This chapter covers hybrid cloud benefits and use cases, a core concept in Domain: Cloud Concepts (Objective 1.3), which typically weighs 25-30% of the AZ-900 exam. Hybrid cloud is one of the most frequently tested scenarios because it represents the real-world strategy for most enterprises—combining on-premises, private cloud, and public cloud into a unified, flexible infrastructure. You'll learn exactly what hybrid cloud is, why organizations adopt it, and how Azure enables it, all with an eye toward the specific facts and distinctions the exam expects.
Jump to a section
Imagine you run a small delivery business from your home garage. You own a reliable but older van that can only carry 500 packages per day. Some days, you get a surge of 800 orders. You can't afford to buy a second van that would sit idle most of the time. Your solution? Partner with a ride-sharing company that has thousands of drivers on standby. On a normal day, you use your own van for the first 500 deliveries, and when demand spikes, you instantly hire extra drivers from the ride-sharing company to handle the overflow. You only pay for the extra drivers when you use them. The ride-sharing company handles all the logistics—driver background checks, insurance, maintenance—while you keep your own van for predictable daily routes. This is exactly how hybrid cloud works: your on-premises infrastructure (your van) handles steady-state workloads, and the public cloud (ride-sharing fleet) provides elastic capacity for bursts, disaster recovery, or new projects. The key mechanism is that both environments are connected via a secure, dedicated network link (like a private highway between your garage and the ride-sharing hub), allowing workloads to move seamlessly without re-architecting. You manage everything from a single dashboard, just as a dispatcher sees both your van and the hired drivers on one screen.
What Is Hybrid Cloud and the Business Problem It Solves
Hybrid cloud is a computing environment that connects an organization's on-premises infrastructure (or private cloud) with a public cloud provider's infrastructure, allowing data and applications to be shared between them. The business problem it solves is the trade-off between control and elasticity. On-premises gives you full control over security, compliance, and performance, but it requires large upfront capital expenditure (CapEx) and has limited scalability. Public cloud offers unlimited scalability and pay-as-you-go pricing (OpEx), but some organizations cannot move all workloads due to regulatory requirements, latency constraints, or existing investments. Hybrid cloud bridges this gap: you keep sensitive or latency-critical workloads on-premises while leveraging the cloud for burst capacity, disaster recovery, development/testing, and new innovations.
How It Works — Step-by-Step Mechanism
Connectivity: A dedicated, private network link (e.g., Azure ExpressRoute or a VPN gateway) connects your on-premises network to an Azure virtual network (VNet). This link is low-latency and secure, often using MPLS or encrypted tunnels.
Identity: Azure Active Directory (Azure AD) extends your on-premises Active Directory to the cloud, enabling single sign-on and consistent access policies across both environments.
Orchestration: Tools like Azure Arc allow you to manage servers, Kubernetes clusters, and data services across on-premises, multi-cloud, and edge environments from a single Azure portal.
Data and Application Mobility: You can replicate databases (e.g., SQL Server Always On Availability Groups), synchronize files (Azure File Sync), or run containers that can be deployed anywhere.
Management and Monitoring: Azure Monitor and Azure Security Center provide unified visibility and security policies across both environments.
Key Components, Tiers, and Pricing Models
Azure Stack Hub: An extension of Azure that runs in your on-premises datacenter, providing Azure services (IaaS and PaaS) in a disconnected or connected environment. It is sold as an integrated hardware system or as a software solution for validated hardware. Pricing includes the cost of the hardware plus Azure services consumed.
Azure Arc: A management layer that extends Azure Resource Manager to non-Azure resources (on-premises, other clouds, edge). You pay for Arc-enabled services (e.g., SQL Server, Kubernetes) based on usage.
ExpressRoute: A dedicated private connection from your on-premises network to Azure, bypassing the internet. Pricing depends on bandwidth (50 Mbps to 10 Gbps) and data transfer (metered or unlimited).
VPN Gateway: An encrypted tunnel over the internet. Pricing is based on gateway type (basic, VpnGw1-5) and hours of operation.
