This chapter covers Azure Virtual Networks (VNets) and subnets, the fundamental building blocks of network isolation and segmentation in Azure. For the AZ-104 exam, approximately 20-25% of networking questions touch VNet and subnet configuration, including address space planning, subnet delegation, and service endpoints. Mastering this topic is critical because every Azure resource that requires network connectivity—VMs, App Services, databases—must be placed in a VNet and subnet. This chapter will explain the architecture, configuration, and best practices, with a focus on exam-specific details like default subnets, service endpoints, and VNet peering constraints.
Jump to a section
Think of an Azure Virtual Network (VNet) as a private office building you own. The building has a physical address (the VNet's address space, like 10.0.0.0/16) and is divided into rooms (subnets), each with its own purpose. Each room has a door (subnet address range, e.g., 10.0.1.0/24) and a security guard (Network Security Group) that decides who can enter or leave. The building's main entrance (the internet gateway) is optional and controlled by a receptionist (Azure Firewall or NAT Gateway) who translates internal room numbers (private IPs) to a single public phone number (public IP) when someone inside calls out. Rooms can be connected via internal hallways (VNet peering) to other buildings in the same complex or across town (global peering). The building manager (Azure Resource Manager) keeps a log (flow logs) of every visitor and delivery. If you misconfigure a room's door, people might accidentally wander into secure areas (unintended subnet connectivity). This analogy maps directly: VNets are isolated networks, subnets are network segments, NSGs are stateful firewalls, and peering connects VNets. Just as you wouldn't put the server room next to the public lobby without a locked door, you shouldn't place sensitive resources in a subnet with a wide-open NSG.
What is an Azure Virtual Network?
An Azure Virtual Network (VNet) is a logically isolated network in the Azure cloud that represents your own private network in the cloud. It is analogous to a traditional on-premises LAN but operates at scale within Microsoft's global infrastructure. Each VNet resides within a single Azure region and subscription, but can be connected to other VNets across regions via VNet peering or VPN gateways. The VNet defines an IP address space (using CIDR notation) that is private (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or public (though public IPs within a VNet are not routable on the internet unless explicitly attached). Azure reserves the first four and last IP addresses in each subnet for protocol compliance (network address, gateway, Azure DNS, Azure reserved, and broadcast). For example, in a 10.0.0.0/24 subnet, the usable range is 10.0.0.4-10.0.0.254.
Subnets: Segmentation Within a VNet
Subnets divide a VNet's address space into smaller segments, each with its own security and routing policies. Every subnet must have a unique address range within the VNet that does not overlap with other subnets. Subnets are the deployment boundary for Azure resources: each resource (VM, App Service, etc.) is associated with a specific subnet. Subnets can be delegated to Azure PaaS services (e.g., Azure SQL Managed Instance, Azure Container Instances) to allow those services to inject their own resources. Delegation is configured at the subnet level and is irreversible for that subnet without removing the delegation first.
How Azure VNets Work Internally
When you create a VNet, Azure provisions a software-defined network (SDN) using the Azure SDN stack, which is built on top of the Azure Fabric Controller. The VNet's IP address space is programmed into the Azure SDN data plane, which consists of virtual switches (vSwitches) running on Hyper-V hosts. Each VM's virtual NIC (vNIC) connects to a vSwitch, and the vSwitch applies forwarding rules based on the VNet's routing table (system routes and user-defined routes). Azure automatically creates system routes for each subnet that include:
Local VNet: traffic within the same VNet is routed directly.
Peered VNet: if VNet peering is configured, routes for peered VNet address spaces are added.
On-premises: if a VPN gateway is present, routes for on-premises networks are added via BGP or static routes.
Internet: traffic to 0.0.0.0/0 is sent to the internet by default (unless a forced tunneling route is applied).
Defaults and Limits
Maximum VNets per subscription: 1000 (can be increased by support request).
Maximum subnets per VNet: 3000.
Maximum address spaces per VNet: 200.
Maximum private IP addresses per subnet: 65536 (using /16 subnet).
Default subnet range: None; you must specify.
Azure DNS: By default, VMs in a VNet can resolve names using Azure-provided DNS (168.63.129.16). Custom DNS can be configured at the VNet level.
Configuration Commands
Using Azure CLI:
# Create a VNet
az network vnet create \
--name MyVNet \
--resource-group MyRG \
--address-prefix 10.0.0.0/16 \
--location eastus
# Create a subnet
az network vnet subnet create \
--name MySubnet \
--resource-group MyRG \
--vnet-name MyVNet \
--address-prefix 10.0.1.0/24
# Delegate subnet to Azure NetApp Files
az network vnet subnet update \
--name MySubnet \
--resource-group MyRG \
--vnet-name MyVNet \
--delegations Microsoft.NetApp/volumesInteraction with Related Technologies
Network Security Groups (NSGs): Applied to subnets or NICs for traffic filtering.
