CCNA Describe Azure architecture and services Questions

75 of 409 questions · Page 2/6 · Describe Azure architecture and services · Answers revealed

76
MCQhard

A company is designing a solution that requires guaranteed message delivery and exactly-once processing for financial transactions. Which Azure messaging service should they use?

A.Azure Queue Storage
B.Azure Event Hubs
C.Azure Service Bus
D.Azure Event Grid
AnswerC

Service Bus with sessions and duplicate detection provides exactly-once processing and guaranteed delivery for transactions.

Why this answer

Azure Service Bus is the correct choice because it supports guaranteed message delivery through its 'Peek-Lock' and 'Scheduled Delivery' features, and it provides exactly-once processing via duplicate detection (based on the MessageId property) and transaction support (atomic operations across multiple entities). This makes it ideal for financial transactions where message loss or duplication is unacceptable.

Exam trap

The trap here is that candidates often confuse 'at-least-once' delivery (common in Queue Storage and Event Hubs) with 'exactly-once' processing, or they assume Event Grid's low-latency routing implies reliability guarantees, when in fact only Service Bus provides the necessary transactional and duplicate detection features for financial transactions.

How to eliminate wrong answers

Option A is wrong because Azure Queue Storage offers at-least-once delivery (messages can be processed multiple times) and does not support exactly-once processing or transactions. Option B is wrong because Azure Event Hubs is designed for high-throughput event ingestion with at-least-once delivery and does not provide exactly-once processing guarantees or transactional support. Option D is wrong because Azure Event Grid is a reactive event routing service that delivers events at least once (with no exactly-once guarantee) and lacks built-in duplicate detection or transaction capabilities.

77
MCQmedium

A company wants to migrate a set of on-premises databases to Azure. They require high compatibility with SQL Server features, including cross-database queries and SQL Agent jobs. They want a PaaS solution. Which Azure service is most appropriate?

A.Azure SQL Database
B.Azure SQL Managed Instance
C.SQL Server on Azure Virtual Machines
D.Azure Database for PostgreSQL
AnswerB

Managed Instance provides a fully managed SQL Server environment with high compatibility and support for SQL Agent and cross-database queries.

Why this answer

Azure SQL Managed Instance is the correct choice because it provides near 100% compatibility with SQL Server on-premises, including support for cross-database queries and SQL Agent jobs, while being a fully managed Platform-as-a-Service (PaaS) offering. This allows the company to lift-and-shift their databases without redesigning applications, meeting both the feature and PaaS requirements.

Exam trap

The trap here is that candidates often confuse Azure SQL Database (single database) with Azure SQL Managed Instance (instance-scoped features), assuming all Azure SQL PaaS offerings support SQL Agent and cross-database queries, but only Managed Instance provides these capabilities in a PaaS model.

How to eliminate wrong answers

Option A is wrong because Azure SQL Database is a single-database PaaS offering that does not support cross-database queries or SQL Agent jobs, requiring application changes to use elastic queries or external tools. Option C is wrong because SQL Server on Azure Virtual Machines is an Infrastructure-as-a-Service (IaaS) solution, not PaaS, and requires the customer to manage the VM and SQL Server, including patching and backups. Option D is wrong because Azure Database for PostgreSQL is a different database engine that does not support SQL Server-specific features like T-SQL, cross-database queries, or SQL Agent jobs, and would require significant application rewriting.

78
MCQeasy

Which Azure service translates domain names to IP addresses for routing internet traffic?

A.Azure Traffic Manager
B.Azure DNS
C.Azure Private DNS
D.Azure Application Gateway
AnswerB

Azure DNS hosts DNS zones and resolves domain names to IP addresses using Azure's globally distributed nameservers.

Why this answer

Azure DNS is the correct service because it provides domain name resolution, translating human-readable domain names (e.g., www.example.com) into IP addresses using the DNS protocol. This is the fundamental function of a DNS service, enabling internet traffic to be routed to the correct destination based on the resolved IP address.

Exam trap

The trap here is that candidates often confuse Azure Traffic Manager (which uses DNS for traffic routing) with the actual DNS resolution service, mistakenly thinking Traffic Manager translates domain names to IP addresses, when in fact it only redirects traffic based on DNS responses.

How to eliminate wrong answers

Option A is wrong because Azure Traffic Manager is a DNS-based traffic load balancer that distributes incoming traffic across multiple endpoints based on routing methods (e.g., performance, priority), but it does not perform domain name to IP address translation; it relies on DNS for resolution. Option C is wrong because Azure Private DNS is used for name resolution within a virtual network (VNet) for private IP addresses, not for translating public domain names to IP addresses for internet traffic. Option D is wrong because Azure Application Gateway is a Layer 7 web traffic load balancer and web application firewall (WAF) that routes HTTP/HTTPS traffic based on URL paths, not a DNS resolution service.

79
MCQmedium

Which Azure service provides managed hosting for Hadoop ecosystems including HDFS, Hive, HBase, and Spark?

A.Azure Databricks
B.Azure Synapse Analytics
C.Azure HDInsight
D.Azure Data Factory
AnswerC

HDInsight provides managed Hadoop ecosystem clusters (HDFS, Hive, HBase, Kafka, Spark, Storm) on Azure.

Why this answer

Azure HDInsight is the correct answer because it is a fully managed, open-source analytics service specifically designed for running popular Hadoop ecosystems such as HDFS, Hive, HBase, and Spark on Azure. It provides pre-configured clusters with these components, allowing you to process large-scale data workloads without manual infrastructure management.

Exam trap

The trap here is that candidates often confuse Azure Databricks (a Spark-focused service) with HDInsight, failing to recognize that HDInsight is the only option that provides a full Hadoop ecosystem including HDFS, Hive, and HBase.

How to eliminate wrong answers

Option A is wrong because Azure Databricks is an Apache Spark-based analytics platform optimized for collaborative data engineering and machine learning, but it does not natively include HDFS, Hive, or HBase as managed services. Option B is wrong because Azure Synapse Analytics is a unified analytics service that combines data warehousing and big data analytics, but it does not provide managed Hadoop ecosystems like HDFS or HBase; it uses its own SQL-based engine and Spark pools. Option D is wrong because Azure Data Factory is a cloud-based ETL and data integration service that orchestrates data movement and transformation, but it does not host Hadoop components such as HDFS, Hive, or HBase.

80
MCQmedium

Which Azure service provides source control, CI/CD pipelines, project management, and artifact management in a single platform?

A.GitHub Enterprise
B.Azure DevOps
C.Azure App Service
D.Azure Resource Manager
AnswerB

Azure DevOps provides Repos, Pipelines, Boards, Test Plans, and Artifacts — a complete DevOps toolset.

Why this answer

Azure DevOps is the correct answer because it is a comprehensive Microsoft platform that integrates source control (Git or TFVC), CI/CD pipelines (Azure Pipelines), project management (Azure Boards with Scrum/Kanban), and artifact management (Azure Artifacts) into a single, unified service. This all-in-one approach enables teams to manage the entire application lifecycle without needing separate tools for each function.

Exam trap

The trap here is that candidates often confuse GitHub Enterprise with Azure DevOps because both offer source control and CI/CD, but Azure DevOps is the only option that natively bundles project management (Azure Boards) and artifact management (Azure Artifacts) as first-class, integrated services, whereas GitHub Enterprise requires additional tools or configurations for equivalent functionality.

How to eliminate wrong answers

Option A is wrong because GitHub Enterprise is primarily a source control and collaboration platform that, while it offers GitHub Actions for CI/CD and project management features, does not natively include artifact management (like NuGet or Maven feeds) as a core integrated service; it relies on external integrations or GitHub Packages, which is not as tightly coupled as Azure DevOps. Option C is wrong because Azure App Service is a PaaS offering for hosting web applications, APIs, and mobile backends, and it does not provide source control, CI/CD pipelines, project management, or artifact management—it only supports deployment from external CI/CD tools. Option D is wrong because Azure Resource Manager is the deployment and management service for Azure resources, providing a consistent management layer for creating, updating, and deleting resources via templates, but it has no built-in source control, CI/CD, project management, or artifact management capabilities.

81
MCQeasy

Which Azure service allows you to run Linux and Windows virtual machines in the cloud with full control over the operating system?

A.Azure App Service
B.Azure Virtual Machines
C.Azure Container Instances
D.Azure Functions
AnswerB

Azure VMs provide IaaS with full OS control for both Windows and Linux, supporting any workload that needs OS-level customization.

Why this answer

Azure Virtual Machines (IaaS) provide full control over the guest operating system, including the ability to install custom software, configure the kernel, and manage updates. This is the only service in the list that offers direct access to the OS for both Linux and Windows, as it runs on a hypervisor-managed virtual hardware stack.

Exam trap

The trap here is that candidates often confuse PaaS services like App Service or serverless Functions with IaaS VMs, mistakenly thinking they can control the OS in those services when in fact they only control the application code.

How to eliminate wrong answers

Option A is wrong because Azure App Service is a Platform-as-a-Service (PaaS) offering that abstracts the underlying OS; you cannot control or customize the operating system, only deploy web applications or APIs. Option C is wrong because Azure Container Instances runs containerized applications without a full virtual machine OS; you manage the container runtime but have no direct control over a guest OS. Option D is wrong because Azure Functions is a serverless compute service where the OS is fully managed by Azure and you only provide code triggered by events.

82
MCQeasy

A company wants to deploy a web application that automatically scales based on traffic, without managing any virtual machines. They need high availability and support for multiple development frameworks. Which Azure service should they use?

A.Azure Virtual Machines
B.Azure App Service
C.Azure Functions
D.Azure Kubernetes Service
AnswerB

App Service is a PaaS offering that handles scaling, patching, and availability, and supports multiple frameworks.

Why this answer

Azure App Service is a fully managed Platform-as-a-Service (PaaS) offering that automatically scales web applications based on traffic using built-in autoscale rules, without requiring any virtual machine management. It provides high availability through its SLA-backed multi-instance deployment and supports multiple development frameworks including .NET, Java, Node.js, Python, and PHP, making it the ideal choice for this scenario.

Exam trap

The trap here is that candidates often confuse Azure Functions (serverless, event-driven) with Azure App Service (PaaS for full web apps), but Functions lacks support for multiple development frameworks in a single application and is not designed for persistent, stateful web applications.

How to eliminate wrong answers

Option A is wrong because Azure Virtual Machines are Infrastructure-as-a-Service (IaaS) resources that require manual management of operating systems, scaling, and patching, and do not automatically scale without additional configuration (e.g., VMSS). Option C is wrong because Azure Functions is a serverless compute service designed for event-driven, short-lived workloads (e.g., HTTP triggers, queue processing), not for hosting a full web application with persistent state and multiple frameworks. Option D is wrong because Azure Kubernetes Service (AKS) is a container orchestration platform that still requires managing node pools, pods, and scaling configurations, and does not eliminate virtual machine management entirely.

83
MCQmedium

Which Azure service provides real-time performance monitoring and alerting for live web applications, including request rates and failure rates?

A.Azure Monitor Metrics
B.Azure Application Insights
C.Azure Log Analytics
D.Azure Network Watcher
AnswerB

Application Insights monitors live web apps with request rates, failure rates, response times, and automatic anomaly detection.

Why this answer

Azure Application Insights is a feature of Azure Monitor specifically designed for Application Performance Management (APM) of live web applications. It automatically detects performance anomalies, includes powerful analytics tools to diagnose issues, and provides real-time metrics such as request rates, response times, and failure rates directly from the application code.

Exam trap

The trap here is that candidates often confuse Azure Monitor Metrics (which collects infrastructure-level metrics) with Application Insights (which collects application-level telemetry), leading them to choose Option A for a question specifically about live web application performance.

How to eliminate wrong answers

Option A is wrong because Azure Monitor Metrics collects numerical data from Azure resources (e.g., CPU, memory) but does not provide application-level telemetry like request rates or failure rates for live web applications. Option C is wrong because Azure Log Analytics is a query and analysis tool for log data stored in Log Analytics workspaces; it does not offer real-time performance monitoring or alerting for live web applications out of the box. Option D is wrong because Azure Network Watcher is focused on network-level diagnostics and monitoring (e.g., packet capture, NSG flow logs), not application-layer performance metrics.

84
MCQmedium

Which Azure service provides a DNS hosting service that resolves domain names using the Azure infrastructure?

A.Azure Traffic Manager
B.Azure Front Door
C.Azure DNS
D.Azure Private Link
AnswerC

Azure DNS hosts DNS zones and resolves domain names using Azure's global infrastructure.

Why this answer

Azure DNS is the correct answer because it is a hosting service for DNS domains that provides name resolution using Microsoft Azure infrastructure. It allows you to manage your DNS records using the same credentials, APIs, and billing as your other Azure services, and it supports common DNS record types like A, AAAA, CNAME, MX, NS, PTR, SOA, SRV, and TXT.

Exam trap

The trap here is that candidates often confuse Azure DNS with Azure Traffic Manager because both involve DNS, but Traffic Manager only uses DNS for traffic routing and does not host DNS zones or provide authoritative name resolution.

How to eliminate wrong answers

Option A is wrong because Azure Traffic Manager is a DNS-based traffic load balancer that distributes traffic across endpoints based on routing methods (e.g., priority, performance, geographic), but it does not host DNS zones or provide authoritative name resolution for custom domains. Option B is wrong because Azure Front Door is a global, scalable entry point that uses the Microsoft global edge network for application delivery, including load balancing and SSL termination, but it is not a DNS hosting service; it relies on external DNS for domain resolution. Option D is wrong because Azure Private Link provides private connectivity from a virtual network to Azure PaaS services or customer-owned services over the Microsoft backbone network, but it does not offer DNS hosting or domain name resolution services.

85
MCQmedium

A company is planning to migrate its on-premises applications to Azure. They have a mix of monolithic and microservices-based applications. Which Azure compute service should they choose for a microservices architecture that requires independent scaling and deployment of components?

A.Azure Functions
B.Azure App Service
C.Azure Kubernetes Service (AKS)
D.Azure Virtual Machines
AnswerC

AKS provides container orchestration, enabling independent scaling, deployment, and management of microservices.

