CCNA Design and implement a DevOps infrastructure Questions

28 questions · Design and implement a DevOps infrastructure · All types, answers revealed

1
MCQ · medium

Refer to the exhibit. You monitor an Azure App Service web app. At 10:30 AM, you observe a spike in HTTP 5xx errors and response time. Based on the metrics, what is the most likely cause?

A. The web app reached its scaling limit and could not handle the increased load.
B. A deployment of new code at 10:30 AM introduced a bug.
C. A DDoS attack started at 10:30 AM.
D. A database outage caused the errors and slow responses.
Answer: A

Correct. The requests increased steadily, and at 10:30 AM, the app started returning errors and slowing down, indicating it hit a capacity bottleneck.

Why this answer

The request count increased gradually from 1200 to 2500 before the errors started at 10:30 AM. The sharp rise in errors and response time coinciding with peak load indicates the app reached its capacity limit (e.g., instance count or plan limits).

2
MCQ · medium

A company uses Azure Pipelines to deploy a web app to Azure App Service. They want to ensure that the deployment is first validated in a staging slot before swapping to production. What should they configure?

A. Create two separate pipelines for staging and production
B. Use Azure Traffic Manager to route traffic
C. Use deployment slots in the App Service and configure auto-swap
D. Use an App Service plan with multiple instances
Answer: C

Deployment slots with auto-swap allow validation in staging and then swap to production.

Why this answer

Option C is correct because Azure App Service deployment slots allow you to deploy a web app to a staging slot, validate it, and then swap it to production with zero downtime. Auto-swap automates this process by swapping the staging slot into production after a successful deployment, ensuring validation occurs before the production slot receives the new code.

Exam trap

The trap here is that candidates often confuse deployment slots with separate pipelines or scaling, not realizing that slots provide a built-in, zero-downtime validation mechanism within the same App Service.

How to eliminate wrong answers

Option A is wrong because creating two separate pipelines for staging and production introduces manual overhead and potential configuration drift, whereas deployment slots within a single pipeline enable seamless validation and swap. Option B is wrong because Azure Traffic Manager is a DNS-based traffic load balancer for routing traffic across regions, not for validating deployments within a single App Service; it does not provide slot swapping or pre-production validation. Option D is wrong because scaling an App Service plan with multiple instances improves availability and performance but does not provide a staging environment for validating deployments before they reach production.

3
MCQ · hard

An Azure Policy is defined as shown in the exhibit. You attempt to create a storage account with HTTPS traffic only set to false. What will happen?

A. The policy will only apply if the storage account is in a specific resource group
B. The storage account will be created but HTTPS will be enforced
C. The storage account will be created and an audit event will be logged
D. The creation will be denied with an error message
Answer: D

The policy denies creation when the condition is met.

Why this answer

The Azure Policy in the exhibit uses a 'Deny' effect for the condition that storage accounts must have HTTPS traffic enabled. When you attempt to create a storage account with 'HTTPS traffic only' set to false, the policy evaluation detects a non-compliant resource and denies the creation request, returning an error message. This is because the 'Deny' effect blocks the resource deployment entirely, preventing the non-compliant configuration from being provisioned.

Exam trap

The trap here is that candidates often confuse the 'Deny' effect with 'Audit' or 'Modify', mistakenly thinking the policy will either log the violation or auto-correct the setting, rather than understanding that 'Deny' blocks the operation entirely.

How to eliminate wrong answers

Option A is wrong because the policy definition does not include a scope restriction to a specific resource group; Azure Policies apply at the assigned scope (e.g., subscription or management group) unless a parameter or condition explicitly filters by resource group. Option B is wrong because the 'Deny' effect prevents the storage account from being created at all; it does not allow creation and then enforce HTTPS after the fact—enforcement would require a 'Modify' or 'DeployIfNotExists' effect. Option C is wrong because the 'Deny' effect blocks creation and logs a denial event, but it does not allow creation with an audit event; an 'Audit' effect would log the non-compliance without blocking.

4
Matching · medium

Match each Azure Repos policy to its enforcement.

Ensures at least N reviewers approve

Requires PR to be associated with a work item

Requires all comments to be resolved before merge

Requires a successful pipeline run before merge

Why these pairings

Branch policies in Azure Repos to protect branches.

5
MCQ · hard

A team uses Terraform to manage Azure infrastructure. They want to store the Terraform state file securely and enable collaboration. What is the recommended approach?

