Azure Virtual Networks (VNets)

Last updated: October 26, 2023

Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables you to securely connect Azure resources to each other, to the internet, and to your on-premises networks.

Key Concepts

Understanding VNets involves grasping these core components:

  • IP Addressing: Define private IP address spaces for your VNet and subnets.
  • Subnets: Divide your VNet into smaller segments for better organization and security.
  • Network Security Groups (NSGs): Control inbound and outbound traffic to resources within your VNet.
  • Route Tables: Define custom routes to control traffic flow within your VNet and to other networks.
  • Peering: Connect VNets together to enable communication between them.

What is an Azure Virtual Network?

An Azure Virtual Network is a logical representation of your own network in the cloud. It's an isolated network environment where you can deploy and manage your Azure resources. VNets allow you to:

Core Components of a VNet

IP Addressing and Subnets

When you create a VNet, you define a private IP address space. This address space is then divided into one or more subnets. Each subnet has its own range of IP addresses within the VNet's address space. Resources are deployed into subnets. It's best practice to allocate address space to subnets such that you can accommodate future growth.


// Example of defining an IP address space and subnets in ARM template
{
  "type": "Microsoft.Network/virtualNetworks",
  "apiVersion": "2023-05-01",
  "name": "myVNet",
  "location": "[resourceGroup().location]",
  "properties": {
    "addressSpace": {
      "addressPrefixes": [
        "10.0.0.0/16"
      ]
    },
    "subnets": [
      {
        "name": "subnet-web",
        "properties": {
          "addressPrefix": "10.0.1.0/24"
        }
      },
      {
        "name": "subnet-app",
        "properties": {
          "addressPrefix": "10.0.2.0/24"
        }
      }
    ]
  }
}

Network Security Groups (NSGs)

NSGs are a fundamental component for network security in Azure. They contain security rules that allow or deny network traffic to resources connected to Azure Virtual Networks. You can associate NSGs with subnets or individual network interfaces (NICs).

Security Rule Properties

  • Priority: Rules are processed in priority order (lower number processed first).
  • Protocol: TCP, UDP, ICMP, Any.
  • Source/Destination: IP addresses, CIDR blocks, service tags, application security groups.
  • Port Range: Specific ports or ranges.
  • Action: Allow or Deny.

User Defined Routes (UDRs)

By default, Azure route traffic within a VNet, to the internet, and to on-premises networks. However, you can override this default routing behavior using User Defined Routes (UDRs). UDRs are configured using route tables, which are associated with subnets. This allows for advanced network topologies, such as enforcing traffic through a Network Virtual Appliance (NVA).

Azure VNet Routing Diagram

Connecting to On-Premises Networks

Azure VNets can be extended to your on-premises data centers using:

VNet Peering

VNet peering allows you to connect Azure virtual networks in Azure. When VNets are peered, resources in either virtual network can communicate with each other as if they were within the same network. This communication is facilitated by the Azure backbone network and does not involve a VPN tunnel or a router.

Important Considerations for Peering

  • VNet peering is not transitive. If VNet A is peered with VNet B, and VNet B is peered with VNet C, VNet A cannot communicate with VNet C through VNet B unless VNet A is also peered with VNet C.
  • Ensure that the address spaces of peered VNets do not overlap.

Use Cases

Learn More