Module 2: Azure Architecture and Services

Azure Virtual Networks
& IP Addressing

Build secure, isolated networks in Azure with subnets, IP addressing, Network Security Groups, and VNet peering. Learn to connect Azure resources securely and efficiently.

Virtual Networks IP Addressing Network Security VNet Connectivity

Learning Objectives

After completing this session, you'll be ready for Quiz 13 and able to:

Understand Azure Virtual Networks (VNets) as logical isolation
Configure subnets and IP addressing (RFC 1918)
Implement Network Security Groups (NSGs)
Master VNet peering and connectivity options
Understand service endpoints and Private Link
Configure Azure Firewall and DDoS Protection
Know the difference between public and private IPs
Understand Azure DNS and load balancer basics

Azure Virtual Networks (VNets) - Your Private Cloud Network

Azure Virtual Network (VNet) is like creating your own private network in the cloud. Think of it as your own private section of the internet where only your resources can communicate with each other, isolated from everyone else's resources.

🏢 Office Building Analogy: Understanding VNets

🏢 Physical Office Building

Like an office building with separate floors, rooms, and security systems

🌐 Azure Virtual Network

Like your company's private floor in the cloud "building" with controlled access

🔒 Isolation & Security

Other companies can't access your floor, just like other customers can't access your VNet!

🔑 Key VNet Concepts (Important for Quiz!)

What is a VNet?
Logical isolation:

Your private network space in Azure cloud

Regional resource:

Exists within a specific Azure region

Resource communication:

Enables Azure resources to securely communicate

Why Use VNets?
Security:

Control who can access your resources

Organization:

Group related resources together

Connectivity:

Connect to on-premises or other VNets

📊 RFC 1918 Private IP Address Ranges

Class A

10.0.0.0/8

10.0.0.0 - 10.255.255.255

16.7 million addresses

Large organizations

Class B

172.16.0.0/12

172.16.0.0 - 172.31.255.255

1 million addresses

Medium organizations

Class C

192.168.0.0/16

192.168.0.0 - 192.168.255.255

65,536 addresses

Small networks

💡 Quiz Tip: Azure VNets can ONLY use RFC 1918 private IP address ranges!

IP Addressing and Subnets

🌐 Public vs Private IP Addresses

🌍 Public IP Addresses

  • • Accessible from the internet
  • • Must be explicitly assigned
  • • Cost extra money
  • • Can be static or dynamic
  • • Required for internet-facing services
  • • Example: Web servers, load balancers

🏠 Private IP Addresses

  • • Only accessible within Azure VNet
  • • Automatically assigned to all resources
  • • No additional cost
  • • Always dynamic (unless static configured)
  • • Used for internal communication
  • • Example: Database servers, internal APIs

Remember: Public IPs are accessible from the internet, Private IPs are only within Azure!

🏠 Subnets - Dividing Your VNet into Rooms

Subnets are like dividing your house (VNet) into different rooms for different purposes - kitchen, bedroom, office, etc.

What Are Subnets?
Segment networks:

Divide VNet into smaller networks

Apply security:

Different security rules per subnet

Organize resources:

Group similar resources together

Common Subnet Examples
Web Tier Subnet:

Front-end web servers (public access)

App Tier Subnet:

Application servers (internal only)

Database Subnet:

Database servers (highly restricted)

🧮 Subnet Sizing - Important for Quiz!

/30 Subnet

4 total addresses

2 usable (Azure reserves 5)

Minimum size!

/28 Subnet

16 total addresses

11 usable

Small subnet

/24 Subnet

256 total addresses

251 usable

Common choice

/16 Subnet

65,536 total addresses

65,531 usable

Very large subnet

⚠️ Azure reserves 5 IP addresses in each subnet!

(Network, Gateway, DNS x2, Broadcast)

Network Security Groups (NSGs) - Your Firewall

Network Security Groups (NSGs) are like security guards at your building entrance. They check every piece of network traffic and decide whether to allow or deny it based on your security rules.

