Azure · AZ-305

Near-Right Architecture — Azure Solutions Architect (AZ-305)

Two options were architecturally valid — you picked the one that violates a constraint buried in the scenario. Read constraints before evaluating answers.

When the Constraint Beats the Clean Design

A retail client specifies a hard monthly cost ceiling, and one distractor delivers a fully functional multi-tier Azure architecture that still overshoots it. The architecture works. It is still wrong. Every AZ-305 scenario carries a constraint that ranks above general correctness: a regulatory boundary, a staffing limit, a hard cost cap. The option that satisfies the stated constraint beats the option that satisfies the most requirements in aggregate. Spot the constraint first, then evaluate which answer respects it. If you cannot identify the constraint within the first two sentences, re-read the scenario before looking at the options.

22% of exam questions affected (44 of 200)

The Scenario

The question asks you to design a globally distributed web application with real-time bidirectional communication via WebSockets. Two options: Azure Front Door with backend pools, or Traffic Manager with regional Application Gateways. Both achieve global distribution. But Front Door operates at Layer 7 with HTTP/HTTPS — it supports WebSocket connections. Traffic Manager is DNS-based and does not proxy traffic at all, so it cannot maintain WebSocket connections across failovers. The trap is that Traffic Manager sounds like the "global load balancer" answer, but it only does DNS resolution, not connection proxying.

How to Spot It

  • Azure Front Door vs. Traffic Manager is a Layer 7 vs. DNS-level distinction. If the scenario needs connection proxying, SSL offloading, or WebSocket support, Traffic Manager is eliminated. If it only needs DNS-based routing with health probes, Front Door may be over-engineering.
  • Pay attention to "real-time," "bidirectional," or "persistent connections." These require a proxy-based load balancer (Front Door, Application Gateway), not DNS-only routing (Traffic Manager).
  • When both architectures distribute traffic globally, the tiebreaker is always in the connection semantics — HTTP request-response vs. persistent connections vs. raw TCP.

Decision Rules

Whether to replicate the NAS file server to an Azure VM using Azure Site Recovery (near-right IaaS rehost that preserves full operational overhead) or migrate content directly to Azure Blob Storage using an Azure Migrate-assessed transfer path (correct managed target that satisfies the CAF operational reduction mandate and respects wave-dependency ordering).

Azure Migrate · Azure Site Recovery · Azure Blob Storage

Whether to assign Azure Policy at the Management Group scope (single assignment, inherited by all child subscriptions) versus assigning Policy per subscription or delegating to Azure Blueprints, which provisions compliant environments but does not continuously enforce policy across already-deployed resources.

Azure Management Groups · Azure Policy · Azure Blueprints

Whether to assign Azure Policy at the Management Group scope for persistent, continuously evaluated enforcement that auto-inherits to all current and future child subscriptions, versus deploying an Azure Blueprint containing a Policy artifact at the Management Group scope, which enforces the control only at provisioning time and does not re-evaluate compliance on existing resources.

Azure Management Groups · Azure Policy · Azure Blueprints

Determine whether Azure SQL Database General Purpose with zone-redundant configuration already satisfies the stated 99.99% SLA, making Business Critical tier or Azure SQL Managed Instance unnecessary and cost-violating over-provisioning.

Azure SQL Database · Azure SQL Managed Instance

Whether the workload's combination of container packaging, event-driven burst scaling, scale-to-zero economics, and a team with zero Kubernetes operational capacity disqualifies AKS and makes Azure Container Apps the only tier that satisfies all stated constraints simultaneously.

Azure Container Apps · Azure Kubernetes Service (AKS) · Azure Functions

Whether Azure Container Apps or AKS is the correct compute tier for a containerized, scale-to-zero, stateless microservice when the team explicitly lacks Kubernetes cluster management expertise and cannot absorb ongoing cluster operational burden.

Azure Container Apps · Azure Kubernetes Service (AKS)

Whether to route platform diagnostic logs through Azure Monitor Diagnostic Settings into the Log Analytics workspace in addition to configuring workspace-based Application Insights, versus relying on Application Insights alone as the complete observability solution.

Azure Monitor · Azure Log Analytics · Azure Application Insights

Whether to satisfy the 180-day compliance retention requirement by routing Azure resource diagnostic logs through Azure Monitor diagnostic settings into a Log Analytics workspace (correct platform-layer path) versus relying on Application Insights, which captures only application-instrumented telemetry and creates a platform-layer observability blind spot that fails the stated compliance constraint.

Azure Monitor · Azure Log Analytics · Azure Application Insights

Choose Azure Service Bus over Azure Event Hubs when the communication pattern is transactional command messaging requiring per-session FIFO ordering and dead-letter handling, even when throughput is within both services' ranges.

Azure Service Bus · Azure Event Hubs

Whether to scope the RBAC role assignment to the target resource group (or storage account) versus the subscription, given that the workload boundary is explicitly narrow and the least-privilege constraint is the stated requirement.

Azure Managed Identities · Azure Role-Based Access Control (RBAC)

Whether satisfying a centralized L7 egress inspection mandate requires Azure Firewall deployed in the hub rather than Azure Application Gateway, which is an ingress-scoped control incapable of inspecting outbound traffic flows.

Azure Firewall · Azure Application Gateway · Network Security Groups (NSGs)

Domain Coverage

Design Identity, Governance, and Monitoring Solutions · Design Data Storage Solutions · Design Infrastructure Solutions

Difficulty Breakdown

Medium: 28 · Expert: 4 · Hard: 12
