**AZURE NETWORKING (Central Topic)**
└── **1. CORE NETWORKING FOUNDATION**
├── **Virtual Network (VNet)**
│   ├── Purpose: Private network in Azure, isolation, segmentation
│   ├── Address Space: Private IP ranges (RFC 1918), CIDR notation
│   ├── Regions: Bound to a single region (can connect across regions)
│   ├── DNS Settings:
│   │   ├── Azure-provided DNS (default)
│   │   └── Custom DNS Servers (on-prem, Azure VM, Azure Private DNS Resolver)
│   ├── Service Endpoints: Secure Azure PaaS access over VNet (e.g., Storage, SQL); the PaaS resource keeps its public IP, traffic stays on the Azure backbone and the resource firewall can be scoped to the subnet
│   ├── Private Endpoints: Network interface using private IP from VNet for PaaS/Customer/Partner services (via Private Link); disable public network access on the resource as well, or it stays reachable from the internet
│   └── Peering:
│       ├── Regional VNet Peering: Connect VNets in the same region
│       ├── Global VNet Peering: Connect VNets in different regions
│       └── Considerations: Non-transitive, address spaces must not overlap, latency, cost
├── **Subnets**
│   ├── Purpose: Segment VNet into smaller networks
│   ├── Address Range: Subset of VNet's address space (Azure reserves the first four and the last address of every subnet)
│   ├── Network Security Group (NSG) Association: Apply NSG rules
│   ├── Route Table Association: Customize routing
│   ├── Service Endpoint Policies: Granular control over service endpoints
│   └── Delegation: Allow specific Azure services to inject into subnet (e.g., Azure NetApp Files, App Service Environment)
└── **IP Addressing**
    ├── **Private IP Addresses**
    │   ├── Allocation: Dynamic (default), Static
    │   ├── Scope: Within a VNet
    │   └── Use Cases: VM NICs, Internal Load Balancers, Application Gateway Frontend (internal)
    ├── **Public IP Addresses**
    │   ├── Allocation: Dynamic, Static
    │   ├── SKUs:
    │   │   ├── Basic: Limited features, no AZ-redundancy, open by default (scheduled for retirement)
    │   │   └── Standard: Zone-redundant/zonal, secure by default (closed to inbound unless allowed by NSG)
    │   ├── Association: VM NICs, Public Load Balancers, App Gateway, VPN Gateway, Firewall, Bastion
    │   ├── DDoS Protection: infrastructure protection (default, formerly "Basic"), DDoS Network Protection per VNet or DDoS IP Protection per address (formerly "Standard")
    │   ├── Routing Preference: Microsoft Global Network, Internet (ISP Network)
    │   └── IPv6 Support
    └── **Public IP Prefix**
        └── Purpose: Reserve a contiguous range of public IP addresses
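The address-space, subnet and peering rules above are easy to get wrong on paper. The following is an added example (not Microsoft code and not part of the original outline) that checks a VNet plan offline: RFC 1918 address space, subnets inside the VNet, no overlapping subnets, the five addresses Azure reserves per subnet, the /26 minimum for AzureFirewallSubnet and AzureBastionSubnet, and the no-overlap requirement for peering. The VNet definitions in it are constructed for illustration.

```python
"""Offline sanity check for an Azure VNet address plan (added example)."""
from __future__ import annotations
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_RESERVED_PER_SUBNET = 5          # network address, 3 platform addresses, broadcast
MIN_PREFIX_FOR_SPECIAL = {"AzureFirewallSubnet": 26, "AzureBastionSubnet": 26}


def usable_hosts(cidr: str) -> int:
    """Addresses Azure will actually let you assign in a subnet."""
    return max(ipaddress.ip_network(cidr).num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def validate_vnet(address_space: list[str], subnets: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means the plan is consistent."""
    findings = []
    spaces = [ipaddress.ip_network(s) for s in address_space]
    for space in spaces:
        if not any(space.subnet_of(rng) for rng in RFC1918):
            findings.append(f"address space {space} is not RFC 1918")

    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    for name, net in nets.items():
        if not any(net.subnet_of(space) for space in spaces):
            findings.append(f"subnet {name} ({net}) is outside the VNet address space")
        if net.prefixlen > 29:
            findings.append(f"subnet {name} ({net}) is smaller than /29; Azure reserves 5 addresses")
        needed = MIN_PREFIX_FOR_SPECIAL.get(name)
        if needed is not None and net.prefixlen > needed:
            findings.append(f"{name} must be /{needed} or larger, got /{net.prefixlen}")

    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"subnets {a} ({nets[a]}) and {b} ({nets[b]}) overlap")
    return findings


def can_peer(space_a: list[str], space_b: list[str]) -> bool:
    """VNet peering (regional or global) is refused when any prefixes overlap."""
    return not any(ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))
                   for a in space_a for b in space_b)


# Constructed sample: a hub VNet that passes, and a sloppy plan that does not.
HUB_SPACE = ["10.0.0.0/16"]
HUB_SUBNETS = {
    "AzureFirewallSubnet": "10.0.0.0/26",
    "AzureBastionSubnet": "10.0.1.0/26",
    "GatewaySubnet": "10.0.2.0/27",
    "shared-services": "10.0.3.0/24",
}
BAD_SUBNETS = {
    "AzureFirewallSubnet": "10.0.0.0/27",   # too small for the firewall
    "app": "10.0.0.0/24",                   # overlaps the firewall subnet
    "db": "10.1.0.0/24",                    # outside 10.0.0.0/16
    "tiny": "10.0.9.0/30",                  # only 4 addresses, Azure needs 5
}

if __name__ == "__main__":
    print("hub findings:", validate_vnet(HUB_SPACE, HUB_SUBNETS))
    for finding in validate_vnet(HUB_SPACE, BAD_SUBNETS):
        print("bad plan:", finding)
    print("usable in /24:", usable_hosts("10.0.3.0/24"))
    print("hub can peer with 10.1.0.0/16:", can_peer(HUB_SPACE, ["10.1.0.0/16"]))
```

Run it before submitting a VNet deployment; the same checks are cheap to wire into a CI step that reads subnet definitions out of Bicep or Terraform variables.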
└── **2. CONNECTIVITY**
├── **Hybrid Connectivity (On-Premises to Azure)**
│   ├── **VPN Gateway**
│   │   ├── Type: Site-to-Site (S2S), Point-to-Site (P2S), VNet-to-VNet (within Azure, alternative to peering)
│   │   ├── Protocol: IKEv1 and IKEv2 for S2S; IKEv2, OpenVPN and SSTP for P2S
│   │   ├── Tunnel Type: Policy-based (Basic SKU, IKEv1 only, single tunnel), Route-based (recommended)
│   │   ├── SKUs: Basic, VpnGw1-5, VpnGw1AZ-5AZ (throughput, connections)
│   │   ├── High Availability: Active-Standby, Active-Active
│   │   └── BGP Support: For dynamic routing
│   ├── **ExpressRoute**
│   │   ├── Purpose: Private, dedicated, high-throughput connection (private, not encrypted by default; MACsec on ExpressRoute Direct or IPsec over the circuit if encryption is required)
│   │   ├── Connection Models: CloudExchange Co-location, Point-to-Point Ethernet, Any-to-Any (IPVPN)
│   │   ├── Peering Types:
│   │   │   ├── Azure Private Peering: Extend on-prem networks to Azure VNets
│   │   │   └── Microsoft Peering: Access Microsoft Online Services (M365, Dynamics 365, Public PaaS)
│   │   ├── Circuits & SKUs: Local, Standard, Premium (connectivity to VNets in any region plus higher route limits; not the same thing as Global Reach)
│   │   ├── Bandwidth Options: 50 Mbps to 10 Gbps through a connectivity provider; 10 Gbps and 100 Gbps ports with ExpressRoute Direct
│   │   ├── ExpressRoute Direct: Connect directly to Microsoft's global network at peering locations (10 Gbps, 100 Gbps)
│   │   ├── ExpressRoute Global Reach: Link ExpressRoute circuits together (e.g., connect two on-prem sites via Microsoft backbone)
│   │   └── ExpressRoute FastPath: Sends on-prem-to-VNet traffic past the gateway to improve data path performance
│   └── **Azure Virtual WAN (vWAN)**
│       ├── Purpose: Managed hub-and-spoke architecture, simplified global transit
│       ├── Components:
│       │   ├── Virtual Hubs: Microsoft-managed VNets in regions
│       │   ├── Hub-to-Hub Connectivity
│       │   ├── Site-to-Site VPN Gateways
│       │   ├── Point-to-Site VPN Gateways
│       │   ├── ExpressRoute Gateways
│       │   └── Azure Firewall Integration (Secured Virtual Hub)
│       ├── SKUs: Basic (S2S VPN only), Standard (ExpressRoute, P2S, Firewall)
│       └── Use Cases: Large-scale branch connectivity, inter-region transit
├── **Internet Connectivity**
│   ├── Public IP Addresses (as above)
│   └── **NAT Gateway**
│       ├── Purpose: Scalable, resilient outbound-only internet connectivity for VNets
│       ├── No inbound connections directly
│       ├── Simplifies SNAT (Source Network Address Translation) and avoids port exhaustion
│       └── Associated with Subnets
└── **Inter-VNet Connectivity**
    ├── VNet Peering (as above)
    └── **Azure Private Link**
        ├── Purpose: Securely access Azure PaaS (Storage, SQL DB, Cosmos DB, etc.) and customer/partner services
        ├── Components:
        │   ├── Private Endpoint: NIC in your VNet with a private IP for the service
        │   └── Private Link Service: Expose your own service running behind a Standard Load Balancer
        └── Benefits: Network isolation, no public internet exposure, avoids IP conflicts
└── **3. APPLICATION DELIVERY & LOAD BALANCING**
├── **Azure Load Balancer**
│   ├── Layer: 4 (TCP/UDP)
│   ├── Scope: Regional
│   ├── Types: Public, Internal
│   ├── SKUs: Basic, Standard (AZ-aware, more features; Standard needs an NSG to admit inbound traffic)
│   ├── Features: Health probes, Port forwarding, Outbound rules, HA Ports
│   └── Use Cases: Distribute traffic to VMs, scale sets
├── **Azure Application Gateway**
│   ├── Layer: 7 (HTTP/HTTPS)
│   ├── Scope: Regional
│   ├── Features:
│   │   ├── SSL/TLS Termination
│   │   ├── Web Application Firewall (WAF) Integration (OWASP rules, custom rules)
│   │   ├── URL/Path-based Routing
│   │   ├── Multiple Site Hosting
│   │   ├── Session Affinity (Cookie-based)
│   │   ├── Connection Draining
│   │   ├── Autoscaling
│   │   ├── Rewrite HTTP headers and URL
│   │   └── End-to-End TLS Encryption
│   ├── SKUs: Standard v1, WAF v1, Standard v2, WAF v2 (v2 recommended for autoscaling, AZ, performance; v1 is deprecated)
│   └── Use Cases: HTTP/S load balancing for web apps, APIs
├── **Azure Front Door**
│   ├── Layer: 7 (HTTP/HTTPS)
│   ├── Scope: Global (anycast-based)
│   ├── Features:
│   │   ├── Global load balancing with fast failover
│   │   ├── SSL/TLS Termination (bring your own cert or Azure-managed)
│   │   ├── Web Application Firewall (WAF) Integration (centralized)
│   │   ├── URL-based Routing, Path-based Routing
│   │   ├── Session Affinity
│   │   ├── Caching
│   │   ├── URL Rewrite/Redirect
│   │   ├── Custom Domains & HTTPS
│   │   └── End-to-End TLS
│   ├── SKUs: Standard, Premium (adds managed WAF rule sets, bot protection, Private Link to origins)
│   ├── Caveat: Lock origins down (Private Link, or the AzureFrontDoor.Backend service tag plus an X-Azure-FDID header check) so they cannot be reached around the WAF
│   └── Use Cases: Global web application delivery, acceleration, HA, security
├── **Azure Traffic Manager**
│   ├── Layer: DNS-based load balancing (clients connect to the endpoint directly; Traffic Manager never sees the traffic)
│   ├── Scope: Global
│   ├── Routing Methods:
│   │   ├── Priority: Failover
│   │   ├── Weighted: Distribute traffic by weight
│   │   ├── Performance: Route to lowest latency endpoint
│   │   ├── Geographic: Route based on user's geographic location
│   │   ├── Multivalue: Return multiple IP addresses
│   │   └── Subnet: Route based on user's source IP subnet
│   ├── Features: Endpoint monitoring, Nested profiles
│   └── Use Cases: Direct traffic to optimal endpoints (Azure or external) based on DNS
└── **Cross-region Load Balancer**
    ├── Layer: 4 (TCP/UDP)
    ├── Scope: Global
    ├── Purpose: Global distribution for L4 traffic with low latency and high availability
    ├── Requirements: Standard global-tier Public IP; backend pool members are regional Standard Public Load Balancers
    └── Use Cases: Globally distributed L4 applications
└── **4. NETWORK SECURITY**
├── **Network Security Groups (NSGs)**
│   ├── Function: Stateful packet filtering (allow/deny)
│   ├── Rules: Inbound/Outbound, Priority (100-4096, lowest number first, first match stops evaluation), Source/Destination IP/CIDR/Service Tag/ASG, Port, Protocol (TCP, UDP, ICMP, ESP, AH, Any)
│   ├── Association: NICs, Subnets (both apply: subnet NSG then NIC NSG for inbound, the reverse for outbound)
│   ├── Default Rules (priority 65000+, cannot be deleted, only out-prioritised):
│   │   ├── Inbound: AllowVNetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound
│   │   ├── Outbound: AllowVNetOutBound, AllowInternetOutBound, DenyAllOutBound
│   │   └── Caveat: the VirtualNetwork tag covers peered VNets and on-prem prefixes learned through gateways, so lateral movement inside the VNet is allowed until you add deny rules
│   └── Application Security Groups (ASGs): Group VMs by application workload for NSG rules
├── **Azure Firewall**
│   ├── Type: Managed, cloud-native, stateful firewall service
│   ├── Features:
│   │   ├── Application Rules (FQDN filtering)
│   │   ├── Network Rules (Source/Dest IP, Port, Protocol)
│   │   ├── NAT Rules (DNAT for inbound, SNAT for outbound)
│   │   ├── Threat Intelligence-based filtering
│   │   ├── Centralized management (via Azure Firewall Manager)
│   │   ├── Forced Tunneling
│   │   └── Availability Zones support
│   ├── SKUs:
│   │   ├── Basic: Small environments, limited throughput
│   │   ├── Standard: L3-L7 filtering, Threat Intel
│   │   └── Premium: Adds TLS Inspection, IDPS, URL filtering, Web categories
│   └── Deployment: In a VNet subnet that must be named "AzureFirewallSubnet" (/26 or larger), or in a Secured Virtual Hub (vWAN)
├── **Azure Web Application Firewall (WAF)**
│   ├── Protection: Against common web exploits (OWASP Top 10, SQLi, XSS)
│   ├── Integration:
│   │   ├── Application Gateway
│   │   ├── Azure Front Door
│   │   └── Azure CDN (Microsoft Standard SKU)
│   ├── Modes: Detection (log only), Prevention (block); run in Detection first and tune exclusions before switching
│   └── Rules: Managed rule sets, Custom rules, Rate limiting, Geo-filtering, Bot protection
├── **Azure DDoS Protection**
│   ├── Basic (now "DDoS infrastructure protection"): Free, integrated with Azure platform (protects Azure infrastructure)
│   └── Standard (now DDoS Network Protection per VNet, or DDoS IP Protection per public IP):
│       ├── Enhanced mitigation for VNet resources (via Public IP)
│       ├── Adaptive tuning, Attack analytics, Metrics, Alerting
│       ├── Cost protection, SLA
│       └── Protects against volumetric, protocol, and application layer attacks
├── **Azure Bastion**
│   ├── Purpose: Secure RDP/SSH access to VMs in a VNet without exposing Public IPs on VMs
│   ├── Deployment: Deployed into a VNet subnet that must be named "AzureBastionSubnet" (/26 or larger)
│   ├── Access: Via Azure Portal over HTTPS/TLS
│   └── SKUs: Basic, Standard (more features like native client support)
├── **Network Virtual Appliances (NVAs)**
│   ├── Source: Azure Marketplace (Palo Alto, Cisco, Fortinet, etc.) or custom-built
│   ├── Function: Firewall, WAN optimizer, custom routing, IDS/IPS
│   └── Deployment: Typically in a Hub VNet, traffic routed via User Defined Routes (UDRs); IP forwarding must be enabled on the NVA's NIC
└── **User Defined Routes (UDRs) / Route Tables**
    ├── Purpose: Override Azure's default system routes (longest prefix match first; for an identical prefix a UDR beats a BGP route, which beats a system route)
    ├── Association: Subnets
    ├── Next Hop Types: Virtual Appliance, Virtual Network Gateway, Virtual Network, Internet, None (drop)
    └── Use Cases: Force tunneling, routing traffic through an NVA
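NSG evaluation order and UDR route selection are the two things most often misjudged when a flow "should" be blocked or "should" go through the NVA. The block below is an added example (not Azure's implementation, not from the original outline) that models what Network Watcher's Next Hop and IP Flow Verify tools answer: longest-prefix match over the system routes plus UDRs, with a UDR replacing the system route of the same prefix, and NSG rules evaluated by ascending priority ending in the default rules. The VNet, route table, NSG rules, NVA address and packets are all constructed; service-tag matching is deliberately simplified as noted in the comments.

```python
"""Offline model of Network Watcher "Next Hop" and "IP Flow Verify" (added example)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_PLATFORM_IP = "168.63.129.16"      # source of load-balancer health probes


# ---------------- routing: what "Next Hop" answers ----------------
def effective_routes(vnet_space: str, udrs: list[tuple[str, str]]) -> dict:
    """System routes Azure installs for a subnet, with UDRs layered on top."""
    routes = {
        ipaddress.ip_network(vnet_space): "VirtualNetwork",
        ipaddress.ip_network("0.0.0.0/0"): "Internet",
    }
    for prefix, hop in udrs:                       # same prefix: the UDR replaces the system route
        routes[ipaddress.ip_network(prefix)] = hop
    return routes


def next_hop(routes: dict, dst: str) -> str:
    """Longest-prefix match; a next hop of 'None' means Azure drops the packet."""
    ip = ipaddress.ip_address(dst)
    prefix = max((p for p in routes if ip in p), key=lambda p: p.prefixlen)
    return routes[prefix]


# ---------------- NSG: what "IP Flow Verify" answers ----------------
@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str   # "Inbound" | "Outbound"
    access: str      # "Allow" | "Deny"
    src: str         # CIDR, "*", or a service tag
    dst: str
    proto: str       # "Tcp", "Udp", "Icmp" or "*"
    dport: str       # "*", "443" or "1000-2000"


DEFAULT_RULES = [   # present in every NSG, cannot be removed, only out-prioritised
    Rule("AllowVNetInBound", 65000, "Inbound", "Allow", "VirtualNetwork", "VirtualNetwork", "*", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVNetOutBound", 65000, "Outbound", "Allow", "VirtualNetwork", "VirtualNetwork", "*", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "Internet", "*", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def match_addr(spec: str, ip: str, vnet: ipaddress.IPv4Network) -> bool:
    """Simplified service tags: VirtualNetwork = this VNet only (the real tag also
    covers peered VNets and on-prem routes); Internet = anything not private."""
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in vnet
    if spec == "Internet":
        return addr not in vnet and not any(addr in r for r in RFC1918)
    if spec == "AzureLoadBalancer":
        return ip == AZURE_PLATFORM_IP
    return addr in ipaddress.ip_network(spec)


def match_port(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def ip_flow_verify(custom_rules: list[Rule], vnet_space: str, direction: str,
                   src: str, dst: str, proto: str, dport: int) -> tuple[str, str]:
    """Return (access, rule name) for the first matching rule by ascending priority."""
    vnet = ipaddress.ip_network(vnet_space)
    for r in sorted(custom_rules + DEFAULT_RULES, key=lambda r: r.priority):
        if r.direction != direction or r.proto not in ("*", proto):
            continue
        if match_addr(r.src, src, vnet) and match_addr(r.dst, dst, vnet) and match_port(r.dport, dport):
            return r.access, r.name
    return "Deny", "implicit"   # unreachable: the DenyAll default rules match everything


# Constructed scenario: web subnet 10.0.1.0/24 in VNet 10.0.0.0/16, forced tunneling to a hypothetical NVA.
VNET = "10.0.0.0/16"
ROUTES = effective_routes(VNET, [("0.0.0.0/0", "VirtualAppliance"),   # default route to the NVA
                                 ("10.0.200.0/24", "None")])          # blackhole a quarantined range
WEB_NSG = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Internet", "10.0.1.0/24", "Tcp", "443"),
    Rule("DenyRdp", 110, "Inbound", "Deny", "*", "*", "Tcp", "3389"),
]

if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.0.5.7", "10.0.200.9"):
        print("next hop for", dst, "->", next_hop(ROUTES, dst))
    for src, port in (("203.0.113.10", 443), ("203.0.113.10", 3389), ("203.0.113.10", 22), ("10.0.2.5", 22)):
        print(f"inbound {src}:{port} ->", ip_flow_verify(WEB_NSG, VNET, "Inbound", src, "10.0.1.4", "Tcp", port))
```

The last case is the one to notice: SSH from another subnet in the same VNet is allowed by AllowVNetInBound even though no rule mentions port 22, which is why intra-VNet segmentation needs explicit deny rules.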
└── **5. DNS & NAME RESOLUTION**
├── **Azure DNS (Public)**
│   ├── Purpose: Hosting public DNS domains
│   ├── Record Types: A, AAAA, CAA, CNAME, MX, NS, PTR, SOA, SRV, TXT
│   ├── Alias Records: Point to Azure resources (Public IP, Traffic Manager, Front Door, etc.); the record goes away with the resource, which avoids dangling entries that could be taken over
│   └── Anycast network for global availability and performance
├── **Azure Private DNS**
│   ├── Purpose: DNS resolution within and between VNets without custom DNS server
│   ├── Zones: Private zones linked to VNets
│   ├── Automatic Registration: VMs in a linked VNet can auto-register DNS records (a VNet can have a registration link to only one zone)
│   ├── Split-Horizon DNS: Same DNS zone name for public and private (different records); a linked private zone is authoritative for the VNet, so a name missing from it yields NXDOMAIN rather than falling back to public DNS
│   └── Conditional Forwarding: Not a zone feature; to reach on-prem or other DNS servers use the Private DNS Resolver (forwarding rulesets) or custom DNS servers
├── **Azure Private DNS Resolver**
│   ├── Purpose: Enables querying Azure Private DNS zones from on-premises and vice-versa without deploying VM-based DNS servers
│   └── Components: Inbound Endpoints, Outbound Endpoints, DNS Forwarding Rulesets
└── **VNet DNS Resolution Options**
    ├── Azure-provided DNS (default, reached at 168.63.129.16)
    ├── Custom DNS Servers (VMs in Azure, on-prem, Azure Private DNS Resolver)
    └── Private DNS Zones linked to VNet
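Private Endpoints (section 2) only isolate traffic if name resolution inside the VNet lands on the private IP, and that depends on the split-horizon behaviour above. The following is an added example (not an Azure DNS implementation, not part of the original outline) that models the resolver's decision: a linked private zone is authoritative for its name and is consulted instead of public DNS, and CNAMEs are followed hop by hop. The records are constructed: "mystore" is a hypothetical storage account, 10.0.1.10 its hypothetical private endpoint address, and the public CNAME chain follows the documented `privatelink.blob.core.windows.net` pattern for Azure Storage. It shows the two failure modes practitioners hit: the zone not linked to the VNet (traffic silently goes to the public IP) and the zone linked but missing the A record (NXDOMAIN).

```python
"""Model of VNet name resolution for a Private Link name (added example)."""
from __future__ import annotations
import ipaddress

# Public DNS as seen by Azure-provided DNS recursion (constructed records).
PUBLIC = {
    "mystore.blob.core.windows.net": ("CNAME", "mystore.privatelink.blob.core.windows.net"),
    "mystore.privatelink.blob.core.windows.net": ("CNAME", "blob.ams123prdstr01a.store.core.windows.net"),
    "blob.ams123prdstr01a.store.core.windows.net": ("A", "20.60.1.2"),   # hypothetical public IP
}

# Private DNS zone "privatelink.blob.core.windows.net"; records are zone-relative names.
PRIVATELINK_ZONE = {"mystore": ("A", "10.0.1.10")}   # hypothetical private endpoint IP


def zone_for(name: str, linked_zones: dict[str, dict]) -> tuple[str, dict] | None:
    """Return (zone name, records) if a private zone linked to the VNet covers this name."""
    for zone, records in linked_zones.items():
        if name == zone or name.endswith("." + zone):
            return zone, records
    return None


def resolve(name: str, linked_zones: dict[str, dict], max_hops: int = 8) -> str | None:
    """Follow CNAMEs the way the VNet's resolver would; None means NXDOMAIN."""
    for _ in range(max_hops):
        hit = zone_for(name, linked_zones)
        if hit is not None:                       # linked private zone is authoritative: no public fallback
            zone, records = hit
            relative = name[: -len(zone) - 1] if name != zone else "@"
            rr = records.get(relative)
        else:
            rr = PUBLIC.get(name)
        if rr is None:
            return None
        rtype, value = rr
        if rtype == "A":
            return value
        name = value                              # CNAME: keep following
    return None


def uses_private_path(ip: str | None, vnet_cidr: str) -> bool:
    """True only if the answer is an address inside the VNet, i.e. the private endpoint."""
    return ip is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(vnet_cidr)


NAME = "mystore.blob.core.windows.net"
VNET = "10.0.0.0/16"

if __name__ == "__main__":
    linked = {"privatelink.blob.core.windows.net": PRIVATELINK_ZONE}
    print("zone linked:    ", resolve(NAME, linked))                                   # private IP
    print("zone not linked:", resolve(NAME, {}))                                       # public IP, PE bypassed
    print("record missing: ", resolve(NAME, {"privatelink.blob.core.windows.net": {}}))  # NXDOMAIN
    print("private path:   ", uses_private_path(resolve(NAME, linked), VNET))
```

On a real VM the equivalent check is `nslookup mystore.blob.core.windows.net` from inside the VNet: anything other than an address in the VNet's range means the private endpoint is being bypassed.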
└── **6. MONITORING & DIAGNOSTICS**
├── **Azure Monitor**
│   ├── Metrics: Platform metrics for network resources
│   ├── Logs:
│   │   ├── Activity Logs: Control plane actions (who changed an NSG or route table, and when)
│   │   └── Diagnostic Logs: Data plane (e.g., NSG Flow Logs, Firewall Logs) - send to Log Analytics, Storage, Event Hubs
│   ├── Alerts: Based on metrics or log queries
│   └── Insights: (e.g., Network Insights for topology, health)
├── **Network Watcher**
│   └── Tools:
│       ├── Topology: Visualize network resources and relationships
│       ├── IP Flow Verify: Test if traffic is allowed/denied by NSGs
│       ├── Next Hop: Determine next hop for traffic from a VM
│       ├── Connection Troubleshoot: Test connectivity between source and destination
│       ├── Packet Capture: Capture traffic to/from a VM
│       ├── VPN Troubleshoot: Diagnose VPN Gateway issues
│       ├── Connection Monitor: End-to-end connection monitoring (latency, reachability)
│       └── NSG Flow Logs:
│           ├── Records IP traffic flowing through an NSG (5-tuple, direction, allow/deny decision, matching rule)
│           ├── Storage: Stored in Azure Storage Account
│           ├── Analysis: With Traffic Analytics (via Log Analytics) or external tools
│           ├── Versions: v1, v2 (v2 adds flow state and byte/packet counters)
│           └── Successor: VNet flow logs, which capture all VNet traffic whether or not an NSG is attached; Microsoft is retiring NSG flow logs in their favor
├── **Azure Service Health**
│   └── Purpose: Information about Azure service incidents, planned maintenance, health advisories
└── **Traffic Analytics**
    ├── Source: NSG Flow Logs (or VNet flow logs)
    ├── Platform: Log Analytics
    └── Insights: Traffic flows, malicious IPs, open ports, top talkers, network topology
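Flow logs are the raw material for most of the Traffic Analytics insights listed above, and they are easy to consume directly when Traffic Analytics is not enabled. The block below is an added example (not Microsoft tooling, not part of the original outline) that parses an NSG flow log in the documented version 2 layout and derives three of those insights: sources whose denied inbound attempts span several ports (port-scan candidates), which inbound ports actually accept traffic, and bytes per source. The JSON record and its tuples are constructed; real logs arrive as hourly blobs in the storage account.

```python
"""Parse NSG flow log v2 tuples and summarise them (added example).

Each flowTuple is: time,srcIp,dstIp,srcPort,dstPort,proto(T/U),dir(I/O),
decision(A/D),state(B/C/E),pktsS2D,bytesS2D,pktsD2S,bytesD2S
(the four counters are empty for state B, flow begin).
"""
from __future__ import annotations
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed record in the v2 layout (one NSG, one NIC, three rules).
SAMPLE_BLOB = json.dumps({"records": [{
    "time": "2024-05-01T10:00:00.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/0000/RESOURCEGROUPS/RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A1234AB", "flowTuples": [
            "1714557600,203.0.113.10,10.0.1.4,51234,3389,T,I,D,B,,,,",
            "1714557601,203.0.113.10,10.0.1.4,51235,22,T,I,D,B,,,,",
            "1714557602,203.0.113.10,10.0.1.4,51236,445,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_AllowHttps", "flows": [{"mac": "000D3A1234AB", "flowTuples": [
            "1714557603,198.51.100.7,10.0.1.4,44321,443,T,I,A,B,,,,",
            "1714557610,198.51.100.7,10.0.1.4,44321,443,T,I,A,E,12,3456,10,9876"]}]},
        {"rule": "DefaultRule_AllowInternetOutBound", "flows": [{"mac": "000D3A1234AB", "flowTuples": [
            "1714557611,10.0.1.4,13.107.4.52,50000,443,T,O,A,E,8,1200,7,5400"]}]},
    ]}}]})


@dataclass
class Flow:
    ts: int
    src: str
    dst: str
    sport: int
    dport: int
    proto: str        # T or U
    direction: str    # I or O
    decision: str     # A or D
    state: str        # B, C or E
    bytes_s2d: int
    bytes_d2s: int
    rule: str


def parse_flow_log(blob: str) -> list[Flow]:
    """Flatten records -> rules -> NICs -> tuples into Flow objects."""
    flows = []
    for rec in json.loads(blob)["records"]:
        if rec["properties"].get("Version") != 2:
            raise ValueError("only flow log version 2 tuples are handled here")
        for rule_block in rec["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for tup in nic["flowTuples"]:
                    f = tup.split(",")
                    flows.append(Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]), f[5], f[6], f[7], f[8],
                                      int(f[10] or 0), int(f[12] or 0), rule_block["rule"]))
    return flows


def summarize(flows: list[Flow], scan_threshold: int = 3) -> dict:
    """Port-scan candidates, accepted inbound ports and bytes per source."""
    denied_ports = defaultdict(set)
    accepted_ports = set()
    bytes_by_src = defaultdict(int)
    for f in flows:
        if f.direction == "I" and f.decision == "D":
            denied_ports[f.src].add(f.dport)
        if f.direction == "I" and f.decision == "A":
            accepted_ports.add(f.dport)
        bytes_by_src[f.src] += f.bytes_s2d + f.bytes_d2s   # only C/E states carry counters
    return {
        "scanners": sorted(ip for ip, ports in denied_ports.items() if len(ports) >= scan_threshold),
        "inbound_accepted_ports": sorted(accepted_ports),
        "bytes_by_src": dict(bytes_by_src),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(parse_flow_log(SAMPLE_BLOB)), indent=2))
```

Because each tuple carries the name of the NSG rule that decided it, the same parser can also flag flows admitted by a default rule (for example `DefaultRule_AllowVnetInBound`) that you expected a custom rule to be handling.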
└── **7. GLOBAL & EDGE NETWORKING**
├── **Azure Front Door** (as above - key global service)
├── **Azure CDN (Content Delivery Network)**
│   ├── Purpose: Cache static content closer to users globally
│   ├── Providers: Microsoft Standard (the Akamai and Verizon/Edgio offerings have been retired)
│   ├── Features: Caching rules, Compression, Geo-filtering, Custom domains, HTTPS
│   └── Integration with Storage, Web Apps, etc.
├── **Azure Traffic Manager** (as above - DNS-based global routing)
├── **ExpressRoute Global Reach** (as above - interconnect ER circuits)
├── **Cross-Region Load Balancer** (as above - global L4 LB)
└── **Azure Orbital (Ground Station as a Service)**
    └── Niche: Communicate with and control satellites
└── **8. SPECIALIZED & EMERGING NETWORKING**
├── **Azure Route Server**
│   ├── Purpose: Simplify dynamic routing between NVAs and VNets (BGP peering with NVAs)
│   └── No data path processing itself, just control plane
├── **Azure Container Networking**
│   ├── Azure CNI (Container Network Interface) for AKS
│   │   ├── Pods get IP addresses from VNet subnet (Azure CNI Overlay instead assigns pods from a separate private CIDR to save VNet addresses)
│   │   └── Advanced control, direct VNet integration; pod-level segmentation still needs a network policy engine (Azure, Calico or Cilium), NSGs only see the node/subnet level
│   ├── Kubenet (for AKS)
│   │   └── Simpler, uses NAT for pod communication to VNet (being retired in favor of Azure CNI Overlay)
│   └── Service Meshes (e.g., Istio, Linkerd - often deployed on AKS)
├── **Azure VMware Solution (AVS) Networking**
│   ├── Integration with Azure VNets
│   ├── NSX-T Data Center for software-defined networking within AVS private cloud
│   └── ExpressRoute connectivity to on-prem and Azure
└── **Azure Virtual Desktop (AVD) Networking**
    ├── Session Host VNet integration
    ├── RDP Shortpath (Managed Networks / Public Networks)
    └── Private Link for AVD service objects

**Key Considerations / Cross-Cutting Concepts**
├── Hub-and-Spoke Topology: Common design pattern for managing connectivity and services centrally.
├── Security Best Practices: Defense in depth, least privilege, NSGs, Azure Firewall, WAF, Private Link.
├── High Availability & Disaster Recovery: Redundancy across Availability Zones and Regions, using load balancers, Traffic Manager, Front Door.
├── Cost Management: Choosing appropriate SKUs, monitoring traffic, optimizing data transfer.
├── Automation: Infrastructure as Code (ARM Templates, Bicep, Terraform) for deploying and managing network resources.
└── Governance: Azure Policy for enforcing network standards.

This detailed breakdown should give you a solid foundation for creating a comprehensive visual mind map.