Azure File Sync: Transforms Windows Server into a cache of an Azure file share. Pricing is based on the amount of data synced and transactions.
How It Compares to On-Premises Equivalent
A traditional on-premises environment is isolated—no elastic capacity, no pay-as-you-go, and no global reach. To handle a spike, you must over-provision hardware that sits idle most of the time. Hybrid cloud allows you to "burst" into the cloud during spikes (cloud bursting), then release resources when demand drops. For disaster recovery, on-premises requires a second datacenter (costly); hybrid cloud uses Azure as a recovery site (pay only for storage and compute during failover). The on-premises equivalent of Azure Stack Hub is simply buying more servers, but you lose the consistent Azure management experience and the ability to use cloud-native services locally.
Azure Portal and CLI Touchpoints
To set up a hybrid connection via VPN in the Azure portal: 1. Create a virtual network (VNet) in Azure. 2. Create a gateway subnet and a VPN gateway. 3. Configure the on-premises VPN device with the Azure gateway's public IP and shared key. 4. Verify connectivity by pinging a VM in the VNet from on-premises.
Using Azure CLI to create a VPN gateway:
az network vnet create --name MyVNet --resource-group MyRG --location eastus --address-prefix 10.0.0.0/16
az network vnet subnet create --name GatewaySubnet --resource-group MyRG --vnet-name MyVNet --address-prefix 10.0.1.0/27
az network public-ip create --name MyVPNGatewayIP --resource-group MyRG --allocation-method Dynamic
az network vnet-gateway create --name MyVPNGateway --resource-group MyRG --vnet MyVNet --public-ip-address MyVPNGatewayIP --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1For Azure Arc, you install the Azure Connected Machine agent on your on-premises Windows or Linux server, then register it in Azure. The CLI command:
azcmagent connect --resource-group MyRG --location eastus --subscription-id <sub-id>Concrete Business Scenarios
Retail: A clothing retailer uses hybrid cloud to process payment transactions on-premises (to meet PCI DSS compliance) while running its e-commerce website in Azure. During Black Friday, the website auto-scales to handle 10x traffic, while the payment system stays on-premises.
Manufacturing: A factory uses Azure Stack Hub to run real-time machine learning models on the factory floor (low latency, no internet dependency) while sending aggregated data to Azure for long-term analytics and training new models.
Healthcare: A hospital keeps patient records on-premises due to HIPAA regulations but uses Azure for running analytics and AI diagnostics on de-identified data. Azure File Sync keeps a local cache of the file share for fast access.
Assess Workloads and Compliance Needs
Begin by identifying which workloads must stay on-premises due to regulatory compliance (e.g., GDPR, HIPAA), latency requirements, or legacy dependencies. For example, a bank's core transaction system may need to reside on-premises because of regulatory data residency rules. Document the performance, security, and availability requirements for each workload. This assessment determines the hybrid architecture—whether you need Azure Stack Hub for local Azure services, a simple VPN for cloud bursting, or Azure Arc for unified management. Mistaking a workload as cloud-ready when it requires on-premises control is a common mistake that leads to compliance violations.
Establish Secure Network Connectivity
Create a dedicated, private connection between your on-premises network and Azure. For mission-critical workloads, use Azure ExpressRoute, which provides a private, reliable connection with bandwidth up to 10 Gbps and no data transfer over the internet. For lower-cost scenarios, use a site-to-site VPN over the internet with Azure VPN Gateway. The connection must be redundant (multiple circuits or tunnels) to meet SLAs. Azure also supports a VPN gateway SKU (VpnGw1-5) based on throughput needs. Behind the scenes, Azure creates a gateway subnet in your VNet and routes traffic through the gateway. Without this connectivity, hybrid cloud is impossible—it's the foundation.
Extend Identity and Access Management
Integrate your on-premises Active Directory with Azure AD using Azure AD Connect. This synchronizes user accounts, groups, and passwords so that users can authenticate with the same credentials across both environments. Enable single sign-on (SSO) for seamless access to cloud applications. For additional security, implement Azure AD Conditional Access policies that require multi-factor authentication (MFA) for cloud resources. The synchronization is one-way by default (on-premises to Azure AD) but can be made bidirectional for password writeback. This step ensures that access control is consistent and manageable from a single pane of glass.