A. Store the state file in an Azure Storage account with state locking enabled
B. Store the state file in a local folder and commit to Git
C. Store the state file in Terraform Cloud
D. Store the state file in a Git repository with manual locking
Answer: A

Azure Storage provides remote state with leasing for locking, ensuring consistency.

Why this answer

Storing the Terraform state file in an Azure Storage account with state locking enabled is the recommended approach because it provides a centralized, durable backend that supports native state locking via Azure Blob Storage leases. This prevents concurrent modifications and state corruption, enabling safe collaboration among team members. Azure Storage also offers encryption at rest and access control via RBAC, aligning with security best practices for infrastructure-as-code.

Exam trap

The trap here is that candidates often assume Terraform Cloud is always the best remote backend, but the question specifies Azure infrastructure, and the recommended approach for Azure is the native Azure Storage backend due to its tight integration, lower latency, and no additional licensing cost.

How to eliminate wrong answers

Option B is wrong because storing the state file in a local folder and committing it to Git exposes sensitive data (e.g., plaintext secrets, resource IDs) in version control and lacks state locking, leading to corruption if multiple team members run Terraform simultaneously. Option C is wrong because while Terraform Cloud is a valid remote backend, the question specifically asks for the recommended approach for Azure infrastructure, and the Azure Storage backend is the native, cost-effective, and fully integrated solution within Azure; Terraform Cloud introduces an external dependency and additional cost. Option D is wrong because storing the state file in a Git repository with manual locking does not prevent concurrent writes—Git does not provide distributed locking, and manual coordination is error-prone and unscalable, risking state conflicts.

6
Drag & Drop · medium

Drag and drop the steps to implement a branch policy in Azure Repos for pull requests into the correct order.

Why this order

Branch policies are set by accessing repo settings, selecting branch, adding requirements, and saving.

7
Multi-Select · easy

Which TWO of the following are benefits of using Infrastructure as Code (IaC) over manual infrastructure management?

Select 2 answers
A. Consistent environment provisioning
B. Reduced configuration drift
C. Removes the need for testing
D. Eliminates the need for documentation
E. Lower infrastructure costs
Answers: A, B

IaC ensures environments are created from the same definition.

Why this answer

Options B and C are correct. Option B is correct because IaC ensures consistent environments. Option C is correct because IaC reduces configuration drift.

Option A is wrong because IaC does not reduce cost. Option D is wrong because IaC requires training. Option E is wrong because IaC does not eliminate testing.

8
MCQ · hard

Refer to the exhibit. You have an availability set with two VMs. One VM shows a degraded availability state. What is the most likely impact on application availability?

A. The application will be fully resilient to both planned and unplanned maintenance events.
B. The application will be vulnerable to unplanned hardware failures that affect the degraded VM's host.
C. The application will experience downtime during planned maintenance events.
D. The application will continue to run without any impact because the other VM is healthy.
Answer: B

Correct. The degraded VM is not on fault-tolerant infrastructure, meaning if its host fails, the VM will go down, potentially causing application downtime if the other VM cannot handle the load.

Why this answer

The availability set provides fault tolerance by distributing VMs across fault domains. A degraded state indicates one VM is on a host with potential issues, making it susceptible to unplanned hardware failures. The other VM remains healthy, but the application may not be fully resilient.

9
MCQ · easy

A company uses Azure DevOps to manage code. They want to enforce that all changes to the main branch must go through a pull request with at least two reviewers. What should they configure?

A. Branch policy on the main branch
B. Add a tag to the main branch
C. Repository permissions
D. Configure a service hook
Answer: A

Branch policies can require a minimum number of reviewers.

Why this answer

Branch policies in Azure DevOps allow you to enforce requirements on pull requests targeting a specific branch. By configuring a branch policy on the main branch, you can require a minimum number of reviewers (e.g., two) and mandate that all changes must go through a pull request. This ensures that no direct commits bypass the review process.

Exam trap

The trap here is that candidates may confuse repository permissions (which control access) with branch policies (which control workflow and quality gates), leading them to select Option C instead of the correct branch policy configuration.

How to eliminate wrong answers

Option B is wrong because adding a tag to the main branch is a labeling mechanism for marking releases or milestones; it does not enforce any workflow or review requirements. Option C is wrong because repository permissions control who can read, write, or administer the repository, but they do not enforce pull request review requirements on specific branches. Option D is wrong because a service hook is used to integrate with external systems (e.g., sending notifications or triggering builds) and cannot enforce branch-level policies like requiring reviewers.

