Core Azure Services Demystified: A Practical Guide for AZ-900 Learners

1. Introduction to Microsoft Azure and Cloud Concepts

Let me start with a story—my first Azure project was a scramble. I was tasked with “migrating a handful of apps to the cloud,” and the Azure Portal looked like an alien control panel. What’s a Resource Group? Why does every click ask about subscriptions? Back then, documentation was sparse. But learning Azure basics became one of the best moves of my career. If you’re prepping for the AZ-900 or just exploring, you’re in good company—and the skills you gain here are universally valuable in IT, business, and beyond.

What is Azure? Microsoft Azure is basically your all-in-one, global cloud playground. Azure’s got pretty much every trick in the book—you want to run virtual machines? Sure. Need to stash away heaps of files or blast some number-crunching analytics? Easy. Fancy a bit of AI magic, or maybe hook up some smart gadgets? No problem. Seriously, if you can dream it up, there’s probably an Azure service for it. Imagine Azure as this never-ending toolbox that somehow keeps getting bigger—every time you turn around, Microsoft’s tossed in some new gadget. No matter if you’re hacking away on your own, leading a big-shot enterprise, just getting your startup off the ground, or even just dipping your toes in as a student, there’s a tool in there for you. Really getting the hang of Azure basics? That’s your golden ticket. All of a sudden, you’ve got the power to build, lock down, and grow solutions for pretty much any business out there—whether you’re helping your neighbor’s bakery with online orders or architecting something huge for a worldwide brand.

Alright, so let’s make sense of the big three cloud models—those are IaaS, PaaS, and SaaS. Here’s what actually makes each one different from the others.

Cloud models often trip up newcomers. Here’s a technical breakdown—plus my signature pizza shop analogy:

Why does this matter? Matching your project to the right model balances control, cost, and agility. For the exam and real-world, memorize which layers you manage for each model. Here’s a quick reference:

Migration tip: If your app is tightly coupled to legacy OS or specific settings, start with IaaS. If you want to modernize, aim for PaaS for lower ops overhead. SaaS is best for out-of-the-box business solutions.

Deployment Models: Public, Private, Hybrid (with Azure Arc)

Azure offers multiple deployment approaches:

• Public Cloud: Your workloads run on Azure’s shared infrastructure. You still get your own secure little corner, but since you’re splitting the underlying hardware with other folks, it’s easier on the wallet and you can ramp things up or down in no time. Best for: Most new applications, quick deployment, minimal regulatory constraints.
• Private Cloud: Dedicated resources, often via Azure Stack or on-premises. You call the shots, but you’ve also got more stuff to manage and it can get complicated pretty quickly. Best for: Sensitive workloads, strict compliance, or legacy integration.
• Hybrid Cloud: Mix of on-prem and Azure resources. Use Azure Arc to manage resources across hybrid/multi-cloud. Best for: Gradual migrations, data residency, or regulatory requirements.

Example scenario: Healthcare organizations often use hybrid to keep patient records on-premises but leverage Azure Synapse for analytics.
Compliance tip: Always assess data residency and sovereignty needs—match your region and model to legal requirements.

Test Yourself!

• Question: Which cloud model gives you full control over the operating system and applications?
  Answer: IaaS, or Infrastructure as a Service
• Question: Give an example of a hybrid cloud scenario.
  Answer: Keeping sensitive customer data on-premises but running analytics workloads in Azure.

2. Core Azure Architectural Components

Azure is organized like a digital metropolis—global, yet granularly structured. Here’s how to map the city:

Okay, let’s dig into what everyone really wonders—where in the world does your data actually live in Azure? We’ll talk regions, these things called availability zones, and how Azure keeps your stuff safe and close by.

