aka.

ms/AFUN20 #MSIgnite
Azure Networking Basics
Christina Warren
Senior Cloud Advocate, Microsoft
@film_girl

aka.ms/AFUN20 #MSIgnite
Resources

Session Resources Hub

aka.ms/AFUN20

Session Code on GitHub

aka.ms/AFUN20Repo

All Event Session Resources 

aka.ms/mymsignitethetour

aka.ms/AFUN20 #MSIgnite
High Level Azure Services
Management Platform as a Services (PaaS) Security
Azure Security
Monitor Compute/Containers Web/Mobile DevOps/Developer Center

Log Functions Kubernetes Lab

Web Apps Logic Apps API Apps Azure DevOps Azure AD
Analytics Service Services

Azure Container Notification SignalR Application Azure AD for

Instance Service Fabric Mobile Apps SDK
Policy Hubs Service Insights Domain Services

Azure Azure AD
Bluepirnts Integration IoT AI Analytics Data Services B2C

Azure API Cognitive SQL Data SQL SQL Data DDoS

Logic Apps IoT Hub
Backup Management Services Warehouse Database Warehouse Protection

Site Machine Azure Database for

Service Bus Event Grid IoT Central Cosmos DB Key Vault
Recovery Learning Studio Databricks MySQL

Azure Time Series Machine Apache Database for Multi-Factor

Migrate Media/CDN Insights Learning Service Spark PostgreSQL Data Factory Authentication

Databox Content Azure Bot Stream Database for Azure Cache

Media Services Azure ATP
Family Protection Digital Twins Services Analytics MariaDB for Redis

Cost Content Delivery Azure Data Lake Database Table Role- based
Video Indexer IoT Edge
Management Network Search Storage Gen2 Migration Service Storage access control

Infrastructure as a Services (IaaS)

Compute Storage Networking
Virtual Linux
Disk Managed Virtual VPN Express Load Azure Virtual Network
Machine Virtual
Storage Disks Network Gateway Route Balancer Firewall WAN Watcher
Scale Sets Machine

Azure Datacenter Infrastructure

aka.ms/AFUN20 #MSIgnite
What is an Azure Network
and how do you plan for it?

aka.ms/AFUN20 #MSIgnite
The Azure Virtual Network

Azure Virtual Network enables you to create

private networks in the cloud with full control
over IP addresses, DNS servers, security rules,
and traffic flows

aka.ms/AFUN20 #MSIgnite
Naming
All Azure Resources have a name. The name must be unique within a
scope, but that can differ for each resource type

Virtual network names must be unique within a resource group but

can be duplicated between a subscription or
Azure region

Define and use a consistent naming convention so that

it’s easier to manage resources as you grow your network

aka.ms/AFUN20 #MSIgnite
Regions
A region is an Azure data center within a specific geographic location.
All Azure resources are created
in an Azure region and subscription

A resource can only be created in a virtual network that exists in the

same region and subscription as the resource

You can however, connect virtual networks that exist

in different subscriptions and regions

aka.ms/AFUN20 #MSIgnite
aka.ms/AFUN20 #MSIgnite
Subscriptions
You can deploy as many virtual networks as required within each
subscription, up to the limit, which varies per service
See https://aka.ms/netlimits

You can create multiple virtual networks per subscription and per
region and you can create multiple subnets within each virtual
network

aka.ms/AFUN20 #MSIgnite
/Upcoming Session alert

AFUN70: Keeping Costs Down in Azure

9:15– 10:00am Wednesday OCC W420/Chapin Theatre

AFUN80: What You Need to Know About Governance in Azure

10:30 - 11:15 am Wednesday OCC W420/Chapin Theatre

aka.ms/AFUN20 #MSIgnite
Exploring the Azure
Networking Portal
Christina Warren

aka.ms/AFUN20 #MSIgnite
Azure Connectivity Options

aka.ms/AFUN20 #MSIgnite
Virtual Network to Virtual Network (VNet Peering)

Virtual network peering enables you to seamlessly connect two

Azure virtual networks. Once peered, the virtual networks
appear as one, for connectivity purposes
• VNet peering—connecting VNets within the same Azure region
• Global VNet peering—connecting VNets across Azure regions

After virtual networks are peered, resources in either virtual network

can directly connect with resources in the peered virtual network

aka.ms/AFUN20 #MSIgnite
VNet Peering 

aka.ms/AFUN20 #MSIgnite
VPN Connections—Hybrid Networking Scenarios

Cloud Customer Segment & workloads

Secure point-to-site • Developers

connectivity • Small scale deployments
Virtual network (Point-to-Site) • Connect from anywhere

Secure site-to-site • SMB, Enterprises

VPN connectivity • Connect to Azure compute
Virtual network (Site-to-Site) • IaaS and PaaS workloads

• SMB & Enterprises

Private site-to-site • Mission critical workloads
connectivity • Backup/DR, media, HPC
ExpressRoute • Connect to all hardware

aka.ms/AFUN20 #MSIgnite
Site-to-Site VPN to Azure VNet (VPN Gateway)
A VPN gateway is a virtual network gateway that is used to
send encrypted traffic between an Azure virtual network
and an on-premises location over the public Internet

You can also use a VPN gateway to send encrypted traffic between
Azure virtual networks over the Microsoft network

Each virtual network can only have one VPN gateway, but you can
create multiple connections to the same gateway

aka.ms/AFUN20 #MSIgnite
What is Azure ExpressRoute?

