| Azure regions, region pairs & sovereign regions |
- Questions test whether you know the correct definition of an Azure region — specifically its relationship to data centres and the type of network connectivity between them.
- Questions test knowledge of Azure sovereign regions — you need to know how they differ from global Azure in terms of who operates them and which organisations are eligible to use them.
- Questions test more detailed characteristics of a specific sovereign region — you need to know how it compares to global Azure in terms of operational independence, feature availability, and access restrictions.
- Questions use true/false format to test whether you know how many Azure regions represent a given geographic area — you need to know that major geographies such as North America are covered by multiple regions, not a single one.
- Questions use true/false format to test whether data transfers between Azure services in different regions are always free — you need to know that cross-region data egress is not automatically free and that costs can apply depending on the transfer path.
|
| Availability zones |
- Questions present a scenario requiring VM services to remain available if a single data centre fails, and ask which deployment approaches achieve this resilience — you need to know which constructs provide data-centre-level fault isolation and be able to distinguish them from constructs that group resources without providing physical redundancy.
|
| Azure datacenters |
- Questions use true/false format to test foundational knowledge about the relationship between Azure regions and datacenters — you need to know that every Azure region contains at least one datacenter, and understand that regions are defined by their physical infrastructure presence.
|
| Resource groups |
- Questions test the rules and constraints that govern resource groups — you need to know what is and is not permitted in terms of nesting, resource membership, and cross-region resource placement.
- Questions test how permissions interact with resource groups — you need to know how access granted at the resource group level applies to the resources within it.
- Questions test when resource group placement is significant for access management — you need to understand the relationship between grouping resources and delegating permissions across them simultaneously.
- Questions test where a newly created Azure resource is placed — you need to know the container that holds Azure resources and be able to distinguish it from other Azure constructs that might be confused with it.
|
| Subscriptions |
- Questions present an organisational scenario requiring isolated resource management per team or department, and ask which Azure constructs can be used to achieve that separation — you need to know the role that subscriptions and resource groups play.
- Questions test what is and is not possible with Azure subscriptions — you need to know whether a single account can manage multiple subscriptions, and whether subscriptions support merging.
- Questions test the relationship between subscriptions and Microsoft Entra tenants — you need to know how many tenants a subscription can be associated with at one time, whether that association can be changed, and what happens to the tenant when a subscription expires.
- Questions test subscription administration rules — you need to know whether a subscription supports multiple account administrators, whether it can be managed by different account types, and how the subscription hierarchy relates to resource groups.
- Questions present a scenario where departments need separate billing and ask which Azure construct enables this — you need to know which Azure boundary governs billing and payment.
- Questions test whether resources can be moved between subscriptions and under what conditions — you need to know the flexibility that exists for resource movement across subscription boundaries.
|
| Management groups |
- Questions test what management groups are used for — you need to know their purpose in the Azure organisational hierarchy and be able to distinguish them from other constructs used for resource grouping and governance.
|
| Azure Virtual Machines |
- Questions test whether you know which Azure service provides a specific capability for virtual machines — you need to understand the purpose of VM-related services and be able to distinguish between closely related availability and resilience concepts.
- Questions test your ability to identify which Azure compute service matches a specific technical description of what it provides — you need to know how virtual machines are characterised at a conceptual level and how they differ from container and serverless alternatives.
- Questions test what additional infrastructure resource a VM requires at deployment — you need to know which dependent resource is mandatory and be able to distinguish it from optional components such as firewalls and public IP addresses.
|
| VM Scale Sets & availability sets |
- Questions test whether you can identify the correct VM grouping mechanism for a given high-availability requirement — you need to know the specific concepts associated with each construct and which one they belong to.
|
| Azure Virtual Desktop |
- Questions test the capabilities and constraints of Azure Virtual Desktop — you need to know what types of virtualisation it supports, which operating systems are valid for session hosts, and how the number of session hosts in a host pool relates to simultaneous user connections.
- Questions test what mechanism is used to grant access to Azure Virtual Desktop resources — you need to know which Azure access control system applies and be able to distinguish it from other grouping and tagging constructs.
|
| Containers & Azure Kubernetes Service (AKS) |
- Questions test how to classify container-based services within Azure's broader service categories — you need to know which service category containers belong to and be able to distinguish it from other categories.
