Azure Virtual Networking Components and Their Purpose
Slide deck explaining Azure virtual networking components: Virtual Networks (VNet), subnets, Network Security Groups (NSG), peering, DNS, VPN Gateway, ExpressRoute, and their purposes with examples and common pitfalls.
Azure Virtual Networking Components and Their Purpose
Introduction to Azure virtual networking components and their purposes in controlling network traffic.
Azure Virtual Networking Components and Their Purpose
Introduction to Azure virtual networking components and their purposes in controlling network traffic.
Azure networking: the big picture
You combine boundaries, segments, rules, and connections to control traffic. Private boundary: Virtual Network (VNet). Segments: subnets (IP ranges). Filters: Network Security Group (NSG) rules. Connections: peering, VPN Gateway, ExpressRoute. Names: Domain Name System (DNS).
Virtual Network (VNet)
A VNet is a logical, private network boundary in Azure. Software-defined (not physical hardware). Has an address space (your private IP ranges). Isolated from other VNets by default. Connected only when you explicitly link it.
Subnets
A subnet is an IP address range inside a VNet used for segmentation. Subnet equals slice of VNet address space. Each subnet has its own IP range. Use subnets to separate tiers (web/app/db). Segmentation enables tighter traffic control.
Network Security Group (NSG)
An NSG filters inbound and outbound network traffic using rules. Rules for inbound and outbound traffic. Control traffic between subnets (tier-to-tier). Control traffic into/out of a subnet. Association can be at subnet or resource level.
Virtual network peering
Peering connects VNets privately inside Azure using private IPs. VNet-to-VNet connectivity in Azure. Uses private IP addresses. No internet VPN tunnel setup. Still use NSGs to restrict flows.
Domain Name System (DNS)
DNS resolves names to IPs, but it doesn't connect networks. DNS equals name → IP address resolution. Example: app.contoso.com → 10.1.2.4. DNS does not create a network path. Connectivity needs peering or gateway options.
Azure DNS vs Azure Private DNS
Public zones are for internet names; private zones are for internal name resolution. Azure DNS: hosts public DNS zones. Azure Private DNS: private zones for VNets. Private DNS supports internal naming patterns. Name resolution still isn't connectivity.
Azure VPN Gateway
VPN Gateway provides encrypted connectivity over the public internet (IPsec/IKE). VPN equals encrypted tunnel over public internet. Uses IPsec (Internet Protocol Security) and IKE (Internet Key Exchange). Site-to-site and point-to-site scenarios. Can connect VNets via VPN if needed.
Azure ExpressRoute
ExpressRoute gives private connectivity to Azure via a provider (no public internet). Private connection through a connectivity provider. Designed to avoid the public internet. Often used for production connectivity needs. More predictable than internet-based VPN.
Connection choice cheat sheet
Choose based on where the networks are and whether the internet is allowed. Azure-to-Azure VNets → peering. Encrypted over public internet → VPN Gateway. Private connection (no public internet) → ExpressRoute. 'Encrypted' does not equal 'private circuit'.
Example: VNet + 3 subnets + NSG rules
Segmentation plus filtering lets you allow only the flows you intend. One VNet as the private boundary. Subnets: web / app / database tiers. NSG: allow web → app, allow app → db. NSG: block web → db direct access.
Common pitfalls (quick reminders)
Most mistakes come from mixing up boundaries, naming, and connectivity. VNets are isolated by default; you must connect them. Subnets are IP ranges, not 'folders'. Peering does not equal VPN gateway tunneling. DNS resolves names; it doesn't carry traffic. VPN Gateway vs ExpressRoute: public internet vs private provider link.