Network Connectivity Design — Azure Fundamentals (AZ-900)
Dedicated Line or Encrypted Tunnel: Connectivity Constraint Decides
Requirement: connect an on-premises datacenter to Azure with consistent bandwidth and a compliance mandate for private connectivity. Competing choices: ExpressRoute for dedicated layer-3 connectivity bypassing the public internet, VPN Gateway for encrypted site-to-site tunnels over public internet, Virtual WAN for hub-and-spoke multi-branch routing, Virtual Network for cloud-internal segmentation only. The deciding constraint is whether the path transits the public internet. ExpressRoute is the only option that doesn't — and compliance scenarios almost always hinge on exactly that.
What This Pattern Tests
Network connectivity questions test whether you match the connectivity model to the topology requirement. Few connections need simple peering. Many connections need a central hub. On-premises connectivity needs VPN or dedicated links depending on bandwidth and latency requirements.
Decision Axis
Topology complexity and bandwidth requirements determine the connectivity approach.
Associated Traps
More Top Traps on This Exam
Decision Rules
When the scenario requires that hybrid traffic must not traverse the public internet AND guarantees consistent bandwidth, ExpressRoute is the correct choice; VPN Gateway is disqualified because its IPsec tunnel still routes over the public internet regardless of encryption.
Choose ExpressRoute when the requirement is a private dedicated circuit that bypasses the public internet entirely; choose VPN Gateway when cost-effective encrypted connectivity over the public internet is acceptable.
Domain Coverage
Difficulty Breakdown