Microsoft AZ-900

Yes is incorrect because regions are larger geographic constructs that contain one or more datacenters, so deploying across regions addresses a broader failure domain than the one described. Although a multi-region design can certainly improve overall availability, it is not the Azure feature typically used to satisfy a requirement about a single datacenter failing. For AZ-900 questions, the expected match for datacenter-level fault tolerance is Availability Zones rather than multiple regions.

A Dev/Test subscription is a specific offer intended to reduce costs for development and testing workloads (often via Visual Studio subscriptions). It is not a prerequisite to use Azure Cost Management. Cost Management can analyze costs for many subscription types, including Dev/Test, but you do not need Dev/Test to access the service.

Software Assurance is a licensing benefit associated with Microsoft volume licensing (e.g., Windows Server/SQL Server benefits, Azure Hybrid Benefit eligibility). It does not grant access to Azure Cost Management. Cost Management is tied to Azure billing and scopes (billing account/subscription), not to Software Assurance entitlements.

An Enterprise Agreement (EA) is a large-organization purchasing agreement and is not required to use Azure Cost Management. While EA customers commonly use Cost Management at scale (often with advanced chargeback/showback needs), the tooling is available for non-EA customers as well. EA is a purchasing model, not a functional prerequisite.

SaaS provides a complete, ready-to-use application managed by the provider (for example, Microsoft 365). It minimizes administration the most, but you typically cannot deploy your own custom web application code as-is; you would be adopting a vendor’s application instead of hosting yours. For a migration of an existing custom web app, SaaS is usually not the correct fit unless you are replacing the app entirely.

IaaS (virtual machines) gives you the most control and is common for lift-and-shift migrations, but it requires the most administration. You are responsible for the OS, patching, web server/runtime configuration, scaling setup, backups, and ongoing maintenance. Because the requirement is to minimize administrative effort, IaaS is generally the least suitable option among the main service models.

DaaS (Database as a Service) refers to managed database offerings (for example, Azure SQL Database, Azure Cosmos DB) where the provider manages database infrastructure and many maintenance tasks. While DaaS can reduce database administration, it does not address hosting the web application itself. You would still need a compute/hosting model (PaaS or IaaS) for the web tier.

Incorrect. A Canadian government contractor is not automatically eligible for Azure Government. Azure Government is a U.S. sovereign cloud intended for U.S. government entities and approved U.S. government contractors. Canadian public sector organizations typically use commercial Azure regions in Canada (or other arrangements), but they do not qualify for Azure Government based solely on being a government contractor.

Incorrect. A European government contractor is not eligible for Azure Government by default. Azure Government is restricted to U.S. government entities and validated U.S. government contractors. European contractors may use commercial Azure regions in Europe or other sovereign solutions, but they cannot use Azure Government unless they meet specific U.S. eligibility requirements (which this option does not imply).

Incorrect. A European government entity is not eligible for Azure Government. The service is a U.S. sovereign cloud environment with restricted access for U.S. public sector customers and approved contractors. European government entities generally use commercial Azure in European regions or other sovereign offerings, but not Azure Government.

Azure CLI is a command-line tool for managing Azure resources, including App Service. However, it typically requires a local installation and a supported OS/shell environment. An iPhone is not a standard platform for installing and running Azure CLI natively, so it’s not considered a complete solution for managing web app settings directly from the phone in an exam context.

Windows PowerShell is a scripting and automation environment commonly used to manage Azure (often via the Az PowerShell module). However, it assumes a Windows (or at least a compatible PowerShell runtime) environment. An iPhone does not natively provide a standard Windows PowerShell execution environment, so it’s not a complete solution for managing settings from the phone.

Azure Storage Explorer is a client application designed to manage Azure Storage resources (blobs, files, queues, and tables). It is not intended for configuring or managing Azure App Service web app settings. Additionally, it’s a desktop tool rather than a mobile-first management option, making it unsuitable for this requirement.

Elasticity refers to automatically adding or removing resources to match demand (for example, autoscaling during peak usage and scaling in when demand drops). While elasticity improves cost efficiency and performance under variable load, it does not inherently protect against a datacenter outage unless combined with a fault-tolerant multi-zone or multi-region design.

Scalability is the ability to increase capacity to handle growth, either vertically (bigger VM) or horizontally (more instances). Like elasticity, scalability focuses on capacity and performance, not resiliency. A scalable system can still be taken down if all instances are in a single datacenter and that datacenter becomes unavailable.

Low latency means minimizing network delay so users get faster responses, often achieved by choosing closer regions, using CDNs, or optimizing routing. Latency is a performance characteristic, not an availability strategy. A low-latency deployment can still experience downtime if it lacks redundancy across datacenters or zones.

Dedicated hardware is not a standard characteristic of the public cloud. Public cloud typically uses shared physical infrastructure with logical isolation (multi-tenancy). While Azure offers dedicated options (e.g., Azure Dedicated Host, isolated SKUs) for compliance or licensing needs, these are specialized services rather than the defining model for public cloud.

Unsecured connections are not a characteristic of public cloud. Public cloud services are designed to be secured through strong identity (Microsoft Entra ID), encryption in transit/at rest, network controls (NSGs, firewalls), and private connectivity options (VPN/ExpressRoute, Private Link). Security is a shared responsibility, not an inherent weakness of public cloud.

Limited storage is the opposite of a typical public cloud characteristic. Public cloud platforms provide scalable storage that can grow on demand (e.g., Azure Blob Storage, managed disks, Azure Files) with various performance and redundancy tiers. While quotas and service limits exist, the model is generally elastic and expandable rather than inherently limited.

