AZ-900 Azure Services — Domain 2 Study Notes 2026

Master AZ-900 Domain 2 (35-40% of exam): Azure regions, compute, networking, storage, and identity services. Study notes with exam tips.

Domain 2 Overview: Azure Architecture and Services

Domain 2 — Azure Architecture and Services — carries the most weight of any section on the AZ-900 exam, accounting for 35–40% of your total score. Candidates who score well here almost always pass. Candidates who skip it almost always fail.

This domain tests your ability to identify and differentiate the core Azure services that power real workloads. You do not need to know how to configure or deploy these services — you need to know what they do, when to use them, and how they relate to each other.

The four major topic areas are:

  • Azure Compute Services — Virtual Machines, App Service, Azure Functions, Container Instances, Azure Kubernetes Service
  • Azure Networking — Virtual Networks, VPN Gateway, ExpressRoute, Azure DNS, Content Delivery Network
  • Azure Storage — Blob, Disk, File, Queue, and Table storage
  • Azure Identity, Access, and Security — Microsoft Entra ID (formerly Azure AD), RBAC, Zero Trust, Microsoft Defender for Cloud

For a broader overview of all three AZ-900 domains, see our AZ-900 complete study guide. If you want to test your readiness right now, jump into our AZ-900 practice tests.

💻Compute Services

Run workloads in Azure: Virtual Machines, App Service, Azure Functions (serverless), Container Instances, and Azure Kubernetes Service (AKS). Understand when to pick each one.

🌐Networking

Connect resources securely: Virtual Networks (VNets), VPN Gateway, ExpressRoute, Azure DNS, Network Security Groups, and Azure CDN. Know the difference between VPN and ExpressRoute.

🗄️Storage Services

Store any type of data: Blob Storage (unstructured), Azure Files (SMB/NFS), Queue Storage (messaging), Table Storage (NoSQL), and Managed Disks (VM disks). Know the redundancy options.

🔐Identity & Security

Control access and defend resources: Microsoft Entra ID, RBAC, Conditional Access, Azure Key Vault, Zero Trust model, and Microsoft Defender for Cloud.

Compute Services

Azure compute services let you run applications and workloads in the cloud. The exam expects you to match a scenario to the right compute option.

Azure Virtual Machines (VMs)

VMs are Infrastructure as a Service (IaaS). You get full control over the OS, software stack, and configuration. Use VMs when you need to lift-and-shift on-premises servers or when you need a specific OS version. VMs are the most flexible compute option but require the most management.

Exam tip: VM Scale Sets automatically add or remove identical VM instances based on demand. Azure Spot VMs offer discounted pricing for interruptible workloads.

Azure App Service

App Service is a Platform as a Service (PaaS) offering for hosting web applications, REST APIs, and mobile backends. You choose the language runtime (.NET, Node.js, Python, Java, PHP) and Azure manages the underlying infrastructure.

Exam tip: App Service Plans define the compute resources. Multiple apps can share one plan. App Service Environments (ASE) provide isolated, dedicated hosting for high-scale or security-sensitive workloads.

Azure Functions

Azure Functions is a serverless compute service. You write small pieces of code (functions) that run in response to triggers — HTTP requests, timer schedules, queue messages, blob uploads, etc. You pay only for the time your function executes.

Exam tip: Functions = serverless = event-driven = no server management. The Consumption Plan scales automatically and bills per execution. Compare this to App Service where you pay for the plan even when idle.

Azure Container Instances (ACI)

ACI lets you run Docker containers without managing any underlying VMs. It is the fastest way to get a container running in Azure. Use ACI for simple container workloads, burst scenarios, or batch jobs that need isolation.

Azure Kubernetes Service (AKS)

AKS is a managed Kubernetes service for orchestrating multiple containers at scale. Azure manages the Kubernetes control plane for free; you only pay for the worker node VMs. Use AKS for complex, multi-container applications that need auto-scaling, rolling updates, and service discovery.

Exam tip: ACI = simple, single container, fast start. AKS = complex, multi-container, production-grade orchestration.

Azure Virtual Desktop

Azure Virtual Desktop (AVD) delivers Windows desktops and applications from the cloud. It enables remote work scenarios and replaces traditional VDI infrastructure.

Azure Networking

Networking connects Azure resources to each other, to on-premises networks, and to the internet. The exam focuses on understanding what each component does, not on configuration details.

Azure Virtual Network (VNet)

A VNet is the fundamental networking building block. It is a logically isolated network in Azure where you place resources (VMs, databases, etc.). VNets can be segmented into subnets.

Resources in the same VNet communicate by default. Communication between VNets requires VNet Peering. Resources on-premises require a VPN or ExpressRoute.

Network Security Groups (NSGs)

NSGs are a basic packet filter applied at the subnet or NIC level (not to be confused with the separate Azure Firewall service). They contain rules that allow or deny inbound and outbound traffic based on source/destination IP, port, and protocol. NSGs are stateful — if you allow inbound traffic, the response is automatically allowed outbound.
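To make the rule semantics concrete, here is an added Python model of how an NSG decides on one inbound packet (example code written for these notes, not Azure's implementation): rules are checked in ascending priority number, the first match wins, and the two default rules that matter here (AllowVnetInBound at 65000, DenyAllInBound at 65500) sit at the bottom. The VNet range, rule names and addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")   # assumption: the VNet address space behind the NSG

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number = evaluated first; custom rules 100-4096, defaults 65000+
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, "*" or the "VirtualNetwork" service tag
    dest_port: str     # single port, "lo-hi" range or "*"

def _src_matches(src: str, ip: str) -> bool:
    if src == "*":
        return True
    if src == "VirtualNetwork":          # service tag: any address inside the VNet
        return ip_address(ip) in VNET
    return ip_address(ip) in ip_network(src, strict=False)

def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, direction, proto, src_ip, dst_port) -> str:
    """First rule (by ascending priority) that matches decides: 'Allow' or 'Deny'."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction or r.protocol not in ("*", proto):
            continue
        if _src_matches(r.source, src_ip) and _port_matches(r.dest_port, dst_port):
            return r.access
    return "Deny"  # not reached while the default rules are present; safe fallback

# Constructed rule set. Because NSGs are stateful, replies to traffic allowed
# here return to the client without needing a matching outbound rule.
RULES = [
    Rule("AllowHTTPS", 100, "Inbound", "Allow", "Tcp", "*", "443"),
    Rule("AllowSSHFromMgmt", 200, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "22"),
    Rule("DenySSH", 300, "Inbound", "Deny", "Tcp", "*", "22"),   # 200 wins for the mgmt range
    # Azure's default rules: present in every NSG, overridden only by lower-numbered rules
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]
```

Swapping the priorities of AllowSSHFromMgmt and DenySSH would lock the management range out too, which is the kind of ordering mistake a rule review should catch.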

VPN Gateway

VPN Gateway creates an encrypted tunnel over the public internet between Azure and your on-premises network (or between two Azure VNets). It uses the IPsec/IKE protocols. This is the standard choice for connecting a remote office or home network to Azure.

Exam tip: VPN Gateway = encrypted connection over the internet. It is lower cost than ExpressRoute but shares public internet bandwidth.

Azure ExpressRoute

ExpressRoute provides a dedicated, private connection from your on-premises network to Azure, bypassing the public internet entirely. It is provided through a connectivity partner (ISP or network provider).

Exam tip: ExpressRoute = private, dedicated, higher bandwidth, lower latency, higher cost. Use for regulated industries (finance, healthcare) or large data transfer scenarios. VPN Gateway = cheaper, uses internet, good for most businesses.

Azure DNS

Azure DNS hosts your DNS domains and resolves DNS queries using Azure's global infrastructure. It integrates with other Azure services and supports both public and private DNS zones (for name resolution within VNets).

Azure Content Delivery Network (CDN)

Azure CDN caches static content (images, videos, scripts) at Point of Presence (POP) locations around the world, serving content to users from the nearest location. This reduces latency and offloads traffic from your origin server.

Azure Load Balancer and Application Gateway

Azure Load Balancer distributes traffic at Layer 4 (TCP/UDP) across VMs. Application Gateway is a Layer 7 (HTTP/HTTPS) load balancer that also includes a Web Application Firewall (WAF). Azure Front Door adds global routing and CDN capabilities.

Azure Storage Services

Azure Storage is a massively scalable, durable cloud storage platform. Every Azure Storage account supports multiple storage services.

Azure Blob Storage

Blob (Binary Large Object) storage handles unstructured data — images, videos, documents, backups, log files, and big data. Objects are stored in containers within a storage account.

Blob storage has three access tiers:

  • Hot — frequently accessed data (higher storage cost, lower access cost)
  • Cool — infrequently accessed, stored for at least 30 days
  • Archive — rarely accessed, stored for at least 180 days (lowest storage cost, highest retrieval cost/latency)

Exam tip: Archive tier data must be rehydrated before it can be read. This can take hours. Use it for compliance backups and old data you rarely need.

Azure Files

Azure Files provides fully managed file shares in the cloud, accessible via the SMB (Server Message Block) and NFS protocols. You can mount Azure file shares on Windows, Linux, and macOS — just like a traditional network share. Use it to replace on-premises file servers.

Azure Queue Storage

Queue Storage stores large numbers of messages that can be accessed from anywhere via HTTP/HTTPS. Each message can be up to 64 KB. Queues decouple application components — a producer writes messages, a consumer reads and processes them asynchronously.

Azure Table Storage

Table Storage is a NoSQL key-attribute store for structured, non-relational data. It is highly scalable and cost-effective for large amounts of structured data that does not require complex joins or foreign keys.

Azure Managed Disks

Managed Disks are block-level storage volumes used as the hard drives for Azure VMs. Types include Ultra Disk, Premium SSD, Standard SSD, and Standard HDD. Azure manages the underlying storage infrastructure.

Storage Redundancy Options

The exam tests your knowledge of storage redundancy:

  • LRS (Locally Redundant Storage) — 3 copies in one datacenter in one region
  • ZRS (Zone-Redundant Storage) — 3 copies across 3 availability zones in one region
  • GRS (Geo-Redundant Storage) — LRS + async replication to a paired region (6 total copies)
  • GZRS (Geo-Zone-Redundant Storage) — ZRS + async replication to a paired region (highest durability)

Exam tip: LRS is cheapest. GZRS is most resilient. RA-GRS and RA-GZRS allow read access to the secondary region.

Identity, Access, and Security

Microsoft Entra ID (formerly Azure Active Directory)

Microsoft Entra ID is Azure's cloud-based identity and access management (IAM) service. It authenticates users and authorizes access to Azure resources, Microsoft 365, and third-party SaaS applications.

Key concepts:

  • Tenant — a dedicated Entra ID instance for your organization
  • User accounts — cloud identities, guest users, synced on-premises identities
  • Groups — assign permissions to a group rather than individual users
  • Service Principals / Managed Identities — identities for applications and Azure services

Exam tip: Entra ID is NOT the same as Windows Server Active Directory. Entra ID is cloud-native and uses different protocols (OAuth 2.0, OpenID Connect). Azure AD Connect syncs on-premises AD users to Entra ID.

Azure Role-Based Access Control (RBAC)

RBAC controls who can do what to which Azure resources. You assign a role to a security principal (user, group, service principal) at a specific scope (management group, subscription, resource group, or resource).

Built-in roles include:

  • Owner — full access including ability to assign roles to others
  • Contributor — full access except cannot assign roles
  • Reader — read-only access
  • User Access Administrator — manage user access to Azure resources

Exam tip: Azure RBAC governs management operations on Azure resources. It does not control access to the data inside a resource; for example, who can read the blobs in a storage account is decided by storage-level authorization, not by the management-plane role.
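The points that trip candidates up are inheritance and additivity: an assignment applies at its scope and every child scope, several assignments simply add up, and a built-in role is a set of Actions patterns minus NotActions patterns. The following added Python model (written for these notes, not Azure's authorization engine) shows those rules with simplified definitions of the four built-in roles above; the subscription id, group and principal names are constructed placeholders, and the real Contributor role carries a few more NotActions than shown.

```python
from fnmatch import fnmatchcase

# Simplified built-in role definitions (Actions / NotActions patterns), modelled on
# Azure's; the real Contributor role carries a few more NotActions.
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Delete",
                                    "Microsoft.Authorization/*/Write"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "User Access Administrator": {"actions": ["*/read", "Microsoft.Authorization/*"],
                                  "not_actions": []},
}

def _match(patterns, action: str) -> bool:
    a = action.lower()                       # Azure action names are case-insensitive
    return any(fnmatchcase(a, p.lower()) for p in patterns)

def role_permits(role: str, action: str) -> bool:
    """Granted when an Actions pattern matches and no NotActions pattern excludes it."""
    d = ROLES[role]
    return _match(d["actions"], action) and not _match(d["not_actions"], action)

def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """An assignment applies at its own scope and is inherited by every child scope."""
    return resource_scope == assignment_scope or resource_scope.startswith(assignment_scope + "/")

def is_authorized(assignments, principal, groups, action, resource_scope) -> bool:
    """Assignments are additive: any one assignment that permits the action is enough."""
    for a in assignments:
        if (a["principal"] in {principal, *groups}
                and scope_covers(a["scope"], resource_scope)
                and role_permits(a["role"], action)):
            return True
    return False

# Constructed scopes and assignments (placeholder subscription id, not a real one)
SUB = "/subscriptions/sub-0000"
RG_PROD = SUB + "/resourceGroups/rg-prod"
STPROD = RG_PROD + "/providers/Microsoft.Storage/storageAccounts/stprod"
ASSIGNMENTS = [
    {"principal": "alice", "role": "Reader", "scope": SUB},
    {"principal": "sg-platform", "role": "Contributor", "scope": RG_PROD},
    {"principal": "bob", "role": "Owner", "scope": STPROD},
]
```

Note that bob's Owner role at the storage account does not let him assign roles on the resource group above it: inheritance only flows downward.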

Zero Trust Security Model

Zero Trust is a security philosophy built on three principles:

  1. Verify explicitly — always authenticate and authorize based on all available signals (identity, location, device health, service, data classification)
  2. Use least privilege access — limit user access with Just-In-Time (JIT) and Just-Enough-Access (JEA)
  3. Assume breach — minimize blast radius, segment access, verify end-to-end encryption

Exam tip: Zero Trust replaces the old "trust but verify" perimeter model with "never trust, always verify."

Microsoft Defender for Cloud

Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) tool. It continuously assesses your Azure environment against security best practices and provides a Secure Score to track your security posture.

It offers recommendations to remediate misconfigurations and advanced threat protection for VMs, databases, containers, and more.

Azure Key Vault

Azure Key Vault stores and manages secrets, keys, and certificates securely. Applications retrieve secrets at runtime without hard-coding them in code. Key Vault integrates with Managed Identities, so applications can access secrets without storing any credentials of their own.

Conditional Access

Conditional Access is a policy engine in Microsoft Entra ID that enforces access controls based on signals like user identity, device compliance, location, and app sensitivity. Example: require MFA when signing in from outside the corporate network.
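How the signals turn into a decision is easier to see in code. The Python below is an added model written for these notes, not Microsoft's policy engine: every policy whose conditions match a sign-in applies, the grant controls of all applying policies are combined, and a single Block outweighs any grant control. The trusted network range, group names, app names and policies are constructed, with the first policy being the "MFA from outside the corporate network" example above.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

TRUSTED_LOCATIONS = [ip_network("203.0.113.0/24")]   # assumption: the corporate egress range

@dataclass
class SignIn:
    user: str
    groups: set       # Entra ID groups the user belongs to
    ip: str           # source address of the sign-in (location signal)
    app: str          # application being accessed

@dataclass
class Policy:
    name: str
    users: set = field(default_factory=lambda: {"All"})   # "All" or group names
    apps: set = field(default_factory=lambda: {"All"})    # "All" or app names
    outside_trusted_only: bool = False    # condition: sign-in is not from a trusted location
    block: bool = False                   # grant control: Block access
    require: frozenset = frozenset()      # grant controls, e.g. {"mfa", "compliantDevice"}

def _trusted(ip: str) -> bool:
    return any(ip_address(ip) in net for net in TRUSTED_LOCATIONS)

def applies(p: Policy, s: SignIn) -> bool:
    """All of a policy's conditions must hold for it to apply to a sign-in."""
    if "All" not in p.users and not (p.users & s.groups):
        return False
    if "All" not in p.apps and s.app not in p.apps:
        return False
    if p.outside_trusted_only and _trusted(s.ip):
        return False
    return True

def evaluate(policies, s: SignIn):
    """('block', set()), ('grant', required controls) or ('allow', set()) when nothing applies."""
    required = set()
    for p in policies:
        if applies(p, s):
            if p.block:                 # Block wins over every grant control
                return ("block", set())
            required |= set(p.require)  # controls from all applying policies add up
    return ("grant", required) if required else ("allow", set())

POLICIES = [   # constructed policy set; the first is the MFA example from the notes
    Policy("MFA outside corp network", outside_trusted_only=True, require=frozenset({"mfa"})),
    Policy("Admins need compliant device", users={"sg-admins"}, require=frozenset({"compliantDevice"})),
    Policy("Block legacy ERP off-network", apps={"legacy-erp"}, outside_trusted_only=True, block=True),
]
```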

Figure: Azure Architecture and Services diagram for AZ-900 Domain 2

Most-Tested Azure Services on the AZ-900 Exam

  • Azure Virtual Machines vs. App Service vs. Azure Functions — know the IaaS/PaaS/Serverless distinction and which scenario fits each
  • VPN Gateway vs. ExpressRoute — encrypted internet tunnel vs. private dedicated connection; cost vs. reliability trade-offs
  • Blob Storage access tiers — Hot, Cool, Archive and the cost/access trade-off; rehydration requirement for Archive
  • LRS vs. ZRS vs. GRS vs. GZRS — redundancy levels, number of copies, and which is best for disaster recovery
  • Microsoft Entra ID vs. on-premises AD — cloud IAM, OAuth/OIDC protocols, Azure AD Connect sync
  • RBAC scopes and built-in roles — Owner, Contributor, Reader assigned at subscription, resource group, or resource level
  • Zero Trust principles — verify explicitly, least privilege, assume breach
  • Microsoft Defender for Cloud Secure Score — what it measures and how to improve it
  • Azure Kubernetes Service (AKS) vs. Azure Container Instances (ACI) — orchestration vs. single-container simplicity
  • Azure Key Vault — secrets, keys, certificates; integration with Managed Identities

Figure: AZ-900 Domain 2 study checklist and exam preparation notes

How to Study Domain 2 Effectively

The best approach is scenario-based learning. Microsoft does not ask "what is Blob Storage?" — they ask "which service should you use to store images uploaded by users?" Practice translating business requirements into the correct Azure service.

Use these resources alongside these study notes:

After completing Domain 2, review Domain 1 (Cloud Concepts) and Domain 3 (Azure Management and Governance) to get the full picture. Practice tests are the fastest way to identify gaps — aim for consistent 80%+ scores before scheduling the real exam.

For a video-based review, check our AZ-900 video answers to common practice questions.

About the Author

Dr. Lisa Patel, EdD, MA Education, Certified Test Prep Specialist

Educational Psychologist & Academic Test Preparation Expert

Columbia University Teachers College

Dr. Lisa Patel holds a Doctorate in Education from Columbia University Teachers College and has spent 17 years researching standardized test design and academic assessment. She has developed preparation programs for SAT, ACT, GRE, LSAT, UCAT, and numerous professional licensing exams, helping students of all backgrounds achieve their target scores.