You plan to migrate a web application to Azure. The web application is accessed by external users.
You need to recommend a cloud deployment solution to minimize the amount of administrative effort used to manage the web application.
What should you include in the recommendation?
SaaS provides a complete, ready-to-use application managed by the provider (for example, Microsoft 365). It minimizes administration the most, but you typically cannot deploy your own custom web application code as-is; you would be adopting a vendor’s application instead of hosting yours. For a migration of an existing custom web app, SaaS is usually not the correct fit unless you are replacing the app entirely.
PaaS is the best fit for migrating and hosting your own web application while minimizing administrative effort. Services like Azure App Service let you deploy code without managing servers, OS patching, or much of the runtime maintenance. You still control the application and configuration, but Microsoft manages the underlying platform, enabling easier scaling, high availability options, and integrated monitoring and security features.
IaaS (virtual machines) gives you the most control and is common for lift-and-shift migrations, but it requires the most administration. You are responsible for the OS, patching, web server/runtime configuration, scaling setup, backups, and ongoing maintenance. Because the requirement is to minimize administrative effort, IaaS is generally the least suitable option among the main service models.
DaaS (Database as a Service) refers to managed database offerings (for example, Azure SQL Database, Azure Cosmos DB) where the provider manages database infrastructure and many maintenance tasks. While DaaS can reduce database administration, it does not address hosting the web application itself. You would still need a compute/hosting model (PaaS or IaaS) for the web tier.
問題分析
Core concept: This question tests the cloud service models (IaaS, PaaS, SaaS) and how they affect operational responsibility. In AZ-900, “minimize administrative effort” typically means choosing the model where the cloud provider manages the most of the underlying platform while still allowing you to deploy your own application.
Why the answer is correct: Platform as a Service (PaaS) is designed for hosting applications without managing servers, operating systems, or much of the runtime patching. For a web application accessed by external users, a PaaS offering such as Azure App Service (Web Apps) is a common recommendation. With App Service, Microsoft manages the infrastructure, OS updates, many platform patches, and provides built-in capabilities (scaling, SSL binding, deployment slots), which significantly reduces administrative overhead compared to running VMs.
Key features and best practices: PaaS web hosting in Azure typically includes automated patching of the underlying OS, built-in load balancing, autoscale, monitoring integration (Azure Monitor/Application Insights), and simplified CI/CD integration (GitHub Actions/Azure DevOps). From an Azure Well-Architected Framework perspective, PaaS improves Operational Excellence (less toil, standardized deployments), Reliability (managed platform with HA options), and Security (managed patching, integration with Entra ID, managed certificates, private endpoints where applicable).
Common misconceptions: SaaS can sound like the lowest admin effort, but SaaS means you consume a complete application provided by a vendor (e.g., Microsoft 365, Dynamics 365). In this scenario you are migrating “a web application” you own, so you need a hosting platform rather than replacing it with a vendor’s finished product. IaaS (VMs) is often chosen for lift-and-shift, but it requires the most administration (OS patching, web server configuration, scaling, backups). “DaaS” is not the right model for hosting a web app; it refers to managed database services.
Exam tips: When the question says “minimize administrative effort” for hosting your own app, think PaaS. When it says “no code/consume a complete application,” think SaaS. When it says “maximum control/custom OS,” think IaaS. Also watch for wording like “web app hosting” which strongly maps to Azure App Service (PaaS).
This question requires that you evaluate the underlined text to determine if it is correct.
Resource groups provide organizations with the ability to manage the compliance of Azure resources across multiple subscriptions.
Instructions: Review the underlined text. If it makes the statement correct, select No change is needed. If the statement is incorrect, select the answer choice that makes the statement correct.
No change is needed is incorrect because resource groups do not provide compliance management across multiple subscriptions. A resource group is scoped to a single subscription and is mainly for organizing resources, applying RBAC at that scope, and managing lifecycle operations like deployment and deletion. While you can tag and control access at the resource-group level, that is not the same as defining and enforcing compliance rules. Cross-subscription compliance requires a governance service such as Azure Policy applied at an appropriate scope.
