ExpertMinds LogoExpertMinds
Hard1 markMultiple Choice
Domain 1.4: Design identities and access for applicationsDomain 1Application IdentityManaged IdentityKey Vault

AZ-305 · Question 14 · Domain 1.4: Design identities and access for applications

You are designing an architecture for a multi-tier application. The application runs on a cluster of 10 Azure Virtual Machines that are part of a Virtual Machine Scale Set (VMSS).

The application needs to securely retrieve database connection strings from Azure Key Vault. The VMs are frequently scaled in and out based on demand. You need to design an identity solution for the VMs to authenticate to Key Vault that minimizes administrative overhead and prevents credential leakage.

Which identity solution should you recommend?

Answer options:

A.

A User-assigned managed identity attached to the VMSS.

B.

A System-assigned managed identity enabled on each VM instance.

C.

A Service Principal with a client secret stored in a configuration file on the VMs.

D.

Azure AD B2B guest accounts for the application service accounts.

How to approach this question

Differentiate between System-assigned (1:1 relationship with a resource) and User-assigned (1:N relationship, good for scale sets).

Full Answer

A.A User-assigned managed identity attached to the VMSS.✓ Correct
A User-assigned managed identity attached to the VMSS.
For workloads that run on multiple resources that share the same access requirements (like a VM Scale Set), a User-assigned managed identity is the best practice. It is created as a standalone Azure resource and assigned to the VMSS. When the VMSS scales out, the new instances automatically use the same identity. If you used System-assigned, every new VM would get a new identity, and you would have to dynamically update Key Vault access policies every time a scale-out occurred, causing massive administrative overhead.

Common mistakes

Choosing System-assigned managed identity because it's the default for single VMs, without considering the scaling dynamics of a VMSS.
13All questions15

Practice the full Azure Solutions Architect Expert AZ-305 Practice Exam 1

55 questions · hints · full answers · grading

Sign up freeTake the exam

More questions from this exam

Q01Contoso Ltd is a global financial institution with 80 Azure subscriptions spread across 4 managem...MediumQ02Fabrikam Inc. operates a hybrid cloud environment with 500 on-premises VMware virtual machines ru...HardQ03A startup company has a single Azure subscription with a monthly budget of $5,000. The CFO want...EasyQ04You are designing an Azure Sentinel architecture for a Managed Security Service Provider (MSSP). ...MediumQ05A healthcare enterprise is migrating its infrastructure to Azure. They have strict compliance req...Hard
View all 55 questions →