Azure Fundamentals AZ-900

The shared responsibility model is one of the most tested AZ-900 concepts. Remember: in IaaS, the customer has the most responsibility; in SaaS, the provider has the most. Regardless of the service model, the customer is always responsible for their data, accounts, identities, and access management. The provider is always responsible for the physical datacenter, network, and hosts. PaaS sits in between — the provider manages the OS and runtime, the customer manages the application and data.

The AZ-900 exam frequently tests the economic benefits of cloud computing. Know that the shift from CapEx to OpEx is a key driver for cloud adoption — organizations avoid large upfront costs and pay only for consumed resources. Understand the difference between scalability (the ability to add capacity) and elasticity (automatic scaling based on demand). For SLAs, know that more 9s means less downtime: 99.9% allows ~8.7 hours/year, 99.99% allows ~52 minutes/year, 99.999% allows ~5 minutes/year.

For the exam, be prepared to identify which cloud model fits a given scenario. Hybrid cloud is increasingly the most common enterprise approach because it provides flexibility — regulated data stays on-premises while scalable workloads run in Azure. Remember that public cloud does not mean less secure; Azure invests billions in security and compliance. The key differentiator is who manages the infrastructure: you (on-prem/IaaS), shared (PaaS), or the provider (SaaS).

The AZ-900 exam tests your understanding of Azure's global infrastructure. Know that availability zones provide high availability within a region (protect against datacenter failure), while region pairs provide disaster recovery across regions (protect against regional failure). A common exam question: availability zones are connected by high-speed private fiber, not the public Internet. Remember that sovereign regions like Azure Government have separate endpoints and certifications (FedRAMP, DoD).

Understanding the Azure resource hierarchy is critical for the AZ-900 exam. A key concept is inheritance: if you assign an Azure Policy at the management group level, it automatically applies to all subscriptions, resource groups, and resources below. Remember that a resource can only exist in one resource group, but resources in different resource groups can communicate with each other. Subscriptions have limits (quotas) that can be increased by contacting Azure support.

ARM is a foundational concept for the AZ-900 exam. The key takeaway is that ARM provides a single, consistent management plane — regardless of how you interact with Azure (portal, CLI, API), the request flows through ARM. ARM templates enable repeatable deployments: you can deploy the same template to dev, staging, and production environments with parameter files for environment-specific values. Know that Bicep is the recommended way to write ARM templates due to its cleaner syntax.

The AZ-900 exam tests your ability to choose the right compute service for a scenario. Use VMs when you need full OS control. Use App Service when you want to deploy web apps without managing infrastructure. Use ACI for simple container workloads and AKS for complex container orchestration at scale. Use Azure Functions for event-driven, short-duration code. A key exam theme: moving from VMs to App Service to Functions represents increasing levels of abstraction and decreasing management responsibility.

For the exam, understand that VNets are the foundation of Azure networking. Key comparison: VPN Gateway uses encrypted tunnels over the public Internet (cheaper, moderate bandwidth), while ExpressRoute is a private connection that bypasses the Internet (more expensive, higher bandwidth and reliability). NSGs are stateful — if you allow inbound traffic, the return outbound traffic is automatically allowed. Remember that VNet peering connects VNets across regions with low latency using the Microsoft backbone network, not the public Internet.

Storage tiers are a frequently tested topic on the AZ-900 exam. Know that Hot is for data accessed often, Cool is for data stored at least 30 days, Cold is for data stored at least 90 days, and Archive is for data stored at least 180 days with hours of retrieval latency. All Azure Storage services are accessed through a storage account, which provides a unique namespace (e.g., mystorageaccount.blob.core.windows.net). Storage redundancy options range from LRS (3 copies in one datacenter) to GZRS (6 copies across availability zones and regions).

For the AZ-900 exam, focus on when to use each database service. Azure SQL Database is the go-to choice for traditional relational workloads with Microsoft SQL Server compatibility. Cosmos DB is the answer when the scenario mentions global distribution, multi-region writes, or low-latency NoSQL. A key differentiator: Cosmos DB offers five consistency levels (Strong, Bounded Staleness, Session, Consistent Prefix, Eventual) that let you balance between consistency and performance. All managed database services handle backups, patching, and HA automatically.