Management groups are used to organize subscriptions into a hierarchy and provide a scope for applying governance controls like Azure Policy and RBAC across multiple subscriptions. However, management groups themselves do not define or enforce compliance rules; they are a container/scope. To actually manage compliance, you must assign Azure Policy (or initiatives) at the management group scope. Therefore, replacing the text with “Management groups” would be incomplete and technically inaccurate for compliance enforcement.
Azure Policy is the Azure governance service used to create, assign, and manage policies that enforce or audit resource configurations for compliance. Policies can be assigned at broad scopes (management group or subscription) to cover multiple subscriptions and their resources consistently. It provides compliance reporting and can prevent non-compliant deployments using effects like Deny, or remediate using Modify/DeployIfNotExists. This directly matches the requirement to manage compliance across Azure resources spanning multiple subscriptions.
Azure App Service plans are a compute and pricing construct for hosting web apps, APIs, and functions, defining region, SKU, and scaling characteristics. They have nothing to do with governance, compliance evaluation, or enforcing configuration standards across resources or subscriptions. App Service plans apply only to App Service workloads and do not provide policy-based compliance controls. The scenario is about compliance management, which is addressed by Azure Policy, not hosting plans.
問題分析
Core concept:
This question tests your understanding of Azure governance and compliance tooling—specifically which Azure construct is used to manage and enforce compliance across resources and potentially across multiple subscriptions.
Why the answer is correct:
Resource groups are primarily a logical container for organizing and managing Azure resources (lifecycle, RBAC scoping, tagging) within a single subscription. They do not, by themselves, provide compliance enforcement across multiple subscriptions. Azure Policy is the governance service designed to define rules (policy definitions) and enforce/assess compliance (policy assignments) across scopes including management groups, subscriptions, and resource groups. Therefore, replacing “Resource groups” with “Azure policies” makes the statement correct.
Key features / configurations:
- Azure Policy definitions: JSON rules that describe allowed/denied configurations (e.g., allowed locations, required tags, allowed SKUs).
- Policy assignments and scope: Assign policies at management group, subscription, resource group, or resource level to evaluate/enforce compliance.
- Effects: Deny, Audit, Append, Modify, DeployIfNotExists (enforcement vs. reporting vs. remediation).
- Initiatives (policy sets): Group multiple policies to manage compliance frameworks at scale.
- Compliance reporting and remediation tasks: View compliance state and remediate non-compliant resources (often with managed identity for Modify/DeployIfNotExists).
Common misconceptions:
- Confusing resource groups (organization/lifecycle boundary) with governance/compliance enforcement (Azure Policy).
- Assuming management groups “provide compliance” directly; they provide hierarchy and scope for applying governance tools, but the compliance rules come from Azure Policy.
- Mixing up Azure Policy with RBAC: RBAC controls who can do what; Policy controls what configurations are allowed.
Exam tips:
- Azure Policy = enforce/assess configuration compliance (Deny/Audit/Modify/DeployIfNotExists).
- Management groups = organize subscriptions and provide a scope to apply Policy/RBAC across many subscriptions.
- Resource groups = organize resources within a subscription; useful for RBAC scoping and lifecycle management, not cross-subscription compliance.
- If the question says “compliance,” think Azure Policy (and sometimes Blueprints/Defender for Cloud), not resource groups.
3
問題 3
In which Azure support plans can you open a new support request?
Incorrect. Premier and Professional Direct do allow support requests, but they are not the only plans that do so. Developer and Standard also include technical support request capability, so this option is too narrow. It reflects a misunderstanding that only the highest enterprise tiers can open cases. Azure support request access begins at Developer, not only at the top tiers.
Incorrect. This option includes Standard, Professional Direct, and Premier, but it omits Developer. Developer is a paid Azure support plan that includes the ability to submit technical support requests, although with slower response targets than higher tiers. Because Developer is missing, this option is incomplete. The exam expects you to know that all paid plans from Developer upward support case creation.
