What Is VNet in Networking?
On This Page
What do you want to do?
Quick Definition
A VNet is a private network you create in the cloud. It works like a local network but runs on the cloud provider's infrastructure. You can control IP addresses, subnets, routing, and security settings. It allows your cloud resources, like virtual machines, to communicate safely with each other and with your on-premises network.
Common Commands & Configuration
az network vnet create --name MyVNet --resource-group MyRG --address-prefix 10.0.0.0/16 --subnet-name MySubnet --subnet-prefix 10.0.1.0/24Creates a new VNet with a single subnet in a specified resource group. The address space and subnet prefix are defined using CIDR notation.
This is a fundamental Azure CLI command for the AZ-104 exam. You must remember the --address-prefix and --subnet-prefix parameters. Tests often ask how to create a VNet in a specific region using this command.
az network vnet peering create --name PeerToHub --resource-group HubRG --vnet-name HubVNet --remote-vnet SpokeVNetID --allow-vnet-access --allow-forwarded-trafficCreates a VNet peering connection from a hub VNet to a spoke VNet. The --allow-vnet-access flag enables communication between VNets.
The AZ-104 exam tests the need for two-way peering (remote peering must be created from the spoke VNet to the hub as well). The --allow-forwarded-traffic flag is needed for NVA scenarios.
az network nsg rule create --resource-group MyRG --nsg-name MyNSG --name AllowSSH --priority 100 --source-address-prefixes 203.0.113.0/24 --direction Inbound --access Allow --protocol Tcp --destination-port-ranges 22Creates an NSG rule to allow SSH access from a specific source IP range with priority 100. The rule is set to inbound direction and TCP protocol.
Common exam scenario for Security+ and Azure exams: you must configure a rule to allow remote management from a specific IP. Remember that priority is evaluated in numerical order, and lower numbers have higher precedence.
az network vnet subnet update --name GatewaySubnet --resource-group MyRG --vnet-name MyVNet --network-security-group MyNSGAssociates an existing NSG with the GatewaySubnet. This subnet is reserved for VPN gateways and must have a unique security configuration.
The GatewaySubnet name must be exactly GatewaySubnet. The AZ-104 exam tests that you cannot use this subnet for any other resource type. Assigning an NSG here is optional but recommended for security.
az network vnet subnet create --name BackendSubnet --resource-group MyRG --vnet-name MyVNet --address-prefix 10.0.2.0/24 --service-endpoints Microsoft.StorageCreates a subnet with a service endpoint enabled for Azure Storage. This allows traffic from this subnet to reach Storage accounts over the Azure backbone.
Service endpoints are tested in the AZ-900, AZ-104, and Azure Developer exams. The service endpoint name is case-sensitive (e.g., Microsoft.Storage). Enabling endpoints locks the resource to the VNet.
az network vnet check-ip-address --name MyVNet --resource-group MyRG --ip-address 10.0.1.4Checks whether a specific IP address is available within the VNet. Useful during troubleshooting IP conflicts.
This command is less common but appears in troubleshooting scenarios for the AZ-104 exam. It helps identify overlapping IPs before deploying resources.
az network route-table route create --resource-group MyRG --route-table-name MyRouteTable --name ToOnPrem --next-hop-type VirtualAppliance --address-prefix 192.168.0.0/16 --next-hop-ip-address 10.0.1.100Creates a custom route that directs traffic destined for an on-premises network (192.168.0.0/16) to a virtual appliance (NVA) at 10.0.1.100.
User-Defined Routes (UDRs) are a key topic for the AZ-104 and Azure Solutions Architect exams. The next-hop-type of VirtualAppliance requires a specific IP address, unlike Internet or VNetLocal.
VNet appears directly in 222exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on Cisco CCNA. Practise them →
Must Know for Exams
VNet (or its equivalent VPC) is a core topic in almost every major cloud certification exam. Here is how it matters across the exams listed.
For Microsoft Azure exams (AZ-900, AZ-104), VNet is a primary concept. In AZ-900 (Azure Fundamentals), you need to know what a VNet is, its purpose, and the difference between VNet peering and VPN gateway. Expect multiple-choice questions that test your understanding of isolation in the cloud. In AZ-104 (Azure Administrator), VNet is a heavy topic. You must know how to create and configure VNets, subnets, network security groups, route tables, and peering. You will face scenario-based questions where you have to design a network topology to meet specific requirements, such as connecting two VNets with minimal latency or securing a multi-tier application.
For AWS exams (Cloud Practitioner, Developer Associate, Solutions Architect), the equivalent is VPC. In the Cloud Practitioner exam, you need a basic understanding of what a VPC is and why it is used. In the Developer Associate and Solutions Architect exams, VPCs are deeply covered. You must know how to design VPCs with public and private subnets, configure route tables, internet gateways, NAT gateways, security groups, and network ACLs. Expect complex scenario questions where you choose the best VPC design to meet high availability, security, and cost requirements. For example, you might need to design a VPC with an Application Load Balancer in public subnets and EC2 instances in private subnets, with a NAT gateway for outbound internet access.
For Google Cloud exams (ACE, Cloud Digital Leader), the equivalent is VPC Network. In the Cloud Digital Leader exam, the focus is on understanding the concept of network isolation and hybrid connectivity. In the Associate Cloud Engineer exam, you need to know how to create VPC networks, subnets, firewall rules, and VPC peering. You might have to configure Cloud VPN or Cloud Interconnect for hybrid connections.
For traditional networking exams (Network+, CCNA, Security+), VNet concepts are not directly tested but provide valuable context. Network+ covers IP addressing, routing, and subnetting, which are foundational to understanding VNets. CCNA goes deeper into routing protocols and VPNs, which help explain how cloud VPN gateways work. Security+ covers network segmentation and firewall rules, which map directly to NSGs and security groups.
