Azure Architecture and Services · 35-40% of exam

L8. Core Networking: VNet, Load Balancer, VPN Gateway, and ExpressRoute


Azure Virtual Network is the foundation of cloud networking. The AZ-900 exam tests VNet, subnets, peering, Load Balancer, VPN Gateway, and ExpressRoute.

Azure Virtual Network (VNet)

A Virtual Network (VNet) is a logically isolated network in Azure. It is the fundamental building block for your private network in Azure. Key VNet features:

  • Subnets: segment a VNet into smaller address spaces; each resource is placed in a subnet
  • VNet peering: connect two VNets so resources can communicate as if on the same network (works across regions as "global VNet peering")
  • Network Security Groups (NSGs): filter inbound and outbound traffic to/from subnets or network interfaces using rules
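The NSG bullet is the one most worth seeing in action: rules are evaluated in ascending priority order, the first match wins, and Azure appends default rules (priority 65000 and above) that allow traffic from inside the VNet and from the load balancer but deny everything else inbound. The following Python simulation is an added illustration written for these notes, not Azure's own code; the VNet range, subnets, rule set and packets are constructed samples, and service-tag handling is simplified to the VNet range (VirtualNetwork) versus everything outside it (Internet).

```python
"""Simulate how an Azure Network Security Group (NSG) evaluates inbound rules.

Added illustration for the AZ-900 notes, not Azure's own code: custom rules
use priorities 100-4096, are evaluated lowest number first, and the first
matching rule decides. Azure attaches default rules at 65000-65500 that
cannot be deleted, only overridden by a lower-numbered custom rule.
The VNet, subnets, rules and sample packets below are constructed.
"""
from dataclasses import dataclass
import ipaddress

VNET = ipaddress.ip_network("10.0.0.0/16")   # constructed VNet address space
SUBNETS = {                                  # constructed subnets inside it
    "web": ipaddress.ip_network("10.0.1.0/24"),
    "db": ipaddress.ip_network("10.0.2.0/24"),
}
AZURE_LB_PROBE_IP = "168.63.129.16"   # source address of Azure Load Balancer health probes


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    source: str      # CIDR, or a service tag: "Internet", "VirtualNetwork", "AzureLoadBalancer", "*"
    dest_port: str   # "*" or a single port number as a string
    access: str      # "Allow" or "Deny"


# Default inbound rules Azure attaches to every NSG
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "Deny"),
]


def source_matches(source: str, src_ip: str) -> bool:
    """Simplified service tags: VirtualNetwork = our VNet range, Internet = everything outside it."""
    ip = ipaddress.ip_address(src_ip)
    if source == "*":
        return True
    if source == "VirtualNetwork":
        return ip in VNET
    if source == "Internet":
        return ip not in VNET
    if source == "AzureLoadBalancer":
        return src_ip == AZURE_LB_PROBE_IP
    return ip in ipaddress.ip_network(source)


def evaluate_inbound(custom_rules, src_ip: str, dest_port: int):
    """Return (access, rule_name) of the first matching rule, lowest priority number first."""
    for rule in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.dest_port not in ("*", str(dest_port)):
            continue
        if not source_matches(rule.source, src_ip):
            continue
        return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every packet")


def subnet_of(ip: str):
    """Name of the constructed subnet holding this address, or None if it is outside the VNet."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SUBNETS.items() if addr in net), None)


# Constructed custom rules for the web subnet: HTTPS from the internet, SSH only from inside the VNet
WEB_RULES = [
    Rule(100, "AllowHttpsFromInternet", "Internet", "443", "Allow"),
    Rule(200, "AllowSshFromVnet", "VirtualNetwork", "22", "Allow"),
]
# A lower-numbered Deny overrides the default AllowVnetInBound for RDP from other subnets
HARDENED_WEB_RULES = WEB_RULES + [Rule(150, "DenyRdpFromVnet", "VirtualNetwork", "3389", "Deny")]

if __name__ == "__main__":
    samples = [("203.0.113.9", 443), ("203.0.113.9", 22), ("10.0.2.5", 3389), (AZURE_LB_PROBE_IP, 80)]
    for rules, label in ((WEB_RULES, "custom rules only"), (HARDENED_WEB_RULES, "with RDP deny")):
        print(f"--- {label} ---")
        for src, port in samples:
            access, name = evaluate_inbound(rules, src, port)
            where = subnet_of(src) or "outside VNet"
            print(f"{src:>15} ({where}) -> port {port}: {access} by {name}")
```

The third sample packet is the one to remember: RDP from the db subnet to the web subnet is allowed by the default AllowVnetInBound rule, not by anything the administrator wrote, so restricting lateral traffic inside a VNet needs an explicit higher-priority Deny such as the constructed rule 150.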

Azure Load Balancer

Distributes incoming network traffic across multiple backend VMs to ensure no single VM is overwhelmed.

  • Layer 4 (Transport): operates at TCP/UDP level
  • Public Load Balancer: distributes internet traffic to VMs
  • Internal Load Balancer: distributes traffic within a VNet

Azure Application Gateway

  • Layer 7 (HTTP/HTTPS): can route based on URL path or hostname
  • Includes a Web Application Firewall (WAF) for OWASP protection
  • Use when you need URL-based routing or WAF capabilities
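The Layer 4 versus Layer 7 distinction above is easier to hold onto when the two selection mechanisms sit side by side. Azure Load Balancer's default distribution mode hashes the flow's 5-tuple and never inspects the payload, so it cannot tell /api/ from /images/; Application Gateway terminates HTTP and can pick a backend pool from the Host header and URL path. The following Python is an added illustration for these notes, not Azure code: the backend addresses, hostname, path map and requests are constructed, and the path-matching rule (longest matching prefix, with "/" as the default pool) is a simplification of Application Gateway's path-based routing.

```python
"""Layer 4 vs Layer 7 backend selection, as an added illustration (not Azure code).

layer4_pick mimics Azure Load Balancer's default 5-tuple hash distribution:
it sees only addresses, ports and protocol, so every packet of one flow goes
to the same VM and the HTTP content is irrelevant. layer7_route mimics an
Application Gateway listener with a path-based rule: it parses the request
and chooses a pool by Host and URL path. All names and requests are constructed.
"""
import hashlib

VM_POOL = ["10.0.1.4", "10.0.1.5", "10.0.1.6"]   # constructed backend VMs behind a Layer 4 LB

# Constructed Application Gateway configuration: one listener hostname with path-based rules.
# Simplification: longest matching prefix wins; "/" is the default pool.
PATH_MAP = {
    "www.contoso.example": [
        ("/api/", "api-pool"),
        ("/images/", "static-pool"),
        ("/", "web-pool"),
    ],
}


def layer4_pick(src_ip: str, src_port: int, dst_ip: str, dst_port: int, protocol: str, pool=VM_POOL) -> str:
    """Pick a backend from a hash of the 5-tuple; identical flows always land on the same VM."""
    key = f"{src_ip}|{src_port}|{dst_ip}|{dst_port}|{protocol}".encode()
    digest = hashlib.sha256(key).digest()        # stable across processes, unlike hash()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def parse_request(raw: bytes):
    """Minimal HTTP/1.1 parsing: request line plus headers, enough to route on Host and path."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def layer7_route(raw: bytes, path_map=PATH_MAP):
    """Return the backend pool for a request, or None when no listener matches the Host header."""
    _method, path, headers = parse_request(raw)
    host = headers.get("host", "").split(":")[0].lower()
    rules = path_map.get(host)
    if rules is None:
        return None
    for prefix, pool in sorted(rules, key=lambda r: -len(r[0])):
        if path.startswith(prefix):
            return pool
    return None


if __name__ == "__main__":
    # Two packets of the same flow: the Layer 4 LB keeps them on one VM regardless of content
    flow = ("203.0.113.9", 51000, "20.0.0.10", 80, "TCP")
    print("L4 pick:", layer4_pick(*flow), "again:", layer4_pick(*flow))

    # The same requests through the Layer 7 gateway land in different pools by path
    for req in (
        b"GET /api/orders HTTP/1.1\r\nHost: www.contoso.example\r\n\r\n",
        b"GET /images/logo.png HTTP/1.1\r\nHost: www.contoso.example\r\n\r\n",
        b"GET /about HTTP/1.1\r\nHost: www.contoso.example\r\n\r\n",
        b"GET /api/orders HTTP/1.1\r\nHost: other.example\r\n\r\n",
    ):
        print("L7 route:", req.split(b"\r\n")[0].decode(), "->", layer7_route(req))
```

Because the Layer 7 path has already parsed the request, it is also the natural place for a WAF to inspect headers and body before a backend is chosen, which is why the page lists the WAF under Application Gateway rather than Load Balancer.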

Azure VPN Gateway

Creates an encrypted tunnel (IPsec/IKE) between Azure and an on-premises network or between two Azure VNets.

  • Site-to-site VPN: connects on-premises networks to Azure over the internet
  • Point-to-site VPN: connects individual client devices to Azure
  • Traffic travels encrypted over the public internet

Azure ExpressRoute

ExpressRoute provides a private, dedicated connection from on-premises to Azure that does NOT travel over the public internet.

  • Higher reliability, lower latency, higher throughput than VPN
  • Requires a connectivity provider (network service provider)
  • Typically more expensive than VPN Gateway

Azure Content Delivery Network (CDN)

Caches content at edge locations worldwide to reduce latency for global users.

Service | Layer | Use Case
Load Balancer | Layer 4 | Distribute VM traffic
Application Gateway | Layer 7 | URL routing, WAF
VPN Gateway | Network | Encrypted on-premises connection
ExpressRoute | Network | Private dedicated on-premises connection
Azure DNS | DNS | Host DNS zones in Azure

Exam tip: ExpressRoute = private, dedicated, not over the internet. VPN Gateway = encrypted but still over the internet.

Exam Focus Points

  • Azure VNet is a logically isolated private network; subnets segment a VNet into smaller ranges
  • VNet peering connects two VNets so resources communicate privately, including across regions
  • Load Balancer operates at Layer 4 (TCP/UDP); Application Gateway operates at Layer 7 (HTTP/HTTPS) and includes WAF
  • VPN Gateway creates an encrypted IPsec tunnel over the public internet to on-premises networks
  • ExpressRoute provides a private dedicated connection to Azure that bypasses the public internet entirely

Knowledge Check

1. A company needs a high-reliability, low-latency private connection from their on-premises datacenter to Azure that does not traverse the public internet. Which service should they use?

2. Which Azure load balancing service operates at Layer 7 and can route traffic based on URL path?
