Last updated: May 2026

Azure Networking Overview

Networking is the backbone of everything in Azure. Every VM, every database, every app service communicates through Azure's networking layer. Understanding how Azure networking works — VNets, subnets, security groups, load balancers, gateways — is one of the most important skills for AZ-104 and for real-world Azure architecture. This overview maps out the entire networking landscape before you dive into each service.

What you'll learn: The Azure networking stack from the ground up · VNets and subnets · Network security · Load balancing options · Connectivity services (VPN, ExpressRoute) · DNS in Azure · Traffic routing services · How all components fit together in a real architecture

The Azure Networking Stack

Azure networking works in layers — each layer handles a different aspect of connectivity. Think of it like this:

| Layer | What It Does | Azure Services |
|---|---|---|
| Connectivity | Connect resources together or to on-premises | VNet, VNet Peering, VPN Gateway, ExpressRoute |
| Security | Control what traffic is allowed | NSG, Azure Firewall, DDoS Protection |
| Load Balancing | Distribute traffic across multiple backends | Load Balancer, Application Gateway, Front Door, Traffic Manager |
| Name Resolution | Translate names to IP addresses | Azure DNS, Private DNS Zones |
| Monitoring | Observe network behaviour | Network Watcher, Flow Logs, Connection Monitor |

Core Networking Components

Virtual Network (VNet)

A VNet is your private network in Azure — an isolated, logically defined network that your Azure resources live in. All VMs, databases, and other resources must be in a VNet to communicate privately. A VNet has an IP address space (e.g., 10.0.0.0/16) which you divide into subnets.

Subnet

A subnet is a segment within a VNet. You deploy resources into specific subnets to organise them and apply security policies. For example: a web subnet for front-end VMs, an app subnet for application servers, a data subnet for databases.

Network Interface Card (NIC)

Every VM has at least one NIC — the virtual network adapter connecting it to a subnet. The NIC has a private IP (from the subnet) and optionally a public IP.

Public IP Address

Resources need a public IP to be reachable from the internet. Public IPs can be dynamic (changes on stop/start) or static (fixed). Standard SKU is recommended for production.

Network Security Layer

Network Security Group (NSG)

An NSG is a virtual firewall — a set of inbound and outbound rules that allow or deny network traffic. NSGs can be applied to subnets or individual NICs. Rules are evaluated in priority order (lower number = higher priority).

Azure Firewall

A managed, cloud-native network firewall with advanced features — FQDN filtering, threat intelligence, central policy management across VNets. More powerful than NSGs but costs more.

Azure DDoS Protection

Protects Azure resources from Distributed Denial of Service attacks. Basic tier is free and automatically applied. Standard tier adds adaptive tuning, attack analytics, and SLA guarantees.

Load Balancing Options

Azure has four load balancing services — choosing the right one depends on the traffic type and use case:

| Service | Layer | Scope | Best For |
|---|---|---|---|
| Azure Load Balancer | Layer 4 (TCP/UDP) | Regional | Internal/external VM load balancing |
| Application Gateway | Layer 7 (HTTP/HTTPS) | Regional | Web apps, URL-based routing, WAF |
| Azure Front Door | Layer 7 (HTTP/HTTPS) | Global | Global web apps, CDN, WAF |
| Traffic Manager | DNS-based | Global | DNS routing between regions/endpoints |

Quick Decision Guide: Non-HTTP traffic or internal VMs → Load Balancer · HTTP/HTTPS within one region → Application Gateway · HTTP/HTTPS globally or need CDN → Front Door · Multi-region DNS failover → Traffic Manager

Hybrid Connectivity

VNet Peering

Connects two VNets so resources in each can communicate privately. Traffic stays on Microsoft's backbone — low latency, no internet. Can peer VNets in the same region (regional peering) or different regions (global peering).

VPN Gateway

Creates an encrypted tunnel over the internet between your on-premises network and Azure VNet (Site-to-Site VPN), or between individual computers and Azure (Point-to-Site VPN).

Azure ExpressRoute

A dedicated private connection from your on-premises network to Azure — not over the internet. Higher bandwidth, lower latency, and consistent performance compared to VPN. More expensive and requires working with a connectivity provider.

DNS in Azure

Azure DNS

Host your public DNS domains in Azure. Manage DNS records (A, CNAME, MX, TXT) for your custom domains using Azure infrastructure.

Private DNS Zones

DNS resolution for private resources within VNets. Allows VMs to resolve each other by name (e.g., vm1.internal.com) without going through public DNS.

Traffic Routing Services

Route Tables (UDR — User Defined Routes)

Override Azure's default routing to force traffic through specific paths — for example, route all outbound traffic through Azure Firewall for inspection.
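
An added example (not from the original page): a simplified model of how Azure picks the effective route, longest prefix match first and then user-defined over BGP over system routes. It shows why a 0.0.0.0/0 route to the firewall on its own leaves VM-to-VM traffic inside the VNet uninspected. The prefixes, the firewall IP and the source labels are constructed for illustration.

```python
import ipaddress

# When two matching routes have the same prefix length, Azure prefers
# user-defined routes over BGP routes over system routes.
SOURCE_RANK = {"User": 0, "BGP": 1, "System": 2}

FIREWALL = "VirtualAppliance:10.0.100.4"  # constructed firewall private IP

# System routes every subnet gets (subset): VNet address space and internet default.
SYSTEM_ROUTES = [
    {"prefix": "10.0.0.0/16", "next_hop": "VirtualNetwork", "source": "System"},
    {"prefix": "0.0.0.0/0", "next_hop": "Internet", "source": "System"},
]

def next_hop(routes, dest_ip):
    """Pick the effective route: longest prefix match, then source preference."""
    dest = ipaddress.ip_address(dest_ip)
    matches = [r for r in routes if dest in ipaddress.ip_network(r["prefix"])]
    if not matches:
        return None
    best = min(
        matches,
        key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen,
                       SOURCE_RANK[r["source"]]),
    )
    return best["next_hop"], best["source"]

# Route table with only a default route to the firewall.
udr_default_only = SYSTEM_ROUTES + [
    {"prefix": "0.0.0.0/0", "next_hop": FIREWALL, "source": "User"},
]

# Adding a route for the VNet prefix also steers subnet-to-subnet traffic.
udr_with_vnet = udr_default_only + [
    {"prefix": "10.0.0.0/16", "next_hop": FIREWALL, "source": "User"},
]

if __name__ == "__main__":
    for label, table in (("default only", udr_default_only), ("with VNet route", udr_with_vnet)):
        for dest in ("198.51.100.10", "10.0.2.4"):  # internet host, VM in another subnet
            print(label, dest, next_hop(table, dest))
```

With the default-only table, traffic to 10.0.2.4 still follows the more specific system route for the VNet address space, so the firewall never sees it.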

Service Endpoints

Extend VNet identity to Azure services (Storage, SQL) so traffic between your VNet and those services travels on the Microsoft backbone rather than the internet — without needing private endpoints.

Private Endpoints

Give Azure services (Storage, SQL, Key Vault) a private IP within your VNet. Completely removes public internet exposure for those services.

Typical Azure Network Architecture

A typical production architecture layers these services together:

| Layer | Service | Purpose |
|---|---|---|
| Global entry | Azure Front Door | Global HTTP routing, WAF, CDN |
| Regional load balancing | Application Gateway | URL routing, SSL termination, WAF |
| Web tier subnet | VMs + NSG | Web servers, allow port 80/443 inbound |
| App tier subnet | VMs + NSG | App servers, allow only from web tier |
| Data tier subnet | SQL + NSG | Databases, allow only from app tier |
| Management subnet | Azure Bastion | Secure admin access, no public ports |
| On-premises link | VPN Gateway / ExpressRoute | Hybrid connectivity |
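
An added example (not from the original page) that models the NSG priority evaluation described earlier against the app-tier row above. It shows that an allow rule for the web tier alone does not give "allow only from web tier", because the built-in AllowVnetInBound rule at priority 65000 still admits the other subnets. The subnet prefixes, port 8080 and custom rule names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int   # lower number is evaluated first
    name: str
    source: str     # CIDR prefix, or "*" for any source
    port: object    # destination port number, or "*" for any port
    action: str     # "Allow" or "Deny"

# Constructed address plan for the three tiers (assumption, not from the page).
VNET, WEB, APP, DATA = "10.0.0.0/16", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"

# Azure's built-in inbound defaults, simplified: the VirtualNetwork service tag
# is modelled as the VNet CIDR and the load balancer rule (65001) is omitted.
DEFAULTS = [
    Rule(65000, "AllowVnetInBound", VNET, "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "Deny"),
]

def evaluate(custom_rules, src_ip, port):
    """Return (action, rule name) for the first rule that matches, by priority."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(custom_rules + DEFAULTS, key=lambda r: r.priority):
        src_ok = rule.source == "*" or src in ipaddress.ip_network(rule.source)
        port_ok = rule.port == "*" or rule.port == port
        if src_ok and port_ok:
            return rule.action, rule.name
    return "Deny", "NoMatch"  # unreachable while DenyAllInBound is present

# App-tier NSG with only the intended allow rule (port 8080 is an assumption).
app_nsg_weak = [Rule(100, "AllowWebToApp", WEB, 8080, "Allow")]

# Hardened: deny the rest of the VNet before default rule 65000 can allow it.
app_nsg_hardened = app_nsg_weak + [Rule(4000, "DenyOtherVnet", VNET, "*", "Deny")]

if __name__ == "__main__":
    for label, nsg in (("weak", app_nsg_weak), ("hardened", app_nsg_hardened)):
        for src in ("10.0.1.4", "10.0.3.4", "203.0.113.9"):  # web VM, data VM, internet
            print(label, src, evaluate(nsg, src, 8080))
```

In a real NSG the deny rule would use the VirtualNetwork service tag as its source rather than a literal CIDR.
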

AZ-104 Exam Tip: Azure Networking is the most heavily tested area in AZ-104. Know VNets, subnets, NSGs thoroughly. Understand the four load balancing services and when to use each. Know the difference between VNet Peering, VPN Gateway, and ExpressRoute. These concepts appear in nearly every practice exam.

Practice Questions

AZ-104 style questions.

Q1. Which Azure service provides Layer 7 (HTTP/HTTPS) load balancing with Web Application Firewall at the global level?
A. Azure Load Balancer
B. Application Gateway
C. Azure Front Door
D. Traffic Manager

Q2. What is the difference between VNet Peering and VPN Gateway for connecting two VNets?
A. VNet Peering is more expensive but provides higher bandwidth
B. VNet Peering uses Microsoft backbone (faster, cheaper); VPN Gateway creates an encrypted tunnel (more overhead)
C. VNet Peering only works within the same region; VPN Gateway works globally
D. VPN Gateway supports cross-subscription VNets; VNet Peering does not

Q3. Which service provides a dedicated private connection from on-premises to Azure — not over the internet?
A. VPN Gateway
B. VNet Peering
C. Azure ExpressRoute
D. Azure Bastion

Q4. A company needs to route internal VM-to-VM traffic through Azure Firewall for inspection. What networking feature enables this?
A. Network Security Groups (NSG)
B. User Defined Routes (Route Tables)
C. Service Endpoints
D. Private Endpoints

Q5. What is the purpose of Azure Private DNS Zones?
A. To host public DNS domains for internet-facing websites
B. To resolve private resource names within VNets without public DNS
C. To block DNS lookups from reaching the internet
D. To protect DNS servers from DDoS attacks

Disclaimer: RedKite Cloud is an independent educational resource and is not affiliated with Microsoft Corporation.