Correct. Developer, Standard, Professional Direct, and Premier are the Azure support plans that allow customers to open support requests for technical issues. These are the paid support tiers, and they differ mainly in response times, advisory features, and the scope of support provided. Basic does not include technical support, which is why it must be excluded from the correct option. On AZ-900, when asked which support plans let you open a support request, the expected answer is the set of paid plans beginning with Developer.
Incorrect. This option wrongly includes Basic. Basic provides access to documentation, community resources, and billing/subscription support, but it does not include Azure technical support request capability in the support-plan comparison typically tested on AZ-900. Therefore, including Basic makes the option too broad. The correct boundary is that technical support starts with Developer, not Basic.
問題分析
Core concept: This question tests knowledge of Azure support plans and which plans allow you to create a support request for Azure services. In AZ-900, Microsoft distinguishes the free Basic plan from paid support plans that include the ability to submit technical support requests. The correct answer is the option that includes Developer, Standard, Professional Direct, and Premier, but excludes Basic. A common misconception is to assume Basic qualifies because billing and subscription help exists, but exam questions about Azure support plans typically refer to technical support request capability. Exam tip: remember the progression Basic < Developer < Standard < Professional Direct < Premier, and that technical support starts at Developer, not Basic.
4
問題 4
HOTSPOT -
You need to identify which blades in the Azure portal must be used to perform the following tasks:
✑ View security recommendations.
✑ Monitor the health of Azure services.
✑ Browse available virtual machine images.
Which blade should you identify for each task? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
パート1:
Monitor the health of Azure services:
Correct: A (Monitor). Monitoring the health of Azure services is done through the Azure Monitor blade, which includes Service Health capabilities. Azure Service Health provides visibility into service issues, planned maintenance, and health advisories that may affect your subscriptions and regions. This is an operational monitoring function (observe, detect, respond), which is exactly what Azure Monitor is designed for.
Why the others are wrong:
- B (Subscriptions) is for subscription-level administration (access control, policies, cost management entry points), not for tracking platform incidents.
- C (Marketplace) is for discovering and deploying solutions/images, not for health monitoring.
- D (Advisor) provides recommendations (including reliability guidance), but it does not serve as the primary blade for real-time service health status and incident tracking.
パート2:
Browse available virtual machine images:
Correct: C (Marketplace). Browsing available virtual machine images is done via Azure Marketplace. Marketplace is the catalog of Microsoft and partner offerings, including VM images (for example, Windows Server, Ubuntu, Red Hat, and many third-party appliances). When you create a VM, the image selection experience is backed by Marketplace listings.
Why the others are wrong:
- A (Monitor) is for metrics, logs, alerts, and service health—not for selecting deployable images.
- B (Subscriptions) manages subscription scope and settings; it doesn’t provide an image catalog.
- D (Advisor) provides optimization and best-practice recommendations (cost, security, reliability, performance, operational excellence), not a browsing experience for VM images.
パート3:
View security recommendations:
Correct: D (Advisor). Viewing security recommendations is a core capability of Azure Advisor, which provides guidance across multiple categories, including Security. Advisor recommendations help improve your security posture (for example, enabling MFA, applying NSG rules appropriately, or improving resource configurations). This aligns with Azure Well-Architected Framework guidance by identifying actionable improvements.
Why the others are wrong:
- A (Monitor) focuses on telemetry and health/alerts, not prescriptive security recommendations.
- B (Subscriptions) is administrative scope management and doesn’t generate security recommendations.
- C (Marketplace) is a catalog for solutions and images; it does not analyze your deployed resources to produce security recommendations.
Note: In broader Azure, Microsoft Defender for Cloud is also a major source of security posture recommendations, but among the provided options, Advisor is the correct blade.
5
問題 5
DRAG DROP -
Match the Azure service to the correct definition.
Instructions: To answer, drag the appropriate Azure service from the column on the left to its description on the right. Each service may be used once, more than once, or not at all.
NOTE: Each correct selection is worth one point.