In all these exams, the most common question types are: - Which service provides network isolation in Azure? (Answer: VNet) - What is the purpose of a subnet? (To segment the VNet) - How do you connect two VNets? (Peering) - How do you secure traffic within a VNet? (NSGs or Security Groups) - How do you connect an on-premises network to a VNet? (VPN gateway or ExpressRoute/Direct Connect)
If you master VNet concepts, you will answer a significant number of questions correctly in cloud exams.
Simple Meaning
Imagine you work in a large office building. Your company rents a section of the building, and within that section, you have several rooms: a server room, a developer lab, a finance office, and a meeting room. These rooms are connected by internal hallways that only your employees can use. Nobody from other companies on different floors can walk through your hallways unless you give them a keycard.
A VNet is exactly that private office space, but in the cloud. Instead of a physical building, the cloud provider (like Microsoft Azure or Amazon Web Services) owns a massive data center with thousands of servers. When you create a VNet, you are carving out a private, isolated section of that data center. Within your VNet, you can place virtual machines, databases, and other services, just like placing furniture and equipment in your office rooms. These resources can talk to each other using internal IP addresses, just like using internal office phones. The outside world cannot see or access anything inside your VNet unless you explicitly open a door, like a public IP address or a VPN connection.
You are also in full control of the layout. You can split your VNet into smaller sections called subnets. For example, you might put your web servers in a subnet that is open to the internet, your application servers in a middle subnet that only the web servers can access, and your database servers in a completely locked-down subnet. You can also set up rules (like firewalls) to control traffic. If your company has a physical office, you can connect your VNet to that office using a secure tunnel (VPN), making the cloud network feel like just another branch of your company.
The key point is that a VNet is your own private slice of the cloud. It is software-defined, meaning it doesn't require any physical cables or routers you have to plug in. You define it in a configuration file or in a web portal, and the cloud provider makes it happen. This flexibility is why VNets are the foundation of almost every cloud deployment. Without a VNet, your cloud resources would be isolated, unable to communicate, and exposed to the public internet. With a VNet, you have a secure, organized, and scalable network that behaves just like a physical network you would build in your own data center, but without the hardware costs and maintenance headaches.
Full Technical Definition
A VNet (Virtual Network) is a software-defined network (SDN) abstraction that provides logical isolation of cloud resources within a specific region. In Microsoft Azure, the term VNet is a first-class resource, while in AWS the equivalent is a Virtual Private Cloud (VPC), and in Google Cloud it is called a VPC Network. Despite different names, the core concept is identical: a private, isolated network segment within the public cloud that the customer controls.
A VNet operates at Layer 3 (Network layer) of the OSI model, using IP addressing. When you create a VNet, you define an IP address space using Classless Inter-Domain Routing (CIDR) notation, such as 10.0.0.0/16. This address space is private and follows RFC 1918 guidelines (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Within that address space, you create one or more subnets. Each subnet receives a smaller CIDR block, like 10.0.1.0/24, and resources such as virtual machines (VMs) are assigned an IP address from that subnet.
The underlying implementation uses the cloud provider's physical network infrastructure. The provider runs a distributed software-defined networking stack on its hypervisors and network switches. When you create a VNet, the provider configures virtual routers, virtual switches, and network access control lists (ACLs) in software. These virtual devices forward traffic between subnets, to the internet, and to on-premises networks. Traffic within the same VNet is routed automatically by default, using the provider’s internal routing tables. You can customize routing by creating User-Defined Routes (UDRs) in Azure, or route tables in AWS, to direct traffic to network virtual appliances (NVAs) like firewalls or load balancers.
Security within a VNet is enforced through Network Security Groups (NSGs) in Azure, or Security Groups in AWS. These stateful firewalls operate at Layers 3 and 4. You create rules that allow or deny traffic based on source and destination IP addresses, ports, and protocols. Each rule has a priority, and rules are evaluated in order. By default, all inbound traffic is denied, and all outbound traffic is allowed. You can also use Application Security Groups (ASGs) in Azure to group VMs logically (e.g., all web servers) and apply rules to the group, simplifying management.
Connectivity beyond the VNet includes several options. To connect to the internet, you assign a public IP address to a resource or use a NAT gateway. To connect to other VNets in the same region or different regions, you use VNet Peering (Azure) or VPC Peering (AWS). Peering creates a low-latency, private connection between VNets without traversing the public internet. For hybrid connectivity to an on-premises data center, you can use a Site-to-Site VPN (IPsec tunnel) or a dedicated private connection like Azure ExpressRoute or AWS Direct Connect. These services provide secure, reliable, and high-bandwidth links.
You can also extend your on-premises network into the VNet using a VPN gateway, which sits at the edge of the VNet. The VPN gateway encrypts traffic and sends it over the public internet to your on-premises VPN device. For mission-critical workloads, ExpressRoute or Direct Connect bypasses the internet entirely, offering higher reliability and lower latency.
a VNet is a fully customizable, software-defined private network in the cloud. It supports complex topologies, advanced routing, granular security, and secure hybrid connections. Understanding VNet concepts is essential for cloud architects, network engineers, and anyone preparing for cloud certification exams such as the Microsoft Azure exams (AZ-104, AZ-900), AWS certifications (Cloud Practitioner, Solutions Architect), and Google Cloud certifications.
Real-Life Example
Think of a large apartment building. Each apartment is its own private space, with a front door, rooms, and its own set of keys. The building has common areas like hallways, elevators, and a lobby. Residents can move freely within the building, but they cannot enter another resident's apartment without permission.
