Implement Azure Extended Network

2.1 Site-to-Site (S2S) VPN Connectivity

📘Microsoft Azure Networking Solutions (AZ-700)

1. What is Azure Extended Network?

Azure Extended Network allows on-premises workloads to be connected to Azure virtual networks (VNets) in a way that feels like they are part of the same Azure network.

In simple terms:

  • Azure networking capabilities are extended to on-premises environments
  • On-premises workloads can:
    • Use Azure IP addressing
    • Communicate securely with Azure VNets
    • Be managed and monitored through Azure

This is commonly used with:

  • Site-to-Site VPN
  • Azure Stack HCI
  • Azure Arc
  • Azure Virtual Network Gateway

📌 Exam focus: Azure Extended Network is about extending Azure networking to on-premises environments using VPN connectivity.

2. Why Azure Extended Network is Needed

Azure Extended Network is used when:

  • Some workloads must stay on-premises
  • Azure networking services are still required
  • Secure and private connectivity is needed
  • Centralized Azure management is required

With Azure Extended Network:

  • On-premises systems behave like Azure-connected systems
  • Azure policies, monitoring, and routing can be applied

3. Key Components of Azure Extended Network

To implement Azure Extended Network, you must understand these core components:

3.1 On-Premises Network

This is the local IT environment that includes:

  • Servers
  • Virtual machines
  • Network devices
  • Local IP address ranges

📌 These IP ranges must be defined correctly and must not overlap with Azure VNets.

3.2 Azure Virtual Network (VNet)

The Azure VNet is:

  • The private network in Azure
  • Where Azure resources such as VMs are deployed

Key points:

  • Must have a defined address space
  • Must not overlap with on-premises IP ranges
  • Acts as the Azure side of the extended network

3.3 Azure Virtual Network Gateway

This is a mandatory component.

The Virtual Network Gateway:

  • Connects Azure VNet to on-premises networks
  • Uses IPsec/IKE VPN tunnels
  • Encrypts all traffic

Gateway types:

  • VPN Gateway (used for S2S VPN)
  • Route-based gateway is required

📌 Policy-based gateways are not supported for Azure Extended Network

3.4 Local Network Gateway

The Local Network Gateway represents:

  • The on-premises VPN device in Azure

It includes:

  • On-premises public IP address
  • On-premises IP address ranges

📌 Azure uses this information to know where to send traffic.

3.5 Site-to-Site VPN Connection

This creates a secure tunnel between:

  • Azure Virtual Network Gateway
  • On-premises VPN device

Important points:

  • Uses IPsec/IKE encryption
  • Always-on connection
  • Supports routing between Azure and on-premises networks

4. How Azure Extended Network Works

The process works like this:

  1. Azure VNet is created
  2. Virtual Network Gateway is deployed in Azure
  3. Local Network Gateway is created
  4. Site-to-Site VPN connection is established
  5. On-premises workloads can communicate with Azure VNets
  6. Azure networking services are extended to on-premises systems

📌 From a networking perspective, Azure and on-premises act as one connected network.

5. Addressing and Routing Requirements

This is very important for the exam.

5.1 IP Address Planning

  • Azure VNet address space must be unique
  • On-premises IP ranges must not overlap
  • All subnets must be clearly defined

Overlapping IP addresses will:

  • Break routing
  • Prevent VPN connection from working

5.2 Routing

Azure Extended Network uses:

  • System routes
  • User-defined routes (UDRs) if required

Traffic flow:

  • Azure knows on-premises routes via Local Network Gateway
  • On-premises network knows Azure routes via VPN device configuration

6. Security Considerations

Azure Extended Network provides strong security by default:

6.1 Encryption

  • Uses IPsec/IKE
  • Data is encrypted in transit

6.2 Authentication

  • Uses shared key (pre-shared key)
  • Must match on both Azure and on-premises VPN device

6.3 Network Isolation

  • VNets are isolated by default
  • Only allowed traffic flows through the VPN

7. Monitoring and Management

Azure Extended Network can be monitored using Azure tools:

  • Azure Monitor
  • Network Watcher
  • VPN connection status
  • Tunnel health and diagnostics

This allows:

  • Visibility into connectivity issues
  • Performance monitoring
  • Troubleshooting VPN failures

8. Limitations and Important Exam Notes

You must remember these exam-critical points:

  • Requires route-based VPN gateway
  • Policy-based VPN is not supported
  • IP address overlap is not allowed
  • Requires stable internet connectivity
  • VPN gateway deployment takes time
  • Throughput depends on gateway SKU

9. When to Use Azure Extended Network (Exam Context)

Azure Extended Network is appropriate when:

  • Azure networking must be extended to on-premises systems
  • Secure private connectivity is required
  • Workloads cannot move fully to Azure
  • Centralized Azure networking control is needed

10. Key Exam Keywords to Remember

Make sure students recognize these terms:

  • Azure Extended Network
  • Site-to-Site VPN
  • Virtual Network Gateway
  • Local Network Gateway
  • Route-based VPN
  • IPsec/IKE
  • Non-overlapping IP ranges
  • Secure hybrid connectivity

11. One-Line Exam Summary

Azure Extended Network extends Azure virtual networking to on-premises environments using Site-to-Site VPN with secure, encrypted, route-based connectivity.

Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by