Select and Place:
パート1:
Provides the platform for serverless code
Correct: B. Azure Functions. Azure Functions is Azure’s serverless compute offering for running code in response to triggers (HTTP requests, timers, queue messages, Event Grid events, etc.). You don’t provision or manage servers; scaling is handled by the platform, and pricing is typically consumption-based (pay per execution and resources used), which is a key serverless characteristic.
Why others are wrong:
A. Azure Databricks is a big data analytics and ML platform built on Apache Spark, not a general serverless code runtime.
C. Azure App Service is a PaaS for hosting web apps/APIs with managed infrastructure, but it’s not the primary “serverless code” platform.
D. Azure Application Insights is for monitoring/telemetry and diagnostics, not for executing code.
パート2:
A big data analysis service for machine learning
Correct: A. Azure Databricks. Azure Databricks is a managed analytics platform optimized for Apache Spark, commonly used for big data processing, data engineering, and machine learning at scale. It integrates with Azure storage services (like ADLS Gen2) and supports collaborative notebooks, ML libraries, and scalable clusters—making it a strong match for “big data analysis service for machine learning.”
Why others are wrong:
B. Azure Functions is for event-driven serverless compute, not a big data analytics engine.
C. Azure App Service hosts web applications and APIs; it’s not designed for distributed big data processing.
D. Azure Application Insights provides application monitoring and diagnostics, not analytics/ML processing.
パート3:
Detects and diagnoses anomalies in web apps
Correct: D. Azure Application Insights. Application Insights is an APM feature within Azure Monitor that collects telemetry from applications (requests, dependencies, exceptions, performance counters, traces) and helps detect, investigate, and diagnose issues. It supports features like smart detection (automatic anomaly detection), application maps, distributed tracing, and end-to-end transaction diagnostics—directly matching “detects and diagnoses anomalies in web apps.”
Why others are wrong:
A. Azure Databricks focuses on data analytics and ML, not web app anomaly detection.
B. Azure Functions runs serverless code; it can emit logs/telemetry but doesn’t provide the anomaly detection/diagnostics platform itself.
C. Azure App Service hosts web apps, but monitoring/anomaly detection is provided by tools like Application Insights rather than App Service alone.
パート4:
Hosts web apps
Correct: C. Azure App Service. Azure App Service is a fully managed PaaS for hosting web apps, REST APIs, and mobile back ends. It provides built-in capabilities such as deployment slots, autoscaling, custom domains, TLS/SSL, authentication/authorization integration, and support for multiple runtimes (e.g., .NET, Java, Node.js, Python). This aligns precisely with “hosts web apps.”
Why others are wrong:
A. Azure Databricks is an analytics/ML platform, not a web hosting service.
B. Azure Functions can expose HTTP-triggered endpoints, but it’s primarily serverless functions rather than a general web app hosting platform.
D. Azure Application Insights monitors applications; it does not host them.
6
問題 6
Your company plans to deploy several custom applications to Azure. The applications will provide invoicing services to the customers of the company. Each application will have several prerequisite applications and services installed.
You need to recommend a cloud deployment solution for all the applications.
What should you recommend?
SaaS is a complete, vendor-managed application delivered over the internet (e.g., Microsoft 365). You do not deploy your own custom applications into a SaaS offering; you simply configure and use it. Because the requirement is to deploy several custom invoicing applications with prerequisites, SaaS does not fit the scenario. SaaS minimizes management but also provides the least control over the underlying platform and software stack.
PaaS provides a managed application platform (e.g., Azure App Service) where you deploy code while Azure manages the OS and much of the runtime. PaaS is ideal when your app fits supported frameworks and you don’t need to install custom OS-level prerequisites. The question emphasizes multiple prerequisite applications and services installed, which often requires OS access and custom installers, making PaaS less appropriate for this requirement.
IaaS (e.g., Azure Virtual Machines) is best when you must install and manage prerequisite applications and services, control the OS, and customize the full software stack. This matches the scenario of deploying custom invoicing applications with several dependencies. With IaaS, you can standardize deployments using custom images and automation, and you retain flexibility for legacy components or specialized middleware that may not be supported in PaaS.
