
aka.ms/AFUN20 #MSIgniteTheTour
Azure Networking Basics
Christina Warren
Senior Cloud Advocate, Microsoft
@film_girl

Resources

Session Resources Hub: aka.ms/AFUN20
Session Code on GitHub: aka.ms/AFUN20Repo
All Event Session Resources: aka.ms/mymsignitethetour

High Level Azure Services

[Diagram: Azure services grouped in layers]
Platform as a Service (PaaS): Management, Security, Compute/Containers, Web/Mobile, DevOps/Developer, Integration, IoT, AI, Analytics, Data
Infrastructure as a Service (IaaS):
• Compute: Virtual Machine Scale Sets, Linux Virtual Machine
• Storage: Disk Storage, Managed Disks
• Networking: Virtual Network, VPN Gateway, ExpressRoute, Load Balancer, Azure Firewall, Virtual WAN, Network Watcher
Azure Datacenter Infrastructure

What is an Azure Network
and how do you plan for it?

The Azure Virtual Network

Azure Virtual Network enables you to create private networks in the cloud with full control over IP addresses, DNS servers, security rules, and traffic flows

Naming

All Azure resources have a name. The name must be unique within a scope, but the scope can differ for each resource type

Virtual network names must be unique within a resource group but can be duplicated within a subscription or Azure region

Define and use a consistent naming convention so that it’s easier to manage resources as you grow your network

Regions

A region is an Azure data center within a specific geographic location. All Azure resources are created in an Azure region and subscription

A resource can only be created in a virtual network that exists in the same region and subscription as the resource

You can, however, connect virtual networks that exist in different subscriptions and regions

Subscriptions

You can deploy as many virtual networks as required within each subscription, up to the limit, which varies per service. See https://aka.ms/netlimits

You can create multiple virtual networks per subscription and per region and you can create multiple subnets within each virtual network

/Upcoming Session alert

AFUN70: Keeping Costs Down in Azure
Thursday 12:15 – 13:00 Paris South

AFUN80: What You Need to Know About Governance in Azure
Thursday 14:00 – 14:45 Paris South

Exploring the Azure
Networking Portal

Azure Connectivity Options

Virtual Network to Virtual Network (VNet Peering)

Virtual network peering enables you to seamlessly connect two Azure virtual networks. Once peered, the virtual networks appear as one, for connectivity purposes
• VNet peering—connecting VNets within the same Azure region
• Global VNet peering—connecting VNets across Azure regions

After virtual networks are peered, resources in either virtual network can directly connect with resources in the peered virtual network

VNet Peering 

VPN Connections—Hybrid Networking Scenarios

Cloud | Customer | Segment & workloads
Virtual network (Point-to-Site) | Secure point-to-site connectivity | Developers; Small scale deployments; Connect from anywhere
Virtual network (Site-to-Site) | Secure site-to-site VPN connectivity | SMB, Enterprises; Connect to Azure compute; IaaS and PaaS workloads
ExpressRoute | Private site-to-site connectivity | SMB & Enterprises; Mission critical workloads; Backup/DR, media, HPC; Connect to all hardware

Site-to-Site VPN to Azure VNet (VPN Gateway)

A VPN gateway is a virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet

You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network

Each virtual network can only have one VPN gateway, but you can create multiple connections to the same gateway

What is Azure ExpressRoute?

Use Azure ExpressRoute to create private connections between Azure data centers and infrastructure in your environment. ExpressRoute connections don’t go over the public Internet, and they offer more reliability, faster speeds and lower latencies than typical Internet connections

ExpressRoute or Site-to-Site VPN Gateway?

ExpressRoute is a direct, private connection from your WAN to Microsoft Services

VPN Gateway bandwidth is typically capped at under 1 Gbps aggregate, whereas ExpressRoute can go all the way up to 10 Gbps

Pricing varies depending on the service you choose

You can use them together

Azure CDN

Azure CDN

Azure Content Delivery Network (CDN) offers developers a global solution for rapidly delivering high-bandwidth content to users by caching their content at strategically placed physical nodes across the world

Offers dynamic site acceleration, CDN caching rules, HTTPS custom domain support, geo-filtering, file compression, and diagnostic logs

Offerings include Azure CDN Standard from Microsoft, Azure CDN Standard from Akamai, Azure CDN Standard from Verizon, and Azure CDN Premium from Verizon

Connect a CDN to an
Existing Storage Account
Christina Warren

Security

Network Security

• Network Security Groups
• Network virtual appliances
• Routing tables
• Border gateway protocol (BGP) routes

Filter Traffic
Network Security Groups

With Network Security Groups, multi-tier application architectures can be hosted in Azure
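
How an NSG separates the tiers of such an application, as an added example that is not part of the original slides or the session code. It models inbound rule evaluation (lowest priority number first, first match wins) for a database subnet; the addressing plan and the rules AllowAppToSql and DenyOtherVnet are constructed for illustration, and Azure's default rules are simplified as noted in the comments.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan for a three-tier app (assumed, not from the slides).
VNET = "10.0.0.0/16"
APP_SUBNET = "10.0.2.0/24"

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    source: str     # CIDR, or "*" for any source
    port: str       # destination port, or "*" for any port
    access: str     # "Allow" or "Deny"

# Azure's default inbound rules, simplified: the VirtualNetwork service tag is
# modelled as the VNet CIDR and AllowAzureLoadBalancerInBound is left out.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, VNET, "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "Deny"),
]

# Hypothetical NSG for the database subnet: only the app tier may reach SQL.
DB_NSG = [
    Rule("AllowAppToSql", 100, APP_SUBNET, "1433", "Allow"),
    Rule("DenyOtherVnet", 4000, VNET, "*", "Deny"),
]

def matches(rule, src_ip, dst_port):
    src_ok = rule.source == "*" or (
        ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source))
    return src_ok and rule.port in ("*", str(dst_port))

def evaluate_inbound(custom_rules, src_ip, dst_port):
    """Return (access, rule name) for the first match in priority order."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if matches(rule, src_ip, dst_port):
            return rule.access, rule.name
    return "Deny", "NoMatch"  # unreachable while DenyAllInBound is present

if __name__ == "__main__":
    flows = [("web VM", "10.0.1.4", 1433), ("app VM", "10.0.2.4", 1433),
             ("app VM", "10.0.2.4", 22), ("internet", "203.0.113.9", 1433)]
    for label, nsg in (("defaults only", []), ("with DB_NSG", DB_NSG)):
        for who, src, port in flows:
            print(f"{label:13} {who:8} -> db:{port:<5}", evaluate_inbound(nsg, src, port))
```

With only the default rules, the web tier reaches the database subnet on any port; the explicit deny at priority 4000 is what creates the tier boundary.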

Network Virtual Appliances

Overview
• VMs that perform specific network functions
• Focus: Security (Firewall, IDS, IPS), Router/VPN, ADC (Application Delivery Controller), WAN Optimization
• First and third-party appliances

Scenarios
• IT policy and compliance—consistency between on-premises and Azure
• Supplement/complement Azure capabilities

Azure Marketplace
• Available through Azure Certified program to ensure quality and simplify deployment
• You can also bring your own appliance and license

Routing Traffic
Routing tables

[Diagram labels: Client 1; Routing Table with Route 1 and Route 2; Next Hop List with Next Hop 1, Next Hop 2 and Next Hop 3; Dest 1]

Routing Traffic
Border gateway protocol (BGP) routes

/Upcoming Session alert

AFUN40: Azure Security Fundamentals
Wednesday 14:00 – 14:45 Paris South

Managing and Optimizing

Resiliency

The ability of a system to recover from failures and continue to function. It's not about avoiding failures, but responding to failures in a way that avoids downtime or data loss

Disaster recovery: The ability to recover from rare, but major incidents

High availability: The ability for an app to continue running in a healthy state, without significant downtime

Azure Load Balancer

Allows you to scale your applications and create high availability and resiliency for your services and applications

Public
A public Load Balancer maps the public IP address and port number of incoming traffic to the private IP address and port number of the VM and vice versa.

Internal
An internal Load Balancer directs traffic only to resources that are inside a virtual network or that use a VPN to access Azure infrastructure.

Public Load Balancer

A public Load Balancer maps the public IP address and port number of incoming traffic to the private IP address and port number of the VM

Automatic reconfiguration
Instantly reconfigures itself as you scale instances up or down

Outbound connections (SNAT)
All outbound flows from private IP addresses inside your virtual network to public IP addresses on the internet can be translated to a frontend IP address of the Load Balancer

Default Distribution Mode
Azure Load Balancer distributes traffic evenly amongst multiple VM instances

Internal Load Balancer

An internal Load Balancer directs traffic only to resources inside a virtual network or that use a VPN to access Azure infrastructure

• Within a virtual network
• Cross-premises virtual network
• Multi-tier applications
• Line-of-business applications

Azure Application Gateway (V2)
Azure Application Gateway is a web traffic load balancer that
enables you to manage traffic to your web applications

Scalable

Web Application Firewall

SSL Offload

Integrated with Other Azure services

Azure Availability Zones

Fault-isolated locations within an Azure region

Redundant power, cooling, and networking

99.99% SLA on virtual machines

Azure Traffic Manager

Azure Traffic Manager is a DNS-based traffic load balancer that enables you to distribute traffic optimally to services across global Azure regions

Global DNS load balancing

Automatic failover when an endpoint goes down

Combine with hybrid applications
Supports external, non-Azure endpoints so that it can be used with hybrid cloud and on-premises deployments

Distribute traffic for complex deployments
Use nested Traffic Manager profiles for sophisticated, flexible rules for complex deployments

Azure Front Door

Azure Front Door Service provides a scalable and secure entry point for fast delivery of your global web applications

SSL offload and application acceleration

Global HTTP load balancing with instant failover

Application Firewall and DDoS protection

Centralized traffic orchestration view

Traffic Manager or Front Door?

Traffic Manager
• Any protocol: Because Traffic Manager works at the DNS layer, you can route any type of network traffic; HTTP, TCP, UDP, etc.
• On-premise routing: With routing at a DNS layer, traffic always goes from point to point. Routing from your branch office to your on-premises datacenter can take a direct path; even on your own network using Traffic Manager
• Billing format: DNS-based billing scales with your users and for services with more users, plateaus to reduce cost at higher usage

Front Door
• HTTP acceleration: With Front Door traffic is proxied at the Edge of Microsoft’s network. Because of this, HTTP(S) requests see latency and throughput improvements reducing latency for SSL negotiation and using hot connections from AFD to your application
• Independent scalability: Because Front Door works with the HTTP request, requests to different URL paths can be routed to different backend/regional service pools (microservices) based on rules and the health of each application microservice
• Inline security: Front Door enables rules such as rate limiting and IP ACL-ing to let you protect your backends before traffic reaches your application

/Docs alert
Explore overviews, tutorials,
samples, and more.

/MS Learn alert
Complete interactive learning exercises, watch videos, and practice and apply your new skills.
aka.ms/AFUN20MSLearnCollection

/Microsoft Certification alert
Get hired, stay ahead, and receive the recognition you deserve

• Microsoft Certified: Azure Fundamentals
aka.ms/AzureFunCert

• Microsoft Certified: Azure Administrator Associate
aka.ms/AzureAdminCert

Resources

Session Resources: aka.ms/AFUN20
Session Code on GitHub: aka.ms/AFUN20Repo
All Event Resources: aka.ms/mymsignitethetour

Get Certified
You’re on your way to being certified!
• Microsoft Certified: Azure Fundamentals
aka.ms/AzureFunCert
• Microsoft Certified: Azure Administrator Associate
aka.ms/AzureAdminCert
aka.ms/app10certification

Exclusive offer for Microsoft Ignite The Tour attendees

Free Certification Exam on fundamentals, role-based, or specialty certifications*

Now is your chance to stand out among your peers. Get certified and prove your expertise to employers and peers and get the recognition and opportunities you've earned. Take advantage of this offer by scheduling a free exam online today.

aka.ms/FreeExam_MSIgnite
Limited to one (1) per attendee. Subject to terms and conditions. Please see website for details.
*Free exams include only those with the following prefixes: AI, AZ, DP, MB, MD, MS, and PL

Learn more about Microsoft Certifications: Microsoft.com/Certifications
Begin with free online training: Microsoft.com/Learn
Find a Learning Partner to help you prepare: aka.ms/LearningPartner

Invent with purpose.
