Sample questions
Microsoft Azure Fundamentals AZ-900 practice questions
A company uses Azure and wants to organize all their virtual machines, databases, and storage accounts into logical containers for management and billing purposes. Which Azure component should they use to group these resources?
- A) Azure Policy. Why wrong: Azure Policy is used to enforce compliance rules on resources, not to group them.
- B) Resource Group. A resource group is a logical container for resources like VMs, databases, and storage accounts. It enables unified management and billing tracking.
- C) Management Group. Why wrong: Management groups are used to manage governance and access across multiple subscriptions, not to group resources within a subscription.
- D) Azure Subscription. Why wrong: An Azure subscription provides billing and access boundaries, but it is not the container for individual resources; resource groups are inside subscriptions.
A company uses multiple Azure subscriptions for different departments. The finance team wants to monitor spending across all subscriptions and receive automated email alerts when a subscription's actual spending reaches 80% of its monthly budget. The team does not want to write custom scripts or use external tools. Which Azure feature should they use?
- A) Azure Policy. Why wrong: Azure Policy is used to enforce compliance rules on resource configurations (e.g., allowed locations or SKUs), not to monitor spending or send budget alerts.
- B) Azure Cost Management + Budgets. This is the correct service. It allows creation of budgets at the subscription or resource group scope, with alerts triggered when actual or forecasted costs exceed defined thresholds. Email notifications are built in.
- C) Azure Blueprints. Why wrong: Azure Blueprints enables the creation of repeatable, versioned environments including policies, role assignments, and resources. It does not provide cost monitoring or budget alerts.
- D) Azure Resource Locks. Why wrong: Resource Locks prevent deletion or modification of critical resources. They do not track costs or generate spending alerts.
A company wants to ensure that all Azure resources are tagged with a 'CostCenter' tag at creation time. If a resource is created without the tag, it should be automatically denied. Which Azure Policy effect should they use?
- A) deny. The deny effect prevents resources from being created if they do not comply with the policy condition.
- B) audit. Why wrong: Audit only logs non-compliant resources; it does not block their creation.
- C) append. Why wrong: Append adds the missing tag but does not deny creation if the tag cannot be added.
- D) deployIfNotExists. Why wrong: DeployIfNotExists deploys additional resources to correct non-compliance, but does not block the original resource creation.
A company uses Azure Blueprints to define a repeatable set of Azure resources and policies for new subscriptions. They want to ensure that when a new subscription is created, a specific role assignment is automatically applied. What should they include in the blueprint definition?
- A) A role assignment artifact. Blueprint artifacts include role assignments that automatically grant permissions.
- B) An Azure Policy assignment. Why wrong: Policy assignments enforce compliance rules, not RBAC role assignments.
- C) An Azure Resource Manager template. Why wrong: ARM templates deploy resources, but role assignments in blueprints are better handled by the role assignment artifact.
- D) A resource group. Why wrong: Resource groups are containers for resources, not artifacts that assign roles.
A company uses Azure Policy to enforce governance. They want to prevent users from creating virtual machines of the Standard_DS3_v2 SKU in their subscription, and they also want to log any attempt to create such a VM (whether successful or not) for audit purposes. What is the minimum number of Azure Policy assignments required to meet both requirements?
- A) One – assign a policy definition with the Deny effect. Why wrong: A single Deny effect prevents creation but does not produce a separate compliance state for audit purposes; it only logs a denial event. The requirement explicitly asks for logging attempts for audit, which is more clearly satisfied by an Audit effect.
- B) One – assign a policy definition with the Audit effect. Why wrong: An Audit effect logs the attempt and shows compliance state, but it does not block the creation of the VM. The requirement also includes preventing the VM from being created.
- C) Two – assign one policy definition with the Deny effect and another with the Audit effect. Assigning two policies, one with Deny and one with Audit, simultaneously blocks forbidden VM SKU creation and provides a clear compliance view of all attempts (both successful and blocked) for auditing. This is the minimum configuration to satisfy both requirements.
- D) Two – assign one policy definition with the Deny effect and another with the Append effect. Why wrong: The Append effect adds tags or settings but does not log attempts for audit. Combining Deny with Append still does not address the logging/audit requirement.
A company wants to ensure that all Azure resources are tagged with metadata such as 'Environment' and 'Department'. They have created an Azure Policy that appends the required tags and their values when a resource is created. However, they notice that some resources created before the policy assignment are missing tags. They want to automatically add those tags without manual effort. What should they do?
- A) Create a remediation task for the policy. Why wrong: Remediation tasks are only available for policies with effects like DeployIfNotExists or Modify, not for policies with Append effect.
- B) Create a new policy with DeployIfNotExists effect. A policy with DeployIfNotExists effect can deploy a resource (like a script) to add tags to existing resources. After assignment, a remediation task can run to apply the fix.
- C) Use Azure Resource Graph to query and update. Why wrong: Azure Resource Graph can query resources but does not automatically update them; you would need additional scripting or tooling.
- D) Create an Azure Automation runbook. Why wrong: An Automation runbook can be used to update tags, but it would require manual or scheduled execution and is not natively integrated with Azure Policy for automatic remediation.
A company uses Azure SQL Database for a web application. They need to ensure that the database can automatically scale to handle sudden spikes in traffic without downtime. Which feature should they enable?
- A) Geo-replication. Why wrong: Geo-replication provides disaster recovery, not automatic scaling.
- B) Serverless compute. Correct. Serverless compute auto-scales and is designed for intermittent usage patterns with spikes.
- C) Active geo-replication. Why wrong: Active geo-replication provides readable replicas for scaling read workloads, not automatic compute scaling.
- D) Elastic pool. Why wrong: Elastic pools share resources among multiple databases but require manual scaling of the pool.
A company uses Azure to host multiple virtual machines and virtual networks. The network team is responsible for configuring and maintaining virtual networks, subnets, and network security groups. The company wants to ensure that the network team can manage these network resources but cannot modify or delete virtual machines. Which Azure built-in role should the company assign to the network team?
- A) Owner. Why wrong: The Owner role grants full access to all resources in the subscription, including the ability to manage and delete virtual machines. This provides more permissions than necessary for the network team and violates the principle of least privilege.
- B) Contributor. Why wrong: The Contributor role grants full access to manage all resources in the subscription, including virtual machines. It does not restrict the network team to only network resources, so it is overly permissive.
- C) Virtual Machine Contributor. Why wrong: The Virtual Machine Contributor role allows managing virtual machines, including starting, stopping, and modifying them. It does not grant permissions to manage virtual networks, subnets, or network security groups, so it would not allow the network team to perform their required duties.
- D) Network Contributor. The Network Contributor role provides full management of network resources such as virtual networks, subnets, network security groups, and load balancers. It does not grant permissions to manage virtual machines or other compute resources, which matches the requirement to restrict the network team's scope.
A company wants to ensure their application remains available even if an entire Azure region experiences an outage. Which Azure feature should they implement?
- A) Availability sets. Why wrong: Availability sets protect against failures within a single datacenter, not across entire regions.
- B) Availability zones. Why wrong: Availability zones protect against datacenter failures within a region, not a full regional outage.
- C) Region pairs. Region pairs provide cross-region disaster recovery and are designed for regional outages.
- D) Load balancer. Why wrong: Load balancer distributes traffic but does not provide cross-region failover.
A company wants to view a consolidated list of all Azure resources across multiple subscriptions and query them using Kusto Query Language (KQL). Which Azure tool should they use?
- A) Azure Resource Graph. Resource Graph enables KQL queries across subscriptions for resource discovery.
- B) Azure Resource Manager. Why wrong: ARM handles deployments, not resource querying.
- C) Azure Monitor. Why wrong: Monitor collects telemetry, not resource inventory.
- D) Azure Policy. Why wrong: Policy enforces rules; it does not query resources.
A global company creates a new Azure subscription for each major project. To ensure compliance and consistency, the governance team needs a single, versioned, auditable package that, when assigned to a subscription, automatically deploys a standard set of Azure Policy assignments, role assignments, a resource group structure, and a pre-configured virtual network. The solution must allow these packages to be updated centrally and have changes tracked for auditing. Which Azure service should the governance team use?
- A) Azure Policy. Why wrong: Azure Policy enforces and audits compliance rules, but it cannot deploy resources like virtual networks or create resource groups. It only handles policy definitions and assignments, not the full package of resources, roles, and policies.
- B) Azure Blueprints. Azure Blueprints allows you to define a repeatable set of Azure resources and governance artifacts (policies, role assignments, resource groups, ARM templates) that can be assigned to subscriptions. Blueprints are versioned and auditable, ideal for a single package that enforces a standard environment.
