# CHAPTER 6
Azure Virtual Networking
1. Introduction
If you deploy a Web Server and a Database, they need to communicate. If you send that communication over the public internet, hackers will intercept it in seconds. In Azure, resources communicate securely through an Azure Virtual Network (VNet). A VNet is a secure, isolated, private network dedicated entirely to your project. It is the virtual equivalent of laying down ethernet cables between your servers in a physical data center. In this chapter, we will master VNets, Subnets, Internal IP routing, and Network Security Groups.
2. Learning Objectives
By the end of this chapter, you will be able to:
- Define an Azure Virtual Network (VNet).
- Understand IP address spaces and CIDR notation (e.g., `/16` and `/24`).
- Segment a VNet using Subnets.
- Differentiate between Internal (Private) and External (Public) IP addresses.
- Enforce network boundaries using Network Security Groups (NSGs).
3. Beginner-Friendly Explanation
Imagine a massive corporate office building (The VNet).
- The Building (VNet): It is highly secure. You need a badge to get in.
- The Floors (Subnets): The building is divided into floors. Floor 1 is for Web Servers. Floor 2 is for Databases.
- The Desks (Internal IPs): Every employee on every floor has a desk phone with a 4-digit extension. A Web Server on Floor 1 can dial `1234` and instantly reach a Database on Floor 2. This call never leaves the building. It is totally secure.
- The Public Switchboard (External IP): If someone *outside* the building wants to call a Web Server, they have to dial a public 1-800 number.
- The Security Guards (NSGs): Guards stand in the stairwells checking badges. "Web Servers are allowed to walk down to the Database floor. But people from the outside internet are NOT allowed on the Database floor."
4. VNets and Subnets
When you create a VNet, you must define its overall size using an IP Address Space. Azure uses CIDR notation.
- A VNet with an address space of `10.0.0.0/16` provides roughly 65,000 private IP addresses.
- You then slice that massive VNet into smaller Subnets.
  - Subnet 1 (Frontend): `10.0.1.0/24` (provides 256 IPs).
  - Subnet 2 (Backend): `10.0.2.0/24` (provides 256 IPs).
*Note: Azure reserves five IP addresses in every subnet (the network address, the default gateway, two for Azure DNS, and the broadcast address) for its own routing, so a /24 subnet actually gives you 251 usable IPs.*
5. Network Security Groups (NSGs)
An NSG is a digital firewall. It contains a list of Inbound and Outbound security rules. By default, VMs within the same VNet can talk to each other freely. However, the VNet blocks ALL incoming (Ingress) traffic from the public internet. You apply an NSG to a Subnet (or directly to a VM's network card) to open specific holes.
*Example Rule:* "Allow Inbound traffic on Port 80 (HTTP) from Source: ANY to Destination: Frontend Subnet."
6. Mini Project: Create a Custom Virtual Network
Let's build a secure, segmented private network.
Step-by-Step Tutorial:
1. In the Azure Portal, search for Virtual networks.
2. Click + Create.
3. Resource group: `rg-networking-demo`.
4. Name: `vnet-production`.
5. Region: East US. Click Next to IP Addresses.
6. IPv4 address space: Azure defaults to `10.0.0.0/16`. Leave this.
7. Under Subnets, click the default subnet to edit it.
   - Name: `snet-frontend`
   - Subnet address range: `10.0.1.0/24`. Click Save.
8. Click + Add subnet.
   - Name: `snet-backend`
   - Subnet address range: `10.0.2.0/24`. Click Add.
9. Click Review + create, then Create.
10. Now, search for Network security groups. Click + Create.
11. Name it `nsg-backend`. Place it in the same resource group. Click Create.
12. Go to the new `nsg-backend` resource. Click Inbound security rules.
13. Click + Add.
    - Source: IP Addresses
    - Source IP addresses/CIDR ranges: `10.0.1.0/24` (this is the Frontend Subnet!).
    - Destination port ranges: `3306` (MySQL database port).
    - Action: Allow.
    - Name: `Allow-Frontend-To-DB`. Click Add.
14. Finally, attach this NSG to the backend subnet. Go to Subnets on the left menu, click Associate, select your `vnet-production`, and select `snet-backend`.
*The Result:* You have created a highly secure architecture. Only VMs sitting in the Frontend Subnet are allowed to talk to the Database VMs in the Backend Subnet. The internet is completely blocked from reaching the databases! One check worth making: every NSG also carries built-in default rules, and `AllowVnetInBound` (priority 65000) still permits traffic from every other subnet in the VNet. If the Frontend Subnet must be the *only* source, add a Deny rule with source `VirtualNetwork` and a priority number larger than your Allow rule's but smaller than 65000 (for example 200).
7. Real-World Scenarios
A bank deploys a 3-tier architecture: Web, API, and Database. They create a VNet with 3 Subnets. Only the VMs in the Web Subnet are assigned Public IP addresses. The API and Database VMs have NO Public IPs; they cannot be reached directly from the internet. They can only be accessed internally, creating an impenetrable zero-trust network perimeter.
8. Best Practices
- VNet Peering: If your company merges with another company, they might have their own Azure VNet. You don't have to rebuild everything. You can configure VNet Peering to seamlessly connect two independent VNets together, allowing them to route traffic privately as if they were a single massive network.
9. Common Mistakes
- Overlapping IP Ranges: If your company is trying to connect your Azure VNet to your on-premises corporate office via an Azure VPN Gateway, the IP ranges cannot overlap! If your corporate office uses `10.0.0.0/16`, and you accidentally create your Azure VNet with `10.0.0.0/16`, the routing will completely fail. Always plan your IP Address spaces carefully alongside your network engineers.
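The arithmetic behind section 4 (sizing subnets inside a VNet) and this section's overlap mistake, as an added example that is not part of the chapter: a small POSIX `sh` script that computes the usable address count of a subnet, checks that each planned subnet sits inside the VNet's address space without colliding with another, and runs the same overlap test across independent networks before a VPN Gateway or peering link is built. It needs no Azure access. The figure of five reserved addresses per subnet (network address, default gateway, two for Azure DNS, broadcast) is Azure's documented rule and is assumed here; the function names `check_plan` and `check_disjoint` are this example's own.

```shell
#!/bin/sh
# Added example (not from the chapter): CIDR arithmetic in POSIX sh for planning an
# Azure VNet. Everything is local integer maths; nothing talks to Azure.
# Assumption: Azure reserves 5 addresses in every subnet (network, default gateway,
# two for DNS, broadcast), which is why a /24 yields 251 usable addresses.

# Dotted quad -> 32-bit integer. Runs in a subshell so the IFS change stays local.
ip2int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# "a.b.c.d/len" -> "first last" as integers (network address and broadcast address).
cidr_range() (
  net=${1%/*}; len=${1#*/}
  size=$(( 1 << (32 - len) ))
  first=$(( $(ip2int "$net") & (4294967296 - size) ))
  echo "$first $(( first + size - 1 ))"
)

# Addresses a VM can actually use in an Azure subnet with the given prefix length.
usable_hosts() {
  echo $(( (1 << (32 - $1)) - 5 ))
}

# Exit 0 if the second CIDR lies entirely inside the first.
cidr_contains() {
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ "$3" -ge "$1" ] && [ "$4" -le "$2" ]
}

# Exit 0 if the two CIDRs share at least one address.
cidr_overlaps() {
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_disjoint NET... : report every overlapping pair; exit 1 if there is any.
# This is the test to run before peering VNets or connecting an on-premises range.
check_disjoint() {
  dj_status=0; seen=""
  for s in "$@"; do
    for t in $seen; do
      if cidr_overlaps "$s" "$t"; then
        echo "ERROR $s overlaps $t"; dj_status=1
      fi
    done
    seen="$seen $s"
  done
  return $dj_status
}

# check_plan VNET SUBNET... : every subnet must fit in the VNet and not collide.
check_plan() {
  vnet=$1; shift
  plan_status=0
  for s in "$@"; do
    if cidr_contains "$vnet" "$s"; then
      echo "ok    $s fits in $vnet, $(usable_hosts "${s#*/}") usable addresses"
    else
      echo "ERROR $s is outside $vnet"; plan_status=1
    fi
  done
  check_disjoint "$@" || plan_status=1
  return $plan_status
}

# The chapter's plan: a /16 VNet sliced into two /24 subnets.
check_plan 10.0.0.0/16 10.0.1.0/24 10.0.2.0/24

# A broken plan: one subnet outside the VNet and two that collide.
check_plan 10.0.0.0/16 10.0.1.0/24 10.0.1.128/25 10.1.0.0/24 || echo "plan rejected"

# Section 9's mistake: an on-premises range identical to the VNet range.
check_disjoint 10.0.0.0/16 10.0.0.0/16 || echo "cannot connect: ranges overlap"

# The two VNets from the interview question can be peered safely.
check_disjoint 10.1.0.0/16 10.2.0.0/16 && echo "peering-safe"
```

Each check prints one line per finding and returns non-zero on a bad plan, so the script can gate a pipeline step that creates the VNet. Because `check_disjoint` works on any list of CIDRs, it covers the on-premises-to-Azure case and the VNet-to-VNet peering case with the same code.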
10. CLI Examples
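As an added example, not the chapter's own listing, here is the section 6 mini project as an Azure CLI script: the same VNet, two subnets, NSG, inbound rule and subnet association as the portal steps, plus one extra Deny rule that the tutorial does not include. It assumes a signed-in `az` CLI (`az login`), a subscription in which `rg-networking-demo` can be created, and `eastus` as the CLI name for the portal's "East US" region. Run it with `--apply` to deploy; without that flag it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not the chapter's own listing): the mini project as an Azure CLI script.
# Assumes `az login` has been done. Without --apply it prints the commands instead.
set -eu

RG=${RG:-rg-networking-demo}
LOCATION=${LOCATION:-eastus}
VNET=vnet-production
VNET_PREFIX=10.0.0.0/16
FRONTEND=snet-frontend
FRONTEND_PREFIX=10.0.1.0/24
BACKEND=snet-backend
BACKEND_PREFIX=10.0.2.0/24
NSG=nsg-backend
DB_PORT=3306   # MySQL, as in step 13 of the tutorial

# Steps 1-9: the VNet with its two subnets.
create_network() {
  az group create --name "$RG" --location "$LOCATION"
  az network vnet create --resource-group "$RG" --name "$VNET" --location "$LOCATION" \
    --address-prefixes "$VNET_PREFIX" \
    --subnet-name "$FRONTEND" --subnet-prefixes "$FRONTEND_PREFIX"
  az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name "$BACKEND" --address-prefixes "$BACKEND_PREFIX"
}

# Steps 10-14: the backend NSG, its rules, and the subnet association.
create_backend_nsg() {
  az network nsg create --resource-group "$RG" --name "$NSG" --location "$LOCATION"

  # Step 13: let the frontend subnet reach the database port. A lower number is a
  # higher priority; custom rules must use numbers between 100 and 4096.
  az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name Allow-Frontend-To-DB --priority 100 --direction Inbound --access Allow \
    --protocol Tcp \
    --source-address-prefixes "$FRONTEND_PREFIX" --source-port-ranges '*' \
    --destination-address-prefixes "$BACKEND_PREFIX" --destination-port-ranges "$DB_PORT"

  # Not in the tutorial: the built-in AllowVnetInBound rule (priority 65000) would
  # still let every other subnet in the VNet reach the database port, so deny the
  # rest of the VirtualNetwork tag explicitly at a number below 65000.
  az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name Deny-VNet-To-DB --priority 200 --direction Inbound --access Deny \
    --protocol '*' \
    --source-address-prefixes VirtualNetwork --source-port-ranges '*' \
    --destination-address-prefixes "$BACKEND_PREFIX" --destination-port-ranges "$DB_PORT"

  # Step 14: attach the NSG to the backend subnet.
  az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$BACKEND" --network-security-group "$NSG"
}

if [ "${1:-}" = "--apply" ]; then
  create_network
  create_backend_nsg
else
  echo "Dry run (pass --apply to deploy). Commands that would run:"
  az() { echo "  az $*"; }
  create_network
  create_backend_nsg
fi
```

Rules in an NSG are evaluated in priority order and the first match wins, and every NSG ships with `AllowVnetInBound` (65000), `AllowAzureLoadBalancerInBound` (65001) and `DenyAllInBound` (65500). The internet is therefore already denied by the defaults, but the Allow rule from step 13 on its own does not make the Frontend Subnet the only permitted source; the `Deny-VNet-To-DB` rule at 200 does. To confirm the order after deploying, list the rules together with the defaults: `az network nsg rule list --resource-group rg-networking-demo --nsg-name nsg-backend --include-default -o table`.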
To create a VNet with a specific address prefix using the Azure CLI:
11. Exercises
1. What is the architectural purpose of creating multiple Subnets within a single VNet?
2. Explain how a Network Security Group (NSG) can be used to isolate a database tier from the public internet.
12. FAQs
Q: Do I pay for the VNet itself?
A: No, creating the VNet structure (Address Spaces, Subnets, NSGs) is completely free (up to 50 VNets). You only pay for the resources you put *inside* the VNet (like VMs) and the actual data (Egress) that flows out of it.
13. Interview Questions
- Q: Describe the architectural flow of isolating a backend database. How do you utilize Subnets, NSGs, and the absence of Public IPs to create a zero-trust network perimeter?
- Q: Your company needs to connect an existing Azure VNet (`10.1.0.0/16`) in the East US region to a newly acquired company's VNet (`10.2.0.0/16`) in the West Europe region. Detail the mechanism used to achieve this private connectivity and the routing requirements.