Service 24

Virtual Network

Networking

A Virtual Network is the private, isolated network for your Azure resources — a regional address space you carve into subnets, where VMs, databases, and private endpoints attach. Nothing routes in or out except through the rules and gateways you define. It is the boundary almost everything else in Azure builds on.

The address plan still deserves care up front. You can now add or modify a VNet's address ranges even while it is peered (the peering re-syncs), but overlapping ranges between VNets you want to connect remain unfixable except by renumbering one side — peering and on-premises connectivity simply refuse to establish across an overlap. Plan the address space before you create anything, with room for the subnets and growth you have not designed yet.

Address Space and Subnets

A VNet has one or more CIDR address ranges, divided into subnets that group resources and apply routing and security. Subnets reserve five addresses each for Azure's use, and some services (like a VPN gateway or a Managed Instance) require their own dedicated subnet. Size subnets for growth — resizing a populated subnet is disruptive, and running out of addresses mid-project is a self-inflicted outage.

Virtual Network — Subnets by Tier

VNet · 10.0.0.0/16

Web subnetpublic-facing tier · NSG

App subnetprivate app tier · NSG

Data subnetprivate endpoints · no inbound internet

One regional address space, carved into subnets per tier. Each subnet gets its own NSG and route rules, and the data tier reaches PaaS over private endpoints rather than the public internet.

Network Security Groups

A Network Security Group is a stateful set of allow and deny rules, attached to a subnet or a network interface, filtering traffic by source, destination, port, and protocol. Because it is stateful, a return packet for an allowed flow is permitted automatically. NSGs are the basic segmentation primitive — least-privilege rules at the subnet boundary, not a default-allow posture.

Peering and Connectivity

VNet peering joins two VNets into one low-latency, privately routed network, within or across regions. Peering refuses to establish across overlapping address ranges — the concrete reason address planning comes first. Peering is non-transitive: if hub peers with spoke A and spoke B, A and B do not reach each other through the hub without a route and a network virtual appliance or gateway.

Private and Service Endpoints

A private endpoint gives a PaaS service (a storage account, a SQL database) a private IP inside your VNet, so traffic to it never touches the public internet. A service endpoint instead extends the subnet's identity to the service over the Azure backbone. Private endpoints are the stronger, more general model and the modern default for keeping PaaS traffic private.

Routing

Azure provides default system routes; a user-defined route table overrides them to force traffic through a next hop — typically a firewall or network virtual appliance for inspection. Forced tunneling sends internet-bound traffic back on-premises for inspection. Custom routing is how you insert security and control into the path, at the cost of complexity you must maintain.

Common Mistakes

Choosing overlapping CIDR ranges across VNets you later want to peer or connect on-premises — peering refuses, and the only fix is renumbering one side.
Sizing subnets with no headroom, then needing to resize a populated subnet — disruptive — or running out of addresses mid-project.
Assuming peering is transitive, so two spokes silently cannot reach each other through a shared hub without explicit routing.
Leaving NSGs permissive or absent instead of applying least-privilege rules at the subnet boundary.
Exposing PaaS services on public endpoints when a private endpoint would keep the traffic on the VNet.
Forgetting that gateway subnets and some services need their own dedicated subnet, then having to rework the address plan.

Best Practices

Plan the address space up front with non-overlapping ranges and room for growth before creating any resources.
Apply least-privilege NSG rules at subnet boundaries; never run a default-allow posture.
Use private endpoints to keep PaaS traffic off the public internet.
Remember peering is non-transitive — route spoke-to-spoke traffic through the hub deliberately with a firewall or gateway.
Reserve dedicated subnets for gateways, firewalls, and services that require them.
Use user-defined routes to force traffic through inspection points where security requires it.

Comparable servicesAWS VPCGCP VPC

Knowledge Check

Why is the VNet address plan the decision to get right first?

Overlapping ranges block peering and on-premises connectivity later, with no fix but renumbering one side
The chosen address range permanently fixes the VNet's region at creation time and can never be changed afterward
A larger CIDR range is always billed at a proportionally higher rate
Subnets can never be added once the VNet has been created

Hub peers with spoke A and spoke B, but A and B cannot reach each other. Why?

VNet peering is non-transitive; spoke-to-spoke traffic needs explicit routing through the hub
VNet peering only works within a single region and can never span across two separate Azure regions
NSGs silently block all peered spoke traffic by default
The two spokes were given identical overlapping address ranges

What does a private endpoint provide for a PaaS service like a storage account?

A private IP inside the VNet so traffic to the service avoids the public internet
A second public IP address for frontend redundancy
Automatic cross-region replication of the service's stored data
A dedicated, locked NSG that can never be modified, edited, or removed later on at all

You got correct