Study Azure AZ-305 Network Connectivity: key concepts, common traps, and exam decision cues.
Networking is where AZ-305 punishes shallow memorization. The exam usually wants to know whether you understand the path traffic takes, the trust boundary it crosses, and the name-resolution impact of the design. The right answer is often not just the secure service. It is the secure service plus the correct routing and DNS behavior.

| Need | Strongest first fit | Why |
|---|---|---|
| private access from Azure virtual networks to a PaaS service | private endpoint pattern | private IP path into the service |
| restrict public exposure while keeping traffic on the Microsoft backbone | service endpoint, or private endpoint if the consumer must not touch the public address | service endpoints keep the service's public IP and rely on its firewall; private endpoints remove the public path for that consumer |
| dedicated private connectivity from on-premises to Azure | ExpressRoute | private dedicated hybrid connection |
| encrypted site-to-site connectivity over public internet | VPN gateway | lower-cost hybrid connection pattern |
| global web entry and acceleration | Front Door style edge entry | global HTTP entry and routing |
| regional web protection and Layer 7 controls | Application Gateway and WAF pattern | regional app delivery and inspection |
| regional non-HTTP load distribution | Load Balancer | Layer 4 traffic distribution |
| DNS-based endpoint choice across regions | Traffic Manager | DNS routing, not inline proxying |

| Pair | Exam-safe difference |
|---|---|
| private endpoint vs service endpoint | private endpoint gives the service a NIC with a private IP in your subnet, reachable from peered VNets and from on-premises over VPN or ExpressRoute; service endpoint extends your subnet's identity to the service over the Microsoft backbone, the service keeps its public IP, its firewall must allow the subnet, and on-premises clients cannot use it |
| Front Door vs Application Gateway | Front Door is global edge entry with TLS termination and WAF at the edge; Application Gateway is regional Layer 7 load balancing with WAF inside the region, deployed into your VNet |
| Traffic Manager vs Front Door | Traffic Manager is DNS-based routing for any protocol and never sees the request, so it cannot terminate TLS or inspect traffic; Front Door is an HTTP(S) proxying edge service that terminates the client connection |
| VPN vs ExpressRoute | VPN gateway encrypts traffic with IPsec/IKE over the public internet; ExpressRoute is a dedicated private circuit that is not encrypted by default, so add IPsec over the circuit or MACsec on ExpressRoute Direct when encryption in transit is a requirement |

Private access designs often fail in practice because the name-resolution plan is missing. Adding a private endpoint does not change what the service's public name resolves to on its own: you need a private DNS zone (for example privatelink.blob.core.windows.net) linked to every VNet that will consume the service, and conditional forwarding from on-premises resolvers to a forwarder inside Azure. A client that still resolves the public address bypasses the private endpoint and is then at the mercy of the service firewall, which may block it.
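The check a practitioner wants for the paragraph above is "from each network that will consume the service, where does the name actually land?" The following is an added example, not code from the study page: it models one resolver view per consumer network as a small record set, walks the CNAME chain, and flags any view that resolves to a public address. The storage account name contoso01, the VNet range 10.10.0.0/16, the private endpoint address 10.10.5.4, the cluster name and the public IP are all constructed assumptions; the shape of the chain (service name, then privatelink name, then either the private A record or the public cluster name) is the one Azure uses for a storage account with a private endpoint.

```python
"""Audit name resolution for a private-endpoint design (added example).

Every record below is constructed; the names and addresses are assumptions.
"""
import ipaddress
from typing import Dict, List, Tuple

Record = Tuple[str, str]   # ("A", "10.10.5.4") or ("CNAME", "target.name")
Zone = Dict[str, Record]   # one resolver's view: name -> record

# One view per network that will consume the service.  Constructed data.
VIEWS: Dict[str, Zone] = {
    # VNet linked to the privatelink.blob.core.windows.net private DNS zone.
    "azure-vnet": {
        "contoso01.blob.core.windows.net":
            ("CNAME", "contoso01.privatelink.blob.core.windows.net"),
        "contoso01.privatelink.blob.core.windows.net": ("A", "10.10.5.4"),
    },
    # On-prem resolver with no conditional forwarder for the privatelink zone:
    # it follows the public chain and lands on the public front end.
    "onprem-dns-unforwarded": {
        "contoso01.blob.core.windows.net":
            ("CNAME", "contoso01.privatelink.blob.core.windows.net"),
        "contoso01.privatelink.blob.core.windows.net":
            ("CNAME", "blob.cluster01.store.core.windows.net"),
        "blob.cluster01.store.core.windows.net": ("A", "203.0.113.10"),
    },
    # Same on-prem resolver after a conditional forwarder for
    # privatelink.blob.core.windows.net pointing at a forwarder inside the
    # VNet (for example an Azure DNS Private Resolver inbound endpoint).
    "onprem-dns-forwarded": {
        "contoso01.blob.core.windows.net":
            ("CNAME", "contoso01.privatelink.blob.core.windows.net"),
        "contoso01.privatelink.blob.core.windows.net": ("A", "10.10.5.4"),
    },
}


def resolve(name: str, zone: Zone, max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow CNAMEs until an A record; return the address text and the chain walked."""
    chain = [name]
    for _ in range(max_hops):
        rtype, value = zone.get(name, (None, None))
        if rtype is None:
            raise LookupError(f"no record for {name} in this view")
        if rtype == "A":
            return value, chain
        name = value
        chain.append(name)
    raise LookupError(f"CNAME chain longer than {max_hops} hops")


def audit(service_name: str, vnet_cidrs: List[str], views: Dict[str, Zone]) -> Dict[str, dict]:
    """For every consumer network, report whether the name lands on the private path."""
    nets = [ipaddress.ip_network(c) for c in vnet_cidrs]
    report: Dict[str, dict] = {}
    for view_name, zone in views.items():
        ip_text, chain = resolve(service_name, zone)
        ip = ipaddress.ip_address(ip_text)
        on_private_path = any(ip in n for n in nets)
        report[view_name] = {
            "resolved_ip": ip_text,
            "private_path": on_private_path,
            "chain": chain,
            # A public answer means the private endpoint is bypassed: traffic goes
            # to the public front end and is subject to the service firewall.
            "finding": None if on_private_path
            else "resolves to a public address; add a zone link or conditional forwarder",
        }
    return report


if __name__ == "__main__":
    for view, result in audit("contoso01.blob.core.windows.net", ["10.10.0.0/16"], VIEWS).items():
        print(f"{view:24} {result['resolved_ip']:14} private={result['private_path']}")
```

The unforwarded on-prem view is the case the paragraph warns about: the chain is well formed, nothing errors, and the client quietly ends up on the public front end. Run the same audit against each network before declaring the private endpoint design done.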
| Trap | Better rule |
|---|---|
| picking private endpoints without planning DNS | private access changes both network path and name resolution |
| using Front Door when the requirement is really regional app inspection | global edge entry and regional Layer 7 inspection are different design goals |
| treating Traffic Manager like a proxy | it is DNS routing, not a request-processing edge service |
| defaulting to ExpressRoute for every hybrid scenario | dedicated circuits solve a specific connectivity and predictability problem, not every connection problem |
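
The "Traffic Manager is DNS, not a proxy" rows above are easier to internalize by following what the client actually does after the DNS exchange. This is an added example, not code from the study page: it simulates priority routing over a small profile, replays health-probe rounds to show failover, and reports where the client's connection goes versus which hostname ends up in the Host header and TLS SNI. The custom domain shop.contoso.com, the endpoint names, priorities and probe results are constructed assumptions; treating "no healthy endpoint" as "no answer" is a simplification of this simulation, not a statement about the real service.

```python
"""Client-side view of a Traffic Manager profile (added example).

Profile, endpoints and probe results are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Endpoint:
    fqdn: str        # what the profile hands back as the CNAME target
    priority: int    # priority routing: lowest number wins while healthy
    healthy: bool    # result of the profile's HTTP(S) health probe


def priority_answer(endpoints: List[Endpoint]) -> Optional[str]:
    """CNAME target for priority routing, or None when nothing is healthy (simulation choice)."""
    live = sorted((e for e in endpoints if e.healthy), key=lambda e: e.priority)
    return live[0].fqdn if live else None


def client_view(user_hostname: str, endpoints: List[Endpoint]) -> Optional[Dict[str, str]]:
    """What a browser does once DNS has answered.

    user_hostname is the name the user typed (a custom domain CNAMEd to the
    profile).  'connect_to' is where the TCP/TLS connection goes; 'host_header'
    and 'tls_sni' stay as the user's name, so the endpoint itself must hold a
    certificate for that name and any WAF has to sit there, not in Traffic Manager.
    """
    target = priority_answer(endpoints)
    if target is None:
        return None
    return {"connect_to": target, "host_header": user_hostname, "tls_sni": user_hostname}


def failover_sequence(endpoints: List[Endpoint],
                      probe_rounds: List[Dict[str, bool]]) -> List[Optional[str]]:
    """Apply successive probe rounds and record which endpoint each round's answer names.

    Only endpoints mentioned in a round change state; clients that cached an
    earlier answer keep using it until the record's TTL expires, which is why
    failover time is probe interval plus TTL, not instant.
    """
    answers: List[Optional[str]] = []
    for round_result in probe_rounds:
        for e in endpoints:
            if e.fqdn in round_result:
                e.healthy = round_result[e.fqdn]
        answers.append(priority_answer(endpoints))
    return answers


if __name__ == "__main__":
    profile = [
        Endpoint("shop-eastus.azurewebsites.net", 1, True),
        Endpoint("shop-westeurope.azurewebsites.net", 2, True),
    ]
    print(client_view("shop.contoso.com", profile))
    print(failover_sequence(profile, [
        {"shop-eastus.azurewebsites.net": False},
        {"shop-westeurope.azurewebsites.net": False},
        {"shop-eastus.azurewebsites.net": True},
    ]))
```

The practical consequence for the exam trap: because Traffic Manager only ever returns a name, anything that must see the request (WAF rules, TLS termination, path-based routing) belongs on the endpoint or on a proxying service such as Front Door or Application Gateway in front of it.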