# Role Deep Dive: Azure Network Engineer

---

## Role Overview

Azure Network Engineers design, implement, and manage Azure networking infrastructure. They build the backbone that connects everything — VNets, firewalls, load balancers, DNS, hybrid connectivity, and traffic routing. Networking is the foundation of every Azure architecture.

**Alternative Titles:** Cloud Network Engineer, Azure Network Architect, Network Security Engineer (overlap)

**Typical Salary Range:** $95,000 – $155,000 (US)

---

## Core Responsibilities

### 1. Virtual Network Design & Implementation (25% of role)
- Design VNet topologies (hub-spoke, mesh, Virtual WAN)
- Plan IP addressing schemes
- Implement VNet peering
- Configure subnets, NSGs, ASGs, UDRs
- Design for scalability and growth

**Granular Tasks:**
- **Hub-Spoke Topology:**
  - Hub VNet: 10.0.0.0/16
    - GatewaySubnet: /27 (VPN/ExpressRoute)
    - AzureFirewallSubnet: /26 (Azure Firewall)
    - AzureBastionSubnet: /26 (Bastion)
    - ManagementSubnet: /28 (jumpboxes, management)
  - Spoke-Web: 10.1.0.0/16
    - WebFrontend: /24
    - WebBackend: /24
    - DataSubnet: /24
  - Spoke-App: 10.2.0.0/16 (same structure)
  - Never overlap address spaces (plan for peering from day 1)
  - Reserve room for growth: /16 per VNet minimum for production

- **VNet Peering Configuration:**
  - Hub ↔ each spoke: allow gateway transit on the hub side; use remote gateways and allow forwarded traffic on the spoke side
  - Spokes do NOT peer with each other (traffic routes through hub/firewall)
  - Global peering for cross-region (higher cost, consider Virtual WAN for many regions)
  - Peering is not transitive: design routing accordingly

- **NSG Design:**
  - Tiered approach: subnet NSGs for broad rules, NIC NSGs for specific
  - Web subnet: allow 443 from Internet, allow 8080 from App Gateway subnet
  - App subnet: allow 8080 from Web subnet, allow 1433 to Data subnet
  - Data subnet: allow 1433 from App subnet, deny all other inbound
  - Management subnet: allow 3389/22 from Bastion subnet only
  - Deny all other inbound (default rule)

- **UDR Design:**
  - Spoke subnets: 0.0.0.0/0 → Azure Firewall private IP (next hop type Virtual appliance; forces all egress, internet-bound included, through the firewall)
  - Spoke subnets: VNet prefixes → VNet (local)
  - Spoke subnets: on-prem prefixes → VPN/ExpressRoute gateway (via hub)
  - GatewaySubnet: no UDR (let BGP handle routing)
  - AzureFirewallSubnet: no UDR needed (Azure manages)
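The tiered NSG design above, modelled as an added example (not code from the original page): a small evaluator that applies Azure's priority ordering and built-in default inbound rules to the Data subnet's rule set, which shows why "deny all other inbound" needs an explicit deny rule rather than relying on the default. The address ranges, rule names and the firewall-free simplification (source address and destination port only; no source port, destination address or protocol) are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of NSG inbound evaluation (simplified: source address + destination port only).
# Azure evaluates rules by ascending priority; the first match decides.

@dataclass
class Rule:
    name: str
    priority: int   # 100-4096 for custom rules; 65000+ are Azure's default rules
    src: str        # CIDR, "*", or the service tag "VirtualNetwork"
    port: str       # destination port, or "*"
    action: str     # "Allow" or "Deny"

# Hub-spoke address plan from this page: the VirtualNetwork tag expands to these ranges (simplified).
VNET_SPACE = [ipaddress.ip_network(p) for p in ("10.0.0.0/16", "10.1.0.0/16", "10.2.0.0/16")]
APP_SUBNET = "10.1.1.0/24"   # Spoke-Web app tier (constructed value)

def _src_matches(rule_src: str, src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    if rule_src == "*":
        return True
    if rule_src == "VirtualNetwork":
        return any(ip in net for net in VNET_SPACE)
    return ip in ipaddress.ip_network(rule_src)

def evaluate(rules: list, src_ip: str, dst_port: int) -> tuple:
    """Return (action, matching rule name) for an inbound flow, like IP Flow Verify does."""
    for r in sorted(rules, key=lambda r: r.priority):
        if _src_matches(r.src, src_ip) and r.port in ("*", str(dst_port)):
            return r.action, r.name
    return "Deny", "implicit"   # unreachable in practice: DenyAllInBound (65500) always matches

# Azure's built-in default inbound rules: they cannot be deleted, only overridden by lower priorities.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "168.63.129.16/32", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "Deny"),
]

# Data subnet, as listed above: allow 1433 from App, "deny all other inbound".
# Relying on the default deny is not enough: AllowVnetInBound (65000) still admits the Web tier.
DATA_NSG_NAIVE = [Rule("Allow-App-SQL", 100, APP_SUBNET, "1433", "Allow")] + DEFAULT_INBOUND
DATA_NSG_HARDENED = [
    Rule("Allow-App-SQL", 100, APP_SUBNET, "1433", "Allow"),
    Rule("Allow-LB-Probe", 4000, "168.63.129.16/32", "*", "Allow"),  # keep health probes working
    Rule("Deny-All-Inbound", 4096, "*", "*", "Deny"),  # explicit deny ahead of the 65000 default
] + DEFAULT_INBOUND
```

Run `evaluate(DATA_NSG_NAIVE, "10.1.0.10", 1433)` to see a Web-tier host reach SQL through the default VirtualNetwork allow; the hardened set denies it.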

### 2. Hybrid Connectivity (20% of role)
- Implement ExpressRoute circuits
- Configure VPN Gateways (S2S, P2S)
- Design redundant hybrid connectivity
- Implement BGP routing
- Configure Azure Virtual WAN

**Granular Tasks:**
- **ExpressRoute Design:**
  - Choose provider: exchange provider (Equinix) or network service provider (AT&T, Verizon)
  - Circuit: 1 Gbps Standard, geo-redundant (2 circuits at different peering locations)
  - Private peering: connect to hub VNet via ExpressRoute gateway (ErGw1AZ; ErGw3AZ for 10 Gbps)
  - Microsoft peering: access M365 and Azure public services
  - ExpressRoute Global Reach: connect branch offices via Microsoft backbone
  - Failover: ExpressRoute primary + S2S VPN backup (automatic via BGP AS-path)

- **VPN Gateway Design:**
  - Route-based only (policy-based is legacy)
  - SKU: VpnGw2 (1 Gbps) for medium, VpnGw5 (10 Gbps) for high throughput
  - Active-Active for higher availability and throughput
  - BGP: enable for dynamic routing, automatic failover
  - P2S: IKEv2 + OpenVPN for remote users, authenticate with Entra ID + certificates

- **Redundancy Architecture:**
  - Dual ExpressRoute circuits at different locations → same gateway
  - ExpressRoute + S2S VPN (backup) → same gateway
  - Dual VPN tunnels (active-active) → same gateway
  - BGP: ExpressRoute preferred (shorter AS-path), VPN auto-activates if ExpressRoute fails

- **Virtual WAN:**
  - For large-scale branch connectivity (50+ sites)
  - Microsoft-managed hub (no VNet to manage)
  - Integrated VPN, ExpressRoute, P2S
  - Inter-hub routing (connect hubs globally)
  - SD-WAN partner integration (Fortinet, Citrix, VMware)

### 3. Load Balancing & Traffic Management (15% of role)
- Configure Azure Load Balancer (L4)
- Configure Application Gateway (L7, WAF)
- Configure Azure Front Door (global L7)
- Configure Traffic Manager (DNS routing)
- Design traffic routing strategy

**Decision Matrix:**

| Need | Service |
|---|---|
| L4 TCP/UDP load balancing | Azure Load Balancer |
| L7 HTTP/HTTPS with WAF | Application Gateway |
| Global L7 with edge caching | Front Door |
| DNS-based global routing (any protocol) | Traffic Manager |
| Internal traffic distribution | Internal Load Balancer |

- **Architecture Pattern (Full Stack):**
  - Front Door (global routing, WAF, CDN) → App Gateway (regional WAF, path routing) → App Service / AKS
  - Use both when: global presence + regional WAF needed

### 4. DNS Architecture (10% of role)
- Configure Azure DNS (public zones)
- Configure Private DNS Zones
- Implement split-brain DNS
- Configure DNS for Private Endpoints
- Design DNS resolution for hybrid environments

**Granular Tasks:**
- Public DNS: host external domains in Azure DNS (A, CNAME, MX, TXT records)
- Private DNS Zones: one zone per service type (privatelink.blob.core.windows.net, privatelink.database.windows.net)
- Auto-registration: enable for VM A records in private zones
- Split-brain DNS: same domain (contoso.com) → different records internally vs externally
- Private Endpoint DNS: create A record in private zone pointing to private IP
- Hybrid DNS: on-prem DNS → conditional forwarder to a resolver inside the Azure VNet (DNS Private Resolver inbound endpoint or a forwarder VM), which resolves via Azure's 168.63.129.16; Azure → forward to on-prem DNS over ExpressRoute
- Azure Firewall DNS proxy: enable for FQDN-based network rules

### 5. Network Security (15% of role)
- Implement Azure Firewall (Standard/Premium)
- Configure WAF policies
- Implement DDoS Protection
- Configure Private Link / Private Endpoints
- Implement Network Watcher for diagnostics
- Design zero-trust network

**Granular Tasks:**
- Azure Firewall Premium: deploy in hub, configure TLS inspection, IDPS (alert + deny), DNS proxy
- WAF: Prevention mode, OWASP 3.2, custom rules (geo-filter, rate limit), exclusions for false positives
- DDoS Protection Standard: enable on public IPs for production workloads
- Private Endpoints: create for all PaaS services, disable public network access
- Network Watcher: IP Flow Verify (debug NSG), Next Hop (debug routing), Connection Troubleshoot (end-to-end connectivity), NSG Flow Logs (traffic analytics)
- JIT VM Access: open RDP/SSH ports only when needed

### 6. Network Monitoring & Troubleshooting (15% of role)
- Monitor network health and performance
- Configure NSG Flow Logs and Traffic Analytics
- Troubleshoot connectivity issues
- Monitor ExpressRoute/VPN health

**Granular Tasks:**
- NSG Flow Logs → Traffic Analytics: visualize traffic flows, identify top talkers, verify rules
- Connection Monitor: monitor connectivity between endpoints (on-prem ↔ Azure, VNet ↔ VNet)
- ExpressRoute monitor: track bandwidth utilization, BGP route changes
- VPN monitor: tunnel status, bandwidth, packet drops
- Network Performance Monitor: monitor bandwidth, latency, packet loss
- Alert on: VPN tunnel down, ExpressRoute BGP session down, Firewall health issues

---

## Network Architecture Patterns

### Pattern 1: Simple Hub-Spoke
```
On-Prem ←→ ExpressRoute/VPN ←→ Hub VNet (Azure Firewall, Gateway, Bastion)
                                    ↕ (VNet Peering)
                                  Spoke-1 (App Workload)
                                  Spoke-2 (Data Workload)
```

### Pattern 2: Multi-Region Hub-Spoke
```
Region A Hub ←→ Region B Hub (VNet Peering / Virtual WAN)
     ↕                    ↕
  Spoke-A1             Spoke-B1
  Spoke-A2             Spoke-B2
```

### Pattern 3: Virtual WAN (Enterprise Scale)
```
Branch Offices ←→ Virtual WAN Hub ←→ VNet Spokes
Remote Users   ←→ (P2S VPN)     ←→ Azure Firewall
Partners       ←→ (S2S VPN)     ←→ ExpressRoute to on-prem
```

---

## Certification Path

| Certification | Level | Focus |
|---|---|---|
| **AZ-900** | Foundational | Azure fundamentals |
| **AZ-104** | Associate | Azure Administrator (includes networking) |
| **AZ-700** | Associate | **Core cert** — Azure Network Engineer |
| **AZ-500** | Associate | Security (complement) |
| **AZ-305** | Expert | Solutions Architect (next step) |

### AZ-700 Exam Breakdown

| Domain | Weight |
|---|---|
| Design, implement, and manage hybrid networking | 10-15% |
| Design and implement core networking infrastructure | 20-25% |
| Design and implement routing | 25-30% |
| Secure and monitor networks | 15-20% |
| Design and implement Private Access to Azure Services | 10-15% |

---

## Interview Focus Areas

1. **Design a hub-spoke network for a 3-workload organization.**
   → Hub VNet with Firewall/Gateway/Bastion. Spoke per workload. VNet peering hub↔spokes. UDR on spokes → Firewall. Private Endpoints for PaaS.

2. **How do you implement hybrid connectivity with redundancy?**
   → Dual ExpressRoute at different peering locations + S2S VPN backup. BGP for automatic failover. ExpressRoute preferred (shorter AS-path). VPN activates on ExpressRoute failure.

3. **When to use Front Door vs App Gateway vs Load Balancer?**
   → Front Door = global, anycast, CDN. App Gateway = regional, WAF, L7. Load Balancer = L4, any protocol, high performance. Many use Front Door → App Gateway for global + regional.

4. **How do you implement zero-trust networking?**
   → Private Endpoints for all PaaS (no public access), Azure Firewall for all outbound, WAF for all web traffic, NSGs deny-all default, Bastion for management, JIT VM access, network segmentation.

5. **How do you troubleshoot a VNet connectivity issue?**
   → Network Watcher: IP Flow Verify (NSG check), Next Hop (routing check), Connection Troubleshoot (end-to-end). Check NSG rules, UDR routes, VNet peering status, DNS resolution.

6. **How do you design DNS for Private Endpoints?**
   → Create Private DNS Zone per service (privatelink.blob.core.windows.net). Link to VNet. Create A record for private endpoint IP. Auto-registration for VMs. Azure Firewall DNS proxy for FQDN rules.

7. **What's the difference between VNet peering and VPN?**
   → Peering: connects VNets within Azure (Microsoft backbone), high bandwidth, low latency, not transitive. VPN: connects VNet to on-prem over internet (encrypted IPsec), lower bandwidth, higher latency, can be transitive with BGP.

8. **How do you implement Azure Firewall in a hub-spoke?**
   → Deploy in AzureFirewallSubnet (/26) in hub. UDR on all spoke subnets: 0.0.0.0/0 → Firewall. Configure network rules, app rules, NAT rules. Premium for TLS inspection + IDPS. Firewall Manager for policy management.
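An added example, not from the original page, that reproduces what Network Watcher's Next Hop check (question 5) does for the spoke UDR design in question 8: longest-prefix match over a constructed effective-route table, with User routes beating BGP routes and system routes on a tie. The firewall IP 10.0.1.4, the on-prem prefix 192.168.0.0/16 and the route table itself are assumptions.

```python
import ipaddress

# Constructed effective-route table for a NIC in Spoke-Web (10.1.0.0/16), following the UDR design above.
# Each entry: (prefix, next hop type, next hop IP, route source). The firewall IP 10.0.1.4 is assumed.
SOURCE_RANK = {"User": 0, "BGP": 1, "Default": 2}   # tie-break on equal prefix length

EFFECTIVE_ROUTES = [
    ("10.1.0.0/16", "VnetLocal", None, "Default"),             # system route: spoke's own space
    ("10.0.0.0/16", "VNetPeering", None, "Default"),           # system route: hub via peering
    ("0.0.0.0/0", "Internet", None, "Default"),                # system default route
    ("0.0.0.0/0", "VirtualAppliance", "10.0.1.4", "User"),     # UDR: all egress -> Azure Firewall
    ("10.1.0.0/16", "VnetLocal", None, "User"),                # UDR: keep intra-VNet traffic local
    ("192.168.0.0/16", "VirtualNetworkGateway", None, "BGP"),  # on-prem prefix via the hub's gateway
]

def next_hop(routes, dst_ip):
    """Pick the route Azure would use: longest prefix first, then User > BGP > Default."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, hop_type, hop_ip, source in routes:
        net = ipaddress.ip_network(prefix)
        if ip not in net:
            continue
        rank = (-net.prefixlen, SOURCE_RANK[source])
        if best is None or rank < best[0]:
            best = (rank, hop_type, hop_ip)
    return ("None", None) if best is None else (best[1], best[2])

def without_user_routes(routes):
    """Simulate the UDR being detached from the subnet (only system and BGP routes remain)."""
    return [r for r in routes if r[3] != "User"]
```

With the UDR attached, spoke-to-spoke traffic (10.2.0.5) is steered to the firewall; detach it and the same destination falls to the system Internet route, the symptom of non-transitive peering.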
