Microsoft Azure Fundamentals (AZ-900) Deep-Dive Exam Prep

cloud computing

Cloud computing is the delivery of computing services over the internet, enabling faster innovation, flexible resources, and economies of scale.

public cloud

A public cloud is a cloud deployment model in which a cloud provider owns and operates the infrastructure and delivers computing resources over the public internet to multiple tenants.

private cloud

A private cloud is a cloud deployment model in which cloud resources are used exclusively by a single organization, either hosted on-premises or by a third-party provider.

hybrid cloud

A hybrid cloud is a computing environment that combines public and private clouds, allowing data and applications to be shared between them.

Infrastructure as a Service (IaaS)

Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.

Platform as a Service (PaaS)

Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.

Cloud computing (canonical definition)

Cloud computing is the delivery of computing services over the internet, enabling faster innovation, flexible resources, and economies of scale.

CapEx vs OpEx (in cloud context)

CapEx: large upfront spending on physical assets like servers and data centers. OpEx: ongoing operating expenses; in cloud you typically pay monthly for services instead of buying hardware.

Consumption-based pricing

A cloud billing model where you pay based on actual resource usage (e.g., compute hours, storage GB, data transfer), often called pay-as-you-go.

Elasticity

The ability of a system to automatically add or remove resources to match changing demand in near real time.

Scalability

The ability of a system to handle increased workload by adding resources, either by scaling up (bigger instances) or scaling out (more instances).

Agility

How quickly you can provision, change, and deprovision resources, enabling rapid experimentation and faster time to market.

Cloud deployment models (canonical list, in order)

The three cloud deployment models, in order, are: 1) public cloud, 2) private cloud, 3) hybrid cloud.

Public cloud (canonical definition)

A public cloud is a cloud deployment model in which a cloud provider owns and operates the infrastructure and delivers computing resources over the public internet to multiple tenants.

Private cloud (canonical definition)

A private cloud is a cloud deployment model in which cloud resources are used exclusively by a single organization, either hosted on-premises or by a third-party provider.

Hybrid cloud (canonical definition)

A hybrid cloud is a computing environment that combines public and private clouds, allowing data and applications to be shared between them.

Key exam clue for public cloud

Look for phrases like: provider-owned infrastructure, delivered over the public internet, pay-as-you-go, rapid scaling, and multiple tenants sharing resources.

Key exam clue for private cloud

Look for: exclusive use by a single organization, strict regulatory or data residency requirements, and environments that may be on-premises or hosted but not shared.

List the three cloud service models in canonical order.

Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS).

Define Infrastructure as a Service (IaaS).

Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.

Define Platform as a Service (PaaS).

Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.

Define Software as a Service (SaaS).

Software as a Service (SaaS) is a cloud service model that delivers software applications over the internet on a subscription basis.

In IaaS, who manages the operating system?

In Infrastructure as a Service (IaaS), the customer manages the operating system, including installation, configuration, and patching.

In PaaS, what does the customer mainly focus on?

In Platform as a Service (PaaS), the customer mainly focuses on application code, configuration, and data, while Microsoft manages infrastructure, OS, and middleware/runtime.

shared responsibility model

The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.

Infrastructure as a Service (IaaS)

Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.

Platform as a Service (PaaS)

Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.

Software as a Service (SaaS)

Software as a Service (SaaS) is a cloud service model that delivers software applications over the internet on a subscription basis.

Microsoft Entra ID

Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.

role-based access control (RBAC)

Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.

List the seven Azure core architectural components in order.

1. Azure regions 2. region pairs 3. Availability Zones 4. Azure datacenters 5. Azure resources 6. resource groups 7. subscriptions

What is an Azure region?

An Azure region is a set of datacenters deployed within a specific geographic area, connected through a dedicated high-bandwidth, low-latency network, and exposed as a named location where you deploy services.

What is an Azure datacenter?

An Azure datacenter is a physical facility that houses servers, storage, networking equipment, power, and cooling. Multiple nearby datacenters are grouped to form an Azure region.

What are Availability Zones?

Availability Zones are physically separate locations within an Azure region, each made up of one or more datacenters with independent power, cooling, and networking, designed to provide high availability within the region.

What is a region pair?

