Managing Public and Private Connectivity

This lesson explains how Azure Virtual Networks handle public and private connectivity, focusing on:

• IP addressing
• Network Interface (NIC) components
• Public IP configuration
• Network Security Groups (NSGs)

Core services involved:

• Azure Virtual Network
• Azure Virtual Machines
• Azure Public IP Address
• Azure Network Security Group

1️⃣ Understanding Public vs Private Zones#

Azure networking operates in two logical spaces:

🔒 Private Zone#

• Virtual Networks (VNets)
• Subnets
• Private IP addresses
• VM-to-VM communication
• Hybrid connectivity (VPN/ExpressRoute)

🌐 Public Zone#

• Internet
• Public IP addresses
• Public endpoints of PaaS services

2️⃣ How Public Connectivity Works#

To expose a VM publicly:

• Assign a Public IP resource
• Associate it with VM’s NIC
• Configure NSG to allow inbound traffic

Traffic Flow:

• Internet → Public IP → NAT → Private IP → VM
• Public connectivity always involves Network Address Translation (NAT).

3️⃣ How Private Connectivity Works#

Private connectivity:

• Uses private IP addresses
• Stays within VNet
• Works across peered VNets
• Works across hybrid (VPN/ExpressRoute)

Example:

• VM1 (172.16.0.4) → VM2 (172.16.0.5)
• No public IP required.

4️⃣ Network Interface Card (NIC) Components#

Each VM has a NIC with:

✔ IP Configuration#

Private IP (dynamic or static)

Optional Public IP association

✔ Subnet Association#

Determines IP allocation range

✔ DNS Settings#

Inherit from VNet

Or use custom DNS

✔ NSG Association#

Controls inbound/outbound traffic

5️⃣ Private IP Configuration#

Private IP:

• Assigned via Azure-managed DHCP
• Can be dynamic (default)
• Can be set to static
• Important: Azure reserves 5 IPs per subnet.

6️⃣ Public IP Configuration#

Public IP resource options:

SKU Types#

Standard SKU:

• Requires NSG rule to allow traffic
• More secure

7️⃣ Demonstration Summary#

Steps performed:

• Created Standard Public IP
• Associated it to VM NIC
• Attempted SSH → Failed (secure by default)
• Created Network Security Group
• Added inbound SSH rule
• Successfully connected via public IP
• Used private IP to SSH into second VM

This demonstrated:

• ✔ Public connectivity via Public IP + NSG ✔ Private connectivity via Private IP

8️⃣ Network Security Groups (NSGs)#

NSGs are:

• Stateful Layer 4 firewalls

Can attach to:

• Subnet
• NIC

Rule example:

• Allow SSH (Port 22)
• Source: Any
• Destination: Any
• Action: Allow
• Without NSG rule: Standard Public IP will block traffic.

9️⃣ Public IP Security Behavior#

Standard Public IP:

• ✔ Closed by default ✔ Requires explicit NSG allow rule

Basic Public IP:

• ⚠ More permissive ⚠ Not recommended for production

🔟 Jump Box Pattern (What Demo Showed)#

• Public connectivity used only for VM1.

Then:

• VM1 (Public Access)
• → SSH
• → VM2 (Private IP)
• This is traditional “jump host” model.

More secure alternative:

• Use Azure Bastion instead.

11️⃣ Key Exam Concepts (AZ-104 / AZ-700)#

🔹 Standard Public IP requires NSG rule 🔹 Public IP is separate resource 🔹 Public IP performs NAT 🔹 Private connectivity requires no public IP 🔹 NSG can be applied to NIC or subnet 🔹 Private IP assigned from subnet range

12️⃣ Connectivity Models Compared#

13️⃣ Design Best Practices#

✔ Avoid assigning public IPs directly to VMs ✔ Use Standard SKU public IPs ✔ Use NSGs for granular control ✔ Prefer Bastion for admin access ✔ Segment workloads into subnets ✔ Use private connectivity whenever possible

14️⃣ Troubleshooting Checklist#

If SSH fails:

• Check Public IP associated?
• Confirm NSG rule exists?
• Confirm correct port?
• Verify VM running?
• Check effective security rules?

If private connectivity fails:

• Confirm both VMs in same VNet?
• Check NSGs blocking traffic?
• Verify correct private IP?

15️⃣ Reference Documentation#

• Azure Virtual Network
• Public IP Addresses
• Network Security Groups
• Azure VM Networking
• Effective Security Rules

Final Conceptual Summary#

Public Connectivity:

• Uses Public IP
• Requires NSG allow rule
• Involves NAT

Private Connectivity:

• Uses private IP
• Stays inside VNet
• Secure by default

Managing connectivity requires understanding:

• NIC configuration
• Public IP association
• NSG rules
• Subnet design

If you'd like, I can now create:

• 🧠 30 scenario-based exam questions
• 📊 Public vs Private connectivity comparison sheet
• 🏗 Secure enterprise VNet design example
• 📄 One-page networking cheat sheet
• Tell me your target certification (AZ-104, AZ-700, AZ-305?).