Now, imagine you are the manager of a company that rents an entire floor of the building. Your floor is your VNet. You have several offices (subnets) on that floor: an operations office, a development lab, a storage room, and a meeting room. The doors between these offices are unlocked by default, so your employees can walk freely between them (internal routing). However, you can add a security guard (Network Security Group) at the door of the storage room to only allow the operations manager (specific IP and port) to enter.
If you want to collaborate with another company on a different floor, you do not open the stairwell door to everyone. Instead, you build a private bridge (VNet Peering) between your floor and their floor. Only people you authorize can cross that bridge. If your company has a separate building across the street (on-premises data center), you dig a secure underground tunnel (Site-to-Site VPN) that connects your floor directly to that building. No one on the street can see or use that tunnel.
The elevator to the lobby (internet gateway) is available for anyone, but you can control who takes it. For example, you might allow only the development lab (web servers) to access the lobby to receive customer orders, while the storage room (database) is strictly off-limits to the public. If the elevator breaks, you have a backup tunnel (ExpressRoute) that is faster and more reliable, but it costs extra.
This analogy helps you see that a VNet gives you complete control over your private network in the cloud. You decide the layout, the security rules, and the connections to the outside world. It is your private floor in the cloud apartment building, and you are the landlord of that floor.
Why This Term Matters
In any modern IT environment, especially cloud-based ones, network isolation is not just a convenience, it is a security imperative. Without a VNet, every cloud resource you create would be exposed to the public internet or, at best, loosely grouped with other customers' resources. A VNet provides the fundamental boundary that separates your workloads from everyone else's.
For IT professionals, understanding VNets is essential for designing secure, scalable, and cost-effective architectures. You need to know how to segment your network using subnets to isolate tiers of an application (web, app, database). You must grasp how routing works to ensure traffic flows correctly, especially when you introduce virtual appliances like firewalls or load balancers.
VNets also enable hybrid cloud scenarios. Many enterprises are not fully cloud-native; they have on-premises data centers with legacy systems. A VNet, connected via VPN or dedicated circuits, allows those on-premises resources to communicate with cloud resources as if they were on the same local network. This enables gradual migration, disaster recovery, and burst capacity without rearchitecting the entire network.
Finally, VNets directly impact cost and performance. Misconfigured VNets can lead to data egress charges (traffic leaving the cloud), security breaches, or performance bottlenecks. For example, placing all resources in a single subnet without proper NSG rules can create a flat network with no security boundaries. Similarly, forgetting to restrict outbound traffic can lead to data exfiltration. Mastering VNet concepts helps you build networks that are secure, efficient, and compliant with industry standards.
How It Appears in Exam Questions
In certification exams, VNet questions often appear in three main patterns: scenario design, configuration, and troubleshooting.
Scenario design questions present a business requirement and ask you to choose the best network topology. For example: A company wants to host a web application in the cloud. The web servers must be accessible from the internet, but the application and database servers must be private. The solution must be cost-effective and secure. The correct answer would involve creating a VNet with two subnets: a public subnet for web servers with a route to an internet gateway, and a private subnet for app and database servers with no direct internet route. You might also need a NAT gateway in the public subnet to allow the private instances to download updates.
Another common design question involves connecting multiple VNets. Example: A company has two VNets in different Azure regions. They want a low-latency, private connection between them. Which solution should they use? The answer is VNet peering (global VNet peering). The trap answer might be a VPN gateway, which is slower and more expensive.
Configuration questions ask you to identify the correct settings. For instance: You need to allow HTTP traffic from the internet to a web server in a VNet. Which resource should you configure? The answer is a Network Security Group rule that allows inbound TCP port 80 from any source. A common wrong answer would be configuring a route table, which controls routing, not access.
Troubleshooting questions present a broken scenario. Example: Users cannot access a web application hosted on an Azure VM. The VM has a public IP and is in a subnet. What should you check first? The correct answer is the NSG rules on the subnet or VM to ensure inbound port 80/443 is allowed. A distractor might be checking the DNS records, which is a valid step but not the first thing to check in a connectivity issue.
Another troubleshooting pattern: A VM in a private subnet cannot reach the internet to download updates. What is the most likely cause? The answer is missing a NAT gateway or a route to a NAT device. Learners often forget that private subnets have no internet route by default.
For Azure-specific exams, expect questions about service endpoints and private endpoints. Service endpoints allow secure access to Azure services (like Storage or SQL) from within a VNet without using a public IP. Private endpoints assign a private IP to the service from the VNet. Questions might ask: Which feature allows an Azure SQL Database to be accessed using a private IP from a VNet? Answer: Private Endpoint.
Finally, hybrid connectivity questions are common. Example: An on-premises network uses IP addresses 10.0.0.0/16. You create an Azure VNet with the same address space. What problem will this cause? The answer is IP address overlap, which prevents VPN connectivity because the routes conflict. The solution is to choose a unique address space for the VNet that does not overlap with on-premises.
Being familiar with these question patterns and common traps will significantly boost your exam performance.
Practise VNet Questions
Test your understanding with exam-style practice questions.
Example Scenario
Your company, GreenLeaf Media, is launching a new video streaming platform. You are tasked with designing the cloud infrastructure on Microsoft Azure. The application has three components: a web frontend that users access via a browser, an application server that processes video streams, and a database server that stores user data and video metadata. The web frontend must be accessible from the internet. The application server must only be reachable from the web frontend. The database server must not be accessible from the internet and only accessible from the application server.
You decide to use a single Azure VNet with the address space 10.0.0.0/16. You create three subnets: SubnetA (10.0.1.0/24) for the web frontend, SubnetB (10.0.2.0/24) for the application server, and SubnetC (10.0.3.0/24) for the database server.