Deploy Hybrid Management with Azure Arc
Install the Azure Connected Machine agent on your on-premises servers to register them with Azure Arc. This enables you to manage those servers alongside Azure VMs in the Azure portal—apply policies, inventory software, and run custom scripts. For Kubernetes clusters, enable Azure Arc-enabled Kubernetes to manage containerized applications across environments. Azure Arc also extends Azure Policy and Azure Monitor to non-Azure resources. Behind the scenes, the agent creates an outbound connection to Azure Resource Manager, allowing Azure to query and control the server. This step is optional but highly recommended for unified operations.
Enable Data and Application Mobility
Configure data replication and synchronization between on-premises and Azure. For file shares, use Azure File Sync to keep a local cache of your Azure file share on a Windows Server, enabling fast local access while centralizing data in Azure. For databases, use SQL Server Always On Availability Groups to replicate data to Azure VMs or Azure SQL Database. For containers, use Azure Kubernetes Service (AKS) with Azure Arc to deploy workloads anywhere. This mobility allows you to run workloads where it makes sense—for example, keep a database on-premises for low latency but replicate to Azure for disaster recovery. The exam focuses on the concept that hybrid cloud enables seamless movement of workloads.
Monitor and Optimize with Unified Tools
Use Azure Monitor to collect logs and metrics from both on-premises and cloud resources. Create dashboards and alerts for performance, health, and security. Azure Security Center (now part of Microsoft Defender for Cloud) provides unified security recommendations and threat detection across all environments. Periodically review cost and usage to optimize resource allocation—for example, move underutilized on-premises workloads to the cloud or right-size cloud resources. This step closes the loop, ensuring that the hybrid environment is efficient, secure, and aligned with business goals. Neglecting monitoring is a common pitfall that leads to blind spots and unexpected costs.
Scenario 1: Financial Services Compliance and Cloud Bursting A multinational bank must comply with local data residency laws that require customer transaction data to remain within the country. The bank runs its core banking system on-premises in a Tier IV datacenter. However, its risk analysis engine, which processes large datasets to detect fraud, needs massive compute power only during end-of-month reconciliation. The bank uses a hybrid cloud model: the core system stays on-premises, while the risk analysis engine runs in Azure, bursting to thousands of VMs during peak times. The connection uses Azure ExpressRoute with local peering to keep traffic within the region. Azure AD Connect syncs user accounts so analysts can access both environments with the same credentials. Azure Policy enforces that no sensitive data leaves the on-premises boundary. The cost model: the bank pays only for the compute hours used during bursts, avoiding the need to over-provision on-premises servers. If the hybrid connection fails (e.g., ExpressRoute circuit outage), the risk analysis engine cannot access the on-premises database, so the bank must have a backup VPN connection and failover procedures.
Scenario 2: Retail with Seasonal Spikes A large e-commerce retailer runs its product catalog and inventory system on-premises because of legacy dependencies on a mainframe. During holiday seasons, traffic surges 20x. The retailer uses Azure for its customer-facing web application and mobile backend. During normal days, the web app runs on a few VMs in Azure. During Black Friday, Azure Auto Scale adds hundreds of VMs automatically. The on-premises inventory system is replicated to Azure SQL Database using transactional replication, so the cloud web app can read inventory levels without hitting the mainframe. Azure Traffic Manager routes users to the nearest datacenter. The retailer also uses Azure CDN to cache static content. If the replication lag becomes too high during peak, customers see outdated stock information, leading to overselling. The team monitors replication latency with Azure Monitor and sets alerts to throttle traffic if lag exceeds 30 seconds.