問題分析
Core concept: This question tests the cloud service models (SaaS, PaaS, IaaS) and when to choose each based on responsibility boundaries and deployment requirements.
Why the answer is correct: The scenario describes deploying several custom applications, and each application has multiple prerequisite applications and services that must be installed. That requirement strongly indicates you need maximum control over the operating system, runtime, middleware, and the ability to install and manage dependencies exactly as required. Infrastructure as a Service (IaaS) (for example, Azure Virtual Machines) provides that flexibility: you provision compute, storage, and networking, then you install and configure the OS, application stack, and prerequisites. This aligns with “lift-and-shift” or “custom stack” deployments where the platform must match specific dependency versions or where installers and services must run with OS-level access.
Key features and best practices: In Azure IaaS, you can use VM images (Marketplace, custom images, or Azure Compute Gallery) to standardize builds, and automation tools such as ARM/Bicep, Terraform, or VM extensions/Desired State Configuration to install prerequisites consistently. For scale and resiliency, you can use Availability Sets or Virtual Machine Scale Sets and place VMs across Availability Zones where available. From an Azure Well-Architected Framework perspective, IaaS requires more operational excellence (patching, monitoring, backups) but gives you control to meet reliability and security requirements when dependencies are complex.
Common misconceptions: PaaS is often preferred for custom apps because it reduces management overhead, but PaaS typically restricts OS-level customization and may not support arbitrary prerequisite installers/services. SaaS is the least suitable because it is a finished application you consume, not a deployment target for your own custom applications.
Exam tips: When you see “custom applications” plus “several prerequisite applications and services installed,” think IaaS/VMs because it implies OS control and custom dependency installation. Choose PaaS when the app can fit within managed runtimes (App Service, Azure SQL, Functions) without needing OS-level installs. Choose SaaS when you are buying/consuming a complete application (e.g., Microsoft 365, Dynamics 365).
7
問題 7
Which service provides network traffic filtering across multiple Azure subscriptions and virtual networks?
Azure Firewall is a managed, stateful firewall that provides centralized network traffic filtering (L3-L7) for multiple VNets using hub-and-spoke designs, VNet peering, and/or Virtual WAN secured hubs. It supports Firewall Policy to manage rules consistently and can be used across multiple subscriptions by placing it in a shared hub subscription and routing spoke traffic through it.
An application security group (ASG) is not a traffic filtering service by itself. It is a logical grouping of virtual machine NICs used within network security group (NSG) rules to simplify rule management (e.g., “web tier” to “app tier”). ASGs don’t provide centralized inspection across VNets/subscriptions; they only help define sources/destinations in NSG rules.
Azure DDoS Protection helps protect public-facing endpoints in Azure from distributed denial-of-service attacks (volumetric and protocol attacks). It improves availability during attacks and provides telemetry and attack analytics, but it is not designed for general-purpose network traffic filtering or policy enforcement across multiple VNets and subscriptions.
A network security group (NSG) provides stateful L3/L4 filtering for inbound/outbound traffic at the subnet or NIC level within a VNet. While NSGs are fundamental and widely used, they are not a centralized multi-VNet, multi-subscription traffic filtering service. They lack advanced L7 capabilities and centralized inspection patterns that Azure Firewall provides.
問題分析
Core Concept:
This question tests understanding of Azure network security controls and which service can centrally filter and control network traffic at scale across multiple virtual networks (VNets) and even multiple subscriptions.
Why the Answer is Correct:
Azure Firewall is a managed, stateful network security service designed for centralized traffic filtering. It can be deployed into a hub virtual network and used to control traffic for many spoke VNets (hub-and-spoke topology) connected via VNet peering, and it can be shared across multiple subscriptions using Azure Firewall policies and Azure Virtual WAN secured hub (or by placing the firewall in a shared services subscription). This makes it the best fit for “across multiple Azure subscriptions and virtual networks.”
