Connecting to Azure: VPNs, ExpressRoute, and DNS
How do you connect your on-premises network to Azure? How does DNS work in the cloud? And what are public vs private endpoints? This module covers Azure's connectivity options.
Connecting your world to Azure
Think of Azure as an island. Your office is on the mainland. How do you get there?
VPN Gateway = a tunnel under the ocean. Your data travels encrypted through the public internet, but it’s secure inside the tunnel. Affordable but not the fastest.
ExpressRoute = a private bridge built just for you. Your data never touches the public internet — it travels on a dedicated connection. Faster, more reliable, but more expensive.
Azure DNS = the phone book for the internet. It translates human-friendly names (like “portal.summit.com”) into IP addresses that computers understand.
Public endpoints = the island’s public ferry port (anyone can reach it). Private endpoints = a private dock only accessible from your bridge or tunnel.
Azure VPN Gateway
A VPN Gateway connects your on-premises network to Azure over an encrypted tunnel through the public internet.
Two types of VPN connections:
| Type | What It Connects | Use Case |
|---|---|---|
| Site-to-site (S2S) | On-premises network to Azure VNet | Office network to Azure — always on |
| Point-to-site (P2S) | Individual device to Azure VNet | Remote worker’s laptop to Azure |
Summit Construction uses a site-to-site VPN to connect their office network in Auckland to their Azure VNet. Staff access Azure resources as if they were on the same local network.
VPN Gateway key facts:
- Encrypted over the public internet
- Bandwidth depends on your internet connection
- Supports IPsec/IKE (S2S) and SSL/TLS (P2S)
- Cost-effective for most organisations
Azure ExpressRoute
ExpressRoute is a private, dedicated connection between your on-premises network and Azure. It doesn’t go over the public internet.
| Feature | VPN Gateway | ExpressRoute |
|---|---|---|
| Connection | Encrypted tunnel over public internet | Private dedicated connection |
| Bandwidth | Up to ~1.25 Gbps | Up to 100 Gbps |
| Latency | Variable (internet-dependent) | Consistent and low |
| Reliability | Internet-dependent | Built-in redundancy, SLA-backed |
| Cost | Lower (gateway + internet) | Higher (dedicated circuit + provider) |
| Best for | Most organisations, dev/test | Enterprise, regulated industries, high bandwidth |
Harbour Health uses ExpressRoute because:
- Patient data must not traverse the public internet (regulatory requirement)
- They need consistent, low-latency access to Azure-hosted applications
- The hospital generates large volumes of medical imaging data
ExpressRoute Global Reach
ExpressRoute Global Reach lets you connect your on-premises sites to each other through the Microsoft backbone. If Harbour Health has offices in Auckland and Wellington, both connected via ExpressRoute, Global Reach allows the two offices to communicate through Microsoft’s network instead of the public internet.
Azure DNS
Azure DNS hosts your DNS domains and resolves names using Microsoft’s global network.
What DNS does: Translates domain names into IP addresses.
portal.summit.com → 20.53.201.47 (users type the name; DNS returns the IP address)
Two types of Azure DNS zones:
| Type | Purpose | Example |
|---|---|---|
| Public DNS zone | Resolves names on the internet | summit.com → public IP |
| Private DNS zone | Resolves names within your VNet | db.internal → private IP (10.0.3.4) |
Why use Azure DNS?
- Runs on Microsoft’s global network (fast, reliable)
- Integrated with other Azure services
- Role-based access control for DNS records
- Alias records that point directly to Azure resources
Key concept: Azure DNS hosts your DNS zones — it does NOT let you buy domain names. You still purchase domains from a registrar (GoDaddy, Namecheap, etc.) and then point them to Azure DNS.
Public and private endpoints
This is a key security concept for the exam:
| Feature | Public Endpoint | Private Endpoint |
|---|---|---|
| Accessible from | The internet (public IP) | Only within your VNet (private IP) |
| IP address | Public IP address | Private IP from your VNet's address space |
| Security | Firewall rules needed to restrict access | Not exposed to internet at all |
| Use case | Public-facing apps, APIs | Databases, storage, internal services |
| Example | Web app accessible at app.summit.com | SQL Database accessible only at 10.0.3.5 within the VNet |
Harbour Health’s approach:
- Public endpoint: Patient booking portal (needs internet access)
- Private endpoint: SQL Database with patient records (accessible ONLY from within the VNet — no internet exposure)
Exam tip: Private endpoints for PaaS services
By default, Azure PaaS services (like Azure SQL Database, Storage Accounts) have public endpoints — they’re accessible over the internet. This is a concern for security-conscious organisations.
Private endpoints solve this by giving the PaaS service a private IP address within your VNet. Traffic flows over the Microsoft backbone network, never touching the internet.
If a question mentions “prevent internet access to a database” or “access storage only from within the VNet,” the answer is usually private endpoints.
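A practical way to confirm the private DNS zone and private endpoint behaviour described above is to check what a name resolves to from inside the VNet. This added example (not part of the module) uses constructed resolver answers built from the module's sample values and an assumed VNet address space of 10.0.0.0/16; it flags a "private" name that still resolves to a public IP, and a private IP that does not belong to the VNet.

```python
# Added example (not from the module): classify how a hostname resolves and
# check that private-endpoint names land inside the VNet's address space.
# The DNS answers below are constructed to match the module's sample values;
# a real check would take them from a resolver query run inside the VNet.
import ipaddress
from dataclasses import dataclass

# Constructed resolver output, as a VM inside the Summit VNet would see it.
SAMPLE_ANSWERS = {
    "portal.summit.com": "20.53.201.47",   # public endpoint (web portal)
    "db.internal": "10.0.3.4",             # private DNS zone record
    "sql.summit.internal": "10.0.3.5",     # private endpoint for SQL Database
    "stale.internal": "192.168.50.9",      # private IP, but NOT in this VNet
}

# Assumption: the VNet's address space (the module does not state it).
VNET_ADDRESS_SPACE = ipaddress.ip_network("10.0.0.0/16")


@dataclass(frozen=True)
class EndpointCheck:
    hostname: str
    ip: str
    kind: str   # "public", "private" or "private-outside-vnet"
    ok: bool    # True when the result is what the caller expected


def classify(hostname, ip_text, vnet=VNET_ADDRESS_SPACE):
    """Decide whether a resolved address is a public endpoint, a private
    endpoint inside the VNet, or a private address that does not belong to
    this VNet (typically a stale or wrong DNS record)."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_global:
        return EndpointCheck(hostname, ip_text, "public", True)
    if ip in vnet:
        return EndpointCheck(hostname, ip_text, "private", True)
    return EndpointCheck(hostname, ip_text, "private-outside-vnet", False)


def expect_private(hostname, answers=SAMPLE_ANSWERS, vnet=VNET_ADDRESS_SPACE):
    """For a name that must only be reachable via a private endpoint, the
    check passes only when it resolves inside the VNet. A public answer means
    the private DNS zone is missing or not linked to the VNet."""
    result = classify(hostname, answers[hostname], vnet)
    return EndpointCheck(result.hostname, result.ip, result.kind,
                         result.kind == "private")


if __name__ == "__main__":
    for name in ("sql.summit.internal", "portal.summit.com", "stale.internal"):
        print(expect_private(name))
```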
Knowledge Check
Harbour Health needs a connection from their hospital network to Azure that NEVER uses the public internet. Which service should they use?
Summit Construction wants their Azure SQL Database to be accessible ONLY from within their Azure VNet — not from the internet. What should they configure?
Which statement about Azure DNS is TRUE?