Introduction to Virtual Networking Exam Tips

AZ-104 notes: Introduction to Virtual Networking Exam Tips. Covers key concepts for the Azure Administrator Associate exam.

  • This lesson summarizes core networking concepts required for Azure administrator exams (especially AZ-104).

Primary service discussed:

  • Azure Virtual Network

1️⃣ Core Concept: What Is a Virtual Network?

A Virtual Network (VNet) is:

  • An isolated private network in Azure
  • Similar to on-premises LAN
  • Uses RFC1918 private IP ranges
  • Segmented into subnets

Private IP ranges allowed:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

2️⃣ Key Components of a VNet

✔ Address Space

Defines total IP CIDR block.

✔ Subnets

  • Smaller IP ranges carved from VNet.

Best practice: use a separate subnet for each tier or function:

  • Frontend
  • Backend
  • Database
  • Identity
  • Firewall
  • Gateway subnet

✔ Connected Devices

  • VMs, NICs, private endpoints, etc.

Each device receives:

  • Private IP (static or dynamic)
  • DNS settings
  • NSG (optional)
  • Public IP (optional)

3️⃣ DHCP and DNS

DHCP

Managed automatically by Azure. Assigns:

  • Private IP
  • Default gateway
  • DNS settings

You cannot disable Azure DHCP.

DNS

Options:

  • Azure-provided DNS
  • Custom DNS (e.g., domain controllers)

4️⃣ Routing in Virtual Networks

Every VNet includes:

✔ System Routes (Default)

Automatically created. Examples:

  • Local VNet route
  • Internet route
  • Peering route

System routes cannot be deleted, but can be overridden.

✔ User-Defined Routes (UDRs)

Custom routes created in route tables.

✔ BGP Routes

Learned from:

  • VPN Gateway
  • ExpressRoute

Route precedence:

  • UDR
  • BGP
  • System route
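
Added example (not part of the original notes): a small model of how the effective route is chosen. It goes one step beyond the list above by applying longest-prefix match first and using the UDR, BGP, System order only as the tie-breaker for identical prefixes. The route table is constructed sample data.

```python
import ipaddress

# Tie-break order from the notes for routes with the same prefix (lower wins).
SOURCE_RANK = {"UDR": 0, "BGP": 1, "System": 2}

# Constructed route table for a subnet in a VNet with address space 10.0.0.0/16.
ROUTES = [
    ("10.0.0.0/16", "System", "VnetLocal"),
    ("0.0.0.0/0", "System", "Internet"),
    ("0.0.0.0/0", "UDR", "VirtualAppliance"),            # force egress via a firewall
    ("192.168.0.0/16", "BGP", "VirtualNetworkGateway"),  # on-premises, learned via gateway
    ("192.168.50.0/24", "UDR", "VirtualAppliance"),      # more specific than the BGP route
]


def effective_route(routes, dest_ip):
    """Return the (prefix, source, next_hop) tuple used for dest_ip, or None."""
    ip = ipaddress.ip_address(dest_ip)
    matches = [r for r in routes if ip in ipaddress.ip_network(r[0])]
    if not matches:
        return None
    # Longest prefix wins; the source type only breaks ties between equal prefixes.
    return min(
        matches,
        key=lambda r: (-ipaddress.ip_network(r[0]).prefixlen, SOURCE_RANK[r[1]]),
    )


if __name__ == "__main__":
    for dest in ("203.0.113.10", "10.0.2.5", "192.168.1.1", "192.168.50.9"):
        print(dest, "->", effective_route(ROUTES, dest))
```

The 0.0.0.0/0 UDR replaces the system Internet route, but traffic to 10.0.2.5 still follows the more specific VNet-local system route, so a default-route UDR alone does not send intra-VNet traffic through the firewall.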

5️⃣ Public vs Private Connectivity

  • Azure VNets live in the private zone.

To enable public connectivity:

  • Associate Public IP to NIC
  • Use Load Balancer
  • Use Application Gateway

Public IP types:

  • Basic (less secure)
  • Standard (secure by default)

Private connectivity includes:

  • VNet peering
  • VPN
  • ExpressRoute

6️⃣ VNet Peering

  • Azure VNet Peering
  • Allows private connectivity between VNets.

Key properties:

  • ✔ Non-overlapping IP ranges required
  • ✔ Private IP communication
  • ✔ Low latency
  • ✔ Cross-region supported
  • ✔ Cross-subscription supported
  • ❌ Not transitive
  • ❌ Not encrypted by default

Important exam concept: Hub-and-spoke requires explicit peering between spokes if direct communication is needed.
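
Added example (not part of the original notes): a pre-deployment check for the two peering properties that most often break a design, overlapping address spaces and the lack of transitivity. The VNet names, address spaces and required flows are constructed sample data.

```python
import ipaddress
from itertools import combinations

# Constructed hub-and-spoke layout: name -> address spaces.
VNETS = {
    "hub": ["10.0.0.0/16"],
    "spoke1": ["10.1.0.0/16"],
    "spoke2": ["10.2.0.0/16"],
    "legacy": ["10.1.128.0/17", "172.16.0.0/24"],
}
PEERINGS = [("hub", "spoke1"), ("hub", "spoke2")]
FLOWS = [("spoke1", "hub"), ("spoke1", "spoke2")]  # traffic the design requires


def overlapping(vnets):
    """Return name pairs whose address spaces overlap and so cannot be peered."""
    nets = {n: [ipaddress.ip_network(c) for c in cidrs] for n, cidrs in vnets.items()}
    return [
        (a, b)
        for a, b in combinations(sorted(nets), 2)
        if any(x.overlaps(y) for x in nets[a] for y in nets[b])
    ]


def can_talk(peerings, a, b):
    """Peering is not transitive: only a direct peering link connects two VNets."""
    return frozenset((a, b)) in {frozenset(p) for p in peerings}


def blocked_flows(peerings, flows):
    """Required flows that have no direct peering behind them."""
    return [f for f in flows if not can_talk(peerings, *f)]


if __name__ == "__main__":
    print("overlaps:", overlapping(VNETS))
    print("blocked :", blocked_flows(PEERINGS, FLOWS))
```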

7️⃣ Hybrid Connectivity

Options:

VPN Gateway

Encrypted IPsec tunnel.

ExpressRoute

  • Private dedicated circuit.

8️⃣ Network Security Groups (NSGs)

  • Azure Network Security Group
  • Layer 4 stateful firewall.

Can be applied at:

  • Subnet level
  • NIC level

Key facts:

  • ✔ Controls inbound/outbound traffic
  • ✔ Uses priority numbers (lower wins)
  • ✔ Stateful (return traffic auto-allowed)
  • ✔ Default rules exist (65000+ range)
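
Added example (not part of the original notes): a model of inbound NSG evaluation showing first match by ascending priority, the default rules in the 65000+ range, and what happens when NSGs sit at both subnet and NIC level. Assumptions: rule names other than the defaults are hypothetical, the VirtualNetwork service tag is modelled as 10.0.0.0/16, and the subnet-then-NIC order for inbound traffic goes beyond what the notes state.

```python
import ipaddress

# Default inbound rules every NSG carries. Service tags are modelled as CIDRs;
# the 65001 AllowAzureLoadBalancerInBound rule is left out of this model.
DEFAULTS = [
    (65000, "AllowVnetInBound", "10.0.0.0/16", "*", "Allow"),
    (65500, "DenyAllInBound", "0.0.0.0/0", "*", "Deny"),
]

# Constructed custom rules: (priority, name, source CIDR, destination port, action).
SUBNET_NSG = [
    (100, "AllowHttpsFromInternet", "0.0.0.0/0", 443, "Allow"),
    (200, "DenySshFromVnet", "10.0.0.0/16", 22, "Deny"),
]
NIC_NSG = [(100, "AllowHttps", "0.0.0.0/0", 443, "Allow")]


def evaluate(rules, src_ip, dst_port):
    """Return (action, rule_name) of the first match in ascending priority."""
    src = ipaddress.ip_address(src_ip)
    for _prio, name, cidr, port, action in sorted(rules + DEFAULTS):
        if src in ipaddress.ip_network(cidr) and port in ("*", dst_port):
            return action, name
    raise AssertionError("unreachable: DenyAllInBound matches everything")


def inbound_allowed(subnet_nsg, nic_nsg, src_ip, dst_port):
    """Inbound traffic passes the subnet NSG, then the NIC NSG; both must allow.

    An empty list means an NSG with no custom rules, not a missing NSG.
    """
    return all(
        evaluate(nsg, src_ip, dst_port)[0] == "Allow" for nsg in (subnet_nsg, nic_nsg)
    )


if __name__ == "__main__":
    print(evaluate(SUBNET_NSG, "10.0.1.4", 22))
    print(inbound_allowed(SUBNET_NSG, [], "203.0.113.7", 443))
    print(inbound_allowed(SUBNET_NSG, NIC_NSG, "203.0.113.7", 443))
```

An allow rule on the subnet NSG is not enough on its own: a NIC-level NSG with no matching allow still drops Internet traffic at its DenyAllInBound default.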

9️⃣ Application Security Groups (ASGs)

  • Azure Application Security Group
  • Logical grouping of NICs.

Used inside NSG rules as:

  • Source
  • Destination

Benefits:

  • Application-tier-based filtering
  • Easier scaling
  • Dynamic membership

🔟 Troubleshooting Tools

  • Azure Network Watcher

Tools include:

  • IP Flow Verify
  • Next Hop
  • NSG Diagnostics
  • Connection Troubleshoot
  • Packet Capture
  • VPN Troubleshoot

Connection Troubleshoot is the most powerful combined tool.

11️⃣ Important Design Principles for Exam

When designing a VNet:

  • ✔ Avoid IP overlap
  • ✔ Plan future growth
  • ✔ Separate tiers into subnets
  • ✔ Use NSGs for segmentation
  • ✔ Use UDRs carefully
  • ✔ Understand route precedence
  • ✔ Know peering limitations
  • ✔ Understand public vs private zone concept

12️⃣ Exam Pitfalls to Watch

  • 🚩 NSGs are stateless → False (they are stateful)
  • 🚩 VNet peering is transitive → False
  • 🚩 Peering traffic encrypted automatically → False
  • 🚩 System routes can be deleted → False
  • 🚩 UDR overrides system route → True
  • 🚩 DHCP can be disabled → False
  • 🚩 One Network Watcher per region → True

13️⃣ Conceptual Architecture Stack (Mental Model)

Think in layers:

  • IP Addressing
  • Subnet segmentation
  • Routing (system, UDR, BGP)
  • Security (NSG)
  • Application grouping (ASG)
  • Connectivity (Peering / VPN / ExpressRoute)
  • Troubleshooting (Network Watcher)

If something breaks, check in this order.

14️⃣ Final Revision Checklist

Before exam, make sure you understand:

  • ✔ VNet design process
  • ✔ Subnet sizing
  • ✔ CIDR calculations
  • ✔ Route precedence
  • ✔ NSG rule evaluation
  • ✔ Public IP behavior
  • ✔ Peering limitations
  • ✔ Hybrid connectivity basics
  • ✔ Network Watcher usage
