πŸ”’ Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided AZ-305 Domain 4
Domain 4 β€” Module 10 of 12 83%
28 of 30 overall

AZ-305 Study Guide

Domain 1: Design Identity, Governance, and Monitoring Solutions

  • Monitoring & Logging Design
  • Choosing Authentication Methods
  • Designing Identity Management
  • Authorizing Access to Resources
  • Secrets, Keys & Certificates
  • Governance at Scale
  • Compliance & Identity Governance

Domain 2: Design Data Storage Solutions

  • Relational Data: Choosing Your SQL Platform
  • Database Performance & Scalability
  • Database Security & Compliance
  • Cosmos DB & Semi-Structured Data
  • Blob, Data Lake & Azure Files
  • Data Integration & Analytics

Domain 3: Design Business Continuity Solutions

  • Recovery Objectives: RPO, RTO & SLA Free
  • Backup & Recovery for Compute Free
  • Backup for Databases & Unstructured Data Free
  • High Availability for Compute Free
  • High Availability for Data Free

Domain 4: Design Infrastructure Solutions

  • Compute Design: VMs & When to Use Them
  • Container Solutions: AKS, ACI & Container Apps
  • Serverless & Batch Processing
  • Messaging Architecture
  • Event-Driven Architecture
  • API Integration & Caching
  • App Configuration & Automated Deployment
  • Migration Strategy & Assessment
  • Executing Migrations
  • Network Connectivity: Internet & Hybrid
  • Network Security & Performance
  • Load Balancing & Routing

AZ-305 Study Guide

Domain 1: Design Identity, Governance, and Monitoring Solutions

  • Monitoring & Logging Design
  • Choosing Authentication Methods
  • Designing Identity Management
  • Authorizing Access to Resources
  • Secrets, Keys & Certificates
  • Governance at Scale
  • Compliance & Identity Governance

Domain 2: Design Data Storage Solutions

  • Relational Data: Choosing Your SQL Platform
  • Database Performance & Scalability
  • Database Security & Compliance
  • Cosmos DB & Semi-Structured Data
  • Blob, Data Lake & Azure Files
  • Data Integration & Analytics

Domain 3: Design Business Continuity Solutions

  • Recovery Objectives: RPO, RTO & SLA Free
  • Backup & Recovery for Compute Free
  • Backup for Databases & Unstructured Data Free
  • High Availability for Compute Free
  • High Availability for Data Free

Domain 4: Design Infrastructure Solutions

  • Compute Design: VMs & When to Use Them
  • Container Solutions: AKS, ACI & Container Apps
  • Serverless & Batch Processing
  • Messaging Architecture
  • Event-Driven Architecture
  • API Integration & Caching
  • App Configuration & Automated Deployment
  • Migration Strategy & Assessment
  • Executing Migrations
  • Network Connectivity: Internet & Hybrid
  • Network Security & Performance
  • Load Balancing & Routing
Domain 4: Design Infrastructure Solutions Premium ⏱ ~20 min read

Network Connectivity: Internet & Hybrid

VNets, VPN Gateway, ExpressRoute, Virtual WAN, Private Link, and NAT Gateway β€” design network connectivity that securely connects Azure to the internet and on-premises networks.

Network connectivity design

β˜• Simple explanation

Networking is the plumbing of your Azure architecture. Three connectivity questions: How do Azure resources talk to each other? How does Azure connect to on-premises? How does Azure connect to the internet?

VNets are your private networks in Azure. VPN Gateway connects Azure to on-prem over encrypted tunnels. ExpressRoute is a private, dedicated connection (no internet). Private Link keeps PaaS services off the public internet.

Network connectivity architecture covers:

  • Virtual Networks (VNets): IP address space, subnets, DNS, peering
  • Hybrid connectivity: VPN Gateway (S2S, P2S), ExpressRoute, Virtual WAN
  • Private connectivity to PaaS: Private Link, Service Endpoints
  • Internet connectivity: Public IPs, NAT Gateway, Azure Firewall egress

Azure-to-on-premises connectivity

Hybrid Connectivity Options
FactorVPN Gateway (S2S)ExpressRouteVirtual WAN
Connection typeEncrypted tunnel over internetPrivate dedicated connection (no internet)Hub service managing VPN + ER + branch
BandwidthUp to 10 Gbps (VpnGw5)50 Mbps - 100 GbpsAggregated (multiple connections)
LatencyVariable (internet path)Low, predictableLow (direct routing)
RedundancyActive-active gateway (2 tunnels)Two circuits (different peering locations)Built-in redundancy across hubs
Setup timeHoursWeeks (circuit provisioning)Hours (software-defined)
Cost~$150-3,000/mo (gateway)~$250-50,000/mo (circuit + gateway)~$0.25/hr per hub + connections
Best forSmall-medium orgs, dev/test, backup connectionEnterprise, high-bandwidth, low-latency, complianceLarge enterprise with many branches and Azure regions

