Merge pull request #53952 from Rob-Barefoot/rb-networking

initial push

Author: JamesJBarnett

learn-pr/wwl-azure/describe-azure-networking-services/1-introduction.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.describe-azure-networking-services.introduction
+title: Introduction
+metadata:
+  title: Introduction
+  description: "Introduction"
+  ms.date: 03/06/2026
+  author: wwlpublish
+  ms.author: robbarefoot
+  ms.topic: unit
+  ms.custom:
+  - N/A
+durationInMinutes: 1
+content: |
+  [!include[](includes/1-introduction.md)]

learn-pr/wwl-azure/describe-azure-networking-services/2-virtual-network.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.describe-azure-networking-services.virtual-network
+title: Describe Azure virtual networking
+metadata:
+  title: Describe Azure virtual networking
+  description: "Describe Azure virtual networking"
+  ms.date: 09/20/2024
+  author: wwlpublish
+  ms.author: robbarefoot
+  ms.topic: unit
+  ms.custom:
+  - N/A
+durationInMinutes: 5
+content: |
+  [!include[](includes/2-virtual-network.md)]

learn-pr/wwl-azure/describe-azure-networking-services/3-virtual-private-networks.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.describe-azure-networking-services.virtual-private-networks
+title: Describe Azure virtual private networks
+metadata:
+  title: Describe Azure virtual private networks
+  description: "Describe Azure virtual private networks"
+  ms.date: 09/20/2024
+  author: wwlpublish
+  ms.author: robbarefoot
+  ms.topic: unit
+  ms.custom:
+  - N/A
+durationInMinutes: 5
+content: |
+  [!include[](includes/3-virtual-private-networks.md)]

learn-pr/wwl-azure/describe-azure-networking-services/4-expressroute.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.describe-azure-networking-services.expressroute
+title: Describe Azure ExpressRoute
+metadata:
+  title: Describe Azure ExpressRoute
+  description: "Describe Azure ExpressRoute"
+  ms.date: 09/20/2024
+  author: wwlpublish
+  ms.author: robbarefoot
+  ms.topic: unit
+  ms.custom:
+  - N/A
+durationInMinutes: 4
+content: |
+  [!include[](includes/4-expressroute.md)]

learn-pr/wwl-azure/describe-azure-networking-services/5-domain-name-system.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.describe-azure-networking-services.domain-name-system
+title: Describe Azure DNS
+metadata:
+  title: Describe Azure DNS
+  description: "Describe Azure DNS"
+  ms.date: 09/20/2024
+  author: wwlpublish
+  ms.author: robbarefoot
+  ms.topic: unit
+  ms.custom:
+  - N/A
+durationInMinutes: 3
+content: |
+  [!include[](includes/5-domain-name-system.md)]

