These questions cover cloud concepts — the first domain of AZ-900 and the one that catches candidates who rely on memorising service names without understanding the underlying principles.
Question 1
A company wants to migrate their existing application servers to the cloud while retaining full control over the operating system, installed software, and network configuration. Which cloud service model is the best fit?
- A) Software as a Service (SaaS)
- B) Platform as a Service (PaaS)
- C) Infrastructure as a Service (IaaS)
- D) Function as a Service (FaaS)
Answer: C — Infrastructure as a Service (IaaS)
IaaS provides virtualised compute, storage, and networking. You manage everything from the OS upward — the provider manages the physical hardware and hypervisor. Azure Virtual Machines is a classic IaaS example.
The service model spectrum:
| Model | You manage | Provider manages | Azure examples |
|---|---|---|---|
| IaaS | OS, runtime, apps, data | Physical hardware, hypervisor | VMs, VNets, Disks |
| PaaS | Apps and data | OS, runtime, middleware | App Service, SQL Database |
| SaaS | Nothing (just configure) | Everything | Microsoft 365, Dynamics |
The key phrase in the question is "full control over the operating system" — that rules out PaaS (the provider manages the OS) and SaaS (no OS access at all).
</details>Question 2
Under the Azure shared responsibility model, who is responsible for patching the operating system on an Azure SQL Database?
- A) The customer — they must configure auto-patching
- B) Microsoft — Azure SQL Database is a managed PaaS service
- C) Both — Microsoft patches the OS, the customer patches the database engine
- D) A third-party managed service provider chosen by the customer
Answer: B — Microsoft
Azure SQL Database is a fully managed PaaS database. Microsoft handles patching of the underlying operating system, database engine updates, high availability, and backups. The customer is responsible for their data, access configuration, and application code — not infrastructure maintenance.
Shared responsibility by service model:
| Responsibility | On-premises | IaaS (VM) | PaaS | SaaS |
|---|---|---|---|---|
| Physical security | Customer | Microsoft | Microsoft | Microsoft |
| OS patching | Customer | Customer | Microsoft | Microsoft |
| Runtime/middleware | Customer | Customer | Microsoft | Microsoft |
| Application | Customer | Customer | Customer | Microsoft |
| Data | Customer | Customer | Customer | Customer |
This is one of the most-tested concepts on AZ-900 — know which responsibilities shift to Microsoft as you move up the service stack.
</details>Question 3
A healthcare organisation must keep patient records on-premises for regulatory reasons but wants to use Azure for all other workloads. Which cloud deployment model is appropriate?
- A) Public cloud — all workloads in Azure
- B) Private cloud — all workloads on-premises
- C) Hybrid cloud — regulated data on-premises, other workloads in Azure
- D) Community cloud — shared infrastructure across healthcare organisations
Answer: C — Hybrid cloud
A hybrid cloud combines on-premises (or private cloud) infrastructure with public cloud resources, connected via a network (typically VPN or ExpressRoute). This is the right model when some workloads can't move to the cloud due to regulatory, latency, or data sovereignty requirements.
Cloud deployment models:
| Model | Infrastructure | Use case |
|---|---|---|
| Public cloud | Provider-owned | Most workloads; pay-per-use |
| Private cloud | Organisation-owned | Compliance, full control required |
| Hybrid cloud | Both | Mix of regulated and unregulated workloads |
| Multi-cloud | Multiple providers | Avoid vendor lock-in, best-of-breed services |
The scenario describes the classic hybrid trigger: a regulatory constraint prevents moving specific data to the public cloud. Azure Arc, Azure Stack HCI, and ExpressRoute are the Azure services that enable hybrid connectivity and management.
</details>Key Takeaways
- IaaS = you control the OS and up; PaaS = you control the app and data; SaaS = you control nothing
- Managed PaaS services like Azure SQL Database shift OS and engine patching to Microsoft
- Hybrid cloud = on-premises + public cloud, connected — the right answer when regulation or sovereignty constrains data location