Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Designing and implementing Azure networking capabilities is a critical part of your cloud solution. You need to make networking design decisions to properly support your workloads and services.
Azure services for networking
Azure provides a range of services for networking:
Networking foundation
- Azure Virtual Network: Provision private networks, and optionally connect to on-premises datacenters.
- Azure DNS. Host your DNS domains and manage name resolution.
- Azure NAT Gateway: Provide outbound internet connectivity for virtual networks.
- Azure Bastion: Connect securely to your virtual machines without exposing public IP addresses.
- Azure Traffic Manager: Distribute traffic optimally to services across global Azure regions.
- Azure Route Server: Simplify dynamic routing between your network virtual appliance and your virtual network.
- Azure Private Link: Enable private access to services that are hosted on the Azure platform while keeping your data on the Microsoft network.
Load balancing and content delivery
- Azure Load Balancer: Deliver high availability and network performance to your apps.
- Azure Application Gateway: Build highly secure, scalable, highly available web front ends.
- Azure Front Door: Deliver, protect, and monitor your global web applications.
Hybrid connectivity
- Azure ExpressRoute: Create a fast, reliable, and private connection to Azure.
- Azure VPN Gateway: Establish highly secure cross-premises connectivity.
- Azure Virtual WAN: Optimize and automate branch-to-branch connectivity.
- Azure Peering Service: Enhance connectivity from the public internet to Microsoft cloud services.
Network security
- Azure Firewall: Provide protection for your Azure Virtual Network resources.
- Azure Firewall Manager: Centrally manage security policies and routes across multiple firewalls.
- Azure Web Application Firewall: Protect your web applications from common web exploits and vulnerabilities.
- Azure DDoS Protection: Protect your Azure resources from distributed denial-of-service attacks.
- Container Network Security: Enforce security policies for containerized workloads in Azure Kubernetes Service (AKS) clusters.
Network management and monitoring
- Azure Network Watcher: Monitor, diagnose, and gain insights into your network performance and health.
- Azure Monitor: Collect, analyze, and act on telemetry from your network and other Azure resources.
- Azure Virtual Network Manager: Centrally manage virtual networks at scale across subscriptions and regions.
- Container Network Observability: Gain deep insights into network traffic and performance across containerized environments in Azure Kubernetes Service (AKS) clusters.
For more information about Azure networking services, see Azure networking services overview.
For guidance on selecting the right networking technologies for your solution, see the following articles:
Architecture
Download a Visio file of this architecture.
The previous diagram demonstrates a typical basic or baseline networking implementation.
Explore networking guides and architectures
The articles in this section include guides and fully developed architectures that you can deploy in Azure and expand to production-grade solutions. These articles can help you decide how to use networking technologies in Azure.
Networking guides
The following articles help you evaluate and select the best networking technologies for your workload requirements.
Networking foundation
- Virtual network connectivity options and spoke-to-spoke communication: Compare virtual network peering, VPN gateways, and other connectivity options for spoke-to-spoke communication.
- Azure Private Link in a hub-and-spoke network: Use Private Link in a hub-and-spoke network topology.
- Azure Private Link and DNS with Azure Virtual WAN:
- Guide overview: Plan Azure Private Link and DNS integration with Azure Virtual WAN.
- Virtual hub extension pattern: Implement the virtual hub extension pattern for Azure Private Link and DNS.
- Single region accessing a single resource: Configure Azure Private Link and DNS for a single-region workload that accesses a single resource.
- Adopt IPv6:
- Prevent IPv4 exhaustion: Plan for IPv4 address exhaustion, and adopt IPv6 in Azure.
- IPv6 hub-spoke network topology: Implement a hub-spoke network topology with IPv6 support.
- Conceptual planning for IPv6 networking: Plan your IPv6 IP addressing strategy for Azure networking.
- Design a hybrid DNS solution by using Azure: Design a hybrid DNS solution that uses Azure DNS Private Resolver to resolve names for workloads hosted on-premises and on Azure.
Load balancing and content delivery
- Load balancing options: Choose the right Azure load balancing service for your workload.
Hybrid connectivity
- SD-WAN integration in hub-and-spoke network topologies: Integrate SD-WAN solutions with Azure hub-and-spoke network topologies.
- Troubleshoot a hybrid VPN connection: Troubleshoot connectivity problems in site-to-site VPN connections between an on-premises network and Azure.
Network security
- Use a split-brain DNS configuration to host a web app: Configure split-brain DNS to host a web application with private and public resolution.
- Deploy highly available NVAs: Deploy network virtual appliances (NVAs) in a highly available configuration.
- Cross-tenant secure access to apps: Use private endpoints to enable cross-tenant secure access to applications.
Networking architectures
The following production-ready architectures demonstrate end-to-end networking solutions that you can deploy and customize.
Networking foundation
- Hub-spoke network topology in Azure: Implement a hub-and-spoke network pattern that has customer-managed hub infrastructure components.
- Azure DNS Private Resolver: Implement hybrid DNS resolution by using Azure DNS Private Resolver.
Hybrid connectivity
- Hub-spoke network topology that uses Azure Virtual WAN: Implement a hub-and-spoke network topology by using Azure Virtual WAN for Microsoft-managed hub infrastructure.
- Massive-scale Azure Virtual WAN architecture design: Design a massive-scale Azure Virtual WAN network architecture across multiple Azure regions.