- C) Azure Resource Manager templates. Why wrong: ARM templates deploy Azure resources declaratively, but they do not natively assign Azure Policy or role assignments. While you can use ARM templates for resource deployment, they lack the centralized versioning and auditing of governance artifacts that Blueprints provide.
- D) Management groups. Why wrong: Management groups organize subscriptions into hierarchies for policy and RBAC inheritance. However, they do not deploy resources or define a package of resources, policies, and roles. They are containers, not deployment packages.
A company wants to enforce a naming convention for all Azure resources. For example, all resources must start with 'Contoso-'. They want to automatically audit and deny creation of resources that do not follow the naming convention. Which Azure Policy effect should they use?
- A) Deny. Deny blocks creation of resources that violate the naming rule.
- B) Audit. Why wrong: Audit only logs non-compliance; it does not prevent creation.
- C) Modify. Why wrong: Modify can change properties but does not deny creation.
- D) Append. Why wrong: Append adds additional fields but does not deny creation.
A company wants to ensure that its cloud resources are available even if a major disaster occurs in one region. They plan to deploy resources in two different geographic locations. Which cloud computing characteristic does this scenario primarily address?
- A) Scalability. Why wrong: Scalability is about handling increased load, not regional disaster recovery.
- B) Elasticity. Why wrong: Elasticity allows dynamic scaling, not specifically for disasters.
- C) High availability. Why wrong: High availability typically covers failures within a datacenter or region, not a full regional outage.
- D) Disaster recovery. Disaster recovery prepares for major regional failures by replicating resources to another geographic region.
A company wants to segregate their Azure resources into logical groups based on department and environment. They also want to apply access control and management at these group levels. Which Azure construct should they use?
- A) Resource groups. Correct. Resource groups group resources for management, RBAC, and policy enforcement.
- B) Availability sets. Why wrong: Availability sets are for VM high availability, not for logical organization.
- C) Virtual networks. Why wrong: Virtual networks provide network isolation, not a management grouping construct.
- D) Subscriptions. Why wrong: Subscriptions are billing and access boundaries, but resources are further organized into resource groups within a subscription.
A financial services company runs a critical trading application in its on-premises data center. The company is migrating some workloads to Azure and requires a dedicated, private network connection between its on-premises network and Azure. The connection must not use the public internet, must provide consistent latency and higher bandwidth than a typical internet-based VPN, and must be backed by a service-level agreement (SLA) for availability. Which Azure service should the company use to meet these requirements?
- A) Azure VPN Gateway. Why wrong: Azure VPN Gateway creates an encrypted tunnel over the public internet. While it provides a secure connection, it does not offer a private connection that bypasses the public internet, and bandwidth and latency are typically lower and less consistent than ExpressRoute.
- B) ExpressRoute. ExpressRoute provides a dedicated private connection from on-premises to Azure that does not use the public internet. It offers higher bandwidth, lower and consistent latency, and an availability SLA, meeting all the stated requirements.
- C) Azure Firewall. Why wrong: Azure Firewall is a managed network security service that helps protect Azure virtual network resources. It does not provide a connectivity service between on-premises and Azure.
- D) Azure Front Door. Why wrong: Azure Front Door is a global load balancer and content delivery network that operates over the public internet. It is designed for web applications and does not provide a private dedicated connection between an on-premises network and Azure.
A company wants to query all Azure resources across multiple subscriptions to find all storage accounts without encryption enabled. They need to use a powerful query language to filter and join data. Which Azure tool should they use?
- A) Azure Resource Graph. Resource Graph allows querying Azure resources at scale across subscriptions using KQL, perfect for discovering resources with specific configurations.
- B) Azure Monitor Logs. Why wrong: Azure Monitor Logs collects and analyzes telemetry data (logs and metrics) from resources, not resource inventory queries.
- C) Azure Advisor. Why wrong: Azure Advisor provides recommendations but does not support custom queries across resources.
- D) Azure Policy. Why wrong: Azure Policy evaluates compliance but cannot perform ad-hoc queries across all resources.
A company wants to ensure that their cloud provider's physical data centers are located in specific geographic areas to comply with data residency requirements. Which cloud concept is this related to?
- A) Data sovereignty. Correct. Data sovereignty deals with data being stored within specific geographic or legal boundaries, directly relating to choosing Azure regions for compliance.
- B) Availability. Why wrong: Availability focuses on uptime and resilience, not the physical location of data centers.
- C) Disaster recovery. Why wrong: Disaster recovery involves data replication and failover, not the initial placement of data centers for legal compliance.