Why this answer

Azure Kubernetes Service (AKS) is the correct choice because it provides a managed Kubernetes orchestration platform designed specifically for microservices architectures. AKS enables independent scaling, deployment, and management of containerized components, which aligns with the requirement for decoupled services that can be updated or scaled individually without affecting the entire application.

Exam trap

The trap here is that candidates often confuse Azure Functions (serverless) with microservices orchestration, but Functions lacks the container orchestration, service discovery, and rolling update capabilities that AKS provides for managing independent components.

How to eliminate wrong answers

Option A is wrong because Azure Functions is a serverless compute service optimized for event-driven, short-lived functions, not for orchestrating long-running microservices with independent scaling and deployment of components. Option B is wrong because Azure App Service is a Platform-as-a-Service (PaaS) for hosting web apps, APIs, and mobile backends, but it does not natively support container orchestration or fine-grained per-component scaling required by microservices. Option D is wrong because Azure Virtual Machines provide Infrastructure-as-a-Service (IaaS) with full control over the OS, but they require manual management of scaling, load balancing, and deployment, making them unsuitable for the automated, independent lifecycle management of microservices components.

86
MCQmedium

Which Azure service provides a hub for connecting IoT devices to Azure, supporting device management, telemetry ingestion, and bidirectional communication?

A.Azure Event Hubs
B.Azure IoT Hub
C.Azure Stream Analytics
D.Azure Service Bus
AnswerB

IoT Hub provides bidirectional communication, device management, and telemetry ingestion — the complete IoT connectivity platform.

Why this answer

Azure IoT Hub is the correct service because it is specifically designed as a cloud gateway for IoT devices, providing device identity registry, secure device-to-cloud and cloud-to-device messaging, and built-in device management capabilities. It supports bidirectional communication using MQTT, AMQP, and HTTPS protocols, making it the central hub for IoT solutions.

Exam trap

The trap here is that candidates confuse Azure Event Hubs with IoT Hub because both ingest telemetry, but Event Hubs lacks device management, identity registry, and bidirectional communication capabilities.

How to eliminate wrong answers

Option A is wrong because Azure Event Hubs is a big data streaming platform and event ingestion service, not a device management or bidirectional communication hub; it lacks device identity registry and cloud-to-device messaging. Option C is wrong because Azure Stream Analytics is a real-time analytics and complex event processing engine that consumes data from sources like Event Hubs or IoT Hub, but it does not manage devices or provide bidirectional communication. Option D is wrong because Azure Service Bus is a message broker for enterprise messaging and decoupling applications, not designed for IoT device connectivity, device management, or telemetry ingestion from constrained devices.

87
MCQmedium

A company hosts a public-facing e-commerce website on Azure virtual machines deployed in two Azure regions (East US and West Europe). The company wants to automatically route users to the region that provides the lowest network latency based on their geographic location. The solution must use DNS-based traffic routing and does not require terminating HTTP traffic at the load balancer. Which Azure service should the company use?

A.Azure Traffic Manager
B.Azure Application Gateway
C.Azure Front Door
D.Azure Load Balancer
AnswerA

Correct. Azure Traffic Manager is a DNS-based global traffic load balancer that routes end-user traffic to the nearest regional endpoint based on the configured routing method, such as Performance (lowest latency). It does not terminate HTTP traffic and works at the DNS level.

Why this answer

Azure Traffic Manager is a DNS-based traffic load balancer that routes incoming DNS requests to the most appropriate endpoint based on the traffic-routing method selected. The 'Performance' routing method directs users to the region with the lowest network latency, and because it operates at the DNS level, it does not terminate HTTP traffic, meeting all stated requirements.

Exam trap

The trap here is that candidates often confuse Azure Front Door's global Layer 7 capabilities with DNS-level routing, but Front Door terminates HTTP traffic and is not a pure DNS-based solution, making Traffic Manager the correct choice when HTTP termination is not allowed.

How to eliminate wrong answers

Option B is wrong because Azure Application Gateway is a Layer 7 (HTTP/HTTPS) load balancer that terminates HTTP traffic and performs SSL offloading, URL-based routing, and Web Application Firewall (WAF) functions; it does not use DNS-based routing to direct users based on geographic latency. Option C is wrong because Azure Front Door is a global Layer 7 load balancer and content delivery network that terminates HTTP/HTTPS traffic and provides features like SSL termination, WAF, and URL path-based routing; it does not operate purely at the DNS level and would terminate HTTP traffic, which the solution explicitly does not require.

88
MCQmedium

Which Azure storage feature enables you to recover previous versions of blob files that were accidentally deleted or overwritten?

A.Azure Backup for Blob Storage
B.Blob versioning and soft delete
C.Azure Site Recovery for storage
D.Geo-redundant storage (GRS)
AnswerB

Blob versioning preserves previous versions on overwrites; soft delete retains deleted blobs for a configurable retention period.

Why this answer

Blob versioning and soft delete work together to protect blob data. Soft delete retains deleted blobs for a specified retention period, while versioning automatically saves previous versions of blobs when they are overwritten or deleted. This allows you to recover blob files to any previous state, directly addressing the scenario of accidental deletion or overwrite.

Exam trap

The trap here is that candidates often confuse Azure Backup for Blob Storage (a managed backup service) with the native blob versioning and soft delete features, which are the correct tools for recovering from accidental deletion or overwrite at the blob level.

How to eliminate wrong answers

Option A is wrong because Azure Backup for Blob Storage provides a managed backup solution for blobs with policy-based scheduling and long-term retention, but it is not the feature specifically designed for point-in-time recovery of overwritten or deleted blobs; that is the role of blob versioning and soft delete. Option C is wrong because Azure Site Recovery is a disaster recovery service for replicating virtual machines and physical servers to a secondary region, not for recovering individual blob files within a storage account. Option D is wrong because Geo-redundant storage (GRS) provides asynchronous replication of data to a paired region for durability against regional outages, but it does not offer versioning or soft delete capabilities to recover from accidental deletion or overwrite.

89
MCQeasy

A company wants to run a containerized application in Azure without managing the underlying virtual machines. Which Azure service should they use?

A.A) Azure Virtual Machines
B.B) Azure Kubernetes Service (AKS)
C.C) Azure App Service
D.D) Azure Functions
AnswerB

AKS provides a managed Kubernetes cluster, abstracting the underlying VMs and allowing you to focus on container deployment and orchestration.

Why this answer

Azure Kubernetes Service (AKS) is a managed container orchestration service that abstracts the underlying virtual machines, allowing you to deploy, scale, and manage containerized applications without having to manage the host infrastructure. AKS handles provisioning, upgrading, and patching of the cluster nodes, so you only interact with the control plane and your workloads.

Exam trap

The trap here is that candidates often confuse Azure App Service's container support (Web App for Containers) with full container orchestration, but App Service lacks Kubernetes-native features like pod-level networking, persistent volume claims, and advanced scheduling policies that AKS provides.

How to eliminate wrong answers

Option A is wrong because Azure Virtual Machines require you to manage the operating system, patching, and scaling of the VMs, which contradicts the requirement of not managing underlying VMs. Option C is wrong because Azure App Service is a platform-as-a-service (PaaS) for web applications, but it does not natively run arbitrary containerized applications with full orchestration; it supports containers only in limited scenarios (e.g., Web App for Containers) and lacks Kubernetes-level orchestration features. Option D is wrong because Azure Functions is a serverless compute service designed for event-driven, short-lived functions, not for running long-running containerized applications with full container lifecycle management.

90
MCQmedium

A company runs a multi-tier application on Azure virtual machines in a virtual network. The web tier VMs are in a front-end subnet, and the database tier VMs are in a back-end subnet. Currently, outbound internet traffic from the VMs goes directly to the internet without any inspection or logging. The security team needs a centralized service to inspect all outbound traffic from the virtual network, log the destinations, and reject traffic to malicious domains based on threat intelligence feeds. The solution must also allow rules based on fully qualified domain names (FQDNs) instead of only IP addresses. Which Azure service should the security team deploy?

A.Azure Bastion
B.Azure Firewall
C.Network Security Group (NSG)
D.Application Gateway
AnswerB

Azure Firewall is a managed, cloud-based network security service that provides inbound and outbound traffic inspection, supports FQDN-based rules, and can integrate with threat intelligence for malicious domain blocking. This matches all requirements.

Why this answer

Azure Firewall is a managed, cloud-based network security service that provides centralized outbound traffic inspection, logging, and threat intelligence-based filtering. It supports application rules based on fully qualified domain names (FQDNs), allowing the security team to reject traffic to malicious domains without relying solely on IP addresses. This makes it the correct choice for inspecting and controlling outbound traffic from the virtual network.

Exam trap

The trap here is that candidates often confuse Network Security Groups (NSGs) with Azure Firewall, assuming NSGs can perform application-layer filtering and threat intelligence-based blocking, but NSGs operate only at layers 3 and 4 (IP and port) and cannot inspect or log outbound traffic based on FQDNs or threat feeds.

How to eliminate wrong answers

Option A is wrong because Azure Bastion is a fully managed service that provides secure and seamless RDP/SSH connectivity to virtual machines directly in the Azure portal over TLS, without exposing public IP addresses; it does not inspect or filter outbound traffic or support FQDN-based rules. Option C is wrong because Network Security Groups (NSGs) filter traffic based on source/destination IP addresses, ports, and protocols, but they cannot inspect traffic, log destinations, or use threat intelligence feeds to reject traffic to malicious domains, nor do they support rules based on FQDNs.

91
MCQeasy

A company deploys a web application on Azure Virtual Machines across multiple availability zones within a single region. They need to distribute incoming network traffic across these VM instances to ensure high availability. Which Azure service should they use?

A.Azure Load Balancer
B.Azure Application Gateway
C.Azure Traffic Manager
D.Azure Front Door
AnswerA

Correct. Azure Load Balancer distributes inbound traffic at the transport layer (TCP/UDP) to healthy VM instances, supporting availability zones within a region.

Why this answer

Azure Load Balancer is the correct choice because it operates at Layer 4 (TCP/UDP) and distributes incoming traffic across healthy virtual machines within a single region, including across availability zones. It provides high availability by automatically routing traffic only to healthy VM instances based on health probes, and it supports both public and internal load balancing scenarios.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4, regional) with Azure Traffic Manager (DNS-based, global) or Azure Application Gateway (Layer 7, web-specific), failing to recognize that the requirement is for distributing traffic across VMs within a single region across availability zones.

How to eliminate wrong answers

Option B (Azure Application Gateway) is wrong because it is a Layer 7 (HTTP/HTTPS) web traffic load balancer with features like SSL termination, URL path-based routing, and Web Application Firewall (WAF), which are unnecessary for basic network-level traffic distribution across VMs. Option C (Azure Traffic Manager) is wrong because it is a DNS-based traffic router that directs traffic at the global/regional level across different Azure regions, not within a single region or across availability zones; it does not distribute traffic directly to VM instances.

92
MCQmedium

A company deploys virtual machines in Azure. They want to ensure that the VMs are distributed across multiple fault domains and update domains within an Azure datacenter to protect against hardware failures and maintenance. Which Azure construct should they use?

A.A) Availability Set
B.B) Availability Zone
C.C) Region Pair
D.D) Resource Group
AnswerA

Availability sets provide fault and update domains to protect against hardware failures and planned maintenance within a datacenter.

Why this answer

An Availability Set is the correct Azure construct because it logically groups VMs to protect against both hardware failures (via fault domains) and planned maintenance (via update domains) within a single Azure datacenter. Fault domains distribute VMs across separate racks with independent power, cooling, and network, while update domains ensure VMs in different groups are not rebooted simultaneously during Azure host updates. This directly matches the requirement to isolate VMs across multiple fault and update domains within a datacenter.

Exam trap

The trap here is that candidates confuse Availability Zones (which span multiple datacenters) with Availability Sets (which operate within a single datacenter), leading them to choose the wrong construct for intra-datacenter fault and update domain protection.

How to eliminate wrong answers

Option B (Availability Zone) is wrong because it distributes VMs across physically separate datacenters within a region, not across fault and update domains within a single datacenter; it provides higher resilience but does not manage update domain sequencing. Option C (Region Pair) is wrong because it pairs two Azure regions for disaster recovery and geo-replication, not for intra-datacenter fault and update domain distribution; it operates at the region level, not within a single datacenter.

93
MCQmedium

Which Azure service provides a fully managed, serverless data warehouse for enterprise analytics with massive parallel processing?

A.Azure SQL Database
B.Azure Synapse Analytics
C.Azure Cosmos DB
D.Azure HDInsight
AnswerB

Synapse Analytics provides massively parallel processing data warehousing combined with big data analytics for enterprise BI.

Why this answer

Azure Synapse Analytics (formerly SQL Data Warehouse) is the correct answer because it is a fully managed, serverless data warehouse that uses massive parallel processing (MPP) to run complex queries across large datasets. It separates compute from storage, allowing you to scale compute resources independently and pause them when not in use, which is ideal for enterprise analytics workloads.

Exam trap

The trap here is that candidates confuse Azure SQL Database (a transactional OLTP service) with a data warehouse, overlooking that Synapse Analytics is the dedicated MPP-based solution for enterprise analytics.

How to eliminate wrong answers

Option A is wrong because Azure SQL Database is a relational database-as-a-service (DBaaS) designed for OLTP workloads, not a data warehouse with MPP architecture. Option C is wrong because Azure Cosmos DB is a NoSQL database for globally distributed, low-latency applications, not a data warehouse for analytics. Option D is wrong because Azure HDInsight is a managed Apache Hadoop/Spark service for big data processing, not a serverless data warehouse with built-in MPP for enterprise analytics.

94
MCQmedium

Which Azure service provides a low-code platform for building business applications and automating workflows?

A.Azure Logic Apps
B.Azure Functions
C.Microsoft Power Platform
D.Azure App Service
AnswerC

Power Platform provides low-code tools (Power Apps, Power Automate) for building business apps and automating workflows.

Why this answer

Microsoft Power Platform is the correct answer because it is explicitly designed as a low-code platform for building business applications and automating workflows. It includes Power Apps for app creation, Power Automate for workflow automation, and Power BI for analytics, all with minimal hand-coding required.