🛡️ NSGs: Your Digital Firewall

🚪 Security Guard

Like a guard checking IDs at building entrance

📋 Rule List

Contains allow/deny rules with priorities

🎯 Traffic Control

Controls inbound and outbound traffic

⚙️ NSG Rules and Application (Key for Quiz!)

NSG Rule Components
Priority (100-4096):

Lower numbers = higher priority

Source/Destination:

IP addresses, subnets, or service tags

Port/Protocol:

TCP/UDP ports (80, 443, 22, etc.)

Action:

Allow or Deny traffic

Where to Apply NSGs
Subnet Level:

Applies to ALL resources in the subnet

Network Interface:

Applies to specific VM's network card

Default Behavior:

Deny all traffic except explicitly allowed

📋 Common NSG Rules Examples

✅ Allow Web Traffic

Priority: 100

Source: Internet

Destination: Web Subnet

Port: 80, 443

Action: Allow

🔒 Allow SSH Access

Priority: 200

Source: Admin IPs

Destination: Any

Port: 22

Action: Allow

❌ Deny All Others

Priority: 4096

Source: Any

Destination: Any

Port: Any

Action: Deny

🧠 Quiz Tip: Lower priority numbers are processed first (100 comes before 200)!

VNet Connectivity - Connecting Networks

🔗 VNet Peering - Direct Network Connection

What is VNet Peering?
Direct connection:

Private connection between VNets

Cross-region support:

Connect VNets across regions

High performance:

Uses Azure backbone network

Peering vs VPN Gateway
VNet Peering:

Direct, private, high-performance connection

VPN Gateway:

Encrypted tunnel, for on-premises connections

Quiz Note:

Peering = Azure to Azure, VPN = Azure to on-premises

🔐 Service Endpoints vs Private Link

🌐 Service Endpoints
  • • Direct access to Azure services from VNet
  • • Traffic stays on Azure backbone
  • • Service-level access control
  • • Examples: Storage, SQL Database, Key Vault
  • • Still uses public IP addresses
  • • No additional cost
🏠 Private Link
  • • Private IP access to Azure services
  • • Service appears inside your VNet
  • • Complete network isolation
  • • Works with on-premises via VPN/ExpressRoute
  • • Higher security than service endpoints
  • • Additional cost per endpoint

Key Difference: Service Endpoints = service-level, Private Link = private IP access!

🌐 Azure DNS and Load Balancer Basics

Azure DNS Resolution
Azure-provided DNS:

Automatic DNS for VNet resources

Azure DNS service:

Managed DNS hosting for external domains

Custom DNS:

Use your own DNS servers if needed

Load Balancer Basics
Layer 4 (Transport):

Distributes traffic based on IP and port

Internal/External:

Internal for private, external for internet traffic

Health Probes:

Monitors backend server health

Hands-on Lab: Create and Configure Your First VNet

Let's create a Virtual Network with multiple subnets and configure Network Security Groups. This lab will help you understand VNet concepts practically and prepare for Quiz 13.

1

Create Virtual Network

Set up your private network in Azure

🌐 VNet Configuration:

Basic Settings:
  • Name: MyLab-VNet
  • Region: East US (or closest)
  • Resource Group: NetworkLab-RG
IP Address Space:
  • Address Space: 10.0.0.0/16
  • Range: 10.0.0.0 - 10.0.255.255
  • Total IPs: 65,536 addresses

📋 Portal Steps:

  1. 1. Go to Azure Portal → Create a resource
  2. 2. Search "Virtual Network" → Create
  3. 3. Fill in basic settings as shown above
  4. 4. Go to "IP Addresses" tab → Configure address space
  5. 5. Leave security defaults for now
  6. 6. Review + Create → Create
2

Create Multiple Subnets

Divide VNet into logical segments

🌐 Web Subnet
  • Name: Web-Subnet
  • Range: 10.0.1.0/24
  • Usable IPs: 251
  • Purpose: Web servers
⚙️ App Subnet
  • Name: App-Subnet
  • Range: 10.0.2.0/24
  • Usable IPs: 251
  • Purpose: Application servers
🗄️ DB Subnet
  • Name: DB-Subnet
  • Range: 10.0.3.0/24
  • Usable IPs: 251
  • Purpose: Database servers

