Microsoft Azure AZ-900 Cheat Sheet
The core Azure services, concepts, and tools worth memorising for AZ-900 — on one page.
A lot of AZ-900 is knowing which Azure service does what. Get these core services and concepts straight and most scenario questions answer themselves.
Cloud models to keep straight
Two model questions come up constantly. Service models — IaaS (you manage the OS and up), PaaS (you manage just your app and data), SaaS (you just use the software). Deployment models — public (shared Azure), private (your own dedicated infrastructure), hybrid (a mix).
Under the shared responsibility model, the cloud provider secures the cloud infrastructure; you secure what you put in it. Data, accounts, and access are always your responsibility in every model, and that's the single most-tested governance idea on AZ-900.
Core Azure services by category
You don't need deep configuration knowledge — just what each service is for.
| Category | Service | Use it for |
|---|---|---|
| Compute | Virtual Machines | Full control of an OS you manage (IaaS) |
| Compute | App Service | Host web apps/APIs without managing servers (PaaS) |
| Compute | Azure Functions | Run small pieces of code on demand — serverless |
| Compute | AKS / Container Instances | Run containers (managed Kubernetes / single containers) |
| Networking | Virtual Network (VNet) | Private network for your Azure resources |
| Networking | VPN Gateway | Encrypted site-to-site connection over the internet |
| Networking | ExpressRoute | Private, dedicated connection that bypasses the public internet |
| Storage | Blob Storage | Massive unstructured object storage (files, images, backups) |
| Database | Azure SQL Database | Managed relational (SQL) database — PaaS |
| Database | Azure Cosmos DB | Globally distributed NoSQL database, low latency |

Storage redundancy options: LRS (locally redundant storage) keeps 3 copies in one datacenter (cheapest). ZRS (zone-redundant storage) spreads copies across availability zones in one region. GRS (geo-redundant storage) copies your data to a second region, so if a whole region fails, your data survives. If a question asks for protection against a regional outage, the answer is geo-redundant (GRS/GZRS).
Management and cost tools
Area 3 is largely 'which tool does this?'. Learn these pairings.
| Tool | What it does |
|---|---|
| Pricing Calculator | Estimate the cost of Azure services before you deploy |
| Total Cost of Ownership (TCO) | The concept of comparing on-premises vs cloud cost; Microsoft now builds this into the Azure Migrate business case (the standalone TCO Calculator was retired) |
| Microsoft Cost Management | Track and analyse your actual spending after deployment |
| Azure Policy | Enforce rules/standards on resources (governance & compliance) |
| Resource locks | Prevent accidental deletion or changes to critical resources |
| Tags | Label resources (e.g. by department) for organisation and cost reporting |
| Azure Advisor | Personalised recommendations (cost, security, reliability, performance) |
| Azure Monitor | Collect metrics/logs and alert on the health of your resources |
| Azure Service Health | Status of Azure itself — outages and planned maintenance |

The resource hierarchy, from widest to narrowest: Management groups → Subscriptions → Resource groups → Resources. A resource lives in exactly one resource group; policies and access applied higher up flow down.
- Service models: IaaS (OS up to you), PaaS (just your app), SaaS (just use it).
- Data, identities and access are YOUR responsibility in every model.
- GRS/GZRS protects against a whole-region outage; LRS/ZRS do not.
- Resource hierarchy: management group → subscription → resource group → resource.
- Pricing Calculator estimates cost before deploying; Cost Management tracks actual spend after; TCO is the on-prem-vs-cloud comparison (now via the Azure Migrate business case).
Frequently asked questions
What are the core Azure service categories for AZ-900?
Compute (Virtual Machines, App Service, Functions, containers), Networking (Virtual Network, VPN Gateway, ExpressRoute), Storage (Blob and others), and Databases (Azure SQL Database, Cosmos DB).
Which storage redundancy protects against a whole region failing?
Geo-redundant options — GRS or GZRS — copy your data to a second region. LRS (single datacenter) and ZRS (zones within one region) do not survive a full regional outage.