Chapter 19 of 20
End-to-End Scenario Review: Designing Simple Azure Solutions
Bring everything together by walking through small, exam-style solution scenarios that require you to choose services, deployment models, and governance controls.
Module Overview: How AZ-900 Uses Scenarios
Why Scenario Practice Matters
This capstone module helps you turn short business stories into Azure solution designs, mirroring how AZ-900 tests you with scenario-style questions.
What You Will Practice
For each scenario, you will identify requirements, pick a deployment and service model, choose Azure services and governance controls, and spot common exam traps.
Canonical Building Blocks
You will apply the core lists: deployment models, service models, architectural components, and management tools, rather than memorizing them in isolation.
End Goal
By the end, you should be able to read a scenario and quickly justify your choices for model, services, and governance using clear, exam-ready reasoning.
Step 1: Rapid Requirement Triage (What Really Matters?)
Read for Requirements, Not Buzzwords
Do not jump to a favorite service. First, extract the essentials: deployment, service model, security/compliance, cost, and reliability/monitoring.
Deployment Clues
On-premises systems that must stay suggest hybrid cloud; all-new workloads often fit public cloud; exclusive use of cloud resources by a single organization hints at private cloud.
Service Model Clues
Control over OS and patching points to IaaS; focus on code, not servers, suggests PaaS; consuming a finished app like email is classic SaaS.
Security, Cost, Reliability
Look for compliance words, cost phrases, and availability needs. Map them to regions, Azure Policy, RBAC, pricing models, zones, and monitoring tools.
Scenario 1: Simple Startup Web App (Choosing PaaS vs IaaS)
Startup Scenario Summary
A small startup needs a public website and API in two weeks, has no on-premises systems, wants minimal management, low initial cost, and possible rapid growth.
Deployment and Service Model
Deployment: public cloud fits, since they are happy with shared infrastructure. Service model: PaaS is best because they want to avoid OS and web server management.
Recommended Azure Services
Use Azure App Service for the website and API, Azure SQL Database or Cosmos DB for data, Azure Storage for static files, and Azure Monitor plus Application Insights.
Governance and Exam Traps
Secure access with Microsoft Entra ID and RBAC, enforce region with Azure Policy, and avoid traps like unnecessary VMs, Azure VMware Solution, or multi-region DR.
Thought Exercise: Adjust Scenario 1 for Higher Control
Imagine the same startup scenario, but with one key change:
"The startup hires an experienced IT admin who insists on full control over the operating system, wants to install custom security agents, and plans to run some legacy components that require Windows Server features not supported on PaaS."
Reflect and answer for yourself (no auto-grading here):
- How does this change the service model choice?
  - Would you still choose PaaS? Or move to Infrastructure as a Service (IaaS) with Azure Virtual Machines?
- What Azure services would you now emphasize?
  - Think about Azure Virtual Machines, Azure Virtual Network, Network Security Groups, and perhaps Azure Bastion for secure admin.
- What are the trade-offs?
  - More control vs more management (patching, backups, scaling).
- Governance angle
  - How could Azure Policy and role-based access control (RBAC) help ensure the new admin cannot accidentally deploy very large, expensive VMs or open RDP to the internet?
Write down a short 3–4 sentence answer explaining your new design and the reasoning. This mirrors what you will mentally do on the exam: adjust your design when one requirement changes.
Scenario 2: Regulated Healthcare App (Compliance and Governance First)
Healthcare Scenario Summary
An EU healthcare provider needs a patient portal, must comply with GDPR, keep some legacy systems on-premises, and ensure strong access control and EU-only data.
Deployment and Service Models
Deployment: hybrid cloud because both on-premises and Azure are used. Service model: mainly PaaS for new web apps, with possible IaaS for any lifted legacy parts.
Key Azure Services
Use Azure App Service, Azure SQL Database with encryption, VPN Gateway or ExpressRoute for secure connectivity, plus Azure Monitor and Log Analytics for auditing.
Identity, Governance, and Traps
Centralize identity with Microsoft Entra ID, apply RBAC, and enforce region and encryption via Azure Policy. Avoid traps that ignore hybrid needs or governance tools.
Quiz 1: Picking Models and Controls
Check your understanding of Scenarios 1 and 2.
A company in a regulated industry wants to keep some systems on-premises, deploy new web apps in Azure, and automatically prevent resources from being created outside its home country. Which combination best fits?
- A) Public cloud only, SaaS model, and use Network Security Groups to block non-local regions
- B) Hybrid cloud, mix of PaaS and IaaS, and use Azure Policy to restrict allowed regions
- C) Private cloud, IaaS only, and use Azure Resource Manager templates to restrict locations
- D) Public cloud, SaaS only, and rely on Microsoft Entra ID to choose regions automatically
Answer: B) Hybrid cloud, mix of PaaS and IaaS, and use Azure Policy to restrict allowed regions
The scenario clearly mixes on-premises and Azure, which is hybrid cloud. They are building new web apps (PaaS likely) and may lift some workloads (IaaS). To automatically prevent deployments outside a region, Azure Policy is the correct governance tool. Network Security Groups control traffic, not deployment locations; ARM templates can specify regions but do not enforce global policy by themselves.
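To make the governance control behind this answer and the Scenario 1 thought exercise concrete, here is an added Python example (not from the course) that writes two deny policies in the Azure Policy rule format and judges constructed sample resources with a small evaluator for a subset of that rule language; the allowed region list and VM size list are assumptions for the example, while the field aliases are the ones Azure Policy exposes.

```python
# Added example, not from the course: a small evaluator for a subset of the Azure
# Policy rule language, run over constructed sample resources (flat dicts).
# Policy 1: deny outside the allowed regions (like built-in "Allowed locations"; region list assumed).
ALLOWED_LOCATIONS = {
    "if": {"allOf": [
        {"field": "location", "notIn": ["westeurope", "northeurope"]},
        {"field": "location", "notEquals": "global"},
    ]},
    "then": {"effect": "deny"},
}
# Policy 2: keep the new admin from creating very large VMs (size list is an assumption).
ALLOWED_VM_SIZES = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"field": "Microsoft.Compute/virtualMachines/sku.name",
         "notIn": ["Standard_B2s", "Standard_D2s_v3"]},
    ]},
    "then": {"effect": "deny"},
}
def matches(cond, resource):
    """Evaluate one condition tree (logical operator or field test) against a resource."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = resource.get(cond["field"])  # an absent field evaluates as None
    if "equals" in cond:    return value == cond["equals"]
    if "notEquals" in cond: return value != cond["notEquals"]
    if "in" in cond:        return value in cond["in"]
    if "notIn" in cond:     return value not in cond["notIn"]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resource, policies=(ALLOWED_LOCATIONS, ALLOWED_VM_SIZES)):
    """Return 'deny' if any deny policy's 'if' block matches the resource, else 'allow'."""
    denied = any(matches(p["if"], resource) and p["then"]["effect"] == "deny" for p in policies)
    return "deny" if denied else "allow"
# Constructed sample resources: a web app in an allowed and a disallowed region, two VMs.
VM = "Microsoft.Compute/virtualMachines"
SAMPLES = {
    "web app in westeurope": {"type": "Microsoft.Web/sites", "location": "westeurope"},
    "web app in eastus": {"type": "Microsoft.Web/sites", "location": "eastus"},
    "large VM in northeurope": {"type": VM, "location": "northeurope", VM + "/sku.name": "Standard_M128s"},
    "small VM in northeurope": {"type": VM, "location": "northeurope", VM + "/sku.name": "Standard_B2s"},
}

if __name__ == "__main__":
    for name, res in SAMPLES.items():
        print(f"{name}: {evaluate(res)}")  # deny only for the eastus app and the large VM
```

In a real assignment the same rule shape is attached to a subscription or resource group with a deny effect, which is why Azure Policy, not a Network Security Group or a template, is the control that stops out-of-region deployments.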
Scenario 3: Global E-commerce Site (Regions, Zones, and Monitoring)
E-commerce Scenario Summary
A retailer needs a global, highly available e-commerce site for customers in North America and Europe, with variable traffic and strong uptime requirements.
Deployment, Service Model, and Components
Use public cloud with mainly PaaS services. Design across Azure regions, region pairs, and Availability Zones, organizing resources via resource groups and subscriptions.
Key Azure Services and Monitoring
Choose App Service or AKS for the app, SQL Database or Cosmos DB for data, Front Door or Traffic Manager for global routing, and Azure Monitor plus Service Health.
Scaling and Common Traps
Enable autoscale for traffic spikes, consider reserved capacity, and avoid confusing zones with region pairs or misusing Service Health for app-level monitoring.
Quiz 2: Monitoring and Architecture Traps
Test your understanding of Scenario 3 and common distractors.
An AZ-900 question describes a global web app deployed in two Azure regions. The team wants to be notified if Azure has an outage in one region, and to route users to the other region automatically. Which combination best addresses both needs?
- A) Use Azure Monitor for platform outages and Azure Load Balancer for global routing
- B) Use Azure Service Health for platform outages and Azure Front Door for global routing
- C) Use Application Insights for platform outages and Azure Traffic Manager for global routing
- D) Use Azure Policy for platform outages and Azure Virtual Network peering for global routing
Answer: B) Use Azure Service Health for platform outages and Azure Front Door for global routing
Azure Service Health is the correct tool to track Azure platform incidents and planned maintenance. For global HTTP(S) routing between regions, Azure Front Door is a good choice. Azure Load Balancer is regional, Application Insights focuses on app telemetry, and Azure Policy enforces configuration, not outage detection or routing.
Scenario 4: Lift-and-Shift Migration (IaaS and Shared Responsibility)
Lift-and-Shift Scenario Summary
A company wants to move existing VMware-based apps to Azure with minimal changes, reducing hardware maintenance and improving disaster recovery.
Deployment, Service Model, and IaaS Definition
Use public cloud with IaaS: Infrastructure as a Service provides virtualized servers, storage, and networking on demand, matching the need for OS-level control.
Services and Shared Responsibility
Key services: Azure VMs, Azure Migrate, VNets, NSGs, Backup, Site Recovery. Azure secures the infrastructure; you still secure OS, apps, and data.
Governance Tools and Traps
Manage via Azure portal, PowerShell, CLI, and ARM templates. Use Azure Policy to enforce VM standards and avoid the trap of assuming Azure patches your OS.
Flashcards: Core Models and Governance Tools
Flip the cards to reinforce key definitions and mappings that appear repeatedly in AZ-900 scenarios.
- cloud computing
- Cloud computing is the delivery of computing services over the internet, enabling faster innovation, flexible resources, and economies of scale.
- Cloud deployment models (list all 3)
- public cloud, private cloud, hybrid cloud
- public cloud
- A public cloud is a cloud deployment model in which a cloud provider owns and operates the infrastructure and delivers computing resources over the public internet to multiple tenants.
- private cloud
- A private cloud is a cloud deployment model in which cloud resources are used exclusively by a single organization, either hosted on-premises or by a third-party provider.
- hybrid cloud
- A hybrid cloud is a computing environment that combines public and private clouds, allowing data and applications to be shared between them.
- Cloud service models (list all 3)
- Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS)
- Infrastructure as a Service (IaaS)
- Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.
- Platform as a Service (PaaS)
- Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.
- Software as a Service (SaaS)
- Software as a Service (SaaS) is a cloud service model that delivers software applications over the internet on a subscription basis.
- Azure core architectural components (list all 7)
- Azure regions, region pairs, Availability Zones, Azure datacenters, Azure resources, resource groups, subscriptions
- Azure management tools (list all 4)
- Azure portal, Azure PowerShell, Azure Command-Line Interface (CLI), Azure Resource Manager templates
- Microsoft Entra ID
- Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
- role-based access control (RBAC)
- Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
- Azure Policy
- Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
- shared responsibility model
- The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.
Scenario Drill: Spot the Distractor
Read this mini-scenario and then mentally choose the best answer and the distractor.
Scenario:
"A small accounting firm wants to use email, document storage, and collaboration tools without managing any servers. They want a predictable monthly subscription and automatic updates of the software. They also want to sign in with corporate accounts and control access to documents based on job roles."
Possible high-level solutions (do not treat this as a formal multiple-choice question; just reason it through):
A. Deploy Azure Virtual Machines running Windows Server and install email and collaboration software.
B. Use a SaaS productivity suite integrated with Microsoft Entra ID and configure role-based access control (RBAC) on Azure resources.
C. Build a custom collaboration app on Azure App Service and Azure SQL Database.
Reflect:
- Which option best matches the requirement "use email, document storage, and collaboration tools without managing any servers" and "automatic updates"?
- Which option is a classic distractor for AZ-900, because it is technically possible but clearly overkill and contradicts the desire to avoid server management?
- How does the phrase "predictable monthly subscription" point you toward Software as a Service (SaaS)?
Write down your reasoning in 2–3 sentences. Then compare mentally:
- Correct direction: SaaS productivity suite (for example, Microsoft 365) integrated with Microsoft Entra ID.
- Distractor: hosting your own collaboration stack on VMs (IaaS) or custom-building a full app on PaaS when the need is standard office productivity.
Key Terms
- Azure Policy
- Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
- hybrid cloud
- A hybrid cloud is a computing environment that combines public and private clouds, allowing data and applications to be shared between them.
- public cloud
- A public cloud is a cloud deployment model in which a cloud provider owns and operates the infrastructure and delivers computing resources over the public internet to multiple tenants.
- region pairs
- Region pairs are two Azure regions within the same geography that are paired to provide reliability and recovery options.
- Azure Monitor
- Azure Monitor is a service that collects, analyzes, and acts on telemetry data from your Azure and on-premises environments to help you maximize performance and availability.
- Azure regions
- Azure regions are sets of datacenters deployed within a latency-defined perimeter and connected through a dedicated regional low-latency network.
- private cloud
- A private cloud is a cloud deployment model in which cloud resources are used exclusively by a single organization, either hosted on-premises or by a third-party provider.
- subscriptions
- Subscriptions are logical containers used to provision and manage Azure resources, providing boundaries for billing, access control, and policies.
- cloud computing
- Cloud computing is the delivery of computing services over the internet, enabling faster innovation, flexible resources, and economies of scale.
- resource groups
- Resource groups are logical containers for Azure resources that share a lifecycle, making it easier to manage and organize resources.
- Availability Zones
- Availability Zones are physically separate locations within an Azure region with independent power, cooling, and networking to increase availability.
- Microsoft Entra ID
- Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
- Azure Service Health
- Azure Service Health is a suite of services that provides personalized alerts and guidance when Azure service issues or planned maintenance affect you.
- shared responsibility model
- The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.
- Platform as a Service (PaaS)
- Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.
- Software as a Service (SaaS)
- Software as a Service (SaaS) is a cloud service model that delivers software applications over the internet on a subscription basis.
- role-based access control (RBAC)
- Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
- Infrastructure as a Service (IaaS)
- Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.