Use Azure ExpressRoute to create private

connections between Azure data centers
and infrastructure on your environment.
ExpressRoute connections don’t go over
the public Internet, and they offer more
reliability, faster speeds and lower latencies
than typical Internet connections

aka.ms/AFUN20 #MSIgnite
ExpressRoute or Site-to-Site VPN Gateway?

ExpressRoute is a direct, private connection from your

WAN to Microsoft Services

ExpressRoute is a direct, private connection from your

WAN to Microsoft Services

A VPN Gateway has bandwidth is typically capped at under 1Gbps

aggregate, whereas ExpressRoute can go all the way up to 10Gbps

Pricing varies depending on the service you choose

aka.ms/AFUN20 #MSIgnite
 You can use them together

aka.ms/AFUN20 #MSIgnite
Azure CDN

aka.ms/AFUN20 #MSIgnite
Azure CDN

Azure Content Delivery Network (CDN) offers developers a global

solution for rapidly delivering high-bandwidth content to users by
caching their content at strategically placed physical nodes across
the world
Offers dynamic site acceleration, CDN caching rules, HTTPS custom
domain support, geo-filtering, file compression, and diagnostic logs

Offerings include Azure CDN Standard from Microsoft, Azure CDN

Standard from Akamai, Azure CDN Standard from Verizon, and
Azure CDN Premium from Verizon

aka.ms/AFUN20 #MSIgnite
Connect a CDN to an
Existing Storage Account
Christina Warren

aka.ms/AFUN20 #MSIgnite
Security

aka.ms/AFUN20 #MSIgnite
Network Security
Network security

Network Security Groups

Network Virtual appliances

Routing​ tables

Border gateway protocol

(BGP) routes

aka.ms/AFUN20 #MSIgnite
Filter Traffic
Network Security Groups

With Network Security

Groups, multi-tier
application architectures
can be hosted in Azure 

aka.ms/AFUN20 #MSIgnite
Network Virtual Appliances
Overview
 VMs that perform specific network functions
 Focus: Security (Firewall, IDS, IPS), Router/VPN, ADC
(Application Delivery Controller), WAN Optimization
 First and third-party appliances

Scenarios
 IT policy and compliance—consistency between
on-premises and Azure
 Supplement/complement Azure capabilities

Azure Marketplace
 Available through Azure Certified program to ensure
quality and simplify deployment
 You can also bring your own appliance and license

aka.ms/AFUN20 #MSIgnite
Routing Traffic
Routing tables

Routing Table Dest 1

Client 1
Route 1 Route 2

Next Hop 1
Next Hop 3
Next Hop 2

Next Hop
List
aka.ms/AFUN20 #MSIgnite
Routing Traffic
Border gateway protocol (BGP) routes

aka.ms/AFUN20 #MSIgnite
/Upcoming Session alert

AFUN40: Azure Security Fundamentals

1:00 – 1:45pm OCCC WF 1-2 (Tangerine Ballroom)

aka.ms/AFUN20 #MSIgnite
Managing and Optimizing

aka.ms/AFUN20 #MSIgnite
Resiliency
The ability of a system to recover from failures and continue
to function. It's not about avoiding failures, but responding
to failures in a way that avoids downtime or data loss

Disaster recovery High availability

The ability to recover from rare, The ability for an app to continue running in
but major incidents a healthy state, without significant downtime

aka.ms/AFUN20 #MSIgnite
Azure Load Balancer
Allows you to scale your applications and create high availability
and resiliency for your services and applications
Public
A public Load Balancer maps the public
IP address and port number of incoming
traffic to the private IP address and port
number of the VM and vice versa.

