AZ-900 | Chapter 4 of 127 | Objective 1.3

Public, Private, and Hybrid Cloud

This chapter covers the three fundamental cloud deployment models: public, private, and hybrid cloud. Understanding these models is essential for the AZ-900 exam because they form the foundation of cloud architecture decisions. The 'Cloud Concepts' objective area (including this topic) typically accounts for 15–20% of the exam questions. By the end of this chapter, you will be able to define each model, compare their advantages and disadvantages, and identify the appropriate use cases for each. You will also understand how Azure supports hybrid scenarios, which is a key differentiator for Microsoft.

Updated May 31, 2026

Owning, Renting, and Hybridizing Your Office Space

Imagine you run a growing company. You have three options for office space.

Private cloud is like owning your own building. You buy the land, construct the building, install all the plumbing and electrical, hire a maintenance team, and pay for security. You have full control over everything, but you also bear all the costs—mortgage, property taxes, repairs, and upgrades—whether you use the space fully or not. This is analogous to on-premises infrastructure: you own the servers, storage, and network, and you are responsible for everything from power to patching.

Public cloud is like renting a coworking space. You pay a monthly fee for a desk, internet, and access to meeting rooms. The coworking company handles cleaning, maintenance, and utilities. You can scale up by renting more desks during busy seasons and downsize when things slow, paying only for what you use. This is like Azure: Microsoft owns the hardware, you consume resources on demand.

Hybrid cloud is like owning a small building for your core team but renting additional coworking desks for temporary projects or overflow. You keep sensitive data in your owned building (private cloud) but leverage the public cloud for burst capacity or specific workloads. The two environments are connected by a secure network—like a private tunnel between your building and the coworking space—allowing data and applications to move seamlessly. This combination gives you control over critical assets while enjoying the flexibility and cost savings of the public cloud for the rest.

How It Actually Works

What Are Cloud Deployment Models?

Cloud deployment models define where the infrastructure for your applications and data resides, who manages it, and how you access it. The three primary models are public, private, and hybrid. Each model addresses different business needs regarding control, security, scalability, and cost.

Public Cloud: The Shared, On-Demand Model

In a public cloud, a third-party provider like Microsoft Azure owns and manages the entire infrastructure—servers, storage, networking, and data centers. As a customer, you provision and use resources (virtual machines, databases, etc.) over the internet, paying only for what you consume (pay-as-you-go pricing).

How it works:
- Azure operates massive data centers around the world. These data centers house thousands of servers, storage arrays, and network equipment.
- You create an Azure subscription, and within that subscription, you can create resources like VMs, web apps, or databases using the Azure portal, CLI, or APIs.
- Azure abstracts the underlying hardware. You do not know which physical server your VM runs on, nor do you care. Azure manages hardware failures, maintenance, and upgrades.
- You can scale resources up or down instantly. For example, during a holiday sales spike, you can add more VM instances to handle traffic, then remove them when traffic subsides.

Key characteristics:
- Multi-tenant: Multiple customers share the same physical infrastructure, but their data and workloads are isolated using virtualization and network segmentation.
- Elasticity: Resources can be scaled automatically based on demand.
- No capital expenditure: You pay operational expenses (OpEx) only for what you use.
- High availability: Azure offers SLAs (e.g., 99.9% uptime for VMs) and provides built-in redundancy across regions.

Business problem solved: A startup with limited capital needs to launch a web app quickly without buying servers. Public cloud allows them to spin up infrastructure in minutes and pay as they grow.

Private Cloud: Dedicated Infrastructure, Full Control

A private cloud is a cloud environment dedicated to a single organization. It can be hosted on-premises (in your own data center) or by a third-party provider exclusively for you. The key is that the infrastructure is not shared with other organizations.

How it works:
- You own or lease the hardware (servers, storage, network). You install a hypervisor (like Hyper-V or VMware) to virtualize resources.
- You deploy a cloud management platform (like Azure Stack HCI or VMware vSphere) to provide self-service provisioning, orchestration, and metering.
- Users within your organization can request VMs or storage through a portal, and the platform automatically provisions them on the available hardware.
- You are responsible for all maintenance: patching OS, replacing failed disks, upgrading firmware, managing power and cooling.

Key characteristics:
- Single-tenant: No resource sharing with other organizations.
- Full control: You decide hardware, software, security policies, and compliance measures.
- Higher cost: You bear capital expenditure (CapEx) for hardware and ongoing operational costs for staff, power, and cooling.
- Limited scalability: Scaling requires purchasing and installing new hardware, which can take weeks.

Business problem solved: A bank must keep customer financial data on-premises due to regulatory compliance. A private cloud allows them to get some benefits of cloud (self-service, automation) while maintaining physical control.

Hybrid Cloud: The Best of Both Worlds

A hybrid cloud combines public and private clouds, allowing data and applications to be shared between them. The two environments are connected via a secure network (typically VPN or Azure ExpressRoute) and operate as a unified infrastructure.

How it works:
- You run some workloads on-premises (private cloud) and others in Azure (public cloud).
- You establish connectivity: either a site-to-site VPN over the internet or a dedicated private connection via Azure ExpressRoute.
- You can use Azure services to manage and monitor both environments from a single pane of glass (e.g., Azure Arc, Azure Monitor).
- Workloads can be moved between environments based on need. For example, you might keep sensitive data on-premises but use Azure for compute-intensive analytics on that data.

Key characteristics:
- Flexibility: You choose where to run each workload based on cost, compliance, latency, or other factors.
- Consistent platform: Azure provides tools (like Azure Stack HCI and Azure Arc) that make the on-premises environment feel like an extension of Azure.
- Complexity: You must manage two environments, network connectivity, and data synchronization.
- Cost optimization: You can use public cloud for burst capacity instead of over-provisioning your private cloud.

Business problem solved: A retailer runs its core transaction system on-premises for low latency but uses Azure for seasonal peak traffic and analytics. Hybrid cloud allows seamless scaling without abandoning existing investments.

Comparing Deployment Models

| Feature | Public Cloud | Private Cloud | Hybrid Cloud |
|---------|--------------|---------------|--------------|
| Ownership | Cloud provider | Organization | Both |
| Scalability | Instant, elastic | Limited by hardware | Elastic via public cloud |
| Cost Model | OpEx only | CapEx + OpEx | Mixed |
| Control | Low | High | Medium |
| Security | Shared responsibility | Organization's sole responsibility | Shared with segregation |
| Example Use Case | Dev/test, web apps | Regulated data, legacy apps | Bursting, disaster recovery |

Azure-Specific Considerations

Azure supports all three models:
- Public: Standard Azure services (VMs, App Service, SQL Database).
- Private: Azure Stack HCI (hyperconverged infrastructure for on-premises) or Azure Private Edge Zones.
- Hybrid: Azure Arc (management across environments), Azure ExpressRoute (dedicated private connection), and Azure Backup / Azure Site Recovery (disaster recovery to Azure).

The exam will expect you to know the definitions, advantages, and disadvantages of each model. You should also understand that hybrid cloud is not a separate type of cloud but a combination of public and private.

Walk-Through

1. Choose a Workload

Identify an application or data set you want to move to the cloud or connect across environments. For example, a customer-facing web app with variable traffic. Consider its sensitivity (regulatory requirements), performance needs (latency), and cost profile. This step determines which deployment model is suitable. For the exam, know that workloads with predictable, steady usage may suit private cloud, while variable or new workloads favor public cloud.

2. Assess Compliance and Security

Determine if your workload must comply with regulations like GDPR, HIPAA, or PCI DSS that restrict data location or require physical control. If yes, private or hybrid cloud may be necessary. If no, public cloud is often the most cost-effective. Azure provides compliance certifications and tools like Azure Policy to enforce rules. The exam may ask which model is required for certain compliance scenarios.

3. Select a Cloud Deployment Model

Based on steps 1 and 2, choose public, private, or hybrid. For a greenfield startup with no legacy, public cloud is typical. For an enterprise with existing data centers, hybrid cloud allows gradual migration. For highly regulated industries, private cloud (or a dedicated host in Azure) might be mandated. The exam tests your ability to match business requirements to the correct model.

4. Provision the Environment

For public cloud: create an Azure subscription and deploy resources via portal, CLI, or ARM templates. For private cloud: set up Azure Stack HCI or VMware on your hardware and configure the management plane. For hybrid: establish connectivity (VPN or ExpressRoute) and optionally deploy Azure Arc to unify management. Azure portal provides wizards for common hybrid scenarios like connecting on-premises networks to Azure.

5. Manage and Monitor

Once the environment is running, use Azure Monitor to track performance and costs. For hybrid, Azure Arc provides a single view of resources across on-premises and Azure. Implement policies (Azure Policy) to enforce governance. For private cloud, you manage hardware health separately. The exam focuses on Azure tools for managing hybrid environments, such as Azure Arc and Azure Monitor.
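The placement checks from steps 1 to 3, together with the chapter's point that an estate is hybrid only when its public and private parts are connected, as an added example that is not part of the original chapter. The `Workload` fields, the link labels and the sample estates are hypothetical and constructed for illustration; "regulated" is simplified here to mean the data must stay on dedicated, single-tenant infrastructure.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Connectivity options the chapter names for joining on-premises and Azure.
SECURE_LINKS = {"site-to-site-vpn", "expressroute"}


@dataclass(frozen=True)
class Workload:
    name: str
    environment: str                # "public" (multi-tenant) or "private" (single-tenant)
    regulated: bool = False         # assumption: data must stay on dedicated infrastructure
    talks_to: Tuple[str, ...] = ()  # names of workloads it exchanges data with
    link: Optional[str] = None      # how its cross-environment traffic travels


def cross_links(workloads):
    """Return (source, target) pairs that span the public/private boundary."""
    by_name = {w.name: w for w in workloads}
    return [(w, by_name[t]) for w in workloads for t in w.talks_to
            if by_name[t].environment != w.environment]


def deployment_model(workloads):
    """Name the model for an estate; hybrid needs a connection, not just both kinds."""
    envs = {w.environment for w in workloads}
    if envs == {"public", "private"}:
        return "hybrid" if cross_links(workloads) else "public + private (not connected)"
    return next(iter(envs))


def audit(workloads):
    """Flag placements and links that contradict the walk-through's checks."""
    findings = []
    for w in workloads:
        if w.regulated and w.environment == "public":
            findings.append((w.name, "regulated data placed on multi-tenant infrastructure"))
    for src, dst in cross_links(workloads):
        if src.link not in SECURE_LINKS:
            findings.append((src.name, f"link to {dst.name} is not VPN or ExpressRoute"))
    return findings


# Constructed estates modelled on the chapter's hospital and manufacturer scenarios.
HOSPITAL = [
    Workload("ehr", "private", regulated=True),
    Workload("booking", "public"),
]
MANUFACTURER = [
    Workload("erp", "private"),
    Workload("simulation", "public", talks_to=("erp",), link="site-to-site-vpn"),
]
# Constructed failure case: a regulated copy lands in Azure and the link is left open.
MISCONFIGURED = [
    Workload("ehr", "private", regulated=True),
    Workload("ehr-archive", "public", regulated=True),
    Workload("booking", "public", talks_to=("ehr",), link="public-internet"),
]

if __name__ == "__main__":
    for label, estate in [("hospital", HOSPITAL), ("manufacturer", MANUFACTURER),
                          ("misconfigured", MISCONFIGURED)]:
        print(label, "->", deployment_model(estate), audit(estate))
```

The hospital estate uses both kinds of cloud yet is not reported as hybrid, because nothing crosses the boundary between them.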

What This Looks Like on the Job

Scenario 1: E-Commerce Startup Using Public Cloud

A new online retailer launches a platform for handmade goods. They have no existing IT infrastructure and a limited budget. They choose Azure public cloud. They deploy a web app using Azure App Service, store product images in Azure Blob Storage, and use Azure SQL Database for inventory. During Black Friday, traffic spikes 10x. Azure Autoscale automatically adds more App Service instances, and the database scales up. After the sale, resources scale down, and they pay only for what they used. The startup avoids buying servers that would sit idle most of the year. If they had chosen private cloud, they would have needed to purchase enough capacity for peak traffic, wasting capital.

Scenario 2: Hospital Using Private Cloud for Patient Records

A hospital must store electronic health records (EHR) on-premises due to government regulations that data cannot leave the country. They build a private cloud using Azure Stack HCI in their data center. Doctors and nurses access the system via a local portal. The hospital retains full control over data and compliance. However, they also run a public-facing appointment booking system in Azure public cloud to handle variable patient demand. The two systems are not connected, so no hybrid model is needed. If they had used public cloud for EHR, they would violate compliance.

Scenario 3: Manufacturer Using Hybrid Cloud for Burst Computing

A manufacturing company runs its ERP system on-premises in a private cloud. Twice a year, they run complex supply chain simulations that require massive compute power for a week. Instead of buying extra servers for these peaks, they use Azure public cloud. They set up a site-to-site VPN between their on-premises network and Azure. When a simulation starts, they deploy hundreds of VMs in Azure, run the simulation, then tear them down. The ERP data stays on-premises, but the compute is done in the cloud. This hybrid approach saves 60% compared to provisioning for peak.

Common mistakes: forgetting to secure the VPN connection or not monitoring data transfer costs, which can be significant.

How AZ-900 Actually Tests This

Objective Code: AZ-900: Describe cloud concepts (15–20% of exam). Specifically, Objective 1.3: Describe the differences between public, private, and hybrid cloud models.

What the exam tests:
- Definitions: You must be able to define each model in one sentence.
- Advantages and disadvantages: Know at least three pros and cons for each.
- Use cases: Given a scenario (e.g., 'A company has strict data sovereignty requirements'), choose the appropriate model.
- Hybrid cloud characteristics: Understand that hybrid is a combination, not a third independent model.

Common wrong answers and why:
1. 'Private cloud is always on-premises.' This is false. Private cloud can be hosted off-premises by a third party exclusively for you. The key is single-tenancy, not location.
2. 'Hybrid cloud is a third type of cloud.' The exam considers hybrid as a combination of public and private, not a separate deployment model.
3. 'Public cloud is always cheaper than private cloud.' Not necessarily. For predictable, steady workloads, private cloud can be cheaper over time due to no vendor markup. Public cloud is cheaper for variable workloads.
4. 'Private cloud provides no scalability.' It does scale, but within the limits of your hardware. It is not as elastic as public cloud.

Specific terms and values:
- 'Multi-tenant' is associated with public cloud.
- 'Single-tenant' with private cloud.
- 'Capital expenditure (CapEx)' vs. 'Operational expenditure (OpEx)' – public cloud is OpEx; private cloud involves CapEx.
- 'Elasticity' is a key feature of public cloud.

Edge cases:
- A community cloud (not on the exam) is sometimes confused with hybrid. Ignore it.
- 'Azure Stack' (now Azure Stack HCI) is a private cloud solution that can be used in hybrid scenarios. The exam may ask which Azure service enables a hybrid cloud (Azure Arc, ExpressRoute, VPN Gateway).

Memory trick: Think of Public = Provider-owned (Microsoft), Private = Personal (your own), Hybrid = Half-and-half (both). For exam questions, look for keywords: 'shared infrastructure' → public; 'dedicated' → private; 'connected' → hybrid.

Key Takeaways

Public cloud: provider-owned, multi-tenant, pay-as-you-go, elastic, low control.

Private cloud: organization-owned/leased, single-tenant, CapEx + OpEx, limited scalability, high control.

Hybrid cloud: combination of public and private, connected via VPN or ExpressRoute, offers flexibility and cost optimization.

Azure supports hybrid with services like Azure Arc, Azure Stack HCI, and ExpressRoute.

The exam focuses on matching business requirements (cost, compliance, scalability) to the correct deployment model.

Common exam keywords: 'multi-tenant' = public, 'single-tenant' = private, 'connected' = hybrid.

Private cloud can be on-premises or off-premises; location is not the defining factor.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Public Cloud

Infrastructure owned and managed by cloud provider (e.g., Microsoft).

Multi-tenant: resources shared across multiple customers, isolated virtually.

Pay-as-you-go (OpEx), no upfront capital investment.

Elastic scalability: resources can be added/removed instantly.

Lower control over hardware and security policies; shared responsibility model.

Private Cloud

Infrastructure owned and managed by the organization (or dedicated provider).

Single-tenant: no sharing of physical resources with other organizations.

Capital expenditure (CapEx) for hardware plus ongoing operational costs.

Limited scalability within hardware capacity; scaling requires purchasing new gear.

Full control over hardware, security, and compliance; organization bears all responsibility.

Watch Out for These

Mistake

Private cloud must be located on-premises.

Correct

Private cloud can be hosted off-premises by a third party, as long as the infrastructure is dedicated to a single organization. The defining factor is single-tenancy, not physical location.

Mistake

Hybrid cloud is a distinct third deployment model like public and private.

Correct

Hybrid cloud is a combination of public and private clouds that are connected. It is not a separate model but a composition. The exam treats it as a scenario, not a standalone model.

Mistake

Public cloud is always cheaper than private cloud.

Correct

For steady, predictable workloads, private cloud can be cheaper over time because you avoid vendor markups. Public cloud is cheaper for variable or short-term workloads due to its pay-as-you-go model.

Mistake

Private cloud offers no scalability.

Correct

Private cloud can scale, but within the limits of your owned hardware. Scaling requires purchasing and installing new equipment, which takes time. It lacks the instant, elastic scalability of public cloud.

Mistake

In a public cloud, you share the same virtual machine with other customers.

Correct

Multi-tenancy means you share the physical hardware, not the virtual machine. Each VM is isolated. Your VM's resources are dedicated to you, but the underlying server may host VMs from other customers.

Frequently Asked Questions

What is the difference between public cloud and private cloud?

Public cloud uses shared infrastructure owned by a provider (like Azure), while private cloud uses dedicated infrastructure for a single organization. Public cloud is multi-tenant, pay-as-you-go, and highly elastic. Private cloud is single-tenant, often involves upfront hardware costs, and offers more control but less scalability. For AZ-900, remember that public cloud is OpEx, private cloud is CapEx.

Can private cloud be hosted off-premises?

Yes. Private cloud is defined by single-tenancy, not physical location. A third-party provider can host dedicated hardware for your organization in their data center, and that is still a private cloud. The exam may test this distinction—many candidates incorrectly think private cloud must be on-premises.

What is hybrid cloud and why would I use it?

Hybrid cloud connects a public cloud (like Azure) with a private cloud (on-premises or hosted) via a secure network. Use it to keep sensitive data on-premises for compliance while leveraging public cloud for compute bursts, disaster recovery, or new workloads. It offers flexibility and cost optimization. Azure provides services like Azure Arc and ExpressRoute to enable hybrid scenarios.

Is hybrid cloud a separate deployment model?

No. Hybrid cloud is a combination of public and private clouds that are interconnected. It is not a third independent model. The exam considers it as a scenario or architecture, not a deployment model in itself. You should know that it blends characteristics of both.

Which deployment model is best for a startup with limited budget?

Public cloud is typically best because it requires no upfront capital and allows you to pay only for what you use. Startups can scale quickly without over-investing in hardware. For AZ-900, match 'limited budget' and 'variable demand' to public cloud.

What Azure services enable hybrid cloud?

Key services include Azure Arc (management across environments), Azure ExpressRoute (dedicated private connection), VPN Gateway (site-to-site VPN), Azure Stack HCI (on-premises private cloud), and Azure Backup/Site Recovery (disaster recovery to Azure). The exam may ask which service connects on-premises to Azure with a private connection—answer is ExpressRoute.

What are the disadvantages of private cloud?

High upfront capital cost, limited scalability (must buy hardware for peak), ongoing operational overhead (staff, power, cooling, maintenance), and slower provisioning. However, it offers maximum control and compliance. For the exam, remember that private cloud is less elastic than public cloud.
