Azure Virtual Network Cheat Sheet

You can create a virtual network in the cloud dedicated to your Azure account. It is the fundamental building block where you can launch Azure resources.
Azure VNet is the networking layer of Azure VMs.
A VNet spans all the Availability Zones in the region. After creating a VNet, you can add one or more subnets in each Availability Zone.

Key Concepts

A virtual network (VNet) allows you to specify an IP address range for the VNet, add subnets, associate network security groups, and configure route tables.
A subnet is a range of IP addresses in your VNet. You can launch Azure resources into a specified subnet. Use a public subnet for resources that need to connect to the Internet and a private subnet for resources that won’t be connected to the Internet.
To protect the Azure resources in each subnet, use network security groups.

VNet Use Case

VNet with a single public subnet.
VNet with public and private subnets (NAT).

Subnets

When you create a VNet, you must specify a range of IPv4 addresses for the VNet in the form of a CIDR block (example: 10.0.0.0/16).
A CIDR block must not overlap with any existing CIDR block that’s associated with your VNet.
You can add multiple subnets in each Availability Zone of your VNet’s region.
Types of subnets:
- Public subnet
- Private subnet
- Gateway subnet
The CIDR block size of an IPv4 address is between a /16 netmask (65,536 IP addresses) and /29 netmask (8 IP addresses).
The 5 reserved addresses in each CIDR block is not available for you to use, and cannot be assigned to any virtual machines.
You can delegate a subnet to be used by a dedicated service.

Security

Network Security Groups – controls the inbound and outbound traffic of Azure resources.
- The rules are processed from lowest to highest numbers.
- You can set a number between 100 and 4096.
- The rules can be applied to both inbound or outbound traffic.
- You can allow or deny incoming or outgoing traffic.
- When you create a network security group, Azure assigns default security rules for inbound and outbound traffic.
- Can be attached to a subnet or a network interface. Refrain from attaching a network security group to both subnet and network interface.
You may use service tags on network security rules to minimize the complexity of frequent updates.
Augmented security rules allow you to create a single rule with multiple source and destination IPs.
Application Security Group – allows you to define a VMs group network security policy.
You can use IP flow verify of Azure Network Watcher to check which network security rule allows or denies the traffic.
With VNet service endpoint policy, you can filter the egress VNet traffic to Azure Storage.

VNet Components

NAT Gateway
- Allows your virtual network resources to have an outbound-only connection.
- A NAT gateway resource can use up to 16 static IP addresses.
- You can use multiple subnets in a NAT gateway.
Route tables are used to determine where network traffic is directed.
- A subnet can only be associated with one route table.
- If multiple routes contain the same address prefix, the selection will be based on the following priority: User-defined route, BGP route, and System route.
You can connect VNets to each other using VNet peering.
If you need to connect privately to a service, you can use Azure Private Endpoint powered by Azure Private Link.

VNet Peering

Allows you to connect two virtual networks seamlessly. You can:
- Connect virtual networks in the same Azure region known as virtual network peering.
- Connect virtual networks across different Azure regions known as global virtual network peering.
Ensure that your VNet address ranges do not overlap with one another. Plan accordingly before initiating the peer.

Azure Virtual Network Pricing

You are charged for the public IP address and reserved IP address inside your VNet.
You are charged for the ingress and egress data of VNet Peering.
You are charged for the NAT gateway resource hours and data processed (per GB).

How to Connect Virtual Networks Across Azure regions with Azure Global VNet Peering

Want to learn more about Azure? Watch the official Microsoft Azure YouTube channel’s video series called Azure Tips and Tricks.

Validate Your Knowledge

Question 1

Question Type: Single choice

Which Azure Service enables various types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks?

Microsoft Sentinel
Azure Virtual Network
Public IP
Azure Content Delivery Network (CDN)

Show me the answer!

Correct Answer: 2

Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks. VNet is similar to a traditional network that you’d operate in your own data center but brings with it additional benefits of Azure’s infrastructure such as scale, availability, and isolation.

A Virtual Network (VNet) is a logical representation of your network in the cloud. It allows you to define your own private IP address space and segment the network into subnets. VNets serve as a trust boundary to host your compute resources such as Azure Virtual Machines and Cloud Services (web/worker roles). A VNet allows direct private IP communication between the resources hosted in it. You can link a virtual network to an on-premises network through a VPN Gateway or ExpressRoute.

Hence, the correct answer is: Azure Virtual Network.

Microsoft Sentinel is incorrect because this service just provides you with a birds-eye view across the enterprise. Sentinel provides a proactive and responsive cloud-native SIEM that will help customers simplify their security operations and scale as they grow.

Public IP is incorrect because this feature simply allows Internet traffic to communicate inbound to Azure resources. Public IP addresses enable Azure resources to communicate to the Internet and public-facing Azure services.

Azure Content Delivery Network (CDN) is incorrect because this is primarily used to accelerate the delivery of high-bandwidth content to customers worldwide—from applications and stored content to streaming video.

References:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-disaster-recovery-guidance

Note: This question was extracted from our AZ-900 Microsoft Azure Fundamentals Practice Exams.

Question 2

Question Type: Single choice

You have the following virtual networks in your Azure subscription.

Virtual Network	Address Space	Subnet	Azure Region
TDVnet1	10.1.0.0/16	10.1.0.0/22	Southeast Asia
TDVnet2	10.1.0.0/17	10.1.0.0/20	Southeast Asia
TDVnet3	10.12.0.0/16	10.12.0.0/22	East Asia
TDVnet4	172.16.0.0/17	172.16.0.0/20	West US

Which of the following virtual networks can you establish a virtual network peering from TDVnet1?

TDVnet2 only
TDVnet3 and TDVnet4 only
TDVnet2, TDVnet3 and TDVnet4
TDVnet2 and TDVnet3 only

Show me the answer!

Correct Answer: 2

Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks. VNet is similar to a traditional network that you’d operate in your own datacenter but brings with it additional benefits of Azure’s infrastructure such as scale, availability, and isolation.

Virtual network peering enables you to seamlessly connect two or more Virtual Networks in Azure. The virtual networks appear as one for connectivity purposes. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Like traffic between virtual machines in the same network, traffic is routed through Microsoft’s private network only.

Azure supports the following types of peering:

– Virtual network peering: Connect virtual networks within the same Azure region.

– Global virtual network peering: Connecting virtual networks across Azure regions.

Take note, the virtual networks you peer with must have non-overlapping IP address spaces.

Hence, the correct answer is: TDVnet3 and TDVnet4 only.

The following options are incorrect because the address space 10.1.0.0/17 of TDVnet2 overlaps with the address space 10.1.0.0/16 of TDVnet1. You need to plan ahead when you create your virtual network address spaces in the event that you will need to peer your virtual networks. You can always change the address space of a virtual network, but you need to make sure that the subnets within it must be contained to the new address space of your virtual network.

– TDVnet2 only

– TDVnet2, TDVnet3 and TDVnet4

– TDVnet2 and TDVnet3 only

References:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

Note: This question was extracted from our AZ-104 Microsoft Azure Administrator Practice Exams.

For more Azure practice exam questions with detailed explanations, check out the Tutorials Dojo Portal: