Commonly Confused Services on AZ-305

Deciding signal

Azure Queue Storage is the simplest option — basic FIFO queue for decoupled message delivery, up to 64 KB per message, 7-day maximum retention. Service Bus is enterprise messaging with ordering guarantees, dead-letter queues, duplicate detection, sessions, and message sizes up to 256 KB (premium tier: 100 MB). It suits complex transactional message workflows. Event Grid routes discrete events (resource changes, custom events) to multiple subscribers simultaneously based on event type — it is push-based pub/sub for reactive event-driven architectures. Event Hubs is a high-throughput event streaming platform — it ingests millions of events per second with configurable retention and consumer groups, suited for telemetry, logging, and analytics pipelines.

Deciding signal

Application Gateway is regional Layer 7 — it load balances HTTP/HTTPS traffic within a region, terminates SSL, and includes a WAF. It does not operate globally. Azure CDN caches static assets (images, CSS, JavaScript) at edge POPs to reduce origin load for cacheable content. Traffic Manager routes DNS queries to different regional endpoints based on a routing method — it does not proxy or inspect HTTP traffic. Front Door is a global HTTP/HTTPS proxy with routing intelligence, WAF, URL-based routing, health-based failover, and CDN capabilities combined. When the scenario involves a regional web app with WAF and URL routing, Application Gateway. When it involves global users with HTTP routing and failover across regions, Front Door.

Deciding signal

AKS is managed Kubernetes — you interact with the full Kubernetes API, manage node pools, deploy operators, and configure the cluster. Required when Kubernetes API compatibility, custom operators, or specific cluster configuration is needed. Container Apps is a serverless container platform built on Kubernetes and KEDA — you deploy containers without managing the cluster, get automatic scaling including scale-to-zero, and pay only for what runs. Required when the team wants containers without Kubernetes operational overhead. Service Fabric is Microsoft-native distributed systems platform for stateful microservices and actor models — it predates Kubernetes and is used for scenarios requiring stateful service instances with built-in reliability. AKS is the modern default; Container Apps for serverless containers; Service Fabric for stateful actor-model microservices.

Deciding signal

Azure SQL Database is a fully managed OLTP relational database — strong consistency, ACID transactions, foreign keys, and complex joins. Best for structured transactional workloads. Cosmos DB is globally distributed with multi-region writes, sub-10ms latency at any scale, and flexible schemas via multiple APIs (Core SQL, MongoDB, Cassandra). Best for globally distributed, high-velocity, flexible-schema applications. Azure Synapse Analytics is an integrated analytics platform combining a dedicated SQL pool (data warehouse), serverless SQL, and Apache Spark — it is optimized for OLAP analytical queries over large datasets. The signal is workload type: OLTP transactions (SQL Database), low-latency global NoSQL (Cosmos DB), analytics and BI over large data (Synapse).

Deciding signal

VNet Peering provides direct, low-latency routing between two VNets — non-transitive, no gateway required. Best for a small number of VNets in direct relationships. Virtual WAN is a Microsoft-managed networking hub: it connects VNets, branch offices, and ExpressRoute/VPN circuits into a global hub-and-spoke topology with built-in routing and security integration. It is the right answer when the scenario involves dozens of VNets and branch locations needing centralized connectivity management. ExpressRoute connects on-premises to Azure via a private dedicated circuit. When the scenario describes scaling connectivity management across many VNets and sites, Virtual WAN. For direct Azure-to-Azure VNet connectivity, Peering.

Deciding signal

Azure Functions is stateless event-driven compute — triggered by HTTP, timers, queues, and other events, executes code, and exits. It has a 230-second synchronous timeout (longer via async). Logic Apps is a low-code/no-code workflow automation platform with 400+ connectors to SaaS services (Salesforce, SharePoint, ServiceNow) — the right answer when the automation involves integrating external services without writing code. Durable Functions extends Azure Functions with stateful orchestration — it supports long-running workflows, fan-out/fan-in, and human approval patterns using durable orchestrator and activity functions. When the scenario requires long-running stateful multi-step workflows with waits or approvals in code, Durable Functions.

Deciding signal

Entra B2B (Business-to-Business) enables partner organizations to access your applications using their own organizational identity — a supplier uses their company credentials to access your partner portal. It is for workforce-to-workforce federation. Entra External ID for customers (formerly B2C, Business-to-Consumer) is a CIAM platform for consumer-facing applications — it manages customer sign-up, sign-in, and profile with social identity provider support (Google, Facebook, Apple). Entra External Identities is the umbrella term covering both B2B and CIAM. The signal is who the external users are: partner employees using organizational credentials (B2B) or consumers using social or email accounts (External ID for customers/B2C).

Deciding signal

Azure Migrate is a discovery and migration hub: it discovers on-premises VMs, servers, and applications; assesses readiness and sizing; and orchestrates migration of VMs to Azure using the Migration tool (built on Site Recovery for server migration). Site Recovery is specifically a DR and business continuity service — it continuously replicates VMs for failover. When used for migration, it replicates and migrates servers to Azure. Azure Database Migration Service (DMS) migrates database schemas and data from on-premises database engines (SQL Server, MySQL, PostgreSQL, MongoDB, Oracle) to Azure database services. When the scenario involves assessing and discovering on-premises servers before migration, Azure Migrate. Database schema migration, DMS. Ongoing DR replication for regional failover, Site Recovery.

Deciding signal

Azure Key Vault stores secrets, encryption keys, and certificates in a multi-tenant managed service with FIPS 140-2 Level 2 validation. Most workloads use Key Vault. Managed HSM provides dedicated, single-tenant FIPS 140-2 Level 3 validated HSM hardware — required when regulations mandate customer-exclusive key custody in dedicated hardware. Managed Identity is not a key store — it is a system-assigned or user-assigned Azure AD identity for Azure resources that automatically obtains tokens to authenticate to services like Key Vault, eliminating the need to store credentials. The pattern is: Managed Identity authenticates to Key Vault; Key Vault stores secrets; Managed HSM is used when dedicated hardware is required for the keys.

Deciding signal

Application Gateway is a regional Layer 7 load balancer and WAF — it routes to backend pools within a region based on URL rules. Front Door is a global HTTP proxy with intelligent routing, WAF, and CDN capabilities across regions. API Management is a full API platform: it provides a developer portal, API versioning, throttling/rate limiting, subscription keys, OAuth integration, transformation policies, and backend abstraction. It is the right answer when the scenario involves managing a public API surface with developer onboarding, quotas, and transformation policies — not just routing or load balancing.