🌐

Azure Networking Overview

Jun 11, 2025

Overview

This lecture covers core Azure networking concepts including virtual networks, subnets, IP types, routing, security, network components, and connectivity options, with practical steps for configuration and exam preparation.

Azure Virtual Networks & Subnets

  • A Virtual Network (VNet) is a network boundary within Azure for deploying resources.
  • VNets are divided into subnets, each with its own IP range, to control communication and security.
  • Subnets cannot use IPs 0, 1, 2, 3, and 255, as some are reserved by Azure.
  • VNets have soft (50) and hard (500) limits per subscription; limits can be increased by request.

IP Addressing

  • IPv4 uses 32-bit addresses (4 octets); IPv6 uses 128-bit alphanumeric addresses.
  • CIDR (Classless Inter Domain Routing) notation defines network and host portions, e.g., 10.1.1.0/24.
  • Public IPs are routable from the internet; private IPs are only for internal Azure communication.
  • Static IPs remain constant; dynamic IPs may change on VM restart.

Routing & Connectivity

  • Route Tables define how traffic moves between subnets, VNets, or on-premises networks.
  • User-Defined Routes enable custom traffic routing, including VPN or ExpressRoute paths.
  • VNet peering connects VNets in the same or different regions for private communications.
  • Gateway Transit allows one VNet to use another's VPN gateway for connectivity.

Security Components

  • Network Security Groups (NSGs) act as firewalls with inbound (ingress) and outbound (egress) rules.
  • Application Security Groups (ASGs) group VMs by role, simplifying NSG rule management.
  • Azure Firewall is a managed, scalable Layer 3/7 firewall integrated with Azure Firewall Manager.
  • DDoS protection is enabled by default at the VNet level, with optional standard upgrades.
  • Bastion Host allows secure VM access via browser over HTTPS (port 443), avoiding RDP/SSH exposure.

Advanced Networking Features

  • Service Endpoints secure traffic from a VNet to Azure services like Storage or SQL.
  • NAT Gateway provides outbound connectivity for subnets with address translation.
  • Azure DNS resolves domain names to IPs and can be customized beyond Azure's default DNS servers.
  • Azure Load Balancer distributes inbound/outbound traffic across backend VMs, supporting TCP/HTTP(S).
  • Application Gateway is a layer 7 load balancer supporting HTTP routing, path-based rules, and SSL termination.
  • Traffic Manager distributes client traffic using DNS-based routing for optimal performance and failover.

Hybrid Connectivity

  • ExpressRoute offers a dedicated, private connection between on-premises and Azure for high bandwidth.
  • VPN Gateway supports Site-to-Site (S2S) and Point-to-Site (P2S) encrypted connections over the public internet.
  • Local Network Gateway is the Azure representation of an on-premises VPN device.
  • Virtual WAN centralizes branch connectivity with Azure acting as a hub.

Architecture Models

  • Hub and Spoke model centralizes connectivity and security with a "hub" VNet connected to multiple "spoke" VNets.
  • Gateway Transit permits spoke VNets to use the hub VNet's VPN gateway for on-premises or internet communication.

Key Terms & Definitions

  • VNet (Virtual Network) β€” Logical network boundary in Azure hosting resources.
  • Subnet β€” Subdivision of a VNet with isolated IP ranges.
  • CIDR β€” Notation for specifying IP address and subnet mask (e.g., /24).
  • NSG (Network Security Group) β€” Firewall-like control for network traffic rules.
  • ASG (Application Security Group) β€” Logical group for VMs to simplify NSG rules.
  • Azure Firewall β€” Managed, scalable network firewall service.
  • Bastion Host β€” Secure browser-based VM access via HTTPS.
  • Service Endpoint β€” Direct, secure VNet connection to Azure services.
  • NAT Gateway β€” Provides outbound internet for subnets, hiding internal IPs.
  • DNS β€” Resolves hostnames to IP addresses.
  • Load Balancer β€” Distributes network traffic among resources.
  • Application Gateway β€” Layer 7 load balancer for web traffic.
  • Traffic Manager β€” DNS-based global traffic distribution.
  • ExpressRoute β€” Dedicated private connectivity to Azure, bypassing the public internet.
  • VPN Gateway β€” Facilitates secure VPN connections to Azure.
  • Local Network Gateway β€” Azure object representing on-premises VPN endpoint.
  • Virtual WAN β€” Central hub for managing branch and remote connectivity.
  • Peering β€” Connection between VNets for private communication.
  • Gateway Transit β€” Permits shared VPN gateway access between peered VNets.
  • Hub and Spoke Model β€” Centralized networking where hub VNet manages connectivity for spoke VNets.

Action Items / Next Steps

  • Review prior lessons on VNet basics and IP addressing for reinforcement.
  • Register for K21 Academy’s free master class (k21academy.com/az10402) for Azure certification prep.
  • Complete hands-on labs for VNet, subnet, NSG, route table, and VPN gateway setup as assigned.

Full transcript