You deploy a virtual machine (VM) for the web frontend in SubnetA and assign it a public IP address. You add an NSG rule on SubnetA that allows inbound HTTP (port 80) and HTTPS (port 443) traffic from any source.
For the application server VM in SubnetB, you do not assign a public IP. You create an NSG rule that allows inbound traffic from SubnetA (10.0.1.0/24) on port 8080, where the application listens. You also allow outbound traffic to SubnetC on port 5432 (PostgreSQL).
For the database server VM in SubnetC, you also have no public IP. The NSG rule allows inbound traffic from SubnetB (10.0.2.0/24) on port 5432. All other inbound traffic is denied.
Now, a user on the internet visits your site. The request goes to the web frontend's public IP. The web frontend processes the request and needs data from the application server. Because SubnetA and SubnetB are in the same VNet, they can communicate using private IPs. The application server then queries the database server in SubnetC, again using the private IP.
This design keeps your database completely hidden from the public internet. Even if someone discovers the database server's private IP (which is impossible from the internet), they cannot reach it because the NSG blocks all inbound traffic from outside the VNet. This is a simple but powerful example of how VNets, subnets, and NSGs work together to create a secure multi-tier application.
Common Mistakes
Thinking a VNet provides direct internet access by default to all resources inside it.
A VNet by default is isolated from the internet. Resources inside a VNet cannot communicate with the internet unless you explicitly attach an internet gateway (or a public IP to the resource) and configure routing. The VNet only provides internal private connectivity.
Remember that a VNet is like a private office. You must install an internet door (gateway) and give specific employees (resources) permission to use it.
Confusing subnets with separate VNets.
A subnet is just a subdivision of a VNet's IP address space. All subnets within a VNet can communicate with each other by default. If you need true isolation (e.g., for different departments or environments), you need separate VNets, not just separate subnets.
Use different VNets for environments that should not talk to each other (e.g., dev and prod). Use subnets within a single VNet to organize tiers of the same application.
Forgetting to update route tables when using a virtual appliance (like a firewall).
If you deploy a firewall VM and want all traffic from a subnet to go through it, you must create a User-Defined Route (UDR) that points the default route (0.0.0.0/0) to the firewall's private IP. Without this, traffic will use the system default route and bypass the firewall.
After deploying a network virtual appliance, always check the effective routes for the subnets that should use it. Add a route if necessary.
Assuming VNet peering automatically allows all traffic between peered VNets.
VNet peering creates a private connection between two VNets, but traffic is still subject to NSG rules. By default, peered VNets can communicate, but if you have NSGs that deny traffic, the communication will fail. Also, you must configure the peering to allow traffic to transit through a third VNet if needed (transit routing).
After peering, always verify that NSG rules permit the desired traffic. If you need traffic to pass through a hub VNet, enable 'Allow gateway transit' on the peer connection.
Using overlapping IP address ranges when connecting VNets or on-premises networks.
If you create a VNet with 10.0.0.0/16 and your on-premises network also uses 10.0.0.0/16, you cannot establish a VPN connection because the routes conflict. The cloud and on-premises networks must have unique, non-overlapping private IP ranges.
Plan your IP address space carefully before deploying any cloud resources. Use distinct CIDR blocks for each VNet and your on-premises network. Common choices are 10.0.0.0/16 for on-premises, 10.1.0.0/16 for VNet1, and 10.2.0.0/16 for VNet2.
Applying NSG rules at the subnet level without considering service tags.
Many beginners write rules using specific IP addresses for Azure services (like Azure Load Balancer or Azure SQL), but these IPs can change. Service tags (like AzureLoadBalancer, Sql) automatically update as Azure's IP ranges change, ensuring your rules remain valid.
For rules that need to allow traffic from Azure services, use service tags instead of IP addresses. For example, allow inbound from 'AzureLoadBalancer' on port 80 instead of listing all possible Azure LB IPs.
Exam Trap — Don't Get Fooled
{"trap":"In an Azure exam question, you are asked to connect an on-premises network to an Azure VNet. The on-premises network uses IP range 10.0.0.0/16. You create a VNet with address space 10.
0.0.0/16 as well. The answer choice that says 'Use Site-to-Site VPN' is presented as the correct solution.","why_learners_choose_it":"Learners know that VPN is used for hybrid connectivity, and they may not realize that overlapping address spaces will prevent the VPN from working.
The exam presents this as a plausible solution because it sounds correct on the surface.","how_to_avoid_it":"Always check for IP address overlap when designing hybrid connections. If the ranges overlap, the VPN routes will conflict, and traffic will not be routed correctly.
The correct answer would be to choose a different VNet address space or use NAT to translate addresses. In the exam, if a question mentions overlapping ranges, any direct VPN or peering solution is wrong."
Commonly Confused With
A VNet is the private network in the cloud itself, while a VPN is a secure tunnel that connects that private network to an external network like an on-premises office. You use a VPN to connect your on-premises network to your VNet. They are not the same thing; the VPN is a connection type, and the VNet is the destination.
Think of your VNet as your private house. A VPN is like a secured underground tunnel that connects your house to your office. The tunnel is not the house.
A subnet is a smaller network segment inside a VNet. A VNet can contain multiple subnets, and resources in different subnets can communicate by default. While both are about network segmentation, a VNet is the overall isolated network, and a subnet is just a logical partition within it.
Your VNet is the entire building you own. Subnets are the different rooms inside that building. Each room can have its own access rules, but they are all part of the same building.
An NSG is a firewall that controls inbound and outbound traffic to resources inside a VNet. It is not the network itself, but a security filter applied at the subnet or network interface level. You attach NSGs to subnets or VMs to allow or deny traffic. The VNet provides connectivity, and the NSG secures it.