- Azure Virtual WAN optimized for department-specific requirements: Optimize an Azure Virtual WAN architecture for department-specific performance and security requirements.
- Connect an on-premises network to Azure: Compare options for connecting an on-premises network to Azure, including Azure VPN Gateway and Azure ExpressRoute.
- Connect an on-premises network to Azure by using Azure ExpressRoute with VPN failover: Use Azure ExpressRoute as the primary connection to Azure and Azure VPN Gateway as a backup connection.
Network security
- Implement TIC 3.0 compliance: Implement Trusted Internet Connections (TIC) 3.0 compliance for internet-facing applications.
- Implement a secure hybrid network: Extend an on-premises network to Azure by using a perimeter network and Azure Firewall.
Organizational readiness
Organizations at the beginning of the cloud adoption process can use the Cloud Adoption Framework for Azure to access proven guidance that accelerates cloud adoption. The following articles can help you plan and implement your networking solution:
- Network topology and connectivity: Review the network topology and connectivity design area for Azure landing zones.
- Connectivity to other cloud providers: Establish enterprise-grade connections between Azure and other cloud providers.
- Connectivity to Oracle Cloud Infrastructure: Set up secure, high-performance connectivity between Azure and Oracle Cloud Infrastructure.
To help ensure the quality of your networking solution on Azure, follow guidance in the Azure Well-Architected Framework. The Well-Architected Framework provides prescriptive guidance for organizations that seek architectural excellence and describes how to design, provision, and monitor cost-optimized Azure solutions. For networking-specific guidance, see the following Well-Architected Framework service guides:
- Architecture best practices for Azure Application Gateway v2
- Architecture best practices for Azure ExpressRoute
- Architecture best practices for Azure Firewall
- Architecture best practices for Azure Front Door
- Architecture best practices for Azure Load Balancer
- Architecture best practices for Azure Traffic Manager
- Architecture best practices for Azure Virtual Network
- Architecture best practices for Azure Virtual WAN
Best practices
Apply these best practices to improve the security, reliability, performance, and operational quality of your networking workloads on Azure.
Architecture best practices for Azure Application Gateway v2: Review Well-Architected Framework guidance for designing secure, reliable, and performant Application Gateway deployments.
Architecture best practices for Azure Firewall: Review Well-Architected Framework guidance for Azure Firewall deployments, including security, cost optimization, and operational best practices.
Architecture best practices for Azure Virtual Network: Review Well-Architected Framework guidance for virtual network design, including segmentation, IP address planning, and network security.
Architecture best practices for Azure Virtual WAN: Review Well-Architected Framework guidance for Azure Virtual WAN deployments, including security, reliability, and performance recommendations.
Azure best practices for network security: Apply network security best practices, including Zero Trust principles, network segmentation guidance, and load balancing strategies.
Azure Private Link in a hub-and-spoke network: Plan the deployment of private endpoints in hub-and-spoke or Azure Virtual WAN network topologies.
Recommendations for using availability zones and regions: Select the right deployment approach across availability zones and regions to meet your reliability requirements.
Virtual network connectivity options and spoke-to-spoke communication: Compare virtual network peering, VPN gateways, and other connectivity options for spoke-to-spoke communication.
Use Azure ExpressRoute with Power Platform: Configure Azure ExpressRoute connectivity for Microsoft Power Platform workloads.
Stay current with networking
Azure networking services evolve to address modern data challenges. Stay informed about the latest updates and features.
To stay current with key networking services, see the following articles:
- What's new in Azure VPN Gateway?
- What's new in Azure Virtual WAN?
- What's new in Azure Load Balancer?
Other resources
The following resources can help you discover more about networking.
Cloud platform resources
Traditional Azure networking topology: Review design considerations and recommendations for traditional hub-and-spoke network topologies in Azure, including virtual network peering, Azure ExpressRoute, and VPN gateway configurations.
What is an Azure landing zone?: Learn about the standardized approach for setting up and managing your Azure environment at scale, including hub-and-spoke and Azure Virtual WAN networking topologies.
Baseline highly available zone-redundant web application: Deploy a secure, zone-redundant web application on Azure with Azure Application Gateway, Azure Private Link, and virtual network integration.
Network topology and connectivity for Azure VMware Solution: Design network topology and connectivity for Azure VMware Solution deployments, including Azure ExpressRoute, Global Reach, and hub-and-spoke or Azure Virtual WAN integration.
Azure Private Link and DNS integration at scale: Configure Azure Private Link and private DNS zones at scale in enterprise environments, including policy-driven DNS record management and centralized DNS architecture.
Amazon Web Services (AWS) or Google Cloud professionals
To help you get started quickly, the following articles compare Azure networking options to other cloud services and provide migration guidance.
Service comparison
- Compare AWS and Azure networking options: Compare the core networking services of AWS and Azure, including virtual networks, VPN, load balancing, DNS, Private Link, and peering.
- Google Cloud to Azure services comparison - Networking: Compare Google Cloud networking services to Azure equivalents, including VPC, DNS, load balancing, VPN, ExpressRoute, and firewall services.
Migration guidance
If you're migrating from another cloud platform, see the following article:
- Migrate networking from AWS to Azure: Review networking migration guides for moving AWS networking services to Azure, including VPN gateway connectivity, Application Load Balancer migration, Network Load Balancer migration, and API Gateway migration.