Virtual network concepts
A virtual network (VNet) is the fundamental building block for your private network in Azure. It represents your own network in the cloud. You can use VNets to:
- Provision private IP address spaces in Azure.
- Segment the virtual network into subnets and optionally route traffic between the subnets.
- Connect your Azure resources to each other, to the internet, and to your on-premises networks.
Conceptual diagram of an Azure Virtual Network.
Key Components of a Virtual Network
IP Address Spaces
When you create a VNet, you define its address space yourself as one or more CIDR ranges; the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are the usual choice. The space is private to the VNet: Azure assigns each resource a private IP address from it, and those addresses aren't reachable from the internet. A resource only becomes reachable from the internet when you associate a public IP address with it or put it behind a public load balancer. Azure also reserves the first four addresses and the last address of every subnet, so a subnet holds five fewer hosts than its size suggests, and /29 is the smallest subnet you can create. Choose an address space that doesn't overlap with your on-premises networks or with other VNets you plan to peer or connect, because traffic can't be routed between overlapping ranges. For more information, see IP addressing in Azure Virtual Network.
Subnets
A subnet is a range of IP addresses within your VNet. After you create a VNet, you can divide it into one or more subnets. Each subnet can then be used to deploy Azure resources. Assigning resources to different subnets enables you to isolate those resources and control traffic flow.
By default, all subnets in a VNet can communicate with each other: the system routes deliver traffic between them directly, and the default AllowVnetInBound and AllowVnetOutBound rules present in every network security group (NSG) permit it. Segmenting subnets therefore means adding explicit NSG rules that deny the traffic you don't want, and optionally using user-defined routes (UDRs) to steer traffic between subnets through a firewall or other inspection point instead of letting it flow directly.
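The address-space rules above are easy to get wrong on paper, so here is an offline planning check, added as an example (it is not code from the original page). It uses only the Python standard library and models the documented Azure constraints: five reserved addresses per subnet, /29 as the smallest subnet, subnets that must sit inside a VNet address space and not overlap each other, and a VNet space that must not collide with the on-premises ranges you intend to connect. All CIDRs in it are constructed sample input, chosen so that each check fires once.

```python
"""Address-space planning checks for an Azure VNet, run offline.

Added example (not code from the original page). It models the documented
Azure rules: the first four addresses and the last address of every subnet
are reserved, and /29 is the smallest IPv4 subnet Azure accepts. All
ranges below are constructed sample input.
"""
import ipaddress
from typing import Dict, List

# Constructed sample: a VNet with two address spaces, the subnets we plan
# to carve out of it, and the on-premises ranges it must connect to later.
VNET_ADDRESS_SPACES = ["10.10.0.0/16", "10.20.0.0/24"]
SUBNETS = {
    "web": "10.10.1.0/24",
    "mgmt": "10.10.1.128/25",          # overlaps "web": a planning mistake
    "app": "10.10.2.0/24",
    "tiny": "10.10.3.0/30",            # smaller than Azure's /29 minimum
    "bastion": "10.30.0.0/26",         # not inside any VNet address space
    "AzureFirewallSubnet": "10.10.255.0/26",
    "data": "10.20.0.0/29",            # smallest allowed: 8 addresses, 3 usable
}
ON_PREM_RANGES = ["192.168.0.0/16", "10.20.0.0/16"]   # the second one collides


def reserved_addresses(subnet: str) -> List[str]:
    """Addresses Azure keeps for itself in every subnet: the network
    address, the default gateway (.1), two addresses that map Azure DNS
    into the VNet space (.2 and .3), and the broadcast address."""
    net = ipaddress.ip_network(subnet)
    first_four = [str(net.network_address + i) for i in range(4)]
    return first_four + [str(net.broadcast_address)]


def usable_host_count(subnet: str) -> int:
    """Hosts you can actually place in the subnet after Azure's five."""
    return ipaddress.ip_network(subnet).num_addresses - 5


def plan(vnet_spaces: List[str], subnets: Dict[str, str],
         on_prem: List[str]) -> Dict[str, List[str]]:
    """Run the planning checks; each key maps to a list of findings
    (an empty list means that check passed)."""
    spaces = [ipaddress.ip_network(s) for s in vnet_spaces]
    nets = {name: ipaddress.ip_network(c) for name, c in subnets.items()}
    onprem = [ipaddress.ip_network(r) for r in on_prem]
    findings: Dict[str, List[str]] = {
        "outside_vnet": [],     # subnet not contained in any VNet address space
        "too_small": [],        # prefix longer than /29
        "overlap": [],          # two subnets share addresses
        "onprem_conflict": [],  # VNet space overlaps a network we must connect to
    }
    for name, net in nets.items():
        if not any(net.subnet_of(space) for space in spaces):
            findings["outside_vnet"].append(name)
        if net.prefixlen > 29:
            findings["too_small"].append(name)
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings["overlap"].append(f"{a}/{b}")
    for space in spaces:
        for rng in onprem:
            if space.overlaps(rng):
                findings["onprem_conflict"].append(f"{space} overlaps {rng}")
    return findings


if __name__ == "__main__":
    for name, cidr in SUBNETS.items():
        print(f"{name:20} {cidr:18} usable={usable_host_count(cidr):>5} "
              f"reserved={reserved_addresses(cidr)}")
    for check, hits in plan(VNET_ADDRESS_SPACES, SUBNETS, ON_PREM_RANGES).items():
        print(f"{check:16} {'OK' if not hits else hits}")
```

The on-premises conflict check matters most for the connectivity options later on the page: a VNet whose space overlaps a network you later try to reach over VPN, ExpressRoute or peering has to be re-addressed, which is far more painful than choosing a disjoint range up front.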
Gateway Type
A virtual network gateway is deployed into a dedicated subnet named GatewaySubnet, and its gateway type determines what it does:
- VPN: Builds IPsec/IKE tunnels over the public internet to on-premises VPN devices (site-to-site), to individual clients (point-to-site), or to other VNets (VNet-to-VNet). Traffic is encrypted in transit.
- ExpressRoute: Terminates an ExpressRoute circuit, a private connection through a connectivity provider that doesn't traverse the public internet. The circuit is private but not encrypted by default; add IPsec over ExpressRoute or MACsec (ExpressRoute Direct) if you need encryption.
Routing
Azure automatically creates system routes for every subnet. They send traffic for the VNet's own address space to the next hop VirtualNetwork, traffic for 0.0.0.0/0 to Internet, and traffic for the RFC 1918 ranges and 100.64.0.0/10 to the next hop None, which means it's dropped. You can override these with user-defined routes (UDRs) in a route table that you associate with a subnet, for example to send all outbound traffic through a Network Virtual Appliance (NVA). Azure picks the route with the longest matching prefix; when prefixes tie, a user-defined route wins over a BGP route, which wins over a system route. Because of longest-prefix matching, a 0.0.0.0/0 UDR alone doesn't capture traffic to private ranges outside the VNet; that traffic still matches the more specific system routes to None unless you add UDRs for those ranges too.
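The following model of the route selection just described is an added example, not code from the original page or from Azure. It reproduces the documented rules with constructed routes: longest prefix wins, and on a tie a user-defined route beats BGP, which beats a system route. The system routes are the ones Azure adds to every subnet; the VNet range, the NVA address and the two UDRs are made-up sample data. The second UDR shows the consequence of longest-prefix matching that catches people out: a 0.0.0.0/0 route to the firewall does not pull in 10.x traffic outside the VNet, because 10.0.0.0/8 to None is more specific.

```python
"""Model of how Azure chooses a next hop for traffic leaving a subnet.

Added example (not code from the original page). It reproduces two
documented rules with constructed routes: the route with the longest
matching prefix wins, and when prefixes tie a user-defined route beats a
BGP route, which beats a system route. The system routes below are the
ones Azure adds to every subnet; the NVA address is a made-up sample.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str                         # destination CIDR
    next_hop_type: str                  # VirtualNetwork, Internet, None, VirtualAppliance, ...
    next_hop_ip: Optional[str] = None   # only meaningful for VirtualAppliance
    source: str = "System"              # "User", "BGP" or "System"


SOURCE_PRIORITY = {"User": 0, "BGP": 1, "System": 2}   # lower wins on a prefix tie


def system_routes(vnet_address_spaces: List[str]) -> List[Route]:
    """Default routes Azure creates for every subnet: the VNet's own
    spaces go to VirtualNetwork, 0.0.0.0/0 goes to Internet, and the
    RFC 1918 and shared address ranges are dropped (next hop None)."""
    routes = [Route(space, "VirtualNetwork") for space in vnet_address_spaces]
    routes.append(Route("0.0.0.0/0", "Internet"))
    for dropped in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"):
        routes.append(Route(dropped, "None"))
    return routes


def select_route(destination: str, routes: List[Route]) -> Optional[Route]:
    """Longest prefix match; ties broken by route source priority."""
    ip = ipaddress.ip_address(destination)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                                          SOURCE_PRIORITY[r.source]))


def effective_next_hop(destination: str, routes: List[Route]) -> Tuple[str, Optional[str]]:
    """(next hop type, next hop IP) that Azure would use for this destination."""
    route = select_route(destination, routes)
    if route is None:
        return ("None", None)
    return (route.next_hop_type, route.next_hop_ip)


# Constructed sample: a /16 VNet, a firewall NVA inside it, and the usual
# "send everything through the firewall" user-defined route.
VNET = ["10.10.0.0/16"]
NVA_IP = "10.10.255.4"
FORCE_TUNNEL = [Route("0.0.0.0/0", "VirtualAppliance", NVA_IP, "User")]
# The UDR people forget: without it, 10.x traffic that isn't in the VNet still
# matches the more specific 10.0.0.0/8 -> None system route and is dropped
# instead of reaching the NVA.
PRIVATE_VIA_NVA = [Route("10.0.0.0/8", "VirtualAppliance", NVA_IP, "User")]


if __name__ == "__main__":
    tables = (("system only", system_routes(VNET)),
              ("system + 0.0.0.0/0 UDR", system_routes(VNET) + FORCE_TUNNEL),
              ("system + both UDRs", system_routes(VNET) + FORCE_TUNNEL + PRIVATE_VIA_NVA))
    for label, table in tables:
        print(label)
        for dst in ("10.10.2.5", "8.8.8.8", "10.200.0.1"):
            print(f"  {dst:12} -> {effective_next_hop(dst, table)}")
```

Run it and compare with the effective routes Azure shows for a real NIC: the 0.0.0.0/0 system route becomes inactive once the UDR exists, while the 10.0.0.0/8 to None route stays active until you override it as well.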
Network Security Groups (NSGs)
An NSG is a stateful packet filter that you can associate with one or more subnets and with individual network interfaces (NICs). It contains security rules that allow or deny inbound traffic to, and outbound traffic from, Azure resources; rules are evaluated in ascending priority order (100 to 4096 for your own rules) and the first match decides. Every NSG also carries default rules at priorities 65000 to 65500 that allow traffic between VirtualNetwork addresses, allow Azure load balancer health probes, allow outbound traffic to the Internet, and deny everything else. Because NSGs are stateful, you only need a rule for the direction in which a flow is initiated; the return traffic is allowed automatically. When both a subnet NSG and a NIC NSG apply, traffic must be allowed by both: inbound traffic is checked against the subnet NSG and then the NIC NSG, outbound traffic against the NIC NSG and then the subnet NSG.
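To make the evaluation order concrete, here is an added example (not code from the original page or from Azure) that applies NSG rules the way the paragraph describes: ascending priority, first match wins, Azure's default rules at the end, and an inbound flow that has to pass both the subnet NSG and the NIC NSG. The rules, addresses and the VNet range are constructed; service tags are modelled crudely (VirtualNetwork is the sample VNet space, Internet is everything outside it, AzureLoadBalancer is the 168.63.129.16 probe address), which is an assumption of the model rather than Azure's full tag definitions.

```python
"""Evaluates network security group rules the way Azure applies them.

Added example (not code from the original page). It encodes three
documented behaviours with constructed rules and addresses: rules are
tried in ascending priority and the first match decides; every NSG ends
with Azure's default rules (priorities 65000 to 65500); and when a subnet
NSG and a NIC NSG both apply, inbound traffic must be allowed by both
(subnet first, then NIC). Service tags are modelled crudely here:
VirtualNetwork is VNET_SPACE, Internet is everything else, and
AzureLoadBalancer is the 168.63.129.16 probe address.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

VNET_SPACE = ["10.10.0.0/16"]     # constructed: what the VirtualNetwork tag covers here
AZURE_LB_PROBE = "168.63.129.16"  # the address behind the AzureLoadBalancer tag


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # 100-4096 for your rules; Azure's defaults use 65000+
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp", "Icmp" or "*"
    source: str          # CIDR, address, service tag or "*"
    destination: str     # CIDR, address, service tag or "*"
    dest_ports: str      # "443", "22,3389", "1024-65535" or "*"


# Azure's default rules, present in every NSG and not removable.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def _addr_matches(spec: str, ip: str) -> bool:
    """Does a rule's source/destination field cover this concrete address?"""
    addr = ipaddress.ip_address(ip)
    in_vnet = any(addr in ipaddress.ip_network(s) for s in VNET_SPACE)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":
        return not in_vnet
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    """Port field: "*", a single port, a range "a-b", or a comma list of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def evaluate(rules: List[Rule], direction: str, protocol: str,
             src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (access, rule name) of the first matching rule by priority."""
    for rule in sorted((r for r in rules if r.direction == direction), key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if (_addr_matches(rule.source, src_ip) and _addr_matches(rule.destination, dst_ip)
                and _port_matches(rule.dest_ports, dst_port)):
            return rule.access, rule.name
    return "Deny", "<no matching rule>"   # unreachable while the default rules are present


def inbound_allowed(subnet_nsg: Optional[List[Rule]], nic_nsg: Optional[List[Rule]],
                    protocol: str, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Inbound: subnet NSG first, then NIC NSG; a Deny at either level wins.
    (Outbound is the mirror image: NIC NSG first, then subnet NSG.)"""
    for nsg in (subnet_nsg, nic_nsg):
        if nsg is not None and evaluate(nsg, "Inbound", protocol, src_ip, dst_ip, dst_port)[0] == "Deny":
            return False
    return True


# Constructed sample: the subnet NSG opens HTTPS from the internet to the web
# subnet; the NIC NSG blocks SSH/RDP from anywhere, including from inside the
# VNet, which the default AllowVnetInBound rule would otherwise permit.
SUBNET_NSG = [Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "10.10.1.0/24", "443")] + DEFAULT_RULES
NIC_NSG = [Rule("DenyMgmtPorts", 100, "Inbound", "Deny", "Tcp", "*", "*", "22,3389"),
           Rule("AllowHttps", 200, "Inbound", "Allow", "Tcp", "Internet", "*", "443")] + DEFAULT_RULES

if __name__ == "__main__":
    web_vm, peer_vm, client = "10.10.1.4", "10.10.2.8", "203.0.113.10"
    print(evaluate(SUBNET_NSG, "Inbound", "Tcp", peer_vm, web_vm, 22))       # default VNet allow
    print(inbound_allowed(SUBNET_NSG, None, "Tcp", peer_vm, web_vm, 22))     # True
    print(inbound_allowed(SUBNET_NSG, NIC_NSG, "Tcp", peer_vm, web_vm, 22))  # False: NIC NSG denies
    print(inbound_allowed(SUBNET_NSG, NIC_NSG, "Tcp", client, web_vm, 443))  # True: both allow
```

The SSH case is the one to internalise: with only the subnet NSG in place, a VM in another subnet can reach port 22 because AllowVnetInBound permits it, and nothing in the custom rules says otherwise. The explicit Deny at priority 100 on the NIC NSG is what closes it; Azure's own rules never will.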
Network Virtual Appliances (NVAs)
NVAs are virtual machines that run network functions such as firewalls, WAN optimizers, or other specialized network appliances. You can deploy NVAs within your VNet to provide advanced networking capabilities. Sending traffic through an NVA requires a UDR whose next hop is the appliance's private IP address, and IP forwarding must be enabled on the NVA's network interface so that Azure delivers packets not addressed to the NVA itself. Deploy the NVA in its own subnet so the route table that forces other subnets through it isn't applied to the appliance as well, which would loop traffic back to itself.
Connectivity Options
VNet to VNet Connectivity
You can connect VNets to each other with virtual network peering, including across regions (global peering) and across subscriptions. Peered VNets exchange traffic over the Microsoft backbone using private IP addresses, as if they were one network, but peering isn't transitive: a hub VNet peered with two spokes doesn't let the spokes talk to each other unless you route their traffic through an NVA or gateway in the hub. Address spaces of peered VNets can't overlap, and NSGs still apply; note that the VirtualNetwork service tag used by the default rules also covers peered VNet address spaces, so the default allow extends across the peering.
On-Premises Connectivity
Azure VNets can be connected to your on-premises networks using either a site-to-site VPN connection or an ExpressRoute circuit. This allows your on-premises resources to access Azure resources and vice versa.
Internet Connectivity
Resources in a VNet reach the internet outbound through a public IP address on their NIC, through a public load balancer's outbound rules, or through a NAT gateway associated with their subnet; a NAT gateway is the preferred option because it gives predictable egress addresses and doesn't expose the resource to inbound connections. Inbound connections from the internet only reach a resource that has a public IP address or sits behind a public load balancer, and are still filtered by any NSG on the subnet or NIC. You can restrict internet access further with NSG rules (for example, an outbound deny rule for the Internet service tag) or force it through an NVA with a 0.0.0.0/0 user-defined route.