Virtual Network (VNet) – Hybrid Cloud Reference

Azure Virtual Network (VNet) provides an isolated, secure environment to run your cloud workloads. In a hybrid cloud scenario, VNets can be seamlessly connected to on‑premises networks, other clouds, and Azure services to enable consistent networking, security, and governance.

Architecture

The core components of a hybrid VNet architecture include:

  • Subnets – Logical segmentation of the address space.
  • Network Security Groups (NSG) – Rule‑based inbound/outbound traffic filtering.
  • Azure VPN Gateway – Site‑to‑site VPN connections to on‑premises networks.
  • Azure ExpressRoute – Dedicated private connection for high‑throughput, low‑latency links.
  • Virtual Network Peering – Low‑latency, high‑bandwidth connectivity between VNets.
  • Azure Firewall & DDoS Protection – Centralized security controls.
View Architecture Diagram ▼
Hybrid VNet Architecture

Configuration Steps

  1. Create a VNet with an appropriate address space.
  2. Define subnets for each workload tier (e.g., Frontend, App, DB).
  3. Associate NSGs with subnets to enforce traffic policies.
  4. Deploy a VPN Gateway or ExpressRoute circuit to connect to on‑premises.
  5. Configure peering if you have multiple VNets across regions.
  6. Apply Azure Firewall policies and enable DDoS Protection if required.
// Azure CLI example to create a VNet and subnet
az network vnet create \
  --resource-group MyResourceGroup \
  --name MyVNet \
  --address-prefix 10.0.0.0/16 \
  --subnet-name Frontend \
  --subnet-prefix 10.0.1.0/24

// Create a VPN gateway
az network vnet-gateway create \
  --resource-group MyResourceGroup \
  --name MyVPNGateway \
  --vnet MyVNet \
  --public-ip-address MyVPNGatewayIP \
  --gateway-type Vpn \
  --vpn-type RouteBased \
  --sku VpnGw1

API Reference

Azure REST APIs and SDKs provide programmatic control over VNet resources.

Operation Method Endpoint
Create/Update VNet PUT https://management.azure.com/subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.Network/virtualNetworks/{vnetName}?api-version=2024-08-01
List VNets GET https://management.azure.com/subscriptions/{subId}/providers/Microsoft.Network/virtualNetworks?api-version=2024-08-01

Sample Code (C# SDK)

using Azure;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Network;
using Azure.ResourceManager.Network.Models;

var cred = new DefaultAzureCredential();
var client = new ArmClient(cred);
var subscription = client.GetDefaultSubscription();

var rg = await subscription.GetResourceGroups().GetAsync("MyResourceGroup");
var vnetData = new VirtualNetworkData()
{
    Location = "EastUS",
    AddressSpace = new AddressSpace() { AddressPrefixes = { "10.2.0.0/16" } },
    Subnets = {
        new SubnetData() { Name = "AppSubnet", AddressPrefix = "10.2.1.0/24" }
    }
};

var vnetLro = await rg.Value.GetVirtualNetworks().CreateOrUpdateAsync(WaitUntil.Completed, "MyHybridVNet", vnetData);
var vnet = vnetLro.Value;

Console.WriteLine($"Created VNet: {vnet.Data.Name} in {vnet.Data.Location}");

For more language samples, visit Code Samples.

Best Practices

  • Use CIDR blocks that do not overlap with on‑premises address ranges.
  • Segment workloads using multiple subnets and NSGs.
  • Prefer ExpressRoute for mission‑critical workloads requiring guaranteed bandwidth.
  • Enable Azure Firewall and DDoS protection for production environments.
  • Implement Azure Policy to enforce naming conventions and tagging.
  • Regularly audit NSG rules and remove unused entries.