SkarpSkarp

Chapter 4 of 20

Cloud Service Models: IaaS, PaaS, and SaaS Compared

Peek under the hood of common cloud solutions to see which layers you manage versus the provider, and match real services to IaaS, PaaS, or SaaS for exam scenarios.

27 min readen

Big Picture: Where Service Models Fit

From Cloud Basics to Service Models

You already know what cloud computing is and how deployment models work. Now we focus on service models: IaaS, PaaS, and SaaS, which describe how much of the stack you manage.

Canonical Cloud Definition

Cloud computing is the delivery of computing services over the internet, enabling faster innovation, flexible resources, and economies of scale. Service models describe how those services are packaged.

Three Levels of Service

Infrastructure level (VMs, storage, networks) → IaaS. Platform level (runtime, databases, dev tools) → PaaS. Application level (finished apps) → SaaS. Higher level means less you manage.

Visualizing the Stack

Imagine a stack: hardware → OS → middleware → app → data. As you move from IaaS to PaaS to SaaS, the provider manages more layers; you give up some control but gain simplicity.

Canonical Definitions: IaaS, PaaS, SaaS

Memorize These Definitions

You must know the exact definitions of IaaS, PaaS, and SaaS. Exam questions often test small wording differences, so treat these as quotes to memorize.

IaaS Definition

Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.

PaaS Definition

Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.

SaaS Definition

Software as a Service (SaaS) is a cloud service model that delivers software applications over the internet on a subscription basis.

Spotting Them in Scenarios

IaaS = you manage OS and apps. PaaS = you manage code and data. SaaS = you just use the app. Exam scenarios will describe needs like control vs convenience instead of naming the model.

The Responsibility Stack: Who Manages What?

Shared Responsibility Reminder

The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.

Seven-Layer Stack

Think of 7 layers: datacenter, hardware, virtualization, OS, middleware/runtime, app code, and data/identity. Service models decide who manages which layers.

On-Prem vs IaaS

On-prem: you manage all 7 layers. IaaS: provider manages datacenter, hardware, virtualization; you manage OS, middleware, apps, and data.

PaaS and SaaS Split

PaaS: provider manages up through middleware; you manage app code and data. SaaS: provider manages up through the app; you mainly manage data, users, and access.

Exam Angle

Questions often ask who patches the OS (IaaS: you; PaaS/SaaS: provider) or who updates the app (SaaS: provider). Remember: you always own data and access.

IaaS in Practice: Azure Virtual Machines and More

Core IaaS Example: Azure VMs

Azure Virtual Machines are classic IaaS: you get virtual servers, pick the OS, install software, and handle patching. Microsoft manages the hardware and hypervisor.

Other Azure IaaS Services

Azure Virtual Network, Azure Disk Storage, and Azure Load Balancer are also IaaS. They give you raw infrastructure building blocks you configure yourself.

Your Responsibilities in IaaS

In IaaS you manage OS updates, middleware like web servers, your application code, and data protection inside the OS and apps.

When to Choose IaaS

Use IaaS for lift-and-shift migrations, custom OS configurations, or when you need to install specific security tools or drivers.

Common Exam Trap

If a question mentions full OS control or installing custom security software, think IaaS. Azure VMs hosting a website are still IaaS, not PaaS.

PaaS in Practice: Azure App Service, Functions, and Databases

Core PaaS Example: Azure App Service

Azure App Service lets you deploy web apps and APIs without managing the OS or web server. You push code; Azure handles runtime, scaling, and patching.

Serverless PaaS: Azure Functions

With Azure Functions you write small functions and let Azure run them on demand. You never see servers, but it is still a form of PaaS.

Data PaaS: Azure SQL and Cosmos DB

Azure SQL Database and Azure Cosmos DB provide managed databases. Azure patches and runs the engine; you design schemas and manage data.

Your Focus in PaaS

In PaaS you focus on application code, configuration, and data. Azure manages OS, runtime, and much of the scaling and availability.

Exam Clues for PaaS

Phrases like "focus on code, not servers" or "automatically scale the web app" usually indicate PaaS services such as Azure App Service or Azure Functions.

SaaS in Practice: Microsoft 365 and Other Apps

Core SaaS Example: Microsoft 365

Microsoft 365 is classic SaaS: Exchange Online, SharePoint Online, Teams, and Office apps delivered as a subscription. Microsoft runs and updates everything.

More SaaS: Dynamics 365 and Others

Dynamics 365 (CRM/ERP) and consumer services like Outlook.com and OneDrive are also SaaS: full applications delivered over the internet.

Your Role in SaaS

In SaaS you manage users and access with Microsoft Entra ID, configure security and compliance settings, and decide how your organization uses the application.

When SaaS Fits Best

Use SaaS for email, collaboration, and business apps where building your own would be expensive or unnecessary. You want functionality, not infrastructure.

Exam Clues for SaaS

Phrases like "use email without managing servers" or "subscription-based Office apps" point to SaaS, especially Microsoft 365.

Thought Exercise: Stack Responsibility Scenarios

Work through these short scenarios to mentally map responsibilities. There are no right/wrong buttons here; the goal is to explain to yourself who manages what.

