AWS and Azure: Networking Terminology Translation Chart

AWS

Azure

Notes

Virtual Private Cloud (VPC)

Virtual Network (VNET)

Subnet

Subnet

Direct Connect

ExpressRoute

SecurityHub

Security Center

CloudTrail

Activity Log

CloudWatch

Monitor

Application Load Balancer / Network Load Balancer

Load Balancer

Auto Scaling Groups (ASG)

Autoscale

Virtual Private Gateway (VGW) and Customer Gateway (CGW)

Virtual Network Gateway (VNG) (ExpressRoute version)

In AWS, VPG and CGW are used together, VPG representing AWS side and CGW representing customer side

Site-to-Site VPN

(VGW)

Virtual Network Gateway (VNG)

(VPN version)

Used for IPsec connectivity back to customer site.

In Azure there are two types of VNGs – one for ExpressRoute and another for IPsec VPN connectivity. Both functionalities are mutually exclusive – each VNG must only be used for one of the functionalities.

Client VPN Endpoints

(VGW)

Virtual Network Gateway (VNG)

(VPN version)

Used for IPsec/SSL VPN connectivity for end-users. As you can see, Azure use one terminology, VNG, for three different use cases, which are represented by four difference AWS equivalent services.

Transit Gateway

VNET Peering

Transit Gateway Route Tables

(not applicable)

In Azure, route tables for VNET Peers are automatically shared. ASGs, NSGs, Route Tables and/or BGP must be used to manage/limit traffic.

Security Group (SG)

Application Security Group (ASG)

Network ACL (NACL)

Network Security Group

Internet Gateway (IGW)

(not applicable)

In Azure VMs have access to Internet by default – can be removed easily

NAT Gateways (NGW)

(not applicable)

In Azure default route is pointed to “Internet” in route table – no need to create “NAT Gateways” or “NAT Instances”

Egress-only Internet Gateways

(not applicable)

In AWS these are used for IPv6 enabled instances for Internet access. In Azure, default route is simply pointed to “Internet” in the route table instead.

(not applicable)

User Defined Routes (UDR)

In AWS, routing within a VPC can only be controlled/manipulated by the instance itself. In Azure, UDRs can be used to control routing within and outside VNETs.

Route Tables

Route Tables

Elastic IPs

Public IP address

In both offerings, these are charged if unused. If used, the cost of public IPs gets absorbed by whatever services is using them.

Network Interface

Network Interface

A virtual network interface that is attached to the Instance/VM. It can be glued to VM or managed separately (for DR or other design considerations)

Interface Endpoint /

Gateway Endpoint

Service Endpoint

In AWS, S3 and DynamoDB are accessed using Gateway Endpoint (using internal DNS to access the service) while all other services that support Endpoints are accessed via Interface Endpoints attached to the appropriate VPC subnet (using private IP/DNS via attached Elastic Network Interface)

VPC Flow Logs

NSG Flow Logs

Both offerings allow logging of network flows (source/destination IP, port, protocol, direction).

?

Network Watcher Packet Capture

Azure’s Network Watcher also allows packet capture on VMs where Azure agent is installed – the packet capture is done on the VM (rather than on the network or hypervisor layer). NSG Flow Logs is a subcomponent of Network Watcher.

?

Connection Monitor

“Network Watcher Connection Monitor enables you to configure and track connection reachability, latency, and network topology changes. If there is an issue, it tells you why it occurred and how to fix it.” (Azure Portal)

?

IP flow verify

“Network Watcher IP flow verify checks if a packet is allowed or denied to or from a virtual machine based on 5-tuple information. The security group decision and the name of the rule that denied the packet is returned.” (Azure Portal)

?

Next hop verify

“Next Hop provides the next hop from the target virtual machine to the destination IP address.” (Azure Portal)