CCNA Infrastructure Solutions Questions

67 of 292 questions · Page 4/4 · Infrastructure Solutions topic

226
MCQ · easy

A company has an on-premises data center and wants to connect it to Azure to extend their network. They require a dedicated, private, high-bandwidth connection that is not routed over the public internet. They also want a lower-cost backup connection for redundancy in case the primary connection fails. Which combination of connectivity options should they implement?

A.ExpressRoute as the primary connection and a Site-to-Site VPN as the backup connection.
B.Two ExpressRoute circuits from different service providers, both active.
C.Site-to-Site VPN as the primary connection and Point-to-Site VPN as the backup.
D.Azure VPN Gateway with active-passive mode and a second VPN Gateway for failover.
Answer: A

ExpressRoute provides a private, dedicated circuit with high bandwidth and low latency. A Site-to-Site VPN over the internet is a cost-effective backup that can be activated if ExpressRoute fails.

Why this answer

ExpressRoute provides a dedicated, private, high-bandwidth connection that bypasses the public internet, meeting the primary requirement. A Site-to-Site VPN over the internet serves as a cost-effective backup path for redundancy, as it uses encrypted tunnels over the public internet without the recurring costs of a second ExpressRoute circuit.

Exam trap

The trap here is that candidates often assume two ExpressRoute circuits are required for redundancy, overlooking the cost-effective alternative of using a Site-to-Site VPN as a backup, which still meets the redundancy requirement without the high cost of a second private connection.

How to eliminate wrong answers

Option B is wrong because two active ExpressRoute circuits from different providers provide high availability but at a higher cost, not a lower-cost backup. Option C is wrong because a Site-to-Site VPN as the primary connection does not meet the requirement for a dedicated, private, high-bandwidth connection not routed over the public internet; Point-to-Site VPN is for individual client connections, not site-to-site redundancy. Option D is wrong because Azure VPN Gateway with active-passive mode and a second VPN Gateway for failover still uses the public internet, failing the private connection requirement, and is more complex and costly than a single VPN Gateway with active-passive mode.

227
MCQ · easy

A company has multiple virtual networks in different Azure regions. They need to connect all VNets together securely over the Microsoft backbone. They also need to connect to an on-premises data center via ExpressRoute. The solution should support transitive routing between all connected networks. Which Azure service should they use?

A.Azure Virtual Network Peering
B.Azure VPN Gateway
C.Azure Virtual WAN
D.Azure ExpressRoute Gateway
Answer: C

Virtual WAN provides a hub that connects multiple VNets and on-premises sites with automatic transitive routing.

Why this answer

Azure Virtual WAN is the correct choice because it provides a hub-and-spoke architecture that supports transitive routing between all connected networks (multiple VNets across regions and on-premises via ExpressRoute) over the Microsoft backbone. It natively integrates ExpressRoute and VPN gateways into a single managed service, enabling seamless connectivity and routing between any spoke VNet, branch, or on-premises site without requiring manual peering or gateway transit configuration.

Exam trap

The trap here is that candidates often choose Azure Virtual Network Peering (Option A) because they assume peering supports transitive routing, but Azure explicitly does not allow transitive routing through peered VNets unless you use a hub VNet with a network virtual appliance or enable gateway transit, which is not the same as native transitive routing.

How to eliminate wrong answers

Option A is wrong because Azure Virtual Network Peering does not support transitive routing; if you peer VNet A to VNet B and VNet B to VNet C, traffic cannot flow from A to C through B without additional configuration (e.g., a network virtual appliance or hub VNet). Option B is wrong because Azure VPN Gateway provides site-to-site or point-to-site connectivity over the public internet, not over the Microsoft backbone, and it does not natively support transitive routing between multiple VNets across regions without complex manual routing and additional gateways. Option D is wrong because Azure ExpressRoute Gateway is a component that connects a single VNet to an ExpressRoute circuit; it does not provide transitive routing between multiple VNets or across regions, and it requires additional services (like Virtual WAN or a hub VNet) to achieve full mesh connectivity.

228
MCQ · hard

A financial services company is designing a data platform on Azure that must comply with strict regulatory requirements. The platform will store sensitive customer data in Azure SQL Database. The company needs to prevent data exfiltration and ensure that only authorized Microsoft Entra ID users can access the data. The solution must also encrypt data at rest and in transit. Which combination of Azure services should the company implement?

A.Azure SQL Database firewall rules, Transparent Data Encryption (TDE), and Always Encrypted
B.Azure SQL Database with IP firewall rules, TLS 1.2, and Azure Information Protection
C.Azure SQL Database with Managed Identity, Azure Private Link, and Transparent Data Encryption (TDE)
D.Azure SQL Database with Microsoft Entra ID authentication, Azure Key Vault, and Azure Storage Service Encryption
Answer: C

Private Link prevents exposure to the internet, Managed Identity ensures only authorized identities can connect, and TDE encrypts data at rest.

Why this answer

Option A (Azure SQL Database firewall rules + Transparent Data Encryption + Always Encrypted) meets the encryption requirements but does not prevent data exfiltration. Option B (IP firewall rules + TLS 1.2 + Azure Information Protection) also does not prevent exfiltration. Option C (Managed Identity + Azure Private Link + Transparent Data Encryption) provides private connectivity, identity-based access, and encryption. Option D (Microsoft Entra ID authentication + Azure Key Vault + Azure Storage Service Encryption) is partially correct, but Azure Storage Service Encryption is not relevant to Azure SQL Database.

The best answer is C because Private Link keeps traffic within the Microsoft backbone, Managed Identity restricts access to authorized identities, and TDE encrypts data at rest.

229
MCQ · medium

You are an Azure administrator. The above Azure Policy definition is assigned to a subscription. A developer tries to deploy a Virtual Machine with SKU Standard_DS2_v2. What will happen?

A.The deployment is denied and an error message is returned.
B.The deployment succeeds with a warning logged.
C.The VM is created but the SKU is changed to a different series.
D.The deployment succeeds because the policy only audits.
Answer: A

The policy denies VMs matching the condition.

Why this answer

Option A is correct because the policy denies any VM whose SKU name matches 'Standard_DS*' (a like match), and Standard_DS2_v2 matches that pattern. Option B (deployment succeeds with a warning) is false. Option C (SKU modified) is false. Option D (audit only) is false.

230
MCQ · hard

You are reviewing a network security group (NSG) rule for a subnet that hosts web servers. The subnet's address space is 10.0.1.0/24. What is the effect of this rule?

A.The rule allows inbound TCP traffic on ports 80 and 443 from any source.
B.The rule allows inbound TCP traffic on ports 80 and 443 from the same subnet.
C.The rule denies inbound TCP traffic on ports 80 and 443 from any source.
D.The rule allows inbound TCP traffic on ports 80 and 443 from the internet.
Answer: B

Source is 10.0.1.0/24, which is the same subnet.

Why this answer

Option B is correct. The exhibit shows SourceAddressPrefixes: ["10.0.1.0/24"], which is the subnet's own address space, so the rule allows inbound TCP traffic on ports 80 and 443 only from sources within that subnet. Option A is incorrect because the rule is scoped to 10.0.1.0/24, not to any source. Option C is incorrect because the rule is an allow rule, not a deny rule. Option D is incorrect because the source prefix is the internal subnet, not the Internet.

231
MCQ · easy

You are designing a storage solution for a new application that will store large binary files (up to 5 TB each) and require high throughput for sequential reads. The data is accessed infrequently but must be retained for 7 years for compliance. Which Azure storage solution should you recommend?

A.Azure Blob Storage in the Cool tier
B.Azure Managed Disks with Standard HDD
C.Azure Files shares in the Premium tier
D.Azure NetApp Files with Standard service level
Answer: A

Supports large blobs, cost-effective for infrequent access, and meets retention requirements.

Why this answer

Option A is correct because Azure Blob Storage supports large blobs (up to ~4.75 TB) and the Cool tier is cost-effective for infrequently accessed data with long retention. Option C (Azure Files) has size limits. Option B (Azure Managed Disks) is for VM disks, not unstructured data.

Option D (Azure NetApp Files) is for enterprise workloads and is not cost-effective for archival.

232
Matching · medium

Match each Azure monitoring service to its function.


Concepts
Matches

Collect, analyze, and act on telemetry

Query and analyze log data

Application performance monitoring (APM)

Personalized recommendations for best practices

Personalized alerts for service issues

Why these pairings

These are the primary tools for monitoring and observability.

233
MCQ · easy

You are designing a backup strategy for Azure virtual machines that must support application-consistent backups and be capable of restoring to a different Azure region. Which solution should you use?

A.Azure Site Recovery
B.Azure Files
C.Azure Disk Backup
D.Azure Backup
Answer: D

Azure Backup supports application-consistent backups using VSS and cross-region restore with GRS storage.

Why this answer

Option D is correct because Azure Backup supports application-consistent backups for VMs and cross-region restore. Option A is wrong because Azure Site Recovery provides disaster recovery, not backup. Option C is wrong because Azure Disk Backup supports disk-level backups but not application-consistent backups.

Option B is wrong because Azure Files is a storage service, not a backup service.

234
MCQ · medium

You are designing a network topology for a multi-tier application in Azure. The application has a web tier, an API tier, and a database tier. You need to ensure that the web tier can communicate with the API tier, and the API tier can communicate with the database tier, but the web tier cannot directly access the database tier. Which Azure networking solution should you implement?

A.Azure Firewall
B.Network Security Groups (NSGs) with service tags
C.Azure Application Security Groups (ASGs)
D.VNet peering
Answer: C

ASGs allow you to group VMs and define security rules based on application tiers, simplifying policy management.

Why this answer

Option C is correct because Azure Application Security Groups (ASGs) allow you to define network security policies based on application groups, and you can create rules that permit traffic only between specific tiers. Option B is wrong because NSGs alone would require complex rule management. Option A is wrong because Azure Firewall is a managed firewall but is overkill for this scenario.

Option D is wrong because VNet peering is for connecting VNets, not controlling traffic within a VNet.

235
MCQ · easy

You are designing a cloud-native application that will run on Azure Kubernetes Service (AKS). The application needs to authenticate users and manage access to resources. Which identity service should you use?

