AdvancedLesson 6 of 10

Hybrid Connectivity

Connect on-premises and Azure securely using VPN Gateway for encrypted internet tunnels and ExpressRoute for private dedicated connectivity.

What Is It? (Simple Explanation)

Hybrid connectivity lets your data center and Azure network behave like connected offices.

Why Do We Need It?

Lift-and-shift applications while keeping some systems on-premises.
Low-risk migration with phased cutovers.
Centralized identity and data access across environments.

Real-world Analogy

VPN is a secure tunnel through public roads. ExpressRoute is a private leased highway between your office and Azure.

How It Works (Technical)

Option	Transport	Latency	Use Case
Site-to-Site VPN	IPsec over internet	Variable	Quick setup, lower cost
Point-to-Site VPN	Client VPN	Variable	Admin/user remote access
ExpressRoute	Private MPLS/direct	Consistent	Mission-critical and compliance workloads

Visual Representation

On-prem to Azure

On-prem Network

10.100.0.0/16

VPN/ER Circuit

Encrypted / private path

Azure Gateway Subnet

Gateway resource

Azure VNet

10.20.0.0/16

Hands-on Commands

Azure CLI (VPN Gateway)

# Create gateway subnet
az network vnet subnet create -g rg-hybrid --vnet-name vnet-hub -n GatewaySubnet --address-prefixes 10.20.255.0/27

# Create public IP and VPN gateway
az network public-ip create -g rg-hybrid -n pip-vpngw --sku Standard
az network vnet-gateway create -g rg-hybrid -n vpngw-hub --public-ip-addresses pip-vpngw \
  --vnet vnet-hub --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 --no-wait

# Create local network gateway (on-prem)
az network local-gateway create -g rg-hybrid -n lng-onprem --gateway-ip-address 198.51.100.10 --local-address-prefixes 10.100.0.0/16

Real-world Use Case

A bank begins migration with VPN for non-critical apps, then moves payment workloads to ExpressRoute for predictable latency and stricter compliance controls.

Debugging Scenario

Issue: Tunnel is connected but no traffic flows.

Check on-prem and Azure address spaces do not overlap.
Validate IPsec parameters match on both sides.
Check effective routes for subnet path to on-prem prefixes.
Review NSG/firewall rules blocking hybrid ranges.

Interview Questions

Beginner

VPN vs ExpressRoute?

VPN uses internet with encryption; ExpressRoute is private dedicated connectivity.

Intermediate

Why avoid overlapping CIDR between on-prem and Azure?

Overlaps break routing decisions and prevent deterministic path selection.

Scenario-based

Company needs quick hybrid link in one week, budget constrained.

Start with Site-to-Site VPN and evolve to ExpressRoute for critical workloads later.

Summary

Hybrid connectivity is about safe migration and consistent access. Start with correct IP planning and route design, then choose VPN or ExpressRoute based on risk, cost, and performance requirements.

PreviousLoad Balancing NextDNS & Name Resolution