Azure regions
A region is a geographic area containing one or more nearby, low-latency connected data centers. When you deploy a resource in Azure, you select the region where it will live. Azure automatically manages load balancing within each region.
Global scale
60+ regions, available in 140+ countries. Microsoft describes this as more regions than any other cloud provider.
Why region matters
Some services and VM types are only available in specific regions. Choose a region close to users for lower latency. Data residency compliance may restrict which regions you can use.
Global services
Some services don't require a region: Microsoft Entra ID, Azure Traffic Manager, Azure DNS — these are globally distributed by design.
Exam tip: Know the global services that don't require region selection: Entra ID, Traffic Manager, DNS. Also know: choose the region closest to users for best performance.
Availability zones
Physically separate data centers within a single Azure region. Each zone has independent power, cooling, and networking. If one zone fails, the others continue operating.
Minimum per region
At least 3 separate zones in every region that supports them — ensuring two remain operational if one fails.
Connectivity
Connected via private high-speed fiber optic networks. Inter-zone round-trip latency is under 2 ms.
Isolation boundary
Hardware failures, power outages, and cooling issues in one zone do not affect adjacent zones.
Region pairs & sovereign regions
Region pairs
Most Azure regions are paired with another region in the same geography, at least 300 miles apart where possible. Planned maintenance is staggered across the pair so both regions are never updated at the same time, and in a broad outage Microsoft prioritizes restoring one region of each pair. Some platform services replicate to the paired region on their own (geo-redundant storage, for example), but your own workloads do not fail over automatically: you get cross-region resilience only if you deploy to both regions and configure the failover yourself. Some newer regions have no pair and rely on availability zones instead.
Examples
West US ↔ East US. North Europe ↔ West Europe. Southeast Asia ↔ East Asia.
Azure Government (US)
Physically and logically isolated from commercial Azure. Data centers operated by screened US persons. Meets additional compliance requirements specific to US government workloads. For US government agencies and their partners.
Azure China
Isolated environment operated by 21Vianet, not Microsoft directly, as required by Chinese law. Same underlying Azure technology, but with its own portal, service endpoints and identity tenants; commercial Azure subscriptions and Entra ID tenants do not carry over.
Architecture layers — protection comparison
| Concept | What it is | Protects against |
|---|---|---|
| Availability Set | VMs spread across update and fault domains within one data center | Rack-level power/network failures; planned maintenance downtime |
| Availability Zone | Separate data center buildings within one region | Entire data center outage (power, cooling, hardware) |
| Region pair | Two regions 300+ miles apart in same geography | Region-wide disasters (earthquakes, major outages) |
| Sovereign region | Isolated Azure for government/regulatory compliance | Data sovereignty and regulatory requirements |
Azure management hierarchy
Azure uses a four-level hierarchy. Each level inherits policies and permissions from the level above it.
Management groups — containers grouping subscriptions. Apply governance at scale. Max 10,000 per directory, 6 levels deep.
↓
Subscriptions — unit of billing and access management. Generates its own invoice. Two boundaries: billing and access management.
↓
Resource groups — logical containers for related resources. Actions (delete, access grant) apply to all resources within. Cannot be nested.
↓
Resources — individual Azure components (VMs, databases, VNets, storage accounts). Every resource belongs to exactly one resource group.
Inheritance chain: Policies, permissions, and access controls flow downward. A policy at management group level automatically applies to all subscriptions, resource groups, and resources beneath it. Tags do NOT inherit.
Resource groups, subscriptions & management groups
Resource groups
Logical containers. Deleting a group deletes all resources inside. Access grants at the group level apply to all resources within. Cannot be nested. Each resource belongs to exactly one group at a time.
Subscriptions
Billing boundary (each generates its own invoice) and access management boundary (separate RBAC policies per subscription). Common patterns: one subscription per department, per environment (dev/test/prod), or per geography.
Management groups
Group subscriptions for governance at scale. Policies and RBAC assigned at management group level are inherited by all subscriptions beneath. Max 10,000 per directory, max 6 levels of depth (excluding root and subscription level). Each group/subscription has only one parent.
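The inheritance rules in the hierarchy section and the resource group / subscription / management group notes above are easier to reason about as code. The block below is an added example written for this page, not Microsoft code or tooling: it models a tenant as a tree of scopes and computes the effective roles, policies and tags at any node. The scope names, principals, role and policy names and tag values are constructed for illustration; the behaviour encoded (RBAC and policy flow down, tags do not, one parent per scope, at most six management-group levels below the tenant root group) is what the notes state.

```python
"""Scope inheritance in the Azure management hierarchy (added example, not Microsoft code).

Scope names, principals, roles, policy and tag values are constructed. The rules modelled:
RBAC role assignments and policy assignments flow downward from management group to
subscription to resource group to resource; tags do not; every scope has exactly one
parent; management groups nest at most six levels below the tenant root group.
"""
from dataclasses import dataclass, field
from typing import Optional

MAX_MG_DEPTH = 6  # management-group levels allowed below the tenant root group


@dataclass
class Scope:
    name: str
    kind: str                                   # "mg", "subscription", "resource_group" or "resource"
    parent: Optional["Scope"] = None            # exactly one parent; None only for the tenant root group
    roles: dict = field(default_factory=dict)   # principal -> set of roles assigned directly here
    policies: set = field(default_factory=set)  # policy assignments made directly here
    tags: dict = field(default_factory=dict)    # tags set directly here

    def __post_init__(self) -> None:
        if self.kind == "mg" and self.mg_depth() > MAX_MG_DEPTH:
            raise ValueError(f"{self.name}: more than {MAX_MG_DEPTH} management-group levels below root")

    def mg_depth(self) -> int:
        """Management-group levels between this scope and the tenant root group (root itself is 0)."""
        depth, node = 0, self
        while node.parent is not None:
            if node.kind == "mg":
                depth += 1
            node = node.parent
        return depth

    def chain(self) -> list:
        """This scope followed by each ancestor up to the root: the path that inheritance walks."""
        out, node = [], self
        while node is not None:
            out.append(node)
            node = node.parent
        return out


def effective_roles(scope: Scope, principal: str) -> set:
    """Roles a principal holds at `scope`: the union of assignments at the scope and every ancestor."""
    roles = set()
    for s in scope.chain():
        roles |= s.roles.get(principal, set())
    return roles


def effective_policies(scope: Scope) -> set:
    """Policy assignments in force at `scope`: everything assigned at or above it."""
    policies = set()
    for s in scope.chain():
        policies |= s.policies
    return policies


def effective_tags(scope: Scope) -> dict:
    """Tags are NOT inherited: only tags set directly on the scope apply to it."""
    return dict(scope.tags)


def can_nest(levels: int) -> bool:
    """True if `levels` management groups can be chained below the tenant root group."""
    node = Scope("Tenant Root Group", "mg")
    try:
        for i in range(levels):
            node = Scope(f"mg-{i}", "mg", node)
    except ValueError:
        return False
    return True


def build_sample() -> dict:
    """Constructed tenant: root -> Corp -> Prod -> subscription -> resource group -> VM."""
    root = Scope("Tenant Root Group", "mg")
    corp = Scope("Corp", "mg", root, roles={"sec-ops": {"Reader"}})
    prod = Scope("Prod", "mg", corp, policies={"require-disk-encryption"})
    sub = Scope("prod-payments", "subscription", prod,
                roles={"payments-team": {"Contributor"}}, tags={"costcenter": "4210"})
    rg = Scope("rg-payments-api", "resource_group", sub, tags={"owner": "payments"})
    vm = Scope("vm-api-01", "resource", rg)
    return {"root": root, "corp": corp, "prod": prod, "sub": sub, "rg": rg, "vm": vm}


if __name__ == "__main__":
    s = build_sample()
    for principal in ("sec-ops", "payments-team"):
        print(principal, "on", s["vm"].name, "->", effective_roles(s["vm"], principal))
    print("policies on VM:", effective_policies(s["vm"]))
    print("tags on VM (no inheritance):", effective_tags(s["vm"]))
```

The point for an access review: a Reader assignment made once at the Corp management group shows up on every VM in every subscription beneath it, while the payments team's Contributor role is invisible one level up. Walking the chain is exactly what you have to do when answering "who can touch this resource".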
Virtual Machines (VMs)
IaaS — virtualized servers. Full control over the OS, installed software, and configuration. Provider manages physical hardware; you manage everything inside the VM.
When to use
Full OS control needed, lift-and-shift migration, custom software requirements, legacy applications, specific OS version requirements.
Limitation
Each VM runs only one OS. You pay for compute while the VM is allocated, even if idle. Shutting down from inside the guest OS leaves the VM allocated and still billed; to stop compute charges you must deallocate it through Azure (Stop in the portal or the CLI). Attached disks are billed either way.
VM Scale Sets & Availability Sets
| Feature | VM Scale Sets | Availability Sets |
|---|---|---|
| Purpose | Auto-scale identical load-balanced VMs | Protect VMs from planned/unplanned downtime |
| How it works | Adds/removes VM instances based on demand rules | Spreads VMs across update domains and fault domains |
| Max scale | Up to 1,000 VM instances | N/A (not a scaling feature) |
| Cost | Pay for running VMs | Free — pay only for VM instances |
| Protects against | Traffic spikes, single point of failure | Rack-level failure (fault domain), maintenance downtime (update domain) |
Azure Virtual Desktop & App Service
Azure Virtual Desktop
Cloud-hosted Windows desktop accessible from any device. Data stays in Azure — not on user devices. Supports multi-session (multiple users share one VM). Supports MFA and RBAC. Ideal for BYOD, remote workers, and centralized desktop management.
Azure App Service
PaaS for hosting web apps, REST APIs, and mobile backends. You deploy code; Azure manages servers, OS, scaling, and load balancing. Supports .NET, Java, Ruby, Node.js, PHP, Python. Works on Windows and Linux. Built-in DevOps integration with GitHub, Azure DevOps, and Docker Hub.
Compute options comparison
| Service | Model | Best for |
|---|---|---|
| Virtual Machines | IaaS | Full OS control, lift-and-shift, custom software |
| VM Scale Sets | IaaS | Auto-scaling identical VMs, up to 1,000 instances |
| Azure Virtual Desktop | IaaS/PaaS | Remote Windows desktop, BYOD, centralized management |
| App Service | PaaS | Web apps / REST APIs, focus on code not servers |
| Azure Functions | PaaS (serverless) | Short event-driven tasks, pay per execution |
| Container Instances (ACI) | PaaS | Simplest container deployment, burst workloads |
| Container Apps | PaaS (serverless) | Microservices, scale-to-zero containers |
| AKS | PaaS | Production Kubernetes, large-scale containers |
VMs vs containers
VMs virtualize hardware — each VM has its own full OS, consuming significant memory. Containers virtualize the OS — multiple containers share the same OS kernel, making them far more lightweight and portable. Many more containers than VMs can run on the same hardware.
Azure container services
Container Instances (ACI)
Fastest, simplest way to run a container in Azure — no VMs or orchestrators to manage. PaaS. Best for simple containerized tasks, burst workloads, dev/test, and short-lived jobs. Billed per second of compute time only while running.
Container Apps
Fully managed serverless container platform for microservices. Abstracts Kubernetes complexity. Supports automatic scale-to-zero — pay nothing when no traffic is present. Language and runtime agnostic — any container image works.
Azure Kubernetes Service (AKS)
Managed Kubernetes service. Azure manages the Kubernetes control plane; you manage workloads and worker nodes. Best for large-scale production containerized apps. Integrates with GitHub and Azure DevOps pipelines, and with Entra ID and Azure Policy for cluster access control and admission policy.
Azure Functions — serverless compute
Event-driven serverless compute. Code runs only when triggered by an event — no server management, no idle cost.
Event triggers
HTTP requests, timers (scheduled), messages from Service Bus or Event Hub, file uploads to Blob Storage, database changes.
What you don't manage
Servers, containers, operating systems, scaling infrastructure — none of this is your concern. Azure provisions exactly the compute needed per execution.
Best for
Short-lived operations: on the Consumption plan the default timeout is 5 minutes and the maximum is 10. Processing files, responding to webhooks, scheduled data cleanup, glue code between services. NOT suited for long-running processes.
Auto-scaling
Automatically scales from zero to thousands of concurrent executions. No scaling rules to configure.
Azure Virtual Networks (VNets)
The fundamental networking building block. A logically isolated private network in Azure for your resources to communicate through.
IP address space
Define a private IP range (e.g. 10.0.0.0/16). This range is used internally and cannot be routed on the public internet. Subdivide into subnets to organize resources and apply granular security.
Public vs private endpoints
Public endpoints have public IP addresses accessible from anywhere. Private endpoints have private IPs within the VNet's address space — not reachable from the public internet.
VNet peering
Connects two separate VNets privately over Microsoft's backbone — never the public internet. Non-transitive: if A peers with B and B peers with C, A cannot reach C through B. Each peering must be explicitly created.
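The address-space and peering rules above are the kind of thing worth checking before a VNet is created, because fixing an overlapping range or a missing peering afterwards means re-addressing. The block below is an added example for this page, not Microsoft tooling. It assumes "private" means an RFC 1918 range, that Azure reserves five addresses in every subnet (network address, default gateway, two for Azure DNS, broadcast) and allows nothing smaller than /29, that peered VNets must not overlap, and that peering is strictly non-transitive. The VNet names and CIDRs are constructed for the example.

```python
"""VNet design checks: address space, subnet layout, peering (added example, not Microsoft code).

Assumptions: RFC 1918 = private; Azure reserves 5 addresses per subnet and the smallest
subnet is /29; peered address spaces must not overlap; peering is non-transitive.
All VNet names and CIDRs are constructed.
"""
import ipaddress
from collections import deque

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_RESERVED_PER_SUBNET = 5
AZURE_MIN_SUBNET_PREFIX = 29


def is_private_space(cidr: str) -> bool:
    """True if the VNet range lies inside an RFC 1918 block."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(p) for p in RFC1918)


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses you can actually assign in an Azure subnet after the reserved five."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AZURE_RESERVED_PER_SUBNET


def validate_subnets(vnet_cidr: str, subnet_cidrs: list) -> list:
    """Return a list of problems with the layout; an empty list means it is valid."""
    vnet = ipaddress.ip_network(vnet_cidr)
    subnets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    problems = []
    for s in subnets:
        if not s.subnet_of(vnet):
            problems.append(f"{s} is outside {vnet}")
        if s.prefixlen > AZURE_MIN_SUBNET_PREFIX:
            problems.append(f"{s} is smaller than the /{AZURE_MIN_SUBNET_PREFIX} minimum")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def can_peer(cidr_a: str, cidr_b: str) -> bool:
    """Peering is refused when the two address spaces overlap."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def reachable(peerings: list, src: str, dst: str) -> bool:
    """Real behaviour: src reaches dst only if a peering was created directly between them."""
    return any({src, dst} == {a, b} for a, b in peerings)


def naive_reachable(peerings: list, src: str, dst: str) -> bool:
    """The mistaken mental model: hopping across peerings (A -> B -> C). Kept only for contrast."""
    adj = {}
    for a, b in peerings:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


# Constructed hub-and-spoke layout: each spoke peers with the hub; the spokes do not peer with each other.
VNETS = {"hub": "10.0.0.0/16", "spoke-a": "10.1.0.0/16", "spoke-b": "10.2.0.0/16"}
PEERINGS = [("hub", "spoke-a"), ("hub", "spoke-b")]

if __name__ == "__main__":
    print(validate_subnets("10.0.0.0/16", ["10.0.1.0/24", "10.0.1.128/25", "10.1.0.0/24", "10.0.9.0/30"]))
    print("spoke-a -> spoke-b, real:", reachable(PEERINGS, "spoke-a", "spoke-b"),
          "assumed:", naive_reachable(PEERINGS, "spoke-a", "spoke-b"))
```

The last two calls are the non-transitivity point from the notes in executable form: with only hub-to-spoke peerings, spoke-a never reaches spoke-b, even though a graph search over the peerings says it should. If spokes need to talk, you either peer them directly or route through a network virtual appliance in the hub, and the NSGs on both sides still apply.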
Network Security Groups (NSGs)
Stateful layer-4 packet filters rather than full firewalls: inbound and outbound rules match on source and destination (an IP range or a service tag such as VirtualNetwork or Internet), port, and protocol, and return traffic for an allowed connection is permitted automatically. Attachable to subnets or individual network interfaces.
How rules work
Rules are evaluated in priority order, lowest number first (custom rules use priorities 100 to 4096). When a matching rule is found, Azure applies its action (allow or deny) and stops processing. The final default rule denies all unmatched traffic, so anything you have not explicitly allowed is dropped.
Default rules
Six default rules are created automatically and cannot be deleted. Inbound: AllowVNetInBound (65000), AllowAzureLoadBalancerInBound (65001), DenyAllInBound (65500). Outbound: AllowVNetOutBound (65000), AllowInternetOutBound (65001), DenyAllOutBound (65500). The VirtualNetwork tag covers the VNet's own address space plus peered VNets and on-premises ranges reached through a gateway. A custom rule with a lower priority number outranks a default: for example, a Deny rule for destination Internet at priority 4000 blocks the outbound internet access the default rule would otherwise allow.
Reusability
One NSG can be attached to multiple subnets and network interfaces, so a single policy protects many resources. When both a subnet and a NIC carry an NSG, inbound traffic is evaluated by the subnet NSG first and then by the NIC NSG, and outbound traffic by the NIC NSG first and then the subnet NSG; a flow must be allowed by both to pass.
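The three NSG notes above (priority order with first match wins, the six undeletable defaults, and subnet plus NIC evaluation) are all visible in one small evaluator. The block below is an added example written for this page, not Azure code. The six default rules are the real ones; the service tags are simplified (VirtualNetwork is the VNet's own address space, Internet is anything outside it, AzureLoadBalancer is the 168.63.129.16 health-probe source). The NSG names, rule names, addresses and flows are constructed for the example.

```python
"""NSG evaluation: priority order, first match wins, subnet and NIC NSGs both apply.
Added example, not Azure code. Default rules are real; service tags are simplified
(VirtualNetwork = the VNet's address space, Internet = outside it, AzureLoadBalancer =
168.63.129.16). NSG names, rules, addresses and flows below are constructed."""
from collections import namedtuple
from dataclasses import dataclass
import ipaddress

AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")  # source of Azure Load Balancer health probes


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first; custom rules 100-4096, defaults 65000+
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, or tag: "VirtualNetwork", "Internet", "AzureLoadBalancer", "*"
    destination: str   # same forms as source
    dest_port: str     # "443", "1024-65535" or "*"


Flow = namedtuple("Flow", "direction protocol src dst dst_port")

# The six rules every NSG carries. They cannot be deleted, only outranked by a lower-numbered custom rule.
DEFAULT_RULES = [
    Rule("AllowVnetInBound",              65000, "Inbound",  "Allow", "*", "VirtualNetwork",    "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound",  "Allow", "*", "AzureLoadBalancer", "*",              "*"),
    Rule("DenyAllInBound",                65500, "Inbound",  "Deny",  "*", "*",                 "*",              "*"),
    Rule("AllowVnetOutBound",             65000, "Outbound", "Allow", "*", "VirtualNetwork",    "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound",         65001, "Outbound", "Allow", "*", "*",                 "Internet",       "*"),
    Rule("DenyAllOutBound",               65500, "Outbound", "Deny",  "*", "*",                 "*",              "*"),
]


class NSG:
    def __init__(self, name, vnet_cidrs, custom_rules):
        self.name = name
        self.vnet = [ipaddress.ip_network(c) for c in vnet_cidrs]
        self.rules = sorted(list(custom_rules) + DEFAULT_RULES, key=lambda r: r.priority)

    def _addr_matches(self, selector, ip_str):
        ip = ipaddress.ip_address(ip_str)
        in_vnet = any(ip in n for n in self.vnet)
        if selector == "*":
            return True
        if selector == "VirtualNetwork":
            return in_vnet
        if selector == "AzureLoadBalancer":
            return ip == AZURE_LB_PROBE_IP
        if selector == "Internet":
            return not in_vnet and ip != AZURE_LB_PROBE_IP
        return ip in ipaddress.ip_network(selector, strict=False)

    @staticmethod
    def _port_matches(selector, port):
        if selector == "*":
            return True
        lo, _, hi = selector.partition("-")
        return int(lo) <= port <= int(hi or lo)

    def _matches(self, r, flow):
        return (r.direction == flow.direction and r.protocol in ("*", flow.protocol)
                and self._addr_matches(r.source, flow.src) and self._addr_matches(r.destination, flow.dst)
                and self._port_matches(r.dest_port, flow.dst_port))

    def evaluate(self, flow):
        """Lowest priority number first; the first matching rule decides. Returns (access, rule name)."""
        for r in self.rules:
            if self._matches(r, flow):
                return r.access, r.name
        return "Deny", "(unreachable: a DenyAll default always matches)"


def allowed(subnet_nsg, nic_nsg, flow):
    """Inbound: subnet NSG then NIC NSG. Outbound: NIC NSG then subnet NSG. Both must allow."""
    order = (subnet_nsg, nic_nsg) if flow.direction == "Inbound" else (nic_nsg, subnet_nsg)
    for nsg in order:
        if nsg is None:  # no NSG at that level means nothing filters there
            continue
        access, rule = nsg.evaluate(flow)
        if access == "Deny":
            return False, f"{nsg.name}:{rule}"
    return True, "allowed"


VNET = ["10.0.0.0/16"]
subnet_nsg = NSG("nsg-web-subnet", VNET, [
    Rule("AllowHttpsIn",        100, "Inbound", "Allow", "Tcp", "Internet", "*", "443"),
    Rule("AllowAltHttpsIn",     110, "Inbound", "Allow", "Tcp", "Internet", "*", "8443"),
    Rule("DenySshFromInternet", 120, "Inbound", "Deny",  "Tcp", "Internet", "*", "22"),
    Rule("AllowSshAny",         300, "Inbound", "Allow", "Tcp", "*",        "*", "22"),  # outranked by 120 for internet sources
])
nic_nsg = NSG("nsg-web01-nic", VNET, [
    Rule("AllowHttpsIn",        100, "Inbound", "Allow", "Tcp", "Internet",      "*", "443"),
    Rule("AllowSshFromBastion", 110, "Inbound", "Allow", "Tcp", "10.0.254.0/24", "*", "22"),
])


def inbound(src, port, proto="Tcp"):
    """Constructed inbound flow to the web VM at 10.0.1.4."""
    return Flow("Inbound", proto, src, "10.0.1.4", port)


if __name__ == "__main__":
    print(allowed(subnet_nsg, nic_nsg, inbound("203.0.113.5", 8443)))  # (False, 'nsg-web01-nic:DenyAllInBound')
```

Two cases are worth running in your head. SSH from the internet is denied by DenySshFromInternet at 120 even though AllowSshAny at 300 would match it, because evaluation stops at the first match. Port 8443 from the internet is allowed by the subnet NSG and then dropped by the NIC NSG's DenyAllInBound, which is the usual reason "I added the rule and it still doesn't work" tickets arrive: the second NSG in the path was never updated.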
Azure DNS
Hosting service for DNS zones providing name resolution using Microsoft's global infrastructure. DNS translates human-readable domain names to IP addresses.
What it hosts
DNS zones — collections of DNS records (A, CNAME, MX, etc.) that map domain names to IP addresses or other values.
Auto-integration
Azure DNS alias records point at an Azure resource (a public IP address, a Traffic Manager profile, or a Front Door endpoint) instead of a fixed IP. If the resource's address changes the record follows it, and if the resource is deleted the record stops resolving rather than dangling, which removes the stale-record path that enables subdomain takeover.
Cannot register domains
Azure DNS hosts DNS zones — it does not register domain names. Register through a domain registrar, then delegate to Azure DNS.
VPN Gateway vs ExpressRoute
| Factor | VPN Gateway | ExpressRoute |
|---|---|---|
| Connection path | Over the public internet (encrypted) | Private dedicated circuit — never touches public internet |
| Security | Encrypted with IPsec/IKE, but travels through internet infrastructure | Private path with no internet exposure. Not encrypted by default: add MACsec (ExpressRoute Direct) or run IPsec over the circuit if the data needs encryption in transit |
| Latency | Variable — depends on internet congestion | Low and predictable — dedicated bandwidth |
| Bandwidth | Up to about 10 Gbps aggregate, depending on gateway SKU | 50 Mbps to 10 Gbps through a connectivity provider; up to 100 Gbps with ExpressRoute Direct |
| Cost | Lower — no physical circuit required | Higher — requires connectivity provider coordination |
| Microsoft 365 | Not a path to Microsoft 365 (reached over the internet) | Supported through Microsoft peering, subject to Microsoft approval; one circuit reaches both Azure and M365 |
| Best for | Branch offices, remote users, cost-sensitive hybrid connectivity | Production workloads with strict performance needs, financial/regulated environments |
Exam rule: "Never traverse the public internet" or "private dedicated connection" = ExpressRoute. "Secure connection over the internet" = VPN Gateway.
VPN Gateway — deep dive
What it does
Creates an encrypted IPsec/IKE tunnel over the public internet between Azure VNets and on-premises locations. Data is encrypted before leaving and decrypted only at the destination, so an observer on the internet path sees only ciphertext.
Use cases
Site-to-site VPN (on-premises to Azure), point-to-site VPN (remote users to Azure), VNet-to-VNet VPN (two Azure VNets in different regions).
Entry point
Each VNet can have only one VPN gateway (and, separately, at most one ExpressRoute gateway). That one gateway can connect to multiple on-premises sites or VNets simultaneously.
ExpressRoute — deep dive
Private connection
Traffic travels from your facility to a connectivity provider's exchange point, then through Microsoft's global network to Azure data centers, never over public internet routing, so it is not exposed to internet-facing DDoS or to interception on the internet path. The circuit itself is not encrypted by default: anyone with access to the provider's link could read the traffic unless you add MACsec or run IPsec across it.
ExpressRoute Global Reach
Connect multiple on-premises sites through Microsoft's network. An office in Asia and data center in Europe, both connected via ExpressRoute, can exchange data without touching the public internet.
What it connects
Azure services and Microsoft 365 (Exchange, SharePoint, Teams). One circuit reaches both simultaneously.
Key terms — flash reference
Region
Geographic area with one or more nearby low-latency connected data centers. 60+ regions, available in 140+ countries.
Availability zone
Physically separate data center within a region, independent power/cooling/networking. Min 3 per supported region.
Region pair
Two Azure regions 300+ miles apart in the same geography. Maintenance is staggered across the pair and Microsoft prioritizes restoring one of them in a region-wide disaster; failover of your own workloads must be designed in.
Management group
Container grouping subscriptions for governance at scale. Max 10,000 per directory, 6 levels deep.
Subscription
Unit of billing and access management. Generates its own invoice. Billing + access boundaries.
Resource group
Logical container for related resources. Actions apply to all resources within. Cannot be nested.
VM Scale Sets
Auto-scales identical load-balanced VMs. Up to 1,000 instances. Handles demand spikes automatically.
Availability Sets
Protects VMs from planned/unplanned downtime using update domains and fault domains. Free.
App Service
PaaS for web apps and REST APIs. Deploy code; Azure manages servers, OS, and scaling.
Azure Functions
Serverless event-driven compute. Pay per execution. Auto-scales. Resources deallocated after execution.
VNet
Logically isolated private network. Divided into subnets. Resources communicate privately by default.
NSG
Virtual firewall with priority-based rules. 6 default undeletable rules. Attachable to subnets or NICs.
VPN Gateway
Encrypted connection over public internet. Variable latency. Lower cost.
ExpressRoute
Private dedicated circuit. Never touches public internet. Up to 100 Gbps. Predictable low latency.
A company wants VMs to stay available if an Azure data center loses power. All VMs are in the same data center. What should they configure?
Availability Zones. AZs are physically separate data centers in the same region with independent power. Distributing VMs across 3 zones means a power outage in one zone leaves VMs in the other two unaffected. Availability Sets only protect against rack-level failures within one data center.
A financial institution needs a private, dedicated, high-bandwidth connection from their data center to Azure that never traverses the public internet. Which service?
Azure ExpressRoute. ExpressRoute provides a private dedicated connection to Microsoft's network through a connectivity provider — traffic never touches the public internet. VPN Gateway would use the public internet (encrypted) and would not meet the "never traverse the public internet" requirement.
What is the difference between availability zones, availability sets, and region pairs?
Availability Sets protect against rack-level failures within a single data center — they use update domains (rolling maintenance) and fault domains (separate power/network). They do NOT protect against an entire data center going offline. Availability Zones protect against data center-level failures — deploying VMs across three separate zones means one entire data center going dark still leaves two zones operational. Region pairs protect against region-wide disasters — if a catastrophic event affects an entire Azure region, its paired region (300+ miles away) continues serving traffic. Use availability sets when zones are not available. Use availability zones for production workloads needing data-center resilience. Use region pairs for disaster recovery replication across geographies.
What are the two types of boundaries a subscription provides?
Subscriptions provide billing boundaries and access management boundaries. The billing boundary means each subscription generates its own invoice — organizations use multiple subscriptions to separate Azure costs by department, project, or environment for accurate internal chargeback. The access management boundary means different Azure RBAC policies can be applied to different subscriptions — one team's subscription can have completely different access rules from another's, preventing accidental cross-team resource modification. For enterprises, this provides both financial accountability and security isolation.