Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article compares the core networking services that Azure and Amazon Web Services (AWS) offer.
For links to articles that compare other AWS and Azure services and a complete service mapping between AWS and Azure, see Azure for AWS professionals.
Azure virtual networks and AWS VPCs
Azure virtual networks and AWS virtual private clouds (VPCs) are similar in that they both provide isolated, logically defined network spaces within their respective cloud platforms. There are, however, key differences in terms of architecture, features, and integration.
Subnet placement. In AWS, each subnet is bound to a single Availability Zone, so achieving zonal redundancy requires creating one subnet per Availability Zone. In Azure, a subnet is a regional construct that spans all availability zones in the region. Resources deployed into the same subnet can reside in different availability zones and use the same subnet CIDR or address space. If you redeploy or move a given resource into a different availability zone, the resource's private IP address might or might not be preserved, depending on the resource type and how you redeploy or move it.
Security models. AWS layers stateful security groups (attached to ENIs) with stateless network ACLs (applied at the subnet boundary). Azure uses stateful network security groups (NSGs), which can be applied at the subnet or NIC level, and application security groups, which you can use to create NSG rules by using logical workload tags instead of IP ranges. The latter approach is conceptually similar to AWS security groups that reference other security groups. For deeper inspection, Azure Firewall provides a managed, stateful, cloud-native firewall with FQDN filtering, threat intelligence, and optional IDPS/TLS inspection, similar to AWS Network Firewall.
Peering. Both Azure and AWS support virtual network / VPC peering. Both technologies allow more complex peering via Azure Virtual WAN or AWS Transit Gateway.
VPN
Both AWS Site-to-Site VPN and Azure VPN Gateway are robust solutions for connecting on-premises networks to the cloud. They provide similar features, but there's a notable difference with performance. VPN Gateway offers higher throughput for certain configurations (up to 10 Gbps), whereas Site-to-Site VPN generally ranges between 1.25 Gbps and 5 Gbps per connection (using ECMP).
Elastic Load Balancing, Azure Load Balancer, and Azure Application Gateway
The Azure equivalents of the Elastic Load Balancing services are:
Load Balancer provides the same network layer 4 capabilities as the AWS Network Load Balancer, so you can distribute traffic for multiple VMs at the network level. It also provides failover capability.
Application Gateway provides application-level rule-based routing comparable to that of the AWS Application Load Balancer.
Route 53, Azure DNS, and Azure Traffic Manager
In AWS, Route 53 provides both DNS name management and DNS-level traffic routing and failover services. In Azure, two services handle these tasks:
Azure DNS provides domain and DNS management.
Traffic Manager provides DNS-level traffic routing, load balancing, and failover capabilities.
AWS Direct Connect and Azure ExpressRoute
AWS Direct Connect can link a network directly to AWS. Azure provides similar site-to-site dedicated connections through ExpressRoute. You can use ExpressRoute to connect your local network directly to Azure resources by using a dedicated private network connection. Both Azure and AWS offer site-to-site VPN connections.
Route tables
AWS route tables contain routes that direct traffic from a subnet or gateway subnet to the destination. In Azure, the corresponding feature is called user-defined routes.
With user-defined routes, you can create custom or user-defined (static) routes. These routes override the default Azure system routes. You can also add more routes to a subnet's route table.
Azure Private Link
Private Link is similar to AWS PrivateLink. Azure Private Link provides private connectivity from a virtual network to an Azure platform as a service (PaaS) solution, a customer-owned service, or a Microsoft partner service.
VPC peering and virtual network peering
In AWS, a VPC peering connection is a networking connection between two VPCs. You can use this connection to route traffic between the VPCs by using private Internet Protocol version 4 (IPv4) addresses or Internet Protocol version 6 (IPv6) addresses.
You can use Azure virtual network peering to connect two or more virtual networks in Azure. For connectivity purposes, the virtual networks appear as one. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Like traffic between virtual machines in a single network, traffic is routed only through the Microsoft private network.
Neither virtual networks nor VPCs allow transitive peering. In Azure, however, you can achieve transitive networking by using network virtual appliances (NVAs) or gateways in the hub virtual network.