The VNet is the hallway that connects all rooms. The NSG is the security guard at each door who decides who can enter or leave that room.
VPC is the term used by AWS for the exact same concept as Azure's VNet. They are functionally identical: a private, isolated network in the cloud. The name is different because each cloud provider has its own branding. If you understand VNet in Azure, you understand VPC in AWS, and vice versa.
Both are the same concept, like how a 'lift' in the UK is called an 'elevator' in the US. The object is the same, just a different name.
Amazon VPC is the AWS implementation of a virtual private network in the cloud. It is the direct equivalent of Azure VNet. Both provide similar features: subnets, route tables, security groups, and gateways. The main difference is the terminology and some implementation details, such as AWS's use of Internet Gateways versus Azure's use of public IPs and the default route.
It is like comparing a Ford car to a Chevrolet car. Both are cars with the same basic functions, just from different manufacturers.
Step-by-Step Breakdown
Plan IP Address Space
Before creating a VNet, decide on the IP address range you will use. This must be a private IP range (RFC 1918) that does not overlap with any other network you plan to connect to, such as on-premises or other VNets. Common choices are 10.0.0.0/16 or 172.16.0.0/12. Planning avoids conflicts later.
Create the VNet Resource
In the cloud portal (or via CLI/API), you create a new VNet resource. You specify a name, a region, and the IP address space you planned. The VNet is the top-level container for all your networking components in that region.
Create Subnets
Within the VNet, you create one or more subnets. Each subnet gets a smaller CIDR block from the VNet's address space. Subnets allow you to segment your network logically. For example, a 'public subnet' for web servers and a 'private subnet' for databases. Subnets are the boundaries where you apply different security rules and routing.
Configure Network Security Groups (NSGs)
Create an NSG and associate it with each subnet or network interface. Inside the NSG, you define inbound and outbound rules to allow or deny traffic. For example, allow HTTP (port 80) inbound to the public subnet, and deny all inbound to the private subnet except from the public subnet. NSGs are stateful, meaning return traffic is automatically allowed.
Set Up Routing
By default, Azure creates a system route table that allows traffic between all subnets within the VNet and provides a default route to the internet. If you need custom routing (e.g., to send traffic through a firewall), you create a User-Defined Route (UDR) and associate it with a subnet. The route table defines the next hop for specific destination prefixes.
Add Internet Connectivity
To allow resources in a subnet to access the internet (or be accessed from the internet), you need an internet gateway. In Azure, this is typically done by assigning a public IP address to a resource (like a VM or load balancer) and ensuring the NSG allows inbound traffic. For outbound-only access from private subnets, you use a NAT gateway.
Connect to On-Premises (Optional)
If you need to connect your VNet to a physical data center or office, you create a VPN gateway in the VNet. Then, you establish a Site-to-Site VPN tunnel between the VPN gateway and your on-premises VPN device. Alternatively, for dedicated private connectivity, you provision Azure ExpressRoute.
Connect to Other VNets (Optional)
To connect your VNet to another VNet in the same or different Azure region, you create a VNet peering connection. Peering is a private, low-latency link. You enable it in both directions (two peering connections). Once peered, resources in both VNets can communicate using private IPs, subject to NSG rules.
Deploy Resources
Now you can deploy virtual machines, databases, and other services into the subnets. During deployment, you specify which VNet and subnet the resource should belong to. The resource automatically gets a private IP from the subnet's range. You can also attach an NSG directly to the resource's network interface for additional granularity.
Test and Monitor
After deploying, test connectivity. Use tools like ping (if ICMP is allowed) or test-NetConnection to verify that resources can talk to each other as intended. Monitor network traffic with Azure Network Watcher, which provides diagnostics, packet capture, and topology visualization. Adjust NSG rules and routing as needed.
Practical Mini-Lesson
In the real world, IT professionals rarely create a single VNet with everything in one subnet. The real skill lies in designing a network topology that meets security, performance, and compliance requirements. Let us walk through a common enterprise scenario.
You are the cloud architect for a midsized e-commerce company. The application consists of: a web frontend, a recommendation engine, a payment processing service, and a database. The company has strict compliance requirements: the payment data must be isolated from the rest of the application, and all traffic between services must be encrypted. The company also has an on-premises ERP system that needs to query the cloud database.
First, you create a VNet with a large address space, say 10.0.0.0/16, to allow room for growth. You create four subnets: WebSubnet (10.0.1.0/24), AppSubnet (10.0.2.0/24), PaymentSubnet (10.0.3.0/24), and DBSubnet (10.0.4.0/24). You apply strict NSGs: WebSubnet allows inbound HTTP/HTTPS from the internet. AppSubnet allows inbound only from WebSubnet on the app port (e.g., 8080). PaymentSubnet allows inbound only from AppSubnet on a specific port (e.g., 8443) and must use TLS. DBSubnet allows inbound only from AppSubnet and from PaymentSubnet on the database port (e.g., 1433 for SQL Server).
Now, the on-premises ERP needs access to the database. You set up a Site-to-Site VPN. You must ensure the VNet's IP range (10.0.0.0/16) does not overlap with the on-premises range (which is 192.168.0.0/16). You create a VPN gateway in a dedicated GatewaySubnet (a special subnet required for gateways). You configure the tunnel. The ERP can now reach the database server's private IP. You also create a route on the VPN gateway to advertise the VNet ranges to on-premises.
However, you want an extra layer of security. Instead of the ERP directly accessing the database, you deploy a jump box (a management VM) in a separate management subnet. The ERP connects to the jump box, and the jump box connects to the database. This reduces the attack surface.
