Azure Networking Advanced — VNet Peering, VPN & DNS
Connect networks across regions, on-premises, and the internet with VNet Peering, VPN Gateway, ExpressRoute, Azure DNS, and Traffic Manager.
“Welcome back. We covered VNet basics, subnets, and NSGs earlier in the series. Now we go deeper — the networking topics that appear on AZ-104 and AZ-305, and that every real Azure deployment uses. How do you connect two VNets in different regions? How do you connect your on-premises office to Azure? How do you manage DNS in Azure? How do you route global traffic to the nearest healthy endpoint? These are the questions we answer today.”
“VNet Peering connects two virtual networks so resources in each can communicate using private IP addresses. Traffic travels over Microsoft's private backbone network — never the public internet — which gives you low latency and high bandwidth. Peering is non-transitive: if VNet A peers with VNet B, and VNet B peers with VNet C, VNet A cannot reach VNet C through B. You'd need a direct peering or a hub-and-spoke architecture with a Network Virtual Appliance or Azure Firewall in the hub. Hub-and-spoke is the standard enterprise pattern — a central hub VNet contains shared services like gateways and firewalls, and spoke VNets for each workload peer to the hub.”
“VPN Gateway creates an encrypted IPSec/IKE tunnel between your Azure VNet and your on-premises network over the public internet. Site-to-site VPN connects your entire office network — any machine in your office can reach Azure resources over the VPN as if they were on the same local network. Point-to-site VPN is for individual connections — developers working from home connect their laptop to Azure VNet. The setup requires a dedicated GatewaySubnet in your VNet, a VPN Gateway resource (takes 30-45 minutes to provision), a Local Network Gateway representing your on-premises device, and a Connection resource joining them together.”
“ExpressRoute is for organizations that need more than VPN can offer. Instead of an internet tunnel, ExpressRoute gives you a private, dedicated circuit from your data center to Microsoft's network through a connectivity provider. Your data never touches the public internet. This is the choice for financial services, healthcare, and government organizations that have strict data sovereignty requirements, and for enterprises transferring large amounts of data between on-premises and Azure. ExpressRoute Global Reach connects two on-premises locations through the Azure backbone — effectively giving you a private WAN between your offices, routing through Microsoft's global network.”
“Azure DNS lets you host your domain's DNS zones in Azure, using the same portal, CLI, and billing you use for everything else. Public DNS zones handle name resolution for your internet-facing domains. Private DNS zones solve the internal naming challenge — every VM and service in your VNets can resolve each other by hostname instead of IP address. Auto-registration automatically creates DNS records when VMs join a VNet linked to a private zone. Alias records are a uniquely Azure capability — point a DNS record directly to an Azure resource like a Public IP or Traffic Manager profile, and when that resource's IP changes, the DNS record updates automatically. No more stale DNS entries.”
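The scoping rules in that paragraph are easy to get wrong in practice: a private zone answers only VNets that are linked to it, auto-registration only happens through a link created with registration enabled, and a VNet can hold a registration-enabled link to just one private zone. The model below is an added example for this page, not Azure's own code or API; it simulates those rules, plus the alias-record behaviour described for public zones, on made-up VNet, host and address names so they can be checked offline.

```python
from typing import Optional


class PublicIp:
    """Stands in for an Azure Public IP resource whose address can change later."""

    def __init__(self, name: str, address: str):
        self.name, self.address = name, address


class Zone:
    """Public DNS zone: static A records plus alias records that track a resource."""

    def __init__(self, name: str):
        self.name = name
        self.a_records: dict[str, str] = {}            # host -> IPv4 literal
        self.alias_records: dict[str, PublicIp] = {}   # host -> resource

    def add_a(self, host: str, ip: str) -> None:
        self.a_records[host] = ip

    def add_alias(self, host: str, target: PublicIp) -> None:
        self.alias_records[host] = target

    def _lookup(self, fqdn: str) -> Optional[str]:
        suffix = "." + self.name
        if not fqdn.endswith(suffix):
            return None                      # not authoritative for this name
        host = fqdn[: -len(suffix)]
        if host in self.alias_records:
            return self.alias_records[host].address   # read the resource's current IP
        return self.a_records.get(host)

    def resolve(self, fqdn: str, from_vnet: Optional[str] = None) -> Optional[str]:
        return self._lookup(fqdn)            # a public zone answers any client


class PrivateZone(Zone):
    """Private DNS zone: answers only linked VNets; registers VMs via registration links."""

    def __init__(self, name: str, registry: dict[str, str]):
        super().__init__(name)
        self.links: dict[str, bool] = {}     # vnet -> registration_enabled
        self.registry = registry             # vnet -> zone owning its registration link

    def link_vnet(self, vnet: str, registration_enabled: bool = False) -> None:
        if registration_enabled:
            # Azure allows one registration-enabled link per VNet across all private zones.
            owner = self.registry.get(vnet)
            if owner is not None and owner != self.name:
                raise ValueError(f"{vnet} already auto-registers into {owner}")
            self.registry[vnet] = self.name
        self.links[vnet] = registration_enabled

    def vm_joined(self, vnet: str, hostname: str, ip: str) -> bool:
        """Auto-registration: an A record appears only through a registration-enabled link."""
        if self.links.get(vnet, False):
            self.add_a(hostname, ip)
            return True
        return False

    def resolve(self, fqdn: str, from_vnet: Optional[str] = None) -> Optional[str]:
        if from_vnet not in self.links:
            return None                      # unlinked VNets and the internet get nothing
        return self._lookup(fqdn)


def demo() -> dict:
    """Walk the lecture's scenarios; VNet, host and address names are made up."""
    registry: dict[str, str] = {}
    corp = PrivateZone("corp.internal", registry)
    corp.link_vnet("vnet-hub", registration_enabled=True)
    corp.link_vnet("vnet-spoke1")                  # resolution only, no registration
    r = {}
    r["hub_vm_registered"] = corp.vm_joined("vnet-hub", "web01", "10.0.1.4")
    r["spoke_vm_registered"] = corp.vm_joined("vnet-spoke1", "app01", "10.1.1.4")
    r["spoke_resolves_hub_vm"] = corp.resolve("web01.corp.internal", from_vnet="vnet-spoke1")
    r["unlinked_vnet_resolves"] = corp.resolve("web01.corp.internal", from_vnet="vnet-spoke2")
    try:
        PrivateZone("other.internal", registry).link_vnet("vnet-hub", registration_enabled=True)
        r["second_registration_link"] = "allowed"
    except ValueError:
        r["second_registration_link"] = "rejected"
    pip = PublicIp("pip-web", "20.0.0.10")
    pub = Zone("example.com")
    pub.add_alias("www", pip)                      # alias record follows the resource
    pub.add_a("legacy", pip.address)               # plain A record copies the IP once
    pip.address = "20.0.0.99"                      # resource re-allocated
    r["alias_after_change"] = pub.resolve("www.example.com")
    r["static_after_change"] = pub.resolve("legacy.example.com")
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the spoke VM joining a resolution-only link never gets a record, a VNet that is not linked at all gets no answer for the zone, the second registration-enabled link for `vnet-hub` is refused, and after the public IP changes only the alias record follows it while the hand-typed A record goes stale.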
“Traffic Manager is Azure's global load balancing solution, but it works at the DNS layer rather than the network layer. When a user resolves your domain, Traffic Manager's DNS response directs them to the appropriate endpoint based on your routing policy. Priority routing is the classic active-passive failover: all traffic goes to region 1, and if its health check fails, Traffic Manager starts returning region 2's address. Performance routing sends each user to the Azure region with the lowest latency for their location. Weighted routing lets you do gradual traffic migration — shift 10% of traffic to a new deployment, monitor for errors, then gradually increase to 100%.”
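The three routing methods and the health-probe-driven failover described above, as an added offline simulation (not Azure's own implementation or API): each routing function takes the endpoint list and returns the target a DNS answer would carry. Endpoint names, targets, latencies and the assumption that a probe is healthy only on HTTP 200 are constructed for the example.

```python
import random
from dataclasses import dataclass
from typing import Optional


@dataclass
class Endpoint:
    name: str
    target: str              # what the DNS answer will point at
    priority: int = 1        # lower wins under Priority routing
    weight: int = 1          # share of answers under Weighted routing
    location: str = ""       # Azure region, used by Performance routing
    enabled: bool = True     # operator-controlled, e.g. disabled for maintenance
    healthy: bool = True     # last health probe result


def probe(ep: Endpoint, http_status: int, expected=(200,)) -> None:
    """Health monitor: healthy only if the probe returned an expected status (200 assumed)."""
    ep.healthy = http_status in expected


def live(endpoints: list[Endpoint]) -> list[Endpoint]:
    return [e for e in endpoints if e.enabled and e.healthy]


def route_priority(endpoints: list[Endpoint]) -> Optional[str]:
    """Active-passive: always the live endpoint with the lowest priority number."""
    candidates = live(endpoints)
    return min(candidates, key=lambda e: e.priority).target if candidates else None


def route_weighted(endpoints: list[Endpoint], rng: random.Random) -> Optional[str]:
    """Each answer picks a live endpoint with probability proportional to its weight."""
    candidates = live(endpoints)
    if not candidates:
        return None
    return rng.choices(candidates, weights=[e.weight for e in candidates])[0].target


def route_performance(endpoints: list[Endpoint], latency_ms: dict[str, float]) -> Optional[str]:
    """Lowest measured latency from the client's network to the endpoint's region."""
    candidates = [e for e in live(endpoints) if e.location in latency_ms]
    return min(candidates, key=lambda e: latency_ms[e.location]).target if candidates else None


def demo() -> dict:
    """Constructed two-region scenario: primary in westeurope, secondary in northeurope."""
    r = {}
    west = Endpoint("west", "app-west.example.net", priority=1, weight=90, location="westeurope")
    north = Endpoint("north", "app-north.example.net", priority=2, weight=10, location="northeurope")
    eps = [west, north]
    r["priority_normal"] = route_priority(eps)
    probe(west, 503)                       # primary fails its health check
    r["priority_failover"] = route_priority(eps)
    probe(west, 200)
    north.enabled = False                  # operator disables the secondary ...
    probe(west, 503)                       # ... and then the primary fails too
    r["priority_none_live"] = route_priority(eps)
    probe(west, 200)
    north.enabled = True
    rng = random.Random(42)
    answers = [route_weighted(eps, rng) for _ in range(10_000)]
    r["north_share"] = answers.count(north.target) / len(answers)   # about 0.10
    latency = {"westeurope": 25.0, "northeurope": 4.0}              # e.g. a client near Dublin
    r["perf_nearest"] = route_performance(eps, latency)
    probe(north, 500)                      # nearest region unhealthy -> next best
    r["perf_nearest_down"] = route_performance(eps, latency)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats the simulation makes visible: when no endpoint is live, Priority routing has nothing to hand out, and every method answers only with the current state, so clients that cached the previous answer keep using it until the record's TTL expires. Real failover time is therefore probe interval plus TTL, which is why low TTLs are paired with failover profiles.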
“Enterprise Azure network architectures follow predictable patterns. Hub-and-spoke is the most common — a central hub VNet contains your VPN gateway, Azure Firewall, and shared services, and spoke VNets for individual workloads peer to the hub. Traffic between spokes routes through the hub's firewall for inspection. For global enterprises with multiple regions, each region has its own hub, and the regional hubs are connected via global VNet peering. Azure Virtual WAN is Microsoft's managed version of this pattern — it automates the hub-and-spoke deployment at global scale, reducing the configuration work significantly.”
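The non-transitivity rule from the peering section and the hub-and-spoke exception to it described here share one check: two spokes reach each other only when both peer with a hub that has a firewall, both spoke peerings allow forwarded traffic, and both spokes have a route table sending the other spoke's prefix to that firewall (otherwise the return path has no route). The following reachability checker is an added example for this page, not Azure's own logic; the VNets, prefixes, firewall address and peering flags are constructed, and it also covers gateway transit to on-premises.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Optional


@dataclass
class VNet:
    name: str
    prefix: str
    firewall_ip: Optional[str] = None                   # NVA / Azure Firewall private IP (hub)
    has_gateway: bool = False                           # VPN or ExpressRoute gateway present
    udr: dict[str, str] = field(default_factory=dict)   # route table: prefix -> next hop IP


@dataclass
class Peering:
    local: str
    remote: str
    allow_forwarded_traffic: bool = False   # accept traffic an NVA in `remote` forwards
    allow_gateway_transit: bool = False     # let `remote` use our gateway
    use_remote_gateways: bool = False       # use the gateway in `remote`


class Topology:
    def __init__(self, vnets: list[VNet], peerings: list[Peering]):
        self.vnets = {v.name: v for v in vnets}
        self.peerings = {(p.local, p.remote): p for p in peerings}

    def connected(self, a: str, b: str) -> bool:
        """A peering reaches the Connected state only once both sides exist."""
        return (a, b) in self.peerings and (b, a) in self.peerings

    def _routes_via(self, src: VNet, dst: VNet, hub: VNet) -> bool:
        """Does src's route table send dst's prefix to the hub firewall?"""
        dst_net = ip_network(dst.prefix)
        return any(dst_net.subnet_of(ip_network(p)) and hop == hub.firewall_ip
                   for p, hop in src.udr.items())

    def reachable(self, src_name: str, dst_name: str) -> bool:
        if src_name == dst_name or self.connected(src_name, dst_name):
            return True                          # same VNet or direct peering
        src, dst = self.vnets[src_name], self.vnets[dst_name]
        # Peering is non-transitive: a shared peer only helps if it is a hub with a
        # firewall that BOTH spokes route through, and both spoke peerings accept the
        # traffic the firewall forwards on behalf of the other spoke.
        for hub in self.vnets.values():
            if hub.firewall_ip is None:
                continue
            if not (self.connected(src.name, hub.name) and self.connected(dst.name, hub.name)):
                continue
            forwarding_ok = (self.peerings[(src.name, hub.name)].allow_forwarded_traffic
                             and self.peerings[(dst.name, hub.name)].allow_forwarded_traffic)
            if forwarding_ok and self._routes_via(src, dst, hub) and self._routes_via(dst, src, hub):
                return True
        return False

    def reaches_onprem(self, name: str) -> bool:
        """Gateway transit: a spoke may use the hub's gateway only if both sides agree."""
        if self.vnets[name].has_gateway:
            return True
        return any(hub.has_gateway and self.connected(name, hub.name)
                   and self.peerings[(name, hub.name)].use_remote_gateways
                   and self.peerings[(hub.name, name)].allow_gateway_transit
                   for hub in self.vnets.values())


def build_demo() -> Topology:
    """Hub with firewall and gateway; spokes A and B routed through it; spoke C only peered."""
    fw = "10.0.1.4"
    hub = VNet("hub", "10.0.0.0/16", firewall_ip=fw, has_gateway=True)
    a = VNet("spoke-a", "10.1.0.0/16", udr={"10.0.0.0/8": fw})
    b = VNet("spoke-b", "10.2.0.0/16", udr={"10.0.0.0/8": fw})
    c = VNet("spoke-c", "10.3.0.0/16")                         # no route table at all
    peers = []
    for spoke, routed in ((a, True), (b, True), (c, False)):
        peers.append(Peering("hub", spoke.name, allow_forwarded_traffic=True, allow_gateway_transit=True))
        peers.append(Peering(spoke.name, "hub", allow_forwarded_traffic=routed, use_remote_gateways=routed))
    return Topology([hub, a, b, c], peers)


if __name__ == "__main__":
    t = build_demo()
    for pair in (("spoke-a", "hub"), ("spoke-a", "spoke-b"), ("spoke-a", "spoke-c")):
        print(pair, t.reachable(*pair))
    for spoke in ("spoke-a", "spoke-c"):
        print(spoke, "on-prem:", t.reaches_onprem(spoke))
```

The interesting outputs are the negative ones: spoke-c peers with the same hub as spoke-a yet cannot reach it, because nothing routes its traffic through the firewall and its peering does not accept forwarded traffic. Treat `reachable` returning True between two spokes as a reminder that the firewall in the hub is now the only control between those workloads, so its rules, not the peering, define the segmentation.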
“Let me walk through the key demos. I'll create two VNets in different regions, configure peering between them, and prove connectivity works from a VM in each. Then Azure DNS — create a public zone, delegate it, add records. Create a private zone, link it to a VNet, and show automatic VM name resolution. Finally, Traffic Manager — two web app endpoints, priority routing, and I'll disable the primary endpoint to watch automatic failover happen in real time.”
“These networking topics are heavily tested on AZ-104. Key exam points: VPN Gateway requires a subnet named exactly GatewaySubnet with no other resources. VNet Peering is non-transitive — this is a favourite exam question. ExpressRoute doesn't use the public internet — if a scenario mentions regulatory or compliance requirements, ExpressRoute is likely the right answer. Traffic Manager works at DNS level — it cannot inspect traffic content, only route DNS queries. Private DNS auto-registration only registers VMs, not other resource types. Know these details and networking questions become straightforward.”
1. Create two VNets in different regions
2. Set up VNet Peering between them and test connectivity
3. Create a VPN Gateway and configure site-to-site connection
4. Create an Azure DNS zone and add A/CNAME records
5. Create a Private DNS zone and link to a VNet
6. Configure Traffic Manager with weighted routing between two endpoints
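The six lab tasks as one Azure CLI driver, added here as an example rather than the course's own lab script. It prints the `az` commands for each step (dry run) and executes them only with `--execute`. The resource group, regions, VNet and subnet names, address prefixes, the `example.com` and `corp.internal` zone names, the Traffic Manager profile name (which must be globally unique) and the on-premises device address are placeholder assumptions; the IPsec pre-shared key is read from the `VPN_SHARED_KEY` environment variable and redacted in the printed plan.

```python
import os
import shlex
import subprocess
import sys

RG, LOC_HUB, LOC_SPOKE = "rg-net-lab", "westeurope", "northeurope"          # placeholders
ZONE, PRIVATE_ZONE, TM = "example.com", "corp.internal", "tm-lab-example"   # placeholders


def az(*args: object) -> list[str]:
    return ["az", *map(str, args)]


def step_vnets() -> list[list[str]]:
    return [az("group", "create", "--name", RG, "--location", LOC_HUB),
            az("network", "vnet", "create", "--resource-group", RG, "--name", "vnet-hub", "--location", LOC_HUB,
               "--address-prefixes", "10.0.0.0/16", "--subnet-name", "snet-shared", "--subnet-prefixes", "10.0.1.0/24"),
            az("network", "vnet", "create", "--resource-group", RG, "--name", "vnet-spoke", "--location", LOC_SPOKE,
               "--address-prefixes", "10.1.0.0/16", "--subnet-name", "snet-app", "--subnet-prefixes", "10.1.1.0/24")]


def step_peering() -> list[list[str]]:
    # One peering per side; the state shows Connected only once both exist.
    return [az("network", "vnet", "peering", "create", "--resource-group", RG, "--name", "hub-to-spoke",
               "--vnet-name", "vnet-hub", "--remote-vnet", "vnet-spoke",
               "--allow-vnet-access", "--allow-forwarded-traffic", "--allow-gateway-transit"),
            az("network", "vnet", "peering", "create", "--resource-group", RG, "--name", "spoke-to-hub",
               "--vnet-name", "vnet-spoke", "--remote-vnet", "vnet-hub",
               "--allow-vnet-access", "--allow-forwarded-traffic")]


def step_vpn(shared_key: str = "") -> list[list[str]]:
    shared_key = shared_key or os.environ.get("VPN_SHARED_KEY", "")
    return [
        # Must be named exactly GatewaySubnet; a /27 leaves room for gateway growth.
        az("network", "vnet", "subnet", "create", "--resource-group", RG, "--vnet-name", "vnet-hub",
           "--name", "GatewaySubnet", "--address-prefixes", "10.0.255.0/27"),
        az("network", "public-ip", "create", "--resource-group", RG, "--name", "pip-vgw-hub",
           "--sku", "Standard", "--allocation-method", "Static"),
        # Blocking call, typically 30-45 minutes. It runs before the peering update
        # because useRemoteGateways cannot be set until the hub gateway exists.
        az("network", "vnet-gateway", "create", "--resource-group", RG, "--name", "vgw-hub", "--vnet", "vnet-hub",
           "--public-ip-address", "pip-vgw-hub", "--gateway-type", "Vpn", "--vpn-type", "RouteBased", "--sku", "VpnGw1"),
        az("network", "vnet", "peering", "update", "--resource-group", RG, "--vnet-name", "vnet-spoke",
           "--name", "spoke-to-hub", "--set", "useRemoteGateways=true"),
        # Placeholder on-premises device address (RFC 5737 range) and LAN prefix.
        az("network", "local-gateway", "create", "--resource-group", RG, "--name", "lgw-onprem",
           "--gateway-ip-address", "203.0.113.10", "--local-address-prefixes", "192.168.0.0/24"),
        az("network", "vpn-connection", "create", "--resource-group", RG, "--name", "cn-onprem",
           "--vnet-gateway1", "vgw-hub", "--local-gateway2", "lgw-onprem", "--shared-key", shared_key)]


def step_dns() -> list[list[str]]:
    return [az("network", "dns", "zone", "create", "--resource-group", RG, "--name", ZONE),
            # Prints the assigned name servers; delegate the domain to them at the registrar.
            az("network", "dns", "zone", "show", "--resource-group", RG, "--name", ZONE, "--query", "nameServers", "-o", "tsv"),
            az("network", "dns", "record-set", "a", "add-record", "--resource-group", RG, "--zone-name", ZONE,
               "--record-set-name", "www", "--ipv4-address", "20.0.0.10"),
            az("network", "dns", "record-set", "cname", "set-record", "--resource-group", RG, "--zone-name", ZONE,
               "--record-set-name", "app", "--cname", f"www.{ZONE}")]


def step_private_dns() -> list[list[str]]:
    return [az("network", "private-dns", "zone", "create", "--resource-group", RG, "--name", PRIVATE_ZONE),
            # Registration-enabled link: VMs in vnet-hub get A records without manual entries.
            az("network", "private-dns", "link", "vnet", "create", "--resource-group", RG, "--zone-name", PRIVATE_ZONE,
               "--name", "link-hub", "--virtual-network", "vnet-hub", "--registration-enabled", "true")]


def step_traffic_manager() -> list[list[str]]:
    def endpoint(name: str, target: str, weight: int) -> list[str]:
        return az("network", "traffic-manager", "endpoint", "create", "--resource-group", RG, "--profile-name", TM,
                  "--name", name, "--type", "externalEndpoints", "--target", target, "--weight", weight)
    return [az("network", "traffic-manager", "profile", "create", "--resource-group", RG, "--name", TM,
               "--routing-method", "Weighted", "--unique-dns-name", TM, "--ttl", "30",
               "--protocol", "HTTPS", "--port", "443", "--path", "/"),
            endpoint("ep-current", "app-current.example.net", 90),   # 90/10 split: canary gets 10%
            endpoint("ep-canary", "app-canary.example.net", 10)]


def plan() -> dict[str, list[list[str]]]:
    return {"1-vnets": step_vnets(), "2-peering": step_peering(), "3-vpn": step_vpn(), "4-dns": step_dns(),
            "5-private-dns": step_private_dns(), "6-traffic-manager": step_traffic_manager()}


def render(cmd: list[str]) -> str:
    """Shell-quoted line for the dry run, with the IPsec pre-shared key redacted."""
    shown = list(cmd)
    if "--shared-key" in shown:
        shown[shown.index("--shared-key") + 1] = "<redacted>"
    return shlex.join(shown)


def main(execute: bool) -> None:
    if execute and not os.environ.get("VPN_SHARED_KEY"):
        sys.exit("export VPN_SHARED_KEY first instead of typing the PSK into the shell")
    for step, cmds in plan().items():
        print(f"# {step}")
        for cmd in cmds:
            print(render(cmd))
            if execute:
                subprocess.run(cmd, check=True)


if __name__ == "__main__":
    main(execute="--execute" in sys.argv[1:])
```

Run it once without arguments to review the plan, then with `--execute` against a throwaway subscription; each step is ordered so that its prerequisites (both peering sides, the gateway before `useRemoteGateways`, the zone before its records and links) already exist. Note that `az` still receives the pre-shared key as a process argument, so the redaction protects only the printed plan and your shell history, and the gateway creation is the one step that blocks for the better part of an hour.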