Network service comparison
| Area | AWS service | Azure service | Description |
|---|---|---|---|
| Cloud virtual networking | Virtual Private Cloud (VPC) | Virtual Network | These services provide an isolated private environment in the cloud. You have control over your virtual networking environment, including the selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. In AWS, each subnet must reside in one availability zone. In Azure, subnets can span multiple availability zones. |
| NAT gateways | AWS NAT gateways | Azure NAT Gateway | These services simplify outbound-only Internet connectivity for virtual networks. On a subnet, you can configure all outbound connectivity to use static public IP addresses that you specify. Outbound connectivity is possible without a load balancer or public IP addresses directly attached to virtual machines. AWS NAT gateways can be associated with only a single public IP. Azure NAT gateways can have multiple public IPs. |
| Cross-premises connectivity | Site-to-Site VPN | VPN Gateway | AWS Site-to-Site VPN and Azure VPN Gateway provide enhanced-security, reliable VPN connections with high availability and support for industry-standard protocols. The key differences are in their integration with other cloud services and in specific features like route-based and policy-based VPNs in Azure. AWS VPN provides a maximum of 5-Gbps throughput, whereas Azure provides up to 10 Gbps. |
| DNS management | Route 53 | Azure DNS | Azure DNS lets you manage your DNS records by using the same credentials and billing and support contract that you use for your other Azure services. Both services support DNSSEC. |
| DNS-based routing | Route 53 | Traffic Manager | These services host domain names, route users to internet applications, connect user requests to datacenters, manage traffic to apps, and improve app availability with automatic failover. |
| Dedicated network | Direct Connect | ExpressRoute | These services establish a dedicated, private network connection from a location to the cloud provider (not over the internet). |
| Load balancing | Network Load Balancer | Load Balancer | Azure Load Balancer load balances traffic at layer 4 (TCP or UDP). Load Balancer also supports cross-subscription and global load balancing. |
| Application-level load balancing | Application Load Balancer | Application Gateway | Application Gateway is a layer 7 load balancer. It supports SSL termination, cookie-based session affinity, and round robin for load-balancing traffic. It also provides multi-site routing and security features. |
| Route tables | Custom Route Tables | User Defined Routes | These tables provide custom or user-defined (static) routes to override default system routes, or to add more routes to a subnet's route table. |
| Private link | PrivateLink | Azure Private Link | Azure Private Link provides private access to services that are hosted on the Azure platform. This keeps your data on the Microsoft network. |
| Private PaaS connectivity | VPC endpoints | Private Endpoint | Private Endpoint provides secured, private connectivity to various Azure platform as a service (PaaS) resources, over a backbone Microsoft private network. |
| Virtual network peering | VPC Peering | Virtual network peering | Virtual network peering is a mechanism that connects two virtual networks in the same region through the Azure backbone network. After they're peered, the two virtual networks appear as one for all connectivity purposes. |
| Content delivery networks | CloudFront | Azure Front Door | Azure Front Door is a modern cloud content delivery network (CDN) service that provides high performance, scalability, and secure user experiences for your content and applications. |
| Network monitoring | VPC Flow Logs | Azure Network Watcher | Azure Network Watcher allows you to monitor, diagnose, and analyze the traffic in Azure Virtual Network. |
| Network security | Security groups | Network security groups | These controls filter network traffic to and from resources in virtual network subnets. |
| Hub-and-spoke and global network hub | AWS Transit Gateway | Azure Virtual WAN | These services centralize network connectivity across many VPCs and virtual networks, on-premises sites, and remote users via a managed transit hub. Virtual WAN integrates natively with Azure Firewall, Azure DDoS Protection, and secure SD-WAN partners. AWS Transit Gateway supports up to 100 Border Gateway Protocol (BGP) prefixes per attachment. Virtual WAN private peering supports 1,000 BGP prefixes. |