Internal
An internal Load Balancer directs traffic
only to resources that are inside a virtual
network or that use a VPN to access
Azure infrastructure.

aka.ms/AFUN20 #MSIgnite
Public Load Balancer
A public Load Balancer maps the public IP address and port number of incoming traffic
to the private IP address and port number of the VM

Automatic reconfiguration
Instantly reconfigures itself as you scale
instance up or down

Outbound connections (SNAT)

All outbound flows from private IP addresses
inside your virtual network to public IP
addresses on the internet can be translated
to a frontend IP address of the Load Balancer

Default Distribution Mode

Azure Load Balancer distributes traffic
evenly amongst multiple VM instance

aka.ms/AFUN20 #MSIgnite
Internal Load Balancer
An internal Load Balancer directs traffic only to resources inside a virtual
network or that use a VPN to access Azure infrastructure

Within a virtual network

Cross-premises virtual network

Multi-tier applications

Line-of-business applications

aka.ms/AFUN20 #MSIgnite
Azure Application Gateway (V2)
Azure Application Gateway is a web traffic load balancer that
enables you to manage traffic to your web applications

Scalable

Web Application Firewall

SSL Offload

Integrated with Other Azure services

aka.ms/AFUN20 #MSIgnite
Azure Availability Zones
Fault-isolated locations within
an Azure region

Redundant power, networking,

cooling, and networking

99.99% SLA on virtual

machines

aka.ms/AFUN20 #MSIgnite
Azure Traffic Manager
Azure Traffic Manager is a DNS-based traffic load balancer that enables
you to distribute traffic optimally to services across global Azure regions

Global DNS load balancing

Automatic failover when an endpoint goes down

Combine with hybrid applications

Supports external, non-Azure endpoints so
that it can be used with hybrid cloud and
on-premises deployments

Distribute traffic for complex deployments

Use nested Traffic Manager profiles for sophisticated,
flexible rules for complex deployments

aka.ms/AFUN20 #MSIgnite
Azure Front Door
Azure Front Door Service provides a scalable and secure entry point
for fast delivery of your global web applications

SSL offload and application acceleration

Global HTTP load balancing with instant failover

Application Firewall and DDoS protection

Centralized traffic orchestration view

aka.ms/AFUN20 #MSIgnite
Traffic Manager or Front Door?
Traffic Manager Front Door
HTTP acceleration: With Front Door traffic is proxied at
Any protocol: Because Traffic Manager works at the the Edge of Microsoft’s network. Because of this, HTTP(S)
DNS layer, you can route any type of network traffic; requests see latency and throughput improvements
HTTP, TCP, UDP, etc. reducing latency for SSL negotiation and using hot
connections from AFD to your application

On-premise routing: With routing at a DNS layer, Independent scalability: Because Front Door works with
traffic always goes from point to point. Routing from the HTTP request, requests to different URL paths can
your branch office to your on-premises datacenter can be routed to different backend/regional service pools
take a direct path; even on your own network using (microservices) based on rules and the health of each
Traffic Manager application microservice

Billing format: DNS-based billing scales with your Inline security: Front Door enables rules such as rate
users and for services with more users, plateaus limiting and IP ACL-ing to let you protect your backends
to reduce cost at higher usage before traffic reaches your application

aka.ms/AFUN20 #MSIgnite
Traffic Manager or Front Door?

aka.ms/AFUN20 #MSIgnite
/MS Learn alert
Complete interactive learning
exercises, watch videos, and
practice and apply your new
skills.
aka.ms/AFUN20MSLearnCollection

aka.ms/AFUN20 #MSIgnite
/Microsoft Certification alert
• Microsoft Certified:
Azure Fundamentals
aka.ms/AzureFunCert

• Microsoft Certified:
Azure Administrator Associate
aka.ms/AzureAdminCert Get hired, stay ahead, and receive the
recognition you deserve

aka.ms/AFUN20 #MSIgniteTheTour
#MSIgnite
Exclusive offer for Microsoft Ignite attendees
Now is your chance
to stand out among your peers.   
Free Certification Exam
on fundamentals, role-based, or specialty certifications*   Get certified and prove your expertise to
employers and peers and get the recognition and
opportunities you've earned. Take advantage
of this offer by scheduling a free exam online
today.

Learn more about Microsoft Certifications

Microsoft.com/Certifications

Begin with free online training

Microsoft.com/Learn
aka.ms/FreeExam_MSIgnite
Limited to one (1) per attendee. Subject to terms and conditions. Find a Learning Partner to help you prepare
Please see website for details. aka.ms/LearningPartner
*Free exams include only those with the following prefixes:
AI, AZ, DP, MB, MD, MS, and PL

aka.ms/AFUN20 #MSIgnite
Resources

Session Resources Get Certified

aka.ms/AFUN20

Session Code on GitHub You’re

• Microsoft on Azure
Certified: yourFundamentals
way
aka.ms/AFUN20Repo
to being certified!
aka.ms/AzureFunCert

• Microsoft Certified: Azure Administrator Associat

aka.ms/app10certification
aka.ms/AzureAdminCert
All Event Resources 
aka.ms/mymsignitethetour

aka.ms/AFUN20 #MSIgnite
Invent with purpose.