A.Microsoft Entra External ID
B.Microsoft Entra ID
C.Microsoft Account
D.Azure Active Directory Domain Services
Answer: B

Microsoft Entra ID (formerly Azure AD) is the identity provider for Azure, offering authentication and authorization for AKS via managed identities or service principals.

Why this answer

Microsoft Entra ID is the cloud-based identity and access management service for Azure, providing authentication and authorization for AKS workloads.

236
Multi-Select · easy

Which TWO of the following are benefits of using Azure Policy? (Choose two.)

A.Assess compliance of resources against defined policies
B.Enforce tagging conventions on resources
C.Manage access control for resources
D.Create new Azure resources based on a template
E.Automatically remediate non-compliant resources without manual intervention
Answers: A, B

Azure Policy provides a compliance dashboard and compliance evaluation.

Why this answer

Azure Policy enforces organizational standards and assesses compliance. Option B (enforce tagging conventions) is a common use. Option A (assess compliance) is a core feature.

Option E is wrong because Azure Policy does not auto-remediate; it can trigger remediation tasks but not automatically fix all issues. Option D is wrong because Azure Policy does not create resources. Option C is wrong because access control is handled by RBAC, which is separate.

237
MCQ · medium

A company deploys a web application on Azure virtual machines (VMs) across multiple availability zones in the East US region. The application receives HTTPS traffic. They need to distribute incoming traffic across the VMs, offload SSL/TLS termination, and ensure that client requests from the same user session are always sent to the same backend VM (session persistence). Which Azure load balancing solution should they choose?

A.Azure Load Balancer
B.Azure Application Gateway
C.Azure Traffic Manager
D.Azure Front Door
Answer: B

Application Gateway is a layer-7 load balancer that provides SSL termination, cookie-based session affinity, and URL-based routing. It can distribute HTTPS traffic across VMs in availability zones.

Why this answer

Azure Application Gateway is the correct choice because it is a Layer 7 load balancer that supports SSL/TLS termination, cookie-based session persistence (affinity), and can distribute HTTPS traffic across VMs in multiple availability zones. These features directly match all three requirements: SSL offloading, session persistence, and cross-zone traffic distribution.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4) with Application Gateway (Layer 7), assuming any load balancer can handle SSL termination and session persistence, but only Layer 7 solutions like Application Gateway or Front Door provide cookie-based affinity and SSL offload.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer operates at Layer 4 (TCP/UDP) and does not support SSL/TLS termination or application-layer session persistence; it can only maintain session affinity using source IP hashing, which is not cookie-based and less reliable for HTTPS. Option C is wrong because Azure Traffic Manager is a DNS-based global traffic router that does not perform SSL termination or session persistence; it directs clients to regional endpoints based on DNS resolution, not per-request load balancing. Option D is wrong because Azure Front Door is a global Layer 7 service that supports SSL termination and session affinity, but it is designed for global distribution across regions, not for distributing traffic within a single region across availability zones; it adds unnecessary latency and complexity for a regional-only workload.

238
MCQ · hard

A multinational organization is designing a Microsoft 365 deployment for 10,000 users. The organization requires that all users have a consistent experience and that desktop settings follow users across devices. The solution must also support offline access to files and automatic sync. Which Microsoft 365 service should the organization use?

A.Microsoft Entra ID
B.Microsoft Intune
C.Enterprise State Roaming
D.OneDrive for Business
Answer: D

OneDrive for Business provides file sync, offline access, and Known Folder Move which roams user folders, meeting the requirements.

Why this answer

Option B (Microsoft Intune) manages devices and can enforce configuration policies, but it does not roam user settings. Option A (Microsoft Entra ID) provides identity, not settings or file sync, although Enterprise State Roaming is enabled through it. Option C (Enterprise State Roaming) roams Windows settings and application data across devices, but it does not sync files or provide offline access to them. Option D (OneDrive for Business) provides file sync, offline access, and Known Folder Move, which roams the user's Desktop, Documents and Pictures folders, but it does not roam Windows settings such as wallpaper or taskbar layout.

No single option covers both settings roaming and file sync; the complete solution is Enterprise State Roaming combined with OneDrive for Business, so the question is arguably flawed as a single-choice item. Because the stem explicitly requires offline access to files and automatic sync, which only OneDrive provides, Option D is the best available answer, with settings roaming handled separately.

239
MCQ · hard

Your organization has a hybrid identity solution using Microsoft Entra ID (formerly Azure AD) and on-premises Active Directory. You need to design a solution that allows users to use their on-premises credentials to authenticate to cloud applications, but you want to avoid synchronizing password hashes to the cloud. Which authentication method should you choose?

A.Seamless Single Sign-On
B.Pass-through Authentication
C.Active Directory Federation Services (AD FS)
D.Password Hash Synchronization
Answer: B

Pass-through Authentication validates passwords on-premises without storing hashes in the cloud.

Why this answer

Pass-through Authentication allows users to sign in using their on-premises password without synchronizing password hashes to Microsoft Entra ID. Option D (Password Hash Synchronization) requires hash sync. Option C (Federation with AD FS) requires federation infrastructure.

Option A (Seamless Single Sign-On) is a feature that works alongside other authentication methods rather than a standalone authentication method.

240
MCQ · hard

A company has multiple Azure subscriptions and wants to enforce consistent network policies across all VNets. They need to ensure that all traffic going out to the internet is inspected by a central firewall. The solution must be scalable and support multiple regions. What should they implement?

A.Use Azure Virtual WAN with a secured hub and Azure Firewall Manager
B.Deploy Azure Firewall in each subscription and route traffic through it
C.Use Azure Policy to enforce route tables on each VNet
D.Create VNet peering and use a network virtual appliance in one subscription
Answer: A

Virtual WAN provides centralized routing and inspection across regions.

Why this answer

Option A is correct because Azure Virtual WAN with a secured hub managed through Azure Firewall Manager provides centralized internet inspection across multiple subscriptions and regions. Option B is incorrect because Azure Firewall deployed per subscription does not scale across subscriptions without Virtual WAN. Option C is incorrect because Azure Policy enforces rules but does not inspect traffic.

Option D is incorrect because VNet peering does not centralize traffic inspection.

241
MCQ · hard

A company is designing a hub-spoke network topology in Azure. The hub contains a third-party network virtual appliance (NVA) for inspection. Spokes need to communicate with each other, and all inter-spoke traffic must be routed through the NVA in the hub. Which configuration should they use?

A.Set route tables on spoke subnets with a 0.0.0.0/0 route to the Internet
B.Configure Azure Firewall in the hub with forced tunneling to on-premises
C.Create user-defined routes (UDRs) in each spoke subnet that force traffic to go through the hub NVA
D.Use VNet peering with gateway transit enabled
Answer: C

UDRs allow precise control of traffic routing; adding a route for the spoke address spaces with the NVA's IP as the next hop enforces inspection.

Why this answer

Option C is correct because user-defined routes (UDRs) allow you to explicitly override Azure's default system routes. By adding a route in each spoke subnet with the hub NVA's private IP as the next hop for inter-spoke traffic (e.g., 10.1.0.0/16 -> 10.0.0.4), all traffic between spokes is forced through the NVA for inspection. This ensures the hub-spoke topology meets the requirement without relying on Azure Firewall or Internet routing.

Exam trap

The trap here is that candidates often confuse VNet peering's built-in transitive routing (which is disabled by default) with the ability to force traffic through an NVA, mistakenly thinking peering alone or gateway transit can achieve the required inspection without explicit UDRs.

How to eliminate wrong answers

Option A is wrong because a 0.0.0.0/0 route to the Internet would send all outbound traffic to the Internet, not through the hub NVA, and would not route inter-spoke traffic correctly. Option B is wrong because Azure Firewall with forced tunneling to on-premises would route traffic to on-premises, not through the hub NVA, and does not satisfy the requirement for inter-spoke inspection within Azure. Option D is wrong because VNet peering with gateway transit enables spokes to use a VPN gateway in the hub, but it does not force inter-spoke traffic through an NVA; it only provides transitive routing via the gateway, not custom inspection.

242
Multi-Select · easy

You are designing a network architecture for a three-tier application in Azure. The web tier must be accessible from the internet. The application tier must only accept traffic from the web tier. The database tier must only accept traffic from the application tier. Which TWO Azure services should you use to enforce these network rules? (Choose two.)

A.Azure Bastion
B.Network Security Groups (NSGs)
C.Azure Application Gateway
D.Azure Front Door
E.Azure Firewall
Answers: B, C

Restrict traffic between subnets.

Why this answer

Options B and C are correct. Azure Application Gateway provides web traffic routing and WAF for the internet-facing web tier. Network Security Groups (NSGs) allow inbound/outbound rules to restrict traffic between tiers.

Option E is wrong because Azure Firewall is a stateful firewall but is not needed for simple tier isolation. Option A is wrong because Azure Bastion is for RDP/SSH access. Option D is wrong because Azure Front Door is for global load balancing.

243
MCQ · easy

A company deploys a web application on Azure VMs within a single region. They need to distribute incoming HTTP traffic across multiple VMs, offload SSL encryption, and maintain session persistence (sticky sessions) for user sessions. Which Azure load balancing solution should they use?

A.Azure Load Balancer
B.Azure Application Gateway
C.Azure Traffic Manager
D.Azure Front Door
Answer: B

Application Gateway is a Layer 7 load balancer that offloads SSL, supports sticky sessions, and distributes HTTP traffic.

Why this answer

Azure Application Gateway is the correct choice because it is a Layer 7 load balancer that can route HTTP/HTTPS traffic, offload SSL/TLS encryption, and support session affinity (sticky sessions) using cookies. Unlike a Layer 4 load balancer, it can inspect application-layer data, making it ideal for web applications requiring SSL termination and persistent user sessions.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4) with Application Gateway (Layer 7), assuming all load balancers support SSL offloading and sticky sessions, but only Layer 7 solutions like Application Gateway or Front Door provide these application-layer features.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer operates at Layer 4 (TCP/UDP) and cannot offload SSL encryption or maintain HTTP-based sticky sessions; it only distributes traffic based on IP and port. Option C is wrong because Azure Traffic Manager is a DNS-based global traffic router that does not handle SSL offloading or session persistence at the application layer; it directs clients to endpoints based on DNS resolution. Option D is wrong because Azure Front Door is a global Layer 7 service designed for multi-region distribution and acceleration, not for intra-region load balancing with SSL offloading and sticky sessions within a single region; it adds unnecessary complexity and cost for a single-region scenario.