10
MCQ · hard

Refer to the exhibit. You apply this Azure Policy to a subscription. A developer attempts to deploy a VM with SKU Standard_D2s_v3. What is the result?

A. The deployment is denied only if the VM is in a specific resource group.
B. The deployment is denied because the SKU matches the pattern.
C. The deployment is allowed because the SKU matches the pattern.
D. The deployment is allowed and a non-compliance event is logged.
Answer: B

Correct. The condition matches VM type and SKU name starting with 'Standard_D', so the deny effect blocks the deployment.

Why this answer

The policy definition uses a deny effect when the VM type is Microsoft.Compute/virtualMachines and the SKU name starts with 'Standard_D'. Since Standard_D2s_v3 matches that pattern, the deployment is denied.

11
MCQ · hard

A company uses Azure Pipelines to build a .NET Core application. The build takes 45 minutes due to dependency restoration. They want to reduce build time. What is the most effective strategy?

A. Cache the NuGet packages and enable caching in the pipeline
B. Use parallel jobs in the pipeline
C. Use a self-hosted agent with more CPU
D. Enable incremental builds
Answer: A

Caching packages reduces the need to download them every build, significantly reducing build time.

Why this answer

Caching NuGet packages in Azure Pipelines is the most effective strategy because dependency restoration is the primary bottleneck, often downloading hundreds of packages from nuget.org. By caching the ~/.nuget/packages folder, subsequent builds skip the network download entirely, reducing the 45-minute build time to minutes. This directly addresses the root cause—repetitive package restoration—without requiring additional infrastructure or parallelism.

Exam trap

The trap here is that candidates confuse 'parallel jobs' or 'faster agents' with solving a network-bound dependency restoration problem, when caching is the only strategy that eliminates the repeated download of unchanged packages.

How to eliminate wrong answers

Option B is wrong because parallel jobs distribute work across multiple agents but do not eliminate the redundant dependency restoration step; each parallel job would still spend 45 minutes restoring packages independently. Option C is wrong because a self-hosted agent with more CPU does not address the network-bound dependency restoration; the bottleneck is I/O and network latency, not CPU. Option D is wrong because incremental builds only skip recompiling unchanged code, but dependency restoration is a separate step that runs before compilation; incremental builds do not cache NuGet packages.

12
MCQ · hard

Refer to the exhibit. You queue a build in Azure Pipelines. The build status remains 'notStarted' for an extended period. What is the most likely reason?

A. The build priority is set to normal, causing delay.
B. The build is waiting for an available agent that meets the demands.
C. The build definition has a syntax error in the YAML file.
D. The build definition is not authorized to use the Azure Pipelines pool.
Answer: B

Correct. The demands require a Linux agent with Agent.Version > 2.170.1. If no hosted agent matches, the build waits indefinitely.

Why this answer

The build demands specify 'Agent.OS -equals Linux' and 'Agent.Version -gtVersion 2.170.1'. If no agent in the Azure Pipelines pool satisfies these demands, the build will remain queued until an appropriate agent becomes available.

13
Multi-Select · hard

A company is designing an Azure DevOps strategy for a microservices application. They need to ensure that each microservice can be built, tested, and deployed independently. They also want to reuse pipeline components across services. Which TWO practices should they implement?

Select 2 answers
A. Publish all microservice artifacts to the same Azure Artifacts feed.
B. Store all pipeline variables in a single variable group.
C. Create a single pipeline that handles all microservices.
D. Use pipeline templates to define common build and test steps.
E. Use multi-stage YAML pipelines with separate pipeline definitions per microservice.
Answers: D, E

Templates promote reuse and consistency.

Why this answer

Option D is correct because pipeline templates in Azure DevOps allow you to define reusable YAML snippets for common build and test steps, enabling consistency across microservices without duplicating code. Option E is correct because multi-stage YAML pipelines with separate definitions per microservice ensure each service can be built, tested, and deployed independently, aligning with microservices architecture principles.

Exam trap

The trap here is that candidates often confuse reusing pipeline components (templates) with centralizing everything (single pipeline or single variable group), missing that independent deployment requires separate pipeline definitions per microservice.

14
MCQ · easy

A team wants to enforce that all Azure resource groups in a subscription are tagged with 'CostCenter' and 'Environment'. They need a solution that automatically applies these tags to any new resource group and ensures compliance without manual intervention. What should they use?

