Domain 2, Azure Architecture and Services, carries the most weight of any section on the AZ-900 exam, accounting for 35-40% of your total score. Candidates who score well here almost always pass. Candidates who skip it almost always fail.
This domain tests your ability to identify and differentiate the core Azure services that power real workloads. You do not need to know how to configure or deploy these services; you need to know what they do, when to use them, and how they relate to each other.
For a broader overview of all three AZ-900 domains, see our AZ-900 complete study guide. If you want to test your readiness right now, jump into our AZ-900 practice tests.
The four major topic areas are:
Run workloads in Azure: Virtual Machines, App Service, Azure Functions (serverless), Container Instances, and Azure Kubernetes Service (AKS). Understand when to pick each one.
Connect resources securely: Virtual Networks (VNets), VPN Gateway, ExpressRoute, Azure DNS, Network Security Groups, and Azure CDN. Know the difference between VPN and ExpressRoute.
Store any type of data: Blob Storage (unstructured), Azure Files (SMB/NFS), Queue Storage (messaging), Table Storage (NoSQL), and Managed Disks (VM disks). Know the redundancy options.
Control access and defend resources: Microsoft Entra ID, RBAC, Conditional Access, Azure Key Vault, Zero Trust model, and Microsoft Defender for Cloud.
Azure compute services let you run applications and workloads in the cloud. The exam expects you to match a scenario to the right compute option.
VMs are Infrastructure as a Service (IaaS). You get full control over the OS, software stack, and configuration. Use VMs when you need to lift-and-shift on-premises servers or when you need a specific OS version. VMs are the most flexible compute option but require the most management.
Exam tip: VM Scale Sets let you automatically scale VMs up or down based on demand. Azure Spot VMs offer discounted pricing for interruptible workloads.
App Service is a Platform as a Service (PaaS) offering for hosting web applications, REST APIs, and mobile backends. You choose the language runtime (.NET, Node.js, Python, Java, PHP) and Azure manages the underlying infrastructure.
Exam tip: App Service Plans define the compute resources. Multiple apps can share one plan. App Service Environments (ASE) provide isolated, dedicated hosting for high-scale or security-sensitive workloads.
Azure Functions is a serverless compute service. You write small pieces of code (functions) that run in response to triggers (HTTP requests, timer schedules, queue messages, blob uploads, and so on). You pay only for the time your function executes.
Exam tip: Functions = serverless = event-driven = no server management. The Consumption Plan scales automatically and bills per execution. Compare this to App Service where you pay for the plan even when idle.
ACI lets you run Docker containers without managing any underlying VMs. It is the fastest way to get a container running in Azure. Use ACI for simple container workloads, burst scenarios, or batch jobs that need isolation.
AKS is a managed Kubernetes service for orchestrating multiple containers at scale. Azure manages the Kubernetes control plane for free; you only pay for the worker node VMs. Use AKS for complex, multi-container applications that need auto-scaling, rolling updates, and service discovery.
Exam tip: ACI = simple, single container, fast start. AKS = complex, multi-container, production-grade orchestration.
Azure Virtual Desktop (AVD) delivers Windows desktops and applications from the cloud. It enables remote work scenarios and replaces traditional VDI infrastructure.
Networking connects Azure resources to each other, to on-premises networks, and to the internet. The exam focuses on understanding what each component does, not on configuration details.
A VNet is the fundamental networking building block. It is a logically isolated network in Azure where you place resources (VMs, databases, etc.). VNets can be segmented into subnets.
Resources in the same VNet communicate by default. Communication between VNets requires VNet Peering. Resources on-premises require a VPN or ExpressRoute.
NSGs are the Azure firewall equivalent at the subnet or NIC level. They contain rules that allow or deny inbound and outbound traffic based on source/destination IP, port, and protocol. NSGs are stateful: if you allow inbound traffic, the response is automatically allowed outbound.
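To make the priority order and the stateful behaviour concrete, here is a small rule evaluator added for this guide (it is not code from the original page or from Azure): it walks a constructed rule set in priority order, stops at the first match, and treats the reply to an allowed inbound flow as permitted without consulting outbound rules. The rule names and addresses are illustrative, and Azure's default VNet and load-balancer allow rules are left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int      # 100-4096 for custom rules; lower numbers are evaluated first
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # source CIDR, or "*" for any
    dest_port: str     # "443", "1000-2000" or "*"

# Azure's default inbound rules sit at priority 65000 and above; only the
# catch-all deny is modelled here (the VNet and load-balancer allows are omitted).
DEFAULT_INBOUND = [NsgRule("DenyAllInBound", 65500, "Deny", "*", "*", "*")]

def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port

def _rule_matches(rule: NsgRule, protocol: str, src_ip: str, port: int) -> bool:
    return (rule.protocol in ("*", protocol)
            and (rule.source == "*" or ip_address(src_ip) in ip_network(rule.source))
            and _port_matches(rule.dest_port, port))

def evaluate_inbound(rules, protocol, src_ip, dest_port):
    """Return (access, rule_name) of the first matching rule in priority order.
    Evaluation stops at the first match, which is why a low-numbered Deny
    beats a higher-numbered Allow for the same traffic."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _rule_matches(rule, protocol, src_ip, dest_port):
            return rule.access, rule.name
    raise AssertionError("the default deny rule guarantees a match")

def response_allowed(rules, protocol, src_ip, dest_port):
    """Stateful behaviour: the reply to an allowed inbound flow is permitted
    without any outbound rule being consulted."""
    return evaluate_inbound(rules, protocol, src_ip, dest_port)[0] == "Allow"

# Constructed sample rule set for a web subnet (illustrative, not from the page).
WEB_SUBNET_RULES = [
    NsgRule("allow-https", 100, "Allow", "Tcp", "*", "443"),
    NsgRule("deny-ssh-quarantined-host", 105, "Deny", "Tcp", "203.0.113.50/32", "22"),
    NsgRule("allow-ssh-from-office", 110, "Allow", "Tcp", "203.0.113.0/24", "22"),
]
```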
VPN Gateway creates an encrypted tunnel over the public internet between Azure and your on-premises network (or between two Azure VNets). It uses IPSec/IKE protocols. This is the standard choice for connecting a remote office or home network to Azure.
Exam tip: VPN Gateway = encrypted connection over the internet. It is lower cost than ExpressRoute but shares public internet bandwidth.
ExpressRoute provides a dedicated, private connection from your on-premises network to Azure, bypassing the public internet entirely. It is provided through a connectivity partner (ISP or network provider).
Exam tip: ExpressRoute = private, dedicated, higher bandwidth, lower latency, higher cost. Use for regulated industries (finance, healthcare) or large data transfer scenarios. VPN Gateway = cheaper, uses internet, good for most businesses.
Azure DNS hosts your DNS domains and resolves DNS queries using Azure's global infrastructure. It integrates with other Azure services and supports both public and private DNS zones (for name resolution within VNets).
Azure CDN caches static content (images, videos, scripts) at Point of Presence (POP) locations around the world, serving content to users from the nearest location. This reduces latency and offloads traffic from your origin server.
Azure Load Balancer distributes traffic at Layer 4 (TCP/UDP) across VMs. Application Gateway is a Layer 7 (HTTP/HTTPS) load balancer that also includes a Web Application Firewall (WAF). Azure Front Door adds global routing and CDN capabilities.
Azure Storage is a massively scalable, durable cloud storage platform. Every Azure Storage account supports multiple storage services.
Blob (Binary Large Object) storage handles unstructured data: images, videos, documents, backups, log files, and big data. Objects are stored in containers within a storage account.
Blob storage has three access tiers:
Exam tip: Archive tier data must be rehydrated before it can be read. This can take hours. Use it for compliance backups and old data you rarely need.
Azure Files provides fully managed file shares in the cloud, accessible via the SMB (Server Message Block) and NFS protocols. You can mount Azure file shares on Windows, Linux, and macOS, just like a traditional network share. Use it to replace on-premises file servers.
Queue Storage stores large numbers of messages that can be accessed from anywhere via HTTP/HTTPS. Each message can be up to 64 KB. Queues decouple application components: a producer writes messages, and a consumer reads and processes them asynchronously.
Table Storage is a NoSQL key-attribute store for structured, non-relational data. It is highly scalable and cost-effective for large amounts of structured data that does not require complex joins or foreign keys.
Managed Disks are block-level storage volumes used as the hard drives for Azure VMs. Types include Ultra Disk, Premium SSD, Standard SSD, and Standard HDD. Azure manages the underlying storage infrastructure.
The exam tests your knowledge of storage redundancy:
Exam tip: LRS is cheapest. GZRS is most resilient. RA-GRS and RA-GZRS allow read access to the secondary region.
Microsoft Entra ID is Azure's cloud-based identity and access management (IAM) service. It authenticates users and authorizes access to Azure resources, Microsoft 365, and third-party SaaS applications.
Key concepts:
Exam tip: Entra ID is NOT the same as Windows Server Active Directory. Entra ID is cloud-native and uses different protocols (OAuth 2.0, OpenID Connect). Azure AD Connect syncs on-premises AD users to Entra ID.
RBAC controls who can do what to which Azure resources. You assign a role to a security principal (user, group, service principal) at a specific scope (management group, subscription, resource group, or resource).
Built-in roles include:
Exam tip: RBAC controls access to Azure management operations. It does not control access to data within resources (e.g., who can read data in a storage account; that uses storage-level permissions).
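A worked model of the two ideas above, added here as an example (not the page's or Azure's own code): a role assignment at a scope is inherited by everything beneath that scope, and a role definition separates control-plane Actions/NotActions from data-plane DataActions, so a Contributor with "*" in Actions still has no right to read blob data. The role definitions are simplified subsets of the real built-in roles, and the principals, subscription id and resource names are constructed.

```python
from fnmatch import fnmatchcase

# Simplified built-in role definitions (a subset of the real Actions/NotActions).
# Control-plane rights are actions/not_actions; data-plane rights are data_actions.
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": [], "data_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
                    "data_actions": []},
    "Storage Blob Data Reader": {
        "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
        "not_actions": [],
        "data_actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"]},
}

def _any_match(patterns, operation):
    # ARM matching is case-insensitive and "*" spans "/" segments, so "*/read" covers any read.
    return any(fnmatchcase(operation.lower(), p.lower()) for p in patterns)

def role_permits(role_name, operation, data_plane=False):
    role = ROLES[role_name]
    if data_plane:
        return _any_match(role["data_actions"], operation)
    return _any_match(role["actions"], operation) and not _any_match(role["not_actions"], operation)

def is_authorized(assignments, principal, operation, resource_id, data_plane=False):
    """Azure RBAC is additive: one applicable assignment that permits the operation
    is enough. An assignment applies to its scope and every resource beneath it."""
    return any(
        (resource_id == scope or resource_id.startswith(scope + "/"))
        and role_permits(role, operation, data_plane)
        for who, role, scope in assignments
        if who == principal
    )

# Constructed assignments of (principal, role, scope); the ids and names are illustrative.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/stapplogs"
ASSIGNMENTS = [
    ("alice", "Contributor", SUB),       # control plane on the whole subscription
    ("bob", "Reader", RG),               # read-only, inherited by everything in rg-app
    ("carol", "Storage Blob Data Reader", STORAGE),  # data plane on one account only
]
```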
Zero Trust is a security philosophy built on three principles:
Exam tip: Zero Trust replaces the old "trust but verify" perimeter model with "never trust, always verify."
Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) tool. It continuously assesses your Azure environment against security best practices and provides a Secure Score to track your security posture.
It offers recommendations to remediate misconfigurations and advanced threat protection for VMs, databases, containers, and more.
Azure Key Vault stores and manages secrets, keys, and certificates securely. Applications retrieve secrets at runtime without hard-coding them in code. Key Vault integrates with Managed Identities so applications can access secrets without credentials.
Conditional Access is a policy engine in Microsoft Entra ID that enforces access controls based on signals like user identity, device compliance, location, and app sensitivity. Example: require MFA when signing in from outside the corporate network.
The best approach is scenario-based learning. Microsoft does not ask "what is Blob Storage?" Instead, they ask "which service should you use to store images uploaded by users?" Practice translating business requirements into the correct Azure service.
Use these resources alongside these study notes:
After completing Domain 2, review Domain 1 (Cloud Concepts) and Domain 3 (Azure Management and Governance) to get the full picture. Practice tests are the fastest way to identify gaps; aim for consistent 80%+ scores before scheduling the real exam.
For a video-based review, check our AZ-900 video answers to common practice questions.