Azure Blob Storage | Azure Files | Azure Queue Storage | Azure Table Storage
#1 All four are Azure Storage account services and candidates apply "Azure Storage" without distinguishing between them.
Deciding signal
Blob Storage stores unstructured data — images, documents, videos, backups — accessed over HTTP with a flat namespace. It is the right answer for storing any binary or text object. Azure Files provides fully managed SMB and NFS file shares mountable on Windows, Linux, and macOS — the right answer when the scenario involves a shared file system accessible by multiple VMs or applications using standard file protocols. Queue Storage provides simple message queuing for decoupling application components — messages up to 64 KB, retention up to 7 days. Table Storage is NoSQL key-value storage for structured, schemaless data — less capable than Cosmos DB but cheaper for simple tabular data. The signal is the access pattern: object storage (Blob), shared file system mount (Files), lightweight message queue (Queue), simple tabular NoSQL (Table).
Quick check
Is this storing unstructured files/objects (Blob), mounting a shared file system (Files), queuing messages between services (Queue), or storing simple key-value structured data cheaply (Table)?
Why it looks right
Blob Storage is the most familiar and candidates apply it to file-share scenarios where Azure Files is correct because the workload requires SMB mount or POSIX file system semantics.
Azure Functions | Azure App Service | Azure Container Apps | Azure Kubernetes Service
#2 All four run application code without requiring full VM management, so candidates treat them as interchangeable.
Deciding signal
Azure Functions is event-driven serverless compute — triggered by events (HTTP, timer, queue message) with automatic scaling and consumption-based billing. Best for short tasks. App Service is a PaaS platform for hosting web apps, REST APIs, and mobile backends in multiple languages — it manages the underlying infrastructure. Best for persistent web applications. Container Apps is a serverless containers platform — it runs containers with automatic scaling including scale-to-zero, without managing Kubernetes directly. Best for containerized microservices. AKS is managed Kubernetes — you retain full Kubernetes API control, custom operators, and cluster configuration. Best when Kubernetes expertise and full orchestration control are required.
Quick check
Is this short event-triggered functions (Azure Functions), a persistent web app without containers (App Service), containerized services with serverless scaling (Container Apps), or full Kubernetes control (AKS)?
Why it looks right
App Service is the familiar web hosting answer. Container Apps is the correct answer when the scenario involves containers with serverless scaling — and AKS is correct when Kubernetes API compatibility or operator patterns are required.
Microsoft Entra ID (Azure AD) | Azure RBAC | Subscriptions and Management Groups
#3 All three control who can access what in Azure, so candidates blur identity, permissions, and scope.
Deciding signal
Microsoft Entra ID (formerly Azure Active Directory) is the identity provider: it stores users, groups, and service principals, and handles authentication (who you are). Azure RBAC assigns roles to identities at a specific scope (resource, resource group, subscription, management group) — it controls what authenticated identities can do. Subscriptions are billing and resource isolation boundaries; management groups are hierarchical containers for applying governance policies across subscriptions. The exam tests whether candidates know that Entra ID authenticates, RBAC authorizes, and the subscription/management group hierarchy defines the governance scope.
Quick check
Is this about storing identities and authenticating users (Entra ID), assigning permissions to control what users can do on resources (RBAC), or organizing subscriptions into a governance hierarchy (Management Groups)?
Why it looks right
RBAC and Entra ID are both "security" tools and candidates conflate authentication with authorization. Entra ID proves who you are; RBAC determines what you can do with that identity.
Azure Monitor | Log Analytics | Application Insights
#4 All three appear under the Azure Monitor umbrella, so candidates treat them as the same thing.
Deciding signal
Azure Monitor is the umbrella platform that collects metrics and logs from all Azure resources and feeds them into Log Analytics workspaces or Application Insights. Log Analytics is a workspace where logs from Monitor, VMs, containers, and other sources are stored and queried using Kusto Query Language (KQL). Application Insights is an APM service specifically for application telemetry — request rates, response times, exceptions, dependencies, and user behavior. When the scenario involves querying logs from multiple Azure resources or security logs, Log Analytics. When it involves instrumenting an application to capture request traces and exceptions, Application Insights.
