Virtual Network Concepts - Azure Documentation

Understanding Azure Virtual Network Fundamentals

An Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. It enables Azure resources, such as virtual machines, to securely communicate with each other, with the internet, and with your on-premises networks. VNets are region-specific and exist within a single Azure region.

Key Concepts

IP Addressing

Every VNet is assigned a private IP address space. This address space is defined using CIDR (Classless Inter-Domain Routing) notation. You can define a single, contiguous address space or multiple contiguous address spaces. Azure reserves the first four IP addresses and the last IP address in each virtual network subnet for IP addressing purposes. You cannot assign these reserved IP addresses to any resource.

Address Space: A public or private IP address range that you assign to a VNet.
Subnets: VNets are segmented into subnets, each with its own IP address range. These ranges must be part of the VNet's address space and cannot overlap with other subnets within the same VNet. Subnets allow you to segment your network for security and organizational purposes.

IP Address Allocation

Azure assigns IP addresses to resources within a subnet. You can choose between:

Dynamic Allocation: Azure assigns an available IP address from the subnet's range. This address is released when the resource is deallocated.
Static Allocation: You manually assign a specific IP address from the subnet's range. This address remains assigned to the resource until it is explicitly unassigned.

Network Security Groups (NSGs)

NSGs are a fundamental security component that allows you to filter network traffic to and from Azure resources in an Azure virtual network. They act as a distributed firewall at the network interface (NIC) or subnet level. You can associate an NSG with one or more NICs or subnets. NSGs contain a list of security rules that allow or deny inbound network traffic and outbound network traffic based on source and destination IP address, port, and protocol.

Routing

Azure automatically manages routing between subnets within a VNet. For custom routing scenarios, such as routing traffic through a network virtual appliance (NVA) or to your on-premises network, you can use User Defined Routes (UDRs). UDRs allow you to override Azure's default system routes.

Gateways

Azure Virtual Network Gateway provides connectivity between your VNet and other networks, such as your on-premises data center or other Azure VNets. There are two primary types of gateways:

VPN Gateway: Enables you to send encrypted traffic through the public internet between your VNet and your on-premises location or other Azure VNets.
ExpressRoute Gateway: Enables you to establish private connections between your on-premises environment and Azure. These connections do not traverse the public internet.

Peering

Virtual Network Peering connects two Azure VNets, allowing resources to communicate with each other as if they were within the same network. VNets can be peered within the same region (local VNet peering) or across different regions (global VNet peering). Peering is a non-transitive relationship; if VNet A is peered with VNet B, and VNet B is peered with VNet C, VNet A cannot communicate with VNet C through VNet B.

Tip

Understanding the relationship between VNets, subnets, IP addressing, and NSGs is crucial for designing a secure and efficient network infrastructure in Azure.

Network Interface (NIC)

A NIC connects an Azure resource, such as a virtual machine, to a virtual network. Each NIC is assigned at least one private IP address from the subnet it's connected to. You can also associate public IP addresses, load balancer front-ends, and NSGs with a NIC.

Service Endpoints and Private Endpoints

Service Endpoints extend your VNet's private address space and identity to Azure services, allowing you to connect to Azure services like Azure Storage and Azure SQL Database directly from your VNet using a private IP address. Private Endpoints provide a private IP address from your VNet for an Azure service, ensuring that traffic to that service stays entirely within your VNet and Microsoft's backbone network.

Key Takeaway

Azure Virtual Networks are essential for creating secure, isolated, and scalable network environments for your cloud deployments. Mastering these core concepts is the first step towards building robust cloud architectures.

Next Steps

Now that you understand the core concepts, explore how to create and configure your first virtual network: