Skip to content

High Level AWS & Azure Networking Comparison

I’ve been comparing the two platforms recently and wanted to lay out key differences so I can consolidate my thoughts and summarize key points. This is an active scratchpad.

New Networks

When creating a new network or VNET in Azure, a default subnet is created as part of the processes regardless if you specify it or not. In addition, all NSG’s are created with basic rules to allow internet and local network connectivity.

This is true for the default VPC in AWS as well. All required bits required to allow basic internet and local network connectivity. All subsequent VPC’s are created with nothing else required for connectivity and everything must be built manually.

Availability Zones

Azure’s subnets traverse availability zones, meaning multiple VM’s can each be in different AZ’s while still in the same subnet. AWS on the other hand is built on a platform where AZ’s are assigned to subnets. In order to place a VM into an AZ, the VM must be in the subnet associated with that AZ.

Route Tables

AWS subnets require a route table to be assigned. There is no assumed our inherited routes from the environment. This enables what is declared as private and public subnets. Private subnets do not have the required resources to allow internet connectivit. This is in contrast to Azure, where internet connectivity must be explicitly blocked via an NSG if isolation is desired. AWS route tables only include 1 default route, one for it’s local subnet.

Azure assumes some basic routes including internet access, local subnet and even Virtual Network access. The Virtual Network consist of everything that the VNET has knowledge of. This included peered VNETs, User Defined Routes, VPN Gateway declared subnets, and routes learned from Express Route connections via BGP.

Internet Gateways

There is no equivalent to an Internet Gateway in Azure. Within AWS, this is required to allow a route to the internet. There can only be one Internet Gateway per VPC.

NAT Gateway

Azure has no equivalent or a NAT Gateway. A Load Balancer can be configured to function as one in a pinch, but it’s not exactly ideal. AWS offers the NAT Gateway to allow all internet VM’s. This resource still relies on an Internet Gateway for WAN connectivity.


AWS requires that ACL’s are applied to each subnet. While Azure, allows the NSG to be applied to the Subnet, VM, Both, or even none.

Public IPs

AWS allows subnets to be configured to allocated public IP’s to all resources deployed within a subnet automatically, or manually at the resource. Both AWS and Azure apply public IP’s by associating them with the Network Interface of a resource. A resource win AWS cannot talk to the internet without either a public IP assigned or by using a NAT Gateway. Azure allows resources to reach the internet using dynamic NAT and does not require any user configured public IP association.