This chapter explains the three core cloud service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Understanding these models is critical for the AZ-900 exam because they form the foundation of cloud computing and appear in multiple objectives, including 1.2. This objective area carries approximately 15-20% of exam weight, so mastering these concepts is essential. By the end of this chapter, you will be able to differentiate the models, identify their use cases, and answer exam questions accurately.
Jump to a section
Imagine you want to host a pizza party. In an on-premises model, you do everything: grow the wheat, mill the flour, make the dough, prepare toppings, bake the pizza, serve it, and clean up. That’s like managing your own data center. Now, consider cloud service models. Infrastructure as a Service (IaaS) is like ordering a pre-made pizza crust from a store. You still add your own sauce, cheese, and toppings, and you bake it in your oven. You control the toppings and baking, but the crust is provided. Platform as a Service (PaaS) is like ordering a pizza with all toppings already on it, but you still bake it at home. The store provides the entire pizza (platform), you just put it in the oven and serve. Software as a Service (SaaS) is like going to a pizzeria and eating a fully cooked pizza there. You don’t do any preparation or baking; you just consume. In cloud terms: IaaS gives you virtual machines, storage, and networking (the crust). PaaS gives you a managed platform like Azure App Service (the topped pizza). SaaS gives you ready-to-use software like Office 365 (the eaten pizza). The key mechanism: each model shifts responsibility from you to the provider. With IaaS, you manage the OS, middleware, and apps. With PaaS, you manage only the app and data. With SaaS, you manage nothing but usage. This mirrors the pizza analogy: you control less as you move from IaaS to SaaS.
What Are Cloud Service Models?
Cloud service models define the level of control, responsibility, and flexibility you have when using cloud resources. They answer the question: 'What do I manage, and what does the cloud provider manage?' The three models—IaaS, PaaS, and SaaS—form a spectrum from maximum user control (IaaS) to maximum provider control (SaaS).
The Business Problem They Solve
Before cloud computing, organizations had to build and maintain their own data centers. This required significant capital expenditure (CapEx) for hardware, software, and facilities. Cloud service models allow businesses to shift from CapEx to operational expenditure (OpEx), paying only for what they use. Each model addresses different needs: IaaS provides raw infrastructure for custom environments, PaaS accelerates application development without managing underlying platforms, and SaaS delivers ready-to-use software.
How IaaS Works
IaaS provides virtualized computing resources over the internet. You get virtual machines (VMs), storage, and virtual networks. You are responsible for managing the operating system, middleware, runtime, data, and applications. The provider manages the physical hardware, hypervisor, and networking infrastructure.
Step-by-step mechanism: 1. You create a VM in Azure using the portal, CLI, or SDK. 2. You choose the VM size (CPU, RAM), operating system (Windows, Linux), and storage type (HDD, SSD). 3. Azure provisions the VM on a hypervisor running on physical servers in a datacenter. 4. You connect to the VM via RDP (Windows) or SSH (Linux) and configure it. 5. You install software, apply updates, and manage security.
Key components: - Virtual Machines: Compute resources with configurable OS. - Virtual Networks: Isolated network segments with subnets, IP addresses, and firewalls. - Storage Accounts: Blob, file, queue, and table storage. - Load Balancers: Distribute traffic across VMs.
Tiers and pricing: - Basic and Standard tiers for VMs. - Pay-as-you-go, reserved instances, and spot instances. - Costs include compute, storage, and data egress.
On-premises equivalent: - Physical servers, network switches, and storage arrays. - You manage everything, but with IaaS, you avoid hardware procurement and maintenance.
How PaaS Works
PaaS provides a managed platform for developing, running, and managing applications. You deploy your code, and the provider handles the OS, middleware, runtime, and infrastructure. You only manage the application and data.
Step-by-step mechanism: 1. You create an App Service plan (defines compute resources). 2. You create a web app within the plan. 3. You deploy your code via Git, FTP, or CI/CD pipeline. 4. Azure automatically provisions the web server, load balancer, and scaling. 5. You monitor application performance using Azure Monitor.
