50 az-305 Practice Questions: Question Bank 2025

A company is migrating several apps to Azure. They want to ensure all new and existing resources are tagged with CostCenter and Owner, and any noncompliant resource should be denied at deployment time. The solution must be centrally managed across multiple subscriptions. What should you use?

You need to centralize diagnostic logs from Azure resources across several subscriptions into a single workspace for querying and alerting. You also want to keep access to logs limited to a dedicated operations team. What is the best approach?

An application stores images and videos in Azure. The data is read frequently but is written only during uploads. The solution must support lifecycle management to automatically move older objects to a lower-cost tier while remaining accessible. Which storage option best fits?

A business requires a web application to remain available if an entire Azure region becomes unavailable. The application is stateless and uses a managed database that supports geo-replication. Which design provides the most straightforward regional failover for the web tier?

You have a hub-and-spoke network architecture. Spoke VNets must use the hub’s Azure Firewall for all outbound internet traffic, and the design must minimize administrative overhead when adding new spokes. What should you implement?

A company is designing access for administrators. They want administrators to have eligible (not permanent) access to high-privilege roles and require approval and MFA for activation. What should you recommend?

You need to design a data platform where analytical queries run against large volumes of parquet files stored in Azure Data Lake Storage Gen2. The solution should allow serverless, on-demand querying without managing infrastructure. Which option should you choose?

An application uses Azure SQL Database and has a strict recovery point objective (RPO) of 5 minutes and recovery time objective (RTO) of 30 minutes for regional outages. The solution must support rapid failover to a secondary region. What should you implement?

You are designing a private, large-scale PaaS architecture. Multiple spoke VNets across subscriptions must access Azure Storage and Azure SQL without using public endpoints. You want to centralize DNS resolution and avoid creating custom DNS servers. Which design best meets the requirements?

A company runs a mission-critical workload on Azure Kubernetes Service (AKS). They require protection against both zone failure and region failure. They also want to minimize data loss for the application state stored in an Azure-managed database. Which architecture is most appropriate?

You manage multiple Azure subscriptions for different business units. You need to ensure that any resource created in those subscriptions automatically receives required tags (CostCenter, DataClassification) and that noncompliant deployments are denied. Which solution should you design?

An application stores documents in Azure Blob Storage. The documents must remain in one Azure region for compliance, and access must be possible only from private IP addresses within the company network. Which design meets the requirement with the least public exposure?

You deploy a workload across multiple Azure regions and require automatic failover with minimal administrative overhead for name resolution. Which service should you use to direct users to the healthiest endpoint?

A company wants centralized monitoring for 50 subscriptions. They need to query logs across all subscriptions and create alerts based on those queries. Which design is most appropriate?

You are designing a database tier for a globally distributed application. The data must support low-latency reads in multiple regions and automatic multi-region replication with a single-digit millisecond read latency target. Which option best fits these requirements?

You need to design business continuity for an Azure SQL Database used by a critical application. The requirement is to restore the database to a specific point in time within the last 24 hours, even if the primary region is unavailable. Which design best meets the requirement?

A web application hosted on Azure App Service must consume an internal API hosted on an Azure VM in a virtual network. The API must not be exposed publicly. Which approach should you recommend?

Your organization uses a hub-and-spoke topology. You must ensure that all internet-bound traffic from spoke VNets is inspected by a central firewall in the hub. Which design is most appropriate?

You are designing a solution that uses Azure Storage accounts with customer-managed keys (CMK). Security requires that key usage is auditable and that the Storage account can still access keys even if a regional dependency fails. Which design best meets these requirements?

A trading platform runs on Azure Kubernetes Service (AKS) and requires near-zero data loss for its stateful components. The platform uses managed disks for persistent volumes. You must design a regional disaster recovery strategy that can fail over to another region with minimal data loss and acceptable recovery time. Which approach is most appropriate?

Your organization has multiple Azure subscriptions and wants developers to deploy resources only in approved regions. You must ensure the restriction is enforced consistently and cannot be bypassed by deploying through ARM, Terraform, or the Azure portal. What should you implement?

You need a monitoring solution that allows querying across metrics and logs, and you want to create a dashboard that correlates VM CPU metrics with application exceptions. Which Azure service should you use as the primary workspace and query engine?

You are designing storage for an application that writes millions of small JSON documents per hour and requires low-latency reads using a key-based lookup. The data model evolves frequently and needs automatic indexing. Which data storage option best fits?

A company runs a 3-tier web application on Azure VMs in a single region. The business requires failover to a secondary region with minimal administrative effort. During a regional outage, the application should start in the secondary region using pre-created images and network settings. Which solution best meets these requirements?

You are designing network connectivity for multiple spoke VNets that must privately access Azure PaaS services such as Storage and Key Vault without traversing the public internet. You also want DNS resolution of the private endpoints to work across all spokes. What should you implement?

