SkarpChapter 7 of 21
Azure Networking Fundamentals: Virtual Networks, Connectivity, and Endpoints
Connect the dots between on-premises and Azure with a clear picture of virtual networks, subnets, VPNs, and public vs private endpoints.
Big Picture: Why Azure Networking Matters
Where Networking Fits
You have seen Azure regions, Availability Zones, and compute services. Networking is the glue that lets these pieces talk to each other securely and reliably.
Exam Relevance
For AZ-900, you must recognize the main networking building blocks and when to use them, not design complex topologies.
What You Will Learn
You will learn VNets, subnets, VNet peering, VPN Gateway, ExpressRoute, and public vs private endpoints, plus common secure patterns.
City Analogy
Think of Azure as a city: regions are districts, datacenters are buildings, VNets are private floors, subnets are rooms, endpoints are doors and windows.
Azure Virtual Networks (VNets): Your Private Network in Azure
What Is a VNet?
An Azure Virtual Network (VNet) is a logically isolated private network in Azure where you place resources like VMs and some PaaS services.
Core Properties
VNets are isolated, use private IP ranges you choose, live in a single region, and can connect to other VNets, the internet, and on-premises.
Regions and Zones
A VNet is created in one region but can span multiple Availability Zones in that region, hosting resilient workloads.
Exam Clues
Phrases like "isolate Azure resources" or "control private IP space" usually point to using an Azure Virtual Network.
Subnets, Network Security Groups, and Name Resolution Basics
Subnets Organize a VNet
Subnets are smaller IP ranges inside a VNet used to group resources, often by function, such as web, app, and database tiers.
Security Boundaries
Subnets often align with security boundaries. Each subnet can have its own rules and policies applied.
Network Security Groups
NSGs are basic firewalls you attach to subnets or NICs, with rules that allow or deny traffic by IP, port, and protocol.
Name Resolution
Azure provides basic internal DNS so VMs can resolve each other by name. You can also use custom DNS for hybrid setups.
Designing a Simple 3-Tier App VNet
Scenario Overview
Company deploys a 3-tier app: web front end (public), app tier (internal), and database (highly restricted) in Azure.
VNet and Address Space
Create one VNet in East US with address space 10.0.0.0/16 to host all tiers and allow room to grow.
Subnets per Tier
Define web-subnet 10.0.1.0/24, app-subnet 10.0.2.0/24, and db-subnet 10.0.3.0/24 to separate tiers.
Securing Traffic
Use NSGs so internet reaches only web-subnet, web talks to app, app talks to db, and db has no direct internet access.
Connecting VNets: VNet Peering and Global Reach
Why Multiple VNets?
You may create separate VNets for different apps or teams, or to build hub-and-spoke designs with shared services.
What Is VNet Peering?
VNet peering links two VNets so resources communicate over private IPs, as if on the same network.
Key Characteristics
Peering can be regional or global, uses the Microsoft backbone, requires non-overlapping IPs, and is non-transitive by default.
Exam Clue
If two Azure VNets must talk privately, choose VNet peering, not VPN Gateway or ExpressRoute.
Hybrid Connectivity: VPN Gateway vs ExpressRoute
Hybrid Cloud Reminder
Hybrid cloud combines public and private clouds so data and applications can be shared between them. Azure supports this with network connectivity.
VPN Gateway Overview
VPN Gateway uses encrypted tunnels over the public internet between your on-premises VPN device and an Azure VNet.
ExpressRoute Overview
ExpressRoute provides a private, dedicated connection from your network to Azure through a connectivity provider, avoiding the public internet.
Exam Distinction
Internet-based, lower cost, quick setup → VPN Gateway. Private, predictable, higher performance → ExpressRoute.
Public Endpoints vs Private Endpoints for Azure Services
What Is an Endpoint?
An endpoint is how clients connect to a service, often via a DNS name and IP address, either public or private.
Public Endpoints
Public endpoints are reachable over the internet using a public IP or DNS name, suitable for public websites or APIs.
Private Endpoints
A private endpoint gives a PaaS resource a private IP from your VNet, keeping traffic on the Microsoft backbone, not the internet.
Exam Clues
Need private VNet-only access to a PaaS service? Choose a private endpoint. Need users on the internet to reach it? Use a public endpoint.
Secure Access Patterns: Internet and On-Premises
Pattern 1: Public Web App
A web app in Azure exposes a public endpoint for users, while app and database tiers remain in private subnets.
Securing the Public App
Use HTTPS, possibly a Web Application Firewall, and NSGs or just-in-time access to protect management ports.
Pattern 2: Private Database Access
An Azure SQL Database uses a private endpoint in a VNet, with on-premises connectivity via VPN Gateway or ExpressRoute.
Reading Exam Scenarios
Keywords like "internet users" point to public endpoints; "internal only" and "no public access" point to private endpoints plus hybrid connectivity.
Thought Exercise: Choose the Right Connectivity
Work through these short scenarios mentally. There are no right/wrong buttons here; use it to practice your reasoning before the quizzes.
- Scenario A
- A startup hosts a small web app on Azure VMs. They need their office network to reach the VMs privately, but cost is a big concern. Occasional latency spikes are acceptable.
- Ask yourself:
- Which hybrid option fits: VPN Gateway or ExpressRoute?
- Do they need public endpoints, private endpoints, or both?
- Scenario B
- A bank migrates its core payment system database to Azure SQL Database. Regulations require that database traffic must not traverse the public internet. They already have a high-capacity MPLS link to a connectivity provider.
- Ask yourself:
- Which connectivity option is more appropriate?
- Should the database use a public endpoint, private endpoint, or both?
- Scenario C
- Two departments in the same company each have their own VNet in the same Azure region. They now want their applications to talk to each other using private IP addresses only.
- Ask yourself:
- Which feature lets you connect these VNets?
After you decide, check yourself:
- Scenario A: VPN Gateway + likely a public endpoint for internet users; office traffic uses the VPN.
- Scenario B: ExpressRoute + private endpoint for the database; public access disabled.
- Scenario C: VNet peering between the two VNets.
Quiz 1: VNets, Subnets, and Peering
Test your understanding of VNets, subnets, and VNet peering.
Your company has two applications in the same Azure region. Each app is deployed in its own VNet with non-overlapping IP ranges. The apps must communicate using private IP addresses only, with low latency, and without sending traffic over the public internet. Which Azure feature should you use?
- Azure Virtual Network peering between the two VNets
- Azure VPN Gateway with a site-to-site VPN between the VNets
- ExpressRoute circuit between the two VNets
- Assign public IP addresses to the VMs and use NSGs to restrict access
Show Answer
Answer: A) Azure Virtual Network peering between the two VNets
VNet peering is designed to connect two VNets so resources communicate over private IPs using the Microsoft backbone, with low latency and without using the public internet. VPN Gateway and ExpressRoute are mainly for connecting Azure to external networks. Public IPs would expose the VMs to the internet, which the scenario does not want.
Quiz 2: Hybrid Connectivity and Endpoints
Check your understanding of VPN Gateway, ExpressRoute, and endpoints.
A healthcare provider needs a highly reliable, private connection from its on-premises datacenter to Azure for large, sensitive medical imaging files. Regulations state that traffic must not traverse the public internet. Which combination best meets this requirement?
- VPN Gateway plus public endpoints on all storage accounts
- ExpressRoute plus private endpoints for storage accounts
- VNet peering plus public endpoints for storage accounts
- Assign public IPs to storage accounts and restrict access with NSGs
Show Answer
Answer: B) ExpressRoute plus private endpoints for storage accounts
ExpressRoute provides a private, dedicated connection that does not traverse the public internet, which fits the regulatory requirement. Private endpoints give storage accounts private IPs in the VNet, so access stays on the Microsoft backbone. VPN Gateway uses the public internet, VNet peering is VNet-to-VNet only, and public IPs would expose storage to the internet.
Key Term Flashcards: Azure Networking Fundamentals
Use these cards to reinforce the core terms you need for AZ-900 networking questions.
- Azure Virtual Network (VNet)
- A logically isolated private network in Azure where you place resources like virtual machines and some PaaS services, using a private IP address space you control.
- Subnet
- A smaller IP range within a VNet used to organize and isolate resources, often aligning with application tiers or security boundaries.
- Network Security Group (NSG)
- A set of inbound and outbound security rules that act like a basic firewall for subnets or network interfaces, controlling traffic based on IP, port, and protocol.
- VNet peering
- An Azure feature that connects two VNets so resources can communicate using private IP addresses over the Microsoft backbone network.
- VPN Gateway
- An Azure service that provides secure, encrypted connectivity over the public internet between an on-premises VPN device and an Azure VNet.
- ExpressRoute
- An Azure service that provides a private, dedicated connection between your on-premises network and Azure through a connectivity provider, bypassing the public internet.
- Public endpoint
- An internet-accessible IP address or DNS name for an Azure resource, allowing clients on the public internet to connect (subject to security controls).
- Private endpoint (Private Link)
- A network interface with a private IP from your VNet that connects privately to a specific Azure PaaS resource, keeping traffic off the public internet.
- Hybrid connectivity
- Any network connection that links on-premises or private cloud environments with Azure, typically using VPN Gateway or ExpressRoute.
Key Terms
- Subnet
- A smaller IP range within a VNet used to organize and isolate resources, often aligning with application tiers or security boundaries.
- VPN Gateway
- An Azure service that provides secure, encrypted connectivity over the public internet between an on-premises VPN device and an Azure VNet.
- ExpressRoute
- An Azure service that provides a private, dedicated connection between your on-premises network and Azure through a connectivity provider, bypassing the public internet.
- VNet peering
- An Azure feature that connects two VNets so resources can communicate using private IP addresses over the Microsoft backbone network.
- Public endpoint
- An internet-accessible IP address or DNS name for an Azure resource, allowing clients on the public internet to connect (subject to security controls).
- Hybrid connectivity
- Any network connection that links on-premises or private cloud environments with Azure, typically using VPN Gateway or ExpressRoute.
- Azure Virtual Network (VNet)
- A logically isolated private network in Azure where you place resources like virtual machines and some PaaS services, using a private IP address space you control.
- Network Security Group (NSG)
- A set of inbound and outbound security rules that act like a basic firewall for subnets or network interfaces, controlling traffic based on IP, port, and protocol.
- Private endpoint (Private Link)
- A network interface with a private IP from your VNet that connects privately to a specific Azure PaaS resource, keeping traffic off the public internet.