learn-pr/wwl-azure/describe-azure-networking-services/6-knowledge-check.yml

@@ -0,0 +1,63 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.describe-azure-networking-services.knowledge-check
+title: Module assessment
+metadata:
+  title: Module assessment
+  description: "Knowledge check"
+  ms.date: 03/06/2026
+  author: wwlpublish
+  ms.author: robbarefoot
+  ms.topic: unit
+  ms.custom:
+  - N/A
+  module_assessment: true
+durationInMinutes: 4
+content: |
+  [!include[](includes/6-knowledge-check.md)]
+quiz:
+  title: "Check your knowledge"
+  questions:
+  - content: "Which Azure networking feature lets you divide a virtual network into smaller logical segments?"
+    choices:
+    - content: "Subnets"
+      isCorrect: true
+      explanation: "Subnets segment an Azure virtual network into smaller address ranges that you can use to organize and secure resources."
+    - content: "Availability sets"
+      isCorrect: false
+      explanation: "Availability sets are used with virtual machines for resiliency, not for virtual network segmentation."
+    - content: "Resource locks"
+      isCorrect: false
+      explanation: "Resource locks protect resources from deletion or modification, but they don't segment network address space."
+  - content: "If a company needs private, predictable connectivity between an on-premises datacenter and Azure, which service is the best fit?"
+    choices:
+    - content: "Azure ExpressRoute"
+      isCorrect: true
+      explanation: "ExpressRoute provides private connectivity to Azure without sending traffic over the public internet."
+    - content: "Azure Front Door"
+      isCorrect: false
+      explanation: "Azure Front Door is an application delivery and acceleration service, not a private on-premises connectivity service."
+    - content: "Azure Load Balancer"
+      isCorrect: false
+      explanation: "Azure Load Balancer distributes traffic within Azure workloads, but it doesn't provide dedicated private connectivity from on-premises sites."
+  - content: "Which VPN gateway type is recommended in Azure for connections between virtual networks and for multisite scenarios?"
+    choices:
+    - content: "Route-based VPN gateway"
+      isCorrect: true
+      explanation: "Route-based VPN gateways are the preferred option for virtual network-to-virtual network and multisite configurations."
+    - content: "Policy-based VPN gateway"
+      isCorrect: false
+      explanation: "Policy-based gateways support specific scenarios, but route-based gateways are preferred for broader Azure connectivity patterns."
+    - content: "Point-based VPN gateway"
+      isCorrect: false
+      explanation: "Point-based VPN gateway isn't an Azure gateway type."
+  - content: "What is a primary benefit of Azure DNS?"
+    choices:
+    - content: "You can manage DNS records using Azure credentials and tools"
+      isCorrect: true
+      explanation: "Azure DNS integrates with Azure Resource Manager, so you manage DNS records with the same credentials, APIs, and tools used for other Azure resources."
+    - content: "It provides a built-in domain registrar for all domains"
+      isCorrect: false
+      explanation: "Azure DNS hosts and manages DNS records, but it doesn't replace all domain registration services."
+    - content: "It removes the need for all network security controls"
+      isCorrect: false
+      explanation: "Azure DNS helps with name resolution and DNS management, but network security controls are still required."

learn-pr/wwl-azure/describe-azure-networking-services/7-summary.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.describe-azure-networking-services.summary
+title: Summary
+metadata:
+  title: Summary
+  description: "Summary"
+  ms.date: 03/06/2026
+  author: wwlpublish
+  ms.author: robbarefoot
+  ms.topic: unit
+  ms.custom:
+  - N/A
+durationInMinutes: 2
+content: |
+  [!include[](includes/7-summary.md)]

learn-pr/wwl-azure/describe-azure-networking-services/includes/1-introduction.md

@@ -0,0 +1,11 @@
+This module introduces Azure networking services that help you connect, secure, and route traffic between resources. You explore foundational capabilities for communication within Azure, between Azure and on-premises environments, and across internet-connected clients.
+
+## Learning objectives
+
+After completing this module, you'll be able to:
+
+ -  Describe Azure virtual networking, including subnets and endpoints.
+ -  Describe connectivity options with Azure VPN Gateway.
+ -  Describe when to use Azure ExpressRoute.
+ -  Describe Azure DNS capabilities.
+ -  Configure basic network access for an Azure resource.

learn-pr/wwl-azure/describe-azure-networking-services/includes/2-virtual-network.md

