LetsDevops: Azure VNet Turorial for Beginner's


In this article we will understand the basic of Azure VNet. What is the purpose and why do we need it.


Before diving into the core concept first lets try to understand what are the different connectivity we use during work, also how differently our application/resources connect to each other for secure communication.

1. Working from Home to connect Office Network.

2. Connecting to Azure Resources

3. Azure Resources communication to each Other.

4. Connecting on-premise private Network to Cloud Network

5. Connecting to On Premise Network and then Azure Network

6. Azure Service Communication to the Internet

Azure VNet

Azure VNet provides option to create private network which further helps to establish secure communication from any Azure Resource to Internet, on premise Network and between different Azure Resource.

Communication Types

1. Communication with Internet

  • By default all the resource under the VNet can Outbound to the Internet but no inbound access to the Azure Resource. Outbound meaning the Azure Resource can send the Request to the Internet and get the response.

  • You can inbound to the Azure Resource after assigning the Public IP or Configuring the Load Balancer. Inbound access meaning the Azure resource can accept the request and send the Response from Internet.

  • Further with the help of VNet we can control all the request coming or outgoing with Azure Resources.

Options to enable the Azure Resource communication to Internet

  1. Load Balancer

  2. Public IP Address

2. Azure Resources Communication to each other

If you are working with Azure Resources then it might be required that azure resources will be communicating to each other. Now lets discuss what are the different option we have to achieve the communication between azure resources.

2.1 Communicate through Virtual network

If we want azure resources to communication to each other. We can deploy and create Azure resources under the single Virtual Network which enable the communication within the azure resources.

We have list of Azure services can be deployed under the Virtual Network. AzureResourcesList

2.2 Through a Virtual Network Service Endpoint

Assume we have Azure Services like Azure Database, Azure Storage Account and we do not want to expose them over the Internet. In this case how we can secure communication.

Service Endpoint allow the communication to the Azure service resources privately through Virtual Network.

Service Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.

2.3 VNet Peering

Assume if you have Azure resources created under the different VNet and you want to enable the communication between azure resources which exist in the different VNet. In this case with the help of VNet peering we can enable the communication.

3. How to Communicate with on-premises resources

This is common for every working professional where at some point you might need to connect to your On Premise Network. Sometime we need to connect to Azure Network from our system/on premise Network.

Now Lets discuss the different option available to achieve this.

3.1 Point to Site Virtual Private Network (VPN)

This is very common for every working professional. When we try to access on premise Virtual Machine/ Application, in that case either computer should be in office network or connect to VPN.

Point to Site Virtual Private Network helps to establish connection between Virtual Network and single computer. The communication between your computer and a virtual network is sent through an encrypted tunnel over the internet.

3.2 Site-to-site VPN

Assume if you want to enable the communication with on premise network to Virtual Network then we use Site-to-Site VPN. This communication established through the on-premises VPN device and an Azure VPN Gateway that is deployed in a virtual network.

The communication between your on-premises VPN device and an Azure VPN gateway is sent through an encrypted tunnel over the internet.

3.3 Azure ExpressRoute

Since the other options are available where communication happening over the internet. Assume you want to make the private communication from on premise network to Azure. In this case we have ExpressRoute Option.

ExpressRoute helps to create private connection which further Establish communication between your network and Azure.

Filter network traffic

This option helps to filter the network traffic between subnets. To achieve this we have two option.

Network security groups:

NSG helps to apply traffic filter for all the incoming and outgoing traffic using the Inbound and Outbound security rule, with the help of source and destination IP address, port, and protocol.

Network Virtual Appliance:

Network Virtual Appliance is VM that perform a network function such as Firewall, inbound outbound rule.

Route network traffic

By Default Azure can route the traffic to subnets, connected network, on premise and on internet.

Now lets discuss how we can override the default and create custom Route which further can help to route the traffic.

We have below to options to route the traffic.

1. Route tables:

Azure provide option to write custom route table for incoming traffic and through which traffic will be routed to for each subnet. More Info: route tables.

2. Border gateway protocol (BGP) routes:

We can implement BGP route through the Azure VPN Gateway or ExpressRoute.

If you connect your virtual network to your on-premises network using an Azure VPN Gateway or ExpressRoute connection, you can propagate your on-premises BGP routes to your virtual networks.

Virtual network integration for Azure services

We can integrate our azure services with Virtual Network which further enable the private access to azure service from the Virtual machine or compute resources in the virtual Network.

1. Deploy the azure services under the Virtual Network which will have private access within the VNet or On-premise Network.

2. We can also create private link to access privately a specific instance of the service from your virtual network and from on-premises networks.

3. You can also access the service using public endpoints by extending a virtual network to the service, through service endpoints. Service endpoints allow service resources to be secured to the virtual network.