- D) Hybrid cloud. Why wrong: Hybrid cloud refers to a combination of on-premises and public cloud, not specifically data center locations for sovereignty.
A financial services firm uses a hybrid cloud strategy. They run customer-facing applications in a public cloud and store sensitive customer data in an on-premises data center to meet regulatory compliance. The firm wants to allow its applications in the public cloud to securely access the on-premises data when needed. Which cloud deployment model best describes this setup?
- A) Public cloud. Why wrong: A public cloud deployment model uses only cloud resources hosted by a third-party provider. The firm also uses an on-premises data center, so it is not purely public cloud.
- B) Private cloud. Why wrong: A private cloud deployment model is dedicated to a single organization and usually resides on-premises or in a hosted private environment. The firm also uses public cloud services, so it is not purely private cloud.
- C) Hybrid cloud. Correct. A hybrid cloud combines public cloud and private cloud (on-premises) environments, enabling data and application sharing. This matches the firm's setup of running applications in the public cloud while keeping sensitive data on-premises with secure connectivity.
- D) Community cloud. Why wrong: A community cloud is a collaborative deployment model shared among several organizations with common regulatory or compliance needs. This scenario involves only one firm, not a community.
A development team lead needs to quickly provision a new Azure virtual machine for a short-term testing project. Instead of submitting a ticket to the IT procurement team and waiting several days for hardware approval and setup, the lead directly signs into the Azure portal, configures the VM settings, and has it running within 15 minutes. The entire process required no human interaction from the cloud provider's staff. Which cloud computing characteristic does this scenario primarily demonstrate?
- A) On-demand self-service. Correct. The team lead provisioned the VM directly through the portal without any human intervention from the provider, demonstrating on-demand self-service.
- B) Broad network access. Why wrong: Broad network access refers to resources being available over the network and accessible from a variety of client platforms (e.g., laptops, smartphones). While the lead accessed the Azure portal over the internet, the core focus of the scenario is the ability to provision resources without waiting, not the method of access.
- C) Measured service. Why wrong: Measured service means cloud providers meter and monitor resource usage for billing and optimization purposes. The scenario does not mention any tracking or metering of the VM usage; it emphasizes the speed and lack of human interaction in provisioning.
- D) Resource pooling. Why wrong: Resource pooling refers to the provider's physical resources being shared among multiple customers (multi-tenancy). The scenario focuses on the customer's experience of instant provisioning, not on how the underlying resources are shared.
A company wants to ensure that all new Azure storage accounts have a specific encryption setting enabled. They also want to automatically remediate any existing non-compliant storage accounts without manual effort. Which Azure Policy effect should they use?
- A) Append. Why wrong: Append can only add tags or fields, not enable encryption settings.
- B) AuditIfNotExists. Why wrong: AuditIfNotExists logs non-compliance but does not remediate.
- C) DeployIfNotExists. DeployIfNotExists deploys a configuration to enforce the encryption setting on both new and existing resources.
- D) Deny. Why wrong: Deny blocks creation of non-compliant resources but does not remediate existing ones.
A financial services company must migrate a critical application to Azure. Regulatory compliance requires that the virtual machines (VMs) hosting this application run on physical servers that are dedicated solely to the company and not shared with any other Azure customer. The company needs full control over server hardware maintenance, including the ability to schedule updates and isolate the environment at the physical layer. Which Azure compute solution should the company use?
- A
Azure Dedicated Host
Azure Dedicated Host provides physical servers dedicated to one Azure subscription. VMs are isolated at the hardware level, and the customer controls maintenance and scheduling. This fully satisfies the compliance requirement for physical server isolation.
- B
Azure Reserved Instances
Why wrong: Reserved Instances are a billing and pricing model that offers discounted rates in exchange for a one- or three-year commitment. They do not provide any physical server isolation; VMs purchased under Reserved Instances may still run on shared physical hardware.
- C
Azure Virtual Machine Scale Sets
Why wrong: Virtual Machine Scale Sets allow you to deploy and manage a group of identical, load-balanced VMs that can scale in or out automatically. They do not guarantee that the VMs are placed on a dedicated physical host; the underlying hardware may be shared with other tenants.
- D
Azure Confidential Computing
Why wrong: Confidential computing protects data in use by using hardware-based trusted execution environments (e.g., Intel SGX). While this provides strong data encryption during processing, it does not ensure that the entire physical server is dedicated to a single customer. Multiple tenants' VMs using confidential computing can still reside on the same physical host.