244
MCQ · easy

A company is designing a virtual network architecture for a three-tier application (web, application, database). They want network isolation between tiers and secure access from the internet to the web tier only. Which Azure networking solution should they use?

A.Azure Virtual Network with subnets for each tier and Network Security Groups.
B.Azure Virtual Network with a single subnet and application security groups.
C.Azure Virtual Network with subnets and Azure Firewall.
D.Azure Virtual Network with subnets and a network virtual appliance (NVA).
Answer: A

This is the standard and most cost-effective approach. Subnets provide logical isolation, and NSGs enforce inbound/outbound rules. Internet traffic can be allowed only to the web subnet via a public IP and NSG rules.

Why this answer

Option A is correct because deploying each tier in its own subnet within an Azure Virtual Network and applying Network Security Groups (NSGs) allows granular inbound/outbound rule enforcement. NSGs can restrict traffic so that only the web tier is reachable from the internet (via a public IP or Azure Load Balancer), while the application and database tiers are isolated from direct internet access and can only communicate with the adjacent tier as defined by NSG rules.

Exam trap

The trap here is that candidates often over-engineer the solution by choosing Azure Firewall or an NVA for basic isolation, not realizing that NSGs with subnets are the native, cost-effective, and fully supported method for network segmentation within a single Azure VNet.

How to eliminate wrong answers

Option B is wrong because a single subnet with Application Security Groups (ASGs) still places all VMs in the same broadcast domain and does not provide network-level isolation between tiers; ASGs only group VMs logically for NSG rule application, but they do not prevent lateral traffic within the subnet without explicit NSG rules, and a single subnet cannot enforce separate routing or address spaces. Option C is wrong because Azure Firewall is a managed, stateful firewall service used for centralized inspection and logging across VNets or hybrid networks, but it is overkill and not the simplest solution for basic tier isolation within a single VNet; NSGs alone provide sufficient subnet-level filtering without the cost and complexity of a firewall. Option D is wrong because a Network Virtual Appliance (NVA) is typically used for advanced traffic inspection, routing, or security functions (e.g., third-party firewalls, WAN optimization) and is unnecessary for simple tier isolation; it adds operational overhead and cost when NSGs can achieve the same isolation with less complexity.

245
MCQ · hard

A global company is deploying a microservices application on AKS clusters in multiple Azure regions. They need to provide a single endpoint for users worldwide with SSL offloading, web application firewall, and URL path-based routing to the nearest healthy AKS cluster. They also need global load balancing with automatic failover. Which Azure service should they use?

A.Azure Front Door
B.Azure Application Gateway
C.Azure Traffic Manager
D.Azure Load Balancer
Answer: A

Front Door provides global HTTP load balancing with SSL termination, WAF, and URL routing. It uses anycast to direct users to the nearest healthy endpoint, and supports path-based routing to different backends (AKS clusters).

Why this answer

Azure Front Door is the correct choice because it provides global HTTP/HTTPS load balancing with SSL offloading, web application firewall (WAF) integration, and URL path-based routing. It uses Anycast-based routing to direct users to the nearest healthy AKS cluster, ensuring low latency and automatic failover across regions.

Exam trap

The trap here is that candidates often confuse Azure Front Door with Azure Traffic Manager, but Traffic Manager only provides DNS-level routing without application-layer features like SSL offloading, WAF, or path-based routing.

How to eliminate wrong answers

Option B is wrong because Azure Application Gateway is a regional load balancer that operates within a single Azure region and cannot provide global load balancing or cross-region failover. Option C is wrong because Azure Traffic Manager is a DNS-based global traffic router that does not support SSL offloading, WAF, or URL path-based routing at the application layer. Option D is wrong because Azure Load Balancer is a Layer 4 (TCP/UDP) load balancer that operates regionally and lacks application-layer features like SSL termination, WAF, and path-based routing.

246
MCQ · hard

A multinational corporation needs to design a global DNS solution for Azure resources. They require automatic failover across Azure regions and low-latency responses based on the client's geographic location. The solution must also support custom domains without exposing the underlying Azure public IP addresses. Which combination of Azure services should they use?

A.Azure Traffic Manager with geographic routing and Azure Front Door
B.Azure Application Gateway with Azure Front Door
C.Azure DNS with Azure Traffic Manager
D.Azure Traffic Manager with priority routing and Azure Application Gateway
Answer: A

Traffic Manager provides global load balancing and Front Door provides custom domain and private endpoint support.

Why this answer

Azure Traffic Manager with geographic routing and Azure Front Door with custom domain and private endpoint integration provides the required functionality. Option C is wrong because Azure DNS does not provide traffic routing. Option B is wrong because Application Gateway does not provide global routing.

Option D is wrong because Traffic Manager alone does not support custom domains without exposing IPs.

247
MCQmedium

Your company is expanding its Azure presence to a new region in Asia. You need to design a network connectivity solution between the on-premises data center in New York and the new Azure region in Singapore. The solution must provide high bandwidth, low latency, and high availability. The company already has an ExpressRoute circuit to the East US region. You want to use that circuit to extend connectivity to Singapore if possible. The budget allows for additional ExpressRoute circuits if needed. What should you recommend?

A.Set up a site-to-site VPN between the on-premises network and the Singapore region.
B.Use ExpressRoute Global Reach to connect the on-premises network to the Singapore region via the existing circuit.
C.Deploy Azure Front Door to route traffic between on-premises and Singapore.
D.Peer the East US VNet with the Singapore VNet and route traffic through the existing ExpressRoute.
AnswerB

Global Reach enables connectivity to any Azure region with low latency and high availability.

Why this answer

Option B is correct because ExpressRoute Global Reach allows you to connect your on-premises network to multiple Azure regions using a single circuit, providing low latency and high bandwidth. Option A is wrong because a site-to-site VPN over the internet may have variable latency and is less reliable. Option D is wrong because VNet peering does not connect on-premises to Azure.

Option C is wrong because Azure Front Door is a global load balancer, not a WAN connectivity solution.

248
Multi-Selectmedium

Your company plans to migrate a legacy on-premises application to Azure. The application has a monolithic architecture and requires low-latency access to a shared file system. You need to choose a migration strategy that minimizes changes to the application code. Which TWO options should you recommend? (Choose two.)

Select 2 answers
A.Use Azure Migrate to perform a lift-and-shift migration to Azure VMs
B.Refactor the application to run in Azure Kubernetes Service (AKS)
C.Migrate the file share to Azure Files
D.Migrate the file share to Azure NetApp Files
E.Rearchitect the application to use a microservices architecture
AnswersA, C

Lift-and-shift minimizes code changes by moving VMs as-is.

Why this answer

Options A and C are correct. Azure Migrate with lift-and-shift moves VMs as-is, minimizing code changes. Azure Files provides a managed file share that can be accessed via SMB.

Option B is wrong because refactoring to containers requires code changes. Option D is wrong because Azure NetApp Files is also a file share but is more expensive and complex for this scenario. Option E is wrong because rearchitecting to microservices is a major change.

249
MCQmedium

A company deploys a web application on Azure VMs in an availability set. They need to expose the application to the internet with SSL termination and health probes. Additionally, they need to protect against DDoS attacks and common web vulnerabilities. Which Azure service should they use?

A.Azure Application Gateway with Web Application Firewall (WAF) and DDoS Protection
B.Azure Front Door with WAF and DDoS Protection
C.Azure Traffic Manager and Azure Load Balancer
D.Azure CDN with WAF
AnswerA

Application Gateway offers SSL termination, health probes, WAF, and can be combined with DDoS Protection.

Why this answer

Azure Application Gateway with WAF and DDoS Protection is the correct choice because it provides Layer 7 load balancing with SSL termination at the gateway, health probes for backend VMs, and the WAF feature protects against common web vulnerabilities (e.g., OWASP Top 10). DDoS Protection (Azure DDoS Network Protection) can be enabled on the virtual network hosting the Application Gateway to mitigate volumetric attacks. This combination directly meets all stated requirements: internet exposure, SSL offload, health monitoring, and dual-layer security.

Exam trap

The trap here is that candidates confuse Azure Front Door (global, multi-region) with Application Gateway (regional, single-region), overlooking that the question specifies an availability set (single-region) and requires SSL termination and health probes at the gateway level, which Front Door does not natively provide for a single-region backend.

How to eliminate wrong answers

Option B (Azure Front Door with WAF and DDoS Protection) is wrong because Azure Front Door is a global, anycast-based service designed for multi-region load balancing and HTTP(S) acceleration, not for terminating SSL directly on a single-region availability set; it also lacks native health probes for VM-level backend pools without additional configuration. Option C (Azure Traffic Manager and Azure Load Balancer) is wrong because Traffic Manager is a DNS-level traffic router (Layer 3/4) that cannot perform SSL termination or WAF inspection, and Azure Load Balancer operates at Layer 4 without application-layer security features. Option D (Azure CDN with WAF) is wrong because Azure CDN is a content delivery network focused on caching static content and does not provide SSL termination for backend VMs or health probes for an availability set; its WAF integration is limited to edge rules, not full application-layer protection.

250
MCQeasy

A company needs to implement a hybrid identity solution that allows users to access both on-premises applications and Microsoft 365 using a single identity. The company has on-premises Active Directory Domain Services (AD DS). They want to synchronize identities to the cloud while also enabling password writeback for self-service password reset. Which Azure service should they use?

A.Microsoft Entra ID
B.Microsoft Entra Connect Health
C.Microsoft Entra Connect
D.Microsoft Entra Domain Services
AnswerC

Microsoft Entra Connect syncs identities and supports password writeback.