Exam trap

The trap here is that candidates often confuse Azure Logic Apps (a workflow automation service) with Power Automate (the low-code workflow tool within Power Platform), but Logic Apps is an Azure service requiring more technical configuration, while Power Platform is the overarching low-code suite for business applications.

How to eliminate wrong answers

Option A is wrong because Azure Logic Apps is a cloud-based service for automating workflows and integrating apps, but it is not a low-code platform; it uses a designer and connectors, yet it is part of Azure's integration services, not the dedicated low-code Power Platform. Option B is wrong because Azure Functions is a serverless compute service for running event-driven code, requiring developers to write code in languages like C# or Python, and is not a low-code platform. Option D is wrong because Azure App Service is a fully managed platform for hosting web apps, REST APIs, and mobile backends, but it requires custom code development and is not a low-code solution for building business applications.

95
MCQmedium

A company wants to host a web application that automatically scales based on traffic. Which Azure service is most appropriate for hosting this application without managing virtual machines?

A.Azure Virtual Machines
B.Azure App Service
C.Azure Batch
D.Azure Container Instances
AnswerB

App Service is PaaS for web apps — supports auto-scaling without managing VMs or OS.

Why this answer

Azure App Service is a fully managed platform-as-a-service (PaaS) offering that automatically scales web applications based on traffic without requiring you to manage the underlying virtual machines. It supports built-in autoscaling rules, load balancing, and high availability, making it ideal for hosting web apps with variable demand.

Exam trap

The trap here is that candidates often confuse Azure App Service with Azure Virtual Machines, thinking that any scalable web app requires IaaS control, or they mistakenly choose Azure Container Instances because of its 'serverless' label, overlooking its lack of built-in autoscaling for web traffic.

How to eliminate wrong answers

Option A is wrong because Azure Virtual Machines are infrastructure-as-a-service (IaaS) resources that require manual management of the OS, scaling, and patching, contradicting the requirement to avoid managing VMs. Option C is wrong because Azure Batch is designed for large-scale parallel and high-performance computing (HPC) workloads, not for hosting web applications with autoscaling based on HTTP traffic. Option D is wrong because Azure Container Instances (ACI) provide serverless containers but lack built-in autoscaling for web traffic; scaling requires manual intervention or integration with additional services like Azure Container Apps or Kubernetes.

96
MCQmedium

Which Azure service provides enterprise-grade data integration and ETL/ELT pipelines for moving data between on-premises and cloud data stores?

A.Azure Stream Analytics
B.Azure Data Factory
C.Azure Databricks
D.Azure HDInsight
AnswerB

Data Factory is the dedicated ETL/ELT service for orchestrating data movement and transformation between 90+ data sources.

Why this answer

Azure Data Factory (ADF) is the correct answer because it is a cloud-based ETL/ELT service specifically designed for orchestrating and automating data movement and transformation between on-premises and cloud data stores. It provides over 90 built-in connectors, supports hybrid data integration via self-hosted integration runtimes, and enables code-free pipeline creation for complex data workflows.

Exam trap

The trap here is confusing Azure Data Factory with Azure Databricks or HDInsight, as candidates often associate 'data integration' with big data processing platforms rather than the dedicated orchestration service that handles connectivity, scheduling, and monitoring across heterogeneous sources.

How to eliminate wrong answers

Option A is wrong because Azure Stream Analytics is a real-time event processing engine for analyzing streaming data from sources like IoT devices or logs, not a batch-oriented ETL/ELT service for moving data between on-premises and cloud stores. Option C is wrong because Azure Databricks is an Apache Spark-based analytics platform focused on big data processing, machine learning, and collaborative notebooks, not a dedicated data integration or pipeline orchestration service. Option D is wrong because Azure HDInsight is a managed Hadoop/Spark cluster service for running big data workloads like batch processing or interactive queries, not a tool for building and managing ETL/ELT pipelines across hybrid environments.

97
MCQmedium

Which Azure service provides a way to deploy and manage Azure services at the edge, close to IoT devices and end users?

A.Azure IoT Hub
B.Azure IoT Edge
C.Azure Stack Edge
D.Azure Arc for IoT
AnswerB

IoT Edge extends Azure workloads (AI models, Stream Analytics, custom code) to run on local edge devices.

Why this answer

Azure IoT Edge is correct because it extends cloud intelligence to edge devices, allowing you to deploy and manage Azure services (like Azure Functions, Stream Analytics, and custom modules) directly on IoT devices or gateways. This enables local data processing and decision-making close to IoT sensors and end users, reducing latency and bandwidth usage.

Exam trap

The trap here is confusing Azure IoT Edge (which runs services on edge devices) with Azure IoT Hub (which is a cloud-based messaging service), leading candidates to pick IoT Hub because they think it 'manages' IoT devices, but it does not deploy or run services at the edge.

How to eliminate wrong answers

Option A is wrong because Azure IoT Hub is a cloud-based message broker that manages bi-directional communication between IoT devices and the cloud, but it does not deploy or run services at the edge. Option C is wrong because Azure Stack Edge is a hardware appliance that brings Azure compute and storage to the edge for data-intensive workloads, but it is designed for scenarios like AI inference or data preprocessing, not specifically for deploying and managing Azure services on IoT devices. Option D is wrong because Azure Arc for IoT is not a real service; Azure Arc enables management of on-premises and multi-cloud resources, but there is no specific 'Azure Arc for IoT' offering.

98
MCQmedium

A company is developing a REST API that processes incoming HTTP requests. The API usage is highly unpredictable; sometimes it receives thousands of requests per minute, and at other times it receives zero requests for hours. The company wants to pay only for the compute time consumed when the API code is actually executing. They also want Microsoft to automatically handle scaling and maintenance of the underlying server infrastructure. Which Azure compute service should the company use?

A.Azure Functions (Consumption plan)
B.Azure App Service (Basic tier)
C.Azure Container Instances
D.Azure Logic Apps
AnswerA

Correct. Azure Functions Consumption plan is a serverless, event-driven compute service. It automatically scales based on incoming HTTP requests and bills only for the time the function code executes. When there are no requests, there is no cost.

Why this answer

Azure Functions with the Consumption plan is the correct choice because it is a serverless compute service that executes code only when triggered by incoming HTTP requests, automatically scaling to handle unpredictable workloads. The Consumption plan charges only for the compute time consumed during execution, with no cost when the function is idle, and Microsoft fully manages the underlying infrastructure, including scaling and maintenance.

Exam trap

The trap here is that candidates often confuse Azure Functions with Azure App Service or Container Instances, assuming any 'serverless' or 'pay-per-use' label applies, but fail to recognize that only the Consumption plan of Azure Functions provides true zero-cost idle time and automatic scaling without manual configuration.

How to eliminate wrong answers

Option B is wrong because Azure App Service (Basic tier) runs on dedicated VMs that incur cost even when idle, does not provide true serverless scaling, and requires manual management of scaling and infrastructure. Option C is wrong because Azure Container Instances charges for the entire container lifetime (from start to stop), not just execution time, and requires the user to manage container orchestration and scaling, though it does handle some infrastructure.

99
MCQmedium

Which Azure service helps migrate on-premises VMware, Hyper-V VMs, and physical servers to Azure?

A.Azure Site Recovery
B.Azure Data Box
C.Azure Migrate
D.Azure Database Migration Service
AnswerC

Azure Migrate discovers, assesses, and migrates on-premises VMware, Hyper-V, and physical servers to Azure.

Why this answer

Azure Migrate is the correct service because it provides a unified platform for assessing and migrating on-premises workloads to Azure, including VMware VMs, Hyper-V VMs, and physical servers. It integrates with Azure Site Recovery for the actual replication and with Azure Database Migration Service for database migrations, but the core discovery, assessment, and migration orchestration for these server types is the primary function of Azure Migrate.

Exam trap

The trap here is that candidates confuse Azure Site Recovery (a disaster recovery tool) with Azure Migrate (a migration tool), because both involve moving workloads to Azure, but Azure Site Recovery is for replication and failover, not for initial assessment and migration of on-premises servers.

How to eliminate wrong answers

Option A is wrong because Azure Site Recovery is a disaster recovery and business continuity service that replicates workloads for failover, not a migration tool for initial assessment and migration of on-premises servers. Option B is wrong because Azure Data Box is a physical data transfer appliance for moving large volumes of data (e.g., terabytes to petabytes) over a network or by shipping, not for live migration of VMs or servers. Option D is wrong because Azure Database Migration Service is specifically designed for migrating databases (e.g., SQL Server, Oracle, MySQL) to Azure data platforms, not for migrating entire VMs or physical servers.

100
MCQmedium

A company deploys a multi-tier application using Azure virtual machines. The web tier VMs must be evenly distributed across two distinct data centers within an Azure region to avoid a single point of failure from an infrastructure outage. Which Azure construct should they use to meet this requirement?

A.Availability set
B.Availability zone
C.Proximity placement group
D.Azure Load Balancer
AnswerB

Availability zones are physically separate data centers within an Azure region. Deploying VMs across zones protects against an entire data center failure. This matches the requirement of using distinct data centers.

Why this answer

Availability zones are physically separate data centers within an Azure region, each with independent power, cooling, and networking. By deploying the web tier VMs across two distinct zones, the application avoids a single point of failure from an infrastructure outage at the data center level, meeting the requirement for high availability across distinct data centers.

Exam trap

The trap here is that candidates confuse availability sets (which protect against rack-level failures within a single data center) with availability zones (which protect against full data center outages), and they overlook the key phrase 'distinct data centers within an Azure region' that explicitly points to zones.

How to eliminate wrong answers

Option A is wrong because an availability set distributes VMs across multiple fault domains (racks) within a single Azure data center, not across distinct data centers, so it cannot protect against a full data center outage. Option C is wrong because a proximity placement group is designed to reduce network latency by keeping VMs physically close together, often within the same data center, which is the opposite of the requirement to distribute across distinct data centers.

101
MCQmedium

Which Azure service provides fully managed, distributed in-memory caching for data like session state and frequently accessed database queries?

A.Azure Storage Table
B.Azure Cache for Redis
C.Azure SQL Database In-Memory OLTP
D.Azure CDN edge caching
AnswerB

Azure Cache for Redis provides managed in-memory distributed caching for session state and frequently accessed data.

Why this answer

Azure Cache for Redis is a fully managed, distributed in-memory caching service based on the open-source Redis engine. It is specifically designed to store session state and cache frequently accessed database queries, providing low-latency data access by keeping data in memory rather than on disk.

Exam trap

The trap here is that candidates confuse Azure Cache for Redis with Azure SQL Database In-Memory OLTP, because both involve in-memory data, but In-Memory OLTP is a database engine feature for accelerating OLTP workloads, not a distributed caching service for session state or query results.

How to eliminate wrong answers

Option A is wrong because Azure Storage Table is a NoSQL key-value store for structured, non-relational data, not an in-memory caching service; it stores data on disk and is not optimized for sub-millisecond caching of session state or query results. Option C is wrong because Azure SQL Database In-Memory OLTP is a feature that accelerates transaction processing within a relational database by keeping tables or stored procedures in memory, but it is not a standalone distributed caching service for session state or external query caching. Option D is wrong because Azure CDN edge caching caches static content (e.g., images, videos) at edge locations to reduce latency for content delivery, not for dynamic data like session state or database query results.

102
MCQeasy

What is Azure Resource Manager (ARM) template used for?

A.To monitor the health of Azure resources
B.To define and deploy Azure infrastructure as code in a repeatable, consistent way
C.To create user accounts in Azure Active Directory
D.To generate cost reports for Azure spending
AnswerB

ARM templates (and Bicep) are Infrastructure as Code files that define Azure resources for consistent, repeatable deployments.

Why this answer

Azure Resource Manager (ARM) templates are JSON or Bicep files that define the infrastructure and configuration for Azure resources in a declarative manner. They enable Infrastructure as Code (IaC), allowing you to deploy, update, and manage resources consistently across environments without manual steps, ensuring repeatability and idempotency.

Exam trap

The trap here is that candidates confuse ARM templates with monitoring or management tools, mistakenly thinking they handle operational tasks like health checks or cost tracking, when in fact ARM templates are strictly for declarative infrastructure deployment and configuration.

How to eliminate wrong answers

Option A is wrong because monitoring the health of Azure resources is the function of Azure Monitor, not ARM templates; ARM templates are for deployment, not runtime monitoring. Option C is wrong because creating user accounts in Azure Active Directory is done via the Azure AD portal, Microsoft Graph API, or PowerShell, not ARM templates, which focus on Azure resource provisioning. Option D is wrong because generating cost reports for Azure spending is handled by Azure Cost Management + Billing, not ARM templates; ARM templates define resources, not financial analytics.

103
MCQeasy

Which Azure region feature provides fault tolerance by isolating failures within a single region? It consists of physically separate datacenters with independent power, cooling, and networking.

A.Availability Sets
B.Availability Zones
C.Region Pairs
D.Fault Domains
AnswerB

Availability Zones are distinct physical locations within a region that are isolated from failures in other zones. They protect an entire datacenter failure.

Why this answer

B is correct because Availability Zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. This isolation ensures that if one zone fails, the others remain operational, providing fault tolerance within the same region. Availability Zones protect applications from datacenter-level failures, not just server or rack failures.

Exam trap

The trap here is that candidates confuse Availability Zones (datacenter-level isolation within a region) with Availability Sets (rack-level isolation within a single datacenter), leading them to pick Option A when the question explicitly describes physically separate datacenters with independent infrastructure.

How to eliminate wrong answers

Option A is wrong because Availability Sets are a logical grouping of VMs within a single datacenter to protect against rack-level failures (via fault domains) and planned maintenance (via update domains), not against entire datacenter failures. Option C is wrong because Region Pairs provide disaster recovery across two different Azure regions (e.g., East US and West US), not fault tolerance within a single region. Option D is wrong because Fault Domains are a component of Availability Sets that distribute VMs across different racks within a single datacenter, but they do not span physically separate datacenters with independent power and cooling.

104
MCQeasy

A company wants to deploy a virtual machine in Azure and needs to ensure that the VM is placed in a location that provides the lowest network latency to its users in Europe. Which Azure construct should they consider to meet this requirement?

A.Azure region
B.Azure availability zone
C.Azure resource group
D.Azure management group
AnswerA

Choosing a region in Europe (e.g., West Europe) ensures proximity to users and low latency.

