Azure Fundamentals — Core Concepts
Understand the core Azure building blocks — regions, availability zones, resource groups, subscriptions, and the shared responsibility model.
What you'll learn
- Explain the Azure global infrastructure (regions, AZs, geographies)
- Understand the Azure hierarchy: management groups → subscriptions → resource groups → resources
- Differentiate IaaS, PaaS, and SaaS with Azure examples
- Describe the shared responsibility model
What is Microsoft Azure?
Azure is Microsoft's public cloud platform — a global network of data centres that lets you rent computing resources (servers, storage, networking, AI services, databases) instead of owning physical hardware.
Think of it this way
Azure is like renting space in a world-class data centre, with the ability to scale up or down in seconds and pay only for what you use.
Azure Global Infrastructure
Regions
A region is a geographical area containing one or more data centres. Azure has 60+ regions across the globe (e.g., UK South, East US, West Europe).
When you deploy a resource, you choose a region. Key considerations:
- Latency — choose a region close to your users
- Data residency — some regulations require data to stay in specific geographies
- Service availability — not all services are available in every region
Availability Zones (AZs)
An Availability Zone is a physically separate data centre within a region. Each AZ has independent power, cooling, and networking.
Region: UK South
├── Availability Zone 1 (Data Centre A)
├── Availability Zone 2 (Data Centre B)
└── Availability Zone 3 (Data Centre C)
Deploying across multiple AZs protects against single data-centre failures. This is called zone-redundant deployment.
Warning
Not all Azure regions have Availability Zones. Always check the Azure documentation when designing for high availability.
Region Pairs
Azure pairs each region with another region in the same geography. If one region has a catastrophic failure, the paired region is used for recovery. Example: UK South is paired with UK West.
The Azure Hierarchy
Understanding the Azure management hierarchy is essential for AZ-104 and real-world deployments:
Azure Active Directory Tenant
└── Management Groups (optional grouping)
    └── Subscriptions (billing boundary)
        └── Resource Groups (logical containers)
            └── Resources (VMs, storage, databases…)
Tenants
A tenant is an instance of Azure Active Directory (now called Microsoft Entra ID). It represents your organisation in Azure. One organisation can have multiple subscriptions but typically one tenant.
Subscriptions
A subscription is the billing and access control boundary. Everything you deploy in Azure is under a subscription.
- Each subscription has its own billing account
- You can apply policies and RBAC at the subscription level
- Useful for separating environments (Dev, Test, Prod) or departments
Resource Groups
A resource group is a logical container for related resources. Think of it as a folder.
Best practices:
- Group resources that share the same lifecycle (deploy/delete together)
- Use naming conventions: rg-projectname-environment-region
- Apply tags on resource groups to propagate to child resources
Resources
A resource is any Azure service you deploy — a VM, a storage account, a virtual network, a database, etc.
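The hierarchy above also determines who can reach a resource: an Azure RBAC role assigned at a management group, subscription, or resource group is inherited by everything beneath it. The following is an added example, not code from the original page, that walks a resource's scope up the hierarchy and lists every assignment that applies to it. The management group names, subscription ID, principals, and resource names are constructed sample data.

```python
# Constructed sample data: every ID, name and principal here is illustrative.
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
MG_PARENT = {"mg-prod": "mg-root", "mg-root": None}  # management group -> parent
SUB_TO_MG = {"sub-prod-001": "mg-prod"}              # subscription -> management group
RG = "/subscriptions/sub-prod-001/resourceGroups/rg-shop-prod-uksouth"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/stshopprod"
ASSIGNMENTS = [  # (principal, role, scope where the role was assigned)
    ("alice", "Owner", MG_PREFIX + "mg-root"),
    ("ci-pipeline", "Contributor", "/subscriptions/sub-prod-001"),
    ("bob", "Reader", RG),
    ("carol", "Contributor", "/subscriptions/sub-prod-001/resourceGroups/rg-other-prod-uksouth"),
]
PRIVILEGED = {"Owner", "Contributor", "User Access Administrator"}

def ancestor_scopes(scope):
    """Return `scope` and every parent scope above it, nearest first."""
    parts = scope.strip("/").split("/")
    chain = []
    if parts[0].lower() == "subscriptions":
        in_rg = len(parts) >= 4 and parts[2].lower() == "resourcegroups"
        if len(parts) > 4 and in_rg:
            chain.append(scope)                      # the resource itself
        if in_rg:
            chain.append("/" + "/".join(parts[:4]))  # its resource group
        chain.append("/" + "/".join(parts[:2]))      # its subscription
        mg = SUB_TO_MG.get(parts[1].lower())
    else:
        mg = parts[-1]                               # a management group scope
    while mg:                                        # walk up the management groups
        chain.append(MG_PREFIX + mg)
        mg = MG_PARENT.get(mg)
    return chain

def effective_access(scope):
    """Assignments that apply at `scope`, ordered from most local to most inherited."""
    chain = [s.lower() for s in ancestor_scopes(scope)]  # scopes are case-insensitive
    hits = [a for a in ASSIGNMENTS if a[2].lower() in chain]
    return sorted(hits, key=lambda a: chain.index(a[2].lower()))

def inherited_privileged(scope):
    """Write-capable roles that reach `scope` from the subscription level or above."""
    wide = {s.lower() for s in ancestor_scopes(scope) if "/resourcegroups/" not in s.lower()}
    return [(p, r) for p, r, s in effective_access(scope) if r in PRIVILEGED and s.lower() in wide]

if __name__ == "__main__":
    for principal, role, source in effective_access(STORAGE):
        print(f"{principal:12} {role:12} from {source}")
```

Running `inherited_privileged` over each production resource shows which Owner or Contributor assignments were granted far above the resource group and are candidates for narrowing.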
Service Models: IaaS, PaaS, SaaS
| Model | You manage | Azure manages | Example |
|---|---|---|---|
| IaaS | OS, runtime, apps, data | Hardware, network, virtualisation | Azure VMs |
| PaaS | Apps, data | Everything below the app layer | Azure App Service, Azure SQL |
| SaaS | Nothing (just use it) | Everything | Microsoft 365, Dynamics 365 |
Interview shortcut
IaaS gives you the most control. SaaS gives you the least. PaaS is in the middle — Azure manages the platform, you manage the code and data.
Shared Responsibility Model
Azure's shared responsibility model defines what you are responsible for versus what Azure manages, depending on the service model.
On-Premises: YOU manage everything
IaaS: Azure → physical + network + hypervisor | You → OS + runtime + apps + data
PaaS: Azure → everything below apps | You → apps + data
SaaS: Azure → everything | You → data (sometimes)
Warning
Data classification, access control, and your application's security are always your responsibility, regardless of service model.
Key Azure Services Overview
| Category | Common Services |
|---|---|
| Compute | Virtual Machines, App Service, Azure Functions, AKS |
| Storage | Blob Storage, File Storage, Queue Storage, Table Storage |
| Networking | Virtual Network, Load Balancer, Application Gateway, VPN Gateway |
| Databases | Azure SQL, Cosmos DB, Azure Database for PostgreSQL/MySQL |
| Identity | Microsoft Entra ID (Azure AD), RBAC |
| Monitoring | Azure Monitor, Log Analytics, Application Insights |
| Security | Defender for Cloud, Key Vault, Sentinel |
Common Interview Questions
Q: What is the difference between a region and an availability zone?
A: A region is a geographical area with one or more data centres. An availability zone is a physically separate data centre within a region with independent power, cooling, and networking. AZs protect against data-centre-level failures; regions protect against regional disasters.
Q: What is an Azure resource group and what are the rules?
A: A resource group is a logical container for Azure resources. Every resource must belong to exactly one resource group. Resources in different regions can be in the same resource group. Deleting a resource group deletes all resources inside it.
Q: What is the difference between IaaS and PaaS?
A: With IaaS (e.g., Azure VMs), you manage the OS, runtime, and application — Azure provides the hardware and virtualisation layer. With PaaS (e.g., App Service), Azure manages the OS and runtime — you only manage your application and data. PaaS is faster to deploy but less customisable.
Common Mistakes
- Confusing subscriptions and resource groups — subscriptions are billing boundaries; resource groups are logical groupings within a subscription
- Assuming all regions have AZs — only specific regions support Availability Zones
- Putting unrelated resources in one group — if resources have different lifecycles, they should be in separate groups
What to Learn Next
After this foundation, continue with:
- Azure Networking Basics — VNets, subnets, NSGs
- Azure Virtual Machines — compute fundamentals
- Azure Identity and RBAC — how access control works