Key components: - Azure App Service: Host web apps, REST APIs, mobile backends. - Azure Functions: Event-driven serverless compute. - Azure SQL Database: Managed relational database. - Azure Kubernetes Service (AKS): Managed container orchestration.
Tiers and pricing: - App Service plans: Free, Shared, Basic, Standard, Premium. - Costs based on plan tier, number of instances, and storage. - Serverless options (Consumption plan) charge per execution.
On-premises equivalent: - You would need to set up web servers (IIS, Apache), databases, load balancers, and patching. PaaS eliminates this overhead.
How SaaS Works
SaaS provides fully functional software applications accessed over the internet. Users do not manage any infrastructure or platform; they simply use the software. The provider handles everything: hardware, OS, runtime, data storage, and application updates.
Step-by-step mechanism: 1. You subscribe to a SaaS offering (e.g., Office 365, Dynamics 365). 2. You log in via a web browser or client app. 3. The provider manages availability, security, updates, and backups. 4. You use the software as needed, often with multi-tenant architecture.
Key components: - Microsoft 365: Office apps, email, collaboration. - Dynamics 365: CRM and ERP. - Azure Active Directory (for identity).
Tiers and pricing: - Per-user per-month subscriptions, often with multiple plans (Basic, Standard, Premium). - Some SaaS offers free tiers with limited features.
On-premises equivalent: - Installing and maintaining software on local machines or servers. SaaS eliminates installation and maintenance.
Comparison of Responsibility
The shared responsibility model varies by service model:
On-premises: You manage everything.
IaaS: You manage OS, data, apps; provider manages physical infrastructure.
PaaS: You manage data and apps; provider manages everything else.
SaaS: You manage nothing; provider manages all.
Azure Portal and CLI Touchpoints
IaaS:
- Azure portal: Virtual Machines, Storage accounts, Virtual Networks.
- CLI: az vm create, az network vnet create.
PaaS:
- Azure portal: App Services, Azure SQL databases, Function Apps.
- CLI: az webapp create, az functionapp create.
SaaS: - Typically managed through separate portals (e.g., admin.microsoft.com). - Azure AD integration for identity.
Concrete Business Scenarios
IaaS scenario: A company lifts and shifts a legacy application to Azure VMs to avoid hardware refresh costs. They manage the OS and app but benefit from Azure’s global datacenters and pay-as-you-go pricing.
PaaS scenario: A startup builds a web app using Azure App Service. They focus on code, while Azure handles scaling, patching, and load balancing. This reduces time to market and operational overhead.
SaaS scenario: A small business uses Office 365 for email and collaboration. They pay per user per month and never worry about server maintenance or software updates.
Identify the service model
Determine what you need to manage. If you need full control over the OS and applications, IaaS is appropriate. If you want to focus only on code and data, choose PaaS. If you need ready-to-use software, select SaaS. This decision is based on the level of responsibility you want to retain.
Select the Azure service
For IaaS, choose Virtual Machines, Storage Accounts, and Virtual Networks. For PaaS, select App Service, Azure Functions, or Azure SQL Database. For SaaS, subscribe to Microsoft 365, Dynamics 365, or other SaaS offerings. Each service has specific configuration options and pricing tiers.
Configure resources
In IaaS, you configure VM size, OS, and network settings. In PaaS, you set the App Service plan tier and scaling options. In SaaS, you choose a subscription plan and assign users. Azure portal or CLI guides you through these steps, often with default values.
Deploy and manage
For IaaS, deploy by connecting to the VM and installing software. For PaaS, deploy code via Git or CI/CD. For SaaS, users simply log in. Management tasks vary: IaaS requires patching the OS; PaaS may require application updates; SaaS requires no management from the user.
