1.3 Cloud Deployment Models (Public, Private, Hybrid)

Key Takeaways

  • Public cloud is multi-tenant infrastructure owned and operated by a provider (Azure) and delivered over the internet with no CapEx.
  • Private cloud is single-tenant infrastructure dedicated to one organization, hosted on-premises or by a third party, offering maximum control but higher cost.
  • Hybrid cloud connects public and private environments so workloads and data can move between them — the most common enterprise model.
  • Multi-cloud uses two or more providers (e.g., Azure + AWS) to avoid lock-in and pick best-of-breed services.
  • Azure Arc projects Azure management onto on-premises, multi-cloud, and edge resources from a single control plane; Azure Stack and ExpressRoute/VPN Gateway enable hybrid connectivity.
Last updated: June 2026

Quick Answer: Public cloud = shared, provider-owned infrastructure (Azure). Private cloud = dedicated to one organization. Hybrid cloud = public + private connected together. Multi-cloud = services from two or more providers at once.

Deployment models describe where and for whom the cloud runs, separate from service models (which describe abstraction). AZ-900 tests these mostly through scenarios, so learn the trigger phrases.

Public Cloud

A public cloud is owned and operated by a third party (Microsoft for Azure) and serves many customers from shared hardware over the internet.

  • Characteristics: provider-owned, multi-tenant, internet-accessible (or via private links like ExpressRoute), pay-as-you-go, near-unlimited scale, no hardware to buy.
  • Advantages: no CapEx, high agility, elastic scale, global reach, consumption pricing.
  • Disadvantages: less direct control over hardware/compliance; possible "noisy neighbor" contention; some regulated data may not be permitted.
  • Azure examples: Azure VMs, Azure Storage, Azure App Service — all public-cloud services.

Private Cloud

A private cloud is dedicated to a single organization, hosted in its own data center or by a third party, offering cloud-like self-service within an isolated boundary.

  • Characteristics: single-tenant, on-prem or hosted, full control of security and data sovereignty, requires CapEx and skilled staff (if on-prem).
  • Advantages: maximum control, deep customization, easier strict regulatory compliance (government, healthcare, finance), supports legacy apps that cannot move.
  • Disadvantages: higher cost, capacity limited by owned hardware, slower provisioning, heavier staffing.
  • Azure private-cloud solutions: Azure Stack Hub and Azure Stack HCI bring Azure services into your own data center.

Hybrid Cloud

A hybrid cloud combines public and private environments and lets data and applications move between them. It is the most common enterprise deployment model.

  • Characteristics: integrates Azure with on-prem/hosted private cloud; you place each workload where it fits best.
  • Advantages: keep regulated data on-prem while bursting other workloads to Azure; cost optimization (steady-state private, variable public); cloud-based disaster recovery for on-prem systems; gradual, paced migration.
  • Disadvantages: operational complexity, integration effort, broader skill requirements across both environments.
  • Azure hybrid solutions: Azure Arc, Azure Stack, Azure ExpressRoute (private dedicated connection), Azure VPN Gateway (encrypted tunnel over the internet).

Multi-Cloud

A multi-cloud strategy uses two or more providers at once (Azure + AWS, Azure + Google Cloud).

  • Why: avoid vendor lock-in, choose best-of-breed services, meet customer or regulatory mandates.
  • Cost: higher management overhead and broader skill needs.
  • Azure tool: Azure Arc governs resources across Azure, other clouds, and on-prem from one control plane.

Deployment Model Comparison

Aspect          | Public                 | Private             | Hybrid
Ownership       | Provider               | Organization        | Both
Tenancy         | Multi-tenant           | Single-tenant       | Mixed
CapEx           | None (OpEx)            | High                | Medium
Scalability     | Near-unlimited         | Limited by hardware | Flexible
Control         | Limited                | Full                | Balanced
Compliance fit  | Depends on provider    | Full org control    | Flexible per workload
Best for        | Most general workloads | Regulated/legacy    | Mixed enterprise needs

On the Exam — trigger phrases:

  • "Use existing on-prem hardware and Azure together" or "keep sensitive data on-prem while using Azure for the website" = hybrid.
  • "Dedicated to one company, full control, strict regulation, on-prem" = private.
  • "No hardware, pay-as-you-go, shared with other customers" = public.
  • "Spread workloads across Azure and AWS" = multi-cloud.

Azure Arc — Extend Azure Anywhere

Azure Arc projects the Azure control plane onto resources that live outside Azure, so you manage them with the same governance (Azure Policy, RBAC, tags) you use in Azure:

  • Arc-enabled servers — manage Windows/Linux machines hosted on-prem or in other clouds.
  • Arc-enabled Kubernetes — govern any CNCF-conformant cluster, wherever it runs.
  • Arc-enabled data services — run Azure SQL Managed Instance and PostgreSQL on your own infrastructure.
  • Arc-enabled app services — run App Service, Functions, and Logic Apps on any Kubernetes cluster.
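
Because Arc-projected resources appear in the same Azure inventory as native ones, a single Azure Resource Graph query can check tag governance across both. The query below is an added example, not part of the original page; the tag name DataClassification is a hypothetical placeholder for whatever tag your organization requires.

```kusto
// Added example: one inventory across native Azure VMs and Arc-projected resources.
// 'DataClassification' is a hypothetical tag name; substitute your required tag.
Resources
| where type in~ (
    'microsoft.compute/virtualmachines',      // native Azure VMs
    'microsoft.hybridcompute/machines',       // Arc-enabled servers (on-prem or other clouds)
    'microsoft.kubernetes/connectedclusters'  // Arc-enabled Kubernetes clusters
  )
// Label where each resource actually runs.
| extend origin = iff(type =~ 'microsoft.compute/virtualmachines', 'Azure', 'Arc (outside Azure)')
// Read the required tag; a missing tag yields an empty string.
| extend classification = tostring(tags['DataClassification'])
| extend tagState = iff(isempty(classification), 'MISSING', 'present')
// Count compliant and non-compliant resources per origin and type.
| summarize resources = count() by origin, type, tagState
| order by origin asc, type asc
```

Rows with tagState = MISSING under the Arc origin are machines or clusters outside Azure that the tag requirement has not yet reached.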

Common Trap: Do not confuse the connectivity tools with the management tool. ExpressRoute/VPN Gateway create the network link for hybrid; Azure Arc provides unified management and governance across hybrid and multi-cloud. A question asking how to manage on-prem servers from the Azure portal points to Arc, not ExpressRoute.

Hybrid Connectivity: ExpressRoute vs VPN Gateway

Because hybrid is the most tested deployment model, know the two ways to connect on-premises networks to Azure:

Connection   | How it works                                                          | When to choose it
VPN Gateway  | Encrypted IPsec tunnel over the public internet                       | Lower cost, quick to set up, modest or variable bandwidth needs
ExpressRoute | Private, dedicated circuit that does NOT traverse the public internet | Higher, predictable bandwidth, lower latency, stricter compliance, mission-critical links

ExpressRoute traffic never touches the public internet, which is why regulated industries prefer it; VPN Gateway is faster to deploy and cheaper but rides the internet and inherits its variability.

Service Models vs Deployment Models — Do Not Mix Them Up

AZ-900 often combines both axes in one question, and students conflate them. They are independent: a service model (IaaS/PaaS/SaaS) describes how much of the stack the provider manages, while a deployment model (public/private/hybrid/multi-cloud) describes where and for whom the infrastructure runs. You can run IaaS in a public cloud, a private cloud, or a hybrid arrangement. If a stem asks "who patches the OS," answer with a service model; if it asks "where does the workload physically run and who owns the hardware," answer with a deployment model.

Worked Scenario: Picking a Deployment Model

A bank is bound by regulations that forbid storing core transaction data outside its own data centers, yet it wants the elastic scale of Azure for a customer mobile app that has unpredictable load. The correct answer is hybrid cloud: the regulated transaction system stays on a private cloud on-premises, the mobile back end runs in the Azure public cloud, and the two are joined by ExpressRoute for a private, high-bandwidth link, all governed centrally through Azure Arc.

This single example exercises the deployment-model vocabulary, the connectivity tools, and the management tool together — a realistic AZ-900 scenario format.

Test Your Knowledge

A hospital must keep patient records on-premises for compliance but wants to host its public marketing website on Azure, with the two environments connected. Which deployment model fits?

Test Your Knowledge

Which Azure technology lets you manage on-premises servers and Kubernetes clusters from the Azure portal using the same governance tools as native Azure resources?

Test Your Knowledge

An organization runs production workloads on both Microsoft Azure and Amazon Web Services to avoid dependence on a single vendor. This approach is BEST described as:
