
Challenge 12: VPN Gateway, ExpressRoute & DNS

Estimated Time

20-30 min | Cost: Free | Domain: Azure Architecture & Services (35-40%)

Exam skills covered

  • Describe virtual networking (VPN Gateway, ExpressRoute)
  • Describe Azure DNS

Overview

When you need to connect your on-premises network to Azure (or connect Azure VNets across regions), you need connectivity services. Azure offers VPN Gateway for encrypted connections over the internet, and ExpressRoute for private, dedicated connections that bypass the internet entirely.

Azure DNS provides name resolution — translating human-readable domain names into IP addresses.

Explore

Task 1: Understand connectivity options

| Service | Connection type | Over | Speed | Use case |
|---|---|---|---|---|
| VPN Gateway | Encrypted tunnel | Public internet | Up to 10 Gbps | Site-to-site, point-to-site |
| ExpressRoute | Private circuit | Dedicated line | Up to 100 Gbps | Enterprise, compliance, high throughput |
| VNet Peering | Direct VNet link | Microsoft backbone | High | VNet-to-VNet within Azure |

Task 2: Understand VPN Gateway types

| VPN type | Connects | Scenario |
|---|---|---|
| Site-to-Site (S2S) | On-prem network ↔ Azure VNet | Office to Azure |
| Point-to-Site (P2S) | Individual computer ↔ Azure VNet | Remote worker to Azure |
| VNet-to-VNet | Azure VNet ↔ Azure VNet | Cross-region connectivity |

Task 3: Explore VPN Gateway in Portal

  1. In Azure Portal, search for Virtual network gateways
  2. Click + Create
  3. Explore the form:
    • Gateway type: VPN or ExpressRoute
    • SKU: Different throughput tiers
    • VPN type: Route-based (modern) or Policy-based (legacy)
  4. Notice: VPN Gateways take 30-45 minutes to deploy and DO cost money
  5. Click Cancel — don't create

Task 4: Understand ExpressRoute

ExpressRoute provides a private connection to Azure:

  • Traffic does NOT go over the public internet
  • Provided by connectivity partners (ISPs/telcos)
  • Higher bandwidth (50 Mbps to 100 Gbps)
  • Lower latency and higher reliability
  • Required for some compliance scenarios

When to choose ExpressRoute vs VPN:

| Criteria | VPN Gateway | ExpressRoute |
|---|---|---|
| Cost | Lower | Higher |
| Setup time | Hours | Weeks (need ISP) |
| Bandwidth | Up to 10 Gbps | Up to 100 Gbps |
| Encryption | Built-in (IPsec) | Optional (add-on) |
| Traverses internet | Yes | No |
| Compliance needs | Standard | High-security |

Task 5: Explore Azure DNS

  1. In Azure Portal, search for DNS zones
  2. Azure DNS hosts your domain's DNS records
  3. Browse the service — no need to create

Azure DNS features:

  • Host DNS zones in Azure
  • Manage DNS records (A, AAAA, CNAME, MX, etc.)
  • Integrated with other Azure services
  • Uses Azure's global anycast network
  • Does NOT register domain names (use a registrar for that)

| DNS Record | Purpose | Example |
|---|---|---|
| A | Maps name → IPv4 address | www → 20.53.x.x |
| AAAA | Maps name → IPv6 address | www → 2001:db8::1 |
| CNAME | Maps name → another name | blog → myapp.azurewebsites.net |
| MX | Mail server | @ → mail.example.com |
| TXT | Text data (verification, SPF) | @ → "v=spf1 include:..." |
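As an added example (not part of the original challenge), here is a small Python validator that applies the rules from the record table above to a constructed sample zone. It also enforces two rules the table does not mention but every zone editor applies: a CNAME cannot sit at the zone apex (@), and an SPF TXT record must open with the v=spf1 tag. All names, addresses and the include: target in the sample are constructed.

```python
import ipaddress
import re
# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; at most 63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def ip_version(value):
    """4 or 6 for a valid IP address literal, None for anything else."""
    try:
        return ipaddress.ip_address(value).version
    except ValueError:
        return None

def is_hostname(value):
    """True for a dot-separated DNS name (trailing dot allowed) that is not an IP literal."""
    return ip_version(value) is None and all(_LABEL.match(lab) for lab in value.rstrip(".").split("."))

def validate_record(name, rtype, value):
    """Problems found with one (name, type, value) record; an empty list means it is acceptable.
    Type rules follow the table: A holds an IPv4 address, AAAA an IPv6 address, CNAME and MX a
    hostname, TXT free text. Two rules the table does not spell out but zone editors enforce:
    no CNAME at the zone apex ('@'), and an SPF TXT record must open with the tag 'v=spf1'."""
    rtype, problems = rtype.upper(), []
    if rtype == "A" and ip_version(value) != 4:
        problems.append("A record value must be an IPv4 address")
    elif rtype == "AAAA" and ip_version(value) != 6:
        problems.append("AAAA record value must be an IPv6 address")
    elif rtype in ("CNAME", "MX"):
        if not is_hostname(value):
            problems.append(f"{rtype} record value must be a hostname")
        if rtype == "CNAME" and name == "@":
            problems.append("CNAME is not allowed at the zone apex")
    elif rtype == "TXT" and value.lower().startswith("v=spf") and value.split(" ")[0].lower() != "v=spf1":
        problems.append("SPF record must start with 'v=spf1'")
    return problems

def validate_zone(records):
    """Validate (name, type, value) tuples; map each rejected record to its list of problems."""
    return {r: p for r in records if (p := validate_record(*r))}

# Constructed sample zone: the table's examples plus three deliberately broken records.
SAMPLE_ZONE = [
    ("www", "A", "20.53.1.2"),
    ("www", "AAAA", "2001:db8::1"),
    ("blog", "CNAME", "myapp.azurewebsites.net"),
    ("@", "MX", "mail.example.com"),
    ("@", "TXT", "v=spf1 include:_spf.example.com -all"),
    ("@", "CNAME", "myapp.azurewebsites.net"),  # apex CNAME: rejected
    ("api", "A", "2001:db8::1"),                # IPv6 address in an A record: rejected
    ("mail", "MX", "20.53.1.2"),                # IP address instead of a hostname: rejected
]
```

Run `validate_zone(SAMPLE_ZONE)` to get only the three rejected records with their reasons; the five table examples pass unchanged.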
Azure CLI Alternative

# List DNS zones (if any)
az network dns zone list --output table 2>/dev/null || echo "No DNS zones configured"

# List VPN gateways in a resource group (if any exist)
az network vnet-gateway list --resource-group rg-az900-learning --output table 2>/dev/null || echo "No VPN gateways configured (they cost money!)"

Key Concepts

| Concept | Description |
|---|---|
| VPN Gateway | Encrypted tunnel over public internet to Azure |
| Site-to-Site VPN | Connects an entire on-premises network to Azure |
| Point-to-Site VPN | Connects a single device to Azure |
| ExpressRoute | Private, dedicated connection (bypasses internet) |
| Azure DNS | Host and manage DNS zones and records |
| DNS zone | Container for DNS records of a domain |

Knowledge Check

1. A company needs a private, dedicated connection between their datacenter and Azure that does not traverse the public internet. Which service should they use?

2. An employee working from home needs to securely access resources in an Azure VNet. Which VPN type is most appropriate?

3. What is the purpose of Azure DNS?

4. Which connectivity option provides the HIGHEST bandwidth to Azure?

5. VPN Gateway connections are encrypted using which protocol?

Learn More