Scenario 3: Healthcare with Data Sovereignty A hospital network stores electronic health records (EHRs) on-premises to comply with HIPAA. They want to use Azure AI services to analyze medical images for early disease detection. The solution is a hybrid architecture: the hospital runs Azure Stack Hub on-premises to host the AI model inference, keeping all patient data within the hospital network. The model is trained in Azure using de-identified images from multiple hospitals, then deployed to Azure Stack Hub for inference. Azure Arc manages the on-premises Kubernetes cluster running the inference service. If the internet connection goes down, the inference service continues to run locally. The hospital pays for Azure Stack Hub hardware and software, plus Azure AI training costs. A common mistake is thinking that Azure Stack Hub is a cloud service—it's an on-premises product that requires upfront hardware investment.
Objective Code: AZ-900 Domain: Cloud Concepts (15-20%) — Objective 1.3: Describe the benefits and considerations of using hybrid cloud.
The exam tests your understanding of hybrid cloud as a strategic model, not the technical details of implementation. You must know:
The definition: Hybrid cloud combines public cloud, private cloud, and on-premises infrastructure, allowing data and applications to be shared.
Key benefits: Flexibility, scalability, cost optimization (use on-premises for predictable workloads, cloud for bursts), compliance (keep sensitive data on-premises), and disaster recovery (cloud as backup site).
Key considerations: Complexity (managing two environments), security (need for consistent policies), latency (network connectivity), and cost (data transfer charges).
Common Wrong Answers and Why Candidates Choose Them 1. "Hybrid cloud is only for disaster recovery." — Candidates see DR as a common use case and assume it's the only one. Reality: Hybrid cloud also enables cloud bursting, development/testing, and extending on-premises capabilities. 2. "Hybrid cloud requires a dedicated physical connection." — Candidates confuse ExpressRoute as mandatory. Reality: You can use VPN over the internet, though ExpressRoute is preferred for performance. 3. "Hybrid cloud means you can't use public cloud services." — Candidates think hybrid is purely on-premises + private cloud. Reality: Hybrid cloud includes public cloud as an integral part. 4. "All workloads must be moved to cloud eventually." — Candidates misunderstand hybrid as a temporary state. Reality: Many organizations stay hybrid indefinitely due to compliance or latency.
Specific Terms and Values - Azure Stack Hub: The only Azure service that runs on-premises as an extension of Azure. Know that it provides IaaS and PaaS services locally. - Azure Arc: Management plane for non-Azure resources. Not a compute service—it's a management tool. - ExpressRoute: Private connection; SLA of 99.95% availability. - VPN Gateway: Encrypted tunnel over internet; typical SLA 99.95% for active-active mode.
Edge Cases and Tricky Distinctions - The exam may ask: "Which scenario is NOT a benefit of hybrid cloud?" A trap answer: "Reducing latency for all workloads." Actually, hybrid cloud can increase latency for workloads that need to communicate across the connection. The benefit is flexibility, not latency reduction. - Another trick: "Hybrid cloud eliminates the need for on-premises IT staff." False—you still need staff to manage on-premises components.
Memory Trick For benefits, remember FOC-DR: Flexibility, Operational efficiency, Cost optimization, Disaster Recovery. For considerations, remember C-SEC: Complexity, Security, Expense (data transfer), Connectivity.
Hybrid cloud combines on-premises, private cloud, and public cloud with orchestration between them.
Key benefits: flexibility, scalability, cost optimization, compliance, and disaster recovery.
Azure ExpressRoute provides a dedicated private connection with up to 10 Gbps bandwidth and 99.95% SLA.
Azure VPN Gateway provides encrypted connectivity over the internet with various SKUs (Basic, VpnGw1-5).
Azure Arc extends Azure management to any infrastructure—on-premises, multi-cloud, edge.
Azure Stack Hub brings Azure services to your datacenter for disconnected or low-latency scenarios.
Hybrid cloud is NOT the same as multi-cloud; multi-cloud involves multiple public clouds, not on-premises.
Common exam scenario: cloud bursting—using public cloud for peak demand while keeping steady workloads on-premises.
These come up on the exam all the time. Here's how to tell them apart.
Hybrid Cloud
Includes on-premises infrastructure
Requires network connectivity (VPN/ExpressRoute)
Allows sensitive data to stay on-premises
Higher management complexity
Best for regulated industries or latency-sensitive workloads
Public Cloud Only
All resources are in the cloud
No on-premises hardware to manage
Data must leave your premises
Simpler management (single environment)
Best for startups or greenfield projects
Mistake
Hybrid cloud is the same as multi-cloud.
