Azure Virtual Networks

Natasha Ong
4 min read

In a nutshell:

Azure virtual networks are like digital city roads, facilitating communication, isolation, and segmentation for resources.
They enable internet access with public IP addresses and provide security through network security groups.
Custom paths with route tables and network peering optimise data flow between resources and networks.

Azure virtual networks let Azure resources, such as VMs, web apps, and databases, communicate with each other, with users on the internet, and even with your on-premises client computers.

Here are the key words to know:

  • Virtual networks are like the pathways in a city. They create the main routes for your digital stuff to move around, just as roads help you get from one place to another in a city.
  • Virtual subnets are like smaller communities or neighbourhoods within the city. They divide the city into organised sections, like different suburbs. These subnets help you keep your digital things in order, making sure they're well-arranged and safe.
  • IP addresses act like unique house numbers in a city. Just as each house has its specific number, every device that connects to the internet has its own special address. This means computers, smartphones, servers, routers, truly anything that connects to the internet, has an IP address. These addresses help data find its way to the right place, although they might not make sense to us. IP addresses look like this: "192.168.1.1".
  • Service endpoints are addresses where online services (e.g. websites, databases, or applications) can be accessed on a network or the internet. Service endpoints are split into two types:
      • Private endpoints play a crucial role in connecting and controlling the traffic within a specific virtual subnet. They allow data to flow in and out of that subnet, keeping the communication secure within that local neighbourhood. Private endpoints exist within a virtual network and have a private IP address from within the address space of that virtual network.
      • Public endpoints work at the broader virtual-network level, regulating the flow of data into and out of the entire network. This matters when you want to manage how your virtual network communicates with the outside world, such as the internet. Public endpoints have a public IP address and can be accessed from anywhere in the world.
  • Network traffic is like cars travelling on the road. It means the data flowing through the virtual network that enables digital stuff to travel from one place to another within a network. Just as roads can get busy with cars, network traffic can vary in volume at different times.

What you can do with Azure Virtual Networks

1. Isolation and segmentation

Within a city, suburbs are connected by roads and streets, but they are also separated by boundaries to maintain order and grouping. In the same way, virtual networks in Azure help connect your digital resources while creating isolated areas to keep things organised and secure.

When you set up a virtual network, you define a range of private IP addresses (called an IP address space). That range exists only within the virtual network and isn't reachable from the internet. You divide the range into subnets to create those boundaries.
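As an added example (not from the original post), here is a small planner that carves an address space into subnets the way the paragraph describes, and checks the things that go wrong in practice: the range must be private, subnets must be aligned and must not overlap or run past the address space, and Azure keeps five addresses per subnet for itself. The tier names and the 10.1.0.0/16 range are a constructed sample.

```python
import ipaddress

# Azure reserves the first four addresses and the last address of every subnet
# (network address, default gateway, two Azure DNS mappings, broadcast),
# and the smallest subnet it accepts is a /29.
AZURE_RESERVED_PER_SUBNET = 5
AZURE_SMALLEST_PREFIX = 29

def plan_vnet(address_space, subnet_sizes):
    """Carve a private address space into non-overlapping, correctly aligned subnets.

    address_space: CIDR string such as "10.1.0.0/16"
    subnet_sizes:  ordered {subnet_name: prefix_length}
    Returns {subnet_name: (IPv4Network, usable_host_count)} or raises ValueError.
    """
    space = ipaddress.ip_network(address_space, strict=True)
    if not space.is_private:  # this planner only accepts private (RFC 1918 style) ranges
        raise ValueError(f"{space} is not a private address range")
    plan, cursor = {}, int(space.network_address)
    for name, prefix in subnet_sizes.items():
        if prefix > AZURE_SMALLEST_PREFIX:
            raise ValueError(f"{name}: /{prefix} is smaller than the /29 minimum")
        block = 2 ** (space.max_prefixlen - prefix)
        start = -(-cursor // block) * block      # round up to the next aligned boundary
        subnet = ipaddress.ip_network((start, prefix), strict=True)
        if not subnet.subnet_of(space):
            raise ValueError(f"{name}: {subnet} does not fit inside {space}")
        for other_name, (other, _) in plan.items():  # defensive: prove the layout is disjoint
            if subnet.overlaps(other):
                raise ValueError(f"{name} overlaps {other_name}")
        plan[name] = (subnet, subnet.num_addresses - AZURE_RESERVED_PER_SUBNET)
        cursor = start + block
    return plan

if __name__ == "__main__":
    # Constructed sample: three tiers plus the GatewaySubnet a VPN gateway requires.
    for name, (net, usable) in plan_vnet(
            "10.1.0.0/16", {"web": 24, "app": 24, "db": 26, "GatewaySubnet": 27}).items():
        print(f"{name:14} {str(net):18} usable addresses: {usable}")
```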

2. Internet communications

To enable Azure resources to get information from the outside world (the internet), they are assigned public IP addresses. Resources can also receive information from the internet if you put them behind a public load balancer*.

A public load balancer is used to distribute internet traffic to resources accessible from the internet. In comparison, private load balancers are used within a network to distribute traffic among internal resources that aren't directly accessible from the internet.

3. Communicate between Azure resources

You'll want to enable Azure resources to communicate securely with each other. You can do that in one of two ways:

  • Virtual networks can connect not only VMs but also other Azure resources, such as the App Service Environment for Power Apps, Azure Kubernetes Service, and Azure virtual machine scale sets.
  • Service endpoints can connect to other Azure resource types, such as Azure SQL databases and storage accounts. This approach enables you to link multiple Azure resources to virtual networks to improve security and provide optimal routing between resources.

4. Communicate with on-premises resources

Azure virtual networks enable you to link resources together in your on-premises environment and within your Azure subscription. In effect, you can create a network that spans both your local and cloud environments.

There are three ways to make this connection:

  1. Point-to-site VPN*: connects a computer outside your organisation to your Azure virtual network.
  2. Site-to-site VPN*: connects your entire on-premises network with your Azure virtual network. This means resources you've created in Azure can appear as if they were on the local network.
  3. Azure ExpressRoute: a private connection to Azure that doesn't travel over the internet, useful when you need a high level of security and have a LOT of data to send quickly and efficiently.

*VPN = virtual private network. We'll talk more about them very soon! For now, think of VPNs as a way to communicate securely over the public internet by encrypting data.

5. Route network traffic

Think of Azure as a traffic controller directing the flow of data, like a GPS! By default, Azure routes traffic between subnets on any connected virtual networks, on-premises networks, and the internet.

You can customise these paths using special route tables, which let you define rules about how traffic should be directed between subnets. Border Gateway Protocol (BGP), which is THE traffic director of the internet, collaborates with Azure services to share the best data routes from your on-premises network to your Azure virtual networks. This helps your data find the fastest paths to move between your office and the Azure cloud, making sure things run smoothly.

6. Filter network traffic

Azure virtual networks let you set up security checkpoints to control who gets access to different neighbourhoods of your city. These checkpoints, known as network security groups, decide who's allowed in and who gets turned away.
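To show how those checkpoints actually decide, here is an added example (not part of the original post) that evaluates inbound traffic against a network security group the way Azure does: rules are checked from the lowest priority number upwards and the first match wins, with the default rules Azure adds to every NSG sitting at the end. The web-subnet rules and the source addresses are a constructed sample, and the service tags are approximated (the real ones are Azure-maintained prefix lists).

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int    # custom rules use 100-4096; the lowest number is checked first
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp", "Icmp" or "*"
    source: str      # CIDR, "*" or a service tag ("Internet", "VirtualNetwork", ...)
    dest_port: str   # single port, "lo-hi" range, or "*"

# Default inbound rules Azure attaches to every NSG. They cannot be deleted,
# only overridden by a custom rule with a lower priority number.
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    NsgRule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# Constructed sample: a web subnet that should expose only HTTPS to the internet
# and accept SSH only from a bastion subnet inside the virtual network.
SAMPLE_RULES = [
    NsgRule("AllowHttpsFromInternet", 100, "Allow", "Tcp", "Internet", "443"),
    NsgRule("AllowSshFromBastion", 110, "Allow", "Tcp", "10.1.100.0/26", "22"),
]

def _source_matches(rule_source, src, vnet):
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return src in vnet
    if rule_source == "AzureLoadBalancer":
        return src == ipaddress.ip_address("168.63.129.16")  # Azure health-probe source
    if rule_source == "Internet":
        return src not in vnet and src.is_global
    return src in ipaddress.ip_network(rule_source, strict=False)

def _port_matches(rule_port, port):
    if rule_port == "*":
        return True
    lo, _, hi = rule_port.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate_inbound(rules, vnet_cidr, src_ip, protocol, port):
    """Return (access, rule_name) for one inbound flow: ascending priority, first match wins."""
    vnet, src = ipaddress.ip_network(vnet_cidr), ipaddress.ip_address(src_ip)
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (rule.protocol in ("*", protocol) and _port_matches(rule.dest_port, port)
                and _source_matches(rule.source, src, vnet)):
            return rule.access, rule.name
```

Note that a flow from anywhere inside the virtual network is allowed by the 65000 default rule unless a custom rule denies it first, which is why subnet-to-subnet traffic needs its own rules rather than relying on the defaults.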

Network virtual appliances are like special workers in your digital city, focusing on specific tasks like guarding the entrances (firewall) and boosting traffic flow (WAN optimisation*) in your city's roads. They ensure safety and efficiency within the city.

*Wide Area Network (WAN) optimisation is like a set of techniques for making your data travel faster and more efficiently across long distances, especially when it needs to cross the internet or connect remote locations.

7. Connect virtual networks

With virtual network peering, two virtual networks can form direct connections (like secret tunnels!), exchanging precious information without entering the public internet. This enables resources in each virtual network to communicate, even if they're in separate regions.

User-Defined Routes (UDR) are like personalised routes you give to data traffic for specific subnets or even different virtual networks. While routing tables are more general and apply to the entire network (e.g. city-wide maps), UDR offers a way to have more precise control over movement in specific parts of the network. It's like having city-wide directions (routing tables) versus custom directions you give to a delivery person for a particular neighbourhood (UDR).
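As an added example covering both the route-table discussion in section 5 and the UDR comparison above (not code from the original post), this picks the effective route for a destination the way Azure does: the longest matching prefix wins, and when prefixes are equally long a user-defined route beats a BGP route, which beats a system route. The route table is a constructed sample; the special preference Azure gives its own virtual-network, peering and service-endpoint prefixes is left out for brevity.

```python
import ipaddress
from dataclasses import dataclass

# Azure's order of preference when several routes share the same prefix length.
SOURCE_PREFERENCE = {"UserDefined": 0, "BGP": 1, "System": 2}

@dataclass(frozen=True)
class Route:
    prefix: str      # destination CIDR
    next_hop: str    # "VirtualNetwork", "Internet", "VirtualAppliance", "None", ...
    source: str      # "System", "BGP" or "UserDefined"

# Constructed sample: the system routes a subnet in a 10.1.0.0/16 virtual network
# gets by default, a UDR forcing internet-bound traffic through a firewall
# appliance, and a BGP route learned for the on-premises network.
SAMPLE_ROUTES = [
    Route("10.1.0.0/16", "VirtualNetwork", "System"),
    Route("0.0.0.0/0", "Internet", "System"),
    Route("10.0.0.0/8", "None", "System"),      # unknown private space is dropped
    Route("0.0.0.0/0", "VirtualAppliance", "UserDefined"),
    Route("10.200.0.0/16", "VirtualNetworkGateway", "BGP"),
]

def select_route(routes, destination):
    """Return the effective Route for a destination address, or None if nothing matches."""
    dest = ipaddress.ip_address(destination)
    candidates = [r for r in routes
                  if dest in ipaddress.ip_network(r.prefix, strict=False)]
    if not candidates:
        return None
    # Longest prefix first; for equal prefixes, the lowest preference number wins.
    return max(candidates, key=lambda r: (
        ipaddress.ip_network(r.prefix, strict=False).prefixlen,
        -SOURCE_PREFERENCE[r.source]))

if __name__ == "__main__":
    for dest in ("10.1.5.5", "20.30.40.50", "10.200.1.1", "10.50.1.1"):
        r = select_route(SAMPLE_ROUTES, dest)
        print(f"{dest:14} -> {r.prefix:16} next hop {r.next_hop} ({r.source})")
```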