Azure Networking, key concepts

1. Virtual Network (VNet)

What it is: A logically isolated network for your Azure resources — like a virtual version of a traditional on-premises network.

Key Components:

Subnets (e.g., App subnet, DB subnet)
IP address ranges (CIDR)
NSG (Network Security Groups)
Route Tables
Service Endpoints
Private Endpoints

Real-World Example:

You’re hosting a 3-tier web app:

Web App in App Subnet
API in Logic Apps/Subnet
DB in DB Subnet Use NSGs to allow only API access to DB and restrict all external traffic.

2. Network Security Group (NSG)

What it is: Rules that allow/deny traffic at subnet or NIC level.

Use Case: Allow port 443 only for public access to a web app, while port 1433 (SQL Server) is only open to internal subnet.

3. Azure Firewall vs NSG vs Application Gateway WAF

4. Application Gateway (Layer 7 Load Balancer)

With WAF (Web Application Firewall)

SSL Termination
Path-based routing
Rewrite headers, Custom probes

Real-World Example:

Use URL path-based routing to route:

/api/* → App Service A
/admin/* → App Service B

5. Azure Load Balancer

Types:

Basic — limited scope, non-zonal
Standard — zone-aware, HA

Use Case:

Backend VMs in VMSS behind Load Balancer for app scaling.

6. Azure Front Door (Global Anycast CDN + WAF)

Geo-redundant, works across regions
Smart routing (latency-based)
SSL offloading + Caching

Example:

Your web app is deployed in East US and West Europe. Azure Front Door automatically routes Indian users to East US (lowest latency).

7. Private Link / Private Endpoint

Securely access Azure PaaS (like Azure SQL, Blob, etc.) via private IP.

Use Case:

Your app in VNet needs to access an Azure SQL DB without exposing it to the public internet.

8. Service Endpoint vs Private Endpoint

Service endpoints

Service endpoints extend your virtual network private address space and the identity of your virtual network to the Azure services, over a direct connection. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Traffic from your virtual network to the Azure service always remains on the Microsoft Azure backbone network.

Azure Private Link

Azure Private Link enables you to access Azure PaaS Services (for example, Azure Storage and SQL Database) and Azure hosted customer-owned/partner services over a private endpoint in your virtual network. Traffic between your virtual network and the service travels through the Microsoft backbone network. Exposing your service to the public internet is no longer necessary. You can create your own private link service in your virtual network and deliver it to your customers.

9. ExpressRoute

Private dedicated fiber connection from on-prem to Azure (not over public internet).

Use Case: A bank hosts sensitive apps in Azure but uses ExpressRoute to comply with regulatory needs.

10. VPN Gateway

Site-to-site or point-to-site connection to Azure via IPsec/IKE.

Scenario: Your dev team connects from home via VPN Gateway for secure dev/

1. Virtual Network (VNet)

What it is: A logically isolated network for your Azure resources — like a virtual version of a traditional on-premises network.

Key Components:

Subnets (e.g., App subnet, DB subnet)
IP address ranges (CIDR)
NSG (Network Security Groups)
Route Tables
Service Endpoints
Private Endpoints

Real-World Example:

You’re hosting a 3-tier web app:

Web App in App Subnet
API in Logic Apps/Subnet
DB in DB Subnet Use NSGs to allow only API access to DB and restrict all external traffic.

2. Network Security Group (NSG)

What it is: Rules that allow/deny traffic at subnet or NIC level.

Use Case: Allow port 443 only for public access to a web app, while port 1433 (SQL Server) is only open to internal subnet.

3. Azure Firewall vs NSG vs Application Gateway WAF

4. Application Gateway (Layer 7 Load Balancer)

With WAF (Web Application Firewall)

SSL Termination
Path-based routing
Rewrite headers, Custom probes

Real-World Example:

Use URL path-based routing to route:

/api/* → App Service A
/admin/* → App Service B

5. Azure Load Balancer

Types:

Basic — limited scope, non-zonal
Standard — zone-aware, HA

Use Case:

Backend VMs in VMSS behind Load Balancer for app scaling.

6. Azure Front Door (Global Anycast CDN + WAF)

Geo-redundant, works across regions
Smart routing (latency-based)
SSL offloading + Caching

Example:

Your web app is deployed in East US and West Europe. Azure Front Door automatically routes Indian users to East US (lowest latency).

7. Private Link / Private Endpoint

Securely access Azure PaaS (like Azure SQL, Blob, etc.) via private IP.

Use Case:

Your app in VNet needs to access an Azure SQL DB without exposing it to the public internet.

8. Service Endpoint vs Private Endpoint

Service endpoints

Azure Private Link

9. ExpressRoute

Private dedicated fiber connection from on-prem to Azure (not over public internet).

Use Case: A bank hosts sensitive apps in Azure but uses ExpressRoute to comply with regulatory needs.

10. VPN Gateway

Site-to-site or point-to-site connection to Azure via IPsec/IKE.

Scenario: Your dev team connects from home via VPN Gateway for secure dev/