Cost Blind Spot — Azure Security Engineer (AZ-500)
The architecturally correct answer was also the most expensive. The exam wanted the cost-optimized option that still meets requirements.
The Premium Security Tier Costs Money the Scenario Cannot Spend
Defender for Cloud's enhanced security features provide runtime threat detection, vulnerability scanning, and adaptive application controls. The scenario mentions a cost-constrained pilot with three VMs and a six-month budget ceiling. Enabling Defender for Servers Plan 2 across all subscriptions exceeds the stated budget. The exam expects scoped enablement or a Defender for Cloud free-tier posture assessment. Security controls must fit the financial constraint, not just the threat model.
The Scenario
A company needs to generate thumbnails from user-uploaded images. You design a solution with Azure Kubernetes Service and GPU-enabled nodes for fast processing. The correct answer uses Azure Functions with a Consumption plan triggered by Blob Storage events — images are under 10MB, processing takes 2-3 seconds per image, and the scenario said "cost-optimize for variable upload volume." AKS with GPU nodes costs $1,000+/month in base compute even at idle. Functions at 100,000 executions/month costs under $2. The exam tests whether you recognize that "image processing" does not automatically mean "GPU compute."
How to Spot It
- •Azure Spot VMs give up to 90% savings over pay-as-you-go for fault-tolerant workloads. Batch rendering, data analysis, and dev/test environments are the canonical Spot workloads. If the scenario describes interruptible work, Spot VMs or Spot-enabled AKS node pools are the cost-optimized answer.
- •Azure Cosmos DB charges for provisioned RU/s even when idle. A database provisioned at 10,000 RU/s costs ~$580/month. If the scenario describes "occasional reads" or "variable traffic," serverless Cosmos DB (pay per RU consumed) or Azure SQL Serverless eliminates idle costs.
- •Azure Front Door Premium costs ~$330/month base. Azure CDN Standard costs ~$0.08/GB. For a static website serving 100GB/month, CDN costs $8 vs. Front Door at $330+. The exam tests whether you select the CDN tier that matches the traffic profile, not the one with the most features.
Decision Rules
When on-premises-to-Azure connectivity requirements are bounded by modest bandwidth, no latency SLA, and an explicit cost constraint, Azure VPN Gateway is the right-sized choice; ExpressRoute's dedicated circuit capacity is justified only when bandwidth, latency, or uptime SLA requirements exceed the VPN Gateway operational envelope — none of which apply to a sub-100 Mbps batch workload.
Whether to use Azure Virtual WAN with a secured virtual hub (managed transitivity, premium per-GB pricing) or Azure Virtual Network Manager hub-and-spoke connectivity configuration with UDR-based routing through a hub-resident NVA (explicit routing, predictable flat cost) to satisfy the inspection choke-point and fixed budget constraints simultaneously.
When encryption-in-transit is the dominant compliance constraint and bandwidth is moderate and predictable, the correct choice is the connectivity service that natively satisfies the encryption requirement via IPsec/IKEv2 rather than a premium private circuit that requires an additional encryption layer to achieve the same compliance outcome at significantly higher total cost.
Whether to express NSG allow-rules as explicit source/destination IP address prefixes per VM NIC or to bind VMs to Application Security Groups and write tier-to-tier rules against ASG names, where the IP-based approach satisfies the security control mechanically but scales to hundreds of rules requiring manual updates on every VM addition or IP change.
Domain Coverage
Difficulty Breakdown
Related Patterns