| Global traffic acceleration (anycast on backbone) | AWS Global Accelerator | Azure Front Door / Azure cross-region load balancer | These services provide global anycast entry points on the provider's backbone network to improve application performance and availability across regions. Azure Front Door operates at layer 7 (HTTP/HTTPS) with integrated CDN and WAF. Azure cross-region Load Balancer operates at layer 4 for TCP/UDP, which closely matches AWS Global Accelerator's layer-4 behavior. Traffic Manager is DNS-based and is compared separately under DNS-based routing. |
| Cross-premises connectivity | AWS Direct Connect gateways | Azure ExpressRoute Global Reach | These services extend your on-premises networks to the cloud with dedicated private connections that span multiple regions. |
| Service mesh | AWS App Mesh (scheduled for end of support on September 30, 2026) / Amazon ECS Service Connect / Amazon VPC Lattice | Istio add-on for AKS | A service mesh provides traffic management, observability, and security for microservices communication. AWS App Mesh is no longer accepting new customers and is scheduled for retirement. AWS recommends ECS Service Connect, VPC Lattice, or direct ALB routing. The Istio add-on for Azure Kubernetes Service (AKS) provides a fully supported integration of the open-source Istio service mesh. |
| Service discovery | AWS Cloud Map | Built-in service discovery in AKS (CoreDNS) / Azure Container Apps / Azure Service Fabric naming service | AWS Cloud Map is a service registry that tracks dynamic application instances and exposes them via DNS or API. Azure provides equivalent functionality via platform-specific service discovery: CoreDNS in AKS, built-in name resolution in Container Apps, and the naming service in Service Fabric. Azure Private DNS, by contrast, is a managed DNS zone service for resolving custom domains inside a virtual network. |
| Managed firewall | AWS Network Firewall | Azure Firewall | These services provide managed, stateful, cloud-native firewall services for virtual networks. Both support traffic inspection with Suricata-compatible rules (AWS) or built-in threat intelligence (Azure), FQDN filtering, and centralized policy management. Azure Firewall is available in Standard, Premium (TLS inspection, IDPS), and Basic tiers. |
| Web application firewall | AWS WAF | Azure Web Application Firewall (on Application Gateway or Azure Front Door) | Layer 7 protection against common web exploits (OWASP Top 10, SQL injection, XSS). Both services support managed rule sets, custom rules, rate limiting, and bot protection. Azure Web Application Firewall is deployed as a feature of Application Gateway (regional) or Azure Front Door (global). |
| DDoS protection | AWS Shield Standard and AWS Shield Advanced | Azure DDoS Protection (Network Protection or IP Protection) / Azure basic infrastructure DDoS protection | These services provide protection against volumetric, protocol, and application-layer distributed denial of service (DDoS) attacks. Both platforms provide a free baseline tier (AWS Shield Standard or Azure basic infrastructure DDoS) that's enabled by default, and a paid advanced tier with detailed telemetry, attack analytics, cost protection, and access to a rapid response team. |
| Secure VM remote access | AWS Systems Manager Session Manager / EC2 Instance Connect Endpoint | Azure Bastion | These services provide secure RDP and SSH connectivity to virtual machines without exposing public IP addresses or opening inbound ports. Azure Bastion is a fully managed PaaS service that's deployed inside a virtual network. |
Networking architectures
| Architecture | Description |
|---|---|
| Deploy highly available NVAs | Learn how to deploy network virtual appliances for high availability in Azure. This article includes example architectures for ingress, egress, and both. |
| Hub-spoke network topology in Azure | Learn how to implement a hub-spoke topology in Azure, where the hub is a virtual network and the spokes are virtual networks that peer with the hub. |
| Implement a secure hybrid network | Learn how to implement a secure hybrid network that extends an on-premises network to Azure with a perimeter network between the on-premises network and an Azure virtual network. |
View all networking architectures.
Migration
If you plan to migrate an AWS workload to Azure, see Migrate networking from Amazon Web Services to Azure, which includes some specific example migration scenarios that might align to your use case.
Contributors
Microsoft maintains this article. The following contributors wrote this article.
Principal author:
- Konstantin Rekatas | Principal Cloud Solution Architect
Other contributors:
- Adam Cerini | Director, Partner Technology Strategist
- Juan Carlos Osorio | Cloud Solution Architect
To see nonpublic LinkedIn profiles, sign in to LinkedIn.
Next steps
- Create a virtual network by using the Azure portal
- Plan and design Azure virtual networks
- Azure network security best practices