Azure Virtual Networks

Securely connect your Azure resources and on-premises networks.

Introduction to Azure Virtual Networks

Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. It enables many types of Azure resources, such as Azure Virtual Machines (VMs), to communicate securely with each other, with the internet, and with your on-premises networks. VNet is a logical representation of your network in Azure, providing you with the benefits of cloud networking such as scalability, availability, and isolation.

Key Concepts

  • Address Space: A private IP address range defined for your VNet. This is typically a private IPv4 address range (e.g., 10.0.0.0/16).
  • Subnets: A VNet is segmented into one or more subnets. Each subnet is a range of IP addresses within the VNet's address space. You assign Azure resources to subnets.
  • Gateway Subnet: A dedicated subnet named GatewaySubnet is required for Azure VPN Gateway and ExpressRoute Gateway.
  • Network Security Groups (NSGs): NSGs act as a distributed firewall for VNet resources, allowing you to filter network traffic to and from Azure resources in an Azure virtual network.
  • Route Tables: Route tables contain routes that you define to override Azure's default system routes.
  • VNet Peering: VNet peering connects two Azure VNets, enabling resources in each VNet to communicate with each other. The VNets are peered together in a transitive relationship.
  • Service Endpoints: Service endpoints extend your VNet private address space and identity to Azure service resources, allowing secure access to Azure services over an optimized route from your VNet.

Creating a Virtual Network

You can create an Azure Virtual Network using the Azure portal, Azure CLI, Azure PowerShell, or ARM templates.

Tip: When planning your VNet, consider your IP addressing scheme carefully to avoid conflicts and allow for future expansion.

Here's a simplified Azure CLI example: 


az network vnet create \
  --resource-group MyResourceGroup \
  --name MyVNet \
  --address-prefix 10.0.0.0/16 \
  --subnet-name MySubnet \
  --subnet-prefix 10.0.1.0/24

Understanding Subnetting

Subnets divide your VNet into smaller network segments. This helps in organizing resources, managing traffic flow, and applying security policies. You can have multiple subnets within a VNet.

Consider the following when creating subnets:

  • Each subnet must have a unique name within the VNet.
  • Subnets must be within the VNet's address space.
  • The first four IP addresses and the last IP address in each subnet are reserved by Azure for IP addressing purposes.
  • A subnet can have a Network Security Group (NSG) and a route table associated with it.

Network Security Groups (NSGs)

NSGs are a crucial component for securing your VNet. They contain security rules that allow or deny network traffic to resources connected to Azure VNets. You can associate NSGs with subnets or individual network interfaces (NICs).

Rules are evaluated based on priority, and if no rule matches, the DenyAllInbound and AllowAllOutbound default rules are applied.

User-Defined Routes (UDRs)

UDRs allow you to control the routing of network traffic within your VNet and between your VNet and other networks. This is essential for scenarios like forcing internet traffic through a network virtual appliance (NVA) for inspection.

Note: User-defined routes are applied at the subnet level.

Virtual Network Peering

VNet peering enables you to connect Azure VNets, allowing resources in different VNets to communicate as if they were in the same network. Peering is non-transitive, meaning if VNet A is peered with VNet B, and VNet B is peered with VNet C, VNet A cannot directly communicate with VNet C through VNet B unless VNet A and VNet C are also explicitly peered.

Benefits of VNet peering include:

  • Low-bandwidth, high-latency connectivity.
  • All traffic between peered VNets stays on the Microsoft Azure backbone.
  • No downtime required to create or delete peering.

Hybrid Connectivity

Azure Virtual Networks can be connected to your on-premises networks using:

  • Site-to-Site VPN: Connects your on-premises network to Azure through an IPsec/IKE VPN tunnel.
  • Point-to-Site VPN: Connects individual client devices to your VNet.
  • ExpressRoute: Provides private, dedicated connections from your premises to Azure.

Troubleshooting Common Issues

Common issues with Virtual Networks include connectivity problems, IP address conflicts, and NSG rule misconfigurations.

Use the following tools for troubleshooting:

  • Azure Network Watcher: Provides tools like Connection Troubleshoot, IP Flow Verify, and Packet Capture.
  • NSG Flow Logs: Analyze network traffic flow patterns.
  • Route Tables: Verify routing configurations.