
Commit 93f080f

Merge pull request #54120 from staleycyn/patch-3
Content drift changes to the design network solutions module
2 parents 3e3c734 + 4d6efb5 commit 93f080f

5 files changed

Lines changed: 32 additions & 24 deletions

learn-pr/wwl-azure/design-network-solutions/includes/4-design-outbound-connectivity-routing.md

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,15 @@
11

22
Part of the planning for your Azure AI-ready network solution includes exploring how to support outbound network connectivity and traffic communication routing.
33

4-
Around the globe, IPv4 address ranges are in short supply. Trying to purchase an IP address in the v4 range can be an expensive way to grant access to your internet resources. To address this issue, architects use Network Address Translation (NAT) to enable internal resources on a private network to share routable IPv4 addresses. The internal resources use the routable IPv4 addresses to access external resources on a public network. Instead of buying an IPv4 address for each resource that needs internet access, you can use a NAT service to map outgoing requests from your internal resources to external IP addresses. Azure provides this technology via the Azure Virtual Network NAT service.
5-
64
Azure [routes communication traffic](/azure/virtual-network/virtual-networks-udr-overview) between your on-premises internal resources and external internet resources by using _route tables_. When you create a virtual network, Azure automatically creates a routing table for each subnet in the network. A routing table contains many different types of routes, including system, service endpoints, and subnet defaults. The table also has route entries for the Border Gateway Protocol (BGP), user-defined routes (UDRs), and routes from other virtual networks.
75

86
> [!VIDEO https://learn-video.azurefd.net/vod/player?id=76dd401c-0669-4693-87fc-1ba82d27782d]
97
8+
> [!IMPORTANT]
9+
> Default outbound access retirement: As of March 31, 2026, new virtual networks no longer receive default outbound internet access. Private subnets are now the default behavior. For new Azure deployments that require outbound internet connectivity, you must explicitly configure NAT Gateway or another outbound method (Azure Firewall, public IP, Load Balancer outbound rules).
10+
11+
12+
1013
#### Business scenarios
1114

1215
- Support on-demand outbound-to-internet connectivity without preallocation.
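Review bot: the deleted NAT paragraph (line 4) was the only place this unit explained what NAT does and why it is used, yet the new IMPORTANT block (lines 8-9) tells readers they "must explicitly configure NAT Gateway" without that grounding; keep at least one sentence on NAT ahead of the routing paragraph. Two smaller points: lines 10-12 add three consecutive blank lines where one is enough to separate the callout from the `#### Business scenarios` heading, and the retirement statement carries no link, unlike the rest of this file, so pointing it at the default outbound access documentation would let learners verify the date and the listed alternatives.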
@@ -51,4 +54,4 @@ There are many networking scenarios where defining and overriding routes can be
5154

5255
- **Consider overriding routes**. Plan for route overrides to control traffic flow.
5356
- Flow through NVA: [Configure route tables to force traffic between subnets to flow through an NVA](/azure/virtual-network/tutorial-create-route-table-portal).
54-
- Forced tunneling: [Force all internet-bound traffic through an NVA, or on-premises, through an Azure VPN gateway](/azure/vpn-gateway/vpn-gateway-forced-tunneling-rm).
57+
- Forced tunneling: [Force all internet-bound traffic through an NVA, or on-premises, through an Azure VPN gateway](/azure/vpn-gateway/vpn-gateway-forced-tunneling-rm).
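Review bot: the removed line 54 and the added line 57 are textually identical, so this hunk is a whitespace-only change (most likely the trailing newline at end of file); it is harmless, but if it was not intended, revert it so the diff shows only content changes.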

learn-pr/wwl-azure/design-network-solutions/includes/5-design-for-premises-connectivity-to-azure-virtual-networks.md

Lines changed: 0 additions & 9 deletions
@@ -38,12 +38,3 @@ The Azure Virtual WAN architecture includes the benefits of standard hub-spoke n
3838
- Mixed use of user VPN to the site
3939
- Virtual network-to-network connectivity
4040

41-
## Compare services
42-
43-
The following table compares the benefits and challenges of the network connectivity options. Review the scenarios, and think about which services can enhance the network solution for Tailwind Traders.
44-
45-
| Compare | Azure VPN Gateway | Azure ExpressRoute | ExpressRoute + VPN failover | Azure Virtual WAN + hub-spoke |
46-
| --- | --- | --- | --- | ---
47-
| **Benefits** | - Simple to configure <br> - High bandwidth available (up to 10 Gbps depending on VPN Gateway SKU) | - High bandwidth available (up to 10 Gbps depending on connectivity provider) <br> - Supports dynamic scaling of bandwidth to help reduce costs during periods of lower demand (not supported by all connectivity providers) <br> - Enables direct organizational access to national clouds (depends on connectivity provider) | - High availability if ExpressRoute circuit fails (fallback connection on lower bandwidth network | - Reduced operational overhead by replacing existing hubs with fully managed service <br> - Cost savings by using managed service, which removes need for NVA <br> - Improved security via centrally managed secured hubs with Azure Firewall and Virtual WAN <br> - Separates concerns between central IT (SecOps, InfraOps) and workloads (DevOps) |
48-
| **Challenges** | - Requires on-premises VPN device | - Can be complex to set up <br> - Requires working with non-Microsoft connectivity provider <br> - Provider responsible for provisioning network connection <br> - Requires high-bandwidth routers on-premises | - Complex to configure <br> - Must set up both VPN connection and ExpressRoute circuit <br> - Requires redundant hardware (VPN appliances) <br> - Requires redundant Azure VPN Gateway connection for which you pay charges | **Note**: Azure Virtual WAN is designed to reduce previously listed connectivity challenges. |
49-
| **Scenarios** | - Hybrid apps with light traffic between on-premises hardware and the cloud <br><br> - Able to trade slightly extended latency for flexibility and processing power of the cloud | - Hybrid apps running large-scale, mission-critical workloads that require high degree of scalability | - Hybrid apps that require higher bandwidth of ExpressRoute and highly available network connectivity | - Connectivity among workloads requires central control and access to shared services <br><br> - Enterprise requires central control over security aspects like a firewall and segregated management for workloads in each spoke |
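Review bot: deleting the entire Compare services section (lines 41-49) removes the only side-by-side comparison of VPN Gateway, ExpressRoute, ExpressRoute + VPN failover and Virtual WAN, together with the Tailwind Traders review prompt, and nothing in the hunk replaces it. If the bandwidth figures ("up to 10 Gbps") or the provider notes were the drifting content, updating those cells would keep the comparison; if the removal is deliberate, a short sentence pointing learners to where the options are compared would stop the unit ending abruptly after the bullet list.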

learn-pr/wwl-azure/design-network-solutions/includes/7-design-for-application-delivery-services.md

Lines changed: 12 additions & 6 deletions
@@ -3,10 +3,10 @@ Azure offers several AI-ready networking services to help deliver applications.
33

44
| Feature/Service | Azure Front Door | Application Gateway | Traffic Manager | Load Balancer |
55
| --- |--- | ---| --- | --- |
6-
| Type | Global | Regional | Global | Regional/Global |
6+
| Type | Global CDN/ADN | Regional | Global | Regional/Global |
77
| Layer | Layer 7 (HTTP/HTTPS) | Layer 7 (HTTP/HTTPS) | DNS-based | Layer 4 (TCP/UDP) |
8-
| Primary Use Case | Web traffic load balancing, application acceleration, and global routing | Web application firewall, TLS/SSL termination, and HTTP load balancing | DNS-based traffic routing for high availability and performance | Internal and external load balancing for non-HTTP(S) traffic |
9-
| Key Features | Path-based routing, TLS/SSL offload, Web Application Firewall (WAF), URL-based routing | Path-based routing, TLS/SSL offload, Web Application Firewall (WAF), URL-based routing | DNS-based routing, geographic routing, priority routing, weighted routing | High availability, low latency, zonal and zone-redundant endpoints |
8+
| Primary Use Case | Web traffic load balancing, application acceleration, global routing, and CDN content delivery | Web application firewall, TLS/SSL termination, and HTTP load balancing | DNS-based traffic routing for high availability and performance | Internal and external load balancing for non-HTTP(S) traffic |
9+
| Key Features | Path-based routing, TLS/SSL offload, Web Application Firewall (WAF), URL-based routing, CDN/edge caching | Path-based routing, TLS/SSL offload, Web Application Firewall (WAF), URL-based routing | DNS-based routing, geographic routing, priority routing, weighted routing | High availability, low latency, zonal and zone-redundant endpoints |
1010
| Scalability | High | High | High | High |
1111
| Cost | Based on data processed and rules applied | Based on data processed, rules applied, and SKU | Based on DNS queries, health checks, and data points processed | Based on rules and data processed |
1212

@@ -17,16 +17,22 @@ The different load balancers can work together in your networking architecture.
1717

1818
### Azure Front Door
1919

20-
[Azure Front Door](/azure/frontdoor/front-door-overview) lets you define, manage, and monitor the global routing for your web traffic by optimizing for best performance and instant global failover for high availability. With Front Door, you can transform your global (multi-region) consumer and enterprise applications into robust, high-performance personalized modern applications, APIs, and content that reaches a global audience with Azure.
21-
20+
[Azure Front Door Standard and Premium](/azure/frontdoor/front-door-overview) lets you define, manage, and monitor the global routing for your web traffic by optimizing for best performance and instant global failover for high availability. With Front Door, you can transform your global (multi-region) consumer and enterprise applications into robust, high-performance personalized modern applications, APIs, and content that reaches a global audience with Azure.
21+
22+
> [!NOTE]
23+
> Azure Front Door (classic) is being retired March 31, 2027. Use Front Door Standard or Premium tiers for new deployments.
24+
2225
#### Business scenarios
2326

2427
- Low latency: Ensure requests are sent to the lowest latency backends.
2528
- Priority: Support primary and secondary backends.
2629
- Weighted: Distribute traffic by using weight coefficients.
2730
- Affinity: Ensure requests from the same end user are sent to the same backend.
2831
- Support WAF and CDN integration for HTTP(S) traffic.
29-
- Support for content delivery services.
32+
- Support for content delivery services.
33+
- Private Link integration for private origins (Premium tier).
34+
- CDN content delivery for static workloads across 118+ edge locations.
35+
3036

3137
### Azure Traffic Manager
3238

learn-pr/wwl-azure/design-network-solutions/includes/8-design-for-application-protection-services.md

Lines changed: 13 additions & 5 deletions
@@ -5,13 +5,17 @@ Azure offers several networking services to help protect your network resources.
55

66
### Azure DDoS Protection (distributed denial of service protection)
77

8-
[Azure DDoS Protection](/azure/ddos-protection/manage-ddos-protection) provides countermeasures against the most sophisticated DDoS threats. The service provides enhanced DDoS mitigation capabilities for your application and resources deployed in your virtual networks. Additionally, customers who use Azure DDoS Protection have access to DDoS Rapid Response support to engage DDoS experts during an active attack.
8+
[Azure DDoS Protection](/azure/ddos-protection/ddos-protection-overview) provides countermeasures against the most sophisticated DDoS threats with [two tiers](/azure/ddos-protection/ddos-protection-sku-comparison#tiers).
9+
10+
- **DDoS Network Protection**: VNet-level protection plan covering multiple resources, includes DDoS Rapid Response support and cost protection guarantees
11+
- **DDoS IP Protection**: Pay-per-protected-IP model, no protection plan required, suitable for individual workloads.
912

1013
#### Business scenarios
1114

1215
- Implement always-on traffic monitoring, adaptive tuning, and mitigation scale.
1316
- Access multi-layered protection, including attack analytics, metrics, and alerting.
14-
- Receive support from the DDoS rapid response team.
17+
- Network protection with centralized management and Rapid Response support.
18+
- IP protection for individual workloads or cost-sensitive architectures.
1519

1620
### Azure Private Link
1721

@@ -25,7 +29,11 @@ Azure offers several networking services to help protect your network resources.
2529

2630
### Azure Firewall
2731

28-
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. Azure Firewall uses a static public IP address for your virtual network resources, which allows outside firewalls to identify traffic originating from your virtual network. Azure Firewall provides inbound protection for non-HTTP/S protocols (such as RDP, SSH, and FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.
32+
[Azure Firewall](/azure/firewall/overview) is a managed, cloud-based network security service available in three tiers:
33+
- **Basic**: Limited features, alert-only threat intelligence (not recommended for production).
34+
- **Standard**: Full stateful firewall, FQDN filtering, threat intelligence, log analytics.
35+
- **Premium**: Adds TLS inspection, IDPS with 67,000+ signatures, URL filtering, web categories, scales to 100 Gbps, PCI DSS compliance.
36+
2937

3038
#### Business scenarios
3139

@@ -45,7 +53,7 @@ Azure Firewall is a managed, cloud-based network security service that protects
4553
- React faster to security threats by centrally patching known vulnerabilities instead of securing individual web apps.
4654
- Deploy Web Application Firewall with Application Gateway, Front Door, and Content Delivery Network.
4755

48-
### Azure virtual network security groups
56+
### Azure network security groups
4957

5058
You can filter network traffic to and from Azure resources in an Azure virtual network with [Azure network security group (NSGs)](/azure/virtual-network/network-security-groups-overview). You can use a network virtual appliance (NVA) such as Azure Firewall or firewalls from other vendors.
5159

@@ -58,4 +66,4 @@ NSGs contain two sets of rules: inbound and outbound. The priority for a rule mu
5866
- Control how Azure routes traffic from subnets.
5967
- Limit the users in an organization who can work with resources in virtual networks.
6068
- Restrict traffic to an individual NIC by associating an NSG directly to a NIC.
61-
- Combine NSGs with JIT access to restrict access to your virtual machine management ports.
69+
- Combine NSGs with JIT access to restrict access to your virtual machine management ports.
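Review bot: the removed line 61 and the added line 69 are textually identical, so this hunk is a whitespace-only change (most likely the trailing newline at end of file); harmless, but revert it if it was not intended so the diff shows only content changes.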

learn-pr/wwl-azure/design-network-solutions/index.yml

Lines changed: 1 addition & 1 deletion
@@ -5,7 +5,7 @@ metadata:
55
prefetch-feature-rollout: true
66
title: Design Network Solutions
77
description: "Azure Architects design and recommend network solutions."
8-
ms.date: 01/26/2026
8+
ms.date: 03/23/2026
99
author: wwlpublish
1010
ms.author: cynthist
1111
ms.topic: module