- Questions present a requirement to manage containers and ask which Azure services support this — you need to know which services are designed for container orchestration and management.
|
| Azure Functions (serverless) |
- Questions test whether you can identify Azure Functions as the Azure service that represents serverless computing — you need to know that Azure Functions executes event-driven code without requiring the customer to manage underlying infrastructure, and be able to distinguish it from IaaS, storage, and dedicated hosting alternatives offered as distractors.
|
| App Service & application hosting options |
- Questions present a scenario with a service model constraint and ask which combination of Azure services satisfies it — you need to be able to classify individual services correctly and identify which pairings meet the requirement.
- Questions test classification of specific services that might be confused with IaaS or PaaS — you need to know which storage and platform services are fully managed and which require customer infrastructure management, and be able to correctly classify them even when the description might suggest otherwise.
|
| Virtual networks & subnets |
- Questions test whether you can identify the core capability that Azure Virtual Networks provide — you need to understand VNet's primary role and distinguish it from monitoring, security scanning, and cost management features.
- Questions present a scenario where one resource must be prevented from connecting to others in the same environment, and ask which approach achieves network-level isolation — you need to understand what VNet placement means for connectivity and distinguish it from other separation methods such as resource groups or OS differences.
- Questions use true/false format to test whether VNets deployed to the same Azure region are connected to each other by default — you need to know that VNets are isolated by default and that connectivity must be explicitly configured through peering or other mechanisms.
- Questions use true/false format to test VNet naming rules within a resource group — you need to know the scope at which VNet names must be unique and understand the constraints on naming across different resource groups and subscriptions.
- Questions use true/false format to test whether a VNet's address space must be unique within a subscription — you need to know the actual uniqueness requirement for VNet address spaces and understand where that constraint applies.
|
| VNet peering |
- Questions test what VNet peering does and how it differs from other connectivity options — you need to know that it connects two or more virtual networks to form a single logical network, and be able to distinguish this from services that provide private connections to on-premises environments or encrypted tunnels over a public network.
|
| VPN Gateway |
- Questions test what VPN Gateway provides and how it differs from ExpressRoute and VNet peering — you need to know that it provides an encrypted connection from on-premises to Azure over a public network, and understand when it is appropriate compared to private connectivity options.
- Questions present a scenario where an on-premises VPN appliance needs to be represented in Azure, and ask which resource type is used for this purpose — you need to know the specific Azure networking resource that represents an on-premises network gateway.
|
| ExpressRoute |
- Questions test technical facts about how ExpressRoute works — you need to know the routing protocol it uses, how it connects to Azure, and what configuration flexibility it supports.
- Questions test at which OSI layer ExpressRoute operates — you need to know its position in the network stack and be able to distinguish it from other OSI layers.
- Questions test which service provides a private connection from on-premises networks to Microsoft cloud — you need to distinguish ExpressRoute from VPN Gateway and VNet peering based on the nature of the connection.
|
| Azure Storage services (Blob, Files, Queue, Table) |
- Questions test whether you know which storage service supports on-premises synchronisation — you need to understand each service's primary purpose and which one is the correct target for this use case.
- Questions test which storage account configurations are supported across different account types — you need to know the capabilities and limitations of different storage account tiers.
- Questions test each storage service by its primary use case — you need to know the distinct purpose of each service and be able to match a described requirement to the correct one.
- Questions present a scenario requiring client machines to map a network drive to Azure storage, and ask which storage solution satisfies this — you need to know which storage service type supports this access pattern.
- Questions test the correct technical description of each storage service — you need to understand the precise purpose of each type and be able to match a detailed description of its optimised use case to the correct service name.
- Questions present a task requiring creation of an Azure file share and ask which Azure construct you must use — you need to know that file shares are provisioned within storage accounts, and be able to distinguish this from resource groups, database services, and portal quickstart tools.
|
| Storage tiers (Hot, Cool, Archive) |
- Questions test what is required before data in the Archive tier can be accessed — you need to know the process involved and understand how it differs from other tiers.
- Questions test which storage service supports the Archive access tier — you need to know which services are eligible and which are not.
- Questions use true/false format to test whether the Archive tier is configured at the storage account level or the blob level — you need to know the correct scope at which Archive is applied and be able to reject the misconception that it is an account-wide setting.
- Questions use true/false format to test the recommended use case for the Hot access tier — you need to know that it is optimised for data that is accessed and modified frequently, and understand how this distinguishes it from Cool and Archive.
