Internet protection

To provide inbound protection at the perimeter:

Application Gateway
  • Layer 7 (HTTP/HTTPS) load balancer; its WAF SKU adds a web application firewall (OWASP rule sets) that filters common web attacks before they reach HTTP-based services
Network virtual appliances (NVA)
  • For protecting non-HTTP-based services or for increased customization
  • Available from many of the most popular network security vendors
Azure DDoS Protection
  • Basic (infrastructure-level) protection is always on for every Azure public IP
  • The paid tier adds mitigation policies tuned to your resources' normal traffic, attack telemetry, alerting and further customization

Virtual network security

Once inside a virtual network:

Network security groups (NSG)
  • Ordered list of allow and deny rules for traffic to and from network interfaces and subnets; rules are evaluated by priority (lowest number first) and the first match wins, so a Deny placed before an Allow silently shadows it
  • Operate at layers 3 & 4 (source/destination address or service tag, port, protocol); they do not inspect payloads
Virtual network service endpoints
  • Extend your virtual network's identity to an Azure service (e.g. Storage, SQL) so the service's firewall can accept traffic only from the chosen subnets; that traffic stays on the Azure backbone
  • The service keeps its public endpoint: public access is only removed if you also set the service's firewall default action to Deny and list the subnet. Enabling the endpoint on the subnet alone changes nothing on the service side
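An NSG rule evaluator, added here as an example (it is not code from the page or from Azure): it applies the priority-ordered, first-match semantics described above to a constructed rule set and shows the shadowing problem, a Deny at priority 110 that makes the Allow at 120 unreachable. The VirtualNetwork, Internet and AzureLoadBalancer service tags are simplified to a fixed prefix list; the rule names and addresses are assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address space standing in for the VirtualNetwork service tag
# (assumption: the platform resolves the tag; here it is a fixed prefix list).
VNET_PREFIXES = ["10.0.0.0/16"]
AZURE_LB_IP = ipaddress.ip_address("168.63.129.16")   # AzureLoadBalancer tag


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int         # custom rules 100-4096; lower number is evaluated first
    direction: str        # "Inbound" or "Outbound"
    access: str           # "Allow" or "Deny"
    protocol: str         # "Tcp", "Udp", "Icmp" or "*"
    source: str           # CIDR, single IP, service tag or "*"
    source_port: str      # "*", "443", "1024-65535" or a comma-separated list
    destination: str
    destination_port: str


# Azure's default rules, present in every NSG at priorities 65000 and above.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]


def _addr_match(spec: str, addr: str) -> bool:
    """Layer 3 match: wildcard, service tag (simplified) or prefix."""
    ip = ipaddress.ip_address(addr)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return any(ip in ipaddress.ip_network(p) for p in VNET_PREFIXES)
    if spec == "Internet":            # simplification: anything not in the VNet
        return not _addr_match("VirtualNetwork", addr)
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_IP
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_match(spec: str, port: int) -> bool:
    """Layer 4 match: wildcard, single port, range or comma-separated list."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(custom_rules, direction, protocol, src, src_port, dst, dst_port):
    """Decide one flow the way an NSG does: rules for that direction are tried in
    ascending priority and the first match wins; the default DenyAll* catches the rest."""
    candidates = [r for r in list(custom_rules) + DEFAULT_RULES if r.direction == direction]
    for r in sorted(candidates, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol)
                and _addr_match(r.source, src) and _port_match(r.source_port, src_port)
                and _addr_match(r.destination, dst) and _port_match(r.destination_port, dst_port)):
            return r.access, r.name
    return "Deny", "<no rule>"   # unreachable in practice: DenyAll* always matches


# Constructed rule set for a web subnet. "DenySSH" at 110 sits before
# "AllowSSHFromMgmt" at 120 and matches the same flows, so the Allow is dead:
# management hosts are locked out even though an Allow rule exists.
WEB_RULES = [
    Rule("AllowHTTPS", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "443"),
    Rule("DenySSH", 110, "Inbound", "Deny", "Tcp", "*", "*", "*", "22"),
    Rule("AllowSSHFromMgmt", 120, "Inbound", "Allow", "Tcp", "10.0.250.0/24", "*", "*", "22"),
]

if __name__ == "__main__":
    for flow in [("Inbound", "Tcp", "203.0.113.5", 51000, "10.0.1.4", 443),
                 ("Inbound", "Tcp", "10.0.250.5", 51001, "10.0.1.4", 22),
                 ("Inbound", "Tcp", "198.51.100.9", 51002, "10.0.1.4", 8080),
                 ("Inbound", "Tcp", "10.0.2.7", 51003, "10.0.1.4", 8080),
                 ("Outbound", "Udp", "10.0.1.4", 51004, "8.8.8.8", 53)]:
        print(flow, "->", evaluate(WEB_RULES, *flow))
```

Removing "DenySSH" (or giving "AllowSSHFromMgmt" a lower priority number than it) is what makes the management flow pass; the fix is in the ordering, not in adding more Allow rules.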
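A configuration check for the service endpoint caveat above, added as an example and not taken from the page or from Azure: it inspects a subnet and a storage account and reports when the endpoint is enabled but the account still accepts public traffic. The resource fragments are constructed and shaped like the ARM `properties` of the two resource types (the field names follow the ARM schema; the subscription, resource and account names are invented).

```python
# Constructed resource fragments shaped like the ARM 'properties' of a subnet
# and of a storage account (assumption: field names follow the ARM schema,
# the identifiers and values are invented for this example).
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
             "/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-app")

SUBNET = {
    "id": SUBNET_ID,
    "properties": {
        "addressPrefix": "10.0.1.0/24",
        "serviceEndpoints": [{"service": "Microsoft.Storage", "locations": ["westeurope"]}],
    },
}

# Weak: the endpoint is on and a VNet rule exists, but the account firewall still
# defaults to Allow, so any Internet client holding a key or SAS can reach it.
STORAGE_OPEN = {
    "name": "stappopen",
    "properties": {"networkAcls": {
        "defaultAction": "Allow",
        "virtualNetworkRules": [{"id": SUBNET_ID, "action": "Allow"}],
        "ipRules": [],
        "bypass": "AzureServices",
    }},
}

# Hardened: default Deny, only the endpoint-enabled subnet is allowed.
STORAGE_LOCKED = {
    "name": "stapplocked",
    "properties": {"networkAcls": {
        "defaultAction": "Deny",
        "virtualNetworkRules": [{"id": SUBNET_ID, "action": "Allow"}],
        "ipRules": [],
        "bypass": "AzureServices",
    }},
}


def service_endpoint_findings(subnet: dict, storage: dict, service: str = "Microsoft.Storage") -> list:
    """Report why traffic to `storage` is not yet limited to `subnet`. An empty list
    means both halves are in place: the endpoint on the subnet, and a default-Deny
    firewall on the account that lists that subnet."""
    findings = []
    name = storage["name"]
    subnet_name = subnet["id"].rsplit("/", 1)[-1]
    enabled = {e["service"] for e in subnet["properties"].get("serviceEndpoints", [])}
    if service not in enabled:
        findings.append(f"{subnet_name}: no {service} service endpoint, so its traffic reaches "
                        "the account from a public IP and VNet rules cannot match it")
    acls = storage["properties"].get("networkAcls") or {"defaultAction": "Allow"}
    if acls.get("defaultAction", "Allow") != "Deny":
        findings.append(f"{name}: networkAcls.defaultAction is {acls.get('defaultAction')}, "
                        "public Internet access is still permitted")
    allowed = {r["id"].lower() for r in acls.get("virtualNetworkRules", [])
               if r.get("action", "Allow") == "Allow"}
    if subnet["id"].lower() not in allowed:
        findings.append(f"{name}: {subnet_name} is not listed in virtualNetworkRules")
    for rule in acls.get("ipRules", []):
        findings.append(f"{name}: ipRule {rule.get('value')} also admits public traffic")
    return findings


def public_access_blocked(subnet: dict, storage: dict) -> bool:
    """True only when the account is reachable from this subnet and nowhere public."""
    return not service_endpoint_findings(subnet, storage)


if __name__ == "__main__":
    for account in (STORAGE_OPEN, STORAGE_LOCKED):
        print(account["name"], service_endpoint_findings(SUBNET, account) or ["ok"])
```

Run against exported resource JSON, the same function turns the "only from my virtual network" claim into something you can verify rather than assume.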

Network integration

Virtual private network (VPN)
  • Common way of establishing encrypted communication channels between networks across an untrusted transport
  • Types:
    • Point-to-site VPN: the client computer initiates (over the Internet) an encrypted VPN connection to Azure, connecting that computer to the Azure virtual network
    • Site-to-site VPN: links an on-premises VPN device or gateway to the Azure VPN gateway in a virtual network. Can be over the Internet or over ExpressRoute
ExpressRoute
  • Provides a dedicated, private connection between your network and Azure
  • Lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider
  • Improves the security of your on-premises communication by sending traffic over the private circuit instead of over the internet. Private is not the same as encrypted: ExpressRoute traffic is not encrypted by default, so run an IPsec site-to-site VPN over the circuit (or MACsec on ExpressRoute Direct) where confidentiality is required
Virtual network peering
  • Integrates multiple virtual networks in Azure by establishing a direct connection between them over the Microsoft backbone
  • Once established, you can use network security groups to provide isolation between resources
  • Peering is not transitive: communication is only allowed between directly peered virtual networks (peering A-B and B-C does not let A reach C)

VPN Gateway

  • An Azure virtual network gateway provides an endpoint for incoming connections from on-premises locations to Azure over the Internet
  • A VPN gateway is a specific type of virtual network gateway that can be an endpoint for encrypted connections
  • Within each virtual network gateway there are two or more virtual machines (VMs)
    • These VMs have been deployed to a special subnet (called the GatewaySubnet)
    • They contain routing tables for connections to other networks, along with specific gateway services
    • You don't need to configure these VMs directly and should not deploy any additional resources into the gateway subnet
  • VPN types (the VpnType setting; not the same thing as the gateway type)
    • RouteBased: use any-to-any (wildcard) traffic selectors, and let routing/forwarding tables direct traffic to different IPsec tunnels. Required for point-to-site, VNet-to-VNet, active-active and multi-site configurations
    • PolicyBased: use the combinations of prefixes from both networks to define how traffic is encrypted/decrypted through IPsec tunnels. Supported only on the Basic SKU and limited to a single site-to-site tunnel (no point-to-site)
  • The GatewayType determines the way the gateway functions:
    • For a VPN gateway, the gateway type is Vpn (the other value, ExpressRoute, is for ExpressRoute gateways)
    • Options for VPN gateways include:
      • VNet-to-VNet connections over IPsec/IKE VPN tunneling, linking VPN gateways to other VPN gateways
      • Cross-premises IPsec/IKE VPN tunneling, for connecting on-premises networks to Azure through dedicated VPN devices to create site-to-site connections
      • Point-to-site connections over IKEv2, SSTP or OpenVPN, to link client computers to resources in Azure
  • Restrictions
    • Each virtual network can have only one VPN gateway
    • The address spaces of the networks being connected (virtual networks and on-premises sites) cannot overlap, and every IP address must be unique across them; otherwise there is no unambiguous route for the traffic
    • VPN gateways need a gateway subnet named exactly GatewaySubnet (/27 or larger is recommended)
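A pre-flight check for the restrictions above, added here as an example (not code from the page or from Azure): it takes a constructed hub/spoke/on-premises topology, reports any overlapping address spaces between networks that are about to be connected, and verifies that every network hosting a VPN gateway has a correctly named and sized GatewaySubnet inside its address space. It goes slightly beyond the list by applying the overlap rule to peering links as well, since peered virtual networks are subject to the same constraint. The network names and prefixes are invented; the /27 threshold is Microsoft's published recommendation.

```python
import ipaddress

GATEWAY_SUBNET_NAME = "GatewaySubnet"          # the name is fixed by Azure
RECOMMENDED_GATEWAY_PREFIXLEN = 27             # Microsoft recommends /27 or larger

# Constructed topology (assumption: names and prefixes are invented for this
# example). "onprem" is the address space the on-premises site advertises.
NETWORKS = {
    "hub-vnet": {"prefixes": ["10.1.0.0/16"],
                 "subnets": {"snet-shared": "10.1.0.0/24", GATEWAY_SUBNET_NAME: "10.1.255.0/27"},
                 "has_vpn_gateway": True},
    "spoke-vnet": {"prefixes": ["10.2.0.0/16"],
                   "subnets": {"snet-app": "10.2.1.0/24"},
                   "has_vpn_gateway": False},
    "onprem": {"prefixes": ["10.1.0.0/24", "192.168.0.0/16"],
               "subnets": {}, "has_vpn_gateway": False},
}

# Links to be created: a site-to-site tunnel and a peering. Both require the
# two sides' address spaces not to overlap.
CONNECTIONS = [("hub-vnet", "onprem"), ("hub-vnet", "spoke-vnet")]


def overlapping_prefixes(a_prefixes, b_prefixes):
    """All (a, b) prefix pairs that overlap, as strings."""
    nets_a = [ipaddress.ip_network(p) for p in a_prefixes]
    nets_b = [ipaddress.ip_network(p) for p in b_prefixes]
    return [(str(a), str(b)) for a in nets_a for b in nets_b if a.overlaps(b)]


def check_topology(networks, connections):
    """Return human-readable findings; an empty list means the topology satisfies
    the restrictions (no overlaps on any link, valid GatewaySubnet where needed)."""
    findings = []
    for left, right in connections:
        for a, b in overlapping_prefixes(networks[left]["prefixes"], networks[right]["prefixes"]):
            findings.append(f"{left} {a} overlaps {right} {b}: the {left}<->{right} connection cannot be routed")

    for name, net in networks.items():
        if not net["has_vpn_gateway"]:
            continue
        gw = net["subnets"].get(GATEWAY_SUBNET_NAME)
        if gw is None:
            findings.append(f"{name}: a VPN gateway needs a subnet named exactly {GATEWAY_SUBNET_NAME}")
            continue
        gw_net = ipaddress.ip_network(gw)
        if not any(gw_net.subnet_of(ipaddress.ip_network(p)) for p in net["prefixes"]):
            findings.append(f"{name}: {GATEWAY_SUBNET_NAME} {gw} lies outside the VNet address space")
        if gw_net.prefixlen > RECOMMENDED_GATEWAY_PREFIXLEN:
            findings.append(f"{name}: {GATEWAY_SUBNET_NAME} {gw} is smaller than the recommended /{RECOMMENDED_GATEWAY_PREFIXLEN}")
        for sub_name, prefix in net["subnets"].items():
            if sub_name != GATEWAY_SUBNET_NAME and ipaddress.ip_network(prefix).overlaps(gw_net):
                findings.append(f"{name}: subnet {sub_name} {prefix} overlaps {GATEWAY_SUBNET_NAME} {gw}")
    return findings


if __name__ == "__main__":
    for line in check_topology(NETWORKS, CONNECTIONS) or ["no findings"]:
        print(line)
```

On the sample the only finding is the on-premises 10.1.0.0/24 colliding with the hub's 10.1.0.0/16; renumbering either side clears it, and the check can then be re-run before any gateway or peering is created.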

VPN Types

Point-to-site
  • Azure supported services: Cloud services and VMs
  • Typical bandwidth: Depends on VPN Gateway SKU
  • Protocols supported: SSTP and IPsec (IKEv2)
  • Routing: RouteBased (dynamic)
  • Connection resiliency: Active-passive
  • Use case: Testing and prototyping
Site-to-site
  • Azure supported services: Cloud services and VMs
  • Typical bandwidth: Depends on VPN Gateway SKU
  • Protocols supported: IPsec
  • Routing: PolicyBased (static) and RouteBased
  • Connection resiliency: Active-passive or active-active
  • Use case: Dev, test and small-scale production
ExpressRoute
  • Azure supported services: All supported services
  • Typical bandwidth: See ExpressRoute bandwidth options
  • Protocols supported: Direct connection, VLANs
  • Routing: BGP
  • Connection resiliency: Active-active
  • Use case: Enterprise/mission critical


ExpressRoute

  • An ExpressRoute circuit is the logical connection between your on-premises infrastructure and the Microsoft Cloud
  • Each circuit is identified by a GUID called the service key (s-key)
    • The s-key is the shared reference that Microsoft, your connectivity provider and your organization use to identify the circuit; it isn't a cryptographic secret and does not authenticate anything, so treat it as an identifier, not a credential
    • Each s-key has a one-to-one mapping to an Azure ExpressRoute circuit
  • Each circuit can have up to two peerings; each peering is a pair of BGP sessions configured for redundancy. They are:
    • Azure private: connects to Azure compute services that are deployed with a virtual network
    • Microsoft: provides bi-directional connectivity between your company's WAN and Microsoft cloud services (e.g., Office 365 and Dynamics 365)

Connectivity models

IP VPN network (any-to-any)
  • IP VPN providers typically provide connectivity between branch offices and your corporate datacenter over managed layer 3 connections
  • With ExpressRoute, the Azure datacenters appear as if they were another branch office on that WAN
Virtual cross-connection through an Ethernet exchange
  • If your organization is co-located with a cloud exchange facility, you request cross-connections to the Microsoft Cloud through your provider's Ethernet exchange
  • These cross-connections to the Microsoft Cloud can be either layer 2 connections or managed layer 3 connections
Point-to-point Ethernet connection
  • Can provide layer 2 or managed layer 3 connections between your on-premises datacenters or offices to the Microsoft Cloud