Why this answer

Option C is correct because Microsoft Entra Connect can synchronize identities and support password writeback. Option B is incorrect because Microsoft Entra Connect Health is for monitoring. Option D is incorrect because Microsoft Entra Domain Services provides managed domain services.

Option A is incorrect because Microsoft Entra ID is the cloud identity service but does not sync directly.

251
MCQmedium

A company wants to deploy a web application on Azure virtual machines (VMs). The application experiences variable traffic patterns, so the company needs to automatically add or remove VM instances based on CPU utilization. They also want the application to remain highly available even if an Azure datacenter fails. Which combination of Azure services should they use?

A.Virtual Machine Scale Sets configured with autoscale rules based on CPU and distributed across availability zones
B.Azure App Service with autoscale rules and deployment slots
C.Azure Load Balancer with a backend pool of VMs and autoscale rules applied to individual VMSS
D.Azure Traffic Manager with endpoints in separate regions and Manual scaling of VMs
AnswerA

VM Scale Sets allow you to define autoscale conditions (e.g., scale out when CPU > 75%) and can be deployed across availability zones. This provides both horizontal scaling and protection against a zone failure.

Why this answer

Virtual Machine Scale Sets (VMSS) with autoscale rules based on CPU utilization automatically add or remove VM instances to match variable traffic patterns. Distributing the VMSS across availability zones ensures the application remains highly available even if an entire Azure datacenter fails, because availability zones are physically separate datacenters within a region.

Exam trap

The trap here is that candidates often confuse Azure App Service (PaaS) with IaaS VM solutions, or assume that a load balancer alone can handle autoscaling, when in fact autoscale rules must be configured directly on the VMSS resource.

How to eliminate wrong answers

Option B is wrong because Azure App Service is a Platform-as-a-Service (PaaS) offering, not a VM-based solution, and the question explicitly requires deployment on Azure virtual machines. Option C is wrong because Azure Load Balancer distributes traffic but does not itself perform autoscaling; autoscale rules must be applied directly to the VMSS, not to individual VMs, and the phrase 'applied to individual VMSS' is redundant and misstates the architecture. Option D is wrong because Traffic Manager provides global DNS-based traffic routing across regions, but manual scaling of VMs does not meet the requirement for automatic scaling based on CPU utilization.

252
MCQmedium

Your company plans to migrate on-premises SQL Server databases to Azure. The databases require high availability with automatic failover to a secondary region in the event of a regional outage. The solution must minimize data loss and support read-only queries on the secondary replica. Which Azure service should you use?

A.Azure SQL Database with geo-restore
B.Azure SQL Database with active geo-replication
C.Azure SQL Database with failover groups
D.Azure SQL Managed Instance with failover groups
AnswerB

Active geo-replication provides a readable secondary in another region with automatic failover and minimal data loss.

Why this answer

Option B is correct because Azure SQL Database with active geo-replication provides automatic failover to a secondary region, supports read-only queries on the secondary, and minimizes data loss with synchronous replication within the primary region. Option D is wrong because Azure SQL Managed Instance does not support geo-replication by default. Option C is wrong because Azure SQL Database with failover groups uses asynchronous replication, which may cause data loss.

Option A is wrong because Azure SQL Database with geo-restore does not provide automatic failover or a readable secondary.

253
MCQeasy

A company has multiple branch offices and needs to connect them to Azure and to each other using a scalable, managed solution that simplifies network architecture. The solution should support automatic routing and integration with ExpressRoute and VPN. Which Azure service should they use?

A.Azure Virtual Network
B.Azure Virtual WAN
C.Azure ExpressRoute
D.Azure VPN Gateway
AnswerB

Virtual WAN offers a scalable, managed hub that connects branch offices, Azure VNets, and on-premises resources with automatic routing and integration with ExpressRoute/S2S VPN.

Why this answer

Azure Virtual WAN is a managed networking service that aggregates branch, VPN, and ExpressRoute connectivity into a single hub-and-spoke architecture. It automatically handles routing between branches and Azure, supports any-to-any connectivity, and integrates natively with ExpressRoute and VPN gateways, making it the correct choice for a scalable, managed solution that simplifies network architecture.

Exam trap

The trap here is that candidates often confuse Azure Virtual WAN with Azure Virtual Network, thinking that a simple VNet with VPN gateways can scale to interconnect multiple branches, but they overlook the managed, automatic routing and aggregation capabilities that Virtual WAN provides for multi-site topologies.

How to eliminate wrong answers

Option A is wrong because Azure Virtual Network is a fundamental building block for creating isolated networks in Azure, but it does not provide managed, automatic routing between multiple branch offices or native integration with ExpressRoute and VPN at scale; it requires manual configuration of peering, gateways, and routing. Option C is wrong because Azure ExpressRoute is a dedicated private connection from on-premises to Azure, but it does not connect multiple branch offices to each other or provide automatic routing between them; it is a connectivity option, not a managed WAN service. Option D is wrong because Azure VPN Gateway provides site-to-site VPN connectivity from a single branch to Azure, but it does not offer a managed, scalable hub for interconnecting multiple branches or automatic routing between them; it requires additional configuration and does not aggregate multiple connections into a single managed topology.

254
MCQhard

Refer to the exhibit. The ARM template provisions a VM. The deployment succeeds but the VM fails to start. What is the most likely cause?

A.The admin password is in plaintext and does not meet complexity requirements
B.The data disk size 1023 GB exceeds the maximum for StandardSSD_LRS
C.The network interface resource ID is incorrectly formatted
D.The VM size Standard_D2s_v3 is not available in the region
AnswerA

Plaintext password violates Azure policy.

Why this answer

Option A is correct because the template contains the admin password in plaintext, which violates Azure policy that requires a complex password or use of Key Vault. Option D is wrong because Premium_LRS is supported in most regions. Option B is wrong because StandardSSD_LRS is valid for data disks.

Option C is wrong because the NIC reference uses the correct resourceId function.

255
MCQmedium

You are designing a backup and disaster recovery solution for a financial services company. The company has a critical application running on Azure VMs with premium SSDs. The RPO for the application is 15 minutes, and the RTO is 1 hour. The application data is stored on a separate managed disk with a premium SSD. The company wants to ensure that backups are cost-effective and do not impact application performance. You need to recommend a backup strategy. What should you do?

A.Use Azure Site Recovery with replication from the primary to a secondary region.
B.Use Azure Disk Backup with a backup policy of 15-minute frequency.
C.Use Azure Backup with application-consistent snapshots and configure a backup policy with a 15-minute frequency.
D.Use Azure Compute Gallery to create custom snapshots every 15 minutes.
AnswerC

Azure Backup supports high-frequency backups and application consistency.

Why this answer

Option C is correct because Azure Backup with application-consistent snapshots can achieve an RPO of 15 minutes with high-frequency backup policies, and the use of premium SSDs ensures low performance impact. Option A is wrong because Azure Site Recovery has a higher RTO and is more expensive for backup. Option D is wrong because manual snapshots are not automated and can impact performance.

Option B is wrong because Azure Disk Backup does not provide application consistency and has a minimum backup frequency of 4 hours.

256
MCQeasy

You need to design a storage solution for a data lake that will store petabytes of structured and unstructured data. The data must be accessible from Azure Databricks and Azure Machine Learning. The solution must optimize costs by automatically moving data to cooler tiers when access frequency decreases. Which Azure storage solution should you use?

A.Azure Data Lake Storage Gen2
B.Azure Blob Storage (flat namespace)
C.Azure NetApp Files
D.Azure Files
AnswerA

ADLS Gen2 combines blob storage with a hierarchical namespace, supports lifecycle management, and integrates with Databricks and ML.

Why this answer

Option A is correct because Azure Data Lake Storage Gen2 provides a hierarchical namespace, integration with analytics services, and lifecycle management to tier data to the cool and archive tiers. Option B is wrong because Azure Blob Storage (flat namespace) is not optimized for data lake workloads. Option C is wrong because Azure NetApp Files is for high-performance file shares, not data lakes.

Option D is wrong because Azure Files is for file shares, not petabyte-scale data lakes.

257
MCQmedium

A company has an Azure virtual network (VNet) in the East US region hosting a web application. They need to securely connect to an on-premises data center in the same region using a dedicated, private network connection with high throughput and low latency. They also need a backup connection for redundancy in case the primary connection fails. Which connectivity solution should they implement?

A.Site-to-Site VPN only
B.ExpressRoute only
C.ExpressRoute as primary with Site-to-Site VPN as backup
D.Azure Virtual WAN with VPN
AnswerC

This combination provides a dedicated private connection for primary traffic and a lower-cost VPN as a redundant backup, meeting both performance and redundancy requirements.

Why this answer

ExpressRoute provides a dedicated, private, high-throughput, low-latency connection to Azure, ideal for the primary link. A Site-to-Site VPN over the internet serves as a cost-effective, encrypted backup path that activates if the ExpressRoute circuit fails, meeting the redundancy requirement without relying on the same physical infrastructure.

Exam trap

The trap here is that candidates often choose ExpressRoute only, forgetting that it lacks built-in redundancy and that a Site-to-Site VPN is the standard, cost-effective backup for ExpressRoute circuits in the same region.

How to eliminate wrong answers

Option A is wrong because a Site-to-Site VPN alone uses the public internet, which cannot guarantee the dedicated, high-throughput, low-latency private connection required for the primary link. Option B is wrong because ExpressRoute alone provides no automatic backup; if the circuit fails, connectivity is lost, violating the redundancy requirement. Option D is wrong because Azure Virtual WAN with VPN is a managed networking service that can aggregate multiple connections, but it does not inherently provide a dedicated private primary link with a VPN backup unless ExpressRoute is also configured; the option as stated lacks the ExpressRoute component needed for the primary connection.

258
MCQeasy

A small business is moving its on-premises file server to Azure. The company has 50 users and stores approximately 500 GB of data, which includes documents and spreadsheets. The users need to access the files from their Windows laptops both at the office and remotely. The company wants to minimize costs while ensuring that files are always available and secure. You need to recommend a storage solution. What should you recommend?

