🔒 Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided AZ-700 Domain 3
Domain 3 — Module 5 of 5 100%
18 of 26 overall

AZ-700 Study Guide

Domain 1: Core Networking Infrastructure

  • Virtual Networks: Your Cloud Foundation Free
  • IP Addressing: Public, Private & Prefixes Free
  • Name Resolution: Azure DNS Free
  • Routing: UDRs, Route Server & NAT Gateway Free
  • VNet Peering and Connectivity
  • Network Monitoring and Diagnostics
  • DDoS Protection and Security Posture

Domain 2: Connectivity Services

  • Site-to-Site VPN: Connecting On-Premises
  • Point-to-Site VPN: Remote Access
  • ExpressRoute Fundamentals
  • ExpressRoute: Advanced Features
  • Azure Virtual WAN
  • Choosing Your Hybrid Connection

Domain 3: Application Delivery Services

  • Azure Load Balancer: Layer 4
  • Traffic Manager: DNS-Based Routing
  • Application Gateway: Layer 7
  • Azure Front Door: Global Delivery
  • Choosing the Right Load Balancer

Domain 4: Private Access to Azure Services

  • Private Link and Private Endpoints
  • Private Endpoint DNS
  • Service Endpoints: When and How

Domain 5: Network Security Services

  • NSGs and Application Security Groups
  • Flow Logs, IP Flow Verify & Network Manager Security
  • Azure Firewall: SKUs and Deployment
  • Azure Firewall Manager and Policies
  • Web Application Firewall (WAF)

AZ-700 Study Guide

Domain 1: Core Networking Infrastructure

  • Virtual Networks: Your Cloud Foundation Free
  • IP Addressing: Public, Private & Prefixes Free
  • Name Resolution: Azure DNS Free
  • Routing: UDRs, Route Server & NAT Gateway Free
  • VNet Peering and Connectivity
  • Network Monitoring and Diagnostics
  • DDoS Protection and Security Posture

Domain 2: Connectivity Services

  • Site-to-Site VPN: Connecting On-Premises
  • Point-to-Site VPN: Remote Access
  • ExpressRoute Fundamentals
  • ExpressRoute: Advanced Features
  • Azure Virtual WAN
  • Choosing Your Hybrid Connection

Domain 3: Application Delivery Services

  • Azure Load Balancer: Layer 4
  • Traffic Manager: DNS-Based Routing
  • Application Gateway: Layer 7
  • Azure Front Door: Global Delivery
  • Choosing the Right Load Balancer

Domain 4: Private Access to Azure Services

  • Private Link and Private Endpoints
  • Private Endpoint DNS
  • Service Endpoints: When and How

Domain 5: Network Security Services

  • NSGs and Application Security Groups
  • Flow Logs, IP Flow Verify & Network Manager Security
  • Azure Firewall: SKUs and Deployment
  • Azure Firewall Manager and Policies
  • Web Application Firewall (WAF)
Domain 3: Application Delivery Services Premium ⏱ ~10 min read

Choosing the Right Load Balancer

The definitive decision guide for Azure's four load balancers — Load Balancer, Traffic Manager, Application Gateway, and Front Door. Master the exam elimination technique.

Choosing the Right Load Balancer

This is the module that ties Domain 3 together. The exam frequently presents a scenario and asks you to choose the right load balancer. This decision matrix and elimination technique will serve you well.

🎬 Video coming soon

Load Balancer Decision Guide

Load Balancer Decision Guide

~10:00
☕ Simple explanation

Azure has four load balancers: Load Balancer (traffic light — fast, simple, any vehicle), Traffic Manager (GPS — tells you which road, doesn’t drive), Application Gateway (smart toll booth — inspects tickets, routes to right lane), Front Door (international airport hub — global, caches, security screening).

Decision framework: Is traffic HTTP(S)? Yes: App Gateway or Front Door. No: Load Balancer or Traffic Manager. Is scope global? Global: Front Door or Traffic Manager. Regional: App Gateway or Load Balancer. Need CDN/WAF? Front Door. DNS-only failover? Traffic Manager.