A. Azure Policy
B. Azure RBAC
C. Azure Blueprints
D. Azure Resource Graph
Answer: A

Azure Policy can enforce tagging rules via 'deny' or 'append' effects on resource groups.

Why this answer

Azure Policy is the correct choice because it allows you to define and enforce tagging rules at scale. By creating a policy that requires 'CostCenter' and 'Environment' tags on resource groups, and setting the policy effect to 'deny' or 'append' (to automatically add missing tags), any new resource group creation that violates the policy is blocked or automatically remediated, ensuring compliance without manual intervention.

Exam trap

The trap here is that candidates confuse Azure Blueprints (which can include policies) with Azure Policy itself, but Blueprints are for deploying entire environments, not for continuous, automatic enforcement on all new resource groups across a subscription.

How to eliminate wrong answers

Option B (Azure RBAC) is wrong because Role-Based Access Control manages permissions (who can do what) on Azure resources, not the enforcement of resource metadata like tags. Option C (Azure Blueprints) is wrong because while Blueprints can include policies and assign tags during deployment, they are designed for orchestrating repeatable environments (e.g., a full subscription setup) and do not automatically enforce tagging on all new resource groups outside the blueprint's scope. Option D (Azure Resource Graph) is wrong because it is a query service for exploring and auditing resources, not a mechanism to enforce or automatically apply tags.

15
MCQ · easy

You run the Azure CLI command shown in the exhibit. What is the output?

A. An error because the query syntax is incorrect
B. A table showing VM names and resource groups for VMs in eastus
C. A list of all VMs in the subscription
D. A list of all VMs in the westus location
Answer: B

The command filters by eastus and projects name and resource group.

Why this answer

The Azure CLI command `az vm list --query "[?location=='eastus'].{Name:name, ResourceGroup:resourceGroup}" --output table` filters virtual machines to only those in the 'eastus' location, then projects the 'name' and 'resourceGroup' properties into a table. The `--query` parameter uses JMESPath syntax, which is correct here, and the `--output table` formats the result as a table. Therefore, the output is a table showing VM names and resource groups for VMs in eastus.

Exam trap

The trap here is that candidates might think the query syntax is invalid (Option A) due to unfamiliarity with JMESPath, or they might overlook the location filter and assume the command returns all VMs (Option C) or VMs in a different location (Option D).

How to eliminate wrong answers

Option A is wrong because the query syntax is valid JMESPath; the filter `[?location=='eastus']` and projection `{Name:name, ResourceGroup:resourceGroup}` are correctly formed, so no error occurs. Option C is wrong because the query explicitly filters by location 'eastus', so it does not list all VMs in the subscription. Option D is wrong because the filter specifies 'eastus', not 'westus'; the command will only return VMs in the eastus location.

16
Multi-Select · medium

Which THREE of the following are prerequisites for implementing a CI/CD pipeline for a .NET Core application?

Select 3 answers
A. Build agent (Microsoft-hosted or self-hosted)
B. Source control repository (e.g., Git)
C. Unit test framework
D. Docker container registry
E. Target deployment environment (e.g., App Service)
Answers: A, B, E

A build agent executes the pipeline tasks.

Why this answer

A build agent is required to execute the pipeline tasks, such as compiling code, running tests, and packaging artifacts. Microsoft-hosted agents provide a pre-configured environment with common tools, while self-hosted agents allow custom configurations and access to on-premises resources. Without a build agent, the CI/CD pipeline cannot perform any automated build or deployment steps.

Exam trap

The trap here is that candidates often mistake optional pipeline components (like unit tests or container registries) as prerequisites, when in fact only the core infrastructure (agent, source control, and target environment) is mandatory for a basic CI/CD pipeline.

17
MCQ · easy

A DevOps engineer needs to ensure that only approved Azure Resource Manager (ARM) templates are used for deployments. They want to enforce this at the subscription level. Which Azure service should they use?

A. Azure Role-Based Access Control (RBAC)
B. Azure Policy
C. Azure Blueprints
D. Azure Management Groups
Answer: B

Azure Policy can enforce allowed template versions or deny non-compliant deployments.

Why this answer

Azure Policy is the correct service because it allows you to create, assign, and manage policies that enforce specific rules on your Azure resources. By using a built-in or custom policy definition (e.g., 'Allowed resource types' or 'Audit if ARM template is not from approved location'), you can restrict ARM template deployments at the subscription level. Azure Policy evaluates all resource creation and update requests against these rules, blocking or auditing any non-compliant ARM template usage.

