
Microsoft Azure supports a variety of options for both internal and external networking. In this course, you will learn how to design a network implementation using the appropriate Azure services.

Some of the highlights include:

  • Configuring virtual networks to connect Azure resources to each other
  • Deploying public and private load balancers to distribute incoming traffic to a pool of backend VMs
  • Load balancing across multiple regions using Azure Traffic Manager
  • Connecting on-premises networks to Azure either directly using ExpressRoute or over the internet through a site-to-site or point-to-site VPN
  • Overriding system default routes to meet your own custom routing needs
  • Protecting your applications from attacks with a web application firewall
  • Using network security groups to create a demilitarized zone (DMZ)
  • Building hybrid applications that include both Azure and on-premises resources using Azure Relay
  • Copying on-premises data to Azure using Data Factory, the Self-hosted Integration Runtime, and the On-Premises Data Gateway

Learning Objectives

  • Design Azure virtual networks
  • Design external connectivity for Azure virtual networks
  • Design network security strategies for Azure
  • Design connectivity for hybrid Azure applications

Intended Audience

  • People who want to become Azure cloud architects
  • People preparing for a Microsoft Azure certification exam


Prerequisites

  • General knowledge of IT infrastructure and networking

I hope you enjoyed learning about Azure’s network services. Let’s do a quick review of what you learned.


An Azure virtual network has an IP address space and at least one subnet. IP addresses are assigned by an Azure DHCP server. VMs in a virtual network can communicate with each other using Azure-provided name resolution. You can provision your own DNS server in the vnet to resolve other addresses. Use Azure DNS Private Zones if you need custom domain names or name resolution between virtual networks. To accept inbound connections from the internet, assign public IP addresses to resources in a vnet. A virtual network service endpoint lets you extend the address space in your vnet to services that can’t reside in a vnet, such as Azure Storage and Azure SQL Database.


Azure Load Balancer acts as a frontend that distributes incoming traffic to a pool of backend VMs. It supports TCP and UDP applications. By default, the load balancer sends a probe to each backend VM every 15 seconds. If a health probe fails, then the VM is removed from the pool. A public load balancer has a public IP address for internet-facing applications. When a VM initiates an outbound connection, the load balancer performs network address translation. An internal load balancer doesn’t have a public IP address.


The other way to provide load balancing is to use Azure Application Gateway, which operates at layer 7 of the network stack. It can route based on the URL, redirect all HTTP requests to HTTPS, serve traffic to multiple websites, support WebSockets, and handle SSL offloading.


To provide load balancing across multiple regions, use Azure Traffic Manager, which redirects traffic at the DNS level. Performance routing directs a request to the closest region. Priority routing redirects requests to the next best region if there’s an outage. Weighted routing distributes requests either evenly among the endpoints or according to weights. Geographic routing directs a request to a specific region based on the client’s location.


ExpressRoute provides a redundant layer 3 connection between your on-premises location and Azure. You can connect using a colocation provider, a WAN provider, or a point-to-point Ethernet provider. Routing is handled using BGP.


To connect over the internet instead, deploy an Azure VPN Gateway in a virtual network. In a site-to-site configuration, you create an IPsec tunnel to the gateway through an on-premises VPN device. In a multi-site configuration, there’s a VPN device at each remote location, but still only one VPN Gateway in the Azure virtual network. Point-to-site connections use certificate-based authentication instead of a VPN device. This configuration is intended for individual computers or devices.


Multi-site and point-to-site configurations have to use route-based routing, which is dynamic. Site-to-site connections can use either route-based or policy-based routing, which is static. Policy-based routing requires more maintenance, so it should only be used when necessary. Also, a VPN gateway can only be configured to support one type of routing, so a site-to-site configuration that uses policy-based routing can’t share a VPN gateway with multi-site or point-to-site configurations. If you have an ExpressRoute connection, you can set up a site-to-site connection as a failover in case your primary connection goes down.


Virtual network peering allows instances in two virtual networks to communicate with each other over the Microsoft backbone network, even if they’re in different regions.


Each subnet in a virtual network has a route table with system default routes in it. You can override these routes with custom routes, also known as user-defined routes.


If you put an Azure Kubernetes Service cluster in a subnet of a virtual network, then the nodes in the cluster can use the Azure Container Networking Interface plugin to communicate with the rest of the network.


The Web Application Firewall that comes with the Azure Application Gateway protects against attacks, such as SQL injection and cross-site scripting. You can run it in either detection or prevention mode. Alternatively, you could use a network virtual appliance from a third-party vendor. These appliances should be put in a demilitarized zone that keeps unwanted traffic from getting through to your backend network.


A network security group contains rules that allow or deny traffic to resources in a subnet of a virtual network. You can also apply NSGs to the network interfaces of specific VMs if they were deployed using Resource Manager.


Service tags simplify your rules. For example, the VirtualNetwork tag includes the virtual network address space, all connected on-premises address spaces, and all peered virtual networks or virtual networks connected through a VPN gateway.


By default, the outbound rules allow all outgoing internet traffic. To force all internet-bound traffic to go through an inspection and auditing system first, use forced tunneling to your on-premises network.
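
The NSG behaviour summarized in the last three paragraphs, as an added example that is not part of the original course: a small Python model of how rules are evaluated for a backend subnet behind a DMZ. It goes beyond the summary by modelling Azure's priority ordering (lowest number first, first match decides) and its default rules; the address plan and the custom rule names are constructed for illustration.

```python
import ipaddress

# Constructed address plan (assumption, not from the course): vnet 10.0.0.0/16 with
# DMZ 10.0.1.0/24 and backend 10.0.2.0/24; connected on-premises space 192.168.0.0/16.
VIRTUAL_NETWORK = ["10.0.0.0/16", "192.168.0.0/16"]  # what the VirtualNetwork tag covers here

def matches(ip, spec):
    """True if ip falls under a service tag, '*', or a literal CIDR."""
    addr = ipaddress.ip_address(ip)
    in_vnet = any(addr in ipaddress.ip_network(n) for n in VIRTUAL_NETWORK)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":
        return not in_vnet
    return addr in ipaddress.ip_network(spec)

# (priority, name, source, destination, port, access)
# Azure's default rules; the AzureLoadBalancer inbound default is left out for brevity.
DEFAULT_IN = [
    (65000, "AllowVnetInBound", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    (65500, "DenyAllInBound", "*", "*", "*", "Deny"),
]
DEFAULT_OUT = [
    (65000, "AllowVnetOutBound", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    (65001, "AllowInternetOutBound", "*", "Internet", "*", "Allow"),
    (65500, "DenyAllOutBound", "*", "*", "*", "Deny"),
]
# Hypothetical custom rules for the backend subnet's NSG.
BACKEND_IN = [
    (100, "AllowDmzToSql", "10.0.1.0/24", "10.0.2.0/24", 1433, "Allow"),
    (200, "DenyOtherVnet", "VirtualNetwork", "*", "*", "Deny"),
]
BACKEND_OUT = [(100, "DenyInternetOut", "*", "Internet", "*", "Deny")]

def evaluate(custom, defaults, src, dst, port):
    """Lowest priority number is checked first; the first matching rule decides."""
    for _, name, s, d, p, access in sorted(custom + defaults):
        if matches(src, s) and matches(dst, d) and p in ("*", port):
            return access, name
    return "Deny", "no match"
```

Without the custom rules, an on-premises host reaches the backend through the default AllowVnetInBound rule, because the VirtualNetwork tag covers connected on-premises address space as well as the vnet itself.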


Azure WCF Relay lets you expose Windows Communication Foundation (or WCF) services in on-premises applications to Azure without having to open a port on your firewall. Azure Relay Hybrid Connections is a newer service that does the same thing for WebSockets and HTTP rather than WCF. You can also use Hybrid Connections from within Azure App Service, but you have to install a Hybrid Connection Manager in the network where the database resides. The Azure Data Management Gateway, now known as the Self-hosted Integration Runtime, lets Azure Data Factory copy data between Azure and on-premises data stores. The Azure On-Premises Data Gateway connects on-premises data sources with Azure Analysis Services.


To copy on-premises data using Data Factory, first install the Self-hosted Integration Runtime on-premises, register it with Azure, and connect it to your local data source. Next, create a linked service that accesses the data source via the integration runtime. Also create a linked service for the Azure data sink. Then create datasets for the data source and data sink. Finally, create a pipeline and a copy activity.


An Azure-SSIS Integration Runtime is an Azure cluster that lets you run SQL Server Integration Services packages.


To join a VM to a domain, make sure it’s in a virtual network that’s connected to the one where your Azure Active Directory managed domain resides.


Now you know how to design Azure virtual networks; design external connectivity for Azure virtual networks; design network security strategies for Azure; and design connectivity for hybrid Azure applications.


To learn more about Azure’s network services, you can read Microsoft’s documentation. Also watch for new Microsoft Azure courses on Cloud Academy, because we’re always publishing new courses. Please give this course a rating, and if you have any questions or comments, please let us know. Thanks and keep on learning!

About the Author

Guy launched his first training website in 1995 and he's been helping people learn IT technologies ever since. He has been a sysadmin, instructor, sales engineer, IT manager, and entrepreneur. In his most recent venture, he founded and led a cloud-based training infrastructure company that provided virtual labs for some of the largest software vendors in the world. Guy’s passion is making complex technology easy to understand. His activities outside of work have included riding an elephant and skydiving (although not at the same time).