Notes For AZ-900 : Azure Fundamentals
In my first ever blog, I will go through the notes I made while preparing for the AZ-900 exam. They cover easy-to-understand cloud concepts and, more specifically, Azure service concepts.
About AZ-900
AZ-900 is an exam that demonstrates your foundational knowledge of cloud computing in general and Microsoft Azure in particular. It is a 45-minute test covering the topics below:
- Describe cloud concepts (25–30%)
- Describe Azure architecture and services (35–40%)
- Describe Azure management and governance (30–35%)
For more information click here and let's get started with the cloud concepts.
1. Describe Cloud Concepts
1.1 What's Cloud?
Cloud computing is the delivery of computing, storage, and networking services over the internet, allowing organisations to scale their IT operations without needing to manage physical infrastructure.
LAYMAN'S TERMS
In layman's terms, it's like renting a computer (and its power) instead of buying and maintaining the hardware yourself. It's the same as using public transport instead of buying a car.
1.2 Why Cloud?
Cloud is popular because it provides flexibility and power. It makes scaling an application up or down according to traffic easy. It provides a pay-as-you-go model, i.e. you pay only for the resources you use. This avoids the cost of buying physical devices and maintaining them.
1.2.1 Benefits of Cloud Computing
Availability and uptime
Aspect | Availability | Uptime |
---|---|---|
What it is | A guarantee or expected performance | Actual recorded time system is online |
Measurement | Typically % in SLAs (e.g., 99.99%) | Time duration (e.g., 24 days up) |
Purpose | Shows reliability promise | Shows performance history |
Related to | Service Level Agreements (SLAs) | Monitoring & performance tools |
Scalability, Elasticity and Agility
Aspect | Scalability | Elasticity | Agility |
---|---|---|---|
Focus | Capacity to handle growth | Automatic response to demand changes | Speed of development and innovation |
Trigger | Planned or predicted need | Real-time or unpredictable demand | Business or project needs |
Manual/Auto | Manual or automatic | Always automatic | Not about scaling, but about speed |
Goal | Improve performance | Optimize performance and cost | Move quickly and respond to change |
Example | Add 3 more servers for new users | Auto-scale web app during traffic spike | Deploy new app feature in hours |
High availability, fault tolerance, disaster recovery, reliability, resiliency
Aspect | High Availability | Fault Tolerance | Disaster Recovery | Reliability | Resiliency |
---|---|---|---|---|---|
Focus | Minimize downtime | Zero disruption | Post-failure recovery | Consistent operation | Fast recovery |
What it Ensures | System is up and running most of the time | System keeps running without interruption | Data and systems can be restored after disaster | System works correctly over time | System can recover from issues gracefully |
Failure Handling | Fast failover, minimal downtime | Seamless operation during failure | Recovery plan, not real-time | Prevent failure via good design | Auto-recovery and self-healing |
Example | Load-balanced VMs in different zones | RAID 10 disks; clustered DB | Restore VM from backup after ransomware | App gives same output for same input always | Retry logic in app; queue resubmission |
Security and Governance
Aspect | Security | Governance |
---|---|---|
Purpose | Protect cloud resources from threats and unauthorized access | Control how resources are created, managed, and used |
Focus | Protection (data, apps, networks, identities) | Compliance, cost control, policy enforcement |
Key Question | “Is it safe?” | “Is it under control and following rules?” |
Examples | Azure AD, Firewalls, NSGs, Azure DDoS Protection, Encryption | Azure Policy, Management Groups, RBAC, Cost Management, Cloud Adoption Framework |
Primary Tools | Microsoft Defender for Cloud, Azure DDoS Protection | Azure Policy, Azure Blueprints, Management Groups |
Who uses it? | Security teams, IT admins | Cloud admins, compliance officers, governance teams |
Manageability and Predictability
Aspect | Manageability | Predictability |
---|---|---|
Definition | How easily you can control, monitor, and operate resources | How consistently a system behaves in terms of performance or cost |
Focus | Control and visibility over cloud resources | Consistency and lack of surprises |
Key Question | “Can we manage and monitor it easily?” | “Will it behave the same every time?” |
Tools/Examples | Azure Monitor, Azure Portal, Azure Resource Manager | Consistent VM pricing, reliable app response time |
Who benefits? | Admins, DevOps, Support teams | Finance teams, developers, users |
1.3 Cost models in cloud computing
There are several cloud computing costing models according to usage and requirements. The prominent price model concepts are:
Economies of Scale means that cloud providers such as Microsoft save costs by ordering their servers in large quantities. Their unit cost is lower, so they can offer their services to customers more cheaply.
Capital Expenditure (CapEx) is when a company spends large amounts up front to acquire items such as servers and storage. This is the on-premises model. The arrangement gives you control but demands a large upfront cost.
Operational Expenditure (OpEx) is the spending incurred in regular day-to-day use. In the cloud no hardware is bought; you use a resource and pay for that use. Avoiding large upfront costs makes scaling applications easier.
The Consumption-Based Model is one of the cloud billing models. You pay for what you use: per minute, per GB, per function run, and so on. It is a kind of OpEx and therefore supports cost savings.
The Fixed Price Model means a fixed amount is paid regardless of whether the resources are utilised or not. Fixed pricing works well when your utilisation is steady, but you also pay for capacity you do not use.
TL;DR
Concept | Description | Quick Notes |
---|---|---|
Economies of Scale | 1. Cost Efficiency Through Large-Scale Operations 2. Tech-giants like Microsoft can purchase/use servers at a larger scale | Lower cost per unit |
CapEx (Capital Expenditure) | 1. Upfront Investment in Physical Infrastructure 2. Associated with on-premises infrastructure | High upfront cost |
OpEx (Operational Expenditure) | 1. Pay-as-You-Go(use) Model for Day-to-Day Operations 2. Associated with cloud | Low upfront cost and pay as you go. |
Consumption Based Model | 1. Pay per what you use 2. Unit of time or capacity (per minute, per GB, per execution) | Low upfront cost and pay as you go. |
Fixed Price Model | 1. You provision resources and pay for them even if not used 2. Predictable cost if usage is known | Ensures cost consistency |
- Cloud increases OpEx and decreases CapEx.
- OpEx is a broad financial term, whereas consumption-based pricing is a specific pricing method used within OpEx.
1.4 Cloud Deployment Models
There are three cloud deployment models:
Public Cloud: In this model the entire infrastructure is owned and managed by the cloud provider (such as Microsoft Azure, AWS, or Google Cloud), so you do not procure any physical servers yourself. You pay as you go, only for the services you consume. You get scale quickly, need less in-house technical expertise, and have no hardware upkeep. If setting up or maintaining your own data centre does not appeal to you, public cloud is a good fit. Think of it like public transport: you don't own the bus or train, but it is there for you to use when you need it.
Private Cloud: A company builds its own cloud environment within its own data centre, so it has complete control over security, configuration settings, and data. This is well suited to running legacy applications and meeting strict compliance regulations. In return for that control, you must purchase, manage, and maintain the associated hardware and software. Choose this model if you want more control and don't mind the responsibility. It is like owning a car: you dictate how it is used, but you must also pay for it and keep it maintained.
Hybrid Cloud: A mixture of public and private clouds. Part of a workload runs in an on-premises data centre while the rest runs in the public cloud, giving you the benefits of both: agility, control, and cost savings. For example, sensitive data can remain in the private cloud while less critical applications run in the public cloud. It's like driving to the train station and then hopping onto the train.
TL;DR
Type | What It Is | Advantages | Analogy | When to Use |
---|---|---|---|---|
Public Cloud | Hosted on provider’s hardware | No maintenance, pay-as-you-go, scalable, easy to use | Public transport (bus/train) | When you don’t want to manage a data center |
Private Cloud | Built in your own data center | More control, supports legacy systems, good for compliance | Private vehicle (car/bike) | When you need control and can manage infrastructure |
Hybrid Cloud | Mix of public and private clouds | Flexible, use best of both models | Drive + train combo | When you want to balance control, cost, and flexibility |
1.5 Cloud Geography
1.5.1 Datacenter
- A datacenter is a physical building full of servers, networking gear, and storage.
- Microsoft owns and manages these buildings across the globe.
- Datacenters are the hardware foundation of the cloud.
1.5.2 Availability Zone (AZ)
- An Availability Zone is a physically separate datacenter within the same region.
- Each zone has independent power, cooling, and networking.
- Designed for high availability: if one zone fails, the others keep working.
- Not all regions have AZs, but regions with AZs have at least 3 zones.
1.5.3 Region
- A region is a geographic area where Microsoft has data centers.
- Example: East US, West Europe, Southeast Asia.
- Each region contains one or more datacenters.
- You choose a region to host your resources close to your users for better performance and compliance.
1.5.4 Region Pair (Azure specific)
- Microsoft pairs every region with another region (usually nearby).
- Used for disaster recovery and data backup.
- Ensures business continuity during major outages or disasters.
1.5.5 Geographies (Azure specific)
- A geography is a group of regions, grouped by country or continent.
- Helps with data residency, compliance, and sovereignty.
- Example: The "US" geography includes East US, West US, etc.
TL;DR
Term | What It Is | Key Notes |
---|---|---|
Datacenter | Physical building with servers, storage, and networking | Microsoft-owned; foundation of the cloud |
Availability Zone (AZ) | Separate datacenter within a region | Independent power/cooling/networking; high availability; not in all regions |
Region | Geographic area with one or more datacenters | You choose this to deploy resources; improves performance and compliance |
Region Pair | Two regions paired for disaster recovery | Enables backup, redundancy, and business continuity |
Geography | Group of regions within a country/continent | Ensures data residency, sovereignty, and legal compliance |
Datacenter < Availability Zone < Region < Region Pair < Geographies
1.6 Cloud Service Models and Shared Responsibility
1.6.1 Infrastructure as a Service (IaaS)
Infrastructure as a Service (IaaS) gives you virtual machines, storage, and networking over the internet. The cloud provider manages the physical infrastructure, but you take care of installing and managing the operating system, applications, and security. It’s useful for developers who need full control or when moving existing systems to the cloud (lift-and-shift). Think of it like renting a bare apartment — you bring your own furniture and belongings.
Use cases of IaaS
- Hosting websites or web apps.
- Running development and testing environments.
- Migrating existing on-premises servers to the cloud.
- Running databases or custom business applications.
1.6.2 Platform as a Service
Platform as a Service (PaaS) provides a ready-to-use platform to develop, test, and run applications without worrying about the underlying hardware or operating system. You just manage your code and data, and the provider takes care of the rest. It's perfect for building web apps quickly. Think of it like a furnished apartment — just bring your belongings and move in.
Use cases of PaaS
- Web App Hosting
- API Development and Management
- Database as a Service
- Application Development and Testing
1.6.3 Software as a Service
Software as a Service (SaaS) delivers fully functional software over the internet. You don’t worry about installation, updates, or maintenance. You simply log in and use it. Examples include email services like Gmail or collaboration tools like Microsoft 365. It’s like booking a hotel — everything is ready for you.
Use cases of SaaS
- Email and collaboration tools (e.g., Microsoft 365, Gmail)
- Customer Relationship Management (e.g., Salesforce)
- Project management (e.g., Trello, Asana)
- Office productivity (e.g., Google Docs, Word Online)
1.6.4 Function as a Service
Function as a Service (FaaS), also known as Serverless, lets you run small pieces of code triggered by events without managing any servers. You only focus on writing code, and it scales automatically. It’s great for automation, real-time file processing, and microservices. Think of it like a taxi — you only pay for the ride when you need it.
Use cases of FaaS
- Image or file processing on upload
- Real-time notifications or alerts
- Scheduled cleanup or automation tasks
- Event-driven microservices backend
1.6.5 Container as a Service
Container as a Service (CaaS) helps manage and run containerised applications. The provider handles orchestration tools like Kubernetes, while you manage the app code and container setup. It’s ideal for running scalable microservices and CI/CD pipelines. Think of it like a shipping yard — the provider manages the cranes and tracks, you just ship your containers.
Use cases of CaaS
- Deploy and manage microservices
- CI/CD pipeline automation
- Portable application workloads
- Scalable API backend using containers
1.6.6 Backend as a Service
Backend as a Service (BaaS) gives you ready-to-use backend tools like authentication, databases, and APIs. It’s great for building mobile or web apps quickly without setting up a whole backend. You just focus on the front end and user logic. Think of it like using LEGO blocks — you snap together prebuilt parts.
Use cases of BaaS
- Mobile app backend with authentication and DB
- Rapid MVP development
- Real-time chat or notifications
- Serverless API integration for frontend apps
TL;DR
Type | What You Get | You Manage | Provider Manages | When to Use | Examples |
---|---|---|---|---|---|
IaaS | Virtual machines, storage, networking | OS, apps, data, security | Hardware, virtualization, networking | Full control, custom apps, dev/test, migration | Azure VMs, AWS EC2 |
PaaS | A platform to build and run apps | Your apps and data | Infra, OS, runtime, middleware | Quick app development, APIs, web apps | Azure App Service, Google App Engine |
SaaS | Ready-to-use software | User settings and data | Everything (infra to software updates) | Email, CRM, docs, collaboration tools | Microsoft 365, Google Workspace |
FaaS/Serverless | Code runs on trigger, no server needed | Code and business logic | Infra, auto-scaling, runtime | Microservices, automation, event-based tasks | AWS Lambda, Azure Functions |
CaaS | Container management and scaling | Container code and config | Orchestration tools, networking, infra | Microservices, containers, CI/CD | AKS, Amazon EKS, GKE |
BaaS | Prebuilt backend services (auth, DB, etc.) | Frontend, user logic | Backend services, APIs, auth, DB | Quick backend for apps, MVPs, mobile/web dev | Firebase, Supabase, AWS Amplify |
2. Describe Azure Architecture and Services
2.1 Azure Compute Services
2.1.1 Azure Virtual Machine (IaaS)
An Azure VM is a virtualised operating system and the key example of Infrastructure as a Service (IaaS): Microsoft provides and manages the underlying physical servers, storage, and networking, while you, the user, control the virtual machine's operating system, applications, and data.
This means you don’t have to buy or maintain any hardware. You simply create, configure, and use the VM through the Azure portal or tools. You pay only for the resources you use, like CPU, memory, and storage.
Virtual Machine Scale Sets
- Allow you to create and manage a group of identical, load-balanced VMs.
- The number of VM instances can automatically increase or decrease in response to demand or based on a schedule
- Focus is scalability and capacity
Virtual Machine Availability Sets
- Help build a more resilient, highly available environment by staggering VM updates and ensuring varied power and network connectivity.
- This is achieved using two groupings:
  - Fault Domain: groups your VMs by common power source and network switch. By default, an availability set splits your VMs across up to three fault domains.
  - Update Domain: lets you apply updates knowing that only one update domain grouping will be offline at a time.
- Focus is resiliency and availability
Why use Azure VM?
- Flexibility: You can run any software or custom apps on the VM.
- Scalability: Easily increase or decrease resources based on your needs.
- Cost-effective: Avoid large upfront costs by paying only for what you use.
- Control: Full access to the VM’s OS and environment, like you own the server.
Example use cases:
- Hosting websites or web apps.
- Running development and testing environments.
- Migrating existing on-premises servers to the cloud.
- Running databases or custom business applications.
2.1.2 Azure Virtual Desktop (DaaS)
Azure Virtual Desktop (AVD) is a cloud-based desktop and app virtualisation service from Microsoft. It lets users access a Windows desktop environment remotely from anywhere, using any device.
- Microsoft manages the infrastructure and session management.
- You manage the virtual machines, apps, and user settings.
- It's a mix of IaaS and PaaS, commonly referred to as DaaS (Desktop as a Service).
- Ideal for remote work, secure access, and centralised management.
2.1.3 Azure Container Instances (PaaS)
Azure Container Instances (ACI) let you run containers without managing servers or VMs. It’s a quick and easy way to run a single container or a group of containers directly in the cloud.
- No VM management required: just define the container and Azure runs it.
- Fast startup; ideal for burst workloads, batch jobs, or testing.
- You only pay while the container runs.
- Use cases include short-lived tasks, data processing, and API microservices.
2.1.4 Azure Kubernetes Service (PaaS)
Azure Kubernetes Service (AKS) is a managed container orchestration service that uses Kubernetes to deploy, scale, and manage containerised applications.
- You manage containers, workloads, networking, and scaling.
- Azure manages the Kubernetes control plane (master nodes).
- It supports CI/CD, auto-scaling, and monitoring.
- Use cases include large-scale microservices apps, production workloads, and DevOps.
2.1.5 Azure App Service (PaaS)
Azure App Service is a Platform as a Service (PaaS) that lets you build, host, and scale web apps easily without managing infrastructure.
- You can deploy web apps, REST APIs, and mobile backends.
- Supports multiple languages like .NET, Java, Node.js, Python, PHP, and Ruby.
- Microsoft manages the servers, OS, scaling, and security patches.
- Built-in features include CI/CD, auto-scaling, custom domains, SSL, and authentication.
- You only manage your app code — not the server it's running on.
- Use cases include web apps, web APIs, web/mobile backends, and cron jobs.
2.1.6 Azure Serverless Services
Service | Information |
---|---|
Azure Logic Apps | A cloud service that helps you schedule, automate, and orchestrate tasks, business processes, and workflows. You can choose from a gallery of hundreds of pre-built connectors for Microsoft and third-party services. Logic Apps is the foundation for Power Automate (formerly Microsoft Flow). |
Azure Functions | An event-driven, compute-on-demand experience that extends the existing Azure application platform with capabilities to implement code triggered by events occurring in Azure as well as on-premises systems. |
Azure Event Grid | Enables you to easily manage events across many different Azure services and applications. Once a subscription is created, Event Grid pushes events to the configured destination. Makes it easy for any developer to use the "push" model instead of the inefficient "pull" across their serverless architecture. |
- Power Automate is designed for end users to automate personal or team workflows with a low-code interface.
- Azure Logic Apps is built for developers and IT pros to create enterprise-grade integration workflows with advanced capabilities and scalability.
2.2 Azure Network Services
Service | Information |
---|---|
Virtual Network (VNet) | A logical representation of your network in Azure. Provides isolation, supports hybrid connectivity (e.g., Site-to-Site VPN), and forms the backbone for deploying Azure resources. |
Subnet | Subdivides a VNet's address space into smaller segments. Enables resource grouping, traffic routing, and isolation of workloads. |
VPN Gateway (Site-to-Site VPN) | A secure, encrypted connection over the internet between an on-premises network and an Azure VNet. Essential for hybrid cloud setups. |
VNet Peering | Connects two or more VNets seamlessly, allowing resources to communicate across VNets with low latency and high bandwidth. |
ExpressRoute | Provides a private, high-speed connection from on-premises networks to Azure through a connectivity provider, bypassing the public internet. |
Azure DNS | A hosting service for DNS domains. Offers name resolution for both internal and external domains using Azure infrastructure. |
Service Endpoints | Secures access to an entire PaaS service from within a VNet, but the service is still addressed by its public endpoint rather than a private IP. |
Private Link / Private Endpoint | Maps a specific PaaS resource to a private IP within a VNet. Traffic stays entirely within the Microsoft backbone network, which makes it ideal for secure access from on-premises. |
2.3 Azure Network Security Services
Service | Information |
---|---|
Defense in Depth | A layered approach that does not rely on a single method to protect your environment. Incorporates multiple defensive mechanisms so that if one layer is bypassed, another is still in place. |
Network Security Groups (NSGs) | Contain rules to allow or deny inbound/outbound traffic to Azure resources. Rules can filter by source/destination IP, port, and protocol. |
Azure Firewall | A fully stateful, managed firewall service with built-in high availability and cloud scalability. It protects Azure Virtual Networks. |
Azure DDoS Protection | Azure DDoS Protection (Standard) offers enhanced mitigation against distributed denial-of-service attacks, with logging, alerting, and telemetry support. |
2.4 Azure Storage Services
Service | Information |
---|---|
Azure Blob Storage | Optimised for storing massive amounts of unstructured data such as text or binary content. Supports hot, cool, and archive access tiers. Ideal for backups, streaming, and serving documents or media files. |
Azure Files | Fully managed file shares accessible via SMB and NFS protocols. Suitable for cloud-based file storage, lift-and-shift applications, and on-premises integration using Azure File Sync. |
Azure Managed Disks | Managed block-level storage volumes used with Azure VMs. Available in Standard HDD/SSD, Premium SSD, and Ultra Disk. Designed for high availability, durability, and performance. |
Azure Table Storage | A service that stores structured NoSQL data in Azure, including a schemaless key/attribute store. |
Azure Queue Storage | A service for storing large numbers of messages, accessible from anywhere via authenticated HTTP or HTTPS calls. |
- Structured data contains rows and columns, such as an Excel spreadsheet or a relational database (e.g., MySQL, PostgreSQL).
- Unstructured data cannot be contained in a row-column database and has no associated data model (e.g., images, video files, social media posts).
2.5 Azure Storage Tiers
Azure Blob Storage offers hot, cool, cold and archive access tiers so that blob data can be stored cost-effectively according to how often it is accessed.
- Archive
  - An offline tier optimised for storing data that is rarely accessed and that has flexible latency requirements, on the order of hours.
  - Minimum storage duration: 180 days.
  - Lowest storage costs, but the highest access costs.
- Cold
  - An online tier optimised for storing data that is rarely accessed or modified, but still requires fast retrieval.
  - Minimum storage duration: 90 days.
  - Lower storage costs and higher access costs compared to Cool.
- Cool
  - An online tier optimised for storing data that is infrequently accessed or modified.
  - Minimum storage duration: 30 days.
  - Lower storage costs and higher access costs compared to Hot.
- Hot
  - An online tier optimised for storing data that is accessed or modified frequently.
  - Designed for fast storage and retrieval.
  - Highest storage costs, but the lowest access costs.
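The tier boundaries above map directly onto a blob lifecycle management rule. The rule below is an added example, not from the original post: it moves blobs down through the tiers on the minimum-retention boundaries (30, 90 and 180 days), so each blob sits in every tier at least as long as that tier's minimum before it is moved again. The rule name and the `backups/` container prefix are assumptions.

```json
{
  "rules": [
    {
      "enabled": true,
      "name": "tier-down-backups",
      "type": "Lifecycle",
      "definition": {
        "filters": {
          "blobTypes": [ "blockBlob" ],
          "prefixMatch": [ "backups/" ]
        },
        "actions": {
          "baseBlob": {
            "tierToCool": { "daysAfterModificationGreaterThan": 30 },
            "tierToCold": { "daysAfterModificationGreaterThan": 90 },
            "tierToArchive": { "daysAfterModificationGreaterThan": 180 },
            "delete": { "daysAfterModificationGreaterThan": 365 }
          }
        }
      }
    }
  ]
}
```

Applied at the storage account level, this keeps a blob in Cool for 60 days and in Cold for 90 days before archiving, and in Archive for 185 days before deletion, so none of the moves falls short of the minimum durations listed above.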
2.6 Azure Storage Redundancy Options
- LRS (Locally Redundant Storage): Copies your data three times within a single data center in one region.
- ZRS (Zone-Redundant Storage): Stores copies of your data across three different availability zones within one region.
- GRS (Geo-Redundant Storage): Replicates your data to a secondary region hundreds of miles away for disaster recovery.
- GZRS (Geo-Zone-Redundant Storage): Combines ZRS and GRS to replicate data across zones in one region and to another region for high durability.
With LRS and ZRS, redundancy is limited to the primary region only.
2.7 Azure Identity Services
Service | Information |
---|---|
Authentication vs Authorisation | Authentication (AuthN) verifies a user's identity, while Authorisation (AuthZ) determines what actions or resources the authenticated user is allowed to access. |
Microsoft Entra ID (formerly Azure Active Directory) | A cloud-based identity and access management system by Microsoft. It allows users to sign in and access both internal tools (like apps on a company network) and external resources (like Microsoft 365, the Azure portal, and third-party SaaS apps). |
2.8 Azure Authorisation Methods
Method | Information |
---|---|
Single Sign-On (SSO) | Lets users sign in once and access multiple apps without needing to log in again. This approach is called "modern authentication." |
Multi-Factor Authentication (MFA) | Adds extra security by requiring two or more types of authentication: something you know (like a password), something you have (like a device), or something you are (like a fingerprint). |
Microsoft Authenticator | A mobile app used to log in to Entra ID accounts. It also works for verifying identity during password resets or MFA checks. Available on Android and iOS. |
Conditional Access | Used by Entra ID to bring signals together, make decisions, and enforce organisational policies. |
Windows Hello for Business | A built-in Windows feature that replaces passwords with strong two-factor authentication, supporting Microsoft, Active Directory and Entra ID accounts, and FIDO2-compatible services. |
Azure RBAC | Azure RBAC helps you manage who has access to Azure resources, what they can do with those resources, and which resources/areas they have access to. Built on Azure Resource Manager, it provides fine-grained access management of Azure resources. |
OATH Tokens | Follow an open standard to generate one-time passcodes (OTP). Can be software-based (apps using a secret key from Entra ID) or hardware-based (devices like key fobs that refresh codes every 30–60 seconds). |
FIDO2 / Passwordless | Uses public-key cryptography and a physical device (like a USB security key or NFC card) to sign in without a password. |
2.8.1 External Identities
B2B collaboration
Let external users sign into your apps using their own Entra ID or social accounts. Ideal for integrating partners with minimal setup.
B2B direct connect
Create direct, two-way trust relationships with other Entra ID organizations for ongoing, secure collaboration with trusted partners.
Business-to-Consumer (B2C)
Let customers access your apps using Entra ID B2C. Supports both Entra ID and social logins for identity and access management.
Entra ID multi-tenant organization
Link and manage multiple tenants in a single Entra ID setup using cross-tenant sync. Great for large enterprises, testing environments, or mergers.
2.8.2 Zero Trust
Zero Trust is a security concept and framework that assumes no user or device, inside or outside the network, should be trusted by default. Instead, every access request must be verified before granting permission, regardless of the user’s location.
- Verify explicitly: Always authenticate and authorize based on all available data points (user identity, location, device health, etc.).
- Use least privilege access: Limit user access with just enough permissions to perform their tasks.
- Assume breach: Design systems assuming attackers may already be inside the network, so continuous monitoring and validation are required.
2.9 Azure Governance Features
Microsoft Defender for Cloud is a unified infrastructure security management system that strengthens the security posture of your cloud and on-premises data centres. It provides security guidance for compute, data, network, storage, app, and other services.
- Multi-cloud support: covers both Azure and on-premises workloads, as well as other public clouds (AWS, GCP).
3. Describe Azure Management and Governance
3.1 Azure Management Groups and Sub-services
Service | Information |
---|---|
Management Group | Provides a level of scope above subscriptions. Each directory is given a single top-level management group called the "Root" management group. |
Subscription | A logical container used to provision resources in Azure. Used for different payment methods or to isolate resources between departments, projects, etc. |
Resource Group | A container that holds related resources for an Azure solution. Used to group resources that share a common lifecycle. |
Resource | An entity managed by Azure, like a virtual machine, virtual network, or storage account. |
3.2 Azure Cost Management
Service | Information |
---|---|
Factors that affect cost | Factors that can affect Azure resource costs include resource types, services, locations, and ingress and egress traffic. |
Factors that reduce cost | Factors that can reduce costs include reserved instances, reserved capacity, Azure Hybrid Benefit, and spot pricing. |
Reserved Instances | Reserve virtual machines in advance and save up to 72 percent compared to pay-as-you-go pricing with a 1-year or 3-year commitment. |
Reserved Capacity | Achieve significant savings on Azure SQL Database, Azure Cosmos DB, Azure Synapse Analytics and Azure Cache for Redis. Makes it easier to manage costs across predictable and variable workloads and helps optimise budgeting and forecasting. |
Azure Hybrid Benefit | A licensing benefit that helps you significantly reduce the cost of running your workloads in the cloud. Lets you use your on-premises Software Assurance-enabled Windows Server and SQL Server licences on Azure. |
Spot Virtual Machines | Access unused Azure compute capacity at deep discounts, up to 90 percent compared to pay-as-you-go prices. |
Pricing Calculator | Interactive calculator that allows you to estimate expected monthly Azure costs. Choose regions, services, options, and SKUs. |
Total Cost of Ownership (TCO) Calculator | A tool that helps estimate the cost savings you can achieve by migrating application workloads to Azure. Allows you to compare the TCO of different Azure services and regions and provides a detailed breakdown of component costs and potential savings. |
Microsoft Cost Management | A suite of tools provided by Microsoft that help you analyse, manage, and optimise the costs of your workloads after you deploy. |
Tags | A name and value pair used to organise Azure resources, resource groups, and subscriptions into a logical taxonomy. Tags can be the basis for applying business policies or tracking costs. You can also enforce tagging rules with Azure Policy. |
3.3 Azure Governance Features
3.3.1 Basics of Governance
3.3.1.1 Azure Policy
Azure Policy helps you enforce rules and effects over your resources so they stay compliant with your corporate standards.
- Example: You can create a policy to allow only certain VM sizes or enforce the use of tags on resources.
- Policies can audit, deny, or modify resource properties.
- Policies are evaluated continuously and automatically.
3.3.1.2 Initiative (Policy Set)
An Initiative is a collection of Azure policies grouped together to achieve a broader goal or compliance requirement.
- Example: You can create an initiative to meet ISO 27001 compliance by grouping multiple relevant policies.
- Initiatives make it easier to manage and assign many policies at once.
3.3.1.3 Azure Blueprints
Azure Blueprints allow you to orchestrate the deployment of resource templates, role assignments, policy assignments, and resource groups as a single package.
- Ideal for standardising environments (like dev, test, and production) across subscriptions.
- Blueprints can include:
  - ARM templates (for deploying infrastructure)
  - Policy assignments
  - Role-Based Access Control (RBAC) role assignments
  - Resource groups
TL;DR
Feature | Purpose |
---|---|
Policy | Enforce individual rules (e.g., tags, location) |
Initiative | Group multiple policies together |
Blueprint | Package policies, roles, and templates for environment setup |
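Added example (not from the original post): a toy evaluator for a small subset of Azure Policy's rule language, showing how a policy's if-condition and deny effect combine, and how an initiative is just a set of policies assigned together. The two policy definitions, the allowed VM size list and the sample resources are constructed for this example, and the evaluator is a simplified model of the real engine (for instance, it looks fields up in a flat dict rather than resolving aliases against the full resource).

```python
# Two policy definitions in Azure Policy's JSON shape (constructed for this
# example; the alias and the tags['name'] field syntax are real Azure syntax).
ALLOWED_VM_SIZES = {
    "name": "allowed-vm-sizes",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                     "in": ["Standard_B2s", "Standard_D2s_v3"]}}]},
        "then": {"effect": "deny"}}}
REQUIRE_ENV_TAG = {
    "name": "require-environment-tag",
    "policyRule": {
        "if": {"field": "tags['environment']", "exists": "false"},
        "then": {"effect": "deny"}}}
# An initiative (policy set) is the group of policies assigned together.
BASELINE_INITIATIVE = [ALLOWED_VM_SIZES, REQUIRE_ENV_TAG]

def _lookup(resource, field):
    """Resolve a policy field. Simplification: the sample resource dict is keyed
    directly by alias string; the real engine resolves aliases to properties."""
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[6:-2])
    return resource.get(field)

def matches(cond, resource):
    """Evaluate one condition: a logical operator or a field comparison."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = _lookup(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "in" in cond:
        return value in cond["in"]
    if "exists" in cond:  # Azure writes this boolean as the string "true"/"false"
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(initiative, resource):
    """Names of policies in the initiative whose deny effect blocks the resource;
    an empty list means the resource is compliant with the whole set."""
    return [p["name"] for p in initiative
            if matches(p["policyRule"]["if"], resource)
            and p["policyRule"]["then"]["effect"] == "deny"]
```

A storage account is untouched by the VM-size rule but still denied when its environment tag is missing, which is the point of grouping both rules into one initiative.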
3.3.2 Azure Governance Services
Service | Information |
---|---|
Microsoft Purview | A unified data governance service that helps organisations manage and govern their on-premises, multi-cloud, and SaaS data. Automates data discovery by providing data scanning and classification for assets across the organisation's data estate. |
Resource locks | Prevent other users in your organisation from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have. |
3.4 Azure Management Tools
Service | Information |
---|---|
Azure portal | A web-based, unified console where you can manage your Azure subscription using a graphical user interface. |
Azure Cloud Shell | An interactive, authenticated, browser-accessible shell for managing Azure resources. It includes both Bash and PowerShell options. |
Azure PowerShell | A set of cmdlets for managing Azure resources directly from the PowerShell command line. |
Azure mobile app | App for iOS and Android that enables managing, tracking health and status, and troubleshooting your Azure resources. |
Azure CLI | The Azure command-line interface (Azure CLI) is a set of commands used to create and manage Azure resources. Available on Windows, macOS, Linux, Docker, and Azure Cloud Shell. |
ARM templates | A JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. Templates use declarative syntax and are idempotent, which means you can deploy many times and get the same resources and state. Used in deployment automation as infrastructure as code. |
Azure Arc | Provides a consistent development, operations, and security model to run applications on new and existing hardware. Simplifies governance and management by delivering a consistent multi-cloud and on-premises management platform. |
Azure Resource Manager | Provides a management layer that enables you to create, update, and delete resources in your Azure account. |
Infrastructure as code (IaC) | The management of infrastructure (networks, VMs, load balancers, and connection topology) described in code. Just as the same source code generates the same binary, code in the IaC model results in the same environment every time it is applied. IaC is a key DevOps practice and is used in conjunction with continuous integration and continuous delivery (CI/CD). |
3.5 Azure Monitoring Tools
Service | Information |
---|---|
Azure Advisor | Scans your Azure configuration and recommends changes to optimise deployments, increase security, and save you money. Analyses the configuration of the resources deployed in your Azure subscriptions. |
Azure Monitor | A service that collects monitoring telemetry from a variety of on-premises and Azure sources. Can monitor resources like apps, VMs, guest OS, containers, DBs, security, and network events. Azure Monitor aggregates and stores this telemetry in an Azure Log Analytics instance. |
Azure Monitor alerts | A proactive way to detect and address issues before they become critical. You can create alerts on any metric or log data source in the Azure Monitor data platform. Types include metric, log, activity, service health, resource health, smart detection, and Prometheus. |
Application Insights | An extension of Azure Monitor that provides application performance monitoring (APM) features. Application Insights monitors the availability, performance, and usage of your web applications. |
Azure Service Health | Notifies you about Azure service incidents and planned maintenance so you can take action to mitigate downtime. |