Why this answer

Azure regions are geographically discrete data center groupings that provide low-latency connectivity to users within that region. By deploying the VM in a Europe-based region (e.g., West Europe or North Europe), the company ensures the shortest physical distance and network path to its European users, minimizing latency. Availability zones, resource groups, and management groups do not influence geographic placement or network latency.

Exam trap

The trap here is that candidates confuse availability zones (which offer redundancy within a region) with regions (which determine geographic proximity and latency), leading them to select availability zones as a latency solution.

How to eliminate wrong answers

Option B is wrong because Azure availability zones are physically separate data centers within a single Azure region, designed for high availability and fault tolerance, not for reducing latency to users in a specific geographic area. Option C is wrong because an Azure resource group is a logical container for managing and organizing Azure resources, with no impact on network latency or geographic placement. Option D is wrong because an Azure management group is a hierarchical governance container for managing access, policies, and compliance across multiple subscriptions, and does not affect the physical location or latency of deployed resources.

105
MCQmedium

A company is migrating a legacy on-premises application to Azure. The application runs on multiple Windows Server virtual machines and requires a shared file system that multiple servers can mount simultaneously using the SMB protocol. The data must also be accessible from on-premises servers in a hybrid configuration. The IT team wants to minimize management overhead and avoid provisioning additional servers solely for file sharing. Which Azure service should they use?

A.Azure Blob Storage
B.Azure Files
C.Azure Disk Storage
D.Azure NetApp Files
AnswerB

Azure Files offers fully managed file shares accessible via the SMB protocol. Multiple VMs can mount the same file share concurrently, and Azure File Sync enables hybrid access by caching files on on-premises servers. This service meets all the requirements while minimizing operational overhead.

Why this answer

Azure Files provides fully managed SMB file shares that can be mounted simultaneously by multiple Windows Server VMs, both in Azure and on-premises, without needing to provision or manage a dedicated file server. It supports the SMB 3.0 protocol required for hybrid access and offers low management overhead through a serverless, PaaS-based file share service.

Exam trap

The trap here is that candidates often confuse Azure Blob Storage (object storage) with a file share service, overlooking that Blob Storage does not support SMB protocol or simultaneous multi-VM mounting, while Azure Files is the only option that provides a fully managed, SMB-based file share accessible from both Azure and on-premises.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage is an object storage service designed for unstructured data (e.g., images, backups, logs) and does not support the SMB protocol or simultaneous mounting as a shared file system by multiple VMs. Option C is wrong because Azure Disk Storage provides block-level storage volumes attached to a single VM (via iSCSI or as a managed disk) and cannot be simultaneously mounted by multiple servers; it also requires provisioning and managing a separate file server to share the disk over SMB.

106
MCQmedium

Which Azure service provides distributed, low-latency access to large files (like game assets or software packages) for global users?

A.Azure Blob Storage alone
B.Azure CDN with Blob Storage origin
C.Azure Front Door
D.Azure Files
AnswerB

Azure CDN caches Blob Storage content at global edge locations, providing low-latency access to large files for users worldwide.

Why this answer

Azure CDN (Content Delivery Network) with a Blob Storage origin is the correct choice because it caches large files like game assets or software packages at edge nodes distributed globally, providing low-latency access to users. Blob Storage alone offers scalable storage but lacks the distributed caching and geographic proximity that CDN provides, which is essential for reducing latency for global users.

Exam trap

The trap here is that candidates confuse Azure CDN with Azure Front Door, assuming both are interchangeable for static content delivery, but Front Door is designed for global load balancing and application acceleration with HTTP routing, while CDN is purpose-built for caching and distributing large static files at the edge.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage alone provides scalable object storage but does not include a global caching layer or edge distribution, so users would retrieve files directly from the storage endpoint, resulting in higher latency for remote locations. Option C is wrong because Azure Front Door is a global load balancer and application delivery controller optimized for HTTP(S) traffic with advanced routing and WAF capabilities, not specifically designed for caching and distributing large static files like game assets; it can cache but is overkill and less efficient for this use case compared to CDN. Option D is wrong because Azure Files provides fully managed file shares using SMB and NFS protocols, intended for shared file access in enterprise scenarios, not for high-throughput, low-latency distribution of large static assets to global users.

107
MCQeasy

A developer wants to host a static website with HTML, CSS, and JavaScript files. Which Azure service is the MOST cost-effective option?

A.Azure App Service
B.Azure Blob Storage static website hosting
C.Azure Virtual Machines
D.Azure Kubernetes Service
AnswerB

Blob Storage's static website feature serves static content at minimal cost — just storage and bandwidth, no compute charges.

Why this answer

Azure Blob Storage static website hosting is the most cost-effective option because it allows you to serve static content (HTML, CSS, JavaScript) directly from a storage container at a fraction of the cost of compute-based services. There is no need to provision or pay for virtual machines, app service plans, or orchestration layers, as the content is served via HTTP from Azure's highly durable and low-cost blob storage infrastructure.

Exam trap

The trap here is that candidates often assume Azure App Service is the default choice for any website, overlooking that static content does not require a runtime environment, making blob storage the far more economical and architecturally appropriate option.

How to eliminate wrong answers

Option A is wrong because Azure App Service is a fully managed platform for hosting web applications, APIs, and mobile backends, which incurs costs for the underlying App Service Plan (compute resources) even for static content, making it more expensive than blob storage. Option C is wrong because Azure Virtual Machines require provisioning, managing, and paying for VM instances, operating system licenses, and ongoing maintenance, which is overkill and cost-inefficient for a simple static website. Option D is wrong because Azure Kubernetes Service (AKS) is designed for orchestrating containerized applications and requires a cluster of VMs, networking, and management overhead, making it the most expensive and complex option for static content hosting.

108
MCQhard

An application needs to store session state that can be accessed by multiple web server instances. The state must be retrieved in under 1 millisecond. Which Azure service BEST meets this requirement?

A.Azure SQL Database
B.Azure Blob Storage
C.Azure Cache for Redis
D.Azure Table Storage
AnswerC

Azure Cache for Redis is an in-memory data store providing sub-millisecond latency — ideal for distributed session state.

Why this answer

Azure Cache for Redis is an in-memory data store that provides extremely low-latency (sub-millisecond) read and write operations, making it ideal for storing session state that must be accessed quickly by multiple web server instances. Unlike disk-based storage services, Redis keeps data in RAM, ensuring consistent retrieval times under 1 millisecond even under load.

Exam trap

The trap here is that candidates often choose Azure SQL Database or Azure Table Storage because they associate 'state storage' with databases, overlooking the explicit sub-millisecond latency requirement that only an in-memory cache like Redis can satisfy.

How to eliminate wrong answers

Option A is wrong because Azure SQL Database is a relational database that stores data on disk, with typical read latencies in the range of 5–50 milliseconds due to disk I/O and query processing overhead, far exceeding the 1 ms requirement. Option B is wrong because Azure Blob Storage is an object store designed for large, unstructured data with latencies typically in the 10–100 ms range, and it lacks the sub-millisecond access needed for session state. Option D is wrong because Azure Table Storage is a NoSQL key-value store that also uses disk-based storage, with average read latencies of 10–20 milliseconds, making it too slow for the required retrieval time.

109
Matchingmedium

Match each Azure security service to its role.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Unified security management and threat protection

Cloud-native SIEM and SOAR

Manage secrets, keys, and certificates

Protect against distributed denial-of-service attacks

Managed network firewall service

Why these pairings

These services form a comprehensive security posture for Azure.

110
MCQmedium

Which Azure storage redundancy option replicates data synchronously across three availability zones within a single region?

A.Locally Redundant Storage (LRS)
B.Zone-Redundant Storage (ZRS)
C.Geo-Redundant Storage (GRS)
D.Geo-Zone-Redundant Storage (GZRS)
AnswerB

ZRS replicates data synchronously across three availability zones in one region.

Why this answer

Zone-Redundant Storage (ZRS) is the correct answer because it synchronously replicates data across three Azure availability zones within a single region, ensuring high durability and availability even if an entire zone fails. This meets the exact requirement of the question: synchronous replication across multiple zones in one region.

Exam trap

The trap here is that candidates often confuse ZRS with LRS, thinking LRS provides zone-level redundancy, but LRS only replicates within a single datacenter and does not protect against zone failures.

How to eliminate wrong answers

Option A is wrong because Locally Redundant Storage (LRS) replicates data synchronously within a single datacenter, not across availability zones. Option C is wrong because Geo-Redundant Storage (GRS) replicates data asynchronously to a paired secondary region, not across zones within a single region. Option D is wrong because Geo-Zone-Redundant Storage (GZRS) combines zone-redundant storage in the primary region with asynchronous geo-replication to a secondary region, which includes cross-region replication not specified in the question.

111
MCQmedium

Which Azure service provides a set of APIs and tools for building real-time communication features into applications, such as voice and video calling?

A.Azure Media Services
B.Azure Communication Services
C.Azure Event Grid
D.Azure Bot Service
AnswerB

Communication Services provides APIs for voice/video calling, SMS, email, and chat for custom applications.

Why this answer

Azure Communication Services is the correct answer because it provides a set of REST APIs and client SDKs specifically designed to integrate real-time communication features—such as voice, video, and chat—into custom applications. Unlike other Azure services, it offers managed WebRTC-based media streaming and PSTN telephony capabilities, making it the dedicated solution for embedding communication experiences.

Exam trap

The trap here is that candidates often confuse Azure Communication Services with Azure Media Services, assuming both handle video, but Media Services is for one-way streaming (e.g., on-demand or live events) while Communication Services is for two-way interactive communication.

How to eliminate wrong answers

Option A is wrong because Azure Media Services is focused on encoding, streaming, and protecting video-on-demand and live broadcast content, not on enabling real-time two-way voice or video calling. Option C is wrong because Azure Event Grid is a pub-sub event routing service that delivers notifications about resource state changes, not a platform for building real-time communication channels. Option D is wrong because Azure Bot Service provides tools for building conversational AI chatbots, but it does not include APIs for voice/video calling; it relies on channels like Web Chat or Teams, not direct media streaming.

112
MCQmedium

A company plans to use an infrastructure-as-code approach to deploy its Azure resources. The company wants to define all resources (virtual networks, virtual machines, storage accounts) in a declarative JSON file. This file must ensure that resources are created in the correct order, handle dependencies automatically, and allow the same configuration to be deployed to multiple environments (dev, test, production) with parameterized values. The solution should be a native Azure feature. Which Azure feature should the company use?

A.Azure Policy
B.Azure Resource Manager (ARM) templates
C.Azure Blueprints
D.Azure Automation State Configuration
AnswerB

ARM templates are declarative JSON files that define Azure resources and their dependencies. They handle creation order automatically, support parameters for multi-environment reuse, and are the native infrastructure-as-code tool for Azure. This matches all requirements in the scenario.

Why this answer

Azure Resource Manager (ARM) templates are the native Azure feature for infrastructure-as-code using a declarative JSON format. They define resources, handle dependencies automatically via the 'dependsOn' element, and support parameterization for deploying the same template to multiple environments (dev, test, production) by passing different parameter files. This directly matches the scenario's requirements for declarative JSON, dependency management, and multi-environment deployment.

Exam trap

The trap here is that candidates confuse Azure Blueprints (which bundles multiple ARM templates and policies) with the core declarative JSON file itself, but the question specifically asks for the feature that defines resources in a declarative JSON file and handles dependencies—which is the ARM template, not the Blueprint wrapper.

How to eliminate wrong answers

Option A is wrong because Azure Policy is a governance tool used to enforce rules and compliance across resources (e.g., restricting VM SKUs or requiring tags), not a deployment mechanism for defining and provisioning infrastructure in a declarative JSON file. Option C is wrong because Azure Blueprints is a higher-level orchestration service that packages ARM templates, policies, and role assignments into a repeatable environment blueprint, but the core declarative JSON file that defines resources and handles dependencies is the ARM template itself, not Blueprints.

113
MCQeasy

Which Azure service provides a content delivery network (CDN) that caches static content at edge locations worldwide to reduce latency for users?

A.Azure Front Door
B.Azure CDN
C.Azure Traffic Manager
D.Azure Application Gateway
AnswerB

Azure CDN is the dedicated content delivery network service that caches static content at global edge locations.

Why this answer

Azure CDN is the correct answer because it is specifically designed as a content delivery network that caches static content (such as images, CSS, JavaScript files) at edge locations worldwide. By distributing cached copies closer to users, it reduces latency and offloads origin server traffic. Azure Front Door also uses edge caching but is primarily a global load balancer and application delivery controller, not a dedicated CDN service.

Exam trap

The trap here is that candidates confuse Azure Front Door with Azure CDN because both offer edge caching and global presence, but Front Door is primarily a global load balancer with advanced routing and WAF capabilities, while Azure CDN is the dedicated service for static content caching and delivery.

How to eliminate wrong answers

Option A is wrong because Azure Front Door is a global load balancer and application delivery controller that provides HTTP/HTTPS load balancing, SSL offload, and path-based routing, but its primary function is not a dedicated CDN for static content caching; while it does offer some caching capabilities, it is not the core service for a traditional CDN. Option C is wrong because Azure Traffic Manager is a DNS-based traffic load balancer that routes incoming traffic to healthy endpoints based on routing methods (e.g., performance, geographic, priority), but it does not cache content at edge locations. Option D is wrong because Azure Application Gateway is a regional Layer 7 load balancer that provides features like URL-based routing, SSL termination, and Web Application Firewall (WAF), but it operates within a single region and does not cache content at global edge locations.

114
MCQmedium

Which Azure compute service runs identical VM instances in multiple Availability Zones with automatic load balancing?

A.Azure Availability Sets
B.Azure Virtual Machine Scale Sets across Availability Zones
C.Azure Dedicated Host
D.Azure Batch
AnswerB

VMSS deployed across AZs provides zone-redundant auto-scaling VM groups with cross-zone load balancing.

Why this answer

Azure Virtual Machine Scale Sets (VMSS) can be configured to span multiple Availability Zones, automatically distributing VM instances across those zones for high availability. When combined with an Azure Load Balancer or Application Gateway, the scale set provides automatic load balancing of incoming traffic across all instances, meeting the requirement exactly.

