You are viewing a free preview of this lesson.
Subscribe to unlock all 10 lessons in this course and every other course on LearningBro.
Azure Virtual Networks (VNets)
Azure Virtual Networks (VNets)
An Azure Virtual Network (VNet) is the fundamental building block for private networking in Azure. It enables Azure resources — virtual machines, databases, web apps, and more — to communicate securely with each other, the internet, and on-premises networks. Every Azure deployment that involves networking starts with a VNet, making it the first topic you need to master.
What Is a Virtual Network?
A VNet is a logically isolated network within the Azure cloud. Think of it as your own private data-centre network, but hosted entirely in Azure. When you create a VNet you define an address space using CIDR notation, for example 10.0.0.0/16. All resources deployed inside the VNet receive IP addresses from this range.
Key characteristics of a VNet:
- Regional — a VNet exists in a single Azure region.
- Subscription-scoped — a VNet belongs to one subscription and one resource group.
- Isolated by default — traffic between two VNets is blocked unless you explicitly connect them (via peering, VPN, or other means).
- Free — there is no charge for creating a VNet itself, though resources inside it and data transfer may incur costs.
Address Spaces and CIDR
When you create a VNet you assign one or more address spaces in CIDR format. The address space defines the pool of private IP addresses available:
| CIDR Block | Usable IPs (approx.) | Typical Use |
|---|---|---|
10.0.0.0/16 |
~65,000 | Large VNet for enterprise workloads |
10.1.0.0/24 |
251 | Small VNet or single subnet |
172.16.0.0/12 |
~1 million | Very large environment |
192.168.0.0/16 |
~65,000 | Common in hybrid scenarios |
You can add multiple address spaces to a single VNet, but they must not overlap with each other or with any connected network (peered VNets, on-premises ranges).
Best practice: Plan your IP address scheme before you create any VNets. Overlapping address spaces are one of the most common mistakes and are painful to fix later.
Creating a VNet
Azure Portal
- Navigate to Create a resource > Networking > Virtual Network.
- Enter a name, region, and resource group.
- Define at least one address space (e.g.
10.0.0.0/16). - Add one or more subnets.
- Review and create.
Azure CLI
az network vnet create \
--resource-group myResourceGroup \
--name myVNet \
--address-prefix 10.0.0.0/16 \
--subnet-name default \
--subnet-prefix 10.0.0.0/24 \
--location uksouth
Bicep
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
name: 'myVNet'
location: 'uksouth'
properties: {
addressSpace: {
addressPrefixes: ['10.0.0.0/16']
}
subnets: [
{
name: 'default'
properties: {
addressPrefix: '10.0.0.0/24'
}
}
]
}
}
VNet Capabilities
DNS Resolution
By default, Azure provides built-in DNS for name resolution within a VNet. VMs within the same VNet can resolve each other by hostname automatically. You can also configure custom DNS servers or use Azure DNS Private Zones for more control.
Internet Access
By default, all resources in a VNet can make outbound connections to the internet. Inbound access from the internet requires a public IP address, load balancer, or Application Gateway.
Service Endpoints and Private Endpoints
- Service endpoints extend your VNet's identity to Azure PaaS services (Storage, SQL, Key Vault), allowing traffic to travel over the Azure backbone instead of the public internet.
- Private endpoints go further by assigning a private IP address from your VNet to the PaaS service, making it appear as a resource inside your network.
| Feature | Service Endpoint | Private Endpoint |
|---|---|---|
| Traffic path | Azure backbone | Azure backbone |
| IP address | Service uses public IP | Service gets a private IP in your VNet |
| DNS changes | None | Requires Private DNS Zone |
| Access from on-premises | Not directly | Yes, via VPN or ExpressRoute |
VNet Architecture Patterns
Hub-and-Spoke
The hub-and-spoke topology is the most common enterprise pattern:
Spoke VNet 1
|
Hub VNet --- Spoke VNet 2
|
On-premises (via VPN/ExpressRoute)
|
Spoke VNet 3
- The hub contains shared services: firewall, VPN gateway, Azure Bastion, and DNS.
- Each spoke contains workload resources and peers with the hub.
- Spokes do not peer with each other directly; traffic between spokes is routed through the hub firewall.
Single VNet
For smaller deployments, a single VNet with multiple subnets is simpler and sufficient. You segment workloads by subnet and control traffic with Network Security Groups.
VNet Limits
| Resource | Default Limit |
|---|---|
| VNets per subscription per region | 1,000 |
| Address spaces per VNet | 500 |
| Subnets per VNet | 3,000 |
| VNet peerings per VNet | 500 |
| Private endpoints per VNet | 1,000 |
These limits are generous for most workloads but can be increased via a support request if needed.
Summary
Azure Virtual Networks are the foundation of all networking in Azure. They provide isolated, configurable, and secure network environments for your cloud resources. You define address spaces in CIDR notation, segment traffic with subnets, and connect VNets to each other, the internet, or on-premises networks using peering, VPN, and ExpressRoute. Understanding VNets is the essential first step before exploring subnets, NSGs, load balancers, and the rest of the Azure networking stack.