A region pair is a logical relationship between two Azure regions within the same geography that supports disaster recovery, prioritized regional recovery, and staggered platform updates.

How do Availability Zones and region pairs differ?

Availability Zones provide resiliency within a single region (against datacenter or zone failures), while region pairs provide cross-region resiliency (against regional disasters and for geo-replication).

Azure resource

Any manageable item in Azure, such as a virtual machine, storage account, web app, database, or virtual network. It is the fundamental unit you deploy, configure, and monitor in Azure.

Resource group

A logical container that holds related Azure resources. It provides a shared lifecycle and a scope for management operations, RBAC, and Azure Policy assignments.

Subscription

A logical container that groups resource groups and resources for purposes of billing, service limits (quotas), and broad access control boundaries.

Management group

A container for managing access, policy, and compliance across multiple Azure subscriptions. It sits above subscriptions in the hierarchy and lets you apply RBAC and Azure Policy to all child subscriptions.

Hierarchy order (top to bottom)

Management groups → Subscriptions → Resource groups → Resources.

Scope options for RBAC and Azure Policy

You can assign RBAC roles and Azure Policy at four main scopes: management group, subscription, resource group, and resource.

Azure Virtual Machine (VM)

An Infrastructure as a Service (IaaS) compute option where Azure provides virtualized hardware, storage, and networking, and you manage the operating system, patches, middleware, and applications.

Virtual Machine Scale Set (VMSS)

An Azure service that manages a group of load-balanced, identical VMs, enabling automatic scale-out and scale-in based on demand using a common VM template.

Azure App Service (Web App)

A Platform as a Service (PaaS) offering for hosting web applications and APIs, where Azure manages the underlying infrastructure, OS, and runtime, and you focus on your app code and configuration.

Web App for Containers

An App Service feature that lets you deploy and run your own Docker container images as web apps, combining container flexibility with PaaS management benefits.

Azure Functions

Azure's serverless compute service that runs small pieces of code (functions) in response to events, automatically handling scaling and infrastructure, with pay-per-execution billing in the consumption plan.

Azure Container Instances (ACI)

A service for running containers directly in Azure without managing servers or orchestration, suitable for simple or short-lived container workloads.

Azure Virtual Network (VNet)

A logically isolated private network in Azure where you define address spaces and subnets and place resources such as VMs and some PaaS services via private endpoints.

Subnet

A smaller IP range within a VNet’s address space used to group and organize resources, apply security (for example NSGs), and control routing.

Network Security Group (NSG)

A set of allow/deny rules that filter inbound and outbound network traffic to Azure resources at the subnet or network interface level based on IP, port, and protocol.

VNet peering

A feature that connects two Azure VNets so that traffic flows privately over the Microsoft backbone network, making them behave like one extended network.

VPN Gateway

A virtual network gateway that provides encrypted VPN tunnels over the public internet between on-premises networks (or other VNets) and an Azure VNet.

ExpressRoute

A service that provides a private, dedicated connection between your on-premises network and Azure, offering more predictable latency and higher bandwidth than typical internet VPNs.

Azure Blob Storage

An Azure storage service for massive amounts of unstructured data such as text and binary objects (images, videos, backups, logs), accessed via HTTP/HTTPS using URLs, SDKs, or REST APIs.

Azure Files

A fully managed file share service in Azure, accessible over SMB or NFS, ideal for lift-and-shift scenarios where applications expect traditional network file shares.

Azure Disk Storage

Block-level storage designed to be attached to Azure virtual machines as OS or data disks, providing high performance and low latency for VM workloads.

Azure Queue Storage

A simple messaging service for storing and retrieving small messages, enabling decoupled and asynchronous communication between application components.

Azure Table Storage

A NoSQL key/attribute store for semi-structured data, offering scalable and low-cost storage for structured but schema-flexible datasets.

Locally redundant storage (LRS)

A redundancy option that keeps three synchronous copies of your data within a single datacenter in one region, protecting against hardware failures but not datacenter or regional loss.

Microsoft Entra ID (canonical definition)

Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.

Cloud-only identity

An identity model where all user accounts are created and managed directly in Microsoft Entra ID, with no dependency on on-premises Active Directory.

