AZ-900 Azure Networking Guide — Virtual Networks and Connectivity 2026

Azure Virtual Networks (VNet) — Fundamentals

An Azure Virtual Network (VNet) is the foundational networking building block in Azure. Think of a VNet as your own private section of the Azure cloud — a logically isolated network where your Azure resources communicate with each other, the internet, and your on-premises networks.

For the AZ-900 exam, you need to understand what a VNet does conceptually, not how to configure one. The key idea: a VNet gives you network isolation and segmentation in the cloud.

Subnets

Within a VNet, you divide the address space into subnets. Subnets let you segment the network for security and organization. For example, you might put web servers in one subnet and databases in another — then use Network Security Groups (NSGs) to control traffic between them.

Key point for AZ-900: subnets allow you to apply different security rules to different parts of your network. You can restrict which subnets can talk to each other and which services can be reached from the internet.

VNet Peering

VNet Peering connects two VNets so resources in each can communicate as if they were on the same network. Traffic between peered VNets travels over Microsoft's backbone network — fast, private, and never touching the public internet.

There are two types:

• Regional VNet Peering — connects VNets in the same Azure region
• Global VNet Peering — connects VNets across different Azure regions

When to use VNet Peering: when you have resources in separate VNets (perhaps in different subscriptions or regions) that need to communicate privately. It's simpler than VPN for Azure-to-Azure connectivity.

Want to understand how networking fits into the broader Azure picture? See our AZ-900 Complete Study Guide for full exam coverage.

VPN Gateway — Encrypted Connectivity to Azure

A VPN Gateway is an Azure service that sends encrypted traffic between your Azure VNet and another location — either your on-premises network or another VNet. The traffic travels over the public internet but is encrypted, making it secure.

Site-to-Site VPN

Site-to-Site (S2S) VPN creates a persistent, encrypted connection between your entire on-premises network and an Azure VNet. This is what organizations use to extend their datacenter into Azure. Think of it as a permanent secure tunnel between two locations.

Requirements: a VPN device on your on-premises side and an Azure VPN Gateway on the Azure side. Once configured, all traffic between the two networks flows through the encrypted tunnel automatically.

Point-to-Site VPN

Point-to-Site (P2S) VPN lets individual computers (remote workers) connect securely to an Azure VNet. Instead of connecting whole networks, individual devices connect as needed. This is the solution for remote employees who need to access Azure resources securely.

VNet-to-VNet VPN

You can also use VPN Gateway to connect two Azure VNets in different regions. Unlike VNet Peering, this goes through the VPN Gateway infrastructure. For AZ-900, know that VNet Peering is generally preferred for Azure-to-Azure connectivity (simpler and faster).

VPN Gateway is covered as part of the Azure Architecture and Services domain. See our Azure Services overview for how networking services fit alongside compute, storage, and databases.

ExpressRoute — Private Dedicated Connection

Azure ExpressRoute lets you extend your on-premises networks into Microsoft's cloud over a private connection facilitated by a connectivity provider. Unlike a VPN, ExpressRoute connections do not go over the public internet.

Why ExpressRoute Instead of VPN?

ExpressRoute offers several advantages over VPN Gateway:

• No public internet exposure — traffic never touches the internet, reducing security risk
• Higher reliability — SLA-backed uptime, typically 99.95%
• Faster speeds — bandwidth from 50 Mbps to 10 Gbps
• Lower latency — consistent, predictable performance
• Consistent throughput — no congestion from shared internet

When to Use ExpressRoute

ExpressRoute is ideal for:

• Large data migrations to Azure
• Mission-critical business applications that need guaranteed performance
• Compliance requirements that mandate private connections (healthcare, finance)
• Hybrid architectures where consistent, high-speed connectivity is essential

The tradeoff: ExpressRoute is significantly more expensive than VPN and requires working with a connectivity provider. For the AZ-900 exam, the key distinction is private vs. encrypted-over-internet.

Networking security topics connect closely to identity and access management. Read our AZ-900 Identity & Security guide to see how network security groups, firewalls, and identity work together.

Azure DNS, CDN & DDoS Protection

Azure DNS

Azure DNS is a hosting service for DNS domains that provides name resolution using Microsoft Azure infrastructure. If you have a custom domain (like contoso.com), you can use Azure DNS to manage the DNS records — the A records, CNAME records, MX records, and so on.

Key point: Azure DNS does not allow you to purchase a domain name. You buy your domain from a domain registrar, then delegate DNS management to Azure DNS. Azure DNS offers the same reliability and performance as other Azure services, with 100% SLA for DNS query availability.

Azure Content Delivery Network (CDN)

Azure CDN is a distributed network of servers that delivers web content to users based on their geographic location. When a user in Tokyo requests your website content, Azure CDN serves it from a nearby edge location rather than from your origin server in the United States.

Benefits for AZ-900: reduced latency, reduced load on your origin server, and better user experience globally. Azure CDN caches static content (images, CSS, JavaScript, video) at edge locations worldwide.

Azure DDoS Protection

A Distributed Denial of Service (DDoS) attack floods your service with traffic to overwhelm it and make it unavailable. Azure offers two tiers of DDoS protection:

• DDoS Basic (Network Protection) — automatically enabled for all Azure customers at no extra cost. Provides always-on monitoring and real-time mitigation of common network-layer attacks.
• DDoS Standard (IP Protection / Network Protection Standard) — paid tier with advanced attack mitigation, telemetry, logging, and alerting. Includes adaptive tuning, attack analytics, and cost protection guarantees (Azure will credit service cost increases caused by DDoS attacks).

For AZ-900: know that Basic is free and automatic; Standard costs extra but provides enhanced protection and SLA guarantees.

How Networking Topics Appear on the AZ-900 Exam

Azure networking falls within the Azure Architecture and Services domain, which makes up 35–40% of the AZ-900 exam. You will not be asked to configure a VNet or set up a VPN tunnel — the exam tests conceptual understanding: what each service does and when you would choose it.

What to Memorize

VNet: Private, isolated network in Azure. Resources inside can communicate; subnets provide segmentation; NSGs control traffic.

VPN Gateway: Encrypted tunnel over public internet. Site-to-Site = network to network. Point-to-Site = individual device to network. Uses public internet with encryption.

ExpressRoute: Private dedicated connection — never touches public internet. Higher cost, higher reliability, lower latency. Used for mission-critical or compliance-heavy scenarios.

VNet Peering: Connects two Azure VNets privately over Microsoft backbone. Faster and simpler than VPN for Azure-to-Azure connectivity.

Azure DNS: Hosts DNS records in Azure. Does not sell domain names — you bring your own domain.

Azure CDN: Caches content at edge locations near users. Reduces latency and origin server load.

DDoS Protection: Basic is free and automatic. Standard adds advanced mitigation, telemetry, and cost protection.

For exam tips on how to approach networking questions and other domains, visit our AZ-900 Exam Tips and Strategies guide. You can also try our AZ-900 Practice Test to test your networking knowledge.