AZ-305 – Microsoft Azure Solutions Architect Expert- Design a Networking Strategy
1. Overview of Networking in Azure
So in this section of the course we’re going to be discussing the topics underneath the design and network solution section of the exam objectives. We can see on screen the exam objectives and there are seven sub objectives in this section. So in this video we’re going to be talking about network architecture and in other videos that come after this we’re going talk about name resolution, provisioning, security, connectivity, et cetera. Now do keep in mind that this is a design exam and some of these topics are advanced topics. And so we’re not really going to go through the absolute basics of creating a virtual network here. It’s going to be assumed that you already know how to create a VNet, you already know how to create a subnet, attach your virtual machine and other resources to that subnet. So you can see the objectives here.
And this is what we’re going to cover in this course. Now the AZ 303 exam, which is the Architect Technologies exam, does cover some of those basics and that’s why I suggest the 303 exam is actually a prerequisite for the 304. Even though it’s not, it’s a good exam to take first before you take 304. So let’s talk about network architecture. Now we’re going to refer to a couple of official Microsoft resources for this. The first one is going to be what’s called the Cloud Adoption Framework. So the Cloud Adoption Framework is a document that Microsoft prepared that will help you prepare to migrate your existing architecture into the cloud and it’s a pretty good resource as an architect. Going through it you can see a lot of the considerations that you’re going to have to set up. But what we’re talking about here is the networking aspect.
And so we’re going to refer directly to the network topology section of the Cloud Adoption Framework. I’m going to add a link to this, to this video. So in the resources for the video you’ll see a link directly to this. And so there’s some other topics that are part of this section in here. In terms of IP addressing, the one that we are more concerned with is the topology. So this first video is going to deal with the network topology. Now network topology is effectively how you design your networks, multiple networks within your environment.
Do you create standalone networks that don’t really talk to each other? Do you create interconnected networks and what is the design of that? Do you try to connect every network with every other network or are you trying to do what is called a hub and spoke model? So these are some of the design elements. When you’re sitting down to design your network, it really depends on how your applications need to talk to each other. So in some cases your applications may not need to talk to each other for any reason, in which case maybe for security reasons, it makes sense not to connect those networks. But if you have applications that run on separate networks that do from time to time need to send data back and forward then you’re going to have to basically set up that interconnectivity. Now the next document I’ll refer to on this is specifically the Hub and Spoke network model within Azure.
So this is the Azure architecture documentation and if you look under Networking and under Architectures they have a number of them including High Availability Peering which we’ll talk about high Availability again and the Hub and Spoke Network Model. Now the Hub and Spoke network model is basically summarized as there being one central network over which all traffic travels and then you have a distribution of subnetworks that connect to it. I don’t think this diagram does a very good job of showing the Hub and the Smoke Hub and the Spoke although you do have the center here what would be considered to be the Hub and then the other networks including the on premises network connect only to it. The on premises network does not connect to the other networks and the other networks do not connect to each other. So if one of these networks wants to communicate with the resource on the other network it has to go through the center.
Now this is a fairly simplified network design because you’re minimizing the number of connections between it. But there is some additional complexity because the data does have to travel from one network to another and then to another to get to its destination. In some ways you can look at this as the US. Airline system. If you want to travel from one small city to another oftentimes you have to travel through a large city in order to get there. There’s no direct flights between every single small city. Usually you have to travel to Detroit or to Los Angeles or to New York before you get on to the next destination. That’s why when you’re traveling from a small city to small city this is the Hub and spoke design and that’s why they’re called Hubs in terms of airports.
So it’s a very similar design if you’re familiar with that. Now what we’re going to do is Microsoft also has a code samples website. I’ll attach these three documents to this video and so we can see the exact same diagram we were just examining but we can actually download this as a Arm template. So we can see there are JSON here of basically the variables and the resources. So this is the Arm template contains a log, linux workspace the Hub Virtual Network and then firewall public IP address, et cetera. So what I’m going to do basically in order to set this up within my environment I’m going to just go download the Arm template and deploy it. We’ll do that in the next video.
2. The Hub and Spoke Networking Topology
All right, so let’s set up a Hub and spoke model for ourselves. I’m going to go from the code sample that’s called Hub and spoke deployment link was in the previous video and actually there is code here so that you can just copy and deploy it yourself. So the first thing you need to do is create a resource group. Now as you may know, at the current time you have to create the resource group separately from the resources themselves because when you do a deployment you’re deploying inside of an existing resource group. So the deployment is almost a sub resource of the group. So the group must exist first. So I can go to my Azure account, open up the Azure cloud shell which is this command here and I’ve already run the AZ group create, I called it HubSpoke demo location Central US. So I went a little bit different than here but it should be fine. So I created the resource group. Now we have three choices in terms of deploying it. In terms of this example code, we can do a basic deployment which does not include a VPN gateway or virtual machines.
We can do the virtual machines which will do Linux and Windows VMs and we can deploy everything with a VPN gateway. So if we go back up to the diagram, we can see that the VPN gateway is for connecting to an on premises network. So I don’t believe we need this and I don’t even really want the virtual machines at this time. So I’m just going to deploy it using this command. Now I did change the name of the resource group so I’m going to have to overwrite that. Notice that the deployment command links to GitHub to pull down the deployment JSON.
