blog > az9002024-describe-azure-architecture-and-services-35-40

AZ900:2024 Describe Azure architecture and services (35–40%)

by Yashlin Naidoo
Published on: 2/26/2024


This blog is part of a 3 part series covering the 2024 AZ900 study guide. While there is tremendous value in going through this blog even if you are not writing the exam , please be aware that the content is centered around the exam.

As with any exam , the curriculum and the course content will evolve over time , please pay attention to when this blog was written and take into account that the exam and its content may have changed.

At time of writing , you can find the official study guide here:

Study guide for Exam AZ-900: Microsoft Azure Fundamentals

Describe the core architectural components of Azure

  • Describe Azure regions, region pairs, and sovereign regions
  • Describe availability zones
  • Describe Azure datacenters
  • Describe Azure resources and resource groups
  • Describe subscriptions
  • Describe management groups
  • Describe the hierarchy of resource groups, subscriptions, and management groups

Azure Regions, Region Pairs, and Sovereign Regions

  • Azure Regions: An Azure region is a set of data centre’s deployed within a latency-defined perimeter and connected through a dedicated regional low-latency network. This geographic location within a country allows users to place their resources close to their users to meet data residency, compliance, and efficiency requirements.
  • Region Pairs: Each Azure region is paired with another region within the same geography (such as the US, Europe, or Asia) at least 300 miles away. This approach allows for the replication of resources for backup and disaster recovery purposes while maintaining data residency requirements.
  • Sovereign Regions: Azure also operates sovereign regions for governments or countries with specific regulatory or compliance needs. Examples include Azure Government in the United States, Azure China operated by 21Vianet, and Azure Germany.

Availability Zones

Availability Zones are physically separate locations within an Azure region. Each zone is made up of one or more datacentre’s equipped with independent power, cooling, and networking. Availability Zones are designed to provide high availability by protecting applications and data from datacentre failures. They are suitable for building highly available applications within a single region.

Azure Datacentre’s

Azure datacentre’s are the foundational physical infrastructure where all Azure services are hosted. These datacentre’s are strategically located around the world and are designed to be secure, highly available, and sustainable. They house the servers, storage devices, networking equipment, and other components necessary to support cloud services.

Azure Resources and Resource Groups

  • Azure Resources: An Azure resource is an individual component of Azure services, such as a virtual machine, storage account, or SQL database. Resources are instances of services that you create to perform tasks.
  • Resource Groups: A resource group is a container that holds related resources for an Azure solution. The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. It helps organize and manage resources as a single entity, based on lifecycle, permissions, or other criteria.


A subscription is a logical container used to manage access, billing, and the provision of resources. Users or organizations can have multiple subscriptions, and each subscription can have different billing and access management settings. Subscriptions act as a boundary for billing and resource management.

Management Groups

Management groups allow for efficient governance and management of multiple Azure subscriptions. They are containers that help you manage access, policy, and compliance across subscriptions. A management group can contain multiple subscriptions, and you can have a hierarchy of management groups to organize your subscriptions more effectively.

Hierarchy of Resource Groups, Subscriptions, and Management Groups

The hierarchy starts with the management group at the top level. Under management groups, you can have multiple subscriptions, which serve as containers for billing and resource management. Within each subscription, you can create one or more resource groups to organize resources. This hierarchical structure allows for scalable management and governance across large sets of resources and services within Azure. It enables the application of policies, access controls, and compliance settings at different levels (management group, subscription, resource group) for efficient administration and operation of Azure resources.

Describe Azure compute and networking services

  • Compare compute types, including containers, virtual machines, and functions
  • Describe virtual machine options, including Azure virtual machines, Azure Virtual Machine Scale Sets, availability sets, and Azure Virtual Desktop
  • Describe the resources required for virtual machines
  • Describe application hosting options, including web apps, containers, and virtual machines
  • Describe virtual networking, including the purpose of Azure virtual networks, Azure virtual subnets, peering, Azure DNS, Azure VPN Gateway, and ExpressRoute
  • Define public and private endpoints

Compare Compute Types

  • Containers: Containers offer a lightweight, efficient method of virtualization. They allow you to package your application and its dependencies into a container image, which can run consistently across any environment. Azure Container Instances (ACI) and Azure Kubernetes Service (AKS) are Azure’s primary container services, offering scalability and management of containerized applications.
  • Virtual Machines (VMs): VMs are software emulations of physical computers. They provide a more traditional way of application hosting, offering the flexibility of virtualizing your hardware, OS, and applications. Azure VMs are ideal for applications that require full control over the environment.
  • Functions: Azure Functions is a serverless compute service that lets you run event-triggered code without explicitly provisioning or managing infrastructure. It is ideal for small pieces of code or operations that need to scale in response to demand or events automatically.
  • Azure Logic Apps: Azure Logic Apps is a cloud platform designed for creating and running automated workflows with minimal coding. It allows integration and management of apps, data, services, and systems across various environments. By leveraging a visual designer and prebuilt operations, users can swiftly construct workflows for automating tasks, business processes, and workloads

Virtual Machine Options

  • Azure Virtual Machines: Provides scalable compute resources on demand, allowing you to run Windows Server and Linux virtual machines in the cloud.
  • Azure Virtual Machine Scale Sets (VMSS): These are used to deploy and manage a set of identical, auto-scaling VMs. VMSS allows your application to scale out and in as demand changes, without manual intervention.
  • Availability Sets: Designed to ensure that VMs are deployed across multiple isolated hardware nodes in a cluster, making sure that if a hardware or software failure within Azure occurs, only a subset of your VMs is impacted.
  • Azure Virtual Desktop: A desktop and app virtualization service running in the cloud. It allows you to set up a scalable and flexible environment to deliver desktops and applications to users.

