AZ-104 Objective 4.1: Configure and Manage Virtual Networks in Azure
•55 min read•Microsoft Azure Administrator
AZ-104 Exam Focus: This objective covers Azure Virtual Networks (VNets), the fundamental building blocks of Azure networking. Understanding VNet creation, subnet configuration, peering, public IP addresses, custom routing, and network troubleshooting is crucial for Azure administrators. Master these concepts for both exam success and real-world Azure network management.
Understanding Azure Virtual Networks
Azure Virtual Networks (VNets) are the fundamental building blocks of your private network in Azure. They enable Azure resources to securely communicate with each other, the internet, and on-premises networks. VNets provide isolation, segmentation, and control over network traffic flow. Once you understand VNet basics, you'll want to learn about configuring secure access to virtual networks to protect your network resources.
VNet Key Components
- Address Space: Private IP address ranges for the VNet
- Subnets: Segments within the VNet for resource organization
- Network Security Groups (NSGs): Firewall rules for traffic control
- Route Tables: Custom routing for traffic direction
- DNS Settings: Name resolution configuration
- Service Endpoints: Secure connectivity to Azure services
1. Create and Configure Virtual Networks and Subnets
Virtual networks provide the foundation for Azure networking. Proper planning of address spaces and subnet design is crucial for scalability, security, and network management.
VNet Planning Considerations
Design Principles:
- Use non-overlapping IP address ranges
- Plan for future growth and expansion
- Consider regional and global connectivity requirements
- Design subnets based on security and functionality
- Reserve IP addresses for Azure services
- Follow RFC 1918 private addressing standards
Creating Virtual Networks
# Create a virtual network az network vnet create \ --name myVNet \ --resource-group myResourceGroup \ --location eastus \ --address-prefix 10.0.0.0/16 # Create VNet with multiple address prefixes az network vnet create \ --name myVNet \ --resource-group myResourceGroup \ --location eastus \ --address-prefix 10.0.0.0/16 10.1.0.0/16 # Create VNet with DNS configuration az network vnet create \ --name myVNet \ --resource-group myResourceGroup \ --location eastus \ --address-prefix 10.0.0.0/16 \ --dns-servers 8.8.8.8 8.8.4.4
Creating and Configuring Subnets
# Create a subnet az network vnet subnet create \ --name mySubnet \ --resource-group myResourceGroup \ --vnet-name myVNet \ --address-prefix 10.0.1.0/24 # Create multiple subnets az network vnet subnet create \ --name frontendSubnet \ --resource-group myResourceGroup \ --vnet-name myVNet \ --address-prefix 10.0.1.0/24 az network vnet subnet create \ --name backendSubnet \ --resource-group myResourceGroup \ --vnet-name myVNet \ --address-prefix 10.0.2.0/24 az network vnet subnet create \ --name databaseSubnet \ --resource-group myResourceGroup \ --vnet-name myVNet \ --address-prefix 10.0.3.0/24
Subnet Design Best Practices
Subnet Architecture:
- Frontend Subnet: Web servers, load balancers (public-facing)
- Backend Subnet: Application servers, APIs (internal)
- Database Subnet: Database servers (most restricted)
- Management Subnet: Jump boxes, management tools
- Gateway Subnet: VPN gateways, ExpressRoute gateways
- AzureFirewall Subnet: Azure Firewall instances
Special Subnet Types
| Subnet Type | Purpose | Size Requirement | Notes |
|---|---|---|---|
| Gateway | VPN/ExpressRoute gateways | /27 or larger | Reserved for Azure services |
| AzureFirewall | Azure Firewall instances | /26 or larger | Dedicated subnet name |
| AzureBastionSubnet | Azure Bastion service | /26 or larger | Dedicated subnet name |
| App Service | App Service integration | /24 or larger | For VNet integration |
2. Create and Configure Virtual Network Peering
Virtual network peering enables you to connect VNets seamlessly, allowing resources in different VNets to communicate with each other as if they were in the same network.
