AZ-305 - Design a Networking Strategy
Network Topology Design
Network topology is a foundational decision in Azure architecture. The exam tests your ability to choose between hub-spoke and Azure Virtual WAN based on scale, complexity, and management requirements.
Hub-Spoke Topology
Hub-Spoke Architecture
In a hub-spoke topology, a central hub virtual network connects to multiple spoke VNets via VNet peering. The hub hosts shared services such as Azure Firewall, VPN Gateway, ExpressRoute Gateway, and Azure Bastion. Spokes contain workload-specific resources and are isolated from each other unless traffic is routed through the hub using User Defined Routes (UDRs).
This topology provides centralized security, reduces costs by sharing hub services, and enables network segmentation. Spoke-to-spoke traffic only flows if a UDR on the spoke subnets sends it to the firewall or NVA in the hub and the spoke peerings have "allow forwarded traffic" enabled. It is well suited for organizations with fewer than roughly 30 spokes or branch sites and moderate complexity.
Azure Virtual WAN
Virtual WAN Overview
Azure Virtual WAN is a Microsoft-managed networking service that provides hub-and-spoke connectivity at global scale. It replaces the need to manually configure hub VNets, peering, route tables, and NVAs. Virtual WAN automatically manages routing between connected VNets, branch sites (via VPN or SD-WAN), and ExpressRoute circuits.
Use Virtual WAN when you have more than 30 branch offices, need transitive connectivity between VNets by default, or require a globally meshed network with minimal routing configuration. Virtual WAN supports two tiers: Basic (site-to-site VPN only) and Standard (full feature set).
Azure DNS
Azure DNS provides domain hosting and name resolution using Microsoft Azure infrastructure. It supports both public and private DNS zones.
Public DNS Zones
Azure DNS public zones host DNS records for domains accessible from the internet. You delegate your domain to Azure DNS by updating the nameserver records at your registrar to point to Azure DNS name servers. Azure DNS supports all common record types including A, AAAA, CNAME, MX, NS, TXT, and SRV. It provides alias record sets that point directly to Azure resources such as Traffic Manager profiles, public IP addresses, or Azure CDN endpoints.
Private DNS Zones
Azure Private DNS
Private DNS zones provide name resolution within virtual networks without the need for custom DNS servers. When a private zone is linked to a VNet with auto-registration enabled, DNS records for VMs in that VNet are automatically created and maintained. A single private zone can be linked to up to 1,000 virtual networks, and auto-registration can be enabled for up to 100 of those VNets.
Private DNS is essential for Private Endpoints. When a private endpoint is created, Azure adds a public CNAME from the service FQDN (for example, <server>.database.windows.net) to a privatelink subdomain (<server>.privatelink.database.windows.net) that still resolves to the public IP. A private DNS zone named privatelink.database.windows.net, linked to the VNet and holding an A record for the endpoint's private IP (normally written by the endpoint's DNS zone group), overrides that resolution for clients in the VNet. A client in a VNet without the zone link still resolves the public address, and because a linked private zone is authoritative for its namespace, a name missing from the zone returns NXDOMAIN rather than falling back to public DNS.
Private Endpoints and Private Link
Azure Private Link enables secure, private connectivity to Azure PaaS services and customer-owned services over a private endpoint in your VNet.
How Private Endpoints Work
Private Endpoint Architecture
A private endpoint is a network interface with a private IP address from your VNet subnet. It connects to an Azure PaaS service (such as Azure SQL Database, Azure Storage, or Azure Key Vault) over the Microsoft backbone network. Traffic never traverses the public internet. To fully secure the connection, you should disable public access on the target service and configure DNS to resolve the service FQDN to the private endpoint IP address.
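The private DNS behaviour described in the Private DNS Zones section and the "configure DNS to resolve the service FQDN to the private endpoint IP" step above, as an added example that is not code from this page or from Microsoft: a toy resolver modelling how the Azure-provided resolver answers for an Azure SQL server with a private endpoint, depending on whether the client's VNet is linked to the privatelink zone. The server names, the zone records and all IP addresses are constructed for illustration; `connect()` is a hypothetical helper that reports where a connection ends up when public network access is disabled on the server.

```python
"""
Added example (not code from the AZ-305 page or from Microsoft): a toy resolver
that models how Azure-provided DNS answers for a PaaS server with a private
endpoint, depending on whether the client's VNet is linked to the private DNS
zone. Server names, records and addresses are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address

PRIVATE_ZONE = "privatelink.database.windows.net"   # private zone name used for Azure SQL
SERVER = "contoso-sql.database.windows.net"          # constructed: private endpoint in our VNet
OTHER_SERVER = "other-sql.database.windows.net"      # constructed: private endpoint created elsewhere
PUBLIC_SQL_IP = "20.0.0.10"                          # constructed public gateway addresses
OTHER_PUBLIC_IP = "20.0.0.11"
PRIVATE_ENDPOINT_IP = "10.1.2.4"                     # constructed private endpoint NIC address

# Public DNS as published once a private endpoint exists: the server name becomes a
# CNAME to its privatelink name, which still resolves to the public address.
PUBLIC_DNS = {
    SERVER: ("CNAME", "contoso-sql." + PRIVATE_ZONE),
    "contoso-sql." + PRIVATE_ZONE: ("A", PUBLIC_SQL_IP),
    OTHER_SERVER: ("CNAME", "other-sql." + PRIVATE_ZONE),
    "other-sql." + PRIVATE_ZONE: ("A", OTHER_PUBLIC_IP),
}
# Our private zone holds only the A record that our endpoint's DNS zone group wrote.
PRIVATE_ZONES = {PRIVATE_ZONE: {"contoso-sql." + PRIVATE_ZONE: ("A", PRIVATE_ENDPOINT_IP)}}


@dataclass
class VNet:
    name: str
    linked_private_zones: set = field(default_factory=set)


def resolve(name: str, vnet: VNet) -> str:
    """Resolve `name` as the Azure-provided resolver would for a VM in `vnet`."""
    for _ in range(8):  # guard against CNAME loops
        zone = name.split(".", 1)[1]
        if zone in vnet.linked_private_zones:
            # A linked private zone is authoritative for its namespace: a missing
            # record yields NXDOMAIN, with no fallback to public DNS.
            if name not in PRIVATE_ZONES.get(zone, {}):
                raise LookupError(f"NXDOMAIN (shadowed by linked private zone): {name}")
            rtype, value = PRIVATE_ZONES[zone][name]
        elif name in PUBLIC_DNS:
            rtype, value = PUBLIC_DNS[name]
        else:
            raise LookupError(f"NXDOMAIN: {name}")
        if rtype == "A":
            return value
        name = value  # CNAME: keep resolving the target
    raise LookupError("CNAME chain too long")


def connect(vnet: VNet, public_access_enabled: bool, server: str = SERVER) -> str:
    """Hypothetical helper: where a connection from `vnet` to `server` ends up given
    the server's public network access setting. Returns 'private-endpoint',
    'public-endpoint', 'refused' (public IP resolved, public access off) or 'nxdomain'."""
    try:
        ip = resolve(server, vnet)
    except LookupError:
        return "nxdomain"
    if ip_address(ip).is_private:
        return "private-endpoint"
    return "public-endpoint" if public_access_enabled else "refused"


if __name__ == "__main__":
    linked = VNet("spoke-app", {PRIVATE_ZONE})
    unlinked = VNet("spoke-legacy")   # zone link forgotten: traffic heads for the public IP
    print(connect(linked, public_access_enabled=False))    # private-endpoint
    print(connect(unlinked, public_access_enabled=False))  # refused
    print(connect(linked, True, server=OTHER_SERVER))      # nxdomain
```

The two failure modes worth remembering from this model are the unlinked VNet (clients quietly resolve the public IP, and once public access is disabled they are refused rather than redirected) and the shadowing case (a zone linked to a hub or shared VNet hides every other server in that namespace unless its record is also added), which is why a single centrally managed privatelink zone per service is the usual design.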
Private Link Service
Private Link Service allows you to expose your own services (running behind a Standard Load Balancer) as private endpoints in consumer VNets. This enables service providers to offer private connectivity to consumers without exposing services to the internet, even across Azure AD tenants.
Load Balancing Decision Tree
Azure offers four main load balancing services. The AZ-305 exam frequently tests your ability to select the right load balancer for a given scenario.
Load Balancing Options
| Service | Scope | Layer | Protocol | Key Feature |
|---|---|---|---|---|
| Azure Load Balancer | Regional | Layer 4 (TCP/UDP) | Non-HTTP | Ultra-low latency, millions of flows per second |
| Application Gateway | Regional | Layer 7 (HTTP/HTTPS) | HTTP/HTTPS | WAF, SSL termination, URL-based routing |
| Azure Front Door | Global | Layer 7 (HTTP/HTTPS) | HTTP/HTTPS | Global load balancing, CDN, WAF, SSL offload |
| Traffic Manager | Global | DNS-based | Any protocol | DNS routing (priority, weighted, geographic, performance) |
Decision Criteria
Choosing a Load Balancer
Is it HTTP/HTTPS traffic?
Yes, regional: Use Application Gateway. It provides URL-based routing, cookie-based session affinity, SSL termination, and Web Application Firewall (WAF).
Yes, global: Use Azure Front Door. It provides global HTTP load balancing with built-in CDN, WAF, and automatic failover across regions.
Is it non-HTTP traffic (TCP/UDP)?
Regional: Use Azure Load Balancer. It operates at Layer 4 with ultra-low latency for internal or public-facing workloads.
Global: Use Traffic Manager for DNS-based routing, or combine Traffic Manager with Azure Load Balancer for multi-region non-HTTP workloads. Azure Load Balancer also has a cross-region (global tier) option that fronts regional public load balancers behind a single static global IP, which avoids the DNS caching delay of a Traffic Manager failover.
Network Security
Azure provides multiple layers of network security controls. The exam tests your understanding of when to use each control.
Network Security Groups (NSGs)
NSGs contain rules that allow or deny inbound and outbound traffic based on source/destination (IP range, service tag, or ASG), port, and protocol. NSGs can be applied to subnets or individual network interfaces; when both are present, inbound traffic is evaluated by the subnet NSG first and then the NIC NSG, and both must allow it (outbound is evaluated in the reverse order). Rules are evaluated by priority (custom rules use 100-4096; lower number = higher priority): the first matching rule decides, and the fixed default rules at 65000-65500 (allow VirtualNetwork, allow AzureLoadBalancer, deny all inbound) apply last. NSGs are stateful, meaning if inbound traffic is allowed, the return traffic is automatically permitted.
Application Security Groups (ASGs)
ASGs for Simplified Security
Application Security Groups allow you to group virtual machines by application role (e.g., WebServers, DatabaseServers) and reference those groups in NSG rules instead of using IP addresses. This simplifies rule management because you do not need to update rules when VMs change IP addresses. ASGs work within a single VNet and make security policies application-centric rather than network-centric.
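The NSG evaluation order from the previous section and the ASG-based rules described here, as an added example that is not code from this page or from Microsoft: a small model of how Azure decides one flow against an NSG, with ASG names resolved to member NICs at evaluation time, default rules applied last, and the subnet-then-NIC check for inbound traffic. All rules, ASG memberships, service-tag ranges and addresses are constructed (the only real values are the default rule priorities and the 168.63.129.16 health-probe address); `Rule`, `Flow`, `evaluate` and `inbound_allowed` are names chosen for this example.

```python
"""
Added example (not code from the AZ-305 page or from Microsoft): a model of how
Azure evaluates NSG rules. Lowest priority number first, first match wins, the
default rules at 65000-65500 come last, and inbound traffic to a NIC must be
allowed by the subnet NSG and then the NIC NSG when both exist. ASG names are
resolved to member NICs at evaluation time. Rules, memberships and addresses
are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    priority: int      # custom rules use 100-4096; lower number wins
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR, service tag, "*" or "asg:<name>"
    dest: str
    dest_ports: tuple  # e.g. ("443",) or ("8000-8080", "22")


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int


# Constructed ASG membership keyed by NIC private IP. Re-addressing a VM changes
# only this map; the rules below stay as they are.
ASG_MEMBERS = {"10.0.1.4": {"WebServers"}, "10.0.1.5": {"WebServers"},
               "10.0.2.4": {"DatabaseServers"}}
# Service tags reduced to what this example needs (constructed, except the real
# Azure load balancer health-probe address 168.63.129.16).
SERVICE_TAGS = {"VirtualNetwork": ["10.0.0.0/16"], "AzureLoadBalancer": ["168.63.129.16/32"]}
# Azure's default rules: evaluated after every custom rule and not deletable.
DEFAULT_RULES = [
    Rule(65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", ("*",)),
    Rule(65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", ("*",)),
    Rule(65500, "Inbound", "Deny", "*", "*", "*", ("*",)),
    Rule(65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", ("*",)),
    Rule(65001, "Outbound", "Allow", "*", "*", "Internet", ("*",)),
    Rule(65500, "Outbound", "Deny", "*", "*", "*", ("*",)),
]


def addr_matches(spec: str, ip: str) -> bool:
    """Match a rule's source/destination field against one concrete address."""
    if spec == "*":
        return True
    if spec.startswith("asg:"):
        return spec[4:] in ASG_MEMBERS.get(ip, set())
    if spec == "Internet":
        return not ip_address(ip).is_private
    if spec in SERVICE_TAGS:
        return any(ip_address(ip) in ip_network(n) for n in SERVICE_TAGS[spec])
    return ip_address(ip) in ip_network(spec, strict=False)


def port_matches(specs: tuple, port: int) -> bool:
    for spec in specs:
        if spec == "*":
            return True
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, flow: Flow, direction: str = "Inbound") -> str:
    """One NSG's decision for one flow: the first matching rule in priority order.
    NSGs are stateful, so only the initiating packet is evaluated; replies to an
    allowed flow are never checked against the opposite direction's rules."""
    for r in sorted(list(rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if r.direction != direction or r.protocol not in ("*", flow.protocol):
            continue
        if (addr_matches(r.source, flow.src_ip) and addr_matches(r.dest, flow.dst_ip)
                and port_matches(r.dest_ports, flow.dst_port)):
            return r.access
    return "Deny"  # not reached: the 65500 default rule matches everything


def inbound_allowed(subnet_nsg, nic_nsg, flow: Flow) -> bool:
    """Inbound path: subnet NSG, then NIC NSG; a Deny at either stage drops the packet."""
    return all(evaluate(nsg, flow) == "Allow" for nsg in (subnet_nsg, nic_nsg) if nsg is not None)


# Constructed subnet NSG written against ASGs rather than addresses.
SUBNET_NSG = [
    Rule(100, "Inbound", "Allow", "Tcp", "Internet", "asg:WebServers", ("443",)),
    Rule(200, "Inbound", "Allow", "Tcp", "asg:WebServers", "asg:DatabaseServers", ("1433",)),
    # Explicit deny that overrides the permissive AllowVnetInBound default for the DB tier.
    Rule(300, "Inbound", "Deny", "*", "VirtualNetwork", "asg:DatabaseServers", ("*",)),
]
# Constructed NIC-level NSG on a web server that admits HTTPS only from inside the VNet,
# which silently blocks the internet traffic the subnet NSG allowed.
STRICT_NIC_NSG = [Rule(100, "Inbound", "Allow", "Tcp", "VirtualNetwork", "*", ("443",))]
```

Two details the model makes visible: without the priority-300 deny, the default AllowVnetInBound rule would let any VM in the VNet reach the database tier on every port, so an explicit deny below the allow rules is what actually enforces the tiering; and a NIC-level NSG that someone attaches later can block traffic the subnet NSG permits, which is the first thing to check when a flow that "should" be allowed is dropped.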
Azure Firewall vs Third-Party NVAs
Azure Firewall
Azure Firewall is a managed, cloud-based network security service that protects Azure VNet resources. The Standard tier provides built-in high availability, unrestricted cloud scalability, FQDN filtering in application rules, network traffic filtering rules, threat intelligence-based filtering, and web categories matched at the FQDN level. Azure Firewall Premium adds TLS inspection, IDPS (Intrusion Detection and Prevention System), URL filtering (full URL path rather than FQDN), and web categories matched at the URL level.
Third-party NVAs from vendors like Palo Alto, Check Point, or Fortinet are preferred when organizations require specific vendor features, have existing vendor investments, or need capabilities not yet available in Azure Firewall such as advanced application-layer inspection.
Hybrid Connectivity
ExpressRoute vs VPN Gateway
| Feature | ExpressRoute | VPN Gateway |
|---|---|---|
| Connection Type | Private (via connectivity provider) | Encrypted over public internet (IPsec/IKE) |
| Bandwidth | 50 Mbps to 10 Gbps per provider circuit; up to 100 Gbps with ExpressRoute Direct | Up to 10 Gbps aggregate (VpnGw5) |
| Latency | Predictable, low latency | Variable, depends on internet |
| Reliability | 99.95 percent SLA per circuit (each circuit is a redundant pair of links to Microsoft edge routers) | 99.95 percent SLA (99.9 percent for the Basic SKU) |
| Cost | Higher (circuit + provider fees) | Lower |
| Use Case | Mission-critical, high-throughput, compliance | General hybrid connectivity |
VNet Peering
VNet Peering Types
Regional VNet Peering: Connects VNets within the same Azure region. Traffic stays on the Microsoft backbone with no gateways, encryption, or public internet involved. Latency is the same as within a single VNet.
Global VNet Peering: Connects VNets across different Azure regions. Traffic traverses the Microsoft backbone but cross-region bandwidth charges apply. Not all VM features are supported across global peering (e.g., Basic load balancers).
VNet peering is non-transitive. If VNet A is peered with VNet B, and VNet B is peered with VNet C, VNet A cannot communicate with VNet C unless a separate peering or hub routing is established.
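The non-transitivity rule above, together with the hub-spoke routing described in the Network Topology Design section (UDRs that send spoke traffic through the hub firewall), as an added example that is not code from this page or from Microsoft: a reachability model that first applies peering alone, then adds a spoke route table, the "allow forwarded traffic" peering setting and a firewall policy. VNet names, address spaces, the firewall address and the route table are constructed; `firewall_allows` is a caller-supplied callable standing in for the firewall's rule set.

```python
"""
Added example (not code from the AZ-305 page or from Microsoft): a reachability
model for hub-spoke peering. Peering alone is non-transitive, so only directly
peered VNets can exchange traffic; spoke-to-spoke traffic needs a UDR on the
spoke subnets pointing at an NVA or Azure Firewall in the hub, "allow forwarded
traffic" on the spoke peerings, and a permitting firewall rule. VNet names,
prefixes and the firewall address are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed topology: one hub, three spokes, no spoke-to-spoke peering.
VNETS = {"hub": "10.0.0.0/16", "spoke-a": "10.1.0.0/16",
         "spoke-b": "10.2.0.0/16", "spoke-c": "10.3.0.0/16"}
# Peerings keyed by VNet pair; the value is the "allow forwarded traffic" setting
# on the spoke's side of the peering (the default is off).
PEERINGS = {
    frozenset({"hub", "spoke-a"}): True,
    frozenset({"hub", "spoke-b"}): True,
    frozenset({"hub", "spoke-c"}): False,   # forwarded traffic never enabled
}
FIREWALL_IP = "10.0.1.4"   # constructed Azure Firewall / NVA private IP in the hub
# Route table associated with every spoke subnet: private space goes to the firewall.
SPOKE_UDR = [("10.0.0.0/8", "VirtualAppliance", FIREWALL_IP)]


def vnet_of(ip: str):
    """Name of the VNet whose address space contains `ip`, or None."""
    for name, prefix in VNETS.items():
        if ip_address(ip) in ip_network(prefix):
            return name
    return None


def peered(a, b) -> bool:
    return frozenset({a, b}) in PEERINGS


def reachable_by_peering_only(src_ip: str, dst_ip: str) -> bool:
    """Non-transitive rule: traffic flows within a VNet or across one direct peering."""
    s, d = vnet_of(src_ip), vnet_of(dst_ip)
    return s is not None and d is not None and (s == d or peered(s, d))


def next_hop(udr, dst_ip: str):
    """Longest-prefix match over the user routes; None if no user route applies."""
    best = None
    for prefix, hop_type, hop in udr:
        net = ip_network(prefix)
        if ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop_type, hop)
    return best


def reachable_via_hub(src_ip: str, dst_ip: str, firewall_allows, udr=SPOKE_UDR) -> bool:
    """Hub routing. A direct peering wins because its /16 system route is more
    specific than the /8 user route. Otherwise the packet goes to the NVA, must be
    forwarded into the destination spoke (and the reply back into the source
    spoke), and is subject to the firewall policy."""
    if reachable_by_peering_only(src_ip, dst_ip):
        return True
    s, d = vnet_of(src_ip), vnet_of(dst_ip)
    hop = next_hop(udr, dst_ip)
    if hop is None or hop[1] != "VirtualAppliance":
        return False
    fw = vnet_of(hop[2])
    if not (peered(s, fw) and peered(fw, d)):
        return False
    if not (PEERINGS[frozenset({fw, d})] and PEERINGS[frozenset({fw, s})]):
        return False   # forwarded traffic disabled on one of the spoke peerings
    return firewall_allows(src_ip, dst_ip)


def spoke_to_spoke_matrix(firewall_allows, udr=SPOKE_UDR) -> dict:
    """Reachability between a representative host in each spoke."""
    hosts = {n: str(ip_network(p)[4]) for n, p in VNETS.items() if n != "hub"}
    return {(a, b): reachable_via_hub(hosts[a], hosts[b], firewall_allows, udr)
            for a in hosts for b in hosts if a != b}


if __name__ == "__main__":
    def allow_all(src, dst):
        return True
    print(reachable_by_peering_only("10.1.0.4", "10.2.0.4"))     # False
    print(reachable_via_hub("10.1.0.4", "10.2.0.4", allow_all))  # True
    print(spoke_to_spoke_matrix(allow_all))
```

The spoke-c case is the one that catches people in practice: the UDR and the firewall rule are both in place, yet traffic fails because "allow forwarded traffic" was left off on that spoke's peering, so packets arriving from the hub firewall with a source address from another spoke are dropped before any firewall log shows them.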
Key Terms
| Term | Definition |
|---|---|
| Hub-Spoke Topology | A network architecture where a central hub VNet connects to multiple spoke VNets, hosting shared services like firewalls and gateways. |
| Azure Virtual WAN | A Microsoft-managed networking service providing automated hub-spoke connectivity at global scale with built-in routing. |
| Private Endpoint | A network interface with a private IP in your VNet that connects to an Azure PaaS service over the Microsoft backbone. |
| NSG (Network Security Group) | A set of stateful security rules that control inbound and outbound traffic at the subnet or NIC level. |
| ASG (Application Security Group) | A logical grouping of VMs by application role, used as source or destination in NSG rules instead of IP addresses. |
| Azure Firewall | A managed, stateful firewall service with built-in high availability, FQDN filtering, and threat intelligence. |
| ExpressRoute | A private, dedicated connection between on-premises networks and Azure through a connectivity provider. |
| VNet Peering | A non-transitive, low-latency connection between two Azure virtual networks over the Microsoft backbone. |
Exam Tips
- Hub-spoke for moderate scale, Virtual WAN for large scale - if the scenario has more than 30 branches or needs automatic any-to-any routing, choose Virtual WAN. For simpler environments, hub-spoke is sufficient.
- Private Endpoint eliminates public internet exposure - whenever the exam asks about securing PaaS services from internet access, Private Endpoint with disabled public access is the solution.
- Application Gateway for regional HTTP, Front Door for global HTTP - the scope (regional vs global) and protocol (HTTP vs non-HTTP) are the two main factors in choosing a load balancer.
- VNet peering is non-transitive - if A peers with B and B peers with C, A cannot reach C without additional routing or a direct peering. The exam tests this concept frequently.
- ExpressRoute for mission-critical, VPN for general hybrid - choose ExpressRoute when the scenario emphasizes predictable latency, high bandwidth, or compliance requirements.
- Azure Firewall Premium for TLS inspection and IDPS - if the exam scenario requires inspecting encrypted traffic or intrusion detection, the Premium tier of Azure Firewall is required.
Practice Questions
Question 1
Your organization has 50 branch offices that need to connect to Azure and to each other with automatic routing. Which networking solution should you recommend?
- A. Hub-spoke with VNet peering and UDRs
- B. Azure Virtual WAN (Standard tier)
- C. Multiple VPN Gateways in each VNet
- D. ExpressRoute Global Reach only
Answer: B
Explanation: Azure Virtual WAN Standard tier provides automated any-to-any routing, supports VPN, ExpressRoute, and VNet connections at global scale, and eliminates the need for manual UDR and peering configuration. It is designed for large organizations with many branches.
Question 2
You need to ensure that an Azure SQL Database is only accessible from your virtual network and never exposed to the public internet. What should you implement?
- A. Service Endpoint
- B. Private Endpoint with public access disabled
- C. NSG rules on the SQL Database
- D. Azure Firewall FQDN rule
Answer: B
Explanation: A Private Endpoint creates a private IP in your VNet for the Azure SQL Database, and disabling public access ensures the database is only reachable through the private endpoint. Service Endpoints still traverse the Microsoft backbone but the PaaS resource retains its public IP.
Question 3
You are designing load balancing for a multi-region web application that requires WAF protection and automatic failover between Azure regions. Which service should you use?
- A. Azure Load Balancer
- B. Application Gateway
- C. Azure Front Door
- D. Traffic Manager
Answer: C
Explanation: Azure Front Door provides global Layer 7 load balancing with built-in WAF, automatic regional failover, SSL termination, and CDN capabilities. Application Gateway is regional only, and Traffic Manager does not provide WAF or Layer 7 features.
Question 4
A company requires a dedicated, private connection between its on-premises datacenter and Azure with guaranteed bandwidth of 10 Gbps and predictable latency. Which connectivity option should you recommend?
- A. Site-to-site VPN
- B. Point-to-site VPN
- C. ExpressRoute
- D. Azure Virtual WAN with VPN
Answer: C
Explanation: ExpressRoute provides a private, dedicated connection through a connectivity provider with guaranteed bandwidth (up to 10 Gbps per provider circuit, or 100 Gbps with ExpressRoute Direct) and predictable low latency. VPN connections traverse the public internet and cannot guarantee consistent bandwidth or latency.
Question 5
You have three VNets: VNet-A peered with VNet-B, and VNet-B peered with VNet-C. Resources in VNet-A cannot communicate with VNet-C. What is the most efficient solution?
- A. Create a direct VNet peering between VNet-A and VNet-C
- B. Deploy Azure Firewall in VNet-B and configure UDRs
- C. Use a VPN Gateway in each VNet
- D. Redeploy all resources into a single VNet
Answer: A
Explanation: VNet peering is non-transitive, so VNet-A cannot reach VNet-C through VNet-B without additional configuration. The most efficient solution is to create a direct peering between VNet-A and VNet-C. Option B works but adds cost and complexity. Option D is disruptive and not practical.