Microsoft Azure Solutions Architect Expert Practice Test (AZ-305)

Configuring the databases to use read-access geo-redundant (RA-GRS) backup storage satisfies the requirements. With RA-GRS, Azure automatically copies each automated backup to the paired secondary region. If the primary region becomes unavailable, you can perform a geo-restore in the secondary region, meeting the recovery requirement without having to maintain an active replica. Because the backups are stored on low-cost RA-GRS Azure Blob Storage, no additional compute charges accrue. Zone-redundant backup storage protects only against zonal failures inside the same region. Active geo-replication keeps a live secondary database running, which contravenes the cost and management constraints. Long-term retention adds archival capability but does not guarantee cross-region availability or protection for recent backups.

Azure Front Door provides global HTTP/HTTPS load-balancing from Microsoft edge points of presence. It performs TLS termination, URL and path-based routing, and optional cookie-based session affinity, while continuously probing backend health. Because traffic is steered at Layer 7 through a single anycast IP that stays constant even when a backend becomes unhealthy, Front Door can redirect new connections to another healthy region within seconds and does not depend on client-side DNS TTL expiry. Azure Traffic Manager works only at the DNS layer, offers no path routing or SSL offload, and its fail-over speed is limited by DNS caching. Deploying Azure Application Gateway in each region behind Azure DNS still relies on DNS-based routing and lacks global anycast acceleration. A cross-region Azure Standard Load Balancer operates at Layer 4 without TLS termination or path-based routing, so it cannot satisfy the requirements.

Diagnostic settings can be deployed at scale by using built-in Azure Policy definitions. A single assignment can automatically enable diagnostic settings on subscriptions and resources, routing platform logs and metrics to multiple destinations: a Log Analytics workspace (where retention can be configured for 365 days or longer) and an Event Hub namespace. The workspace satisfies the audit-retention requirement, while the Event Hub feed is consumed by the SIEM. The solution is entirely managed and requires no custom code or ongoing maintenance. The other options either rely on custom runbooks, unsupported continuous export paths, or duplicate Sentinel deployments and therefore impose higher operational overhead or do not meet the technical requirements.

Multi-stage YAML pipelines in Azure DevOps meet all stated requirements. The pipeline definition is stored as code in the same Azure Repos repository, enabling versioning and collaboration. Build, test, and deployment jobs can target resources in any subscription through service connections, and stages can map to environments that support manual approval gates before production deployment. GitHub Actions would require moving the repository or linking an additional service, while Azure Automation runbooks and Deployment Center lack integrated build, test, and gated multi-stage release capabilities.

Azure AD Privileged Identity Management (PIM) for Azure RBAC allows you to create eligible, time-bound assignments that can require approval and automatically expire after a maximum of eight hours. By defining a custom RBAC role that contains only the Microsoft.Compute/virtualMachines/restart/action permission, you enforce least privilege. Assigning that role as eligible directly to each engineer at the subscription scope avoids the limitation that group assignments cannot be made eligible, yet still requires only a one-time setup per engineer. The PIM settings let a shift lead approve each activation request. The Contributor and Virtual Machine Contributor roles grant unnecessary permissions, and monthly access reviews or automation pipelines do not deliver the required per-shift, approval-based, time-bound access.

Azure AD Pass-through Authentication (PTA) uses lightweight agents to validate a user's password directly against the on-premises domain controller during sign-in, so no password hashes are ever stored in Azure AD. PTA supports Seamless Single Sign-On, allowing users to authenticate with their existing corporate credentials, and Azure AD Conditional Access can require MFA for all cloud sign-ins. This approach needs only a few agent installations and avoids the extra servers, proxy configuration, and certificate management overhead required by an AD FS farm. Password Hash Synchronization does not meet the requirement to avoid storing hashes in Azure AD, while Azure AD B2C is intended for external identities rather than corporate users. Therefore, implementing PTA with Seamless SSO and Azure AD MFA is the best fit.

Azure Container Apps natively runs container images without size limits, integrates with KEDA to scale on Azure Service Bus queue length, and can scale out rapidly (up to hundreds of replicas) or all the way to zero when the queue is empty, providing true serverless consumption pricing. Azure Container Instances lack event-driven autoscale and therefore would require additional orchestration logic. Azure Functions premium plan can run containers but keeps at least one instance warm, so it cannot scale to zero and incurs always-on costs. Azure Kubernetes Service offers full control and autoscaling, but cluster creation, node patching, and control-plane management contradict the requirement to minimize infrastructure management effort.

The Azure Migrate appliance performs agentless discovery of VMware vSphere inventories, streams performance counters for up to 30 days to build right-sizing recommendations, and supports agentless network dependency mapping by querying vCenter for traffic flows. When the collected data is uploaded to the Azure Migrate project, the service can generate readiness reports and TCO comparisons. The other options either require installing an agent on every VM (Site Recovery Mobility service), are deprecated and lack Azure-specific sizing (MAP Toolkit), or provide dependency data without integrated cost and sizing assessments (Azure Arc with dependency agent).

