SkarpSkarp

Chapter 9 of 20

Azure Networking Fundamentals: VNets, Connectivity, and Endpoints

Connect the dots between on-premises networks and Azure by learning how virtual networks, subnets, VPNs, and endpoints secure and route traffic in the cloud.

27 min readen

Big Picture: Why Azure Networking Matters

Where Networking Fits

You have seen Azure resources, groups, subscriptions, and compute options. Networking ties them together so resources talk to each other, the internet, and on-premises systems.

Key Building Blocks

You need to recognize VNets and subnets, connectivity options like VPN Gateway and ExpressRoute, public vs private endpoints, and how DNS resolves names to IPs in Azure.

Exam Context

These topics sit mainly in Azure Architecture and Services (38%) and also support Cloud Concepts and Management and Governance domains on AZ-900.

Scenario to Keep in Mind

Imagine moving a web app and database to Azure while keeping some systems on-premises. You must design VNets, choose connectivity, pick endpoints, and ensure name resolution.

Azure Virtual Networks (VNets): Your Private Network in Azure

What is a VNet?

An Azure Virtual Network (VNet) is a logically isolated private network in Azure where you place resources like VMs and some PaaS services.

Key Properties

VNets have private IP address spaces (for example 10.0.0.0/16), are scoped to a single region, and are isolated from other VNets and tenants.

VNet as Your Cloud LAN

Conceptually, a VNet is your on-premises LAN extended into Azure. Every VM must live in a subnet of a VNet and gets an IP from its address range.

Diagram Recognition

On AZ-900 diagrams, look for a big box labeled VNet with smaller subnet boxes and resources inside. That box represents your private network boundary.

Subnets, Network Security Groups, and Basic Segmentation

What is a Subnet?

A subnet is a smaller IP range inside a VNet, used to group and organize resources. Example: VNet 10.0.0.0/16 with subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24.

Why Use Subnets?

Subnets help you organize workloads, apply different security controls, and influence routing. Web, app, and database tiers often live in separate subnets.

Network Security Groups

Network Security Groups (NSGs) contain allow or deny rules for traffic. You attach them to subnets or NICs to control which ports and sources are permitted.

Typical Exam Pattern

Expect questions where databases belong in restricted subnets and NSGs are used to filter network traffic, not to manage user identities or encrypt data.

Worked Example: Designing a Simple 3-Tier VNet

Scenario Requirements

Website must be public, API only for internal and web tier, database never directly internet-facing. This is a classic 3-tier application design.

VNet and Subnets

Create Prod-VNet (10.10.0.0/16) with WebSubnet, AppSubnet, and DbSubnet using /24 ranges to separate web, app, and database tiers.

NSG Design

NSG-Web allows HTTP/HTTPS from Internet; NSG-App allows from WebSubnet only; NSG-Db allows from AppSubnet only. All other inbound traffic is denied.

Reading the Diagram

In exam diagrams, look for which subnet has rules allowing internet traffic. That subnet is public-facing; others with restricted rules are internal-only tiers.

Connecting to the Internet and Between VNets

Internet Access Basics

Resources with public IPs can send and receive internet traffic. Without a public IP, they can usually go out but cannot be reached directly from the internet.

What is VNet Peering?

VNet peering links two VNets so traffic flows privately over the Microsoft backbone, not the public internet, as if they were one extended network.

Common Uses of Peering

Use peering for hub-and-spoke designs or to connect Dev, Test, and Prod VNets to shared services without exposing them to the internet.

Exam Distinction

VNet peering is Azure-internal VNet-to-VNet connectivity. VPN Gateways are for connecting on-premises networks or doing encrypted VNet-to-VNet over VPN.

Hybrid Connectivity: VPN Gateway vs ExpressRoute (Conceptual)

Why Hybrid Connectivity?

Most organizations keep some workloads on-premises and move others to Azure, so they need secure, reliable connections between on-prem networks and VNets.

