AWS and Azure: Networking Terminology Translation Chart

When working in multi-vendor environments, it can be useful to have tables that compare terminology from the vendors and differences between them. As I have also shared previously, the terminology translation between Brocade and Cisco Storage switching, below is an AWS vs Azure networking terminology translation chart. Note, this table is network/security focused. That’s why basic translations like “Instance = Virtual Machine” are missing.

Edits, corrections and additions are highly welcome! Please comment with your corrections or suggestions! 🙂




Virtual Private Cloud (VPC)

Virtual Network (VNET)





Direct Connect




Security Center



Activity Log





Application Load Balancer / Network Load Balancer

Load Balancer


Auto Scaling Groups (ASG)



Virtual Private Gateway (VGW) and Customer Gateway (CGW)

Virtual Network Gateway (VNG) (ExpressRoute version)

In AWS, VPG and CGW are used together, VPG representing AWS side and CGW representing customer side

Site-to-Site VPN


Virtual Network Gateway (VNG)

(VPN version)

Used for IPsec connectivity back to customer site.

In Azure there are two types of VNGs – one for ExpressRoute and another for IPsec VPN connectivity. Both functionalities are mutually exclusive – each VNG must only be used for one of the functionalities.

Client VPN Endpoints


Virtual Network Gateway (VNG)

(VPN version)

Used for IPsec/SSL VPN connectivity for end-users. As you can see, Azure use one terminology, VNG, for three different use cases, which are represented by four difference AWS equivalent services.

Transit Gateway

VNET Peering


Transit Gateway Route Tables

(not applicable)

In Azure, route tables for VNET Peers are automatically shared. ASGs, NSGs, Route Tables and/or BGP must be used to manage/limit traffic.

Security Group (SG)

Application Security Group (ASG)


Network ACL (NACL)

Network Security Group


Internet Gateway (IGW)

(not applicable)

In Azure VMs have access to Internet by default – can be removed easily

NAT Gateways (NGW)

(not applicable)

In Azure default route is pointed to “Internet” in route table – no need to create “NAT Gateways” or “NAT Instances”

Egress-only Internet Gateways

(not applicable)

In AWS these are used for IPv6 enabled instances for Internet access. In Azure, default route is simply pointed to “Internet” in the route table instead.

(not applicable)

User Defined Routes (UDR)

In AWS, routing within a VPC can only be controlled/manipulated by the instance itself. In Azure, UDRs can be used to control routing within and outside VNETs.

Route Tables

Route Tables


Elastic IPs

Public IP address

In both offerings, these are charged if unused. If used, the cost of public IPs gets absorbed by whatever services is using them.

Network Interface

Network Interface

A virtual network interface that is attached to the Instance/VM. It can be glued to VM or managed separately (for DR or other design considerations)

Interface Endpoint /

Gateway Endpoint

Service Endpoint

In AWS, S3 and DynamoDB are accessed using Gateway Endpoint (using internal DNS to access the service) while all other services that support Endpoints are accessed via Interface Endpoints attached to the appropriate VPC subnet (using private IP/DNS via attached Elastic Network Interface)

VPC Flow Logs

NSG Flow Logs

Both offerings allow logging of network flows (source/destination IP, port, protocol, direction).


Network Watcher Packet Capture

Azure’s Network Watcher also allows packet capture on VMs where Azure agent is installed – the packet capture is done on the VM (rather than on the network or hypervisor layer). NSG Flow Logs is a subcomponent of Network Watcher.


Connection Monitor

Network Watcher Connection Monitor enables you to configure and track connection reachability, latency, and network topology changes. If there is an issue, it tells you why it occurred and how to fix it.” (Azure Portal)


IP flow verify

Network Watcher IP flow verify checks if a packet is allowed or denied to or from a virtual machine based on 5-tuple information. The security group decision and the name of the rule that denied the packet is returned.” (Azure Portal)


Next hop verify

Next Hop provides the next hop from the target virtual machine to the destination IP address.” (Azure Portal)






Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at

Up ↑

%d bloggers like this: