Azure Networking Concepts
Studying for AZ-104 or prepping for interviews? This post walks through the major Azure networking concepts using real-world analogies, because once you can see a concept in your head, you can explain it out loud.
Azure Virtual Network (VNet)
What it is: Your own private address space in the Azure cloud.
Analogy: A city where only your buildings (VMs, apps, databases) live. No one outside can enter unless you say so.
- You divide it into subnets (neighborhoods), each with its own address range.
- You control who enters each neighborhood: NSGs, route tables and service policies are applied per subnet.
Network Security Groups (NSG)
What it is: A set of rules that allow or deny network traffic, attached to a subnet or to a VM's network interface.
Analogy: A security guard at the entrance of each neighborhood or building.
- Inbound Rule: "Only let delivery trucks (TCP port 80) in."
- Outbound Rule: "Don't let anyone leave through port 22."
- Rules are evaluated separately for each direction, lowest priority number first; the first matching rule decides and the search stops.
- Every NSG ends with built-in default rules: inbound, traffic from the VNet and from the Azure load balancer is allowed and everything else is denied; outbound, traffic to the VNet and to the internet is allowed.
NSGs are stateful: if you let a connection in, the reply traffic is automatically allowed out, so you do not write a matching outbound rule for responses.
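The evaluation order above is the part people get wrong in interviews and in production, so here is a small simulator for it. This is an added example, not code from the original post: it models rule priority, first-match semantics and the default rules, but simplifies service tags (VirtualNetwork, AzureLoadBalancer and Internet are reduced to "inside the VNet or not") and ignores application security groups. The VNet, the rules and the packets are constructed sample data.

```python
"""Simulate how Azure evaluates NSG rules: lowest priority number first,
the first match decides, and the built-in default rules (65000-65500) come
last. Added example, not code from the original post. Simplified model:
one address prefix per side, service tags reduced to VirtualNetwork,
AzureLoadBalancer and Internet, no application security groups."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple

AZURE_LB_PROBE_IP = ip_address("168.63.129.16")  # Azure's documented platform/probe IP


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # custom rules use 100-4096; a lower number is evaluated first
    direction: str    # "Inbound" or "Outbound"
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # CIDR, service tag or "*"
    destination: str  # CIDR, service tag or "*"
    dest_port: str    # "22", "1024-65535" or "*"


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int


# The default rules every NSG carries; they cannot be deleted, only overridden
# by a custom rule with a lower priority number.
DEFAULT_RULES: List[Rule] = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def _addr_match(spec: str, addr: str, vnet) -> bool:
    ip = ip_address(addr)
    in_vnet = any(ip in net for net in vnet)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":      # the real tag also covers peered VNets and on-prem ranges
        return in_vnet
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_IP
    if spec == "Internet":            # simplification: anything outside the VNet
        return not in_vnet
    return ip in ip_network(spec, strict=False)


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(custom_rules: Iterable[Rule], pkt: Packet, vnet_prefixes: Iterable[str]) -> Tuple[str, str]:
    """Return (access, rule_name) for the first rule that matches pkt."""
    vnet = [ip_network(p) for p in vnet_prefixes]
    for r in sorted(list(custom_rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if r.direction != pkt.direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != pkt.protocol.lower():
            continue
        if (_addr_match(r.source, pkt.src_ip, vnet)
                and _addr_match(r.destination, pkt.dst_ip, vnet)
                and _port_match(r.dest_port, pkt.dst_port)):
            return r.access, r.name
    raise AssertionError("unreachable: the DenyAll default rules match everything")


# Constructed sample: a web subnet in VNet 10.0.0.0/16, bastion hosts in 10.0.100.0/24.
VNET = ["10.0.0.0/16"]
WEB_NSG = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "443"),
    Rule("DenySshFromInternet", 110, "Inbound", "Deny", "Tcp", "Internet", "*", "22"),
    Rule("AllowSshFromBastion", 200, "Inbound", "Allow", "Tcp", "10.0.100.0/24", "*", "22"),
    Rule("DenyInternetOutbound", 4000, "Outbound", "Deny", "*", "*", "Internet", "*"),
]


def check(direction: str, proto: str, src: str, dst: str, port: int) -> Tuple[str, str]:
    return evaluate(WEB_NSG, Packet(direction, proto, src, dst, port), VNET)


if __name__ == "__main__":
    for args in [("Inbound", "Tcp", "203.0.113.5", "10.0.1.4", 443),
                 ("Inbound", "Tcp", "203.0.113.5", "10.0.1.4", 22),
                 ("Inbound", "Tcp", "10.0.100.7", "10.0.1.4", 22),
                 ("Inbound", "Tcp", "10.0.2.9", "10.0.1.4", 3389),
                 ("Outbound", "Udp", "10.0.1.4", "8.8.8.8", 53)]:
        print(args, "->", check(*args))
```

The fourth probe is the one worth remembering: RDP from another subnet in the same VNet is allowed by the default AllowVnetInBound rule even though no custom rule mentions port 3389. If you want east-west isolation, you have to write an explicit deny with a number below 65000.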
User Defined Routes (UDR)
What it is: Custom routes, collected in a route table that you associate with a subnet, that override Azure's system routes.
Analogy: Like giving custom driving directions. "Don't take the highway, take the scenic route through my checkpoint."
- Route selection is longest prefix match; for the same prefix a UDR beats a BGP-learned route, which beats a system route.
- You can route all traffic through a firewall (a 0.0.0.0/0 route with next hop type Virtual appliance), even though Azure's default route would send it straight to the internet.
- Helps in forcing traffic inspection, logging, or monitoring.
Firewall VM / NVA
What it is: A virtual appliance (Azure Firewall or a third-party network virtual appliance) that filters traffic.
Analogy: A toll booth + security scanner for vehicles (packets).
- You use UDRs to send all outbound traffic (and east-west traffic between subnets, if you want it inspected) through it.
- You use NSGs to allow traffic into the appliance only from trusted sources.
- A self-managed NVA needs IP forwarding enabled on its NIC, or Azure drops packets that are not addressed to the VM itself.
Make sure traffic has a way back (a return route through the same appliance), or a stateful firewall sees only one half of the connection and drops it.
Internet Route (the "internet gateway")
What it is: Azure has no internet gateway resource to create or attach. Every subnet gets a system route for 0.0.0.0/0 with next hop type Internet, and that route plays the gateway role.
Analogy: A default highway exit that lets any resident leave the city.
- Every subnet has that exit unless you override it with a UDR for 0.0.0.0/0 (typically pointing at a firewall, or with next hop None to block internet egress entirely).
- Inbound from the internet still requires a public IP somewhere (on the VM, a load balancer, Application Gateway or the firewall).
- Microsoft is retiring implicit default outbound access for new VNets, so plan for an explicit egress path: NAT Gateway, a public IP, or a load balancer outbound rule.
Route Loops & Return Paths
What it is: A potential problem when traffic routes in circles, or when the reply takes a different path than the request.
Analogy: A mail truck that keeps getting redirected back to where it came from, forever.
- Azure does not detect loops for you. The classic mistake is a 0.0.0.0/0 route pointing at the firewall on the firewall's own subnet: the appliance forwards the packet, the route sends it straight back, and the packet bounces until its TTL runs out.
- Always define return routes carefully when using UDR + firewalls: if the request goes through the firewall but the reply takes the direct system route, the firewall never sees the reply and the connection fails.
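To make the UDR, NVA, internet-route and loop sections above concrete, here is a route-selection simulator for a small hub-and-spoke VNet with one firewall NVA. It is an added example, not code from the original post, and the topology (VNet 10.0.0.0/16, a firewall at 10.0.1.4, a web and a db subnet) is constructed for illustration. It implements longest prefix match with UDR-beats-system-route tie-breaking, traces a packet hop by hop through the NVA, and reports loops and asymmetric return paths; BGP-learned routes are left out of the model.

```python
"""Simulate Azure route selection for a hub-and-spoke VNet with a firewall
NVA: longest prefix match, UDR beats system route on a tie, and a hop-by-hop
trace that flags routing loops and asymmetric return paths. Added example,
not code from the original post; the VNet, subnets and addresses are
constructed for illustration. BGP-learned routes are left out of the model."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

SOURCE_RANK = {"User": 0, "Default": 2}  # lower wins on equal prefix length (BGP would be 1)


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str      # "VirtualNetwork", "Internet", "VirtualAppliance" or "None"
    next_hop_ip: str = ""   # only used for VirtualAppliance
    source: str = "User"    # "User" for a UDR, "Default" for an Azure system route


@dataclass
class Subnet:
    name: str
    prefix: str
    udrs: List[Route] = field(default_factory=list)


def effective_routes(subnet: Subnet, vnet_prefix: str) -> List[Route]:
    """System routes Azure adds to every subnet, plus the subnet's UDRs."""
    system = [Route(vnet_prefix, "VirtualNetwork", source="Default"),
              Route("0.0.0.0/0", "Internet", source="Default")]
    return system + subnet.udrs


def select_route(routes: List[Route], dst: str) -> Route:
    ip = ip_address(dst)
    matching = [r for r in routes if ip in ip_network(r.prefix)]
    return max(matching, key=lambda r: (ip_network(r.prefix).prefixlen, -SOURCE_RANK[r.source]))


def trace(subnets: List[Subnet], vnet_prefix: str, src: str, dst: str,
          max_hops: int = 16) -> Tuple[List[str], str]:
    """Follow a packet from subnet `src` towards `dst`; return (NVA hops, outcome)."""
    def subnet_of(ip: str) -> Optional[Subnet]:
        return next((s for s in subnets if ip_address(ip) in ip_network(s.prefix)), None)

    current = next(s for s in subnets if s.name == src)
    hops: List[str] = []
    seen = set()
    for _ in range(max_hops):
        r = select_route(effective_routes(current, vnet_prefix), dst)
        if r.next_hop_type == "VirtualAppliance":
            state = (current.name, r.next_hop_ip)
            if state in seen:           # same subnet handing the packet to the same NVA again
                return hops, "LOOP"
            seen.add(state)
            hops.append(r.next_hop_ip)
            nxt = subnet_of(r.next_hop_ip)
            if nxt is None:
                return hops, "DROPPED"  # next hop IP is not in this VNet
            current = nxt               # the NVA forwards using its own subnet's routes
            continue
        if r.next_hop_type == "VirtualNetwork":
            return hops, "DELIVERED"
        if r.next_hop_type == "Internet":
            return hops, "INTERNET"
        return hops, "DROPPED"          # next hop type None
    return hops, "LOOP"


def symmetric(subnets: List[Subnet], vnet_prefix: str,
              a_subnet: str, a_ip: str, b_subnet: str, b_ip: str) -> bool:
    """True if the reply traverses the same NVAs as the request, in reverse order."""
    fwd, _ = trace(subnets, vnet_prefix, a_subnet, b_ip)
    back, _ = trace(subnets, vnet_prefix, b_subnet, a_ip)
    return fwd == list(reversed(back))


VNET = "10.0.0.0/16"
FW = "10.0.1.4"  # constructed private IP of the firewall NVA in the firewall subnet


def via_fw(prefix: str) -> Route:
    return Route(prefix, "VirtualAppliance", FW)


def hub_spoke(db_return_udr: bool = True, fw_subnet_default_to_fw: bool = False) -> List[Subnet]:
    """Constructed topology: firewall subnet, web subnet and db subnet in one VNet."""
    fw_subnet = Subnet("fw", "10.0.1.0/24", [via_fw("0.0.0.0/0")] if fw_subnet_default_to_fw else [])
    web = Subnet("web", "10.0.2.0/24", [via_fw("0.0.0.0/0"), via_fw("10.0.3.0/24")])
    db = Subnet("db", "10.0.3.0/24", [via_fw("10.0.2.0/24")] if db_return_udr else [])
    return [fw_subnet, web, db]


if __name__ == "__main__":
    good = hub_spoke()
    print(trace(good, VNET, "web", "8.8.8.8"))
    print(trace(good, VNET, "web", "10.0.3.10"))
    print(symmetric(good, VNET, "web", "10.0.2.5", "db", "10.0.3.10"))
    print(symmetric(hub_spoke(db_return_udr=False), VNET, "web", "10.0.2.5", "db", "10.0.3.10"))
    print(trace(hub_spoke(fw_subnet_default_to_fw=True), VNET, "web", "8.8.8.8"))
```

Two of the runs are the failure modes from the text: with `db_return_udr=False` the web-to-db request is inspected but the db-to-web reply takes the system route and bypasses the firewall, and with `fw_subnet_default_to_fw=True` the firewall subnet hands internet-bound packets back to the firewall forever. Nothing in Azure warns you about either; you find them with effective-route checks like this one, or with a dropped connection.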
VNet Peering
What it is: A way to connect two VNets privately over the Azure backbone.
Analogy: Building a bridge between two cities so they can share roads, water, electricity, but still govern themselves.
- Low latency, high-speed connection; the VNets can be in different regions (global peering) or different subscriptions
- Peering is not transitive: A-B plus B-C does not give A-C, which is why hub-and-spoke designs route spoke-to-spoke traffic through a hub firewall
- Address spaces must not overlap
- Great for multi-region or multi-team setups
Service Endpoints
What it is: A way for a subnet to reach Azure PaaS services (like Storage, SQL) over Azure's backbone instead of the public internet.
Analogy: Imagine using a private tunnel inside Azure's campus to reach the post office (Storage), even though the post office still has a public entrance.
- Enabled per subnet, per service (for example Microsoft.Storage); traffic then arrives at the service with the VM's private IP as source.
- You still need to allow the subnet in the service's firewall.
- Doesn't give the service a private IP: the service keeps its public IP and public DNS name, and can still be reached from anywhere the service firewall allows.
Private Endpoint
What it is: A network interface in your VNet with a private IP that connects to one specific Azure service instance (Private Link).
Analogy: You move the post office inside your own city. Now only people from your city can go there, and you can remove its public entrance.
- Best for truly private connections; combine it with the service firewall set to deny public access, because creating the endpoint alone does not close the public one
- Needs DNS to resolve the name (e.g., storageaccount.blob.core.windows.net) to the new private IP: the public name becomes a CNAME to storageaccount.privatelink.blob.core.windows.net, and a private DNS zone (privatelink.blob.core.windows.net) linked to the VNet answers with the private IP
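The DNS point is where most private endpoint rollouts break, so here is a resolver simulation showing the CNAME chain with and without the privatelink zone linked to the VNet. This is an added example, not code from the original post; the zone contents, the account name contoso01, the backend host name and all IP addresses are constructed for illustration. A linked private zone is consulted before the public zone, which is how Azure-provided DNS behaves inside a VNet.

```python
"""Simulate name resolution for a storage account behind a private endpoint,
with and without the privatelink private DNS zone linked to the VNet.
Added example, not code from the original post; zone contents, the account
name contoso01 and all IPs are constructed for illustration."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]  # (record type, value)

# Constructed public DNS view. Once a private endpoint exists, the public name
# becomes a CNAME into the privatelink zone, which on the public internet still
# ends at the service's public IP.
PUBLIC_ZONE: Dict[str, Record] = {
    "contoso01.blob.core.windows.net": ("CNAME", "contoso01.privatelink.blob.core.windows.net"),
    "contoso01.privatelink.blob.core.windows.net": ("CNAME", "blob.example-cluster.store.core.windows.net"),
    "blob.example-cluster.store.core.windows.net": ("A", "203.0.113.7"),  # constructed public IP
}

# Constructed Azure Private DNS zone privatelink.blob.core.windows.net, linked to the VNet.
PRIVATE_ZONE: Dict[str, Record] = {
    "contoso01.privatelink.blob.core.windows.net": ("A", "10.0.4.5"),  # the private endpoint NIC
}


def resolve(name: str, private_zone: Optional[Dict[str, Record]],
            max_chain: int = 8) -> Tuple[str, List[str]]:
    """Follow CNAMEs to an A record; return (ip, names visited)."""
    chain = [name]
    for _ in range(max_chain):
        # a linked private zone answers first, then the public zone
        rec = (private_zone or {}).get(name) or PUBLIC_ZONE.get(name)
        if rec is None:
            raise LookupError(f"NXDOMAIN: {name}")
        rtype, value = rec
        if rtype == "A":
            return value, chain
        name = value
        chain.append(name)
    raise LookupError("CNAME chain too long")


def access_path(name: str, private_zone: Optional[Dict[str, Record]],
                vnet_prefix: str = "10.0.0.0/16") -> str:
    """Where a client inside the VNet would actually send its traffic."""
    ip, _ = resolve(name, private_zone)
    if ip_address(ip) in ip_network(vnet_prefix):
        return "private endpoint"
    return "public endpoint (blocked if the storage firewall denies public networks)"


if __name__ == "__main__":
    name = "contoso01.blob.core.windows.net"
    print(resolve(name, PRIVATE_ZONE))
    print(resolve(name, None))
    print(access_path(name, PRIVATE_ZONE))
    print(access_path(name, None))
```

The second resolution is the common outage: the private endpoint exists, the storage firewall has been set to deny public networks, but the zone is not linked to the VNet (or the VM uses a custom DNS server that does not forward to Azure DNS), so clients get the public IP and fail with 403. Checking what the name resolves to from inside the VNet is the first diagnostic step.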
App Service Networking
Azure Web Apps are PaaS services: they live outside your VNet unless you configure them.
VNet Integration
What it is: Allows your Web App to reach private resources inside a VNet.
Analogy: Giving your coffee shop (Web App) a side door to visit other places in the city.
- Egress only (the app can reach out; nothing reaches the app through the integration)
- Good for calling DBs or private APIs
Private Endpoint for Web App
What it is: Gives your Web App a private IP so that only clients in the VNet (or networks connected to it) can reach it.
Analogy: You move your coffee shop inside a secure business park. Only employees inside can visit.
- Use this to lock down front-end access
- Combine with access restrictions (public network access disabled) for full lockdown
VPN Gateway
What it is: A gateway that terminates encrypted IPsec/IKE tunnels: site-to-site (your office to Azure), point-to-site (individual clients) or VNet-to-VNet.
Analogy: A secure underground tunnel from your office to your Azure city.
- Uses the public internet but encrypts the tunnel
- Great for hybrid connectivity
- Lower bandwidth and less predictable latency than ExpressRoute, because it rides the internet
ExpressRoute
What it is: A dedicated private connection to Azure through a connectivity provider.
Analogy: A high-speed private bullet train from your corporate HQ straight to Azure.
- More reliable; traffic never traverses the public internet
- Private is not the same as encrypted: add MACsec (ExpressRoute Direct) or IPsec over ExpressRoute if you need encryption in transit
- Used by banks, hospitals, large enterprises
Hybrid Connections
What it is: A way for Web Apps to reach on-prem services over TCP, without VNet integration.
Analogy: Think of it like a walkie-talkie between your app and your internal database.
- Lightweight, easy to set up: an agent on-prem (Hybrid Connection Manager) opens an outbound connection to Azure Relay, so no inbound firewall holes are needed
- Limited use cases (one host:port per connection, TCP only, app-to-on-prem direction only)
Azure DNS & Records
Analogy: DNS is like a phonebook that converts names (e.g., myapp.com) to phone numbers (IP addresses).

| Record Type | Analogy |
|---|---|
| A | Direct phone number |
| CNAME | Nickname or alias |
| MX | Where to send mail |
| NS | Directory for a neighborhood (who is authoritative for a subdomain) |

Use public Azure DNS zones for custom domains and DNS delegation, and Azure Private DNS zones (linked to VNets) for private name resolution, including the privatelink zones that private endpoints depend on.
Storage Access Types

| Type | Analogy | Who Can Access |
|---|---|---|
| Anonymous Access | The front door is wide open | Anyone |
| SAS Token | A time-bound guest pass, reusable until it expires or the signing key is rotated | Anyone with the link |
| Service Endpoint | A side tunnel for residents of your subnet | Your allowed subnets only |
| Private Endpoint | You relocated the storage unit inside your city | Private IP only |

Turn anonymous access off, give SAS tokens short lifetimes and the minimum permissions (or tie them to a stored access policy so they can be revoked), and use a private endpoint for secure architectures.
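Because a SAS is a bearer credential (anyone with the link can use it until it expires), it is worth auditing the ones your systems hand out. Here is an added example, not code from the original post, that inspects the query parameters of a SAS URL against a simple policy: HTTPS only, short lifetime, read-only, scoped to one resource, and bound to a source IP. It does not verify the HMAC in `sig` (that requires the account key), and the two sample URLs are constructed with placeholder signatures.

```python
"""Audit a shared access signature URL for the properties that make a SAS
safe to hand out: expiry, lifetime, permissions, HTTPS-only and source IP.
Added example, not code from the original post; it inspects the query
parameters only and does not verify the HMAC in sig (that needs the account
key). The sample URLs are constructed and their signatures are placeholders."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

MUTATING = set("wdacu")  # sp letters: write, delete, add, create, update


def parse_sas(url: str) -> Dict[str, str]:
    """Single-valued view of the SAS query parameters (sv, sp, se, sig, ...)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def _parse_time(value: str) -> datetime:
    # Azure uses ISO 8601 UTC, e.g. 2025-01-01T00:30:00Z or a bare date
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def audit_sas(url: str, now: datetime, max_lifetime: timedelta = timedelta(hours=1)) -> List[str]:
    """Return a list of findings; an empty list means the SAS meets the policy."""
    p = parse_sas(url)
    if "sig" not in p:
        return ["no sig parameter: not a SAS URL"]
    findings: List[str] = []
    if p.get("spr") != "https":
        findings.append("spr is not https: the token may be sent over plain HTTP")
    if "ss" in p or "srt" in p:
        findings.append("account SAS (ss/srt): prefer a service SAS scoped to one blob or container")
    bad = MUTATING & set(p.get("sp", ""))
    if bad:
        findings.append(f"grants mutating permissions: {''.join(sorted(bad))}")
    if "se" in p:
        expiry = _parse_time(p["se"])
        if expiry <= now:
            findings.append("expired")
        elif expiry - now > max_lifetime:
            findings.append(f"lifetime {expiry - now} exceeds policy of {max_lifetime}")
    elif "si" not in p:
        findings.append("no expiry (se) and no stored access policy (si)")
    if "sip" not in p:
        findings.append("no sip: any IP that obtains the link can use it")
    return findings


NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed reference time

# Constructed sample: the kind of SAS a "just make it work" script generates.
WEAK_SAS = ("https://contoso01.blob.core.windows.net/uploads/report.pdf"
            "?sv=2022-11-02&sr=b&sp=rwdl&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER")

# Constructed sample: read-only, 30-minute, HTTPS-only, pinned to one client IP.
TIGHT_SAS = ("https://contoso01.blob.core.windows.net/uploads/report.pdf"
             "?sv=2022-11-02&sr=b&sp=r&st=2024-12-31T23:00:00Z&se=2025-01-01T00:30:00Z"
             "&spr=https&sip=203.0.113.10&sig=PLACEHOLDER")


if __name__ == "__main__":
    for label, url in [("weak", WEAK_SAS), ("tight", TIGHT_SAS)]:
        print(label, audit_sas(url, NOW) or ["ok"])
```

Two operational notes go with this: never log the full SAS URL (the `sig` value is the credential), and remember that rotating the account key, or deleting the stored access policy a SAS was issued under, is the only way to revoke a token before `se`.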
Resource Firewalls
What it is: Network rules on the service itself (Storage, Key Vault, SQL, etc.), evaluated in addition to any NSG on the client side.
Analogy: Only let specific delivery trucks (subnets/IPs) into the building.
- Allow specific subnets via service endpoints, or specific public IP ranges
- Or allow only private endpoint access
- The out-of-the-box setting accepts traffic from all networks, so set the default action to Deny explicitly and then add the exceptions you need
Final Cheat Sheet for AZ-104 + Interviews

| Concept | Think Of It Like... | Why It Matters |
|---|---|---|
| VNet/Subnet | A city with neighborhoods | Base for everything |
| NSG | Security guards | Traffic control |
| UDR | Custom GPS routes | Redirect for inspection |
| Firewall VM | Toll booth + scanner | Enforce security |
| Private Endpoint | Moving the service into your city | True private access |
| Service Endpoint | Private tunnel to a public building | Simple secure access |
| Peering | Road between cities | Multi-VNet comms |
| VPN Gateway | Tunnel from office | On-prem hybrid |
| ExpressRoute | Bullet train from HQ | Fast, reliable hybrid |
| SAS Token | Temporary access badge | Scoped sharing |