VPN Gateway Overview

VPN Gateway is a virtual network gateway that uses encrypted IPsec tunnels over the public internet to connect on-premises VPN devices or other VNets.

ExpressRoute Overview

ExpressRoute provides a private, dedicated connection via a connectivity provider. Traffic does not traverse the public internet and latency is more predictable.

Choosing Between Them

Use VPN Gateway when you need lower cost and flexibility. Use ExpressRoute when you need higher bandwidth, lower latency, or stricter compliance and reliability.

Public vs Private Endpoints for Azure Services

Why Endpoints Matter

PaaS services like Storage and SQL Database are not inside your VNet by default. Endpoints control whether clients reach them via public or private IPs.

Public Endpoints

Public endpoints expose a public IP and DNS name on the internet. Access can be restricted with firewalls, but traffic conceptually uses the public network.

Private Endpoints

Private endpoints create a private IP in your VNet for a specific service. Traffic stays on the Microsoft backbone and is reachable only from private networks.

Picking the Right Endpoint

If you must minimize internet exposure and keep traffic private, choose private endpoints. If you need broad internet reach, use public endpoints with proper security.

DNS and Name Resolution Basics in Azure

What DNS Does

DNS converts human-friendly names into IP addresses. In Azure, it lets VMs and services find each other using names instead of hard-coded IPs.

Azure-provided and Custom DNS

VNets can use Azure’s built-in DNS or custom DNS servers, such as on-premises AD DNS, for integrated name resolution across environments.

Private DNS Zones

Private DNS zones work with private endpoints so that service names resolve to private IPs in your VNet instead of public addresses.

Common DNS Exam Clue

If a scenario says private endpoints exist but names do not resolve, the likely fix is linking the VNet to a private DNS zone or configuring DNS servers.

Thought Exercise: Choosing Connectivity and Endpoints

Work through this scenario mentally. You do not need to configure anything; just reason it out.

Scenario

Contoso has:

  • An on-premises datacenter with an internal HR system.
  • A new payroll application hosted on Azure VMs.
  • An Azure SQL Database that stores payroll data.

Requirements:

  1. HR staff in the on-premises office must access the payroll app securely.
  2. The payroll app VMs must access Azure SQL Database without exposing the database to the internet.
  3. Budget is limited; they prefer not to pay for a dedicated private circuit.

Questions to think about

  1. For on-premises to Azure connectivity, which is more appropriate, VPN Gateway or ExpressRoute? Why?
  2. For the Azure SQL Database, should Contoso use a public endpoint or a private endpoint? Why?
  3. Where should the private endpoint (if you choose it) be placed: in the VNet of the payroll app, or in some other VNet?

Suggested reasoning path

  • Start by classifying requirements: hybrid connectivity, security, cost.
  • Map each requirement to a networking feature: VPN Gateway vs ExpressRoute, public vs private endpoint.
  • Visualize the diagram: on-premises network on the left, Azure VNet with payroll VMs and SQL on the right, plus a gateway and possibly a private endpoint.

Pause for a moment and decide your answers before moving on to the quizzes. Try to explain each choice in one or two sentences, as you would on an oral exam.

Quiz 1: VNets, Subnets, and Hybrid Connectivity

Check your understanding of VNets, subnets, and on-premises connectivity.

Your company has a VNet in Azure with separate subnets for web and database tiers. They want to connect their on-premises datacenter to this VNet over an encrypted tunnel using the public internet, with minimal cost. Which Azure feature best fits this requirement?

  1. VNet peering
  2. VPN Gateway
  3. ExpressRoute
  4. Private endpoint
Show Answer

Answer: B) VPN Gateway

**VPN Gateway** is correct because it provides encrypted VPN tunnels over the public internet between on-premises networks and Azure VNets at relatively low cost. VNet peering connects only Azure VNets. ExpressRoute uses a private dedicated circuit and is typically more expensive. A private endpoint exposes a specific PaaS resource via a private IP but does not itself connect on-premises networks.

Quiz 2: Public vs Private Endpoints and DNS

Test your understanding of endpoints and name resolution.

