
VPN and ExpressRoute




This course covers the Architect ARM Networks part of the 70-534 exam, which is worth 5 - 10% of the exam. The intent of the course is to help fill in any knowledge gaps that you might have, and help to prepare you for the exam.


Welcome back! In this lesson we'll be talking about Virtual Private Networks, abbreviated VPN. We'll be covering site-to-site VPNs, point-to-site VPNs, ExpressRoute, virtual network to virtual network VPNs and multi-site VPNs.

Cloud migration is a long-term process that can take time for companies. The bigger the company, the longer the process may take, and in some cases it can take years. And sometimes a complete migration isn't possible due to any number of reasons. So, hybrid solutions are often required.

Services will migrate from on-prem to cloud over time and need to integrate seamlessly with on-prem services. Depending on your needs, there are different options available to connect on-prem networks or devices to an Azure virtual network.

Point-to-site VPNs are the simplest way to access a remote virtual network, through the public Internet. This is accomplished by installing software on the client PC that needs to access the virtual network.

This provides you with an encrypted tunnel to connect the given client to the network, so that it can access the resources on that network. It's a useful solution when there are only a few users that need to connect to the VPN. Typical scenarios are cases of remote administration or troubleshooting.

Also, it's a good solution in a development scenario, for remote workers or for debugging sessions. It's not a great option when there are a lot of users that require a connection, since each connection needs to be managed separately.

There are other options, though, as we've mentioned. A site-to-site VPN is a single private connection from an on-prem network to the remote virtual network over the public Internet. It projects an entire on-prem network to the remote Azure Virtual Network.

The single connection is shared among the on-prem nodes accessing the remote endpoints. A hardware appliance can be used to build the site-to-site VPN. Not all networking appliances, like consumer routers, support site-to-site VPNs. So, a network upgrade may be required.

There's also the possibility to use a software appliance, installed on a server on the LAN. For example, you could use Windows Server, which has a routing service to connect LANs to VPNs.

Another option is ExpressRoute. ExpressRoute is a private connection from an on-prem data center to an Azure data center. It's a dedicated connection co-located in a third-party connection provider, and these are located all around the world.

Traffic doesn't travel across the public Internet, but is kept private to ensure reliability, low latency and security. The SLA is guaranteed by redundant connections to the Microsoft Edge network.

ExpressRoute is ideal for things like data storage access, backup and disaster recovery. It's also preferred to connect to Office 365 or Dynamics CRM Service Solutions. It's not going to be useful or cost-effective for everyone, though it can be a convenient option when you have frequent, big data transfers on a daily basis. So, make sure you evaluate ExpressRoute carefully before getting started with it.

Sometimes there's a need to create multiple virtual networks for security or for performance reasons. In this scenario you'd set up two VPN gateways to allow intra-region traffic between the virtual networks. This is called vNet-to-vNet VPN. This ensures multi-region availability of the cloud infrastructure.

And there are a lot of different scenarios for things like this. Maybe SQL Server AlwaysOn, deployed as infrastructure as a service, or this can be useful for things like geographically distributed partitions in a NoSQL solution, deployed on VMs connected to different virtual networks.

Okay, that's going to wrap up this lesson and for that matter, the entire course. So, if you're ready to keep learning, then I'll see you in the next course!

About the Author


Ben Lambert is a software engineer and was previously the lead author for DevOps and Microsoft Azure training content at Cloud Academy. His courses and learning paths covered Cloud Ecosystem technologies such as DC/OS, configuration management tools, and containers. As a software engineer, Ben’s experience includes building highly available web and mobile apps. When he’s not building software, he’s hiking, camping, or creating video games.