Azure spans 60+ regions worldwide, each with multiple, physically distinct Availability Zones (AZs) for resilience. Imagine Azure regions as big cities, and each Availability Zone is its own neighborhood—scattered across town, but still part of the same city limits. Every zone’s got its own corner, out in a different part of the city—totally separate in case something goes sideways. Each neighborhood is an Availability Zone—it’s separate from the others but still part of the same overall city. Every zone’s got its own power, internet, and backup systems—so if something wild happens in one neighborhood, the rest are still up late, lights on, no worries. If one of those neighborhoods has a problem, the rest don’t even blink—they just keep humming along like nothing happened. So, if a data center suddenly conks out or gets swamped, the rest of the zones just pick up the slack. Your app fans won’t even notice a ripple. Business as usual! You keep the lights on and your customers don’t even realize anything happened.

• Region selection matters: Data residency, latency, and compliance depend on it. And trust me—if you’re in finance, healthcare, or pretty much any field where auditors love to dig—making sure your Azure region matches those data rules is an absolute must.
• Availability Zones: Deploying across AZs protects against datacenter failures—crucial for high-availability apps.
• Resiliency tip: Always check the Azure products by region documentation before deploying critical workloads; not all services are available everywhere.

Some Azure services hang out in just one zone, others will stretch across a bunch for extra armor, and a few are built to span whole regions. So you can pick how tough you want your setup to be.

Alright, let’s unravel how Azure sorts your stuff. Between management groups, subscriptions, and resource groups, it’s basically Azure’s way of keeping your cloud projects organized—otherwise, it’d all be a hot mess.

• Management Groups: Topmost containers—apply policies and RBAC across multiple subscriptions (e.g., by department).
• Subscriptions: Billing boundaries and security fences for resources. It makes sense to split your subscriptions for things like production, development, or even for each part of your company, just to keep costs and permissions tidy.
• Resource Groups: Logical collections of related resources (VMs, storage, networking) for lifecycle and access management.

Best practice: Design your hierarchy around business, security, and lifecycle needs. Apply RBAC at the right level—never give “Owner” rights to everyone in a subscription.

Sample: Creating a Resource Group via CLI

az group create --name MyResourceGroup --location eastus

Applying RBAC at Resource Group Level (CLI)

az role assignment create --assignee john.doe@contoso.com --role "Contributor" --resource-group MyResourceGroup (That’s how you hand someone Contributor rights to a particular resource group, in case you’re curious.)

Test Yourself!

• Question: In Azure, which component defines a billing boundary?
  Answer: Subscription
• Question: What’s the difference between a region and an availability zone?
  Answer: A region is a set of datacenters in a geographic area; an availability zone is a physically separate datacenter within a region.

3. Core Azure Products and Solutions (Condensed & Balanced)

Alright, let’s dive straight into the world of compute in Azure! We’ve got those familiar VMs when you need total control, App Service if you just want to launch a website without fuss, containers if you’re feeling adventurous and want to try out AKS or ACI, and Azure Functions are my go-to for all those behind-the-scenes jobs you want to automate and then forget about.

• Virtual Machines (VMs): Full OS control; ideal for lift-and-shift or custom workloads. You patch, secure, and maintain.
• Azure App Service: Managed hosting for web apps, REST APIs, and mobile backends in multiple languages (.NET, Java, Node.js, Python, PHP). The best part? And the best part? App Service is like having a techie friend who takes care of all the boring stuff: scaling, patching, general maintenance—you name it. Seriously, you won’t be losing sleep over midnight server crashes—App Service handles the heavy lifting so you can actually enjoy your weekends.
• Containers: AKS (Azure Kubernetes Service) is for orchestrated, scalable microservices; ACI (Azure Container Instances) is for quick, serverless container runs.
• Azure Functions: Event-driven, serverless—great for automation, background jobs, and microservices.

Scaling: Use VM Scale Sets (VMSS) for autoscaling VMs. App Service Plans provide scaling settings for web apps. Scaling containers with AKS is actually pretty fun—set up your rules and it’ll fire up more pods as the crowds roll in, or shut some down when things are quiet.
Cost optimization: Deallocate unused VMs and leverage reserved instances for predictable long-term needs.

Some classic gotchas and fixes:

• VM won’t deploy? Check quota limits and region availability.
• App won’t scale? Double-check that your scaling rules are actually set, and that you’re on the right App Service Plan for what you need—otherwise, you might wonder why your app isn’t auto-scaling the way you expect.