  1. Scenario A: Your company lifts an on-prem HR system into Azure by creating Azure VMs and installing the same software.
  • Question: Which model is this (IaaS/PaaS/SaaS)? List three things your team must manage.
  • Suggested answer to compare: IaaS; you handle OS patching, app updates, and in-VM firewall rules.
  1. Scenario B: Developers push a web API to Azure App Service. They configure auto-scale rules and connection strings to Azure SQL Database.
  • Question: Name two layers Azure manages for you and two you still manage.
  • Suggested answer: Azure manages OS and web server runtime; you manage code and data (tables, queries).
  1. Scenario C: Your organization subscribes to Microsoft 365. Users access Outlook, Teams, and OneDrive. IT configures MFA and retention policies.
  • Question: What does Microsoft manage, and what does your IT team manage?
  • Suggested answer: Microsoft manages infrastructure, OS, and the apps; IT manages identities, access policies, and data governance.

Pause for a moment and say your answers out loud or write them down. If you cannot clearly state responsibilities, re-read the responsibility stack step. This kind of reasoning is exactly what AZ-900 scenarios expect.

Quick Check 1: Classify the Service Model

Answer this classification question to reinforce what you just learned.

Your team wants to deploy a web application in Azure but does NOT want to manage the underlying operating system or web server. They only want to deploy code and configure scaling rules. Which cloud service model best fits this requirement?

  1. Infrastructure as a Service (IaaS)
  2. Platform as a Service (PaaS)
  3. Software as a Service (SaaS)
  4. Hybrid cloud
Show Answer

Answer: B) Platform as a Service (PaaS)

This scenario describes developers focusing on code while Azure manages the OS and web server. That matches Platform as a Service (PaaS), such as Azure App Service. IaaS would require OS management. SaaS would be using a finished app, not deploying your own code. Hybrid cloud is a deployment model, not a service model.

Quick Check 2: Who Is Responsible?

Test your understanding of the shared responsibility split across models.

In which cloud service model is the CUSTOMER responsible for applying security patches to the operating system of the virtual machine?

  1. Infrastructure as a Service (IaaS) only
  2. Platform as a Service (PaaS) only
  3. Software as a Service (SaaS) only
  4. All three: IaaS, PaaS, and SaaS
Show Answer

Answer: A) Infrastructure as a Service (IaaS) only

Only in IaaS does the customer manage the operating system. In PaaS and SaaS, the provider manages the OS and applies security patches. The customer always owns their data and access, but OS patching is an IaaS responsibility.

Flashcards: Core Definitions and Examples

Use these flashcards to lock in key definitions and Azure examples. Try to answer from memory before flipping.

Infrastructure as a Service (IaaS) – canonical definition
Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.
Platform as a Service (PaaS) – canonical definition
Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.
Software as a Service (SaaS) – canonical definition
Software as a Service (SaaS) is a cloud service model that delivers software applications over the internet on a subscription basis.
Example: Azure Virtual Machines
Azure Virtual Machines are IaaS. You manage the OS, middleware, and apps; Azure manages datacenter, hardware, and virtualization.
Example: Azure App Service (Web Apps)
Azure App Service is PaaS. Azure manages the OS and web server; you deploy and configure your application code.
Example: Microsoft 365
Microsoft 365 is SaaS. Microsoft provides and updates the full application suite; you manage users, access, and data settings.
Who patches the OS in IaaS?
In IaaS, the customer is responsible for patching and securing the operating system of the virtual machines.
Who patches the OS in PaaS and SaaS?
In PaaS and SaaS, the cloud provider (for example, Microsoft) patches and maintains the operating system and underlying infrastructure.
Key clue for PaaS in exam questions
Look for phrases like "focus on writing code, not managing servers" or "automatically scale the web app" – these usually indicate PaaS.
Key clue for SaaS in exam questions
Look for phrases like "use email and collaboration tools without managing servers" or "subscription-based access to Office apps" – these indicate SaaS.

Comparing Models Side-by-Side (Plus Common Exam Traps)

Control vs Convenience Spectrum

IaaS gives maximum control over OS and network. PaaS balances control and convenience. SaaS gives maximum convenience but little control over app internals.

Azure Examples by Model

IaaS: Azure VMs, VNets. PaaS: Azure App Service, Azure Functions, Azure SQL Database. SaaS: Microsoft 365, Dynamics 365, other apps integrated with Microsoft Entra ID.

Trap: Service vs Deployment Models

Public, private, and hybrid cloud are deployment models, not service models. You can run IaaS, PaaS, or SaaS in a public cloud like Azure.

Trap: Browser Does Not Equal SaaS

A web app you deploy to Azure App Service runs in a browser but is PaaS. SaaS means the provider owns and runs the whole app, like Microsoft 365.

Trap: Databases and SaaS Duties

Managed databases like Azure SQL Database are PaaS. And even in SaaS you still manage identities, permissions, and data governance.

Key Terms

Azure Policy
Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
hybrid cloud
A hybrid cloud is a computing environment that combines public and private clouds, allowing data and applications to be shared between them.
public cloud
A public cloud is a cloud deployment model in which a cloud provider owns and operates the infrastructure and delivers computing resources over the public internet to multiple tenants.
private cloud
A private cloud is a cloud deployment model in which cloud resources are used exclusively by a single organization, either hosted on-premises or by a third-party provider.
cloud computing
Cloud computing is the delivery of computing services over the internet, enabling faster innovation, flexible resources, and economies of scale.
Microsoft Entra ID
Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
role-based access control
Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
shared responsibility model
The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.
Platform as a Service (PaaS)
Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.
Software as a Service (SaaS)
Software as a Service (SaaS) is a cloud service model that delivers software applications over the internet on a subscription basis.
Infrastructure as a Service (IaaS)
Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.

Finished reading?

Test your understanding with a custom practice exam on this chapter.

Test yourself