Correct
Hybrid cloud connects on-premises/private cloud with public cloud. Multi-cloud uses multiple public cloud providers (e.g., Azure and AWS) but does not necessarily include on-premises. The exam distinguishes these clearly: hybrid includes on-premises; multi-cloud does not.
Mistake
You need Azure Stack Hub to have a hybrid cloud.
Correct
Azure Stack Hub is one option for running Azure services on-premises, but hybrid cloud can be achieved with just a VPN connection and Azure Arc. Many hybrid setups use Azure VMs for bursting without any on-premises Azure service.
Mistake
Hybrid cloud always reduces costs.
Correct
Hybrid cloud can reduce costs by avoiding over-provisioning, but it also introduces data transfer costs, additional management overhead, and the need for dedicated connectivity. Total cost of ownership (TCO) must be evaluated case by case.
Mistake
All on-premises workloads can be moved to the cloud with hybrid cloud.
Correct
Hybrid cloud allows some workloads to remain on-premises, but not all workloads are suitable for hybrid due to extreme latency sensitivity, legacy dependencies, or regulatory constraints. Some workloads may need to stay fully on-premises.
Mistake
Hybrid cloud is only for large enterprises.
Correct
Small and medium businesses also use hybrid cloud—for example, using a VPN to back up on-premises data to Azure or using Azure File Sync to centralize file shares. The exam does not restrict hybrid cloud to any organization size.
Hybrid cloud combines on-premises/private cloud with public cloud (e.g., Azure + your datacenter). Multi-cloud uses multiple public cloud providers (e.g., Azure + AWS) but does not include on-premises. The exam expects you to know that hybrid cloud always involves an on-premises component. A memory aid: hybrid = mix of private and public; multi = many public clouds.
No. Azure Stack Hub is one option for running Azure services on-premises, but you can achieve hybrid cloud with just a VPN connection and Azure Arc. Many organizations use hybrid cloud simply by connecting their on-premises network to Azure via VPN and extending management with Azure Arc. Azure Stack Hub is for scenarios where you need Azure services locally (e.g., disconnected environments).
Cloud bursting is a hybrid cloud scenario where an application runs on-premises under normal load but 'bursts' into the public cloud during peak demand. For example, a retail website uses on-premises servers for baseline traffic but automatically provisions Azure VMs during Black Friday. This is enabled by a VPN or ExpressRoute connection, and often uses Azure Load Balancer to distribute traffic. The benefit is that you only pay for cloud resources when needed.
Key challenges include: (1) Complexity—managing two environments with different tools and processes; (2) Security—ensuring consistent policies across on-premises and cloud; (3) Latency—network connectivity can introduce delays for workloads that require real-time communication; (4) Cost—data transfer charges and the cost of dedicated connectivity (ExpressRoute) can add up. The exam may ask you to identify these as considerations.
Yes. Azure AD Connect syncs on-premises Active Directory with Azure AD, enabling single sign-on and consistent access policies. You can also enable password hash sync, pass-through authentication, or federation with ADFS. This is a core component of any hybrid cloud deployment because it ensures users can authenticate to both environments with the same credentials.
Azure Arc is a management tool that extends Azure Resource Manager to non-Azure resources, including on-premises servers, Kubernetes clusters, and even other clouds. It allows you to apply Azure policies, monitor with Azure Monitor, and manage resources from the Azure portal. Azure Arc is a key enabler of hybrid cloud because it provides a unified management plane across environments.
It depends. Hybrid cloud can be more expensive due to the costs of on-premises hardware, maintenance, and connectivity (ExpressRoute or VPN). However, for workloads with predictable baseline demand and occasional spikes, hybrid can be cheaper than running everything in the cloud 24/7. The exam expects you to understand that cost optimization is a benefit, but it requires careful planning.
You've just covered Hybrid Cloud Benefits and Use Cases — now see how well it sticks with free AZ-900 practice questions. Full explanations included, no account needed.
Done with this chapter?