Exam trap

The trap here is that candidates often confuse Azure Policy with Azure RBAC, thinking that role-based access can restrict template content, when in fact RBAC only controls who can deploy, not what they deploy.

How to eliminate wrong answers

Option A is wrong because Azure RBAC controls who can perform actions (authentication and authorization) on resources, not what specific ARM templates are allowed; it cannot inspect the content or source of a template. Option C is wrong because Azure Blueprints is used to orchestrate the deployment of a repeatable set of Azure resources (including policies, RBAC, and resource groups) but does not itself enforce which ARM templates are used; it relies on Azure Policy for enforcement. Option D is wrong because Azure Management Groups provide a hierarchical structure for managing access, policies, and compliance across multiple subscriptions, but they do not directly enforce ARM template restrictions; they are a container for applying policies, not the enforcement mechanism itself.

18
MCQ · medium

A team is designing a release pipeline for a .NET Core web application. They want to deploy to Azure App Service using a blue-green deployment strategy to minimize downtime. Which Azure App Service feature should they use to implement this?

A. Use Azure Load Balancer in front of two separate App Services.
B. Use deployment slots with swap operation.
C. Configure auto-scaling rules.
D. Use Azure Traffic Manager to route traffic between slots.
Answer: B

Deployment slots enable blue-green swaps with zero downtime.

Why this answer

Deployment slots in Azure App Service support swap operations that enable blue-green deployment by swapping the production slot with a staging slot. This minimizes downtime because warm-up and validation are done in the staging slot before traffic is redirected, and the swap itself is instantaneous under the hood. No external load balancer or traffic manager is needed because the swap operation handles the routing internally.

Exam trap

The trap here is that candidates may confuse Azure Traffic Manager or Load Balancer as necessary for blue-green deployments, but Azure App Service's built-in deployment slots with swap operation are the correct and simplest implementation for this specific service.

How to eliminate wrong answers

Option A is wrong because using Azure Load Balancer in front of two separate App Services adds unnecessary complexity and cost; it does not leverage the built-in slot swap mechanism that Azure App Service provides for zero-downtime deployments. Option C is wrong because auto-scaling rules handle scaling out or in based on demand, not traffic routing or deployment strategies like blue-green. Option D is wrong because Azure Traffic Manager is a DNS-based traffic routing service that operates at the DNS level and cannot perform instant slot swaps; it would introduce DNS propagation delays and is not designed for the warm-up and validation workflow of blue-green deployments.

19
Multi-Select · hard

Which THREE of the following are valid methods to securely store and use secrets in Azure DevOps pipelines?

Select 3 answers
A. Azure Key Vault task in the pipeline
B. Variable Group linked to Azure Key Vault
C. Azure App Configuration with Key Vault references
D. Storing secrets in a pipeline YAML file with encryption
E. Pipeline variables marked as 'secret'
Answers: A, B, E

The Azure Key Vault task can fetch secrets during pipeline execution.

Why this answer

Option A is correct because the Azure Key Vault task in a pipeline allows you to fetch secrets directly from an Azure Key Vault instance during pipeline execution. This task retrieves secret values as pipeline variables, ensuring they are never exposed in logs or YAML files, and it supports both Azure Resource Manager and service principal authentication for secure access.

Exam trap

The trap here is that candidates may think Azure App Configuration with Key Vault references is a direct pipeline secret storage method, but it is designed for application configuration at runtime, not for pipeline variable management, and it requires additional configuration to resolve references during pipeline execution.

20
MCQ · medium

A company uses Azure DevOps for CI/CD. They have multiple pipelines that deploy to different environments. They want to ensure that secrets like API keys are not exposed in pipeline logs. What is the best approach?

A. Use Azure App Configuration with Key Vault references
B. Create a Variable Group linked to Azure Key Vault
C. Use Azure Kubernetes Service secrets
D. Use pipeline variables marked as 'secret'
Answer: B

Variable Groups linked to Key Vault ensure secrets are never stored in the pipeline and are fetched at runtime.

Why this answer

Option C is correct because Variable Groups linked to Azure Key Vault securely store secrets and can be referenced in pipelines without exposing values. Option A is wrong because pipeline variables can be set as secret but still need secure storage. Option B is wrong because Azure App Configuration can store secrets but is less integrated for secret management.