Let’s chat about Azure networking for a sec—so that’s things like VNets, subnets, peering, load balancers, application gateways, VPN, ExpressRoute, and DNS.

• Virtual Network (VNet): Isolated, private IP space for your resources. Segment with subnets for security.
• Subnetting: Use subnets for app tiers (web, app, DB). Network Security Groups—or NSGs—are basically the security guards at the gates of your cloud empire. They check who’s coming and going at the subnet or VM level and only let in the traffic you actually want.
• VNet Peering: Connect VNets across regions for secure, low-latency communication.
• Load Balancer: Distributes TCP/UDP traffic across resources. App Gateway: Layer 7 (HTTP/S) load balancing and Web Application Firewall (WAF).
• VPN Gateway/ExpressRoute: VPN creates an encrypted tunnel over the public internet; ExpressRoute provides private, dedicated connectivity. ExpressRoute supports BGP for advanced routing.
• Azure DNS: Host DNS zones and manage records for public/private domains.

Quick Lab: Set up VNet Peering via CLI:

az network vnet peering create \ --name MyVNetToPeer \ --resource-group MyResourceGroup \ --vnet-name MyVNet1 \ --remote-vnet MyVNet2ResourceID \ --allow-vnet-access

NSG Rule Example: Allow SSH from a specific IP:

az network nsg rule create \ --resource-group MyResourceGroup \ --nsg-name MyNSG \ --name AllowSSH \ --protocol Tcp \ --priority 1000 \ --destination-port-range 22 \ --access Allow \ --source-address-prefix 203.0.113.5 \ (Just pointing out where you specify which source IP can access your resource.) --direction Inbound

Common Issues: Overlapping address spaces between on-prem and Azure break VPNs; NSG misconfigurations block legitimate traffic.

Now for storage—let’s run through storage accounts, blobs, files, disks, redundancy choices, and access controls.

• Azure Storage Account: Root container for Blobs, Files, Queues, Tables.
• Blob Storage: Unstructured data (images, backups). And here’s a money-saving tip: when you’re dropping stuff into blob storage, pick the access tier that fits—Hot if you need it all the time, Cool if you only peek at it every once in a while, or Archive if you just want to lock it away for a rainy day.
• Azure Files: Managed SMB and NFS shares; mountable on Windows and Linux VMs.
• Disks: Persistent storage for VMs; choose SSD or HDD, and set redundancy.
• Redundancy options: LRS (Locally Redundant Storage, single datacenter), GRS (Geo-Redundant), ZRS (Zone-Redundant), RA-GRS (read-access GRS). Let’s be real—before you pick how much backup you need, ask yourself: Would losing this data make you want to quit or have the compliance folks breathing down your neck? If so, crank up the redundancy! If the answer is yes, go for more redundancy. That’s your answer. That’ll tell you how bulletproof your storage setup really needs to be. Bottom line? Give your data as much padding as you need—because trust me, disasters and eagle-eyed auditors have a knack for showing up when you least expect.
• Security: Data is encrypted at rest and in transit by default. Have you ever wanted to share a file with someone for just a short while, but didn’t want to hand over the keys to the whole house? That’s where things like temporary access links (Shared Access Signatures) save your bacon. Shared Access Signatures, or SAS, are your solution—they’re like tossing someone a guest pass that auto-expires, so you never have to remember to take their key back.

Enable Soft Delete & Lifecycle Management: Protect against accidental deletion and automate tiering to reduce costs.

Now, let’s talk about Azure’s database lineup—there’s Azure SQL if you’re into good old-fashioned relational databases, Cosmos DB for the NoSQL and global crowd, plus fully-managed MySQL and PostgreSQL if you love open source.

• Azure SQL Database: Managed, scalable SQL with built-in backups, patching, geo-replication, and security. When you’re setting one up, you get to choose between DTUs (think of these like points measuring combined power) or vCores (which are real CPU and memory numbers). Go with whatever matches how you like to track performance and manage your budget.
• Cosmos DB: Globally distributed NoSQL. The cool part? Cosmos DB talks in lots of languages—SQL, MongoDB, Cassandra, Gremlin, and even Table storage APIs. It’ll even copy your data to multiple regions automatically and keep things lightning-quick (we’re talking under 10ms for reads and writes).
• Azure Database for MySQL/PostgreSQL: Fully managed open source. You don’t have to worry about backups, ramping up or down, or security—they’re all built in from the start.

