Create and configure virtual networks and subnets

Configure and manage virtual networks in Azure

📘Microsoft Certified: Azure Administrator Associate (AZ-104)

Azure Virtual Networks (VNets) are the foundation of networking in Azure. Almost every Azure service you deploy—virtual machines, containers, databases, and application services—relies on VNets to communicate securely.

Understanding how to create and configure VNets and subnets is essential for the AZ-104 exam and for real-world Azure administration.

1. What Is an Azure Virtual Network (VNet)?

A Virtual Network (VNet) is a private, isolated network inside Azure.
It works like a network you would normally build inside a company’s datacenter, but it is hosted in Azure.

A VNet allows:

  • Communication between Azure resources (VMs, App Services, Containers)
  • Communication with on-premises networks
  • Communication to the internet (if allowed)
  • Network isolation and segmentation for security

VNets use private IP addresses based on RFC 1918 ranges:

  • 10.0.0.0 – 10.255.255.255 (10/8 prefix)
  • 172.16.0.0 – 172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0 – 192.168.255.255 (192.168/16 prefix)

2. Key VNet Components You Must Know for AZ-104

Address Space

  • Defines the IP address range for your VNet (e.g., 10.0.0.0/16).
  • You can add multiple address spaces if needed.
  • Ensure address ranges do NOT overlap with:
    • Your on-premises network
    • Other connected VNets

Subnets

  • Subnets divide a VNet into smaller sections.
  • Each subnet has its own IP range (e.g., 10.0.1.0/24).
  • Each subnet can be assigned different:
    • Network security rules
    • Route tables
    • Network functions

IP Types

  • Private IP – Used inside VNets
  • Public IP – Allows external access (e.g., to a VM or load balancer)

3. How to Create a Virtual Network

You can create VNets using:

  • Azure Portal
  • Azure CLI
  • Azure PowerShell
  • ARM/Bicep templates

Below is the Portal method (most exam-relevant).

Steps to Create a Virtual Network (Azure Portal)

  1. Go to Azure Portal
  2. Search for Virtual Networks
  3. Click Create
  4. Fill basic details:
    • Subscription
    • Resource group
    • Name (e.g., “Prod-VNet”)
    • Region (must match region of resources)
  5. IP Addressing tab
    • Define Address Space (e.g., 10.0.0.0/16)
    • Add starter Subnets (you can add more later)
  6. Review + Create

4. Plan and Configure Subnets

Subnets allow you to separate workloads inside the VNet.
For example:

  • A subnet for web servers
  • A subnet for application servers
  • A subnet for databases
  • A subnet dedicated to Azure firewall or NVA
  • A subnet for private endpoints

Subnet Configuration Options

1. Subnet Address Range

Example:

  • VNet: 10.0.0.0/16
  • Subnet1: 10.0.1.0/24
  • Subnet2: 10.0.2.0/24
  • Subnet3: 10.0.3.0/24

A subnet must be at least /29 in size.

Azure reserves 5 IP addresses in every subnet:

  • x.x.x.0 → network address
  • x.x.x.1 → Azure reserved
  • x.x.x.2 → Azure reserved
  • x.x.x.3 → Azure reserved
  • x.x.x.255 → broadcast (last IP)

2. Subnet Delegation

Allows a subnet to be dedicated to specific Azure services such as:

  • Azure Web Apps (ASE)
  • Azure Container Instances
  • Azure Batch
  • Azure SQL Managed Instance

This is critical for secure deployments.

3. Network Security Group (NSG)

You can apply NSGs to subnets to control inbound/outbound network traffic.

Example:
Only allow RDP/SSH from management subnet.

4. Route Table (UDR)

You can associate custom routes with a subnet to control traffic flow.

Example:
Send all outbound traffic to a firewall.

5. Service Endpoints

Used to restrict access to Azure services such as:

  • Azure Storage
  • Azure SQL
  • Cosmos DB

Only traffic from your VNet is allowed.

6. Private Endpoints

Provides private IP connectivity to Azure PaaS services.

Used for highly secure environments.

7. NAT Gateway

Provides outbound internet access with a stable public IP for resources inside a specific subnet.

5. Create a Subnet (Azure Portal)

  1. Go to your Virtual Network
  2. Select Subnets
  3. Click + Subnet
  4. Provide:
    • Subnet name (e.g., AppSubnet)
    • Subnet address range (e.g., 10.0.2.0/24)
    • Optional:
      • NSG
      • Route Table
      • Delegation
      • Service Endpoints
      • NAT Gateway
  5. Save

6. Important IP Addressing Guidelines for the Exam

Non-overlapping IP ranges

When connecting:

  • VNet-to-VNet peering
  • VPN gateway to on-prem network

Your address spaces must not overlap.

Subnets must be large enough

Plan capacity for:

  • VM count
  • Private endpoints
  • Azure services requiring dedicated subnets

Gateway Subnet

When using VPN/ExpressRoute, you must create a GatewaySubnet with at least /27 recommended.

7. VNet Peering – Why It’s Relevant Here

Even though peering is a separate topic, it is tied closely to VNet creation.

VNet peering allows:

  • Traffic between VNets
  • High-speed, low-latency connectivity
  • Keeping traffic entirely on Azure backbone (secure, not over the internet)

Rules:

  • Address spaces cannot overlap
  • Peering must be enabled from both VNets

8. Tools to Verify VNet and Subnet Configuration

IP Address usage:

Check available IP in subnet.

Effective routes:

Shows final route table applied to a NIC.

Effective security rules:

Shows NSG rules applied.

These help greatly during troubleshooting.

9. Common Real-World IT Scenarios

Here are IT-focused examples (not analogies):

Scenario 1: Isolating workloads

A company deploys:

  • Web servers in WebSubnet
  • App servers in AppSubnet
  • Databases in DBSubnet

Each subnet has different security rules.

Scenario 2: Forcing all traffic through a firewall

A custom route in every subnet points internet traffic to a firewall subnet.

Scenario 3: Secure access to Azure Storage

A subnet uses Service Endpoints so only VNet traffic can access Storage Accounts.

Scenario 4: Hybrid network

On-prem datacenter connected through VPN Gateway, requiring proper IP planning.

10. What You MUST Know for the AZ-104 Exam

✔ What a VNet is and why it’s used
✔ How to create a VNet through portal, CLI, and PowerShell
✔ Address space planning and CIDR notation
✔ How subnets are created and configured
✔ IP address reservation rules
✔ Subnet delegation
✔ Service Endpoints vs Private Endpoints
✔ Associating NSGs and Route Tables
✔ NAT Gateway usage
✔ Requirements for gateway subnet
✔ Rules for VNet peering
✔ Overlapping address space issues

Conclusion

Creating and configuring VNets and subnets is one of the most fundamental skills in Azure networking.
For the AZ-104 exam, you must clearly understand:

  • How to design VNet address spaces
  • How to segment networks using subnets
  • How to secure, route, and manage traffic
  • How VNets integrate with other Azure services

With this knowledge, you will be able to deploy secure, scalable, and well-structured network environments in Azure.

Leave a Reply

Your email address will not be published. Required fields are marked *

Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by