Quick check
Is this the platform collecting all metrics and logs (Monitor), a workspace for querying logs from any Azure resource (Log Analytics), or application-level telemetry with performance traces and exceptions (Application Insights)?
Why it looks right
Azure Monitor is the umbrella and candidates treat Log Analytics and Application Insights as equivalent options under it. They have distinct purposes: Log Analytics for platform and infrastructure logs; Application Insights for application performance and user behavior.
Azure SQL Database | Azure Cosmos DB | Azure Table Storage
#5 All three are database options, so candidates default to Azure SQL or Cosmos DB for any database question.
Deciding signal
Azure SQL Database is a fully managed relational database — SQL Server compatibility, ACID transactions, foreign keys, and complex joins. Best for structured relational workloads. Cosmos DB is a globally distributed, multi-model database with single-digit millisecond latency at any scale — it supports multiple APIs (SQL/Core, MongoDB, Cassandra, Table, Gremlin). Best for globally distributed workloads requiring low latency and flexible schemas. Azure Table Storage is simple, cheap NoSQL key-value storage — it is less capable than Cosmos DB but lower cost for workloads that do not need global distribution or multiple APIs. When cost is the constraint and the data model is simple, Table Storage. When global distribution and SLA-backed latency matter, Cosmos DB.
Quick check
Is this a relational workload with SQL and joins (Azure SQL), a globally distributed low-latency flexible-schema workload (Cosmos DB), or simple key-value data at minimal cost (Table Storage)?
Why it looks right
Cosmos DB is the modern answer for NoSQL and candidates apply it universally. Table Storage is the correct lower-cost answer for simple key-value workloads where Cosmos DB capabilities are not required.
Azure VPN Gateway | Azure ExpressRoute
#6 Both connect on-premises networks to Azure, so candidates apply ExpressRoute as the "better" option without checking cost or setup time.
Deciding signal
VPN Gateway creates an encrypted IPsec/IKE tunnel from an on-premises device to Azure over the public internet. It is fast to set up, cost-effective, and suitable when consistent high bandwidth and dedicated latency are not critical requirements. ExpressRoute provides a private dedicated circuit from your data center to Azure through a connectivity provider — it bypasses the public internet, offers guaranteed bandwidth SLAs, and provides lower and more consistent latency. ExpressRoute takes weeks to provision and costs significantly more. When the scenario describes predictable latency, high bandwidth, and security requirements for a large enterprise connection, ExpressRoute. When it describes a faster, lower-cost hybrid connection, VPN Gateway.
Quick check
Is this an encrypted internet-based connection that is fast to provision (VPN Gateway), or a private dedicated circuit with guaranteed bandwidth and consistent latency (ExpressRoute)?
Why it looks right
ExpressRoute is the premium option and candidates associate it with all enterprise hybrid connectivity. VPN Gateway is the correct answer when cost, setup speed, or internet-based encryption is what the scenario describes.
Azure CDN | Azure Front Door | Azure Traffic Manager
#7 All three improve performance for globally distributed users, so candidates apply Front Door as the default "global" answer.
Deciding signal
Azure CDN caches static content (images, CSS, JavaScript, video) at edge POPs, reducing origin load and improving download speed for cacheable assets. It does not provide global load balancing of dynamic traffic. Azure Front Door is a global HTTP/HTTPS load balancer with routing rules, WAF integration, SSL offload, and intelligent routing across backend origins — it handles both static and dynamic traffic with URL-based routing. Traffic Manager is a DNS-based traffic routing service — it does not proxy traffic (no content delivery or HTTP termination), it just resolves DNS to different IP addresses based on routing policies (performance, weighted, geographic, priority). When the scenario involves HTTP routing with WAF and health-based failover, Front Door. When it involves DNS-based routing to regional endpoints without HTTP inspection, Traffic Manager.
