Chapter 18 of 21
Domain Review: Cloud Concepts Deep Dive and Practice
Reinforce your understanding of cloud concepts with targeted review, comparisons, and scenario-based practice that mirror how AZ-900 tests these ideas.
Cloud Computing: Canonical Definition and Core Benefits
Canonical Definition
Cloud computing is the delivery of computing services over the internet, enabling faster innovation, flexible resources, and economies of scale. Commit this exact wording to memory.
Breaking It Down
Computing services = servers, storage, databases, networking, software. Over the internet = you access Azure datacenters remotely instead of owning all the hardware.
Why Organizations Use Cloud
Key benefits: reduced CapEx, pay-as-you-go OpEx, scalability, elasticity, reliability, agility, global reach, and strong security/compliance investments from Microsoft.
Common Exam Traps
Watch for options that mix up CapEx vs OpEx, or treat elasticity as only scaling up (it is up and down). Also, cloud does not automatically eliminate all security responsibilities.
Deployment Models: Public, Private, Hybrid Cloud
Deployment vs Service Models
Deployment models = where/how infrastructure is hosted. Service models (IaaS/PaaS/SaaS) = what level of abstraction you consume. Do not mix them.
Public Cloud
Public cloud: provider owns and runs infrastructure, delivers resources over the public internet to multiple tenants. Azure is the key example for AZ-900.
Private Cloud
Private cloud: cloud resources used exclusively by a single organization, on-premises or hosted by a third party. Focus on exclusivity and single organization.
Hybrid Cloud
Hybrid cloud combines public and private clouds so data and apps can be shared. Think on-prem datacenter securely connected to Azure.
Exam Clues
Bursting to cloud, keeping sensitive data on-prem, or mixing environments usually signals hybrid cloud. Multiple tenants and public internet usually signal public cloud.
Service Models: IaaS, PaaS, SaaS (Canonical List)
Canonical Service Models
Memorize this list: 1) Infrastructure as a Service (IaaS), 2) Platform as a Service (PaaS), 3) Software as a Service (SaaS).
IaaS in Practice
IaaS provides virtualized servers, storage, networking on demand. You manage OS, runtime, data, and apps. Example: Azure Virtual Machines.
PaaS in Practice
PaaS gives you a full dev and deployment environment: infrastructure, middleware, tools. You focus on code and data. Example: Azure App Service.
SaaS in Practice
SaaS delivers complete apps over the internet on a subscription basis. You just use the app. Example: Microsoft 365.
Mixed-Model Questions
If a question says "host a web app on Azure without managing OS", that points to PaaS. If it says "lift-and-shift VMs", that points to IaaS.
Shared Responsibility Model and Security Basics
Canonical Definition
The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.
Responsibility by Model
On-prem: you do everything. IaaS: Microsoft secures physical infra; you secure OS, apps, data. PaaS: Microsoft also secures OS/runtime. SaaS: Microsoft manages most; you manage identities and data.
Typical Exam Questions
Physical datacenter security = Microsoft. Data in your database or storage account = you. Identity configuration and access control = you.
Key Misconception
Cloud does not mean "no security work" for customers. You always own your data, identities, and how your users access resources.
Scenario Practice: Deployment vs Service Model
Scenario 1: Online Store
Azure App Service hosts a web app; customer avoids server/OS management. Deployment: public cloud. Service model: PaaS.
Scenario 2: Regulated Bank
Sensitive data stays on-prem; anonymized data goes to Azure ML via VPN. Deployment: hybrid cloud. Service model: PaaS (managed ML platform).
Scenario 3: Microsoft 365
Email and collaboration via Microsoft 365 subscription. Deployment: public cloud. Service model: SaaS.
Pattern Recognition
If you manage OS and VMs, think IaaS. If you just deploy code, think PaaS. If you simply use an app via subscription, think SaaS.
Cloud Pricing, CapEx vs OpEx, and Basic Trade-offs
CapEx vs OpEx
CapEx = big upfront hardware spend. OpEx = ongoing service charges. Cloud shifts you from CapEx-heavy to OpEx-focused spending.
Pricing Models
Pay-as-you-go suits variable or short-lived workloads. Long, predictable workloads often save with commitment-based discounts like reserved instances.
Cloud Pros and Cons
Pros: flexibility, scalability, global reach, less hardware work. Cons: ongoing OpEx, potential egress fees, risk of uncontrolled spending without governance.
Exam Clues
Avoiding upfront cost? Think OpEx/pay-as-you-go. Steady 24/7 load over years? Think reservation or commitment discounts.
Identity, Access, and Governance: Entra ID, RBAC, Azure Policy
Microsoft Entra ID
Microsoft Entra ID is Microsoft’s cloud-based identity and access management service for signing in to resources like Microsoft 365, Azure portal, and SaaS apps.
RBAC Basics
RBAC provides fine-grained access control for Azure resources using roles assigned to users, groups, and service principals at different scopes.
Azure Policy Basics
Azure Policy lets you define and enforce rules so resources stay compliant, e.g., only certain regions, required tags, or allowed SKUs.
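A worked Azure Policy definition, added here as an example (it is not from this page and is not Microsoft's published built-in), showing the "only certain regions" rule: any resource whose location is outside the parameter list is rejected at deployment time. The default regions are constructed sample values, and the assumption is stated in the description field.

```json
{
  "properties": {
    "displayName": "Allowed locations (example definition)",
    "description": "Example policy, not the built-in: denies resources created outside the allowedLocations list. Default regions are constructed sample values.",
    "mode": "Indexed",
    "metadata": { "category": "General" },
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "description": "Regions where resources may be deployed",
          "strongType": "location"
        },
        "defaultValue": [ "northeurope", "westeurope" ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "location", "notIn": "[parameters('allowedLocations')]" },
          { "field": "location", "notEquals": "global" }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
```

The second condition keeps services that only exist with location "global" (for example DNS zones) from being blocked, a common mistake in a first region policy. Changing the effect from "deny" to "audit" would record noncompliant resources in the compliance view instead of rejecting the deployment.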
Which Tool When?
Sign-in and identities? Entra ID. Who can do what on resources? RBAC. Enforce configuration rules and compliance? Azure Policy.
Thought Exercise: Fix the Misconceptions
Work through these common misconceptions by rewriting each statement in your own words (mentally or in notes) so that it becomes correct. This mirrors the reasoning you need in AZ-900 multiple-choice questions.
- Misconception: "In the cloud, Microsoft is fully responsible for security, so we do not need to worry about it."
- Fix it: Use the shared responsibility model. Who secures physical infrastructure? Who secures data and identities?
- Misconception: "Azure Virtual Machines are PaaS because Microsoft manages the hardware."
- Fix it: Re-anchor on the canonical IaaS definition. What exactly does IaaS provide? What are you still responsible for on a VM?
- Misconception: "Hybrid cloud means using both Azure and another public cloud provider at the same time."
- Fix it: Recall the canonical hybrid cloud definition. How is that different from multi-cloud?
- Misconception: "Using SaaS like Microsoft 365 means we no longer need to manage user permissions."
- Fix it: Think about Entra ID and RBAC. What does the customer still manage in SaaS?
- Misconception: "Cloud computing always reduces total cost, no matter how we use it."
- Fix it: Consider poor governance, idle resources, and data egress. How does good design and monitoring affect cost outcomes?
Self-check prompt: After you correct each statement, try to connect it to at least one Azure service (e.g., "For misconception 2, Azure Virtual Machines are IaaS because..."). This will reinforce mapping concepts to real services.
Quiz 1: Deployment vs Service Models
Test your ability to distinguish deployment models from service models.
Your company wants to move an existing on-premises web application to Azure by lifting and shifting the virtual machines with minimal changes. The app will run entirely on Azure infrastructure owned by Microsoft and shared with other customers. Which combination best describes this approach?
- Private cloud with Platform as a Service (PaaS)
- Public cloud with Infrastructure as a Service (IaaS)
- Hybrid cloud with Software as a Service (SaaS)
- Public cloud with Software as a Service (SaaS)
Answer: B) Public cloud with Infrastructure as a Service (IaaS)
The app runs on Azure infrastructure owned by Microsoft and shared with multiple tenants, which is public cloud. Lifting and shifting VMs means you are using virtualized computing resources (servers, storage, networking) on demand, which matches Infrastructure as a Service (IaaS). PaaS would hide VM/OS management, and SaaS would be consuming a complete application rather than running your own.
Quiz 2: Shared Responsibility and Governance
Check your understanding of security responsibilities and governance tools.
Which statement best aligns with the shared responsibility model for an application running on Azure App Service (PaaS)?
- Microsoft is responsible for physical security, network infrastructure, operating system, and the security of your application code.
- You are responsible for physical security, network infrastructure, and operating system, while Microsoft secures only the application runtime.
- Microsoft secures physical infrastructure, network, and operating system, while you secure your application code, data, and access control.
- Security responsibilities are the same as running entirely on-premises; Microsoft only provides billing and monitoring tools.
Answer: C) Microsoft secures physical infrastructure, network, and operating system, while you secure your application code, data, and access control.
In PaaS (such as Azure App Service), Microsoft secures the physical datacenters, network, and operating system and manages the platform. You still own and secure your application code, data, and how identities and access permissions are configured. That is exactly what the shared responsibility model describes.
Flashcards: Canonical Definitions and Lists
Use these flashcards to lock in the exact wording and canonical lists AZ-900 expects.
- Cloud computing (definition)
- Cloud computing is the delivery of computing services over the internet, enabling faster innovation, flexible resources, and economies of scale.
- Public cloud (definition)
- A public cloud is a cloud deployment model in which a cloud provider owns and operates the infrastructure and delivers computing resources over the public internet to multiple tenants.
- Private cloud (definition)
- A private cloud is a cloud deployment model in which cloud resources are used exclusively by a single organization, either hosted on-premises or by a third-party provider.
- Hybrid cloud (definition)
- A hybrid cloud is a computing environment that combines public and private clouds, allowing data and applications to be shared between them.
- Cloud service models (canonical list)
- Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS).
- Infrastructure as a Service (IaaS)
- Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.
- Platform as a Service (PaaS)
- Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.
- Software as a Service (SaaS)
- Software as a Service (SaaS) is a cloud service model that delivers software applications over the internet on a subscription basis.
- Shared responsibility model
- The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.
- Microsoft Entra ID
- Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
- Role-based access control (RBAC)
- Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
- Azure Policy
- Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
- Cloud deployment models (canonical list)
- public cloud, private cloud, hybrid cloud.
Mini Case: Design and Reason Like AZ-900
Tie everything together with a short case similar to what you might see indirectly tested in AZ-900.
Case:
A university is modernizing its IT environment. Current situation:
- On-premises datacenter with legacy student information system (SIS).
- New requirement for a public-facing web portal where students can register for courses and pay fees.
- Compliance rules require some student records to remain on-premises, but non-sensitive data can be processed in the cloud.
- IT team wants to avoid managing more physical servers and prefers a managed platform for the new portal.
Your tasks (think through each):
- Deployment model:
- Would you classify this as public, private, or hybrid cloud overall? Why?
- Service model for the web portal:
- Given the desire to avoid OS/server management, which service model fits best: IaaS, PaaS, or SaaS? Which specific Azure service might you choose?
- Identity and access:
- Which Azure service should handle student and staff sign-in to the portal? How does that relate to the shared responsibility model?
- Governance:
- If the university wants to ensure resources are only deployed in specific Azure regions that meet data residency rules, which Azure governance feature would you recommend?
- Cost model:
- Explain how moving the new portal to Azure changes the balance of CapEx vs OpEx for the university.
Self-check (sample reasoning):
- Many learners will identify this as a hybrid cloud design, use PaaS (for example, Azure App Service) for the portal, rely on Microsoft Entra ID for identity, use Azure Policy to enforce regions, and describe the shift from CapEx-heavy on-prem to OpEx-focused cloud for the new workload.
Compare your reasoning to this outline and adjust any part that does not line up with the canonical definitions you reviewed.
Key Terms
- OpEx
- Operational Expenditure: ongoing costs for services and resources consumed over time, such as cloud subscriptions.
- CapEx
- Capital Expenditure: upfront investment in physical infrastructure such as servers and networking equipment.
- Azure Policy
- Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
- hybrid cloud
- A hybrid cloud is a computing environment that combines public and private clouds, allowing data and applications to be shared between them.
- public cloud
- A public cloud is a cloud deployment model in which a cloud provider owns and operates the infrastructure and delivers computing resources over the public internet to multiple tenants.
- Microsoft 365
- A suite of Software as a Service (SaaS) productivity applications including Exchange Online, SharePoint Online, and Microsoft Teams.
- private cloud
- A private cloud is a cloud deployment model in which cloud resources are used exclusively by a single organization, either hosted on-premises or by a third-party provider.
- cloud computing
- Cloud computing is the delivery of computing services over the internet, enabling faster innovation, flexible resources, and economies of scale.
- Azure App Service
- A Platform as a Service (PaaS) offering in Azure for hosting web apps, REST APIs, and mobile back ends without managing infrastructure.
- Microsoft Entra ID
- Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
- shared responsibility model
- The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.
- Platform as a Service (PaaS)
- Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.
- Software as a Service (SaaS)
- Software as a Service (SaaS) is a cloud service model that delivers software applications over the internet on a subscription basis.
- role-based access control (RBAC)
- Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
- Infrastructure as a Service (IaaS)
- Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.