Exam trap

The trap here is that candidates often confuse Availability Sets (which only protect within a single datacenter) with Availability Zones (which protect across datacenters), leading them to select Option A even though it lacks both multi-zone distribution and automatic load balancing.

How to eliminate wrong answers

Option A is wrong because Azure Availability Sets only protect against failures within a single datacenter by distributing VMs across fault domains and update domains, not across multiple Availability Zones, and they do not provide automatic load balancing. Option C is wrong because Azure Dedicated Host is a single physical server dedicated to your VMs, offering no multi-zone distribution or built-in load balancing. Option D is wrong because Azure Batch is a job scheduling and compute orchestration service for parallel workloads, not a service that runs identical VM instances with automatic load balancing across zones.

115
MCQmedium

A manufacturing company is building a web-based dashboard to display real-time production metrics from sensors. The development team wants to deploy the application without managing the underlying infrastructure, including the web server and operating system. The application uses ASP.NET Core. Which Azure service should they use?

A.Azure Functions
B.Azure App Service
C.Azure Kubernetes Service (AKS)
D.Azure Virtual Machines
AnswerB

Azure App Service is a fully managed PaaS service that runs web applications, REST APIs, and mobile backends. It supports ASP.NET Core out of the box, handles patching of the OS and web server, and provides built-in scaling and load balancing, meeting the requirement of not managing infrastructure.

Why this answer

Azure App Service is the correct choice because it provides a fully managed platform for hosting web applications, including ASP.NET Core, without requiring the user to manage the underlying web server or operating system. It supports continuous deployment, auto-scaling, and built-in load balancing, making it ideal for a real-time dashboard that needs high availability and minimal operational overhead.

Exam trap

The trap here is that candidates often confuse Azure Functions with a general-purpose web host, but Functions is optimized for stateless, event-driven triggers and lacks the persistent HTTP session and WebSocket support needed for a real-time dashboard.

How to eliminate wrong answers

Option A is wrong because Azure Functions is a serverless compute service designed for event-driven, short-lived tasks (e.g., processing sensor data), not for hosting a persistent web-based dashboard with real-time updates. Option C is wrong because Azure Kubernetes Service (AKS) is a container orchestration platform that still requires management of the Kubernetes cluster and node infrastructure, contradicting the requirement to avoid managing underlying infrastructure. Option D is wrong because Azure Virtual Machines provide IaaS-level control, requiring the user to manage the OS, web server, and all patches, which directly violates the 'without managing the underlying infrastructure' requirement.

116
MCQmedium

Which Azure service provides code repository hosting with features like pull requests, code review, and branch protection?

A.Azure Artifacts
B.Azure Repos
C.Azure Pipelines
D.Azure Boards
AnswerB

Azure Repos provides Git source control with pull requests, code review, and branch policies.

Why this answer

Azure Repos is the correct answer because it provides Git-based code repository hosting with full support for pull requests, code review workflows, and branch protection policies. These features enable teams to collaborate on code changes, enforce quality gates, and prevent direct pushes to critical branches.

Exam trap

The trap here is that candidates often confuse Azure Repos with Azure Pipelines or Azure Boards because all three are part of Azure DevOps, but only Azure Repos provides the actual code repository hosting with pull request and branch protection features.

How to eliminate wrong answers

Option A is wrong because Azure Artifacts is a package management service for hosting Maven, npm, NuGet, and other package feeds, not a code repository. Option C is wrong because Azure Pipelines is a CI/CD service for building and deploying code, not for hosting repositories or managing code reviews. Option D is wrong because Azure Boards is a work tracking and Agile project management tool with backlogs and boards, not a code repository.

117
MCQeasy

Which Azure database service supports both relational (SQL) and non-relational (NoSQL) data models with multi-master global distribution?

A.Azure SQL Database
B.Azure Database for PostgreSQL Hyperscale
C.Azure Cosmos DB
D.Azure Synapse Analytics
AnswerC

Cosmos DB supports multiple data models (SQL, MongoDB, Cassandra, Graph, Table) with global multi-master distribution.

Why this answer

Azure Cosmos DB is the correct answer because it is a globally distributed, multi-model database service that natively supports both SQL (relational) and NoSQL (non-relational) data models, including document, key-value, graph, and column-family. It offers multi-master replication, enabling writes to be accepted at any region with automatic conflict resolution, which is a unique capability not found in the other listed services.

Exam trap

The trap here is that candidates often confuse Azure SQL Database's elastic scale or Azure Synapse's distributed query capabilities with true multi-model and multi-master support, but only Cosmos DB provides native multi-master writes and support for both relational and non-relational data models.

How to eliminate wrong answers

Option A is wrong because Azure SQL Database is a purely relational database service based on SQL Server engine, it does not support NoSQL data models or multi-master global distribution. Option B is wrong because Azure Database for PostgreSQL Hyperscale is a relational database service that scales out read replicas but does not support NoSQL models or multi-master writes. Option D is wrong because Azure Synapse Analytics is a big data analytics and data warehousing service that uses T-SQL for querying, it is not a multi-model database and does not offer multi-master global distribution.

118
MCQmedium

A company needs to store massive amounts of unstructured data, such as videos and images, that will be accessed over the internet. The data must be highly durable and available. Which Azure service should they use?

A.Azure Blob Storage
B.Azure Files
C.Azure Disk Storage
D.Azure Queue Storage
AnswerA

Blob storage is designed for unstructured data like images and videos with HTTP access.

Why this answer

Azure Blob Storage is designed for storing massive amounts of unstructured data, such as videos and images, and provides high durability (99.9999999999% with LRS) and availability through geo-redundancy options. It is accessible over the internet via HTTP/HTTPS, making it ideal for serving content globally.

Exam trap

The trap here is that candidates often confuse Azure Files (a managed SMB share) with object storage, but Azure Files is not designed for massive unstructured data or direct internet access without additional configuration like Azure File Sync.

How to eliminate wrong answers

Option B is wrong because Azure Files provides fully managed file shares using the SMB protocol, which is optimized for shared file access in hybrid environments, not for storing massive unstructured data like videos and images. Option C is wrong because Azure Disk Storage provides block-level storage volumes for Azure VMs, designed for persistent OS and data disks, not for internet-accessible unstructured data storage.

119
MCQmedium

Which Azure service allows you to create a private network connection between your Azure VNet and your on-premises network using a dedicated circuit, not over the public internet?

A.Azure VPN Gateway
B.Azure ExpressRoute
C.Azure Virtual WAN
D.Azure Bastion
AnswerB

ExpressRoute provides dedicated private circuits between on-premises and Azure, bypassing the public internet for better reliability and security.

Why this answer

Azure ExpressRoute is the correct answer because it provides a dedicated, private connection from your on-premises network to Azure, bypassing the public internet entirely. This is achieved through a direct, private circuit provided by a connectivity partner, offering higher reliability, lower latency, and higher bandwidth than internet-based connections.

Exam trap

The trap here is that candidates often confuse Azure VPN Gateway (which also connects on-premises to Azure) with ExpressRoute, failing to recognize that VPN Gateway uses the public internet while ExpressRoute uses a dedicated private circuit.

How to eliminate wrong answers

Option A is wrong because Azure VPN Gateway creates encrypted tunnels over the public internet using IPsec/IKE protocols, not a dedicated private circuit. Option C is wrong because Azure Virtual WAN is a networking service that aggregates branch connectivity, but it can use VPN or ExpressRoute as underlying transport; it is not itself a dedicated circuit service. Option D is wrong because Azure Bastion is a fully managed PaaS service that provides secure RDP/SSH access to VMs directly from the Azure portal over TLS, without exposing public IPs, and has nothing to do with private on-premises connectivity.

120
MCQmedium

A company stores sensitive customer data in an Azure Blob Storage account. The company's security policy requires that all data traffic between the virtual network (VNet) and the storage account must never traverse the public internet. Additionally, the storage account must remain accessible from an on-premises data center through a Site-to-Site VPN connection. Which Azure feature should the company configure on the storage account?

A.Azure service endpoints
B.Azure Private Link (using a private endpoint)
C.Azure VPN Gateway connection to the storage account
D.Azure route tables
AnswerB

A private endpoint creates a network interface with a private IP address in the VNet. Traffic to the storage account goes over the Microsoft backbone without ever leaving the VNet or touching the public internet. Because the storage account appears inside the VNet, on-premises access via Site-to-Site VPN is naturally possible. This meets both requirements.

Why this answer

Azure Private Link with a private endpoint is correct because it assigns a private IP address from the VNet to the storage account, ensuring all traffic between the VNet and the storage account stays within the Microsoft Azure backbone network and never traverses the public internet. Additionally, the storage account can still be accessed from an on-premises data center via a Site-to-Site VPN connection that terminates in the same VNet, as the private endpoint is reachable over the VPN.

Exam trap

The trap here is that candidates often confuse Azure service endpoints with private endpoints, thinking both provide the same level of isolation, but service endpoints still expose the public endpoint and do not guarantee that traffic from on-premises over a VPN stays off the public internet.

How to eliminate wrong answers

Option A is wrong because Azure service endpoints only provide a direct route from the VNet to the storage account over the Azure backbone, but they do not assign a private IP address to the storage account; the storage account's public endpoint is still used, and traffic from on-premises over a Site-to-Site VPN would still need to traverse the public internet to reach that public endpoint. Option C is wrong because an Azure VPN Gateway connection is used to connect on-premises networks to an Azure VNet, not to connect directly to a storage account; the storage account itself cannot have a VPN Gateway attached. Option D is wrong because Azure route tables control the routing of traffic within a VNet or between subnets, but they do not provide private connectivity to PaaS services like Blob Storage or prevent traffic from traversing the public internet.

121
MCQmedium

A company wants to run a containerized microservices application on Azure. The application requires automatic scaling, service discovery, and rolling updates without manual intervention. They prefer not to manage the underlying virtual machines. Which Azure compute service should they choose?

A.Azure Container Instances
B.Azure Kubernetes Service (AKS)
C.Azure App Service
D.Azure Functions
AnswerB

AKS is a fully managed Kubernetes service that provides orchestration, automatic scaling, service discovery, and rolling updates. It offloads the management of the control plane to Azure.

Why this answer

Azure Kubernetes Service (AKS) is the correct choice because it provides a fully managed Kubernetes orchestration platform that handles automatic scaling (via Horizontal Pod Autoscaler), service discovery (via Kubernetes DNS and Services), and rolling updates (via Deployment strategies) without requiring you to manage the underlying virtual machines. AKS abstracts the control plane and node management, allowing you to focus on deploying and managing containerized microservices.

Exam trap

The trap here is that candidates often confuse Azure Container Instances (ACI) with AKS because both run containers, but ACI lacks orchestration features like automatic scaling, service discovery, and rolling updates, which are essential for multi-container microservices applications.

How to eliminate wrong answers

Option A (Azure Container Instances) is wrong because it is designed for running individual containers on demand without orchestration features like automatic scaling, service discovery, or rolling updates across multiple containers. Option C (Azure App Service) is wrong because it is a platform-as-a-service (PaaS) for web apps, APIs, and mobile backends, not optimized for containerized microservices orchestration; it lacks native Kubernetes-based service discovery and rolling update mechanisms. Option D (Azure Functions) is wrong because it is a serverless compute service for event-driven, short-lived functions, not designed for long-running containerized microservices with orchestration needs.

122
MCQmedium

Which Azure service provides a way to build workflows that integrate apps, data, and services across cloud and on-premises environments?

A.Azure Functions
B.Azure Logic Apps
C.Azure Service Bus
D.Azure Event Grid
AnswerB

Logic Apps provides visual workflow automation with connectors to integrate apps, data, and services.

Why this answer

Azure Logic Apps is the correct answer because it is a cloud-based platform for creating and running automated workflows that integrate apps, data, services, and systems across cloud and on-premises environments. It provides a visual designer and hundreds of prebuilt connectors to orchestrate business processes without writing code, making it ideal for enterprise integration scenarios.

Exam trap

The trap here is that candidates often confuse Azure Logic Apps with Azure Functions because both can automate tasks, but Logic Apps is specifically designed for workflow integration with prebuilt connectors, while Functions is for running custom code snippets in response to events.

How to eliminate wrong answers

Option A is wrong because Azure Functions is a serverless compute service for running event-driven code (functions) in response to triggers, not a workflow integration service; it lacks the built-in connectors and visual designer for orchestrating multi-step integrations. Option C is wrong because Azure Service Bus is a fully managed enterprise message broker for decoupling applications and services via queues and topics, not a workflow engine for building integration workflows. Option D is wrong because Azure Event Grid is a highly scalable event routing service that uses a publish-subscribe model to deliver events from sources to handlers, but it does not provide workflow orchestration or integration logic.

123
MCQmedium

Which Azure identity service provides single sign-on (SSO) and multi-factor authentication (MFA) for cloud and on-premises applications?

A.Azure AD Domain Services
B.Azure Active Directory (Azure AD)
C.Azure Key Vault
D.Azure Information Protection
AnswerB

Azure AD provides SSO, MFA, conditional access, and identity management for cloud and on-premises apps.

Why this answer

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service that provides single sign-on (SSO) and multi-factor authentication (MFA) for both cloud and on-premises applications. It enables users to sign in once and access multiple resources, while MFA adds an extra layer of security by requiring additional verification methods like a phone call or app notification.

Exam trap

The trap here is that candidates confuse Azure AD Domain Services (which sounds similar to Azure AD) as the identity provider for SSO and MFA, but it only provides domain join and LDAP services, not cloud authentication features.

How to eliminate wrong answers

Option A is wrong because Azure AD Domain Services provides managed domain services like group policy and Kerberos authentication, not SSO or MFA. Option C is wrong because Azure Key Vault is a secrets management service for storing cryptographic keys and certificates, not an identity provider for SSO or MFA. Option D is wrong because Azure Information Protection focuses on data classification and protection labels, not user authentication or identity services.

124
MCQmedium

What is the purpose of Azure Load Balancer?

A.To cache web content at edge locations globally
B.To distribute incoming network traffic across multiple backend resources
C.To connect on-premises networks to Azure
D.To manage domain names and DNS routing
AnswerB

Load Balancer distributes TCP/UDP traffic across healthy backend VMs for high availability.