The Four-Way Comparison

Azure Load Balancing Services
FeatureLoad BalancerTraffic ManagerApp GatewayFront Door
LayerLayer 4 (TCP/UDP)DNSLayer 7 (HTTP/S)Layer 7 (HTTP/S)
ScopeRegional (cross-region with global tier)GlobalRegionalGlobal
Proxies trafficYes (pass-through)No (DNS redirect only)Yes (full proxy)Yes (full proxy)
URL/path routingNoNoYesYes
TLS terminationNoNoYesYes
WAFNoNoYes (add-on)Yes (built-in)
CDN / CachingNoNoNoYes
Private Link originsNoNoNoYes (Premium)
Non-HTTP trafficYes (any TCP/UDP)Yes (DNS — any protocol)NoNo
Session affinitySource IP (2/3-tuple)NoCookie-basedCookie-based
Health probesTCP, HTTP, HTTPSHTTP, HTTPS, TCPHTTP, HTTPSHTTP, HTTPS

Decision Flowchart

Use this flowchart when the exam presents a load balancing scenario:

Step 1: Is the traffic HTTP/HTTPS?

  • No → Load Balancer (for TCP/UDP) or Traffic Manager (for DNS-based routing of any protocol)
  • Yes → Continue to Step 2

Step 2: Does it need global distribution?

  • No (single region) → Application Gateway
  • Yes (multi-region) → Continue to Step 3

Step 3: Does it need CDN, caching, or Private Link origins?

  • Yes → Front Door (Premium if Private Link needed)
  • No → Traffic Manager (if DNS-only is acceptable) or Front Door (if you need proxy/WAF)

Common Combinations

Load balancers work together, not in isolation:

Front Door + Application Gateway: Front Door handles global distribution, CDN, and edge WAF. Application Gateway handles regional routing, path-based rules, and additional WAF. This is the most common enterprise web app pattern.

Traffic Manager + Load Balancer: Traffic Manager provides global DNS routing to regional Load Balancers. Used for non-HTTP workloads (databases, gaming, IoT) that need global failover.

Front Door + Load Balancer: Front Door handles global HTTP entry. Load Balancer distributes within a region to non-HTTP backend tiers (e.g., TCP-based microservices behind an API layer).

💡 Exam Elimination Guide

When you see a load balancing question, eliminate options using these rules:

“Non-HTTP protocol” mentioned → Eliminate Application Gateway and Front Door. Answer is Load Balancer or Traffic Manager.

“URL routing” or “path-based routing” needed → Eliminate Load Balancer and Traffic Manager. Answer is Application Gateway or Front Door.

“Global CDN” or “caching at edge” → Only Front Door provides this. Eliminate all others.

“Private Link origin” or “backend with no public IP” → Only Front Door Premium. Eliminate all others.

“DNS-based only” or “no proxy needed” → Traffic Manager. It’s the only one that doesn’t proxy traffic.

“Regional, internal workload” → Internal Load Balancer or Application Gateway (internal frontend).

“Session affinity with cookies” → Application Gateway or Front Door. Load Balancer uses source IP only.

“Layer 4, high throughput, HA ports” → Standard Load Balancer with HA ports.

Practice this elimination technique with every load balancing question you encounter.

Key Takeaways

  • Non-HTTP traffic: Load Balancer (L4) or Traffic Manager (DNS)
  • Regional HTTP: Application Gateway
  • Global HTTP with CDN/WAF: Front Door
  • Private Link origins: Front Door Premium only
  • DNS-only (no proxy): Traffic Manager only
  • Combinations are common in enterprise architectures

Test Your Knowledge

Question

Which load balancer provides CDN caching at edge locations?

Click or press Enter to reveal answer

Answer

Azure Front Door only. Application Gateway, Load Balancer, and Traffic Manager do not provide CDN caching.

Click to flip back
Question

Which load balancer works with non-HTTP protocols like TCP and UDP?

Click or press Enter to reveal answer

Answer

Azure Load Balancer (Layer 4) handles TCP/UDP directly. Traffic Manager works at DNS level and can route any protocol. Application Gateway and Front Door only handle HTTP/HTTPS.

Click to flip back
Question

Which is the only load balancer that doesn't proxy traffic?

Click or press Enter to reveal answer

Answer

Traffic Manager. It works at the DNS layer — it returns the IP of the best endpoint and the client connects directly. All others (LB, AG, FD) proxy or pass-through the actual traffic.

Click to flip back
Knowledge Check

Ravi needs to load-balance a TCP-based database replication protocol across VMs in a single region. Which service should he use?
Knowledge Check

Elena needs global HTTP load balancing with CDN caching, managed WAF rules, and origins that have no public IPs. Which service and tier?

Next up: Private Link and Private Endpoints — Start Domain 4 by making Azure PaaS services accessible only through your private network.

← Previous

Azure Front Door: Global Delivery

Next →

Private Link and Private Endpoints

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.