Skarp

Chapter 19 of 21

Domain Review: Azure Architecture and Services Deep Dive and Practice

Consolidate your knowledge of Azure’s core architecture and services with structured review and mini-scenarios that feel like the real exam.

27 min read

Azure Core Architecture: The Canonical Components

Canonical Components

Know this exact canonical list: Azure regions, region pairs, Availability Zones, Azure datacenters, Azure resources, resource groups, subscriptions.

Physical Layers

Physical side: Azure datacenters are facilities. Azure regions are sets of datacenters in a location. Availability Zones are separate datacenters within one region.

Region Pairs

Each region is linked to another as a region pair in the same geography, used for platform-level disaster recovery and prioritized recovery.

Logical Layers

Logical side: subscriptions contain resource groups, which contain Azure resources like VMs, storage accounts, VNets, and web apps.

Exam Pattern

Common exam twist: the question asks whether to use a region, subscription, or resource group to group or manage items. Grouping by lifecycle = resource group.

Regions, Region Pairs, and Availability Zones in Scenarios

Regions: Why They Matter

Regions are geographic groupings of datacenters. You choose them for latency, data residency (e.g., GDPR), and which Azure services are available.

Availability Zones

Availability Zones are separate datacenters within one region, giving high availability against datacenter failures while keeping data in that region.

Region Pairs

Region pairs are two regions in the same geography. Microsoft uses them for staggered updates and prioritized recovery during major outages.

When to Use Zones

If a scenario says “survive datacenter failure in a region” or “higher uptime SLA” for VMs, think of using multiple Availability Zones.

When to Use Region Pairs

If a scenario says “survive regional disasters” or “cross-region replication,” think region pairs and options like geo-redundant storage.

Region and Availability Scenario Walkthroughs

Scenario 1: EU HR App

HR app for Germany, EU-only data, needs to survive datacenter failure. Use an EU region (e.g., West Europe) and deploy across multiple Availability Zones.

Scenario 2: Regional Disaster

E-commerce in East US must survive full region loss. Use East US with its paired region (e.g., West US) and cross-region replication like GRS.

Scenario 3: UK and India Users

UK data must stay in the UK. Place UK workloads in UK South or UK West and India workloads in Central India, possibly split by resource groups or subscriptions.

Pattern Reminder

Think: Regions = location, Zones = intra-region resilience, Region pairs = cross-region DR in exam questions.

Choosing Compute Services: VMs, App Service, Containers, and Serverless

VMs: Full Control

Azure Virtual Machines give IaaS. You manage OS, patches, and apps. Best for lift-and-shift or when you need full OS control.

App Service: Managed Web Apps

Azure App Service is PaaS for web apps/APIs. You deploy code; Azure handles OS, scaling, SSL, and easy Microsoft Entra ID integration.

Containers: ACI vs AKS

Use ACI for simple, short-lived container workloads. Use AKS for full Kubernetes orchestration and complex microservices.

Azure Functions: Serverless

Azure Functions run small pieces of code in response to events, with automatic scaling and pay-per-execution pricing.

Exam Mapping

Watch for keywords: “lift and shift” → VMs, “web app no OS management” → App Service, “event-driven code” → Functions.

Networking and Storage: Picking the Right Building Blocks

Virtual Network Basics

A VNet is your private network in Azure. You define address spaces, subnets, and security rules, and connect VMs and services inside it.

Hybrid Connectivity

Use VPN Gateway for encrypted tunnels over the internet. Use ExpressRoute for private, dedicated connectivity not traversing the public internet.

Load Balancing and WAF

Azure Load Balancer is L4 for TCP/UDP. Application Gateway is L7 for HTTP/HTTPS, with features like WAF and URL-based routing.

Storage Account Services

A storage account offers blobs, file shares, queues, and tables. Blobs for objects, Files for SMB shares, Queues for messages, Tables for NoSQL.

Redundancy Levels

LRS = within one datacenter, ZRS = across zones in a region, GRS/GZRS = to a secondary region for disaster recovery.

Microsoft Entra ID, RBAC, and Azure Policy in Architectures

Microsoft Entra ID

Microsoft Entra ID is Microsoft’s cloud-based identity and access management service for signing in to Microsoft 365, Azure, and many SaaS apps.

RBAC

Role-based access control (RBAC) provides fine-grained authorization for Azure resources based on roles assigned to users, groups, and service principals.

Azure Policy

Azure Policy lets you create and assign rules so Azure resources stay compliant with corporate standards and SLAs.

Identity vs Authorization

Entra ID answers “Who are you?”; RBAC answers “What can you do?”; Azure Policy answers “What configurations are allowed or enforced?”

Exam Cues

SSO and sign-in → Entra ID. Grant or restrict actions on resources → RBAC. Enforce configuration rules at scale → Azure Policy.

Mini Architecture Thought Exercises

Exercise 1: Web App

Marketing website, no OS management, auto-scale, users in Western Europe. Think: App Service in West Europe with multiple instances or zones.

Exercise 2: Hybrid Link

Need encrypted connection from on-premises to Azure VNet, no private circuit. Answer: VPN Gateway over the public internet.

Exercise 3: Governance

Enforce allowed regions and geo-redundant storage. Use Azure Policy at subscription or management group scope.

Quick Check: Core Architecture and Services

Answer each question, then read the explanation to reinforce patterns AZ-900 likes to test.

You are designing a solution where an internal line-of-business app must be migrated from on-premises to Azure with minimal changes. The app runs on Windows Server and requires full control over the OS and custom security software. Which Azure compute option is the BEST fit?

  A. Azure App Service
  B. Azure Virtual Machines
  C. Azure Functions
  D. Azure Container Instances

Answer: B) Azure Virtual Machines

**Correct: Azure Virtual Machines.**

- The scenario needs **full control over the OS** and custom security software, and it is a classic **lift-and-shift** case. That points directly to **IaaS VMs**.
- **Azure App Service** hides the OS and is best for web apps where you do not need OS-level control.
- **Azure Functions** is serverless and best for small, event-driven pieces of code, not full server apps.
- **Azure Container Instances** run containers without managing servers, but you do not get the same OS-level customization as a full VM.

Quick Check: Regions, Identity, and Governance

Another short quiz to reinforce region, identity, and policy concepts.

Your organization wants to ensure that all Azure resources are created only in the "North Europe" and "West Europe" regions. Administrators should be blocked from creating resources in any other region. Which Azure feature should you use?

  A. Microsoft Entra ID
  B. Role-based access control (RBAC)
  C. Azure Policy
  D. Azure Virtual Network service endpoints

Answer: C) Azure Policy

**Correct: Azure Policy.**

- **Azure Policy** is used to **create, assign, and manage policies that enforce rules and effects over your resources**, including allowed locations.
- You can define a policy that restricts allowed regions to North Europe and West Europe and assign it at subscription or management group scope.
- **Microsoft Entra ID** handles identity and sign-in, not region restrictions.
- **RBAC** controls **who** can perform actions, not **where** resources can be created.
- **Virtual Network service endpoints** secure traffic to Azure services, but they do not restrict where resources may be deployed.
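To make the "allowed locations" answer above and Exercise 3 concrete, here is an added example (not part of Skarp's chapter and not Microsoft's code) that models how a policy rule with a deny effect is evaluated against deployment requests. The rule shape follows the built-in Allowed locations definition, the second rule covers Exercise 3's geo-redundant storage requirement, and the parameter list and resource requests are constructed for illustration.

```python
# Added example (not Skarp's or Microsoft's code): a small evaluator for Azure Policy rule
# JSON, shaped like the built-in "Allowed locations" policy; requests below are constructed.
ALLOWED_LOCATIONS = {  # deny outside the allowed list; 'global' resources have no region
    "if": {"allOf": [
        {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        {"field": "location", "notEquals": "global"}]},
    "then": {"effect": "deny"}}
REQUIRE_GRS = {  # Exercise 3's second requirement: storage accounts must be geo-redundant
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/sku.name",
         "notIn": ["Standard_GRS", "Standard_RAGRS", "Standard_GZRS", "Standard_RAGZRS"]}]},
    "then": {"effect": "deny"}}
PARAMS = {"listOfAllowedLocations": ["northeurope", "westeurope"]}  # set on the assignment
def _resolve(value, params):
    """Expand "[parameters('name')]" into the value given on the policy assignment."""
    if isinstance(value, str) and value.startswith("[parameters('"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value

def _matches(cond, resource, params):
    """True when the condition fires; 'field' values are read from the resource."""
    if "allOf" in cond:
        return all(_matches(c, resource, params) for c in cond["allOf"])
    actual = resource.get(cond["field"])
    if "equals" in cond:
        return actual == _resolve(cond["equals"], params)
    if "notEquals" in cond:
        return actual != _resolve(cond["notEquals"], params)
    if "notIn" in cond:
        return actual not in _resolve(cond["notIn"], params)
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resource, rules=(ALLOWED_LOCATIONS, REQUIRE_GRS), params=PARAMS):
    """Return 'deny' when any assigned rule fires (ARM rejects the request), else 'allow'."""
    for rule in rules:
        if _matches(rule["if"], resource, params):
            return rule["then"]["effect"]
    return "allow"

ST = "Microsoft.Storage/storageAccounts"  # constructed requests; sku alias kept as a plain key
REQUESTS = {
    "vm-eastus": {"type": "Microsoft.Compute/virtualMachines", "location": "eastus"},
    "vm-westeurope": {"type": "Microsoft.Compute/virtualMachines", "location": "westeurope"},
    "tm-global": {"type": "Microsoft.Network/trafficManagerProfiles", "location": "global"},
    "st-lrs": {"type": ST, "location": "northeurope", ST + "/sku.name": "Standard_LRS"},
    "st-grs": {"type": ST, "location": "northeurope", ST + "/sku.name": "Standard_GRS"}}
def decisions():
    """Map each request name to its policy outcome."""
    return {name: evaluate(r) for name, r in REQUESTS.items()}
```

The East US VM and the LRS storage account are denied, while the global Traffic Manager profile passes because the location rule exempts resources that have no region.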

Flashcards: Must-Know Terms for AZ-900 Architecture

Use these flashcards to reinforce key definitions and canonical lists that frequently appear in AZ-900 architecture questions.

Azure core architectural components (canonical list)
The canonical list is: **Azure regions**, **region pairs**, **Availability Zones**, **Azure datacenters**, **Azure resources**, **resource groups**, **subscriptions**.
Microsoft Entra ID
Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
role-based access control (RBAC)
Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
Azure Policy
Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
When to use Availability Zones vs region pairs
Use **Availability Zones** to protect against datacenter failure **within a region**. Use **region pairs** and cross-region replication to protect against **entire region** failures and for disaster recovery.
Best compute choice: lift-and-shift legacy app
**Azure Virtual Machines** (IaaS) – full OS control, good for migrating existing on-premises apps with minimal changes.
Best compute choice: simple web app, no OS management
**Azure App Service** – PaaS web hosting with managed OS, easy scaling, and built-in integration with Microsoft Entra ID.
Best networking choice: secure tunnel over internet from on-premises
**VPN Gateway** – creates an encrypted tunnel over the public internet between on-premises networks and an Azure Virtual Network.
Best storage choice: large unstructured files (images, video, backups)
**Azure Blob storage** in a **storage account**, with redundancy level chosen based on availability and disaster recovery needs.
Redundancy levels: LRS, ZRS, GRS/GZRS
LRS: copies data within one datacenter. ZRS: across Availability Zones in a region. GRS/GZRS: to a secondary region (often in the region pair) for disaster recovery.

Key Terms

Azure Files
Fully managed SMB file shares in Azure that can be mounted by Windows, Linux, and macOS systems.
VPN Gateway
An Azure service that provides encrypted site-to-site or point-to-site VPN connections over the public internet.
Azure Policy
An Azure service used to create and assign policies that enforce configuration rules and compliance across resources.
ExpressRoute
A private, dedicated connection between on-premises networks and Azure that does not traverse the public internet.
region pairs
Pairs of Azure regions in the same geography used by Microsoft for disaster recovery, prioritized recovery, and staggered platform updates.
Azure regions
Geographic areas containing one or more Azure datacenters, chosen for latency, data residency, and service availability.
Managed disks
Block-level storage volumes used with Azure Virtual Machines, managed by Azure for availability and durability.
subscriptions
Billing and administrative boundaries in Azure that contain resource groups and resources.
Azure Functions
A serverless compute service that runs event-driven code without managing infrastructure.
Azure resources
Individual services you deploy in Azure such as virtual machines, storage accounts, databases, and virtual networks.
resource groups
Logical containers in Azure that hold related resources for unified management of lifecycle, access, and policies.
Azure App Service
A PaaS offering for building, hosting, and scaling web apps, REST APIs, and mobile backends.
Azure datacenters
Physical facilities housing Azure servers, storage, networking, power, and cooling infrastructure.
Availability Zones
Physically separate datacenters within an Azure region that provide high availability and fault isolation.
Azure Blob storage
Object storage for unstructured data such as images, documents, and backups, provided through an Azure Storage account.
Microsoft Entra ID
Microsoft’s cloud-based identity and access management service for authenticating users and providing access to resources like Microsoft 365 and the Azure portal.
Azure Load Balancer
A layer-4 load balancing service that distributes TCP/UDP traffic across healthy instances of services like VMs.
Azure Storage account
An Azure resource that provides Blob, File, Queue, and Table storage services with configurable redundancy.
Azure Virtual Machines
IaaS compute resources in Azure that provide full control over the operating system and installed software.
Azure Application Gateway
A layer-7 HTTP/HTTPS load balancer with features such as SSL termination, URL-based routing, and web application firewall (WAF).
Azure Virtual Network (VNet)
The fundamental private network in Azure where you define address spaces, subnets, and security rules for resources.
Azure Kubernetes Service (AKS)
A managed Kubernetes service in Azure for running containerized applications at scale.
Azure Container Instances (ACI)
A service that runs containers on demand in Azure without managing servers or clusters.
role-based access control (RBAC)
An Azure authorization system that grants fine-grained access to resources based on roles assigned to identities.