Resources Required for Virtual Machines

To run a virtual machine in Azure, you typically need:

  • Compute resources: CPU and memory allocation.
  • Storage: Disk storage for the VM’s operating system and additional data storage.
  • Networking: A virtual network (VNet) for the VM to connect to, along with an IP address, and optionally, a domain name system (DNS) setting for name resolution.

Application Hosting Options

  • Web Apps: Azure App Service is a fully managed platform for building, deploying, and scaling web apps. It supports multiple languages and frameworks and offers auto-scaling and integrated CI/CD pipelines.
  • Containers: Containers can be hosted on Azure Container Instances for simple applications or Azure Kubernetes Service for orchestration and management of containers at scale.
  • Virtual Machines: For applications requiring specific OS configurations, dedicated resources, or custom hosting environments, VMs provide the most control and flexibility.

Virtual Networking

  • Azure Virtual Networks (VNets): Provides isolation and segmentation of the network in Azure, allowing you to securely connect Azure resources to each other.
  • Subnets: Within a VNet, subnets allow you to segment the network further and allocate a portion of the VNet’s IP address range to specific resources. Subnets is part of network security
  • Peering: Connects two VNets, enabling resources in one VNet to communicate with resources in another VNet, either within the same Azure region or across Azure regions.
  • Azure DNS: Provides domain name system services to Azure resources, translating domain names to IP addresses.
  • Azure VPN Gateway: Enables secure connectivity between an Azure VNet and your on-premises network over the internet.
  • ExpressRoute: Provides a private, dedicated, high-throughput network connection between your on-premises infrastructure and Azure datacenters.

Public and Private Endpoints

  • Public Endpoints: These are accessible over the internet, allowing services to be accessed globally. They are associated with a public IP address.
    • Private Endpoints: Connect to Azure services securely from within a VNet using a private IP address, ensuring that data is not exposed to the public internet.

Network Security Groups

A basic way to protect an Azure Virtual Network subnet is through the use of Network Security Groups (NSGs). NSGs act as a firewall for your subnets, allowing you to define inbound and outbound security rules that control traffic to and from resources in a Virtual Network subnet. These rules can specify allowed or denied traffic based on source and destination IP addresses, ports, and protocols.

Azure DDoS Protection

Azure DDoS Protection offers two types of DDoS protection services:

  • Network Protection protects against volumetric attacks that target the network infrastructure. This type of protection is available for all Azure resources that are deployed in a virtual network.
  • IP Protection protects against volumetric and protocol-based attacks that target specific public IP addresses. This type of protection is available for public IP addresses that are not deployed in a virtual network.

Describe Azure storage services

  • Compare Azure Storage services
  • Describe storage tiers
  • Describe redundancy options
  • Describe storage account options and storage types
  • Identify options for moving files, including AzCopy, Azure Storage Explorer, and Azure File Sync
  • Describe migration options, including Azure Migrate and Azure Data Box

Compare Azure Storage Services

  • Azure Blob Storage: Designed for storing large amounts of unstructured data, such as text or binary data, which can be accessed from anywhere in the world via HTTP or HTTPS.
  • Azure File Storage: Offers fully managed file shares in the cloud that are accessible via the industry-standard Server Message Block (SMB) protocol. Ideal for lift-and-shift scenarios for legacy applications that rely on file shares.
  • Azure Queue Storage: Provides messaging for workflow processing and for communication between components of cloud services.
  • Azure Table Storage: A NoSQL data store for semi-structured data. It’s ideal for storing large volumes of data without the need for a complex relational database.
  • Azure Disk Storage: Provides high-performance, durable block storage for Azure Virtual Machines. You can choose between SSD and HDD options depending on your performance and pricing needs.

Storage Tiers

  • Hot: Optimized for storing data that is accessed frequently.
  • Cool: A lower-cost tier for data that is infrequently accessed and stored for at least 30 days.
  • Archive: The lowest-cost tier for data that is rarely accessed and stored for at least 180 days with flexible latency requirements.

Redundancy Options

  • Locally-redundant storage (LRS): Stores three copies of data within a single data center.
  • Zone-redundant storage (ZRS): Spreads data across multiple data centers within or across regions to protect from data center failures.
  • Geo-redundant storage (GRS): Replicates data to a secondary region, far away from the primary region, providing higher levels of durability.
  • Geo-zone-redundant storage (GZRS): Combines the high availability of ZRS with the protection of GRS by spreading replicas across multiple data centers in the primary region and replicating to a secondary region.