📝 How to Add Subnets:

  1. 1. Go to your VNet → Settings → Subnets
  2. 2. Click "+ Subnet" for each subnet
  3. 3. Enter name and address range
  4. 4. Leave other settings as default
  5. 5. Save each subnet
3

Configure Network Security Groups

Add security rules to control traffic

🛡️ Create Web-NSG:

Allow HTTP Rule:
  • • Priority: 100
  • • Source: Internet
  • • Port: 80
  • • Action: Allow
Allow HTTPS Rule:
  • • Priority: 110
  • • Source: Internet
  • • Port: 443
  • • Action: Allow

📝 NSG Creation Steps:

  1. 1. Search "Network Security Group" → Create
  2. 2. Name: Web-NSG, same resource group and region
  3. 3. After creation → Settings → Inbound security rules
  4. 4. Add rules as shown above
  5. 5. Go to Subnets → Associate with Web-Subnet
4

Test and Verify Configuration

Validate your VNet setup

✅ Verification Checklist:

  • VNet created with 10.0.0.0/16 address space
  • Three subnets created with /24 ranges
  • NSG created with appropriate rules
  • NSG associated with Web-Subnet
  • All resources in same region

🎯 What You Learned:

  • • How to create VNets with proper IP addressing
  • • Subnet segmentation for different tiers
  • • NSG rule creation and association
  • • Basic network security concepts
5

💰 Clean Up Resources

Important: Delete resources to avoid charges

🗑️ Deletion Steps:

  1. 1. Go to Resource Groups → NetworkLab-RG
  2. 2. Click "Delete resource group"
  3. 3. Type the resource group name exactly
  4. 4. Click Delete
  5. 5. Wait for deletion to complete

🧠 Get Ready for Quiz 13 - Sample Questions

Here are example questions similar to what you'll see in Quiz 13. Make sure you understand these networking concepts!

Sample Question 1:

"What is an Azure Virtual Network (VNet)?"

  • A) A physical network in Azure data centers
  • B) A logical isolation of Azure cloud resources ✅
  • C) A VPN connection to on-premises
  • D) A load balancing service

Sample Question 2:

"How many IP addresses does Azure reserve in each subnet?"

  • A) 2 addresses
  • B) 3 addresses
  • C) 5 addresses ✅
  • D) 10 addresses

📝 Quiz 13 Topics: VNets, IP addressing, subnets, NSGs, VNet peering, service endpoints, Azure DNS, load balancer basics

Take Quiz 13 Now

Session 13 Summary

🎯 Key Takeaways - Everything You Need for Quiz 13

🌐 Virtual Networks (VNets):

  • Logical isolation: Private network space in Azure cloud
  • Regional resource: Exists within specific Azure region
  • RFC 1918 ranges: 10.x.x.x, 172.16-31.x.x, 192.168.x.x
  • Subnets: Segment networks, Azure reserves 5 IPs per subnet

🔒 Network Security:

  • NSGs: Firewall rules with priority (100-4096)
  • Application: Subnet level or network interface level

🌍 IP Addressing:

  • Public IPs: Internet accessible, must be explicitly assigned
  • Private IPs: VNet internal only, automatically assigned
  • Smallest subnet: /30 (4 addresses, but only 2 usable)

🔗 Connectivity:

  • VNet Peering: Direct connection between VNets
  • Service Endpoints: Direct access to Azure services
  • Private Link: Private IP access to Azure services

🎉 Azure Networking Mastered!

You now understand how to build secure, isolated networks in Azure using Virtual Networks, subnets, and Network Security Groups. You know the difference between public and private IPs, how to connect VNets, and the basics of Azure networking services.

VNet Concepts ✓ IP Addressing ✓ Network Security ✓ VNet Connectivity ✓ Service Endpoints ✓

🚀 Ready for Quiz 13?

Perfect! You've mastered Azure Virtual Networks and IP addressing concepts. Now test your knowledge with Quiz 13, which covers all the VNet, subnet, and network security topics from this session.

Take Quiz 13 - Virtual Networks & IP Addressing Continue to Session 14: Load Balancer & VPN