
Choose Hybrid SMB Share Access Path | Azure AZ-104

Jeff Taakey, Author
21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.

While preparing for the Azure AZ-104: Microsoft Azure Administrator exam, many candidates struggle with hybrid connectivity scenarios involving legacy on-premises resources. In the enterprise world, this decision often hinges on maintaining secure connectivity with minimal latency while adhering to strict corporate network policies. Let’s drill into a simulated hybrid migration scenario.

The Scenario

Tailspin Manufacturing operates a corporate on-premises data center that hosts a critical SMB file share called DocsShare. The company has recently migrated key web applications into Azure, including a web app named TailspinWebApp deployed in an Azure virtual network named TailspinVNet. Tailspin requires that TailspinWebApp securely connect to the on-premises DocsShare to access shared documents as part of its workflow.

Key Requirements

Ensure that the Azure web app TailspinWebApp can access the on-premises SMB share DocsShare securely and reliably with minimal administrative overhead.

The Options

  • A) Deploy an Azure Application Gateway in front of TailspinWebApp
  • B) Configure Azure Active Directory Application Proxy to publish DocsShare
  • C) Establish an Azure Virtual Network Gateway for site-to-site VPN connectivity between TailspinVNet and the on-premises network
  • D) No additional configuration is required

Correct Answer

C) Establish an Azure Virtual Network Gateway for site-to-site VPN connectivity between TailspinVNet and the on-premises network

Step-by-Step Winning Logic

The core challenge is enabling bi-directional, session-aware SMB traffic between an Azure App Service (which reaches into a VNet through regional VNet integration) and an on-premises file share. Azure Application Gateway (Option A) is a Layer-7 load balancer and web traffic manager; it does not provide network-layer connectivity to SMB shares. Azure AD Application Proxy (Option B) is designed for publishing web applications over HTTP/S and is not suitable for the SMB protocol. Option D ignores the need for network bridging.

By deploying a Virtual Network Gateway and configuring a site-to-site VPN, Tailspin establishes a secure IPsec/IKE tunnel between the Azure virtual network and the on-premises network. TailspinWebApp, running in Azure App Service with VNet integration, can then reach the SMB share across the VPN as if it were on the local network. This design pattern is consistent with the Microsoft Well-Architected Framework pillars of:

  • Reliability: Ensures a persistent and encrypted connection.
  • Security: Data in transit is protected by VPN encryption; network access is enforced by NSGs.
  • Operational Excellence: Supports monitoring and diagnostics through Azure Network Watcher and logs.
  • Cost Optimization: VPN Gateway offers a cost-effective hybrid connectivity option compared to ExpressRoute.
  • Performance Efficiency: Adequate throughput and concurrency for SMB workloads.
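The following script is an added worked example of the Option C design; it is not code from the original article or from Tailspin. It plans (and, with APPLY=1, executes) the Azure CLI steps behind the winning logic: a GatewaySubnet, a route-based Virtual Network Gateway, a local network gateway describing the on-premises side, the IPsec connection, and regional VNet integration for TailspinWebApp so its outbound SMB traffic (TCP 445) egresses into the VNet and follows the gateway's route to DocsShare. Before emitting any command it runs the checks a practitioner wants: the on-premises address space must not overlap the VNet (otherwise the tunnel routes nothing useful), the GatewaySubnet and integration subnet must sit inside the VNet without overlapping each other, and the IKE pre-shared key must come from the environment rather than the script. The resource group, region, address prefixes, subnet name and on-premises VPN IP are constructed placeholders; only TailspinVNet and TailspinWebApp come from the scenario.

```shell
#!/bin/sh
# Added example (not from the original article): plan or apply the site-to-site VPN
# between TailspinVNet and the on-premises network, plus regional VNet integration
# for TailspinWebApp. All values except the VNet and web app names are placeholders.
# Default run prints the plan; APPLY=1 VPN_SHARED_KEY=... executes the az commands.
set -eu

RG="rg-tailspin"                    # assumed resource group
LOCATION="eastus"                   # assumed region
VNET="TailspinVNet"
VNET_PREFIX="10.10.0.0/16"          # assumed VNet address space
GW_SUBNET_PREFIX="10.10.255.0/27"   # GatewaySubnet (Azure recommends /27 or larger)
INTEG_SUBNET="snet-appsvc"          # assumed App Service integration subnet
INTEG_PREFIX="10.10.1.0/24"
ONPREM_PREFIX="192.168.0.0/16"      # assumed on-premises address space hosting DocsShare
ONPREM_VPN_IP="203.0.113.10"        # placeholder public IP of the on-prem VPN device
WEBAPP="TailspinWebApp"
APPLY="${APPLY:-0}"                 # 0 = print the plan, 1 = execute it
if [ "$APPLY" != "1" ]; then VPN_SHARED_KEY="${VPN_SHARED_KEY:-<placeholder-from-key-vault>}"; fi

# --- CIDR helpers: the tunnel only routes correctly when the two sides do not overlap ---
ip_to_int() {                       # dotted quad -> 32-bit integer
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
cidr_range() {                      # "a.b.c.d/len" -> "first last" as integers
  local ip="${1%/*}" len="${1#*/}" base mask
  base=$(ip_to_int "$ip")
  if [ "$len" -eq 0 ]; then mask=0; else mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF )); fi
  echo "$(( base & mask )) $(( (base & mask) | (~mask & 0xFFFFFFFF) ))"
}
prefix_len() { echo "${1#*/}"; }
cidr_overlap() {                    # true when the two ranges share any address
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}
cidr_contains() {                   # true when the second CIDR lies inside the first
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ "$1" -le "$3" ] && [ "$4" -le "$2" ]
}

validate_plan() {
  if cidr_overlap "$VNET_PREFIX" "$ONPREM_PREFIX"; then
    echo "ERROR: VNet $VNET_PREFIX overlaps on-premises $ONPREM_PREFIX; S2S routing would break" >&2; return 1
  fi
  cidr_contains "$VNET_PREFIX" "$GW_SUBNET_PREFIX" || { echo "ERROR: GatewaySubnet outside the VNet" >&2; return 1; }
  cidr_contains "$VNET_PREFIX" "$INTEG_PREFIX" || { echo "ERROR: integration subnet outside the VNet" >&2; return 1; }
  ! cidr_overlap "$GW_SUBNET_PREFIX" "$INTEG_PREFIX" || { echo "ERROR: GatewaySubnet and integration subnet overlap" >&2; return 1; }
  [ "$(prefix_len "$GW_SUBNET_PREFIX")" -le 27 ] || { echo "ERROR: GatewaySubnet smaller than /27" >&2; return 1; }
  [ -n "${VPN_SHARED_KEY:-}" ] || { echo "ERROR: VPN_SHARED_KEY not set (read it from your secret store)" >&2; return 1; }
}

run() { if [ "$APPLY" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi; }

deploy() {
  validate_plan
  # Azure side of the tunnel: GatewaySubnet, public IP, route-based VPN gateway (creation can take up to 45 minutes)
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n GatewaySubnet --address-prefixes "$GW_SUBNET_PREFIX"
  run az network public-ip create -g "$RG" -n "pip-${VNET}-vgw" --sku Standard --allocation-method Static
  run az network vnet-gateway create -g "$RG" -n "vgw-${VNET}" -l "$LOCATION" --vnet "$VNET" \
      --public-ip-addresses "pip-${VNET}-vgw" --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1
  # On-premises side: the local network gateway tells Azure which prefixes to route through the tunnel
  run az network local-gateway create -g "$RG" -n lgw-onprem -l "$LOCATION" \
      --gateway-ip-address "$ONPREM_VPN_IP" --local-address-prefixes "$ONPREM_PREFIX"
  # The pre-shared key is passed on the command line and so is visible in the process list; run from a dedicated runner
  run az network vpn-connection create -g "$RG" -n cn-tailspin-onprem -l "$LOCATION" \
      --vnet-gateway1 "vgw-${VNET}" --local-gateway2 lgw-onprem --shared-key "$VPN_SHARED_KEY"
  # Web app side: a delegated subnet plus regional VNet integration, so outbound SMB (TCP 445)
  # from TailspinWebApp egresses into the VNet and follows the gateway's route to DocsShare
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n "$INTEG_SUBNET" \
      --address-prefixes "$INTEG_PREFIX" --delegations Microsoft.Web/serverFarms
  run az webapp vnet-integration add -g "$RG" -n "$WEBAPP" --vnet "$VNET" --subnet "$INTEG_SUBNET"
  # Check: connectionStatus should read "Connected" once IKE negotiation with the on-prem device completes
  run az network vpn-connection show -g "$RG" -n cn-tailspin-onprem --query connectionStatus -o tsv
}

deploy
```

Run it once without APPLY to review the printed commands and confirm the address-space checks pass against your real prefixes, then re-run with APPLY=1 and VPN_SHARED_KEY exported from your secret store. The on-premises VPN device still needs a matching IPsec/IKE policy and the same pre-shared key; the connectionStatus query is the quickest way to tell whether that negotiation succeeded.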

The Architect’s Analysis

The Trap (Distractor Analysis)

  • Why not A? Azure Application Gateway does not support SMB protocols or on-premises network bridging; it’s designed for HTTP(S) load balancing only.
  • Why not B? Azure AD Application Proxy is an HTTP reverse proxy, unsuitable for SMB or other file-level protocols.
  • Why not D? No default connectivity exists between the Azure web app and on-prem SMB shares without explicit networking setup.

The Architect Blueprint

Mermaid Diagram illustrating the VPN-based connectivity flow.

    graph TD
        WebApp["TailspinWebApp (Azure App Service)"]
        VNet[TailspinVNet]
        VPN["Azure Virtual Network Gateway (Site-to-Site VPN)"]
        OnPrem[On-Premises Network]
        SMB["DocsShare (SMB File Share)"]
        WebApp -->|VNet Integration| VNet
        VNet --> VPN
        VPN --> OnPrem
        OnPrem --> SMB
        style VNet fill:#0078D4,stroke:#333,color:#fff
        style VPN fill:#5C2D91,stroke:#333,color:#fff
        style OnPrem fill:#2D7D46,stroke:#333,color:#fff

Diagram Note: This shows the Azure App Service integrated with the Azure VNet, routed through a site-to-site VPN to the on-premises network hosting the SMB share.

The Decision Matrix (Mandatory for Associate Level)

| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| A) App Gateway | Medium | Moderate (~$100+) | Handles HTTP(S) traffic, WAF capability | No SMB or on-premises network support |
| B) AD App Proxy | Low | Low (~$0 if Azure AD P1) | Quick publishing of web apps, Azure AD integration | Not compatible with SMB protocol |
| C) Virtual Network Gateway | Medium to High | $30-$200+ depending on SKU | Secure hybrid connectivity, works with SMB | VPN setup complexity, incurs gateway hourly costs |
| D) None | None | $0 | No costs | No connectivity, fails requirement |

Real-World Practitioner Insight

Exam Rule

For the exam, always pick Virtual Network Gateway site-to-site VPN when the scenario requires secure network connectivity from Azure VNets to on-premises resources, especially for legacy protocols like SMB.

Real World

Many enterprises start with a site-to-site VPN for hybrid connectivity due to relatively low setup cost and native Azure integration. As bandwidth demands grow or compliance requires, they may transition to ExpressRoute for private, dedicated connectivity.