A practical issue that often arises: traffic through the VPN might have higher latency. You might consider using ExpressRoute for a faster, more reliable connection. You also need to enable service endpoints for Azure Storage if the application uses blob storage for product images. This allows the VMs to access storage without using a public IP, keeping traffic within the Azure backbone.
Another common task is logging and monitoring. You enable NSG flow logs to capture traffic patterns. You set up alerts for any denied inbound traffic, which could indicate a scanning attack. You also use Azure Network Watcher to troubleshoot connectivity issues. For example, if the payment service cannot reach the database, you use IP flow verify to check whether the traffic is allowed by NSG rules.
Finally, consider cost. NAT gateways and VPN gateways incur hourly charges. You must balance performance with cost. For non-production environments, you might skip the VPN and use a less expensive point-to-site VPN for administrative access.
This mini lesson shows that VNet design is not just about clicking 'create'. It requires careful planning, security awareness, and familiarity with a range of networking and security features. Professionals who master these concepts are invaluable in any cloud team.
VNet Architecture and Subnet Design Principles
A Virtual Network (VNet) is a fundamental building block for Azure networking, providing an isolated environment for deploying cloud resources. When designing a VNet, the first consideration is the address space. In Azure, you define a private IP address range using CIDR notation, such as 10.
0.0.0/16. This address space must not overlap with any on-premises network or other VNets that will connect to it through peering or VPN gateways. Once the address space is defined, you partition it into subnets.
Subnets segment the VNet into logical zones for different resource types. For example, you might have a front-end subnet for web servers, a back-end subnet for databases, and a management subnet for administrative access. Each subnet must have a unique address range that falls within the VNet's address space.
Azure reserves the first four and the last IP address of each subnet for protocols like DHCP and routing. A critical exam concept is that subnets are not security boundaries; rather, Network Security Groups (NSGs) applied at the subnet or NIC level enforce traffic filtering. Another key point is that Azure automatically provides default routes within a VNet, allowing resources in different subnets to communicate.
However, you can override these routes with User-Defined Routes (UDRs) to force traffic through a firewall or network virtual appliance. For the AWS Cloud Practitioner and Azure Fundamentals exams, understanding that VNets are region-specific and can span multiple availability zones is essential. In contrast, Google Cloud's VPC is global.
When planning subnet design, avoid using the /16 address space for production environments when you need many subnets; a /20 or larger prefix is more flexible. Also, remember that you cannot change the address space of a VNet after creation unless the VNet has no resources attached. This design constraint appears frequently in the AZ-104 and Azure Administrator exams.
A common mistake is creating subnets that are too small, leading to IP exhaustion. For example, a /29 subnet provides only 3 usable host IPs after Azure's reservations, which is insufficient for most workloads. Always calculate required capacity based on projected growth.
For the CCNA and Network+ exams, understanding CIDR and subnetting math is directly applicable to VNet design. VNet architecture requires careful planning of address spaces, subnet segmentation, and an awareness of Azure's IP reservation and routing behaviors to ensure scalable and secure deployments.
VNet Peering and Gateway Connectivity Models
VNet peering allows you to connect two Azure VNets directly, enabling resources in different VNets to communicate with each other using private IP addresses. There are two types of peering: regional (within the same Azure region) and global (across different regions). Both types use the Azure backbone network, so traffic does not traverse the public internet.
To establish peering, you must create two-way peering connections: one from VNet A to VNet B and another from VNet B to VNet A. Once peered, VNets can be transitive if you use a hub-and-spoke topology with a network virtual appliance (NVA) or Azure Firewall as the hub. However, by default, VNet peering is not transitive.
For example, if VNet A is peered to VNet B, and VNet B is peered to VNet C, VNet A cannot directly reach VNet C unless you configure explicit peering or use a routing solution. This non-transitivity is a common test point in the AZ-104, Azure Solutions Architect, and Google Cloud Digital Leader exams. Another connectivity model is using a VPN gateway to connect a VNet to an on-premises network.
Azure VPN gateways support both site-to-site (S2S) and point-to-site (P2S) configurations. A site-to-site VPN requires an on-premises VPN device with a public IP address and an Azure VPN gateway with a pre-shared key. The Azure VPN gateway must be deployed in a dedicated gateway subnet named GatewaySubnet.
This subnet must be at least /27 to accommodate the gateway's scaling requirements. For cross-premises redundancy, you can use an active-active VPN gateway configuration or set up multiple tunnels. For the AWS Cloud Practitioner exam, a similar concept is the Virtual Private Gateway attached to a VPC.
In Azure, the VPN gateway also supports ExpressRoute as an alternative, which provides dedicated private connectivity. ExpressRoute bypasses the internet and offers higher bandwidth and lower latency than VPN. For the Security+ and CCNA exams, understanding the difference between encrypted VPN tunnels (over IPsec) and private connections like ExpressRoute is important.
A common troubleshooting issue with peering is that peered VNets have overlapping address spaces, which blocks connectivity. Azure does not allow peering between VNets with overlapping CIDR ranges. Always ensure unique address spaces during design.
Another exam scenario is when you need to allow traffic from a peered VNet to access an Azure SQL database; you must enable the Allow Azure Services option on the firewall rules. For the Google ACE exam, VPC peering in Google Cloud works similarly but is globally available. VNet peering and gateway connectivity models are critical for building hybrid and multi-VNet architectures, and they frequently appear in certification exams as scenario-based questions.
VNet Network Security Groups and Service Endpoints
Network Security Groups (NSGs) are a core security feature for controlling inbound and outbound traffic to Azure resources. An NSG can be associated with a subnet or a network interface card (NIC). When associated with a subnet, it applies to all resources in that subnet.