A.Migrate the files to Azure Blob Storage and use Azure Storage Explorer for access.
B.Use Azure Stack Edge to sync the data to Azure Blob Storage.
C.Deploy Azure NetApp Files with a Standard capacity pool.
D.Deploy Azure Files with Azure File Sync and use a Windows File Server on-premises.
AnswerD

Azure Files provides cloud file shares, File Sync enables caching on-premises.

Why this answer

Option D is correct because Azure Files with Azure File Sync provides cloud file shares that can be synced to an on-premises Windows Server for local access, and supports remote access via SMB over the internet. Option A is wrong because Azure Blob Storage is not a file share and does not support SMB access natively. Option C is wrong because Azure NetApp Files is too expensive for this small use case.

Option B is wrong because Azure Stack Edge is for edge computing, not file sharing.

259
MCQhard

A company uses Azure Firewall to secure outbound traffic from a hub virtual network. The security team reports that some traffic is bypassing the firewall because of asymmetric routing. You need to design a solution to force all outbound traffic through the firewall. What should you implement?

A.VNet peering with gateway transit
B.User Defined Routes (UDRs) with a default route (0.0.0.0/0) pointing to Azure Firewall
C.Azure Route Server
D.Azure Firewall Manager to enforce routing policies
AnswerB

UDRs override system routes and force all outbound traffic through the firewall, ensuring symmetric routing.

Why this answer

Option B is correct because User Defined Routes with a default route (0.0.0.0/0) pointing to the Azure Firewall private IP enforce traffic symmetry. Option D is wrong because Azure Firewall Manager does not enforce routing; it manages policies. Option A is wrong because VNet peering does not force traffic through a firewall.

Option C is wrong because Azure Route Server learns routes dynamically but does not enforce forced tunneling.

260
MCQmedium

A media company is building a video streaming platform on Azure. The platform will store original high-definition videos and convert them to multiple resolutions for distribution. The company needs a cost-effective storage solution for the original videos, which are accessed infrequently but must be instantly available when needed. The converted videos will be served to end users globally and must be cached at edge locations for low latency. You need to design a storage and content delivery solution. What should you recommend?

A.Store original videos in Azure Blob Storage Cool tier and use Azure CDN for distribution.
B.Store original videos in Azure Blob Storage Premium tier and use Azure CDN for distribution.
C.Store original videos in Azure Blob Storage Archive tier and use Azure CDN for distribution.
D.Store original videos in Azure Files and use Azure Front Door for caching.
AnswerA

Cool tier is cost-effective, and CDN provides edge caching.

Why this answer

Option A is correct because the Azure Blob Storage Cool tier is cost-effective for infrequently accessed original videos, and Azure Content Delivery Network (CDN) caches converted videos at edge locations for low latency. Option B is wrong because the Premium tier is expensive for infrequent access. Option D is wrong because Azure Files is not optimized for video streaming.

Option C is wrong because the Archive tier has high retrieval latency.

261
MCQmedium

You are designing a containerized microservices application on Azure Kubernetes Service (AKS). The application must scale automatically based on HTTP traffic. You need to minimize cost by scaling down to zero pods when there is no traffic. Which scaling solution should you use?

A.Horizontal Pod Autoscaler (HPA)
B.Cluster Autoscaler
C.Kubernetes Event-driven Autoscaler (KEDA)
D.Vertical Pod Autoscaler (VPA)
AnswerC

KEDA can scale to zero based on HTTP traffic.

Why this answer

Option C is correct. The Kubernetes Event-driven Autoscaler (KEDA) can scale based on HTTP requests and supports scaling to zero pods when there is no traffic. Option A is wrong because the Horizontal Pod Autoscaler (HPA) cannot scale to zero.

Option B is wrong because the Cluster Autoscaler scales nodes, not pods. Option D is wrong because the Vertical Pod Autoscaler adjusts resource requests, not the number of pods.

262
MCQeasy

A company deploys a web application on multiple Azure VMs within an availability set. They need to distribute incoming HTTP traffic evenly across the VMs and provide health probe monitoring. The solution must support SSL termination and source IP affinity (session persistence). Which Azure load balancing solution should they choose?

A.Azure Load Balancer (Basic)
B.Azure Load Balancer (Standard)
C.Azure Application Gateway v2
D.Azure Traffic Manager
AnswerC

Application Gateway is a layer-7 load balancer that offers SSL termination, cookie-based session affinity, and health probes, meeting all requirements.

Why this answer

Azure Application Gateway v2 is the correct choice because it is a Layer 7 load balancer that supports SSL termination, source IP affinity (session persistence), and health probe monitoring. It can distribute HTTP traffic evenly across VMs in an availability set while offloading SSL processing from the backend VMs.

Exam trap

The trap here is that candidates often confuse Layer 4 load balancers (Azure Load Balancer) with Layer 7 application delivery controllers (Application Gateway), assuming that SSL termination and session persistence are available in all load balancing tiers, but these features require application-layer processing only provided by Application Gateway.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer (Basic) operates at Layer 4 and does not support SSL termination or application-layer features like session persistence based on source IP. Option B is wrong because Azure Load Balancer (Standard) also operates at Layer 4 and cannot terminate SSL or provide Layer 7 routing capabilities. Option D is wrong because Azure Traffic Manager is a DNS-based global traffic routing solution that does not handle SSL termination or health probes at the application layer; it distributes traffic across endpoints based on DNS resolution, not direct HTTP traffic distribution.

263
MCQmedium

Your company has a global application deployed across multiple Azure regions. You need to design a disaster recovery solution that meets a Recovery Point Objective (RPO) of 15 minutes and a Recovery Time Objective (RTO) of 1 hour. The solution should use Azure-native services and minimize costs. Which option should you choose?

A.Azure Traffic Manager with priority routing
B.Azure Site Recovery with 15-minute replication
C.Active geo-replication for Azure SQL Database
D.Azure Backup with cross-region restore
AnswerB

Azure Site Recovery supports replication frequencies as low as 15 minutes and orchestrated failover within minutes.

Why this answer

Azure Site Recovery with a replication frequency of 15 minutes meets the RPO, and its orchestrated failover meets the RTO. Option C (Active geo-replication for Azure SQL Database) is not applicable to all workloads. Option D (Azure Backup) has a longer RTO.

Option A (Azure Traffic Manager with priority routing) is for load balancing, not disaster recovery.

264
MCQmedium

Your company is migrating a legacy on-premises application to Azure. The application requires low-latency access to a shared file system that supports SMB protocol. The solution must be highly available within a single Azure region and must not require the application to be modified. Which Azure service should you recommend?

A.Azure Managed Disks (SSD)
B.Azure NetApp Files
C.Azure Files (premium tier)
D.Azure Blob Storage
AnswerC

Managed SMB file share with low latency and high availability.

Why this answer

Option C is correct because Azure Files with premium SSD (SMB) provides a fully managed SMB file share with low latency and high availability. Option B is wrong because Azure NetApp Files supports SMB but is more expensive and complex for this use case. Option D is wrong because Azure Blob Storage does not support SMB natively.

Option A is wrong because Azure Managed Disks are block storage, not file shares.

265
MCQeasy

Your company deploys a line-of-business application on Azure App Service. The application requires custom domain names and SSL/TLS certificates. You need to ensure that the application can be accessed via a custom domain with HTTPS. What should you configure in the App Service?

A.Add the custom domain and bind the SSL/TLS certificate.
B.Configure IP restrictions to allow only the custom domain.
C.Create a deployment slot for production traffic.
D.Scale out the App Service plan to increase instance count.
AnswerA

Adding a custom domain and binding a certificate enables HTTPS access.

Why this answer

Option A is correct because to use a custom domain with HTTPS, you need to add the custom domain in the App Service's custom domains blade and upload or bind an SSL/TLS certificate. Option D is incorrect because scaling out does not affect custom domains. Option C is incorrect because deployment slots are for staging, not custom domains.

Option B is incorrect because IP restrictions are for network security, not domain configuration.

266
MCQhard

You need to design a network topology for a global e-commerce platform on Azure. The solution must provide low-latency access to static content and protect the backend APIs from DDoS attacks. The backend APIs are deployed in multiple regions behind an internal load balancer. Which services should you use?

A.Azure Traffic Manager and Azure Firewall.
B.Azure Content Delivery Network (CDN) and Azure Load Balancer.
C.Azure Application Gateway with WAF and Azure API Management.
D.Azure Front Door with WAF and Azure API Management.
AnswerD

Front Door provides global load balancing, WAF, DDoS protection; API Management secures and manages APIs.

Why this answer

Option D is correct because Azure Front Door provides global load balancing, SSL offload, WAF, and DDoS protection; Azure API Management provides API gateway functionality. Option C is wrong because Azure Application Gateway is regional, not global. Option A is wrong because Azure Traffic Manager is DNS-based and does not provide WAF.

Option B is wrong because Azure CDN does not provide API management.

267
MCQmedium

A company has headquarters and multiple branch offices worldwide, each with its own on-premises network. They want to connect all these sites to Azure and to each other over a single, centrally managed solution. They need high bandwidth connectivity for site-to-site traffic, support for both VPN and ExpressRoute connections, and automatic routing management without the complexity of configuring multiple VPN tunnels or BGP manually. Which Azure service should they use?

A.Azure Virtual WAN
B.Azure VPN Gateway (site-to-site) with BGP
C.Azure ExpressRoute with Microsoft peering
D.Azure Virtual Network peering
AnswerA

Azure Virtual WAN provides a hub-and-spoke architecture across regions, automatically routes traffic, supports VPN and ExpressRoute, and simplifies management of multiple branch connections.

Why this answer

Azure Virtual WAN is the correct choice because it provides a single, centrally managed hub-and-spoke architecture that connects branch offices, headquarters, and Azure over a unified network. It supports both VPN and ExpressRoute connections, automatically manages routing (including BGP) without manual configuration of multiple tunnels, and offers high bandwidth for site-to-site traffic.

Exam trap

The trap here is that candidates often confuse Azure Virtual WAN with a simple VPN gateway or ExpressRoute, not realizing that Virtual WAN is a managed overlay that combines both connectivity types with automatic routing, while the other options require manual configuration for multi-site scenarios.

