AZ-305 Designing Microsoft Azure Infrastructure Solutions Exam

Recommend a connectivity solution that connects Azure resources to the internet

Azure Virtual Network provides private address spaces and a default route to the internet. By default, any subnet within a virtual network can send outbound traffic to the internet through a hidden Azure-managed gateway. This setup ensures basic connectivity without extra configuration. However, outbound traffic may come from randomly assigned IP addresses unless you configure a public IP or NAT.

To assign stable public IP addresses, you can deploy Azure NAT Gateway or attach Public IP resources to individual virtual machines. A NAT Gateway ensures that all outbound connections use a consistent set of IP addresses, which simplifies firewall and DNS configurations on remote systems. This solution also scales automatically and supports up to 16 public IP addresses per gateway. Overall, it reduces the management overhead of tracking changing IPs.

Securing internet traffic often involves implementing Network Security Groups (NSGs) and Azure Firewall. NSGs act as stateless packet filters at the subnet or network interface level. Azure Firewall is a stateful network firewall with built-in high availability and unrestricted cloud scalability. Together, they block unwanted traffic and allow detailed logging of security events.

For applications that serve global users, consider Azure Front Door or Azure Content Delivery Network (CDN). Azure Front Door offers global load balancing, SSL termination, and application acceleration at the edge. Azure CDN caches static content in points of presence close to end users. These services reduce latency and improve the user experience by offloading traffic from origin servers.

Recommend a connectivity solution that connects Azure resources to on-premises networks

When linking Azure to an on-premises network, you can choose between Site-to-Site VPN and ExpressRoute. A Site-to-Site VPN uses IPsec tunnels over the public internet and is quick to set up. ExpressRoute, on the other hand, offers dedicated private connections through a connectivity provider for higher reliability and lower latency. ExpressRoute circuits can deliver up to 100 Gbps of bandwidth.

VPN Gateway configurations support both policy-based and route-based tunnels. Policy-based VPNs match traffic based on defined policies, while route-based VPNs use dynamic routing protocols like BGP. Route-based tunnels allow you to exchange routes automatically, which simplifies large-scale network management. You can also combine VPN and ExpressRoute to create redundant, resilient hybrid networks.

For small numbers of remote users or developers, use Point-to-Site VPN. This solution establishes individual SSL/TLS-based tunnels from client computers to Azure. Point-to-Site VPNs require minimal infrastructure and support certificate or Azure Active Directory authentication. They are ideal for on-the-go scenarios or when fixed site connections are not practical.

To manage multiple branches and connections, deploy Azure Virtual WAN. Virtual WAN provides a hub-and-spoke architecture that simplifies large-scale network deployments. Each hub can host VPN and ExpressRoute connections, as well as Azure Firewall instances. This centralized approach streamlines network operations and improves visibility across your entire corporate network.

Recommend a solution to optimize network performance

Reducing latency and improving throughput often starts with Azure Front Door and Azure CDN. Azure Front Door uses anycast protocol to route user requests to the nearest edge location. Azure CDN caches content in global points of presence to speed up repeated requests. Together, they minimize round-trip times and lower origin load.

At the transport layer, enable Accelerated Networking on supported virtual machine sizes. Accelerated Networking bypasses the host and provides single-root I/O virtualization for low latency and high packets per second. This feature reduces jitter and improves CPU utilization. It is especially beneficial for network-intensive workloads such as high-performance computing or real-time analytics.

To handle failover and geo-traffic distribution, implement Azure Traffic Manager. Traffic Manager uses DNS-based routing to direct client requests based on performance, priority, or geographic location. It can route traffic away from unhealthy endpoints to maintain high availability. You can combine Traffic Manager with Front Door for a layered traffic management strategy.

For private connectivity with consistent throughput, upgrade to ExpressRoute Direct. This solution connects to the Azure global network with dedicated high-speed fiber links. ExpressRoute Direct offers redundant paths and supports up to 100 Gbps. It is best for mission-critical applications requiring guaranteed bandwidth and low jitter.

Recommend a solution to optimize network security

Layered security in Azure begins with Network Security Groups (NSGs) and Application Security Groups (ASGs). NSGs filter traffic at the subnet or NIC level based on source, destination, port, and protocol. ASGs let you group virtual machines and apply NSG rules dynamically without changing IP addresses. This approach simplifies rule management as your environment scales.

For advanced threat protection, deploy Azure Firewall and Web Application Firewall (WAF) on Application Gateway. Azure Firewall offers stateful packet inspection, threat intelligence, and URL filtering. WAF provides protection against common web exploits like SQL injection and cross-site scripting. Both services integrate with Azure Monitor for centralized logging and alerting.

To guard against volumetric attacks, enable Azure DDoS Protection Standard. This service provides always-on traffic monitoring and automatic mitigation for large-scale attacks. It also delivers detailed attack analytics to help you improve your network posture. For secure remote management, use Azure Bastion to bypass public IP exposure on virtual machines.

For secure access to PaaS services, use Private Endpoints and Service Endpoints. Private Endpoints map an Azure service to a private IP in your virtual network, ensuring traffic never traverses the public internet. Service Endpoints extend your VNet identity to the service, allowing simplified NSG rules to restrict access. Both options enhance security by keeping data within the Azure backbone.

Recommend a load-balancing and routing solution

When distributing internal or external traffic, Azure Load Balancer provides layer 4 load balancing for TCP and UDP. The Standard SKU offers zone-redundant and cross-region balancing. Health probes ensure traffic is only sent to healthy instances. You can also configure inbound NAT rules to manage individual VM access.

For web applications, use Azure Application Gateway with layer 7 routing and a built-in Web Application Firewall (WAF). Application Gateway supports URL-based and cookie-based routing to backend pools. It also offers SSL termination to offload decryption from servers. Autoscaling adjusts capacity based on traffic patterns.

To direct users to the nearest or fastest endpoint, deploy Azure Traffic Manager. It uses DNS queries to apply performance, priority, or geographic routing methods. Traffic Manager can act as a failover mechanism if primary endpoints become unavailable. This global routing complements local load balancing for a comprehensive solution.

For dynamic network routing, integrate Azure Route Server with your network virtual appliances. It uses Border Gateway Protocol (BGP) to exchange routes between Azure and third-party routers. This automates route management and maintains consistent routing tables. You can also define User-Defined Routes (UDRs) to override Azure’s default routing for custom traffic flows.

Conclusion

Designing Azure network solutions involves choosing the right connectivity, performance, security, and traffic management services. For internet access, you rely on public IPs, NAT Gateway, and services like Front Door or CDN. Hybrid and on-premises connectivity use VPN Gateway, ExpressRoute, and Virtual WAN to balance cost, performance, and reliability. Optimizing performance leverages Accelerated Networking, Front Door, CDN, Traffic Manager, and ExpressRoute Direct. Security layers include NSGs, Azure Firewall, WAF, DDoS Protection, Bastion, Private Endpoints, and Service Endpoints. Finally, you implement Azure Load Balancer, Application Gateway, Traffic Manager, Route Server, and UDRs for robust load distribution and route control. This end-to-end approach ensures high availability, scalability, and security for your Azure workloads.