VNet Peering Types
Peering Options:
- Regional Peering: Connect VNets in the same Azure region
- Global Peering: Connect VNets in different Azure regions
- One-way Peering: Unidirectional connectivity
- Two-way Peering: Bidirectional connectivity (default)
Creating VNet Peering
# Create regional VNet peering az network vnet peering create \ --name myVNet1-to-myVNet2 \ --resource-group myResourceGroup \ --vnet-name myVNet1 \ --remote-vnet myVNet2 \ --resource-group myResourceGroup \ --allow-vnet-access # Create global VNet peering az network vnet peering create \ --name myVNet1-to-myVNet2 \ --resource-group myResourceGroup \ --vnet-name myVNet1 \ --remote-vnet myVNet2 \ --remote-resource-group myResourceGroup \ --remote-location westus \ --allow-vnet-access # Configure peering with specific settings az network vnet peering create \ --name myVNet1-to-myVNet2 \ --resource-group myResourceGroup \ --vnet-name myVNet1 \ --remote-vnet myVNet2 \ --resource-group myResourceGroup \ --allow-vnet-access \ --allow-forwarded-traffic \ --allow-gateway-transit \ --use-remote-gateways
Peering Configuration Options
| Setting | Description | Use Case |
|---|---|---|
| Allow VNet Access | Enable communication between VNets | Basic connectivity |
| Allow Forwarded Traffic | Allow traffic from remote VNet | Hub-spoke topology |
| Allow Gateway Transit | Use remote VNet gateway | Centralized connectivity |
| Use Remote Gateways | Use remote VNet's gateway | Spoke VNets |
Peering Management
# List VNet peerings az network vnet peering list \ --resource-group myResourceGroup \ --vnet-name myVNet1 # Get peering details az network vnet peering show \ --name myVNet1-to-myVNet2 \ --resource-group myResourceGroup \ --vnet-name myVNet1 # Update peering settings az network vnet peering update \ --name myVNet1-to-myVNet2 \ --resource-group myResourceGroup \ --vnet-name myVNet1 \ --allow-vnet-access \ --allow-forwarded-traffic # Delete peering az network vnet peering delete \ --name myVNet1-to-myVNet2 \ --resource-group myResourceGroup \ --vnet-name myVNet1
3. Configure Public IP Addresses
Public IP addresses enable Azure resources to communicate with the internet and receive inbound connections. Understanding the different types and allocation methods is crucial for proper network configuration.
Public IP Address Types
IP Address Options:
- Basic: Standard SKU with basic features
- Standard: Advanced SKU with additional features
- Dynamic: IP address changes when resource is stopped/started
- Static: IP address remains constant
- IPv4: Traditional 32-bit addresses
- IPv6: Modern 128-bit addresses
Creating Public IP Addresses
# Create basic public IP az network public-ip create \ --name myPublicIP \ --resource-group myResourceGroup \ --location eastus \ --allocation-method Dynamic # Create standard public IP az network public-ip create \ --name myStandardPublicIP \ --resource-group myResourceGroup \ --location eastus \ --sku Standard \ --allocation-method Static # Create IPv6 public IP az network public-ip create \ --name myIPv6PublicIP \ --resource-group myResourceGroup \ --location eastus \ --sku Standard \ --allocation-method Static \ --version IPv6 # Create public IP with DNS name az network public-ip create \ --name myPublicIP \ --resource-group myResourceGroup \ --location eastus \ --allocation-method Static \ --dns-name myapp-dns
Public IP Configuration Options
| Feature | Basic SKU | Standard SKU |
|---|---|---|
| Availability Zones | No | Yes |
| Load Balancer Integration | Basic LB only | Standard LB only |
| Security Rules | NSG required | Built-in protection |
| Idle Timeout | 4 minutes | 4 minutes |
4. Configure User-Defined Network Routes
User-defined routes (UDRs) allow you to override Azure's default routing behavior and direct traffic through custom paths, such as network virtual appliances (NVAs) or specific gateways.
