# Azure Networking — CLI & PowerShell Cheat Sheet
Intermediate · Cheat Sheet · 15 min · 7 min read · 20 Jan 2025 · Azure
Must-know Azure CLI and PowerShell commands for VNets, subnets, NSGs, route tables, VNet peering, load balancers, DNS, and private/service endpoints.
## Prerequisites
## Virtual Networks & Subnets

```bash
# Create a VNet with address space
az network vnet create \
  --resource-group myRG \
  --name myVNet \
  --address-prefixes 10.0.0.0/16 \
  --location eastus

# Add a subnet
az network vnet subnet create \
  --resource-group myRG \
  --vnet-name myVNet \
  --name mySubnet \
  --address-prefixes 10.0.1.0/24

# List VNets
az network vnet list --resource-group myRG --output table

# List subnets
az network vnet subnet list \
  --resource-group myRG \
  --vnet-name myVNet \
  --output table

# Show VNet details
az network vnet show --resource-group myRG --name myVNet

# Delete VNet
az network vnet delete --resource-group myRG --name myVNet
```

```powershell
# Same VNet and subnet with Az PowerShell
$subnet = New-AzVirtualNetworkSubnetConfig -Name "mySubnet" -AddressPrefix "10.0.1.0/24"
New-AzVirtualNetwork -Name "myVNet" -ResourceGroupName "myRG" -Location "EastUS" -AddressPrefix "10.0.0.0/16" -Subnet $subnet
Get-AzVirtualNetwork -ResourceGroupName "myRG"
```
## Network Security Groups (NSG)

```bash
# Create an NSG
az network nsg create \
  --resource-group myRG \
  --name myNSG

# Add inbound allow rule (HTTP from any source)
az network nsg rule create \
  --resource-group myRG \
  --nsg-name myNSG \
  --name AllowHTTP \
  --priority 100 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --source-address-prefixes "*" \
  --source-port-ranges "*" \
  --destination-address-prefixes "*" \
  --destination-port-ranges 80

# Add inbound allow rule (SSH from a specific source range only)
az network nsg rule create \
  --resource-group myRG \
  --nsg-name myNSG \
  --name AllowSSH \
  --priority 110 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --source-address-prefixes "203.0.113.0/24" \
  --destination-port-ranges 22

# Add outbound deny rule (Internet service tag)
az network nsg rule create \
  --resource-group myRG \
  --nsg-name myNSG \
  --name DenyInternet \
  --priority 200 \
  --direction Outbound \
  --access Deny \
  --destination-address-prefixes Internet \
  --destination-port-ranges "*" \
  --protocol "*"

# Associate NSG with subnet
az network vnet subnet update \
  --resource-group myRG \
  --vnet-name myVNet \
  --name mySubnet \
  --network-security-group myNSG

# Associate NSG with NIC
az network nic update \
  --resource-group myRG \
  --name myVMNic \
  --network-security-group myNSG

# List NSG rules
az network nsg rule list \
  --resource-group myRG \
  --nsg-name myNSG \
  --output table

# Effective security rules on a NIC (subnet NSG + NIC NSG + defaults, merged)
az network nic list-effective-nsg \
  --resource-group myRG \
  --name myVMNic
```
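To see what a rule set like the one above actually permits before the NSG reaches a subnet, here is an added Python model of Azure's rule evaluation (not from this cheat sheet): rules are walked in ascending priority, the first match decides, and the built-in default rules sit behind every custom rule. It assumes the VNet is 10.0.0.0/16 for the VirtualNetwork tag, and the sample rules are constructed to mirror the commands above using the field names of `az network nsg rule list -o json`.

```python
from ipaddress import ip_address, ip_network

# Assumed VNet address space (the cheat sheet's 10.0.0.0/16) for the VirtualNetwork tag.
VNET_SPACE = ip_network("10.0.0.0/16")

# Constructed sample in the shape of `az network nsg rule list -o json`: the two
# inbound cheat-sheet rules plus two of Azure's built-in default inbound rules.
RULES = [
    {"name": "AllowHTTP", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "80"},
    {"name": "AllowSSH", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

def prefix_matches(prefix, addr):
    """Match an address against '*', a CIDR, or the VirtualNetwork service tag."""
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip_address(addr) in VNET_SPACE
    return ip_address(addr) in ip_network(prefix, strict=False)

def port_matches(port_range, port):
    """Match a port against '*', a single port, or a 'low-high' range."""
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)

def evaluate(rules, direction, src, dst_port, proto):
    """Walk rules in ascending priority; the first match decides the flow."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if (r["direction"] == direction and r["protocol"] in ("*", proto)
                and prefix_matches(r["sourceAddressPrefix"], src)
                and port_matches(r["destinationPortRange"], dst_port)):
            return r["access"], r["name"]
    return "Deny", None  # unreachable once the default rules are present

def exposed_mgmt_rules(rules, ports=(22, 3389)):
    """Names of inbound Allow rules that open SSH or RDP to any source: the
    pattern to look for when reviewing `az network nsg rule list` output."""
    return [r["name"] for r in rules
            if r["direction"] == "Inbound" and r["access"] == "Allow"
            and r["sourceAddressPrefix"] in ("*", "Internet", "0.0.0.0/0")
            and any(port_matches(r["destinationPortRange"], p) for p in ports)]
```

Feed it the JSON from `az network nsg rule list` (plus the defaults) to answer "who can reach port 22?" without touching the subscription.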
## Route Tables

```bash
# Create a route table
az network route-table create \
  --resource-group myRG \
  --name myRouteTable \
  --disable-bgp-route-propagation false

# Add a route (send 0.0.0.0/0 to NVA)
az network route-table route create \
  --resource-group myRG \
  --route-table-name myRouteTable \
  --name DefaultRoute \
  --address-prefix 0.0.0.0/0 \
  --next-hop-type VirtualAppliance \
  --next-hop-ip-address 10.0.2.4

# Forced tunneling to on-premises (alternative to DefaultRoute above:
# a route table cannot hold two routes for the same address prefix)
az network route-table route create \
  --resource-group myRG \
  --route-table-name myRouteTable \
  --name ForceTunnel \
  --address-prefix 0.0.0.0/0 \
  --next-hop-type VirtualNetworkGateway

# Associate route table with subnet
az network vnet subnet update \
  --resource-group myRG \
  --vnet-name myVNet \
  --name mySubnet \
  --route-table myRouteTable

# List routes
az network route-table route list \
  --resource-group myRG \
  --route-table-name myRouteTable --output table

# Effective routes on a NIC (system routes + UDRs + BGP, as actually applied)
az network nic show-effective-route-table \
  --resource-group myRG \
  --name myVMNic \
  --output table
```
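An added Python model (not part of the cheat sheet) of how the effective route table is built from Azure's system routes and the user-defined routes above: longest prefix match first, then user routes over BGP routes over system routes, plus the one-route-per-prefix constraint that makes DefaultRoute and ForceTunnel mutually exclusive. The system routes for the 10.0.0.0/16 VNet and the `add_route` helper are assumptions constructed for this example, using the field names of `az network nic show-effective-route-table -o json`.

```python
from ipaddress import ip_address, ip_network

SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}  # UDR > BGP > system

# Constructed sample in the shape of `az network nic show-effective-route-table -o json`:
# the system routes Azure creates for the cheat sheet's 10.0.0.0/16 VNet.
SYSTEM_ROUTES = [
    {"source": "Default", "addressPrefix": "10.0.0.0/16", "nextHopType": "VnetLocal", "nextHopIpAddress": None},
    {"source": "Default", "addressPrefix": "0.0.0.0/0", "nextHopType": "Internet", "nextHopIpAddress": None},
]

def add_route(table, prefix, next_hop_type, next_hop_ip=None):
    """Mirror `az network route-table route create`: one route per prefix per table."""
    if any(r["addressPrefix"] == prefix for r in table):
        raise ValueError(f"a route for {prefix} already exists in this route table")
    table.append({"source": "User", "addressPrefix": prefix,
                  "nextHopType": next_hop_type, "nextHopIpAddress": next_hop_ip})
    return table

def next_hop(table, dst):
    """Effective next hop for dst: longest prefix wins; on a tie, user routes
    beat BGP-learned routes, which beat the system defaults."""
    addr = ip_address(dst)
    matches = [r for r in SYSTEM_ROUTES + table
               if addr in ip_network(r["addressPrefix"], strict=False)]
    if not matches:
        return "None", None
    best = min(matches, key=lambda r: (-ip_network(r["addressPrefix"]).prefixlen,
                                       SOURCE_RANK[r["source"]]))
    return best["nextHopType"], best["nextHopIpAddress"]

def egress_goes_direct(table):
    """True if traffic to a public address (TEST-NET-3 used as a probe) still
    leaves straight to the Internet, i.e. the system default route was not overridden."""
    return next_hop(table, "203.0.113.1")[0] == "Internet"
```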
## VNet Peering

```bash
# Peer VNet-A → VNet-B
az network vnet peering create \
  --resource-group myRG \
  --name VNetA-to-VNetB \
  --vnet-name VNetA \
  --remote-vnet VNetB \
  --allow-vnet-access \
  --allow-forwarded-traffic

# Peer VNet-B → VNet-A (must create both directions)
az network vnet peering create \
  --resource-group myRG \
  --name VNetB-to-VNetA \
  --vnet-name VNetB \
  --remote-vnet VNetA \
  --allow-vnet-access \
  --allow-forwarded-traffic

# List peerings
az network vnet peering list \
  --resource-group myRG \
  --vnet-name VNetA \
  --output table

# Delete peering
az network vnet peering delete \
  --resource-group myRG \
  --vnet-name VNetA \
  --name VNetA-to-VNetB
```
## Azure Load Balancer

```bash
# Create public IP for LB
az network public-ip create \
  --resource-group myRG \
  --name myLBPublicIP \
  --sku Standard \
  --allocation-method Static

# Create Standard Load Balancer
az network lb create \
  --resource-group myRG \
  --name myLB \
  --sku Standard \
  --public-ip-address myLBPublicIP \
  --frontend-ip-name myFrontend \
  --backend-pool-name myBackendPool

# Add health probe
az network lb probe create \
  --resource-group myRG \
  --lb-name myLB \
  --name myHealthProbe \
  --protocol Http \
  --port 80 \
  --path /health

# Add load balancing rule
az network lb rule create \
  --resource-group myRG \
  --lb-name myLB \
  --name myHTTPRule \
  --protocol Tcp \
  --frontend-port 80 \
  --backend-port 80 \
  --frontend-ip-name myFrontend \
  --backend-pool-name myBackendPool \
  --probe-name myHealthProbe

# Add VM NIC to backend pool
az network nic ip-config update \
  --resource-group myRG \
  --nic-name myVM1NIC \
  --name ipconfig1 \
  --lb-name myLB \
  --lb-address-pools myBackendPool

# Create inbound NAT rule (SSH to a specific VM via frontend port 50001)
az network lb inbound-nat-rule create \
  --resource-group myRG \
  --lb-name myLB \
  --name NATruleVM1 \
  --protocol Tcp \
  --frontend-port 50001 \
  --backend-port 22 \
  --frontend-ip-name myFrontend
```
## Azure DNS

```bash
# Create a DNS zone
az network dns zone create \
  --resource-group myRG \
  --name example.com

# List name servers (to configure at registrar)
az network dns zone show \
  --resource-group myRG \
  --name example.com \
  --query nameServers

# Create A record
az network dns record-set a add-record \
  --resource-group myRG \
  --zone-name example.com \
  --record-set-name www \
  --ipv4-address 20.0.0.1

# Create CNAME record
az network dns record-set cname set-record \
  --resource-group myRG \
  --zone-name example.com \
  --record-set-name blog \
  --cname myapp.azurewebsites.net

# Create MX record
az network dns record-set mx add-record \
  --resource-group myRG \
  --zone-name example.com \
  --record-set-name "@" \
  --exchange mail.example.com \
  --preference 10

# Create TXT record (e.g. an SPF policy, or a domain-verification token)
az network dns record-set txt add-record \
  --resource-group myRG \
  --zone-name example.com \
  --record-set-name "@" \
  --value "v=spf1 include:example.com ~all"

# List all record sets
az network dns record-set list \
  --resource-group myRG \
  --zone-name example.com \
  --output table

# Create a private DNS zone
az network private-dns zone create \
  --resource-group myRG \
  --name privatelink.blob.core.windows.net

# Link private zone to VNet
az network private-dns link vnet create \
  --resource-group myRG \
  --zone-name privatelink.blob.core.windows.net \
  --name myDNSLink \
  --virtual-network myVNet \
  --registration-enabled false
```
## Service Endpoints & Private Endpoints

```bash
# Enable Service Endpoint on subnet (for Storage)
az network vnet subnet update \
  --resource-group myRG \
  --vnet-name myVNet \
  --name mySubnet \
  --service-endpoints Microsoft.Storage

# Add storage account network rule to allow only from subnet
az storage account network-rule add \
  --resource-group myRG \
  --account-name mystorageacct \
  --vnet-name myVNet \
  --subnet mySubnet

# Deny all other network access to storage account
az storage account update \
  --resource-group myRG \
  --name mystorageacct \
  --default-action Deny

# Create Private Endpoint for Storage Blob
az network private-endpoint create \
  --resource-group myRG \
  --name myBlobPE \
  --vnet-name myVNet \
  --subnet mySubnet \
  --private-connection-resource-id $(az storage account show -n mystorageacct -g myRG --query id -o tsv) \
  --group-id blob \
  --connection-name myBlobConnection

# Register the private endpoint's IP in the private zone (DNS zone group)
az network private-endpoint dns-zone-group create \
  --resource-group myRG \
  --endpoint-name myBlobPE \
  --name blobZoneGroup \
  --private-dns-zone privatelink.blob.core.windows.net \
  --zone-name blob
```
## Azure Bastion

```bash
# Create Bastion subnet (required name: AzureBastionSubnet, at least /26)
az network vnet subnet create \
  --resource-group myRG \
  --vnet-name myVNet \
  --name AzureBastionSubnet \
  --address-prefixes 10.0.255.0/26

# Create public IP for Bastion
az network public-ip create \
  --resource-group myRG \
  --name BastionPublicIP \
  --sku Standard \
  --allocation-method Static

# Create Bastion host
az network bastion create \
  --resource-group myRG \
  --name myBastion \
  --public-ip-address BastionPublicIP \
  --vnet-name myVNet \
  --location eastus
```
## Key Facts for AZ-104

| Concept | Detail |
|---|---|
| NSG rule priority | Lower number = higher priority; 100–4096 |
| Default NSG rules | AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound |
| Service tags | Named groups (Internet, VirtualNetwork, AzureLoadBalancer) |
| VNet peering | Non-transitive; must be set both directions |
| Global VNet peering | Cross-region peering; supported |
| Standard LB SKU | Required for zones, HTTPS probe, backend VMs without public IP |
| Service endpoint | Traffic stays on Azure backbone; no private IP |
| Private endpoint | Private IP in your VNet; works over VPN/ExpressRoute |
| Bastion | Browser-based RDP/SSH; no public IP on VMs needed |
