AZ-305 Network Solutions

May 6, 2025 · 1799 words · 9 min read
certification
azure
AI summarised

AZ-305 Azure Solutions Architect Expert

Azure Recommendations to Design Network Solutions

Below are the recommended Azure services and design patterns for network solutions, aligned with the AZ-305 exam objectives.


Azure Network Solutions Design Recommendations (AZ-305)

1. Recommend a Connectivity Solution for Azure-to-Internet

Azure NAT Gateway is the preferred solution for outbound internet connectivity:

  • Key Features:
    • Scalable SNAT: Handles dynamic workloads with up to 16 public IPs or a /28 prefix.
    • Cost-Effective: Avoids SNAT port exhaustion issues common with Load Balancer or Azure Firewall.
    • Static IPs: Assign predictable IPs for audit/compliance needs [1][2].

Azure Firewall for secure outbound traffic:

  • Governs non-HTTP/S traffic, integrates with Azure Monitor for logging, and supports threat intelligence-based filtering [3][1].

Best Practices:

  • Use NAT Gateway for high-volume outbound traffic (e.g., batch processing).
  • Combine with Azure Firewall for advanced security (e.g., FQDN filtering, IDPS) [3][1].
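As an added example (not code from the original post), the following Bicep attaches a NAT Gateway with a static Standard public IP to an application subnet of an existing virtual network, so that all VMs in that subnet share one predictable outbound address. The VNet name, subnet name and address range are assumptions for illustration.

```bicep
// Added example: NAT Gateway as the single outbound path for one subnet.
// Resource names, VNet name and address ranges are illustrative assumptions.
param location string = resourceGroup().location
param vnetName string = 'vnet-hub-example'   // assumed existing VNet

// Standard SKU with static allocation: the egress IP never changes, so it can
// be allow-listed by partners and recorded as audit evidence.
resource natPublicIp 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-natgw-example'
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

// Each public IP contributes its own pool of SNAT ports; add further IPs or a
// public IP prefix to this list to scale outbound capacity without changing
// anything on the VMs.
resource natGateway 'Microsoft.Network/natGateways@2023-05-01' = {
  name: 'natgw-example'
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    idleTimeoutInMinutes: 4
    publicIpAddresses: [
      {
        id: natPublicIp.id
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

// Associating the gateway with the subnet replaces default outbound access for
// every NIC in it; no per-VM public IP or load balancer outbound rule is needed.
resource appSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: 'snet-app'
  properties: {
    addressPrefix: '10.0.1.0/24'
    natGateway: {
      id: natGateway.id
    }
  }
}

// The address to record in firewall allow-lists and compliance documentation.
output outboundIp string = natPublicIp.properties.ipAddress
```

Deploy with `az deployment group create` into the resource group that holds the VNet; redeclaring a subnet resets properties not listed in the template, so carry over any NSG or route table association the subnet already has.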

2. Recommend a Connectivity Solution for Azure-to-On-Premises

ExpressRoute for private, high-throughput connections:

  • Benefits:
    • Low Latency: Bypasses public internet with SLA-backed 99.95% uptime.
    • Hybrid Scenarios: Extends on-premises networks to Azure with speeds up to 100 Gbps [4][5][6].

VPN Gateway for cost-sensitive or backup scenarios:

  • Site-to-site VPN over public internet (max 1.25 Gbps). Use with Virtual WAN for automated branch connectivity [7][8][5].

Hybrid Architectures:

  • ExpressRoute + VPN Failover: Ensure continuity during ExpressRoute outages [5].
  • Azure Virtual WAN: Centralizes VPN, ExpressRoute, and SD-WAN connections into a hub-spoke model [7][8].

Best Practices:

  • Terminate ExpressRoute inside on-premises firewalls for centralized security [4].
  • Use Azure Arc for unified management of hybrid servers [7][6].

3. Recommend a Solution to Optimize Network Performance

Accelerated Networking:

  • Reduces VM CPU overhead by offloading packet processing to SmartNICs (FPGA). Ideal for latency-sensitive apps (e.g., HPC, real-time analytics) [9].

Azure Front Door/CDN:

  • Global HTTP load balancing with caching and Anycast routing for 50% lower latency vs. Traffic Manager [10][11][12].

Proximity Placement Groups:

  • Co-locate VMs in the same Azure zone to minimize latency [13][9].

Best Practices:

  • Enable TCP/IP tuning (e.g., increasing RWIN size) for high-throughput VMs [13][9].
  • Use Zonal Redundancy (Availability Zones) for critical workloads [2].
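The three placement and NIC settings above are ordinary resource properties. The following Bicep is an added example (not from the original post) that puts one Linux VM in a proximity placement group, pins it to an availability zone and enables Accelerated Networking on its NIC. The subnet ID, VM size, names and image are assumptions; Accelerated Networking requires a supported VM size, which the chosen D-series v5 size is.

```bicep
// Added example: low-latency VM placement. Names, size and image are illustrative.
param location string = resourceGroup().location
param subnetId string                      // assumed existing subnet resource ID
param adminUsername string = 'azureuser'
param sshPublicKey string                  // OpenSSH public key for adminUsername

// VMs created in the same proximity placement group are kept physically close
// to each other, which is what cuts east-west latency between tiers.
resource ppg 'Microsoft.Compute/proximityPlacementGroups@2023-03-01' = {
  name: 'ppg-lowlatency-example'
  location: location
  properties: {
    proximityPlacementGroupType: 'Standard'
  }
}

// Accelerated Networking is a NIC-level switch; the VM size must support it.
resource nic 'Microsoft.Network/networkInterfaces@2023-05-01' = {
  name: 'nic-hpc-01-example'
  location: location
  properties: {
    enableAcceleratedNetworking: true
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          privateIPAllocationMethod: 'Dynamic'
          subnet: {
            id: subnetId
          }
        }
      }
    ]
  }
}

resource vm 'Microsoft.Compute/virtualMachines@2023-03-01' = {
  name: 'vm-hpc-01-example'
  location: location
  // Zonal deployment: the placement group becomes pinned to this zone as well.
  zones: [
    '1'
  ]
  properties: {
    hardwareProfile: {
      vmSize: 'Standard_D4s_v5'
    }
    proximityPlacementGroup: {
      id: ppg.id
    }
    storageProfile: {
      imageReference: {
        publisher: 'Canonical'
        offer: '0001-com-ubuntu-server-jammy'
        sku: '22_04-lts-gen2'
        version: 'latest'
      }
      osDisk: {
        createOption: 'FromImage'
        managedDisk: {
          storageAccountType: 'Premium_LRS'
        }
      }
    }
    osProfile: {
      computerName: 'vm-hpc-01'
      adminUsername: adminUsername
      // Key-based login only; no password is ever stored in the template.
      linuxConfiguration: {
        disablePasswordAuthentication: true
        ssh: {
          publicKeys: [
            {
              path: '/home/${adminUsername}/.ssh/authorized_keys'
              keyData: sshPublicKey
            }
          ]
        }
      }
    }
    networkProfile: {
      networkInterfaces: [
        {
          id: nic.id
        }
      ]
    }
  }
}
```

Further VMs of the same tier reference the same `ppg.id`; for zone redundancy across tiers, deploy a second copy of the group in another zone rather than spreading one group across zones.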

4. Recommend a Solution to Optimize Network Security

Layered Security Approach:

  • Network Security Groups (NSGs): Basic Layer 3/4 filtering for subnets/VMs (e.g., allow/deny by IP/port) [3][2].
  • Azure Firewall: Stateful Layer 7 inspection with threat intelligence, IDPS, and FQDN filtering [3][1].
  • Web Application Firewall (WAF): Protects web apps from OWASP Top 10 vulnerabilities (integrated with Front Door/App Gateway) [10][12].

DDoS Protection:

  • Standard Tier: Auto-mitigates volumetric attacks (e.g., SYN floods) with cost guarantees during attacks [14].

Best Practices:

  • Apply Zero Trust principles: Micro-segment subnets, enforce least-privilege NSG rules [4][3].
  • Use Azure Policy to enforce NSG rules and firewall configurations across subscriptions [1].
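One way to express the NSG and DDoS layers of that approach, as an added Bicep example that is not code from the original post: the application subnet accepts HTTPS only from the subnet that hosts the Application Gateway, keeps the platform health probes working through a service tag, and closes with an explicit deny; the virtual network is enrolled in a DDoS protection plan. Names, address ranges and the Application Gateway subnet as the only web source are assumptions.

```bicep
// Added example: least-privilege NSG plus DDoS Protection on the VNet.
// Names and address ranges are illustrative assumptions.
param location string = resourceGroup().location
param vnetName string = 'vnet-hub-example'
param appGatewaySubnetPrefix string = '10.0.0.0/24'   // assumed web entry point
param appSubnetPrefix string = '10.0.1.0/24'

resource ddosPlan 'Microsoft.Network/ddosProtectionPlans@2023-05-01' = {
  name: 'ddos-plan-example'
  location: location
}

resource appNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-snet-app-example'
  location: location
  properties: {
    securityRules: [
      {
        // Only the Application Gateway subnet may reach the app tier, only on 443.
        name: 'AllowHttpsFromAppGateway'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: appGatewaySubnetPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: appSubnetPrefix
          destinationPortRange: '443'
        }
      }
      {
        // Service tag instead of an IP list: keeps load balancer health probes alive
        // once the explicit deny below shadows the default rule at priority 65001.
        name: 'AllowAzureLoadBalancerProbes'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: '*'
          sourceAddressPrefix: 'AzureLoadBalancer'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
      {
        // Explicit deny: the default AllowVnetInBound rule (priority 65000) would
        // otherwise let any peer in the address space reach this tier.
        name: 'DenyAllInbound'
        properties: {
          priority: 4096
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
    // Volumetric mitigation is enabled per VNet by linking the plan.
    enableDdosProtection: true
    ddosProtectionPlan: {
      id: ddosPlan.id
    }
    subnets: [
      {
        name: 'snet-appgw'
        properties: {
          addressPrefix: appGatewaySubnetPrefix
        }
      }
      {
        name: 'snet-app'
        properties: {
          addressPrefix: appSubnetPrefix
          networkSecurityGroup: {
            id: appNsg.id
          }
        }
      }
    ]
  }
}
```

Rules are evaluated by ascending priority and the first match wins, so the explicit deny at 4096 also shadows every default rule at 65000 and above; anything the tier legitimately needs (management from a bastion subnet, for example) has to be allowed above it, which is what makes the rule set auditable.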

5. Recommend a Load-Balancing and Routing Solution

Azure Load Balancer (Layer 4):

  • Distributes TCP/UDP traffic across VMs with ultra-low latency. Use for non-HTTP workloads (e.g., databases) [10][12][2].

Application Gateway (Layer 7):

  • Routes HTTP/HTTPS traffic with SSL offloading, path-based routing, and WAF integration [10][15][12].

Azure Front Door:

  • Global HTTP load balancer with DDoS protection, caching, and Anycast routing. Ideal for multi-region web apps [10][11][12].

Traffic Manager (DNS-Based):

  • Directs users to the closest healthy endpoint via DNS. Use for non-latency-sensitive global apps [11][12].

Routing:

  • User-Defined Routes (UDRs): Override default system routes (e.g., direct traffic through NVAs) [16].
  • Service Tags: Simplify UDRs by grouping IP ranges (e.g., Storage or AzureCloud) [16].

Best Practices:

  • Chain Application Gateway (frontend) with Internal Load Balancer (backend) for multi-tier apps [15].
  • Use Azure Monitor to track load balancer metrics (e.g., SNAT port usage, health probes) [2].
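The two routing items above combine naturally in one route table. As an added Bicep example (not from the original post), the table below overrides the system default route so that internet-bound traffic goes through a firewall or NVA, uses the Storage service tag as a prefix so that storage traffic takes the direct path, and stops BGP-learned on-premises routes from bypassing the firewall. The VNet name, subnet and firewall private IP are assumptions.

```bicep
// Added example: UDRs with a service tag, attached to an existing subnet.
// VNet name, subnet range and firewall IP are illustrative assumptions.
param location string = resourceGroup().location
param vnetName string = 'vnet-hub-example'
param firewallPrivateIp string = '10.0.2.4'   // assumed Azure Firewall / NVA address

resource rtApp 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-snet-app-example'
  location: location
  properties: {
    // Routes learned over ExpressRoute/VPN BGP are not copied into this table,
    // so on-premises prefixes cannot silently take precedence over the rules below.
    disableBgpRoutePropagation: true
    routes: [
      {
        // Same prefix as the system route 0.0.0.0/0 -> Internet; a user-defined
        // route always wins that tie, so all egress is inspected by the firewall.
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
      {
        // A service tag stands in for Azure Storage's published IP ranges and is
        // kept current by the platform. Longest prefix match means these ranges
        // bypass the firewall while everything else still follows the default route;
        // treat this as a deliberate, documented exception to full inspection.
        name: 'storage-direct'
        properties: {
          addressPrefix: 'Storage'
          nextHopType: 'Internet'
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

// A route table takes effect only once it is associated with a subnet.
resource appSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: 'snet-app'
  properties: {
    addressPrefix: '10.0.1.0/24'
    routeTable: {
      id: rtApp.id
    }
  }
}
```

To confirm the table behaves as intended after deployment, inspect the effective routes of a NIC in the subnet (`az network nic show-effective-route-table`) and check that the firewall route shows as Active for 0.0.0.0/0 and the Storage ranges resolve to the Internet next hop.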

Summary Table

Requirement            | Azure Recommendation                                                  | Key Tools/Features
Azure-to-Internet      | NAT Gateway (SNAT) + Azure Firewall (security)                        | Scalable SNAT, FQDN filtering, threat intelligence
Azure-to-On-Premises   | ExpressRoute (primary) + VPN Gateway (failover)                       | 100 Gbps private link, SLA-backed uptime
Network Performance    | Accelerated Networking + Front Door/CDN                               | SmartNIC offloading, global caching, Anycast
Network Security       | NSGs + Azure Firewall + DDoS Protection Standard                      | Layer 7 inspection, Zero Trust, volumetric attack mitigation
Load-Balancing/Routing | Load Balancer (L4) + Application Gateway (L7) + Front Door (global)   | SSL offloading, WAF, UDRs with service tags

By aligning with these recommendations, you ensure a secure, high-performance, and resilient network architecture in Azure, meeting AZ-305 exam objectives and Microsoft best practices.


Summarised with Perplexity.

Footnotes

  1. https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-inbound-and-outbound-internet-connectivity
  2. https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
  3. https://www.knowledgehut.com/blog/cloud-computing/azure-firewall-vs-nsg
  4. https://learn.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
  5. https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/expressroute-vpn-failover
  6. https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/azure-vmware/on-premises-connectivity
  7. https://learn.microsoft.com/en-us/azure/networking/fundamentals/networking-overview
  8. https://www.megaport.com/blog/comparing-ways-to-connect-to-microsoft-azure/
  9. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-tcpip-performance-tuning
  10. https://learn.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview
  11. https://stackoverflow.com/questions/67022265/it-is-azure-traffic-manager-or-azure-front-door-in-front-for-multi-region-system
  12. https://azure.microsoft.com/en-us/solutions/load-balancing-with-azure
  13. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-optimize-network-bandwidth
  14. https://k21academy.com/microsoft-security/overview-of-azure-ddos-protection/
  15. https://learn.microsoft.com/en-us/answers/questions/1121824/app-gateway-load-balancer-when-to-use-them-togethe
  16. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview


© 2025 Andrei Bodea