Use this for last‑mile review. Pair it with the Syllabus for coverage and Practice to validate speed/accuracy.
AZ-900 at a glance (what Microsoft tests)
AZ-900 is concept + vocabulary: what a service does, when you’d use it, and the basics of identity/governance and cost/SLA.
Domain weighting (official ranges)
| Domain | Weight | Visual (relative) |
|---|---|---|
| Cloud concepts | 25–30% | ███████ |
| Azure architecture & services | 35–40% | ██████████ |
| Azure management & governance | 30–35% | █████████ |
1) Cloud concepts (must-know contrasts)
IaaS vs PaaS vs SaaS (responsibility + examples)
| Model | You manage | Provider manages | Azure examples | Exam cue |
|---|---|---|---|---|
| IaaS | OS, runtime, apps, data | Physical hosts, network, datacenter | Virtual Machines, VNets | “Need OS control / lift-and-shift” |
| PaaS | Apps + data (sometimes config) | OS, runtime, patching, platform | App Service, Azure SQL Database, Functions | “Minimize ops / managed service” |
| SaaS | Data you put in + access | Everything else | Microsoft 365, Dynamics 365 | “Use the product, not the platform” |
Shared responsibility (rule of thumb): move from IaaS → PaaS → SaaS and you manage less, but also have less low-level control.
Public vs private vs hybrid vs multicloud
| Model | What it means | Typical use |
|---|---|---|
| Public cloud | Services hosted by provider (Azure) | Most modern workloads |
| Private cloud | Cloud-like environment dedicated to one org | Strict control / legacy constraints |
| Hybrid | Connect on‑prem + cloud | Gradual migration, data residency |
| Multicloud | Use multiple public clouds | Risk reduction, best-of-breed |
Core “cloud benefits” vocabulary
| Term | Quick definition | What it implies |
|---|---|---|
| High availability | Stay up during failures | Redundancy (zones/regions), health probes |
| Scalability | Handle growth | Scale up (bigger) or out (more instances) |
| Elasticity | Scale automatically with demand | Scale out/in quickly; pay for what you use |
| Reliability | Consistent operation | Fewer outages, predictable performance |
| Resiliency | Recover quickly from failures | DR, backups, automated failover |
| Fault tolerance | Continue operating despite component failure | No single point of failure |
CapEx vs OpEx (classic exam concept)
| CapEx | OpEx |
|---|---|
| Upfront purchase (servers, datacenter) | Pay-as-you-go consumption |
| Fixed capacity, depreciation | Flexible capacity, variable spend |
| Slower to change | Faster to scale/change |
2) Azure global infrastructure (regions, zones, pairs)
| Concept | Meaning | AZ-900-level take |
|---|---|---|
| Geography | Large area (country/region group) | Helps with data residency/compliance framing |
| Region | One or more datacenters in an area | You choose region for latency/residency |
| Availability Zone | Separate datacenter(s) inside a region | Higher availability inside one region |
| Region pair | Two linked regions for DR planning | Cross-region resiliency patterns |
```mermaid
flowchart TD
GEO["Geography"] --> R1["Region A"]
GEO --> R2["Region B"]
R1 --> Z1["Zone 1"]
R1 --> Z2["Zone 2"]
R1 --> Z3["Zone 3"]
R1 --- RP["Paired region"]
RP --- R2
```
High-yield picks
- “Protect from a datacenter failure” → Availability Zones (when supported).
- “Protect from a regional failure” → multi-region strategy (often using a region pair).
- “Keep data in-country” → choose the right region/geography + the service’s data residency rules.
3) Azure hierarchy + resource organization (the mental model)
Scope and grouping
Scope order: Management Group → Subscription → Resource Group → Resource
| Layer | What it is | Why it exists |
|---|---|---|
| Tenant (Entra ID) | Identity boundary (directory) | Users, groups, app registrations |
| Management group | Group subscriptions | Apply governance (Policy/RBAC) at scale |
| Subscription | Billing + quota boundary | Separate environments, departments, projects |
| Resource group | Logical container | Manage lifecycle together (deploy/lock/delete) |
| Resource | The actual service | VM, VNet, storage account, etc. |
Rule of thumb: Organize by blast radius and billing (subscriptions), then by lifecycle (resource groups).
Azure Resource Manager (ARM)
- ARM is Azure’s control plane for creating/updating/deleting resources.
- Infrastructure as code options: ARM templates (JSON) and Bicep (simpler syntax).
4) Core Azure services (concept-level service picker)
Compute
| Need | Best fit | Why |
|---|---|---|
| Full OS control / lift-and-shift | Virtual Machines | You manage OS patches and configuration |
| Auto-scale VMs as a group | VM Scale Sets | Scale out/in based on rules |
| Host a web app/API without server management | App Service | Managed platform, scaling, deployment slots |
| Run event-driven code | Azure Functions | Trigger-based, pay per execution (plan-dependent) |
| Run containers without managing servers | Container Instances | Simple “run a container” |
| Orchestrate many containers | AKS | Kubernetes management layer |
Networking
| Service | What it does | Exam cue |
|---|---|---|
| Virtual Network (VNet) | Private network in Azure | “Isolated network, subnets, peering” |
| Network Security Group (NSG) | Allow/deny network traffic | “Firewall-like rules at subnet/NIC” |
| VPN Gateway | Encrypted tunnel over internet | “Site-to-site or point-to-site VPN” |
| ExpressRoute | Private dedicated connection | “Low latency, private, enterprise connectivity” |
| Load Balancer | Layer 4 traffic distribution | “TCP/UDP load balancing” |
| Application Gateway | Layer 7 routing + WAF option | “HTTP routing, TLS offload, WAF” |
| Front Door | Global layer 7 entry + WAF/CDN | “Global users, edge routing” |
| Private Endpoint | Private IP to a PaaS service | “Access PaaS privately from VNet” |
Storage
| Type | What it’s for | Example |
|---|---|---|
| Blob | Object storage | Images, backups, logs |
| Files | Managed SMB file shares | Lift-and-shift shared folders |
| Queue | Simple messaging queue | Background processing buffer |
| Table | NoSQL key-value (legacy style) | Simple structured data |
| Disks | Block storage for VMs | OS/data disks |
Databases (fundamentals)
| Category | Best-known Azure services | When to pick |
|---|---|---|
| Relational | Azure SQL Database, SQL Managed Instance | Structured data, SQL queries, ACID |
| NoSQL | Cosmos DB | Global distribution, flexible schema, low latency |
| Open-source managed | Azure Database for PostgreSQL/MySQL | Managed engines without VM ops |
5) Storage redundancy + access tiers (high-yield tables)
Redundancy options (durability vs resiliency)
| Redundancy | Protects against | Cross-region | Zone-aware | Notes |
|---|---|---|---|---|
| LRS | Disk/server/rack failures | ✖ | ✖ | Cheapest; single datacenter |
| ZRS | Datacenter (zone) failure | ✖ | ✔ | Replicates across zones |
| GRS | Regional outage (async copy) | ✔ | ✖ | Replicates to paired region |
| GZRS | Zone + regional outage patterns | ✔ | ✔ | Zones + paired region copy |
| RA-GRS / RA-GZRS | Adds readable secondary | ✔ | — | Read from secondary endpoint |
Blob access tiers
| Tier | Optimized for | Typical use |
|---|---|---|
| Hot | Frequent access | Active data |
| Cool | Infrequent access | Backups, older logs |
| Archive | Rare access, long retention | Compliance, long-term storage |
6) Identity, security, and governance (who vs guardrails)
Authentication vs authorization
- Authentication: prove who you are (sign-in)
- Authorization: what you can do after sign-in (permissions)
Microsoft Entra ID (Azure AD)
- Identity service for users, groups, app registrations, and sign-in policies.
- Common concepts: tenant, users/groups, MFA, SSO.
RBAC vs Policy vs Locks (classic AZ-900 table)
| Control | What it answers | Example use | Think “…” |
|---|---|---|---|
| RBAC | “Who can do what?” | Grant read access to a resource group | Permissions |
| Azure Policy | “What’s allowed?” | Require tags; restrict regions/SKUs | Compliance |
| Resource locks | “Can it be deleted/changed?” | Prevent deleting a production VNet | Protection |
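An added example (not from the cheat sheet) that models the scope chain from section 3 together with the RBAC-versus-lock distinction in the table above: a role assignment made at a parent scope is inherited by everything beneath it, and a lock blocks deletion no matter which role the caller holds. The hierarchy, principals and assignments are constructed, and treating Contributor/Owner as "can delete" is a simplification of Azure's per-action permission checks.

```python
# Added example (not from the cheat sheet): how RBAC role assignments and resource
# locks flow down the scope chain. Every name and ID below is constructed.
# PARENT maps child scope -> parent scope, in the page's order:
# management group -> subscription -> resource group -> resource.
PARENT = {
    "mg:contoso": None,
    "mg:prod": "mg:contoso",
    "sub:prod-01": "mg:prod",
    "rg:app-prod": "sub:prod-01",
    "res:app-prod/vnet-prod": "rg:app-prod",
    "res:app-prod/vm-web": "rg:app-prod",
}
# (principal, role, scope): assignments are additive and cover the assigned
# scope plus everything beneath it.
ROLE_ASSIGNMENTS = [
    ("alice", "Reader", "mg:contoso"),
    ("alice", "Contributor", "rg:app-prod"),
    ("bob", "Owner", "sub:prod-01"),
]
# (lock level, scope): locks are inherited by child resources; the most
# restrictive one wins, whatever role the caller holds.
LOCKS = [("CanNotDelete", "res:app-prod/vnet-prod")]
# Simplification: Azure checks per-action permissions; here either role may delete.
DELETE_ROLES = {"Contributor", "Owner"}

def scope_chain(scope: str) -> list:
    """The scope itself followed by each ancestor up to the root."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = PARENT[scope]
    return chain

def effective_roles(principal: str, scope: str) -> list:
    """Roles held at `scope`, whether assigned there or inherited from a parent."""
    chain = set(scope_chain(scope))
    return sorted({r for p, r, s in ROLE_ASSIGNMENTS if p == principal and s in chain})

def effective_lock(scope: str):
    """Most restrictive lock in the chain: ReadOnly > CanNotDelete > None."""
    levels = {lvl for lvl, s in LOCKS if s in set(scope_chain(scope))}
    return "ReadOnly" if "ReadOnly" in levels else "CanNotDelete" if "CanNotDelete" in levels else None

def can_delete(principal: str, scope: str) -> bool:
    """Two independent gates: RBAC must allow delete AND no inherited lock may block it."""
    return bool(DELETE_ROLES & set(effective_roles(principal, scope))) and effective_lock(scope) is None
```

Bob is Owner of the whole subscription yet still cannot delete the locked VNet, while Alice's Reader role from the management group reaches every resource below it.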
Key security services (concept-level)
| Service | What it does | Exam cue |
|---|---|---|
| Key Vault | Store secrets/keys/certs securely | “Store connection strings / rotate secrets” |
| Defender for Cloud | Security posture + recommendations | “Improve security score / harden resources” |
| DDoS Protection | Protect from DDoS attacks | “Public endpoints under attack” |
7) Monitoring and service health (what to use when)
| Need | Best-known tool/service | What you get |
|---|---|---|
| Resource metrics + alerts | Azure Monitor | Metrics, alerts, dashboards |
| Central log search | Log Analytics | KQL queries over logs |
| App performance monitoring | Application Insights | Tracing, failures, dependencies |
| Best-practice recommendations | Azure Advisor | Cost, reliability, security suggestions |
| Azure incidents + advisories | Service Health | Outage notifications, RCA, planned maintenance |
8) Pricing + cost management (what moves the bill)
Common cost drivers
- Compute: VM size, hours, autoscale, reserved vs on-demand
- Storage: GB stored, redundancy choice, access tier, operations
- Networking: data egress (outbound), gateways, load balancing
- Licensing: OS/SQL licenses (look for Azure Hybrid Benefit)
Cost tools
- Pricing calculator: estimate Azure spend for a design
- TCO calculator: compare on‑prem vs Azure cost
- Cost Management: budgets, alerts, and cost analysis reporting
“Discounting” vocabulary (concept-level)
| Option | What it trades | When it fits |
|---|---|---|
| Reservations | Commitment for lower price | Steady, predictable usage |
| Savings plan for compute | Commit spend/hour for compute discounts | Flexible compute usage |
| Spot | Interruptible capacity | Fault-tolerant batch jobs |
9) SLA math + service lifecycle (fast rules)
Downtime allowances (quick table)
| SLA | Downtime / month (30d) | Downtime / year |
|---|---|---|
| 99% | ~7h 18m | ~3d 15h |
| 99.9% | ~43m | ~8h 46m |
| 99.95% | ~22m | ~4h 23m |
| 99.99% | ~4m | ~52m |
Formula: downtime = (1 − SLA) × total time
Composite SLA (two components)
If services are in series (both must work), multiply availabilities:
- Example: 99.9% × 99.9% = 99.8001% overall
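An added worked example (not part of the cheat sheet) that implements the downtime formula and the series rule above, and also adds the parallel (redundant) rule, which the page does not cover. The monthly column of the table corresponds to an average 730-hour month, which is the constant used here.

```python
# Added worked example (not from the cheat sheet): the downtime formula and the
# composite-SLA rule, applied to the page's own figures.
HOURS_PER_MONTH = 730.0  # average month = 365 * 24 / 12; reproduces the table's monthly column
HOURS_PER_YEAR = 8760.0  # 365 * 24

def downtime_minutes(sla_percent: float, hours: float) -> float:
    """Allowed downtime in minutes: (1 - SLA) * total time."""
    return (1.0 - sla_percent / 100.0) * hours * 60.0

def fmt_duration(minutes: float) -> str:
    """Render minutes as 'Xd Yh Zm', rounding down to whole minutes."""
    days, rem = divmod(int(minutes), 24 * 60)
    hours, mins = divmod(rem, 60)
    parts = [f"{days}d"] if days else []
    if hours:
        parts.append(f"{hours}h")
    parts.append(f"{mins}m")
    return " ".join(parts)

def composite_sla_series(*slas: float) -> float:
    """Components in series (every one must work): multiply the availabilities."""
    availability = 1.0
    for sla in slas:
        availability *= sla / 100.0
    return availability * 100.0

def composite_sla_parallel(*slas: float) -> float:
    """Redundant components (any one suffices): 1 - product of the unavailabilities.
    This goes beyond the page, which only shows the series case."""
    unavailability = 1.0
    for sla in slas:
        unavailability *= 1.0 - sla / 100.0
    return (1.0 - unavailability) * 100.0

def downtime_table(slas):
    """Rows of (SLA %, downtime per 730 h month, downtime per year)."""
    return [(sla, fmt_duration(downtime_minutes(sla, HOURS_PER_MONTH)),
             fmt_duration(downtime_minutes(sla, HOURS_PER_YEAR))) for sla in slas]

if __name__ == "__main__":
    for row in downtime_table([99.0, 99.9, 99.95, 99.99]):
        print(row)
    print(f"series 99.9% x 99.9% = {composite_sla_series(99.9, 99.9):.4f}%")
```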
Preview vs GA (fundamentals view)
| Stage | What it implies | Exam note |
|---|---|---|
| Preview | Feature still maturing | SLAs/support may be limited |
| GA | Generally available | Full SLA/support expectations |
10) Fast scenario pickers (most-tested patterns)
- “Grant a user access to manage resources” → RBAC (at the right scope).
- “Require all resources to have tags / restrict regions” → Azure Policy.
- “Prevent deletion of a critical resource” → Resource lock.
- “Store secrets/keys/certs” → Key Vault.
- “Private access to a PaaS service” → Private Endpoint (+ correct DNS).
- “Connect on-prem to Azure privately” → ExpressRoute (vs VPN over internet).
- “Estimate cost” → Pricing calculator; “compare on-prem vs cloud” → TCO calculator.
- “Find outages and planned maintenance” → Service Health.
Mini-glossary (quick recall)
Tenant (identity boundary) • Subscription (billing/quota) • Resource group (lifecycle container) • RBAC (permissions) • Policy (compliance) • Availability Zone (datacenter separation) • Region pair (cross-region DR planning) • Private Endpoint (private IP to PaaS).