Monitor and optimize costs
Use Azure Cost Management to track spending. IaaS costs include compute, storage, and data transfer. PaaS costs depend on plan tier and usage. SaaS costs are subscription-based. Right-sizing resources and using reserved instances can reduce IaaS costs. For PaaS, scaling down during low usage saves money.
Scenario 1: E-commerce Platform Migration (IaaS) A retail company with a legacy .NET application running on physical servers wants to migrate to Azure without rewriting the app. They choose IaaS by creating Azure VMs with Windows Server. They replicate the on-premises environment: two VMs for the web tier behind a load balancer, and two VMs for the database tier running SQL Server. They also set up a virtual network with subnets and network security groups. The team configures the VMs with the same OS and software as on-premises. After migration, they benefit from Azure's high availability (99.95% SLA) and pay-as-you-go pricing, avoiding hardware refresh costs. A common mistake is not using availability sets, which can cause downtime during maintenance.
Scenario 2: Startup Web Application (PaaS) A startup builds a social media analytics web app. They choose Azure App Service (PaaS) to host the frontend and Azure Functions for background processing. They deploy code via GitHub Actions. Azure automatically scales the app based on traffic (autoscaling). They use Azure SQL Database for storage, which handles backups and patching. The team focuses on features, not infrastructure. Cost is low initially (Free tier) and scales with success. Misconfiguration: not setting scaling limits can lead to unexpected costs during traffic spikes.
Scenario 3: Enterprise Email and Collaboration (SaaS) A multinational corporation needs email, calendar, and document collaboration for 10,000 employees. They subscribe to Microsoft 365 E3. IT assigns licenses and configures policies via the admin center. Users log in with their Azure AD credentials and use Outlook, Teams, and SharePoint. Microsoft handles updates, spam filtering, and data redundancy across datacenters. The company avoids maintaining Exchange servers. Pitfall: not configuring retention policies can lead to data loss during legal holds.
This section aligns with AZ-900 objective 1.2: 'Describe the differences between IaaS, PaaS, and SaaS'. The exam expects you to identify which model a given scenario describes and to understand the shared responsibility model.
Common wrong answers and why candidates choose them: 1. 'IaaS provides the highest level of control over applications.' Wrong because IaaS gives control over OS and apps, but PaaS and SaaS also allow some control (e.g., app code in PaaS). The exam tests that IaaS gives control over the OS and infrastructure. 2. 'PaaS is best for lift-and-shift migrations.' Wrong because lift-and-shift typically uses IaaS to replicate on-premises environments. PaaS requires application modification. 3. 'SaaS requires you to manage the operating system.' Wrong because SaaS providers manage everything; users only use the software. 4. 'All three models have the same security responsibility.' Wrong because security responsibility shifts: in IaaS you secure the OS and apps; in PaaS you secure data and access; in SaaS you secure user accounts.
Specific terms to memorize: - IaaS: Virtual machines, storage, networking. - PaaS: App Service, Azure SQL Database, Azure Functions. - SaaS: Microsoft 365, Dynamics 365. - Shared responsibility: On-premises (you manage everything), IaaS (you manage OS and above), PaaS (you manage app and data), SaaS (you manage nothing).
Edge cases: - Serverless (Azure Functions) is a subset of PaaS (or considered Function as a Service). The exam may ask if it's PaaS or IaaS; it's PaaS. - Containers (AKS) can be IaaS or PaaS depending on management. AKS is PaaS for orchestration, but you manage container images. - Hybrid models: Some services blend models (e.g., Azure SQL Database is PaaS, but you can manage some settings).
Memory trick: Use the 'Pizza as a Service' analogy: IaaS = DIY crust, PaaS = pre-topped pizza, SaaS = eaten pizza. For responsibility, remember: 'You manage less as you go up the stack: IaaS -> PaaS -> SaaS'.
IaaS (Infrastructure as a Service) provides virtualized computing resources; you manage the OS and above.
PaaS (Platform as a Service) provides a managed platform; you manage only your application and data.
