Microsoft Azure Fundamentals AZ-900: Core Azure Services Explained

1. Why Core Azure Services Matter for AZ-900

The core Azure services section is where AZ-900 shifts from general cloud theory into practical service recognition. Most exam questions are really asking a simple question in disguise: which Azure service best fits this requirement? If you can quickly map phrases like full OS control, managed web hosting, event-driven code, globally distributed NoSQL, shared file access, or private dedicated connectivity to the right service, you are in good shape.

Start with service models. IaaS gives you the most control, such as Azure Virtual Machines. PaaS reduces infrastructure management, such as Azure App Service or Azure SQL Database. Serverless means Azure abstracts server management and often scales automatically, such as Azure Functions. For AZ-900, remember that serverless does not mean “no servers exist”; it means you do not manage them.

A useful way to think about Azure is control versus convenience. In general, the more control you want, the more of the day-to-day work you're going to keep on your own plate. And the more managed a service gets, the less time you’ll spend patching, scaling, and fussing over the plumbing underneath it.

  • AZ-900 focuses more on recognition than configuration.
  • For most questions, the first thing I’d do is figure out the broad category: compute, networking, storage, database, or management.
  • Once you’ve got that category nailed down, it’s usually just a matter of matching the need to the right service model, whether that’s IaaS, PaaS, serverless, or SaaS.

2. Azure Architecture Basics You Need First

Before choosing services, you need a mental map of Azure structure. Azure resources are created inside a hierarchy: Management Group → Subscription → Resource Group → Resource. Management groups help govern multiple subscriptions. A subscription is a billing and administrative boundary. A resource group is a logical container for resources that share a lifecycle, but it is not a folder hierarchy, not a network boundary, and not a security boundary. Also, resources in the same resource group can exist in different regions.

Regions are geographic areas containing Azure datacenters. And honestly, region choice matters more than beginners sometimes realize — it can affect latency, compliance, data residency, and even which services are available to you. Region pairs are Microsoft-defined regional relationships used for resiliency and disaster recovery planning, but not every service automatically fails over across a pair. Customers still need to design for recovery. Availability Zones are separate physical datacenter locations within a region, each with independent power, cooling, and networking. They improve resiliency within a region when both the region and service support zones.

For deployment decisions, these basics matter. If your users are in Europe and you want to keep latency low, I’d usually start by putting the resources in a nearby Azure region. If you’re trying to improve availability for a VM-based app, it usually makes more sense to spread it across Availability Zones or run multiple instances behind a load balancer. If an organization wants governance across production and development subscriptions, management groups and policy become relevant.

Shared responsibility also matters. With VMs, Azure manages the physical datacenter, hardware, and hypervisor, while you manage the guest OS and applications. With App Service and Azure SQL Database, Microsoft manages much more of the platform. That difference appears often in AZ-900 questions.

3. Azure Compute Services

Service | Primary use | Best clue
Azure Virtual Machines | IaaS compute with guest OS control | Full OS/admin control
Virtual Machine Scale Sets | Group of similar VMs with scaling | Scale-out VM workload
Azure App Service | Managed web apps and APIs | Managed web hosting
Azure Functions | Event-driven serverless execution | Triggered code
Azure Container Instances | Run containers without orchestration | Single/simple containers
Azure Kubernetes Service | Managed Kubernetes orchestration | Container orchestration
Azure Virtual Desktop | Desktop and app virtualization on Azure | Remote desktops/apps

Azure Virtual Machines are the classic IaaS choice. When I’m teaching this, I usually point people to VMs when they need guest OS control, custom software, older applications, or they’re doing a lift-and-shift from on-premises. A VM setup usually comes with a VNet, a subnet, a network interface, maybe a public IP, NSG rules, an OS image, and managed disks. Azure handles the physical infrastructure underneath, but you’re still responsible for the guest OS, the installed software, and quite a bit of the security setup. If the exam says Windows Server migration, custom server configuration, or full administrative control, think VMs. Do not choose VMs first if a managed web platform would do the job more simply.

Virtual Machine Scale Sets let you deploy and manage a group of similar VMs and scale them in or out. They’re handy when you’ve got a stateless workload that can run across multiple VM instances, often sitting behind Azure Load Balancer. AZ-900 usually tests the idea, not the orchestration details: scale sets are for scale-out VM workloads, not for a single server that cannot be duplicated.

Azure App Service is a PaaS platform for hosting web apps and APIs. It runs on an App Service plan, which determines compute size and scaling. Common features include custom domains, SSL/TLS, deployment slots, authentication integration, and pretty straightforward connectivity to databases. The exam distinction is pretty simple: App Service is built for hosted web apps and APIs, and you don’t have to manage the underlying OS. If the requirement sounds like, ‘we need to host a website, but we really don’t want to deal with patching servers,’ App Service is usually the first place I’d look.

Azure Functions is designed for event-driven code execution. Functions can kick off from HTTP requests, timers, storage events, queue messages, and a handful of other triggers too. On the Consumption plan, billing is based on executions and execution time, though other hosting plans exist. A practical example is file processing: a blob upload triggers a function, which processes the file or writes metadata to a queue. For AZ-900, the clue is not “small code” so much as triggered or event-driven execution. App Service and Functions can both expose HTTP endpoints, but they’re really designed for different usage patterns.

Azure Container Instances (ACI) fills an important gap. If you just need to run a container quickly and you don’t want to deal with VMs or Kubernetes, ACI is usually the simpler choice compared to AKS. It is often the best recognition choice for a single container or short-lived containerized task.

Azure Kubernetes Service (AKS) is for container orchestration. Azure manages a good portion of the Kubernetes control plane, but you’re still dealing with workloads, Kubernetes objects, networking choices, and often node pools and scaling behavior. AKS makes the most sense when you’re building microservices or a more structured container platform. It is powerful, but not the default answer for every container scenario. If the exam says orchestration, cluster, or microservices on Kubernetes, think AKS.

Azure Virtual Desktop (AVD) delivers remote desktops and remote applications from Azure. The terms you’ll usually hear around it are things like host pools, session hosts, user identity, and profile storage. Use AVD when people need a Windows desktop or remote app experience — not when you’re just trying to host a website.

Quick compute decision tree: full OS control = VM; scale-out identical VM app = VM Scale Sets; managed web app/API = App Service; triggered code = Functions; simple container = ACI; orchestrated containers = AKS; desktop delivery = AVD.

4. Azure Networking Services

Service | Purpose | Key clue
Virtual Network (VNet) | Private network boundary in Azure | Private IP networking
Subnets | Segment a VNet | Network segmentation
Network Security Groups | Allow/deny traffic rules | Traffic filtering
VNet Peering | Private connection between VNets | Connect Azure networks privately
VPN Gateway | Encrypted hybrid connectivity over the internet | VPN tunnel
ExpressRoute | Private dedicated connectivity | Dedicated private connection
Load Balancer | Layer 4 TCP/UDP distribution | Network-level balancing
Application Gateway | Layer 7 web routing | HTTP/HTTPS, WAF, path routing
Front Door | Global Layer 7 entry for web apps | Global HTTP/HTTPS routing
Azure DNS | Authoritative DNS hosting | Name resolution

VNet is the private network boundary for Azure resources. You define address spaces and create subnets to segment workloads such as web, app, and database tiers. NSGs apply inbound and outbound allow/deny rules to subnets or NICs. VNet peering connects VNets privately over the Azure backbone, which is useful for multi-network architectures.
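As an added example (not code from the article), the following Python model shows how an NSG evaluates inbound traffic: rules are processed in ascending priority, the first match wins, and Azure's built-in default rules (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound) sit beneath every custom rule, so anything unmatched falls to DenyAllInBound. The custom rule set, the VNet address space 10.0.0.0/16, the bastion subnet and the sample source addresses are all constructed, and service tags are approximated (Internet is modelled as "any address outside the VNet"). The last function is a small least-privilege check that flags Allow rules exposing SSH or RDP to any source.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int   # 100-4096 for custom rules; lower number is evaluated first
    direction: str  # "Inbound" or "Outbound"
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR, "*" or a service tag name
    dest_port: str  # "*", a single port such as "22", or a range such as "8000-8080"


# Service tags resolved to constructed address ranges. VirtualNetwork is the VNet's
# own address space (assumed 10.0.0.0/16 here); AzureLoadBalancer is the documented
# Azure platform probe address.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}

# Azure's built-in default inbound rules (priorities 65000+). Every custom rule is
# evaluated before these, and DenyAllInBound is the fallback for unmatched traffic.
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]


def _source_matches(rule_source, src_ip):
    ip = ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "Internet":
        # Azure's Internet tag is the address space outside the virtual network.
        return not any(ip in ip_network(r) for r in SERVICE_TAGS["VirtualNetwork"])
    ranges = SERVICE_TAGS.get(rule_source, [rule_source])  # tag name or a literal CIDR
    return any(ip in ip_network(r) for r in ranges)


def _port_matches(rule_port, port):
    if rule_port == "*":
        return True
    if "-" in rule_port:
        low, high = (int(p) for p in rule_port.split("-", 1))
        return low <= port <= high
    return int(rule_port) == port


def evaluate(rules, direction, protocol, src_ip, dst_port):
    """Return (access, rule_name) for the first matching rule in ascending priority order."""
    ordered = sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority)
    for rule in ordered:
        if rule.direction != direction:
            continue
        if rule.protocol != "*" and rule.protocol.lower() != protocol.lower():
            continue
        if not _source_matches(rule.source, src_ip):
            continue
        if not _port_matches(rule.dest_port, dst_port):
            continue
        return rule.access, rule.name
    return "Deny", "implicit"  # unreachable while DenyAllInBound is present


def management_ports_open_to_internet(rules, mgmt_ports=(22, 3389)):
    """Defender check: names of inbound Allow rules that expose SSH/RDP to any source."""
    findings = []
    for rule in rules:
        if rule.access != "Allow" or rule.direction != "Inbound":
            continue
        if rule.source not in ("*", "Internet"):
            continue
        if any(_port_matches(rule.dest_port, p) for p in mgmt_ports):
            findings.append(rule.name)
    return findings


# Constructed custom rules for a web subnet: HTTPS from anywhere, SSH only from a
# bastion subnet, and an explicit deny of SSH from the internet.
WEB_SUBNET_RULES = [
    NsgRule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "443"),
    NsgRule("AllowSshFromBastion", 110, "Inbound", "Allow", "Tcp", "10.0.1.0/24", "22"),
    NsgRule("DenySshFromInternet", 200, "Inbound", "Deny", "Tcp", "Internet", "22"),
]

if __name__ == "__main__":
    for src, port in [("203.0.113.10", 443), ("203.0.113.10", 22), ("10.0.1.5", 22),
                      ("203.0.113.10", 3389), ("10.0.2.7", 8080), ("168.63.129.16", 80)]:
        print(f"Tcp {src}:{port} ->", evaluate(WEB_SUBNET_RULES, "Inbound", "Tcp", src, port))
    print("management ports open to internet:", management_ports_open_to_internet(WEB_SUBNET_RULES))
```

The priority ordering is the part worth internalising: a Deny at priority 200 never blocks an Allow at 110, which is why the explicit internet deny for SSH does not interfere with the bastion allow, and why an unmatched RDP attempt is caught by the default DenyAllInBound rather than by anything you wrote.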

VPN Gateway connects on-premises networks to Azure using encrypted tunnels over the public internet. It is usually the recognition answer for lower-cost hybrid connectivity. ExpressRoute provides private dedicated connectivity to Azure and can help with predictable connectivity and compliance requirements, but, unlike a VPN tunnel, it is not encrypted by default. The exam trap is common: ExpressRoute is not just a faster VPN. If the wording says private dedicated connection, choose ExpressRoute. If it says encrypted tunnel over the internet, choose VPN Gateway.

Azure Load Balancer distributes TCP/UDP traffic and can be public or internal. Application Gateway is a regional Layer 7 service for HTTP/HTTPS traffic with features like path-based routing and Web Application Firewall support. Azure Front Door is a global Layer 7 entry service for internet-facing applications, providing intelligent routing, global failover, acceleration, and optional WAF capabilities. Here’s the memory trick I usually give people: Load Balancer is Layer 4, Application Gateway is regional Layer 7, and Front Door is global Layer 7.

Azure DNS hosts public and private DNS domains. It is not limited to Azure resources; it provides authoritative DNS hosting using Azure infrastructure. In private architectures, private DNS zones help resources resolve names inside VNets.

Security recognition: NSG = subnet/NIC filtering, Azure Firewall = centralized managed firewall, DDoS Protection = broader network attack protection, WAF = web-layer protection on Application Gateway or Front Door.

5. Azure Storage Services

Service | Best for | Key distinction
Blob Storage | Unstructured object data | Objects, not file shares
Azure Files | Managed file shares | SMB/NFS shared access
Queue Storage | Application messages | Asynchronous messaging
Table Storage | Semi-structured NoSQL data | Key/attribute store
Managed Disks | VM OS and data disks | Block storage attached to VMs

A storage account provides a unique namespace plus management, security, and billing scope for Azure Storage services such as blobs, files, queues, and tables. When you’re choosing a storage option, a really useful question is: am I storing an object, a file share, a disk, a message, or some kind of NoSQL data?

Blob Storage is object storage for documents, media, backups, logs, and analytics data. Inside a storage account, blob containers are what you use to organize blob data. At a high level, block blobs are usually used for documents and media, append blobs work well for logging, and page blobs are used when you need random read and write access. Blob Storage also gives you features like lifecycle management, versioning, soft delete, and even static website hosting. If the exam says unstructured data or archive, Blob Storage is a strong candidate.

Azure Files provides managed file shares accessible through SMB and, in some scenarios, NFS. It is the right answer for shared departmental drives, lift-and-shift migrations, and hybrid file access. Azure File Sync can extend file shares between on-premises servers and Azure Files. The exam clue is shared file access.

Queue Storage stores messages for asynchronous communication between application components. Example: a web app accepts an order and places a message in a queue for background processing. Table Storage is a NoSQL key/attribute store for semi-structured data, useful for simple lookups like device metadata. Queue = messages; Table = records.

Managed Disks are Azure-managed block storage for VMs. They provide OS and data disks and come in performance tiers such as Standard HDD, Standard SSD, and Premium SSD. Managed disks are not general-purpose object storage.

Redundancy is an important AZ-900 topic. LRS replicates data synchronously three times within a single physical location in the primary region. ZRS replicates across availability zones in the primary region. GRS replicates to a secondary region. RA-GRS adds read access to that secondary region. GZRS combines zone redundancy in the primary region with geo-replication to a secondary region, and RA-GZRS adds read access to the secondary. More resiliency usually means higher cost.

Access tiers for blob data are also commonly tested: Hot for frequent access, Cool for infrequent access, and Archive for long-term retention. Archive is low cost for storage but slower to retrieve and may require rehydration before access.

6. Azure Database Services

Service | Model | Best clue
Azure SQL Database | Managed relational PaaS | Standard relational app
Azure SQL Managed Instance | Managed relational with higher SQL Server compatibility | More SQL Server feature compatibility
SQL Server on Azure VM | IaaS relational database | Full SQL/OS control
Azure Database for PostgreSQL Flexible Server | Managed PostgreSQL | PostgreSQL app
Azure Database for MySQL Flexible Server | Managed MySQL | MySQL app
Azure Cosmos DB | Globally distributed NoSQL | Global low-latency NoSQL

The biggest database distinction on AZ-900 is relational versus NoSQL. Azure SQL Database is a managed relational database service in the Azure SQL family. It’s a strong choice for transactional business applications, and it reduces operational overhead because Azure takes care of things like backups, scaling options, and platform management for you. Azure SQL Managed Instance is the recognition-level middle ground between Azure SQL Database and SQL Server on a VM: more SQL Server compatibility than Azure SQL Database, but still managed. SQL Server on Azure VM is the answer when full control is required.

Azure Database for PostgreSQL Flexible Server and Azure Database for MySQL Flexible Server are managed services for those engines. If the requirement specifically says PostgreSQL or MySQL, go with the matching managed service.

Azure Cosmos DB is a globally distributed NoSQL database service with multiple APIs, including SQL/Core, MongoDB, Cassandra, Gremlin, and Table. It’s built for low-latency global applications, flexible data models, and horizontal scale. At a fundamentals level, know the clues: global distribution, NoSQL, flexible schema, multi-region access. It is not the default answer for every database question.

7. Management, Monitoring, Identity, and Security Basics

Azure Portal is the graphical interface. Azure Resource Manager (ARM) is the management plane for Azure resources and supports declarative deployments through ARM templates and Bicep, a higher-level language that compiles to ARM templates. Azure CLI, Azure PowerShell, and Cloud Shell are command-line management tools.

Azure Monitor provides metrics, logs, alerts, and dashboards. Log Analytics stores and queries log data, and Application Insights focuses on application telemetry. Azure Advisor gives recommendations around cost, reliability, security, performance, and operational excellence. Azure Service Health shows personalized service issues affecting your resources, while Azure Status provides a broader platform-wide service status view.

Microsoft Entra ID (formerly Azure Active Directory) is the identity system used for authentication. RBAC controls authorization to Azure resources. A common exam distinction is simple: Entra ID answers "who are you?"; RBAC answers "what are you allowed to do?"

Across core services, security themes repeat: encryption at rest, encryption in transit, least privilege, managed identities, private endpoints, NSGs, and WAF protection for web applications.
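The resource hierarchy from section 2 and the RBAC paragraph above come together in one mechanism: a role assignment made at a management group, subscription or resource group applies to everything beneath it. The following Python model, an added example rather than anything from the article or from Azure's own SDKs, parses Azure resource IDs into their scope chain, resolves whether a principal can perform an action through an inherited assignment, and ends with a least-privilege check that flags Owner/Contributor granted at subscription or management group scope. The management group tree, the subscription placeholder `sub-prod-0001`, the resource groups, the storage accounts, the principals and the assignments are all constructed; the role definitions are an abridged subset of the real built-in Actions/NotActions, and Azure deny assignments are outside the model.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user, group or managed identity (by display name here)
    role: str       # built-in role name
    scope: str      # management group, subscription, resource group or resource ID


# Abridged built-in role definitions (constructed subset of the real Actions/NotActions).
# Contributor can manage resources, but its NotActions stop it from granting roles.
ROLE_DEFS = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Contributor": {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]},
    "Owner": {"actions": ["*"], "notActions": []},
}


def _matches(pattern, action):
    # Azure action wildcards match across '/' segments; comparison is case-insensitive.
    return fnmatchcase(action.lower(), pattern.lower())


def scope_chain(scope, mg_parent):
    """Return the scope and all of its ancestors, most specific first.

    mg_parent maps a subscription or management group scope to the management
    group above it; the root management group has no entry."""
    chain = []
    parts = scope.split("/")  # ['', 'subscriptions', <id>, 'resourceGroups', <rg>, 'providers', ...]
    if len(parts) >= 3 and parts[1].lower() == "subscriptions":
        sub_scope = "/".join(parts[:3])
        if len(parts) >= 5 and parts[3].lower() == "resourcegroups":
            rg_scope = "/".join(parts[:5])
            if len(parts) > 5:
                chain.append(scope)  # an individual resource inside the resource group
            chain.append(rg_scope)
        elif len(parts) > 3:
            chain.append(scope)      # a subscription-level resource
        chain.append(sub_scope)
        mg = mg_parent.get(sub_scope)
    else:
        mg = scope                   # already a management group scope
    while mg:
        chain.append(mg)
        mg = mg_parent.get(mg)
    return chain


def is_allowed(principal, action, resource_id, assignments, mg_parent):
    """True if an assignment at the resource or any ancestor scope grants the action."""
    effective = {s.lower() for s in scope_chain(resource_id, mg_parent)}
    for a in assignments:
        if a.principal != principal or a.scope.lower() not in effective:
            continue
        role = ROLE_DEFS[a.role]
        if any(_matches(p, action) for p in role["actions"]) and \
           not any(_matches(p, action) for p in role["notActions"]):
            return True
    return False


def broad_privileged_assignments(assignments):
    """Least-privilege check: Owner or Contributor granted at subscription or management group scope."""
    broad = []
    for a in assignments:
        s = a.scope.lower()
        wide = s.startswith("/providers/microsoft.management/") or \
               (s.startswith("/subscriptions/") and s.count("/") == 2)
        if wide and a.role in ("Owner", "Contributor"):
            broad.append(a)
    return broad


# Constructed hierarchy: corp management group -> prod management group -> one subscription.
MG_CORP = "/providers/Microsoft.Management/managementGroups/corp"
MG_PROD = "/providers/Microsoft.Management/managementGroups/prod"
SUB = "/subscriptions/sub-prod-0001"  # placeholder, not a real subscription ID
MG_PARENT = {MG_PROD: MG_CORP, SUB: MG_PROD}

APP_RG = SUB + "/resourceGroups/app-rg"
DATA_RG = SUB + "/resourceGroups/data-rg"
APP_STORAGE = APP_RG + "/providers/Microsoft.Storage/storageAccounts/appfiles001"
DATA_STORAGE = DATA_RG + "/providers/Microsoft.Storage/storageAccounts/datalake001"

ASSIGNMENTS = [
    RoleAssignment("alice", "Reader", MG_CORP),               # inherited by every subscription below
    RoleAssignment("deploy-identity", "Contributor", APP_RG),  # managed identity limited to one RG
    RoleAssignment("bob", "Owner", APP_STORAGE),              # limited to a single resource
    RoleAssignment("ops-team", "Contributor", SUB),           # broad grant, flagged by the check
]

if __name__ == "__main__":
    print(scope_chain(APP_STORAGE, MG_PARENT))
    print(is_allowed("alice", "Microsoft.Storage/storageAccounts/read", APP_STORAGE, ASSIGNMENTS, MG_PARENT))
    print(is_allowed("deploy-identity", "Microsoft.Authorization/roleAssignments/write", APP_STORAGE, ASSIGNMENTS, MG_PARENT))
    print([a.principal for a in broad_privileged_assignments(ASSIGNMENTS)])
```

The two behaviours to take away are inheritance (alice's Reader role at the top of the tree reaches a storage account three levels down) and scoping (the deployment identity's Contributor role stops at its resource group, so the same action on a resource in another group is refused). The NotActions check is what keeps Contributor from being a disguised Owner, which is exactly the kind of distinction least privilege depends on.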

8. Commonly Confused Azure Services

VM vs App Service: VM when you need guest OS control; App Service when you need managed web hosting.

App Service vs Functions: App Service for hosted web apps/APIs; Functions for event-driven execution.

ACI vs AKS: ACI for simple containers; AKS for orchestrated container platforms.

VPN Gateway vs ExpressRoute: VPN Gateway uses encrypted tunnels over the internet; ExpressRoute is private dedicated connectivity.

Load Balancer vs Application Gateway vs Front Door: Load Balancer is Layer 4, Application Gateway is regional Layer 7, Front Door is global Layer 7.

Blob Storage vs Azure Files vs Managed Disks: Blob = objects, Files = shared file access, Managed Disks = VM disks.

Azure SQL Database vs SQL Managed Instance vs Cosmos DB: Azure SQL Database = managed relational app database; Managed Instance = more SQL Server compatibility; Cosmos DB = globally distributed NoSQL.

9. Practical Scenarios, Troubleshooting, and Exam Cues

Modern web app: Front Door routes global users to App Service, the app stores relational data in Azure SQL Database, uploads land in Blob Storage, and Azure Functions processes new files. Monitor and alerts track health.

Hybrid legacy app: An on-premises business app is lifted to Azure VMs, uses managed disks, stores shared documents in Azure Files, and connects back to the datacenter through VPN Gateway or ExpressRoute depending on requirements.

Containerized platform: Front-end traffic hits Application Gateway or Front Door, then reaches AKS, while Cosmos DB stores globally distributed application data.

Remote workforce: Azure Virtual Desktop delivers desktops and remote apps, identity comes from Entra ID, and user data can be stored in Azure Files.

Basic troubleshooting checklist: if users cannot reach an app, check DNS, Front Door/Application Gateway/Load Balancer path, NSG or firewall rules, and Azure Monitor metrics. If a VM cannot connect privately, verify VNet, subnet, peering, gateway, and NSG settings. If a Function is not triggering, verify the trigger type, storage connection, permissions, and Monitor logs.

Keyword-to-service cheat sheet: full OS control = VM; managed web hosting = App Service; triggered/event-driven = Functions; simple container = ACI; container orchestration = AKS; remote desktops = AVD; encrypted tunnel = VPN Gateway; private dedicated connection = ExpressRoute; shared files = Azure Files; unstructured object storage = Blob Storage; VM disk = Managed Disks; relational managed SQL = Azure SQL Database; globally distributed NoSQL = Cosmos DB.

What AZ-900 expects: know what each service is for, how it compares with similar services, and which requirement points to which answer. What it does not expect: deep subnet sizing, Kubernetes internals, SQL tuning, routing protocols, or template syntax mastery.

If you keep the core memory frameworks in mind, the exam gets much easier: control vs convenience for compute, private connectivity vs app delivery for networking, object vs file vs disk vs message vs NoSQL table for storage, and relational vs globally distributed NoSQL for databases.