Microsoft Entra ID (Azure AD) is one of the most heavily tested topics on the AZ-900 exam. Know that Entra ID is not the same as on-premises Active Directory Domain Services (AD DS) — Entra ID is a cloud identity provider using modern protocols (OAuth, OIDC, SAML), while AD DS is for on-premises domain management (Kerberos, LDAP). Azure AD Connect synchronizes identities between on-premises AD and Entra ID for hybrid scenarios. Conditional Access is the Zero Trust engine — it evaluates every access request in real time.

Defense in depth and Zero Trust are foundational security concepts for the AZ-900 exam. The key difference: defense in depth focuses on layers of protection, while Zero Trust focuses on verifying every request regardless of location. Remember that the traditional perimeter model (trust everything inside the firewall) is obsolete — Zero Trust treats every request as if it originates from an untrusted network. For the exam, be able to name the defense-in-depth layers and the three Zero Trust principles.

For the AZ-900 exam, know the purpose of each security tool. Defender for Cloud provides posture management and recommendations (check your secure score). Key Vault stores secrets securely (never store secrets in code or config files). DDoS Protection defends against volumetric attacks. Azure Firewall provides network-level traffic filtering. Sentinel provides SIEM/SOAR capabilities for security operations. A common exam scenario: "Where should you store connection strings?" — the answer is Azure Key Vault.

Azure Policy is a core governance topic on the AZ-900 exam. Key distinction: Azure Policy enforces organizational standards on resources (e.g., "VMs must use managed disks"), while RBAC controls who can perform actions (e.g., "developers can create VMs"). Policies are inherited through the management hierarchy — a policy assigned to a management group applies to all subscriptions and resources beneath it. Blueprints differ from ARM templates by maintaining a relationship with the deployed resources for ongoing governance.

RBAC is frequently tested on the AZ-900 exam. Remember the principle of least privilege: assign the narrowest role at the narrowest scope. A common exam question: "A developer needs to deploy VMs but should not manage access" — the answer is Contributor (not Owner). Resource locks are a safety mechanism — use CanNotDelete on production resource groups and ReadOnly on compliance-critical resources. Even Owners must explicitly remove a lock before they can delete the protected resource.

Cost management is a significant portion of the AZ-900 exam. Know the difference between the two calculators: Pricing Calculator estimates Azure costs for new deployments, TCO Calculator compares on-premises costs versus Azure costs for migration decisions. Tags do not inherit by default — you must apply them at each resource level or use Azure Policy to enforce tagging. Azure Reservations provide the biggest savings for predictable workloads, while Spot VMs offer the deepest discounts for fault-tolerant, interruptible workloads like batch processing.

The AZ-900 exam tests your understanding of when to use each management tool. Use the Azure portal for visual, interactive management. Use Azure CLI or PowerShell for repeatable, scriptable automation — both are functionally equivalent, so choose based on your scripting preference (Bash vs PowerShell). Cloud Shell is convenient because it requires no local installation and is always up to date. All management tools communicate with the same Azure Resource Manager (ARM) API, so they produce identical results.

Azure Monitor is the umbrella monitoring service for the AZ-900 exam. Know that it collects two types of data: metrics (numbers, real-time, stored for 93 days) and logs (text/structured data, stored in Log Analytics, queried with KQL). Application Insights is specifically for monitoring application performance and user behavior. A common exam question: "How do you monitor the performance of a web app?" — the answer is Application Insights. Alerts are the actionable component that turns monitoring data into automated responses.

For the AZ-900 exam, understand the distinction between these three services. Azure Advisor is your proactive optimization tool — it tells you what you should improve. Azure Monitor is your operational monitoring tool — it tells you what is happening right now. Service Health is your platform status tool — it tells you if Azure itself has issues. A common exam question: "You want to reduce your Azure costs. Which service provides recommendations?" — the answer is Azure Advisor (Cost category).