Azure Key Vault Managed HSM is a fully managed, single-tenant HSM-as-a-service operated by Microsoft. The underlying nShield HSMs are validated to FIPS 140-2 Level 3, and the service integrates natively with Azure RBAC, letting you grant fine-grained roles such as Key Administrator or Key Reader. The Azure Key Vault Premium tier uses multi-tenant HSMs and is certified only to Level 2, while Azure Dedicated HSM-although Level 3 and single-tenant-requires customers to manage the appliance directly and does not leverage Azure RBAC. Azure Confidential Ledger is not intended for cryptographic key storage.

The only way to achieve a 99.99 percent virtual-machine connectivity SLA inside a single Azure region is to run at least two VM instances distributed across different availability zones and front them with a standard load-balancer-backed endpoint. A virtual machine scale set with zone distribution automates instance deployment and balancing while avoiding any additional licensing costs and requiring minimal management effort.

An availability set does not protect against a full datacenter (zone) outage and is covered by a 99.95 percent SLA. Azure Site Recovery normally fails over to a different region and requires manual or scripted orchestration, so it does not guarantee the required intra-regional 99.99 percent availability. Deploying the workload on dedicated hosts would add significant cost and still not provide zone redundancy unless combined with additional components, so it also fails to meet the requirements.

Azure Cosmos DB distributed across multiple regions with multi-region (multi-write) enabled is the only Azure data service that meets all stated objectives. The SLA guarantees 99.999 percent availability for both reads and writes and automatic regional failover in under 60 seconds. Cross-regional replication latency is typically under five seconds, satisfying the RPO requirement. A single-write Cosmos DB account delivers only 99.99 percent write availability. Azure Storage RA-GZRS offers eventual consistency and no defined RPO. Azure SQL Database active geo-replication provides 99.99 percent availability and an RPO typically under five seconds, but it does not reach the required 99.999 percent availability, making it unsuitable.

An Azure SQL Database elastic pool lets many databases share a pool of compute and storage (measured as eDTUs or vCores). Because tenant workloads peak at different times, the pool can be sized for the combined, rather than individual, demand. When a particular tenant experiences a spike, the service automatically allocates additional compute from the shared pool, while idle databases consume virtually no resources-reducing total cost and operational effort. Running every tenant as an individual serverless database would bill each database separately for its active compute, eliminating the benefit of resource sharing. Hosting all data in a single large database or in a managed instance would reserve dedicated compute continuously, driving costs higher. Therefore, an appropriately sized Azure SQL Database elastic pool best meets the requirements for cost efficiency, automatic bursting, and minimal maintenance.

Azure AD Application Proxy meets all the stated requirements. An Application Proxy connector installed inside the corporate network establishes only outbound connections to Azure, so no inbound firewall ports are required. When the on-premises API is published through Application Proxy, users authenticate with Azure AD, allowing authorization through Azure AD groups and enforcement of Conditional Access policies, including MFA.

A site-to-site VPN with an Azure Load Balancer still requires network publishing and does not, by itself, integrate with Azure AD Conditional Access. Deploying Azure AD Domain Services only provides domain join and Kerberos within Azure virtual networks; it neither publishes the on-premises API nor eliminates firewall changes. Implementing AD FS with Web Application Proxy introduces additional perimeter servers and still requires inbound HTTPS ports, increasing complexity compared to Application Proxy.

Azure SQL Managed Instance in the Business Critical tier is a fully managed PaaS offering that provides near-100% compatibility with on-premises SQL Server, so application code and database features rarely need modification after migration. Because it is a managed service, Microsoft handles OS and database patching and supplies automated backups with up to 35-day retention by default. The Business Critical tier uses a four-node Always On availability group architecture that can be configured as zone-redundant, giving synchronous replication across multiple availability zones within a region and ensuring high availability without additional administration. It also places the primary and replicas on local SSD storage, supporting single-digit-millisecond latency for both reads and writes.

In contrast, a single Azure SQL Database in the Premium tier might require feature changes due to lower compatibility and does not guarantee instance-level features. An Azure SQL Virtual Machine would still leave patching and backup management to the customer and would require manual configuration of an availability group. The Hyperscale service tier offers high scalability but provides asynchronous replicas only and is not designed primarily for synchronous zone-redundant HA. Therefore, the Managed Instance Business Critical tier best meets all stated requirements.

