Azure Hybrid Networking - Documentation

Hybrid Networking in Azure

Hybrid networking in Azure allows you to seamlessly extend your on-premises network to the Azure cloud. This enables you to run applications and services across both environments, leveraging the benefits of cloud scalability and agility while maintaining control over your existing infrastructure.

Key Concepts

Connectivity: Establishing secure and reliable connections between your on-premises network and Azure Virtual Networks (VNets).
Traffic Management: Routing traffic efficiently between on-premises and cloud resources.
Security: Implementing robust security measures to protect your hybrid environment.
Identity: Managing identities and access control across both environments.

Connectivity Options

Azure offers several ways to connect your on-premises network to Azure VNets:

1. VPN Gateway (Site-to-Site VPN)

A Site-to-Site (S2S) VPN connection provides an encrypted tunnel over the public internet between your on-premises VPN device and an Azure VPN Gateway. This is a cost-effective solution for hybrid connectivity.

Use Cases: Connecting smaller on-premises networks, development and testing environments, disaster recovery solutions.
Benefits: Cost-effective, relatively easy to set up.
Considerations: Bandwidth can be limited by internet connection performance.

2. ExpressRoute

Azure ExpressRoute provides a private, dedicated connection between your on-premises network and Azure, bypassing the public internet. This offers higher bandwidth, lower latency, and improved reliability.

Use Cases: Mission-critical applications, large data transfers, scenarios requiring high bandwidth and low latency.
Benefits: Predictable performance, enhanced security, compliance requirements.
Considerations: Generally more expensive than VPN Gateway, requires a network provider.

Diagram showing VPN Gateway and ExpressRoute connecting on-premises to Azure — Conceptual diagram of Azure hybrid connectivity options.

Hybrid Networking Architecture Patterns

Common patterns for hybrid networking include:

Hub-and-Spoke: A central Azure VNet (hub) acts as a connectivity point, with satellite VNets (spokes) connected to it. This simplifies management and enforces security policies centrally.


Azure VNet (Hub) <--> On-Premises Network
       |
       | (VNet Peering)
       V
Azure VNet (Spoke 1)
       |
       | (VNet Peering)
       V
Azure VNet (Spoke 2)

Full Mesh: Every VNet is directly connected to every other VNet. This is suitable for smaller deployments but can become complex to manage as the number of VNets grows.

Security Considerations

Securing your hybrid environment is paramount. Consider the following:

Network Security Groups (NSGs): Control traffic flow at the subnet and NIC level within Azure VNets.
Azure Firewall: A managed cloud-native network security service that protects your VNet resources.
Azure DDoS Protection: Protects your Azure resources from distributed denial of service attacks.
Always On VPN: For granular control over client VPN connections.

Getting Started

To set up hybrid networking, you'll typically need to:

Define your on-premises network topology and IP address ranges.
Create an Azure Virtual Network in your desired region.
Choose and configure a VPN Gateway or provision an ExpressRoute circuit.
Configure your on-premises VPN device or work with a network provider.
Establish routes and network security rules to allow desired traffic flow.

Refer to the official Azure documentation for detailed step-by-step guides and best practices.