L8. Core Networking: VNet, Load Balancer, VPN Gateway, and ExpressRoute
Azure Virtual Network is the foundation of cloud networking. The AZ-900 exam tests VNet, subnets, peering, Load Balancer, VPN Gateway, and ExpressRoute.
Azure Virtual Network (VNet)
A Virtual Network (VNet) is a logically isolated network in Azure. It is the fundamental building block for your private network in Azure. Key VNet features:
- Subnets: segment a VNet into smaller address spaces; each resource is placed in a subnet
- VNet peering: connect two VNets so resources can communicate as if on the same network (works across regions as "global VNet peering")
- Network Security Groups (NSGs): filter inbound and outbound traffic to/from subnets or network interfaces using rules
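The following is an added example, not part of the original lesson. NSG rules are processed in priority order (lowest number first) and the first matching rule decides, so it evaluates sample inbound flows and flags rules that a broader, higher-priority rule makes unreachable. Rule names, subnets and addresses are constructed, and matching is simplified to a single source prefix, port and protocol.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # NSG rules are processed in priority order, lowest number first
    source: str     # source CIDR prefix, or "*" for any
    port: str       # destination port, or "*" for any
    protocol: str   # "Tcp", "Udp" or "*"
    access: str     # "Allow" or "Deny"

# Constructed inbound rules for a hypothetical web subnet; 10.0.9.0/24 is an assumed management subnet.
WEB_NSG = [
    Rule("allow-https-internet", 100, "*", "443", "Tcp", "Allow"),
    Rule("allow-ssh-from-mgmt", 200, "10.0.9.0/24", "22", "Tcp", "Allow"),
    Rule("deny-ssh-other", 300, "*", "22", "Tcp", "Deny"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),  # mirrors Azure's default rule
]
# Same rules plus a broad allow placed ahead of them (constructed misconfiguration).
MISORDERED_NSG = WEB_NSG + [Rule("allow-any-tcp", 50, "*", "*", "Tcp", "Allow")]

def _net(source):
    return ipaddress.ip_network("0.0.0.0/0" if source == "*" else source)

def evaluate_inbound(rules, src_ip, port, protocol="Tcp"):
    """Return (access, rule name) of the first rule that matches, in priority order."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (ipaddress.ip_address(src_ip) in _net(r.source)
                and r.port in ("*", str(port))
                and r.protocol in ("*", protocol)):
            return r.access, r.name
    return "Deny", "no-matching-rule"  # only reached if the rule list has no catch-all

def _covers(a, b):
    """True if every flow matched by rule b is also matched by rule a."""
    return (_net(b.source).subnet_of(_net(a.source))
            and a.port in ("*", b.port)
            and a.protocol in ("*", b.protocol))

def shadowed_rules(rules):
    """Names of rules that can never fire because a higher-priority rule covers them."""
    ordered = sorted(rules, key=lambda r: r.priority)
    return [b.name for i, b in enumerate(ordered)
            if any(_covers(a, b) for a in ordered[:i])]

if __name__ == "__main__":
    for flow in [("203.0.113.7", 443), ("10.0.9.5", 22), ("203.0.113.7", 22)]:
        print(flow, evaluate_inbound(WEB_NSG, *flow), evaluate_inbound(MISORDERED_NSG, *flow))
    print("shadowed:", shadowed_rules(MISORDERED_NSG))
```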
Azure Load Balancer
Azure Load Balancer distributes incoming network traffic across multiple backend VMs so that no single VM is overwhelmed.
- Layer 4 (Transport): operates at the TCP/UDP level
- Public Load Balancer: distributes internet traffic to VMs
- Internal Load Balancer: distributes traffic within a VNet
Azure Application Gateway
- Layer 7 (HTTP/HTTPS): can route based on URL path or hostname
- Includes a Web Application Firewall (WAF) that protects against common web vulnerabilities identified by OWASP
- Use when you need URL-based routing or WAF capabilities
Azure VPN Gateway
Creates an encrypted tunnel (IPsec/IKE) between Azure and an on-premises network or between two Azure VNets.
- Site-to-site VPN: connects on-premises networks to Azure over the internet
- Point-to-site VPN: connects individual client devices to Azure
- Traffic travels encrypted over the public internet
Azure ExpressRoute
ExpressRoute provides a private, dedicated connection from on-premises to Azure that does NOT travel over the public internet.
- Higher reliability, lower latency, higher throughput than VPN
- Requires a connectivity provider (network service provider)
- Typically more expensive than VPN Gateway
Azure Content Delivery Network (CDN)
Caches content at edge locations worldwide to reduce latency for global users.
| Service | Layer | Use Case |
|---|---|---|
| Load Balancer | Layer 4 | Distribute VM traffic |
| Application Gateway | Layer 7 | URL routing, WAF |
| VPN Gateway | Network | Encrypted on-premises connection |
| ExpressRoute | Network | Private dedicated on-premises connection |
| Azure DNS | DNS | Host DNS zones in Azure |
- ✓ Azure VNet is a logically isolated private network; subnets segment a VNet into smaller ranges
- ✓ VNet peering connects two VNets so resources communicate privately, including across regions
- ✓ Load Balancer operates at Layer 4 (TCP/UDP); Application Gateway operates at Layer 7 (HTTP/HTTPS) and includes WAF
- ✓ VPN Gateway creates an encrypted IPsec tunnel over the public internet to on-premises networks
- ✓ ExpressRoute provides a private dedicated connection to Azure that bypasses the public internet entirely
1. A company needs a high-reliability, low-latency private connection from their on-premises datacenter to Azure that does not traverse the public internet. Which service should they use?
2. Which Azure load balancing service operates at Layer 7 and can route traffic based on URL path?