Virtual Machine Scale Sets (VMSS) let you deploy and manage a group of identical or near-identical VMs as a single resource. When you use zone-redundant VMSS with either Uniform or Flexible orchestration, the instances can be spread across multiple Availability Zones, which enables the 99.99 percent VM uptime SLA. VMSS also integrates with autoscale rules that add or remove instances based on performance metrics such as CPU utilization, eliminating manual effort. By storing a versioned Windows Server 2022 image in an Azure Compute Gallery (formerly Shared Image Gallery) and configuring the scale set to use that image, you can roll out OS and application updates simply by updating the image version and performing a rolling upgrade. Availability Sets (without scale sets) provide no built-in autoscale and only fault-domain redundancy. Dedicated hosts require more management and offer no native autoscale. Azure Batch supports autoscale but does not guarantee zone-level redundancy or the 99.99 percent VM SLA and is optimized for stateless batch, not long-running VM workloads.

Azure Front Door delivers a single anycast public endpoint announced from Microsoft's global edge, giving users one globally distributed hostname. Front Door performs layer-7 load balancing with built-in TLS/SSL offload, URL path-based routing, and health-probe-driven failover between multiple back-end regions. It also integrates directly with Azure Web Application Firewall policies, providing centralized protection against OWASP Top 10 threats.

Azure Traffic Manager offers only DNS-based redirection, not a single anycast IP, and cannot perform SSL offload or provide a WAF. Standard or cross-region Azure Load Balancer works at layer 4 and lacks path-based routing and WAF features. Azure Firewall is a stateful network firewall, not a global web front-end, and does not supply anycast endpoints or application-layer load-balancing capabilities. Therefore, Azure Front Door with WAF is the only option that satisfies every stated requirement.

Azure API Management (APIM) provides a developer-friendly façade over multiple back-end services. It can expose a single public endpoint that routes to different AKS services, enforce subscription keys and Azure AD authentication, apply policy-based rate limits and quotas per caller, perform request/response transformations, and enable in-memory response caching-all without changing the existing microservices. Azure Application Gateway lacks built-in developer subscription management and transformation policies. Azure Functions would require redeveloping proxy logic and does not provide turnkey quotas or caching across existing services. Azure Service Bus is a messaging service rather than an HTTP API gateway and cannot expose REST endpoints directly.

Azure Cosmos DB for NoSQL guarantees single-digit millisecond reads and writes and is schema-agnostic, making it well-suited for high-velocity, flexible JSON telemetry. Enabling autoscale throughput lets the service automatically adjust RU/s based on load, reducing cost when traffic is low. Azure Blob Storage is the most economical option for large binary objects such as JPEGs. A lifecycle management policy that moves blobs from the Hot tier to Cool after 30 days and to Archive after 180 days keeps frequently accessed images performant while minimizing long-term storage costs, and requires no manual administration.

Azure SQL Database Hyperscale offers strong relational capabilities but incurs higher costs and imposes rigid schemas, making it less appropriate for rapidly changing JSON telemetry; Azure Files and managed disks are costlier than object storage for large, infrequently accessed images. Azure Data Lake Storage Gen2 can store both data types but would not provide the required millisecond read latency without additional compute (for example, Azure Synapse or Data Explorer) and may raise overall cost and complexity. Redis is an in-memory cache, not a durable store for long-term telemetry or images. Therefore, using Cosmos DB with autoscale for telemetry plus tiered Azure Blob Storage for images best balances features, performance, and cost.

Azure SQL Managed Instance is a fully managed PaaS offering that delivers near-100 percent compatibility with the on-premises SQL Server engine. It supports key features such as SQL Agent, cross-database queries, SQL CLR, Service Broker, and linked servers, while automatically providing backups, patching, and built-in high availability. Azure SQL Database single databases or elastic pools lack full support for SQL Agent and Service Broker, requiring application changes or external job services. Running SQL Server on an Azure VM offers full feature parity but is an IaaS solution that leaves most administration tasks-backups, patching, and HA configuration-to the customer, conflicting with the requirement for a PaaS service. Therefore, Azure SQL Managed Instance best satisfies all stated constraints.

Azure Data Factory is Microsoft's fully managed data integration service. It provides more than 90 native connectors covering on-premises sources such as Oracle and SAP, and SaaS sources like Salesforce. Using a self-hosted integration runtime, it can securely pull data from on-premises systems into Azure Data Lake Storage Gen2. Data Factory's Mapping Data Flows offer a fully visual, code-free environment for complex data transformations that can write the results directly to an Azure Synapse Analytics dedicated SQL pool. Pipelines can be authored visually or as JSON, scheduled with triggers, and monitored from the built-in monitoring hub, all without managing underlying infrastructure.

Azure Logic Apps focuses on event-driven application and workflow integration rather than large-scale data movement and transformation. Azure Databricks provides powerful analytics and transformation but requires Spark knowledge and cluster management, and it lacks the breadth of ready-made connectors and low-code orchestration features. Azure Event Grid is used for event routing, not end-to-end data integration pipelines.