Option D is wrong because environment secrets are for Kubernetes, not general pipeline secrets.

21
MCQ · medium

Refer to the exhibit. You run an ARM template deployment and get the error shown. What is the most likely cause?

A. The template references a resource that already exists and conflicts with the deployment.
B. The deployment name already exists in the resource group.
C. The resource group location does not match the template location.
D. The template has a syntax error in the JSON.
Answer: A

Correct. The inner error indicates a user 'adminuser' already exists in the resource group, causing a conflict.

Why this answer

The error details show a Conflict with message 'User 'adminuser' already exists in this resource group.' This indicates the template tries to create a resource that already exists, causing a conflict.

22
MCQ · medium

A company uses Azure Pipelines to deploy microservices to Azure Kubernetes Service (AKS). They want to implement a canary deployment strategy. What should they use?

A. Use Kubernetes native deployment strategies with multiple replica sets and traffic splitting
B. Use Azure Front Door to route traffic between clusters
C. Use deployment slots in Azure App Service
D. Use Azure Container Instances as a staging environment
Answer: A

Kubernetes supports canary deployments via service mesh, multiple deployments, and traffic routing.

Why this answer

Option A is correct because Kubernetes natively supports canary deployments by running multiple replica sets of the same application and using a service mesh or ingress controller (e.g., Istio, NGINX Ingress) to split traffic between the stable and canary versions. Azure Pipelines can orchestrate this by updating the canary deployment and adjusting traffic weights gradually, enabling controlled rollouts and rollbacks without external routing services.

Exam trap

The trap here is that candidates confuse Azure Front Door’s global traffic routing with Kubernetes-native traffic splitting, assuming a PaaS-level service can replace the granular, service-mesh-based canary logic required within a single AKS cluster.

How to eliminate wrong answers

Option B is wrong because Azure Front Door is a global load balancer and application delivery network that routes traffic between entire clusters or regions, not between microservice versions within the same AKS cluster; it cannot perform fine-grained canary traffic splitting at the pod or replica set level. Option C is wrong because deployment slots are a feature of Azure App Service, not AKS; they apply to web apps running on Windows or Linux App Service plans, not to containerized microservices orchestrated by Kubernetes. Option D is wrong because Azure Container Instances (ACI) is a serverless container runtime for running individual containers, not a staging environment for canary deployments; it lacks the orchestration, service discovery, and traffic management capabilities needed to split traffic between versions of a microservice.

23
MCQ · hard

An organization uses an on-premises Jenkins server to build Docker images and push them to Azure Container Registry (ACR). The security team requires that all images be scanned for vulnerabilities before deployment. The DevOps team needs to automate this scanning after each push. What is the most efficient way to meet this requirement?

A. Use Azure Policy to enforce vulnerability scanning.
B. Configure a Jenkins job to scan images before pushing to ACR.
C. Configure a webhook in ACR to notify Jenkins to scan the image.
D. Create an ACR task that runs a vulnerability scanner triggered by image push events.
Answer: D

ACR tasks can be triggered by push events and run custom steps like scanning.

Why this answer

Option D is correct because ACR Tasks natively support automated vulnerability scanning via integration with Azure Security Center or third-party scanners like Trivy. By creating an ACR task that triggers on image push events, the organization can scan images immediately after they are pushed without additional infrastructure or manual intervention. This approach is event-driven, serverless, and aligns with the requirement to automate scanning after each push.

Exam trap

The trap here is that candidates may confuse Azure Policy with an action that performs scanning, or assume ACR webhooks can directly trigger Jenkins jobs for scanning, when in fact ACR Tasks provide a simpler, event-driven, and fully managed solution for post-push scanning.

How to eliminate wrong answers

Option A is wrong because Azure Policy can enforce compliance rules (e.g., requiring scanning) but does not perform the actual vulnerability scanning; it only audits or denies resources that don't meet policy definitions and does not trigger scans. Option B is wrong because scanning images before pushing to ACR would require the Jenkins job to pull the image back or scan locally, which adds latency and complexity, and does not leverage the push event as required. Option C is wrong because ACR does not support webhooks that notify Jenkins of push events for vulnerability scanning; ACR webhooks can trigger actions like sending notifications or invoking HTTP endpoints, but they are not designed to initiate scanning workflows directly, and this approach would require custom Jenkins plugin configuration and polling, making it less efficient than a native ACR task.

24
MCQ · easy

A team wants to automatically destroy a temporary test environment after a pull request is merged or closed. What Azure DevOps feature should they use?

