
Azure Virtual Networks: Peering, NSGs, and Service Endpoints for AZ-104

How Azure VNets, subnets, network security groups, VNet peering, and service endpoints are configured and tested on the Microsoft AZ-104 exam.


Reviewed by Johnson Ajibi, MSc IT Security

12+ years in network and security engineering · Founder, JTNetSolutions Limited & Courseiva


Azure Virtual Networks (VNets) are the foundation of network connectivity in Azure. For the AZ-104 exam, you must understand how to design, configure, and secure VNets, including subnets, network security groups (NSGs), VNet peering, and service endpoints. This post covers the key concepts and practical configurations you need to know.

VNets and Subnets

An Azure VNet is a logically isolated network in the Azure cloud. Each VNet has an address space (e.g., 10.0.0.0/16) that you define. Subnets divide this address space into smaller segments (e.g., 10.0.1.0/24 for front-end, 10.0.2.0/24 for back-end).

Key points for the exam:

  • VNet address spaces (and therefore their subnets) must not overlap if you plan to peer the VNets.
  • Azure reserves the first three IP addresses in each subnet for infrastructure (e.g., .1, .2, .3).
  • You can associate an NSG or route table to a subnet for traffic control.

Network Security Groups (NSGs)

NSGs filter network traffic to and from Azure resources. They contain security rules that allow or deny traffic based on source/destination IP, port, and protocol. Each custom rule has a priority (100-4096); lower numbers are evaluated first, and the first matching rule decides, so no later rule is consulted.

Example: Allow RDP (port 3389) from your office IP only:

Priority: 100
Name: AllowRDP
Source: 203.0.113.0/24
Source port: *
Destination: VirtualNetwork
Destination port: 3389
Protocol: TCP
Action: Allow

Exam tips:

  • NSGs can be applied to a subnet or a NIC. Subnet NSGs apply to all VMs in that subnet; NIC NSGs apply only to the specific VM.
  • Default inbound rules exist: AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound. They are evaluated after all custom rules; know what each one matches.
  • Service tags like Internet, VirtualNetwork, AzureLoadBalancer simplify rule creation.
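To make the evaluation order concrete, here is an added example (my own toy model, not Azure's implementation or anything from this guide) that evaluates inbound flows against the AllowRDP rule above plus the three default inbound rules. The deny-200/allow-300 pair and the flows are constructed for illustration; the VirtualNetwork tag is resolved against the guide's 10.0.0.0/16 example, Internet is simplified to "any address outside the VNet", and AzureLoadBalancer maps to Azure's documented health-probe address 168.63.129.16.

```python
# Added example (not Azure's implementation): a toy NSG inbound rule
# evaluator. Rules are sorted by priority, the first match decides, and
# Azure's default inbound rules sit behind every custom rule.
import ipaddress
from dataclasses import dataclass

# Address space used to resolve the VirtualNetwork tag: the 10.0.0.0/16
# example from this guide. 168.63.129.16 is the documented source address
# of Azure Load Balancer health probes.
VNET_SPACE = [ipaddress.ip_network("10.0.0.0/16")]
SERVICE_TAGS = {
    "VirtualNetwork": VNET_SPACE,
    "AzureLoadBalancer": [ipaddress.ip_network("168.63.129.16/32")],
}


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    source: str      # CIDR, service tag or "*"
    dest: str        # CIDR, service tag or "*"
    dest_port: str   # "3389", "8000-8080" or "*"
    protocol: str    # "TCP", "UDP" or "*"
    action: str      # "Allow" or "Deny"


def _addr_matches(spec, addr):
    ip = ipaddress.ip_address(addr)
    if spec == "*":
        return True
    if spec == "Internet":  # simplification: any address outside the VNet
        return not any(ip in net for net in VNET_SPACE)
    nets = SERVICE_TAGS.get(spec) or [ipaddress.ip_network(spec)]
    return any(ip in net for net in nets)


def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _proto_matches(spec, proto):
    return spec == "*" or spec.upper() == proto.upper()


# Azure's default inbound rules at priorities 65000, 65001 and 65500.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "*", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "*", "*", "Deny"),
]

# Constructed custom rules: the guide's AllowRDP plus a deny/allow pair
# at priorities 200 and 300 to show that the lower number wins.
CUSTOM_INBOUND = [
    Rule(100, "AllowRDP", "203.0.113.0/24", "VirtualNetwork", "3389", "TCP", "Allow"),
    Rule(200, "DenyWebFromBranch", "198.51.100.0/24", "*", "443", "TCP", "Deny"),
    Rule(300, "AllowHttps", "Internet", "*", "443", "TCP", "Allow"),
]


def evaluate(rules, src, dst, port, proto):
    """Return (action, rule name) of the first matching rule in priority order."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda rule: rule.priority):
        if (_addr_matches(r.source, src) and _addr_matches(r.dest, dst)
                and _port_matches(r.dest_port, port) and _proto_matches(r.protocol, proto)):
            return r.action, r.name
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


if __name__ == "__main__":
    flows = [
        ("203.0.113.5", "10.0.1.4", 3389, "TCP"),   # office -> RDP: AllowRDP
        ("198.51.100.7", "10.0.1.4", 3389, "TCP"),  # other IP -> RDP: DenyAllInBound
        ("198.51.100.7", "10.0.1.4", 443, "TCP"),   # deny at 200 beats allow at 300
        ("192.0.2.9", "10.0.1.4", 443, "TCP"),      # AllowHttps
        ("10.0.2.4", "10.0.1.4", 8080, "TCP"),      # AllowVnetInBound
    ]
    for flow in flows:
        print(flow, "->", evaluate(CUSTOM_INBOUND, *flow))
```

Running it shows that RDP from an address outside 203.0.113.0/24 falls all the way through to DenyAllInBound, and that HTTPS from 198.51.100.0/24 is denied by the priority-200 rule even though a priority-300 rule would have allowed it.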

VNet Peering

VNet peering connects two VNets, enabling resources in different VNets to communicate as if they were on the same network. Peering is non-transitive: if VNet A is peered to VNet B and VNet B to VNet C, A does not talk to C unless you create a separate A-to-C peering.

Configuration steps:

  1. Create two VNets with non-overlapping address spaces.
  2. Go to VNet A -> Peering -> Add. Provide a name, select the remote VNet, and configure settings.
  3. Repeat on VNet B for the reverse link.

Important settings:

  • Allow virtual network access: Must be enabled on both sides.
  • Allow forwarded traffic: Enable if you need transit routing (e.g., hub-spoke with NVA).
  • Use remote gateways / Allow gateway transit: Used for VPN connectivity across peered VNets.

Exam scenario: You have two VNets: Hub (10.0.0.0/16) with a VPN gateway, and Spoke (10.1.0.0/16). You want Spoke VMs to use the Hub's VPN gateway. Enable "Use remote gateways" on Spoke peering and "Allow gateway transit" on Hub peering.
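The checks an engineer runs in their head before clicking Add can be written down. The following is an added example of my own (not Azure's validation logic and not code from this guide) that takes the Hub/Spoke scenario above, adds a second constructed spoke, and verifies the points this section and the exam tips make: the reverse link exists, address spaces do not overlap, a spoke using the hub's gateway has no gateway of its own and the hub allows gateway transit, and reachability is strictly non-transitive. VNet and peering names are assumptions for the example.

```python
# Added example (not Azure's implementation): a toy validator for a
# hub-and-spoke peering design. It checks overlapping address spaces,
# the two-sided link, gateway-transit settings and non-transitive reach.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VNet:
    name: str
    address_space: str
    has_gateway: bool = False  # a VPN gateway is deployed in this VNet


@dataclass(frozen=True)
class Peering:
    local: str    # VNet on which this peering link is configured
    remote: str
    allow_vnet_access: bool = True
    allow_forwarded_traffic: bool = False
    allow_gateway_transit: bool = False
    use_remote_gateways: bool = False


def overlaps(a, b):
    return ipaddress.ip_network(a.address_space).overlaps(
        ipaddress.ip_network(b.address_space))


def validate(vnets, peerings):
    """Return a list of problems; an empty list means the design is consistent."""
    by_name = {v.name: v for v in vnets}
    links = {(p.local, p.remote): p for p in peerings}
    problems, overlap_seen = [], set()
    for (l, r), p in links.items():
        if (r, l) not in links:
            problems.append(f"{l}->{r}: no reverse peering configured on {r}")
        pair = frozenset((l, r))
        if pair not in overlap_seen and overlaps(by_name[l], by_name[r]):
            overlap_seen.add(pair)
            problems.append(f"{l}<->{r}: address spaces overlap")
        if p.use_remote_gateways:
            # A VNet using a remote gateway cannot have its own gateway; the
            # remote side must have one and must allow gateway transit.
            if by_name[l].has_gateway:
                problems.append(f"{l}: has its own gateway, cannot also use {r}'s")
            if not by_name[r].has_gateway:
                problems.append(f"{l}: {r} has no gateway to use")
            rev = links.get((r, l))
            if rev is None or not rev.allow_gateway_transit:
                problems.append(f"{l}: {r} must enable 'Allow gateway transit'")
    # Each VNet may use at most one remote gateway.
    for v in vnets:
        n = sum(1 for (l, _), p in links.items() if l == v.name and p.use_remote_gateways)
        if n > 1:
            problems.append(f"{v.name}: uses remote gateways on {n} peerings; only one is allowed")
    return problems


def can_reach(peerings, src, dst):
    """Peering is non-transitive: only a direct, two-sided link with
    'Allow virtual network access' on both sides carries traffic."""
    links = {(p.local, p.remote): p for p in peerings}
    fwd, rev = links.get((src, dst)), links.get((dst, src))
    return bool(fwd and rev and fwd.allow_vnet_access and rev.allow_vnet_access)


# Constructed topology: the guide's Hub (10.0.0.0/16, VPN gateway) and
# Spoke (10.1.0.0/16), plus a second spoke, both using the hub's gateway.
HUB_SPOKE_VNETS = [
    VNet("Hub", "10.0.0.0/16", has_gateway=True),
    VNet("Spoke1", "10.1.0.0/16"),
    VNet("Spoke2", "10.2.0.0/16"),
]
HUB_SPOKE_PEERINGS = [
    Peering("Hub", "Spoke1", allow_gateway_transit=True),
    Peering("Spoke1", "Hub", use_remote_gateways=True),
    Peering("Hub", "Spoke2", allow_gateway_transit=True),
    Peering("Spoke2", "Hub", use_remote_gateways=True),
]

if __name__ == "__main__":
    print("problems:", validate(HUB_SPOKE_VNETS, HUB_SPOKE_PEERINGS))          # []
    print("Spoke1 -> Hub:", can_reach(HUB_SPOKE_PEERINGS, "Spoke1", "Hub"))      # True
    print("Spoke1 -> Spoke2:", can_reach(HUB_SPOKE_PEERINGS, "Spoke1", "Spoke2"))  # False
```

Spoke1 and Spoke2 are both peered to Hub, yet can_reach reports False between them; that is the non-transitive behaviour the exam tests, and the fix is either a direct Spoke1-Spoke2 peering or an NVA in the hub with "Allow forwarded traffic" plus routing, which this toy model does not attempt to simulate.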

Service Endpoints

Service endpoints extend your VNet identity to Azure services (e.g., Azure Storage, SQL Database) over the Azure backbone. When enabled, traffic from your VNet to the service uses the Microsoft network instead of the public internet, improving security and performance.

How to enable:

  1. Go to your VNet -> Subnets -> Select a subnet -> Service Endpoints -> Add a service (e.g., Microsoft.Storage).
  2. Then, configure the service firewall to allow access only from that subnet (e.g., Storage account firewall: add virtual network rule).

Key exam points:

  • Service endpoints are per-subnet, not per-VM.
  • They do not provide private IP connectivity; the service still has a public endpoint, but traffic from the subnet stays on the Azure backbone.
  • For fully private connectivity, use Private Link (a different concept).
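The two-step procedure above (enable the endpoint on the subnet, then add a virtual network rule to the service firewall) is easy to get half right. The following added example is my own toy model, not Azure's implementation and not code from this guide, of how the storage-account firewall decides a request once the Microsoft.Storage endpoint changes the source identity it sees. The VNet, subnet and NAT address values are constructed for the example.

```python
# Added example (not Azure's implementation): a toy model of how a
# Microsoft.Storage service endpoint and a storage-account firewall
# combine. The endpoint changes the source identity the service sees;
# the firewall's virtual network rule is what actually grants access.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Subnet:
    vnet: str
    name: str
    prefix: str
    service_endpoints: tuple = ()   # e.g. ("Microsoft.Storage",)


@dataclass(frozen=True)
class StorageFirewall:
    default_action: str = "Deny"    # "Allow" or "Deny"
    vnet_rules: tuple = ()          # (vnet, subnet) pairs
    ip_rules: tuple = ()            # public CIDRs


def source_identity(subnet, nat_public_ip):
    """With the endpoint enabled the request travels the Azure backbone and the
    service sees the subnet; without it the request arrives from the public IP."""
    if "Microsoft.Storage" in subnet.service_endpoints:
        return "subnet", (subnet.vnet, subnet.name)
    return "public_ip", nat_public_ip


def decide(fw, subnet, nat_public_ip):
    """Return "Allow" or "Deny" for a request from a VM in `subnet`."""
    kind, ident = source_identity(subnet, nat_public_ip)
    if kind == "subnet" and ident in fw.vnet_rules:
        return "Allow"
    if kind == "public_ip" and any(
            ipaddress.ip_address(ident) in ipaddress.ip_network(cidr) for cidr in fw.ip_rules):
        return "Allow"
    return fw.default_action


# Constructed setup: the guide's front-end and back-end subnets, endpoint
# enabled only on the front end; the firewall trusts only that subnet.
FRONTEND = Subnet("vnet-prod", "frontend", "10.0.1.0/24", ("Microsoft.Storage",))
BACKEND = Subnet("vnet-prod", "backend", "10.0.2.0/24")
LOCKED_DOWN = StorageFirewall(default_action="Deny",
                              vnet_rules=(("vnet-prod", "frontend"),))
# Constructed public address the VMs would NAT through without the endpoint.
NAT_IP = "192.0.2.10"

if __name__ == "__main__":
    print("frontend:", decide(LOCKED_DOWN, FRONTEND, NAT_IP))      # Allow
    print("backend:", decide(LOCKED_DOWN, BACKEND, NAT_IP))        # Deny
    # Endpoint enabled but no firewall rule: the endpoint alone grants nothing.
    print("no rule:", decide(StorageFirewall(), FRONTEND, NAT_IP))  # Deny
```

Two results are worth noting: the back-end subnet is denied even though it lives in the same VNet, because endpoints are per subnet, and the front-end subnet is denied when the firewall has no virtual network rule, because the endpoint only changes the path and the identity, not the access decision.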

Exam Tips: What to Watch For

  • NSG evaluation order: Rules are evaluated in priority order and the first match wins. If you have a deny rule with priority 200 and an allow rule with priority 300, the deny wins. NSG flow logs record which flows were allowed or denied and help troubleshoot.
  • Peering transitive vs. non-transitive: Understand that peering is not transitive. If you need transitive routing, use a hub VNet with an NVA (e.g., firewall) and enable "Allow forwarded traffic" on both peerings.
  • Service endpoint vs. Private Link: Service endpoints are simpler but less secure (service still has public IP). Private Link gives a private IP in your VNet. The exam may ask which to use based on requirements.
  • Gateway transit: A VNet can use only one gateway. All spokes can share the hub's gateway, but a spoke that uses the hub's remote gateway cannot also have a VPN gateway of its own.
  • Address space planning: Before peering, ensure address spaces do not overlap. Overlapping VNets cannot be peered.

Conclusion

Mastering VNets, NSGs, peering, and service endpoints is critical for the AZ-104 exam. Practice configuring these in the Azure portal or using CLI/PowerShell. Focus on understanding the behavior of each component, especially non-transitive peering and NSG rule evaluation. With hands-on practice, you'll be ready for scenario-based questions.

To solidify your knowledge, try our free practice questions at Practice Exams for AZ-104.