πŸ—οΈ Priya’s hybrid connectivity:

  • Phase 1 (migration): S2S VPN β€” quick to set up, handles initial migration traffic
  • Phase 2 (production): ExpressRoute β€” dedicated 1 Gbps circuit for production workloads
  • VPN as backup: S2S VPN runs alongside ExpressRoute β€” automatic failover if ExpressRoute circuit fails

πŸ›οΈ David’s large-scale design: Government agencies with 50+ branch offices use Virtual WAN:

  • Central hub per Azure region β€” automatically meshes with other hubs
  • Branch offices connect via SD-WAN appliances
  • ExpressRoute for main data centres, VPN for smaller branches
  • Integrated Azure Firewall in each hub
πŸ’‘ Exam tip: ExpressRoute vs VPN β€” know the decision factors

Choose VPN when: Budget is limited, internet bandwidth is sufficient, setup needs to be quick, backup connection for ExpressRoute.

Choose ExpressRoute when: Compliance requires private connectivity (data never traverses internet), need guaranteed bandwidth/latency, high data volumes (100s of GB daily), SLA requirements.

Choose both when: ExpressRoute for primary traffic, VPN as automatic failover (resilience pattern).

Private connectivity to PaaS services

Private Link vs Service Endpoints
FactorPrivate Link (Private Endpoints)Service Endpoints
How it worksCreates a private IP in YOUR VNet for the PaaS serviceOptimises route to PaaS (still uses service's public IP internally)
Traffic pathStays on Azure backbone via private IPStays on Azure backbone but uses public endpoint
On-prem accessYes β€” reachable from on-prem via VPN/ERNo β€” VNet only
DNSRequires Private DNS Zone for name resolutionNo DNS changes needed
Cross-regionYes β€” Private Endpoint can be in different regionNo β€” same region only
NSG supportYesLimited
CostPer-endpoint + data processingFree
Best forFull private access (recommended for production)Quick, free network restriction (dev/test)

🏦 Elena’s zero-trust network: FinSecure Bank uses Private Link for every PaaS service:

  • Azure SQL β†’ Private Endpoint (no public endpoint)
  • Storage accounts β†’ Private Endpoint (public access disabled)
  • Key Vault β†’ Private Endpoint
  • All accessible from on-prem via ExpressRoute + private DNS resolution

Internet connectivity

ComponentPurpose
Public IPDirect internet access for a resource (VM, load balancer)
NAT GatewayOutbound internet for subnet β€” predictable IP, no SNAT exhaustion
Azure FirewallCentralised egress filtering β€” FQDN rules, threat intelligence
Application GatewayInbound L7 load balancing with WAF
Front DoorGlobal inbound edge with WAF + caching

πŸš€ Marcus’s internet pattern:

  • Inbound: Front Door (global edge) β†’ Application Gateway (regional WAF) β†’ Container Apps
  • Outbound: NAT Gateway per subnet (predictable IPs for allow-listing) β†’ Azure Firewall (FQDN filtering)
  • No public IPs on any workload resource β€” all access through Front Door or Private Link

Knowledge check

Question

What's the key advantage of Private Link over Service Endpoints?

Click or press Enter to reveal answer

Answer

Private Link assigns a private IP in your VNet to the PaaS service β€” making it accessible from on-premises via VPN/ExpressRoute and supporting cross-region access. Service Endpoints are VNet-only (no on-prem access) and same-region only. Private Link is recommended for production.

Click to flip back
Question

When should you use ExpressRoute AND VPN together?

Click or press Enter to reveal answer

Answer

As a resilience pattern: ExpressRoute for primary traffic (private, guaranteed bandwidth) with S2S VPN as automatic failover if the ExpressRoute circuit fails. This is the recommended HA pattern for critical hybrid connectivity.

Click to flip back
Question

Why is hub-spoke the recommended network topology for Azure?

Click or press Enter to reveal answer

Answer

The hub VNet centralises shared services (firewall, VPN gateway, DNS) while spoke VNets isolate workloads. Spokes peer with the hub but not each other β€” VNet peering is non-transitive. Inter-spoke traffic must be routed through the hub firewall via UDRs (User Defined Routes) on spoke subnets β€” this is NOT automatic with peering alone. Benefits: centralised security control, workload isolation, cost savings (shared gateway via gateway transit), and simplified management.

Click to flip back
Knowledge Check

🏦 Elena needs Azure SQL Database to be accessible only via the corporate network β€” no public internet access. On-premises applications must reach the database via ExpressRoute. Which connectivity approach should she recommend?
Knowledge Check

πŸš€ NovaSaaS has 5 product teams, each needing isolated network environments in Azure. All teams need shared access to a central monitoring stack and an ExpressRoute connection to headquarters. Traffic between product environments must be inspected by a firewall. Which network design should Marcus recommend?

🎬 Video coming soon

Next up: Securing and optimising the network β€” Network Security & Performance.

← Previous

Executing Migrations

Next β†’

Network Security & Performance

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.