Migration: Use Azure Database Migration Service for seamless lift-and-shift. And hey, if you want to sleep soundly at night, set up geo-replication or failover groups—so your data stays available even if an entire Azure region has an off day.

ARM Template: Azure SQL Database (Stable API Version)

{ "$schema": "", // Here’s where Azure checks for the ground rules your template will follow. "contentVersion": "1.0.0.0", // This is simply the version number—basically your way of saying, 'Hey, this is my latest and greatest draft.' "resources": [ { "type": "Microsoft.Sql/servers/databases", // Translation: 'Azure, spin up a SQL database for me, please!' "apiVersion": "2022-02-01", // Always double-check this—using the newest API version helps make sure you get all the cool features. "name": "[concat(parameters('sqlServerName'), '/', parameters('databaseName'))]", // This is where you mash together the server and database names you defined up front—kind of like digital Legos.d of like digital LEGO. "location": "[parameters('location')]", // Pick which Azure region you want your database to call home. "properties": { "collation": "SQL_Latin1_General_CP1_CI_AS", // That’s just the default way SQL sorts and matches up text—if you’re unsure, leave it. Honestly, unless you have a special need, just stick with the default. "maxSizeBytes": "2147483648", // Tells Azure how big you want to let this database get before it cries uncle. "sampleName": "AdventureWorksLT" }, "sku": { "name": "S0", "tier": "Standard" } } ] }

Troubleshooting: Can’t connect? First thing’s first: peek at your firewall settings and make sure they’re not slamming the door in your face. You can flip on the option that allows all Azure services to connect, but be careful—it’s like opening the gates wide, so only use it if you really know what you’re doing. If you went the private endpoint route, don’t overlook your NSG or VNet rules—those often cause connection headaches if you’re not careful.

Test Yourself!

• Question: Which Azure storage solution is best for shared folders accessed by multiple VMs?
  Answer: Azure Files
• Question: What service would you use for a globally distributed NoSQL database?
  Answer: Azure Cosmos DB

4. Now for the fun part—let’s jump into how you actually manage, keep an eye on, and automate your stuff in Azure. This is the point where you really start to feel like you’ve got the keys to the kingdom.

Whether you like point-and-click or command lines, Azure’s got you covered: there’s the Azure Portal (all web-based), Azure CLI, PowerShell, and Cloud Shell (a browser shell packed with tools).

• Azure Portal: Web UI for visual management. The portal’s great for poking around, learning, or spinning up a few things here and there.
• Azure CLI/PowerShell: Automate provisioning, scripting, and bulk management. CLI works everywhere, whether you’re on Windows, Mac, or Linux. PowerShell is fantastic if you’re deep in Windows territory and want every bell and whistle.
• Cloud Shell: Browser-based CLI/PowerShell with pre-installed tools and persistent storage. Accessible via the portal (“>_” icon).

Tip: For repeated deployments, use CLI/PowerShell or templates. Manual portal work is fine for small, ad-hoc tasks.

ARM Templates & Bicep: Infrastructure as Code

• ARM Templates: JSON files describing resources and configurations. Use parameters, variables, and outputs for reusability. Deploy via CLI, PowerShell, or Portal.
• Bicep: A more readable, declarative language compiled to ARM. Great for large, maintainable deployments.

Deployment troubleshooting: If a template fails, review “Deployments” in the Portal for detailed error logs. Pro tip: if a deployment fails, it’s probably because you’ve hit quota limits, got a typo in your parameters, or tried to deploy things in the wrong order—happens to everyone!

Let’s not forget monitoring—Azure Monitor watches over your resources, Log Analytics lets you dig into logs, and Application Insights checks your actual app’s health.

