Azure Networking (VNet, NSG, Load Balancer)

Networking is the backbone of any cloud architecture. Azure provides a rich set of networking services to connect, protect, and deliver your applications. This lesson covers the core networking concepts you need to know.

---

Azure Virtual Network (VNet)

A Virtual Network (VNet) is a logically isolated network in Azure. It's the fundamental building block for your private network, similar to a traditional network in a data centre.

Key Concepts

Concept	Description
Address space	The IP range for your VNet (e.g., 10.0.0.0/16)
Subnets	Subdivisions of the address space (e.g., 10.0.1.0/24, 10.0.2.0/24)
Region	A VNet exists in a single region
Subscription	A VNet belongs to a single subscription

Creating a VNet

az network vnet create \
  --resource-group rg-demo \
  --name myVNet \
  --address-prefix 10.0.0.0/16 \
  --subnet-name frontend \
  --subnet-prefix 10.0.1.0/24

Subnets

Subnets segment your VNet for organisation and security:

VNet: 10.0.0.0/16
  |
  |-- Subnet: frontend   (10.0.1.0/24) — web servers
  |-- Subnet: backend    (10.0.2.0/24) — application servers
  |-- Subnet: database   (10.0.3.0/24) — databases

Each subnet can have its own Network Security Group (NSG) and route table.

---

Network Security Groups (NSGs)

An NSG contains security rules that allow or deny inbound and outbound network traffic. You can attach an NSG to a subnet or a network interface (NIC).

Rule Properties

Property	Description
Priority	Lower number = higher priority (100–4096)
Source / Destination	IP address, CIDR range, service tag, or application security group
Protocol	TCP, UDP, ICMP, or Any
Port range	Single port, range, or all (*)
Action	Allow or Deny

Default Rules

Every NSG comes with default rules that cannot be deleted:

• Inbound: Allow traffic from within the VNet and from Azure Load Balancer; deny all other inbound
• Outbound: Allow traffic within the VNet and to the internet; deny all other outbound

Example: Allow SSH

az network nsg rule create \
  --resource-group rg-demo \
  --nsg-name myNSG \
  --name AllowSSH \
  --priority 100 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --destination-port-ranges 22

---

Public and Private IP Addresses

Type	Description
Private IP	Assigned from the subnet's address range. Used for internal communication.
Public IP	A routable internet address. Assigned to a resource for external access.