Challenge 11: Azure Networking Basics
25-35 min | Cost: Free | Domain: Azure Architecture & Services (35-40%)
Exam skills covered
- Describe virtual networking (VNets, subnets, peering)
- Define public and private endpoints
Overview
Azure Virtual Networks (VNets) are the fundamental building block for networking in Azure. They enable Azure resources to securely communicate with each other, the internet, and on-premises networks.
Think of a VNet like your own private network in the cloud — similar to a traditional network you'd operate in your own datacenter, but with the benefits of Azure's scale, availability, and isolation.
Explore
Task 1: Understand VNet concepts
| Concept | Description | On-prem equivalent |
|---|---|---|
| Virtual Network (VNet) | Isolated network in Azure | LAN/WAN |
| Subnet | Segment within a VNet | VLAN |
| Network Security Group (NSG) | Firewall rules for traffic | ACL / Firewall rules |
| Public IP | Internet-facing IP address | Public IP |
| Private IP | Internal-only IP address | RFC 1918 address |
| VNet Peering | Connect two VNets | WAN link between offices |
Task 2: Explore VNet creation (don't create)
- In Azure Portal, search for Virtual networks
- Click + Create
- Explore the form:
  - Address space: Define the IP range (e.g., 10.0.0.0/16)
  - Subnets: Divide the VNet (e.g., 10.0.1.0/24 for web, 10.0.2.0/24 for database)
- Notice that VNets are free — you only pay for data transfer
- Click Cancel
Task 3: Understand IP addressing
Note: Azure reserves 5 IPs in each subnet (first 4 + last 1), so a /24 has 251 usable addresses.
Task 4: Understand public vs private endpoints
| Endpoint type | Accessible from | Use case |
|---|---|---|
| Public endpoint | Internet + internal | Web servers, public APIs |
| Private endpoint | Internal VNet only | Databases, internal services |
| Service endpoint | VNet to Azure service (optimized route) | Storage, SQL from within VNet |
Private endpoints keep traffic on Microsoft's backbone network — never touching the public internet.
Task 5: Understand VNet peering
VNet peering connects two VNets so resources can communicate:
| Peering type | Scope | Latency |
|---|---|---|
| Regional peering | Same region | Very low |
| Global peering | Different regions | Low (via Microsoft backbone) |
Key rules:
- Peered VNets can't have overlapping IP ranges
- Peering is NOT transitive (A↔B + B↔C ≠ A↔C)
- Traffic between peered VNets stays on Microsoft's network
```bash
# List virtual networks (if any exist)
az network vnet list --output table

# Show available address prefixes (example)
az network vnet show --name myVnet --resource-group rg-az900-learning --query "addressSpace" 2>/dev/null || echo "No VNet exists yet - that's fine!"
```
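The IP-addressing rule from Task 3 (5 reserved addresses per subnet) and the peering rules from Task 5 (no overlapping ranges, no transitive reachability) are easy to get wrong when planning a VNet on paper. The script below is an added example, not part of the original challenge or any Microsoft tooling: it uses only Python's standard `ipaddress` module to check a constructed VNet plan offline. The VNet and subnet ranges, the VNet names, and the peering list are all made-up sample values.

```python
import ipaddress

# Azure reserves 5 addresses in every subnet: the first 4 (network address,
# default gateway, two for Azure DNS) and the last one (broadcast).
AZURE_RESERVED_PER_SUBNET = 5


def usable_addresses(subnet_cidr):
    """Number of IPs a workload can actually use in an Azure subnet.

    A /24 has 256 addresses minus 5 reserved = 251 usable.
    """
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return max(net.num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def validate_vnet(address_space, subnets):
    """Check that every subnet fits inside the VNet and that no two overlap.

    `subnets` maps a subnet name to its CIDR. Returns a list of problems;
    an empty list means the plan is valid.
    """
    vnet = ipaddress.ip_network(address_space, strict=True)
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vnet):
            problems.append(f"subnet {name} ({net}) is outside address space {vnet}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets {a} ({nets[a]}) and {b} ({nets[b]}) overlap")
    return problems


def can_peer(address_space_a, address_space_b):
    """Peering requires the two VNets' address spaces not to overlap."""
    a = ipaddress.ip_network(address_space_a, strict=True)
    b = ipaddress.ip_network(address_space_b, strict=True)
    return not a.overlaps(b)


def reachable_via_peering(peerings, src, dst):
    """Peering is not transitive: only a direct peering between src and dst counts."""
    return any({src, dst} == set(pair) for pair in peerings)


if __name__ == "__main__":
    # Constructed sample plan mirroring the Task 2 form values.
    plan = {"web": "10.0.1.0/24", "db": "10.0.2.0/24"}
    for name, cidr in plan.items():
        print(f"{name}: {cidr} -> {usable_addresses(cidr)} usable addresses")
    print("plan problems:", validate_vnet("10.0.0.0/16", plan) or "none")

    # Hypothetical VNets A, B, C with A<->B and B<->C peered, but not A<->C.
    peerings = [("vnet-a", "vnet-b"), ("vnet-b", "vnet-c")]
    print("A can peer with 10.1.0.0/16:", can_peer("10.0.0.0/16", "10.1.0.0/16"))
    print("A reaches C via peering:", reachable_via_peering(peerings, "vnet-a", "vnet-c"))
```

Run it as-is to see the /24 subnets report 251 usable addresses and the A-to-C check come back false; change one subnet to a range outside 10.0.0.0/16, or make two subnets overlap, and `validate_vnet` names the offending subnets instead of returning an empty list.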
Key Concepts
| Concept | Description |
|---|---|
| VNet | Private network in Azure; resources communicate securely |
| Subnet | Segment of a VNet with its own address range and NSG |
| NSG | Stateful firewall rules (allow/deny traffic by port, IP, protocol) |
| Public endpoint | Service accessible from the internet |
| Private endpoint | Service accessible only from within a VNet |
| VNet peering | Connects two VNets for private communication |
| Non-transitive | If A↔B and B↔C, A cannot reach C without direct peering |
Knowledge Check
1. What is the purpose of an Azure Virtual Network (VNet)?
2. A company wants to ensure their Azure SQL Database is only accessible from their VNet and never from the internet. What should they use?
3. VNet A is peered with VNet B, and VNet B is peered with VNet C. Can resources in VNet A communicate directly with resources in VNet C?
4. What is a subnet in Azure networking?
5. Which resource acts as a firewall to control inbound and outbound traffic to Azure resources?
Learn More
- 📚 Study Guide AZ-900 — Curated study materials
- Microsoft Learn: Describe Azure compute and networking
- Azure Virtual Network documentation