Microsoft Azure Fundamentals AZ-900: Understanding Core Azure Services

1. Introduction

When I teach AZ-900, I always tell people this part is way less about memorizing a pile of product names and way more about spotting the right Azure service for the job. Honestly, the exam tends to reward practical judgment. You’ve got to know when a fully managed service makes sense, when you really do need a VM, when object storage is the better fit than file storage, and when private connectivity is a better answer than encrypted access over the public internet.

A really solid rule of thumb is to pick the most managed Azure service that still checks the technical, compatibility, compliance, and operational boxes. Now, that’s not some absolute law for every real-world design, but for AZ-900 questions it’s a very good way to think things through. In the sections below, I’m walking through the main Azure service families that show up again and again on AZ-900: architecture, governance, compute, networking, storage, databases, security, and management.

2. Azure Basics and Architectural Building Blocks

Azure is absolutely a public cloud platform, but it’s also designed to play nicely in hybrid and multicloud environments. Honestly, that’s one of the reasons I like teaching it so much, because it doesn’t force everything into one neat little box. In cloud terms, public cloud means Microsoft owns and operates the infrastructure. Private cloud means one organization uses dedicated cloud infrastructure. Hybrid cloud combines on-premises and cloud resources, which is extremely common during phased migrations.

You also need the service models:

Model | You Manage | Azure Manages | Example
IaaS | Guest OS, patching, app, data, identity and resource configuration | Physical datacenters, hardware, virtualization | Azure Virtual Machines
PaaS | Application code, app configuration, data, access decisions | Infrastructure, OS patching, platform runtime | Azure App Service, Azure SQL Database
SaaS | Data usage, user settings, limited configuration | Application, platform, infrastructure | Microsoft 365

This is the shared responsibility model. Now here’s the thing: responsibility doesn’t stay fixed. It shifts depending on the service model, and sometimes even on the specific features you’re using. And even with managed services, you’re still responsible for the important stuff like access control, data classification, and a lot of the configuration choices. Azure helps a ton, but it doesn’t remove your responsibility entirely.

Azure’s organizational hierarchy is also heavily tested:

  • Tenant: sits at the identity boundary.
  • Management groups: organize multiple subscriptions.
  • Subscriptions: billing, access, and quota boundaries.
  • Resource groups: logical containers for related resources.
  • Resources: the actual services, such as VMs or storage accounts.

That hierarchy matters because Azure RBAC and Azure Policy can be assigned at different scopes and inherited downward. A policy at a management group can affect all subscriptions below it. A role assignment at a resource group can apply to all resources inside it. This is why scope matters on the exam.
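To make the inheritance rule concrete, here is a small model of that hierarchy with a role assignment and an "Allowed locations" policy assigned at different scopes. This is an added example, not code from the article or from Microsoft; the scope names, principals and regions are constructed, and "tenant-root" stands in for the root management group.

```python
"""Added example, not part of the article: how Azure RBAC role assignments and
Azure Policy assignments made at a higher scope apply to everything beneath it
(tenant > management group > subscription > resource group > resource).
All scope names are constructed."""
from dataclasses import dataclass

# Constructed hierarchy, child scope -> parent scope.  "tenant-root" stands for
# the root management group every tenant has.
PARENT = {
    "mg-corp": "tenant-root",
    "sub-prod": "mg-corp",
    "sub-dev": "mg-corp",
    "rg-az900-demo": "sub-prod",
    "rg-dev-sandbox": "sub-dev",
    "vm-web01": "rg-az900-demo",
    "stgaz900demo123": "rg-az900-demo",
}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user, group, service principal or managed identity
    role: str       # built-in role name such as "Reader" or "Contributor"
    scope: str      # scope at which the assignment is made


@dataclass(frozen=True)
class PolicyAssignment:
    name: str
    scope: str
    allowed_locations: frozenset  # an "Allowed locations"-style deny policy


def scope_chain(scope):
    """Return the scope followed by each ancestor up to the tenant root."""
    chain = [scope]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain


def effective_roles(principal, scope, assignments):
    """RBAC is additive: every assignment at this scope or above applies."""
    chain = set(scope_chain(scope))
    return {a.role for a in assignments
            if a.principal == principal and a.scope in chain}


def location_denied_by(scope, location, policies):
    """Names of policy assignments at or above `scope` that would deny a
    deployment to `location`.  A single deny blocks the deployment, so the
    most restrictive ancestor effectively wins."""
    chain = set(scope_chain(scope))
    return sorted(p.name for p in policies
                  if p.scope in chain and location not in p.allowed_locations)


# Constructed assignments: Reader granted once at the management group,
# Contributor only on the demo resource group, and a corporate region policy
# that the production subscription tightens further.
ROLE_ASSIGNMENTS = [
    RoleAssignment("alice", "Reader", "mg-corp"),
    RoleAssignment("bob", "Contributor", "rg-az900-demo"),
]
POLICIES = [
    PolicyAssignment("allowed-locations-corp", "mg-corp", frozenset({"eastus", "eastus2"})),
    PolicyAssignment("allowed-locations-prod", "sub-prod", frozenset({"eastus"})),
]
```

Note that assignments only flow downward: bob's Contributor role on the resource group gives him nothing on the subscription above it or on a sibling resource group.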

A few architectural terms need precise definitions:

  • Region: a geographic area containing Azure datacenters.
  • Availability Zone: a physically separate location within a region, with independent power, cooling, and networking. And just to make that crystal clear, a zone can actually include one or more datacenters, so don’t picture it as just one building on a map somewhere.
  • Region Pair: a Microsoft-defined regional pairing used for certain resiliency and recovery strategies. Not every service automatically fails over across a paired region.

Also note that Availability Zones are only available in supported regions. Do not assume every Azure region has zonal support.

One more nuance beginners miss: a resource group is a logical container, not a network or geographic boundary. You can absolutely have resources in the same resource group living in different regions, while the resource group itself just has a metadata location.

3. Governance, Resiliency, and Core Cloud Benefits

AZ-900 really expects you to connect Azure services to actual business outcomes, not just repeat service definitions back at the exam. The common cloud benefits are still important: high availability, scalability, elasticity, agility, fault tolerance, and disaster recovery.

But here’s the thing: don’t blur them together as if they’re all the same idea, because they definitely aren’t.

High availability is about keeping services running. Fault tolerance is about continuing operation when components fail. Disaster recovery is about restoring service after a major event. Backup is not the same as replication: replication improves availability and durability, while backup helps with recovery from deletion, corruption, or ransomware scenarios.

When I’m thinking about governance, these are usually the first tools I’d reach for:

  • Tags: metadata labels for cost tracking, ownership, or environment classification.
  • Azure Policy: enforces or audits rules, such as allowed regions or required tags.
  • Resource locks: help prevent accidental deletion or modification.
  • Subscriptions: also act as quota and service limit boundaries.

Exam pattern: if the question is about organizing billing or applying governance across many subscriptions, think management groups, subscriptions, RBAC, Policy, and tags rather than individual workload services.

4. Azure Compute Services Explained

Service | Best Use | Management Level | Common Exam Clue
Virtual Machines | Legacy apps, custom OS control | High customer management | Full server access
App Service | Web apps and APIs | Managed platform | Minimal admin for website/API
Functions | Event-driven code | Serverless-oriented | Run code on trigger
Container Instances | Single/simple containers | Managed container runtime | Run container without orchestration
Container Apps | Modern container apps or microservices without full Kubernetes management | More managed than AKS | Containerized app with scaling and less ops
AKS | Kubernetes orchestration | Shared responsibility | Microservices, orchestrated containers

Azure Virtual Machines are IaaS. With a VM, you’re choosing the image, the VM size, the disk type, the network interface card, the subnet, and often a public IP address if the machine needs internet access. Azure takes care of the physical hardware underneath, but you still manage the guest operating system, patching, security hardening, application installs, backup decisions, and a lot of the resource configuration. If the exam says lift-and-shift, legacy server app, or custom OS settings, VMs are often the answer.

At a high level, a VM usually depends on a virtual network, a subnet, a network interface, a disk, and access controls like an NSG. For resiliency, Azure offers Availability Sets, Availability Zones, and Virtual Machine Scale Sets. Scale sets let you run a group of similar VMs and autoscale them, usually with a load balancer sitting in front.

Azure App Service is PaaS for web apps, APIs, and some background workloads. Azure takes care of the infrastructure underneath, the operating system patching, and the platform runtime. You still manage your code, app settings, identity integration, and data connections. Important App Service concepts include the App Service Plan that determines pricing tier, scale, and features, plus deployment slots for safer releases.

If the question says you need to host a web app with minimal admin work, App Service is usually the answer I’d lean toward.

Azure Functions is an event-driven compute service often described as serverless. That is correct at exam level, but note that Functions supports multiple hosting plans. It can fire off from HTTP triggers, timers, queue messages, blob events, and a bunch of other event types. A handy AZ-900 shortcut is to think of Functions when the code runs in response to events, not when you’re looking for a traditional hosted application. Just remember that’s a study shortcut, not some hard technical law.

Azure Container Instances (ACI) runs containers without managing VMs or a Kubernetes cluster.

It’s a really good fit for short-lived jobs, isolated workloads, or simpler container deployments where bringing in a big orchestration platform would honestly be overkill.

Azure Container Apps sits between ACI and AKS in complexity: it is a more managed platform for containerized apps, with scaling and microservice-friendly patterns, but without the full Kubernetes administration burden.

Azure Kubernetes Service (AKS) is managed Kubernetes.

Azure handles the Kubernetes control plane for you, but you’re still on the hook for node pools, workloads, networking choices, access controls, scaling policies, and the everyday cluster maintenance that comes with it.

AKS is the right answer when the workload really does need Kubernetes orchestration and the flexibility that comes with it.

Just because a question mentions containers doesn’t automatically mean AKS is the best fit. Sometimes, honestly, the simpler service is the better call.

Azure Virtual Desktop delivers full virtual desktops and published remote apps from Azure.

It’s really useful for centralized desktop delivery, remote workers, contractors, and situations where people mainly just need secure access to apps and desktops.

It commonly integrates with Microsoft Entra ID, networking, and profile storage.

Quick CLI examples (Azure CLI first, then the Azure PowerShell equivalent):

az group create --name rg-az900-demo --location eastus   # create a resource group in East US

az vm list -o table                                      # list the VMs in the current subscription as a table

New-AzResourceGroup -Name rg-az900-demo -Location eastus  # same resource group, created from Azure PowerShell

Troubleshooting compute basics: if a VM is unreachable, check VM state, public IP, NSG rules, guest firewall, route path, and VPN or ExpressRoute connectivity if applicable.

If an App Service app is down or just behaving oddly, I’d start with the basics: app status, custom domain and DNS, TLS binding, access restrictions, and the Azure Monitor metrics.

5. Azure Networking Services Explained

Azure Virtual Network (VNet) is your private network in Azure. Subnets segment that network into smaller ranges for workload separation. Network Security Groups (NSGs) filter inbound and outbound traffic at the subnet or NIC level. On AZ-900, NSGs are one of the most important missing pieces if you only memorize VNet and subnet.
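The way an NSG reaches its allow or deny decision is what you end up checking in the "VM is unreachable" troubleshooting flow above, so here is a worked model of it. This is an added example, not code from the article or from Azure itself; it assumes the real NSG semantics (rules processed in priority order, lowest number first, first match wins, default DenyAllInBound at 65500, and both the subnet NSG and the NIC NSG must allow inbound traffic), while the rule sets and addresses are constructed and service tags are not modelled.

```python
"""NSG rule evaluation.

Added example, not from the article: an NSG processes rules by priority
(lowest number first) and the first match decides; inbound traffic to a VM
must be allowed by the subnet NSG and then by the NIC NSG.  Rule sets and
addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int   # 100-4096 for custom rules; default rules start at 65000
    name: str
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR prefix or "*" (service tags are not modelled)
    dest_port: str  # "22", "1000-2000" or "*"


def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _source_matches(spec, addr):
    return spec == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def evaluate(rules, src_ip, dest_port, protocol="Tcp"):
    """Return (access, rule_name) of the first matching rule.  The default
    DenyAllInBound rule at priority 65500 is modelled explicitly; the other
    default Allow rules (VirtualNetwork, AzureLoadBalancer) are omitted."""
    default = Rule(65500, "DenyAllInBound", "Deny", "*", "*", "*")
    for r in sorted([*rules, default], key=lambda r: r.priority):
        if r.protocol in ("*", protocol) and _source_matches(r.source, src_ip) \
                and _port_matches(r.dest_port, dest_port):
            return r.access, r.name


def vm_reachable(subnet_rules, nic_rules, src_ip, dest_port, protocol="Tcp"):
    """Inbound traffic must pass both NSGs; report which layer and rule blocked it."""
    for layer, rules in (("subnet", subnet_rules), ("nic", nic_rules)):
        access, name = evaluate(rules, src_ip, dest_port, protocol)
        if access == "Deny":
            return False, f"{layer}:{name}"
    return True, "allowed"


# Constructed rule sets: the subnet NSG allows HTTPS from anywhere and SSH only
# from a management range; the NIC NSG mistakenly opens SSH to any source, but
# the subnet NSG still blocks it because both layers must allow the traffic.
SUBNET_RULES = [
    Rule(100, "AllowHttpsInbound", "Allow", "Tcp", "*", "443"),
    Rule(110, "AllowSshFromMgmt", "Allow", "Tcp", "10.10.0.0/24", "22"),
    Rule(120, "DenySshOther", "Deny", "Tcp", "*", "22"),
]
NIC_RULES = [
    Rule(100, "AllowSshAny", "Allow", "Tcp", "*", "22"),
    Rule(200, "AllowHttps", "Allow", "Tcp", "*", "443"),
]
```

The returned layer and rule name are exactly what you want when a VM is unreachable: they tell you whether the block sits at the subnet or at the NIC, and whether it came from a custom rule or from the default deny.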

VNet peering connects VNets privately. Private endpoints let Azure PaaS services such as storage or databases be accessed through private IPs inside a VNet instead of public endpoints. This is a key security and isolation concept even at fundamentals level.

Traffic distribution services are easier if you separate them by scope and layer:

Service | Scope | Layer | Best For
Load Balancer | Regional | Layer 4 (TCP/UDP) | Balancing inbound and outbound network traffic at the transport layer
Application Gateway | Regional | Layer 7 (HTTP/HTTPS) | Web traffic routing, WAF
Front Door | Global | Layer 7 (HTTP/HTTPS) | Global web entry point, routing, acceleration, WAF
CDN | Global edge | Content delivery | Caching static or streaming content close to users

Azure Load Balancer is a regional Layer 4 service for TCP/UDP traffic and supports both inbound and outbound scenarios. Application Gateway is a regional Layer 7 web traffic load balancer and can include a Web Application Firewall. Azure Front Door is a global HTTP/HTTPS entry point with routing, acceleration, and WAF integration. Azure CDN is primarily for caching and delivering content from edge locations. Front Door and CDN are related but not interchangeable.

For hybrid connectivity, VPN Gateway provides encrypted connectivity over the public internet. ExpressRoute provides private connectivity between on-premises infrastructure and Microsoft cloud services through a connectivity provider; traffic does not traverse the public internet. ExpressRoute can provide more predictable network characteristics, but do not assume it automatically means encryption unless separately configured.

Also know the basic VPN types: site-to-site connects networks, while point-to-site connects individual client devices.

Azure DNS is Microsoft’s managed hosting service for DNS domains. Azure also provides name resolution within VNets, and Private DNS Zones help with private name resolution for internal or private endpoint-based resources.

6. Azure Storage Services Explained

An Azure storage account is the namespace for services such as blobs, files, queues, and tables. Its redundancy choice, performance options, and account capabilities affect durability and supported scenarios.

Service | Data Type | Best For | Exam Trap
Blob Storage | Object storage | Backups, media, logs, archives | Not a traditional SMB file share
Azure Files | File storage | Shared file access | Not the best answer for large object archives
Managed Disks | Block storage | VM OS and data disks | Not general shared storage
Queue Storage | Message storage | Simple app decoupling | Different from Service Bus
Table Storage | NoSQL key/attribute | Semi-structured data that is not as rigid as a relational table | Not a relational database

Blob Storage stores unstructured object data. It uses containers and supports access tiers such as Hot, Cool, and Archive for different cost and access patterns.

Hot is for data you access all the time, Cool is for data you don’t need very often, and Archive is for long-term retention when you almost never need to retrieve it.

Blob Storage also supports features like lifecycle management, versioning, and soft delete, and those are genuinely useful in real-world environments.

Azure Files provides managed file shares over SMB and, in some scenarios, NFS. It is a natural answer for shared folders and hybrid file access. Azure File Sync can help synchronize on-premises Windows Servers with Azure file shares.

Managed Disks are VM disks. At a high level, it’s enough to know the common disk types like Standard HDD, Standard SSD, and Premium SSD. If the workload is a VM, managed disks are part of the picture. Snapshots and backups are there to help with recovery.

Queue Storage is for simple message-based decoupling between application components. Azure Service Bus is a more advanced messaging service with richer enterprise features, so do not treat Queue Storage as the only Azure messaging option. Table Storage is a schemaless NoSQL key/attribute store for semi-structured data using partition and row keys.

Storage redundancy also needs precise wording:

  • LRS: multiple synchronous copies in a single primary region location.
  • ZRS: copies across availability zones in the primary region.
  • GRS: LRS in the primary region plus asynchronous replication to a secondary region.
  • GZRS: ZRS in the primary region plus asynchronous replication to a secondary region.
  • RA-GRS/RA-GZRS: read access to the secondary region.

Security basics matter here too. Azure Storage supports encryption at rest, access keys, shared access signatures, RBAC-based access, network restrictions, and private endpoints. If you run into a storage access issue, check the credentials or role assignments, the public or private network settings, firewall restrictions, and DNS resolution first.

7. Azure Database Services Explained

Database questions usually come down to one first decision: relational or non-relational.

Azure SQL Database is a managed PaaS relational database service with built-in high availability as part of the service architecture. It’s a strong fit for transactional business applications, SQL queries, and structured schemas. At a high level, just know that Azure offers single databases, elastic pools, and Managed Instance for broader SQL Server compatibility scenarios.

Azure Cosmos DB is a fully managed globally distributed database service supporting multiple data models and APIs. It’s designed for low-latency, planet-scale applications and supports things like global replication, partitioning, configurable consistency levels, and throughput-based scaling. If the clue mentions global users, a flexible schema, or very low latency across regions, Cosmos DB is usually the answer.

Azure Database for MySQL and Azure Database for PostgreSQL are managed relational database services for teams that want those engines without managing the underlying infrastructure.

Security and access patterns matter here too. Managed databases often use firewall rules, private endpoints, Microsoft Entra authentication options, encryption, and monitoring. If the exam describes a traditional relational application, do not overreach and pick Cosmos DB just because it sounds more cloud-native.

8. Identity and Security Services Relevant to Core Azure Services

Microsoft Entra ID is Azure’s core identity and access service. It supports authentication, single sign-on, multifactor authentication, and integration with Azure RBAC. Even when a question is mainly about compute or storage, identity is often part of the correct design.

Managed identities let Azure resources authenticate to other Azure services without storing credentials in code. For example, an App Service app can use a managed identity to access Key Vault or Storage securely.

Azure Key Vault stores secrets, keys, and certificates. Microsoft Defender for Cloud provides security posture recommendations and threat protection capabilities. Azure Firewall is a managed network security service for controlling and logging traffic centrally. Combined with NSGs, private endpoints, and WAF-enabled services such as Front Door or Application Gateway, these help build layered security.

At AZ-900 level, remember the basics: use least privilege, prefer identity-based access over embedded secrets, understand encryption at rest and in transit, and know that security responsibility is shared between Microsoft and the customer.

9. Management, Deployment, Monitoring, and Diagnostics

Azure Portal is the GUI. Azure CLI and Azure PowerShell support scripting and automation. All of them interact with Azure Resource Manager (ARM), which is Azure’s deployment and management plane.

ARM templates are JSON-based infrastructure-as-code definitions, while Bicep is Microsoft’s preferred modern authoring experience for ARM deployments because it is simpler to read and write. A minimal Bicep example looks like this:

// Declares a general-purpose v2 storage account in the deployment's resource group
resource stg 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'stgaz900demo123'             // must be globally unique, lowercase letters and digits only
  location: resourceGroup().location  // inherit the location of the target resource group
  sku: { name: 'Standard_LRS' }       // locally redundant storage
  kind: 'StorageV2'
}

Azure Monitor collects and analyzes metrics, logs, alerts, and telemetry. Log Analytics is commonly used for centralized log analysis. Application Insights helps monitor application performance. Azure Advisor provides best-practice recommendations for cost, reliability, performance, security, and operational excellence. Service Health helps you understand Azure platform incidents and planned maintenance.

Basic troubleshooting flow for AZ-900-style scenarios:

  • Connectivity issue: check DNS, endpoint exposure, NSGs, firewalls, route path, and service state.
  • Performance issue: check region placement, SKU or tier, scaling settings, and latency path.
  • Storage access issue: check SAS, key, or RBAC, network restrictions, and private endpoint configuration.
  • Database access issue: check firewall rules, credentials, private or public access, and service health.

10. How AZ-900 Tests Core Azure Services

Requirement Clue | Likely Best Answer | Why Not the Common Wrong Answer
Legacy app, custom OS, full server control | Virtual Machines | App Service does not give guest OS control
Host website or API with minimal admin | App Service | VM works, but adds unnecessary management
Run code on timer, queue, HTTP trigger, or blob event | Functions | App Service is broader hosting, not the best event-driven clue
Single simple container | Container Instances or Container Apps | AKS may be overkill
Container orchestration, microservices | AKS | ACI does not provide full orchestration
Shared file share | Azure Files | Blob Storage is object storage, not a normal file share
Backups, media, logs, archive objects | Blob Storage | Azure Files is the wrong access pattern
VM disk storage | Managed Disks | Blob or File storage is not the VM disk abstraction
Relational SQL app | Azure SQL Database | Cosmos DB is not the default choice for relational workloads
Global low-latency flexible-schema app | Cosmos DB | Azure SQL Database is not the best global multi-model fit
Encrypted connection over internet | VPN Gateway | ExpressRoute is private dedicated connectivity
Private dedicated connection to Azure | ExpressRoute | VPN Gateway still uses the public internet path
Regional TCP/UDP balancing | Load Balancer | Front Door is global Layer 7 HTTP/HTTPS
Regional web traffic routing with WAF | Application Gateway | Load Balancer is Layer 4, not web-aware
Global web routing and acceleration | Front Door | CDN caches content but is not the same as a global app entry point

Common confusion pairs:

  • VM vs App Service: control vs managed web hosting.
  • Blob vs Azure Files: object storage vs shared file storage.
  • SQL Database vs Cosmos DB: relational vs globally distributed multi-model database.
  • VPN Gateway vs ExpressRoute: encrypted internet path vs private dedicated connectivity.
  • Region vs Availability Zone: geographic placement vs physically separate location within a region.
  • Resource group vs subscription vs management group: logical grouping vs billing and access boundary vs cross-subscription governance.

Also know what the exam is not usually asking for: deep Kubernetes administration, advanced route table design, detailed SQL tuning, or expert ARM authoring. AZ-900 is about service purpose, shared responsibility, major tradeoffs, and basic architecture choices.

11. Conclusion

Core Azure Services becomes much easier once you stop treating Azure as a list of names and start treating it as a set of workload patterns. Compute is about how much control you need. Networking is about how traffic flows and how securely it connects. Storage is about data type and access pattern. Databases are about relational versus globally distributed flexible models. Governance and identity explain who can deploy, manage, and secure everything.

If you keep one exam mindset, make it this: choose the most managed Azure service that still satisfies the technical and business requirement. That approach will carry you through a large percentage of AZ-900 service questions.