Chapter Four
Networking & Content Delivery
Eight services for connectivity, traffic distribution, and edge delivery. Get the virtual network and its address space right first — overlapping ranges block peering later, with no fix but renumbering.
Core Terminology
Azure networking layers regional and global components. These terms recur across the chapter.
Virtual Network (VNet)
A regional, isolated private network you define with address space and subnets. The boundary almost everything else attaches to.
Network Security Group
A stateful set of allow/deny rules on a subnet or NIC, filtering traffic by source, destination, protocol, and port. Rules are evaluated lowest priority number first and the first match decides; built-in default rules at 65000 and above allow intra-VNet and load-balancer traffic and then deny everything else. Azure's basic firewall primitive.
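Priority order, not the order rules are listed, is what decides an NSG verdict, and the default rules sit behind your own. The evaluator below is an added example, not the book's or Azure's code: it models inbound evaluation over a constructed rule set, with the VNet range, the jump-host subnet and the flow tuples all made up for illustration, and the VirtualNetwork and AzureLoadBalancer service tags reduced to the constructed range and the platform address 168.63.129.16. Return traffic (statefulness) and other service tags are not modelled.

```python
"""Inbound NSG evaluation: lowest priority number first, first match wins.
Added example; rule set, VNet range and flows are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules 100-4096; Azure evaluates lowest first
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, "*", "VirtualNetwork" or "AzureLoadBalancer"
    dest_ports: str    # "22", "80-443" or "*"


VNET_RANGES = [ip_network("10.0.0.0/16")]            # constructed: the protected VNet
AZURE_LB = ip_address("168.63.129.16")               # platform address behind the AzureLoadBalancer tag

# Azure's default inbound rules and their real priorities; they sit behind every custom rule.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# Constructed weak set: the Deny at 200 never fires because the Allow at 100 matches first.
WEAK = [
    Rule("AllowSSH", 100, "Allow", "Tcp", "*", "22"),
    Rule("DenySSHInternet", 200, "Deny", "Tcp", "*", "22"),
    Rule("AllowHTTPS", 300, "Allow", "Tcp", "*", "443"),
]

# Constructed fixed set: SSH only from a jump subnet; everything else falls to DenyAllInBound.
FIXED = [
    Rule("AllowSSHFromBastion", 100, "Allow", "Tcp", "10.0.250.0/24", "22"),
    Rule("AllowHTTPS", 300, "Allow", "Tcp", "*", "443"),
]


def _source_matches(spec, src):
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return any(src in n for n in VNET_RANGES)
    if spec == "AzureLoadBalancer":
        return src == AZURE_LB
    return src in ip_network(spec)


def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(custom_rules, src_ip, protocol, dest_port):
    """Return (access, rule_name) for one inbound flow against custom + default rules."""
    src = ip_address(src_ip)
    for r in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.protocol not in ("*", protocol):
            continue
        if not _source_matches(r.source, src):
            continue
        if not _port_matches(r.dest_ports, dest_port):
            continue
        return r.access, r.name
    raise AssertionError("unreachable: DenyAllInBound matches every flow")


if __name__ == "__main__":
    for rules, label in ((WEAK, "weak"), (FIXED, "fixed")):
        print(label, "SSH from internet:", evaluate(rules, "203.0.113.7", "Tcp", 22))
    print("fixed, SSH from inside the VNet:", evaluate(FIXED, "10.0.3.4", "Tcp", 22))
```

The last line of the demo is the one practitioners miss: with no custom rule covering it, SSH from any other subnet in the VNet is still allowed by AllowVnetInBound at 65000. Blocking east-west traffic needs an explicit Deny with a lower priority number.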
Peering
A private, low-latency connection joining two VNets. It refuses to establish across overlapping address ranges, which is why address planning comes first, and it is not transitive: peering A to B and B to C gives A no path to C unless the hub routes it.
Layer 4 vs Layer 7
Load Balancer works at L4 (TCP/UDP); Application Gateway and Front Door work at L7 (HTTP), seeing URLs, headers, and cookies.
Private Endpoint
A private IP inside your VNet that maps to a PaaS service, keeping traffic to it off the public internet. Clients must resolve the service name to that private IP, normally through a linked private DNS zone, or they keep using the public endpoint.
Hub-and-Spoke
A topology where shared services live in a hub VNet that spoke VNets peer into — the standard enterprise network shape on Azure.
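Checking a hub-and-spoke plan for overlaps before anything is peered is the cheapest time to find the problem. The script below is an added example, not the book's or Azure's code: it takes a constructed plan (VNet names and CIDRs are made up), reports every pair that could never peer, names the spokes that cannot reach the hub, and proposes the next free block for renumbering.

```python
"""Find overlapping address spaces in a hub-and-spoke plan before peering.
Added example; the plan below is constructed."""
from ipaddress import ip_network
from itertools import combinations

# Constructed plan. spoke-c reuses the hub's range, so it can never peer with the hub;
# spoke-d is carved out of spoke-b, so those two can never peer and the hub cannot route
# to both unambiguously.
PLAN = {
    "hub":     ["10.0.0.0/16"],
    "spoke-a": ["10.1.0.0/16"],
    "spoke-b": ["10.2.0.0/16"],
    "spoke-c": ["10.0.0.0/16"],
    "spoke-d": ["10.2.128.0/17"],
}


def parse_plan(plan):
    """Map VNet name -> list of networks. strict=True rejects a prefix with host bits set
    (e.g. 10.0.0.1/16) instead of silently normalising it."""
    return {name: [ip_network(cidr, strict=True) for cidr in cidrs]
            for name, cidrs in plan.items()}


def overlapping_pairs(plan):
    """Every pair of VNets whose address spaces overlap; each is a peering Azure will refuse."""
    nets = parse_plan(plan)
    conflicts = []
    for (a, a_nets), (b, b_nets) in combinations(nets.items(), 2):
        hits = [(str(x), str(y)) for x in a_nets for y in b_nets if x.overlaps(y)]
        if hits:
            conflicts.append((a, b, hits))
    return conflicts


def hub_peering_blockers(plan, hub="hub"):
    """Spokes that cannot be peered into the hub at all."""
    return sorted(b if a == hub else a
                  for a, b, _ in overlapping_pairs(plan) if hub in (a, b))


def next_free_block(plan, supernet="10.0.0.0/8", prefixlen=16):
    """First /prefixlen inside supernet unused by any VNet in the plan: a renumbering target."""
    used = [n for nets in parse_plan(plan).values() for n in nets]
    for cand in ip_network(supernet).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None


if __name__ == "__main__":
    for a, b, hits in overlapping_pairs(PLAN):
        print(f"{a} <-> {b}: cannot peer, overlap {hits}")
    print("cannot reach the hub:", hub_peering_blockers(PLAN))
    print("next free /16 for renumbering:", next_free_block(PLAN))
```

Run it against the real plan before the first peering request; the same check also covers on-premises ranges that ExpressRoute or VPN will advertise if you add them to the plan as pseudo-VNets.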
Services in This Chapter
Service 24
Virtual Network
The private, isolated network for your Azure resources. Subnets, routing, peering, and security groups all build on it; address planning here is permanent.
Service 25
Load Balancer
A high-throughput Layer 4 load balancer for TCP and UDP. Distributes traffic across VMs and scale sets within a Region at very low latency.
Service 26
Application Gateway
A Layer 7 load balancer with URL routing, TLS termination, and an optional WAF. The regional ingress for web applications inside a VNet.
Service 27
Azure DNS
Managed DNS hosting on Azure's global anycast network, plus private DNS zones for name resolution inside your VNets.
Service 28
Front Door & CDN
A global Layer 7 entry point with anycast routing, caching, TLS, and WAF at the edge. Front of a multi-Region app; CDN for static content.
Service 29
ExpressRoute
A private, dedicated circuit between on-premises and Azure that bypasses the public internet. For predictable bandwidth, low latency, and compliance. Private is not encrypted: the circuit carries traffic in the clear unless you add MACsec or run IPsec over it.
Service 30
VPN Gateway
Encrypted IPsec tunnels connecting on-premises networks or remote users to a VNet over the internet. The quicker and cheaper hybrid-connectivity option; throughput and latency depend on the internet path.
Service 31
Traffic Manager
DNS-based global traffic routing across Regions by latency, priority, or geography. Directs clients to the best endpoint before any connection is made.