Interview Prep · Architect · Published June 2026

Top 10 AZ-305 interview questions for Azure architect loops in 2026

Published June 25, 2026 · ~8 min read · No Microsoft, training-vendor, or bootcamp revenue
Target level: Architect
Azure design experience: 3–5 yrs
Solutions Architect (US): $145–185k
Typical lift over AZ-104: +$25–40k
TL;DR — the 30-second version

The AZ-305 exam proves you can pick a service. The Azure architect interview proves you can pick the right one when it costs ten times more and a wrong call gets noticed. These ten questions are what comes up in 2026 Azure Solutions Architect and Principal Cloud Engineer loops — landing zones, networking topology, identity boundaries, data tier choice, DR design, and the FinOps conversation. They test design judgment, trade-off explanations, and the operational depth a hiring manager wants from someone they pay $145–185k.

If you’re still weighing the cert, start with our AZ-305 ROI breakdown and the foundational AZ-104 interview questions first.

The 10 questions

1. Hub-and-spoke vs Azure Virtual WAN — when do you pick which?

Hub-and-spoke is the default for one to three regions with a stable, small-branch footprint: one VNet hub per region, spokes peered in, Azure Firewall or an NVA in the hub, and a VPN or ExpressRoute gateway terminating on-prem traffic. Predictable, well-understood, and route tables you can read in your head.

Virtual WAN earns its premium at 10+ branches, multi-region any-to-any with transit between ExpressRoute and VPN, or when a managed Microsoft backbone is required for SD-WAN integration with Cisco Viptela, Aruba EdgeConnect, or Fortinet Secure SD-WAN. The trade-off: vWAN is a managed service with less knob-level control and a meaningfully higher monthly bill at small scale.

Pick hub-and-spoke first. Migrate to vWAN when branch count or any-to-any transit makes hub-and-spoke route tables a Tuesday-morning maintenance window. The interview signal is that you can name the threshold, not that you reflexively pick the newest service.

2. Azure Front Door vs Application Gateway vs Load Balancer vs Traffic Manager — what goes where?

Four products, four jobs. Memorize the layers, because architect loops will sketch a diagram and ask you to label the boxes.

A typical production stack: Front Door (WAF) at the edge → Application Gateway per region inside the spoke → Standard Load Balancer or AKS Ingress in front of the workload. The non-obvious signal: explain why you don’t put App Gateway and Front Door in the same diagram for purely regional workloads — double WAF cost and double TLS terminations for no resilience win.

3. How do you design Entra ID Conditional Access for a mid-size enterprise?

Start from personas and named locations, not from individual policies. The reference layout interviewers like:

Two non-negotiables architects get burned on if they skip them: at least two break-glass accounts excluded from every CA policy (because one Conditional Access mistake at 3 a.m. has locked entire tenants out), and What-If + report-only rollout before every enforce flip. The interview signal is that you understand CA as layered defense with a recovery path, not a single “require MFA” checkbox.
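One way to check the first non-negotiable before every enforce flip, as an added example that is not from the article: the script below walks Conditional Access policy objects in the shape Microsoft Graph returns from /identity/conditionalAccess/policies and reports every enabled or report-only policy that does not exclude both break-glass accounts. The break-glass object IDs and the sample tenant are constructed placeholders.

```python
"""Audit Conditional Access policies for the two break-glass exclusions.

Added example, not from the article. Policies are assumed to have the shape
Microsoft Graph returns from /identity/conditionalAccess/policies; break-glass
object IDs and the sample tenant below are constructed placeholders.
"""
# Constructed placeholder object IDs for the two emergency-access accounts.
BREAK_GLASS_IDS = frozenset({"00000000-0000-0000-0000-000000000001",
                             "00000000-0000-0000-0000-000000000002"})
REPORT_ONLY = "enabledForReportingButNotEnforced"


def audit_policies(policies, break_glass_ids=BREAK_GLASS_IDS):
    """One finding per active policy that does not exclude every break-glass account.

    Only direct excludeUsers entries are checked (group exclusions would need
    membership resolution); report-only policies count because they are about
    to be flipped to enforce.
    """
    findings = []
    for policy in policies:
        state = policy.get("state", "disabled")
        if state == "disabled":
            continue  # cannot lock anyone out
        users = policy.get("conditions", {}).get("users", {})
        missing = sorted(break_glass_ids - set(users.get("excludeUsers", [])))
        if not missing:
            continue
        controls = (policy.get("grantControls") or {}).get("builtInControls", [])
        if state == REPORT_ONLY:
            severity = "medium"    # bites at the enforce flip, not today
        elif "block" in controls:
            severity = "critical"  # enforced block with no recovery path
        else:
            severity = "high"
        findings.append({"policy": policy["displayName"], "state": state,
                         "severity": severity, "missing_exclusions": missing})
    return findings


SAMPLE_POLICIES = [  # constructed sample tenant, not real data
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": sorted(BREAK_GLASS_IDS)}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["00000000-0000-0000-0000-000000000001"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require compliant device for privileged roles", "state": REPORT_ONLY,
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"builtInControls": ["compliantDevice"]}},
]
```

Running `audit_policies(SAMPLE_POLICIES)` flags the MFA policy (one account missing, high) and the report-only device policy (both missing, medium); the legacy-auth block passes because both accounts are excluded.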

4. Walk me through the Azure landing zone you would deploy on day one.

Azure Landing Zone (the modern name for CAF Enterprise Scale) is the answer. The layout interviewers expect:

  1. Management Group hierarchy: Tenant Root > Platform / Landing Zones / Decommissioned / Sandbox. Platform splits into Identity, Management, Connectivity.
  2. Azure Policy initiatives applied at MG level: Microsoft Cloud Security Benchmark + ISO 27001 + an internal CIS overlay. Audit-then-deny rollout.
  3. Connectivity subscription: hub VNet, ExpressRoute or VPN gateway, Azure Firewall Premium, Private DNS resolver, central DNS zones.
  4. Identity subscription: Entra Domain Services if any legacy AD-joined workloads remain. Otherwise the identity plane sits in Entra ID at tenant level.
  5. Management subscription: central Log Analytics workspace, Microsoft Sentinel, Azure Backup vaults, Azure Monitor action groups.
  6. Workload subscriptions peered as spokes, deployed via Bicep or Terraform from a central repo with PR gates and policy-as-code.

The architect signal is three things: you separate platform from workload, you scale policy via Management Groups instead of per-subscription assignments, and you treat the landing zone as code with a deployment pipeline from day one. Candidates who describe ClickOps in the Portal score one tier below candidates who say “all of this is Bicep, gated by a PR review and an Azure DevOps pipeline.”

5. Storage replication — LRS, ZRS, GRS, RA-GZRS — how do you pick?

Four tiers, doubling in cost. The trap is reflexively picking GRS for “production.”

Architect-level traps: GRS replication is asynchronous (RPO ~15 min, occasionally higher under regional stress), and account failover is a one-way door under the legacy customer-managed failover model — you cannot fail back without re-replication. The right answer is “ZRS by default; GZRS only when we’ve modeled the RPO and the read pattern justifies the double cost.”

6. Design a DR strategy for a tier-1 Azure-hosted application with RPO 15 min, RTO 1 hour.

Warm Standby in the paired region. The layers:

  1. Compute: AKS or VMSS in primary region active, secondary region scaled to a minimal footprint with the same Bicep templates and a pipeline that can scale it on declared failover (declarative target, not a manual runbook).
  2. Data: Azure SQL Hyperscale with active geo-replication (sub-second RPO, async commit), or Cosmos DB with multi-region writes if the workload tolerates eventual consistency. Storage on RA-GZRS plus Object Replication for hot containers.
  3. Networking: Azure Front Door with health-probe-driven priority routing — primary at priority 1, secondary at priority 2. Private DNS zones replicated to both regions. Hub VNet provisioned in both regions, ExpressRoute circuit at both ends.
  4. Identity: Entra is global, no DR design needed there.
  5. Operations: runbook + automated failover scripts versioned in the same repo as the infrastructure.

The architect-level closer: a DR design that has never been rehearsed has an effective RTO of “maybe.” The plan is the quarterly failover game day with measured RTO, not the diagram. Interviewers want to hear you mention it before they ask.

7. How do you enforce governance and cost discipline across 200 subscriptions?

Policy at scope, tags at deploy, chargeback as the cultural lever.

Senior architects describe the cultural lever as much as the technical controls. That’s the signal.

8. Private Endpoint vs Service Endpoint vs Public Access — when do you use each?

Three tiers, decreasing public exposure.

The 2026 architect default: Private Endpoint for any production PaaS hosting customer data, with Private DNS zones centralized in the connectivity hub and resolved via Azure Private DNS resolver. The detail interviewers probe on: DNS. Private Endpoints fail silently when a spoke can’t resolve the privatelink zone — central DNS resolution is half the design.
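A check for the DNS half of the design, as an added example that is not from the article: given what a spoke's resolver returned for a PaaS hostname (the CNAME chain it followed and the final A records), the function below tells apart a correct privatelink resolution, a Private Endpoint that exists but is being bypassed because the spoke walked the public chain, and an account with no Private Endpoint at all. The storage account name, cluster name and addresses are constructed placeholders.

```python
"""Verify a PaaS hostname resolves through its privatelink zone to a private IP.

Added example, not from the article. It inspects what a spoke resolver returned
(the CNAME chain followed plus the final A records); the resolutions below are
constructed and the account and cluster names are placeholders.
"""
import ipaddress


def classify_resolution(hostname, cname_chain, addresses):
    """Return a verdict dict: 'ok', 'bypasses-private-endpoint' or 'no-private-endpoint'.

    The public record for an account with a Private Endpoint is a CNAME into
    privatelink.<service>.core.windows.net; the spoke must resolve that name
    from the private zone linked in the hub. If it walks the public chain
    instead it gets a public IP, connects at the TCP level, and is refused by
    the service once public network access is disabled: the silent failure.
    """
    via_privatelink = any(".privatelink." in name for name in cname_chain)
    ips = [ipaddress.ip_address(a) for a in addresses]
    all_private = bool(ips) and all(ip.is_private for ip in ips)
    if via_privatelink and all_private:
        verdict = "ok"
    elif via_privatelink:
        verdict = "bypasses-private-endpoint"  # PE exists, private zone never consulted
    else:
        verdict = "no-private-endpoint"        # nothing to bypass: account has no PE
    return {"hostname": hostname, "via_privatelink": via_privatelink,
            "all_private": all_private, "verdict": verdict}


# Constructed resolutions for a placeholder storage account 'contosodata'.
SAMPLE_RESOLUTIONS = {
    # Spoke forwards to the hub Private DNS resolver: the private zone answers.
    "hub-resolver": (["contosodata.privatelink.blob.core.windows.net"], ["10.20.1.4"]),
    # Spoke still uses default Azure DNS with no zone link: the public chain wins.
    "default-azure-dns": (["contosodata.privatelink.blob.core.windows.net",
                           "blob.example-cluster.store.core.windows.net"], ["20.60.144.33"]),
    # Account without any Private Endpoint configured.
    "no-pe": (["blob.example-cluster.store.core.windows.net"], ["20.60.144.33"]),
}


def run_samples(hostname="contosodata.blob.core.windows.net"):
    """Classify every constructed resolution; returns {case: verdict}."""
    return {case: classify_resolution(hostname, chain, addrs)["verdict"]
            for case, (chain, addrs) in SAMPLE_RESOLUTIONS.items()}
```

In a live check the chain and addresses would come from a resolver running inside the spoke, since resolving from the hub or a laptop proves nothing about what the workload sees.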

9. Cosmos DB vs Azure SQL Hyperscale vs PostgreSQL Flexible Server — design call.

Pick by access pattern, not by vendor preference. The decision matrix:

The trap: candidates default to Cosmos because it’s the modern Azure-branded service. The architect-level call is “I’d run the read/write mix, latency target, consistency model, and TCO through a decision matrix — here are the four questions I’d ask the product team first.” Naming the questions matters more than naming the service.

10. AKS in an enterprise landing zone — what does your reference architecture look like?

AKS shows up in roughly two-thirds of 2026 architect loops. The expected layout:

The interview signal is depth on the operational layer — upgrades, surge capacity, PDB strategy, observability — not just the day-one diagram. AZ-305 candidates who can sketch the diagram but stall on “walk me through a control-plane upgrade” flag as junior. Read up on AKS LTS releases and node OS upgrades before the loop.

What these questions test

The AZ-305 exam screens for service-by-service knowledge. The architect interview screens for design judgment: which service, why this one over that one, where the trade-off bites, and what you do when it bites. Every answer above pivots on a trade-off (hub-and-spoke vs vWAN, ZRS vs GZRS, Private Endpoint vs Service Endpoint, Cosmos vs SQL) and on operational evidence (Log Analytics queries, KQL, Bicep templates, game days). Memorize the metric and service names — privatelink.* DNS zones, Microsoft.Network/azureFirewalls, Workload Identity, Application Gateway for Containers. Architect interviewers screen on whether you reach for them unprompted.

Practice AZ-305 right now — no signup

CertQuests has engineer-written AZ-305 design-scenario questions with full explanations on every answer. Free, no account required.

Frequently asked questions

Hub-and-spoke vs Virtual WAN — when do you pick which in 2026?

Hub-and-spoke is the default at one to three regions with a small-branch footprint. Virtual WAN earns its premium at 10+ branches, multi-region any-to-any transit, or SD-WAN integration. Pick hub-and-spoke first; migrate to vWAN when branch count or transit complexity makes hub-and-spoke route tables unmanageable.

Front Door vs Application Gateway vs Load Balancer vs Traffic Manager?

Front Door is global L7 (anycast edge + WAF). Application Gateway is regional L7 inside a VNet (WAF + mTLS + URL rewrite). Standard Load Balancer is regional L4 (TCP/UDP, no inspection). Traffic Manager is DNS-based global routing without proxying. Typical stack: Front Door at the edge → App Gateway per region → LB in front of the workload.

How do you design Entra ID Conditional Access at enterprise scale?

Persona-based policy: block legacy auth everywhere, require MFA for all users, require compliant device for privileged roles, sign-in/user-risk gating via Identity Protection, PIM for every Global Admin and Owner. Two non-negotiables: two FIDO2 break-glass accounts excluded, and What-If + report-only before every enforce flip.

How do you pick LRS vs ZRS vs GRS vs RA-GZRS?

LRS for dev/test, ZRS as the production default (zone resilience in one region), GRS/RA-GRS when cross-region resilience and a 15-minute RPO justify the cost, GZRS/RA-GZRS for the highest tier (zone + geo). Cost roughly doubles per tier. Don’t default to GRS without modeling the read pattern — geo-replication is async with a one-way failover under the legacy model.

What does a tier-1 Azure DR design look like for RPO 15 min, RTO 1 hour?

Warm Standby in the paired region: compute scaled-down with the same Bicep templates and a pipeline that can scale on declared failover, SQL Hyperscale with active geo-replication or Cosmos multi-region, Storage on RA-GZRS, Front Door with health-probe priority routing, Private DNS replicated to both regions. The closer: a quarterly failover game day with measured RTO — designs that have never been rehearsed have an effective RTO of “maybe.”

How we wrote this

No Microsoft, training-vendor, or bootcamp revenue. Questions were sourced from Azure architect and principal cloud engineer interview reports on Reddit (r/AZURE, r/cscareerquestions), the Microsoft Tech Community, LinkedIn interview threads, and the Azure architecture review channels on Microsoft Learn, cross-referenced against the Microsoft Cloud Adoption Framework, the Azure Architecture Center, and the BLS Occupational Outlook for compensation context. Tell us what you’d update.

Last reviewed: June 25, 2026.