMB natively (only NFS for premium). Option A (Azure Disk Storage) is for VM disks, not file shares.

188
MCQeasy

A company deploys a web application on Azure VMs. They need to distribute incoming HTTP and HTTPS traffic based on the URL path: requests to /api/* go to one VM pool, requests to /images/* go to another pool. They also need to offload SSL/TLS termination. Which Azure load balancing solution should they use?

A.Azure Load Balancer
B.Azure Application Gateway
C.Azure Traffic Manager
D.Azure Front Door
AnswerB

Application Gateway is a Layer 7 web traffic load balancer that provides URL path-based routing, SSL termination, and session persistence.

Why this answer

Azure Application Gateway is a layer-7 load balancer that can route traffic based on URL path (e.g., /api/* vs /images/*) and provides SSL/TLS termination at the gateway, offloading the decryption from the backend VMs. This matches both requirements exactly, whereas other solutions either lack layer-7 path-based routing or are designed for global traffic distribution.

Exam trap

The trap here is that candidates often confuse Azure Application Gateway (regional layer-7 routing) with Azure Front Door (global layer-7 routing) or Azure Load Balancer (layer-4), failing to recognize that only Application Gateway provides both URL path-based routing and SSL termination for a single-region deployment.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer operates at layer 4 (TCP/UDP) and cannot route based on URL path or perform SSL/TLS termination; it only distributes traffic by IP and port. Option C is wrong because Azure Traffic Manager is a DNS-based global traffic load balancer that routes based on DNS queries, not URL paths, and does not offload SSL/TLS termination. Option D is wrong because Azure Front Door is a global layer-7 service that can route by URL path and offload SSL, but it is designed for global distribution across regions, not for routing within a single region to VM pools; Application Gateway is the correct regional solution for this scenario.

189
MCQhard

You are designing a backup strategy for Azure VMs running critical business applications. The solution must support application-consistent backups and allow for restoration to a different region. Which Azure service and configuration should you use?

A.Azure Backup with application-consistent backup policy and geo-redundant storage
B.Azure Disk Encryption with Azure Backup
C.Azure Snapshot with cross-region copy
D.Azure Site Recovery with replication to secondary region
AnswerA

Azure Backup supports application-consistent VSS backups and geo-restore to paired regions.

Why this answer

Option A is correct because Azure Backup with application-consistent backups and geo-restore meets the requirements. Option D is wrong because Azure Site Recovery is for disaster recovery, not backups. Option C is wrong because Azure Snapshot is not application-consistent.

Option B is wrong because Azure Disk Encryption encrypts disks but does not provide backups.

190
MCQeasy

A company plans to deploy a web application on Azure virtual machines. They want to protect against a datacenter failure within a region. The VMs must be distributed across multiple physically separate locations with independent power, cooling, and networking. Which deployment option should they use?

A.Availability Set
B.Availability Zones
C.Virtual Machine Scale Set
D.Proximity Placement Group
AnswerB

Availability Zones are distinct physical locations within a region, each with independent power, cooling, and networking. Deploying VMs across zones ensures resilience to a datacenter failure.

Why this answer

Availability Zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. By deploying VMs across multiple zones, the application is protected against a single datacenter failure, meeting the requirement for fault isolation at the datacenter level.

Exam trap

The trap here is that candidates often confuse Availability Sets (which protect against rack-level failures within a single datacenter) with Availability Zones (which protect against entire datacenter failures), leading them to select the wrong option when the question explicitly requires physically separate locations with independent infrastructure.

How to eliminate wrong answers

Option A is wrong because an Availability Set protects against failures within a single datacenter (rack-level faults) by distributing VMs across update and fault domains, not across physically separate datacenters. Option C is wrong because a Virtual Machine Scale Set is primarily for auto-scaling and managing identical VMs; while it can use Availability Zones, the scale set itself is not a deployment option that guarantees distribution across physically separate locations without explicit zone configuration. Option D is wrong because a Proximity Placement Group is designed to reduce network latency by co-locating VMs close together, which is the opposite of distributing them across physically separate locations.

191
MCQmedium

A company is planning to migrate its on-premises data center to Azure. The company has 50 virtual machines (VMs) running Windows Server and Linux, along with several physical servers hosting legacy applications. The company wants to minimize administrative overhead and use Azure-native services as much as possible. The migration must be performed with minimal downtime and the company wants to assess the readiness of their on-premises environment. They also need to replicate data to Azure for disaster recovery. Which combination of Azure services should the company use to assess, migrate, and replicate?

A.Azure Backup
B.Azure Database Migration Service
C.Azure Migrate
D.Azure Site Recovery
AnswerC

Azure Migrate provides assessment, migration, and integrates with Azure Site Recovery for replication, covering all requirements.

Why this answer

Option C (Azure Migrate) provides assessment and migration capabilities for VMs and physical servers, and it integrates with Azure Site Recovery for replication, which makes it the most comprehensive single answer. Option D (Azure Site Recovery) provides replication for disaster recovery only. Option A (Azure Backup) provides backup, not real-time replication.

Option B (Azure Database Migration Service) is for databases only. In practice the company would use Azure Migrate for assessment and migration together with Azure Site Recovery for disaster recovery replication, but the question asks for a single answer, and Azure Migrate is the service that covers assessment, migration, and (through its Site Recovery integration) replication. So the correct answer is Azure Migrate.

192
MCQmedium

Your company has an Azure subscription with multiple virtual networks connected via VNet peering. You need to design a solution to allow VMs in different peered VNets to resolve each other's private IP addresses using custom DNS suffixes. The solution must minimize administrative overhead. What should you implement?

A.Deploy custom DNS servers on Azure VMs and configure VNets to use those servers.
B.Configure Azure DNS to use a custom domain name and update each VM's DNS suffix.
C.Use Azure Firewall as a DNS proxy with custom DNS settings.
D.Create an Azure Private DNS Zone linked to each VNet with auto-registration enabled.
AnswerD

Private DNS Zone with auto-registration automatically manages DNS records for VMs across peered VNets.

Why this answer

Option D is correct because Azure Private DNS Zones with auto-registration automatically register and resolve VMs across peered VNets. Option B is wrong because Azure DNS does not support custom DNS suffixes for private IPs. Option A is wrong because custom DNS servers require manual configuration and maintenance.

Option C is wrong because Azure Firewall is not a DNS resolver.

193
MCQeasy

A company is deploying a new application on Azure Kubernetes Service (AKS). The application requires persistent storage that can be dynamically provisioned and accessed by multiple pods simultaneously. Which Azure storage solution should the company use?

A.Azure Blob Storage
B.Azure Files
C.Azure Disk
D.Azure NetApp Files
AnswerB

Azure Files supports ReadWriteMany and can be dynamically provisioned via CSI driver.

Why this answer

Option C (Azure Disk) can only be mounted on a single pod as ReadWriteOnce. Option B (Azure Files) supports ReadWriteMany and can be accessed by multiple pods. Option A (Azure Blob Storage) is object storage, not directly mountable as a volume.

Option D (Azure NetApp Files) supports ReadWriteMany but is more expensive and complex. The simplest and most cost-effective solution is Azure Files.

194
MCQmedium

A company is designing a containerized application on Azure Kubernetes Service (AKS). They need to ensure that the control plane is managed by Microsoft and that the worker nodes are isolated to a single tenant. They also require that the worker nodes be automatically patched for security updates. Which AKS node pool type should they use?

A.System node pools
B.Spot node pools
C.User node pools
D.Virtual nodes (serverless)
AnswerA

System node pools are managed and automatically patched.

Why this answer

Option A is correct because system node pools are managed by Azure and provide automatic patching. Option D is incorrect because virtual nodes (serverless) are for on-demand pods, not managed nodes. Option C is incorrect because user node pools are for user workloads but require manual patching.

Option B is incorrect because spot nodes are for non-critical workloads.

195
MCQhard

A company deploys Azure VNets in multiple regions and has on-premises data centers. They need to connect all VNets to each other and to on-premises sites using the Microsoft global network for optimal routing. They also want to simplify management by using a single orchestration interface. Which Azure service should they use?

A.Azure Virtual Network peering
B.Azure VPN Gateway with multi-site connections
C.Azure ExpressRoute Gateway
D.Azure Virtual WAN
AnswerD

Correct. Virtual WAN connects VNets and on-premises sites over the Microsoft backbone, with centralized routing and management.

Why this answer

Azure Virtual WAN (D) is correct because it provides a hub-and-spoke architecture that connects VNets across multiple regions and on-premises sites using the Microsoft global network for optimal routing. It offers a single orchestration interface (the Virtual WAN portal/API) to manage all connectivity, including site-to-site VPN, ExpressRoute, and VNet-to-VNet traffic, simplifying management and ensuring traffic traverses Microsoft's backbone rather than the public internet.

Exam trap

The trap here is that candidates often confuse Azure Virtual WAN with a simple VPN gateway or peering solution, overlooking that Virtual WAN is specifically designed for large-scale, multi-region, multi-site connectivity with a single management plane, while the other options are point solutions that require complex manual configuration to achieve the same result.

How to eliminate wrong answers

Option A is wrong because Azure Virtual Network peering only connects two VNets directly and does not provide a single orchestration interface for multiple VNets and on-premises sites; it also does not inherently use the Microsoft global network for routing between peered VNets in different regions (traffic may traverse the internet unless ExpressRoute or VPN is added). Option B is wrong because Azure VPN Gateway with multi-site connections can connect multiple on-premises sites to a single VNet, but it does not connect multiple VNets to each other natively (requires additional VPN gateways or peering) and lacks a unified orchestration interface for all connectivity. Option C is wrong because Azure ExpressRoute Gateway provides dedicated private connectivity to on-premises but only connects a single VNet to on-premises; it does not interconnect multiple VNets across regions or offer a single management interface for multi-site and multi-VNet topologies.

196
Multi-Selecthard

A company is designing hub-and-spoke networking. Spoke VNets must use a central Azure Firewall for outbound internet traffic. Which two configurations are required?

Select 2 answers
A.Enable public IP addresses on all workload VMs
B.Peer each spoke VNet with the hub VNet
C.Associate a route table to spoke subnets with a default route to the firewall private IP
D.Deploy a NAT gateway in every spoke subnet
AnswersB, C

VNet peering provides private connectivity between hub and spokes.

Why this answer

B is correct because VNet peering is required to establish connectivity between the spoke VNets and the hub VNet, enabling traffic to flow through the central Azure Firewall. Without peering, the spoke VNets would be isolated and unable to route traffic to the hub. C is correct because a route table with a default route (0.0.0.0/0) pointing to the firewall's private IP ensures that all outbound internet traffic from spoke subnets is forced through the firewall for inspection and control.

Exam trap

The trap here is that candidates often assume a NAT gateway or public IPs on VMs are needed for outbound internet, but the correct design forces all traffic through the firewall using UDRs and peering, not direct egress.

197
MCQeasy

A company needs to connect its on-premises data center to Azure for hybrid workloads. The connection must be private, dedicated, and provide guaranteed bandwidth. Which Azure service should they use?

A.Azure VPN Gateway
B.Azure ExpressRoute
C.Azure Virtual WAN
D.Azure Peering Service
AnswerB

Correct. ExpressRoute offers a dedicated, private connection with bandwidth guarantees and higher reliability than VPN.

Why this answer

Azure ExpressRoute provides a private, dedicated connection from on-premises to Azure, bypassing the public internet. It offers guaranteed bandwidth, higher reliability, and lower latency compared to VPN-based solutions, making it ideal for hybrid workloads requiring consistent performance.

Exam trap

The trap here is that candidates often confuse Azure VPN Gateway's 'dedicated tunnel' concept with true dedicated bandwidth, overlooking that VPNs still traverse the public internet and cannot guarantee performance, while ExpressRoute provides a physically isolated connection with contractual bandwidth guarantees.

How to eliminate wrong answers

Option A is wrong because Azure VPN Gateway uses encrypted tunnels over the public internet, which cannot provide dedicated bandwidth or guaranteed performance. Option C is wrong because Azure Virtual WAN is a networking orchestration service that can aggregate VPN, ExpressRoute, and SD-WAN connections, but it does not itself provide a dedicated, private connection with guaranteed bandwidth. Option D is wrong because Azure Peering Service is designed to optimize connectivity to Microsoft cloud services over the internet via partner ISPs, not to provide a dedicated private link with guaranteed bandwidth.

198
MCQmedium

A company has two on-premises data centers and an Azure subscription. They need to connect each data center to Azure with a private, high-bandwidth, and reliable connection. They also want a low-cost backup connection for each data center in case the primary connection fails. Which combination of connectivity options should they recommend?

A.A
B.B
C.C
D.D
AnswerA

Deploy an ExpressRoute circuit for each data center as the primary connection, and a site-to-site VPN as the backup connection for each. This provides high bandwidth and reliability with a cost-effective failover.

Why this answer

Azure ExpressRoute provides a private, high-bandwidth, and reliable connection from on-premises data centers to Azure, bypassing the public internet. To meet the low-cost backup requirement, Azure VPN Gateway (Site-to-Site VPN) offers a secure, encrypted connection over the internet as a failover path, which is significantly cheaper than a second ExpressRoute circuit. This combination ensures primary connectivity via ExpressRoute and cost-effective redundancy via VPN.

Exam trap

The trap here is that candidates often assume two ExpressRoute circuits are needed for redundancy, overlooking the cost-effective VPN backup option that still meets the 'low-cost' requirement while providing private connectivity only for the primary link.

How to eliminate wrong answers

Option B is wrong because using two ExpressRoute circuits for primary and backup is not low-cost; it doubles the recurring expense and is unnecessary for a backup path. Option C is wrong because using two Site-to-Site VPN connections for both primary and backup does not provide the high-bandwidth, reliable, private connection required; VPNs are internet-based and subject to latency and bandwidth limitations. Option D is wrong because using a single ExpressRoute circuit without any backup fails the requirement for a backup connection in case of failure.

199
MCQmedium

A company deploys a web application on Azure virtual machines (VMs) across multiple availability zones. The application needs to automatically distribute incoming HTTPS traffic, offload SSL/TLS termination, and provide session persistence. Additionally, the solution must include a Web Application Firewall (WAF) to protect against common web vulnerabilities. Which Azure load balancing solution should they use?

B.Azure Traffic Manager
C.Azure Application Gateway
D.Azure Front Door
AnswerC

Application Gateway is a Layer 7 load balancer that supports SSL termination, cookie-based session affinity, and includes a built-in Web Application Firewall for protection against web attacks.

Why this answer

Azure Application Gateway is the correct choice because it is a Layer 7 load balancer that can route HTTPS traffic, offload SSL/TLS termination, and provide session persistence (cookie-based affinity). It also natively integrates a Web Application Firewall (WAF) to protect against common web vulnerabilities like SQL injection and cross-site scripting.

Exam trap

The trap here is that candidates often confuse Azure Front Door with Application Gateway because both offer WAF and SSL offload, but Front Door is optimized for global multi-region traffic management, not for intra-region zone-resilient load balancing with session persistence, which is the specific requirement in this question.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer operates at Layer 4 (TCP/UDP) and cannot perform SSL/TLS termination, session persistence based on application cookies, or provide a WAF. Option B is wrong because Azure Traffic Manager is a DNS-based traffic load balancer that routes traffic at the DNS level (Layer 3/4) and does not handle SSL/TLS termination, session persistence, or WAF capabilities. Option D is wrong because Azure Front Door is a global Layer 7 load balancer and CDN that can offload SSL and provide WAF, but it is designed for global HTTP(S) traffic distribution across regions, not for intra-region multi-zone distribution with session persistence; Application Gateway is the appropriate choice for regional, zone-resilient deployments.

200
MCQmedium

You are designing a solution to store sensitive documents in Azure Blob Storage. The data must be encrypted at rest and access must be audited. You need to ensure that the encryption keys are managed by your organization and that access to the keys is logged. Which combination of Azure services should you use?

A.Azure Storage encryption with customer-managed keys in Azure Key Vault and Azure Monitor
B.Azure Disk Encryption with Azure Key Vault
C.Azure Storage encryption with Microsoft-managed keys and Azure Monitor
D.Azure Information Protection and Azure Sentinel
AnswerA

Customer-managed keys provide control and key access logging via Key Vault diagnostics.

Why this answer

Option A is correct because using customer-managed keys (CMK) with Azure Key Vault allows you to control the encryption keys and enable logging of key access. Azure Storage encryption with CMK requires Key Vault for key storage. Option C uses Microsoft-managed keys, which do not give you control of the keys.

Option D uses Azure Information Protection, which is for classification, not storage encryption. Option B uses Azure Disk Encryption, which is for VM disks, not Blob Storage.

201
Multi-Selecthard

You are designing a backup and disaster recovery strategy for a SQL Server database hosted on an Azure virtual machine. The database is critical and has a recovery point objective (RPO) of 15 minutes and a recovery time objective (RTO) of 4 hours. Which THREE services should you include in the solution?

Select 3 answers
A.Azure Backup
B.Azure SQL Database backup
C.Azure Files
D.Azure Site Recovery
E.Azure SQL Database auto-failover groups
AnswersA, B, D

Provides backup of SQL Server on Azure VM.

Why this answer

Options B, C, and D are correct. Azure Backup can back up the VM and database with application-consistent backups. Azure Site Recovery replicates the VM to another region for DR.

Azure SQL Database auto-failover groups are for PaaS, not IaaS. Option A is wrong because Azure SQL Database is a different service; for SQL Server on VM, you need IaaS solutions. Option E is wrong because Azure Files is for file shares, not SQL.

202
MCQhard

An organization is designing a storage solution for Azure VMs running a database that requires low latency and high IOPS. The data is critical and must be durable with automatic replication across multiple datacenters in the same region. Which Azure managed disk type and redundancy option should they choose?

A.Standard SSD with GRS
B.Premium SSD with ZRS
C.Ultra Disk with LRS
D.Premium SSD v2 with LRS
AnswerB

Premium SSD with ZRS provides high IOPS and replicates across multiple datacenters within a region.

Why this answer

Premium SSD v2 managed disks with locally-redundant storage (LRS) provide high IOPS and low latency with synchronous replication within a datacenter, but LRS is not multi-datacenter. For multi-datacenter within a region, zone-redundant storage (ZRS) is needed, but Premium SSD v2 does not support ZRS. The correct choice is Premium SSD with ZRS to meet durability across datacenters.

Option D is wrong because Premium SSD v2 with LRS is not multi-datacenter. Option A is wrong because Standard SSD is lower performance. Option C is wrong because Ultra Disk with LRS is single-datacenter.

203
MCQmedium

You are designing a backup and disaster recovery strategy for an Azure SQL Database instance that runs a critical business application. The database is 500 GB and experiences high transaction rates. The recovery point objective (RPO) is 1 minute and recovery time objective (RTO) is 1 hour. What should you recommend?

A.Enable geo-redundant backup storage and use geo-restore in the secondary region.
B.Configure automated backups with locally-redundant storage (LRS) and enable point-in-time restore.
C.Configure active geo-replication to a secondary region in the same Azure geography.
D.Export the database to a bacpac file daily and store it in Azure Blob Storage.
AnswerC

Active geo-replication provides RPO of seconds and RTO of minutes with automatic failover.

Why this answer

Option C is correct because active geo-replication provides RPO < 1 minute and RTO < 1 hour with automatic failover. Option B (automated backups with LRS) has RPO > 1 minute. Option A (geo-restore) has RTO > 1 hour.

Option D (export to blob) has a high RTO.

204
MCQmedium

A company has multiple Azure virtual networks (VNets) in different regions connected via VNet peering. They also have an on-premises data center connected to Azure via ExpressRoute. They need to provide internet-bound traffic from all Azure VNets through a single, centralized network virtual appliance (NVA) in the hub VNet for security inspection. They also need to ensure that traffic between VNets and on-premises is routed optimally without going through the internet. Which Azure solution should they implement?

A.Implement VNet peering with user-defined routes (UDRs) to force traffic through the NVA
B.Use Azure Firewall in each VNet to inspect traffic locally
C.Deploy an Azure Virtual WAN with a secured hub (Azure Firewall) and route traffic through it
D.Use Azure Route Server to propagate routes to all VNets
AnswerC

Virtual WAN provides automatic transitive routing, centralized security, and integrates with ExpressRoute, meeting all requirements.

Why this answer

Option C is correct because Azure Virtual WAN with a secured hub (Azure Firewall) provides a centralized, managed routing architecture that meets all requirements. It automatically routes internet-bound traffic from all VNets through the Azure Firewall in the hub for security inspection, while also ensuring optimal routing between VNets and on-premises via ExpressRoute without traversing the internet. This solution eliminates the need for manual UDRs and complex NVA management, as Virtual WAN handles routing and security centrally.

Exam trap

The trap here is that candidates often confuse Azure Virtual WAN with simple VNet peering or assume that Azure Route Server alone can provide centralized security inspection, but Virtual WAN is the only solution that combines centralized routing, security, and automatic propagation across multiple regions.

How to eliminate wrong answers

Option A is wrong because VNet peering with UDRs to force traffic through an NVA requires complex manual route management and does not scale well across multiple regions; it also does not inherently optimize on-premises routing without additional configuration. Option B is wrong because deploying Azure Firewall in each VNet inspects traffic locally, not centrally, which violates the requirement for a single, centralized inspection point and increases operational overhead. Option D is wrong because Azure Route Server propagates routes between NVAs and VNets but does not provide centralized internet-bound traffic inspection or force traffic through a single NVA; it is designed for dynamic route exchange, not security inspection.

205
MCQeasy

A company deploys a web application on Azure VMs across availability zones. They need to distribute HTTPS traffic, offload SSL termination, and maintain session persistence. They do not require traffic inspection. Which Azure load balancing solution should they use?

A.Azure Application Gateway v2.
B.Azure Load Balancer (Standard).
C.Azure Traffic Manager.
D.Azure Front Door.
AnswerA

Application Gateway supports HTTPS termination, cookie-based session persistence, and health probes, all at layer 7. It is designed for web traffic within a region and can be deployed across availability zones.

Why this answer

Azure Application Gateway v2 is the correct choice because it is a Layer 7 load balancer that supports HTTPS traffic distribution, SSL termination (offloading the decryption burden from backend VMs), and session persistence via cookie-based affinity. It meets all requirements without needing traffic inspection, which is optional and can be disabled.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4) with Application Gateway (Layer 7), assuming any load balancer can handle SSL termination, but only Layer 7 solutions like Application Gateway or Front Door can offload SSL and maintain session persistence at the application layer.

How to eliminate wrong answers

Option B (Azure Load Balancer Standard) is wrong because it operates at Layer 4 (TCP/UDP) and cannot perform SSL termination or application-layer session persistence; it only distributes traffic based on IP and port. Option C (Azure Traffic Manager) is wrong because it is a DNS-based global traffic router that does not handle HTTPS traffic directly, SSL termination, or session persistence at the application layer. Option D (Azure Front Door) is wrong because it is a global Layer 7 service with built-in WAF and traffic inspection capabilities, which is unnecessary here and adds complexity; it also requires a custom domain for SSL termination, whereas Application Gateway v2 is a regional solution better suited for this scenario.

206
MCQmedium

You are designing a disaster recovery solution for an Azure IaaS workload. The application runs on Azure VMs in a single region and requires a Recovery Point Objective (RPO) of 15 minutes and a Recovery Time Objective (RTO) of 4 hours. Which of the following is the most cost-effective approach to meet these requirements?

A.Configure geo-redundant storage (GRS) for the VM disks and manually attach them to new VMs in the secondary region.
B.Use Azure Front Door with a back-end pool containing VMs in both regions, and configure health probes to route traffic on failure.
C.Deploy Azure Site Recovery to replicate VMs to the secondary region with a replication policy that meets the RPO and RTO.
D.Use Azure Backup to back up VMs to a Recovery Services vault in the secondary region and perform restore during failover.
AnswerC

Azure Site Recovery offers continuous replication with RPO as low as 30 seconds and automated failover in minutes, meeting both requirements cost-effectively.

Why this answer

Option C is correct because Azure Site Recovery provides replication to another region with RPO as low as 30 seconds, easily meeting 15 minutes, and automated failover within minutes, meeting the 4-hour RTO. Option A is wrong because geo-redundant storage applies to storage accounts, not VMs, and does not provide automated failover. Option D is wrong because backing up to a secondary region via Azure Backup has an RPO of 1-2 hours and an RTO of hours to days.

Option B is wrong because Azure Front Door is for web traffic load balancing, not VM failover.

207
MCQeasy

A company deploys a web application on multiple Azure virtual machines (VMs) in a single region. The application receives HTTP and HTTPS traffic. They need to distribute the traffic across the VMs, offload SSL/TLS termination, and ensure that client requests from the same user session are always sent to the same backend VM (session persistence). Additionally, they need to route requests based on URL paths (e.g., /api/* to one pool, /images/* to another). Which Azure load balancing solution should they use?

B.Azure Application Gateway
C.Azure Front Door
D.Azure Traffic Manager
AnswerB

Application Gateway is a layer-7 load balancer that supports SSL termination, cookie-based session affinity, and URL path-based routing to multiple backend pools.

Why this answer

Azure Application Gateway is the correct choice because it is a layer-7 load balancer that supports SSL/TLS termination, URL path-based routing, and session persistence (sticky sessions) via cookies. These features directly match the requirements for distributing HTTP/HTTPS traffic, offloading SSL, routing requests based on URL paths, and maintaining user session affinity to the same backend VM.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (layer 4) with Application Gateway (layer 7), assuming any load balancer can handle SSL termination and URL routing, but only layer-7 solutions like Application Gateway provide these application-level features.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer operates at layer 4 (TCP/UDP) and cannot perform SSL/TLS termination, URL path-based routing, or session persistence based on HTTP cookies. Option C is wrong because Azure Front Door is a global layer-7 load balancer and CDN designed for multi-region traffic distribution, not for routing within a single region, and it does not support URL path-based routing to separate backend pools in the same region. Option D is wrong because Azure Traffic Manager is a DNS-based traffic load balancer that operates at layer 3/4 and cannot offload SSL/TLS, route based on URL paths, or provide session persistence.

208
MCQeasy

A company runs a web application on Azure VMs in a single region. The application must scale out automatically based on CPU utilization. The VMs are behind an Azure Load Balancer. Which Azure service should they use to automatically add or remove VMs based on demand?

A.Azure Virtual Machine Scale Sets
B.Azure App Service
C.Azure Functions
D.Azure Batch
AnswerA

Correct: VMSS provides autoscaling based on metrics and integrates with Azure Load Balancer.

Why this answer

Azure Virtual Machine Scale Sets (VMSS) is the correct service because it provides automatic scaling of identical VM instances based on metrics like CPU utilization. When you configure an autoscale rule on a VMSS, it automatically adds or removes VM instances behind the Azure Load Balancer, ensuring the application scales out or in based on demand without manual intervention.

Exam trap

The trap here is that candidates often confuse Azure App Service's autoscale feature (which scales the number of App Service instances, not VMs) with the requirement to scale VMs behind a load balancer, leading them to select App Service instead of VMSS.

How to eliminate wrong answers

Option B (Azure App Service) is wrong because it is a platform-as-a-service (PaaS) offering for web apps, not a service that manages VMs behind a load balancer; it does not allow you to run custom VMs with full control over the OS. Option C (Azure Functions) is wrong because it is a serverless compute service for event-driven code, not designed for long-running web applications on VMs, and it does not integrate with Azure Load Balancer for VM-level scaling. Option D (Azure Batch) is wrong because it is a job-scheduling and compute-management service for large-scale parallel and HPC workloads, not for automatically scaling VMs behind a load balancer based on CPU utilization.

209
MCQeasy

A company plans to migrate on-premises SQL Server databases to Azure. They need to minimize changes to existing applications and want to use the latest features of SQL Server. Which Azure data service should they use?

A.SQL Server on Azure Virtual Machines
B.Azure SQL Managed Instance
C.Azure SQL Database
D.Azure Cosmos DB
AnswerB

Managed Instance offers high compatibility with on-premises SQL Server and latest features.

Why this answer

Option B is correct because Azure SQL Managed Instance provides near 100% compatibility with SQL Server, minimizing application changes, and supports the latest SQL Server features. Option C is wrong because Azure SQL Database requires application changes for database-level compatibility. Option A is wrong because SQL Server on Azure VMs requires management of the OS and SQL Server.

Option D is wrong because Azure Cosmos DB is NoSQL and not compatible with SQL Server.

210
MCQmedium

You are designing a solution to securely store and manage secrets for multiple applications deployed in Azure. The solution must support automated rotation of secrets and provide audit logging. Which Azure service should you use?

A.Microsoft Entra ID application registration
B.Azure App Service Key Vault references
C.Azure Key Vault with managed identity and rotation policy
D.Azure Automation with PowerShell runbooks
AnswerC

Supports automated rotation and audit logging.

Why this answer

Option C is correct because Azure Key Vault with managed identities and rotation policies provides automated secret rotation and audit logging. Option B is wrong because Azure App Service Key Vault references are for referencing secrets, not managing rotation. Option D is wrong because Azure Automation can rotate secrets but is more complex.

Option A is wrong because Microsoft Entra ID is for identity, not secret storage.

211
MCQmedium

A company plans to deploy a multi-tier application on Azure. The web tier requires SSL termination and health probes. The application tier must be isolated from the internet. The database tier requires high availability. They want to minimize administrative overhead and use Azure native services. Which architecture should they recommend?

A.Azure Application Gateway for web tier, Azure Load Balancer (internal) for application tier, and Azure SQL Database with active geo-replication
B.Azure Front Door for web tier, Azure Load Balancer for database tier, and SQL Server on Azure VMs with Always On
C.Azure Traffic Manager for web tier, Azure Application Gateway for database tier, and Azure SQL Database with failover groups
D.Azure Application Gateway for web tier, Azure Load Balancer (internal) for application tier, and Azure SQL Database with geo-restore
AnswerA

Application Gateway handles SSL termination and probes; internal Load Balancer keeps app tier private; SQL Database active geo-replication provides HA.

Why this answer

Option A is correct because Azure Application Gateway provides SSL termination and health probes for the web tier, an internal Azure Load Balancer isolates the application tier from the internet, and Azure SQL Database with active geo-replication offers high availability with automatic failover, minimizing administrative overhead by using PaaS services.

Exam trap

The trap here is that candidates often confuse Azure Front Door or Traffic Manager with Application Gateway for SSL termination and health probes, or assume that geo-restore provides the same automatic high availability as active geo-replication, leading them to choose options that either lack required features or increase administrative overhead.

How to eliminate wrong answers

Option B is wrong because Azure Front Door is a global load balancer for web traffic, but it does not natively provide SSL termination for a single-region web tier, and using Azure Load Balancer for the database tier is inappropriate as it does not offer database-level high availability; SQL Server on Azure VMs with Always On requires significant administrative overhead. Option C is wrong because Azure Traffic Manager is a DNS-based traffic router that does not perform SSL termination or health probes for the web tier, and Azure Application Gateway is not designed for the database tier; Azure SQL Database with failover groups is a valid HA option but the web tier architecture is incorrect. Option D is wrong because Azure SQL Database with geo-restore does not provide automatic high availability; it requires manual restore from a geo-redundant backup, which does not meet the requirement for minimal administrative overhead and active failover.

212
MCQeasy

A company is migrating a legacy application to Azure VMs. The application requires a static IP address that does not change if the VM is stopped and started. Which type of IP address should they assign to the VM?

A.Dynamic private IP address
B.Dynamic public IP address
C.Static public IP address
D.Ephemeral IP address
AnswerC

Static public IP remains assigned even when VM is stopped.

Why this answer

A static public IP address or a static private IP address ensures the IP does not change. Option B is wrong because dynamic public IPs change on stop/start. Option A is wrong because a dynamic private IP can change; only a static private IP is guaranteed to persist.

Option D is wrong because ephemeral IPs are for temporary usage.

213
MCQhard

Refer to the exhibit. You are reviewing an Azure Policy definition that your team plans to assign. The policy is intended to deny the deployment of virtual networks and virtual machines if they do not have an NSG attached with a rule named containing 'Allow'. However, the policy is not working as expected. What is the most likely reason?

A.The field 'Microsoft.Network/networkSecurityGroups/securityRules[*].name' is an incorrect alias.
B.The policy does not check whether the NSG is actually associated with the resource.
C.The policy rule syntax is invalid.
D.The effect 'deny' cannot be used with existenceCondition.
AnswerB

The policy checks for the existence of an NSG with a rule name but does not verify association.

Why this answer

Option B is correct because the existenceCondition checks the rule name on the NSG resource, but the policy's 'if' condition only checks the resource type. The policy does not ensure that the NSG is associated with the subnet or NIC; an NSG can exist without being attached. Option C is wrong because the policy syntax is valid.

Option D is wrong because 'deny' is a valid effect. Option A is wrong because the policy rule does not use the alias incorrectly.

214
MCQeasy

You need to design a storage solution for an application that stores large amounts of unstructured data that is accessed frequently for the first 30 days, then rarely after that. Compliance requirements mandate that data be retained for 7 years. Which of the following is the most cost-effective storage solution?

A.Use Azure Files with snapshots and keep files in the Premium tier for 30 days, then move to Standard tier.
B.Use Azure Managed Disks with read-only snapshots and delete snapshots after 7 years.
C.Use Azure Blob Storage with lifecycle management to transition blobs from Hot to Cool to Archive tiers.
D.Store all data in Blob Storage Hot tier and delete after 7 years.
AnswerC

Lifecycle management automates tiering based on age, providing cost savings. Hot for frequent, Cool for infrequent, Archive for long-term retention.

Why this answer

Option C is correct because Azure Blob Storage with lifecycle management can automatically move blobs from Hot to Cool to Archive tiers as access patterns change, minimizing cost. Option A is wrong because Azure Files is for file shares and is not optimal for large volumes of unstructured data. Option D is wrong because keeping all data in the Hot tier is expensive.

Option B is wrong because managed disks are for VM disks, not for general unstructured data storage.

215
MCQmedium

A company is designing a multi-region disaster recovery solution for a mission-critical application hosted on Azure VMs. The application requires synchronous replication of storage and automatic failover with no data loss. The recovery time objective (RTO) is 15 minutes, and the recovery point objective (RPO) is 0. Which Azure service should the company use?

A.Azure Availability Zones
B.Azure Backup
C.Azure Site Recovery
D.Azure Storage with geo-redundant storage (GRS)
AnswerC

Azure Site Recovery provides automated failover across regions with low RPO (seconds) and RTO (minutes). While strict RPO=0 is not guaranteed, it is the best fit for DR scenarios.

Why this answer

Option C (Azure Site Recovery) supports RPO as low as a few seconds and RTO in minutes, but it uses asynchronous replication, so an RPO of 0 cannot be guaranteed. Option B (Azure Backup) is for backup, not real-time replication. Option D (Azure Storage with geo-redundant storage) provides asynchronous replication, not synchronous.

Option A (Azure Availability Zones) uses synchronous replication and can achieve RPO=0 and low RTO within the same region, but for multi-region the company would need a stretched cluster across regions, which is complex. The question specifies 'multi-region' and 'no data loss', which implies synchronous replication across regions; Azure does not offer synchronous replication across regions for VMs. Among the options, Azure Site Recovery is the only one that provides automated failover across regions, even though its RPO is not zero.

The best answer is therefore Azure Site Recovery (Option C): it is the primary DR service for VMs and is designed for low RPO/RTO, and although RPO=0 is not guaranteed, it is the closest fit.

216
MCQeasy

A company has an on-premises data center and wants to connect it to Azure with a dedicated, private network connection that is not routed over the public internet. They also need a higher service-level agreement (SLA) compared to VPN-based connections. Which Azure service should they use?

A.Azure VPN Gateway
B.Azure ExpressRoute
C.Azure Bastion
D.Azure Virtual WAN
AnswerB

ExpressRoute establishes a private connection to Azure via a connectivity provider, bypassing the internet. It offers higher reliability, bandwidth, and a stronger SLA (99.95% for dedicated circuits).

Why this answer

Azure ExpressRoute provides a dedicated, private connection from on-premises to Azure through a connectivity provider that bypasses the public internet, giving lower and more predictable latency, higher reliability, and a 99.95% SLA for the circuit. That meets the requirement for a private connection with a higher SLA than VPN Gateway, which carries IPsec tunnels over the public internet: the gateway SKU has an SLA (99.9% for Basic, 99.95% for the other SKUs), but the internet path between the two sites has none. Note that 'private' means the traffic is not routed over the internet, not that it is encrypted; ExpressRoute does not encrypt by default, so run IPsec or MACsec over it if confidentiality of the link is required.

Exam trap

The trap here is that candidates often confuse Azure Virtual WAN as a direct replacement for ExpressRoute, but Virtual WAN is a management overlay that still requires ExpressRoute or VPN as the underlying transport, not a dedicated private connection itself.

How to eliminate wrong answers

Option A (Azure VPN Gateway) is wrong because it carries IPsec tunnels over the public internet, so it is not a dedicated private connection, and its SLA (99.9% for the Basic SKU) covers only the gateway, not the internet path the tunnels traverse. Option C (Azure Bastion) is wrong because it is a PaaS service for browser-based RDP/SSH access to Azure VMs, not a hybrid connectivity solution between on-premises and Azure. Option D (Azure Virtual WAN) is wrong because it is a networking service that aggregates branch and hub connectivity, but it still needs an underlying transport (VPN or ExpressRoute) to provide the private link; by itself it offers neither a dedicated private connection nor the higher SLA.

217
Multi-Selecteasy

Which TWO Azure services can be used to implement a serverless event-driven architecture that processes messages from a queue and stores results in a database? (Choose two.)

Select 2 answers
A.Azure Logic Apps
B.Azure Event Grid
C.Azure Service Bus
D.Azure Functions
E.Azure Batch
AnswersA, D

Both can be triggered by queue messages; Functions runs the processing code, Logic Apps orchestrates the workflow.

Why this answer

A and D are correct. Azure Functions can be triggered by messages from Azure Queue Storage or Service Bus and write results to a database through an output binding; Azure Logic Apps can also be triggered by queue messages and orchestrate the workflow with built-in connectors. B is wrong because Azure Event Grid is a push-based event router, not a queue and not a compute service.

C is wrong because Azure Service Bus is the messaging service that holds the messages; it is a trigger source for Functions, not the serverless compute that processes them. E is wrong because Azure Batch schedules large-scale parallel compute jobs on VM pools, which is neither serverless nor event-driven.
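What the two serverless answers share is the delivery contract of the queue they consume. The following is an added example, not code from the page or from the Azure SDKs: a pure-Python simulation of an Azure Functions queue-trigger worker that shows why the handler must be idempotent. Queue Storage delivers at least once, a handler that throws causes the message to be redelivered, and after maxDequeueCount attempts (5 by default in host.json) the Functions host moves the message to a <queue>-poison queue. The StorageQueue class, the order messages and the sqlite database stand in for the real services and are constructed for the example.

```python
"""Simulation of an Azure Functions queue-trigger worker (added example).

Azure Queue Storage delivers messages at least once: a message whose handler
throws (or whose visibility timeout expires mid-processing) is redelivered, and
after maxDequeueCount attempts the Functions host moves it to '<queue>-poison'.
The handler is therefore written to be idempotent: the message id is the
primary key of the row it writes, so a redelivery is a no-op.
"""
import sqlite3
from collections import deque
from dataclasses import dataclass

MAX_DEQUEUE_COUNT = 5  # host.json extensions.queues.maxDequeueCount default


@dataclass
class QueueMessage:
    id: str
    body: dict
    dequeue_count: int = 0


class StorageQueue:
    """In-memory stand-in for an Azure Storage queue (constructed for the example)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._messages = deque()
        self.poison = deque()  # plays the role of the '<name>-poison' queue

    def send(self, msg_id: str, body: dict) -> None:
        self._messages.append(QueueMessage(msg_id, body))

    def receive(self):
        if not self._messages:
            return None
        msg = self._messages.popleft()
        msg.dequeue_count += 1  # the platform increments DequeueCount on every delivery
        return msg

    def abandon(self, msg: QueueMessage) -> None:
        """Handler failed: redeliver, or move to the poison queue after too many attempts."""
        if msg.dequeue_count >= MAX_DEQUEUE_COUNT:
            self.poison.append(msg)
        else:
            self._messages.append(msg)


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (message_id TEXT PRIMARY KEY, customer TEXT, amount REAL)")
    return db


def handle_order(msg: QueueMessage, db: sqlite3.Connection) -> str:
    """The 'function body'. Returns 'inserted' or 'duplicate'; raises on a bad message."""
    customer = msg.body["customer"]            # KeyError on a malformed body -> retry
    amount = float(msg.body["amount"])         # ValueError/TypeError on a bad amount -> retry
    if amount <= 0:
        raise ValueError("non-positive amount")
    # INSERT OR IGNORE keyed on the message id makes a redelivery harmless.
    cur = db.execute("INSERT OR IGNORE INTO orders VALUES (?, ?, ?)", (msg.id, customer, amount))
    db.commit()
    return "inserted" if cur.rowcount == 1 else "duplicate"


def run_worker(queue: StorageQueue, db: sqlite3.Connection) -> dict:
    """Drain the queue the way the Functions host would, retrying failures."""
    stats = {"inserted": 0, "duplicate": 0, "failed_attempts": 0}
    while (msg := queue.receive()) is not None:
        try:
            stats[handle_order(msg, db)] += 1
        except (KeyError, ValueError, TypeError):
            stats["failed_attempts"] += 1
            queue.abandon(msg)
    stats["poisoned"] = len(queue.poison)
    return stats


def demo() -> dict:
    """Constructed traffic: two good orders, one redelivery, one malformed message."""
    queue, db = StorageQueue("orders"), open_db()
    queue.send("m1", {"customer": "alice", "amount": "19.99"})
    queue.send("m2", {"customer": "bob", "amount": "5"})
    queue.send("m1", {"customer": "alice", "amount": "19.99"})  # simulated at-least-once redelivery
    queue.send("m3", {"customer": "mallory"})                    # malformed: no amount
    stats = run_worker(queue, db)
    stats["rows"] = db.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
    return stats


if __name__ == "__main__":
    print(demo())
```

The malformed message is retried five times and then parked in the poison queue instead of blocking the worker forever; the redelivered m1 is detected by the primary key rather than by any state kept in the function, which is the only kind of deduplication that survives a scale-out to many instances.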

218
Multi-Selecthard

A company is designing a data warehouse solution in Azure. The solution must support petabyte-scale data, high-performance queries, and integration with Power BI. The data includes both structured and semi-structured data. Which THREE services should you recommend?

Select 3 answers
A.Power BI
B.Azure Analysis Services
C.Azure Data Lake Storage
D.Azure Synapse Analytics
E.Azure HDInsight
AnswersA, C, D

Synapse Analytics provides the warehouse, Data Lake Storage holds the raw structured and semi-structured data, and Power BI does the reporting.

Why this answer

Option D is correct because Azure Synapse Analytics provides petabyte-scale data warehousing with high-performance queries. Option E is incorrect because Azure HDInsight is a managed Hadoop/Spark cluster service for big data processing, not a data warehouse. Option C is correct because Azure Data Lake Storage stores structured and semi-structured data at petabyte scale.

Option B is incorrect because Azure Analysis Services hosts semantic (tabular) models on top of a warehouse; it is not the warehouse itself. Option A is correct because Power BI integrates directly with Synapse Analytics for reporting.

219
MCQhard

A large enterprise is designing a data analytics platform in Azure that will ingest terabytes of data daily from multiple sources, including IoT devices, social media feeds, and internal databases. The data must be stored in a raw format for future processing, and then transformed and aggregated for reporting. The company requires low-latency querying for real-time dashboards and the ability to run complex batch analytics using Spark. The solution must also provide a unified data governance layer for cataloging and lineage tracking. Which combination of Azure services should the company choose to meet all these requirements with minimal operational overhead?

A.Azure Cosmos DB, Azure Stream Analytics, and Azure Analysis Services
B.Azure Blob Storage, Azure HDInsight, and Azure Data Factory
C.Azure SQL Database, Azure Databricks, and Azure Data Catalog
D.Azure Data Lake Storage, Azure Synapse Analytics, and Microsoft Purview
AnswerD

ADLS stores raw data, Synapse provides real-time querying and Spark-based batch analytics, and Purview provides data cataloging and lineage.

Why this answer

Option D (Azure Data Lake Storage + Azure Synapse Analytics + Microsoft Purview) provides a scalable data lake for raw data, unified analytics with serverless SQL for low-latency queries and Spark pools for batch work, and a governance layer with cataloging and lineage. Option B (Azure Blob Storage + Azure HDInsight + Azure Data Factory) can do the processing, but HDInsight clusters need ongoing cluster management and none of the three supplies a catalog or lineage. Option A (Azure Cosmos DB + Azure Stream Analytics + Azure Analysis Services) has no raw-data store and no Spark-based batch analytics.

Option C (Azure SQL Database + Azure Databricks + Azure Data Catalog) lacks a data lake for raw storage, and Azure Data Catalog has been superseded by Microsoft Purview. The best answer is D because it includes ADLS for raw storage, Synapse for both real-time and batch analytics, and Purview for governance.

220
MCQmedium

A company is deploying a web application on Azure App Service. The application must authenticate users with their Microsoft Entra ID credentials. The development team wants to use the Microsoft Authentication Library (MSAL) for authentication. Which App Service authentication feature should they use to simplify integration?

A.Use Application Insights to capture authentication logs
B.Use Azure API Management to handle authentication
C.Use Azure AD B2C for identity management
D.Configure the App Service authentication / authorization feature to use Microsoft Entra ID
AnswerD

Easy Auth simplifies integration with Microsoft Entra ID.

Why this answer

Option D is correct because the App Service authentication / authorization feature (Easy Auth) can be configured with Microsoft Entra ID as the identity provider; the platform handles the sign-in redirect and token validation in front of the app and passes the signed-in identity to the app in request headers (X-MS-CLIENT-PRINCIPAL and related headers), with the tokens available from the built-in token store. The team then needs MSAL only where the app must acquire tokens for downstream APIs, not for the sign-in itself. Option A is incorrect because Application Insights is for monitoring. Option C is incorrect because Azure AD B2C is for consumer and external identities, not the organization's Entra ID credentials.

Option B is incorrect because Azure API Management is for publishing and managing APIs; it can validate tokens for APIs behind it but does not sign users in to the web application.
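How an application behind Easy Auth actually consumes the identity, as an added example that is not code from the page or from Microsoft: the platform forwards each authenticated request with an X-MS-CLIENT-PRINCIPAL header whose value is base64-encoded JSON (an auth_typ, a claims array of typ/val pairs, and name_typ/role_typ fields naming which claim types carry the display name and roles). The code below decodes that envelope and enforces an app role, failing closed when the header is absent. The claim type names, the role name Orders.Admin and the object id in the sample are constructed; the envelope fields come from the documented header format. The header is only trustworthy because the platform sits in front of the app: code running locally, or on an origin reachable without passing through Easy Auth, must not treat it as proof of identity.

```python
"""Reading the Easy Auth principal header in an App Service app (added example)."""
import base64
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PRINCIPAL_HEADER = "x-ms-client-principal"


@dataclass
class Principal:
    auth_type: str
    name: Optional[str]
    roles: List[str]
    claims: Dict[str, List[str]]


def parse_client_principal(headers: Dict[str, str]) -> Optional[Principal]:
    """Decode the X-MS-CLIENT-PRINCIPAL envelope; None if the header is absent."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    raw = lowered.get(PRINCIPAL_HEADER)
    if not raw:
        return None
    padded = raw + "=" * (-len(raw) % 4)  # tolerate stripped base64 padding
    envelope = json.loads(base64.b64decode(padded))
    claims: Dict[str, List[str]] = {}
    for claim in envelope.get("claims", []):  # [{"typ": ..., "val": ...}, ...]
        claims.setdefault(claim["typ"], []).append(claim["val"])
    # The envelope itself says which claim types hold the display name and the roles,
    # so the code does not hard-code provider-specific claim URIs.
    names = claims.get(envelope.get("name_typ", ""), [])
    roles = claims.get(envelope.get("role_typ", ""), [])
    return Principal(envelope.get("auth_typ", ""), names[0] if names else None, roles, claims)


def authorize(headers: Dict[str, str], required_role: str) -> Tuple[int, str]:
    """Fail closed: no principal -> 401, principal without the app role -> 403."""
    principal = parse_client_principal(headers)
    if principal is None:
        return 401, "no authenticated principal (is Easy Auth set to require authentication?)"
    if required_role not in principal.roles:
        return 403, f"{principal.name or 'unknown'} lacks role {required_role}"
    return 200, f"hello {principal.name}"


def make_principal_header(name: str, roles: List[str]) -> str:
    """Build a header value shaped like the platform's, for the constructed sample only."""
    envelope = {
        "auth_typ": "aad",
        "name_typ": "name",   # constructed claim type names; real ones depend on the provider
        "role_typ": "roles",
        "claims": [{"typ": "name", "val": name}]
        + [{"typ": "roles", "val": r} for r in roles]
        + [{"typ": "oid", "val": "00000000-0000-0000-0000-000000000001"}],  # constructed id
    }
    return base64.b64encode(json.dumps(envelope).encode()).decode()


if __name__ == "__main__":
    ok = {"X-MS-CLIENT-PRINCIPAL": make_principal_header("alice", ["Orders.Admin"])}
    print(authorize(ok, "Orders.Admin"))   # (200, 'hello alice')
    print(authorize(ok, "Orders.Reader"))  # (403, ...)
    print(authorize({}, "Orders.Admin"))   # (401, ...)
```

The 401 branch is the check worth keeping: if the App Service setting is left at "allow anonymous requests", unauthenticated traffic reaches the app with no principal header, and an app that assumes the header is always present will either crash or, worse, treat everyone as the same user.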

221
MCQeasy

You need to design a monitoring solution for a set of Azure virtual machines running a business-critical application. The solution must provide centralized log management, enable real-time analysis of security events, and support custom alerts for anomalous behavior. Which Azure service should you use?

A.Azure Log Analytics
B.Microsoft Defender for Cloud
C.Azure Monitor
D.Microsoft Sentinel
AnswerD

Microsoft Sentinel is a cloud-native SIEM that provides log management, analysis, and custom alerts.

Why this answer

Option D is correct because Microsoft Sentinel is the cloud-native SIEM: it centralizes logs, runs scheduled and near-real-time analytics rules over them, and raises incidents from custom alert rules. Option C (Azure Monitor) collects metrics and logs and can alert on them, but has no SIEM features such as correlation rules, incidents, or threat intelligence. Option A (Log Analytics) is the workspace and query engine underneath both Azure Monitor and Sentinel, a component rather than the solution.

Option B (Microsoft Defender for Cloud) focuses on security posture management and workload threat protection; its alerts are typically forwarded into Sentinel rather than the other way round.

222
MCQeasy

A company plans to deploy a stateless web application on Azure virtual machines. They want to ensure that the application remains available in the event of a hardware failure within a single Azure datacenter. The VMs must be placed in a way that ensures they are on different physical servers and racks, but are still within the same datacenter. Which deployment strategy should they use?

A.Deploy the VMs in an Availability Set.
B.Deploy the VMs in different Availability Zones.
C.Deploy the VMs in a single Virtual Machine Scale Set with a large instance count.
D.Deploy each VM in a separate resource group.
AnswerA

An Availability Set distributes VMs across fault domains (different racks) and update domains within a datacenter, protecting against hardware failures and maintenance.

Why this answer

An Availability Set ensures that VMs are distributed across multiple fault domains (different physical servers, racks, and network switches) and update domains within a single Azure datacenter. This protects against hardware failures in that datacenter by guaranteeing that not all VMs are affected by the same local failure, while keeping them in the same datacenter for low-latency communication.

Exam trap

The trap here is that candidates often confuse Availability Zones (which span multiple datacenters) with Availability Sets (which operate within a single datacenter), leading them to select the zone-based option when the question explicitly requires staying within the same datacenter.

How to eliminate wrong answers

Option B is wrong because Availability Zones place VMs in physically separate datacenters within a region, and the question explicitly requires the VMs to stay in the same datacenter. Option C is wrong because a scale set is a scaling and management construct rather than the placement guarantee being asked for; a regional scale set is backed by an implicit availability set, so it is availability-set placement that spreads the instances across fault and update domains, and a large instance count adds nothing to that isolation. Option D is wrong because resource groups are logical containers for management and RBAC scoping; they have no effect on physical placement or fault-domain isolation.

223
MCQmedium

Refer to the exhibit. A custom role is created. A user assigned this role reports being unable to view the VM's boot diagnostics in the Azure portal. What is the most likely reason?

A.The user does not have permission to start or restart the VM
B.The VM is stopped and deallocated
C.The role lacks permissions to the diagnostics storage account
D.The role does not include Microsoft.Compute/virtualMachines/read
AnswerC

Missing storage account permissions.

Why this answer

Option C is correct because, when boot diagnostics writes to a customer-managed diagnostics storage account, the portal reads the screenshot and serial-log blobs from that account, which requires Microsoft.Storage/storageAccounts/read and Microsoft.Storage/storageAccounts/listKeys/action (the portal uses the account keys to fetch the blobs). A role that grants only Microsoft.Compute actions cannot reach the data. Option A is wrong because start and restart are permitted by the role and in any case are not needed to view diagnostics. Option B is wrong because the VM's power state does not produce an authorization failure; a deallocated VM simply has no fresh screenshot.

Option D is wrong because the role does include Microsoft.Compute/virtualMachines/read; without it the user could not open the VM at all. Note that listKeys/action is a sensitive permission (it exposes the storage account keys and therefore everything in the account), so grant it at the scope of the diagnostics account only, or switch the VM to managed boot diagnostics, which stores the data in a Microsoft-managed account and does not involve storage-account permissions.
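A way to check a custom role for exactly this gap before assigning it, as an added example that is not code from the page or from Microsoft's tooling: the function below reproduces Azure RBAC's matching rules for control-plane actions (a '*' in an Actions or NotActions pattern matches any characters including '/', comparison is case-insensitive, and the effective permission is Actions minus NotActions) and lists which of the actions needed for boot diagnostics are missing. The two role definitions are constructed for the example, since the exhibit is not on the page; the required-action list is the one given in the answer explanation.

```python
"""Static check of an Azure custom role definition against required actions (added example)."""
import re
from typing import Dict, List


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard match: '*' spans path segments, names are case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_permits(role: Dict, action: str) -> bool:
    """True if a permissions entry allows the action and does not exclude it via notActions."""
    for perm in role.get("permissions", []):
        allowed = any(action_matches(p, action) for p in perm.get("actions", []))
        denied = any(action_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def missing_actions(role: Dict, required: List[str]) -> List[str]:
    """The subset of required actions the role does not grant, in the order given."""
    return [a for a in required if not role_permits(role, a)]


# Actions the portal needs to show boot diagnostics kept in a customer-managed
# storage account: read the VM, read the account, list its keys to fetch the blobs.
BOOT_DIAGNOSTICS_ACTIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/listKeys/action",
]

# Constructed: a role like the one in the question, VM read/start/restart only.
VM_OPERATOR_BROKEN = {
    "roleName": "VM Operator (broken)",
    "permissions": [{
        "actions": [
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Compute/virtualMachines/start/action",
            "Microsoft.Compute/virtualMachines/restart/action",
        ],
        "notActions": [],
    }],
}

# Constructed: the same role with the storage actions added. listKeys hands out the
# account keys, so it is granted as an explicit action rather than a 'Microsoft.Storage/*'
# wildcard, and the VM wildcard is narrowed with notActions. assignableScopes, which
# limits where the role can be assigned at all, is omitted here.
VM_OPERATOR_FIXED = {
    "roleName": "VM Operator (fixed)",
    "permissions": [{
        "actions": [
            "Microsoft.Compute/virtualMachines/*",
            "Microsoft.Storage/storageAccounts/read",
            "Microsoft.Storage/storageAccounts/listKeys/action",
        ],
        "notActions": [
            "Microsoft.Compute/virtualMachines/delete",
            "Microsoft.Compute/virtualMachines/extensions/*",
        ],
    }],
}

if __name__ == "__main__":
    print("broken role lacks:", missing_actions(VM_OPERATOR_BROKEN, BOOT_DIAGNOSTICS_ACTIONS))
    print("fixed role lacks: ", missing_actions(VM_OPERATOR_FIXED, BOOT_DIAGNOSTICS_ACTIONS))
```

Run it over the JSON you are about to pass to az role definition create and it reports the two Microsoft.Storage actions missing from the broken role and nothing missing from the fixed one; the notActions entries show why a wildcard-plus-exclusions role still refuses virtualMachines/delete and any extensions operation, which is the pattern to use when you need a broad read/operate role without handing out code-execution paths like the Custom Script extension.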

224
MCQmedium

A company is designing a hybrid network solution connecting an on-premises data center to Azure. They require high availability with active-active routing and need to support up to 10 Gbps throughput. Which Azure service should they include in the design?

A.Site-to-Site VPN Gateway
B.Azure Virtual WAN
C.ExpressRoute FastPath
D.ExpressRoute Direct
AnswerC

FastPath bypasses the ExpressRoute gateway on the data path, which is what lifts the throughput ceiling; the circuit's two BGP connections run active-active.

Why this answer

ExpressRoute FastPath sends traffic from the circuit straight to the virtual network, bypassing the ExpressRoute virtual network gateway on the data path, so the gateway is no longer the throughput bottleneck; it requires an Ultra Performance or ErGw3AZ gateway SKU, and the circuit it rides on is provisioned as a pair of BGP connections that run active-active. Option A is wrong because a VPN gateway is limited to far lower aggregate throughput and, unless explicitly deployed in active-active mode, is active-passive. Option B is wrong because Azure Virtual WAN is a hub-and-spoke management layer that still relies on ExpressRoute or VPN as its transport.

Option D is wrong for this question because ExpressRoute Direct addresses port capacity (dedicated 10 Gbps or 100 Gbps physical ports into Microsoft's network) rather than the data-path bottleneck at the gateway that FastPath removes.

225
MCQeasy

A company deploys a web application in two Azure regions for high availability. They need to automatically direct users to the nearest healthy region based on geographic location and endpoint health. Which Azure service should they use?

A.Azure Traffic Manager
B.Azure Load Balancer
C.Azure Application Gateway
D.Azure Front Door
AnswerA

Traffic Manager uses DNS to route traffic to the nearest healthy region, providing simple global load balancing.

Why this answer

Azure Traffic Manager is a DNS-based traffic load balancer that directs users to the nearest healthy region based on geographic location and endpoint health, making it the fit for global high-availability scenarios with automatic failover across regions. Because it works at the DNS layer it never sees the application traffic: it returns the chosen endpoint's address to the client's DNS resolver, so 'nearest' is judged from the resolver's location (the Performance routing method uses latency measurements, the Geographic method maps the query's source region to endpoints), and clients keep using a failed endpoint until the DNS TTL expires and health probes have marked it degraded.

Exam trap

The trap here is that candidates often confuse Azure Front Door with Traffic Manager because both can route traffic globally, but Front Door is an application delivery controller with integrated WAF and SSL offload, whereas Traffic Manager is a simpler DNS-based load balancer focused solely on geographic and health-based routing.

How to eliminate wrong answers

Option B (Azure Load Balancer) is wrong because it operates at Layer 4 (TCP/UDP) and distributes traffic within a single region, not across multiple regions or based on geographic location. Option C (Azure Application Gateway) is wrong because it is a regional Layer 7 load balancer with features like SSL termination and URL-based routing, but it does not provide global geographic routing or multi-region failover. Option D (Azure Front Door) is wrong because, while it offers global load balancing and geographic routing, it is primarily an HTTP/HTTPS application delivery platform with advanced web application firewall (WAF) capabilities; for simple DNS-based geographic routing and health monitoring, Traffic Manager is the correct and more lightweight choice.
