
Chapter 3 of 21

Cloud Deployment Models and the Shared Responsibility Model

Navigate how organizations choose between public, private, and hybrid clouds, and see exactly where Azure’s responsibilities end and yours begin in the shared responsibility model.


Big Picture: Deployment Models and Responsibility Boundaries

Module Focus

In this module you will learn how organizations deploy cloud and who is responsible for what in Azure, so you can answer AZ-900 scenario questions confidently.

Key Goals

You will be able to define public, private, hybrid cloud, and the shared responsibility model, compare the deployment models, and explain where Azure’s responsibilities end and yours begin.

Cloud Reminder

Cloud computing is the delivery of computing services over the internet, enabling faster innovation, flexible resources, and economies of scale.

Deployment vs Service Models

Deployment models (public, private, hybrid) describe where and how cloud runs. Service models (IaaS, PaaS, SaaS) describe what part of the stack you manage versus the provider.

Public Cloud: Definition, Characteristics, and Azure Examples

Public Cloud Definition

A public cloud is a cloud deployment model in which a cloud provider owns and operates the infrastructure and delivers computing resources over the public internet to multiple tenants.

Key Properties

Provider-owned infrastructure, access over the public internet, and multi-tenancy where many customers share hardware but are logically isolated.

Azure Public Cloud Examples

Azure Virtual Machines, Azure Storage, Azure SQL Database, Azure Functions, and Azure Kubernetes Service are all public cloud services.

Benefits and Use Cases

Public cloud is cost-effective, scalable, globally available, and great for startups, web apps, and analytics that need rapid growth.

Exam Trap

Public cloud does not mean public data. It refers to shared infrastructure accessed over the internet, with strong isolation and access controls.

Private Cloud: Definition, Characteristics, and When It Makes Sense

Private Cloud Definition

A private cloud is a cloud deployment model in which cloud resources are used exclusively by a single organization, either hosted on-premises or by a third-party provider.

Exclusive Use

Only one organization uses the private cloud environment. No other customer’s workloads share that infrastructure.

Location Options

Private cloud can run in your own datacenter or be hosted by a third party, but it remains dedicated to your organization.

Pros and Cons

Pros: control, customization, data residency. Cons: higher cost, more management effort, less elastic scaling than public cloud.

Exam Clue Phrases

Look for phrases like “single organization only”, “must stay on-premises”, or “strict regulations” to identify private cloud scenarios.

Hybrid Cloud: Definition, Data Flows, and Azure Reality

Hybrid Cloud Definition

A hybrid cloud is a computing environment that combines public and private clouds, allowing data and applications to be shared between them.

Combined Environment

In hybrid cloud, some workloads run in Azure public cloud and others in your private or on-premises environment, connected securely.

Visual Picture

Picture two circles: on-prem/private and Azure. A VPN or ExpressRoute line connects them so apps and data can flow between both.

Azure Hybrid Tools

Azure Arc, VPN Gateway, ExpressRoute, and Azure File Sync help you integrate and manage hybrid environments.
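The "VPN line" in the picture above, written out as an added Bicep example (not part of this course and not Microsoft's reference code): a route-based site-to-site IPsec/IKEv2 connection from a hub VNet in Azure to an on-premises VPN device. The address ranges, the on-premises device address 198.51.100.10, and all resource names are placeholders; the pre-shared key is a secure parameter you supply at deployment time.

```bicep
// Added example: hybrid cloud as a site-to-site IPsec/IKEv2 tunnel between
// on-premises and an Azure hub VNet. Ranges, addresses and names are placeholders.
param location string = resourceGroup().location
param onPremVpnPublicIp string = '198.51.100.10'   // placeholder on-prem VPN device
param onPremCidr string = '192.168.0.0/16'          // placeholder on-prem address space

@secure()
param sharedKey string                               // IKE pre-shared key, never hard-coded

resource hub 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.10.0.0/16'
      ]
    }
    subnets: [
      {
        name: 'GatewaySubnet'   // reserved name the VPN gateway requires
        properties: {
          addressPrefix: '10.10.255.0/27'
        }
      }
    ]
  }
}

resource gwPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-vpngw-hub'
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

resource vpnGw 'Microsoft.Network/virtualNetworkGateways@2023-05-01' = {
  name: 'vpngw-hub'
  location: location
  properties: {
    gatewayType: 'Vpn'
    vpnType: 'RouteBased'
    sku: {
      name: 'VpnGw1'
      tier: 'VpnGw1'
    }
    ipConfigurations: [
      {
        name: 'default'
        properties: {
          subnet: {
            id: resourceId('Microsoft.Network/virtualNetworks/subnets', hub.name, 'GatewaySubnet')
          }
          publicIPAddress: {
            id: gwPip.id
          }
        }
      }
    ]
  }
}

// The private side of the picture as Azure sees it: where the on-prem device is
// and which prefixes live behind it.
resource onPrem 'Microsoft.Network/localNetworkGateways@2023-05-01' = {
  name: 'lgw-onprem-dc'
  location: location
  properties: {
    gatewayIpAddress: onPremVpnPublicIp
    localNetworkAddressSpace: {
      addressPrefixes: [
        onPremCidr
      ]
    }
  }
}

// The tunnel. Pinning the IPsec/IKE policy is the customer's decision; without
// it the gateway negotiates from its default proposal list.
resource tunnel 'Microsoft.Network/connections@2023-05-01' = {
  name: 'cn-onprem-to-hub'
  location: location
  properties: {
    connectionType: 'IPsec'
    connectionProtocol: 'IKEv2'
    virtualNetworkGateway1: {
      id: vpnGw.id
    }
    localNetworkGateway2: {
      id: onPrem.id
    }
    sharedKey: sharedKey
    ipsecPolicies: [
      {
        ikeEncryption: 'AES256'
        ikeIntegrity: 'SHA256'
        dhGroup: 'DHGroup14'
        ipsecEncryption: 'AES256'
        ipsecIntegrity: 'SHA256'
        pfsGroup: 'PFS2048'
        saLifeTimeSeconds: 3600
        saDataSizeKilobytes: 102400000
      }
    ]
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file hybrid.bicep --parameters sharedKey=<psk>`; the on-premises device must be configured with the same key and a matching proposal. The point for the shared responsibility model: Azure operates the gateway hardware and software, but which networks are joined, which algorithms are accepted, and how the key is handled are all decided in this file, on your side of the line.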

Exam Clue Phrases

Phrases like “keep some workloads on-premises while using Azure” or “integrate on-prem with cloud” point to hybrid cloud.

Comparing Public, Private, and Hybrid: Scenario Walkthroughs

Scenario 1: Startup

A global streaming startup with no datacenter, tight budget, and spiky traffic is best served by public cloud services like Azure App Service and Azure SQL Database.

Scenario 2: Government

A government tax agency with strict data residency rules and its own secure datacenter is a strong candidate for a private cloud deployment.

Scenario 3: Retail Hybrid

A retail chain modernizing apps in Azure while keeping legacy ERP on-prem, connected via VPN or ExpressRoute, is using hybrid cloud.

How to Read Scenarios

Look for clues about location (on-prem vs cloud), exclusivity (single org vs shared), and integration needs to choose public, private, or hybrid.

Service Models Refresher: IaaS, PaaS, SaaS (Needed for Shared Responsibility)

IaaS Definition

Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.

PaaS Definition

Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.

SaaS Definition

Software as a Service (SaaS) is a cloud service model that delivers software applications over the internet on a subscription basis.

Azure Examples

IaaS: Azure VMs. PaaS: Azure App Service, Azure SQL Database. SaaS: Microsoft 365 and Dynamics 365.

Control vs Convenience

IaaS gives you most control but more work. SaaS gives least control but minimal management. PaaS sits in the middle.

Shared Responsibility Model: Core Definition and Layers

Shared Responsibility Definition

The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.

Of vs In the Cloud

Microsoft secures the cloud itself (of the cloud). You secure what you put in the cloud (in the cloud), such as apps, data, and access.

Layered View

From bottom to top: physical datacenters, hardware, virtualization, OS, middleware, apps, and data/identities/devices.

Responsibility Trend

Azure always handles lower layers. Your responsibility grows toward the top of the stack and varies by IaaS, PaaS, or SaaS.

Azure Responsibilities vs Customer Responsibilities (IaaS, PaaS, SaaS)

Azure Always Owns

Azure is always responsible for datacenter physical security, power, cooling, hardware, and the virtualization layer that runs your workloads.

IaaS Responsibilities

With Azure VMs, you manage the guest OS and its patches, network security group rules and any firewall inside the VM, applications, data, backups, and identity and access.

PaaS Responsibilities

With Azure App Service or Azure SQL Database, Azure manages OS and runtime. You manage app code, configuration, data, and access control.
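To make the IaaS and PaaS lines concrete, here is an added Bicep template (not from this course and not Microsoft's own sample) that sets only things that sit on the customer's side of the boundary: the network rules in front of a VM, and the transport, exposure and authentication settings of an App Service app and an Azure SQL server. Resource names, the admin range 203.0.113.0/24, and the Entra ID group name and object ID are placeholders.

```bicep
// Added example: the customer's side of the shared responsibility line for an
// IaaS VM (network rules) and a PaaS app + database (transport, exposure, identity).
// Names, the admin range and the Entra ID group values are placeholders.
param location string = resourceGroup().location
param adminCidr string = '203.0.113.0/24'      // assumed admin network for ports 22/3389
param sqlAdminGroupName string = 'sql-admins'  // placeholder Entra ID group name
param sqlAdminGroupObjectId string             // placeholder, supplied at deploy time

// IaaS: Azure runs the hypervisor and the physical network. Whether the internet
// can reach port 22/3389 on your VM is decided by rules you write. Azure's built-in
// default rules only allow traffic from the VNet and the load balancer, so these
// two rules make the management-port policy explicit and scoped.
resource vmNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-web-vm'
  location: location
  properties: {
    securityRules: [
      {
        name: 'Allow-Mgmt-From-Admin-Range'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: adminCidr
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRanges: [
            '22'
            '3389'
          ]
        }
      }
      {
        name: 'Deny-Mgmt-From-Internet'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Deny'
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRanges: [
            '22'
            '3389'
          ]
        }
      }
    ]
  }
}

// PaaS: Azure patches the App Service host OS and the SQL engine. Transport
// security, network exposure and how the app authenticates are still yours.
resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: 'plan-web'
  location: location
  sku: {
    name: 'B1'
  }
}

resource web 'Microsoft.Web/sites@2022-09-01' = {
  name: 'app-web-${uniqueString(resourceGroup().id)}'
  location: location
  identity: {
    type: 'SystemAssigned'   // lets the app authenticate to SQL without a stored password
  }
  properties: {
    serverFarmId: plan.id
    httpsOnly: true          // default is false: plain HTTP would be accepted
    siteConfig: {
      minTlsVersion: '1.2'
      ftpsState: 'Disabled'  // the FTP deployment endpoint stays on unless you turn it off
    }
  }
}

resource sqlServer 'Microsoft.Sql/servers@2021-11-01' = {
  name: 'sql-web-${uniqueString(resourceGroup().id)}'
  location: location
  properties: {
    minimalTlsVersion: '1.2'
    publicNetworkAccess: 'Disabled'    // reachable only through a private endpoint (not shown)
    administrators: {
      administratorType: 'ActiveDirectory'
      azureADOnlyAuthentication: true  // no password-based SQL logins at all
      principalType: 'Group'
      login: sqlAdminGroupName
      sid: sqlAdminGroupObjectId
      tenantId: subscription().tenantId
    }
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file responsibility.bicep --parameters sqlAdminGroupObjectId=<guid>`. With public network access disabled, the app needs a private endpoint and VNet integration to reach the server, which this template leaves out. A useful test of the boundary: everything Azure owns (host OS patching, the hypervisor, the datacenter) has no property in this file at all; everything that does appear is yours to get right.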

SaaS Responsibilities

With SaaS like Microsoft 365, the provider runs the app. You still manage users, roles, data, retention, and device security.

Exam Reminder

Even with SaaS, Microsoft is not responsible for your users’ misuse of data or for weak access controls you configure. Those remain your responsibility.

Thought Exercise: Draw Your Own Responsibility Line

Use this short activity to internalize the shared responsibility model.

  1. Pick a workload you know (or imagine one):
  • Example A: A simple website.
  • Example B: An internal HR system.
  • Example C: A data analytics dashboard.
  2. Decide a service model you might use on Azure:
  • IaaS (Azure Virtual Machines)
  • PaaS (Azure App Service, Azure SQL Database)
  • SaaS (Microsoft 365 or a SaaS HR system)
  3. List what you think Azure handles vs what you handle. Use a quick table in your notes:
  • For your chosen service model, write two columns:
  • Left: “Azure handles…”
  • Right: “We handle…”
  4. Check yourself using these guiding questions:
  • Who patches the OS?
  • Who configures network access rules?
  • Who creates and manages user accounts?
  • Who decides data retention and classification?
  • Who is responsible if a stolen laptop with cached data is misused?
  5. Adjust your list:
  • Shift anything related to physical security, hardware, and hypervisor to Azure.
  • Shift anything related to your users, data, app code, and device security to your side.

Keep your notes. When you hit the next mock exam in this course, compare your answers to how the exam phrases responsibility questions.

Quick Check: Deployment Models

Test your understanding of public, private, and hybrid cloud.

An organization wants to keep its core banking system in its own datacenter but use Azure for a new mobile banking app that must access on-premises data. Which deployment model best describes this setup?

  A. Public cloud
  B. Private cloud
  C. Hybrid cloud
  D. Multi-tenant SaaS

Answer: C) Hybrid cloud

This is hybrid cloud: a computing environment that combines public and private clouds, allowing data and applications to be shared between them. The on-prem core system is private, the Azure mobile app is public cloud, and they are connected.

Quick Check: Shared Responsibility in Azure

Now test your understanding of who is responsible for what.

You deploy an application using Azure App Service and Azure SQL Database (both PaaS). Which of the following is primarily YOUR responsibility?

  A. Physical security of the Azure datacenters where the app runs
  B. Patching the Windows Server operating system that hosts Azure App Service
  C. Configuring user access and protecting sensitive data stored in the database
  D. Maintaining the hypervisor that runs the underlying virtual machines

Answer: C) Configuring user access and protecting sensitive data stored in the database

With PaaS, Azure handles the datacenters, the hypervisor, and the operating system and runtime of the platform. You are responsible for your application code, its configuration, user access, and data protection, so configuring access and protecting the data stored in the database is your responsibility.

Key Term Flashcards: Deployment and Responsibility

Flip through these cards to reinforce the canonical definitions and core ideas.

Public cloud (definition)
A public cloud is a cloud deployment model in which a cloud provider owns and operates the infrastructure and delivers computing resources over the public internet to multiple tenants.
Private cloud (definition)
A private cloud is a cloud deployment model in which cloud resources are used exclusively by a single organization, either hosted on-premises or by a third-party provider.
Hybrid cloud (definition)
A hybrid cloud is a computing environment that combines public and private clouds, allowing data and applications to be shared between them.
Shared responsibility model (definition)
The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.
IaaS (definition)
Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.
PaaS (definition)
Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.
SaaS (definition)
Software as a Service (SaaS) is a cloud service model that delivers software applications over the internet on a subscription basis.
Azure responsibility: always
Azure is always responsible for physical datacenter security, power, cooling, hardware, and the virtualization layer that runs your workloads.
Customer responsibility: always
You are always responsible for your data, identities and access control, and how you configure and use cloud services to meet your compliance needs.
Hybrid exam clue
If a scenario mentions keeping some workloads on-premises while also using Azure and sharing data or apps between them, it is describing hybrid cloud.

Key Terms

Azure Policy
Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
hybrid cloud
A hybrid cloud is a computing environment that combines public and private clouds, allowing data and applications to be shared between them.
public cloud
A public cloud is a cloud deployment model in which a cloud provider owns and operates the infrastructure and delivers computing resources over the public internet to multiple tenants.
private cloud
A private cloud is a cloud deployment model in which cloud resources are used exclusively by a single organization, either hosted on-premises or by a third-party provider.
Microsoft Entra ID
Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
shared responsibility model
The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.
Platform as a Service (PaaS)
Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.
Software as a Service (SaaS)
Software as a Service (SaaS) is a cloud service model that delivers software applications over the internet on a subscription basis.
role-based access control (RBAC)
Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
Infrastructure as a Service (IaaS)
Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.