Why this answer

Azure Load Balancer operates at Layer 4 (TCP/UDP) of the OSI model to distribute incoming traffic across healthy backend resources, such as virtual machines or instances in a backend pool. It uses a hash-based distribution algorithm (5-tuple hash for inbound traffic) to ensure high availability and scalability by spreading requests evenly. This directly supports fault tolerance by automatically routing traffic away from unhealthy instances based on health probes.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer with Azure Traffic Manager or Azure Application Gateway, but Load Balancer operates at Layer 4 (TCP/UDP) for regional traffic distribution, not at Layer 7 (HTTP/HTTPS) or for global DNS-based routing.

How to eliminate wrong answers

Option A is wrong because caching web content at edge locations globally is the purpose of Azure Content Delivery Network (CDN) or Azure Front Door, not Load Balancer. Option C is wrong because connecting on-premises networks to Azure is achieved via Azure VPN Gateway or Azure ExpressRoute, which provide site-to-site or dedicated private connectivity. Option D is wrong because managing domain names and DNS routing is the function of Azure DNS or Azure Traffic Manager, which handle name resolution and traffic routing based on DNS policies, not Layer 4 load balancing.

125
MCQeasy

Which Azure service provides NoSQL wide-column database storage compatible with Apache Cassandra?

A.Azure Table Storage
B.Azure Cosmos DB for Apache Cassandra
C.Azure Cache for Redis
D.Azure SQL Database Hyperscale
AnswerB

Cosmos DB for Cassandra provides wide-column NoSQL storage with Cassandra wire protocol and CQL compatibility.

Why this answer

Azure Cosmos DB for Apache Cassandra is the correct choice because it provides a NoSQL wide-column database storage that is fully compatible with the Apache Cassandra Query Language (CQL) and wire protocol. This allows you to run existing Cassandra workloads and tools (like cqlsh and Cassandra drivers) directly on Azure without any code changes, while benefiting from Cosmos DB's global distribution and SLA-backed performance.

Exam trap

The trap here is that candidates confuse Azure Table Storage (a key-value store) with a wide-column database, or assume that any NoSQL service (like Redis) can substitute for Cassandra's specific data model and protocol compatibility.

How to eliminate wrong answers

Option A is wrong because Azure Table Storage is a key-value store, not a wide-column database, and it does not support the Apache Cassandra protocol or CQL. Option C is wrong because Azure Cache for Redis is an in-memory data store (caching and session management) based on the Redis protocol, not a wide-column NoSQL database compatible with Cassandra. Option D is wrong because Azure SQL Database Hyperscale is a relational database service using SQL Server engine, not a NoSQL wide-column store, and it has no compatibility with Apache Cassandra.

126
MCQmedium

A company has two on-premises data centers connected to each other via a high-speed MPLS link. They plan to migrate several critical workloads to Azure. The network team requires a dedicated, private connection from each on-premises site to Azure that does not traverse the public internet. The connection must provide high bandwidth, low latency, and a Service Level Agreement (SLA) for availability. Which Azure service should the network team provision to meet these requirements?

A.Azure VPN Gateway (Site-to-Site)
B.Azure ExpressRoute
C.Azure Virtual WAN
D.Azure Application Gateway
AnswerB

ExpressRoute extends your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. This connection does not traverse the public internet, offering higher security, reliability, and up to 10 Gbps bandwidth with an SLA.

Why this answer

Azure ExpressRoute provides a dedicated, private connection from on-premises data centers to Azure that does not traverse the public internet. It offers high bandwidth, low latency, and a financially backed SLA of 99.95% availability, meeting all the stated requirements for critical workloads.

Exam trap

The trap here is that candidates often confuse Azure Virtual WAN as a direct connectivity solution, when it is actually an orchestration hub that still relies on ExpressRoute or VPN for the underlying private connection.

How to eliminate wrong answers

Option A is wrong because Azure VPN Gateway (Site-to-Site) uses IPSec tunnels over the public internet, which does not meet the requirement for a private connection that avoids the public internet and lacks the same SLA guarantees as ExpressRoute. Option C is wrong because Azure Virtual WAN is a networking orchestration service that can aggregate multiple connection types (including VPN and ExpressRoute), but it is not itself a dedicated private connection; the actual private connectivity still requires ExpressRoute circuits, so Virtual WAN alone does not fulfill the dedicated, private, high-bandwidth, low-latency SLA requirement.

127
MCQmedium

Which Azure service provides a managed Apache Kafka-compatible event streaming service for high-throughput data pipelines?

A.Azure Service Bus
B.Azure Event Hubs
C.Azure Queue Storage
D.Azure Event Grid
AnswerB

Event Hubs is the Azure equivalent of Apache Kafka — a managed, high-throughput event streaming service with Kafka protocol compatibility.

Why this answer

Azure Event Hubs is the correct answer because it provides a fully managed, native Apache Kafka-compatible event streaming platform designed for high-throughput data ingestion and processing. It supports the Kafka protocol (including Kafka Connect and Kafka Streams) without requiring you to run any Kafka clusters, making it ideal for real-time data pipelines and analytics.

Exam trap

The trap here is that candidates confuse Azure Event Hubs with Azure Service Bus because both handle messages, but Event Hubs is optimized for high-throughput event ingestion and Kafka compatibility, while Service Bus is for enterprise messaging with features like sessions and dead-lettering.

How to eliminate wrong answers

Option A is wrong because Azure Service Bus is a message broker for enterprise messaging patterns (e.g., queues and topics with competing consumers), not a Kafka-compatible event streaming service, and it lacks the high-throughput, partitioned log architecture of Event Hubs. Option C is wrong because Azure Queue Storage is a simple, low-cost message queue for decoupling application components, but it does not support the Kafka protocol, event streaming, or high-throughput data pipelines. Option D is wrong because Azure Event Grid is a serverless event routing service that uses a publish-subscribe model for reacting to events (e.g., resource state changes), but it is not designed for high-throughput event streaming and does not offer Kafka protocol compatibility.

128
MCQmedium

A multinational e-commerce company runs its customer-facing web application on Azure virtual machines deployed in two Azure regions: East US and West Europe. The company wants to automatically route user traffic to the nearest regional deployment based on the user's geographic location. Additionally, if one region becomes unavailable, all traffic should automatically be redirected to the remaining healthy region. The company wants a solution that works at the DNS level and does not require terminating HTTPS traffic at the routing layer. Which Azure service should they use?

A.Azure Load Balancer
B.Azure Application Gateway
C.Azure Traffic Manager
D.Azure Front Door
AnswerC

Azure Traffic Manager is a DNS-based traffic routing service that can direct users to the closest or most appropriate regional endpoint based on geographic location, latency, or priority. It automatically detects endpoint health and fails over to healthy endpoints, making it ideal for global load balancing with DNS-level routing and without terminating HTTPS.

Why this answer

Azure Traffic Manager is a DNS-based traffic load balancer that routes incoming DNS requests to the nearest available endpoint based on geographic location (using the Performance traffic-routing method) and automatically fails over to the next healthy region when a region becomes unavailable. It operates at the DNS level, so it does not terminate HTTPS traffic, meeting the requirement to avoid SSL/TLS termination at the routing layer.

Exam trap

The trap here is that candidates often confuse Azure Traffic Manager (DNS-level, global, no SSL termination) with Azure Front Door (global, but terminates SSL at the edge), leading them to pick Front Door because it also supports geographic routing, but they overlook the explicit requirement to avoid HTTPS termination at the routing layer.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer operates at Layer 4 (TCP/UDP) and distributes traffic within a single region, not across regions, and it cannot route based on user geography or perform DNS-level failover. Option B is wrong because Azure Application Gateway is a Layer 7 HTTP/HTTPS load balancer that terminates SSL/TLS traffic and routes based on URL paths, but it is regional (not global) and does not provide DNS-level geographic routing or cross-region failover. Option D is wrong because Azure Front Door is a global Layer 7 load balancer that terminates HTTPS traffic at its edge, which violates the requirement to not terminate HTTPS at the routing layer; it also provides application-layer acceleration and WAF, which are not needed here.

129
MCQmedium

A company runs a latency-sensitive application on Azure virtual machines and needs to connect its on-premises data center to Azure. The connection must offer high reliability, predictable performance, and a service-level agreement (SLA) from the connectivity provider. It must also bypass the public internet for security and performance reasons. Which Azure service should the company use?

A.Azure VPN Gateway
B.Azure ExpressRoute
C.Azure Virtual WAN
D.Azure Application Gateway
AnswerB

Correct. Azure ExpressRoute establishes a private, dedicated connection from on-premises to Azure, bypassing the public internet. It provides higher reliability, lower latency, consistent performance, and a service-level agreement from the connectivity partner, meeting all the stated requirements.

Why this answer

Azure ExpressRoute is the correct choice because it provides a dedicated, private connection from the on-premises data center to Azure that bypasses the public internet entirely. This ensures high reliability, predictable performance (low latency and jitter), and a financially backed SLA of up to 99.95% availability. For latency-sensitive applications, ExpressRoute offers consistent network performance that VPNs over the internet cannot guarantee.

Exam trap

The trap here is that candidates often confuse Azure VPN Gateway with ExpressRoute, assuming a VPN is sufficient for 'private' connectivity, but they overlook the requirement for a provider-backed SLA and bypassing the public internet, which only ExpressRoute fulfills.

How to eliminate wrong answers

Option A is wrong because Azure VPN Gateway uses encrypted tunnels over the public internet, which introduces variable latency, potential packet loss, and does not offer a performance SLA from the connectivity provider. Option C is wrong because Azure Virtual WAN is a networking orchestration service that can aggregate VPN, ExpressRoute, and SD-WAN connections, but it is not a connectivity service itself; it does not provide the dedicated private bypass of the internet required here. Option D is wrong because Azure Application Gateway is a Layer 7 load balancer and web application firewall (WAF) that operates within Azure, not a hybrid connectivity service; it cannot connect an on-premises data center to Azure.

130
MCQmedium

A global company is designing a disaster recovery solution for a critical application. They plan to deploy the application to two Azure regions. The company wants to minimize the risk of both regions failing simultaneously due to a major platform update or a widespread natural disaster. Which Azure feature provides a specific pairing of regions to meet this goal?

A.Availability Zones within a single region
B.Azure region pairs
C.Azure Traffic Manager with geographic routing
D.Azure Site Recovery replication between any two regions of your choice
AnswerB

Azure region pairs are designed to provide protection against simultaneous failures by ensuring sequential updates and physical separation. This is the specific feature that pairs regions for disaster recovery purposes.

Why this answer

Azure region pairs are designed to ensure that two paired regions are updated sequentially during platform maintenance, reducing the risk of simultaneous failure. They are also physically separated by at least 300 miles to minimize the impact of natural disasters. This meets the company's goal of minimizing simultaneous failure risk from both a major platform update and a widespread natural disaster.

Exam trap

The trap here is that candidates often confuse Availability Zones (which protect within a region) with region pairs (which protect across regions), or assume that any two regions can be used for disaster recovery with the same guarantees as official region pairs.

How to eliminate wrong answers

Option A is wrong because Availability Zones are physically separate datacenters within a single Azure region, which does not protect against a region-wide failure from a natural disaster or a major platform update affecting the entire region. Option C is wrong because Azure Traffic Manager with geographic routing distributes traffic based on user geography for latency or compliance, not for disaster recovery isolation between specific paired regions; it does not provide the guaranteed physical separation and sequential update benefit of region pairs. Option D is wrong because Azure Site Recovery can replicate between any two regions of your choice, but not all region pairs are guaranteed to have the same physical distance and sequential update isolation as official Azure region pairs; choosing arbitrary regions may increase the risk of simultaneous failure.

131
MCQmedium

A company wants to ensure that all Azure resources they deploy are created in the Europe West region to comply with data sovereignty requirements. They want to block creation of resources in any other region. Which Azure service should they use?

A.Resource groups
B.Management groups
C.Azure Policy with allowed locations
D.Azure Blueprints
AnswerC

Azure Policy can deny creation of resources outside allowed regions.

Why this answer

Azure Policy with the 'allowed locations' built-in policy definition can enforce that all resources are deployed only in the Europe West region. When assigned to a subscription or resource group scope, this policy denies any resource creation outside the specified regions, directly meeting the data sovereignty requirement.

Exam trap

The trap here is that candidates often confuse Azure Policy with Azure Blueprints, thinking Blueprints directly enforce restrictions, when in fact Blueprints package policies but the enforcement itself comes from Azure Policy.

How to eliminate wrong answers

Option A is wrong because Resource groups are logical containers for resources and do not enforce regional restrictions; they only group resources for management and billing. Option B is wrong because Management groups provide hierarchical governance for subscriptions but do not themselves block resource creation in specific regions; they are used for organizing policy and RBAC inheritance. Option D is wrong because Azure Blueprints is a declarative orchestration tool for deploying repeatable environments (including policies, role assignments, and resource templates), but it is not the service that directly enforces regional restrictions—it relies on Azure Policy definitions within the blueprint to do so.

132
MCQmedium

A company needs to protect their Azure VMs from DDoS attacks at the network layer. Which Azure service provides this protection?

A.Azure Firewall
B.Azure DDoS Protection Standard
C.Network Security Groups
D.Azure WAF
AnswerB

DDoS Protection Standard provides enhanced protection against volumetric DDoS attacks for Azure resources with automatic mitigation.

Why this answer

Azure DDoS Protection Standard is the correct service because it provides dedicated mitigation against Distributed Denial of Service (DDoS) attacks targeting Azure virtual machines at the network layer (Layer 3/4). It uses adaptive tuning, traffic monitoring, and automatic attack mitigation to protect public IP addresses associated with Azure resources, including VMs, without requiring any application-level changes.

Exam trap

The trap here is that candidates often confuse Azure Firewall or NSGs with DDoS protection because they both filter traffic, but they serve fundamentally different purposes—access control versus volumetric attack mitigation—and only DDoS Protection Standard handles network-layer DDoS attacks.