Route Tables (UDRs): Override system routes, e.g., force traffic to a firewall.
Service Endpoints: Extend VNet identity to PaaS services (e.g., Azure Storage) by adding a route to the service's public IPs.
Private Endpoints: Give PaaS services a private IP in your VNet, eliminating public exposure.
VNet Peering: Connects two VNets privately via the Microsoft backbone.
VPN Gateway: Connects on-premises networks to a VNet over IPsec.
Azure Bastion: Provides secure RDP/SSH access to VMs without public IPs, using a subnet named AzureBastionSubnet with minimum /27.
Azure Firewall: A managed firewall service that requires a subnet named AzureFirewallSubnet with minimum /26.
Address Space Planning
When designing VNets, avoid overlapping address spaces if you plan to peer or connect via VPN. Use a consistent CIDR scheme, such as 10.x.0.0/16 per region (e.g., 10.1.0.0/16 for East US, 10.2.0.0/16 for West US). Subnets should be sized according to resource growth: use /24 for general workloads, /23 or larger for large clusters or delegated services. Remember that some Azure services require specific subnet names and sizes (e.g., Azure Firewall requires AzureFirewallSubnet /26, Azure Bastion requires AzureBastionSubnet /27, GatewaySubnet must be /27 or larger).
Plan IP Address Space
Determine the VNet's address space using CIDR notation (e.g., 10.0.0.0/16). Ensure it does not overlap with other VNets you plan to peer or connect via VPN. Consider future growth: a /16 provides 65,536 IPs, but you may start with /20. Azure reserves the first four and last IP in each subnet. For example, in 10.0.0.0/24, the reserved addresses are 10.0.0.0 (network), 10.0.0.1 (gateway), 10.0.0.2 (Azure DNS), 10.0.0.3 (Azure reserved), and 10.0.0.255 (broadcast). Usable range: 10.0.0.4-10.0.0.254. This step is crucial because address overlap is a common exam trap.
Create the Virtual Network
Using the Azure portal, CLI, or PowerShell, create the VNet in a specific region and resource group. Specify the address space (one or more prefixes). For example: 'az network vnet create --name ProdVNet --resource-group ProdRG --address-prefix 10.0.0.0/16 --location eastus'. The VNet is created with no subnets initially. You can add multiple address spaces later, but they must not overlap. Azure validates the address space against existing VNets in the same subscription only if using peering; otherwise, overlapping is allowed but discouraged.
Create Subnets with Sizing
Add subnets to the VNet, each with a unique address range within the VNet's space. For example, create a subnet 'Web' with 10.0.1.0/24 (254 usable IPs) and 'DB' with 10.0.2.0/24. Ensure you leave room for future subnets. Some services require specific subnet names: 'GatewaySubnet' for VPN/ExpressRoute (must be /27 or larger), 'AzureFirewallSubnet' (/26), 'AzureBastionSubnet' (/27). The exam tests that you know these reserved names and minimum sizes. Use 'az network vnet subnet create' command.
Configure Subnet Delegation
If you plan to deploy a PaaS service that injects its own resources (e.g., Azure Container Instances, Azure SQL Managed Instance, Azure NetApp Files), you must delegate the subnet to that service. Delegation is set at the subnet level via 'az network vnet subnet update --delegations Microsoft.ContainerInstance/containerGroups'. Once delegated, the subnet cannot be used for other resource types unless you remove the delegation. This is a common exam point: delegation is irreversible without explicit removal.
Apply Network Security Groups
Associate an NSG to a subnet to filter inbound and outbound traffic. NSGs are stateful: if you allow inbound traffic on port 80, the return traffic is automatically allowed. NSGs contain rules with priority, source, destination, port, and protocol. Default rules allow intra-VNet traffic and deny inbound from internet. You can also associate NSGs to individual NICs for finer control. Exam tip: NSG association to subnet affects all resources in that subnet; NIC-level overrides subnet-level for that NIC.
Configure Service Endpoints
Service endpoints allow you to secure Azure PaaS services (e.g., Storage, SQL Database) to your VNet. When enabled on a subnet, traffic to the service goes over the Azure backbone instead of the public internet. You must also configure the service's firewall to allow the subnet. Service endpoints do not give the service a private IP; they just route traffic internally. Exam trap: Service endpoints are not the same as Private Endpoints; Private Endpoints assign a private IP from your VNet to the service.