Hybrid identity

An identity model where user accounts originate in on-premises Active Directory and are synchronized to Microsoft Entra ID, allowing users to use the same credentials for on-prem and cloud resources.

Single sign-on (SSO)

An authentication capability that lets users sign in once and then access multiple applications, such as Azure, Microsoft 365, and SaaS apps, without re-entering their credentials each time.

Multi-factor authentication (MFA)

An authentication method that requires two or more verification factors, such as a password plus a phone notification or hardware key, to increase sign-in security.

Passwordless authentication

Sign-in methods that remove passwords from daily use, relying instead on strong credentials like biometrics, FIDO2 security keys, or app-based approvals.

Role-based access control (RBAC) – canonical definition

Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.

RBAC: Role

A role in Azure RBAC is a collection of allowed actions (permissions), such as read, write, or delete operations on specific types of Azure resources.

RBAC: Scope

Scope defines where a role assignment applies. Common scopes are subscription, resource group, and individual resource. Permissions assigned at a higher scope inherit down to lower scopes.

Least privilege

A security principle where users and applications are granted only the minimum permissions and scope necessary to perform their tasks, and no more.

Zero Trust (high-level idea)

Zero Trust is a security approach that assumes breach and never trusts by default. It emphasizes verifying explicitly, using least privilege access, and designing systems so that compromise of one component does not compromise everything.

Defense-in-depth

A layered security strategy that uses multiple, overlapping controls (identity, network, compute, data, monitoring) so that if one layer fails, others still protect the environment.

Azure pricing calculator

A web-based tool used to estimate the monthly cost of proposed Azure solutions before deployment by configuring services, regions, SKUs, and usage assumptions.

Azure Cost Management + Billing

An Azure service that helps you monitor, analyze, and optimize actual and forecasted cloud spending, set budgets and alerts, and understand costs across subscriptions and resource groups.

Pay-as-you-go pricing

A consumption-based model where you pay for Azure resources based on actual usage (for example, VM uptime, GB stored, GB transferred) with no long-term commitment.

Reservations (Reserved Instances / Reserved Capacity)

Pricing options where you commit to using specific Azure resources (such as VMs or databases) in a region for 1 or 3 years in exchange for a discount compared to pay-as-you-go rates.

Spot VMs

Deeply discounted virtual machines that use unused Azure capacity and can be evicted when Azure needs the capacity back; suitable for interruptible workloads, not critical production.

Right-sizing

The practice of selecting resource sizes (such as VM SKUs or service tiers) that closely match workload requirements to avoid overpaying for unnecessary capacity.

Azure Policy (canonical definition)

Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

Resource lock: Delete (CanNotDelete)

A Delete lock allows authorized users to read and modify a resource but prevents them from deleting it until the lock is removed, protecting against accidental deletion.

Resource lock: Read-only (ReadOnly)

A Read-only lock allows only read operations on a resource and blocks both updates and deletions, effectively freezing configuration unless the lock is removed.

Tags (purpose in governance)

Tags are key-value pairs attached to resources that support governance and cost management by categorizing resources for organization, reporting, and automation (for example, Environment=Prod, CostCenter=HR).

Azure Policy vs RBAC (core difference)

Azure Policy enforces configuration rules and compliance over resources; RBAC controls who can perform which actions on those resources.

Best tool: Prevent accidental deletion of a production resource group

Apply a Delete resource lock to the production resource group.

List the four Azure management tools you must know for AZ-900.

The four Azure management tools are: "Azure portal", "Azure PowerShell", "Azure Command-Line Interface (CLI)", "Azure Resource Manager templates".

What is the Azure portal?

The Azure portal is a web-based graphical interface for managing Azure resources using dashboards, blades, and wizards, ideal for interactive, visual management and learning.

What is Azure PowerShell best used for?

Azure PowerShell is a scripting and automation tool for managing Azure resources using PowerShell cmdlets, especially suitable for Windows admins and environments that already use PowerShell.

What is the Azure Command-Line Interface (CLI)?

The Azure Command-Line Interface (CLI) is a cross-platform command-line tool for managing Azure resources, popular with developers and Linux/macOS users, and ideal for scripting in shells like Bash.

Conceptually, what are Azure Resource Manager templates?