How to eliminate wrong answers

Option B is wrong because Azure VPN Gateway (site-to-site) with BGP requires manual configuration of multiple VPN tunnels and BGP peering for each branch, lacking the centralized management and automatic routing that Virtual WAN provides. Option C is wrong because Azure ExpressRoute with Microsoft peering only provides private connectivity to Azure, not site-to-site connectivity between branch offices, and does not include VPN support or automatic routing management across multiple sites. Option D is wrong because Azure Virtual Network peering connects only Azure virtual networks, not on-premises networks, and cannot provide site-to-site connectivity between branch offices or support VPN/ExpressRoute connections.

268
MCQhard

A company is planning to migrate a legacy application to Azure VMs. The application requires a static IP address for licensing purposes. The VM must be highly available within a single region. Which combination of Azure resources should they use?

A.Application Gateway with a static frontend IP and virtual machine scale set
B.Standard Load Balancer with a static frontend IP and availability set
C.Basic Load Balancer with a static frontend IP and availability zone
D.Azure Front Door with a static backend IP and VM in an availability zone
AnswerB

Standard Load Balancer supports static IP and high availability.

Why this answer

Option B is correct because an Azure Standard Load Balancer with a static frontend IP and an availability set provides a static IP and high availability. Option C is incorrect because a Basic Load Balancer does not support availability zones. Option A is incorrect because an Application Gateway is for web traffic.

Option D is incorrect because a public IP prefix is for multiple IPs.

269
Multi-Selecteasy

A company is designing a storage solution for a new application that will store large amounts of unstructured data, such as images and videos. The data must be highly durable and available, and the solution should minimize costs for infrequently accessed data. Which TWO storage options should be recommended? (Choose two.)

Select 2 answers
A.Azure Blob Storage with Cool access tier
B.Azure Disk Storage with Standard HDD
C.Azure Files with Premium performance tier
D.Azure NetApp Files with Standard service level
E.Azure Blob Storage with Archive access tier
AnswersA, E

Optimized for unstructured data and cost-effective for infrequent access.

Why this answer

The correct answers are A and E. Azure Blob Storage is ideal for unstructured data, and the Cool access tier is cost-effective for infrequently accessed data. Option C is wrong because Azure Files is for file shares, not optimal for large-scale unstructured data.

Option B is wrong because Azure Disk Storage is for VM disks, not for general unstructured data. Option D is wrong because Azure NetApp Files is for enterprise workloads requiring high performance and is not cost-effective for infrequent access.

270
Multi-Selecthard

Which THREE components are required to implement a hybrid cloud solution that extends on-premises Active Directory to Azure and provides single sign-on (SSO) to cloud applications? (Choose three.)

Select 3 answers
A.Microsoft Entra Domain Services
B.Microsoft Entra Connect Sync
C.Azure AD Application Proxy
D.Microsoft Entra ID (formerly Azure AD)
E.Active Directory Federation Services (AD FS)
AnswersB, D, E

Synchronizes on-premises AD with Entra ID.

Why this answer

B, D, and E are correct. Microsoft Entra Connect Sync synchronizes identities; Microsoft Entra ID provides the cloud identity platform; Active Directory Federation Services (AD FS) enables SSO for on-premises and cloud apps. C is wrong because Azure AD Application Proxy is for publishing on-premises apps, not SSO.

A is wrong because Microsoft Entra Domain Services manages domain services in the cloud but is not required for SSO.

271
Drag & Dropmedium

Drag and drop the steps to set up Azure Key Vault for storing secrets and access them from an Azure function into the correct order.


Why this order

Create vault, add secret, grant access, configure references, test.

272
MCQhard

A healthcare organization is deploying a new application on Azure that will handle Protected Health Information (PHI). The application must be compliant with HIPAA. The security team requires encryption at rest and in transit, and the ability to audit access to the data. The solution should minimize administrative overhead. Which storage solution should you recommend?

A.Azure SQL Database with Transparent Data Encryption and Always Encrypted
B.Azure Cosmos DB with encryption at rest
C.Azure SQL Managed Instance with customer-managed keys
D.SQL Server on Azure Virtual Machine with BitLocker
AnswerA

Azure SQL Database provides built-in encryption at rest (TDE) and in transit (Always Encrypted), along with auditing, and is a PaaS service minimizing management.

Why this answer

Azure SQL Database with Transparent Data Encryption (TDE) and Always Encrypted meets HIPAA requirements for encryption at rest and in transit, and provides auditing capabilities. It is a PaaS solution that reduces administrative overhead compared to IaaS.

273
MCQmedium

A company wants to deploy containerized microservices on Azure without managing virtual machines. The solution must support automatic scaling based on demand, built-in load balancing, rolling updates for zero-downtime deployments, and a fully managed platform. Which Azure compute service should they choose?

A.Azure Container Apps
B.Azure Container Instances
C.Azure Batch
D.Azure Functions
AnswerA

Azure Container Apps is a serverless platform for running containers. It provides automatic scaling based on HTTP traffic or events, built-in load balancing, and supports rolling updates via revisions. It abstracts away the underlying infrastructure, so there are no VMs to manage.

Why this answer

Azure Container Apps is the correct choice because it provides a fully managed, serverless platform for running containerized microservices without managing virtual machines. It supports automatic scaling based on HTTP traffic or events, built-in load balancing via Envoy, and rolling updates with revision management to ensure zero-downtime deployments. This aligns perfectly with the requirement for a fully managed platform that abstracts away infrastructure.

Exam trap

The trap here is that candidates often confuse Azure Container Instances (ACI) with a managed orchestration solution, but ACI lacks the automatic scaling, load balancing, and rolling update capabilities that Container Apps provides for microservices.

How to eliminate wrong answers

Option B (Azure Container Instances) is wrong because it is designed for running individual containers on demand without built-in orchestration, automatic scaling, or rolling update capabilities—it lacks the microservice management features required. Option C (Azure Batch) is wrong because it is a job-scheduling service for high-performance computing (HPC) and parallel workloads, not for deploying containerized microservices with load balancing and rolling updates. Option D (Azure Functions) is wrong because it is a serverless compute service for event-driven code (functions), not for running containerized microservices; it does not support container orchestration or rolling updates for containers.

274
MCQeasy

A company is deploying a web application that must be accessible from the internet. The application is hosted on Azure virtual machines in a virtual network. The solution must provide SSL termination, web application firewall (WAF) protection, and URL path-based routing (e.g., /api/* to one backend pool, /app/* to another). The web tier must not be directly exposed to the internet. Which Azure load balancing solution should they use?

A.Azure Application Gateway v2
B.Azure Front Door
D.Azure Traffic Manager
AnswerA

Application Gateway is a layer 7 load balancer that offers SSL termination, WAF, and URL-based routing. It can be placed in front of VMs with private IPs to protect the web tier.

Why this answer

Azure Application Gateway v2 is the correct choice because it is a Layer 7 load balancer that provides SSL termination, a web application firewall (WAF), and URL path-based routing. It can route traffic to different backend pools based on URL paths (e.g., /api/* and /app/*) while keeping the web tier isolated within the virtual network, since only the gateway itself is exposed to the internet.

Exam trap

The trap here is that candidates often confuse Azure Front Door with Application Gateway, but Front Door is designed for global, multi-region scenarios and cannot provide direct VNet integration for a single-region app without exposing backend public IPs, whereas Application Gateway is the correct Layer 7 solution for a single-region VNet deployment.

How to eliminate wrong answers

Option B (Azure Front Door) is wrong because it is a global, multi-region load balancer and application delivery network that operates at the edge, not within a single virtual network; it cannot provide direct SSL termination and WAF for a single-region VNet-hosted app without exposing the backend to the internet via public endpoints. Option C (Azure Load Balancer) is wrong because it operates at Layer 4 (TCP/UDP) and cannot perform SSL termination, WAF inspection, or URL path-based routing. Option D (Azure Traffic Manager) is wrong because it is a DNS-based traffic router that only directs clients to endpoints based on DNS resolution, not a proxy that can terminate SSL, apply WAF rules, or route based on URL paths.

275
MCQhard

Your organization is migrating a legacy on-premises application to Azure. The application uses a monolithic architecture and requires high availability. The application tier runs on Windows Server and uses a SQL Server database. You need to design a migration strategy that minimizes changes to the application code while maximizing availability. The application can be stateless if session state is externalized. You have the following requirements: (1) The application must be resilient to Azure region failures. (2) The database must have an RPO of 5 minutes and RTO of 1 hour. (3) The migration must be completed within 6 months. (4) The solution should use platform-as-a-service (PaaS) services where possible to reduce operational overhead. Which approach should you recommend?

A.Rehost the application on Azure VMs in an availability set and use SQL Server Always On Availability Groups.
B.Migrate the web tier to Azure App Service with staging slots and use Azure SQL Database with active geo-replication.
C.Refactor the application into microservices and deploy to Azure Kubernetes Service.
D.Containerize the application using Docker and deploy to Azure Container Instances in paired regions.
AnswerB

PaaS services reduce overhead; App Service supports external session state; SQL Database with geo-replication meets RPO/RTO.

Why this answer

Option B is correct because Azure App Service provides a PaaS environment that can host the web tier with minimal code changes, and Azure SQL Database with active geo-replication meets the RPO/RTO requirements. Option A is wrong because Azure VMs are IaaS, not PaaS, and require more management. Option D is wrong because Azure Container Instances are not ideal for monolithic apps.

Option D is wrong because Azure Functions are event-driven and not suitable for a monolithic application.

276
MCQmedium

A company is designing an Azure Kubernetes Service (AKS) cluster for a microservices application. They need to ensure that pods can securely access Azure resources such as Azure Key Vault and Azure SQL Database without using service principals or connection strings. Which AKS feature should they enable?

A.Azure RBAC for Kubernetes authorization
B.Azure Policy for AKS
C.Microsoft Entra Workload ID
D.Azure CNI network plugin
AnswerC

Workload ID assigns an Azure AD identity to pods for secure access to Azure resources.

Why this answer

Azure AD pod-managed identity (now called Microsoft Entra Workload ID) allows pods to assume an identity to access Azure resources. Option A is wrong because Azure RBAC is for Kubernetes authorization. Option B is wrong because Azure Policy is for compliance.