@@ -0,0 +1,65 @@
+Azure virtual networks and virtual subnets enable Azure resources, such as VMs, web apps, and databases, to communicate with each other, with users on the internet, and with your on-premises client computers. You can think of an Azure network as an extension of your on-premises network with resources that link other Azure resources.
+
+Azure virtual networks provide the following key networking capabilities:
+
+ -  Isolation and segmentation
+ -  Internet communications
+ -  Communicate between Azure resources
+ -  Communicate with on-premises resources
+ -  Route network traffic
+ -  Filter network traffic
+ -  Connect virtual networks
+
+Azure virtual networking supports both public and private endpoints to enable communication between external or internal resources with other internal resources.
+
+ -  Public endpoints have a public IP address and can be accessed from anywhere in the world.
+ -  Private endpoints exist within a virtual network and have a private IP address from within the address space of that virtual network.
+
+## Isolation and segmentation
+
+Azure Virtual Network lets you create multiple isolated virtual networks. When you set up a virtual network, you define a private IP address space by using either public or private IP address ranges. The IP range only exists within the virtual network and isn't internet routable. You can divide that IP address space into subnets and allocate part of the defined address space to each named subnet.
+
+For name resolution, you can use the name resolution service built into Azure. You also can configure the virtual network to use either an internal or an external DNS server.
+
+## Internet communications
+
+You can enable incoming connections from the internet by assigning a public IP address to an Azure resource, or putting the resource behind a public load balancer.
+
+## Communicate between Azure resources
+
+Azure resources can communicate securely with each other in one of two ways:
+
+ -  Virtual networks can connect not only VMs but other Azure resources, such as the App Service Environment for Power Apps, Azure Kubernetes Service, and Azure virtual machine scale sets.
+ -  Service endpoints can connect to other Azure resource types, such as Azure SQL databases and storage accounts. This approach lets you link multiple Azure resources to virtual networks to improve security and provide optimal routing between resources.
+
+## Communicate with on-premises resources
+
+Azure virtual networks let you link resources together in your on-premises environment and within your Azure subscription. In effect, you can create a network that spans both your local and cloud environments. There are three ways to achieve this connectivity:
+
+ -  Point-to-site virtual private network connections are from a computer outside your environment back into your private network. In this case, the client computer initiates an encrypted VPN connection to connect to the Azure virtual network.
+ -  Site-to-site virtual private networks link your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network. In effect, the devices in Azure can appear as being on the local network. The connection is encrypted and works over the internet.
+ -  Azure ExpressRoute provides a dedicated private connectivity to Azure that doesn't travel over the internet. ExpressRoute is useful for environments where you need greater bandwidth and even higher levels of security.
+
+## Route network traffic
+
+By default, Azure routes traffic between subnets on any connected virtual networks, on-premises networks, and the internet. You also can control routing and override those settings, as follows:
+
+ -  Route tables let you define rules about how traffic should be directed. You can create custom route tables that control how packets are routed between subnets.
+ -  Border Gateway Protocol (BGP) works with Azure VPN gateways, Azure Route Server, or Azure ExpressRoute to propagate on-premises BGP routes to Azure virtual networks.
+ -  User-defined routes (UDR) let you control the routing tables between subnets within a virtual network or between virtual networks, giving you greater control over network traffic flow.
+
+## Filter network traffic
+
+Azure virtual networks let you filter traffic between subnets by using the following approaches:
+
+ -  Network security groups are Azure resources that can contain multiple inbound and outbound security rules. You can define these rules to allow or block traffic, based on factors such as source and destination IP address, port, and protocol.
+ -  Network virtual appliances are specialized VMs that can be compared to a hardened network appliance. A network virtual appliance carries out a particular network function, such as running a firewall or performing wide area network (WAN) optimization.
+
+:::image type="content" source="../media/virtual-network-filter-stack.png" alt-text="Diagram showing an inbound packet flowing through NSG security rules and then through a network virtual appliance before reaching the target VM.":::
+
+## Connect virtual networks
+
+You can link virtual networks together by using virtual network peering. Peering allows two virtual networks to connect directly to each other. Network traffic between peered networks is private, and travels on the Microsoft backbone network, never entering the public internet. Peering enables resources in each virtual network to communicate with each other. These virtual networks can be in separate regions, which lets you create a global interconnected network through Azure.
+
+:::image type="content" source="../media/virtual-network-peering-backbone.png" alt-text="Diagram of two peered Azure virtual networks in separate regions connected over the Microsoft private backbone network.":::
+

learn-pr/wwl-azure/describe-azure-networking-services/includes/3-virtual-private-networks.md