A. Environment with post-deployment approvals
B. Branch policy with required reviewers
C. Pipeline trigger on branch deletion
D. Service hook to Azure Functions
Answer: A

Post-deployment approvals can trigger a cleanup job when the environment is no longer needed.

Why this answer

Option A is correct because Azure DevOps Environments support post-deployment approvals and can be configured with a deployment job that automatically triggers resource cleanup when a pull request is merged or closed. By defining a 'destroy' job in the YAML pipeline that runs only on the 'post-deployment' trigger of an environment, the team can tear down the temporary test environment without manual intervention.

Exam trap

The trap here is that candidates often confuse pipeline triggers on branch deletion (Option C) with environment lifecycle events, not realizing that branch deletion triggers do not inherently respond to pull request merge/close events and lack the built-in environment management capabilities of deployment jobs with post-deployment gates.

How to eliminate wrong answers

Option B is wrong because branch policies with required reviewers control code review and merge gates, not the lifecycle of deployed environments. Option C is wrong because pipeline triggers on branch deletion fire when a branch is removed from the repository, but they do not inherently know about pull request merge or close events, and they cannot automatically destroy a test environment without additional custom logic. Option D is wrong because service hooks to Azure Functions can be used to trigger external processes on pull request events, but they are not a built-in Azure DevOps feature for environment lifecycle management; they require custom code and do not integrate directly with Azure Pipelines environment cleanup.

25
Multi-Select · hard

Which TWO of the following are valid ways to trigger a pipeline in Azure DevOps when a pull request is created?

Select 2 answers
A. Pull request trigger in YAML pipeline
B. Scheduled trigger
C. Continuous integration trigger
D. Branch policy with build validation
E. Pipeline completion trigger
Answers: A, D

YAML pipelines can define PR triggers using the 'pr:' keyword.

Why this answer

Option A is correct because Azure DevOps YAML pipelines support a `pr` trigger that automatically runs the pipeline when a pull request is created or updated. This trigger is defined directly in the YAML file and can be scoped to specific branches or paths, making it a native and flexible way to respond to PR events.

Exam trap

The trap here is that candidates often confuse the continuous integration trigger (which fires on push) with the pull request trigger, or they overlook that branch policy build validation is a separate but equally valid method to trigger a pipeline on PR creation.

26
MCQ · hard

You are the lead DevOps engineer for a large e-commerce company. The company has a multi-region Azure Kubernetes Service (AKS) cluster deployment for its microservices. The current CI/CD pipeline uses Azure DevOps to build Docker images and deploy to AKS via Helm charts. Recently, the team noticed that after a deployment to the West Europe region, the application experienced a 5-minute downtime due to a configuration error where the new pods couldn't connect to the database because the connection string was pointing to a staging database instead of production. The issue was detected manually after a customer reported the outage. The team wants to implement a mechanism to automatically detect such misconfigurations before they affect production traffic. They also want to ensure that if a deployment fails health checks, the previous version is automatically rolled back. The pipeline currently runs all stages in sequence: build, deploy to West Europe, then deploy to East US. The team has a small budget for additional resources. Which approach should the team implement?

A. Implement a canary deployment strategy with automated health checks and automatic rollback on failure.
B. Use a blue-green deployment strategy with deployment slots in AKS.
C. Add a manual approval gate before the deployment to East US, requiring a tester to verify the deployment in West Europe.
D. Deploy to a separate test environment first, run integration tests, then deploy to production.
Answer: A

Canary releases with health checks and rollback catch misconfigurations early and minimize impact.

Why this answer

Option A is correct because a canary deployment strategy with automated health checks and automatic rollback directly addresses the need to detect misconfigurations before they affect all production traffic. By routing a small percentage of traffic to the new pods and monitoring health probes (e.g., liveness and readiness probes in Kubernetes), the pipeline can automatically roll back if the canary fails, preventing the 5-minute downtime scenario. This approach is cost-effective as it leverages existing AKS features without requiring additional infrastructure.

Exam trap

The trap here is that candidates may confuse blue-green or test environment strategies with automated detection and rollback, but these options lack the real-time health monitoring and automatic traffic shifting that canary deployments provide for catching configuration errors in production.

