Last updated on October 23, 2023
Azure Virtual Network Cheat Sheet
- You can create a virtual network in the cloud dedicated to your Azure account. It is the fundamental building block where you can launch Azure resources.
- Azure VNet is the networking layer of Azure VMs.
- A VNet spans all the Availability Zones in the region. After creating a VNet, you can add one or more subnets in each Availability Zone.
Key Concepts
- A virtual network (VNet) allows you to specify an IP address range for the VNet, add subnets, associate network security groups, and configure route tables.
- A subnet is a range of IP addresses in your VNet. You can launch Azure resources into a specified subnet. Use a public subnet for resources that need to connect to the Internet and a private subnet for resources that won’t be connected to the Internet.
- To protect the Azure resources in each subnet, use network security groups.
VNet Use Case
- VNet with a single public subnet.
- VNet with public and private subnets (NAT).
Subnets
- When you create a VNet, you must specify a range of IPv4 addresses for the VNet in the form of a CIDR block (example: 10.0.0.0/16).
- A CIDR block must not overlap with any existing CIDR block that’s associated with your VNet.
- You can add multiple subnets in each Availability Zone of your VNet’s region.
- Types of subnets:
- Public subnet
- Private subnet
- Gateway subnet
- The CIDR block size of an IPv4 address is between a /16 netmask (65,536 IP addresses) and /29 netmask (8 IP addresses).
- The 5 reserved addresses in each CIDR block is not available for you to use, and cannot be assigned to any virtual machines.
- You can delegate a subnet to be used by a dedicated service.
Security
- Network Security Groups – controls the inbound and outbound traffic of Azure resources.
- The rules are processed from lowest to highest numbers.
- You can set a number between 100 and 4096.
- The rules can be applied to both inbound or outbound traffic.
- You can allow or deny incoming or outgoing traffic.
- When you create a network security group, Azure assigns default security rules for inbound and outbound traffic.
- Can be attached to a subnet or a network interface. Refrain from attaching a network security group to both subnet and network interface.
- You may use service tags on network security rules to minimize the complexity of frequent updates.
- Augmented security rules allow you to create a single rule with multiple source and destination IPs.
- Application Security Group – allows you to define a VMs group network security policy.
- You can use IP flow verify of Azure Network Watcher to check which network security rule allows or denies the traffic.
- With VNet service endpoint policy, you can filter the egress VNet traffic to Azure Storage.
VNet Components
- NAT Gateway
- Allows your virtual network resources to have an outbound-only connection.
- A NAT gateway resource can use up to 16 static IP addresses.
- You can use multiple subnets in a NAT gateway.
- Route tables are used to determine where network traffic is directed.
- A subnet can only be associated with one route table.
- If multiple routes contain the same address prefix, the selection will be based on the following priority: User-defined route, BGP route, and System route.
- You can connect VNets to each other using VNet peering.
- If you need to connect privately to a service, you can use Azure Private Endpoint powered by Azure Private Link.
VNet Peering
- Allows you to connect two virtual networks seamlessly. You can:
- Connect virtual networks in the same Azure region known as virtual network peering.
- Connect virtual networks across different Azure regions known as global virtual network peering.
- Ensure that your VNet address ranges do not overlap with one another. Plan accordingly before initiating the peer.
Azure Virtual Network Pricing
- You are charged for the public IP address and reserved IP address inside your VNet.
- You are charged for the ingress and egress data of VNet Peering.
- You are charged for the NAT gateway resource hours and data processed (per GB).
How to Connect Virtual Networks Across Azure regions with Azure Global VNet Peering
Want to learn more about Azure? Watch the official Microsoft Azure YouTube channel’s video series called Azure Tips and Tricks.
Validate Your Knowledge
Question 1
Question Type: Single choice
Which Azure Service enables various types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks?
- Microsoft Sentinel
- Azure Virtual Network
- Public IP
- Azure Content Delivery Network (CDN)
Question 2
Question Type: Single choice
You have the following virtual networks in your Azure subscription.
Virtual Network |
Address Space |
Subnet |
Azure Region |
TDVnet1 |
10.1.0.0/16 |
10.1.0.0/22 |
Southeast Asia |
TDVnet2 |
10.1.0.0/17 |
10.1.0.0/20 |
Southeast Asia |
TDVnet3 |
10.12.0.0/16 |
10.12.0.0/22 |
East Asia |
TDVnet4 |
172.16.0.0/17 |
172.16.0.0/20 |
West US |
Which of the following virtual networks can you establish a virtual network peering from TDVnet1
?
TDVnet2
onlyTDVnet3
andTDVnet4
onlyTDVnet2
,TDVnet3
andTDVnet4
TDVnet2
andTDVnet3
only
For more Azure practice exam questions with detailed explanations, check out the Tutorials Dojo Portal:
Azure Virtual Network Cheat Sheet References:
https://azure.microsoft.com/en-us/services/virtual-network/
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview