Domain 1
Cloud Concepts (25–30%)
This domain is mostly definitions and mental models. If you understand why companies move to cloud (OpEx vs CapEx, no upfront hardware) and can explain IaaS/PaaS/SaaS with examples, you'll be fine here.
| Term | What it means | Azure example or exam note |
|---|---|---|
| IaaS | You manage OS, runtime and up — cloud manages physical hardware | Azure Virtual Machines |
| PaaS | You manage just your app and data, everything else is handled | App Service, Azure SQL Database |
| SaaS | You just use the software, nothing to manage | Microsoft 365, Dynamics 365 |
| Public cloud | Infrastructure owned and operated by a cloud provider, shared across customers | Azure is a public cloud |
| Private cloud | Cloud infrastructure used exclusively by one organization | On-premises datacenter or Azure Stack |
| Hybrid cloud | Combination of public and private cloud | Most enterprises use this model |
| CapEx | Capital expenditure — large upfront hardware investments | Traditional on-premises model |
| OpEx | Operational expenditure — pay as you go, no big upfront cost | Cloud model |
| High availability | System stays up even if one component fails, via redundancy | 99.9% SLA on most Azure services |
| Scalability | Ability to handle increased load (vertical = bigger machine, horizontal = more machines) | Scale up vs scale out |
| Elasticity | Automatically adjusts capacity based on actual demand | Azure Autoscale |
| Fault tolerance | System continues functioning despite individual failures | Availability Zones |
| Shared responsibility | Microsoft manages physical infra, you manage data and apps | Responsibility shifts with IaaS→PaaS→SaaS |
Domain 2
Azure Architecture & Services (35–40%)
This is the biggest chunk of the exam and where most people lose points. There are a lot of services and they all sound similar. The trick is to group them by category and learn when you'd use one vs another — not just what they are.
Compute
| Service | Type | When to use it |
|---|---|---|
| Azure Virtual Machines | IaaS | Full OS control, lift-and-shift, legacy apps |
| Azure App Service | PaaS | Web apps and APIs without managing servers |
| Azure Functions | Serverless | Short event-driven tasks, pay only when running |
| Azure Container Instances (ACI) | PaaS | Quick container deployment, no orchestration needed |
| Azure Kubernetes Service (AKS) | PaaS | Container orchestration at scale |
| Azure Virtual Desktop | DaaS | Windows desktop and apps delivered from the cloud |
Storage
| Service | Use it for |
|---|---|
| Blob Storage | Unstructured data: images, videos, backups, logs |
| Azure Files | Shared file system (SMB/NFS) — like a network drive in the cloud |
| Azure Disk | Persistent disks attached to virtual machines |
| Azure Queue Storage | Message queuing between application components |
| Azure Table Storage | NoSQL key-value store for semi-structured data |
Networking
| Service | Purpose |
|---|---|
| Virtual Network (VNet) | Your private network in Azure — resources communicate inside it |
| Subnet | Logical division within a VNet for organizing and securing resources |
| Network Security Group (NSG) | Firewall rules controlling inbound and outbound traffic |
| Azure Load Balancer | Distributes network traffic across multiple VMs (Layer 4) |
| Azure Application Gateway | HTTP(S) load balancer with routing rules and WAF (Layer 7) |
| Azure DNS | Host your DNS domains and records in Azure |
| VPN Gateway | Encrypted tunnel from your on-premises network to Azure (over internet) |
| ExpressRoute | Private dedicated connection from on-premises to Azure — no public internet |
| Azure CDN | Deliver content from edge nodes close to your users |
Domain 3
Management & Governance (30–35%)
This domain trips people up because it's about the meta-layer of Azure — how you organize, control costs, set policy and monitor things. Spend extra time on RBAC and the organizational hierarchy (Management Groups → Subscriptions → Resource Groups → Resources).
| Concept | What it does |
|---|---|
| Management Group | Container for organizing multiple subscriptions — apply policy at scale |
| Subscription | Billing boundary and access management container — everything lives inside one |
| Resource Group | Logical container for related resources that share the same lifecycle |
| Azure Resource Manager (ARM) | The management layer for all Azure deployments — handles all API calls |
| RBAC | Role-based access control — grant least-privilege access to who needs what |
| Azure Policy | Define and enforce compliance rules across resources (e.g. allowed regions) |
| Resource Tags | Key-value metadata on resources for cost tracking and organization |
| Azure Cost Management | Monitor, allocate and optimize Azure spending |
| Azure Pricing Calculator | Estimate monthly costs before you deploy |
| TCO Calculator | Compare cost of on-premises infrastructure vs moving to Azure |
| Azure Monitor | Collect metrics and logs from your resources, set alerts |
| Azure Service Health | Real-time status of Azure services in your regions |
| Azure Advisor | Personalized recommendations for reliability, security, cost, performance |
| Microsoft Defender for Cloud | Unified security posture management and threat protection |
| Azure Arc | Manage non-Azure resources (on-premises servers, other clouds) through Azure |
Want to actually use all of this?
Azure 30 walks you through 30 days of real Cloud Shell tasks, one per day. Each maps to an AZ-900 exam topic. Days 1–5 are completely free — no credit card.