How to eliminate wrong answers

Option B is wrong because blue-green deployment with deployment slots in AKS does not inherently provide automated health checks or rollback on failure; it requires manual traffic switching and does not automatically detect configuration errors like a wrong database connection string. Option C is wrong because adding a manual approval gate before deploying to East US still relies on human verification, which is slow and error-prone, and does not automatically detect misconfigurations or trigger rollback. Option D is wrong because deploying to a separate test environment first and running integration tests does not guarantee that the exact production configuration (e.g., database connection strings) is validated; it also adds cost and complexity without addressing the need for automatic rollback in production.

27
MCQ · hard

Your organization uses Azure DevOps to manage a large-scale microservices application deployed to Azure Kubernetes Service (AKS). The application consists of 20 microservices, each with its own code repository and CI/CD pipeline. Recently, the team has been experiencing frequent build failures due to dependency conflicts between microservices when multiple pipelines run simultaneously and try to use the same build agent. The team is using Microsoft-hosted agents with a single agent pool. The builds take an average of 30 minutes each, and there are often 10+ builds queued at the same time. The team wants to reduce build failures and improve build throughput without a significant increase in cost. What should they do?

A. Reduce the number of agents to 5 to avoid conflicts
B. Move all microservices into a single repository and use a single pipeline
C. Provision self-hosted agents on Azure VMs with dedicated agent pools for each microservice
D. Increase the number of parallel jobs in the agent pool to 20
Answer: C

Self-hosted agents can be isolated per microservice, avoiding dependency conflicts, and can be sized appropriately.

Why this answer

Option C is correct because provisioning self-hosted agents on Azure VMs with dedicated agent pools for each microservice eliminates dependency conflicts by isolating build environments. This approach also improves throughput by allowing parallel builds without contention, and using Azure VMs (e.g., spot instances or reserved instances) can be cost-effective compared to scaling Microsoft-hosted parallel jobs, which incur per-minute charges.

Exam trap

The trap here is that candidates often assume increasing parallel jobs (Option D) is the cheapest and simplest fix, but they overlook the per-minute billing for Microsoft-hosted agents and the fact that dependency conflicts persist because agents are not isolated.

How to eliminate wrong answers

Option A is wrong because reducing the number of agents to 5 would worsen queue times and increase build failures due to even higher contention, directly contradicting the goal of improving throughput. Option B is wrong because moving all microservices into a single repository and using a single pipeline would create a monolithic build process, increasing build times, reducing parallelism, and violating microservices best practices for independent deployment and scaling. Option D is wrong because increasing parallel jobs in the agent pool to 20 with Microsoft-hosted agents would significantly increase costs (each parallel job incurs additional charges) and does not address the root cause of dependency conflicts, as agents still share the same environment and can interfere with each other.

28
MCQ · medium

A company uses Azure DevOps for CI/CD. They have a multi-stage YAML pipeline that builds a Java application, runs unit tests, and deploys to a test environment. The test environment uses an Azure SQL Database. The pipeline currently runs successfully but the team notices that the test database schema is not always up-to-date. They want to apply database migrations automatically as part of the pipeline. Which tool or task should they integrate?

A. Use the Azure SQL Database deployment task to run a SQL script manually.
B. Use Azure SQL Database backup and restore to update the schema.
C. Add a PowerShell task that runs SQLCMD.
D. Integrate Flyway or similar database migration tool in the pipeline.
Answer: D

Flyway provides versioned migrations that can be automated in CI/CD.

Why this answer

Option D is correct because Flyway is a dedicated database migration tool that integrates seamlessly with Azure DevOps pipelines, allowing you to version-control and apply schema changes automatically. Unlike ad-hoc scripts, Flyway tracks which migrations have been applied, ensuring the test database schema is always up-to-date without manual intervention.

Exam trap

The trap here is that candidates may think any SQL execution task (like SQLCMD or the Azure SQL task) is sufficient for schema updates, overlooking the critical need for version control, state tracking, and repeatability that dedicated migration tools provide.

How to eliminate wrong answers

Option A is wrong because the Azure SQL Database deployment task is designed for deploying a DACPAC or running a single SQL script, but it does not provide versioning or incremental migration tracking, so it cannot reliably keep the schema up-to-date across multiple changes. Option B is wrong because backup and restore is a data recovery operation, not a schema migration strategy; it would overwrite the entire database rather than applying incremental schema changes. Option C is wrong because a PowerShell task running SQLCMD can execute arbitrary SQL scripts, but it lacks migration state management, rollback capabilities, and version control, making it error-prone and non-repeatable for continuous schema updates.
