Virtual Networks
Difficulty: medium
Overview
Azure Virtual Network (VNet) is the fundamental private networking building block in Azure.
Core Concepts:
- Address Space: One or more CIDR ranges (e.g., 10.0.0.0/16). Choose non-overlapping ranges if you plan to connect VNets or on-premises networks.
- Subnets: Subdivisions of the VNet address space. Azure resources (VMs, App Services, etc.) are deployed into subnets.
- Network Security Groups (NSGs): Stateful firewalls with priority-ordered ALLOW/DENY rules. Applied to subnets or individual NICs.
VNet Connectivity Options:
| Option | Use Case |
|---|---|
| VNet Peering | VNet-to-VNet; low latency, Microsoft backbone |
| VPN Gateway | On-premises to Azure over encrypted internet tunnel |
| ExpressRoute | On-premises to Azure via private dedicated circuit |
| Azure Bastion | Secure browser-based RDP/SSH — no public IP on VMs |
VNet Peering Details:
- Low-latency, high-bandwidth connection over Microsoft's backbone — traffic never traverses the public internet.
- Non-transitive: A peers with B, B peers with C — A and C cannot communicate through B without explicit A-C peering or a hub-spoke design with Azure Firewall/NVA.
Private Connectivity to Azure PaaS:
- Private Endpoint: Places an Azure PaaS service (Storage, SQL, Key Vault) directly into your VNet with a private IP. Traffic never leaves Azure's network.
- Service Endpoint: Extends VNet identity to Azure services to restrict access, but traffic still uses Azure's public backbone.
Azure Firewall vs NSG:
- NSGs are basic stateful filters at the subnet/NIC level.
- Azure Firewall is a managed, centralized stateful firewall service with FQDN filtering, threat intelligence, and TLS inspection — used in hub-spoke architectures.
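To make the priority-ordered, first-match evaluation of NSG rules (Core Concepts above) and the contrast with a centralized firewall concrete, here is an added illustration that is not part of this page or of Azure's own engine: it models inbound NSG evaluation over a constructed rule set plus Azure's real default inbound rules. Service-tag handling (VirtualNetwork, Internet, AzureLoadBalancer) is a deliberate simplification and an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int     # custom rules use 100-4096; lower number is evaluated first
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # CIDR, "*" or one of the service tags modelled below
    dest_port: str    # single port, "lo-hi" range or "*"

# Azure's built-in default inbound rules; they always sit below any custom rule.
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    NsgRule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

def source_matches(rule_source, src_ip, vnet):
    # Simplified service tags (assumption): VirtualNetwork = the VNet's own space,
    # Internet = anything outside it, AzureLoadBalancer = the platform probe address.
    if rule_source == "VirtualNetwork":
        return src_ip in vnet
    if rule_source == "Internet":
        return src_ip not in vnet
    if rule_source == "AzureLoadBalancer":
        rule_source = "168.63.129.16/32"
    return rule_source == "*" or src_ip in ipaddress.ip_network(rule_source, strict=False)

def port_matches(rule_port, port):
    lo, _, hi = rule_port.partition("-")
    return rule_port == "*" or int(lo) <= port <= int(hi or lo)

def evaluate(custom_rules, src, port, proto, vnet_cidr):
    """Return (access, rule_name) for the first match in ascending priority order."""
    vnet, src_ip = ipaddress.ip_network(vnet_cidr), ipaddress.ip_address(src)
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (rule.protocol in ("*", proto) and source_matches(rule.source, src_ip, vnet)
                and port_matches(rule.dest_port, port)):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every packet")

# Constructed sample: the broad RDP Allow at 300 is never reached for internet sources,
# because the Deny at 200 wins; only VNet-internal RDP falls through to it.
CUSTOM_INBOUND = [
    NsgRule("Allow-HTTPS", 100, "Allow", "Tcp", "Internet", "443"),
    NsgRule("Deny-RDP-Internet", 200, "Deny", "Tcp", "Internet", "3389"),
    NsgRule("Allow-RDP-Any", 300, "Allow", "Tcp", "*", "3389"),
]
```

Evaluating a few constructed packets shows that a rule's position in the priority order, not its mere presence, decides the outcome, and that anything unmatched ends at DenyAllInBound.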
Practice Linked Questions
easy
Q1. Two Azure Virtual Networks in the same region need to communicate using private IP addresses. Traffic must not traverse the public internet. What is the simplest solution?
medium
Q2. A company needs to connect its on-premises network to an Azure VNet over a secure, encrypted connection using the internet. It does not have an ExpressRoute circuit. What should it configure?