Core Azure Services Demystified: A Practical Guide for AZ-900 Success

1. Introduction to Microsoft Azure & Cloud Fundamentals

Have you ever looked at one of those fancy cloud diagrams and caught yourself thinking, “Okay, but… where’s the real, physical server hiding?” I promise, you’re in good company if you have. Honestly, almost everyone new to cloud has the same question cross their mind at least once. When I bring Azure to on-prem teams (which, let’s face it, happens a lot these days), there’s always someone who pipes up with, “Wait a minute, isn’t all this just someone else’s computer?” And sure, that’s technically not wrong—but wow, there’s so much more to it than that. Azure is really Microsoft’s giant, globe-spanning platform that dishes up everything you could want—virtual machines, AI, databases, networking, analytics, you name it. Here’s the really cool part: you basically get to fire up whatever you need, exactly when you need it, from anywhere, and you’re only on the hook for what you actually use. No more paying for stuff that sits idle!

Switching over to the cloud isn’t just some passing buzzword—it totally flips how we do IT on its head, in a good way. All of a sudden, you can ramp things up or down in a snap, connect with folks all over the world, and not lose sleep over dropping a pile of cash up front. You can actually put your energy into innovating (instead of babysitting hardware in some basement). You know all those time-consuming chores—patching servers, installing updates, staying on top of security patches? The things nobody loves doing? Here’s some good news: on Azure’s managed (PaaS and SaaS) services, Azure handles that for you, so you can stop stressing about those never-ending maintenance tasks. (On plain VMs, patching the OS is still your job, as the service-model breakdown below shows.) Whether you’re a massive business or you’re just dipping your toes into IT, the way Azure lets you adapt and stay up no matter what—that’s a total game-changer.

Let’s roll up our sleeves and talk through a handful of cloud fundamentals you’ll absolutely want to keep handy for the AZ-900—think of these as your must-have tools for both the exam and real life. No joke—get comfortable with these ideas, because you’re going to see them all over the place, whether you’re working in Azure or sitting for the exam.

  • IaaS, PaaS, SaaS: Three essential service models:
      • Infrastructure as a Service (IaaS): You manage the OS, middleware, and runtime; Azure manages the hardware, virtualization, and networking.
      • Platform as a Service (PaaS): Azure manages OS, runtime, and platform; you manage only applications and data.
      • Software as a Service (SaaS): Everything is managed by the provider; you just use the app.
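
| Responsibility | IaaS | PaaS | SaaS |
| --- | --- | --- | --- |
| Networking, Storage, Servers | Azure | Azure | Azure |
| Virtualization | Azure | Azure | Azure |
| OS | You | Azure | Azure |
| Middleware, Runtime | You | Azure | Azure |
| Data, Application | You | You | Azure |
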
  • Public, private, and hybrid cloud: Okay, let’s pop the hood for a sec. When folks toss around these terms, the real questions are who’s looking after the infrastructure behind the scenes and where your data is actually living:
      • Public Cloud: Shared infrastructure (e.g., Azure, AWS, GCP).
      • Private Cloud: Dedicated resources, often on-premises.
      • Hybrid Cloud: Integration of public and private clouds, for example using Azure VPN Gateway or ExpressRoute to securely connect your datacenter to Azure for seamless operations.
  • Regions and Availability Zones: Regions are global hubs (e.g., East US, West Europe). Within many regions, multiple Availability Zones (physically separate datacenters) offer resilience and high availability. But heads up: not every region has Availability Zones yet. If you’re running something you absolutely can’t afford to have go down, like payments or customer logins, this is where zones and regions really matter. Some Azure regions are like big cities, with tons of amenities, extra backup options, and all the newest features; others are more like small towns, still solid but without as many frills or redundancies built in yet. Before you hit Deploy, take a second to check Microsoft’s docs and make sure your chosen region actually has the features and redundancy you want. That one extra minute could save you from an ‘uh-oh’ moment down the road!

Exam Tip: Understand which party (you or Microsoft) manages each layer in IaaS/PaaS/SaaS. Oh, and don’t be surprised if you get scenario questions that make you think through real-world situations.

When you hear “moving to Azure,” think global, flexible resources—scaling, secure, and ready for your needs. The rest of this guide breaks down Azure’s core services and how you can use them, both for certification and real-world projects.

2. Core Azure Architectural Components

Deploying to Azure requires understanding its organizational hierarchy—a bit like structuring your own digital workspace. Each component has a role:

  • Management Groups: Top-level containers for organizing multiple subscriptions, applying governance and policy at scale.
  • Subscriptions: Billing boundaries and quotas. In big organizations, folks tend to carve Azure up into multiple subscriptions: Finance wants to keep a tight leash on its spending, Legal likes its own set of rules, or it’s simply best if different teams don’t end up stepping on each other’s toes. Splitting things up like this also helps make sure nobody accidentally spends a fortune. In my experience, this is the kind of thing that saves your sanity later, especially as your cloud usage grows. Every team, department, or project gets its own fenced-in playground, so it’s much easier to keep track of spending and make sure nobody’s eating up another team’s resources.
  • Resource Groups: Logical containers for resources (VMs, storage, etc.). Here’s a pro tip I wish someone had told me earlier: if there’s even a tiny chance you’ll want to delete a whole project, or move the whole thing in one go, group all those resources together right from the start. It’s a lifesaver when you’re doing some spring cleaning, or when you want to experiment with a change without accidentally nuking something mission-critical. For example, group all the resources for a particular app together, or separate out Dev, Test, and Prod for sanity’s sake.
  • Resources: Individual services (VMs, databases, VNets, etc.). And here’s a rule: every single resource you create has to be in a resource group. No exceptions.

Practical Example: An enterprise might have Management Groups for each business unit, Subscriptions for each environment, Resource Groups for each application, and Resources (VMs, DBs, VNets) inside those groups.

Dependencies & Relationships: Many Azure resources are interdependent. Let’s say you want to fire up a shiny new VM. Azure will want to know where to put it (that’s your Resource Group), what network it should connect to (think VNet), and where you’re planning to store its virtual hard drive (so, which Storage Account). You’ll see these prompts all the time. Bottom line: everything in Azure is connected in some way. One decision leads to another. Same story with App Services—they need to be tied to an App Service Plan before you’re off to the races.

Resource Locks: Use Read-only or Delete locks on critical resources/groups to prevent accidental modification or deletion.

Exam Tip: Resource Groups are mandatory; resources can be moved (with limits). Subscriptions act as your bouncers for costs and quotas. Seriously, splitting things up by subscription is your best friend for making sure you don’t get a nasty surprise on your Azure bill. Each group only spends what it’s allowed—and you won’t ever get that ‘who maxed out the corporate credit card?!’ moment.

Troubleshooting: If you can’t deploy a resource, check subscription quotas, region availability, and access permissions.

3. Azure Compute Services

When it comes to actually running your apps or workloads, Azure’s got a whole buffet of compute options, each tailored for a different job.

  • Azure Virtual Machines (VMs): Fully customizable servers (Windows/Linux). What’s great is, with a VM, you’re calling the shots—pick your operating system, handle patching, install whatever apps you want. You get full control. Honestly, VMs are life-savers if you need to move some legacy app to the cloud or you’re running something quirky that the standard platforms just can’t support.
  • Virtual Machine Scale Sets (VMSS): Automatically scale VMs up/down based on demand. Scale Sets are perfect if you’re running something like web servers where you just want to toss more VMs at the problem during busy times, or if you’re chewing through massive data jobs in batches.
  • Azure App Service: Managed PaaS for web apps/APIs. What I love about App Service? You can ignore the operating system side of things: no more patching, no more OS headaches. You hit a few buttons, deploy your app, and you’re good to go. It takes care of scaling for you, lets you add your own custom domain and SSL for security, and lets you tweak settings however you like. Once it’s set up, it needs so little babysitting that after a while you might forget you’re even running it.
  • Azure Functions: Serverless compute—run code in response to events. Pay only for execution time.
  • Azure Container Instances (ACI): Run containers without managing servers; great for burst workloads or testing.
  • Azure Kubernetes Service (AKS): Managed Kubernetes for orchestrating containers at scale. Use for microservices architectures.
  • Azure Batch: Run large-scale parallel and high-performance computing (HPC) workloads.

| Service | Best For | Management Level |
| --- | --- | --- |
| VMs | Custom OS, legacy apps | User-managed |
| VMSS | Auto-scaling VMs | User-managed |
| App Service | Web apps, APIs | Microsoft-managed |
| Functions | Event-driven, serverless | Fully managed |
| ACI | Short-lived containers | Fully managed |
| AKS | Microservices, multi-container | Microsoft-managed |
| Batch | HPC, rendering, batch tasks | User-managed |

Scaling/Optimization: Use auto-shutdown for test/dev VMs. And by the way, you can easily set up autoscale for your App Service or Scale Sets—just tell Azure what to watch for (like CPU or memory usage), and it’ll add or remove instances as needed, automatically. Automation Accounts provide capabilities for scheduled tasks and automation.

Security: Enable Just-In-Time (JIT) VM access via Microsoft Defender for Cloud (Standard tier)—limits exposure of management ports. Use Managed Identities for secure service-to-service authentication.

Troubleshooting:

  • VM won’t deploy? Check quota, region availability, or required dependent resources (VNet, storage).
  • Cannot RDP/SSH? Check NSG rules, VM firewall, and whether the public IP is assigned.

Ever wondered what it’s like to actually spin something up using the CLI? Here’s how I usually show folks the basics, step by step. Give this a shot yourself, or just watch how it unfolds:

# Create a new resource group in the East US region.
az group create --name myRG --location eastus
# Spin up a new Ubuntu VM and generate SSH keys.
# Current Azure CLI releases use the Ubuntu2204 image alias; the older UbuntuLTS alias has been retired.
az vm create --resource-group myRG --name demoVM --image Ubuntu2204 --admin-username azureuser --generate-ssh-keys

For containers, deploy with:

az container create --resource-group myRG --name mycontainer --image mcr.microsoft.com/azuredocs/aci-helloworld --dns-name-label myacilab --ports 80 # Launches a container instance with a public DNS name and port 80 open.

Exam Tip: Know when to use VMs, App Service, AKS, or Functions. Oh, and don’t be surprised if you get scenario questions that make you think through real-world situations.

4. Azure Networking Services

Honestly, if your networking isn’t solid, your cloud setup just isn’t going anywhere. Networking is basically the glue holding all your Azure pieces together. If you haven’t set up your Azure networking properly, all your stuff is basically stranded—like laptops stuck on their own desert islands, unable to send messages or work together. Not a good look!

  • Virtual Network (VNet): Your private network in Azure; you pick the IP range and subnets.
  • Subnets: Segment your VNet for isolation (e.g., web, app, DB tiers).
  • Network Security Groups (NSGs): Firewall rules at subnet or NIC level. With NSGs, you lay down the law—setting up exactly what traffic is allowed in or out. Super helpful for those ‘lock it down tight’ scenarios.
  • VNet Peering: Seamless, private connectivity between VNets (in the same or different regions).
  • Service Endpoints/Private Endpoints: Securely connect to Azure services over private IPs—remove need for public internet exposure.
  • VPN Gateway & ExpressRoute: Connect on-premises networks (via IPsec VPN or dedicated circuit) to Azure for hybrid scenarios.
  • Azure Firewall & Application Gateway (WAF): Advanced security and load balancing. Honestly, I like to imagine WAF as your web app’s bouncer—if some sketchy traffic tries to sneak in, WAF checks their credentials and throws them out before they even get close to causing trouble.
  • DNS Zones: Host and manage DNS for your domains within Azure.

Scenario: For a hybrid cloud, set up a VPN Gateway or ExpressRoute for secure connection to Azure. Picture this: your company’s got stuff running in spots all over the map—maybe a few things in Europe, other apps in the US. With VNet peering, you’re basically setting up a private, direct line so everything can chat securely and fast, even if your resources are on opposite sides of the planet. The nice thing is, all your apps and servers can pass data between each other behind closed doors—no eavesdroppers, and nothing slips onto the public internet by accident.

Okay, that’s plenty of talk. Let’s grab these networking building blocks and snap them together with a quick CLI recipe, so you can see how the networking parts play off each other.

# Set up a VNet and a web subnet in one shot.
az network vnet create --resource-group myRG --name myVNet --address-prefix 10.0.0.0/16 --subnet-name web --subnet-prefix 10.0.1.0/24
# Create a direct, private connection between two VNets so resources can chat without ever touching the public internet.
# Peering is one-directional: create the matching peering from myVNet2 back to myVNet as well before traffic flows.
az network vnet peering create --name PeerVnet --resource-group myRG --vnet-name myVNet --remote-vnet /subscriptions/xxxx/resourceGroups/myRG2/providers/Microsoft.Network/virtualNetworks/myVNet2 --allow-vnet-access

NSG Example:

# Add an NSG rule to let web traffic through.
# The '*' values are quoted so the shell passes them to az literally instead of expanding them to file names.
az network nsg rule create --resource-group myRG --nsg-name myNSG --name AllowWeb --protocol Tcp --direction Inbound --priority 100 --source-address-prefixes '*' --source-port-ranges '*' --destination-address-prefixes '*' --destination-port-ranges 80 --access Allow

Troubleshooting:

  • VM not accessible? Check NSGs, routing, or if a public IP is attached. Use Network Watcher for diagnostics.
  • Latency between VNets? If you really care about speed between VNets, VNet peering is usually faster and more reliable than VPN.

Security: Use NSGs to restrict inbound/outbound traffic. Private Endpoints prevent data exfiltration risks.
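To check rules like AllowWeb the way Azure evaluates them (lowest priority number first, first match wins), here is an added Python example that is not part of the original guide. It assumes the rules were exported with az network nsg rule list -o json; the sample rules, the probe address 198.51.100.7, and all function names are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample, shaped like `az network nsg rule list -o json` output.
# The field names are assumed to follow that output; the rules are made up.
SAMPLE_RULES = json.loads("""
[
  {"name": "AllowSshAny", "priority": 300, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
  {"name": "AllowWeb", "priority": 100, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "80"},
  {"name": "DenyRdpAny", "priority": 200, "direction": "Inbound", "access": "Deny",
   "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRanges": ["3389"]},
  {"name": "AllowRdpCorp", "priority": 150, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
   "destinationPortRange": "3389"}
]
""")


def _values(rule, single, plural):
    """Collect a field that az reports either as one value or as a list."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals


def port_matches(spec, port):
    """spec is '*', a single port ('80') or a range ('3000-4000')."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def source_matches(prefix, src_ip):
    # '*' matches everything. 'Internet' is treated the same way, which is an
    # over-approximation that is acceptable for an exposure audit.
    if prefix in ("*", "Internet"):
        return True
    try:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False  # other service tags are not resolved in this example


def decide(rules, src_ip, port, protocol="Tcp"):
    """Return (access, rule_name) for an inbound flow: first match by priority."""
    inbound = [r for r in rules if r["direction"].lower() == "inbound"]
    for rule in sorted(inbound, key=lambda r: r["priority"]):
        proto_ok = rule["protocol"] == "*" or rule["protocol"].lower() == protocol.lower()
        src_ok = any(source_matches(p, src_ip)
                     for p in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes"))
        port_ok = any(port_matches(p, port)
                      for p in _values(rule, "destinationPortRange", "destinationPortRanges"))
        if proto_ok and src_ok and port_ok:
            return rule["access"], rule["name"]
    # Simplification: the built-in default rules are modelled only as the
    # final deny, which is what applies to traffic arriving from the Internet.
    return "Deny", "DenyAllInBound"


def exposed_management_ports(rules, ports=(22, 3389), probe_ip="198.51.100.7"):
    """List (port, rule_name) for management ports an arbitrary outside address can reach."""
    findings = []
    for port in ports:
        access, name = decide(rules, probe_ip, port)
        if access == "Allow":
            findings.append((port, name))
    return findings


if __name__ == "__main__":
    for port, name in exposed_management_ports(SAMPLE_RULES):
        print(f"port {port} is reachable from any source via rule {name}")
```

In the sample, RDP stays closed to the outside because DenyRdpAny (200) is evaluated before any broader allow, while the corporate range still gets in through AllowRdpCorp (150); SSH is flagged because its only matching rule allows any source.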

Exam Tip: Understand difference between NSG, Application Gateway, Azure Firewall, and how peering/service endpoints work.

5. Azure Storage Services

Let’s be real: everything you do in Azure pretty much relies on storage. Doesn’t matter if it’s a backup, a simple doc, or a monster data lake powering analytics—storage is the unsung hero under it all.

  • Blob Storage: Object storage for unstructured data. Supports Hot, Cool, and Archive access tiers for cost optimization.
  • File Storage: Managed SMB/NFS shares. Standard shares support up to 100 TiB (with large file shares enabled); premium shares also support 100 TiB with higher performance.
  • Queue Storage: Messaging between app components.
  • Table Storage: NoSQL key-value store for fast lookups.
  • Disk Storage: Managed persistent disks for VMs (Standard/Premium, HDD/SSD).

Redundancy Options:

  • LRS (Locally Redundant Storage): 3 copies in one datacenter.
  • ZRS (Zone-Redundant Storage): 3 copies across availability zones in a region.
  • GRS (Geo-Redundant Storage): 3 copies locally, 3 in paired region.
  • GZRS: Combines ZRS and GRS for both local and geo redundancy.

Lifecycle Management: Automate tiering of blobs from Hot to Cool/Archive or set rules for auto-deletion to reduce costs.

Security: Encryption at rest is ON by default. Use Azure Key Vault for customer-managed keys if required. Secure access with Shared Access Signatures (SAS) or Azure AD.

Practical Example: Enable lifecycle management in the portal (“Lifecycle Management” blade) and create a rule to move blobs to Archive after 60 days.

Mount Azure Files:

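  • Windows: net use Z: \\storageacct.file.core.windows.net\share /user:Azure\storageacct storagekey
  • Linux: mount -t cifs //storageacct.file.core.windows.net/share /mnt/azure -o vers=3.0,username=storageacct,password=storagekey,dir_mode=0777,file_mode=0777,serverino

Here storageacct, share, and storagekey are placeholders for your storage account name, file share name, and storage account key. The account key grants full access to the storage account, so keep it out of shell history and scripts; on Linux, mount.cifs can read it from a root-only file via the credentials= option instead of password=.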

Troubleshooting:

  • “Account name already exists” error? Storage account names are globally unique.
  • SMB mount fails? Check firewall, networking, and if “secure transfer required” is enabled.

Exam Tip: Know differences between Blob, File, Disk, and redundancy options. And make sure you really understand lifecycle management tricks and how access works for each storage type.

Some limits do change, so always check Microsoft’s docs for the latest on how big you can grow each type of storage.

6. Azure Database Services

If you need a database, Azure’s got your back on both sides—classic SQL and NoSQL—fully managed, no matter your preference.

  • Azure SQL Database: PaaS SQL in single, elastic pool, or managed instance forms. vCore-based pricing is now standard; DTU tiers are legacy but still supported.
  • Azure Cosmos DB: Globally distributed NoSQL supporting document, key-value, graph, and column-family models. Cool thing about Cosmos? You get to pick how consistent your data is, replicate it to pretty much anywhere, and it auto-partitions your workloads to keep things snappy. You barely have to lift a finger.
  • Azure Database for MySQL/PostgreSQL: Managed open-source DBs with built-in HA, scaling, and patching.

Backup & Restore: Azure SQL and managed DBs offer automated backups (up to 35 days retention by default). Want to undo a mistake and go back to a specific moment? Yep, you can just use the portal to quickly restore your database to an exact point—it’s ridiculously easy. Cosmos DB is even fancier: it keeps copies of your data all over the world and can flip over to another region in a heartbeat if there’s a problem.

Security: Always use encrypted connections (SSL/TLS). Oh, and definitely lock down your SQL firewalls. Only let the good guys in—trusted IPs, nothing else. Use Private Endpoints to restrict DB access to private networks.

Migrations: Azure Database Migration Service provides capabilities to move on-prem SQL or NoSQL DBs to Azure.

Troubleshooting:

  • Cannot connect? Check DB firewall, VNet rules, and client IP restrictions.
  • Performance issues? Use Query Performance Insight for Azure SQL or Metrics blade for Cosmos DB.

Exam Tip: Understand when to choose single DB, elastic pool, or managed instance—and Cosmos DB consistency levels (strong, bounded staleness, eventual, etc.).

When it comes to pricing, don’t wing it—use Microsoft’s Azure Pricing Calculator to see what fits your budget and region.

7. Azure Identity & Access Management

As of June 2024, Azure Active Directory is now Microsoft Entra ID. Seriously, you’ll see Entra ID and Azure AD used interchangeably in docs and on the portal—don’t let it throw you.

  • Microsoft Entra ID: Centralized cloud identity for users, devices, and apps. It handles single sign-on, OAuth, SAML, and even business-to-business and business-to-consumer setups.
  • Role-Based Access Control (RBAC): Assign granular permissions (Owner, Contributor, Reader, custom roles) at resource, group, or subscription levels.
  • Conditional Access: Enforce MFA, block risky logins, require compliant devices.
  • Managed Identities: Securely assign Azure identities to VMs or services, enabling keyless authentication between Azure resources.
  • Hybrid Identity: Use Azure AD Connect to synchronize on-premises AD with Entra ID for seamless sign-in.

Enabling MFA & Conditional Access (Portal): Go to Entra ID > Security > Conditional Access > New Policy. Pro tip: Always set your policies so admin logins require MFA—makes life a lot harder for attackers.

Assigning RBAC (CLI):

az role assignment create --assignee user@domain.com --role Contributor --scope /subscriptions/xxxx/resourceGroups/myRG # This assigns the Contributor role for a user at a specific resource group scope.

Troubleshooting:

  • Stuck because a user can’t get to what they need? Check RBAC assignments at the resource, group, and subscription levels.
  • MFA not prompted? Double-check those Conditional Access policies and make sure the user actually registered for the right authentication methods.

Security Best Practice: Always grant least privilege, review assignments quarterly, and enable MFA for all privileged accounts.
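Checking RBAC "at the resource, group, and subscription levels" comes down to scope inheritance: an assignment applies to its scope and everything beneath it. The following Python sketch is an added example, not part of the original guide; it assumes assignments exported with az role assignment list --all -o json, and the principals, the demoVM resource ID, and the function names are constructed (xxxx is the page's own subscription placeholder).

```python
import json

# Constructed sample, shaped like `az role assignment list --all -o json`.
# Field names are assumed to follow that output; the assignments are made up.
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"principalName": "user@domain.com", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/xxxx/resourceGroups/myRG"},
  {"principalName": "user@domain.com", "roleDefinitionName": "Reader",
   "scope": "/subscriptions/xxxx"},
  {"principalName": "ops@domain.com", "roleDefinitionName": "Owner",
   "scope": "/subscriptions/xxxx"},
  {"principalName": "user@domain.com", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/xxxx/resourceGroups/myRG2"}
]
""")

# Hypothetical resource ID for the demoVM created earlier in the guide.
VM_ID = ("/subscriptions/xxxx/resourceGroups/myRG/providers/"
         "Microsoft.Compute/virtualMachines/demoVM")

# Built-in roles that can change or delete resources, or grant access to others.
PRIVILEGED = {"Owner", "Contributor", "User Access Administrator"}


def _norm(scope):
    # Azure resource IDs are case-insensitive; "/" (root) normalises to "".
    return scope.rstrip("/").lower()


def applies_to(scope, resource_id):
    """True if an assignment at `scope` is inherited by `resource_id`."""
    s, r = _norm(scope), _norm(resource_id)
    # The trailing "/" keeps .../myRG from matching resources in .../myRG2.
    # Management-group inheritance cannot be read from the ID string alone
    # and is not modelled here.
    return s == "" or r == s or r.startswith(s + "/")


def effective_roles(assignments, principal, resource_id):
    """Roles `principal` holds on `resource_id`, broadest scope first."""
    hits = [(a["roleDefinitionName"], a["scope"]) for a in assignments
            if a["principalName"].lower() == principal.lower()
            and applies_to(a["scope"], resource_id)]
    return sorted(hits, key=lambda h: len(_norm(h[1])))


def is_subscription_or_above(scope):
    parts = [p for p in _norm(scope).split("/") if p]
    return len(parts) <= 2 or parts[:2] == ["providers", "microsoft.management"]


def broad_privileged(assignments):
    """Least-privilege review: privileged roles granted at subscription scope or higher."""
    return [(a["principalName"], a["roleDefinitionName"], a["scope"])
            for a in assignments
            if a["roleDefinitionName"] in PRIVILEGED
            and is_subscription_or_above(a["scope"])]


if __name__ == "__main__":
    for role, scope in effective_roles(SAMPLE_ASSIGNMENTS, "user@domain.com", VM_ID):
        print(f"user@domain.com has {role} on demoVM via {scope}")
    for who, role, scope in broad_privileged(SAMPLE_ASSIGNMENTS):
        print(f"review: {who} holds {role} at {scope}")
```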

Exam Tip: Know the difference between RBAC, resource-level IAM, and directory-level roles.

8. Let’s chat about how you keep your Azure stuff running smoothly (and not lose your mind in the process):

Azure’s management stack is robust and extensible:

  • Azure Portal: Central UI for all Azure management.
  • Azure CLI & PowerShell: Command-line and scripting for automation.
  • ARM (Azure Resource Manager): Infrastructure-as-Code (IaC) platform—use ARM templates, Bicep (modern DSL), or Terraform for declarative deployments.
  • Azure Monitor: Centralized monitoring for metrics, logs, and alerts.
  • Log Analytics: Unified log collection and querying across resources.
  • Application Insights: Deep application-level monitoring and performance insights.
  • Azure Advisor: Recommendations for cost, reliability, security, and performance.
  • Azure Policy: Enforce organizational standards (e.g., allowed regions, tag enforcement). Azure Blueprints is being deprecated—use Policy initiatives and Landing Zones for new deployments.

Sample Alert (Portal): Go to Monitor > Alerts > New Alert Rule. Just pick your target (like a VM), tell Azure what to watch for (maybe CPU spikes over 80%), and set an action—could be an email, a webhook, or fire off some automation.

Cost Management:

  • Budgets: Set monthly or project-level thresholds; get alerts on overspend.
  • Cost Analysis: Visualize usage by service, region, or tag.
  • Tagging: Use tags (Environment, Owner, Project) for tracking/cost allocation.

Resource Locks: Prevent accidental deletion/modification of critical resources.

Troubleshooting: For deployment errors, check the "Deployments" blade for detailed logs. Use Log Analytics for deeper diagnostics.

Exam Tip: Know the difference between monitoring tools (Azure Monitor vs. App Insights) and when to use which.

9. Security, Compliance & Governance

Cloud security is a shared responsibility: Microsoft secures the cloud infrastructure; you secure your data, identities, and apps.

  • Microsoft Defender for Cloud: Unified security management, threat protection, and compliance dashboard (formerly Azure Security Center).
  • Azure Key Vault: Secure storage for secrets, certificates, and keys. Use managed HSM for regulatory compliance.
  • Encryption: At-rest and in-transit encryption is enabled by default. Use customer-managed keys for higher control.
  • Azure Policy: Enforce compliance (e.g., allowed regions, mandatory tags, encryption required). Assign initiatives for broad coverage.
  • Azure Sentinel: Cloud-native SIEM for advanced threat detection and incident response.
  • Secure Score & Security Baselines: Regularly assess and improve your security posture.

Compliance: Azure meets global/regional standards (ISO 27001, HIPAA, GDPR, FedRAMP, SOC 1/2/3, etc.). Microsoft's official documentation provides a comprehensive list of compliance certifications and details.

Data Residency & Sovereignty: Azure lets you choose data regions and provides region locking for compliance-sensitive workloads. Policies can restrict deployments to specific geographies.

Practical Example: Use Policy to enforce encryption at rest for all storage accounts, and Key Vault for central secret management.

Incident Response: Defender for Cloud alerts on threats and misconfigurations. Use Sentinel for advanced correlation and investigation.

Exam Tip: Understand the shared responsibility model; know which Azure services help meet compliance needs.

10. Azure Resource Tagging and Cost Management

Effective cloud governance starts with resource tagging and cost controls:

  • Tags: Key-value pairs assigned to resources (e.g., Environment=Prod, Owner=Finance). Useful for tracking, automation, and cost allocation.
  • Budgets: Set spending limits at subscription or resource group level; receive alerts when approaching thresholds.
  • Cost Analysis: Break down spending by tag, resource, or time period via the Cost Management blade.
  • Resource Locks: Prevent accidental deletion or changes to critical infrastructure.

Practical Example: Tag all resources in a project with “Project=AppX” and set a monthly budget. Use Cost Analysis to monitor spend.

Exam Tip: Know how tags, budgets, and resource locks support policy, compliance, and cost management.

11. Hybrid Cloud & Azure Arc

Azure enables seamless hybrid cloud integration:

  • VPN Gateway/ExpressRoute: Connect on-premises networks to Azure securely.
  • Azure AD Connect (Hybrid Identity): Synchronize on-prem AD with Entra ID.
  • Azure Arc: Manage on-premises servers, Kubernetes clusters, and databases as Azure resources. Supports policy, monitoring, and automation across environments.

Scenario: Use Azure Arc to manage security policy and updates across both on-prem Windows servers and Azure VMs from a single pane of glass.

Troubleshooting: Hybrid connectivity issues often relate to misconfigured VPNs or firewalls. Use Network Watcher and VPN diagnostics for troubleshooting.

12. Disaster Recovery & Business Continuity

Azure provides built-in resilience:

  • Azure Site Recovery (ASR): Replicate VMs across regions for failover. Supports both Azure and on-premises workloads.
  • Azure Backup: Centralized, encrypted, long-term backup for VMs, files, and databases. Configure backup policies and retention.
  • Cross-region replication: Use GRS/GZRS storage and geo-replicated databases for high availability.

Practical Example: Enable Azure Backup on a VM from the portal; set daily backup and 30-day retention. Test restore to a new VM.

Exam Tip: Know which services support geo-replication, backup, and failover—and when to use them.

13. Automation & DevOps on Azure

Modern cloud operations leverage automation:

  • ARM/Bicep/Terraform: Define infrastructure as code for repeatable, version-controlled deployments.
  • Azure DevOps & GitHub Actions: Automate build, test, and deployment pipelines for applications and infrastructure.
  • Automation Accounts: Run PowerShell or Python scripts on schedule or in response to events.

Lab Example: Deploy an Azure Web App via GitHub Actions:

  1. Create an App Service in Azure.
  2. Push your code to GitHub and configure the built-in Azure Web App workflow.
  3. On push, code is automatically built and deployed to Azure.

Exam Tip: Understand differences between ARM, Bicep, and Terraform; know DevOps integration points.

14. Business Scenarios & Industry Applications

Azure supports every vertical—retail, healthcare, finance, education, manufacturing, and beyond—by matching services to specific requirements.

  • Retail: Scale e-commerce sites with App Service, SQL Database, and CDN for global performance.
  • Healthcare: Ensure HIPAA compliance with encrypted storage (Blob), Key Vault, and Policy enforcement.
  • Finance: Use multi-region SQL/Cosmos DB, Azure Firewall, and Site Recovery for high-availability trading platforms.
  • Education: Remote learning with App Service and Azure Files for content distribution.
  • Manufacturing: Real-time IoT data ingestion into Cosmos DB, Stream Analytics, and Power BI for analytics.

Practical Scenario: For a highly available web app: App Service (front end), Azure SQL (back end), Blob Storage (media), WAF and NSGs for security, and GRS for backup.

15. Pricing, SLAs, and Support

Azure pricing is transparent and flexible—always use the Azure Pricing Calculator provided by Microsoft for accurate estimates.

  • Pay-as-you-go: Pay only for what you use.
  • Reserved Instances: Commit to 1/3 years for discounts (up to 72%).
  • Spot VMs: Deep discounts for interruptible workloads.
  • Free Tier: Many services offer trial or limited free usage—Microsoft provides up-to-date details on free offerings.

| Service | Monthly Cost* | SLA |
| --- | --- | --- |
| VM (B1s) | $7-10 | 99.9% |
| App Service (Basic) | $13-15 | 99.95% |
| Blob Storage (100GB) | $2-4 | 99.9% (LRS), 99.99% (GRS) |
| SQL Database (Basic/vCore) | $5-7 | 99.99% |

*As of June 2024; always check the calculator for your region and currency.

SLAs: Guarantee minimum uptime. For example, Azure SQL Database offers 99.99% (less than 1 hour downtime/year).

Optimization: Shut down unused resources, use reserved instances, set budgets and alerts, and review Advisor recommendations.

Support: Multiple plans from free to Premier 24x7. Free support covers billing and documentation.

Exam Tip: Know how pricing is calculated (compute by hours, storage by GB/month, etc.) and which services have which SLAs.

16. Hands-on Labs and Demos

The best way to learn Azure is by doing. Here are concise labs you can try—most are free or low cost.

Lab 1: Deploy a Linux VM (CLI)

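# Sign in and create a resource group for the lab.
az login
az group create --name LabRG --location eastus
# Create the VM (current Azure CLI releases use the Ubuntu2204 image alias; the older UbuntuLTS alias has been retired).
az vm create --resource-group LabRG --name labVM --image Ubuntu2204 --admin-username azureuser --generate-ssh-keys
# Allow inbound TCP 22 through the VM's network security group.
az vm open-port --port 22 --resource-group LabRG --name labVM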

Troubleshooting: If SSH fails, check NSG rules and public IP assignment.

Lab 2: Secure Storage with Private Endpoint

  • Create a Storage Account (portal or CLI).
  • Go to Networking > Add Private Endpoint; select your VNet and subnet.
  • Test access from a VM in the VNet—public access is blocked; only private network traffic is allowed.

Lab 3: Create a Budget and Tag Resources

  • In Cost Management + Billing, create a new Budget for your subscription.
  • Tag all deployed resources with Project=LabTest.
  • Verify cost breakdown by tag in Cost Analysis.

Lab 4: Setup Monitoring and Alerts

  • Go to Monitor > Alerts > New Alert Rule; set CPU > 80% on a VM.
  • Configure Log Analytics workspace; connect VM diagnostics for performance and security monitoring.

Cleanup: Always delete test resource groups to avoid unexpected charges:

az group delete --name LabRG

17. Troubleshooting and Diagnostics

  • Compute: VM won’t start—check quotas, region availability, required dependencies (VNet, storage).
  • Networking: Connectivity issues—verify NSG rules, routing tables, VNet peering, private endpoint configuration.
  • Storage: Access errors—check permissions, SAS tokens, firewall, and network restrictions.
  • Database: Connection failures—check firewall, VNet rules, and authentication method.
  • Identity: Login failures—review Conditional Access policies, user status, MFA registration.

Diagnostic Tools: Use Network Watcher, Log Analytics, and Azure Portal activity logs.

18. AZ-900 Exam Preparation Guide (June 2024)

The AZ-900 Microsoft Azure Fundamentals exam covers basic cloud concepts, core Azure services, security, compliance, pricing, and support. Here’s how to prepare effectively:

  • Microsoft's official AZ-900 skills outline provides all domains and objectives for the exam.
  • Deploy at least one VM, storage account, database, and network via portal and CLI; practice tagging and RBAC assignment.
  • Quiz yourself with scenario-based questions (see below).
  • Understand service model differences (IaaS/PaaS/SaaS), deployment models, redundancy, and compliance tools.
  • Review Microsoft’s shared responsibility model and core security/compliance features.
  • Microsoft Learn’s Azure Fundamentals learning path offers free labs and exercises for hands-on practice.
  • Practice cost estimation using the Azure Pricing Calculator.
  • Do not over-focus on memorization—understand scenarios and “why” to use each service.

Exam Domain Mapping

| Article Section | AZ-900 Domain |
| --- | --- |
| Cloud Fundamentals, Service Models | Describe Cloud Concepts |
| Core Azure Architecture, Compute, Networking, Storage, Databases | Describe Core Azure Services |
| Identity, Security, Compliance | Describe Security, Compliance, Identity |
| Pricing, Cost Management, SLAs | Describe Azure Pricing, SLA, Lifecycle |

Common Pitfalls and How to Avoid Them

  • Mixing up service models (e.g., thinking App Service is IaaS).
  • Granting Owner role instead of least privilege.
  • Deploying resources in the wrong region for compliance.
  • Forgetting to delete test resources—incurring charges.
  • Not understanding redundancy options and their costs.
  • Confusing NSG (network firewall) with Application Gateway (Layer 7 load balancer).
  • Not setting up MFA or Conditional Access for admins.
  • Assuming all features are available in all regions—always check region support.
  • Misunderstanding the shared responsibility model (who secures what).
  • Not applying tags—causing chaos in cost management and reporting.

Practice Questions

  1. You need a fully managed database that can scale globally with low-latency multi-region writes. Which service do you choose?
    Answer: Azure Cosmos DB (PaaS, NoSQL, global distribution).
  2. How do you ensure a storage account is only accessible from your corporate network?
    Answer: Use Private Endpoint or set storage firewall to allow only your corporate public IP ranges.
  3. Which service provides threat monitoring and security recommendations across all Azure resources?
    Answer: Microsoft Defender for Cloud.
  4. What’s the best way to grant an app permission to access a storage account without storing credentials?
    Answer: Use a Managed Identity assigned to the app and RBAC on the storage account.
  5. Which Azure feature helps prevent accidental deletion of a production resource group?
    Answer: Apply a Delete Lock to the resource group.
  6. For high availability, what’s the key difference between deploying VMs in an Availability Set vs. Availability Zones?
    Answer: Availability Sets protect against hardware failure in a single datacenter. Availability Zones protect against datacenter failures within a region.
  7. How can you enforce that all resources are tagged with “Environment”?
    Answer: Use Azure Policy to require the “Environment” tag on all resources.
  8. Your web app needs to scale automatically based on traffic. What should you use?
    Answer: App Service with autoscale rules or Virtual Machine Scale Set (VMSS).
  9. What tool gives you recommendations to reduce Azure spend and improve reliability?
    Answer: Azure Advisor.
  10. How do you migrate an on-prem SQL Server to Azure with minimal downtime?
    Answer: Use Azure Database Migration Service.

Cheat Sheets: Quick Comparisons

| Aspect | IaaS | PaaS | SaaS |
| --- | --- | --- | --- |
| OS Management | User | Azure | Azure |
| Scaling | Manual, scripts | Built-in | Automatic |
| Best For | Legacy/custom apps | Web/mobile, APIs | Email, CRM, Office 365 |

| Storage Option | Best For | Access |
| --- | --- | --- |
| Blob | Documents, media, backups | REST API, HTTPS |
| File | Lift-and-shift, file shares | SMB, NFS |
| Disk | VM OS/data disks | Attached to VMs |

| AZ-900 Domain | Key Services | Sample Question |
| --- | --- | --- |
| Core Azure Services | VM, App Service, Storage, SQL, Cosmos | Which service for global scale? |
| Security | Defender for Cloud, Key Vault, Policy | How to enforce MFA? |
| Pricing/Support | Cost Management, Budgets, SLAs | How to prevent overspend? |

CLI/Portal/ARM/Bicep Syntax Quick Reference:

| Resource | Portal | CLI | ARM/Bicep |
| --- | --- | --- | --- |
| VM | Create Resource > VM | az vm create ... | { "type": "Microsoft.Compute/virtualMachines", "apiVersion": "2023-09-01", ... } |
| Storage | Create Resource > Storage Account | az storage account create ... | { "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-05-01", ... } |

Performance & Security Quick Tips

  • Always deploy in multiple AZs for HA if supported.
  • Use Private Endpoints and NSGs for secure networking.
  • Enable Defender for Cloud and review Secure Score regularly.
  • Set up autoscaling for web and compute workloads.
  • Tag, lock, and monitor all resources; automate remediation where possible.

19. Summary and Next Steps

Azure is a vast, ever-evolving platform, but mastery begins with core concepts:

  • Understand fundamental cloud concepts (IaaS/PaaS/SaaS, regions, redundancy).
  • Know the architecture (management groups, subscriptions, resource groups).
  • Deploy and secure core services (VMs, networking, storage, databases).
  • Implement identity, security, compliance, and cost controls.
  • Explore hybrid, automation, and business continuity features.

Keep Practicing: Use the Azure portal, CLI, and templates. Build, break, and fix. Leverage the free tier and hands-on labs. Bookmark official documentation and Azure updates for the latest features and best practices.

Final Exam Prep: Review scenario-based questions, cheat sheets, and domain mappings above. Focus on understanding, not just memorization.

Next Steps: Advance to more specialized certifications (AZ-104, AZ-204, AZ-305) or real-world projects. Stay curious and keep experimenting—the cloud rewards lifelong learners.

Happy Azure-ing, and best of luck on your AZ-900 journey! Master these fundamentals and you’ll be ready for both the exam and real-world success.