AZ-900 Learning Portal
Objective 2.2 · 35 min · high priority · Tags: virtual-machines, containers, kubernetes, azure-functions, vnet, expressroute, vpn-gateway, private-endpoints

2.2 — Describe Azure compute and networking services

Azure offers compute choices spanning IaaS VMs through PaaS App Service to serverless Functions, and networking options from VNets and VNet peering to VPN Gateway and ExpressRoute for on-premises connectivity.

Concept — What & Why

Azure Compute Services

Azure offers several compute models. Choosing the right one depends on how much control you need over the underlying infrastructure.

Service | Control level | Best for
--- | --- | ---
Virtual Machines (IaaS) | Full OS control | Lift-and-shift, custom software
VM Scale Sets | Full OS control, auto-scale | Large-scale, elastic workloads
Azure Virtual Desktop | Desktop OS control | Remote desktops, VDI
App Service (PaaS) | Code + config only | Web apps, APIs, mobile backends
Azure Container Instances | Container runtime | Simple, isolated containers
Azure Kubernetes Service (AKS) | Orchestrated containers | Complex microservices
Azure Functions (serverless) | Code only | Event-driven, short-duration tasks

Virtual Machines (VMs) are the most flexible compute option — you control the OS, software, and configuration, at the cost of managing OS updates, patching, and security yourself. They are the best fit for lift-and-shift migrations and workloads that need custom OS-level configuration. For elastic workloads, VM Scale Sets automatically create and manage a group of identical, load-balanced VMs: they scale out (add VMs) or scale in (remove VMs) based on demand or a schedule, and the VMs can be distributed across availability zones for built-in high availability.

Availability Sets are an older HA mechanism for VMs within a single datacenter. They use:

  • Fault domains — groups of VMs sharing a common power source and network switch (up to 3).
  • Update domains — groups of VMs that can be rebooted together during maintenance (Azure ensures not all update domains reboot simultaneously).
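The fault-domain and update-domain split above is easiest to reason about with a small placement model. The following is an added example, not part of the original page and not Azure's own placement code; it assumes (as a simplification) that VMs are assigned round-robin to fault domains and update domains, and it uses Azure's platform limits of at most 3 fault domains and 20 update domains. It then computes how many VMs keep running in the worst single-rack failure or single-domain maintenance reboot, which is the property Availability Sets exist to guarantee.

```python
from collections import Counter

# Azure platform limits for an Availability Set (facts, not assumptions):
MAX_FAULT_DOMAINS = 3     # racks: shared power source and network switch
MAX_UPDATE_DOMAINS = 20   # groups that may be rebooted together during maintenance


def place_vms(n_vms: int, fault_domains: int = 3, update_domains: int = 5) -> list[dict]:
    """Assign each VM a fault domain (FD) and update domain (UD).

    Simplified model (assumption): VM i lands in FD i % F and UD i % U, which
    is the round-robin spread Azure's documentation illustrates. Defaults of
    3 FDs / 5 UDs mirror the portal defaults for a new Availability Set.
    """
    if not 1 <= fault_domains <= MAX_FAULT_DOMAINS:
        raise ValueError(f"fault domains must be 1..{MAX_FAULT_DOMAINS}")
    if not 1 <= update_domains <= MAX_UPDATE_DOMAINS:
        raise ValueError(f"update domains must be 1..{MAX_UPDATE_DOMAINS}")
    return [{"vm": i, "fd": i % fault_domains, "ud": i % update_domains}
            for i in range(n_vms)]


def worst_case_survivors(placement: list[dict], domain: str) -> int:
    """VMs still running after the worst single-domain event.

    domain="fd": one rack loses power or its switch fails.
    domain="ud": one update domain is rebooted for planned maintenance
                 (Azure never reboots more than one UD at a time).
    """
    if not placement:
        return 0
    counts = Counter(p[domain] for p in placement)
    return len(placement) - max(counts.values())


def is_single_domain_resilient(placement: list[dict]) -> bool:
    """True if at least one VM survives any single FD failure or UD reboot."""
    return (worst_case_survivors(placement, "fd") >= 1
            and worst_case_survivors(placement, "ud") >= 1)


if __name__ == "__main__":
    # Constructed sample: five web-tier VMs in a default 3 FD / 5 UD set.
    web_tier = place_vms(5)
    for p in web_tier:
        print(f"vm{p['vm']}: FD{p['fd']} UD{p['ud']}")
    print("survive rack failure:", worst_case_survivors(web_tier, "fd"))
    print("survive UD reboot:   ", worst_case_survivors(web_tier, "ud"))
    print("single VM resilient? ", is_single_domain_resilient(place_vms(1)))
```

The single-VM case is the one worth noticing: an Availability Set with one member offers no protection at all, because that VM occupies the only populated domain. Two or more VMs are needed before a rack failure or maintenance reboot leaves anything running, and, as the exam trap later on this page stresses, even then the protection is confined to one datacenter.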

Azure Virtual Desktop (AVD) is a cloud-hosted desktop and app virtualization service that enables remote work scenarios where desktops and apps are streamed from Azure rather than run locally. Key benefits: multi-session Windows 10/11, the ability to use your own licenses (Windows Enterprise), and desktops that are accessible from anywhere.


Containers vs. VMs

Containers package an app and its dependencies but share the host OS kernel — they do not virtualize hardware. They start in seconds and are much smaller than VMs. For simple, isolated tasks and dev/test scenarios, Azure Container Instances (ACI) is the fastest path: the simplest way to run a container in Azure without managing VMs or orchestrators. For complex microservices at scale, Azure Kubernetes Service (AKS) provides managed Kubernetes orchestration of many containers with automatic bin-packing, self-healing, and rolling updates. For event-driven workloads with no infrastructure to manage, Azure Functions runs event-triggered code without provisioning or managing servers and bills only for actual execution time. Triggers include HTTP requests, timers, queue messages, and blob storage events. Functions are stateless by default; Durable Functions add stateful workflows.


Azure Networking Services

An Azure Virtual Network (VNet) is the fundamental building block for private networking in Azure: it enables Azure resources to communicate securely with each other, the internet, and on-premises networks. A VNet is scoped to a single region and divided into subnets. To connect two VNets so their resources communicate as if on the same network, you use VNet Peering, either within a region (VNet peering) or across regions (global VNet peering). Peering is non-transitive by default: A-B and B-C peering does NOT give A access to C. For DNS hosting, Azure DNS hosts DNS domains on Azure infrastructure and supports both public DNS zones (internet-facing) and private DNS zones (within VNets), but it is NOT a domain registrar — you register domains elsewhere and then delegate them to Azure DNS.

Subnets are IP address subdivisions within a VNet. Azure reserves 5 IP addresses per subnet (first 4 and last 1). Network Security Groups (NSGs) are typically applied at the subnet level to filter traffic.
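The "5 reserved addresses per subnet" rule is where real address-planning mistakes happen, so here is an added worked example (not code from the original page or from Microsoft) that computes exactly which addresses Azure reserves and how many hosts remain. It goes a little beyond the sentence above by also validating a whole VNet layout: every subnet must sit inside the VNet address space, subnets must not overlap, and /29 is the smallest subnet Azure accepts (8 addresses, 3 usable). The sample VNet and subnet ranges are constructed for the example.

```python
import ipaddress

# Azure reserves five addresses in every subnet (fact, not an assumption):
#   first four = network address, default gateway, two Azure DNS mappings
#   last one   = broadcast address
AZURE_RESERVED_PER_SUBNET = 5
# Smallest subnet Azure allows is /29.
AZURE_MIN_PREFIX_LENGTH = 29


def reserved_addresses(subnet: str) -> list[str]:
    """Return the five addresses Azure reserves in `subnet` (CIDR string)."""
    net = ipaddress.ip_network(subnet, strict=True)
    first = int(net.network_address)
    head = [str(ipaddress.ip_address(first + i)) for i in range(4)]
    return head + [str(net.broadcast_address)]


def usable_addresses(subnet: str) -> int:
    """Hosts you can actually assign in `subnet` after Azure's reservations."""
    net = ipaddress.ip_network(subnet, strict=True)
    if net.prefixlen > AZURE_MIN_PREFIX_LENGTH:
        raise ValueError(f"{subnet}: Azure subnets must be /{AZURE_MIN_PREFIX_LENGTH} or larger")
    return net.num_addresses - AZURE_RESERVED_PER_SUBNET


def plan_subnets(vnet_cidr: str, subnet_cidrs: list[str]) -> dict[str, int]:
    """Validate a VNet layout and return usable host counts per subnet.

    Raises ValueError if a subnet lies outside the VNet address space,
    overlaps another subnet, or is smaller than Azure permits.
    """
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    nets = [ipaddress.ip_network(s, strict=True) for s in subnet_cidrs]
    for n in nets:
        if not n.subnet_of(vnet):
            raise ValueError(f"{n} is outside VNet address space {vnet}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"subnets {a} and {b} overlap")
    return {str(n): usable_addresses(str(n)) for n in nets}


if __name__ == "__main__":
    # Constructed sample layout: a /16 VNet with web, app and a tiny mgmt subnet.
    print(reserved_addresses("10.0.1.0/24"))
    print(plan_subnets("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/26", "10.0.3.0/29"]))
```

Two practical consequences fall out of the numbers: a /24 gives 251 hosts rather than the 254 you would get on-premises, and a /29 leaves only 3, which is why tiny subnets for gateways or appliances tend to be sized /27 or larger in practice.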


Connecting to On-Premises Networks

For encrypted connectivity over the public internet, Azure VPN Gateway sends traffic between a VNet and an on-premises network through IPsec/IKE tunnels. Connection types: Site-to-Site (S2S, for offices), Point-to-Site (P2S, for remote workers), and VNet-to-VNet (connecting Azure VNets). For a private, dedicated circuit that never touches the public internet, Azure ExpressRoute connects on-premises networks to Azure through a connectivity provider and delivers higher reliability, faster speeds, consistent latency, and higher security than VPN Gateway.

Feature | VPN Gateway | ExpressRoute
--- | --- | ---
Transport | Public internet (encrypted) | Private dedicated circuit
Max speed | Up to ~10 Gbps | Up to 100 Gbps
Latency | Variable | Predictable, consistent
Cost | Lower | Higher
Setup time | Hours | Weeks (provider provisioning)

Public and Private Endpoints

For maximum security, use Private endpoints to connect to a specific Azure service instance via a private IP address from your VNet. Traffic stays within the Microsoft network and never traverses the public internet; the capability is powered by Azure Private Link, and the service's public endpoint can be disabled entirely. Service endpoints extend your VNet identity to Azure services over the Microsoft backbone, but the service still has a public endpoint (access is restricted to your VNet). Private endpoints are more secure because they remove the service from public internet exposure entirely.


Deep Dive — How It Works

Compute Options — Detailed Comparison

Dimension | VMs | VM Scale Sets | App Service | ACI | AKS | Azure Functions
--- | --- | --- | --- | --- | --- | ---
Control level | Full OS | Full OS | Code + config | Container only | Workload-level | Code only
Auto-scale | Manual or VMSS | Yes (automatic) | Yes | No | Yes (pods) | Yes (consumption plan)
Billing model | Per VM/hour | Per VM/hour | Per plan | Per second | Per node | Per execution
Best for | Lift-and-shift | Stateless web tiers | Web apps / APIs | Simple containers | Microservices | Event-driven functions
Service type | IaaS | IaaS | PaaS | PaaS | PaaS | PaaS/Serverless

VPN Gateway vs. ExpressRoute — Decision Framework

Scenario | Choose VPN Gateway | Choose ExpressRoute
--- | --- | ---
Budget-conscious | Yes | No (higher cost)
Needs private circuit | No | Yes
Setup within hours | Yes | No (weeks)
Bandwidth > 10 Gbps | No | Yes (up to 100 Gbps)
Consistent latency required | No | Yes
Remote workers (P2S) | Yes | No

Private Endpoint vs. Service Endpoint

Attribute | Private Endpoint | Service Endpoint
--- | --- | ---
IP type | Private IP from VNet | Uses VNet identity
Public endpoint | Can be disabled | Still exists
Traffic path | Stays on Microsoft backbone | Microsoft backbone
Resource scope | Specific resource instance | Service-wide
Security level | Higher | Good
Powered by | Azure Private Link | VNet service endpoints

VNet Peering — Transitivity Rule

VNet peering is non-transitive by default:

A ↔ B  (peered)
B ↔ C  (peered)
A ✗ C  (NOT automatically connected)

To enable A-to-C connectivity: either peer A directly with C, or route through a hub VNet appliance (hub-and-spoke topology).
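The transitivity rule is simple to state but easy to get wrong when a topology has more than three VNets, so here is an added example (not from the original page, and not Azure's routing logic) that models it: peerings are edges, a direct peering always connects two VNets, and an intermediate VNet only carries traffic onward when it is declared a forwarding hub, representing the hub-and-spoke case where a network virtual appliance in the hub forwards between spokes. The VNet names A, B, C and the peering list are constructed to match the diagram above.

```python
from itertools import combinations

# Constructed topology from the diagram: A-B and B-C peered, A-C not peered.
PEERINGS = [("A", "B"), ("B", "C")]


def build_adjacency(peerings):
    """Undirected map VNet -> set of directly peered VNets."""
    adj = {}
    for x, y in peerings:
        adj.setdefault(x, set()).add(y)
        adj.setdefault(y, set()).add(x)
    return adj


def can_reach(src, dst, peerings, forwarding_hubs=frozenset()):
    """Simplified reachability model (assumption, not Azure's data plane).

    - A direct peering between src and dst always works.
    - Peering is non-transitive: traffic is never relayed through an
      intermediate VNet merely because it is peered with both sides.
    - The one exception is a VNet in `forwarding_hubs`: it represents a hub
      whose appliance forwards traffic for its spokes, so paths may continue
      through it (and through further hubs).
    """
    if src == dst:
        return True
    adj = build_adjacency(peerings)
    seen, frontier = {src}, [src]
    while frontier:
        nxt = []
        for vnet in frontier:
            for neighbour in adj.get(vnet, ()):
                if neighbour == dst:
                    return True          # direct peer of src, or of a forwarding hub
                if neighbour in forwarding_hubs and neighbour not in seen:
                    seen.add(neighbour)  # only hubs relay traffic onward
                    nxt.append(neighbour)
        frontier = nxt
    return False


def unreachable_pairs(peerings, forwarding_hubs=frozenset()):
    """All VNet pairs that cannot talk under the model; empty means full mesh."""
    vnets = sorted({v for pair in peerings for v in pair})
    return [(a, b) for a, b in combinations(vnets, 2)
            if not can_reach(a, b, peerings, forwarding_hubs)]


if __name__ == "__main__":
    print("A -> C, plain peering:     ", can_reach("A", "C", PEERINGS))
    print("A -> C, B as forwarding hub:", can_reach("A", "C", PEERINGS, {"B"}))
    print("unreachable pairs:", unreachable_pairs(PEERINGS))
```

Marking B as a hub in the model corresponds, in Azure, to deploying a network virtual appliance in B, adding user-defined routes in A and C that send the other spoke's prefix to that appliance, and enabling forwarded traffic on the peerings; without those pieces the answer stays "unreachable", exactly as the exam trap below states.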


Hands-On Lab

Explore Compute and Networking in the Azure Portal

Step 1 — View VM Scale Set configuration

  1. Sign in to portal.azure.com.
  2. Search for Virtual Machine Scale Sets and open the service.
  3. Select + Create — observe the Scaling tab where you configure auto-scale rules.
  4. Note the Availability zone options — VMs can be distributed across zones for HA.
  5. Cancel without creating.

Step 2 — Create a Virtual Network (or browse one)

  1. Navigate to Virtual networks.
  2. Select an existing VNet (or create one) and open it.
  3. Click Subnets — observe subnet address ranges and any NSG associations.
  4. Click Peerings — see where VNet peering connections would be listed.

Step 3 — Explore VPN Gateway vs. ExpressRoute

  1. Search for VPN gateways — note the GatewaySubnet requirement visible during creation.
  2. Search for ExpressRoute circuits — observe the provider and peering location dropdowns.
  3. Compare the Availability options — ExpressRoute shows provider-based setup; VPN Gateway shows policy vs. route-based options.

Step 4 — View Private Endpoints

  1. Search for Private endpoints in the portal.
  2. Select + Create and browse the resource types available (Storage, SQL, Key Vault, etc.).
  3. Observe that a private endpoint creates a network interface with a private IP inside your VNet.
  4. Cancel without creating.

Exam Angle — What AZ-900 Tests

AZ-900 Exam Focus

Exam Trap

"VNet peering is transitive" — False. VNet peering is non-transitive by default. A peering B, and B peering C, does NOT give A access to C without additional configuration. This is a high-frequency AZ-900 trap.

Exam Trap

"ExpressRoute traffic goes over the internet" — False. ExpressRoute uses a private, dedicated connection through a connectivity provider — never the public internet. This is the primary differentiator from VPN Gateway.

Exam Trap

"Availability Sets protect against datacenter failure" — False. Availability Sets protect against rack-level failures within a single datacenter. For datacenter-level failure protection, use Availability Zones.

Exam Trap

"A VNet can span multiple Azure regions" — False. A VNet is scoped to a single region. Use VNet peering (including global VNet peering) to connect VNets across regions.

Exam Trap

"Azure DNS can register domain names" — False. Azure DNS hosts DNS zones but is not a domain registrar. You register domains with a third-party registrar and then delegate to Azure DNS.

Exam Tip

ExpressRoute = private, no internet. Whenever an exam question mentions "private connection," "dedicated circuit," "not over the public internet," or "high bandwidth," the answer is ExpressRoute — not VPN Gateway.

Must Memorize

VPN Gateway: public internet · encrypted · Site-to-Site / Point-to-Site / VNet-to-VNet
ExpressRoute: private circuit · connectivity provider · up to 100 Gbps · no public internet


Review Questions

Q: What is the key difference between VPN Gateway and ExpressRoute?

Q: Is VNet peering transitive? What does that mean?

Q: What is the difference between a private endpoint and a service endpoint?

Q: What are Availability Sets and what do they protect against?

Q: What type of Azure compute is best for a short event-triggered task billed only per execution?

Q: What does Azure DNS host, and what is it NOT able to do?


Sources & Further Reading