SkarpChapter 9 of 20
Azure Networking Fundamentals: Virtual Networks, Connectivity, and Security
Connect the dots between Azure resources, on-premises environments, and the internet using virtual networks, gateways, and basic security controls.
Big Picture: Why Azure Networking Matters
Where Networking Fits
Azure networking is the glue that lets resources talk to each other, to your on-premises environment, and to the public internet. It underpins how your apps actually communicate.
What AZ-900 Expects
You do not design complex networks for AZ-900, but you must know VNets, subnets, NSGs, VPN vs ExpressRoute, and public vs private endpoints at a conceptual level.
Mental Model
Think of a VNet as your private data center network in Azure, subnets as slices of that network, NSGs as basic firewalls, and VPN/ExpressRoute as bridges from on-prem to Azure.
Link to Service Models
Networking is core to IaaS, because virtual machines and related resources need IP connectivity. Even PaaS services often require decisions about public or private network access.
Azure Virtual Network (VNet): Your Private Network in Azure
What Is a VNet?
An Azure Virtual Network (VNet) is a logically isolated private network in Azure where you place resources like virtual machines and some PaaS services.
Isolation and Control
Each VNet is isolated from others by default. VNets do not talk to each other unless you configure connections such as VNet peering.
Address Space & Region
You assign private IP ranges (for example 10.0.0.0/16) to a VNet. A VNet exists in a single Azure region, alongside the resources deployed into it.
Analogy
Think of a VNet as renting an entire floor in a huge office building. You design the layout and control which rooms connect, while other tenants cannot access your floor by default.
Subnets: Slicing Your VNet
What Are Subnets?
Subnets divide a VNet’s IP address space into smaller segments. They help organize resources and apply different security controls to each segment.
Example Subnet Plan
In a 10.0.0.0/16 VNet, you might create 10.0.1.0/24 for web, 10.0.2.0/24 for app, and 10.0.3.0/24 for databases. Each subnet gets its own IP range.
Automatic IP Assignment
When you deploy a VM into a subnet, Azure assigns it a private IP from that subnet. The VM’s network interface is logically inside that subnet.
Exam Tips
Know that subnets live inside a VNet, group similar resources, and some services (like VPN gateways) require a dedicated subnet such as GatewaySubnet.
Network Security Groups (NSGs): Basic Traffic Filtering
What Is an NSG?
A Network Security Group is a set of rules that allow or deny inbound and outbound traffic to subnets or network interfaces in a VNet.
NSG Rule Components
Each rule has direction, source, destination, port, protocol, action (allow or deny), and a priority number that controls evaluation order.
Defaults and Overrides
Azure adds default rules, like allowing VNet internal traffic and denying internet inbound. Your custom rules with higher priority override these defaults.
Typical Use Case
Attach an NSG to a web subnet, allow inbound HTTP (80) from Internet, and ensure RDP (3389) is blocked from the Internet to protect your VMs.
Putting It Together: Simple 3-Tier VNet Design
Step 1: VNet
Create a VNet in East US with address space 10.10.0.0/16. This is your app’s private network in Azure.
Step 2: Subnets
Define three subnets: 10.10.1.0/24 (web), 10.10.2.0/24 (app), 10.10.3.0/24 (db). Each tier gets its own segment.
Step 3: NSGs
Attach Web-NSG, App-NSG, and DB-NSG to their subnets. Allow only the specific ports and source subnets each tier actually needs.
Step 4: Security Outcome
Internet users reach only the web tier. The app tier is reachable only from web, and the DB tier only from app, blocking direct internet access to sensitive resources.
Connecting VNets and Regions: VNet Peering (Conceptual)
What Is VNet Peering?
VNet peering links two VNets so resources can communicate over private IPs using Microsoft’s backbone network, not the public internet.
Types of Peering
You can peer VNets within the same region or across regions (global VNet peering), enabling private connectivity between them.
Important Behaviors
Peering is non-transitive and does not require a VPN gateway. NSGs still control which subnets and ports can communicate across the peering.
Analogy
Think of two separate office floors connected by a private staircase. People move between floors internally, while security still checks access at each door.
Hybrid Connectivity: Site-to-Site VPN vs ExpressRoute
Why Hybrid Connectivity?
Many organizations run some workloads on-premises and some in Azure. They need secure, reliable connections between these environments.
Site-to-Site VPN
Creates an encrypted tunnel over the public internet between your on-premises VPN device and an Azure VPN gateway in a GatewaySubnet.
ExpressRoute
Uses a private, dedicated connection via a connectivity provider. Traffic does not traverse the public internet and offers more predictable performance.
Exam Distinction
Internet-based encrypted tunnel → Site-to-Site VPN. Private dedicated circuit, not over internet → ExpressRoute. Match the scenario keywords to the right option.
Public IPs and Public Endpoints: Reaching the Internet
What Is a Public IP?
A public IP address lets a resource in Azure be reachable from the internet. It can be assigned to VMs, load balancers, and some other resources.
Public Endpoints on PaaS
Services like Azure Storage and Azure SQL Database expose public endpoints by default with DNS names, making them reachable over the internet.
Security Trade-offs
Public endpoints are convenient but increase attack surface. You mitigate risk with NSGs, service firewalls, and possibly a Web Application Firewall.
Exam Trap
Be cautious of options that expose sensitive resources like databases directly to the internet via public IPs when a private network path is possible.
Private Endpoints and Private Link: Keeping Traffic Private
What Is a Private Endpoint?
A private endpoint is a private IP in your VNet that connects directly to a specific Azure PaaS resource, such as a Storage account or SQL Database.
Traffic Flow
Traffic from your VNet to the service uses the private IP and Microsoft’s backbone network, not the public internet, improving security.
Why Use It?
Private endpoints reduce exposure of services, help meet compliance needs, and fit well with hybrid connectivity over VPN or ExpressRoute.
Exam Signal Words
Phrases like “private access from VNet” or “no internet exposure” typically point to private endpoints or Azure Private Link as the correct answer.
Quick Check: VNets, Subnets, and NSGs
Test your understanding of VNets, subnets, and NSGs with a short question.
You deploy several virtual machines that host a web application. You want to group them logically and apply the same inbound security rules to all of them. At the AZ-900 level, which combination of Azure features best fits this requirement?
- Place the VMs in the same VNet and assign each VM a public IP address.
- Place the VMs in the same subnet and associate a Network Security Group with that subnet.
- Create a separate VNet for each VM and peer all the VNets together.
- Use ExpressRoute to connect the VMs to your on-premises network.
Show Answer
Answer: B) Place the VMs in the same subnet and associate a Network Security Group with that subnet.
Placing the VMs in the same subnet and attaching an NSG to that subnet lets you group them logically and apply a shared set of inbound security rules. Public IPs expose them to the internet unnecessarily, separate VNets add complexity without benefit here, and ExpressRoute is about on-premises connectivity, not grouping and securing VMs in Azure.
Quick Check: Hybrid Connectivity and Endpoints
Test your understanding of VPN vs ExpressRoute and public vs private endpoints.
Your company needs a highly reliable, private connection from its on-premises data center to Azure that does not traverse the public internet. You also want to access Azure SQL Database using private IP addresses from your VNet. Which combination of technologies best meets these needs?
- Site-to-Site VPN and public endpoints
- ExpressRoute and private endpoints
- VNet peering and public IP addresses
- Network Security Groups and public endpoints
Show Answer
Answer: B) ExpressRoute and private endpoints
ExpressRoute provides a private, dedicated connection that does not use the public internet, and private endpoints allow services like Azure SQL Database to be accessed via private IPs in your VNet. Site-to-Site VPN uses the internet, and public endpoints expose services directly to the internet.
Thought Exercise: Choose the Right Connectivity and Security
Work through this scenario step by step. There is no single “correct” design, but the reasoning process mirrors AZ-900 questions.
Scenario
You are helping a small company move its 3-tier web app to Azure. Requirements:
- Users access the web app from the internet.
- The app tier and database tier must not be directly reachable from the internet.
- The company wants a secure but cost-effective connection from its office to Azure for admins to manage VMs.
- The database should not expose a public endpoint.
Your task
- VNet and subnets
- Which VNet address space might you choose (for example, 10.x.x.x or 192.168.x.x)?
- How would you split it into web, app, and database subnets?
- NSGs
- What rules would you place on the web subnet?
- What about the app and database subnets?
- Hybrid connectivity
- Given the need for “secure but cost-effective” admin access from the office, which option is more appropriate: Site-to-Site VPN or ExpressRoute? Why?
- Endpoints
- How would you make the web tier reachable from the internet?
- How would you keep the database private while allowing the app tier to reach it?
Pause and sketch your answers (mentally or on paper), then compare them to the patterns you have learned: VNets with subnets per tier, NSGs to restrict traffic, Site-to-Site VPN for affordable secure connectivity, and private endpoints or private IP-only access for the database.
Key Azure Networking Concepts: Flashcards
Use these flashcards to reinforce core terms and distinctions that frequently appear in AZ-900 questions.
- Azure Virtual Network (VNet)
- A logically isolated, private network in Azure where you define IP address spaces and place resources such as virtual machines and certain PaaS services.
- Subnet
- A subdivision of a VNet’s IP address space used to group resources and apply network security rules at a more granular level.
- Network Security Group (NSG)
- A set of inbound and outbound security rules that allow or deny traffic to subnets or network interfaces based on source, destination, port, and protocol.
- VNet Peering
- An Azure feature that connects two VNets so resources can communicate using private IPs over Microsoft’s backbone network, without using a VPN gateway.
- Site-to-Site VPN
- A secure, encrypted tunnel over the public internet between an on-premises VPN device and an Azure VPN gateway, used for hybrid connectivity.
- ExpressRoute
- A private, dedicated connection between on-premises networks and Azure that does not traverse the public internet and offers more predictable performance.
- Public IP / Public Endpoint
- An internet-facing address or entry point that allows resources or services in Azure to be accessed from the public internet.
- Private Endpoint (Azure Private Link)
- A private IP address in your VNet that securely connects to a specific Azure PaaS resource, enabling access over private networks instead of the public internet.
- GatewaySubnet
- A special subnet in a VNet reserved for Azure VPN gateways or ExpressRoute gateways, required for hybrid connectivity scenarios.
- Typical 3-tier layout in a VNet
- Separate subnets for web, app, and database tiers, with NSGs allowing only necessary traffic between tiers and blocking direct internet access to app and database tiers.
Wrap-Up and How This Maps to AZ-900 Prep
What You Learned
You explored VNets, subnets, NSGs, VNet peering, Site-to-Site VPN, ExpressRoute, and public vs private endpoints as core Azure networking tools.
Exam Focus
AZ-900 expects you to match scenarios to the right concept, not configure details. Pay attention to keywords like internet-based, private connection, and no public exposure.
Use Skarp Effectively
Run the diagnostic, attempt mock exams focused on networking, and rely on spaced review to keep these ideas fresh and exam-ready.
Connect to Other Domains
Whenever you see compute or data services, mentally place them in a VNet or behind an endpoint and consider how traffic reaches them securely.
Key Terms
- Subnet
- A subdivision of a VNet’s IP address space used to group resources and apply network security rules at a more granular level.
- ExpressRoute
- A private, dedicated connection between on-premises networks and Azure that does not traverse the public internet and offers more predictable performance.
- VNet Peering
- An Azure feature that connects two VNets so resources can communicate using private IPs over Microsoft’s backbone network, without using a VPN gateway.
- GatewaySubnet
- A special subnet in a VNet reserved for Azure VPN gateways or ExpressRoute gateways, required for hybrid connectivity scenarios.
- Public endpoint
- An internet-facing entry point to an Azure service, often represented by a DNS name and public IP address.
- Private endpoint
- A private IP address in your VNet that securely connects to a specific Azure PaaS resource, enabling access over private networks instead of the public internet.
- Site-to-Site VPN
- A secure, encrypted tunnel over the public internet between an on-premises VPN device and an Azure VPN gateway, used for hybrid connectivity.
- Public IP address
- An internet-routable IP address assigned to an Azure resource, enabling direct communication with the public internet.
- Azure Virtual Network (VNet)
- A logically isolated, private network in Azure where you define IP address spaces and place resources such as virtual machines and certain PaaS services.
- Network Security Group (NSG)
- A set of inbound and outbound security rules that allow or deny traffic to subnets or network interfaces based on source, destination, port, and protocol.