2.6 Azure Virtual Networks (VNet)

Key Takeaways

  • An Azure Virtual Network (VNet) is the fundamental building block for private networking; it is scoped to a single region and a single subscription.
  • A VNet is defined by one or more private CIDR address ranges (RFC 1918), and subnets must be non-overlapping subsets that fit inside that space.
  • Network Security Groups (NSGs) filter Layer 3/4 traffic with priority-ordered allow/deny rules (100-4096) and attach to subnets or NICs.
  • VNet peering connects two VNets over the Microsoft backbone using private IPs and is NOT transitive.
  • Service endpoints keep traffic to PaaS on the backbone; private endpoints give a PaaS service a private IP inside your VNet.
Last updated: June 2026

Quick Answer: An Azure Virtual Network (VNet) is a logically isolated, software-defined network scoped to one Azure region and one subscription. It lets your resources talk to each other, to the internet, and to on-premises networks using private IP addresses you control.

What a Virtual Network Is

A Virtual Network (VNet) is the data-center network you would have racked and cabled on-premises, delivered as software. On AZ-900 you must know its hard boundaries: a VNet lives in exactly one region and one subscription, and resources in different regions cannot share a VNet (you connect them with peering instead).

You define a VNet by assigning one or more address spaces in CIDR (Classless Inter-Domain Routing) notation, normally from the private RFC 1918 ranges: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. A /16 such as 10.1.0.0/16 yields 65,536 addresses.

Subnets and Reserved Addresses

A VNet is carved into subnets, each a non-overlapping CIDR block inside the VNet's space. Azure reserves 5 IP addresses in every subnet, so a /24 (256 total) gives you only 251 usable addresses:

  Address in a /24  | Reserved use
  x.x.x.0           | Network address
  x.x.x.1           | Default gateway
  x.x.x.2, x.x.x.3  | Azure DNS mapping
  x.x.x.255         | Broadcast

A classic exam trap: a question asks how many usable IPs a /24 subnet provides — the answer is 251, not 256, because of these five reservations. The smallest deployable subnet is a /29 (8 addresses, 3 usable).
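The address arithmetic above, as an added example (not from the original page): a small planner that checks subnets against a VNet address space, enforces the /29 minimum, and reports usable hosts after Azure's five reservations. The VNet and subnet CIDRs in the sample are constructed.

```python
import ipaddress

AZURE_RESERVED_PER_SUBNET = 5   # .0, .1, .2, .3 and the broadcast address
SMALLEST_AZURE_PREFIX = 29      # /29 (8 addresses, 3 usable) is the smallest Azure subnet


def reserved_addresses(cidr: str) -> dict:
    """Map each address Azure reserves in the subnet to its purpose."""
    addrs = list(ipaddress.ip_network(cidr))  # every address, first to last
    return {
        str(addrs[0]): "network address",
        str(addrs[1]): "default gateway",
        str(addrs[2]): "Azure DNS mapping",
        str(addrs[3]): "Azure DNS mapping",
        str(addrs[-1]): "broadcast",
    }


def usable_addresses(cidr: str) -> int:
    """Usable IPs in an Azure subnet: total size minus the five reserved."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen > SMALLEST_AZURE_PREFIX:
        raise ValueError(f"{cidr}: Azure subnets must be /29 or larger")
    return net.num_addresses - AZURE_RESERVED_PER_SUBNET


def plan_vnet(address_spaces, subnets) -> dict:
    """Check that each subnet fits inside the VNet address space, that no two
    subnets overlap, and that each meets the /29 minimum.  Returns the list
    of problems found plus the usable-host count for every valid subnet."""
    spaces = [ipaddress.ip_network(s) for s in address_spaces]
    nets = [ipaddress.ip_network(s) for s in subnets]
    errors, usable = [], {}
    for n in nets:
        if not any(n.subnet_of(space) for space in spaces):
            errors.append(f"{n} lies outside the VNet address space")
        elif n.prefixlen > SMALLEST_AZURE_PREFIX:
            errors.append(f"{n} is smaller than the /29 minimum")
        else:
            usable[str(n)] = usable_addresses(str(n))
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                errors.append(f"{a} overlaps {b}")
    return {"errors": errors, "usable": usable}


if __name__ == "__main__":
    # Constructed sample: one /16 VNet with two good /24 subnets and one bad /30.
    print(plan_vnet(["10.1.0.0/16"], ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/30"]))
```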

Default Routing and Network Security Groups

Every subnet gets Azure-provided system routes automatically: resources can reach each other inside the VNet, reach peered VNets, and reach the internet for outbound traffic with no configuration. You override these with a route table (User-Defined Route, UDR) when you must force traffic through an appliance such as a firewall.

A Network Security Group (NSG) is the stateful, Layer-3/4 packet filter. It holds security rules evaluated by priority (100-4096, lowest number wins), each specifying source, source port, destination, destination port, protocol (TCP/UDP/Any), and Allow or Deny. Because NSGs are stateful, an allowed inbound flow's return traffic is permitted automatically.

Key NSG facts for the exam:

  • An NSG attaches to a subnet, a network interface (NIC), or both; when both apply, inbound traffic must pass the subnet NSG then the NIC NSG.
  • Every NSG has default rules you cannot delete: inbound AllowVNetInBound, AllowAzureLoadBalancerInBound, and DenyAllInBound; outbound AllowVNetOutBound, AllowInternetOutBound, and DenyAllOutBound.
  • The implicit final rule is deny all — if no higher-priority rule allows a flow, it is dropped.

Worked example: To expose a web server on port 443 from the internet you add an inbound rule, e.g. priority 300, source Internet, destination port 443, protocol TCP, action Allow. Without it, the default DenyAllInBound rule (priority 65500) blocks the request. To allow only your office, set source to your public IP/CIDR instead of Internet.

Connecting VNets: Peering

VNet peering links two VNets so resources communicate using private IP addresses over the Microsoft backbone — never the public internet, giving low latency and high bandwidth. Two flavors exist:

  Peering type           | Scope
  Regional VNet peering  | VNets in the same Azure region
  Global VNet peering    | VNets in different regions

The single most-tested rule: peering is not transitive. If A peers with B and B peers with C, A and C still cannot talk unless you peer A and C directly (or route through a hub VNet running a gateway/firewall). A common trap answer claims peering is automatically transitive — it is not.
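The non-transitivity rule as an added reachability model (not from the page): peerings are bidirectional edges, and a path may only pass through a VNet named as a transit hub, standing in for a hub that runs a gateway or firewall with the spokes' routes pointing at it. The VNet names are constructed.

```python
from collections import deque


def can_communicate(peerings, transit_hubs, src, dst) -> bool:
    """True when src can reach dst.

    peerings    : (vnet_a, vnet_b) pairs; each peering is bidirectional
                  but NOT transitive on its own.
    transit_hubs: VNets assumed to run a gateway/firewall that forwards
                  spoke-to-spoke traffic (the hub-and-spoke workaround).
    """
    adj = {}
    for a, b in peerings:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt == dst:
                return True            # directly peered with the current hop
            # Continue only through a transit hub; a plain peered VNet
            # does not forward traffic for its other peers.
            if nxt in transit_hubs and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False
```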

Securing PaaS Access: Service Endpoints vs. Private Endpoints

By default, PaaS services like Azure Storage and Azure SQL Database are reached over public endpoints. Two features bring that traffic into your private network, and AZ-900 loves to contrast them:

  Feature           | What it does                                                                                   | Result
  Service endpoint  | Extends the VNet identity to the PaaS service so traffic stays on the Microsoft backbone       | Service keeps its public IP; you restrict it to specific subnets
  Private endpoint  | Deploys a network interface with a private IP inside your subnet that maps to the PaaS resource | Service is reachable by private IP; public access can be disabled

Use a private endpoint when the requirement is "the storage account must have a private IP" or "no public exposure at all." Use a service endpoint when you simply want to lock a PaaS resource to traffic originating from named subnets without paying for per-endpoint resources.

Name Resolution: Azure DNS

Azure DNS hosts your public DNS zones on Microsoft's global anycast name servers and carries a 100% availability SLA for DNS query responses — one of the few Azure services with a 100% SLA. For internal records, Azure Private DNS zones resolve names within and across linked VNets without a custom DNS server.

Common Traps to Memorize

  • A VNet cannot span regions — use global peering or a VPN/ExpressRoute connection instead.
  • A /24 subnet has 251 usable IPs, not 256.
  • Peering is non-transitive; a hub-and-spoke design needs a gateway or firewall in the hub for spoke-to-spoke traffic.
  • NSGs filter at Layer 3/4; they do not inspect HTTP paths — that is Application Gateway's job (covered in 2.8).
  • A private endpoint gives the PaaS service a private IP; a service endpoint does not.

Test Your Knowledge

  • How many usable IP addresses does a /24 subnet provide in an Azure VNet?
  • VNet A is peered with VNet B, and VNet B is peered with VNet C. Can resources in VNet A communicate with resources in VNet C by default?
  • A team requires that an Azure Storage account be reachable only through a private IP address inside their subnet, with no public access. Which feature meets this requirement?
  • What does a Network Security Group (NSG) do?