AZ-900 | Chapter 103 of 127 | Objective 2.3

Azure Networking Concepts Overview

This chapter covers Azure networking concepts essential for the AZ-900 exam. You'll learn about Virtual Networks, subnets, peering, VPN Gateway, ExpressRoute, Load Balancer, Traffic Manager, Azure DNS, Azure Firewall, and CDN. Networking is a core part of Azure Architecture Services (Objective 2.3) and typically appears in 10-15% of exam questions. Understanding these concepts is critical because networking is the backbone of any cloud deployment.

25 min read
Beginner
Updated May 31, 2026

Azure Networking as a City Transit System

Imagine Azure networking as a city's transit system. Your Azure Virtual Network (VNet) is the city boundary—a district where all your buildings (virtual machines, databases) are located. Subnets are neighborhoods within that district, each with its own local traffic rules (network security groups). The Azure VPN Gateway is like a secure tunnel under the river connecting your city to another city (your on-premises data center), allowing private cars (encrypted traffic) to pass without going through the public highway (the internet). Azure ExpressRoute is a dedicated, private highway built just for your company—no sharing, no traffic jams, and a guaranteed speed. Azure Load Balancer is a traffic cop at a busy intersection that distributes incoming cars (requests) evenly across multiple lanes (servers) so no lane gets backed up. Azure DNS is like the city's phone book—it translates building names (domain names) into street addresses (IP addresses). Azure Firewall is the city's security checkpoint at the border, inspecting every vehicle (packet) entering or leaving the city and blocking suspicious ones. Finally, Azure Content Delivery Network (CDN) is a network of satellite depots (edge locations) around the world that store copies of your city's most popular goods (static content) so people can grab them quickly without traveling all the way to your city.

How It Actually Works

What is Azure Networking and the Business Problem It Solves

Azure networking provides a set of services that connect cloud resources to each other and to on-premises networks. The business problem is: how do you securely and reliably connect distributed resources—virtual machines, databases, web apps—across the globe while controlling traffic, ensuring high availability, and minimizing latency? On-premises, you'd use physical routers, switches, firewalls, and leased lines. In Azure, these are virtualized and delivered as services.

How It Works: Azure Virtual Network (VNet)

An Azure Virtual Network (VNet) is a logically isolated network in the Azure cloud. Think of it as your own private network in Azure. When you create a VNet, you define an IP address space using CIDR notation (e.g., 10.0.0.0/16). You then divide this space into subnets (e.g., 10.0.1.0/24 for web servers, 10.0.2.0/24 for databases). Resources like VMs are placed into subnets. VNets are region-specific—you cannot span a VNet across regions, but you can connect VNets via peering or VPN.

Key Components

Subnets: Segments within a VNet. Each subnet has its own IP range. Network Security Groups (NSGs) and route tables can be applied per subnet.

Network Security Groups (NSGs): A firewall for inbound/outbound traffic to subnets or NICs. They contain rules that allow or deny traffic based on source/destination IP, port, and protocol. Default rules allow all outbound and deny all inbound from the internet.

Azure DNS: Hosts DNS domains and provides name resolution using Microsoft Azure infrastructure. You can use Azure DNS for public or private domains.

Azure Load Balancer: Distributes incoming traffic among healthy VM instances. It operates at Layer 4 (TCP/UDP). You can use it for internal or external traffic.

Azure Application Gateway: A Layer 7 load balancer with web application firewall (WAF) capabilities. It can route traffic based on URL path, host headers, etc.

Azure VPN Gateway: Sends encrypted traffic between an Azure VNet and an on-premises location over the public internet. Two types: policy-based (static routing) and route-based (dynamic routing).

Azure ExpressRoute: A dedicated private connection from on-premises to Azure, bypassing the internet for higher reliability, lower latency, and higher security.

Azure Traffic Manager: DNS-based traffic load balancer that distributes traffic to endpoints across global Azure regions based on routing methods (performance, weighted, priority, geographic).

Azure Firewall: A managed, cloud-based network security service that protects your VNet resources. It's a stateful firewall with built-in high availability and unlimited scalability.

Azure Content Delivery Network (CDN): Caches static content (images, videos, CSS) at edge locations worldwide to reduce latency for users.

Pricing Models

Most networking services have a consumption-based pricing model. For example, VNet itself is free, but you pay for data transfer outbound. VPN Gateway charges per hour plus data transfer. ExpressRoute charges per month based on bandwidth and circuit type (metered vs. unlimited). Load Balancer charges per hour per rule and per GB of data processed.

Comparison to On-Premises

On-premises, you need to buy, configure, and maintain physical routers, switches, firewalls, and load balancers. Scaling requires hardware procurement. In Azure, you provision these services instantly via the portal, CLI, or ARM templates. Azure handles redundancy and patching. However, you lose physical control and must manage virtual configurations.

Azure Portal and CLI Touchpoints

Azure Portal: Navigate to 'Virtual networks' to create and manage VNets. Use 'Network Watcher' for monitoring.

Azure CLI: Use az network vnet create to create a VNet, az network nsg create for NSGs, az network lb create for load balancers.

Example: create a VNet with one subnet:

az network vnet create \
  --name MyVNet \
  --resource-group MyRG \
  --location eastus \
  --address-prefix 10.0.0.0/16 \
  --subnet-name default \
  --subnet-prefix 10.0.1.0/24

Walk-Through

1. Create a Virtual Network

In the Azure portal, search for 'Virtual networks' and click 'Create'. Provide a subscription, resource group, name, and region. Define the IP address space (e.g., 10.0.0.0/16) and at least one subnet (e.g., 10.0.1.0/24). Azure automatically creates default DNS settings. You can add multiple subnets later. Behind the scenes, Azure allocates a logical network isolated to your subscription. Default limits: up to 1000 VNets per subscription per region.

2. Add Network Security Groups

After creating the VNet, create an NSG to control traffic. Go to 'Network security groups', click 'Create', specify resource group, name, and region. Then add inbound/outbound rules. For example, allow HTTP (port 80) from the internet. Associate the NSG with a subnet or NIC. Azure enforces rules in priority order (lower number = higher priority). Default rules deny all inbound from internet and allow all outbound.

3. Deploy Virtual Machines into Subnets

When creating a VM, select the VNet and subnet. Each VM gets a private IP automatically (DHCP). Optionally assign a public IP for internet access. Azure assigns a dynamic private IP by default; you can reserve a static IP. The VM's NIC is attached to the subnet, and NSG rules apply. For high availability, deploy multiple VMs in an availability set or availability zone behind a load balancer.

4. Configure VNet Peering

To connect two VNets (same or different regions), use VNet peering. In the portal, go to the first VNet, select 'Peerings', click 'Add'. Provide the second VNet's resource ID and configure settings like 'Allow gateway transit'. Azure establishes a connection with no downtime. Traffic between peered VNets stays on the Microsoft backbone. Note: you cannot peer VNets with overlapping IP ranges.

5. Set Up VPN Gateway

To connect on-premises to Azure, create a VPN gateway. First, create a gateway subnet in your VNet (named 'GatewaySubnet' with /27 or larger). Then create a VPN gateway (requires ~45 minutes). Configure the on-premises VPN device with the gateway's public IP and shared key. Azure supports IKEv1 and IKEv2. Once connected, traffic is encrypted over the internet. Pricing is per hour plus data transfer.
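The walk-through's address plan can be sanity-checked before anything is deployed. The following added example (not code from the page or from Microsoft) checks that each subnet lies inside its VNet, that subnets do not overlap, that the gateway subnet is named 'GatewaySubnet' and is /27 or larger, and that two VNets intended for peering do not share address space; all VNet names and prefixes are constructed sample values.

```python
"""Offline checks for a VNet address plan (added example, constructed sample data)."""
import ipaddress

GATEWAY_SUBNET = "GatewaySubnet"  # Azure requires exactly this name for the VPN gateway subnet

def check_vnet(name, address_space, subnets):
    """Return a list of problems found in one VNet's plan (empty list == plan is valid)."""
    problems = []
    vnet = ipaddress.ip_network(address_space)
    seen = {}
    for sub_name, prefix in subnets.items():
        net = ipaddress.ip_network(prefix)
        if not net.subnet_of(vnet):
            problems.append(f"{name}/{sub_name} {prefix} lies outside {address_space}")
        # VPN Gateway needs a /27 or larger gateway subnet (longer prefix == smaller subnet)
        if sub_name == GATEWAY_SUBNET and net.prefixlen > 27:
            problems.append(f"{name}/{sub_name} {prefix} is smaller than /27")
        for other_name, other in seen.items():
            if net.overlaps(other):
                problems.append(f"{name}/{sub_name} {prefix} overlaps {other_name} {other}")
        seen[sub_name] = net
    return problems

def can_peer(space_a, space_b):
    """VNet peering is refused for overlapping address spaces; True when peering is allowed."""
    return not ipaddress.ip_network(space_a).overlaps(ipaddress.ip_network(space_b))

# Constructed plans: the walk-through's hub, a spoke that repeats common mistakes, and a fixed spoke
HUB = ("MyVNet", "10.0.0.0/16",
       {"web": "10.0.1.0/24", "db": "10.0.2.0/24", GATEWAY_SUBNET: "10.0.255.0/27"})
SPOKE_BAD = ("SpokeVNet", "10.0.0.0/16",  # same range as the hub: the two cannot be peered
             {"app": "10.0.1.0/24", "app2": "10.0.1.128/25", GATEWAY_SUBNET: "10.0.3.0/28"})
SPOKE_OK = ("SpokeVNet", "10.1.0.0/16", {"app": "10.1.1.0/24", GATEWAY_SUBNET: "10.1.255.0/27"})

if __name__ == "__main__":
    for plan in (HUB, SPOKE_BAD, SPOKE_OK):
        print(plan[0], check_vnet(*plan) or "OK")
    print("hub <-> bad spoke peerable:", can_peer(HUB[1], SPOKE_BAD[1]))  # False
    print("hub <-> fixed spoke peerable:", can_peer(HUB[1], SPOKE_OK[1]))  # True
```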

What This Looks Like on the Job

Scenario 1: E-commerce Website with Global Users

A retail company launches an e-commerce site on Azure VMs in the East US region. To handle traffic spikes, they deploy a load balancer distributing requests across three VMs. They use Azure CDN to cache product images at edge locations worldwide, reducing load on origin servers and improving page load times for customers in Europe and Asia. They also set up Azure Traffic Manager with performance routing to direct users to the closest regional deployment (East US for US, West Europe for EU). Cost: CDN egress costs are lower than origin traffic. If misconfigured—e.g., missing NSG rules—the site could be vulnerable to DDoS attacks.

Scenario 2: Hybrid Cloud for a Financial Services Firm

A bank has an on-premises data center with legacy applications. They want to extend to Azure for burst capacity and disaster recovery. They set up an ExpressRoute circuit with a 1 Gbps connection to Azure, bypassing the internet for low latency and compliance. They create a VNet with subnets for web, app, and database tiers. They use Azure Firewall to inspect traffic between tiers and to the internet. They also deploy Azure VPN Gateway as a backup connection. Common mistake: not planning IP address ranges, causing overlaps and inability to connect. Cost: ExpressRoute monthly fee + data transfer; they choose the metered billing model for predictable costs.

Scenario 3: SaaS Application with Multi-Region Deployment

A SaaS provider runs their application in both US East and US West. They use VNet peering to connect the two VNets, allowing low-latency communication between databases. They use Azure Load Balancer in each region for high availability. They also use Traffic Manager with priority routing to failover to West if East goes down. They implement Azure DNS for custom domain names. A pitfall: forgetting to update DNS records after a failover test, causing prolonged downtime. They monitor with Azure Monitor and Network Watcher.

How AZ-900 Actually Tests This

AZ-900 Objective 2.3: Describe Azure networking services

The exam tests your ability to identify the correct service for a given scenario. Key areas: VNet, subnets, peering, VPN Gateway, ExpressRoute, Load Balancer, Traffic Manager, DNS, Firewall, CDN.

Most Common Wrong Answers and Why Candidates Choose Them

1. Choosing VPN Gateway when ExpressRoute is needed: Candidates see 'secure connection to on-premises' and pick VPN Gateway. But if the scenario mentions 'dedicated private connection', 'low latency', or 'compliance', ExpressRoute is correct. VPN Gateway uses the public internet; ExpressRoute is private.

2. Confusing Load Balancer and Traffic Manager: Load Balancer distributes traffic within a region (Layer 4). Traffic Manager distributes traffic globally (DNS-based). If the scenario says 'global distribution' or 'multiple regions', it's Traffic Manager. If 'within a region' or 'high availability for VMs', it's Load Balancer.

3. Thinking VNet peering requires VPN: VNet peering is direct, uses the Microsoft backbone, and has no encryption. VPN Gateway uses the internet with encryption. Candidates often think peering needs a gateway.

4. Mixing up NSG and Azure Firewall: NSG is a basic stateless/stateful firewall (stateful for inbound, stateless for outbound) at subnet/NIC level. Azure Firewall is a managed, stateful firewall with advanced features (FQDN filtering, threat intelligence). Exam questions may ask for a 'centralized firewall'.

Specific Terms and Values

VNet peering: supports transitive routing only if using hub-spoke with gateway transit.

VPN Gateway: SKUs (Basic, VpnGw1-5). Basic does not support BGP.

ExpressRoute: bandwidths (50 Mbps to 10 Gbps).

Load Balancer: SKUs (Basic, Standard). Standard requires NSG association.

Traffic Manager: routing methods (performance, weighted, priority, geographic, multivalue, subnet).

Edge Cases

VNet peering between regions (global peering) is supported but incurs data transfer costs.

Azure Firewall is deployed in a hub VNet and requires a route table to direct traffic.

CDN can be used with Azure Storage, Web Apps, or custom origins.

Memory Trick

Use the acronym 'VSLT-FED' for the main services: Virtual Network, Subnets, Load Balancer, Traffic Manager, Firewall, ExpressRoute, DNS. Or think: 'VNet is the house, subnets are rooms, NSGs are door locks, Load Balancer is a butler, Traffic Manager is a GPS, ExpressRoute is a private driveway, Firewall is a security guard, DNS is a phonebook, CDN is a storage shed at the mall.'

Key Takeaways

Azure VNet is the fundamental building block for private networks in Azure; it is region-specific and can be divided into subnets.

NSGs are stateful firewalls for inbound traffic (stateless for outbound) that filter at Layer 3/4; they can be applied to subnets or NICs.

VNet peering connects two VNets directly using the Microsoft backbone, with no encryption; global peering works across regions.

Azure Load Balancer distributes traffic within a region at Layer 4; Azure Traffic Manager distributes traffic globally at DNS level.

Azure VPN Gateway provides encrypted site-to-site connections over the internet; ExpressRoute provides private, dedicated connections.

Azure Firewall is a managed, stateful firewall with high availability and scalability, suitable for centralized network security.

Azure CDN caches content at edge locations to reduce latency; it integrates with Azure Storage, Web Apps, and other origins.

Azure DNS allows you to host your DNS domains and manage records; supports private zones for internal name resolution.

All networking services have consumption-based pricing; data transfer costs apply for outbound traffic.

Default limits: up to 1000 VNets per subscription per region; up to 500 VNet peerings per VNet.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Aspect      | Azure VPN Gateway                                  | Azure ExpressRoute
Transport   | Uses public internet with encryption               | Dedicated private connection, no internet
Cost        | Lower cost per month                               | Higher monthly cost
Bandwidth   | Up to 1.25 Gbps (aggregate)                        | Up to 10 Gbps
Latency     | Variable latency due to internet                   | Consistent low latency
SLA         | 99.9% for gateway availability (not connection)    | 99.95% for circuit availability

Watch Out for These

Mistake: Azure VNet spans multiple regions automatically.

Correct: A VNet is scoped to a single region. To connect resources across regions, you must use VNet peering (global peering) or VPN gateways.

Mistake: VPN Gateway and ExpressRoute are interchangeable for site-to-site connectivity.

Correct: VPN Gateway uses encrypted tunnels over the public internet, while ExpressRoute is a dedicated private connection that bypasses the internet. ExpressRoute offers higher reliability, lower latency, and higher bandwidth options.

Mistake: Network Security Groups (NSGs) can block traffic at the application layer (Layer 7).

Correct: NSGs operate at Layer 3 and 4 (IP and port/protocol). For Layer 7 filtering, you need Azure Application Gateway with WAF or Azure Firewall.

Mistake: Azure Load Balancer can distribute traffic across multiple regions.

Correct: Azure Load Balancer works within a single region. For global distribution, use Azure Traffic Manager or Azure Front Door.

Mistake: VNet peering encrypts traffic between VNets.

Correct: VNet peering uses the Microsoft backbone network, but traffic is not encrypted by default. For encryption, use VPN Gateway or an encrypted application protocol.

Frequently Asked Questions

What is the difference between Azure Load Balancer and Azure Traffic Manager?

Azure Load Balancer distributes incoming traffic among healthy VMs in a single region at Layer 4 (TCP/UDP). It's used for high availability within a region. Azure Traffic Manager is a DNS-based traffic load balancer that distributes traffic across endpoints in different regions globally. It uses routing methods like performance, weighted, or priority. For AZ-900, remember: Load Balancer = regional, Traffic Manager = global.

Do I need a VPN Gateway to connect two VNets in the same region?

No. You can use VNet peering to connect two VNets in the same region directly. VNet peering uses the Microsoft backbone and does not require a VPN gateway. It's free for same-region peering (only data transfer charges apply). VPN Gateway is needed for connecting to on-premises or for cross-region peering if you want encryption.

What is the difference between a Network Security Group (NSG) and Azure Firewall?

NSG is a distributed firewall that filters traffic at the subnet or NIC level. It works at Layers 3 and 4 (IP, port, protocol). It is stateless for outbound and stateful for inbound. Azure Firewall is a managed, centralized firewall service with advanced features like FQDN filtering, threat intelligence, and high availability. It is stateful for both directions. For exam: NSG for basic per-subnet filtering, Azure Firewall for enterprise-grade central security.

Can I use Azure DNS for private name resolution within a VNet?

Yes. Azure DNS Private Zones allow you to register and resolve custom domain names within a VNet without a custom DNS server. You can link private zones to one or more VNets. This is useful for internal services like databases or microservices. For exam: know that Azure DNS supports both public and private zones.

What is Azure ExpressRoute and when should I use it?

Azure ExpressRoute is a dedicated private connection from your on-premises network to Azure, bypassing the internet. It offers higher reliability, lower latency, and higher security. Use it when you need consistent performance, large data transfers, or compliance requirements (e.g., financial services). It's more expensive than VPN Gateway but provides a better SLA (99.95%).

How does Azure CDN improve performance?

Azure CDN caches static content (like images, CSS, JavaScript) at edge servers located around the world. When a user requests content, it's served from the nearest edge location, reducing latency and load on the origin server. It also supports dynamic site acceleration and can be integrated with Azure Storage, Web Apps, and other services. For exam: know that CDN is for static content caching and global performance improvement.

What are the default rules in a Network Security Group?

An NSG has three default inbound rules: AllowVNetInBound (allows inbound from within the VNet), AllowAzureLoadBalancerInBound (allows Azure Load Balancer health probes), and DenyAllInbound (denies all other inbound traffic, including from the internet). It also has three default outbound rules: AllowVnetOutBound (allows outbound to the VNet), AllowInternetOutBound (allows outbound to the internet), and DenyAllOutBound. Because the two allow rules have a higher priority (lower number) than DenyAllOutBound, the net effect is that all outbound traffic is allowed by default, while all inbound traffic from outside the VNet is denied unless you add an allow rule.
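To see how the priority order described above (and in walk-through step 2) decides the outcome, here is an added example, not code from the page or from Azure, that models NSG rule evaluation: rules are checked from the lowest priority number upward and the first match wins. The default rules use Azure's real names and priorities (65000/65001/65500); the service-tag matching is simplified (assumption: 'Internet' means any address outside the VNet space), and the custom rules, addresses and flows are constructed.

```python
"""Priority-ordered NSG rule evaluation (added example; constructed rules and flows)."""
import ipaddress
from dataclasses import dataclass

PROBE_IP = "168.63.129.16"  # Azure health-probe source address (AzureLoadBalancer tag)

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    source: str        # service tag, CIDR or "*"
    destination: str   # service tag, CIDR or "*"
    port: str = "*"    # destination port or "*"
    protocol: str = "*"

def _matches(selector, ip, vnet_space):
    """Simplified tag/CIDR match; assumption: 'Internet' == any address outside the VNet."""
    addr = ipaddress.ip_address(ip)
    if selector == "*":
        return True
    if selector == "VirtualNetwork":
        return addr in ipaddress.ip_network(vnet_space)
    if selector == "Internet":
        return addr not in ipaddress.ip_network(vnet_space)
    if selector == "AzureLoadBalancer":
        return ip == PROBE_IP
    return addr in ipaddress.ip_network(selector)

def evaluate(rules, direction, src, dst, port, protocol, vnet_space="10.0.0.0/16"):
    """Return (access, rule_name) of the first matching rule in priority order."""
    for r in sorted(rules, key=lambda rule: rule.priority):
        if r.direction != direction:
            continue
        if r.protocol not in ("*", protocol) or r.port not in ("*", str(port)):
            continue
        if _matches(r.source, src, vnet_space) and _matches(r.destination, dst, vnet_space):
            return r.access, r.name
    return "Deny", "<no rule>"  # unreachable while the default rules are present

DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*"),
]
# Constructed custom rules: the walk-through's 'allow HTTP from the internet', plus an
# explicit egress block that overrides the permissive default outbound rule.
CUSTOM_RULES = [
    Rule("Allow-HTTP-InBound", 100, "Inbound", "Allow", "Internet", "*", "80", "Tcp"),
    Rule("Deny-Internet-OutBound", 100, "Outbound", "Deny", "*", "Internet"),
]

if __name__ == "__main__":
    for flow in [("Inbound", "203.0.113.7", "10.0.1.4", 80, "Tcp"),
                 ("Inbound", "203.0.113.7", "10.0.1.4", 22, "Tcp"),
                 ("Outbound", "10.0.1.4", "8.8.8.8", 443, "Tcp")]:
        print(flow, "defaults ->", evaluate(DEFAULT_RULES, *flow),
              "| with custom ->", evaluate(DEFAULT_RULES + CUSTOM_RULES, *flow))
```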
