Azure Virtual Network (VNet)

Home » Azure Cheat Sheets » Azure Networking and Content Delivery » Azure Virtual Network (VNet)

Azure Virtual Network (VNet)

Last updated on October 23, 2023

Azure Virtual Network Cheat Sheet

  • You can create a virtual network in the cloud dedicated to your Azure account. It is the fundamental building block where you can launch Azure resources.
  • Azure VNet is the networking layer of Azure VMs.
  • A VNet spans all the Availability Zones in the region. After creating a VNet, you can add one or more subnets in each Availability Zone.

Key Concepts

  • A virtual network (VNet) allows you to specify an IP address range for the VNet, add subnets, associate network security groups, and configure route tables.
  • A subnet is a range of IP addresses in your VNet. You can launch Azure resources into a specified subnet. Use a public subnet for resources that need to connect to the Internet and a private subnet for resources that won’t be connected to the Internet.
  • To protect the Azure resources in each subnet, use network security groups.
Tutorials dojo strip

VNet Use Case

  • VNet with a single public subnet.
  • VNet with public and private subnets (NAT).

Subnets

  • When you create a VNet, you must specify a range of IPv4 addresses for the VNet in the form of a CIDR block (example: 10.0.0.0/16).
  • A CIDR block must not overlap with any existing CIDR block that’s associated with your VNet.
  • You can add multiple subnets in each Availability Zone of your VNet’s region.
  • Types of subnets:
    • Public subnet
    • Private subnet
    • Gateway subnet
  • The CIDR block size of an IPv4 address is between a /16 netmask (65,536 IP addresses) and /29 netmask (8 IP addresses).
  • The 5 reserved addresses in each CIDR block is not available for you to use, and cannot be assigned to any virtual machines.
  • You can delegate a subnet to be used by a dedicated service.

Security

  • Network Security Groups – controls the inbound and outbound traffic of Azure resources.
    • The rules are processed from lowest to highest numbers. 
    • You can set a number between 100 and 4096. 
    • The rules can be applied to both inbound or outbound traffic.
    • You can allow or deny incoming or outgoing traffic.
    • When you create a network security group, Azure assigns default security rules for inbound and outbound traffic.
    • Can be attached to a subnet or a network interface. Refrain from attaching a network security group to both subnet and network interface.
  • You may use service tags on network security rules to minimize the complexity of frequent updates.
  • Augmented security rules allow you to create a single rule with multiple source and destination IPs.
  • Application Security Group – allows you to define a VMs group network security policy.
  • You can use IP flow verify of Azure Network Watcher to check which network security rule allows or denies the traffic.
  • With VNet service endpoint policy, you can filter the egress VNet traffic to Azure Storage.

VNet Components

  • NAT Gateway 
    • Allows your virtual network resources to have an outbound-only connection.
    • A NAT gateway resource can use up to 16 static IP addresses.
    • You can use multiple subnets in a NAT gateway.
  • Route tables are used to determine where network traffic is directed.
    • A subnet can only be associated with one route table.
    • If multiple routes contain the same address prefix, the selection will be based on the following priority: User-defined route, BGP route, and System route.
  • You can connect VNets to each other using VNet peering.
  • If you need to connect privately to a service, you can use Azure Private Endpoint powered by Azure Private Link.

VNet Peering

  • Allows you to connect two virtual networks seamlessly. You can: 
    • Connect virtual networks in the same Azure region known as virtual network peering.
    • Connect virtual networks across different Azure regions known as global virtual network peering.
  • Ensure that your VNet address ranges do not overlap with one another. Plan accordingly before initiating the peer.

Azure Virtual Network Pricing

  • You are charged for the public IP address and reserved IP address inside your VNet.
  • You are charged for the ingress and egress data of VNet Peering.
  • You are charged for the NAT gateway resource hours and data processed (per GB).

How to Connect Virtual Networks Across Azure regions with Azure Global VNet Peering

Want to learn more about Azure? Watch the official Microsoft Azure YouTube channel’s video series called Azure Tips and Tricks.

Validate Your Knowledge

Question 1

Question Type: Single choice

Which Azure Service enables various types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks?

  1. Microsoft Sentinel
  2. Azure Virtual Network
  3. Public IP
  4. Azure Content Delivery Network (CDN)

Correct Answer: 2

Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks. VNet is similar to a traditional network that you’d operate in your own data center but brings with it additional benefits of Azure’s infrastructure such as scale, availability, and isolation.

A Virtual Network (VNet) is a logical representation of your network in the cloud. It allows you to define your own private IP address space and segment the network into subnets. VNets serve as a trust boundary to host your compute resources such as Azure Virtual Machines and Cloud Services (web/worker roles). A VNet allows direct private IP communication between the resources hosted in it. You can link a virtual network to an on-premises network through a VPN Gateway or ExpressRoute.