When associated with a NIC, it applies only to that specific VM. NSGs contain a set of security rules that define the source, destination, port, protocol, and action (allow or deny). Each rule has a priority number; lower numbers are evaluated first.
By default, Azure creates several default rules. For inbound, these include allowing traffic from within the VNet and from Azure load balancer health probes. For outbound, all traffic to the internet and VNet is allowed by default.
You cannot delete these default rules, but you can override them with higher-priority custom rules that explicitly deny traffic. A common exam scenario involves creating a rule to allow SSH (port 22) or RDP (port 3389) from a specific IP range. For the Security+ and Network+ exams, understanding stateful vs stateless filtering is key: NSGs are stateful, meaning that if you allow inbound traffic, the outbound return traffic is automatically allowed, regardless of outbound rules.
This differs from network ACLs in AWS, which are stateless. Another important feature is service endpoints. Service endpoints extend your VNet's identity to Azure services, such as Azure Storage and Azure SQL Database, effectively connecting your VNet to those services over the Azure backbone.
When you enable a service endpoint on a subnet, traffic from that subnet to the Azure service is routed directly and no longer goes through the public internet. This improves security and allows you to lock down the service to only your VNet using firewall rules. For example, if you have an Azure Storage account, you can configure it to deny access from all networks except your VNet subnet that has the Microsoft.
Storage endpoint enabled. Service endpoints are free and easy to configure, but they are regional by default and do not work across regions unless you use Global VNet Peering. For the AZ-104 and Azure Developer exams, knowing the difference between service endpoints and Private Link is crucial.
Private Link provides a private IP address for the service within your VNet, while service endpoints still use a public IP but with private routing. Another troubleshooting clue is that NSGs are evaluated at the subnet level before the NIC level. If you have conflicting rules, the subnet-level NSG rule that denies traffic will override a NIC-level rule that allows it, because the subnet level is evaluated first.
This cascading effect is a common pitfall. For the AWS Cloud Practitioner exam, understanding that security groups in AWS are similar but tied to ENIs instead of subnets provides a good comparison. Mastering NSG rules and service endpoints is essential for securing VNet resources in Azure and appears in nearly every Azure-related certification.
VNet Cost Optimization and Billing Models
Understanding how VNet usage is billed is critical for cost optimization in Azure. The VNet itself is free to create; you are only charged for the resources that use the VNet, such as VMs, VPN gateways, and Azure Firewall. However, there are costs associated with outbound data transfer.
Data transfer between two Azure resources in the same VNet is free, but outbound data transfer to the internet, to a different region, or to on-premises networks incurs charges. For VNet peering, there are two types of charges: ingress and egress data transfer, and they depend on whether the peering is regional or global. Regional peering (within the same Azure region) has lower per-GB costs than global peering (across regions).
For example, transferring 10 GB between VNets in the same region costs less than transferring the same data between VNets in different regions. This cost structure encourages architects to keep data within the same region when possible. For the Azure Solutions Architect and Google ACE exams, designing for data locality is a key cost-saving strategy.
Another cost consideration is the use of Azure VPN gateways. VPN gateways have hourly billing rates that depend on the SKU (Basic, VpnGw1, VpnGw2, etc.) and the number of tunnels. The Basic SKU is cheaper but does not support all features like active-active, BGP, or site-to-site with VNet-to-VNet connections for production.
For development and testing, selecting the Basic SKU can reduce costs, but for production, VpnGw1 or higher is recommended. ExpressRoute circuits have fixed monthly fees based on bandwidth and billing model (metered vs unlimited). For the Cloud Digital Leader and AWS Cloud Practitioner exams, understanding that network egress is a major cost driver is essential.
A common optimization technique is to use Azure Content Delivery Network (CDN) or Azure Front Door to cache content closer to users, reducing egress costs from the VNet. Another tip is to use Azure Bastion to connect to VMs without exposing public IPs, which can save costs compared to using a jump box VM. For the AZ-104 exam, you might be asked to design a cost-effective VNet architecture for a multi-tier application.
The answer often involves using the same region for all VNets and choosing the appropriate VPN gateway SKU. Also, avoid using unnecessary Global VNet Peering when regional peering is sufficient. Azure also offers reserved instances for VPN gateways, which can reduce costs by up to 72% compared to pay-as-you-go, but requires a one- or three-year commitment.
For the Network+ and CCNA exams, understanding network cost trade-offs between bandwidth, latency, and cost is a foundational concept. VNet cost optimization requires careful selection of peering types, gateway SKUs, and data transfer patterns to avoid unexpected bills, and these topics are frequently tested in cloud certification exams.
Troubleshooting Clues
VNet Peering Connection Not Established
Symptom: When attempting to create a peering, the portal shows 'Connection pending' or the command fails with a 'Failed to establish peering' error.
This typically occurs if the remote VNet's address space overlaps with the local VNet's address space. Azure does not allow peering between VNets with overlapping CIDR ranges. Alternatively, the remote VNet might be in a different region that does not support global peering due to billing subscription issues.
Exam clue: Certification exams often present a scenario where VNet peering fails and the answer is that the address spaces must be unique. The AZ-104 specifically tests this condition.
VM Cannot Access Internet After Applying NSG
Symptom: An Azure VM is unable to browse the web or download updates after an NSG is applied to its subnet.
By default, outbound internet traffic is allowed in the default NSG rules. If you created a custom deny-all outbound rule, it will block all outbound traffic. The default rules are lower priority and are overridden. You must explicitly allow outbound traffic to the internet (e.g., to 0.0.0.0/0) with a higher priority than the deny rule.
Exam clue: This scenario is common in the Security+ and Azure exams. The exam tests that NSG rules are stateful for inbound but outbound rules must be explicitly defined if you override defaults.