A multinational company has a strict data residency requirement: all Azure virtual machines must be deployed only in the East US or West Europe Azure regions. The IT governance team wants to enforce this rule automatically so that any attempt to create a virtual machine in any other region is blocked immediately at the time of deployment. Users must receive a clear error message if they try to create a VM in a disallowed region. Which Azure feature should the governance team configure to meet this requirement?
Trap 1: Create a resource lock on the subscription to prevent all resource…
Resource locks (CanNotDelete or ReadOnly) are designed to protect resources from accidental deletion or modification, not to block the creation of new resources. A resource lock on the subscription would prevent deletion of the subscription itself, but it does not block deployments of virtual machines in disallowed regions.
Trap 2: Assign an Azure RBAC role that denies create permissions for VMs in…
Azure RBAC roles manage permissions based on actions (e.g., Microsoft.Compute/virtualMachines/write) but cannot easily restrict by resource property such as region. Even with a custom role, you would need to specify each disallowed region in NotActions, which is cumbersome and error-prone. Azure Policy is the correct service for rules based on resource properties.
Trap 3: Set up a budget alert in Cost Management to notify when a VM is…
Azure Cost Management budget alerts are designed to track spending and send notifications when costs exceed thresholds. They do not prevent resource creation and cannot enforce location restrictions. This solution is reactive, not proactive.
- A
Create a resource lock on the subscription to prevent all resource creation.
Why wrong: Resource locks (CanNotDelete or ReadOnly) are designed to protect resources from accidental deletion or modification, not to block the creation of new resources. A resource lock on the subscription would prevent deletion of the subscription itself, but it does not block deployments of virtual machines in disallowed regions.
- B
Configure an Azure Policy with the Deny effect assigned to the subscription scope.
Azure Policy with the Deny effect evaluates resource creation or update requests and denies them if they do not comply with the policy rules (e.g., VM location). The denial includes a clear error message explaining which policy prevented the action. This is the standard method to enforce location restrictions proactively.
- C
Assign an Azure RBAC role that denies create permissions for VMs in disallowed regions.
Why wrong: Azure RBAC roles manage permissions based on actions (e.g., Microsoft.Compute/virtualMachines/write) but cannot easily restrict by resource property such as region. Even with a custom role, you would need to specify each disallowed region in NotActions, which is cumbersome and error-prone. Azure Policy is the correct service for rules based on resource properties.
- D
Set up a budget alert in Cost Management to notify when a VM is created in a disallowed region.
Why wrong: Azure Cost Management budget alerts are designed to track spending and send notifications when costs exceed thresholds. They do not prevent resource creation and cannot enforce location restrictions. This solution is reactive, not proactive.
A company wants to replicate its on-premises production environment to Azure for disaster recovery purposes. In the event of an on-premises outage, they can quickly start the replicated environment in Azure. Which cloud benefit does this best describe?
Trap 1: Scalability
Scalability is about handling growth, not recovering from outages.
Trap 2: High availability
High availability focuses on minimizing downtime within the same environment, not replication to another site.
Trap 3: Elasticity
Elasticity is about dynamic resource scaling, not disaster recovery.
- A
Scalability
Why wrong: Scalability is about handling growth, not recovering from outages.
- B
High availability
Why wrong: High availability focuses on minimizing downtime within the same environment, not replication to another site.
- C
Business continuity
Business continuity includes disaster recovery and ensures the organization can continue operations during and after a disruptive event.
- D
Elasticity
Why wrong: Elasticity is about dynamic resource scaling, not disaster recovery.
A company wants to use a cloud service that provides a fully managed database, including automated backups, patching, and high availability, without managing any underlying servers. Which cloud service model is this?
Trap 1: Infrastructure as a Service (IaaS)
IaaS would require managing the database on a VM.
Trap 2: Software as a Service (SaaS)
SaaS provides complete applications, not just database services.
Trap 3: Container as a Service (CaaS)
CaaS allows running containers, not managed databases.
- A
Infrastructure as a Service (IaaS)
Why wrong: IaaS would require managing the database on a VM.
- B
Platform as a Service (PaaS)
PaaS includes managed database services like Azure SQL Database.
- C
Software as a Service (SaaS)
Why wrong: SaaS provides complete applications, not just database services.
- D
Container as a Service (CaaS)
Why wrong: CaaS allows running containers, not managed databases.