Hence, the correct answer is: Azure Virtual Network.

Microsoft Sentinel is incorrect because this service just provides you with a birds-eye view across the enterprise. Sentinel provides a proactive and responsive cloud-native SIEM that will help customers simplify their security operations and scale as they grow.

Public IP is incorrect because this feature simply allows Internet traffic to communicate inbound to Azure resources. Public IP addresses enable Azure resources to communicate to the Internet and public-facing Azure services. 

Azure Content Delivery Network (CDN) is incorrect because this is primarily used to accelerate the delivery of high-bandwidth content to customers worldwide—from applications and stored content to streaming video.

References: 

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-disaster-recovery-guidance

Note: This question was extracted from our AZ-900 Microsoft Azure Fundamentals Practice Exams.

Question 2

Question Type: Single choice

AWS Exam Readiness Courses

You have the following virtual networks in your Azure subscription.

Virtual Network

Address Space

Subnet

Azure Region

TDVnet1

10.1.0.0/16

10.1.0.0/22

Southeast Asia

TDVnet2

10.1.0.0/17

10.1.0.0/20

Southeast Asia

TDVnet3

10.12.0.0/16

10.12.0.0/22

East Asia

TDVnet4

172.16.0.0/17

172.16.0.0/20

West US

 

Which of the following virtual networks can you establish a virtual network peering from TDVnet1?

  1. TDVnet2 only
  2. TDVnet3 and TDVnet4 only
  3. TDVnet2, TDVnet3 and TDVnet4
  4. TDVnet2 and TDVnet3 only

Correct Answer: 2

Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks. VNet is similar to a traditional network that you’d operate in your own datacenter but brings with it additional benefits of Azure’s infrastructure such as scale, availability, and isolation.

Virtual network peering enables you to seamlessly connect two or more Virtual Networks in Azure. The virtual networks appear as one for connectivity purposes. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Like traffic between virtual machines in the same network, traffic is routed through Microsoft’s private network only.

Azure supports the following types of peering:

– Virtual network peering: Connect virtual networks within the same Azure region.

– Global virtual network peering: Connecting virtual networks across Azure regions.

Take note, the virtual networks you peer with must have non-overlapping IP address spaces.

Hence, the correct answer is: TDVnet3 and TDVnet4 only.

The following options are incorrect because the address space 10.1.0.0/17 of TDVnet2 overlaps with the address space 10.1.0.0/16 of TDVnet1. You need to plan ahead when you create your virtual network address spaces in the event that you will need to peer your virtual networks. You can always change the address space of a virtual network, but you need to make sure that the subnets within it must be contained to the new address space of your virtual network.

TDVnet2 only

TDVnet2, TDVnet3 and TDVnet4

TDVnet2 and TDVnet3 only

References: 

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

Note: This question was extracted from our AZ-104 Microsoft Azure Administrator Practice Exams.

For more Azure practice exam questions with detailed explanations, check out the Tutorials Dojo Portal:

Microsoft Azure Practice Exams Tutorials Dojo

Azure Virtual Network Cheat Sheet References:

https://azure.microsoft.com/en-us/services/virtual-network/
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

Tutorials Dojo portal

Be Inspired and Mentored with Cloud Career Journeys!

Tutorials Dojo portal

Enroll Now – Our Azure Certification Exam Reviewers

azure reviewers tutorials dojo

Enroll Now – Our Google Cloud Certification Exam Reviewers

Tutorials Dojo Exam Study Guide eBooks

tutorials dojo study guide eBook

FREE AWS Exam Readiness Digital Courses

Subscribe to our YouTube Channel

Tutorials Dojo YouTube Channel

FREE Intro to Cloud Computing for Beginners

FREE AWS, Azure, GCP Practice Test Samplers

Recent Posts

Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.

AWS, Azure, and GCP Certifications are consistently among the top-paying IT certifications in the world, considering that most companies have now shifted to the cloud. Earn over $150,000 per year with an AWS, Azure, or GCP certification!

Follow us on LinkedIn, YouTube, Facebook, or join our Slack study group. More importantly, answer as many practice exams as you can to help increase your chances of passing your certification exams on your first try!

View Our AWS, Azure, and GCP Exam Reviewers Check out our FREE courses

Our Community

~98%
passing rate
Around 95-98% of our students pass the AWS Certification exams after training with our courses.
200k+
students
Over 200k enrollees choose Tutorials Dojo in preparing for their AWS Certification exams.
~4.8
ratings
Our courses are highly rated by our enrollees from all over the world.

What our students say about us?