Azure Networking Guide: Complete Architecture Reference
Microsoft Azure provides enterprise-grade networking with deep integration into the Microsoft ecosystem. This guide covers Virtual Network fundamentals through advanced architectures—Front Door, ExpressRoute, and hybrid connectivity patterns.
Virtual Network (VNet) Fundamentals
Azure Virtual Networks are the foundation of Azure networking, similar to VPCs in AWS but with some key differences:
VNet Characteristics
- Regional scope: VNets exist in a single Azure region
- Address space: One or more CIDR blocks (can be added after creation)
- Subnets: Subdivisions that span all availability zones in the region
- System routes by default: Azure creates default routes for every subnet; custom (user-defined) routes live in route tables that you associate with subnets
VNet Design Best Practices
- Plan address space carefully: Avoid overlaps with on-premises networks and other VNets
- Use Azure Virtual Network Manager: Centrally manage VNets across subscriptions
- Dedicated subnets for services: Some Azure services require dedicated subnets (App Service, SQL MI)
```text
# Example VNet structure
VNet: production-vnet (East US)
├── Address Space: 10.0.0.0/16
├── Subnet: frontend (10.0.1.0/24)
├── Subnet: backend (10.0.2.0/24)
├── Subnet: database (10.0.3.0/24)
├── Subnet: AzureBastionSubnet (10.0.255.0/27) # Required name
└── Subnet: GatewaySubnet (10.0.254.0/27) # Required name
```
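The address-planning rules above (subnets inside the address space, no overlap between subnets or with on-premises ranges, reserved subnet names present) can be checked before anything is deployed. This is an added example, not code from the original guide; the VNet plan and the on-premises ranges are constructed to mirror the structure shown, and the five-address reservation is Azure's per-subnet behaviour.

```python
import ipaddress

# Constructed plan mirroring the production-vnet example above.
VNET_ADDRESS_SPACE = ["10.0.0.0/16"]
SUBNETS = {
    "frontend": "10.0.1.0/24",
    "backend": "10.0.2.0/24",
    "database": "10.0.3.0/24",
    "AzureBastionSubnet": "10.0.255.0/27",
    "GatewaySubnet": "10.0.254.0/27",
}
# Constructed on-premises ranges that the VNet must not overlap.
ON_PREMISES = ["192.168.0.0/16", "10.1.0.0/16"]
# Subnets whose names Azure requires verbatim for the service to deploy.
REQUIRED_NAMES = {"AzureBastionSubnet", "GatewaySubnet"}
AZURE_RESERVED_PER_SUBNET = 5  # network, default gateway, two DNS, broadcast

def validate_plan(address_space, subnets, on_prem, required=REQUIRED_NAMES):
    """Return a list of human-readable problems; an empty list means the plan is clean."""
    problems = []
    spaces = [ipaddress.ip_network(s) for s in address_space]
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    # 1. Every subnet must sit inside one of the VNet address-space blocks.
    for name, net in nets.items():
        if not any(net.subnet_of(space) for space in spaces):
            problems.append(f"{name} {net} is outside the VNet address space")
    # 2. Subnets must not overlap each other; Azure rejects this at creation.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    # 3. The VNet must not overlap on-premises ranges, or hybrid routing breaks.
    for space in spaces:
        for cidr in on_prem:
            if space.overlaps(ipaddress.ip_network(cidr)):
                problems.append(f"VNet {space} overlaps on-premises {cidr}")
    # 4. Gateway and Bastion only deploy into subnets with their required names.
    for name in sorted(required - set(subnets)):
        problems.append(f"missing required subnet name {name}")
    return problems

def usable_hosts(cidr):
    """Azure reserves the first four and the last address of every subnet."""
    return ipaddress.ip_network(cidr).num_addresses - AZURE_RESERVED_PER_SUBNET
```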
Network Security Groups (NSGs)
NSGs are Azure's stateful firewall, applied at the subnet or NIC level:
NSG Architecture
- Priority-based rules: Lower number = higher priority (100-4096)
- Default rules: Allow VNet-to-VNet, allow load balancer, deny all other inbound
- Service tags: Pre-defined groups like Internet, VirtualNetwork, AzureLoadBalancer
- Application security groups (ASGs): Group VMs for easier rule management
NSG Best Practices
- Apply NSGs at the subnet level for consistent protection
- Use Application Security Groups instead of IP addresses for dynamic workloads
- Enable NSG Flow Logs for traffic analysis and troubleshooting
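The priority ordering, service tags, ASGs and default rules above determine what an NSG actually lets through, and the default AllowVnetInBound rule is the one most often overlooked. The evaluator below is an added example, not Microsoft's implementation: it simplifies a rule to source, destination port and priority, resolves the service tags and ASG membership from constructed prefixes, and appends Azure's real default inbound rules at their actual priorities (65000, 65001, 65500). The AzureLoadBalancer source is Azure's health-probe address 168.63.129.16.

```python
from collections import namedtuple
import ipaddress

# Constructed prefixes standing in for Microsoft-maintained service-tag ranges.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],          # constructed: this VNet's address space
    "AzureLoadBalancer": ["168.63.129.16/32"],  # Azure health-probe source address
}
# Constructed application security group membership (NIC private IPs).
ASGS = {"asg-web": ["10.0.1.10", "10.0.1.11"], "asg-db": ["10.0.3.10"]}

# priority: custom rules use 100-4096, lower number wins; access: "Allow" / "Deny"
# source: CIDR, service tag, ASG name or "*"; dest_port: port, "a-b" range or "*"
Rule = namedtuple("Rule", "name priority access source dest_port")

def _match_source(spec, ip):
    addr = ipaddress.ip_address(ip)
    in_vnet = any(addr in ipaddress.ip_network(p) for p in SERVICE_TAGS["VirtualNetwork"])
    if spec == "*":
        return True
    if spec == "Internet":            # Internet tag: any address not in the VNet
        return not in_vnet
    prefixes = SERVICE_TAGS.get(spec) or ASGS.get(spec) or [spec]
    return any(addr in ipaddress.ip_network(p) for p in prefixes)

def _match_port(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

# Azure's default inbound rules sit above the custom range and cannot be deleted.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]

def evaluate_inbound(rules, src_ip, dst_port):
    """First matching rule in ascending priority order decides, as an NSG does."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _match_source(rule.source, src_ip) and _match_port(rule.dest_port, dst_port):
            return rule.name, rule.access
    raise AssertionError("DenyAllInBound always matches")

# Constructed rule set for the backend subnet: only the web tier may reach port 8080.
BACKEND_RULES = [
    Rule("AllowWebToApp", 100, "Allow", "asg-web", "8080"),
    Rule("DenyVnetToApp", 200, "Deny", "VirtualNetwork", "8080"),
]
```

Note that without an explicit deny, port 22 from any VNet address still reaches the backend through the default AllowVnetInBound rule; the explicit DenyVnetToApp rule only covers 8080.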
Azure Load Balancing Options
Azure offers multiple load balancing services for different use cases:
Azure Front Door
Global Layer 7 load balancer and CDN:
- Global: Anycast entry points at Microsoft's edge
- Features: CDN caching, WAF, SSL offload, path-based routing
- Health probes: Active probes to backends
- Use for: Global web applications, APIs, multi-region deployments
Azure Application Gateway
Regional Layer 7 load balancer:
- Regional: Deployed in a specific region
- Features: URL-based routing, SSL termination, WAF, cookie affinity
- V2 SKU: Autoscaling, zone redundancy
- Use for: Regional web applications, when Front Door isn't needed
Azure Load Balancer
Layer 4 load balancer:
- Public: Load balance internet traffic
- Internal: Load balance within VNet
- Standard SKU: Zone redundancy, outbound rules, HA ports
- Use for: Non-HTTP workloads, TCP/UDP services
Traffic Manager
DNS-based global load balancer:
- DNS-level: Returns optimal endpoint based on routing method
- Routing methods: Priority, weighted, performance, geographic, multivalue
- Use for: Multi-region active-passive, DNS-based failover
| Service | Layer | Scope | Best For |
|---|---|---|---|
| Front Door | 7 | Global | Global HTTP apps, CDN |
| Application Gateway | 7 | Regional | Regional HTTP apps |
| Load Balancer | 4 | Regional | TCP/UDP services |
| Traffic Manager | DNS | Global | DNS-based failover |
Hybrid Connectivity
Azure VPN Gateway
- Site-to-Site: IPsec VPN to on-premises networks
- Point-to-Site: Individual client VPN connections
- VNet-to-VNet: Connect VNets across regions
- SKUs: Basic (dev/test) through VpnGw5 (10 Gbps)
ExpressRoute
Private connectivity to Azure:
- Circuit sizes: 50 Mbps to 100 Gbps
- Peering types: Microsoft (O365, Azure public services), Private (VNets)
- Global Reach: Connect on-premises sites to each other through the Microsoft backbone
- FastPath: Bypass ExpressRoute gateway for ultra-low latency
```text
# ExpressRoute architecture
On-Premises Router
│ (BGP)
▼
ExpressRoute Circuit (at Exchange Provider)
│
▼
Microsoft Enterprise Edge (MSEE)
│
├─── Microsoft Peering → M365, Azure Public Services
│
└─── Private Peering → ExpressRoute Gateway → VNets
```
For BGP configuration, see BGP best practices.
VNet Connectivity
VNet Peering
- Regional peering: Connect VNets in the same region (high bandwidth, low latency)
- Global peering: Connect VNets across regions
- Non-transitive: Peering A-B plus peering B-C does not give A-C connectivity (use hub-spoke for transitivity)
Virtual WAN
Microsoft-managed hub-and-spoke networking:
- Virtual hubs: Managed hubs in each region you need
- Spoke VNets: Connect VNets to hubs via peering
- Branch connectivity: VPN, ExpressRoute integration
- Routing: Automatic route propagation between spokes
Hub-Spoke Architecture
Traditional hub-spoke using VNet peering:
- Hub VNet: Shared services (firewall, VPN gateway, DNS)
- Spoke VNets: Workload VNets peered to hub
- Transit: Enable "Allow gateway transit" and "Use remote gateways"
Private Connectivity to Azure Services
Service Endpoints
- Direct connectivity from VNet to Azure PaaS services
- Traffic stays on Azure backbone
- No private IP—uses service's public IP but via Azure backbone
Private Link / Private Endpoints
- Private IP: Azure service gets a private IP in your VNet
- No internet exposure: Service accessible only via private IP
- DNS integration: Private DNS zones for automatic resolution
- Supported services: Storage, SQL, Cosmos DB, Key Vault, and many more
Azure Firewall
Managed, cloud-native network firewall:
- Fully stateful: Tracks connections across all ports
- Threat intelligence: Block known malicious IPs and domains
- Application rules: FQDN-based filtering
- Network rules: IP and port-based filtering
- Forced tunneling: Route all traffic through firewall
Azure DNS
- Public DNS zones: Host domains on Azure's Anycast DNS
- Private DNS zones: DNS resolution within VNets
- Private resolver: DNS forwarding for hybrid scenarios
- Alias records: Point directly to Azure resources (auto-updates on IP change)
Network Monitoring
- Network Watcher: Diagnostics, packet capture, flow logs
- NSG Flow Logs: Traffic metadata for analysis
- Connection Monitor: Monitor connectivity between endpoints
- Traffic Analytics: Visualize flow log data
Key Takeaways
- VNets are regional; use peering or Virtual WAN for multi-region connectivity
- Choose Front Door for global HTTP; Application Gateway for regional
- ExpressRoute provides predictable, private connectivity
- Use Private Link for secure access to Azure PaaS services
- Virtual WAN simplifies large-scale hub-spoke architectures