Quick check
Is this caching static content at edge (CDN), globally routing and load balancing HTTP/HTTPS with WAF (Front Door), or DNS-based routing to regional endpoints without HTTP proxy (Traffic Manager)?
Why it looks right
Front Door and Traffic Manager both "route global traffic" and candidates conflate them. Traffic Manager only resolves DNS — it cannot inspect HTTP content, integrate WAF, or cache. Front Door does all of those.
Microsoft Defender for Cloud | Microsoft Sentinel | Microsoft Entra ID Protection
#8 All three detect and respond to security threats, so candidates apply Defender for Cloud to all security posture questions.
Deciding signal
Defender for Cloud (formerly Azure Security Center) assesses and protects Azure workloads — VMs, databases, containers, storage. It provides a secure score, hardening recommendations, and threat detection for Azure resources. Microsoft Sentinel is a cloud-native SIEM and SOAR — it aggregates logs from Azure, on-premises, and third-party sources, applies ML analytics to detect threats, and provides playbooks for automated response. Entra ID Protection detects risky sign-ins and compromised user accounts using ML on identity signals. When the scenario involves protecting Azure resources and improving their security configuration, Defender for Cloud. When it involves aggregating logs for threat hunting and incident response across an entire environment, Sentinel. When it involves detecting compromised user accounts or risky login behavior, Entra ID Protection.
Quick check
Is this assessing and protecting Azure workload configurations (Defender for Cloud), aggregating security logs for threat hunting and automated response (Sentinel), or detecting risky sign-ins and compromised identities (Entra ID Protection)?
Why it looks right
Defender for Cloud is the familiar security posture service. Sentinel is correct when the scenario involves SIEM capabilities — log aggregation, custom detection rules, and incident investigation across a broad environment.
Azure RBAC | Azure Policy
#9 Both control what happens in Azure subscriptions, so candidates conflate compliance guardrails with access permissions.
Deciding signal
Azure RBAC assigns permissions to identities — it controls what actions a user, group, or service principal can perform on resources. It answers "who can do what." Azure Policy evaluates resource properties against defined rules and either audits or enforces compliance — it answers "are resources configured correctly?" For example, RBAC might allow a user to create storage accounts; Azure Policy might enforce that all storage accounts must be created with HTTPS-only access enabled. Policy can deny non-compliant resource creation or remediate existing resources. They are complementary: RBAC controls user actions; Policy controls resource configuration regardless of who created them.
Quick check
Is the requirement to control who can perform actions on resources (RBAC), or to enforce that resources meet specific configuration standards regardless of who creates them (Azure Policy)?
Why it looks right
RBAC is the familiar access control tool. Azure Policy is the correct answer when the scenario describes enforcing a resource configuration rule across a subscription or management group — a constraint on the resource, not on the user.
Azure Reserved Instances | Azure Spot VMs | Azure Hybrid Benefit
#10 All three reduce Azure VM costs, so candidates apply Reserved Instances to all cost-optimization scenarios.
Deciding signal
Reserved Instances provide up to 72% savings versus pay-as-you-go in exchange for a 1- or 3-year commitment to a specific VM size in a specific region. Best for stable, predictable workloads. Spot VMs offer deep discounts (up to 90%) on unused Azure capacity, but Azure can evict them with 30 seconds notice when capacity is needed. Best for interruptible batch jobs or stateless workloads. Azure Hybrid Benefit allows using existing on-premises Windows Server or SQL Server licenses with Software Assurance on Azure VMs, reducing the cost of the licensing component. These are not mutually exclusive — Hybrid Benefit and Reserved Instances can be combined.
Quick check
Is this a stable workload needing a long-term commitment discount (Reserved Instances), an interruptible workload that can tolerate eviction (Spot VMs), or reusing existing on-premises Windows/SQL licenses (Hybrid Benefit)?
Why it looks right
Reserved Instances are the most visible cost-reduction tool. Spot VMs are the correct answer when the scenario describes workloads that can be interrupted — a signal that candidates sometimes overlook in favor of Reserved Instances.