SaaS (Software as a Service) provides ready-to-use software; you manage nothing.
The shared responsibility model shifts from full user control (on-premises) to full provider control (SaaS).
Common IaaS services: Azure Virtual Machines, Storage Accounts, Virtual Networks.
Common PaaS services: Azure App Service, Azure SQL Database, Azure Functions.
Common SaaS services: Microsoft 365, Dynamics 365.
AZ-900 objective 1.2: Describe differences between IaaS, PaaS, and SaaS.
These come up on the exam all the time. Here's how to tell them apart.
IaaS (Infrastructure as a Service)
Provides virtual machines, storage, and networking.
You manage OS, middleware, runtime, data, and apps.
Best for lift-and-shift migrations.
More control over the environment.
Requires more management effort.
PaaS (Platform as a Service)
Provides managed platform for app development.
You manage only apps and data.
Best for cloud-native application development.
Less control, but less management overhead.
Includes built-in scaling and high availability.
Mistake
IaaS means you manage nothing.
Correct
IaaS means you manage the operating system, middleware, runtime, data, and applications. The provider manages only the physical hardware, hypervisor, and networking infrastructure.
Mistake
PaaS requires you to manage the virtual machines.
Correct
PaaS abstracts away the VMs. You do not manage the OS or infrastructure; you only deploy and manage your application and data.
Mistake
SaaS is always more expensive than IaaS.
Correct
SaaS can be more cost-effective for standardized needs because you avoid infrastructure and maintenance costs. For custom environments, IaaS may be cheaper.
Mistake
You cannot use IaaS for modern applications.
Correct
IaaS is suitable for any application that requires full control, including modern apps with custom configurations. However, PaaS is often better for cloud-native apps.
Mistake
All cloud services fit neatly into one model.
Correct
Some services blur the lines. For example, Azure Functions is PaaS (serverless), but you still write code. Containers can be IaaS (if you manage the VMs) or PaaS (if using AKS).
The main difference is the level of management responsibility. In IaaS, you manage the operating system, middleware, runtime, data, and applications, while the provider manages the physical infrastructure. In PaaS, the provider manages the OS, middleware, and runtime, so you only manage your application and data. This means PaaS reduces operational overhead but gives you less control. For example, with Azure VMs (IaaS), you must patch the OS; with Azure App Service (PaaS), the provider patches the OS automatically.
Azure Functions is a PaaS (or serverless) service. It provides a managed platform where you write and deploy code without managing infrastructure. The provider automatically scales and handles the runtime. Although you write code, you do not manage servers or OS, which aligns with PaaS characteristics.
Yes, you can run a database on IaaS by installing database software (e.g., SQL Server, MySQL) on an Azure VM. You are responsible for managing the database software, backups, and patching. Alternatively, you can use PaaS database services like Azure SQL Database, which handles these tasks for you.
A typical question presents a scenario (e.g., 'A company wants to migrate a legacy app without modifying code') and asks which model to use. The answer is IaaS because it allows full control and replication of the on-premises environment. Another common question asks about the shared responsibility model: 'Who is responsible for patching the OS in PaaS?' The answer is the provider.
PaaS is often best for startups because it reduces infrastructure management. They can focus on building their application without worrying about servers, OS updates, or scaling. SaaS is also good for non-core functions like email. IaaS may require more IT expertise.
The shared responsibility model defines what the cloud provider manages and what the customer manages. For on-premises, the customer manages everything. For IaaS, the provider manages physical infrastructure; the customer manages OS, data, and apps. For PaaS, the provider manages the platform; the customer manages apps and data. For SaaS, the provider manages everything.
Yes, hybrid architectures are common. For example, you might use IaaS for a legacy database, PaaS for a web app, and SaaS for email. Azure supports integration across models, such as using Azure AD for identity across all services.
You've just covered IaaS, PaaS, and SaaS Explained — now see how well it sticks with free AZ-900 practice questions. Full explanations included, no account needed.
Done with this chapter?