6 min read·Lesson 7 of 10

Azure Networking

Learn how Azure networking works — Virtual Networks, subnets, NSGs, load balancers, Application Gateway, VPN Gateway, and ExpressRoute.

Azure networking provides the connectivity fabric for all Azure resources. Unlike GCP's global VPC, Azure Virtual Networks are regional — but they're flexible and composable through peering and hybrid connectivity options.

Virtual Network (VNet)

A VNet is Azure's isolated private network. Key properties:

  • Regional scope: Each VNet is confined to a single region. Resources in different regions need VNet Peering to communicate privately.
  • Address space: Defined with one or more CIDR blocks (e.g., 10.0.0.0/16)
  • Subnets: Divide the VNet's address space. Resources are placed in subnets. Each subnet gets a portion of the VNet CIDR.
  • DNS: Azure-provided DNS or custom DNS servers per VNet
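The address-space rules above are easy to get wrong by hand, so here is an added example (not code from the lesson) that checks a proposed VNet layout with Python's standard ipaddress module. The VNet CIDR, subnet names and subnet CIDRs are constructed for the demo; the reserved-address count, the /29 minimum subnet size and the AzureBastionSubnet naming and /26 size requirement are documented Azure behaviour.

```python
import ipaddress

# Azure reserves five addresses in every subnet: the network address, the
# first three usable addresses (gateway and two held for Azure DNS), and
# the broadcast address. The smallest subnet Azure accepts is a /29.
AZURE_RESERVED_PER_SUBNET = 5
AZURE_SMALLEST_PREFIX = 29


def plan_subnets(vnet_cidrs, subnets):
    """Validate a VNet layout and return usable host counts per subnet.

    vnet_cidrs: CIDR strings making up the VNet address space.
    subnets:    mapping of subnet name -> CIDR string.
    Raises ValueError for a subnet that is too small, lies outside the
    VNet address space, or overlaps another subnet.
    """
    spaces = [ipaddress.ip_network(c) for c in vnet_cidrs]
    placed = {}
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr)
        if net.prefixlen > AZURE_SMALLEST_PREFIX:
            raise ValueError(f"{name} {cidr}: Azure subnets must be /29 or larger")
        if not any(net.subnet_of(space) for space in spaces):
            raise ValueError(f"{name} {cidr} lies outside the VNet address space")
        for other, other_net in placed.items():
            if net.overlaps(other_net):
                raise ValueError(f"{name} {cidr} overlaps {other} {other_net}")
        placed[name] = net
    return {name: net.num_addresses - AZURE_RESERVED_PER_SUBNET
            for name, net in placed.items()}


if __name__ == "__main__":
    # Constructed layout: a /16 VNet with a web tier, an app tier and the
    # AzureBastionSubnet (Azure requires that exact name and at least a /26).
    layout = {
        "snet-web": "10.0.1.0/24",
        "snet-app": "10.0.2.0/24",
        "AzureBastionSubnet": "10.0.255.0/26",
    }
    for name, usable in plan_subnets(["10.0.0.0/16"], layout).items():
        print(f"{name}: {usable} usable addresses")
```

A /24 yields 251 usable addresses rather than 254 because of the five Azure reservations; sizing subnets from the raw CIDR count is a common source of "subnet full" surprises in scale sets.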

Network Security Groups (NSGs)

NSGs are stateful firewall rules applied at the subnet level or network interface (NIC) level. Each rule specifies source, destination, port, protocol, and allow/deny action.

  • Rules are evaluated in priority order (lower number = higher priority); the first matching rule is applied and evaluation stops there
  • Default rules allow VNet-internal traffic and Azure Load Balancer traffic, and deny all other inbound traffic (which includes traffic from the internet)
  • Application Security Groups (ASGs) let you group VMs by role and reference the group in NSG rules — cleaner than listing IPs
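To make the evaluation order concrete, here is an added example (not code from the lesson) that simulates inbound NSG processing in Python: custom rules plus Azure's three default inbound rules, sorted by priority, first match wins. The VNet range, the rule set and the ASG membership are constructed for the demo; the default rule names and priorities (65000, 65001, 65500) and the 168.63.129.16 load-balancer probe address are Azure's real values, and treating the Internet service tag as "any address outside the VNet" is a simplification of this simulator.

```python
import ipaddress
from dataclasses import dataclass

# Constructed demo data: VNet address space and ASG membership by role.
VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")
AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")  # Azure's fixed LB probe source
ASG_MEMBERS = {
    "asg-web": {"10.0.1.4", "10.0.1.5"},
    "asg-db": {"10.0.2.4"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # lower number is evaluated first; custom rules use 100-4096
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR, service tag ("Internet", "VirtualNetwork", ...), ASG name or "*"
    dest: str        # same forms as source
    dest_port: str   # "443", "1000-2000" or "*"


# Azure's built-in inbound defaults. They sit at 65000+ so every custom rule outranks them.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
]


def _addr_matches(spec: str, ip: str) -> bool:
    """Resolve an address specifier (CIDR, service tag, ASG or wildcard) against an IP."""
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET_SPACE
    if spec == "Internet":              # simplification: anything outside the VNet
        return addr not in VNET_SPACE
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE_IP
    if spec in ASG_MEMBERS:             # ASG: match on the member NIC addresses
        return ip in ASG_MEMBERS[spec]
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return port == int(spec)


def evaluate(custom_rules, direction, protocol, src_ip, dst_ip, dst_port):
    """Return (access, rule_name) for the first matching rule in priority order."""
    for rule in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol != "*" and rule.protocol.lower() != protocol.lower():
            continue
        if (_addr_matches(rule.source, src_ip) and _addr_matches(rule.dest, dst_ip)
                and _port_matches(rule.dest_port, dst_port)):
            return rule.access, rule.name
    return "Deny", "implicit"   # not reached while DenyAllInBound is present


# Constructed custom rule set for a web tier in front of a database tier.
CUSTOM_INBOUND = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "asg-web", "443"),
    Rule("AllowWebToDb", 110, "Inbound", "Allow", "Tcp", "asg-web", "asg-db", "1433"),
    # Without this rule, the default AllowVnetInBound lets any VNet host reach the DB tier.
    Rule("DenyVnetToDb", 4000, "Inbound", "Deny", "*", "VirtualNetwork", "asg-db", "*"),
]

if __name__ == "__main__":
    flows = [
        ("Tcp", "203.0.113.10", "10.0.1.4", 443),   # internet -> web HTTPS
        ("Tcp", "203.0.113.10", "10.0.1.4", 22),    # internet -> web SSH
        ("Tcp", "10.0.1.4", "10.0.2.4", 1433),      # web -> db SQL
        ("Tcp", "10.0.1.5", "10.0.2.4", 22),        # web -> db SSH
    ]
    for proto, src, dst, port in flows:
        verdict = evaluate(CUSTOM_INBOUND, "Inbound", proto, src, dst, port)
        print(f"{src} -> {dst}:{port}/{proto}: {verdict}")
```

The fourth flow is the one worth remembering: with only the two Allow rules, SSH from the web tier to the database VM is permitted by the default AllowVnetInBound rule, not by anything you wrote. An explicit Deny at a priority below 65000 is what actually segments the tiers.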

Azure Load Balancer (L4)

Azure Load Balancer distributes inbound TCP and UDP traffic across a backend pool of VMs. It operates at Layer 4 (transport layer).

  • Public Load Balancer: Routes internet traffic to VMs
  • Internal Load Balancer: Routes private VNet traffic between tiers
  • Supports health probes, session persistence (sticky sessions), and HA ports mode

Application Gateway (L7)

Application Gateway is an L7 load balancer with URL-based routing, SSL termination, and an optional Web Application Firewall (WAF) based on the OWASP Core Rule Set (CRS).

  • Route requests to different backend pools based on URL path (/api/* → API pool, /images/* → storage)
  • SSL offload — decrypt HTTPS at the gateway, send HTTP to backends
  • WAF_v2 protects against OWASP Top 10 attacks
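The path-based routing and SSL offload bullets above, shown as an added example in Python (not code from the lesson or from Application Gateway itself). The rule patterns, pool names and request values are constructed; the longest-matching-pattern rule and the pattern validation (must begin with "/", wildcard only at the end) are this example's own choices, and the X-Forwarded-For and X-Forwarded-Proto headers are the ones Application Gateway inserts on the backend request.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PathRule:
    pattern: str       # begins with "/"; a trailing "*" matches any continuation
    backend_pool: str

    def __post_init__(self):
        if not self.pattern.startswith("/") or "*" in self.pattern[:-1]:
            raise ValueError(f"bad path pattern {self.pattern!r}: must start with '/' "
                             "and may only use '*' at the end")

    def matches(self, path: str) -> bool:
        if self.pattern.endswith("*"):
            return path.startswith(self.pattern[:-1])
        return path == self.pattern


def select_pool(rules, default_pool, path):
    """Pick the backend pool for a request path; the longest matching pattern wins."""
    hits = [r for r in rules if r.matches(path)]
    if not hits:
        return default_pool
    return max(hits, key=lambda r: len(r.pattern)).backend_pool


def forward(rules, default_pool, method, path, client_ip, tls_listener=True):
    """Build the request the gateway sends on after terminating TLS (SSL offload).

    The backend sees plain HTTP; the original client address and scheme travel
    in X-Forwarded-* headers so the application can still enforce HTTPS-only logic.
    """
    headers = {
        "X-Forwarded-For": client_ip,
        "X-Forwarded-Proto": "https" if tls_listener else "http",
    }
    return {
        "pool": select_pool(rules, default_pool, path),
        "scheme": "http",
        "method": method,
        "path": path,
        "headers": headers,
    }


# Constructed URL path map: an API pool, a more specific admin pool under it, and storage.
RULES = [
    PathRule("/api/*", "api-pool"),
    PathRule("/api/admin/*", "admin-pool"),
    PathRule("/images/*", "storage-pool"),
]
DEFAULT_POOL = "web-pool"

if __name__ == "__main__":
    for path in ("/api/users", "/api/admin/keys", "/images/logo.png", "/"):
        req = forward(RULES, DEFAULT_POOL, "GET", path, "203.0.113.10")
        print(f"{path} -> {req['pool']} over {req['scheme']} {req['headers']}")
```

Because the gateway forwards plain HTTP, backends must not treat the absence of TLS as a misconfiguration; they should read X-Forwarded-Proto, and the subnet hosting the backend pool should be locked down so that only the gateway can reach the plaintext port.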

Azure Front Door

Azure Front Door is a global, anycast L7 load balancer and CDN platform. Use it when you need to route users to the nearest healthy backend across multiple regions. Includes WAF and DDoS protection.

VNet Peering

VNet Peering connects two VNets privately over Azure's backbone network — traffic never traverses the internet. Peering can be:

  • Regional peering: Same region
  • Global peering: Different regions

Hybrid Connectivity

Option                    | Bandwidth           | Best for
--------------------------|---------------------|-----------------------------------------------
Azure VPN Gateway         | Up to 10 Gbps       | Encrypted IPsec to on-premises, branch offices
ExpressRoute              | 50 Mbps – 100 Gbps  | Private dedicated circuit, highest reliability
ExpressRoute Global Reach | ExpressRoute speed  | Connect two on-premises sites via Azure

Azure Bastion

Azure Bastion is a fully managed PaaS that provides secure, browser-based RDP and SSH access to VMs — directly in the Azure portal, over TLS. VMs do not need a public IP, and SSH/RDP ports do not need to be exposed to the internet.

Key Takeaways

  • Azure VNets are regional (unlike GCP's global VPCs); connect regions using VNet Peering.
  • Network Security Groups (NSGs) control inbound/outbound traffic at subnet or NIC level.
  • Azure Load Balancer operates at L4; Application Gateway at L7 with WAF capabilities.
  • VPN Gateway provides encrypted IPsec tunnels to on-premises; ExpressRoute provides private dedicated circuits.
  • Azure Bastion provides secure browser-based VM access without exposing public IPs or SSH/RDP ports.