- Questions use true/false format to test whether the Cool access tier is the recommended choice for long-term backups — you need to know which tier is specifically designed for infrequently accessed data held over longer periods, and be able to distinguish this from Archive.
|
| Storage redundancy (LRS, GRS, ZRS) |
- Questions test how many copies of data each redundancy option maintains — you need to know the replication count for each option and be able to select the correct figure from a list of plausible numbers.
- Questions test what the default replication behaviour of Azure Storage is, and correct common misconceptions — you need to know the minimum number of copies maintained by default and understand which assumptions about cross-region replication are incorrect for certain redundancy options.
|
| AzCopy, Azure Storage Explorer & Azure File Sync |
- Questions test which tool is used to synchronise on-premises file data with Azure storage — you need to know the specific storage target each tool works with and be able to distinguish between them.
- Questions test what each of these three tools does and does not do — you need to understand the distinct purpose of each tool and be able to correct common misconceptions about their capabilities.
|
| Azure Migrate & Azure Data Box |
- Questions test what each migration tool is used for and how they differ — you need to know which is a physical transfer service and which handles cloud migration assessment and orchestration, and be able to distinguish both from other storage and synchronisation tools.
|
| Microsoft Entra ID & Microsoft Entra Domain Services |
- Questions test whether you understand how Microsoft Entra ID integrates with on-premises directory services and third-party identity providers — you need to know what can be synchronised and federated to support Azure resource access.
- Questions test whether Azure provides built-in identity and access services and what those services cover.
- Questions test the full scope of what Microsoft Entra can manage — you need to know whether it can control access to on-premises applications, whether it provides single sign-on, and which types of devices can be registered in a tenant.
- Questions test the architecture requirements of Microsoft Entra ID — you need to know whether it requires specific infrastructure components such as domain controllers on virtual machines to function.
- Questions test the scope of services that Microsoft Entra ID provides authentication for, and how licensing within a tenant works.
|
| Authentication — SSO, MFA & passwordless |
- Questions test whether you can distinguish authentication from authorisation — you need to know the precise definition of each term and understand that they describe different stages of the access process.
- Questions test the prerequisites, scope, and valid methods of Azure MFA — you need to know what is and is not required to implement MFA, which account types it can be applied to, and what constitutes a valid verification method.
- Questions test the relative security level of different authentication approaches — you need to understand how password-only, multi-factor, and passwordless methods compare and be able to rank them in order of security strength.
- Questions test a more granular understanding of SSO — you need to know whether it requires a specific application to function, and be able to correctly distinguish what authentication and authorisation each describe.
|
| Microsoft Entra Conditional Access |
- Questions test whether you understand what Conditional Access does and how to describe its function — you need to know its role in the sign-in process and be able to distinguish it from related identity and device management tools.
- Questions test the mechanism by which Conditional Access makes its access decisions — you need to understand what inputs it evaluates during the sign-in process to determine whether to allow or deny a request.
- Questions present a scenario where access to Entra-integrated applications must be restricted based on device compliance, such as requiring the latest security patches — you need to know that Conditional Access policies can enforce device health conditions and be able to distinguish this from Azure Policy, firewall rules, and bastion host services.
|
| Azure RBAC |
- Questions test whether you know where role assignments are configured in the Azure portal — you need to know which blade is used to assign roles at the resource group scope.
- Questions test the flexibility and constraints of RBAC — you need to know whether custom roles can be created, whether a user account can hold multiple roles simultaneously, and whether the same role can be assigned to multiple users at a given scope.
|
| Defense-in-depth |
- Questions test whether you can match specific security controls to the correct layer of the defense-in-depth model — you need to know which control belongs to which layer and be able to identify the right one when the same options are presented across multiple questions.
- Questions test the ordering of the defense-in-depth layers — you need to know the sequence of layers from outermost to innermost and be able to place each named layer correctly within that sequence.
|
| Microsoft Defender for Cloud |
- Questions test what Microsoft Defender for Cloud enables in terms of VM access security — you need to know which specific access control feature it provides and be able to distinguish it from other security and networking tools that serve different purposes.
- Questions test which Azure service is used to evaluate whether an environment meets regulatory compliance requirements — you need to know that Defender for Cloud provides compliance assessment and be able to distinguish it from health monitoring, advisory, and service status tools.
- Questions present a scenario where an administrator needs to review their subscription's secure score, and ask which service to use — you need to know that Microsoft Defender for Cloud surfaces the secure score and be able to distinguish it from Azure Monitor, Azure Advisor, and support tooling.
|