Azure Virtual Network (VNet)

Networking is the backbone of any cloud architecture. Azure Virtual Network (VNet) is the fundamental networking service in Azure that allows Azure resources — like virtual machines, databases, and app services — to securely communicate with each other, with the internet, and with on-premises networks.

Think of a VNet as a private, isolated network that exists inside Azure — similar to a private office LAN (Local Area Network) but hosted in the cloud. Resources inside a VNet can talk to each other privately without going through the public internet.

What is an Azure Virtual Network?

An Azure Virtual Network is a logically isolated section of the Azure cloud where Azure resources are deployed. It provides a private IP address space, subnets, routing, and security controls — all configurable by the user.

Key Properties of a VNet

  • Defined by an IP address range in CIDR notation (e.g., 10.0.0.0/16)
  • Scoped to a single Azure region — one VNet cannot span multiple regions
  • Can contain multiple subnets
  • Resources in the same VNet can communicate by default using private IPs
  • Isolated from other VNets unless explicitly connected via VNet Peering

VNet Structure and Subnets

A VNet is divided into smaller segments called subnets. Each subnet gets a portion of the VNet's IP address range. Subnets are used to separate different layers of an application and apply different security rules to each layer.

Diagram – VNet and Subnet Structure

  VNet: 10.0.0.0/16  (65,536 available IPs)
  │
  ├── Subnet: WebTier    → 10.0.1.0/24  (256 IPs)
  │   └── Virtual Machines (Web Servers)
  │
  ├── Subnet: AppTier    → 10.0.2.0/24  (256 IPs)
  │   └── Virtual Machines (API Servers)
  │
  ├── Subnet: DataTier   → 10.0.3.0/24  (256 IPs)
  │   └── Azure SQL Database (Managed Instance)
  │
  └── Subnet: GatewaySubnet → 10.0.4.0/27  (Reserved for VPN/ExpressRoute Gateway)

Why Use Subnets?

BenefitDescription
SegmentationSeparate web, app, and database tiers to limit blast radius of a breach
SecurityApply different Network Security Groups (NSGs) to each subnet
Traffic ControlUse route tables to direct traffic between subnets through a firewall
IP ManagementAllocate IP ranges logically to different application layers

Network Security Groups (NSG)

A Network Security Group acts as a virtual firewall for resources inside a VNet. It contains a list of security rules that allow or deny inbound and outbound traffic based on source IP, destination IP, port, and protocol.

NSG Rule Components

FieldDescriptionExample
PriorityLower number = higher priority. Rules are evaluated in priority order (100–4096)100
NameDescriptive label for the ruleAllow-HTTP
DirectionInbound (traffic coming into the resource) or OutboundInbound
SourceIP address or range that traffic comes from. "*" means any.* (Any)
Destination PortThe port being targeted80 (HTTP), 443 (HTTPS)
ProtocolTCP, UDP, ICMP, or AnyTCP
ActionAllow or DenyAllow

Example: NSG for a Web Server

  Inbound Rules:
  Priority | Name          | Port  | Protocol | Source    | Action
  ---------|---------------|-------|----------|-----------|--------
  100      | Allow-HTTPS   | 443   | TCP      | *         | Allow
  110      | Allow-HTTP    | 80    | TCP      | *         | Allow
  120      | Allow-SSH     | 22    | TCP      | 203.0.1.5 | Allow   ← Admin IP only
  65500    | DenyAllInbound| *     | *        | *         | Deny    ← Default deny rule

Public and Private IP Addresses in Azure

TypeDescriptionUse Case
Private IPIP assigned from the VNet address space. Only accessible within the VNet or connected networks.Communication between VMs, databases, and internal services
Public IPIP accessible from the internet. Attached to a NIC, Load Balancer, or VPN Gateway.Hosting a public-facing website or API
Static IPIP that does not change even when the resource is stopped and restartedDNS records, SSL certificates, firewall rules that depend on a fixed IP
Dynamic IPIP that may change when the resource is stoppedDev/test environments where the IP does not need to stay the same

VNet Peering

VNet Peering connects two VNets so that resources in each VNet can communicate using private IP addresses, as if they were on the same network. Traffic between peered VNets travels over Microsoft's internal backbone network — not the public internet.

Types of Peering

  • VNet Peering: Connects two VNets in the same Azure region.
  • Global VNet Peering: Connects two VNets in different Azure regions.

Diagram – VNet Peering

  VNet-A (East US)          VNet-B (West US)
  10.0.0.0/16       ←───►   10.1.0.0/16
  │                          │
  ├── VM-1 (10.0.1.4)        ├── VM-3 (10.1.1.4)
  └── VM-2 (10.0.1.5)        └── VM-4 (10.1.1.5)

  After peering: VM-1 can reach VM-3 using private IP 10.1.1.4
  (Traffic stays on Microsoft backbone, not public internet)

Connecting Azure to On-Premises

Many organizations need their Azure VNet to connect to their physical office network. Azure provides two options:

VPN Gateway

A VPN Gateway creates an encrypted tunnel over the public internet between the Azure VNet and the on-premises network. It is cost-effective for moderate bandwidth requirements.

  • Site-to-Site VPN: Permanent connection between an on-premises VPN device and Azure.
  • Point-to-Site VPN: Individual user connects their laptop to Azure VNet over VPN (like a remote worker VPN).

Azure ExpressRoute

ExpressRoute is a dedicated private connection between an on-premises network and Azure, set up through a connectivity provider (like a telecom company). Traffic does not go over the public internet at all, providing higher security, reliability, and bandwidth than a VPN.

FeatureVPN GatewayExpressRoute
Connection PathEncrypted tunnel over public internetDedicated private connection via provider
SpeedUp to 10 GbpsUp to 100 Gbps
CostLowerHigher (requires provider contract)
SLA99.9% uptime99.95% uptime
Best ForSmall to mid-size businessesEnterprises with high bandwidth and compliance requirements

Service Endpoints and Private Endpoints

Service Endpoint

A service endpoint extends a VNet's private IP space to Azure services like Storage and SQL Database. Traffic from the VNet to those services travels over Microsoft's backbone without going through the public internet, but the service still has a public IP.

Private Endpoint

A private endpoint gives an Azure service (like Azure SQL Database or Azure Blob Storage) a private IP address inside the VNet. The service is now fully accessible only through the private network, not the public internet at all. This is the most secure option.

Key Takeaways

  • Azure VNet is a private, isolated network inside Azure with a configurable IP address range.
  • Subnets divide a VNet into segments for different application tiers or teams.
  • Network Security Groups (NSGs) act as virtual firewalls with allow/deny rules based on IP, port, and protocol.
  • VNet Peering connects VNets within or across regions using Microsoft's private backbone.
  • VPN Gateway provides encrypted connectivity to on-premises over the internet; ExpressRoute provides a dedicated private line.
  • Private Endpoints give Azure services a private IP inside a VNet for the most secure connectivity.
Previous lessons
Back to courses
Next lessons

Leave a Comment