Key Features / Best Practices:
Azure Firewall provides stateful L3-L7 filtering, application (FQDN) rules, network rules, DNAT, and threat intelligence-based filtering. It integrates with Azure Monitor for logging and analytics. For enterprise-scale designs aligned to the Azure Well-Architected Framework (Security and Reliability pillars), a common pattern is central inspection in a hub VNet with forced tunneling/UDRs from spokes to the firewall, plus Firewall Policy for consistent rule management across environments and subscriptions.
Common Misconceptions:
NSGs and ASGs are often confused with Azure Firewall. NSGs filter traffic at the subnet/NIC level within a single VNet scope (though they can be created in different subscriptions, they are not a centralized multi-VNet filtering service). ASGs are only a way to group NICs for NSG rules; they are not a standalone filtering service. Azure DDoS Protection focuses on volumetric attack mitigation, not general traffic filtering.
Exam Tips:
When you see “centralized,” “across multiple VNets,” “hub-and-spoke,” or “shared service across subscriptions,” think Azure Firewall (or sometimes Virtual WAN security). When you see “subnet/NIC rules,” think NSG. When you see “group VMs for NSG rules,” think ASG. When you see “mitigate DDoS attacks,” think Azure DDoS Protection.
8
問題 8
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
パート1:
Azure Firewall will encrypt all the network traffic sent from Azure to the Internet.
Azure Firewall will not automatically encrypt all network traffic sent from Azure to the Internet. Azure Firewall is primarily a managed, stateful firewall used to control and inspect traffic (for example, application and network rules, threat intelligence-based filtering, logging). It can enforce where traffic is allowed to go and can help with governance of outbound connectivity, but it does not transparently encrypt every outbound flow.
Encryption in transit to the Internet is typically achieved by using protocols such as HTTPS/TLS, SSH, or by tunneling traffic through VPN/IPsec or other secure tunnels. Azure Firewall can coexist with these mechanisms (for example, allowing only HTTPS outbound, or forcing traffic through an NVA/VPN), but the firewall itself is not an “encrypt all egress traffic” service.
Therefore, the correct answer is No. Answering Yes would confuse traffic filtering/inspection with cryptographic protection.
パート2:
A network security group (NSG) will encrypt all the network traffic sent from Azure to the Internet.
A Network Security Group (NSG) does not encrypt traffic. NSGs are used to allow or deny inbound and outbound traffic to Azure resources at Layer 3/4 using rules based on source/destination IP, port, and protocol. They are essentially access control lists (ACLs) for Azure VNets and NICs.
Because NSGs only control whether traffic is permitted, they do not provide confidentiality or encryption for the packets that are allowed. If a VM sends HTTP traffic to the Internet and the NSG allows it, the traffic remains unencrypted unless the application uses an encrypted protocol (for example HTTPS) or a tunnel is established.
So the correct answer is No. Selecting Yes would incorrectly attribute encryption capabilities to a service whose purpose is segmentation and traffic filtering, not cryptography.
パート3:
Azure virtual machines that run Windows Server 2016 can encrypt network traffic sent to the Internet.
Azure virtual machines running Windows Server 2016 can encrypt network traffic sent to the Internet, but this is achieved through the OS/application configuration and the protocols used, not because Azure automatically encrypts all outbound traffic. For example, a Windows Server VM can use HTTPS (TLS) for web traffic, establish an IPsec VPN tunnel, use SSH (via installed components), or use other encrypted application protocols.
In exam terms, the key is that a VM is capable of generating encrypted traffic (encryption in transit) when configured appropriately. This is different from NSGs or Azure Firewall, which are primarily traffic control/inspection services.
Therefore, the statement is true (Yes): the VM can encrypt traffic to the Internet by using encryption-enabled protocols and configurations. The nuance is “can,” not “will always.”
9
問題 9
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company plans to migrate all its data and resources to Azure.
The company's migration plan states that only Platform as a Service (PaaS) solutions must be used in Azure.
You need to deploy an Azure environment that meets the company migration plan.
Solution: You create an Azure App Service and Azure SQL databases.