Enterprise Scenario 1: Multi-Tier Web Application
A financial services company deploys a three-tier web application in Azure: web servers, application servers, and database servers. They create a VNet with address space 10.0.0.0/16. They create three subnets: 'Web' (10.0.1.0/24), 'App' (10.0.2.0/24), and 'DB' (10.0.3.0/24). NSGs are applied to each subnet: Web allows inbound HTTP/HTTPS from internet, App allows only traffic from Web subnet, DB allows only traffic from App subnet on port 1433 (SQL). This ensures defense-in-depth. They use Azure Firewall in a dedicated AzureFirewallSubnet to inspect outbound traffic. The VNet is peered to a central hub VNet for shared services (Active Directory, monitoring). In production, they monitor NSG flow logs to detect anomalies. Common misconfiguration: forgetting to allow Azure Load Balancer health probes (168.63.129.16) in NSG rules, causing health probe failures.
Scenario 2: Hybrid Connectivity with VPN
A retail company connects its on-premises datacenter to Azure using a site-to-site VPN. They create a VNet with address space 10.1.0.0/16, ensuring no overlap with on-premises networks (192.168.0.0/16). They create a GatewaySubnet (10.1.0.0/27) and deploy a VPN gateway. They also create a Local Network Gateway representing the on-premises VPN device. The connection is established via IPsec IKEv2. They use BGP to exchange routes dynamically. In Azure, they create a route table with a forced tunneling route (0.0.0.0/0 next hop to VPN gateway) to send all internet-bound traffic through the on-premises firewall for compliance. They must ensure the on-premises firewall can handle the load. Performance consideration: VPN throughput is limited by gateway SKU (e.g., VpnGw1: 650 Mbps). For higher throughput, they might use ExpressRoute.
Scenario 3: PaaS Service Injection with Delegation
A healthcare startup uses Azure Container Instances (ACI) to run microservices. They create a VNet and delegate a subnet ('Containers') to Microsoft.ContainerInstance/containerGroups. This allows ACI to place containers with private IPs in that subnet. They also deploy Azure SQL Managed Instance in a separate delegated subnet. They must size the subnet adequately: ACI requires a /24 or larger, and SQL Managed Instance requires a /27 or larger. They also enable service endpoints on the subnet for Azure Storage to ensure container logs go over the backbone. Common pitfall: forgetting to delegate the subnet before deploying ACI, causing deployment failure. They also restrict NSG rules to allow only necessary traffic from the application subnet to the container subnet.
What AZ-104 Tests on VNets and Subnets
The exam objectives under 'Configure and manage virtual networking' (AZ-104: 4.1) include: create and configure VNets and subnets, plan IP addressing, configure VNet peering, configure service endpoints and private endpoints, configure Azure DNS, and configure network security groups. Expect 5-8 questions on these topics.
Common Wrong Answers and Traps
Overlapping address spaces: Candidates often think you can peer VNets with overlapping address spaces. Reality: Peering requires non-overlapping address spaces. The exam will give two VNets with overlapping ranges and ask if peering is possible. Answer: No.
Subnet size for gateways: Many choose /24 for GatewaySubnet. Reality: Minimum is /27. The exam tests that GatewaySubnet must be /27 or larger. A /24 is acceptable but wasteful.
NSG default rules: Candidates forget that NSGs have default rules that allow intra-VNet traffic and deny inbound from internet. They might think all traffic is denied by default. Reality: Intra-VNet traffic is allowed by default rule 'AllowVNetInBound'.
Service endpoints vs. Private Endpoints: Candidates confuse these. Service endpoints route traffic over the Azure backbone but do not give a private IP. Private Endpoints assign a private IP from your VNet. The exam will ask which provides a private IP.
Specific Numbers and Terms
Reserved IPs: first four (network, gateway, Azure DNS, Azure reserved) and last (broadcast) in each subnet.
GatewaySubnet minimum size: /27.
AzureFirewallSubnet minimum size: /26.
AzureBastionSubnet minimum size: /27.
Maximum VNets per subscription: 1000.
Maximum subnets per VNet: 3000.
Azure DNS IP: 168.63.129.16.
VNet peering: requires 'Allow forwarded traffic' if using NVA.
Edge Cases
You can add multiple address spaces to a VNet after creation, but they must not overlap with existing subnets.
You can resize a subnet only if it contains no resources or delegated services.
A subnet can be deleted only if it has no resources.
Service endpoints are not supported for all PaaS services; check documentation.
Forced tunneling: set 0.0.0.0/0 route with next hop VPN gateway or NVA.
How to Eliminate Wrong Answers
Understand the underlying mechanism. For example, if a question asks about connecting two VNets in different regions, think: VNet peering supports global peering, so that's possible. If a question mentions 'private IP for Azure Storage', that's Private Endpoint, not Service Endpoint. If a question says 'subnet must be /24 for VPN gateway', that's wrong because minimum is /27. Always check reserved IPs: a subnet with /29 has only 3 usable IPs (8 total - 5 reserved).
Each subnet in Azure reserves the first four IPs (network, gateway, DNS, Azure reserved) and the last IP (broadcast), making them unavailable for resources.
GatewaySubnet must be at least /27; AzureFirewallSubnet at least /26; AzureBastionSubnet at least /27.
VNet peering requires non-overlapping address spaces and works across regions (global peering).
Service endpoints route traffic over the Azure backbone but do not give a private IP; Private Endpoints do.
NSGs are stateful: inbound allowance automatically permits outbound return traffic.
You can have up to 1000 VNets per subscription and 3000 subnets per VNet.
Subnet delegation is required for PaaS services that inject resources (ACI, SQL MI, NetApp).
Azure DNS resolver IP is 168.63.129.16; do not block it in NSGs.
Forced tunneling is configured by adding a route 0.0.0.0/0 with next hop VPN gateway or NVA.
You cannot resize a subnet if it contains resources; you must delete them first.
These come up on the exam all the time. Here's how to tell them apart.
Service Endpoints
Traffic stays on Azure backbone but uses public IP of the service.
No private IP assigned; service still has public endpoint.
Configured at subnet level via service endpoint policy.
Supported for Azure Storage, SQL Database, Cosmos DB, etc.
Free of charge; no additional cost.
Private Endpoints
Assigns a private IP from your VNet to the service.
Service is accessible only via private IP; public endpoint can be disabled.
Configured as a separate resource (Private Endpoint) in the VNet.
Supported for many PaaS services and also custom services via Private Link.
Incurs hourly charges for the Private Endpoint.
Mistake
A subnet's first IP address is usable for a VM.
Correct
The first IP of any subnet (x.x.x.0) is reserved for the network address and cannot be assigned to any resource. The first usable IP is x.x.x.4 (after network, gateway, DNS, and Azure reserved).
Mistake
VNet peering works even if address spaces overlap.
Correct
VNet peering requires non-overlapping address spaces because Azure cannot route between overlapping ranges. If you try to peer overlapping VNets, the peering will fail.
Mistake
Service endpoints assign a private IP to the PaaS service.
Correct
Service endpoints do not assign a private IP; they only route traffic to the service over the Azure backbone. Private Endpoints are required to give a private IP.
Mistake
GatewaySubnet can be any size, but /24 is recommended.
Correct
GatewaySubnet must be at least /27. A /24 is larger than necessary and wastes IP space. The minimum is /27; /26 or larger is also acceptable.
Mistake
You can change a subnet's address range after resources are deployed.
Correct
You cannot change a subnet's address range if it contains any resources (VMs, containers, etc.). You must first delete or move the resources.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Yes, you can add additional address spaces to a VNet after creation, but you cannot remove or modify the original address space if it contains subnets. To change the original address space, you must delete all subnets first. Exam tip: adding address spaces is allowed, but careful planning avoids the need.
Azure Firewall requires a subnet named 'AzureFirewallSubnet' with a minimum size of /26 (64 IPs, but only 59 usable after reservations). A /26 provides enough IPs for scaling firewall instances. Never use a smaller subnet or the deployment will fail.
A /29 subnet has 8 total IPs (2^(32-29) = 8). Azure reserves 5 IPs (network, gateway, DNS, Azure reserved, broadcast), leaving 3 usable IPs for resources. Example: 10.0.0.0/29 has usable range 10.0.0.4-10.0.0.6.
Yes, VNet peering supports global peering across regions. Traffic between peered VNets in different regions stays on the Microsoft backbone and does not traverse the public internet. There is no additional cost for the peering itself, but egress charges apply for data transfer across regions.
NSG is a distributed stateful firewall that filters traffic at the subnet or NIC level, with rules based on source/destination IP, port, and protocol. Azure Firewall is a managed, centralized firewall service with advanced features like FQDN filtering, threat intelligence, and NAT. Azure Firewall is deployed in its own subnet and can inspect traffic between VNets, to internet, and on-premises.
Yes, you can assign a public IP to a VM's NIC, which allows inbound internet traffic to the VM (subject to NSG rules). The VM retains its private IP from the subnet. Public IPs are a separate resource that can be static or dynamic.
Blocking 168.63.129.16 will break DNS resolution for VMs in that subnet. Azure uses this IP for internal DNS and also for health probes from Azure Load Balancer. Do not block it. If you use custom DNS, ensure the VM can still reach 168.63.129.16 for metadata and health probes.
You've just covered Azure Virtual Networks and Subnets — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?