AZ-900

Microsoft Azure Fundamentals

40–60 questions · 60 minutes · Pass at 700/1000 · $165 USD

  • 60+ Regions: more than any other cloud provider
  • 3+ per region Availability Zones: fault-isolated data centers
  • 200+ Services: compute, AI, storage, security, and more
  • 90+ Compliance: industry certifications worldwide

Domain 1 of 3

Cloud Concepts

25–30% of exam

Benefits of Cloud Services

  • High availability — SLA-backed uptime guarantees (Azure VMs: 99.9%–99.99% depending on config)
  • Scalability — vertical (scale up: bigger VM) and horizontal (scale out: more VMs)
  • Reliability and predictability — fault tolerance, disaster recovery, redundant infrastructure
  • Security — physical security, network controls, identity management
  • Governance — policy enforcement, compliance, auditing
  • Manageability — Azure Portal, CLI, PowerShell, REST API, ARM templates
  • CapEx vs OpEx — cloud converts capital expenses to operational expenses
  • Consumption-based model — pay only for what you use

Cloud Service Types

  • IaaS — most control; you manage OS, middleware, runtime, data, apps. Azure: Virtual Machines, VNet
  • PaaS — focus on your app; Azure manages OS, runtime, middleware. Azure: App Service, Azure SQL Database
  • SaaS — use the software as-is; Azure manages everything. Examples: Microsoft 365, Dynamics 365
  • Serverless (subset of PaaS) — event-driven, no server management. Azure: Azure Functions, Logic Apps

Cloud Deployment Models

  • Public Cloud — resources owned and operated by Microsoft (Azure); shared hardware, multi-tenant
  • Private Cloud — cloud infrastructure operated exclusively by a single organization; on-premises or colocation
  • Hybrid Cloud — combines public and private cloud; connected via Azure VPN Gateway or ExpressRoute
  • Multi-Cloud — using Azure + another provider (AWS, GCP) for different workloads

Domain 2 of 3

Azure Architecture & Services

35–40% of exam

Core Architectural Components

  • Azure Regions — 60+ regions worldwide; each region has 1+ data centers; choose region close to users
  • Region Pairs — most regions are paired for disaster recovery (East US ↔ West US)
  • Availability Zones — physically separate data centers within a region; protection from data center failure
  • Resource Group — logical container for Azure resources; organize by project, environment, or lifecycle
  • Azure Subscription — billing and access control boundary; one account can have many subscriptions
  • Management Groups — group subscriptions for policy and access control across your organization
  • Azure Resource Manager (ARM) — management layer for all Azure resources; handles RBAC, locks, tags

Compute Services

  • Azure Virtual Machines — IaaS; choose OS, size, region; you manage OS patches and software
  • VM Scale Sets — auto-scale group of identical VMs; built-in load balancing
  • Azure App Service — PaaS for web apps, APIs, and mobile backends; supports .NET, Node, Python, Java, PHP
  • Azure Container Instances (ACI) — run containers without managing VMs; serverless containers
  • Azure Kubernetes Service (AKS) — managed Kubernetes; Microsoft manages the control plane
  • Azure Functions — serverless event-driven code; triggers include HTTP, timer, queue, blob, Cosmos DB
  • Azure Logic Apps — low-code workflow automation; integrate services with connectors
  • Azure Virtual Desktop — cloud-hosted Windows desktop and apps; remote work solution

Storage Services

  • Azure Blob Storage — unstructured object storage; Hot (frequent), Cool (infrequent, 30-day min), Cold (90-day min), Archive (180-day min) tiers
  • Azure Files — fully managed SMB/NFS file shares; mount to Windows, Linux, macOS
  • Azure Queue Storage — store millions of messages for async processing
  • Azure Table Storage — NoSQL key-value store; schemaless; good for structured non-relational data
  • Azure Disk Storage — block storage for VMs; Managed Disks handle replication automatically
  • Azure Data Lake Storage Gen2 — Blob Storage optimized for analytics workloads; hierarchical namespace
  • Storage redundancy: LRS (local, 3 copies in 1 DC), ZRS (3 AZs), GRS (region + paired region), GZRS (ZRS + GRS)

Networking

  • Azure Virtual Network (VNet) — your private network in Azure; subnets, IP ranges, routing
  • Network Security Groups (NSGs) — firewall rules at subnet or NIC level; allow/deny inbound and outbound
  • Azure Load Balancer — distribute traffic across VMs; Layer 4 (TCP/UDP); internal or public
  • Azure Application Gateway — Layer 7 load balancer; SSL termination, URL routing, WAF integration
  • Azure VPN Gateway — encrypted VPN connection between Azure VNet and on-premises
  • Azure ExpressRoute — dedicated private connection to Azure; not over public internet; higher reliability
  • Azure DNS — host your DNS domains in Azure; ultra-low latency, high availability
  • Azure CDN — content delivery network; cache content at edge for low latency
  • Azure Traffic Manager — DNS-based traffic routing; failover, performance, weighted, geographic policies
  • Azure Front Door — global load balancing + CDN + WAF in one service; Layer 7
  • Azure Bastion — secure RDP/SSH to VMs without exposing public IP addresses

Identity & Security

  • Microsoft Entra ID (formerly Azure AD) — cloud identity and access management; users, groups, apps
  • Azure RBAC — role-based access control; Owner, Contributor, Reader + 100s of built-in roles
  • Multi-Factor Authentication (MFA) — second verification factor; always enable for admins
  • Conditional Access — grant/block access based on conditions (user, location, device, risk)
  • Zero Trust — verify explicitly, use least privilege, assume breach
  • Microsoft Defender for Cloud — unified security management; security posture + threat protection
  • Azure Key Vault — store and manage secrets, keys, and certificates; HSM backing available
  • Azure DDoS Protection — Basic (free, automatic) and Standard (enhanced, with cost)
  • Microsoft Sentinel — cloud-native SIEM and SOAR; collect, detect, investigate, respond
  • Azure Policy — enforce organizational standards; audit non-compliant resources; auto-remediation

Domain 3 of 3

Azure Management & Governance

30–35% of exam

Management Tools

  • Azure Portal — web-based GUI; manage all resources visually
  • Azure CLI — cross-platform command-line tool; runs on Windows, macOS, Linux
  • Azure PowerShell — PowerShell module for managing Azure resources; preferred on Windows
  • Azure Cloud Shell — browser-based shell (Bash or PowerShell); no installation needed
  • ARM Templates — JSON-based IaC; declare desired state of Azure resources
  • Bicep — simplified DSL for ARM templates; cleaner syntax, same capabilities
  • Azure Arc — extend Azure management to on-premises servers, Kubernetes, and other clouds

Cost Management

  • Azure Pricing Calculator — estimate cost before deploying resources
  • Azure Cost Management + Billing — analyze, monitor, and optimize Azure spending
  • Azure Budgets — set spending thresholds; receive alerts; auto-action to stop resources
  • Azure Reservations — commit to 1 or 3 years for up to 72% savings on VMs, SQL, Cosmos DB
  • Azure Spot VMs — use unused Azure capacity at deep discounts; can be evicted with 30-second notice
  • Azure Hybrid Benefit — use existing Windows Server or SQL Server licenses on Azure; save up to 85%
  • Total Cost of Ownership (TCO) Calculator — compare on-premises vs Azure costs
  • Factors affecting cost: resource type, consumption, maintenance, geography, network traffic, subscription type, marketplace

Governance & Compliance

  • Azure Policy — define rules resources must follow; built-in policies for common requirements
  • Resource Locks — prevent accidental deletion or modification; CanNotDelete or ReadOnly
  • Azure Blueprints — package of policies, roles, and ARM templates; deploy governed environments consistently
  • Microsoft Purview — unified data governance; data catalog, data classification, compliance management
  • Azure compliance offerings — HIPAA, PCI DSS, SOC 1/2/3, ISO 27001, FedRAMP, GDPR
  • Trust Center — learn about Microsoft security, privacy, and compliance practices
  • Service Trust Portal — download compliance reports, audit results, and Microsoft security documents

Monitoring

  • Azure Monitor — platform for collecting, analyzing, and acting on telemetry from Azure resources
  • Azure Log Analytics — query and analyze log data using KQL (Kusto Query Language)
  • Application Insights — APM tool; monitor live apps, detect anomalies, diagnose performance issues
  • Azure Service Health — personalized alerts for Azure service issues, planned maintenance, and advisories
  • Azure Advisor — personalized best practice recommendations: Cost, Security, Reliability, Performance, Operational Excellence

Exam Tips

  • Understand the management hierarchy: Management Groups → Subscriptions → Resource Groups → Resources. Know why each level exists.
  • Microsoft Entra ID (Azure AD) handles identity. Azure RBAC handles resource access. They are separate — know the difference.
  • Know Azure Storage tiers: Hot, Cool, Cold, Archive. Know the minimum retention days for each tier.
  • Azure Reservations, Hybrid Benefit, and Spot VMs are the three main cost savings mechanisms. Know when each makes sense.
  • Zero Trust means verify explicitly, use least privilege, and assume breach. Conditional Access enforces it in Entra ID.
  • Azure Policy enforces rules on resources. Azure Blueprints packages policies, roles, and templates for governed environments. Know the difference.