Azure SQL Database Connection Timeout from VNet
Symptom: An application running on an Azure VM inside a VNet cannot connect to an Azure SQL database, even though the firewall on the SQL server allows traffic from the VM's IP.
The public IP address of the VM might not be static, or the VM is connecting over the internet. If the service endpoint for Microsoft.Sql is enabled on the subnet, the VM should use the private routing to the database. However, if the SQL server's firewall does not allow Azure services or the VNet subnet, the connection fails. If the VM is in a spoke VNet and the SQL server is in a hub VNet without peering, the connection will be blocked.
Exam clue: The AZ-104 exam tests the use of service endpoints for SQL. A common answer is to add the VNet subnet as a firewall rule on the SQL server.
VPN Gateway Connection Dropping Intermittently
Symptom: A site-to-site VPN connection between an on-premises network and an Azure VNet disconnects periodically, requiring manual restart.
Intermittent drops can occur due to IPsec/IKE policy mismatches, expired pre-shared keys, or insufficient bandwidth causing packet drops. Also, if the on-premises VPN device does not support DPD (Dead Peer Detection), the tunnel may time out after periods of inactivity.
Exam clue: The CCNA and Security+ exams test VPN troubleshooting. Azure-specific exams ask about checking the VPN gateway health metrics in Azure Monitor and ensuring the correct IKE version is configured.
VNet Address Space Exhaustion
Symptom: You cannot deploy additional VM instances in an existing subnet, receiving an error stating 'Insufficient IP addresses in the subnet.'
The subnet's address space has been fully allocated to existing resources. Azure reserves five IPs per subnet (first four and last), so the usable IP count is less than the total. For example, a /24 subnet (256 total) has 251 usable IPs after reservations. If all 251 are used, no more resources can be deployed in that subnet.
Exam clue: The AZ-900 and AZ-104 exams test that you cannot expand a subnet's address space once resources are deployed. The solution is to create a new subnet within the same VNet or use a different VNet.
Data Transfer Costs Higher Than Expected
Symptom: Monthly billing shows unexpected egress charges between two VNets in different regions.
VNet peering charges apply for both ingress and egress data transfer. Global peering (across regions) has higher per-gigabyte costs than regional peering. The cost is billed to the owner of the peering connection. If you use Global VNet Peering for development, costs can escalate quickly.
Exam clue: The Cloud Digital Leader and Azure Solutions Architect exams focus on cost optimization. A common question is how to reduce costs between VNets: use regional peering instead of global, or use ExpressRoute with a billing model that suits your traffic profile.
Cannot From-on-Prem Traffic to VNet Through ExpressRoute
Symptom: On-premises devices cannot reach resources in a peered VNet after setting up ExpressRoute to the hub VNet.
By default, ExpressRoute connects to the hub VNet, but peered spoke VNets are not automatically reachable because VNet peering is not transitive. To allow on-premises traffic to reach spoke VNets, you must configure the hub VNet's gateway to use BGP and set up routing to propagate routes from the spoke VNets using a route server or UDRs.
Exam clue: This scenario tests the non-transitive nature of VNet peering. The AZ-104 exam asks how to enable access from a gateway to peered VNets-the answer is to use a network virtual appliance or Azure Route Server.
NSG Rule Not Taking Effect as Expected
Symptom: After adding an NSG rule that allows a specific port, traffic is still blocked.
NSG rules are evaluated in priority order. A higher priority deny rule (lower number) might be blocking the port before the allow rule is evaluated. Also, if an NSG is associated at both the subnet and NIC level, the subnet-level rule takes effect first. If there is a conflict, the most restrictive rule wins at each level.
Exam clue: The Network+ and Security+ exams test NSG evaluation order. Azure exams also test that you must verify both subnet and NIC associations.
Memory Tip
Think of VNet as 'Virtual Neighborhood' where your cloud resources live, with subnets as the houses and NSGs as the security guards at each house.
Learn This Topic Fully
This glossary page explains what VNet means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
SY0-701CompTIA Security+ →CLF-C02CLF-C02 →SAA-C03SAA-C03 →DVA-C02DVA-C02 →220-1101CompTIA A+ Core 1 →200-301Cisco CCNA →N10-009CompTIA Network+ →AZ-104AZ-104 →ACEGoogle ACE →CDLGoogle CDL →AZ-900AZ-900 →PCAGoogle PCA →Related Glossary Terms
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
An AAAA record is a DNS record that maps a domain name to an IPv6 address, allowing devices to find each other over the internet using the newer IP addressing system.
5G is the fifth generation of cellular network technology, designed to deliver faster speeds, lower latency, and support for many more connected devices than previous generations.
Quick Knowledge Check
1.You have two Azure VNets in the same region: VNetA (10.0.0.0/16) and VNetB (10.1.0.0/16). You create a VNet peering from VNetA to VNetB. What additional step is required for resources in VNetA to communicate with resources in VNetB?
2.An Azure VM in a subnet is unable to connect to an Azure Storage account. The subnet has an NSG applied that allows all outbound traffic. The Storage account's firewall is set to deny all traffic. What is the most likely resolution?
3.A site-to-site VPN connection between your on-premises network and an Azure VNet is frequently dropping. The Azure VPN gateway shows 'Connected' but traffic stops after a few minutes. What could be the issue?
4.You are deploying a multi-tier application in Azure. You need to ensure that the front-end VMs can only communicate with the back-end VMs on port 3306 (MySQL). What should you use?
5.Your VNet has a /16 address space (10.0.0.0/16) and you have five subnets: A (10.0.0.0/24), B (10.0.1.0/24), C (10.0.2.0/24), D (10.0.3.0/24), and E (10.0.4.0/24). You need to deploy a VPN gateway. What must you do?