Chapter 16 of 21
Putting It Together: Designing Simple Azure Solutions at Fundamentals Level
Combine compute, storage, networking, identity, and governance pieces into small end-to-end solution sketches that mirror AZ-900 case-style questions.
From Requirements to Azure Sketch: How AZ-900 Scenarios Work
How AZ-900 Scenarios Feel
In AZ-900, you get short business scenarios and must pick the simplest Azure design that meets requirements like availability, cost, performance, and security.
Your Design Checklist
You map needs to: compute, storage, networking, identity, governance; choose IaaS/PaaS/SaaS; and factor in regions, Availability Zones, redundancy, and RBAC.
Core Components To Recognize
Know the core architectural components AZ-900 expects you to recognize: Azure regions and region pairs, Availability Zones, Azure datacenters, Azure resources, resource groups, subscriptions, and the management groups that sit above subscriptions to apply policy and access across many of them.
Think in Simple Sketches
Picture a region, with compute and storage inside a virtual network, users coming through Microsoft Entra ID, and governance via subscriptions and policies.
Step 1: Decode the Scenario – What Really Matters?
Why Decoding Matters
Exam scenarios hide clues in the wording. You must spot signals about control, availability, security, and cost before choosing services.
Keyword Signals: Service Model
“Full control over OS” points to IaaS VMs. “Deploy a web app without managing servers” points to PaaS. “Use online email or CRM” points to SaaS.
Keyword Signals: Resiliency & Data
“Stay online if a datacenter fails” hints at Availability Zones or redundancy. “Data must remain in a country” hints at careful region selection.
Keyword Signals: Identity & Cost
“Centralized identity” maps to Microsoft Entra ID. “Only admins manage resources” maps to RBAC. “Minimize cost” often favors PaaS/SaaS and right-sizing.
Step 2: Choose IaaS, PaaS, or SaaS for the Core Need
Memorize These Definitions
Know IaaS, PaaS, SaaS exactly: IaaS gives virtualized servers, storage, networking; PaaS gives a full dev/deploy environment; SaaS delivers apps over the internet.
Control vs Convenience
IaaS = most control, most work. PaaS = you manage app and data, Azure manages platform. SaaS = least control, you just use the software.
Azure Examples
IaaS: Virtual Machines. PaaS: App Service, Azure SQL Database, Functions. SaaS: Microsoft 365, Dynamics 365, and other online apps.
Exam Pattern
“Lift and shift existing app, custom OS” → IaaS. “Build new web app quickly, auto-scale” → PaaS. “Subscribe to a complete CRM or email” → SaaS.
Step 3: Example – Simple Web App Design (PaaS-first)
Scenario Summary
Small company needs a marketing site and contact form, no server management, can handle traffic spikes, low cost, staff-only admin dashboard.
Compute & Data Choices
Pick PaaS: Azure App Service for the web app. Store contact data in Azure Storage or Azure SQL Database depending on complexity.
Networking & Identity
Use App Service’s public endpoint with HTTPS only enabled. Protect the admin dashboard with App Service built-in authentication (often called Easy Auth) backed by Microsoft Entra ID, so unauthenticated requests are redirected to sign-in before they ever reach your application code.
Governance & Resiliency
Group resources in one resource group inside a subscription and tag them for cost tracking. A single region is enough unless higher resiliency is required: scaling out runs the app on several App Service instances, and the higher tiers (Premium v2/v3, Isolated v2) can spread those instances across Availability Zones.
Step 4: Regions, Region Pairs, and Availability Zones in Designs
Know the Structure
Azure regions are geographic areas containing one or more datacenters; most regions are paired with another region in the same geography; Availability Zones are physically separate groups of datacenters within a region, each with independent power, cooling, and networking.
Resource Organization
Azure resources live in resource groups, and those belong to subscriptions, which act as billing and access boundaries.
Design Rules of Thumb
Pick regions near users unless data residency requires otherwise. Use Availability Zones for datacenter failure, region pairs for regional disasters.
Exam Trap: Failure Scope
“Datacenter failure” → think zones. “Regional outage” → think multi-region using region pairs and geo-redundancy.
Step 5: Example – Lift-and-Shift VM with High Availability (IaaS)
Scenario Summary
Financial app on Windows + SQL needs quick migration, OS/DB control, survive datacenter failure, users in one country.
Compute, Region, and Network
Choose IaaS VMs in a virtual network, in a country-specific Azure region to meet data residency and latency needs.
High Availability Design
Place the app VMs and the SQL VMs across Availability Zones (the database tier also needs its own replication, such as a SQL Server Always On availability group, so a zone loss does not lose the data), use Premium SSD managed disks for SQL, and put a Standard SKU load balancer in front of the app VMs; the Basic SKU does not support Availability Zones.
Identity and Governance
Use Microsoft Entra ID for admin access, group resources in a resource group, and apply RBAC so only the ops team can manage them.
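The app tier of this lift-and-shift sketch, written out as Bicep. This is an added example, not code from the original page: it deploys one VM per Availability Zone behind a zone-redundant internal Standard Load Balancer inside a virtual network. The names, address ranges, VM size and image are placeholders (assumptions); network security groups, the SQL VMs and their Always On configuration are left out of this sketch.

```bicep
// Added example (not from the original page): zone-spread IaaS app tier for
// the Step 5 scenario. Names, address space, VM size and image are placeholders.
// Deploy into a resource group in a region that has Availability Zones.

param location string = resourceGroup().location
param adminUsername string
@secure()
param adminPassword string
param zones array = [ '1', '2', '3' ]

var lbName = 'lbi-app'

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-fin'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      { name: 'snet-app', properties: { addressPrefix: '10.10.1.0/24' } }
    ]
  }
}

// Standard SKU is required for zone awareness (Basic LB has no zone support).
// An internal frontend keeps the app VMs off the public internet; the only
// entry point is the private load balancer address inside the VNet.
resource lb 'Microsoft.Network/loadBalancers@2023-05-01' = {
  name: lbName
  location: location
  sku: { name: 'Standard' }
  properties: {
    frontendIPConfigurations: [
      {
        name: 'fe'
        zones: zones // zone-redundant frontend: survives loss of any one zone
        properties: {
          subnet: { id: vnet.properties.subnets[0].id }
          privateIPAllocationMethod: 'Dynamic'
        }
      }
    ]
    backendAddressPools: [ { name: 'be-app' } ]
    probes: [
      { name: 'hp', properties: { protocol: 'Tcp', port: 443, intervalInSeconds: 5, numberOfProbes: 2 } }
    ]
    loadBalancingRules: [
      {
        name: 'https'
        properties: {
          frontendIPConfiguration: { id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', lbName, 'fe') }
          backendAddressPool: { id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', lbName, 'be-app') }
          probe: { id: resourceId('Microsoft.Network/loadBalancers/probes', lbName, 'hp') }
          protocol: 'Tcp'
          frontendPort: 443
          backendPort: 443
        }
      }
    ]
  }
}

// One NIC per VM, private IP only, registered in the LB backend pool.
resource nics 'Microsoft.Network/networkInterfaces@2023-05-01' = [for (z, i) in zones: {
  name: 'nic-app-${i}'
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: { id: vnet.properties.subnets[0].id }
          privateIPAllocationMethod: 'Dynamic'
          loadBalancerBackendAddressPools: [ { id: lb.properties.backendAddressPools[0].id } ]
        }
      }
    ]
  }
}]

// One VM per zone: a single datacenter failure takes out at most one instance.
resource vms 'Microsoft.Compute/virtualMachines@2023-09-01' = [for (z, i) in zones: {
  name: 'vm-app-${i}'
  location: location
  zones: [ z ]
  properties: {
    hardwareProfile: { vmSize: 'Standard_D2s_v5' }
    osProfile: { computerName: 'vmapp${i}', adminUsername: adminUsername, adminPassword: adminPassword }
    storageProfile: {
      imageReference: { publisher: 'MicrosoftWindowsServer', offer: 'WindowsServer', sku: '2022-datacenter-azure-edition', version: 'latest' }
      osDisk: { createOption: 'FromImage', managedDisk: { storageAccountType: 'Premium_LRS' } }
    }
    networkProfile: { networkInterfaces: [ { id: nics[i].id } ] }
  }
}]
```

The two details that matter for the exam's "survive a datacenter failure" requirement are the `zones` property on each VM and the zone-redundant frontend on a Standard load balancer; with the Basic SKU, or with all VMs pinned to the same zone, the rest of the template would deploy fine but would not meet the requirement.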
Step 6: Identity, RBAC, and Governance in Simple Architectures
Identity & Access Basics
Microsoft Entra ID provides identity and SSO. RBAC controls who can manage Azure resources. Azure Policy enforces rules over those resources.
Using RBAC Wisely
Assign built-in roles like Reader, Contributor, and Owner to Microsoft Entra ID groups rather than individual users, at the narrowest scope that works (a resource group rather than the whole subscription), following least privilege for different teams. Contributor can manage resources but cannot change role assignments; reserve Owner for the few people who must.
Structuring Environments
Separate dev, test, and prod into different resource groups or subscriptions and apply different RBAC and policies to each environment.
Exam Clues
“Only networking team can change VNets” → RBAC. “Block deployments outside Europe” → Azure Policy. “Centralized sign-in” → Microsoft Entra ID.
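The RBAC and Azure Policy pieces of Step 6, as an added Bicep example that is not part of the original page. It is deployed once per environment resource group (dev, test, prod) with different parameters, which is how the "separate environments, different RBAC and policies" advice above is put into practice. The Entra ID group object IDs, resource group names and region list are placeholders (assumptions); the role definition and policy definition GUIDs are Azure's built-in ones and are the same in every tenant.

```bicep
// Added example (not from the original page): per-environment governance in Bicep.
// Deploy once per environment, for example:
//   az deployment group create -g rg-app-prod -f governance.bicep \
//     -p environment=prod adminGroupId=<objectId> readerGroupId=<objectId>
// Group object IDs and region names are placeholders you replace with your own.

@allowed([
  'dev'
  'test'
  'prod'
])
param environment string

param adminGroupId string   // Entra ID group allowed to modify this environment (placeholder)
param readerGroupId string  // Entra ID group that may only view it (placeholder)

// Regions this environment may deploy into (data residency, e.g. "stay in Europe").
param allowedLocations array = [
  'westeurope'
  'northeurope'
]

// Built-in role definition IDs (identical in every Azure tenant).
var contributorRoleId = 'b24988ac-6180-42a0-ab88-20f7382dd24c'
var readerRoleId = 'acdd72a7-3385-48ef-bd42-f606fba81ae7'

// Built-in policy definition "Allowed locations".
var allowedLocationsPolicyId = tenantResourceId('Microsoft.Authorization/policyDefinitions', 'e56962a6-4747-49cd-b67b-bf8b01975c4c')

// Contributor for the team that owns the environment, scoped to this resource
// group only. Owner is deliberately not granted: Owner can rewrite RBAC itself,
// which is more than "manage resources".
resource adminAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, adminGroupId, contributorRoleId) // deterministic, so redeploys are idempotent
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', contributorRoleId)
    principalId: adminGroupId
    principalType: 'Group'
  }
}

// Everyone else who needs visibility gets Reader and nothing more.
resource readerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, readerGroupId, readerRoleId)
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', readerRoleId)
    principalId: readerGroupId
    principalType: 'Group'
  }
}

// Azure Policy, not RBAC, is what blocks deployments outside the allowed regions:
// a Contributor who tries to create a resource in another region is denied.
resource locationGuardrail 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'allowed-locations-${environment}'
  properties: {
    displayName: 'Allowed locations (${environment})'
    policyDefinitionId: allowedLocationsPolicyId
    parameters: {
      listOfAllowedLocations: {
        value: allowedLocations
      }
    }
  }
}
```

The split mirrors the exam clues: who may change things is a role assignment (RBAC); what may be deployed, and where, is a policy assignment (Azure Policy). Because the policy is evaluated by Azure Resource Manager, it applies to the Contributor group too, which is the reason it is the right tool for "block deployments outside Europe".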
Step 7: Design Walkthrough – You Pick the Services
Work through this thought exercise as if it were an exam question. Try to answer before reading the guided reasoning.
Scenario
A startup is building a simple mobile app backend. Requirements:
- Public API for mobile apps.
- Minimal management of servers.
- Automatic scaling during traffic spikes.
- Store user profiles and app data in a managed database.
- Developers should deploy changes frequently with low friction.
- Only the cloud team should be able to modify production resources.
Pause now and decide:
- Would you choose IaaS, PaaS, or SaaS for the API?
- Which Azure compute and database services would you use?
- How would you handle identity and access for admins?
Guided reasoning (check your thinking)
- They want minimal server management and auto-scaling → PaaS.
- Compute: Azure App Service or Azure Functions for the API.
- Database: Azure SQL Database or Azure Cosmos DB depending on data model. At fundamentals level, Azure SQL Database is a safe default for relational data.
- Use Microsoft Entra ID for admin sign-in to the Azure portal. Put production resources in a `rg-prod` resource group and assign appropriate RBAC roles (for example, Contributor) only to the cloud team.
Reflect: Did your choices match this? If not, which requirement did you interpret differently?
Step 8: Quick Check – Service Model and Resiliency
Answer this AZ-900-style question and then read the explanation.
A company wants to move its on-premises email system to the cloud. They do NOT want to manage servers or software updates and prefer to pay a monthly subscription per user. Which type of cloud service model best fits this requirement?
- A) Infrastructure as a Service (IaaS)
- B) Platform as a Service (PaaS)
- C) Software as a Service (SaaS)
- D) Hybrid cloud
Answer: C) Software as a Service (SaaS)
They want a complete email application delivered over the internet on a per-user subscription and do not want to manage servers or software updates. This exactly matches **Software as a Service (SaaS)**. IaaS and PaaS would still leave them managing parts of the stack (the OS and mail software, or at least the application). Hybrid cloud is a deployment model, not a service model, so it does not answer the question.
Step 9: Quick Check – Regions, Zones, and Governance
Test your understanding of resiliency and governance choices.
Your app must remain available if a single datacenter in an Azure region fails. Cost is a concern, and the business does NOT require protection from a full regional outage. What is the MOST appropriate design choice at fundamentals level?
- A) Deploy the app in two different Azure regions in the same region pair
- B) Deploy the app across multiple Availability Zones within a single Azure region
- C) Deploy the app in a single Availability Zone with a backup in on-premises servers
- D) Use Azure Policy to block deployments outside the primary region
Answer: B) Deploy the app across multiple Availability Zones within a single Azure region
The requirement is about surviving a **datacenter failure within a region**, not a full regional outage. The correct approach is to deploy across **multiple Availability Zones** in one region. Multi-region deployment (option A) would also survive a datacenter failure but goes beyond what is required and costs more. An on-premises backup (option C) is not asked for and does not keep the app available. Azure Policy (option D) controls where resources may be deployed; it does nothing for availability.
Step 10: Flashcards – Core Terms for Solution Design
Use these flashcards to reinforce key terms that appear in AZ-900 solution questions.
- Infrastructure as a Service (IaaS)
- Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.
- Platform as a Service (PaaS)
- Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.
- Software as a Service (SaaS)
- Software as a Service (SaaS) is a cloud service model that delivers software applications over the internet on a subscription basis.
- Microsoft Entra ID
- Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
- role-based access control (RBAC)
- Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
- Azure Policy
- Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
- Azure regions
- Geographic areas that contain one or more Azure datacenters, such as "West Europe" or "East US".
- region pairs
- Linked Azure regions in the same geography used for disaster recovery and coordinated platform updates.
- Availability Zones
- Physically separate locations within an Azure region, with independent power, cooling, and networking, used to protect apps from datacenter failures.
- resource groups
- Logical containers in Azure that hold related resources for an application or workload and act as a scope for management and RBAC.
Step 11: Mini Case Study – End-to-End Design and Cost Awareness
Bring everything together with this mini case. Think it through before reading the suggested design.
Scenario
A university department wants to host a small internal web portal for students to:
- View course materials and announcements.
- Submit simple forms.
Requirements:
- Access only for students and staff with university accounts.
- Low cost; department has a limited budget.
- Basic resilience: acceptable to have short outages during rare failures, but not frequent downtime.
- Minimal admin effort; the IT team is small.
- Must keep data within the same country as the campus.
Your task
- Choose: IaaS, PaaS, or SaaS for the portal.
- Pick a region strategy.
- Choose compute, storage, identity, and governance elements.
Suggested fundamentals-level design
- Service model: PaaS – use Azure App Service for the portal to minimize admin effort.
- Region: Select the nearest Azure region in the same country to meet data residency and latency needs.
- Compute & storage: App Service for the web app; Azure SQL Database or Azure Storage for course materials and form submissions, depending on structure.
- Identity: Integrate App Service with Microsoft Entra ID, synchronized with on-premises university accounts through Microsoft Entra Connect if needed, so only students and staff can sign in.
- Governance & cost: Place resources in a dedicated resource group (for example, `rg-uni-portal`) under the university subscription. Use RBAC so only the IT team can modify resources. Apply tags like `dept=cs`, `env=prod` for chargeback. No multi-region deployment, to keep costs low; App Service and Azure SQL Database already provide redundancy within the region, which is enough for "short outages during rare failures".
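The PaaS design that Step 3, Step 7 and this mini case all converge on, written out as one Bicep template. This is an added example, not code from the original page: an App Service behind Microsoft Entra ID built-in authentication, an Azure SQL Database with Entra-only authentication, HTTPS and TLS 1.2 enforced, FTP deployment disabled, and tags for chargeback. The resource names, the app registration client ID, the SQL admin group ID and the `DOTNETCORE|8.0` runtime are placeholders (assumptions) you replace with your own; the network path from App Service to SQL is left out.

```bicep
// Added example (not from the original page): resource-group-scope Bicep for the
// PaaS portal sketch. Names, IDs and tags are placeholders (assumptions).
// Deploy with: az deployment group create -g rg-uni-portal -f portal.bicep -p ...

param location string = resourceGroup().location   // region in the campus's country
param entraClientId string                         // app registration used for sign-in (placeholder)
param tenantId string = subscription().tenantId    // tenant students and staff sign in from
param sqlAdminGroupId string                       // Entra ID group administering SQL (placeholder)

var suffix = uniqueString(resourceGroup().id)      // App Service and SQL names are globally unique

// Tags drive chargeback and per-department cost reports.
var tags = {
  dept: 'cs'
  env: 'prod'
}

// Basic tier: cheapest production-capable plan; scale up or out if traffic grows.
resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: 'asp-uni-portal'
  location: location
  tags: tags
  kind: 'linux'
  sku: { name: 'B1', tier: 'Basic' }
  properties: { reserved: true }
}

resource web 'Microsoft.Web/sites@2022-09-01' = {
  name: 'app-uni-portal-${suffix}'
  location: location
  tags: tags
  identity: { type: 'SystemAssigned' } // managed identity for SQL: no DB password in config
  properties: {
    serverFarmId: plan.id
    httpsOnly: true // plain HTTP is redirected to HTTPS
    siteConfig: {
      linuxFxVersion: 'DOTNETCORE|8.0'
      minTlsVersion: '1.2'
      ftpsState: 'Disabled' // no FTP deployment path to protect
    }
  }
}

// Built-in authentication ("Easy Auth"): the platform redirects anonymous
// requests to Entra ID before they reach app code, so only tenant accounts get in.
resource auth 'Microsoft.Web/sites/config@2022-09-01' = {
  parent: web
  name: 'authsettingsV2'
  properties: {
    globalValidation: {
      requireAuthentication: true
      unauthenticatedClientAction: 'RedirectToLoginPage'
    }
    identityProviders: {
      azureActiveDirectory: {
        enabled: true
        registration: {
          clientId: entraClientId
          openIdIssuer: 'https://login.microsoftonline.com/${tenantId}/v2.0' // single tenant only
        }
        validation: {
          allowedAudiences: [ 'api://${entraClientId}' ]
        }
      }
    }
    login: { tokenStore: { enabled: true } }
  }
}

// Azure SQL Database with Entra-only authentication: no SQL logins to leak.
// Connectivity from App Service (VNet integration + private endpoint, or the
// "Allow Azure services" firewall rule) is left out of this sketch, as is the
// database user that must be created for the web app's managed identity.
resource sqlServer 'Microsoft.Sql/servers@2022-05-01-preview' = {
  name: 'sql-uni-portal-${suffix}'
  location: location
  tags: tags
  properties: {
    minimalTlsVersion: '1.2'
    administrators: {
      administratorType: 'ActiveDirectory'
      azureADOnlyAuthentication: true
      login: 'sql-admins'
      sid: sqlAdminGroupId
      tenantId: tenantId
      principalType: 'Group'
    }
  }
}

resource sqlDb 'Microsoft.Sql/servers/databases@2022-05-01-preview' = {
  parent: sqlServer
  name: 'sqldb-portal'
  location: location
  tags: tags
  sku: { name: 'Basic', tier: 'Basic' }
}
```

Every security requirement in the case maps to one setting here: "only university accounts" is `requireAuthentication` plus a single-tenant issuer, "minimal admin effort" is PaaS with no OS to patch, "keep data in the country" is the `location` parameter, and "limited budget" is the Basic tiers. Pair this template with the per-environment RBAC and Azure Policy template from Step 6 to cover "only the IT team can modify resources".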
Compare your design: where did you match, and where did you over- or under-engineer?
Key Terms
- Azure Policy
- Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
- region pairs
- Linked Azure regions in the same geography used for disaster recovery and coordinated platform updates.
- Azure regions
- Geographic areas that contain one or more Azure datacenters, such as "West Europe" or "East US".
- subscriptions
- Azure billing and access boundaries that contain resource groups and resources and are associated with an Azure account.
- Azure resources
- Individual services you create in Azure, such as virtual machines, storage accounts, databases, and web apps.
- resource groups
- Logical containers in Azure that hold related resources for an application or workload and act as a scope for management and RBAC.
- Availability Zones
- Physically separate locations within an Azure region, with independent power, cooling, and networking, used to protect apps from datacenter failures.
- Microsoft Entra ID
- Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
- Platform as a Service (PaaS)
- Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.
- Software as a Service (SaaS)
- Software as a Service (SaaS) is a cloud service model that delivers software applications over the internet on a subscription basis.
- role-based access control (RBAC)
- Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
- Infrastructure as a Service (IaaS)
- Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.