Azure Virtual Network (VNet)
A Virtual Network (VNet) is the fundamental building block for private networking in Azure. It enables many types of Azure resources—such as Azure Virtual Machines (VMs), Azure Kubernetes Service (AKS), and Azure App Service—to communicate securely with each other, the internet, and on‑premises networks.
Overview
- Isolation: Each VNet is isolated from other VNets unless you configure peering between them.
- Address Space: You define one or more private IP address ranges (CIDR blocks).
- Subnets: Split the address space into logical segments. Subnets host resources.
- Connectivity: Internet, VPN, ExpressRoute, VNet Peering, Private Endpoints.
Quick‑Start: Create a VNet with Azure CLI
# Create a resource group
az group create --name MyResourceGroup --location eastus

# Create a VNet with a single subnet
az network vnet create \
  --resource-group MyResourceGroup \
  --name MyVNet \
  --address-prefix 10.0.0.0/16 \
  --subnet-name MySubnet \
  --subnet-prefix 10.0.1.0/24

# Verify
az network vnet show --resource-group MyResourceGroup --name MyVNet
Subnet Configuration
Subnets can have dedicated network security groups (NSG), route tables, and service endpoints.
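Azure CLI
# Add a secondary subnet (MyBackendNSG must already exist in MyResourceGroup)
az network vnet subnet create \
  --resource-group MyResourceGroup \
  --vnet-name MyVNet \
  --name BackendSubnet \
  --address-prefix 10.0.2.0/24 \
  --network-security-group MyBackendNSG

PowerShell
# PowerShell version: load the existing VNet and NSG objects first
$vnet = Get-AzVirtualNetwork -ResourceGroupName MyResourceGroup -Name MyVNet
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName MyResourceGroup -Name MyBackendNSG
# Add-AzVirtualNetworkSubnetConfig adds the subnet to the in-memory VNet object;
# Set-AzVirtualNetwork writes the change to Azure
Add-AzVirtualNetworkSubnetConfig -Name BackendSubnet `
  -AddressPrefix 10.0.2.0/24 `
  -NetworkSecurityGroup $nsg `
  -VirtualNetwork $vnet | Set-AzVirtualNetwork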
VNet Peering
Peer VNets in the same or different Azure regions for low‑latency, high‑bandwidth connectivity.
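# Peer VNetA with VNetB (same subscription)
# --allow-vnet-access permits traffic between the two address spaces; it is off unless set.
# --allow-forwarded-traffic and --allow-gateway-transit extend the peering beyond
# direct VNet-to-VNet traffic; drop them if they are not required.
az network vnet peering create \
  --name VNetAtoVNetB \
  --resource-group MyResourceGroup \
  --vnet-name VNetA \
  --remote-vnet VNetB \
  --allow-vnet-access \
  --allow-forwarded-traffic \
  --allow-gateway-transit
# Create the matching peering from VNetB to VNetA; traffic flows only once both exist.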
Security Features
- Network Security Groups (NSG) – Stateless firewall rules at subnet or NIC level.
- Azure Firewall – Centralized, stateful firewall with threat intelligence.
- Private Endpoints – Secure access to PaaS services over private IP.
- Service Endpoints – Extend VNet identity to Azure services.
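The subnet command above attaches MyBackendNSG but the page never creates it. The following is an added example, not part of the original page, showing one way to define it so that the default AllowVnetInBound rule does not leave BackendSubnet open to every address in the VNet and its peers. The application port (TCP 5432), the rule names, the priorities, and the `AZ` dry-run variable are assumptions.

```shell
#!/bin/sh
# Added example: rules for the MyBackendNSG referenced by the subnet command.
# Assumptions (not from the page): the backend listens on TCP 5432 and only
# MySubnet (10.0.1.0/24) should reach it.
AZ="${AZ:-az}"   # set AZ=echo to print the commands instead of running them
RG="MyResourceGroup"
NSG="MyBackendNSG"

create_backend_nsg() {
  # A new NSG carries the default AllowVnetInBound rule (priority 65000),
  # which admits every address behind the VirtualNetwork service tag,
  # including the address space of peered VNets.
  "$AZ" network nsg create --resource-group "$RG" --name "$NSG" || return 1

  # Admit only the front-end subnet on the application port.
  "$AZ" network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name AllowFrontendToBackend --priority 100 \
    --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes 10.0.1.0/24 --source-port-ranges '*' \
    --destination-address-prefixes 10.0.2.0/24 \
    --destination-port-ranges 5432 || return 1

  # Deny the rest of the VirtualNetwork tag before the default allow is reached.
  # Lower priority numbers are evaluated first and the first match wins.
  "$AZ" network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name DenyOtherVnetInbound --priority 4000 \
    --direction Inbound --access Deny --protocol '*' \
    --source-address-prefixes VirtualNetwork --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges '*'
}

# Usage: run create_backend_nsg before "az network vnet subnet create".
```

Running with `AZ=echo` prints the three commands for review before anything is changed in the subscription.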
Pricing
VNets themselves are free. Charges are incurred for:
- Peering (intra‑region: $0.01 per GB, inter‑region: $0.02 per GB).
- VPN Gateways, ExpressRoute circuits, Azure Firewall, and other networking services.