• Azure Monitor: Central platform for collecting metrics, logs, and setting up alerts. Use Log Analytics for querying logs, Application Insights for app-level performance monitoring.
• Diagnostic Settings: Enable resource diagnostics to stream logs to Log Analytics, Event Hubs, or Storage.

Configure an alert for CPU spikes (Portal): Monitor > Alerts > New Alert Rule > Choose Resource > Condition: CPU Percentage > Set Threshold > Action Group (email, SMS, etc.).

Advisor, Cost Management, and Tagging

• Azure Advisor: Personalized recommendations for cost, security, high availability, and performance.
• Cost Management & Billing: Monitor usage, set budgets, analyze spending trends, and receive alerts. And don’t forget about tagging—add things like cost center or environment to all your resources so it’s a breeze to track costs or organize stuff later.

Tagging best practice: Apply tags at creation—e.g., Environment=Production, Owner=ProjectX, CostCenter=Finance. And if you want to enforce tagging and other good practices, Azure Policy’s got your back.

Test Yourself!

• Question: Where can you find cost-saving recommendations for your Azure resources?
  Answer: Azure Advisor
• Question: What tool lets you manage and automate resource deployments as code?
  Answer: ARM Templates (or Bicep)

5. Specialized Azure Solutions (Expanded)

• IoT Hub: Securely connect, manage, and ingest telemetry from millions of devices. You can even plug in Stream Analytics or Azure Storage to crunch numbers or stash all that data in real time.
• Azure Synapse Analytics: Unified analytics platform combining data warehousing, big data, and data integration. And if you’re wondering about size, Synapse can handle petabyte-sized data lakes—yep, petabytes!
• Cognitive Services: Pre-built AI APIs for vision, speech, language, and decision-making. You can add things like facial recognition or sentiment analysis to your app without ever cracking open a machine learning textbook.
• Azure DevOps: CI/CD pipelines, agile boards, repositories. It’s all about automating your builds, tests, and deployments so your team can ship better code, faster.
• Logic Apps: Automate workflows across services (e.g., send emails when new files arrive in Blob Storage).
• Azure Machine Learning: Build, train, and deploy custom ML models at scale.
• Azure Marketplace: Discover and deploy third-party software, services, and managed solutions directly to your environment.

Case Study: Migrating a legacy order tracking platform to Azure using IoT Hub for device ingestion, Cosmos DB for data storage, and Synapse for analytics improved delivery accuracy and customer satisfaction.

Test Yourself!

• Question: Which Azure service would you use to analyze petabytes of data across data lakes?
  Answer: Azure Synapse Analytics
• Question: How can you add facial recognition to your app without building your own ML model?
  Answer: Azure Cognitive Services

6. Security, Identity, and Compliance (Expanded)

• Microsoft Entra ID (formerly Azure Active Directory, AAD): Central identity platform for single sign-on (SSO), multi-factor authentication (MFA), conditional access, and integration with on-premises AD using Azure AD Connect.
• Managed Identities: Securely assign Azure resources an identity to access other resources without managing credentials.
• RBAC (Role-Based Access Control): Assign granular permissions at subscription, resource group, or resource level. Always prefer least-privilege assignments.
• Conditional Access: Enforce policies based on user, location, device state, risk—e.g., require MFA for external logins.
• Privileged Identity Management (PIM): Just-in-time privileged access, approval workflows, and auditing for sensitive admin roles.
• Microsoft Defender for Cloud (formerly Security Center): Unified security management and threat protection. Receive actionable recommendations and monitor compliance.
• Network Security Groups (NSGs): Firewall rules controlling traffic at subnet/VM level. Always restrict inbound traffic to only what’s necessary.
• Azure Key Vault: Store and manage secrets, keys, and certificates securely. Integrate with apps and automation for secure access.
• Azure Policy: Enforce organization-wide governance—e.g., restrict allowed VM sizes/regions, require encryption, or enforce tagging.
• Compliance: Azure maintains hundreds of certifications (GDPR, HIPAA, ISO 27001, etc.). Use the Trust Center for up-to-date status. Note: Compliance is a shared responsibility—using certified platforms doesn’t make your workloads compliant by default.

Shared Responsibility Matrix

Business Continuity and Disaster Recovery

• Azure Site Recovery: Replicate and failover VMs/workloads across regions for disaster recovery.
• Azure Backup: Protect on-premises and Azure data with automated, geo-redundant backups.

Practical Troubleshooting Scenario

Issue: User can’t access a VM.
Possible causes: RBAC assignment missing, NSG blocking RDP/SSH, or missing network route.
Resolution: Verify user role assignment at subscription/resource group, check NSG rules, and confirm VM’s public IP and route.

Test Yourself!

• Question: Who configures firewall rules and user permissions in Azure?
  Answer: The customer (you), as part of the shared responsibility model.
• Question: What features help prevent unauthorized account access?
  Answer: Multi-factor authentication (MFA), Conditional Access, and Privileged Identity Management.

7. Business Applications, Real-World Scenarios, and Governance (Condensed)

• IT Modernization: Migrate VMs to Azure, then re-platform as App Service for agility.
• Business Continuity: Use geo-redundant storage, cross-region load balancing, Site Recovery, and Azure Backup for always-on operations.
• Application Hosting and Analytics: Host scalable web apps with App Service/Containers; analyze big data with Synapse and Cosmos DB.
• Identity Management: Centralize user access with Entra ID, enable SSO and MFA for security.
• IoT and Automation: Harness IoT Hub for connected devices and Logic Apps for workflow automation.
• DevOps and Integration: Automate build/deploy with Azure DevOps; deploy third-party apps via Azure Marketplace.

Decision trade-offs: VMs give ultimate control, but require patching; App Service is easier to scale and manage, but less flexible for custom configs. Cloud delivers agility, but requires new governance skills—use Azure Policy and Blueprints for standardized deployments.

8. Summary, Exam Preparation, and Quick Reference (Condensed)

Core Takeaways

• Azure covers IaaS, PaaS, SaaS, and multiple deployment models.
• Regions, zones, subscriptions, and resource groups are foundational for security and cost control.
• Core resources: Compute (VMs, App Service, AKS/ACI, Functions), Networking (VNet, Load Balancer, App Gateway, VPN, ExpressRoute, DNS), Storage (Blobs, Files, Disks), Databases (SQL, Cosmos DB, MySQL/PostgreSQL).
• Management and automation: Portal, CLI, PowerShell, ARM/Bicep, Advisor, Monitor, Cost Management, and tagging.
• Security/compliance: Entra ID (AAD), RBAC, NSGs, Defender for Cloud, Policy, Key Vault, and compliance frameworks.
• Specialized services: IoT, Synapse, Cognitive Services, DevOps, Logic Apps, Azure Marketplace.

Exam Tips & Pitfalls

• Reread questions carefully—watch for “best choice” or “choose all that apply.”
• Practice hands-on in the free Azure Sandbox or trial subscription.
• Memorize the shared responsibility model and core service categories with quick charts.
• Review Advisor and Cost Management dashboards for optimization clues.
• Use flashcards for acronyms and service names.
• If uncertain, rule out obviously incorrect options and make an educated guess.

Quick Reference Table: Core Services for AZ-900

Practical Exam Prep Steps

• Set up a free trial or use Microsoft Learn Sandbox for hands-on labs.
• Create and tag a resource group, deploy a VM, configure storage and networking.
• Write (or review) an ARM template for multi-resource deployment—test error handling.
• Assign RBAC roles and test access with different user accounts.
• Configure NSGs and test connectivity using built-in diagnostics.
• Set up Azure Monitor alerts and Cost Management budgets.
• Simulate failover with Azure SQL geo-replication or Site Recovery.
• Enable MFA and Conditional Access in Entra ID and test login scenarios.

Don’t just memorize—experiment and break things (safely)! Mistakes and troubleshooting are the best teachers in the cloud.

The cloud can seem daunting, but every expert started at the beginning. Learn the basics, get hands-on, leverage community resources, and you’ll master the fundamentals. You’re ready for AZ-900 and beyond—good luck, and may your Azure journey be smooth and rewarding!

— Dr. Jen Li