A company uses Azure API Management (APIM) to expose internal APIs. They require that the gateway is not publicly accessible and that backend APIs are reachable only through private networking. Which configuration best meets the requirement?

You need to design governance for an enterprise where resource naming must follow a convention (for example, <org>-<app>-<env>-<region>-<instance>) and any non-compliant deployments should be blocked. What is the best approach?

You are designing a highly available NVA-based firewall solution in a hub VNet. The solution must support active/active appliances, scale out when throughput increases, and provide symmetric routing for inbound and outbound flows. Which Azure design is most appropriate?

A SQL Server workload runs on Azure VMs and must meet an RPO of 5 minutes and RTO of 30 minutes for regional disasters. The database size is 6 TB. You want near-continuous data replication to a secondary region and the ability to quickly bring the database online there. What should you recommend?

You are designing a data lake on Azure Data Lake Storage Gen2. Multiple teams need fine-grained access control at the folder and file level, and access must be enforceable by the storage service itself (not only by the data processing engine). Which authorization model should you use?

You manage multiple Azure subscriptions under a single tenant. You need to ensure that no one can create public IP addresses in a specific production subscription, while still allowing them in development subscriptions. The solution must be centrally managed and auditable. What should you use?

An application writes audit logs that must be kept for 7 years. The logs are rarely accessed after 90 days, but when accessed they must be retrievable without manual restore operations. Which Azure Storage approach best meets the requirement?

You need to improve observability for a microservices workload running in Azure Kubernetes Service (AKS). You must be able to correlate application traces across services, view container metrics, and query logs centrally. What should you implement?

A company requires that all PaaS services supporting private connectivity must be reachable only via private IP addresses from their virtual networks. They want a scalable design that avoids managing per-service firewall allow lists. What should you recommend?

You are designing multi-region disaster recovery for an Azure SQL Database used by a customer-facing application. The requirement is automatic failover to a secondary region with minimal administrative effort, and the application should connect using a stable endpoint. What should you use?

You need to grant an external consulting company access to manage only a specific resource group in your subscription. Their access must expire automatically after 30 days, and you must be able to review and approve the access request. What should you use?

You are designing storage for a media processing pipeline that requires extremely high IOPS and low latency for temporary working data. The data can be lost if a node fails, and it is recreated from source. Which storage option is the best fit?

A global web application runs in two Azure regions in an active-active design. Users must be routed to the closest healthy region, and failover must be automatic if a region becomes unavailable. The solution must support HTTP/HTTPS and provide health probes. What should you recommend?

You have an on-premises network connected to Azure using ExpressRoute. Multiple VNets in different regions require connectivity to on-premises, and you must minimize operational overhead and ensure transitive connectivity between VNets. Which design should you choose?

You must design a secure solution for an internal application that uses Azure Storage accounts and Azure SQL Database. Requirements: (1) No public network access to either service, (2) Name resolution must work from multiple VNets and on-premises, (3) Centralized governance to prevent accidental public exposure. What is the best overall approach?

You manage multiple Azure subscriptions and need to ensure that any user who creates a virtual machine must apply tags for CostCenter and DataClassification. The requirement must be enforced automatically at deployment time. What should you use?

A team needs a simple way to store and rotate secrets (connection strings and API keys) used by Azure App Service and Azure Functions. The solution must support access control via Azure AD and provide auditing of secret access. What should you recommend?

You need to give a vendor temporary access to a single Azure subscription to troubleshoot resources. The access must expire automatically after 8 hours and the vendor should only have the minimum permissions required. What should you use?

A financial services application stores transaction data in Azure SQL Database. You must provide protection against accidental deletion or corruption and allow point-in-time restoration for up to 30 days. What is the recommended approach?

You are designing a landing zone. The security team requires that all PaaS services that support it must be accessible only via private IPs from your virtual networks, and public network access must be disabled whenever possible. Which approach best meets this requirement across services?

An organization runs multiple Azure Kubernetes Service (AKS) clusters across regions. They need centralized collection of container logs and performance metrics, and they must correlate cluster telemetry with VM and PaaS telemetry in a single workspace. What should you recommend?

You need to design storage for a media workflow that writes large video files and then performs parallel processing across thousands of files. The workload requires POSIX-like file semantics and must be mountable by Linux VMs and containers. Which storage option is the best fit?

A company requires that all resources across subscriptions send activity and resource logs to a central location. The logs must be retained long term and queried frequently by security analysts. Which architecture is recommended?

You are designing a highly available web application deployed across two Azure regions. Users must be routed to the closest healthy region, and failover must occur automatically when a region becomes unavailable. The solution should operate at the DNS level and support endpoint health probes. What should you use?

You must design a governance model that ensures teams can deploy resources, but only from approved configurations. Specifically, certain VM SKUs and regions are allowed, and all deployments must include a standard set of security settings. The solution should be manageable at scale and support versioning and approvals. What should you recommend?