Option D is wrong because Azure CNI is for networking.

277
MCQeasy

Refer to the exhibit. You deploy this ARM template to a resource group in the East US region. You specify the parameter storageAccountType as 'Standard_GRS'. Which of the following is true about the deployed storage account?

A.The storage account name will be 'storage' followed by a random string.
B.The storage account will be deployed in the same region as specified by the parameter.
C.The storage account is zone-redundant and replicates data across availability zones.
D.The storage account is geo-redundant and replicates data to a paired region.
AnswerD

Standard_GRS provides geo-redundancy.

Why this answer

The template deploys a StorageV2 account with the Standard_GRS SKU. Standard_GRS is geo-redundant, meaning data is replicated to a paired region. Option D is correct.

Option C is incorrect because Standard_GRS is not zone-redundant. Option A is incorrect because the name is generated by uniqueString, which is deterministic based on the resource group ID. Option B is incorrect because the location is derived from the resource group location, not the parameter.

278
MCQmedium

Your company is designing a new application that will process large volumes of streaming data from IoT devices. The data will be ingested, processed in near real-time, and stored for long-term analytics. You need to design a solution that meets the following requirements: (1) Ingest up to 1 million events per second. (2) Process events with a latency of less than 10 seconds. (3) Store processed data for 7 years for compliance. (4) Enable ad-hoc querying of the stored data. Which combination of Azure services should you recommend?

A.Azure IoT Hub, Azure Stream Analytics, and Azure Cosmos DB.
B.Azure Service Bus, Azure Functions, and Azure SQL Database.
C.Azure Event Hubs, Azure Functions, and Azure Cosmos DB.
D.Azure Event Hubs, Azure Stream Analytics, and Azure Data Lake Storage Gen2.
AnswerD

Event Hubs ingests millions of events, Stream Analytics processes with low latency, Data Lake Storage provides cheap archival storage with query capability.

Why this answer

Option D is correct because Event Hubs ingests high-volume streaming data, Stream Analytics processes it in real-time, and Azure Data Lake Storage Gen2 provides cost-effective long-term storage with query capabilities via Azure Synapse or U-SQL. Option A is wrong because IoT Hub is for device management, not high-throughput ingestion. Option B is wrong because Service Bus is for messaging, not streaming.

Option C is wrong because Cosmos DB is not optimized for long-term analytics storage.

279
Multi-Selectmedium

Your company is migrating a critical application to Azure and needs to design a highly available and disaster recovery solution. The application runs on Azure VMs with SQL Server Always On Availability Groups. You need to ensure that the database remains available even during a regional outage. Which TWO options should you include in the design? (Choose two.)

Select 2 answers
A.Enable geo-redundant backup storage (RA-GRS) for the database.
B.Configure Azure Site Recovery for the SQL Server VMs.
C.Use Azure SQL Database Managed Instance with auto-failover groups.
D.Deploy SQL Server Always On Availability Groups across availability zones.
E.Deploy a load balancer and distribute traffic to multiple replicas.
AnswersA, C

Geo-redundant backups allow point-in-time restore in another region.

Why this answer

The correct answers are A and C. Azure SQL Database Managed Instance with auto-failover groups provides automatic failover to a secondary region. Geo-redundant backup storage (RA-GRS) ensures backups are replicated to a paired region.

Option D is wrong because Always On Availability Groups require manual configuration for cross-region failover. Option B is wrong because Azure Site Recovery replicates VMs but not SQL Server databases in a consistent manner for transactional workloads. Option E is wrong because load balancers do not provide database-level failover.

280
MCQhard

Your organization is migrating a legacy on-premises application to Azure. The application uses a proprietary authentication protocol that is not supported by Microsoft Entra ID. You need to integrate the application with Microsoft Entra ID without modifying the application code. What should you do?

A.Use Azure Active Directory B2C with custom policies to translate the authentication protocol.
B.Deploy Azure Active Directory Domain Services and domain-join the application servers.
C.Configure Microsoft Entra ID Application Proxy to provide secure remote access and pass through authentication.
D.Implement Azure Active Directory Connect with pass-through authentication.
AnswerC

Application Proxy supports pass-through authentication for legacy protocols.

Why this answer

Option C is correct because Microsoft Entra ID Application Proxy can be configured to pass authentication through to the on-premises application, allowing legacy protocols. Option B (Azure AD Domain Services) is for Kerberos/NTLM. Option A (Azure AD B2C) is for customer-facing apps.

Option D (Azure AD Connect) syncs identities but doesn't help with protocol translation.

281
MCQeasy

You are designing a disaster recovery solution for a critical application running in Azure. The application uses Azure SQL Database. The recovery point objective (RPO) is 5 seconds, and the recovery time objective (RTO) is 30 minutes. Which Azure SQL Database configuration should you recommend?

A.Point-in-time restore to a different region
B.Active geo-replication
C.Auto-failover groups
D.Azure Backup for SQL Server in Azure VM
AnswerB

Meets RPO of 5 seconds and RTO within 30 minutes.

Why this answer

Option B is correct because active geo-replication provides continuous replication with an RPO of 5 seconds and supports failover within 30 minutes. Option C is wrong because auto-failover groups have a similar RPO but a slightly higher RTO. Option A is wrong because point-in-time restore cannot meet the RPO of 5 seconds.

Option D is wrong because Azure Backup has higher RPO.

282
MCQhard

Refer to the exhibit. You are analyzing a deployment of Azure Storage account with customer-managed key encryption. The deployment fails with an error indicating that the key vault is not accessible. Which of the following is the most likely cause?

A.The key vault name is misspelled in the keyUri
B.The key vault has a firewall enabled and does not allow access from the storage account
C.The key vault is in a different Azure region than the storage account
D.The user-assigned managed identity does not have permissions to access the key
AnswerD

The user-assigned identity must be granted at least get, wrapKey, and unwrapKey permissions on the key vault.

Why this answer

The exhibit shows a user-assigned managed identity in the encryption settings. The most likely cause is that the user-assigned managed identity does not have the necessary permissions (get, wrapKey, unwrapKey) on the key vault. Option C is incorrect because, although the key vault might be in a different region, that is not a common cause of this failure.

Option A is incorrect because the key vault is accessible via its URI. Option B is irrelevant because network restrictions are not mentioned. Option D is the most common cause.

283
MCQmedium

A multinational company plans to deploy a new application on Azure. The application must comply with GDPR and requires data residency in the EU. The solution should minimize latency for users in Europe and provide disaster recovery across regions. Which Azure architecture should the company implement?

A.Deploy the application in two EU regions with Azure Front Door and Azure SQL Database geo-replication.
B.Deploy the application in a single Azure region in Ireland with Azure Site Recovery for DR.
C.Deploy the application in two EU regions with Azure Traffic Manager and Azure Cosmos DB multi-region writes.
D.Deploy the application in a single EU region with Azure Site Recovery and Azure Redis Cache.
AnswerC

Traffic Manager routes users to nearest region, Cosmos DB multi-region writes enable low latency and data residency within EU.

Why this answer

Option C is correct because an active-active multi-region deployment with Azure Traffic Manager and Cosmos DB provides low latency and data residency control. Option B is wrong because a single-region deployment does not provide disaster recovery across regions. Option A is wrong because Azure Front Door is for global load balancing but does not enforce data residency.

Option D is wrong because Azure Site Recovery provides DR but does not minimize latency for active traffic.

284
MCQhard

You are designing a network topology for a global e-commerce company that operates multiple web applications. The company has three main offices (New York, London, Tokyo) connected via ExpressRoute to Azure. Users access the applications through a public endpoint. The company requires that traffic be routed to the nearest healthy application instance based on geographic location, and that the solution provide automatic failover if an entire region goes down. Additionally, the company wants to protect against DDoS attacks at the network layer. You need to recommend a solution that meets these requirements while minimizing cost. What should you include in the design?

A.Deploy Azure Front Door with geographic routing and enable DDoS protection.
B.Deploy Azure Firewall in each region and use Public IP prefix for egress.
C.Deploy Azure Application Gateway v2 with WAF in each region and Azure DDoS Standard protection.
D.Deploy Azure Traffic Manager with geographic routing and Azure DDoS Standard protection.
AnswerA

Front Door provides global load balancing, geographic routing, and DDoS protection.

Why this answer

Option A is correct because Azure Front Door provides global load balancing with automatic failover, geographic routing, and integrated DDoS protection (Azure DDoS Protection Basic is included). Option D is wrong because Traffic Manager provides DNS-based routing without DDoS protection and has slower failover. Option C is wrong because Application Gateway is regional, not global.

Option B is wrong because Azure Firewall is a stateful firewall but does not provide global load balancing or geographic routing.

285
MCQeasy

A company plans to migrate a legacy web application to Azure. The application runs on multiple Windows virtual machines (VMs) in an availability set. The VMs must be exposed to the internet via a single endpoint that performs SSL termination and health checks. The load-balancing solution must preserve the original client IP address for logging purposes. Which Azure service should the company use?

A.Azure Load Balancer (Standard)
B.Azure Application Gateway v2
C.Azure Traffic Manager
D.Azure Front Door
AnswerB

Application Gateway is a layer-7 load balancer that provides SSL termination, health probes, and preserves the client IP address via X-Forwarded-For headers.

Why this answer

Azure Application Gateway v2 is the correct choice because it is a Layer 7 load balancer that supports SSL termination, health probes, and provides a single public endpoint. It preserves the original client IP address by inserting the X-Forwarded-For header in the HTTP request, which the backend VMs can read for logging. This meets all requirements: single internet-facing endpoint, SSL offload, health checks, and client IP preservation.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4) with Application Gateway (Layer 7), assuming that any load balancer can terminate SSL and preserve client IP, but only Layer 7 services can inspect HTTP headers and perform SSL offload natively.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer (Standard) operates at Layer 4 (TCP/UDP) and does not support SSL termination or HTTP-level health checks; it also preserves client IP only via Direct Server Return (DSR) mode, which is not suitable for SSL termination and adds complexity. Option C is wrong because Azure Traffic Manager is a DNS-based global traffic router that does not perform SSL termination or health checks at the application layer; it only directs traffic based on DNS resolution and cannot preserve the original client IP in the HTTP headers. Option D is wrong because Azure Front Door is a global Layer 7 service that does support SSL termination and health checks, but it is designed for global distribution and CDN scenarios, not for a single regional endpoint; it also modifies the client IP by default (inserting X-Forwarded-For but also adding its own IP), which can complicate logging if only a single regional endpoint is needed.

