Azure Virtual Networks (VNet)

Quick Answer: Azure Virtual Network (VNet) enables Azure resources to communicate securely with each other, the internet, and on-premises networks. It is the fundamental networking building block in Azure, similar to a traditional network in a data center.

What Is a Virtual Network?

An Azure Virtual Network (VNet) is a logically isolated network in Azure that provides:

• Isolation — Each VNet is isolated from other VNets by default
• Communication — Resources within a VNet can communicate with each other
• Internet access — Resources can communicate with the internet (outbound by default)
• On-premises connectivity — Connect to on-premises networks via VPN or ExpressRoute
• Filtering — Control traffic flow with Network Security Groups and firewalls
• Routing — Custom routing tables to control where traffic goes

Key VNet Concepts

Subnets

Subnets divide a VNet into smaller, more manageable segments. Each subnet gets a portion of the VNet's address space.

Benefits of subnets:

• Organization — Group related resources together (e.g., web servers in one subnet, databases in another)
• Security — Apply different Network Security Groups (NSGs) to different subnets
• Traffic control — Route traffic between subnets through network virtual appliances

Example VNet layout:

Network Security Groups (NSGs)

Network Security Groups act as virtual firewalls that filter network traffic to and from Azure resources. They contain security rules that allow or deny inbound and outbound traffic.

NSG Rule Properties

Default rules (cannot be deleted but can be overridden):

• Allow inbound traffic from the same VNet
• Allow inbound traffic from Azure Load Balancer
• Deny all other inbound traffic
• Allow outbound traffic to the same VNet
• Allow outbound traffic to the internet
• Deny all other outbound traffic

On the Exam: NSGs can be applied at both the SUBNET level and the NIC (network interface) level. When applied at both levels, traffic must pass BOTH sets of rules. Subnet-level NSGs are the recommended best practice.

VNet Peering

VNet Peering connects two VNets so that resources in both networks can communicate using private IP addresses. Traffic between peered VNets travels over the Microsoft backbone network, never traversing the public internet.

Types of Peering

Key characteristics:

• Low latency, high bandwidth — Traffic stays on the Microsoft backbone
• Non-transitive — If VNet A is peered with VNet B and VNet B is peered with VNet C, VNet A and VNet C cannot communicate (unless directly peered)
• Cross-subscription — Peering works across different subscriptions and even different Azure AD tenants
• No downtime — Peering can be created without affecting existing resources

Azure DNS

Azure DNS hosts DNS domains on Azure infrastructure, providing name resolution using Microsoft's global network of DNS servers.

Key features:

• 100% availability SLA — Azure DNS uses a global anycast network
• Fast performance — Name resolution is handled by the nearest Azure DNS server
• Integration — Seamlessly integrates with other Azure services
• Private DNS zones — Provide name resolution within VNets (no custom DNS server needed)
• Alias record sets — Point directly to Azure resources (Traffic Manager, CDN, Public IP)

On the Exam: Azure DNS can host your domain's DNS records, but it does NOT support domain name purchasing. To buy a domain, use Azure App Service Domains or a third-party registrar.