Over-Provisioning — Azure Administrator (AZ-104)
You provisioned more capacity or redundancy than the scenario required. The exam rewards right-sizing.
Reserved capacity feels safe. The exam disagrees.
The scenario mentions batch processing jobs that run for two hours each night. Candidates see "performance-critical" and select reserved VM instances or large Standard SKUs. What the exam tests is whether you recognize that short-lived, predictable workloads are exactly the profile Spot VMs or Azure Batch were designed for. Reserving always-on capacity for an intermittent workload pays a premium the scenario's cost constraint explicitly disqualifies.
The Scenario
A team needs storage for application logs. Logs are written continuously but only accessed during incident investigations — maybe once per quarter. You choose Premium Blob Storage for fast write performance. The correct answer is Standard Hot for recent logs (first 30 days) with a lifecycle management policy that moves data to Cool tier after 30 days and Archive after 90 days. Premium storage costs $0.15/GB/month; Standard Hot costs $0.018/GB/month; Cool costs $0.01/GB/month; Archive costs $0.002/GB/month. For 1TB of logs, Premium costs $150/month vs. a tiered approach averaging under $20/month.
How to Spot It
- •Azure Blob Storage tiers exist for different access patterns. Premium is for low-latency, high-transaction workloads (databases on disk). Hot is for frequently accessed data. Cool is for 30+ day retention. Archive is for 180+ day retention with hours of rehydration time. The exam tests whether you match the tier to the access frequency.
- •Azure Cosmos DB provisioned throughput at 400 RU/s (minimum) costs ~$23/month per container. If the scenario describes "occasional reads" or "low-traffic API," serverless Cosmos DB charges per RU consumed with no minimum, which can be pennies per month for light workloads.
- •Auto-scale and elastic tiers (Azure SQL Serverless, Cosmos DB autoscale, App Service auto-scaling) are the exam-preferred answer for unpredictable workloads. Fixed provisioned capacity is correct only when the scenario provides specific, stable throughput numbers.
Decision Rules
Whether to assign an Azure Policy definition once at the management group scope—where it cascades automatically to all child subscriptions—or once per subscription, where the latter constitutes over-provisioning of administrative assignments that provides identical enforcement coverage at 20x the maintenance cost.
Assign Virtual Machine Contributor scoped to the target resource group rather than assigning the broader Contributor role at the same resource-group scope or assigning any role at subscription scope.
Whether to configure Entra ID dynamic group membership rules (which implicitly require an Entra ID P1 license) or to automate static group membership updates via Azure PowerShell scripts that run within the Entra ID Free tier.
Whether to configure a Blob Storage lifecycle management policy that tiers blobs to Cool or Archive after the 7-day active window, rather than retaining every object in Hot tier for the full 90-day retention period.
Whether ACI's fixed per-container-group allocation satisfies a scale-to-zero and traffic-splitting constraint, or whether Container Apps' managed scaling and ingress rules are required — with ACI being the over-provisioning trap and Container Apps the right-sized answer.
Whether to use Azure Container Apps with HTTP-triggered KEDA autoscaling (including scale-to-zero) or Azure Container Instances with a fixed replica count sized for peak load — the correct choice turns entirely on whether the service can eliminate idle capacity cost during the 16-hour zero-traffic window.
Whether to front the backend application tier with an internal Azure Load Balancer carrying a private frontend IP, or with a Standard Azure Load Balancer assigned a Public IP Address.
Determine whether the 24-hour RPO, 4-hour file-restore RTO, and cost-minimization constraint is best satisfied by scheduled snapshot backup (Azure Backup via Recovery Services Vault) or by continuous VM replication (Azure Site Recovery), recognizing that continuous replication over-provisions resilience and cost well beyond what the stated targets require.
Choose Azure Backup Vault with a managed disk snapshot policy rather than Azure Site Recovery or Recovery Services Vault VM backup, because the 4-hour RPO and 2-hour disk-level RTO are fully satisfied by periodic snapshots without the cost and complexity of continuous replication.
Whether to route inter-spoke traffic via hub-spoke VNet peering plus spoke-subnet UDRs pointing to the hub NVA, or to provision direct full-mesh peering between all spoke VNets.
Whether a targeted Azure Monitor metric alert rule on the storage throttling metric satisfies signal-completeness at lower cost, or whether full Azure Monitor Insights for Storage (Log Analytics workspace plus all diagnostic categories) is required to meet the alerting SLA.
Domain Coverage
Difficulty Breakdown
Related Patterns