Free AZ-305 Practice Questions with Detailed Explanations

Test your Azure Solutions Architect Expert readiness with 25 free practice questions covering identity, storage, business continuity, and infrastructure design.

Updated April 2026
AZ-305 Expert

The AZ-305 (Designing Microsoft Azure Infrastructure Solutions) is the Expert-level exam for Azure Solutions Architects. It tests your ability to design complex Azure solutions — not just know what services exist, but recommend the RIGHT service for a given set of requirements, trade-offs, and constraints. Expect architecture decision scenarios, not configuration details.

These 25 questions represent the hardest question style on the exam: multi-requirement scenarios where you must weigh cost, scalability, SLA, compliance, and simplicity simultaneously. You need AZ-104 (or equivalent experience) before taking AZ-305.

What You'll Get:

  • 25 scenario-based architecture questions across all exam domains
  • Multi-requirement trade-off questions — real Expert-level format
  • Detailed explanations covering why each option is right or wrong
  • Scoring guide to assess your readiness

What These Questions Cover

  • Identity & Governance (6 questions): Entra ID, RBAC, Policy, Management Groups
  • Data Storage (6 questions): Storage accounts, databases, data lakes
  • Business Continuity (6 questions): HA, DR, backup, Azure Site Recovery
  • Infrastructure (7 questions): Compute, migration, networking, monitoring

📝 Practice Test Instructions

  • Each question has ONE best answer — architecture questions require choosing the BEST fit
  • Focus on requirements: cost, SLA, RPO/RTO, scalability, compliance
  • Note your answers before scrolling to the answer key
  • Aim to complete all 25 questions in 30 minutes
🔑

Identity, Governance & Monitoring

Questions 1–6

1

Management Groups and Policy

Your organization has 8 Azure subscriptions across 3 business units. Each business unit must have its own set of Azure Policies enforced consistently. Corporate security policies must apply to ALL subscriptions. New subscriptions should automatically inherit corporate policies.

What is the BEST governance design?

A) Create a Management Group hierarchy: Root (corporate policies) → Business Unit MGs (BU-specific policies) → subscriptions. Policies at each level inherit downward.
B) Apply Azure Policy to each subscription individually
C) Use Azure Blueprints to apply policies to each subscription separately
D) Create a single subscription and use resource groups for business unit separation
2

Azure AD B2B vs B2C

Contoso is building two applications: (1) An internal collaboration portal for partner company employees who need to access Contoso's SharePoint using their own company credentials. (2) A public e-commerce website where millions of external customers can sign up with email, Google, or Facebook.

Which identity solution should be used for each application?

A) Both should use Azure AD B2C
B) Application 1: Azure AD B2B (external guest collaboration). Application 2: Azure AD B2C (customer identity management)
C) Both should use Azure AD B2B
D) Application 1: Custom identity provider. Application 2: Azure AD B2B
3

Managed Identity

An Azure Function needs to retrieve secrets from Azure Key Vault to connect to a database. The current approach hard-codes a service principal client ID and secret in application settings. The security team wants to eliminate stored credentials entirely.

What is the recommended approach?

A) Store the service principal credentials in Azure Key Vault instead of app settings
B) Use a User-Assigned Managed Identity shared across all functions in the subscription
C) Assign a System-Assigned Managed Identity to the Azure Function and grant it Key Vault Secrets User role — no credentials needed
D) Rotate the service principal secret every 30 days using Azure Key Vault rotation
4

Azure Monitor and Log Analytics

You are designing a centralized monitoring solution for 12 Azure subscriptions across 4 regions. The security team needs all security events in one place for SIEM integration. The operations team needs application performance metrics. Both teams need data from all subscriptions.

What is the BEST monitoring architecture?

A) Create one Log Analytics workspace per subscription (12 total)
B) Create one workspace per region (4 total) and query across workspaces
C) Use Azure Monitor Metrics only — no Log Analytics needed for centralized monitoring
D) Create a centralized Log Analytics workspace, configure diagnostic settings in all subscriptions to send to it, and connect it to Microsoft Sentinel for SIEM
5

Azure RBAC Design

Your organization needs to ensure: (1) The DevOps team can deploy resources to production but cannot change RBAC assignments. (2) The security team can view all resources across all subscriptions for auditing but cannot modify anything. (3) Only two senior architects can manage role assignments.

Which RBAC role assignments satisfy ALL three requirements?

A) DevOps: Contributor (no RBAC rights). Security: Reader at Management Group. Architects: User Access Administrator
B) DevOps: Owner. Security: Reader. Architects: User Access Administrator
C) DevOps: Owner. Security: Security Reader. Architects: Owner
D) All three teams: Owner with resource locks applied
6

Azure Cost Management

Your organization wants to: (1) Prevent any single team from spending more than $10,000/month in their subscription. (2) Get an alert when spending reaches 80% of the budget. (3) Automatically shut down non-production VMs when the budget is exceeded.

Which Azure Cost Management features address all three requirements?

A) Azure Policy to block resource creation above a cost threshold
B) Azure Budgets with alert thresholds at 80% and 100%, plus a budget action group that triggers an Azure Automation runbook to stop VMs
C) Azure Advisor cost recommendations with automated remediation
D) Azure Reservations with a spending cap
🗄️

Data Storage Solutions

Questions 7–12

7

Storage Account Redundancy

A financial services company stores transaction audit logs in Azure Blob Storage. Requirements: (1) Data must survive a complete Azure region failure. (2) Read access to the secondary region must be available even when the primary region is degraded. (3) Cost should be optimized.

Which Azure Storage redundancy option meets ALL requirements?

A) Zone-Redundant Storage (ZRS)
B) Geo-Redundant Storage (GRS)
C) Read-Access Geo-Redundant Storage (RA-GRS)
D) Locally Redundant Storage (LRS) with manual backup to another region
8

Azure SQL vs Cosmos DB

You need to design a data store for an e-commerce product catalog. Requirements: (1) Globally distributed across 5 regions with < 10ms read latency everywhere. (2) Schema-flexible — product attributes vary significantly by category. (3) Automatic scaling with no capacity planning. (4) 99.999% availability SLA.

Which Azure database service BEST meets all requirements?

A) Azure SQL Database Hyperscale
B) Azure Cache for Redis
C) Azure SQL Database Business Critical with geo-replication
D) Azure Cosmos DB with multi-region writes
9

Azure SQL Tiers

A healthcare application uses Azure SQL Database. Requirements: (1) < 1ms I/O latency for OLTP workloads. (2) Built-in high availability with 99.99% SLA. (3) In-memory read replica for reporting queries without impacting the primary. (4) Supports up to 4 TB database size.

Which Azure SQL Database service tier meets ALL requirements?

A) Business Critical
B) General Purpose
C) Hyperscale
D) Standard (DTU-based)
10

Azure Data Lake vs Blob Storage

A data engineering team needs to store 500 TB of raw log files from IoT devices, run Apache Spark analytics jobs on the data, apply hierarchical security (folder-level ACLs per team), and integrate with Azure Synapse Analytics.

Which storage service is BEST suited for this big data analytics scenario?

A) Azure Blob Storage (GPv2) with hot tier
B) Azure Data Lake Storage Gen2 (ADLS Gen2)
C) Azure Files with premium tier
D) Azure Table Storage
11

Storage Lifecycle Management

Your organization stores documents in Azure Blob Storage. Access patterns: frequent access for 30 days, occasional access for 31-90 days, rarely accessed after 90 days, must be retained for 7 years but never accessed after 1 year.

Which storage configuration minimizes cost while meeting all access and retention requirements?

A) Store everything in Hot tier for 7 years
B) Store in Cool tier for 7 years to balance cost and access speed
C) Use lifecycle management policies: Hot (0-30 days) → Cool (31-90 days) → Cold (91-365 days) → Archive (366 days - 7 years), then delete
D) Use Azure Backup to archive data after 90 days
12

Database Migration Strategy

A company needs to migrate a 10 TB SQL Server 2016 database to Azure with: (1) Minimal downtime (< 4 hours cutover window). (2) No application code changes. (3) Automatic patching and backups managed by Azure. (4) The same SQL Server feature set the app relies on (SQL Agent, CLR, linked servers).

Which Azure SQL migration target is the BEST fit?

A) Azure SQL Database (single database)
B) Azure Synapse Analytics dedicated SQL pool
C) SQL Server on Azure Virtual Machine
D) Azure SQL Managed Instance
🔄

Business Continuity Solutions

Questions 13–18

13

RTO vs RPO

A business-critical payment processing system has these requirements: "We can tolerate losing at most 5 minutes of transaction data. The system must be back online within 30 minutes of a failure."

How do these requirements translate into DR metrics?

A) RPO = 5 minutes (max data loss), RTO = 30 minutes (max downtime)
B) RTO = 5 minutes, RPO = 30 minutes
C) Both are RTO measurements at different severity levels
D) RPO = 30 minutes, RTO = 5 minutes
14

Azure Site Recovery

Your organization runs 50 on-premises VMware VMs hosting critical business applications. You need a disaster recovery solution that: (1) Replicates VMs to Azure continuously. (2) Allows test failovers without impacting production. (3) Achieves RPO of < 15 minutes and RTO of < 1 hour.

Which Azure service is purpose-built for this use case?

A) Azure Backup
B) Azure Site Recovery (ASR)
C) Azure Migrate
D) Azure VM replication via Azure Backup agent
15

Azure VM High Availability

You are deploying a 3-tier application (web, app, database) on Azure VMs. Each tier must tolerate a single VM failure without any downtime. The app tier specifically must survive an Azure datacenter failure within the same region.

What should you use for the app tier VMs to survive datacenter failure within the same region?

A) Place all app tier VMs in the same Availability Set
B) Deploy app tier VMs in two separate regions with Traffic Manager
C) Distribute app tier VMs across Availability Zones (zone-redundant deployment)
D) Use Azure VMSS with fault domains configured
16

Azure Backup Strategy

Your organization needs to back up: 100 Azure VMs, 20 SQL databases on Azure VMs, and file shares on Azure Files. The backup policy requires: 30-day daily retention, 12-month monthly retention, and backups stored in a vault that protects against accidental deletion by admins.

Which Azure Backup features meet ALL requirements?

A) Azure Backup Center with a single backup policy for all workloads
B) Azure Backup with Storage Accounts (no vault needed) and resource locks
C) Azure Site Recovery for VMs plus manual database exports to blob storage
D) Azure Backup with Recovery Services Vault, multiple backup policies for each workload type, and soft-delete enabled on the vault
17

Multi-Region Architecture

A global SaaS application must achieve 99.99% availability. The architecture runs in Azure East US. You need to design a multi-region failover. Traffic must automatically route to the secondary region (West US) if East US becomes unavailable. RTO < 5 minutes.

Which traffic routing solution achieves automatic failover with < 5 minute RTO?

A) Azure Front Door with origin groups and health probes (anycast-based, faster failover)
B) Azure Traffic Manager with Priority routing and health probes
C) Azure Load Balancer Standard with cross-region configuration
D) Azure DNS with low TTL and manual failover
18

Azure SQL Business Continuity

A mission-critical Azure SQL Database needs: (1) RPO of 0 seconds (zero data loss) for planned maintenance. (2) RTO < 30 seconds for regional failover. (3) The secondary database must be readable for reporting. (4) Automatic failover without manual intervention.

Which Azure SQL Business Continuity feature meets ALL requirements?

A) Active geo-replication with manual failover
B) Auto-failover group with read-scale secondary
C) Azure SQL Database Backup with geo-restore
D) Zone-redundant Azure SQL Database Business Critical

Infrastructure Solutions

Questions 19–25

19

Compute Selection

A startup is building a new web API. Requirements: (1) Auto-scales from 0 to 1000 requests/second. (2) No infrastructure management. (3) Pay only when code executes (cost-effective for unpredictable traffic). (4) Stateless request handling. (5) Maximum execution time of 5 minutes per request.

Which Azure compute service BEST meets all requirements?

A) Azure Virtual Machines with autoscale
B) Azure Container Apps
C) Azure Functions (Consumption plan)
D) Azure App Service (Free tier)
20

Container Strategy

A development team has containerized a microservices application with 15 services. Requirements: (1) Services must auto-scale independently. (2) Service-to-service networking with internal DNS. (3) No Kubernetes expertise in the team. (4) KEDA-based event-driven scaling for queue processors. (5) Managed infrastructure.

Which Azure service is the BEST fit?

A) Azure Kubernetes Service (AKS)
B) Azure App Service with containers
C) Azure Container Instances
D) Azure Container Apps
21

Migration Strategy

A company wants to migrate 200 on-premises VMs to Azure. They need to: (1) Assess VM dependencies before migration. (2) Estimate Azure costs for each VM. (3) Test migrate VMs before final cutover. (4) Replicate VMs with minimal disruption to production.

Which Azure service provides this end-to-end VM migration capability?

A) Azure Migrate
B) Azure Site Recovery
C) Azure Database Migration Service
D) Azure Import/Export service
22

App Service vs AKS

You need to choose between Azure App Service and Azure Kubernetes Service for a web application. The application: (1) Is a single .NET web app (no microservices). (2) Needs auto-scale and SSL termination. (3) The team has no container or Kubernetes experience. (4) Must deploy in < 30 minutes from scratch.

Which service is the BEST fit and why?

A) AKS — more scalable and future-proof
B) Azure App Service — purpose-built for web apps, no container/k8s knowledge needed, deploys in minutes, built-in autoscale and SSL
C) Azure Container Instances — simplest container hosting
D) Azure Functions — best for web APIs
23

Landing Zone Design

Your organization is establishing an Azure landing zone for enterprise adoption. You need: connectivity hub, identity services, policy enforcement, and isolation between workloads. The design must scale to 50+ subscriptions over 3 years.

Which reference architecture provides the recommended pattern for enterprise-scale Azure governance?

A) Single subscription with resource group separation
B) Multiple independent subscriptions with no central governance
C) Azure Landing Zone (ALZ) accelerator with Management Groups, hub-spoke networking, and centralized policy
D) Azure Blueprints applied to each new subscription manually
24

Key Vault Architecture

Your application stores secrets in Azure Key Vault. Requirements: (1) Secrets must be accessible even if a single Azure datacenter fails. (2) All secret access must be logged for compliance. (3) If a secret is accidentally deleted, it must be recoverable for 90 days. (4) The Key Vault itself must not be permanently deleted by mistake.

Which Key Vault configuration meets ALL requirements?

A) A single Key Vault with access logging enabled
B) Key Vault with private endpoint and access policies
C) Two Key Vaults in different regions with manual secret replication
D) Zone-redundant Key Vault with diagnostic logging to Log Analytics, soft-delete enabled (90-day retention), and purge protection enabled
25

Well-Architected Framework

You are reviewing an architecture for a customer-facing application. You identify: VMs are over-provisioned by 70%, there is no health monitoring, deployments cause 20-minute downtime windows, there is no encryption for data at rest, and the architecture cannot scale beyond current capacity.

Which Microsoft Azure Well-Architected Framework pillars are violated by these issues, in order?

A) Cost Optimization (over-provisioning), Reliability (no monitoring, downtime), Security (no encryption), Performance Efficiency (can't scale), Operational Excellence (manual deployments)
B) Security, Reliability, Performance Efficiency, Cost Optimization, Operational Excellence
C) All five pillars are fine — these are minor operational concerns
D) Only the Security pillar is violated

✋ Stop Here Before Scrolling!

Have you answered all 25 questions? Complete the test before checking the answers below.

Pro tip: AZ-305 is about choosing the BEST option given constraints — practice explaining WHY each option is wrong too

📝 Answer Key with Detailed Explanations

Review each explanation carefully, even for questions you answered correctly

Quick Answer Reference

Q1: A | Q2: B | Q3: C | Q4: D | Q5: A
Q6: B | Q7: C | Q8: D | Q9: A | Q10: B
Q11: C | Q12: D | Q13: A | Q14: B | Q15: C
Q16: D | Q17: A | Q18: B | Q19: C | Q20: D
Q21: A | Q22: B | Q23: C | Q24: D | Q25: A
1

Question 1: Management Groups and Policy

✓ Correct Answer: A) Management Group hierarchy with inherited policies

Why this is correct:

Management Groups create a hierarchical structure above subscriptions. Policies applied at a parent Management Group are automatically inherited by all child groups and subscriptions. The Root MG is the parent of all MGs — apply corporate policies there. Business Unit MGs sit below Root and can have additional BU-specific policies. New subscriptions placed under an MG automatically inherit its policies.

Why other answers are incorrect:

B: Per-subscription policy assignment doesn't scale — 8 subscriptions now, potentially hundreds later. Each new subscription requires manual policy assignment.
C: Azure Blueprints help with initial subscription setup but don't provide ongoing inherited policy enforcement like Management Groups do.
D: A single subscription violates separation of concerns and billing isolation between business units.

💡 Key Concept:

Management Group hierarchy: Tenant Root Group → (optional intermediate MGs) → Subscriptions. Policy and RBAC assignments inherit downward. The hierarchy can be up to 6 levels deep. A subscription can be in only ONE Management Group at a time.

2

Question 2: Azure AD B2B vs B2C

✓ Correct Answer: B) Application 1: Azure AD B2B. Application 2: Azure AD B2C

Why this is correct:

B2B (Business-to-Business) is for external partner/organization users who authenticate with their OWN organization's identity provider — they use their company credentials to access your resources as guests. B2C (Business-to-Consumer) is for consumer/customer identity management at massive scale, supporting social logins (Google, Facebook), email OTP, and custom branded sign-up flows.

Why other answers are incorrect:

A: B2C for partner employees would force them to create new accounts — B2B lets them use existing company credentials.
C: B2B for millions of external consumers doesn't scale for consumer-grade registration flows with social logins.
D: Custom identity providers add unnecessary complexity when Azure provides the right tools for each scenario.

💡 Key Concept:

B2B = federate partner identities (they bring their own IdP). B2C = consumer identity management (you manage sign-up, social login, MFA). Easy memory: B2B = partner employees, B2C = external customers/public.

3

Question 3: Managed Identity

✓ Correct Answer: C) System-Assigned Managed Identity with Key Vault Secrets User role

Why this is correct:

System-Assigned Managed Identity eliminates ALL stored credentials. Azure automatically manages the identity's lifecycle (creates it when the resource is created, deletes it when the resource is deleted). The function authenticates to Key Vault using its managed identity — no client ID, no secret, no rotation needed. Granting Key Vault Secrets User role (RBAC) allows reading secrets.

Why other answers are incorrect:

A: Storing the service principal secret in Key Vault still requires credentials to ACCESS Key Vault — circular dependency and still a secret to manage.
B: User-Assigned Managed Identity is appropriate for shared identity across multiple resources — for a single Azure Function, System-Assigned is simpler and tied to the function lifecycle.
D: Rotating secrets every 30 days reduces exposure window but still leaves credentials in application settings — doesn't eliminate stored credentials.

💡 Key Concept:

System-Assigned vs User-Assigned MI: System-Assigned = 1:1 with the Azure resource, auto-deleted with resource. User-Assigned = standalone resource, can be assigned to multiple resources, survives resource deletion. Use User-Assigned when you need the same identity on multiple resources.

4

Question 4: Centralized Monitoring

✓ Correct Answer: D) Centralized Log Analytics workspace with Sentinel

Why this is correct:

A single centralized Log Analytics workspace allows all subscriptions to send diagnostic data to one place. Queries run across all data in one workspace — no cross-workspace join complexity. Microsoft Sentinel connects to the Log Analytics workspace and provides SIEM/SOAR on top. Application Insights (for app performance) can also send to the same workspace.

Why other answers are incorrect:

A: One workspace per subscription creates 12 silos — cross-subscription queries require union queries across workspaces, SIEM integration is complex, and management overhead is high.
B: Four regional workspaces reduce (but don't eliminate) cross-workspace query complexity, and regions don't align with business boundaries — the subscription boundary matters more for security data.
C: Azure Monitor Metrics are real-time numeric telemetry — they don't provide the log correlation, security event analysis, or long-term retention that Log Analytics workspaces provide.

💡 Key Concept:

Azure Monitor architecture: Azure Monitor collects → Metrics (numeric, 93-day retention, free) → Metrics Explorer. Logs (text, configurable retention) → Log Analytics Workspace → KQL queries. Sentinel sits on top of a Log Analytics workspace for SIEM.

5

Question 5: Azure RBAC Design

✓ Correct Answer: A) DevOps: Contributor. Security: Reader at MG. Architects: User Access Administrator

Why this is correct:

Contributor grants create/delete/modify rights but NOT RBAC management rights — perfect for DevOps. Reader at Management Group inherits Reader to all subscriptions/resources — perfect for cross-subscription auditing without modify access. User Access Administrator specifically grants the ability to manage role assignments — only what architects need.

Why other answers are incorrect:

B: Owner includes RBAC management — DevOps shouldn't be able to change role assignments.
C: Owner for architects is broader than needed (they'd have Contributor rights too). Security Reader is a specific role for security-related data — broader Reader is more appropriate for general auditing.
D: Owner + resource locks doesn't remove RBAC management rights — all three teams would have full access.

💡 Key Concept:

RBAC roles to memorize: Owner (everything + RBAC). Contributor (everything except RBAC). Reader (view only). User Access Administrator (RBAC only, no resource management). Assign minimum required privilege — never Owner unless RBAC management is needed.
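
The role split in Question 5 can be checked mechanically. This is an added example, not part of the original practice test and not Microsoft's code: it evaluates abridged copies of the built-in role definitions (Actions minus NotActions) against the three requirements, using the downward scope inheritance described for Management Groups in Question 1. The scope names, principal names, and the scopes chosen for DevOps and the architects are assumptions.

```python
"""Check Question 5's role split against abridged Azure built-in role definitions."""
from fnmatch import fnmatchcase

# Abridged control-plane definitions of four built-in roles.
# Contributor's real NotActions list is longer; only the RBAC-related entries are kept.
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "not_actions": [],
    },
}

# Constructed scope hierarchy, child -> parent (hypothetical names).
PARENT = {"sub-prod": "mg-corp", "sub-dev": "mg-corp", "mg-corp": None}

# Option A from Question 5. The scopes for DevOps and Architects are assumptions;
# the question only fixes the Security team's scope (Management Group).
ASSIGNMENTS = [
    ("devops", "Contributor", "sub-prod"),
    ("security", "Reader", "mg-corp"),
    ("architects", "User Access Administrator", "mg-corp"),
]

DEPLOY = "Microsoft.Compute/virtualMachines/write"
READ_VM = "Microsoft.Compute/virtualMachines/read"
ASSIGN_ROLE = "Microsoft.Authorization/roleAssignments/write"


def _matches(pattern, action):
    # Azure action strings are case-insensitive and '*' spans path separators.
    return fnmatchcase(action.lower(), pattern.lower())


def role_allows(role_name, action):
    """A role grants an action if it matches Actions and no NotActions entry."""
    role = ROLES[role_name]
    granted = any(_matches(p, action) for p in role["actions"])
    excluded = any(_matches(p, action) for p in role["not_actions"])
    return granted and not excluded


def scope_chain(scope):
    """The scope itself followed by every ancestor up to the root."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = PARENT[scope]
    return chain


def is_allowed(principal, action, scope, assignments=ASSIGNMENTS):
    """Assignments are additive: any role at the scope or an ancestor can grant."""
    chain = scope_chain(scope)
    return any(
        who == principal and at in chain and role_allows(role, action)
        for who, role, at in assignments
    )


def check_question5(assignments=ASSIGNMENTS):
    subs = ("sub-prod", "sub-dev")
    return {
        "devops_can_deploy": is_allowed("devops", DEPLOY, "sub-prod", assignments),
        "devops_cannot_assign_roles": not is_allowed(
            "devops", ASSIGN_ROLE, "sub-prod", assignments),
        "security_reads_all_subscriptions": all(
            is_allowed("security", READ_VM, s, assignments) for s in subs),
        "security_cannot_modify": not any(
            is_allowed("security", DEPLOY, s, assignments) for s in subs),
        "architects_can_assign_roles": is_allowed(
            "architects", ASSIGN_ROLE, "sub-prod", assignments),
        "architects_cannot_deploy": not is_allowed(
            "architects", DEPLOY, "sub-prod", assignments),
    }


if __name__ == "__main__":
    for requirement, ok in check_question5().items():
        print(f"{requirement}: {'PASS' if ok else 'FAIL'}")
```

NotActions subtract only from the same role's Actions; they are not a deny. A principal holding Contributor plus any second role that grants `Microsoft.Authorization/*` can still write role assignments, which is why auditing effective access means evaluating all assignments on the scope chain together.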

6

Question 6: Azure Cost Management

✓ Correct Answer: B) Azure Budgets with alert thresholds and action groups triggering Automation runbooks

Why this is correct:

Azure Budgets allow you to: set a spending limit ($10,000/month), configure alert thresholds at percentages (80% alert + 100% action), and trigger action groups when thresholds are reached. Action groups can call webhooks, which can trigger Azure Automation runbooks to stop VMs programmatically.

Why other answers are incorrect:

A: Azure Policy can block resource CREATION based on SKU type or count, but cannot dynamically block spending based on real-time cost tracking.
C: Azure Advisor provides cost recommendations for rightsizing — it's advisory only, not automated enforcement with thresholds.
D: Azure Reservations are pre-committed pricing discounts — they don't enforce spending caps or generate threshold alerts.

💡 Key Concept:

Azure Budget automation: Budget threshold reached → triggers Action Group → Action Group calls Automation webhook → Runbook stops non-prod VMs. Budget alerts are near-real-time but have up to 12-hour latency. Cost analysis ≠ Budget — budgets enforce, analysis reports.

7

Question 7: Storage Redundancy

✓ Correct Answer: C) Read-Access Geo-Redundant Storage (RA-GRS)

Why this is correct:

RA-GRS replicates data to a secondary region (geo-redundant) AND provides read access to the secondary endpoint even while the primary region is healthy or degraded. This satisfies: survives regional failure (geo), readable secondary without waiting for failover (RA), and is cost-optimized compared to RA-GZRS.

Why other answers are incorrect:

A: ZRS protects against datacenter (zone) failure within a region — it does NOT survive a complete regional failure.
B: GRS replicates to a secondary region but the secondary endpoint is NOT readable until Microsoft initiates a failover — doesn't satisfy requirement #2.
D: Manual backup to another region creates RPO gaps (how often is backup performed?) and doesn't provide instant failover or read access.

💡 Key Concept:

Storage redundancy hierarchy: LRS (3 copies, 1 datacenter) < ZRS (3 zones, 1 region) < GRS (2 regions, secondary not readable) < RA-GRS (2 regions, secondary readable) < GZRS (ZRS primary + GRS) < RA-GZRS (highest durability + read access). Cost increases with each tier.

8

Question 8: Cosmos DB

✓ Correct Answer: D) Azure Cosmos DB with multi-region writes

Why this is correct:

Cosmos DB is designed for global distribution with < 10ms p99 reads/writes, schema-flexible (NoSQL — JSON documents perfect for variable product attributes), auto-scale serverless or autoscale provisioned throughput, and a 99.999% SLA with multi-region writes. No other Azure database service offers all four simultaneously.

Why other answers are incorrect:

A: Azure SQL Hyperscale scales to 100 TB and supports fast reads, but SQL is schema-fixed, supports at most 4 readable replicas (not 5 write regions), and has a lower SLA than Cosmos DB multi-region.
B: Azure Cache for Redis is an in-memory key-value cache — not a primary database for persistent product catalog data.
C: SQL Database Business Critical has geo-replication (up to 4 secondaries) but is schema-fixed (relational), and geo-replicas are read-only — doesn't meet multi-region write requirement.

💡 Key Concept:

Cosmos DB key metrics: 99.999% SLA (5 nines) with multi-region writes. < 10ms p99 latency. Multiple APIs: Core (SQL), MongoDB, Cassandra, Gremlin, Table. RU/s = throughput unit. Serverless vs Provisioned vs Autoscale.

9

Question 9: Azure SQL Tiers

✓ Correct Answer: A) Business Critical

Why this is correct:

Business Critical tier uses local SSD storage for < 1ms I/O latency, includes a built-in readable secondary replica for reporting workloads (at no extra cost), supports up to 4 TB, and provides 99.99% SLA with built-in HA using Always On Availability Groups internally.

Why other answers are incorrect:

B: General Purpose uses remote storage (Azure Premium Storage) — not < 1ms I/O latency. It also doesn't include a built-in readable replica.
C: Hyperscale supports up to 100 TB and has fast I/O, but readable replicas are an add-on, and the internal architecture is different (log service-based, not AG-based).
D: Standard DTU-based is a legacy tier with limited performance — doesn't meet the latency or built-in replica requirements.

💡 Key Concept:

Azure SQL tiers: General Purpose = balanced price/performance, remote storage. Business Critical = highest performance, local SSD, built-in read replica, highest HA. Hyperscale = massive scale (100 TB+), fast snapshots. Choose by: GP for most workloads, BC for low-latency OLTP, Hyperscale for very large databases.

10

Question 10: Azure Data Lake Storage Gen2

✓ Correct Answer: B) Azure Data Lake Storage Gen2 (ADLS Gen2)

Why this is correct:

ADLS Gen2 is built on Blob Storage but adds: hierarchical namespace (folders with true POSIX-compliant ACLs for folder-level security), optimized for big data analytics (columnar reads, Parquet support), native Spark connector, and direct integration with Azure Synapse Analytics. It's designed exactly for this scenario.

Why other answers are incorrect:

A: Blob Storage GPv2 supports hot/cool/archive but lacks hierarchical namespace (ACLs are per-blob, not folder-level) and big data analytics optimization.
C: Azure Files is a fully managed SMB/NFS file share — optimized for lift-and-shift file server scenarios, not 500 TB analytics workloads.
D: Azure Table Storage is a key-value NoSQL store — not designed for large binary file storage or Spark analytics.

💡 Key Concept:

ADLS Gen2 key features over Blob Storage: Hierarchical namespace (HNS) enables folder-level ACLs and atomic directory operations. Better performance for analytics (optimized reads). Synapse native integration. Enable HNS when creating the storage account — cannot enable post-creation.

11

Question 11: Storage Lifecycle Management

✓ Correct Answer: C) Lifecycle management: Hot → Cool → Cold → Archive → Delete

Why this is correct:

Azure Blob Storage lifecycle management policies automatically move blobs between tiers based on age. The optimal tier progression minimizes cost: Hot (frequent access) → Cool (infrequent, 30-day minimum) → Cold (rare, 90-day minimum) → Archive (offline, very cheap, 180-day minimum). Delete after 7 years satisfies retention.

Why other answers are incorrect:

A: Storing everything in Hot tier for 7 years is 5-10x more expensive than necessary — Hot tier has the highest storage cost.
B: Cool tier for 7 years is cheaper than Hot but more expensive than progressively tiering down to Archive for rarely accessed data.
D: Azure Backup is designed for VM and database protection, not blob storage lifecycle management — and doesn't automatically tier data between storage tiers.

💡 Key Concept:

Blob tier costs (approximate): Hot = highest storage cost, lowest access cost. Cool = lower storage, higher access. Cold = even lower storage, higher access. Archive = lowest storage (60-70% cheaper than Hot), very high access cost + rehydration delay. Match tier to access frequency.
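
Option C from Question 11 written out as a lifecycle management policy, with a check that each tier is held for at least the minimum period quoted in the explanation above. This is an added example, not part of the original practice test: the rule name is hypothetical, 7 years is taken as 7 × 365 days, and the helper functions are illustrative.

```python
"""Question 11, option C, as a Blob Storage lifecycle policy plus a tier-residency check."""
import copy

RETENTION_DAYS = 7 * 365  # 7-year retention, leap days ignored (assumption)

# Policy in the JSON shape used by Blob Storage lifecycle management.
POLICY = {
    "rules": [{
        "enabled": True,
        "name": "tier-down-then-delete",  # hypothetical rule name
        "type": "Lifecycle",
        "definition": {
            "filters": {"blobTypes": ["blockBlob"]},
            "actions": {"baseBlob": {
                "tierToCool": {"daysAfterModificationGreaterThan": 30},
                "tierToCold": {"daysAfterModificationGreaterThan": 90},
                "tierToArchive": {"daysAfterModificationGreaterThan": 365},
                "delete": {"daysAfterModificationGreaterThan": RETENTION_DAYS},
            }},
        },
    }]
}

ACTION_STATE = {"tierToCool": "Cool", "tierToCold": "Cold",
                "tierToArchive": "Archive", "delete": "Deleted"}
# Minimum days per tier, as quoted in the Question 11 explanation.
MIN_DAYS = {"Cool": 30, "Cold": 90, "Archive": 180}


def steps(policy):
    """Sorted (threshold_days, resulting_state) pairs from the first rule."""
    actions = policy["rules"][0]["definition"]["actions"]["baseBlob"]
    return sorted(
        (spec["daysAfterModificationGreaterThan"], ACTION_STATE[name])
        for name, spec in actions.items()
    )


def state_on_day(policy, age_days):
    """Tier (or 'Deleted') of a blob last modified age_days ago."""
    state = "Hot"
    for threshold, new_state in steps(policy):
        if age_days > threshold:  # 'GreaterThan' semantics: day 30 is still Hot
            state = new_state
    return state


def short_stays(policy):
    """(tier, days_held, minimum) for every tier left before its minimum period."""
    ordered = steps(policy)
    problems = []
    for (start, tier), (end, _next_state) in zip(ordered, ordered[1:]):
        held = end - start
        if tier in MIN_DAYS and held < MIN_DAYS[tier]:
            problems.append((tier, held, MIN_DAYS[tier]))
    return problems


def with_threshold(policy, action, days):
    """Copy of the policy with one action's threshold changed."""
    changed = copy.deepcopy(policy)
    base = changed["rules"][0]["definition"]["actions"]["baseBlob"]
    base[action]["daysAfterModificationGreaterThan"] = days
    return changed


if __name__ == "__main__":
    for day in (30, 31, 91, 366, RETENTION_DAYS + 1):
        print(day, state_on_day(POLICY, day))
    print("short stays:", short_stays(POLICY))
```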

12

Question 12: SQL Managed Instance

✓ Correct Answer: D) Azure SQL Managed Instance

Why this is correct:

Azure SQL Managed Instance provides near 100% SQL Server compatibility — including SQL Agent, CLR, linked servers, cross-database queries, and DTC. It's fully PaaS (automated patching and backups). Migration uses Azure Database Migration Service with online migration for < 4 hour downtime. It supports up to 8 TB.

Why other answers are incorrect:

A: Azure SQL Database (single database) doesn't support SQL Agent, CLR, cross-database queries, or linked servers — it would require significant application changes.
B: Azure Synapse dedicated SQL pool is an MPP data warehouse — not an OLTP SQL Server replacement.
C: SQL Server on Azure VM is IaaS — you manage OS patching, SQL patching, backups, and HA yourself. Not fully automated.

💡 Key Concept:

SQL migration target decision: Need SQL Agent/CLR/linked servers → SQL Managed Instance. Cloud-native, no compatibility concerns → Azure SQL Database. Need full SQL Server control/features → SQL on Azure VM. Data warehouse/analytics → Synapse Analytics.

Question 13: RTO vs RPO

✓ Correct Answer: A) RPO = 5 minutes (max data loss), RTO = 30 minutes (max downtime)

Why this is correct:

RPO (Recovery Point Objective) = maximum acceptable data loss, measured as time. "We can tolerate losing 5 minutes of data" = RPO of 5 minutes. RTO (Recovery Time Objective) = maximum acceptable downtime — how long the system can be unavailable. "Back online within 30 minutes" = RTO of 30 minutes.

Why other answers are incorrect:

B: RTO and RPO are swapped — RPO is data loss tolerance (5 min), RTO is recovery time (30 min).
C: RPO and RTO are different metrics — they measure different dimensions (data loss vs downtime), not the same thing at different severity levels.
D: Still swapped — RPO measures data loss, RTO measures recovery time.

💡 Key Concept:

Memory trick: RPO = "Point" of last good data (how far back do we go?). RTO = "Time" to recover (how long until we're back?). Lower RPO = more frequent backups/replication. Lower RTO = faster failover/recovery mechanisms.

Question 14: Azure Site Recovery

✓ Correct Answer: B) Azure Site Recovery (ASR)

Why this is correct:

Azure Site Recovery provides continuous replication of VMware/Hyper-V/physical VMs to Azure. It achieves RPO of seconds to minutes (not hours like backup) via continuous replication. Test failovers run in an isolated network without impacting production. RTO is typically 15-30 minutes for orchestrated failover.

Why other answers are incorrect:

A: Azure Backup takes periodic snapshots (hourly at best) — RPO would be 1+ hours, not < 15 minutes. It's for data protection, not DR with low RPO/RTO.
C: Azure Migrate is for one-time migration of VMs to Azure — not ongoing replication for DR.
D: Azure Backup agent backs up files/folders — not entire VM replication for DR orchestration.

💡 Key Concept:

ASR vs Azure Backup: ASR = continuous replication + DR orchestration + test failovers (for DR, low RPO/RTO). Backup = periodic snapshots for data protection and recovery (higher RPO, higher RTO). Use BOTH for comprehensive protection.

Question 15: Availability Zones

✓ Correct Answer: C) Distribute VMs across Availability Zones

Why this is correct:

Availability Zones are physically separate datacenters within a region with independent power, cooling, and networking. Distributing VMs across AZs (e.g., 1 VM in zone 1, 1 in zone 2, 1 in zone 3) means a complete datacenter failure only affects 1/3 of your VMs — the others continue serving traffic.

Why other answers are incorrect:

A: Availability Sets protect against hardware failures within a single datacenter (using fault domains and update domains) — they do NOT protect against full datacenter failure.
B: Multi-region deployment provides the highest resilience but the question asks specifically for surviving datacenter failure within the same region — AZs are the right scope.
D: VMSS with fault domains is essentially an Availability Set concept — same limitation as option A.

💡 Key Concept:

Availability Sets vs Availability Zones: Sets = multiple VMs spread across fault/update domains within a datacenter (protects against rack/host failure). Zones = multiple VMs in different datacenters within a region (protects against datacenter failure). Zones provide better SLA (99.99% vs 99.95%).

Question 16: Azure Backup Strategy

✓ Correct Answer: D) Recovery Services Vault with backup policies, soft-delete, and purge protection

Why this is correct:

Recovery Services Vault supports all required workloads: Azure VMs, SQL on Azure VMs, and Azure Files. You create separate backup policies for each workload with the required retention (30 daily, 12 monthly). Soft-delete protects against accidental deletion by retaining deleted backup data for 14+ days. Purge protection prevents permanent deletion even by admins for a configurable period.

Why other answers are incorrect:

A: Backup Center is a management view across multiple vaults — it doesn't replace individual vault configuration or allow a single policy for all workload types.
B: Storage accounts without a vault don't provide the workload-aware backup (SQL transaction log backups, for example) or the policy management capabilities. Resource locks prevent deletion but don't provide backup versioning.
C: ASR doesn't back up SQL databases with transaction log shipping — manual DB exports have high RPO.

💡 Key Concept:

Recovery Services Vault soft-delete: Deleted backup data retained for 14 days by default (configurable). Purge protection: once enabled, the vault and backup data cannot be permanently deleted for the configured retention period — even by global admins.

Question 17: Multi-Region Failover

✓ Correct Answer: A) Azure Front Door with origin groups and health probes

Why this is correct:

Azure Front Door uses anycast — traffic is directed to the nearest Front Door PoP globally, and health probes detect regional failures in seconds. Failover happens at the DNS + anycast routing level — when East US origins fail health checks, Front Door automatically routes to West US origins. Typical failover time is < 2 minutes.

Why other answers are incorrect:

B: Traffic Manager uses DNS-based routing — DNS TTL means clients may continue trying the failed region for minutes after failure (DNS caching). Typical failover is 1-5+ minutes depending on TTL and probe intervals.
C: Azure Load Balancer Standard does support cross-region now, but it's limited compared to Front Door's global PoP network and WAF/CDN capabilities.
D: Manual DNS failover requires human intervention and DNS propagation time — definitely not < 5 minute RTO.

💡 Key Concept:

Front Door vs Traffic Manager for failover: Front Door = anycast, PoP-level routing, WAF/CDN included, sub-minute failover typical, Layer 7. Traffic Manager = DNS-based, no edge processing, 1-5 minute failover typical, protocol-agnostic. For web apps, Front Door is preferred.

Question 18: SQL Auto-failover Groups

✓ Correct Answer: B) Auto-failover group with read-scale secondary

Why this is correct:

Auto-failover groups provide automatic failover without manual intervention (the read/write listener endpoint automatically points to the primary), a readable secondary (which fulfills the reporting requirement), and a read-scale endpoint that is separate from the write endpoint. With synchronous commit mode for planned failovers, you get zero data loss (RPO=0). RTO < 30 seconds is achievable with automatic failover.

Why other answers are incorrect:

A: Active geo-replication provides a readable secondary but failover is MANUAL — someone must initiate it. Doesn't meet "automatic failover without manual intervention."
C: Geo-restore uses storage-level backups — RPO is up to 1 hour and RTO can be hours depending on database size. Doesn't meet either requirement.
D: Zone-redundant SQL provides high availability within a region only — doesn't provide regional failover. The secondary is built-in but doesn't do cross-region replication.

💡 Key Concept:

Active geo-replication vs Auto-failover groups: Active geo-replication = manual failover, up to 4 secondaries, database-level. Auto-failover groups = automatic failover, server-level (all databases), listener endpoints that auto-redirect. Use failover groups when automatic failover is required.

Question 19: Azure Functions

✓ Correct Answer: C) Azure Functions (Consumption plan)

Why this is correct:

The Azure Functions Consumption plan scales from 0 to thousands of instances automatically (including scale-to-zero — cost-effective for unpredictable traffic), bills only while code is executing, requires no server management, runs stateless executions, and supports an execution timeout of up to 10 minutes (the 5-minute limit is well within this). It perfectly matches all 5 requirements.

Why other answers are incorrect:

A: Azure VMs with autoscale still require VM management (OS updates, etc.), have minimum instance costs, and don't scale to zero — not cost-effective for unpredictable traffic.
B: Azure Container Apps is excellent for containerized microservices but requires containerizing the app. For a simple stateless API, Functions is simpler and scales to zero better.
D: App Service Free tier is limited to 1 GB RAM, no custom domains with SSL, and has significant limitations — not for production workloads.

💡 Key Concept:

Compute decision: Short-lived, event-driven, scale-to-zero → Functions. Web app, long-running, team knows .NET/Node → App Service. Containerized, microservices, no k8s expertise → Container Apps. Complex orchestration, full k8s control → AKS.

Question 20: Azure Container Apps

✓ Correct Answer: D) Azure Container Apps

Why this is correct:

Azure Container Apps is purpose-built for microservices: manages Kubernetes underneath without exposing k8s complexity, provides per-service auto-scaling, built-in service discovery with DNS, native KEDA (Kubernetes Event-Driven Autoscaling) support for queue/event-based scaling, and is fully managed. No Kubernetes expertise needed.

Why other answers are incorrect:

A: AKS provides full Kubernetes control but requires significant k8s expertise for cluster management, networking, scaling, and operations — the team explicitly lacks this.
B: App Service with containers supports single containers and basic multi-container (Docker Compose) but doesn't natively support KEDA or per-service auto-scaling at the microservices level.
C: Azure Container Instances run individual containers but don't manage inter-service networking, load balancing between instances, or scale sets of containers — it's for simple single-container scenarios.

💡 Key Concept:

Container Apps vs AKS: Container Apps = managed Kubernetes, no k8s knowledge needed, built-in KEDA/Dapr, per-revision scaling, serverless. AKS = full k8s control, requires expertise, custom networking, any k8s add-on. Use Container Apps unless you need k8s-specific features.

Question 21: Azure Migrate

✓ Correct Answer: A) Azure Migrate

Why this is correct:

Azure Migrate is the hub for Azure migration that provides: dependency analysis (maps VM-to-VM communications to identify migration groups), Azure cost estimation (right-sizes based on actual utilization), test migration capability (migrates to an isolated network first), and replication with ASR integration. All four requirements are covered.

Why other answers are incorrect:

B: Azure Site Recovery handles the replication piece but is just one component — it doesn't provide discovery, dependency analysis, or cost estimation. ASR is integrated INTO Azure Migrate.
C: Azure Database Migration Service is specifically for database migrations (SQL, MySQL, MongoDB) — not for VM migrations.
D: Azure Import/Export is for shipping physical disks with large datasets to/from Azure — not for VM migration.

💡 Key Concept:

Azure Migrate components: Discovery and Assessment (inventories VMs, recommends Azure sizing), Business Case (ROI analysis), Migrate (orchestrates migration using ASR for VMs, DMS for databases). All in one hub at migrate.azure.com.

Question 22: App Service vs AKS

✓ Correct Answer: B) Azure App Service

Why this is correct:

Azure App Service is a fully managed PaaS designed specifically for web applications. It provides built-in auto-scale, SSL/TLS certificate management, deployment slots, CI/CD integration, and can deploy from code (no containers needed). A single .NET web app can be deployed in minutes. No container or Kubernetes knowledge required.

Why other answers are incorrect:

A: AKS is more scalable for complex microservices at scale, but introduces Kubernetes complexity that the team lacks expertise in — over-engineered for a single web app.
C: Container Instances run containers but aren't designed for web app hosting with auto-scale and SSL management — they lack built-in load balancing and scale groups.
D: Azure Functions is designed for event-driven, short-running functions — a full web app with request routing is better suited for App Service.

💡 Key Concept:

Right-size your compute choice: Don't use AKS for simple apps just because it's powerful. Azure App Service handles the vast majority of web app scenarios with zero infrastructure management. Reserve AKS for complex microservices with teams that know Kubernetes.

Question 23: Azure Landing Zone

✓ Correct Answer: C) Azure Landing Zone (ALZ) accelerator with Management Groups, hub-spoke networking, and centralized policy

Why this is correct:

Azure Landing Zone (Cloud Adoption Framework) provides reference architectures for enterprise Azure governance. It includes: Management Group hierarchy for policy inheritance, hub-spoke or Virtual WAN networking for connectivity, centralized Log Analytics, policy-as-code for compliance, and subscription vending for scale. Designed to scale to hundreds of subscriptions.

Why other answers are incorrect:

A: Single subscription with resource groups violates enterprise isolation requirements and doesn't scale to 50+ subscriptions.
B: Independent subscriptions with no central governance create ungoverned sprawl — no consistent security, no policy enforcement, no centralized networking.
D: Azure Blueprints (deprecated in favor of Deployment Stacks and Policy) applies configuration at subscription creation — but doesn't provide the ongoing governance hierarchy that Management Groups and Landing Zone provide.

💡 Key Concept:

Azure Landing Zone pillars: Management Groups + Policy (governance), Hub-spoke/VWAN networking (connectivity), Identity (Entra ID, PIM), Security (Defender for Cloud, Sentinel), Platform subscriptions (Management, Identity, Connectivity), Workload subscriptions (application landing zones).

Question 24: Key Vault Architecture

✓ Correct Answer: D) Zone-redundant Key Vault with soft-delete, purge protection, and diagnostic logging

Why this is correct:

Zone-redundant Key Vault (Premium or Standard with ZRS) survives datacenter failure within a region. Soft-delete with 90-day retention allows recovery of accidentally deleted secrets. Purge protection prevents permanent deletion even by admins. Diagnostic logging to Log Analytics captures all access for compliance audit trails.

Why other answers are incorrect:

A: A single Key Vault without zone redundancy fails if the datacenter it's in fails.
B: Private endpoint secures network access — but doesn't address the availability, recovery, and purge protection requirements listed.
C: Two Key Vaults in different regions require application code to handle primary/secondary logic and manual secret synchronization — complex, error-prone, and not needed when zone redundancy meets the requirement.

💡 Key Concept:

Key Vault best practices: Enable soft-delete (now ON by default, 7-90 days). Enable purge protection for production (prevents permanent deletion). Diagnostic logs to Log Analytics for every key/secret access. Separate Key Vaults per environment (dev/test/prod). Private endpoints for VNet access control.
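
The Key Vault settings listed above can be verified mechanically. The following Python check is an added example, not part of the original question set or of any Microsoft tooling; it assumes its inputs are JSON shaped like `az keyvault show` and `az monitor diagnostic-settings list` output, and the sample data and the function name `audit_vault` are constructed for illustration.

```python
import json

# Constructed sample shaped like `az keyvault show` output (trimmed); not real data.
SAMPLE_VAULT = json.loads("""
{
  "name": "kv-example-prod",
  "properties": {
    "enableSoftDelete": true,
    "softDeleteRetentionInDays": 7,
    "enablePurgeProtection": null,
    "publicNetworkAccess": "Enabled",
    "privateEndpointConnections": null
  }
}
""")

# Constructed sample shaped like `az monitor diagnostic-settings list` output.
SAMPLE_DIAG = json.loads("""
[
  {"name": "to-storage", "workspaceId": null,
   "logs": [{"category": "AuditEvent", "enabled": true}]}
]
""")


def audit_vault(vault, diag_settings, min_retention_days=90):
    """Return a list of findings; an empty list means every check passed."""
    props = vault.get("properties", {})
    findings = []

    if props.get("enableSoftDelete") is not True:
        findings.append("soft-delete disabled")
    retention = props.get("softDeleteRetentionInDays") or 0
    if retention < min_retention_days:
        findings.append(f"soft-delete retention {retention}d < {min_retention_days}d")
    # Purge protection is reported as null/absent until it is switched on.
    if props.get("enablePurgeProtection") is not True:
        findings.append("purge protection not enabled")

    # Audit logs must reach a Log Analytics workspace, not just any sink.
    def sends_audit(setting):
        if not setting.get("workspaceId"):
            return False
        return any(
            log.get("enabled") and (
                log.get("category") == "AuditEvent"
                or log.get("categoryGroup") in ("audit", "allLogs"))
            for log in setting.get("logs") or [])
    if not any(sends_audit(s) for s in diag_settings):
        findings.append("no AuditEvent logs to Log Analytics")

    # Private endpoint only counts if approved and public access is closed.
    approved = [c for c in props.get("privateEndpointConnections") or []
                if (c.get("privateLinkServiceConnectionState") or {}).get("status") == "Approved"]
    if not approved or props.get("publicNetworkAccess") != "Disabled":
        findings.append("vault reachable without private endpoint")
    return findings
```

Run against the constructed sample, the check reports four findings: the 7-day retention, the missing purge protection, audit logs that never reach Log Analytics, and public network exposure.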

Question 25: Well-Architected Framework

✓ Correct Answer: A) Cost Optimization, Reliability, Security, Performance Efficiency, Operational Excellence

Why this is correct:

Each issue maps to a WAF pillar: Over-provisioned VMs = Cost Optimization (paying for unused capacity). No health monitoring = Reliability (can't detect or respond to failures). No encryption at rest = Security (data exposure risk). Cannot scale = Performance Efficiency (system can't meet demand). Deployment downtime = Operational Excellence (need zero-downtime deployment practices).

Why other answers are incorrect:

B: The pillar order is wrong — security is listed first but the first issue (over-provisioning) maps to Cost Optimization.
C: Multiple critical WAF violations are present — these are major architectural concerns, not minor issues.
D: All five pillars are violated — only calling out Security misses Cost Optimization, Reliability, Performance, and Operational Excellence violations.

💡 Key Concept:

Azure Well-Architected Framework: Reliability (HA, DR, monitoring), Security (identity, data protection, threat detection), Cost Optimization (right-sizing, reserved instances, lifecycle), Operational Excellence (CI/CD, monitoring, observability), Performance Efficiency (scaling, caching, latency optimization). Use Azure Advisor and the WAF assessment tool.

📊 How Did You Score?

  • 23–25: Exam Ready. Excellent! Schedule your exam.
  • 19–22: Almost There. Review BC/DR and data storage decisions.
  • 14–18: Keep Studying. Focus on architecture trade-offs and constraints.
  • 0–13: More Study Needed. Ensure AZ-104 fundamentals are solid first.

Ready for More AZ-305 Practice?

These 25 questions are just a sample. The actual AZ-305 exam has 40–60 questions.