Does this meet the goal?
Yes. Azure App Service is a PaaS service because Microsoft manages the underlying servers, operating systems, and runtime infrastructure while you deploy your application code. Azure SQL Database is also a PaaS service because it provides a managed relational database engine without requiring you to maintain the host machines or SQL Server installation. Since both components in the solution are PaaS offerings, the proposed environment satisfies the company's requirement to use only PaaS solutions.
No is incorrect because the proposed solution does not include any IaaS components. If the solution had used Azure Virtual Machines or SQL Server on Azure VMs, it would have violated the PaaS-only requirement because those require infrastructure management. Here, both App Service and Azure SQL Database are managed platform services, so the goal is met.
問題分析
Core Concept:
This question tests whether you can identify Azure Platform as a Service (PaaS) offerings. The company requires that only PaaS solutions be used in Azure, so the proposed services must both be managed platform services rather than infrastructure you manage yourself.
Why the Answer is Correct:
Azure App Service is a PaaS offering for hosting web apps, APIs, and mobile back ends without managing the underlying virtual machines or operating systems. Azure SQL Database is also a PaaS offering that provides a managed relational database service with Microsoft handling much of the infrastructure, patching, backups, and high availability. Because both services are PaaS, the solution meets the stated goal.
Key Features / What to Know:
- Azure App Service is a fully managed platform for application hosting.
- Azure SQL Database is a managed database platform service, not a SQL Server running on a VM.
- PaaS reduces administrative overhead compared to IaaS because Azure manages the underlying infrastructure.
- The requirement says only PaaS solutions must be used, so services like Azure Virtual Machines would not fit.
Common Misconceptions:
A common mistake is confusing Azure SQL Database with SQL Server installed on Azure Virtual Machines. The former is PaaS, while the latter is IaaS because you manage the VM and OS. Another misconception is thinking any hosted service in Azure is automatically PaaS; exam questions often test whether you can distinguish managed platform services from infrastructure services.
Exam Tips:
- Look for keywords like managed, no OS management, automatic patching, and built-in scaling to identify PaaS.
- App Service, Azure SQL Database, and Functions are common PaaS examples in AZ-900.
- Virtual Machines, virtual networks, and storage accounts are not all PaaS by default, so read each service carefully in context.
10
問題 10
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure environment. You need to create a new Azure virtual machine from a tablet that runs the Android operating system.
Solution: You use PowerShell in Azure Cloud Shell.
Does this meet the goal?
Yes. Azure Cloud Shell provides a hosted PowerShell environment that runs in Azure and is accessed through a web browser, so the local operating system does not need to support native PowerShell installation. An Android tablet can open the Azure portal, launch Cloud Shell, and run Azure PowerShell commands to create a virtual machine. This satisfies the goal because the requirement is to create the VM from the tablet, not to run locally installed administrative tools on the device.
No is incorrect because it assumes that creating the virtual machine requires a locally installed Windows-based PowerShell environment. In reality, Azure Cloud Shell removes that dependency by providing PowerShell as a managed browser session. Since Cloud Shell is accessible from mobile devices, including Android tablets, the operating system of the tablet is not a blocker. The only practical requirements are browser access, connectivity, and sufficient Azure permissions.
問題分析
Core concept: Azure Cloud Shell is a browser-accessible command-line environment hosted by Microsoft that supports both Bash and PowerShell. Why correct: Because Cloud Shell runs in Azure rather than on the local device, an Android tablet can be used to create and manage Azure resources, including virtual machines, through the Azure portal or supported browser. Key features: Cloud Shell provides authenticated access to Azure, includes Azure PowerShell modules and Azure CLI, and does not require local installation of management tools on the tablet. Common misconceptions: Many learners confuse local PowerShell requirements with Cloud Shell capabilities, assuming a mobile device cannot be used because it does not natively run Windows PowerShell. Exam tips: If a question mentions Cloud Shell, focus on the fact that it is browser-based and device-independent, provided the user has internet access and appropriate Azure permissions.
