Creating Virtual Networks


AZ-104 notes: Creating Virtual Networks. Covers key concepts for the Azure Administrator Associate exam.

This lesson builds on VNet concepts and walks through:

  • How to design a virtual network properly
  • How to create it in Azure
  • How to deploy a VM into it

Core service:

  • Azure Virtual Network

1️⃣ Step 1: Designing Before Creating (Critical for Real-World & Exams)

Networking must be planned before implementation.

A. Choose IP Address Space (CIDR)

VNets use RFC 1918 private IP ranges:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

Example:

  • 172.16.0.0/16

Key Planning Rule:

✔ Must NOT overlap with:

  • Other VNets
  • On-prem networks
  • Other clouds
  • Future peered networks

Why? Overlapping IP space causes:

  • Complex NAT requirements
  • Routing failures
  • Hybrid connectivity issues

B. Subnet Design

After choosing the address space, segment it into subnets.

Example:

  172.16.0.0/16
  ├── 172.16.1.0/24 (Frontend)
  ├── 172.16.2.0/24 (Backend)
  └── 172.16.3.0/24 (Identity)

Subnet design depends on:

  • Application tiers
  • Security boundaries
  • Scaling needs
  • Routing control

Each subnet:

  • Allocates IPs to workloads
  • Can have NSGs
  • Can have route tables
  • Can enable service endpoints

C. Determine Connectivity Requirements

Questions to ask:

  • Does frontend need public access?
  • Do backend systems require private-only access?
  • Do we need load balancers?
  • Do we need VNet peering?
  • Do we need hybrid connectivity?

Connectivity options include:

  • Azure Load Balancer
  • Azure VPN Gateway
  • Azure ExpressRoute
  • VNet Peering

Good design considers future expansion.

2️⃣ Creating the Virtual Network (Portal Walkthrough)

Step 1: Define Basics

  • Name: vnet-prod-01
  • Region: East US
  • Subscription + Resource Group

Naming convention example:

  • vnet-[environment]-[number]

Step 2: Advanced Features (Optional)

Options include:

  • Virtual Network Encryption
  • Azure Bastion integration
  • Azure Firewall
  • DDoS Protection Plan

Most deployments leave these off initially unless required.

Step 3: Address Space

Example configured:

  • 172.16.0.0/16

Possible adjustment:

  • 172.16.0.0/24

Planning Tip: Always leave space for growth.

Step 4: Create Subnet

Example:

  • fe-subnet
  • 172.16.0.0/29
  • /29 provides 8 IP addresses (5 reserved by Azure, 3 usable).

Important:

  • Azure reserves 5 IPs per subnet.

So:

  • /29 → 8 total → 3 usable
  • /24 → 256 total → 251 usable

Plan subnet sizes carefully.
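The address-space rules from Step 1 and the subnet-sizing rule above, turned into a checker. This is an added example, not code from the original notes; it encodes the facts these notes state (RFC 1918 space, no overlap with other networks, 5 reserved addresses per subnet) plus one assumption stated in the code: Azure's smallest allowed subnet is /29.

```python
"""Check a VNet address plan against the design rules in these notes.

Added example, not from the original notes. Azure facts used: subnets must sit
inside the VNet address space, cannot overlap, may be no smaller than /29, and
each loses 5 addresses to Azure's reservation.
"""
import ipaddress
from typing import Dict, List, Tuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_RESERVED = 5   # addresses Azure reserves in every subnet
MIN_PREFIX = 29      # smallest subnet Azure accepts (assumption from Azure docs)


def usable_addresses(cidr: str) -> int:
    """Addresses left for workloads: /24 -> 251, /29 -> 3."""
    return ipaddress.ip_network(cidr).num_addresses - AZURE_RESERVED


def validate_plan(address_space: str, subnets: Dict[str, str],
                  external: Tuple[str, ...] = ()) -> List[str]:
    """Return a list of problems; an empty list means the plan passes.

    external: CIDRs of on-prem, peered or other-cloud networks that the VNet
    must not overlap (the "Must NOT overlap with" rule from Step 1).
    """
    problems = []
    space = ipaddress.ip_network(address_space)
    if not any(space.subnet_of(r) for r in RFC1918):
        problems.append(f"{space} is not an RFC 1918 private range")
    for ext in external:
        if space.overlaps(ipaddress.ip_network(ext)):
            problems.append(f"{space} overlaps external network {ext}")
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(space):
            problems.append(f"{name} {net} is outside {space}")
        if net.prefixlen > MIN_PREFIX:
            problems.append(f"{name} {net} is smaller than /29")
    names = list(nets)
    for i, a in enumerate(names):  # pairwise overlap check between subnets
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems
```

Running `validate_plan("10.50.0.0/16", {"web-subnet": "10.50.1.0/24", "app-subnet": "10.50.2.0/24", "private-endpoints-subnet": "10.50.10.0/24"})` on the hands-on lab layout returns an empty list; pass your on-prem ranges in `external` to catch the hybrid overlap case before the VNet exists.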

Step 5: Private Subnet Option

  • “Private subnet” disables default outbound internet access.

Useful for:

  • Backend databases
  • High-security environments

3️⃣ Deploying a VM into the VNet

Created:

  • Ubuntu VM
  • No public IP
  • No inbound public ports
  • Placed in fe-subnet

Key Settings:

  ✔ Public IP: None
  ✔ NIC NSG: None (for simplicity)
  ✔ Accelerated networking: Enabled

4️⃣ What Happens Internally

After deployment:

  • NIC created
  • Private IP assigned via Azure DHCP
  • VM attached to subnet
  • System routes applied

5️⃣ System Default Routes

Every subnet automatically gets:

  • Local VNet route
  • Internet route (0.0.0.0/0)
  • Service routes
  • VNet peering routes (if configured)

System routes:

  ✔ Automatically created
  ✔ Cannot be deleted
  ✔ Can be overridden with UDRs

6️⃣ DNS Behavior

By default:

  • Uses Azure-provided DNS (168.63.129.16)

Can configure:

  • Custom DNS
  • Domain controllers
  • Hybrid DNS forwarding

If using Active Directory, you must configure custom DNS.

7️⃣ Connected Devices View

Inside the VNet you can view:

  • NICs
  • Private Endpoints
  • Bastion
  • Other resources

Effective routes are visible at the NIC level.

8️⃣ Real-World Architecture Example

Typical Production Layout:

  • Internet → Public Load Balancer → Frontend Subnet → Internal Load Balancer → Backend Subnet → Identity Subnet
  • Hybrid: → VPN Gateway subnet

9️⃣ Best Practices

✔ Avoid overlapping IP ranges
✔ Use structured subnet naming
✔ Plan for hybrid early
✔ Reserve IP space for future growth
✔ Use private subnets for backend
✔ Minimize public IP exposure
✔ Use NSGs and UDRs appropriately

🔟 Common Exam Traps (AZ-104 / AZ-700)

🚩 Subnets can overlap → False
🚩 Azure reserves 2 IPs → False (reserves 5)
🚩 You can remove system routes → False
🚩 You must use 10.x.x.x range → False (any RFC 1918 range is allowed)
🚩 VM requires public IP → False

11️⃣ Reference Documentation

  • Virtual Network Overview
  • IP Address Planning
  • Subnet Design
  • User Defined Routes
  • DNS for VMs
  • Hybrid Networking

Final Conceptual Summary

Creating a VNet involves:

  1️⃣ Designing address space
  2️⃣ Segmenting subnets
  3️⃣ Planning connectivity
  4️⃣ Deploying resources
  5️⃣ Understanding routing & DNS

Networking design mistakes are costly to fix later; planning is critical.


Hands-on: Create a VNet with Public and Private Subnets

Goal: Build a simple VNet layout that can host web, app, and private endpoint resources.

  1. Open Virtual networks > Create.
  2. Create resource group az104-network-rg.
  3. Name the VNet az104-vnet.
  4. Use address space 10.50.0.0/16.
  5. Create these subnets:
    • web-subnet: 10.50.1.0/24
    • app-subnet: 10.50.2.0/24
    • private-endpoints-subnet: 10.50.10.0/24
  6. Create the VNet.
  7. Open Subnets and confirm each /24 subnet has 251 usable addresses because Azure reserves 5 addresses per subnet.
  8. Deploy a test VM into web-subnet.
  9. Open the VM NIC and review Effective routes.
  10. Add tags to the VNet such as Environment = lab.

Hands-on: Add a Route Table

  1. Create a route table named az104-app-rt.
  2. Add a route:
    • Name: default-to-appliance
    • Address prefix: 0.0.0.0/0
    • Next hop type: Virtual appliance
    • Next hop IP: 10.50.2.4
  3. Associate the route table to app-subnet.
  4. Open a NIC in the subnet and check Effective routes.
  5. Remove the route table association after the lab unless you have a real appliance.
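How Azure resolves the Effective routes you check in step 4, covering both the system default routes from section 5 and the UDR added in this lab. This is an added example, not code from the original notes or from Azure; the route tuple layout, the `SOURCE_RANK` table and the probe addresses are constructed for illustration, while the selection rule (longest prefix, then User over gateway over Default on a tie) is Azure's documented behaviour.

```python
"""Resolve the effective route for a destination the way Azure does on a NIC.

Added example, not from the original notes. Models the system routes every
subnet gets plus optional UDRs. Azure picks the longest matching prefix; when
routes share a prefix, source priority decides: User > gateway (BGP) > Default.
"""
import ipaddress
from typing import List, Optional, Tuple

# (source, address prefix, next hop type, next hop IP), as the Effective routes view shows
Route = Tuple[str, str, str, Optional[str]]
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}  # lower wins ties


def system_routes(vnet_space: str) -> List[Route]:
    """Default routes Azure creates for every subnet (they cannot be deleted)."""
    return [
        ("Default", vnet_space, "VirtualNetwork", None),  # local VNet route
        ("Default", "0.0.0.0/0", "Internet", None),       # default outbound route
    ]


def effective_route(destination: str, routes: List[Route]) -> Route:
    """Pick the single route Azure would use for one destination address."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in ipaddress.ip_network(r[1])]
    # Longest prefix wins; on an equal prefix the higher-priority source wins,
    # which is how a 0.0.0.0/0 UDR overrides the Internet system route.
    return max(matches, key=lambda r: (ipaddress.ip_network(r[1]).prefixlen,
                                       -SOURCE_RANK[r[0]]))


def effective_routes_table(vnet_space: str, udrs: List[Route],
                           probes: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """(destination, next hop type, next hop IP) for each probe address."""
    routes = system_routes(vnet_space) + udrs
    rows = []
    for d in probes:
        r = effective_route(d, routes)
        rows.append((d, r[2], r[3]))
    return rows


if __name__ == "__main__":
    # The lab's route table az104-app-rt with route default-to-appliance.
    lab_udr = [("User", "0.0.0.0/0", "VirtualAppliance", "10.50.2.4")]
    for row in effective_routes_table("10.50.0.0/16", lab_udr, ["10.50.1.5", "8.8.8.8"]):
        print(row)
```

With the lab's 0.0.0.0/0 UDR in place every non-VNet destination resolves to 10.50.2.4, so if nothing is listening at that address outbound traffic from app-subnet is dropped, which is why step 5 removes the association.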