You deployed an Azure Storage account and created a private endpoint for it in your VNet. VMs in the same VNet cannot access the storage account using its usual public DNS name. What is the most likely missing configuration?

  1. Assigning a public IP address to the VMs
  2. Creating a VPN Gateway in the VNet
  3. Linking the VNet to an Azure private DNS zone for the storage account
  4. Enabling VNet peering between subnets in the same VNet
Show Answer

Answer: C) Linking the VNet to an Azure private DNS zone for the storage account

When you use a **private endpoint**, you typically need a **private DNS zone** linked to the VNet so that the storage account name resolves to the private IP in the VNet. Assigning public IPs to VMs does not fix name resolution. A VPN Gateway is for on-premises connectivity, not internal DNS. You do not peer subnets inside the same VNet; peering is between separate VNets.

Key Networking Terms Review

Flip the cards to reinforce core Azure networking concepts for AZ-900.

Azure Virtual Network (VNet)
A logically isolated private network in Azure where you define address spaces and subnets and place resources such as VMs and some PaaS services via private endpoints.
Subnet
A smaller IP range within a VNet’s address space used to group and organize resources, apply security (for example NSGs), and control routing.
Network Security Group (NSG)
A set of allow/deny rules that filter inbound and outbound network traffic to Azure resources at the subnet or network interface level based on IP, port, and protocol.
VNet peering
A feature that connects two Azure VNets so that traffic flows privately over the Microsoft backbone network, making them behave like one extended network.
VPN Gateway
A virtual network gateway that provides encrypted VPN tunnels over the public internet between on-premises networks (or other VNets) and an Azure VNet.
ExpressRoute
A service that provides a private, dedicated connection between your on-premises network and Azure, offering more predictable latency and higher bandwidth than typical internet VPNs.
Public endpoint
An internet-accessible endpoint for an Azure service that uses a public IP and DNS name, optionally restricted by firewalls or IP rules.
Private endpoint
A network interface with a private IP from your VNet that securely connects to a specific Azure PaaS resource so traffic stays on the Microsoft backbone.
Private DNS zone
An Azure DNS feature that lets you manage DNS records for a domain within one or more VNets, commonly used so private endpoints resolve to private IP addresses.
Hybrid connectivity
A design where on-premises networks are securely connected to Azure VNets, typically using VPN Gateway or ExpressRoute.

Key Terms

Subnet
A smaller IP range within a VNet’s address space used to group and organize resources, apply security, and control routing.
VPN Gateway
A virtual network gateway that provides encrypted VPN tunnels over the public internet between on-premises networks (or other VNets) and an Azure VNet.
ExpressRoute
A service that provides a private, dedicated connection between your on-premises network and Azure, offering more predictable latency and higher bandwidth than typical internet VPNs.
VNet peering
A feature that connects two Azure VNets so that traffic flows privately over the Microsoft backbone network, making them behave like one extended network.
Public endpoint
An internet-accessible endpoint for an Azure service that uses a public IP and DNS name, optionally restricted by firewalls or IP rules.
Private DNS zone
An Azure DNS feature that lets you manage DNS records for a domain within one or more VNets, commonly used so private endpoints resolve to private IP addresses.
Private endpoint
A network interface with a private IP from your VNet that securely connects to a specific Azure PaaS resource so traffic stays on the Microsoft backbone.
Hybrid connectivity
A design where on-premises networks are securely connected to Azure VNets, typically using VPN Gateway or ExpressRoute.
DNS (Domain Name System)
The system that translates human-readable names (like myapp.contoso.com) into IP addresses that computers use to communicate.
Azure Virtual Network (VNet)
A logically isolated private network in Azure where you define address spaces and subnets and place resources such as VMs and some PaaS services via private endpoints.
Network Security Group (NSG)
A set of allow/deny rules that filter inbound and outbound network traffic to Azure resources at the subnet or network interface level based on IP, port, and protocol.

Finished reading?

Test your understanding with a custom practice exam on this chapter.

Test yourself