Basic Azure networking covers VNets, subnets, and NSGs. Production environments require advanced patterns: connecting multiple VNets, hybrid cloud connectivity, private service access, global load balancing, and secure cross-region traffic. This guide covers the patterns Azure architects use at scale.

Network Architecture Evolution

Stage 1: Single VNet              → Dev/test
Stage 2: VNet Peering             → 2-4 VNets (mesh complexity grows)
Stage 3: Hub-Spoke (Azure VWAN)   → Centralized hub, 5+ spokes
Stage 4: Multi-Subscription       → Enterprise, team isolation
Stage 5: Hybrid Cloud             → ExpressRoute + VPN to on-premises

VNet Peering

Connect VNets privately over the Azure backbone — no internet traversal, low latency:

# Create two VNets. The hub's GatewaySubnet (a /27) is created in the
# Site-to-Site VPN section, so give the hub an ordinary subnet here;
# creating GatewaySubnet twice fails.
az network vnet create \
  --resource-group rg-network \
  --name vnet-hub \
  --address-prefix 10.0.0.0/16 \
  --subnet-name shared-services \
  --subnet-prefix 10.0.1.0/24

az network vnet create \
  --resource-group rg-network \
  --name vnet-spoke-app \
  --address-prefix 10.1.0.0/16 \
  --subnet-name app-subnet \
  --subnet-prefix 10.1.1.0/24

# Peer hub to spoke. --allow-gateway-transit lets spokes route through the
# hub's VPN/ExpressRoute gateway; --use-remote-gateways on the spoke side
# is rejected without it.
az network vnet peering create \
  --resource-group rg-network \
  --name hub-to-spoke-app \
  --vnet-name vnet-hub \
  --remote-vnet vnet-spoke-app \
  --allow-vnet-access \
  --allow-forwarded-traffic \
  --allow-gateway-transit

# Peer spoke to hub (both directions required). --use-remote-gateways only
# succeeds once the hub gateway exists; if you peer before the gateway is
# deployed, omit the flag and add it afterwards with
# `az network vnet peering update ... --set useRemoteGateways=true`.
az network vnet peering create \
  --resource-group rg-network \
  --name spoke-app-to-hub \
  --vnet-name vnet-spoke-app \
  --remote-vnet vnet-hub \
  --allow-vnet-access \
  --allow-forwarded-traffic \
  --use-remote-gateways

VNet Peering vs Virtual WAN

Feature                 VNet Peering                 Virtual WAN Hub
Topology                Mesh or hub-spoke (manual)   Managed hub-and-spoke
Transitive routing      No (needs NVAs or VWAN)      Yes (via hub)
Max peerings per VNet   500                          Thousands via VWAN
Setup complexity        Low (2 VNets)                Medium (hub design)
Best for                2-10 VNets                   Enterprise, 10+ VNets

Important: VNet peering is non-transitive. Spoke A cannot reach Spoke B through the hub unless you deploy NVAs or use Virtual WAN.
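The two rules above (every peering needs its reverse, and peering never chains through the hub) are easy to check against a list of peerings before anyone opens a ticket. The script below is an added example, not Azure CLI output: the `Peering` records are constructed by hand to mirror the hub-to-spoke and spoke-to-hub commands in this guide (with a second spoke, vnet-spoke-data, added to show non-transitivity), and the checks on gateway transit reflect how Azure validates `--use-remote-gateways`.

```python
"""Validate hub-spoke VNet peering: reverse peering present, gateway-transit
flags consistent, and which spoke pairs cannot talk because peering is
non-transitive.  Added example; peering records are constructed."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Peering:
    vnet: str                              # VNet the peering is defined on
    remote: str                            # remote VNet
    allow_vnet_access: bool = True
    allow_forwarded_traffic: bool = False
    allow_gateway_transit: bool = False    # hub side: share its gateway
    use_remote_gateways: bool = False      # spoke side: use the hub gateway


def validate_peerings(peerings, vnets_with_gateway):
    """Return a list of findings; an empty list means the set is consistent."""
    findings = []
    by_pair = {(p.vnet, p.remote): p for p in peerings}
    for p in peerings:
        reverse = by_pair.get((p.remote, p.vnet))
        if reverse is None:
            # Azure leaves the peering in Initiated/Disconnected state.
            findings.append(f"{p.vnet}->{p.remote}: no reverse peering")
            continue
        if p.use_remote_gateways:
            if p.remote not in vnets_with_gateway:
                findings.append(f"{p.vnet}->{p.remote}: use-remote-gateways "
                                f"but {p.remote} has no VPN/ER gateway")
            if not reverse.allow_gateway_transit:
                findings.append(f"{p.vnet}->{p.remote}: use-remote-gateways "
                                f"requires allow-gateway-transit on {p.remote}->{p.vnet}")
            if p.vnet in vnets_with_gateway:
                findings.append(f"{p.vnet}: cannot use remote gateways while it has its own")
    return findings


def reachable_pairs(peerings):
    """VNet pairs that can exchange traffic.  Peering is non-transitive, so only
    pairs with an explicit peering in both directions count."""
    links = {(p.vnet, p.remote) for p in peerings if p.allow_vnet_access}
    vnets = {v for p in peerings for v in (p.vnet, p.remote)}
    return {frozenset((a, b)) for a, b in combinations(sorted(vnets), 2)
            if (a, b) in links and (b, a) in links}


def unreachable_spoke_pairs(peerings, hub):
    """Spoke pairs with no direct peering: they need an NVA/Azure Firewall in
    the hub plus UDRs, or Virtual WAN, to talk to each other."""
    direct = reachable_pairs(peerings)
    spokes = sorted({v for p in peerings for v in (p.vnet, p.remote)} - {hub})
    return [(a, b) for a, b in combinations(spokes, 2) if frozenset((a, b)) not in direct]


# Constructed to match the guide: the hub owns the gateway and shares it.
PAGE_PEERINGS = [
    Peering("vnet-hub", "vnet-spoke-app", allow_forwarded_traffic=True, allow_gateway_transit=True),
    Peering("vnet-spoke-app", "vnet-hub", allow_forwarded_traffic=True, use_remote_gateways=True),
    Peering("vnet-hub", "vnet-spoke-data", allow_forwarded_traffic=True, allow_gateway_transit=True),
    Peering("vnet-spoke-data", "vnet-hub", allow_forwarded_traffic=True, use_remote_gateways=True),
]

if __name__ == "__main__":
    print("findings:", validate_peerings(PAGE_PEERINGS, {"vnet-hub"}))
    print("spoke pairs needing NVA/VWAN:", unreachable_spoke_pairs(PAGE_PEERINGS, "vnet-hub"))
```

To run this against a real environment, build the `Peering` list from `az network vnet peering list` output (the `allowGatewayTransit` and `useRemoteGateways` fields map one-to-one) and put every VNet that has a VPN or ExpressRoute gateway in `vnets_with_gateway`.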

Site-to-Site VPN

Connect on-premises data center to Azure over encrypted IPsec tunnels:

# Create VPN Gateway (takes 30-45 minutes). GatewaySubnet must be /27 or larger.
az network vnet subnet create \
  --resource-group rg-network \
  --vnet-name vnet-hub \
  --name GatewaySubnet \
  --address-prefix 10.0.255.0/27

# Standard SKU, static public IP: Basic/Dynamic public IPs are being retired
# and are not accepted by the zone-redundant gateway SKUs.
az network public-ip create \
  --resource-group rg-network \
  --name pip-vpn-gateway \
  --sku Standard \
  --allocation-method Static

az network vnet-gateway create \
  --resource-group rg-network \
  --name vgw-hub \
  --public-ip-address pip-vpn-gateway \
  --vnet vnet-hub \
  --gateway-type Vpn \
  --vpn-type RouteBased \
  --sku VpnGw1 \
  --no-wait

# Create Local Network Gateway (on-premises)
az network local-gateway create \
  --resource-group rg-network \
  --name lng-onprem \
  --gateway-ip-address 203.0.113.10 \
  --local-address-prefixes 192.168.0.0/16

# The connection cannot be created while the gateway is still provisioning
# (--no-wait above), so block until it exists.
az network vnet-gateway wait \
  --resource-group rg-network \
  --name vgw-hub \
  --created

# Create VPN Connection. Read the pre-shared key from a secret store or
# environment variable rather than typing it on the command line, where it
# ends up in shell history and process listings.
az network vpn-connection create \
  --resource-group rg-network \
  --name conn-hub-to-onprem \
  --vnet-gateway1 vgw-hub \
  --local-gateway2 lng-onprem \
  --shared-key "$VPN_SHARED_KEY"

VPN Gateway vs ExpressRoute

Aspect       VPN Gateway                      ExpressRoute
Bandwidth    Up to 10 Gbps (VpnGw5)           50 Mbps – 100 Gbps
Latency      Variable (internet)              Consistent, lower
Cost         Gateway hourly + data transfer   Circuit + port + data transfer
Setup time   Hours                            Weeks (physical install)
Encryption   IPsec built-in                   Private link (MACsec optional)

Run two VPN tunnels for redundancy. VPN throughput is suitable for backup and management traffic; use ExpressRoute for steady high-bandwidth workloads.

Azure ExpressRoute

Dedicated private connection from on-premises to Azure:

# Create the ExpressRoute circuit in Azure first. Azure returns a service key
# that you give to the provider; the circuit is unusable until the provider
# reports it as Provisioned.
az network express-route create \
  --resource-group rg-network \
  --name er-circuit-prod \
  --peering-location "Equinix Ashburn" \
  --bandwidth 1000 Mbps \
  --provider "Equinix" \
  --sku-family MeteredData \
  --sku-tier Standard

# Service key for the provider, and the provisioning state to poll
az network express-route show \
  --resource-group rg-network \
  --name er-circuit-prod \
  --query "{serviceKey:serviceKey, state:serviceProviderProvisioningState}"

# Create peering (private peering for VNet access). The two /30 link subnets
# must not overlap any VNet or on-premises range (the hub already owns
# 10.0.0.0/16), so they come from a dedicated range.
az network express-route peering create \
  --resource-group rg-network \
  --circuit-name er-circuit-prod \
  --peering-type AzurePrivatePeering \
  --peer-asn 65001 \
  --vlan-id 100 \
  --primary-peer-subnet 172.16.0.0/30 \
  --secondary-peer-subnet 172.16.0.4/30

# A circuit connects to a gateway of type ExpressRoute, not to the VPN
# gateway. It can share the hub's GatewaySubnet with vgw-hub (co-existence).
az network public-ip create \
  --resource-group rg-network \
  --name pip-er-gateway \
  --sku Standard \
  --allocation-method Static

az network vnet-gateway create \
  --resource-group rg-network \
  --name vgw-er-hub \
  --public-ip-address pip-er-gateway \
  --vnet vnet-hub \
  --gateway-type ExpressRoute \
  --sku Standard

# Connect circuit to the ExpressRoute gateway (or to a Virtual WAN hub)
az network vpn-connection create \
  --resource-group rg-network \
  --name conn-er-to-hub \
  --vnet-gateway1 vgw-er-hub \
  --express-route-circuit2 er-circuit-prod \
  --routing-weight 100

Best practice: ExpressRoute as primary path, VPN as backup (ExpressRoute + VPN co-existence).

Azure Private Link

Access Azure PaaS services over private IP addresses in your VNet — no public internet exposure:

# Create private endpoint for Azure SQL
az network private-endpoint create \
  --resource-group rg-webapp-prod \
  --name pe-sql-webapp \
  --vnet-name vnet-spoke-app \
  --subnet app-subnet \
  --private-connection-resource-id /subscriptions/SUB_ID/resourceGroups/rg-webapp-prod/providers/Microsoft.Sql/servers/sql-webapp-prod \
  --group-id sqlServer \
  --connection-name sql-connection

# Create private DNS zone for SQL and link it to the consumer VNet
az network private-dns zone create \
  --resource-group rg-webapp-prod \
  --name privatelink.database.windows.net

az network private-dns link vnet create \
  --resource-group rg-webapp-prod \
  --zone-name privatelink.database.windows.net \
  --name sql-dns-link \
  --virtual-network vnet-spoke-app \
  --registration-enabled false

# Register the endpoint's private IP in the zone. Without this step the
# server's FQDN keeps resolving to its public IP and clients bypass the
# private endpoint.
az network private-endpoint dns-zone-group create \
  --resource-group rg-webapp-prod \
  --endpoint-name pe-sql-webapp \
  --name default \
  --private-dns-zone privatelink.database.windows.net \
  --zone-name sql

# Once private access works, close the public endpoint
az sql server update \
  --resource-group rg-webapp-prod \
  --name sql-webapp-prod \
  --enable-public-network false

Private Link works with Storage, SQL, Key Vault, Cosmos DB, App Service, and hundreds of other services.
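Whether a private endpoint is actually in use is a DNS question: from inside the VNet the service's public FQDN must resolve, via the privatelink zone, to an address in the VNet's range. The audit below is an added example (not part of the guide's commands). The privatelink zone names for SQL, Blob Storage and Key Vault are the real ones; the hostnames, the VNet range and the resolver answers in `FAKE_ANSWERS` are constructed so the script runs offline, and `203.0.113.7` stands in for a public Azure address. Run it with the default resolver from a VM in the spoke to get real answers.

```python
"""Audit PaaS hostnames: do they resolve to a private endpoint inside the
VNet, to a public IP (Private Link bypassed), or not at all (zone/link
missing)?  Added example; sample answers are constructed."""
import ipaddress
import socket

# Public DNS suffix -> privatelink zone that must exist and be linked
PRIVATELINK_ZONES = {
    "database.windows.net": "privatelink.database.windows.net",
    "blob.core.windows.net": "privatelink.blob.core.windows.net",
    "vault.azure.net": "privatelink.vaultcore.azure.net",
}


def resolve_a(host):
    """Default resolver: IPv4 answers from the system (VNet-side) resolver."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def expected_privatelink_zone(host):
    """Privatelink zone a host should be served from, or None if unknown."""
    for suffix, zone in PRIVATELINK_ZONES.items():
        if host.endswith("." + suffix):
            return zone
    return None


def classify(host, vnet_cidrs, resolver=resolve_a):
    """'private' if every answer lies in the VNet, 'public' if any answer
    is outside it (traffic takes the internet path), 'unresolved' if none."""
    nets = [ipaddress.ip_network(c) for c in vnet_cidrs]
    ips = resolver(host)
    if not ips:
        return "unresolved"
    if all(any(ipaddress.ip_address(ip) in n for n in nets) for ip in ips):
        return "private"
    return "public"


def audit(hosts, vnet_cidrs, resolver=resolve_a):
    """host -> (classification, privatelink zone that must be linked)."""
    return {h: (classify(h, vnet_cidrs, resolver), expected_privatelink_zone(h)) for h in hosts}


# Constructed answers mimicking a lookup from vnet-spoke-app (10.1.0.0/16):
# SQL goes through the private endpoint NIC, Storage still resolves to a
# public address, Key Vault has no zone linked at all.
FAKE_ANSWERS = {
    "sql-webapp-prod.database.windows.net": ["10.1.1.5"],
    "stwebappprod.blob.core.windows.net": ["203.0.113.7"],
    "kv-webapp-prod.vault.azure.net": [],
}

if __name__ == "__main__":
    for host, (state, zone) in audit(FAKE_ANSWERS, ["10.1.0.0/16"],
                                     resolver=FAKE_ANSWERS.get).items():
        print(f"{state:10} {host}  (zone: {zone})")
```

A "public" result on a production host is the finding to act on: either the dns-zone-group was never created, the zone is linked to a different VNet than the one the client sits in, or the client uses a custom DNS server that does not forward to Azure's resolver at 168.63.129.16.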

Azure Front Door

Global Layer 7 load balancer with WAF, SSL termination, and path-based routing:

# Create Front Door profile (Standard/Premium)
az afd profile create \
  --profile-name fd-webapp-prod \
  --resource-group rg-webapp-prod \
  --sku Standard_AzureFrontDoor

# Add origin group and origin
az afd origin-group create \
  --origin-group-name og-webapp \
  --profile-name fd-webapp-prod \
  --resource-group rg-webapp-prod \
  --probe-path /health \
  --probe-request-type GET \
  --probe-protocol Https \
  --sample-size 4 \
  --successful-samples-required 3

az afd origin create \
  --origin-name origin-eastus \
  --origin-group-name og-webapp \
  --profile-name fd-webapp-prod \
  --resource-group rg-webapp-prod \
  --host-name my-webapp-prod.azurewebsites.net \
  --origin-host-header my-webapp-prod.azurewebsites.net \
  --priority 1 \
  --weight 1000 \
  --enabled-state Enabled

# An endpoint and a route are needed before the profile serves any traffic
az afd endpoint create \
  --endpoint-name ep-webapp \
  --profile-name fd-webapp-prod \
  --resource-group rg-webapp-prod \
  --enabled-state Enabled

az afd route create \
  --route-name route-default \
  --endpoint-name ep-webapp \
  --origin-group og-webapp \
  --profile-name fd-webapp-prod \
  --resource-group rg-webapp-prod \
  --supported-protocols Https \
  --https-redirect Enabled \
  --forwarding-protocol HttpsOnly \
  --link-to-default-domain Enabled

# Lock the origin to Front Door so the WAF cannot be bypassed: restrict the
# App Service to the AzureFrontDoor.Backend service tag and check the
# X-Azure-FDID header against `az afd profile show --query frontDoorId`.

Front Door features: global anycast, automatic failover, WAF (Premium), caching, URL rewrite, and Private Link origins.
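What the origin sees matters for two of the problems above: the `/health` probe decides whether the origin is marked healthy, the Host header is whatever `--origin-host-header` was set to, and every forwarded request carries an `X-Azure-FDID` header with the profile's Front Door ID, which is how an origin can refuse requests that bypassed the WAF. The handler below is an added example, not Front Door or App Service code; the Front Door ID and the requests in `REQUESTS` are constructed placeholders, and the Front Door hostname in the last request is made up.

```python
"""Origin-side request guard for a Front Door deployment: serve the health
probe, reject a wrong Host header (the usual cause of a 502), and accept
application traffic only when it came through our profile.
Added example; the Front Door ID and sample requests are constructed."""

ORIGIN_HOST = "my-webapp-prod.azurewebsites.net"
# Placeholder: in practice `az afd profile show --query frontDoorId`.
FRONT_DOOR_ID = "00000000-0000-0000-0000-000000000000"


def handle(request, origin_host=ORIGIN_HOST, front_door_id=FRONT_DOOR_ID):
    """request: {'method', 'path', 'headers'} with lower-case header names.
    Returns (status, body) as the origin would answer."""
    headers = request["headers"]
    # Health probe: the origin group probes /health with GET over HTTPS; any
    # non-2xx answer counts as a failed sample and the origin drops out.
    if request["path"] == "/health":
        if request["method"] in ("GET", "HEAD"):
            return (200, "ok")
        return (405, "method not allowed")
    # Wrong --origin-host-header: a multi-tenant origin such as App Service
    # does not know the name and cannot route the request; Front Door then
    # reports 502 for the route.
    if headers.get("host", "").lower() != origin_host:
        return (404, "unknown host")
    # Direct hit on the origin (no Front Door ID, or another tenant's): refuse.
    if headers.get("x-azure-fdid") != front_door_id:
        return (403, "origin may only be reached through Front Door")
    return (200, f"hello from {origin_host}{request['path']}")


def simulate(requests, **overrides):
    """Status codes the origin returns for a list of requests."""
    return [handle(r, **overrides)[0] for r in requests]


REQUESTS = [  # constructed
    {"method": "GET", "path": "/health", "headers": {"host": ORIGIN_HOST}},
    {"method": "GET", "path": "/", "headers": {"host": ORIGIN_HOST,
                                               "x-azure-fdid": FRONT_DOOR_ID}},
    # direct access without Front Door
    {"method": "GET", "path": "/", "headers": {"host": ORIGIN_HOST}},
    # forwarded with the Front Door hostname instead of the origin host header
    {"method": "GET", "path": "/", "headers": {"host": "ep-webapp.example-azurefd.invalid",
                                               "x-azure-fdid": FRONT_DOOR_ID}},
]

if __name__ == "__main__":
    for req, status in zip(REQUESTS, simulate(REQUESTS)):
        print(status, req["method"], req["path"], req["headers"].get("host"))
```

The header check is a defence-in-depth layer, not a substitute for network-level restriction: keep the App Service access restriction to the AzureFrontDoor.Backend service tag as well, since anyone who can reach the origin directly can also forge headers.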

Real-World Scenario: Enterprise Hub-Spoke

Component       Configuration
Hub VNet        10.0.0.0/16 — VPN Gateway, Azure Firewall, Bastion
Spoke: App      10.1.0.0/16 — App Service VNet integration, private endpoints
Spoke: Data     10.2.0.0/16 — SQL, Storage private endpoints only
Spoke: AKS      10.3.0.0/16 — Azure CNI, AGIC ingress
On-premises     ExpressRoute primary + VPN backup
Global entry    Front Door Premium with WAF → regional App Services
DNS             Azure Private DNS zones for all private endpoints

Common Mistakes

  1. Overlapping VNet address spaces — peering fails if CIDRs overlap; plan IP allocation centrally
  2. Expecting transitive peering — Spoke-to-Spoke requires NVA or Virtual WAN
  3. Public PaaS endpoints in production — use Private Link for SQL, Storage, Key Vault
  4. Single VPN tunnel — always configure redundant tunnels for HA
  5. No NSGs on subnets — peering does not replace subnet-level security
  6. GatewaySubnet too small — use /27 minimum for VPN/ExpressRoute gateways
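Mistakes 1 and 6 are both caught by a plan check that runs before any `az network vnet create`. The script below is an added example, not part of the guide: `PLAN` and `SUBNETS` are constructed from the ranges used on this page (hub and spokes, the on-premises 192.168.0.0/16, two ExpressRoute peering /30s placed in a dedicated 172.16.0.0 range so they overlap nothing), and `MIN_PREFIX` holds the Azure minimum sizes for the special-purpose subnets. `next_free_block` goes one step beyond the list above: it picks the next non-overlapping /16 for a new spoke, which is the "plan IP allocation centrally" step in code.

```python
"""Check an Azure IP plan for overlapping address spaces and undersized
special-purpose subnets, and allocate the next free spoke range.
Added example; the plan below is constructed from this guide's ranges."""
import ipaddress
from itertools import combinations

# Largest prefix length (smallest subnet) Azure accepts for these subnets
MIN_PREFIX = {"GatewaySubnet": 27, "AzureFirewallSubnet": 26, "AzureBastionSubnet": 26}


def check_ip_plan(address_spaces, subnets):
    """address_spaces: {name: [cidr, ...]} for every VNet, on-premises site and
    ER link range that must be mutually routable.
    subnets: {(vnet, subnet_name): cidr}.
    Returns a list of findings; an empty list means the plan is clean."""
    findings = []
    nets = [(name, ipaddress.ip_network(c))
            for name, cidrs in address_spaces.items() for c in cidrs]
    # Any overlap between two different parties breaks peering (refused) or
    # VPN/ER routing (ambiguous routes).
    for (n1, a), (n2, b) in combinations(nets, 2):
        if n1 != n2 and a.overlaps(b):
            findings.append(f"overlap: {n1} {a} and {n2} {b}")
    for (vnet, sub), cidr in subnets.items():
        net = ipaddress.ip_network(cidr)
        parents = [ipaddress.ip_network(c) for c in address_spaces.get(vnet, [])]
        if not any(net.subnet_of(p) for p in parents):
            findings.append(f"{vnet}/{sub} {net} is outside its VNet address space")
        min_prefix = MIN_PREFIX.get(sub)
        if min_prefix is not None and net.prefixlen > min_prefix:
            findings.append(f"{vnet}/{sub} {net} is smaller than the /{min_prefix} minimum")
    return findings


def next_free_block(address_spaces, supernet, prefixlen):
    """First /prefixlen inside supernet that overlaps nothing already allocated."""
    used = [ipaddress.ip_network(c) for cidrs in address_spaces.values() for c in cidrs]
    for cand in ipaddress.ip_network(supernet).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None


# Constructed plan mirroring the enterprise hub-spoke scenario above
PLAN = {
    "vnet-hub": ["10.0.0.0/16"],
    "vnet-spoke-app": ["10.1.0.0/16"],
    "vnet-spoke-data": ["10.2.0.0/16"],
    "vnet-spoke-aks": ["10.3.0.0/16"],
    "onprem": ["192.168.0.0/16"],
    "er-private-peering": ["172.16.0.0/30", "172.16.0.4/30"],
}
SUBNETS = {
    ("vnet-hub", "GatewaySubnet"): "10.0.255.0/27",
    ("vnet-hub", "AzureFirewallSubnet"): "10.0.254.0/26",
    ("vnet-spoke-app", "app-subnet"): "10.1.1.0/24",
}

if __name__ == "__main__":
    print("findings:", check_ip_plan(PLAN, SUBNETS))
    print("next spoke:", next_free_block(PLAN, "10.0.0.0/8", 16))
```

Feed it the `addressSpace.addressPrefixes` of every VNet from `az network vnet list` plus the on-premises ranges from the local network gateway, and run it in CI for the repository that holds your network templates.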

Troubleshooting

Issue                        Diagnosis                                          Fix
Peering shows Disconnected   Address space overlap or missing reverse peering   Verify CIDRs; create both peering directions
VPN tunnel down              Shared key mismatch or on-prem config              Reset shared key; verify IKE/IPsec settings
Private endpoint DNS fails   Missing Private DNS zone or VNet link              Create zone and link to consumer VNet
Front Door 502               Origin unhealthy or wrong host header              Check probe path; verify origin host header
ExpressRoute BGP down        Provider-side issue or wrong VLAN                  Contact provider; verify peering config

# Verify VPN connection status
az network vpn-connection show \
  --resource-group rg-network \
  --name conn-hub-to-onprem \
  --query "connectionStatus" -o tsv

# List effective NSG rules on a NIC
az network nic list-effective-nsg \
  --resource-group rg-webapp-prod \
  --name nic-app-01

Best Practices

  • Plan IP address space centrally — document allocations in a spreadsheet or IPAM tool
  • Use hub-spoke or Virtual WAN for enterprise topologies — avoid full mesh peering
  • Deploy Azure Firewall or NVAs in the hub for centralized egress filtering
  • Enable Private Link for all PaaS services in production
  • Use Front Door or Traffic Manager for global routing and DR failover
  • Implement DDoS Protection Standard on production VNets
  • Monitor with NSG flow logs and Azure Network Watcher

Next: Disaster Recovery.