Real-world Scenarios
Apply Azure networking concepts to practical architecture designs focused on traffic flow, segmentation, and secure exposure patterns.
Scenario 1: Designing VNet for Application
| Requirement | Design Decision |
|---|---|
| Three-tier app | One VNet with dedicated web/app/data subnets |
| Team isolation | Separate spoke VNets per app team |
| Central governance | Hub VNet with shared firewall and DNS |
Scenario 2: Connecting Frontend and Backend
- Frontend in the web subnet receives internet traffic only through Application Gateway, which is deployed in its own dedicated subnet.
- Backend APIs remain private in the app subnet, with no public IP addresses.
- The app subnet NSG allows only the required API ports, and only from the web subnet address range.
- The database is reachable only from the app subnet over a private endpoint, with public network access disabled on the database itself (a private endpoint alone does not block the public path).
Scenario 3: Securing Services with NSG
Security Flow
- Internet -> Web Subnet NSG: allow inbound 443 only; deny everything else.
- Web subnet -> App Subnet NSG: allow inbound only from the web subnet address range, on the required backend ports; deny everything else.
- App subnet -> Data Subnet NSG: allow inbound only from the app subnet address range, on the database port; deny everything else.
Caveat: every NSG carries non-removable default rules, and AllowVnetInBound (priority 65000) permits all traffic from inside the VNet. An "allow only from web subnet" rule therefore needs an explicit deny-all rule at a priority below 65000 (for example 4000); without it, traffic from any other subnet still matches the default allow. If a tier sits behind a load balancer, add an allow for the AzureLoadBalancer service tag ahead of that deny so health probes keep working.
Scenario 4: Exposing Application via Load Balancer
| Need | Service |
|---|---|
| Layer 4 (TCP/UDP) distribution, internal or public | Azure Load Balancer |
| Layer 7 HTTP(S) routing, TLS termination, regional WAF | Application Gateway |
| Global HTTP(S) entry point with edge acceleration and WAF | Front Door |
| DNS-based global routing and failover for any protocol | Traffic Manager |
Hands-on Lab Steps
- Create VNet with three subnets: web, app, data.
- Deploy one VM in web and one VM in app subnet.
- Attach NSGs with least-privilege rules.
- Create internal load balancer for app subnet VMs.
- Test traffic from web tier to app tier and verify blocked flows.
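The NSG flow in Scenario 3 and lab step 5 are easiest to reason about with a model of how Azure evaluates NSG rules: lowest priority number first, first match wins, and the three default inbound rules are always present. The following is an added example (not code from the page) that encodes that evaluation and checks the three-tier rule sets. The address plan (10.0.0.0/16 with /24 subnets), the rule names and the ports 8080 and 1433 are assumptions; the default rules, their priorities, and the health probe source 168.63.129.16 are Azure's.

```python
"""NSG evaluation model for the three-tier design (added example, not from the page).

Models how an Azure NSG decides inbound traffic: rules are evaluated in
priority order (lowest number first) and the first match wins. The three
default rules Azure adds to every NSG are included, because the common
mistake is to write only allow rules and forget that AllowVnetInBound
(priority 65000) still admits everything else from inside the VNet.
"""
from dataclasses import dataclass
import ipaddress

ANY = "*"
VNET_TAG = "VirtualNetwork"      # Azure service tag
INTERNET_TAG = "Internet"        # Azure service tag
LB_TAG = "AzureLoadBalancer"     # Azure service tag (health probes from 168.63.129.16)

# Constructed address plan for the lab (assumption, not from the page).
VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")
WEB_SUBNET = ipaddress.ip_network("10.0.1.0/24")
APP_SUBNET = ipaddress.ip_network("10.0.2.0/24")
DATA_SUBNET = ipaddress.ip_network("10.0.3.0/24")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # custom rules use 100-4096; defaults use 65000+
    source: str      # CIDR or service tag
    dest_port: str   # "443", "1000-2000" or "*"
    access: str      # "Allow" or "Deny"


# Default inbound rules present in every NSG; they cannot be removed.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, VNET_TAG, ANY, "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, LB_TAG, ANY, "Allow"),
    Rule("DenyAllInBound", 65500, ANY, ANY, "Deny"),
]


def source_matches(rule_source: str, src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    if rule_source == ANY:
        return True
    if rule_source == VNET_TAG:
        return ip in VNET_SPACE
    if rule_source == INTERNET_TAG:
        # Simplification: anything outside the VNet address space.
        return ip not in VNET_SPACE
    if rule_source == LB_TAG:
        return src_ip == "168.63.129.16"
    return ip in ipaddress.ip_network(rule_source)


def port_matches(rule_port: str, port: int) -> bool:
    if rule_port == ANY:
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-"))
        return lo <= port <= hi
    return int(rule_port) == port


def evaluate(custom_rules, src_ip: str, port: int):
    """Return (access, rule_name) of the first matching rule by priority."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if source_matches(rule.source, src_ip) and port_matches(rule.dest_port, port):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


# Web tier, naive: only the allow rule from the flow above. Anything from
# inside the VNet still falls through to AllowVnetInBound.
WEB_NSG_NAIVE = [Rule("AllowHttpsFromInternet", 100, INTERNET_TAG, "443", "Allow")]

# Web tier, hardened: explicit deny at 4000 so no flow reaches the default allows.
WEB_NSG = WEB_NSG_NAIVE + [Rule("DenyAllOther", 4000, ANY, ANY, "Deny")]

# App tier behind the internal load balancer: the explicit deny also blocks
# the default AllowAzureLoadBalancerInBound, so health probes need their own allow.
APP_NSG = [
    Rule("AllowWebToApi", 100, str(WEB_SUBNET), "8080", "Allow"),
    Rule("AllowLbProbe", 110, LB_TAG, "8080", "Allow"),
    Rule("DenyAllOther", 4000, ANY, ANY, "Deny"),
]

DATA_NSG = [
    Rule("AllowAppToSql", 100, str(APP_SUBNET), "1433", "Allow"),
    Rule("DenyAllOther", 4000, ANY, ANY, "Deny"),
]


def lab_flow_checks():
    """Lab step 5: the allowed and blocked flows a practitioner should verify."""
    web_vm, app_vm, internet_client = "10.0.1.4", "10.0.2.4", "203.0.113.7"
    return {
        "internet->web:443": evaluate(WEB_NSG, internet_client, 443),
        "internet->web:22": evaluate(WEB_NSG, internet_client, 22),
        "app->web:22 (naive NSG)": evaluate(WEB_NSG_NAIVE, app_vm, 22),
        "app->web:22": evaluate(WEB_NSG, app_vm, 22),
        "web->app:8080": evaluate(APP_NSG, web_vm, 8080),
        "web->app:22": evaluate(APP_NSG, web_vm, 22),
        "lbprobe->app:8080": evaluate(APP_NSG, "168.63.129.16", 8080),
        "web->data:1433": evaluate(DATA_NSG, web_vm, 1433),
        "app->data:1433": evaluate(DATA_NSG, app_vm, 1433),
    }


if __name__ == "__main__":
    for flow, (access, rule) in lab_flow_checks().items():
        print(f"{flow:28} {access:5} ({rule})")
```

The naive web NSG is the instructive case: it "allows 443 from the Internet" exactly as the flow says, yet SSH from the app subnet is still admitted by AllowVnetInBound. The model only covers inbound rules and source/port matching; in a real tenant, validate the same flows with Network Watcher's IP flow verify or by actually probing from the lab VMs.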
Debugging Scenario
Issue: Frontend can reach the backend health endpoint, but API data calls fail.
- The health endpoint proves only the frontend-to-backend hop; check the backend's own dependency path (database over the private endpoint) rather than the frontend path alone.
- Validate DNS resolution inside the app subnet: the database FQDN must resolve to the private endpoint's private IP, not to the service's public IP (typically a private DNS zone not linked to the VNet, or a custom DNS server not forwarding to Azure DNS).
- Check outbound NSG rules on the app subnet, inbound NSG rules on the data subnet, and any firewall route in between, for the database port.
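The DNS step of this debugging scenario has a small number of recognisable outcomes, so it can be scripted. The following is an added example (not code from the page) that takes the answer chain for the database name as seen from the app subnet (for instance pasted from `dig +short`) and classifies it. The privatelink CNAME pattern is how Azure private endpoints integrate with DNS; the hostname appdb.database.windows.net, the subnet ranges, and the address 203.0.113.20 standing in for a public IP are constructed assumptions.

```python
"""Private endpoint DNS diagnosis (added example, not from the page).

Takes the answer chain for the database FQDN as seen from a VM in the app
subnet and classifies the common failure modes of private endpoint name
resolution, so the NSG check is only started once DNS is known to be right.
"""
import ipaddress

# Constructed address plan (assumption): the private endpoint NIC sits in the data subnet.
VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")
DATA_SUBNET = ipaddress.ip_network("10.0.3.0/24")


def parse_dig_short(text: str):
    """Turn `dig +short` output (CNAME targets, then addresses) into (type, value) pairs."""
    chain = []
    for line in text.splitlines():
        line = line.strip().rstrip(".")
        if not line:
            continue
        try:
            ipaddress.ip_address(line)
            chain.append(("A", line))
        except ValueError:
            chain.append(("CNAME", line))
    return chain


def diagnose_resolution(chain, data_subnet=DATA_SUBNET, vnet_space=VNET_SPACE) -> str:
    """chain: list of (record_type, value) in resolution order.

    With a private endpoint, the public service name is a CNAME to a
    privatelink.* name, and the private DNS zone linked to the VNet holds
    the A record with the endpoint's private IP. If that zone is not linked,
    or the client's DNS server never asks Azure DNS (168.63.129.16), the
    privatelink name falls through to public DNS and returns a public IP.
    """
    cnames = [v for t, v in chain if t == "CNAME"]
    addrs = [ipaddress.ip_address(v) for t, v in chain if t == "A"]
    via_privatelink = any(".privatelink." in c for c in cnames)

    if not addrs:
        return "no-answer: name does not resolve; check the FQDN and DNS forwarding from the app subnet"
    if all(a in data_subnet for a in addrs):
        return "ok: resolves to the private endpoint; next check app subnet outbound and data subnet inbound NSG rules"
    if all(a in vnet_space for a in addrs):
        return "wrong-subnet: private IP outside the data subnet; confirm where the private endpoint was deployed"
    if via_privatelink:
        return "zone-not-linked: privatelink name resolved to a public IP; link the private DNS zone to this VNet"
    return "no-privatelink: resolver never returned the privatelink CNAME; check custom DNS forwarding to Azure DNS"


# Constructed sample answers for appdb.database.windows.net (not captured from a real tenant).
ANSWER_OK = "appdb.privatelink.database.windows.net.\n10.0.3.5\n"
ANSWER_ZONE_NOT_LINKED = "appdb.privatelink.database.windows.net.\n203.0.113.20\n"
ANSWER_NO_PRIVATELINK = "203.0.113.20\n"
ANSWER_WRONG_SUBNET = "appdb.privatelink.database.windows.net.\n10.0.2.9\n"
ANSWER_EMPTY = ""


def diagnose_dig(text: str) -> str:
    return diagnose_resolution(parse_dig_short(text))


if __name__ == "__main__":
    for label, text in [("ok", ANSWER_OK), ("unlinked", ANSWER_ZONE_NOT_LINKED),
                        ("no-pl", ANSWER_NO_PRIVATELINK), ("subnet", ANSWER_WRONG_SUBNET),
                        ("empty", ANSWER_EMPTY)]:
        print(f"{label:9} {diagnose_dig(text)}")
```

Run the real lookup from a VM in the app subnet, not from a workstation: the private DNS zone only answers for VNets it is linked to, so a laptop will see the public IP even when the deployment is correct.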
Interview Questions
Beginner
Why split app tiers into separate subnets?
NSGs and route tables are applied per subnet (or per NIC), so separate subnets let you attach a targeted policy to each tier and limit lateral movement if one tier is compromised.
Intermediate
When would you choose Application Gateway over Load Balancer?
When you need HTTP-aware (layer 7) routing, TLS termination, or WAF; Load Balancer operates at layer 4 and cannot inspect HTTP.
Scenario-based
Design a secure internet-to-database path for a web app.
Internet -> Application Gateway with WAF (in its own subnet) -> web subnet -> app subnet -> private endpoint in the data subnet, with an explicit NSG allow-list plus deny-all between each tier and public network access disabled on the database.
Summary
Good network architecture is about intentional traffic flow. Model each hop, define explicit rules, and validate both allowed and denied paths.