Route Types and Priority
Route Hierarchy:
- User-defined routes (UDRs): Highest priority, custom routing
- BGP routes: Routes learned from on-premises via ExpressRoute/VPN
- System routes: Azure's default routing behavior
Creating Route Tables and Routes
# Create route table az network route-table create \ --name myRouteTable \ --resource-group myResourceGroup \ --location eastus # Create user-defined route az network route-table route create \ --name myCustomRoute \ --resource-group myResourceGroup \ --route-table-name myRouteTable \ --address-prefix 0.0.0.0/0 \ --next-hop-type VirtualAppliance \ --next-hop-ip-address 10.0.1.4 # Create route to on-premises az network route-table route create \ --name toOnPremises \ --resource-group myResourceGroup \ --route-table-name myRouteTable \ --address-prefix 192.168.0.0/16 \ --next-hop-type VirtualNetworkGateway # Associate route table with subnet az network vnet subnet update \ --name mySubnet \ --resource-group myResourceGroup \ --vnet-name myVNet \ --route-table myRouteTable
Common Routing Scenarios
| Scenario | Next Hop Type | Use Case |
|---|---|---|
| Force Internet Traffic Through Firewall | VirtualAppliance | Security inspection |
| Route to On-Premises | VirtualNetworkGateway | Hybrid connectivity |
| Discard Traffic | None | Block specific destinations |
| Route to VNet | VnetLocal | Local VNet traffic |
5. Troubleshoot Network Connectivity
Network troubleshooting is a critical skill for Azure administrators. Understanding common connectivity issues and the tools available for diagnosis is essential for maintaining network health.
Network Troubleshooting Tools
Diagnostic Tools:
- Network Watcher: Comprehensive network monitoring and diagnostics
- Connection Monitor: Monitor connectivity between resources
- Packet Capture: Capture network traffic for analysis
- IP Flow Verify: Check if traffic is allowed or denied
- Next Hop: Determine the next hop for traffic
- VPN Troubleshoot: Diagnose VPN connectivity issues
Common Connectivity Issues
Troubleshooting Checklist:
- Check NSG rules and security group associations
- Verify route table configuration and associations
- Confirm public IP address allocation and configuration
- Validate VNet peering status and settings
- Check DNS resolution and custom DNS settings
- Verify service endpoints and private endpoints
- Test connectivity from different sources
Using Network Watcher for Troubleshooting
# Enable Network Watcher az network watcher configure \ --resource-group NetworkWatcherRG \ --location eastus # Check IP flow az network watcher test-ip-flow \ --resource-group myResourceGroup \ --vm myVM \ --direction Outbound \ --protocol TCP \ --local 10.0.1.4:80 \ --remote 8.8.8.8:80 # Check next hop az network watcher show-next-hop \ --resource-group myResourceGroup \ --vm myVM \ --source-ip 10.0.1.4 \ --dest-ip 8.8.8.8 # Verify connectivity az network watcher test-connectivity \ --resource-group myResourceGroup \ --source-resource myVM \ --dest-address 8.8.8.8 \ --dest-port 80 # Capture packets az network watcher packet-capture create \ --resource-group myResourceGroup \ --vm myVM \ --name myPacketCapture \ --storage-account mystorageaccount \ --storage-path captures
NSG Troubleshooting
# List NSG rules az network nsg rule list \ --resource-group myResourceGroup \ --nsg-name myNSG # Check NSG flow logs az network watcher flow-log show \ --resource-group myResourceGroup \ --name myFlowLog # Test NSG rules az network watcher test-ip-flow \ --resource-group myResourceGroup \ --vm myVM \ --direction Inbound \ --protocol TCP \ --local 10.0.1.4:80 \ --remote 0.0.0.0:0
DNS Troubleshooting
# Test DNS resolution nslookup myapp.azurewebsites.net # Check custom DNS settings az network vnet show \ --name myVNet \ --resource-group myResourceGroup \ --query "dhcpOptions.dnsServers" # Test connectivity to DNS servers az network watcher test-connectivity \ --resource-group myResourceGroup \ --source-resource myVM \ --dest-address 8.8.8.8 \ --dest-port 53
Network Security Best Practices
Security Guidelines:
- Use Network Security Groups (NSGs) for traffic filtering
- Implement the principle of least privilege for NSG rules
- Use service tags to simplify NSG rule management
- Enable NSG flow logs for monitoring and troubleshooting
- Use private endpoints for secure Azure service connectivity
- Implement DDoS protection for public-facing resources
- Regularly review and audit network security configurations
Network Monitoring and Logging
# Enable NSG flow logs az network watcher flow-log create \ --resource-group myResourceGroup \ --nsg myNSG \ --storage-account mystorageaccount \ --log-version 2 \ --retention 30 # Enable VNet flow logs az network watcher flow-log create \ --resource-group myResourceGroup \ --nsg myNSG \ --storage-account mystorageaccount \ --log-version 2 \ --retention 30 \ --traffic-analytics true # Configure connection monitor az network watcher connection-monitor create \ --name myConnectionMonitor \ --resource-group myResourceGroup \ --source-resource myVM \ --dest-address 8.8.8.8 \ --dest-port 80
Exam Tips and Key Points
Critical Exam Knowledge:
- VNet Design: Understand address space planning and subnet design
- Peering: Know peering types, configuration options, and limitations
- Public IPs: Understand SKU differences and allocation methods
- Routing: Know route priority, UDR creation, and common scenarios
- Troubleshooting: Understand Network Watcher tools and common issues
- Security: Know NSG rules, service tags, and security best practices
- Monitoring: Understand flow logs, connection monitoring, and diagnostics
Common Scenarios and Solutions
Real-World Scenarios:
- Hub-Spoke Topology: Use VNet peering with gateway transit
- Internet Traffic Inspection: Use UDRs to route through firewall
- Hybrid Connectivity: Configure site-to-site VPN with custom routing
- Multi-Region Deployment: Use global VNet peering for connectivity
- Secure Azure Service Access: Use private endpoints and service endpoints
- Network Segmentation: Use subnets and NSGs for security boundaries
Summary
Azure Virtual Networks form the foundation of Azure networking, providing the infrastructure for secure, scalable, and manageable network connectivity. This objective covers the essential aspects of VNet management:
- VNet and subnet creation with proper address space planning
- VNet peering configuration for regional and global connectivity
- Public IP address configuration with appropriate SKU selection
- User-defined routes for custom traffic routing scenarios
- Network troubleshooting using Azure Network Watcher tools
- Security implementation through NSGs and network segmentation
- Monitoring and logging for network health and diagnostics
Understanding these VNet concepts is essential for Azure administrators to design, implement, and maintain robust network architectures in Azure environments.
Next Steps: Practice creating VNets, subnets, and peering connections in the Azure portal. Experiment with NSG rules, custom routing, and Network Watcher tools to understand the complete Azure networking ecosystem and troubleshooting capabilities.
Related Topics
Continue your Azure administration learning journey with these related topics:
- Configure Secure Access to Virtual Networks - Secure your VNets with NSGs and other security features
- Configure Name Resolution and Load Balancing - Set up DNS and load balancing for your VNets
- Create and Configure Virtual Machines - Deploy VMs into your VNets
- Monitor Resources in Azure - Monitor your VNets and network performance
- Automate Deployment with ARM Templates and Bicep - Deploy VNets using infrastructure as code
- Configure Access to Storage - Secure storage access through VNets
- Manage Azure Subscriptions and Governance - Apply governance policies to network resources