AZ-900 Core Solutions and Management Tools on Azure: A Practical Guide for Beginners

1. Azure Structure and the AZ-900 Exam Mindset

Core solutions and management tools are where Azure stops feeling like a list of product names and starts making sense as a platform. For AZ-900, the goal is not deep administration. It’s really about knowing what each service does, where it fits, and how to tell it apart from the ones that look almost the same at first glance.

The full Azure governance context is best understood as Microsoft Entra tenant (formerly Azure AD) → management groups → subscriptions → resource groups → resources. The tenant is the identity boundary. Management groups organize subscriptions. Subscriptions are billing boundaries and common governance scopes. Resource groups organize related resources for deployment and lifecycle management. Resources are the actual services such as VMs, VNets, and storage accounts.

Azure resources are deployed into regions, which are sets of one or more datacenters within a defined latency perimeter. Availability Zones are separate physical locations within a region, each with independent power, cooling, and networking. Most regions have a paired region in the same geography for resilience planning, but region pairs do not mean your workloads fail over automatically; failover depends on the service and your architecture.

One exam theme appears everywhere: shared responsibility. With IaaS, Microsoft takes care of the physical datacenter, the physical network, and the hypervisor, while you’re still on the hook for the operating system, applications, data, and a lot of the configuration. With PaaS and serverless, Microsoft handles a lot more of the platform for you, but you still need to manage identities, data, access, and the service settings that matter.

2. Core Azure Compute Solutions

| Service | Best Exam Cue | Primary Use |
| --- | --- | --- |
| Azure Virtual Machines | Need full OS control | IaaS compute |
| Azure App Service | Managed web app or API hosting | PaaS web platform |
| Azure Kubernetes Service (AKS) | Need container orchestration | Managed Kubernetes service |
| Azure Functions | Event-driven code execution | Serverless compute |
| Azure Container Instances | Run a container quickly without a cluster | Simple isolated container workloads |
| Azure Virtual Desktop | Centralized desktops and remote apps | Desktop virtualization |

Azure Virtual Machines are cloud-hosted servers. You still choose the image, VM size, disks, networking, and operating system settings, so you’ve got a lot of control. That’s great when you need flexibility, but it does come with more responsibility too. In practice, a VM usually lives inside a virtual network, sits in a subnet, uses a network interface, and often has a Network Security Group, or NSG, attached to help control traffic. Managed disks handle the storage side for the VM, giving you the OS disk and, if needed, extra data disks too. When I teach AZ-900, I usually say VMs make the most sense when you need legacy app compatibility, custom software, or full administrative control. If you’re coming from an on-prem background, that usually clicks pretty quickly.

Azure App Service is a managed platform for web apps and APIs. So instead of standing up and maintaining a server yourself, you drop your code into an App Service plan and let Azure take care of the platform side in the background. The big things I’d remember are built-in scaling, custom domains, TLS support, deployment slots, and that nice built-in monitoring integration. Honestly, those are the hints that usually point you straight to App Service on the exam. If the question says “host a website without managing the OS,” App Service is usually the better fit than a VM.

AKS is a managed container orchestration service. The easiest way I explain it is this: a container packages an app with everything it needs so it behaves consistently almost anywhere, and Kubernetes is the traffic controller that keeps all those containers organized across multiple machines. With AKS, Azure takes care of a big chunk of the control plane for you, and honestly, that can take a huge amount of pressure off the team. But you’re still responsible for the workloads themselves, the node pools, the networking choices, and the regular care and feeding of the cluster. If a scenario mentions microservices, scaling lots of containers, or needing orchestration, AKS is usually the better match than Container Instances. That’s the common exam clue.

Azure Functions runs code based on triggers such as HTTP requests, timers, queue messages, or blob events. It is best known for event-driven execution and automatic scaling. For AZ-900, remember Functions as the “run code when something happens” service, even though more advanced patterns such as durable workflows also exist.

Azure Container Instances runs containers without requiring you to manage VMs or a Kubernetes cluster. In practice, that makes it a great fit for bursty workloads, quick test runs, scheduled jobs, or those one-off containers that don’t really need the overhead of a full orchestration platform. Honestly, if you just want something to run and get out of the way, this is a very clean option. It usually isn’t the best choice for large-scale, tightly coordinated microservices, because that’s where Kubernetes starts to make a lot more sense pretty quickly.

Azure Virtual Desktop delivers centrally managed virtual desktops and remote applications from Azure, including common multi-session Windows scenarios. Recognize host pools, session hosts, and centralized access as the main ideas.

Exam discriminator: VM = maximum control, App Service = managed web hosting, Functions = event-driven serverless, AKS = orchestrated containers, ACI = simple container execution, AVD = virtual desktops.

3. Core Azure Networking Solutions

Azure Virtual Network (VNet) is the private network boundary in Azure. It gives Azure resources their IP addressing, subnet layout, routing, and isolation, so it’s really the foundation for private networking in the platform. Subnets let you separate workloads, and NSGs filter traffic using allow/deny rules. VNet peering connects VNets privately over the Azure backbone.

VPN Gateway provides encrypted connectivity over the public internet between Azure and another network. ExpressRoute provides private dedicated connectivity through a provider. For AZ-900, the clean distinction is simple: VPN Gateway uses the internet with encryption; ExpressRoute uses private connectivity.

Load Balancer distributes traffic at Layer 4 using IP and port information. It can be public or internal. Application Gateway is Layer 7 for HTTP and HTTPS, supports path-based routing, and is commonly associated with Web Application Firewall (WAF). Azure Front Door is a global HTTP and HTTPS entry service for web applications, useful for global routing, acceleration, and edge presence. If a question mentions path-based routing or WAF for a web app, Application Gateway is usually the one to think about. If it mentions global web entry and acceleration, think Front Door.

Azure DNS hosts DNS zones and records for public name resolution; it does not register domains by itself. For private name resolution inside Azure networks, recognize Azure Private DNS as the related service. Common record types include A, CNAME, and MX.

Also recognize private endpoints at a high level: they provide private IP-based access to supported Azure services over a VNet, reducing public exposure.

| Comparison | Best Answer Trigger |
| --- | --- |
| VPN Gateway vs ExpressRoute | Encrypted internet vs private dedicated circuit |
| Load Balancer vs Application Gateway | Layer 4 traffic vs Layer 7 web routing |
| Application Gateway vs Front Door | Regional web gateway vs global web entry |
| Azure DNS vs Azure Private DNS | Public DNS hosting vs private internal name resolution |

4. Core Azure Storage Solutions

Most Azure storage starts with a storage account, which is the top-level resource that can contain services such as Blob, Files, Queues, and Tables. For AZ-900, the main thing is to focus on how the data will be used.

Blob Storage is object storage for unstructured data such as images, backups, logs, and media. Azure Files provides managed file shares using SMB and, in some cases, NFS support. Managed Disks provide block storage for VM OS and data disks. Queue Storage stores simple messages between application components. Table Storage is a NoSQL key-attribute store for structured non-relational data.

| Storage Type | Best Fit |
| --- | --- |
| Blob | Backups, images, documents, logs, media |
| Files | Shared file access and lift-and-shift file shares |
| Managed Disks | VM OS disks and VM data disks |
| Queue | Simple application messaging |
| Table | Simple NoSQL structured data |

Access tiers help optimize cost. Hot is for frequently accessed data. Cool has lower storage cost but higher access cost for infrequently used data. Archive is lowest-cost storage for long-term retention with slower retrieval and rehydration. The exam point is that lower-cost tiers often increase retrieval cost and delay.

Redundancy options are highly testable. LRS keeps copies in a single datacenter. ZRS replicates across availability zones in a region. GRS replicates to a secondary region. GZRS combines zone redundancy in the primary region with geo-replication to a secondary region. Read-access variants such as RA-GRS and RA-GZRS allow read access to the secondary location.

From a security angle, recognize the access methods: storage account access keys, shared access signatures (SAS), and Microsoft Entra-based access with RBAC. Also keep in mind that secure transfer (HTTPS required), encryption at rest, and private endpoints are common protection features you’ll see on Azure storage.

5. Azure Management Interfaces and Deployment Tools

Azure Portal is the browser-based GUI. Azure CLI is cross-platform command-line management. Azure PowerShell is PowerShell-based management. Azure Cloud Shell provides browser-based Bash or PowerShell with Azure tools preinstalled; it uses associated storage for persistence.

These tools interact with Azure Resource Manager (ARM), the management plane for deploying and managing Azure resources through resource providers. This is different from the data plane, which is the direct operation of the service itself, such as reading blob data inside a storage account.

Infrastructure as Code means defining infrastructure declaratively so deployments are repeatable and consistent. Azure supports this through ARM templates and Bicep. Bicep is the more readable Microsoft-supported option, and under the hood it gets compiled into ARM templates. That’s one reason a lot of people prefer it once they start working with Azure deployments regularly. Declarative deployments are idempotent, meaning rerunning them aims to reach the desired state rather than blindly duplicating resources.

Here are two quick examples, one for Azure CLI and one for Azure PowerShell, that do the same thing:

az group create --name rg-demo --location eastus # Creates a resource group in East US

New-AzResourceGroup -Name rg-demo -Location eastus # Creates a resource group with PowerShell
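The same idea in Bicep, as an added example that is not part of the original guide: it declares a storage account with the protection features from section 4 (secure transfer, TLS 1.2, no public blob access, Entra-only authentication, private access only) plus a delete lock and cost tags. The account name prefix, tag values, and lock name are assumed placeholders.

```bicep
// Added example, not code from the original guide. Deploy at resource-group scope:
//   az deployment group create -g rg-demo -f storage.bicep
// Bicep compiles this into an ARM template; re-running the deployment is idempotent.

@description('Region for the storage account; defaults to the resource group region')
param location string = resourceGroup().location

@description('Globally unique account name (3-24 lowercase letters/digits); prefix is an assumed placeholder')
@minLength(3)
@maxLength(24)
param storageAccountName string = 'stdemo${uniqueString(resourceGroup().id)}'

resource stg 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_GRS' // geo-redundant: data is also replicated to the paired region
  }
  tags: {
    // tags do not control access; they exist for organization and cost reporting
    CostCenter: 'cc-placeholder'
    Owner: 'owner-placeholder'
    Environment: 'dev'
  }
  properties: {
    accessTier: 'Hot'                 // frequently accessed data
    supportsHttpsTrafficOnly: true    // "secure transfer required"
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false      // no anonymous blob or container access
    allowSharedKeyAccess: false       // no account keys or key-based SAS; Entra ID + RBAC only
    publicNetworkAccess: 'Disabled'   // reachable through a private endpoint, not the internet
  }
}

// Resource lock: an extension resource scoped to the storage account
resource deleteLock 'Microsoft.Authorization/locks@2020-05-01' = {
  name: 'lock-no-delete'
  scope: stg
  properties: {
    level: 'CanNotDelete'
    notes: 'Prevents accidental deletion; remove the lock before deleting the account'
  }
}

output storageAccountId string = stg.id
```

With public network access disabled, clients reach the account only through a private endpoint in a VNet, which is the pattern section 3 describes.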

Azure Resource Graph is for querying resources at scale, not deploying them. A few good examples would be finding all your VMs, listing resources that are missing tags, or building an inventory of storage accounts across several subscriptions. Azure Marketplace is the catalog for Microsoft and third-party solutions.

6. Monitoring, Health, and Diagnostic Tools

| Tool | Primary Use |
| --- | --- |
| Azure Monitor | Metrics, logs, alerts, dashboards, and workbooks |
| Application Insights | Application telemetry and performance monitoring |
| Azure Service Health | Personalized platform issues and maintenance affecting your resources |
| Azure Status | Broad Azure service availability information |
| Azure Advisor | Recommendations for reliability, security, performance, operational excellence, and cost optimization |

Azure Monitor collects and analyzes telemetry such as metrics and logs. Metrics are numeric time-series values, like CPU percentage or request count, and they’re really useful when you want to spot trends or catch trouble early. Logs are event records and diagnostic data, often stored in a Log Analytics workspace. Monitor also supports alerts and action groups. Telemetry varies a little from one service to another, so you won’t always see the exact same metrics on every resource. That’s normal, and it’s one reason you need to pay attention to the service type when you’re troubleshooting.

Application Insights is commonly used for app-level observability, including request rates, failures, dependencies, and traces. For a slow web app, this is often the first really useful place to look once you’ve ruled out basic platform issues.

Diagnostic workflow: if you suspect a Microsoft platform issue, check Service Health or Azure Status. If the workload itself seems to be acting up, Azure Monitor and Application Insights are usually the next places I’d look. If the environment needs improvement, check Advisor.

7. Governance, Identity, Security, and Cost Management

Microsoft Entra ID provides identity for users, groups, applications, service principals, and managed identities. Subscriptions are associated with a tenant, and access to Azure is commonly authorized through Entra identities plus RBAC.

RBAC answers who can do what. Role assignments can be applied at management group, subscription, resource group, or resource scope and inherit downward. Azure Policy answers what is allowed or required. Policy effects include deny, audit, append, and deployIfNotExists. Locks protect resources from accidental change. Tags add metadata for organization and cost reporting, but they do not control access and do not automatically inherit from resource groups to resources.

| Control | Main Purpose |
| --- | --- |
| RBAC | Permissions |
| Policy | Compliance and standards |
| Locks | Prevent deletion or modification |
| Tags | Organization and cost tracking |
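The Policy side of this table in working form, as an added example that is not from the original guide: a subscription-scope Bicep deployment of the “deny resources in unapproved regions” pattern from section 10, written as a custom definition with a deny effect plus an assignment. The definition and assignment names and the region list are assumed.

```bicep
// Added example, not code from the original guide. Deploy at subscription scope:
//   az deployment sub create --location eastus -f allowed-regions.bicep
targetScope = 'subscription'

@description('Regions in which resources may be created (assumed list)')
param allowedLocations array = [
  'eastus'
  'eastus2'
]

// Custom definition. The rule string is evaluated by Azure Policy, not by ARM at
// deployment time, so Bicep escaping it as [[...]] in the compiled template is correct.
resource denyUnapprovedRegions 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-unapproved-regions'
  properties: {
    displayName: 'Deny resources outside approved regions'
    policyType: 'Custom'
    mode: 'Indexed' // evaluate only resource types that support location and tags
    parameters: {
      listOfAllowedLocations: {
        type: 'Array'
        metadata: { displayName: 'Allowed locations', strongType: 'location' }
      }
    }
    policyRule: {
      if: {
        allOf: [
          { field: 'location', notIn: '[parameters(\'listOfAllowedLocations\')]' }
          { field: 'location', notEquals: 'global' } // global services have no region
        ]
      }
      then: {
        effect: 'deny' // start with 'audit' to see what would be blocked before enforcing
      }
    }
  }
}

// Assignment at subscription scope; every resource group and resource below inherits it
resource denyAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'deny-unapproved-regions'
  properties: {
    displayName: 'Deny unapproved regions'
    policyDefinitionId: denyUnapprovedRegions.id
    enforcementMode: 'Default'
    parameters: {
      listOfAllowedLocations: { value: allowedLocations }
    }
  }
}
```

Assigning the same definition at a management group instead of a subscription pushes the rule to every subscription underneath, which is the inheritance behavior described for RBAC scopes above.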

For security, recognize Microsoft Defender for Cloud as the service that provides security posture management and recommendations. Azure Key Vault stores secrets, keys, and certificates securely. Managed identities let Azure services authenticate without storing credentials in code. You’ll also want to know the basics of least privilege, MFA, encryption at rest, encryption in transit, and network isolation, because those ideas pop up all over Azure security.

Cost Management + Billing supports cost analysis, budgets, alerts, and forecasting. Common optimization patterns include right-sizing VMs, following Advisor recommendations, moving infrequently accessed data to cooler storage tiers, and using tags such as CostCenter, Owner, and Environment for chargeback.

One current terminology note: Azure Blueprints has been deprecated. Modern governance emphasis is on management groups, policy initiatives, RBAC, tags, locks, and Infrastructure as Code approaches such as ARM templates and Bicep.

8. Hybrid Management with Azure Arc

Azure Arc extends Azure management to resources outside native Azure-hosted environments, including servers, Kubernetes clusters, and some data services across on-premises, edge, and other clouds. Arc does not move those resources into Azure or convert them into native Azure resources. It lets you project them into Azure for visibility, governance, and management.

For AZ-900, the big value is consistency: you can onboard non-Azure resources, apply Policy, use Monitor, and manage everything through an Azure-centered operating model.

9. Quick Real-World Scenarios

| Scenario | Likely Azure Services | Why |
| --- | --- | --- |
| Host a company web app globally | App Service, Front Door, Azure DNS, Monitor | Managed web hosting, global entry, DNS, observability |
| Migrate a file share with hybrid access | Azure Files, Azure File Sync, VPN Gateway or ExpressRoute | Cloud file shares plus hybrid synchronization |
| Protect and govern production subscriptions | Management groups, Policy, RBAC, locks, tags, Defender for Cloud | Governance, least privilege, compliance, protection |

10. AZ-900 High-Value Confusion Points and Final Exam Tips

Most-tested pairs: Monitor vs Service Health vs Advisor; RBAC vs Policy; VPN Gateway vs ExpressRoute; Load Balancer vs Application Gateway vs Front Door; Blob vs Files vs Disks; Portal, CLI, and PowerShell vs ARM.

Exam wording triggers:

  • “Event-driven” → Azure Functions
  • “Private dedicated connectivity” → ExpressRoute
  • “Path-based routing for web traffic” → Application Gateway
  • “Global web entry” → Front Door
  • “Recommendations to reduce cost” → Advisor
  • “Planned maintenance affecting your subscription” → Service Health
  • “Deny resources in unapproved regions” → Azure Policy
  • “Need full control of OS” → Virtual Machines

What you do not need for AZ-900: deep Kubernetes administration, detailed ARM schema authoring, advanced network design, or extensive CLI memorization. Focus on service purpose, category, and comparison.

If you remember one model, use this: compute runs workloads, networking connects them, storage holds data, management tools deploy them, monitoring observes them, governance controls them, and Azure Arc extends that model beyond Azure. That is the core of this exam domain and a strong foundation for everything that comes after AZ-900.