Azure · AZ-305

Scope Overreach — Azure Solutions Architect (AZ-305)

You solved a broader problem than what was asked. The scenario had specific constraints — you addressed requirements that weren't there.

AKS and Service Fabric at the Wrong Scale

AKS feels like the defensible choice for any production containerized workload, which is exactly why it appears in overreach traps. A scenario describing a few microservices with predictable load and no multi-region requirement does not justify running a cluster: node pool sizing and upgrades, scheduling configuration, and a Kubernetes control plane and node surface you now have to secure. Azure Container Apps or App Service handles that workload with less operational surface. Reach for Container Apps or App Service first, and escalate to AKS only when the scenario explicitly requires Kubernetes-level control: custom node pools or privileged workloads, DaemonSets, a service mesh you manage yourself, or scheduling and networking options that Container Apps does not expose. When none of those are present, the simpler service is the correct answer.

14% of exam questions affected (28 of 200)

The Scenario

A team needs to restrict access to a Storage Account so only resources in their virtual network can reach it. You design Azure Private Link for private IP connectivity, Azure Firewall for traffic inspection, and Network Security Groups for subnet-level filtering. The correct answer is enabling the Microsoft.Storage Service Endpoint on the VNet subnet and adding a virtual network rule on the Storage Account firewall, with the default action set to Deny, so that only that subnet is allowed. The scenario said "restrict to VNet", not "implement zero-trust network architecture." Service Endpoints are free, require no DNS changes, and take seconds to configure. Traffic still arrives at the account's public endpoint over the Azure backbone; the rule restricts the source, it does not give the account a private IP, and that is exactly what the scenario asked for.

How to Spot It

  • Azure Service Endpoints vs. Private Endpoints is the most common scope overreach test. Service Endpoints (free, VNet-scoped access restriction; traffic still reaches the service's public endpoint over the Azure backbone) are correct when you just need to limit which subnets can reach the service. Private Endpoints ($0.01/hour, private IP in your VNet, plus a private DNS zone to resolve to it) are correct when you need private IP addressing, on-premises access via VPN/ExpressRoute, cross-region private connectivity, or to turn off the service's public endpoint entirely.
  • Azure Firewall costs ~$912/month base. If the scenario does not mention traffic inspection, threat intelligence, or centralized network security policy, adding Azure Firewall is scope overreach.
  • The exam tests whether you solve exactly the stated problem. If your answer addresses security threats, compliance requirements, or scaling concerns the scenario never mentioned, you have expanded scope beyond what was asked.
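As an added example (not part of the original page) of the minimum-scope answer in the scenario above: a Bicep template that enables the Microsoft.Storage service endpoint on one subnet and locks the storage account firewall to that subnet. The resource names, the address ranges and the parameter names are placeholders chosen for this example.

```bicep
// Added example, not from the page: service endpoint + storage account network rule.
// Names, address ranges and parameter names are placeholders.
param location string = resourceGroup().location
param storageName string            // globally unique, 3-24 lowercase alphanumerics
param vnetName string = 'vnet-app'  // placeholder

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
  }
}

// The service endpoint is a subnet property, not a storage account property.
resource appSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: 'snet-app'
  properties: {
    addressPrefix: '10.10.1.0/24'
    serviceEndpoints: [ { service: 'Microsoft.Storage' } ]
  }
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    networkAcls: {
      // 'Deny' is what makes the virtual network rule meaningful. The weak
      // setting is defaultAction: 'Allow', which leaves every network path
      // open even though a virtualNetworkRules entry is present.
      defaultAction: 'Deny'
      // Trusted Azure services (e.g. diagnostics) keep access; use 'None' if the scenario forbids it.
      bypass: 'AzureServices'
      virtualNetworkRules: [
        {
          id: appSubnet.id   // only this subnet may reach the account
          action: 'Allow'
        }
      ]
      ipRules: []
    }
  }
}
```

Deploy with `az deployment group create -g <rg> -f storage-se.bicep -p storageName=<name>` and check the result with `az storage account show -n <name> --query networkRuleSet`; you should see `defaultAction: Deny` and exactly one `virtualNetworkRules` entry. Two things to expect: your own workstation (portal, CLI from a laptop) is now blocked unless you add its public IP to `ipRules`, and on-premises clients arriving over VPN or ExpressRoute are not in the allowed subnet, so they are blocked too, which is the case where the scenario would have to say more before a Private Endpoint becomes the right answer.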

Decision Rules

Whether to assign an Azure Policy initiative at the Management Group scope—inheriting enforcement to all child subscriptions automatically, including subscriptions created later—versus deploying an Azure Blueprint per subscription or applying individual Policy assignments at each subscription, where the governing constraint is least-privilege continuous compliance with minimum administrative overhead. Azure Blueprints is deprecated in favor of template specs and deployment stacks, which makes the per-subscription Blueprint option weaker still.

Azure Management Groups · Azure Policy · Azure Blueprints

Whether to assign a built-in RBAC Reader role once at Management Group scope—where inheritance propagates to all child subscriptions automatically—versus deploying Azure Blueprints artifacts to distribute role assignments across each subscription as a versioned, packaged environment artifact.

Azure Management Groups · Azure Role-Based Access Control (RBAC) · Microsoft Entra ID
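An added example (written for this page, not taken from it) of both management-group rules above in one Bicep deployment targeted at the management group: one policy initiative assignment and one Reader role assignment, each made once and inherited by every current and future child subscription. The initiative ID and the group's object ID are parameters you supply; the Reader GUID is that built-in role's fixed ID.

```bicep
// Added example, not from the page. Deployed at management group scope with
// `az deployment mg create --management-group-id <mg> --location <region> -f mg-baseline.bicep ...`
targetScope = 'managementGroup'

param policySetDefinitionId string   // resource ID of the initiative (e.g. a built-in policySetDefinition)
param readerPrincipalId string       // object ID of the Entra group that needs read-only visibility
param location string = 'eastus'     // only needed for the assignment's managed identity; placeholder

var readerRoleId = 'acdd72a7-3385-48ef-bd42-f606fba81ae7'   // built-in Reader role definition ID

// One assignment at the management group; every child subscription inherits it.
resource baseline 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'baseline-compliance'
  location: location
  identity: { type: 'SystemAssigned' }   // required only if the initiative has deployIfNotExists/modify effects
  properties: {
    displayName: 'Baseline compliance (assigned once at management group scope)'
    policyDefinitionId: policySetDefinitionId
    enforcementMode: 'Default'
    nonComplianceMessages: [
      {
        message: 'Resource violates the baseline initiative assigned at the management group.'
      }
    ]
  }
}

// One Reader assignment at the management group instead of one per subscription.
resource readerAtMg 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(managementGroup().id, readerPrincipalId, readerRoleId)   // deterministic, so redeploys are idempotent
  properties: {
    roleDefinitionId: tenantResourceId('Microsoft.Authorization/roleDefinitions', readerRoleId)
    principalId: readerPrincipalId
    principalType: 'Group'
  }
}
```

Verify inheritance from any child subscription with `az policy assignment list --disable-scope-strict-match` and `az role assignment list --include-inherited --assignee <group-object-id>`. One caveat: if the initiative contains deployIfNotExists or modify policies, the assignment's system-assigned identity also needs a role (commonly Contributor at the same scope) before remediation tasks can run; that assignment is deliberately left out above, so as written the initiative audits rather than remediates.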

Whether to assign the Key Vault Secrets User role scoped to the specific Key Vault resource via a system-assigned Managed Identity, versus assigning a broader role (Contributor or Key Vault Administrator) at subscription or resource-group scope—with the correct answer determined by matching identity type and RBAC scope to the narrowest boundary that satisfies the workload requirement.

Azure Managed Identities · Azure Role-Based Access Control (RBAC) · Azure Key Vault

Assign Contributor scoped to the single named resource group to an Entra service principal with workload identity federation — not scoped to the parent subscription — satisfying both no-stored-credentials and least-privilege simultaneously.

Microsoft Entra ID · Azure Role-Based Access Control (RBAC) · Azure Managed Identities

Which RBAC role and scope pairing satisfies both the no-stored-credentials constraint and the least-privilege constraint for a managed identity that needs data-plane read access to one Key Vault instance?

Azure Managed Identities · Azure Key Vault · Azure Role-Based Access Control (RBAC)
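An added example (not the page's own) of the narrow pairing the Key Vault rules above describe: a user-assigned managed identity, a Key Vault using the RBAC permission model, and Key Vault Secrets User assigned at the scope of that one vault. The federated service principal rule above applies the same idea with Contributor at resource-group scope; only the principal and the scope change. Names are placeholders; the role GUID is the built-in role's fixed ID.

```bicep
// Added example, not from the page: least-privilege data-plane read on one vault.
param location string = resourceGroup().location
param keyVaultName string              // globally unique, placeholder
param identityName string = 'id-app'   // placeholder

var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'   // built-in: read secret contents only

// No stored credential: the workload authenticates as this identity via IMDS.
resource appIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: tenant().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    enableRbacAuthorization: true   // data-plane access is decided by RBAC, not access policies
    enableSoftDelete: true
  }
}

// Scope is the vault resource itself: not the resource group, not the subscription.
resource secretsRead 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, appIdentity.id, keyVaultSecretsUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)
    principalId: appIdentity.properties.principalId
    principalType: 'ServicePrincipal'   // stated explicitly so a just-created identity is not rejected as unknown
  }
}

output identityClientId string = appIdentity.properties.clientId   // what the app passes to its credential library
```

The overreach alternatives fail in different ways. Contributor at resource-group scope would not even satisfy the requirement: on an RBAC-enabled vault the control-plane roles (Owner, Contributor) grant no data-plane access, so the workload could reconfigure the vault yet still not read a secret. Key Vault Administrator at the vault would work, but it grants full management of keys, certificates and secrets when the scenario asked for read access to secrets. Confirm the result with `az role assignment list --scope <vault-resource-id> --assignee <identity-principal-id>`.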

Whether satisfying 'all PaaS access must remain off the public internet' requires Azure Private Link, which gives the PaaS resource a private IP in your VNet and, once public network access is disabled on the resource, removes the public path with only a private DNS zone change and no routing changes, or Azure Firewall with forced tunneling, centralized L7 egress inspection that oversolves the constraint and mandates hub-level architectural changes not called for in the scenario.

Azure Private Link · Network Security Groups (NSGs) · Azure Firewall
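An added example (not from the page) of what the Private Link answer above actually consists of: a private endpoint for a storage account's blob service, the private DNS zone that makes clients resolve to the private IP, and public network access disabled on the account so the private endpoint is the only path. The subnet and VNet are assumed to exist and are passed in by ID; names are placeholders.

```bicep
// Added example, not from the page: Private Link for blob storage with the DNS change it requires.
param location string = resourceGroup().location
param storageName string   // globally unique, placeholder
param subnetId string      // existing subnet for the private endpoint NIC (assumed)
param vnetId string        // existing VNet whose resolver should see the private record (assumed)

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    minimumTlsVersion: 'TLS1_2'
    publicNetworkAccess: 'Disabled'   // without this the public endpoint still answers alongside the private one
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'None'
    }
  }
}

resource blobEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${storageName}-blob'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: {
          privateLinkServiceId: storage.id
          groupIds: [ 'blob' ]   // one endpoint per sub-resource (blob, file, queue, table, ...)
        }
      }
    ]
  }
}

// The DNS change: <name>.blob.core.windows.net must resolve to the private IP inside the VNet.
resource blobZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}

resource zoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: blobZone
  name: 'link-app-vnet'
  location: 'global'
  properties: {
    virtualNetwork: { id: vnetId }
    registrationEnabled: false
  }
}

// Writes the A record for the endpoint's private IP into the zone automatically.
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: blobEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'blob'
        properties: { privateDnsZoneId: blobZone.id }
      }
    ]
  }
}
```

The check from a VM inside the VNet is `nslookup <name>.blob.core.windows.net`: it should return a CNAME to `<name>.privatelink.blob.core.windows.net` and an address from the endpoint subnet. If it returns a public IP, the zone is not linked to the VNet that client resolves through, and the client is still trying the (now disabled) public path. None of this touches route tables, which is why the page counts it as a DNS change rather than a topology change.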

Whether NSG subnet rules (L3/L4 port-level restriction, no routing change) or Azure Firewall with UDR-based forced routing (L7 centralized inspection) is the minimum-scope control that satisfies an intra-VNet east-west segmentation requirement when routing complexity minimization is a stated constraint.

Network Security Groups (NSGs) · Azure Firewall · Azure Virtual Network
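An added example (not from the page) of the NSG answer to the east-west rule above: a two-tier VNet where only the web subnet may reach the database subnet, and only on TCP 1433, with no route table involved. Address ranges and names are placeholders.

```bicep
// Added example, not from the page: intra-VNet segmentation with an NSG alone.
param location string = resourceGroup().location

var webPrefix = '10.20.1.0/24'   // placeholder ranges
var dbPrefix = '10.20.2.0/24'

resource dbNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-db'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowSqlFromWeb'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: webPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: dbPrefix
          destinationPortRange: '1433'
        }
      }
      {
        // The default rule AllowVnetInBound (priority 65000) admits every subnet in this VNet
        // and in peered VNets. Segmentation only exists if it is overridden explicitly.
        name: 'DenyVnetInBound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-tiers'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.20.0.0/16' ] }
    subnets: [
      {
        name: 'snet-web'
        properties: { addressPrefix: webPrefix }
      }
      {
        name: 'snet-db'
        properties: {
          addressPrefix: dbPrefix
          networkSecurityGroup: { id: dbNsg.id }   // L3/L4 filtering attached to the subnet; routing is untouched
        }
      }
    ]
  }
}
```

The explicit VirtualNetwork deny is the part people forget: an NSG with only an allow rule changes nothing, because the built-in AllowVnetInBound already permits the traffic. Confirm the effective result on a database VM's NIC with `az network nic list-effective-nsg --ids <nic-resource-id>`. What this cannot do is inspect payloads or enforce FQDN rules; if the scenario asks for those, that is the signal for Azure Firewall, not the segmentation requirement on its own.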

Domain Coverage

Design Identity, Governance, and Monitoring Solutions · Design Infrastructure Solutions

Difficulty Breakdown

Hard: 24 · Expert: 4

Related Patterns