286
MCQmedium

A company deploys a containerized microservices application on Azure Kubernetes Service (AKS). They need to expose the application to the internet with TLS termination and provide a single endpoint for multiple services. The solution must also include a Web Application Firewall (WAF). Which Azure service should they use as the ingress controller?

A.Azure Application Gateway with WAF
B.Azure Front Door with WAF
C.Azure Load Balancer with TLS termination
D.Azure Traffic Manager with health probes
AnswerA

Application Gateway Ingress Controller (AGIC) enables TLS termination, WAF, and single endpoint for AKS services.

Why this answer

Azure Application Gateway with WAF is the correct choice because it is a regional, layer-7 load balancer that can act as an ingress controller for AKS. It provides TLS termination at the gateway and integrates a Web Application Firewall (WAF) to protect against common web exploits. This allows a single public endpoint to route traffic to multiple microservices within the AKS cluster based on URL paths or host headers.

Exam trap

The trap here is that candidates often confuse Azure Front Door (global, edge-based) with Application Gateway (regional, cluster-facing), assuming both can serve as an AKS ingress controller, but only Application Gateway integrates natively with AKS via AGIC for internal cluster routing.

How to eliminate wrong answers

Option B is wrong because Azure Front Door is a global, multi-region load balancer and application delivery controller, not a regional ingress controller for AKS; it is designed for global HTTP(S) load balancing and WAF at the edge, not for terminating TLS and routing directly into a single AKS cluster's internal services. Option C is wrong because Azure Load Balancer operates at layer 4 (TCP/UDP) and does not support TLS termination or WAF; it cannot inspect HTTP headers or perform path-based routing. Option D is wrong because Azure Traffic Manager is a DNS-based traffic load balancer that operates at layer 3/4 and does not provide TLS termination, WAF, or HTTP-level routing; it only directs traffic to endpoints based on DNS resolution.

287
MCQhard

You are designing a storage solution for a healthcare application that stores patient records. The solution must meet the following requirements: - Support for both structured and unstructured data. - Provide low-latency access to frequently accessed data. - Automatically move cold data to a lower-cost tier. - Encrypt data at rest using customer-managed keys. Which combination of Azure services should you recommend?

A.Azure Table Storage for structured data and Azure Blob Storage for unstructured data
B.Azure Files for unstructured data and Azure SQL Database for structured data
C.Azure Blob Storage for unstructured data and Azure Cosmos DB for structured data
D.Azure Blob Storage for unstructured data and Azure SQL Database for structured data
AnswerC

Blob Storage provides tiering; Cosmos DB provides low-latency access; both support CMK.

Why this answer

Option C is correct. Azure Blob Storage supports unstructured data with hot, cool, and archive tiers; Azure Cosmos DB supports structured data with low-latency access; both support customer-managed keys. Option B is wrong because Azure Files is for file shares, not a database.

Option D is wrong because Azure SQL Database is for relational data only. Option A is wrong because Azure Table Storage is a NoSQL key-value store that does not support automatic tiering.

288
MCQhard

A company has a hub-spoke network topology in Azure. They have multiple spoke VNets connected to a hub VNet via peering. They need to ensure that all east-west traffic between spoke VNets goes through a network virtual appliance (NVA) in the hub for inspection. Additionally, all outbound internet traffic from spoke VMs must use a single public IP address. What should they configure?

A.Configure spoke VNets with a default route to the NVA IP, and deploy a NAT gateway in the hub for outbound traffic.
B.Configure a route table in each spoke with a route to the hub NVA for inter-spoke traffic, and use Azure Firewall in the hub for outbound internet traffic.
C.Enable 'Allow gateway transit' on the hub VNet and 'Use remote gateways' on the spoke VNets for the NVA.
D.Configure VNet peering with 'Allow forwarded traffic' enabled, add user-defined routes in each spoke pointing to the NVA IP for inter-spoke traffic, and use Azure Firewall in the hub for outbound internet with a default route in spokes.
AnswerD

This combination correctly routes east-west traffic through the NVA using UDRs and 'Allow forwarded traffic'. For outbound, Azure Firewall provides a single public IP and UDRs direct internet traffic to it.

Why this answer

Option D is correct because it combines two critical configurations: user-defined routes (UDRs) in each spoke VNet force inter-spoke traffic through the NVA in the hub by specifying the NVA's IP as the next hop, and 'Allow forwarded traffic' on the VNet peering enables the hub NVA to forward packets between spokes. For outbound internet traffic, Azure Firewall in the hub provides a single public IP, and a default route (0.0.0.0/0) in the spoke UDRs directs all internet-bound traffic to the Azure Firewall's private IP, ensuring centralized inspection and egress.

Exam trap

The trap here is that candidates often forget to enable 'Allow forwarded traffic' on the VNet peering, assuming UDRs alone are sufficient for transitive routing through an NVA, or they confuse 'Allow gateway transit' with NVA forwarding, which is a common misstep in hub-spoke design questions.

How to eliminate wrong answers

Option A is wrong because a NAT gateway in the hub does not inspect traffic; it only provides source network address translation (SNAT) for outbound connections, failing the inspection requirement. Option B is wrong because while it correctly uses Azure Firewall for outbound traffic, it omits the critical 'Allow forwarded traffic' setting on the VNet peering, without which the hub NVA cannot forward packets between spoke VNets even with UDRs in place. Option C is wrong because 'Allow gateway transit' and 'Use remote gateways' are used for VPN/ExpressRoute gateway sharing, not for routing traffic through an NVA; these settings do not force inter-spoke traffic through the NVA.

289
MCQeasy

You are designing a solution to securely store secrets, keys, and certificates for a cloud application. Which Azure service should you use?

A.Azure App Configuration
B.Azure Key Vault
C.Azure Managed HSM
D.Azure Storage
AnswerB

Azure Key Vault is designed for secure storage of secrets, keys, and certificates.

Why this answer

Azure Key Vault is the correct service for securely storing and managing secrets, keys, and certificates. Option A (Azure App Configuration) is wrong because it is optimized for application configuration, not secrets. Option C (Azure Managed HSM) is a hardware security module but is more specialized and not the standard recommendation for general secret storage.

Option D (Azure Storage) is incorrect as it lacks native secret management capabilities.

290
MCQeasy

A company has Azure virtual networks (VNets) in three different Azure regions (West US, East US, and West Europe). They also have an on-premises data center connected to the East US region via ExpressRoute. They need to connect all VNets to each other and to the on-premises network. The solution must support transitive routing between all sites and provide centralized management of connectivity and routing policies. Which Azure service should they use?

A.VNet peering
B.Azure Virtual WAN
D.ExpressRoute Direct
AnswerB

Azure Virtual WAN provides a hub-and-spoke architecture with built-in transitive routing between VNets and on-premises sites via ExpressRoute or VPN. It offers centralized management of connectivity, routing, and security policies.

Why this answer

Azure Virtual WAN is correct because it provides a hub-and-spoke architecture with built-in transitive routing between all VNets and on-premises sites. It supports automatic connectivity through Virtual Hub routers, which use BGP to propagate routes across all spokes and branches, meeting the requirement for centralized management of connectivity and routing policies.

Exam trap

The trap here is that candidates often assume VNet peering can be chained to achieve transitive routing, but Azure explicitly blocks transitive routing through peered VNets unless a network virtual appliance or Azure Virtual WAN is used.

How to eliminate wrong answers

Option A is wrong because VNet peering does not support transitive routing; peered VNets cannot route traffic through each other to reach a third VNet or on-premises network without additional user-defined routes and network virtual appliances. Option C is wrong because a VPN Gateway only provides site-to-site or point-to-site connectivity to a single VNet and does not inherently enable transitive routing between multiple VNets or centralized policy management across regions. Option D is wrong because ExpressRoute Direct is a physical port offering for dedicated private connections to Azure, not a service that provides transitive routing or centralized connectivity management between multiple VNets and on-premises networks.

291 (MCQ, easy)

You need to design a solution to store configuration data for a cloud-native application. The configuration must be centrally managed, versioned, and accessible to multiple services without hard-coding values. Which Azure service should you use?

A. Azure App Configuration
B. Azure Cosmos DB
C. Azure Blob Storage
D. Azure Key Vault
Answer: A

App Configuration is designed for managing application settings.

Why this answer

Option A is correct. Azure App Configuration provides centralized management, versioning, and access for application settings. Option B is wrong because Azure Key Vault is for secrets, not configuration.

Option C is wrong because Azure Cosmos DB is a database, not a configuration store. Option D is wrong because Azure Blob Storage is for unstructured data.

292 (Multi-Select, medium)

A company is designing a highly available architecture for a web application on Azure VMs. The solution must protect against both planned and unplanned downtime and provide automatic failover. Which TWO Azure services should the company use together? (Choose two.)

A. Azure Availability Zones
B. Azure Site Recovery
C. Azure Traffic Manager
E. Azure Application Gateway
Answers: A, D

Availability Zones place VMs in different physical locations within a region, providing fault isolation.

Why this answer

Option A (Azure Load Balancer) distributes traffic but does not provide automatic failover across zones. Option B (Azure Traffic Manager) provides DNS-based failover across regions. Option C (Azure Application Gateway) provides load balancing and WAF but is regional.

Option D (Azure Availability Zones) protects against datacenter failures within a region. Option E (Azure Site Recovery) provides disaster recovery across regions. To achieve high availability within a region, use Availability Sets or Availability Zones along with a load balancer.

Automatic failover across zones within a region comes from combining Azure Load Balancer (or Application Gateway) with Availability Zones, and both Load Balancer and Availability Zones appear among the options. Option B is for cross-region failover, not intra-region.

The best answer is therefore A and D: Azure Load Balancer (Standard SKU) together with Availability Zones provides automatic failover within a region.
