This chapter provides a deep dive into the three main types of cloud services: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Understanding these service models is critical for the AZ-900 exam, as they form the foundation of how organizations consume cloud resources. This objective area (Cloud Concepts) carries approximately 25-30% of the exam weight, and questions on service types frequently appear. By the end of this chapter, you will be able to differentiate IaaS, PaaS, and SaaS, describe their use cases, and identify which model Azure services like Virtual Machines, App Service, and Microsoft 365 belong to.
Imagine you want to host a pizza party. With On-Premises (On-Prem), you do everything: grow the wheat, raise the cow for cheese, make the sauce, build the oven, and bake the pizza. You own all the ingredients and equipment. Infrastructure as a Service (IaaS) is like ordering a pre-built oven and ingredients delivered to your home. You still have to assemble and bake the pizza yourself. Platform as a Service (PaaS) is like ordering a pizza kit: the dough is pre-made, sauce is ready, cheese is shredded—you just put it together and bake. You don't manage the oven or ingredients. Software as a Service (SaaS) is ordering a fully baked pizza delivered to your door. You just eat. In Azure, IaaS gives you virtual machines, storage, and networking—you manage the OS and apps. PaaS gives you managed services like Azure SQL Database or App Service—you focus on code, not infrastructure. SaaS gives you ready-to-use software like Microsoft 365. The key mechanism: each model shifts responsibility from you to the cloud provider. In IaaS, you manage the 'pizza assembly' (OS, middleware, runtime). In PaaS, the provider manages the runtime and middleware; you manage only your application and data. In SaaS, the provider manages everything except your data and access. This mirrors how Azure's shared responsibility model works: the more managed the service, the less you handle.
What Are Cloud Service Models and Why Do They Matter?
Cloud service models define the level of control, flexibility, and management you have over cloud resources. They are essentially different 'layers' of abstraction. The business problem they solve is: how much do you want to manage yourself versus hand off to the cloud provider? The three models—IaaS, PaaS, SaaS—form a spectrum from maximum control (IaaS) to minimum control (SaaS). For AZ-900, you must know the characteristics, typical use cases, and examples of each model.
Infrastructure as a Service (IaaS)
IaaS provides on-demand access to virtualized computing resources—virtual machines, storage, and networking—over the internet. You provision these resources in Azure and have full control over the operating system, applications, and middleware. The provider manages the physical hardware, hypervisor, and network infrastructure.
How It Works: You create a virtual machine (VM) using an Azure VM image. Azure allocates CPU, memory, and disk from its physical servers. You then install and configure the OS, any runtime (like .NET or Java), and your applications. You are responsible for patching the OS, managing security, and configuring backups. Azure handles hardware failures, network connectivity, and physical security.
Key Components:
- Azure Virtual Machines (VMs): Compute instances with customizable sizes (e.g., B-series, D-series).
- Azure Virtual Network (VNet): Isolated network for VMs.
- Azure Managed Disks: Persistent block storage for VMs.
- Azure Load Balancer: Distributes traffic across VMs.
Pricing Models: Pay-as-you-go (per second for VMs), reserved instances (1 or 3-year terms for discounts), and spot instances (deep discount but can be evicted).
Comparison to On-Premises: On-premises, you buy servers, racks, cooling, and power. You manage everything. With IaaS, you avoid capital expenditure but still have operational overhead for OS and app management.
Azure Portal/CLI Touchpoints:
- Portal: Navigate to 'Virtual Machines' to create and manage VMs.
- CLI example to create a VM:

```bash
# Ubuntu2204 replaces the older UbuntuLTS image alias, which current
# Azure CLI versions no longer accept.
az vm create \
  --resource-group myResourceGroup \
  --name myVM \
  --image Ubuntu2204 \
  --admin-username azureuser \
  --generate-ssh-keys
```

Platform as a Service (PaaS)
PaaS provides a managed platform for developing, running, and managing applications without the complexity of infrastructure. You deploy your code; Azure handles the runtime, middleware, OS, and hardware.
How It Works: You create an Azure App Service (e.g., Web App) and upload your code (e.g., a .NET or Node.js app). Azure automatically provisions the underlying VM(s), installs the required runtime, and scales the app based on demand. You never see or manage the OS. You only manage your application code and configuration.
Key Components:
- Azure App Service: Host web apps, REST APIs, and mobile backends.
- Azure SQL Database: Managed relational database with built-in high availability and backups.
- Azure Functions: Serverless compute for event-driven code.
- Azure Logic Apps: Workflow automation.
Pricing Models: Consumption-based (pay per execution for Functions), tiered (App Service plans: Free, Shared, Basic, Standard, Premium).
Comparison to On-Premises: On-premises, you would need to set up a web server (IIS, Apache), a database server, and manage patches. With PaaS, you skip all that.
Azure Portal/CLI Touchpoints:
- Portal: 'App Services' to create and manage web apps.
- CLI example to create a web app:

```bash
az webapp create \
  --resource-group myResourceGroup \
  --plan myAppServicePlan \
  --name myUniqueAppName \
  --runtime "DOTNET|6.0"
```

Software as a Service (SaaS)
SaaS provides ready-to-use software applications over the internet. You access them via a web browser or client app. The provider manages everything: infrastructure, platform, and application. You only manage your data and user access.
How It Works: You sign up for Microsoft 365, and you get email (Exchange Online), collaboration (Teams), and productivity apps (Word, Excel). Microsoft handles server uptime, security patches, feature updates, and scaling.
Key Components:
- Microsoft 365 (Office 365, Exchange, Teams).
- Dynamics 365 (CRM/ERP).
- Azure DevOps (source control, CI/CD).
- Third-party SaaS like Salesforce or Dropbox running on Azure.
Pricing Models: Subscription-based per user per month (e.g., Microsoft 365 Business Basic at $6/user/month).
Comparison to On-Premises: On-premises, you would install Office on each PC, run your own Exchange server, and manage updates. With SaaS, you just pay and use.
Azure Portal/CLI Touchpoints: SaaS services are typically managed through separate portals (e.g., admin.microsoft.com for Microsoft 365). However, Azure AD is used for identity.
Comparing IaaS, PaaS, and SaaS
| Aspect | IaaS | PaaS | SaaS |
|--------|------|------|------|
| You Manage | OS, middleware, runtime, data, apps | Data, apps | Data, users |
| Provider Manages | VMs, storage, networking, physical hardware | OS, middleware, runtime, VMs, storage, networking | Everything except data and users |
| Example Azure Service | Virtual Machines | App Service, Azure SQL Database | Microsoft 365 |
| Use Case | Lift-and-shift migration, custom infrastructure | Web app development, APIs | Email, collaboration, CRM |
| Flexibility | High | Medium | Low |
| Management Effort | High | Medium | Low |
The exam expects you to match services to models: Virtual Machines -> IaaS, App Service -> PaaS, Microsoft 365 -> SaaS. Also know that some services blur lines: Azure Functions is PaaS (serverless) but can be considered FaaS (Function as a Service). For AZ-900, stick to the three main models.
Shared Responsibility Model
Each service model shifts responsibility. In IaaS, you secure the OS and apps; Azure secures the physical host. In PaaS, Azure secures the runtime and OS; you secure your code and data. In SaaS, Azure secures the application; you secure your data and access. This is a common exam topic: 'Who is responsible for patching the OS?' Answer: For IaaS, you. For PaaS, Azure. For SaaS, Azure.
Identify Business Requirements
Before choosing a service model, determine what your organization needs. Ask: Do we need full control over the OS and middleware? If yes, IaaS is likely. Do we want to focus only on code and data? Then PaaS. Do we want a ready-to-use application? Then SaaS. Also consider compliance, existing skills, and budget. For AZ-900, you won't need to make this decision, but you must understand the trade-offs. For example, a company migrating a legacy on-premises app might choose IaaS to avoid rewriting code. A startup building a new web app might choose PaaS for faster development. A non-profit needing email might choose SaaS.
Choose the Appropriate Azure Service
Map the requirement to an Azure service. For IaaS, you would create a Virtual Machine. For PaaS, you might create an App Service or Azure SQL Database. For SaaS, you subscribe to Microsoft 365 or Dynamics 365. The Azure portal organizes these services under categories like Compute (IaaS: VMs), Web (PaaS: App Service), and Productivity (SaaS: Microsoft 365). The exam tests your ability to identify which service belongs to which model. For instance, Azure Container Instances is considered IaaS (or CaaS), but for AZ-900, know it's a compute service. Use the portal's search bar to find services quickly.
Configure and Deploy
Deployment steps vary by model. For IaaS: choose an image, size, networking, and storage. You then connect via RDP/SSH and configure the OS. For PaaS: select a runtime stack, pricing tier, and deployment source (Git, local code). Azure handles the rest. For SaaS: sign up, assign licenses to users, and configure settings. In the CLI, you might use 'az vm create' for IaaS, 'az webapp create' for PaaS. The exam doesn't require CLI proficiency, but familiarity helps. Remember: IaaS deployment is more complex; PaaS is simpler; SaaS is simplest.
Manage and Monitor
Management responsibilities differ. With IaaS, you must patch the OS, install antivirus, and configure backups. Azure provides tools like Azure Backup and Update Management. With PaaS, Azure manages the OS and runtime; you manage app settings, scaling, and monitoring via Application Insights. With SaaS, you manage user accounts, data retention, and compliance settings. The exam may ask: 'Who is responsible for applying OS patches to a virtual machine?' Answer: The customer (IaaS). For a web app on App Service: Azure (PaaS). Monitoring is often done via Azure Monitor across all models.
Scale and Optimize Costs
Scaling differs: IaaS requires adding more VMs or resizing existing ones. PaaS often supports auto-scaling (e.g., App Service can automatically increase instance count based on CPU). SaaS scales transparently (Microsoft 365 handles millions of users). Cost optimization: IaaS savings via reserved instances and spot VMs; PaaS via scaling down during low traffic; SaaS via subscription tier selection. The exam may test that PaaS can be more cost-effective than IaaS for variable workloads due to auto-scaling. Also know that IaaS gives more control over costs through VM sizes and shutdown schedules.
Scenario 1: Lift-and-Shift Migration with IaaS
A mid-sized company running a legacy .NET application on on-premises Windows Servers wants to move to Azure without rewriting the application. They choose IaaS: they create Azure Virtual Machines with the same OS version, install the application, and configure networking. This is called a 'lift-and-shift' migration. The team uses Azure Site Recovery to replicate VMs and then fails over. Costs: They pay per hour for VMs plus storage. They must still patch the OS, manage backups, and handle scaling manually. Common mistake: Forgetting to deallocate VMs when not in use, leading to unnecessary costs. Also, they might choose the wrong VM size (too small causing performance issues, or too large wasting money). Azure Advisor helps right-size VMs.
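As an added example (not part of the original chapter), the following Python code audits the two customer-side IaaS duties named in 'Manage and Monitor' and in this scenario: OS patching and deallocating VMs that are not in use. The sample inventory is constructed and only assumed to follow the field layout of `az vm list -d -o json`; the function names are hypothetical.

```python
import json

# Constructed sample, assumed to follow the field layout of `az vm list -d -o json`
# (trimmed to the fields read below). All names and values are made up.
SAMPLE_VM_LIST = json.loads("""
[
  {"name": "legacy-app-01", "powerState": "VM running",
   "osProfile": {"windowsConfiguration": {"patchSettings": {"patchMode": "Manual"}}}},
  {"name": "legacy-app-02", "powerState": "VM stopped",
   "osProfile": {"linuxConfiguration": {"patchSettings": {"patchMode": "ImageDefault"}}}},
  {"name": "web-01", "powerState": "VM running",
   "osProfile": {"linuxConfiguration": {"patchSettings": {"patchMode": "AutomaticByPlatform"}}}},
  {"name": "batch-01", "powerState": "VM deallocated",
   "osProfile": {"linuxConfiguration": {"patchSettings": null}}}
]
""")

# Patch modes where updates are applied without the customer scheduling each run.
# Anything else (Manual, ImageDefault, unset) leaves patching to in-guest setup.
AUTOMATED_PATCH_MODES = {"AutomaticByPlatform", "AutomaticByOS"}


def patch_mode(vm):
    """Return the VM's configured patchMode, or None if none is set."""
    os_profile = vm.get("osProfile") or {}
    for key in ("windowsConfiguration", "linuxConfiguration"):
        settings = (os_profile.get(key) or {}).get("patchSettings") or {}
        if settings.get("patchMode"):
            return settings["patchMode"]
    return None


def audit_vms(vms):
    """Return (vm_name, category, detail) findings for customer-owned IaaS tasks."""
    findings = []
    for vm in vms:
        mode = patch_mode(vm)
        if mode not in AUTOMATED_PATCH_MODES:
            findings.append((vm["name"], "os-patching",
                             f"patchMode={mode or 'unset'}; patching depends on the guest OS setup"))
        # 'VM stopped' keeps the compute allocation, which is billed
        # until the VM is deallocated.
        if vm.get("powerState") == "VM stopped":
            findings.append((vm["name"], "cost", "stopped but not deallocated"))
    return findings


if __name__ == "__main__":
    for name, category, detail in audit_vms(SAMPLE_VM_LIST):
        print(f"{name:15} {category:12} {detail}")
```

An automated patch mode does not move OS patching to Azure; the check only shows where no automated mechanism is configured at all.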
Scenario 2: Modern Web Application with PaaS
A startup is building a new e-commerce web app. They choose PaaS: Azure App Service for the frontend and Azure SQL Database for the backend. They deploy code via GitHub Actions. Azure automatically scales the app during peak shopping seasons. The team never manages servers; they focus on features. Costs: They pay for the App Service plan (e.g., Standard tier) and database DTUs. They can scale down during off-peak hours. Common issues: Misconfiguring connection strings, not enabling auto-scaling rules, or choosing an expensive tier unnecessarily. PaaS also handles SSL certificates and custom domains easily.
Scenario 3: Enterprise Collaboration with SaaS
A global company with 10,000 employees needs email, video conferencing, and document collaboration. They subscribe to Microsoft 365 E3. Users access Outlook, Teams, and SharePoint from anywhere. The IT team manages user accounts via Azure AD and enforces compliance policies. They don't worry about server uptime or updates. Costs: $36/user/month. Common pitfalls: Over-licensing (assigning E3 to users who only need email), not configuring data loss prevention, or failing to train users on security features. SaaS reduces IT overhead but requires careful identity and access management.
Objective Code: Describe the different types of cloud services (IaaS, PaaS, SaaS) – AZ-900 Objective 1.2
The exam expects you to:
Define each service model.
Identify which Azure services belong to which model (e.g., Virtual Machines = IaaS, App Service = PaaS, Microsoft 365 = SaaS).
Understand the shared responsibility model for each.
Recognize use cases and benefits.
Common Wrong Answers and Why Candidates Choose Them
1. 'IaaS provides the most control but the least flexibility.' *Why wrong:* IaaS actually provides the most flexibility (you can install any OS or software). The correct statement: IaaS provides the most control but also the most management responsibility.
2. 'PaaS is best for lift-and-shift migrations.' *Why wrong:* Lift-and-shift typically requires IaaS because you need to keep the same OS and configuration. PaaS would require rewriting the app to fit the platform.
3. 'In SaaS, the customer is responsible for patching the application.' *Why wrong:* In SaaS, the provider patches the application. The customer is only responsible for data and user access.
4. 'Azure Functions is an example of IaaS.' *Why wrong:* Azure Functions is serverless PaaS (or FaaS). Candidates confuse it with VMs because it runs code, but it's managed.
5. 'IaaS is always cheaper than PaaS.' *Why wrong:* IaaS can be cheaper if you manage reserved instances and deallocate VMs, but PaaS can be cheaper for variable workloads because you pay only for what you use without managing idle VMs.
Specific Terms and Values
IaaS: Virtual Machines, Virtual Network, Managed Disks.
PaaS: App Service, Azure SQL Database, Azure Functions, Logic Apps.
SaaS: Microsoft 365, Dynamics 365, Azure DevOps.
Shared Responsibility: For IaaS, customer manages OS and apps; for PaaS, customer manages data and apps; for SaaS, customer manages data and users.
Edge Cases and Tricky Distinctions
Azure Container Instances (ACI): This is IaaS (or CaaS) because you manage the container, but Azure manages the host. For AZ-900, classify it as compute (IaaS-like).
Azure Kubernetes Service (AKS): Managed Kubernetes is PaaS (or CaaS) because Azure manages the master node. You manage worker nodes (IaaS aspect). The exam may ask: 'Which service model is AKS?' Answer: PaaS (since it's a managed service).
Azure DevOps: Is it SaaS? Yes, because it's a hosted service you access via browser. But it can also be used as a platform for CI/CD.
Memory Trick
Use the acronym 'I P S' (IaaS, PaaS, SaaS) and associate with 'You manage more, provider manages more':
- I = I manage (Infrastructure: OS, apps)
- P = Provider manages platform (runtime, middleware)
- S = SaaS is fully managed by provider
For exam questions asking 'Who manages X?', think: If it's a VM, you manage OS. If it's a web app, Azure manages runtime. If it's Office 365, Microsoft manages the app.
IaaS provides virtualized compute, storage, and networking; you manage the OS and apps. Example: Azure Virtual Machines.
PaaS provides a managed platform for deploying apps; you manage only code and data. Example: Azure App Service.
SaaS provides ready-to-use software; you manage only data and users. Example: Microsoft 365.
The shared responsibility model shifts: IaaS = you manage more; SaaS = provider manages more.
IaaS is ideal for lift-and-shift migrations; PaaS is for modern app development; SaaS is for productivity and collaboration.
Azure Functions is PaaS (serverless); Azure Container Instances is IaaS (or CaaS).
For AZ-900, know at least two examples per model and be able to match services to models.
Pricing models: IaaS (pay-as-you-go, reserved, spot); PaaS (consumption, tiered); SaaS (per-user subscription).
These come up on the exam all the time. Here's how to tell them apart.
IaaS (Infrastructure as a Service)
Customer manages OS, middleware, runtime, data, and applications.
Provider manages physical hardware, hypervisor, storage, and networking.
Example: Azure Virtual Machines, Azure Virtual Network.
Use case: Lift-and-shift migration, custom infrastructure needs.
Higher management effort but full control.
PaaS (Platform as a Service)
Customer manages only data and applications.
Provider manages OS, middleware, runtime, and infrastructure.
Example: Azure App Service, Azure SQL Database.
Use case: Web app development, API hosting, database management.
Lower management effort but less control.
Mistake
IaaS means you have no control over the hardware.
Correct
You have no control over the physical hardware, but you have full control over the virtual hardware (VM specs, OS, networking). You can choose CPU, memory, and disk sizes.
Mistake
PaaS always costs more than IaaS.
Correct
PaaS can be more cost-effective for variable workloads because you don't pay for idle capacity. IaaS may be cheaper for predictable, always-on workloads with reserved instances.
Mistake
SaaS applications cannot be customized.
Correct
SaaS applications like Microsoft 365 offer customization through add-ins, custom fields, and APIs. However, you cannot modify the core application code.
Mistake
Azure Functions is an example of IaaS.
Correct
Azure Functions is a serverless compute service (PaaS/FaaS). You upload code and Azure runs it on demand. You never manage servers.
Mistake
In PaaS, the customer is responsible for patching the operating system.
Correct
In PaaS, the cloud provider patches the OS. The customer is only responsible for their application and data.
IaaS provides virtualized infrastructure (VMs, storage, networking) that you manage. PaaS provides a managed platform for running applications (you manage code/data). SaaS provides ready-to-use software (you manage data/users). The key difference is the level of control and management responsibility. For AZ-900, remember: IaaS = most control, SaaS = least control.
Azure Virtual Machines is the primary example of IaaS. Other IaaS services include Azure Virtual Network, Azure Load Balancer, and Azure Managed Disks. These give you virtualized infrastructure components you configure and manage.
Azure App Service is PaaS. You deploy your web application code, and Azure manages the underlying VMs, runtime, and OS. You do not have access to the VM's OS; you only manage your application settings and scaling.
The cloud provider (Azure) is responsible for patching the OS in PaaS services like Azure App Service or Azure SQL Database. The customer is only responsible for their application code and data. This is a common exam question.
Yes, IaaS is ideal for 'lift-and-shift' migrations where you move an existing application to the cloud without changes. You create VMs with the same OS and install the application. This avoids rewriting code but still requires you to manage the OS and patching.
Microsoft 365 (formerly Office 365) is the most common example of SaaS on Azure. Others include Dynamics 365 and Azure DevOps. These are fully managed applications accessed via a web browser or client app.
IaaS pricing is typically per hour or per second for VMs, plus storage and networking costs. PaaS pricing can be consumption-based (e.g., per execution for Functions) or tiered (e.g., App Service plan). SaaS pricing is usually per-user per-month subscription. IaaS offers reserved instances for discounts; PaaS and SaaS have limited reservation options.