High availability is about keeping an application running despite failures by using redundancy (multiple instances, zones, regions) and failover. While it improves resiliency and supports uptime SLAs, it typically increases cost because you run extra capacity. It does not specifically address the need to reduce resources during low-demand periods, so it’s not the best cost-management benefit for this usage pattern.

High latency means slower response times between users and the application, usually caused by distance, network congestion, or inefficient architecture. It is not a benefit of cloud services and does not support cost management. In exam terms, latency is something you try to minimize using regions close to users, CDNs, caching, and optimized networking—not something you select as an advantage.

Load balancing distributes incoming traffic across multiple instances to improve performance and reliability. It helps handle high traffic, but it doesn’t inherently reduce costs because you still must provision (or scale) the instances behind the load balancer. Load balancing is often used together with elasticity (autoscaling + load balancing), but by itself it doesn’t address scaling down during low usage.

A complete migration to the public cloud can reduce CapEx by eliminating on-prem hardware purchases and can lower some OpEx through managed services. However, “complete migration” is not always the most cost-minimizing recommendation when an organization already has substantial on-premises investment and only needs extra capacity. Migration projects also introduce transition costs, time, and potential refactoring.

An additional data center increases both CapEx and OpEx. You must purchase land/space, servers, networking, and storage, and you must pay ongoing costs for power, cooling, physical security, maintenance, and staffing. This directly conflicts with the requirement to minimize capital and operational expenditure and does not provide the elasticity benefits of cloud.

A private cloud provides cloud-like management and virtualization but is still owned and operated by the organization (or dedicated hosting). It typically requires significant upfront investment in hardware and ongoing operational management, so it does not minimize CapEx/OpEx compared to using public cloud resources on demand. It also lacks the same elasticity and pay-as-you-go economics.

Premier support can provide architectural guidance and extensive proactive services, so it would satisfy the technical requirement. However, it is a high-end enterprise support offering intended for organizations needing broad, ongoing support management and proactive engagement. Because the question specifically asks to minimize costs, Premier is more expensive than necessary. Professional Direct provides the needed architectural advisory capability at a lower cost.

Developer support is intended for trial, development, and non-production use cases rather than enterprise architectural review needs. It offers limited support scope and does not include the advisory architecture services implied by a formal architectural review request. Although it is cheaper, it does not meet the requirement. Cost minimization only applies after the functional requirement is satisfied.

Standard support provides technical support for production workloads, including faster response and 24/7 access for certain severities, but it is primarily a reactive support plan. It does not include the advisory or architecture review services associated with Professional Direct. The question is specifically about requesting an architectural review from Microsoft, which requires more than standard technical support. Therefore, Standard is insufficient even though it costs less.

Answering "Yes" is incorrect because DDoS Protection does not control whether HTTP traffic is permitted to reach a VM. Even with DDoS Standard enabled, if VM1 lacks a public IP (or a public load balancer/app gateway front end) or if an NSG blocks TCP/80, HTTP access from the Internet will fail. DDoS protection is additive security for already-public resources; it does not publish services or open ports. You still need explicit networking configuration to expose VM1 over HTTP.

No change is needed is incorrect because resource groups do not provide compliance management across multiple subscriptions. A resource group is scoped to a single subscription and is mainly for organizing resources, applying RBAC at that scope, and managing lifecycle operations like deployment and deletion. While you can tag and control access at the resource-group level, that is not the same as defining and enforcing compliance rules. Cross-subscription compliance requires a governance service such as Azure Policy applied at an appropriate scope.

Management groups are used to organize subscriptions into a hierarchy and provide a scope for applying governance controls like Azure Policy and RBAC across multiple subscriptions. However, management groups themselves do not define or enforce compliance rules; they are a container/scope. To actually manage compliance, you must assign Azure Policy (or initiatives) at the management group scope. Therefore, replacing the text with “Management groups” would be incomplete and technically inaccurate for compliance enforcement.

Azure App Service plans are a compute and pricing construct for hosting web apps, APIs, and functions, defining region, SKU, and scaling characteristics. They have nothing to do with governance, compliance evaluation, or enforcing configuration standards across resources or subscriptions. App Service plans apply only to App Service workloads and do not provide policy-based compliance controls. The scenario is about compliance management, which is addressed by Azure Policy, not hosting plans.

A load balancer distributes network traffic across multiple VMs (Layer 4) to improve availability and scale for inbound or internal traffic. It does not create a private connection from on-premises to Azure; it only balances traffic once it is already in Azure (or coming from the internet/VNet). Therefore it is not a required resource for enabling on-premises client communication to Azure VMs.

An application gateway is a Layer 7 (HTTP/HTTPS) load balancer with features like SSL termination, path-based routing, and WAF. It is used to publish and protect web applications, not to establish hybrid network connectivity. Even if you wanted to expose a web app to on-premises users, it would not replace the need for a VPN/ExpressRoute gateway for private network communication.

A virtual network provides the private IP address space and subnets where Azure VMs reside. While a VNet is foundational for hosting VMs, the question focuses on enabling on-premises clients to communicate with those VMs. The specific hybrid connectivity requirements from the options are the Virtual Network Gateway and the GatewaySubnet; the VNet is assumed to already exist because the environment contains VMs.

Answering "Yes" assumes that Azure Firewall is the required and sufficient control to expose VM1 over HTTP. However, Azure Firewall is not automatically in the inbound path for Internet-to-VM traffic and does not publish services without explicit DNAT configuration and routing. Without those specific configurations (and typically corresponding NSG allowances), modifying the firewall would not make VM1 accessible over TCP/80 from the Internet.