How to eliminate wrong answers

Option A is wrong because Azure Firewall is a stateful, network-level firewall that filters traffic based on rules (e.g., source/destination IP, port, protocol) but does not provide DDoS mitigation at the network layer; it is designed for access control, not volumetric attack protection. Option C is wrong because Network Security Groups (NSGs) are stateless or stateful packet filters that control inbound/outbound traffic to subnets or NICs based on rules, but they cannot detect or mitigate DDoS attacks—they lack the adaptive monitoring and automatic mitigation capabilities of DDoS Protection. Option D is wrong because Azure Web Application Firewall (WAF) operates at Layer 7 (application layer) to protect web applications from threats like SQL injection and cross-site scripting, not from network-layer DDoS attacks targeting VMs.

133
MCQhard

A team uses Docker containers to run microservices. They need a service that automatically manages the cluster, scales containers based on demand, and provides load balancing without requiring them to manage the underlying VMs. Which Azure compute service should they choose?

A.Azure Container Instances
B.Azure Kubernetes Service
C.Azure Batch
D.Azure Virtual Machine Scale Sets
AnswerB

Correct. AKS is a managed Kubernetes service that offers full orchestration, scaling, and load balancing.

Why this answer

Azure Kubernetes Service (AKS) is the correct choice because it provides a managed Kubernetes cluster that automates container orchestration, scaling, and load balancing. AKS abstracts the underlying VMs, handling master node management, updates, and scaling based on demand, which aligns with the team's requirement to avoid VM management.

Exam trap

The trap here is that candidates often confuse Azure Container Instances (ACI) with AKS, assuming ACI can manage clusters and scale containers across multiple nodes, but ACI is for single-container deployments without orchestration features like cluster management or multi-node load balancing.

How to eliminate wrong answers

Option A is wrong because Azure Container Instances (ACI) is a serverless container service for running individual containers on demand, but it does not provide cluster management, automatic scaling across multiple nodes, or built-in load balancing for microservices. Option C is wrong because Azure Batch is designed for high-performance computing (HPC) and parallel job scheduling, not for managing containerized microservices with dynamic scaling and load balancing. Option D is wrong because Azure Virtual Machine Scale Sets (VMSS) manage VM-level scaling and load balancing, but they require the team to manage the VMs and container orchestration themselves, which contradicts the requirement to avoid managing underlying VMs.

134
MCQmedium

A global e-commerce company has web applications deployed on Azure virtual machines in the West US and West Europe regions. The company needs a single, global HTTP-based entry point that can perform SSL offloading, route requests based on the URL path (e.g., /api to one backend pool, /images to another), and provide a web application firewall (WAF) to protect against common web attacks. Additionally, the solution must automatically direct users to the closest regional deployment to minimize latency. Which Azure service should the company use?

A.Azure Traffic Manager
B.Azure Application Gateway
C.Azure Load Balancer
D.Azure Front Door
AnswerD

Azure Front Door is a global HTTP(S) load balancer that provides SSL offloading, path-based routing, WAF integration, and intelligent traffic routing to the closest available regional backend. It meets all the specified requirements in a single global service.

Why this answer

Azure Front Door is the correct choice because it provides a global, HTTP/HTTPS-based entry point with SSL offloading, URL path-based routing to different backend pools, and a built-in web application firewall (WAF). It also uses Anycast-based routing to automatically direct users to the closest regional deployment, minimizing latency.

Exam trap

The trap here is that candidates often confuse Azure Application Gateway (regional, path-based routing with WAF) with Azure Front Door (global, path-based routing with WAF and global load balancing), missing the critical requirement for global traffic distribution and automatic user proximity routing.

How to eliminate wrong answers

Option A is wrong because Azure Traffic Manager operates at the DNS layer (Layer 3/4) and cannot perform SSL offloading, URL path-based routing, or provide a web application firewall (WAF); it only directs traffic based on DNS responses. Option B is wrong because Azure Application Gateway is a regional service that can perform SSL offloading, path-based routing, and WAF, but it cannot route traffic globally or automatically direct users to the closest regional deployment across multiple regions. Option C is wrong because Azure Load Balancer operates at Layer 4 (TCP/UDP) and cannot perform SSL offloading, URL path-based routing, or provide a web application firewall (WAF); it is designed for regional load balancing within a single region.

135
MCQmedium

A company plans to deploy two Azure virtual machines that host a critical web application. Both VMs will be in the same Azure region and the same virtual network. The company’s requirements are: 1) During Azure platform-initiated maintenance (e.g., OS updates), at least one VM must remain running. 2) If a hardware failure occurs in the server rack that hosts one VM, the other VM must not be affected. 3) The solution must not incur additional costs beyond the VMs themselves. Which Azure feature should the company configure?

A.Availability Zones
B.Availability Set
C.Azure Site Recovery
D.Azure Load Balancer
AnswerB

An Availability Set groups VMs across multiple fault domains (separate server racks) and update domains (for planned maintenance). This ensures that at least one VM remains available during maintenance and that a single rack failure does not affect both VMs. No additional cost is incurred for using an Availability Set.

Why this answer

An Availability Set distributes VMs across multiple fault domains (different server racks with independent power and networking) and update domains (groups that undergo platform maintenance sequentially). This ensures that during Azure-initiated maintenance, only one update domain is rebooted at a time, leaving at least one VM running, and that a hardware failure in one fault domain does not affect VMs in other fault domains. Availability Sets are free of charge beyond the cost of the VMs themselves, meeting all requirements.

Exam trap

The trap here is that candidates often confuse Availability Zones (which provide physical separation across data centers) with Availability Sets (which provide fault and update domain isolation within a single data center), leading them to choose Availability Zones despite the cost and networking constraints that make Availability Sets the correct answer for this scenario.

How to eliminate wrong answers

Option A is wrong because Availability Zones provide physical separation across different Azure data centers within a region, which incurs additional costs for inter-zone data transfer and does not guarantee that both VMs remain in the same virtual network without extra configuration; moreover, the requirement does not specify the need for zone-level isolation, and the cost constraint makes zones unsuitable. Option C is wrong because Azure Site Recovery is a disaster recovery service that replicates VMs to a secondary region for business continuity, which involves additional costs for replication, storage, and failover, and it does not address the requirement for maintaining at least one VM running during platform-initiated maintenance within the same region.

136
MCQmedium

Which Azure storage redundancy option stores three copies of data within a single data center in a single region?

A.Zone-Redundant Storage (ZRS)
B.Geo-Redundant Storage (GRS)
C.Locally Redundant Storage (LRS)
D.Read-Access Geo-Redundant Storage (RA-GRS)
AnswerC

LRS keeps three copies within a single data center in one region — the lowest cost option.

Why this answer

Locally Redundant Storage (LRS) replicates data three times within a single physical data center in a single region. This provides protection against server rack and drive failures but does not protect against a full data center outage. It is the lowest-cost redundancy option and is suitable for scenarios where data can be reconstructed from other sources.

Exam trap

The trap here is that candidates confuse 'zone' (availability zone) with 'data center' and incorrectly choose ZRS, thinking it replicates within a single data center, when in fact ZRS spans multiple data centers (availability zones) within a region.

How to eliminate wrong answers

Option A is wrong because Zone-Redundant Storage (ZRS) replicates data synchronously across three Azure availability zones within a single region, not within a single data center. Option B is wrong because Geo-Redundant Storage (GRS) replicates data to a secondary region, not within a single data center. Option D is wrong because Read-Access Geo-Redundant Storage (RA-GRS) is a variant of GRS that additionally provides read access to the secondary region copy; it also does not store three copies within a single data center.

137
MCQmedium

Which Azure service provides a managed Apache Hadoop cluster for processing large amounts of data using batch analytics?

A.Azure Databricks
B.Azure HDInsight
C.Azure Synapse Analytics
D.Azure Stream Analytics
AnswerB

HDInsight provides managed Apache Hadoop (and other open-source frameworks) for batch analytics on large datasets.

Why this answer

Azure HDInsight is the correct answer because it is a fully managed, open-source analytics service that provides Apache Hadoop clusters specifically designed for batch processing of large data sets using MapReduce and other Hadoop ecosystem components. Unlike other services, HDInsight directly supports Hadoop's distributed file system (HDFS) and YARN resource management, making it the native choice for traditional big data batch analytics.

Exam trap

The trap here is that candidates confuse Azure Databricks (which also uses Spark) with HDInsight, but Databricks is not a managed Hadoop cluster and focuses on collaborative analytics and machine learning, not native batch Hadoop processing.

How to eliminate wrong answers

Option A is wrong because Azure Databricks is an Apache Spark-based analytics platform optimized for interactive and real-time processing, not a managed Hadoop cluster for batch analytics. Option C is wrong because Azure Synapse Analytics is a unified data warehouse and big data analytics service that uses SQL pools and serverless SQL, not a managed Hadoop cluster. Option D is wrong because Azure Stream Analytics is a real-time event processing engine for streaming data, not a batch analytics service for large static datasets.

138
MCQmedium

A company is deploying a web application in Azure. The application consists of an Azure App Service, an Azure SQL Database, and a Storage account. The development team maintains three separate environments: development, test, and production. The team wants to be able to delete all resources associated with a specific environment (e.g., development) in a single action, without affecting the other environments. The solution must also allow applying role-based access control (RBAC) and tags consistently to all resources within each environment. Which Azure component should the team use to achieve these requirements?

A.Azure subscription
B.Azure resource group
C.Azure management group
D.Azure availability zone
AnswerB

A resource group is a container that holds related resources for an Azure solution. It allows you to manage, delete, and apply policies, tags, and RBAC to all resources in that group together. This is exactly what the team needs to manage each environment independently.

Why this answer

An Azure resource group is a logical container that holds related resources for an Azure solution. By placing all resources for a specific environment (e.g., development) into a single resource group, the team can delete the entire environment in one action by deleting the resource group, without affecting other environments. Additionally, RBAC roles and tags applied at the resource group level are inherited by all resources within that group, ensuring consistent governance.

Exam trap

The trap here is that candidates often confuse resource groups with subscriptions or management groups, thinking that a subscription is needed to isolate environments, but subscriptions are billing boundaries, not lifecycle containers for a single environment's resources.

How to eliminate wrong answers

Option A is wrong because an Azure subscription is a billing and management boundary that can contain multiple environments; deleting a subscription would remove all environments, not just one, and it does not provide granular per-environment RBAC or tag inheritance. Option C is wrong because an Azure management group is a hierarchical container used to manage governance, policy, and compliance across multiple subscriptions, not to group resources within a single environment for lifecycle management. Option D is wrong because an Azure availability zone is a physically separate datacenter within an Azure region used for high availability and disaster recovery, not a logical container for organizing resources or applying RBAC and tags.

139
MCQmedium

A company runs a critical application on multiple Azure virtual machines (VMs) in the East US region. The application requires that the VMs are physically separated from any other customer's workloads and that the underlying physical servers are dedicated to this company alone. The compliance team mandates that no other customer's VMs can run on the same physical hardware. Which Azure compute offering should the company use to meet this requirement?

A.Azure Dedicated Host
B.Azure Availability Set
C.Azure Virtual Machine Scale Set
D.Azure Reserved Virtual Machine Instances
AnswerA

Correct. Azure Dedicated Host provides single-tenant physical servers dedicated to a single customer, ensuring complete physical isolation from other customers' workloads.

Why this answer

Azure Dedicated Host provides single-tenant physical servers dedicated to a single customer, ensuring that no other customer's VMs run on the same hardware. This meets the compliance requirement for physical separation and dedicated underlying servers. The company can deploy VMs directly onto these dedicated hosts, guaranteeing isolation at the hardware level.

Exam trap

The trap here is that candidates often confuse Azure Dedicated Host with Azure Reserved Instances or Availability Sets, mistakenly thinking that high availability or cost savings can achieve physical isolation, when only Dedicated Host provides dedicated physical servers.

How to eliminate wrong answers

Option B (Azure Availability Set) is wrong because it only provides high availability by distributing VMs across fault domains and update domains within the same physical infrastructure, but does not guarantee physical separation from other customers' workloads. Option C (Azure Virtual Machine Scale Set) is wrong because it is designed for auto-scaling and load balancing of identical VMs, but it does not provide dedicated physical hardware or isolation from other tenants. Option D (Azure Reserved Virtual Machine Instances) is wrong because it is a billing discount for committing to a one- or three-year term, and it does not affect the underlying physical hardware or provide any form of tenant isolation.

140
MCQmedium

A company runs a critical ERP system on-premises and plans to extend the application to Azure IaaS VMs for burst capacity. The network team requires a dedicated, private connection between the on-premises data center and Azure that does not traverse the public internet. The connection must offer consistent latency, high bandwidth options up to 10 Gbps, and a financially backed SLA for availability. Which Azure service should the team provision to meet these requirements?

A.Azure ExpressRoute
B.Azure VPN Gateway (site-to-site)
C.Azure Front Door
D.Azure Bastion
AnswerA

Correct. ExpressRoute provides a dedicated private circuit from an on-premises network to Azure, bypassing the public internet for improved latency, security, and reliability. It supports high bandwidth (up to 10 Gbps) and offers a financially backed SLA (e.g., 99.95% availability for a single connection).

Why this answer

Azure ExpressRoute provides a dedicated, private connection from on-premises to Azure that bypasses the public internet, ensuring consistent latency and high bandwidth up to 10 Gbps. It also offers a financially backed SLA for availability, making it the ideal choice for extending a critical ERP system for burst capacity with predictable performance.

Exam trap

Microsoft often tests the misconception that a site-to-site VPN can provide dedicated, private connectivity with guaranteed performance, but the key differentiator is that ExpressRoute bypasses the public internet entirely and offers a financially backed SLA.

How to eliminate wrong answers

Option B is wrong because Azure VPN Gateway (site-to-site) uses IPSec tunnels over the public internet, which does not guarantee consistent latency, high bandwidth up to 10 Gbps, or a financially backed SLA for availability. Option C is wrong because Azure Front Door is a global load balancer and application delivery service that operates over the public internet, not a dedicated private connection, and it does not provide a direct private link between on-premises and Azure VNets.

141
MCQeasy

A company wants to segregate their Azure resources into logical groups based on department and environment. They also want to apply access control and management at these group levels. Which Azure construct should they use?

