Text preview & study summary

Microsoft AZ-204 AZ-305 AZ-400 AZ-500 - Developer Architect DevOps Security

A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.

Want to test your knowledge? Launch the Interactive Exam Simulator

Question 1

A solutions architect designs a microservices architecture on Azure. Services need to communicate asynchronously, and each service should only receive messages relevant to it (e.g., "OrderCreated" events go to both inventory and shipping services). Which Azure messaging architecture achieves fan-out?

Answer choices

  • A. Azure Service Bus Queue

  • B. Azure Service Bus Topic with subscriptions and filters (Correct)

  • C. Azure Storage Queue

  • D. Azure Event Hubs

Explanation

Azure Service Bus Topics implement pub/sub with fan-out: publishers send messages to a Topic; multiple subscriptions (one per consumer service) independently receive all or filtered messages. Subscription filters (SQL or correlation filter) allow each subscription to receive only relevant messages. Example: InventoryService subscription filters for `EventType = 'OrderCreated'`; ShippingService has its own subscription. Service Bus Queue is one-to-one (one consumer per message). Storage Queue is simpler but lacks Topic/subscription semantics. Event Hubs is optimized for high-volume streaming data (different use case).

Question 2

An architect designs a solution for processing high-volume IoT events. The solution receives 1 million events per hour, needs real-time stream processing, and must store processed results in Azure Synapse Analytics. Which Azure architecture is recommended?

Answer choices

  • A. IoT devices → Azure Queue Storage → Azure Functions → Azure SQL

  • B. IoT devices → Azure IoT Hub → Azure Stream Analytics → Azure Synapse Analytics (Correct)

  • C. IoT devices → Azure Event Grid → Azure Logic Apps → Cosmos DB

  • D. IoT devices → Service Bus → APIM → Azure SQL

Explanation

Azure IoT reference architecture: (1) Azure IoT Hub — purpose-built for IoT device connectivity (bidirectional communication, device registry, message routing, 1M+ messages/hour). (2) Azure Stream Analytics — managed real-time stream processing with SQL-like query language, temporal windowing, anomaly detection. (3) Azure Synapse Analytics — cloud data warehouse for storing processed results and enabling analytics. Queue Storage lacks IoT device management. Event Grid is for discrete events, not IoT telemetry streams. Service Bus is for application messaging, not IoT at scale.

Question 3

A company deploys microservices to Azure Kubernetes Service. Security requirements state that pods must not run as root. Which Kubernetes/AKS security control enforces this?

Answer choices

  • A. Azure AD RBAC for Kubernetes

  • B. Kubernetes Pod Security Admission (PSA) with "restricted" or "baseline" policy (Correct)

  • C. AKS network policy with Cilium

  • D. Azure Defender for Containers runtime threat detection

Explanation

Kubernetes Pod Security Admission (PSA) — the replacement for deprecated PodSecurityPolicy — enforces security standards at the admission controller level. The "restricted" standard enforces: `runAsNonRoot: true`, drops all capabilities, disallows privilege escalation. The "baseline" standard prevents known privilege escalation vectors. PSA is applied at namespace level with labels. Pods violating the policy are rejected. Azure AD RBAC controls who can interact with Kubernetes resources (not pod security contexts). Network policies control traffic. Defender for Containers detects runtime threats but doesn't prevent non-root misconfiguration at admission.

Question 4

An Azure Security Engineer must ensure that all Azure VMs have Microsoft Defender for Endpoint (MDE) installed and configured. Which solution automates this across the organization?

Answer choices

  • A. Manually install MDE agent on each VM

  • B. Azure Policy with DeployIfNotExists effect and Guest Configuration or Defender for Cloud auto-provisioning (Correct)

  • C. Azure Update Management

  • D. Azure Automation runbook

Explanation

Microsoft Defender for Cloud's auto-provisioning feature automatically deploys the Microsoft Defender for Endpoint agent (and other agents like Log Analytics Agent/Azure Monitor Agent) to all VMs in enrolled subscriptions. Combined with Azure Policy (DeployIfNotExists), it ensures new VMs are automatically protected without manual intervention. Azure Policy ensures compliance at scale. Azure Update Management handles OS patching. Automation runbooks can deploy agents but lack the continuous compliance enforcement that Policy provides. Defender for Cloud auto-provisioning is the recommended enterprise solution.

Question 5

A DevOps engineer uses Azure Container Apps for microservices. A new service version is deployed, and the engineer wants 20% of traffic routed to the new version while monitoring for errors. Which Azure Container Apps feature enables this?

Answer choices

  • A. Container App revision management with traffic splitting (Correct)

  • B. AKS Horizontal Pod Autoscaler

  • C. Azure Load Balancer weighted rules

  • D. App Service deployment slots

Explanation

Azure Container Apps uses revision-based traffic splitting for canary deployments. Each deployment creates a new revision. Traffic weights (0-100%) can be assigned to multiple revisions simultaneously. Example: Revision 1 (old) = 80%, Revision 2 (new) = 20%. Monitor metrics in Application Insights during the canary phase. When satisfied, shift to 100% new. AKS HPA is for pod scaling. Azure Load Balancer doesn't support weighted revision routing for Container Apps. App Service deployment slots are for App Service, not Container Apps.