Storage Account Options and Storage Types

  • General-purpose v2 accounts (GPv2): Offer the latest features and support all the data objects available in Azure Storage, including blobs, files, queues, and tables.
  • Blob storage accounts: Specialized for storing blob data and offer unique performance and pricing models.
  • Premium storage accounts: Provide high-performance storage for VM disks, supporting only block blobs and append blobs on the Blob service.

Options for Moving Files

  • AzCopy: A command-line utility designed for copying data to/from Azure Blob, File, and Table storage, optimized for performance and reliability.
  • Azure Storage Explorer: A graphical tool for managing Azure Storage, including blobs, files, queues, and tables, allowing users to upload, download, and manage data across subscriptions.
  • Azure File Sync: Syncs your on-premises file servers with Azure Files, providing cloud benefits while maintaining performance and compatibility of a local file server.

Migration Options

  • Azure Migrate: Provides a centralized hub to assess and migrate to Azure on-premises servers, infrastructure, applications, and data.
  • Azure Data Box: Physical devices for transferring large amounts of data to Azure. Ideal for scenarios where uploading data over the internet is too slow or not feasible.

Describe Azure identity, access, and security

  • Describe directory services in Azure, including Microsoft Entra ID and Microsoft Entra Domain Services
  • Describe authentication methods in Azure, including single sign-on (SSO), multi-factor authentication (MFA), and passwordless
  • Describe external identities in Azure, including business-to-business (B2B) and business-to-customer (B2C)
  • Describe Microsoft Entra Conditional Access
  • Describe Azure role-based access control (RBAC)
  • Describe the concept of Zero Trust
  • Describe the purpose of the defense-in-depth model
  • Describe the purpose of Microsoft Defender for Cloud

Directory Services in Azure

  • Microsoft Entra Identity Directory (formerly Azure Active Directory or Azure AD): This is a cloud-based identity and access management service, enabling employees to sign in and access resources
  • Microsoft Entra Domain Services: Offers domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory. This allows you to migrate legacy directory-aware applications running on-premises to Azure, without needing to manage a domain controller.

Microsoft Entra Identity Directory

Microsoft Entra Identity Directory offers various licenses to cater to different organizational needs, including:

  1. Free: Provides user and group management, on-premises directory synchronization, basic reports, and self-service password change for cloud users.
  2. Office 365 apps: Comes with Office 365 subscriptions, offering similar capabilities as Azure AD Free, with some additional features specific to Office 365 services.
  3. Premium P1: Offers advanced features like self-service password reset with AD write-back, conditional access, Group-based access management, and more.
  4. Premium P2: Includes all features of P1 with the addition of Azure AD Identity Protection, Privileged Identity Management (PIM), and Access Reviews

Authentication Methods in Azure

  • Single Sign-On (SSO): Allows users to log in once and access a range of applications and services without having to log in again for each service.
  • Multi-Factor Authentication (MFA): Adds an additional layer of security by requiring two or more verification methods to verify the user’s identity before granting access to resources.
  • Passwordless Authentication: Enables users to access applications and services without the need for a password. This can be achieved through methods like biometrics, security tokens, or SMS/email verification codes.

External Identities in Azure

  • Business-to-Business (B2B): Allows secure sharing of your company’s applications and services with guest users from any other organization while maintaining control over your own corporate data.
  • Business-to-Customer (B2C): A customer identity access management solution that provides business-facing customer applications a scalable and secure user authentication, self-service registration, user profiling, and identity protection.

Microsoft Entra Conditional Access

This is a tool within Microsoft Entra Identity Directory that enables you to implement automated access control decisions for accessing your cloud apps based on conditions. It helps secure organizational resources by ensuring that only the right people under the right conditions can access your apps and data.

Azure Role-Based Access Control (RBAC)

Azure RBAC is a method to manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. RBAC ensures that only authorized users can perform certain actions, such as read, write, or delete access to specific resources.

The Concept of Zero Trust

Zero Trust is a security model that assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches “never trust, always verify.” It is centered around the principle of least privileged access and requires verifying who is requesting access, the context of the request, and the risk of the access environment.

The Purpose of the Defense-in-Depth Model

This is a layered approach to security that uses multiple security measures to protect the integrity of information. It aims to provide redundancy in case one system fails or is breached by an attacker. This model is based on the military principle that it’s more difficult for an enemy to beat a multilayered defence system than to penetrate a single barrier.

The Purpose of Microsoft Defender for Cloud

Formerly known as Azure Security Center, Microsoft Defender for Cloud is a tool that provides unified security management and advanced threat protection across hybrid cloud workloads. It helps you strengthen your security posture, protect against threats, and streamline security management without compromising on speed and efficiency. It integrates with a wide range of Azure services to offer a comprehensive security solution for cloud resources.


Yashlin Naidoo

Location Icon
Cascades Office Park, Wasbank St,
Little Falls,
Roodepoort, 1724,
Gauteng, South Africa
Runninghill Logo
Stay connected
LinkedinX platformFacebook