So we should be able to deploy this using the deployment JSON right from the web without having to download this and upload it, et cetera. So I do have the command pasted here and I changed the resource group to the demo. So now I can hit enter. So this is going to take a few minutes to deploy and let’s let that deployment fire off. Hopefully there won’t be any issues with that. So we got a successful message for deploying this. I will say just to warn you that this is a very complicated set of code. Like if we look at the there’s over 1000 lines of this Arm template and so yeah, to work for me, just keep trying and hopefully it’ll work for you too. But it is complicated. So if I go into resource groups, I can go into Hub, just search for it, I guess the Hub spoke demo.
Now the idea here is that we’ve got and I will maximize this, try to get some extra space here. So the idea here is that we’ve got three networks, we’ve got the Hub and we’ve got two spokes. We saw this in the diagram right? And so if one of the spokes wants to talk to the other spoke it has to go through the hub. So the hub becomes where all of the connectivity happens. And if we go into one of these networks we can go into the peering section, we can see that the spoke itself is only peered to the hub. It does not have a direct connection to the second spoke. Now it doesn’t have to do anything different in order to connect to the other spoke because the hub itself will know how to connect to the second spoke. So it will just connect to the hub and the hub will pass the message along. Now the way it works is through the virtual networks having a routing table.
So if we go into the virtual network and we go into subnets and we look at the subnet on, in this case bespoke, you can see that the subnet itself is directed to how to direct traffic through the routing table and it directs stuff through the firewall, I guess. So if we go back to the resource group we go into the routing table, we can see that the subnets have subnets are attached and the route is basically to go to the fire hall, the firewall and it’s a firewall that’s going to direct the traffic properly. Very interesting setup. Now like I said, this is done for both safety and security and simplicity, right? So if we go back to the diagram here we can see that by having a firewall being the tunnel basically to this that protects the two subnets in the background here.
So it’s basically a protected setup. Instead of having firewalls on these individual ones, instead of having a spider pattern where everything is connected to each other, it’s a strong defensive front end where you’ve got the bastion, which will allow you to get remote access into those networks, the gateway, which will also allow private encrypted access and for everything else, the firewall that will direct traffic properly. And basically there’s a deny all rule. So it basically blocks all traffic coming in. So it’s a very defensive posture here where everything behind here is protected by one of these three services. So that’s just one of the types of configurations. It’s not certainly not the only one and it really is going to depend on your needs. We can go back to the Azure documentation and look at some of the other setups as this is not the only one. Of course.
Interesting posts
The Growing Demand for IT Certifications in the Fintech Industry
The fintech industry is experiencing an unprecedented boom, driven by the relentless pace of technological innovation and the increasing integration of financial services with digital platforms. As the lines between finance and technology blur, the need for highly skilled professionals who can navigate both worlds is greater than ever. One of the most effective ways… Read More »
CompTIA Security+ vs. CEH: Entry-Level Cybersecurity Certifications Compared
In today’s digital world, cybersecurity is no longer just a technical concern; it’s a critical business priority. With cyber threats evolving rapidly, organizations of all sizes are seeking skilled professionals to protect their digital assets. For those looking to break into the cybersecurity field, earning a certification is a great way to validate your skills… Read More »
The Evolving Role of ITIL: What’s New in ITIL 4 Managing Professional Transition Exam?
If you’ve been in the IT service management (ITSM) world for a while, you’ve probably heard of ITIL – the framework that’s been guiding IT professionals in delivering high-quality services for decades. The Information Technology Infrastructure Library (ITIL) has evolved significantly over the years, and its latest iteration, ITIL 4, marks a substantial shift in… Read More »
SASE and Zero Trust: How New Security Architectures are Shaping Cisco’s CyberOps Certification
As cybersecurity threats become increasingly sophisticated and pervasive, traditional security models are proving inadequate for today’s complex digital environments. To address these challenges, modern security frameworks such as SASE (Secure Access Service Edge) and Zero Trust are revolutionizing how organizations protect their networks and data. Recognizing the shift towards these advanced security architectures, Cisco has… Read More »
CompTIA’s CASP+ (CAS-004) Gets Tougher: What’s New in Advanced Security Practitioner Certification?
The cybersecurity landscape is constantly evolving, and with it, the certifications that validate the expertise of security professionals must adapt to address new challenges and technologies. CompTIA’s CASP+ (CompTIA Advanced Security Practitioner) certification has long been a hallmark of advanced knowledge in cybersecurity, distinguishing those who are capable of designing, implementing, and managing enterprise-level security… Read More »
Azure DevOps Engineer Expert Certification: What’s Changed in the New AZ-400 Exam Blueprint?
The cloud landscape is evolving at a breakneck pace, and with it, the certifications that validate an IT professional’s skills. One such certification is the Microsoft Certified: DevOps Engineer Expert, which is validated through the AZ-400 exam. This exam has undergone significant changes to reflect the latest trends, tools, and methodologies in the DevOps world.… Read More »