A.Resource groups
B.Availability sets
C.Virtual networks
D.Subscriptions
AnswerA

Correct. Resource groups group resources for management, RBAC, and policy enforcement.

Why this answer

Resource groups are logical containers in Azure that allow you to group related resources (e.g., VMs, databases, storage) by department and environment. They enable you to apply access control via Azure RBAC and management policies (e.g., tags, locks) at the group level, ensuring consistent governance across all resources within the group.

Exam trap

The trap here is that candidates often confuse subscriptions with resource groups, thinking subscriptions are the correct logical grouping mechanism, but subscriptions are billing and administrative boundaries, not designed for fine-grained grouping by department and environment.

How to eliminate wrong answers

Option B is wrong because availability sets are a VM high-availability feature that distributes VMs across fault and update domains, not a logical grouping construct for access control or management. Option C is wrong because virtual networks provide network isolation and connectivity for Azure resources, but they do not serve as a management or access control boundary for grouping resources by department or environment. Option D is wrong because subscriptions are billing and administrative boundaries that contain resource groups, but they are too coarse-grained for segregating resources by department and environment; resource groups are the correct construct for that purpose.

142
MCQeasy

What is an Azure availability zone?

A.A geographic region with multiple Azure datacenters
B.A physically separate datacenter within an Azure region with independent power and cooling
C.A pair of geographically distant Azure regions
D.A logical grouping of Azure resources for billing
AnswerB

Availability zones are distinct datacenters within a region, each independent so a failure in one doesn't affect others.

Why this answer

An Azure availability zone is a physically separate datacenter within an Azure region, each with its own independent power, cooling, and networking. This isolation ensures that if one zone fails, applications and data in other zones remain unaffected, providing high availability and fault tolerance for critical workloads.

Exam trap

The trap here is that candidates often confuse an availability zone with an Azure region or a region pair, mistakenly thinking a zone spans multiple datacenters or is used for geo-redundancy, when in fact it is a single, isolated datacenter within one region.

How to eliminate wrong answers

Option A is wrong because a geographic region with multiple Azure datacenters describes an Azure region, not an availability zone; a region contains multiple zones, but the zone itself is a single datacenter. Option C is wrong because a pair of geographically distant Azure regions describes a region pair (used for disaster recovery), not an availability zone, which is a single datacenter within one region. Option D is wrong because a logical grouping of Azure resources for billing refers to a management group or subscription, not an availability zone, which is a physical infrastructure concept.

143
MCQhard

Which Azure service provides dedicated physical servers for regulatory or licensing requirements where hardware cannot be shared with other customers?

A.Azure Reserved VM Instances
B.Azure Spot VMs
C.Azure Dedicated Host
D.Azure Isolated VM sizes
AnswerC

Dedicated Host provides physical servers dedicated to one organization for compliance and licensing requirements.

Why this answer

Azure Dedicated Host provides physical servers dedicated to a single Azure subscription, ensuring that hardware is not shared with other customers. This meets regulatory or licensing requirements that mandate hardware isolation, such as specific compliance standards or software licensing agreements that restrict usage to dedicated hardware.

Exam trap

The trap here is that candidates often confuse Azure Dedicated Host with Azure Isolated VM sizes, but Isolated VM sizes only guarantee isolation from other VM sizes on the same host, not a dedicated physical server, whereas Dedicated Host provides full physical server exclusivity.

How to eliminate wrong answers

Option A is wrong because Azure Reserved VM Instances are a pricing model that reserves capacity and offers discounts for one- or three-year commitments, but they do not provide dedicated physical servers; the underlying hardware may still be shared. Option B is wrong because Azure Spot VMs offer unused compute capacity at a reduced cost but can be evicted when Azure needs the capacity back, and they run on shared hardware, not dedicated physical servers. Option D is wrong because Azure Isolated VM sizes run on isolated hardware for a specific VM size, but they do not guarantee a dedicated physical server; multiple VMs of the same size can still share the same physical host, and the isolation is at the VM level, not the physical server level.

144
MCQmedium

Which Azure service allows you to extend your on-premises Active Directory to the cloud for hybrid identity scenarios?

A.Azure AD B2C
B.Azure AD Connect
C.Azure Active Directory Domain Services
D.Azure Conditional Access
AnswerB

Azure AD Connect synchronizes on-premises AD user accounts and groups to Azure AD, enabling hybrid identity with SSO.

Why this answer

Azure AD Connect is the correct service because it synchronizes on-premises Active Directory identities with Azure AD, enabling hybrid identity scenarios where users can use the same credentials for both on-premises and cloud resources. It handles password hash synchronization, pass-through authentication, and federation integration, making it the primary tool for extending on-premises AD to the cloud.

Exam trap

The trap here is confusing Azure AD Domain Services (Azure AD DS) with Azure AD Connect, as both involve 'domain' concepts, but Azure AD DS provides managed domain services for cloud workloads without extending on-premises AD, while Azure AD Connect is the actual synchronization tool for hybrid identity.

How to eliminate wrong answers

Option A is wrong because Azure AD B2C is a customer-facing identity service for external users (e.g., social logins) and does not extend on-premises Active Directory. Option C is wrong because Azure Active Directory Domain Services (Azure AD DS) provides managed domain services like group policy and LDAP for cloud VMs, but it does not synchronize or extend on-premises AD; it creates a separate domain. Option D is wrong because Azure Conditional Access is a policy-based access control feature that evaluates sign-in conditions (e.g., location, device compliance) and does not perform identity synchronization or extension.

145
MCQmedium

Which Azure database service is specifically optimized for running open-source MariaDB workloads as a fully managed service?

A.Azure Database for MySQL
B.Azure Database for MariaDB
C.Azure SQL Database
D.Azure Cosmos DB
AnswerB

Azure Database for MariaDB is the dedicated fully managed service for MariaDB open-source workloads.

Why this answer

Azure Database for MariaDB is the correct answer because it is a fully managed relational database service specifically built for the MariaDB community edition, offering high availability, automated backups, and scaling. It uses the same wire protocol as MySQL but is tailored to MariaDB's specific engine features and versioning, such as support for the Aria storage engine and Galera cluster replication.

Exam trap

The trap here is that candidates often confuse MariaDB with MySQL due to their shared history, assuming Azure Database for MySQL can handle MariaDB workloads, but Azure explicitly separates these services to account for divergent features and versioning.

How to eliminate wrong answers

Option A is wrong because Azure Database for MySQL is optimized for the MySQL database engine, not MariaDB, and while MariaDB is a fork of MySQL, the two have diverged in features and compatibility, so Azure offers a separate service for each. Option C is wrong because Azure SQL Database is a fully managed relational database service for Microsoft SQL Server, which uses Transact-SQL (T-SQL) and is not compatible with MariaDB's SQL dialect or storage engines. Option D is wrong because Azure Cosmos DB is a globally distributed, multi-model NoSQL database service that supports document, key-value, graph, and column-family data models, not relational MariaDB workloads.

146
MCQmedium

A company is designing a multi-tier application on Azure. The web tier needs to scale out based on CPU usage, while the database tier requires high-performance storage for transactional data. Which combination of Azure services should they choose?

A.Azure Functions and Azure Cosmos DB
B.Azure App Service and Azure SQL Database
C.Azure Virtual Machine Scale Sets and Azure Files
D.Azure Kubernetes Service and Blob Storage
AnswerB

App Service provides autoscaling for web applications, and Azure SQL Database offers high-performance transactional storage with built-in scaling.

Why this answer

Azure App Service provides built-in autoscaling based on metrics like CPU usage, making it ideal for the web tier that needs to scale out. Azure SQL Database offers high-performance, low-latency storage for transactional data with features like automatic indexing and in-memory OLTP, meeting the database tier's requirements.

Exam trap

The trap here is that candidates often confuse Azure Functions with App Service for web tier scaling, overlooking that Functions is for event-driven, stateless code, not for a full web application with persistent scaling needs.

How to eliminate wrong answers

Option A is wrong because Azure Functions is a serverless compute service designed for event-driven, short-lived workloads, not for a multi-tier web application that requires continuous scaling based on CPU usage; Azure Cosmos DB is a NoSQL database optimized for globally distributed, schema-less data, not for high-performance transactional storage with ACID guarantees needed for a relational database tier. Option C is wrong because Azure Virtual Machine Scale Sets can scale VMs based on CPU, but they require manual management of the web server software and are more complex than App Service for a simple web tier; Azure Files provides SMB-based file shares, which lack the transactional performance and low-latency I/O of a dedicated database service like Azure SQL Database.

147
MCQmedium

Which Azure service provides a platform for analyzing and visualizing large amounts of data stored in Azure Data Lake or Azure Blob Storage?

A.Azure Data Factory
B.Azure HDInsight
C.Azure SQL Database
D.Azure Cognitive Services
AnswerB

HDInsight is a managed analytics platform supporting Spark, Hadoop, Hive, and other frameworks for big data processing.

Why this answer

Azure HDInsight is a fully managed, open-source analytics service that runs popular frameworks like Apache Spark, Apache Hive, and Apache Hadoop. It is specifically designed for processing and analyzing large-scale data stored in Azure Data Lake Storage or Azure Blob Storage, and integrates with visualization tools like Power BI for insights.

Exam trap

The trap here is that candidates often confuse Azure Data Factory (a data movement service) with an analytics platform, or assume Azure SQL Database can handle big data analytics, when in fact HDInsight is the correct service for large-scale data analysis and visualization.

How to eliminate wrong answers

Option A is wrong because Azure Data Factory is a cloud-based ETL and data integration service that orchestrates data movement and transformation, not a platform for analyzing and visualizing data. Option C is wrong because Azure SQL Database is a relational database service for transactional workloads and structured data, not designed for large-scale analytics on data lakes or blob storage. Option D is wrong because Azure Cognitive Services provides pre-built AI APIs for vision, speech, language, and decision-making, not for analyzing or visualizing large datasets.

148
MCQmedium

Which Azure service provides a managed Kubernetes environment for deploying and managing containerized applications?

A.Azure Container Instances
B.Azure Kubernetes Service (AKS)
C.Azure App Service
D.Azure Container Registry
AnswerB

AKS is Azure's managed Kubernetes service for deploying and operating containerized applications at scale.

Why this answer

Azure Kubernetes Service (AKS) is the correct answer because it is Azure's managed Kubernetes orchestration service, which handles the control plane (including the API server, etcd, and scheduler) for you, while you manage the worker nodes and your containerized applications. This allows you to deploy, scale, and manage containerized applications using Kubernetes without the operational overhead of maintaining the control plane infrastructure.

Exam trap

The trap here is that candidates often confuse Azure Container Instances (ACI) with a managed Kubernetes service because both deal with containers, but ACI lacks orchestration, scaling, and self-healing capabilities, making it unsuitable for production-grade multi-container applications.

How to eliminate wrong answers

Option A is wrong because Azure Container Instances (ACI) is a serverless container execution service that runs a single container or a small group of containers directly, without any orchestration layer like Kubernetes; it is designed for simple, short-lived tasks, not for managing complex, multi-container applications with scaling and self-healing. Option C is wrong because Azure App Service is a Platform-as-a-Service (PaaS) for hosting web applications, REST APIs, and mobile backends, and while it supports container deployment (via Web App for Containers), it does not provide native Kubernetes orchestration or the full set of Kubernetes features like pod scheduling, service discovery, and rolling updates. Option D is wrong because Azure Container Registry (ACR) is a private Docker registry for storing and managing container images, not a compute service for running containers; it is used to store images that can be deployed to AKS, ACI, or other container hosts.

149
MCQmedium

Which Azure service enables the creation of event-driven architectures by reacting to state changes in Azure resources?

A.Azure Service Bus
B.Azure Event Grid
C.Azure Event Hubs
D.Azure Monitor Alerts
AnswerB

Event Grid routes events from Azure resource state changes to handlers like Functions and Logic Apps.

Why this answer

Azure Event Grid is the correct service because it is a fully managed event routing service that enables event-driven architectures by reacting to state changes in Azure resources. It uses a publish-subscribe model where events from Azure services (e.g., blob storage, resource groups) are sent to subscribers like Azure Functions or webhooks, allowing automatic reactions to changes such as resource creation or deletion.

Exam trap

The trap here is that candidates confuse Azure Event Grid (event-driven reactions to state changes) with Azure Event Hubs (high-throughput data streaming) or Azure Service Bus (message queuing), because all three deal with events but serve fundamentally different purposes in Azure's messaging ecosystem.

How to eliminate wrong answers

Option A is wrong because Azure Service Bus is a message broker for decoupling applications using queues and topics, not designed for reacting to state changes in Azure resources; it focuses on reliable message delivery rather than event-driven reactions. Option C is wrong because Azure Event Hubs is a big data streaming platform and event ingestion service optimized for high-throughput telemetry and log data, not for reacting to state changes in Azure resources. Option D is wrong because Azure Monitor Alerts is a monitoring and notification service that triggers actions based on metrics or log queries, not a native event-driven architecture service for reacting to resource state changes.

150
MCQmedium

A company plans to deploy a critical application across multiple physical locations within a single Azure region to ensure that if one datacenter fails, the application remains available. Which Azure feature should they use to distribute virtual machines across these locations?

A.Availability Set
B.Availability Zone
C.Region Pair
D.Resource Group
AnswerB

Availability Zones are unique physical locations within an Azure region, each with independent power, cooling, and networking. Deploying VMs across zones provides resiliency against datacenter failures.

Why this answer

Availability Zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. By deploying VMs across multiple zones, the application remains available even if one entire datacenter fails, meeting the requirement for fault isolation within a single region.

Exam trap

The trap here is that candidates often confuse Availability Sets (which protect against rack-level failures) with Availability Zones (which protect against entire datacenter failures), leading them to choose the wrong option when the question specifies 'multiple physical locations' within a single region.

How to eliminate wrong answers

Option A is wrong because an Availability Set protects against failures within a single datacenter (e.g., rack or update domain failures) but does not provide isolation across physically separate datacenters, so it cannot ensure availability if an entire datacenter fails. Option C is wrong because Region Pairs are used for disaster recovery across two different Azure regions (e.g., East US paired with West US), not for distributing VMs across locations within a single region.

← PreviousPage 2 of 6 · 409 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Describe Azure architecture and services questions.