Azure Resource Manager templates are JSON-based definitions for deploying infrastructure as code, describing the desired state of Azure resources so that Azure Resource Manager can deploy them consistently.

Which tool is most appropriate for a non-technical stakeholder who wants to check resource status and costs visually?

The Azure portal, because it provides visual dashboards, charts, and an easy-to-navigate web interface.

Infrastructure as Code (IaC)

A practice where you define and manage infrastructure (such as networks, VMs, and services) using machine-readable definition files instead of manual configuration, enabling consistent, repeatable deployments.

Azure Resource Manager (ARM)

The deployment and management service for Azure that provides a management layer to create, update, and delete resources in your Azure account, and that all tools (portal, CLI, PowerShell, templates) use.

ARM template

A JSON file that defines Azure resources and their configuration in a declarative way for Azure Resource Manager to deploy.

Bicep

A domain-specific language for Azure that provides a more concise and readable way to define infrastructure as code, which then compiles to ARM JSON templates.

Declarative deployment

An approach where you specify the desired end state of your infrastructure, and the platform (ARM) figures out the necessary create, update, or delete operations to reach that state.

Idempotent deployment

A deployment that can be run multiple times and still produce the same end result, without creating duplicate resources or unexpected changes.

Azure Monitor

The central Azure service for collecting, analyzing, and acting on telemetry from Azure resources, applications, and some external workloads. It works with metrics, logs, alerts, and dashboards.

Metric (in Azure Monitor)

A numeric value collected at regular intervals (time-series data), such as CPU percentage or request count. Metrics are lightweight and ideal for near real-time monitoring and threshold alerts.

Log (in Azure Monitor)

A detailed record with multiple fields, often including text, such as activity logs, resource logs, and application logs. Logs are stored in Log Analytics and are used for troubleshooting, auditing, and deep analysis.

Alert rule

A configuration in Azure Monitor that defines which signal to watch (metric, log, or activity log), the condition that triggers an alert, and the actions to take when that condition is met.

Action group

A reusable set of notification and action preferences (email, SMS, push, webhooks, Logic Apps, Functions, ITSM) that Azure Monitor uses when an alert is fired.

Azure Service Health

An Azure experience that provides information about Azure platform service issues, planned maintenance, and health advisories that affect your subscriptions and resources.

Governance (in Azure context)

The process of defining and enforcing rules, policies, and standards across Azure environments (for example, allowed regions, required tags, access models) to meet regulatory and internal requirements.

Management (in Azure context)

Day-to-day operational tasks on Azure resources (for example, creating VMs, patching, scaling, responding to alerts) performed within the boundaries set by governance.

Azure Policy (definition)

Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

role-based access control (RBAC) (definition)

Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.

Shared responsibility model (definition)

The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.

Scope (in RBAC and Azure Policy)

The level at which a role or policy is applied: management group, subscription, resource group, or individual resource. Child scopes inherit from parent scopes unless overridden.

cloud computing

Cloud computing is the delivery of computing services over the internet, enabling faster innovation, flexible resources, and economies of scale.

Cloud deployment models (list all 3)

public cloud, private cloud, hybrid cloud

public cloud

A public cloud is a cloud deployment model in which a cloud provider owns and operates the infrastructure and delivers computing resources over the public internet to multiple tenants.

private cloud

A private cloud is a cloud deployment model in which cloud resources are used exclusively by a single organization, either hosted on-premises or by a third-party provider.

hybrid cloud

A hybrid cloud is a computing environment that combines public and private clouds, allowing data and applications to be shared between them.

Cloud service models (list all 3)

Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS)

cloud computing

Cloud computing is the delivery of computing services over the internet, enabling faster innovation, flexible resources, and economies of scale.

public cloud

A public cloud is a cloud deployment model in which a cloud provider owns and operates the infrastructure and delivers computing resources over the public internet to multiple tenants.

private cloud

A private cloud is a cloud deployment model in which cloud resources are used exclusively by a single organization, either hosted on-premises or by a third-party provider.

hybrid cloud

A hybrid cloud is a computing environment that combines public and private clouds, allowing data and applications to be shared between them.

Infrastructure as a Service (IaaS)

Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.

Platform as a Service (PaaS)

Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.