Physical Infrastructure
Azure infrastructure has two layers: physical infrastructure (where hardware lives) and management infrastructure (how you organize and govern resources).
At the foundation are Datacenters; you never interact with them directly. Azure groups datacenters into Regions, of which there are 60+ worldwide. For disaster recovery, most regions belong to Region Pairs that are at least 300 miles apart. Some regions are Sovereign Regions, isolated instances for government or compliance needs. Within a region, Availability Zones provide datacenter-level fault isolation; a region that supports AZs has at least three zones.
- Datacenters: Buildings full of servers, networking, and power that form the foundation of Azure infrastructure. You never interact with them directly; Azure groups them into higher abstractions called regions.
- Regions: Geographic areas containing one or more datacenters connected by a low-latency network. Azure has 60+ regions worldwide. When you deploy a resource, you choose a region. Some services are global (Microsoft Entra ID, Azure DNS) and do not require a region choice.
- Region Pairs: Two regions within the same geography that are linked together. Platform updates roll out to one region at a time; GRS automatically replicates to the paired region; during broad outages, one region of each pair is prioritized for recovery. Most pairs are at least 300 miles apart.
- Sovereign Regions: Isolated Azure instances operated for compliance or government requirements, such as Azure Government (US government agencies) and Azure China 21Vianet (operated by 21Vianet, physically isolated from global Azure).
- Availability Zones: Physically separate datacenters within a single region, each with independent power, cooling, and networking. A region that supports AZs has a minimum of three zones. Use AZs to protect apps and data from datacenter-level failures.
| Scope | Protects against | Example service use |
|---|---|---|
| Availability Set | Rack-level failure within a datacenter | Legacy VM HA |
| Availability Zone | Full datacenter failure within a region | Zone-redundant Storage, VMs |
| Region Pair | Region-wide disaster | GRS, Geo-replication |
Zonal services (e.g., VMs, managed disks) are pinned to a specific zone — you choose which zone. Zone-redundant services (e.g., Azure SQL Database, Zone-redundant Storage) spread automatically across zones; Microsoft handles replication.
Management Infrastructure
The management hierarchy is built from four levels. Individual Resources are always placed inside Resource Groups, which cannot be nested and whose deletion removes all contained resources. Resource groups belong to Subscriptions; each subscription is a separate billing and access-control boundary. At the top, Management Groups sit above subscriptions and can be nested up to 6 levels deep, with governance flowing down to all subscriptions below.
- Resources: The individual items you create in Azure: VMs, storage accounts, databases, etc. Every resource must belong to exactly one resource group.
- Resource Groups: Logical containers that hold related resources for a solution. Resource groups cannot be nested. Deleting a resource group deletes all resources inside it. Resources in a group can span multiple regions, and the group itself has a region for metadata storage only.
- Subscriptions: Billing and access-control boundaries that contain resource groups. A single Microsoft Entra tenant can have multiple subscriptions. Subscriptions serve as a billing boundary (separate invoices) and an access-control boundary (RBAC policies apply at subscription scope).
- Management Groups: Containers that sit above subscriptions and allow you to apply governance at scale. Management groups can be nested up to 6 levels deep. Every directory has one Root Management Group. Policies and RBAC assigned at a management group are inherited by all subscriptions below.
The Full Hierarchy (top to bottom)
```
Root Management Group
└── Management Group (optional, nestable 6 levels)
    └── Subscription
        └── Resource Group
            └── Resource
```
Governance (Azure Policy, RBAC) flows downward through this hierarchy — settings at a higher scope apply to everything below.
Physical Redundancy Scopes — Choosing the Right Level
| Redundancy Scope | What It Protects Against | Azure Mechanism | Notes |
|---|---|---|---|
| Fault domain (within datacenter) | Single rack power/network failure | Availability Set | Legacy; same datacenter |
| Availability Zone | Full datacenter failure | AZ-aware deployments | Minimum 3 zones per region |
| Region Pair | Regional disaster / broad outage | GRS, Azure Site Recovery | 300+ miles apart |
Key design principle: For mission-critical workloads, combine AZ-aware deployment (datacenter-level HA) with geo-redundant replication (regional-level DR).
Region Pairs — Key Benefits Table
| Benefit | Detail |
|---|---|
| Sequential platform updates | One region updated at a time — reduces risk of simultaneous outage |
| Automatic data replication | GRS, GZRS, and Azure Site Recovery use pairs for secondary storage |
| Recovery prioritization | During a broad Azure outage, one paired region is recovered first |
| Data residency | Pairs stay within the same geopolitical boundary for compliance |
Management Hierarchy — Scope and Inheritance
| Level | What it holds | Governance applied here |
|---|---|---|
| Root Management Group | All management groups | Broadest policies (apply to entire tenant) |
| Management Group | Subscriptions and child MGs | Org/division-level policies |
| Subscription | Resource groups | Environment or department-level policies |
| Resource Group | Resources | Solution-level tagging, access, policies |
| Resource | Individual Azure service | Resource-level RBAC, locks |
Inheritance is top-down and automatic. A policy assigned at the subscription scope applies to all resource groups and resources within it, without additional configuration.
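For an access review, the inheritance rule above means a resource's effective RBAC is the union of assignments at every scope above it. The following is an added example, not part of the original guide: it walks a resource ID up the hierarchy and returns the assignments it inherits. The tenant layout, management group names, principals and subscription ID are constructed sample data; the ID shapes follow the standard Azure resource ID format.

```python
import re

# Constructed sample tenant: management group -> parent (None marks the root).
MG_PARENT = {"root": None, "corp": "root", "prod": "corp"}
# A subscription sits in exactly one management group, so a dict models it.
SUB_TO_MG = {"00000000-0000-0000-0000-000000000001": "prod"}
MAX_MG_DEPTH = 6  # nesting limit from this page; counted here below the root

MG_SCOPE = "/providers/Microsoft.Management/managementGroups/{}"
RID = re.compile(r"^/subscriptions/(?P<sub>[^/]+)"
                 r"(?:/resourceGroups/(?P<rg>[^/]+)(?P<rest>/providers/.+)?)?$", re.I)

def scope_chain(resource_id):
    """Return every scope the ID inherits from, broadest first."""
    m = RID.match(resource_id)
    if not m:
        raise ValueError("not a subscription, resource group or resource ID")
    mgs, mg = [], SUB_TO_MG[m["sub"]]
    while mg is not None:          # climb from the subscription's MG to the root
        mgs.append(mg)
        mg = MG_PARENT[mg]
    if len(mgs) - 1 > MAX_MG_DEPTH:
        raise ValueError("management group nesting exceeds 6 levels")
    chain = [MG_SCOPE.format(g) for g in reversed(mgs)]
    chain.append(f"/subscriptions/{m['sub']}")
    if m["rg"]:                    # resource groups never nest: one level only
        chain.append(f"{chain[-1]}/resourceGroups/{m['rg']}")
    if m["rest"]:
        chain.append(resource_id)
    return chain

def effective_assignments(resource_id, assignments):
    """assignments: (scope, principal, role) tuples; return the inherited ones."""
    chain = [s.lower() for s in scope_chain(resource_id)]
    hits = [a for a in assignments if a[0].lower() in chain]
    return sorted(hits, key=lambda a: chain.index(a[0].lower()))

# Constructed role assignments at different scopes.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SAMPLE = [
    (MG_SCOPE.format("root"), "breakglass@example.com", "Owner"),
    (SUB, "ops-team", "Contributor"),
    (SUB + "/resourceGroups/rg-other", "dev-team", "Contributor"),
    (SUB + "/resourceGroups/rg-app", "app-ci", "Reader"),
]
```

An assignment on a sibling resource group never reaches the resource, while an Owner assignment at the root management group reaches every resource in the tenant.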
Resource Group Rules — Common Exam Traps Clarified
| Statement | True or False |
|---|---|
| A resource group can contain other resource groups | FALSE — groups cannot be nested |
| A resource must belong to exactly one resource group | TRUE |
| Deleting a resource group leaves its resources intact | FALSE — all resources are also deleted |
| Resources in a group must be in the same region as the group | FALSE — resources can be in any region |
| A subscription can belong to multiple management groups | FALSE — one management group only |
Explore Azure Physical and Management Infrastructure
Step 1 — Browse Azure Regions
- Navigate to azure.microsoft.com/explore/global-infrastructure/geographies.
- Select any geography (e.g., United States) and identify the paired regions listed.
- Note which regions have Availability Zones marked.
Step 2 — View the Management Group Hierarchy
- Sign in to portal.azure.com.
- Search for Management groups in the top search bar.
- Click on Tenant Root Group to see the hierarchy root.
- Note any child management groups and their subscriptions below.
Step 3 — Inspect a Resource Group
- Navigate to Resource groups → select any existing group.
- Click Overview — note the group's own Location (metadata region) and observe that contained resources may be in different regions.
- Under Settings → Locks — observe where Delete or ReadOnly locks would be placed.
Step 4 — Explore Subscription Scope
- Navigate to Subscriptions → select your subscription.
- Click Access control (IAM) — observe RBAC assignments at subscription scope.
- Click Resource providers — see which Azure services are registered for this subscription.
AZ-900 Exam Focus
Exam Trap
"Availability Zone = a single datacenter" — False. An AZ is a group of one or more physically separate datacenters within a region. The defining characteristic is independent power, cooling, and networking — not that it is exactly one building.
Exam Trap
"A resource group must be in the same region as its resources" — False. The resource group has a region for its own metadata, but resources inside it can be in any region. The group's region is irrelevant to the resources it contains.
Exam Trap
"You can nest resource groups" — False. Resource groups cannot contain other resource groups. Only management groups can be nested (up to 6 levels).
Exam Trap
"A subscription can belong to multiple management groups" — False. A subscription can only be in one management group at a time.
Exam Trap
"Sovereign regions have all Azure services" — False. Sovereign regions (Azure Government, Azure China 21Vianet) often have a limited subset of services compared to global Azure.
Must Memorize
Hierarchy top to bottom: Root Management Group → Management Group → Subscription → Resource Group → Resource
Governance flows: Downward (top-down inheritance, automatic)
Nesting allowed: Management Groups only (6 levels) — NOT Resource Groups
Q: What are Availability Zones and what do they protect against?
Q: What is the difference between a region pair and availability zones?
Q: Can a resource group contain resources from multiple regions?
Q: What is the Azure management hierarchy from broadest to narrowest scope?
Q: What happens when you delete a resource group?
Q: What are Azure Sovereign Regions? Give two examples.