@@ -0,0 +1,52 @@
+A virtual private network (VPN) uses an encrypted tunnel within another network. VPNs are typically deployed to connect two or more trusted private networks to one another over an untrusted network (typically the public internet). Traffic is encrypted while traveling over the untrusted network to prevent eavesdropping or other attacks. VPNs can enable networks to safely and securely share sensitive information.
+
+## VPN gateways
+
+A VPN gateway is a type of virtual network gateway. Azure VPN Gateway instances are deployed in a dedicated subnet of the virtual network and enable the following connectivity:
+
+:::image type="content" source="../media/connectivity-models.png" alt-text="Diagram comparing point-to-site, site-to-site, and network-to-network VPN connectivity models, all encrypted through private tunnels.":::
+
+ -  Connect on-premises datacenters to virtual networks through a site-to-site connection.
+ -  Connect individual devices to virtual networks through a point-to-site connection.
+ -  Connect virtual networks to other virtual networks through a network-to-network connection.
+
+All data transfer is encrypted inside a private tunnel as it crosses the internet. You can deploy only one VPN gateway in each virtual network. However, you can use one gateway to connect to multiple locations, which includes other virtual networks or on-premises datacenters.
+
+When setting up a VPN gateway, you must specify the type of VPN - either policy-based or route-based. The primary distinction between these two types is how they determine which traffic needs encryption. In Azure, regardless of the VPN type, the method of authentication employed is a preshared key.
+
+ -  Policy-based VPN gateways specify statically the IP address of packets that should be encrypted through each tunnel. This type of device evaluates every data packet against those sets of IP addresses to choose the tunnel through which that packet is sent.
+ -  In route-based gateways, IPSec tunnels are modeled as a network interface or virtual tunnel interface. IP routing (either static routes or dynamic routing protocols) decides which one of these tunnel interfaces to use when sending each packet. Route-based VPNs are the preferred connection method for on-premises devices. They're more resilient to topology changes such as the creation of new subnets.
+
+Use a route-based VPN gateway if you need any of the following types of connectivity:
+
+ -  Connections between virtual networks
+ -  Point-to-site connections
+ -  Multisite connections
+ -  Coexistence with an Azure ExpressRoute gateway
+
+## High-availability scenarios
+
+If you're configuring a VPN to keep your information safe, you also want to make sure it's a highly available and fault-tolerant VPN configuration. There are a few ways to maximize the resiliency of your VPN gateway.
+
+### Active/standby
+
+:::image type="content" source="../media/active-standby.png" alt-text="Diagram showing an active-standby VPN gateway pair where the standby instance takes over during failover.":::
+
+By default, VPN gateways are deployed as two instances in an active/standby configuration, even if you only see one VPN gateway resource in Azure. When planned maintenance or unplanned disruption affects the active instance, the standby instance automatically assumes responsibility for connections without any user intervention. Connections are interrupted during this failover, but they're typically restored within a few seconds for planned maintenance and within 90 seconds for unplanned disruptions.
+
+### Active/active
+
+:::image type="content" source="../media/active-active.png" alt-text="Diagram showing an active-active VPN gateway configuration with BGP routing and dual tunnels.":::
+
+With the introduction of support for the BGP routing protocol, you can also deploy VPN gateways in an active/active configuration. In this configuration, you assign a unique public IP address to each instance. You then create separate tunnels from the on-premises device to each IP address. You can extend the high availability by deploying an additional VPN device on-premises.
+
+### ExpressRoute failover
+
+Another high-availability option is to configure a VPN gateway as a secure failover path for ExpressRoute connections. ExpressRoute circuits have resiliency built in. However, they aren't immune to physical problems that affect the cables delivering connectivity or outages that affect the complete ExpressRoute location. In high-availability scenarios, where there's risk associated with an outage of an ExpressRoute circuit, you can also provision a VPN gateway that uses the internet as an alternative method of connectivity. In this way, you can ensure there's always a connection to the virtual networks.
+
+### Zone-redundant gateways
+
+:::image type="content" source="../media/zone-redundant.png" alt-text="Diagram showing a zone-redundant VPN gateway deployed across availability zones.":::
+
+In regions that support availability zones, VPN gateways and ExpressRoute gateways can be deployed in a zone-redundant configuration. This configuration brings resiliency, scalability, and higher availability to virtual network gateways. Deploying gateways in Azure availability zones physically and logically separates gateways within a region while protecting your on-premises network connectivity to Azure from zone-level failures. These gateways require different gateway stock keeping units (SKUs) and use Standard public IP addresses instead of Basic public IP addresses.
+