AZ-104 Networking Basics: Master Azure VNets, Subnets, NSGs, and VNet Peering
Study Guide: Azure Virtual Network (VNet) for AZ-104
1) What a VNet is
An Azure Virtual Network (VNet) is the foundational networking container in Azure. It provides a private IP space where Azure resources (VMs, services, etc.) can communicate securely with:
- Other resources inside the VNet
- The internet (when you allow/need it)
- On-premises networks (via VPN or ExpressRoute)
- Other VNets (via VNet peering)
Think: VNet = your private network boundary in Azure, similar to a LAN/VLAN concept, but cloud-native.
2) Benefits of a VNet (what you gain)
Key benefits you should be able to explain in exam language:
- Isolation: Your resources live in a logically isolated network space.
- Connectivity: You can connect to internet, on-prem, or other VNets.
- Segmentation: Use subnets to separate tiers (front-end, back-end, management).
- Security control: Use NSGs to allow/deny traffic at subnet/NIC.
- Name resolution: Resolve resources by name (Azure-provided DNS or custom DNS).
- Access to resources within VNet: Private communication between VMs/services.
3) Core components you must know
A) IP Addressing (CIDR)
VNets use CIDR ranges like 10.0.0.0/16.
Private IP
- Default for most Azure resources.
- Used for internal communication inside VNet and across peered VNets.
Public IP
- Optional.
- Used when something must be reachable from the internet (directly or through a load balancer/app gateway).
Exam trap (subnet IPs)
Azure reserves 5 IP addresses per subnet, so usable IPs are:
- Usable = total IPs in subnet - 5
B) Subnets
A subnet is a subcomponent of a VNet.
- All resources must be placed in a subnet (directly or indirectly through their NIC/service).
- Used to segment traffic and apply controls (NSG/UDR at subnet level).
2-tier pattern (common in exams)
- FrontEndSubnet: reachable from the internet (only the required ports)
- BackEndSubnet: not reachable from the internet; reachable only from FrontEndSubnet
C) NIC (Network Interface)
A NIC is what a VM uses to connect to the network.
- Holds the VM's private IP
- Can also be associated with a public IP (optional)
- Has "effective security rules": the combined result of the NSG applied at the NIC and the NSG applied at its subnet
D) NSG (Network Security Group)
An NSG is a stateful packet filter for:
- Inbound rules
- Outbound rules
Where NSGs can be applied
- Subnet level
- NIC level
Priority
- Lower number = higher priority: evaluated first, and the first matching rule wins (processing stops there).
Default rules
- Azure includes default rules that exist automatically (you generally do not remove them; you build rules around them).
Practical best practice
- Put "broad, tier-based" rules on the subnet
- Use NIC-level rules only when you need exceptions for a specific VM
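The evaluation order described above (lowest priority number first, first match wins, subnet NSG then NIC NSG for inbound traffic) as a small simulator. This is an added example, not code from the study guide; the built-in default rules are the real Azure names and priorities, but service-tag matching is simplified on purpose: "VirtualNetwork" is treated as any RFC 1918 address and "Internet" as anything else, and the AllowAzureLoadBalancerInBound default rule is left out. The front-end rules are the constructed Q13 scenario.

```python
# Added example (not from the study guide): simulator of NSG rule evaluation.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int     # custom rules use 100-4096; lower number is evaluated first
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # "*", "Internet", "VirtualNetwork" or a CIDR
    dest_port: str    # "*" or a port number as a string
    name: str


# Azure's default inbound rules (AllowAzureLoadBalancerInBound at 65001 omitted here).
DEFAULT_INBOUND = [
    Rule(65000, "Allow", "*", "VirtualNetwork", "*", "AllowVnetInBound"),
    Rule(65500, "Deny", "*", "*", "*", "DenyAllInBound"),
]

# Assumption for illustration: the VirtualNetwork tag is approximated by RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _source_matches(spec, src_ip):
    addr = ipaddress.ip_address(src_ip)
    in_vnet = any(addr in net for net in RFC1918)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":
        return not in_vnet
    return addr in ipaddress.ip_network(spec, strict=False)


def evaluate(custom_rules, src_ip, protocol, dest_port):
    """First match by ascending priority decides; later rules are never consulted."""
    for rule in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if rule.dest_port not in ("*", str(dest_port)):
            continue
        if not _source_matches(rule.source, src_ip):
            continue
        return rule.access, rule.name
    return "Deny", "unreachable"  # DenyAllInBound always matches, so this never runs


def effective_inbound(subnet_nsg, nic_nsg, src_ip, protocol, dest_port):
    """Inbound: the subnet NSG is checked first, then the NIC NSG; both must allow.
    None means no NSG at that scope, so nothing is filtered there (compare Q11)."""
    for scope, rules in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        if rules is None:
            continue
        access, name = evaluate(rules, src_ip, protocol, dest_port)
        if access == "Deny":
            return "Deny", f"{scope}:{name}"
    return "Allow", "no scope denied"


# Constructed Q13 scenario: allow TCP 443 from Internet at 100, deny everything at 101.
FRONTEND_RULES = [
    Rule(100, "Allow", "Tcp", "Internet", "443", "AllowHttpsFromInternet"),
    Rule(101, "Deny", "*", "*", "*", "DenyAllOtherInbound"),
]

if __name__ == "__main__":
    for src, port in (("203.0.113.10", 443), ("203.0.113.10", 80), ("10.0.2.4", 22)):
        print(src, port, effective_inbound(FRONTEND_RULES, None, src, "Tcp", port))
```

Two things the simulator makes visible that the prose only states: a NIC-level NSG with nothing but the default rules still denies internet traffic the subnet NSG allowed, because both scopes must allow; and the "deny any any at 101" from Q13 sits ahead of the default AllowVnetInBound at 65000, so it also blocks traffic from other subnets in the VNet, which is why a custom deny-all needs explicit allows for the intra-VNet flows you still want.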
4) VNet Peering (must-know fundamentals)
What it is
VNet peering connects two VNets so resources can communicate using private IPs.
Types
- Same-region peering (often just called "VNet peering")
- Cross-region peering ("Global VNet peering")
Critical rules / pre-checks
- Non-transitive by default:
  If A is peered with B and B is peered with C, that does not automatically mean A can reach C.
- Address ranges cannot overlap between peered VNets.
- If you need to add/change address space, peering may block that operation. The common fix is:
- Remove peering
- Update address space
- Re-create peering
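The three pre-checks above (no overlapping address space, non-transitive reachability, and the remove/update/re-create sequence when a peered VNet's address space has to change) as an added example that models them offline. This is not code from the study guide; the VNet names and prefixes are constructed sample data, and the "blocked while peered" behaviour is modelled exactly as the guide describes it.

```python
# Added example (not from the study guide): peering pre-checks as a small model.
import ipaddress

# Constructed sample address spaces; VNetD deliberately overlaps VNetA.
VNETS = {
    "VNetA": ["10.0.0.0/16"],
    "VNetB": ["10.1.0.0/16"],
    "VNetC": ["10.2.0.0/16"],
    "VNetD": ["10.0.128.0/17"],
}


def overlapping_prefixes(space_a, space_b):
    """Return the (prefix_a, prefix_b) pairs that overlap; empty means peering is allowed."""
    nets_a = [ipaddress.ip_network(p) for p in space_a]
    nets_b = [ipaddress.ip_network(p) for p in space_b]
    return [(str(a), str(b)) for a in nets_a for b in nets_b if a.overlaps(b)]


def can_peer(vnets, a, b):
    """Pre-check from section 4: peered VNets must not share any address range."""
    return not overlapping_prefixes(vnets[a], vnets[b])


class PeeringModel:
    def __init__(self, vnets):
        self.vnets = {name: list(space) for name, space in vnets.items()}
        self.peerings = set()   # one frozenset({a, b}) per connected peering

    def add_peering(self, a, b):
        if not can_peer(self.vnets, a, b):
            raise ValueError(f"{a} and {b} have overlapping address space")
        self.peerings.add(frozenset((a, b)))

    def remove_peering(self, a, b):
        self.peerings.discard(frozenset((a, b)))

    def is_peered(self, a, b):
        return frozenset((a, b)) in self.peerings

    def can_reach(self, a, b):
        """Non-transitive: only a direct peering counts, never an A-B-C hop."""
        return a == b or self.is_peered(a, b)

    def add_address_space(self, vnet, prefix):
        """Models the behaviour the guide describes: refused while peerings exist."""
        if any(vnet in peering for peering in self.peerings):
            raise RuntimeError(f"{vnet} has active peerings; remove them first")
        self.vnets[vnet].append(prefix)


def resize_peered_vnet(model, vnet, peer, prefix):
    """The fix from section 4: remove peering, update address space, re-create peering."""
    model.remove_peering(vnet, peer)
    model.add_address_space(vnet, prefix)
    model.add_peering(vnet, peer)


if __name__ == "__main__":
    model = PeeringModel(VNETS)
    model.add_peering("VNetA", "VNetB")
    model.add_peering("VNetB", "VNetC")
    print("A->B", model.can_reach("VNetA", "VNetB"))   # True
    print("A->C", model.can_reach("VNetA", "VNetC"))   # False: non-transitive
    print("A-D overlap", overlapping_prefixes(VNETS["VNetA"], VNETS["VNetD"]))
```

The overlap check runs every prefix of one VNet against every prefix of the other, which is what matters once a VNet has more than one address range: adding a second range to VNetA later can create an overlap with VNetB even though the original ranges were fine, so the same check belongs in the re-create step of the fix.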
5) Quick "How To" in the Azure portal (AZ-104 friendly)
Create a VNet + subnet
- Azure portal → Virtual networks → Create
- Set:
- Resource group, region
- Address space (example: 10.0.0.0/16)
- Add subnets (example):
- FrontEndSubnet: 10.0.1.0/24
- BackEndSubnet: 10.0.2.0/24
- Create
Create an NSG and associate it to a subnet
- Azure portal → Network security groups → Create
- Go to NSG → Inbound security rules → add rules (example: allow 443 to front-end)
- Go to NSG → Subnets → Associate
- Choose the VNet + subnet (example: FrontEndSubnet)
Create VNet Peering
- Azure portal → Virtual networks → select VNetA
- Peerings → Add
- Provide:
- Peering name (A-to-B)
- Select remote VNet (VNetB)
- Repeat from the VNetB side if needed (the portal often configures both sides for you when both VNets are in the same tenant)
6) Troubleshooting checklist (fast exam + real-world)
When "VM can't connect" questions show up, check in this order:
- IP addressing
- Are both resources in the expected subnets and CIDR ranges?
- NSG rules
- Inbound + outbound
- Priority and rule conflicts
- Subnet/NIC association
- NSG at subnet vs NIC (both can apply)
- Peering
- Is peering "Connected"?
- Are address spaces overlapping?
- Are you expecting transitive routing (which is not the default)?
- Effective security rules / effective routes (viewable on the NIC)
- Validate what Azure is actually applying, rather than what you think you configured
Practice Questions (with Answers and Explanations)
Q1 (MCQ)
What best describes a VNet?
A. A public network shared by all customers
B. A private network boundary in Azure for secure communication
C. A firewall that blocks all inbound traffic
D. A DNS-only service
Answer: B
Why: A VNet is the private network container that enables secure communication between resources and connectivity options.
Q2 (Short answer)
Name three benefits of using a VNet.
Answer (any 3):
- Isolation
- Connectivity (internet/on-prem/other VNets)
- Segmentation via subnets
- Security via NSGs
- Name resolution
- Private access to resources within the VNet
Q3 (MCQ)
Which options connect a VNet to on-premises?
A. VNet peering only
B. VPN or ExpressRoute
C. NAT Gateway only
D. Azure DNS only
Answer: B
Why: VPN and ExpressRoute are the standard VNet-to-on-prem connectivity methods.
Q4 (MCQ)
VNets are configured using which addressing notation?
A. MAC addressing
B. CIDR
C. VLAN tags
D. DNS suffixes
Answer: B
Q5 (MCQ)
By default, VM-to-VM communication inside a VNet uses:
A. Public IPs only
B. Private IPs
C. Loopback
D. Broadcast
Answer: B
Q6 (Short answer)
When would you assign a Public IP?
Answer: When a resource must be reachable from the internet (directly or through a public-facing design). Examples: bastion alternatives, public web endpoints, certain inbound admin scenarios (though you typically prefer secure options).
Q7 (True/False)
Every resource in a VNet must exist in a subnet.
Answer: True
Why: Subnets are where resources attach (directly or via their NIC/service).
Q8 (Scenario)
You have a 2-tier app. Internet should reach only front-end; back-end only from front-end. What VNet design do you use?
Answer: Two subnets:
- FrontEndSubnet (allow required inbound ports from internet)
- BackEndSubnet (deny internet inbound; allow only from FrontEndSubnet)
Q9 (MCQ)
A NIC is best described as:
A. A routing table
B. The network component that enables traffic flow and holds IP config
C. A subnet-only firewall
D. A DNS zone
Answer: B
Q10 (MCQ)
An NSG can be assigned at:
A. VNet only
B. Subscription only
C. Subnet or NIC
D. VM only
Answer: C
Q11 (True/False)
If there is no NSG, traffic is blocked inbound and outbound by default.
Answer: False
Why: NSGs are the main allow/deny control mechanism. Without them, you are not explicitly filtering at that layer.
Q12 (MCQ)
NSG priority works like:
A. Higher number wins
B. Lower number wins
C. Deny always overrides allow
D. Last rule evaluated wins
Answer: B
Q13 (Scenario)
Priority 100 allow TCP 443 from Internet to FrontEndSubnet, priority 101 deny any any. What happens to TCP 443 inbound?
Answer: Allowed
Why: Rule 100 is evaluated first (lower number), so it matches and allows before the deny rule is considered.
Q14 (MCQ)
Default NSG security rules:
A. Can be removed and edited freely
B. Exist by default and are treated as built-in baseline behavior
C. Do not exist
D. Only apply with ExpressRoute
Answer: B
Q15 (Short answer)
What is VNet peering?
Answer: A way to connect two VNets so resources can communicate using private IPs.
Q16 (MCQ)
VNet peering can be configured:
A. Only same region
B. Only cross-region
C. Same region and cross-region (global)
D. Only VNet-to-on-prem
Answer: C
Q17 (Scenario)
VNetA peered with VNetB, VNetB peered with VNetC. Can VNetA reach VNetC by default?
Answer: No
Why: Peering is non-transitive by default. A-to-C needs its own connectivity path/design.
Q18 (True/False)
Peered VNets can have overlapping CIDR ranges.
Answer: False
Why: Overlapping address space breaks routing and is not allowed for peering.
Q19 (Scenario)
You need to add address space to VNetA, but it's peered to VNetB and the operation is blocked. What's the fix?
Answer:
- Delete peering between VNetA and VNetB
- Add/update VNetA address space
- Recreate peering
Q20 (Calculation)
You need a subnet to host 50 VMs. What is the smallest subnet size you should use? Show calculations.
Answer: /26
Work:
- Need at least 50 usable IPs
- Azure reserves 5 IPs per subnet
- Required total IPs = 50 + 5 = 55
Now test subnet sizes:
- /27 = 32 total → usable = 32 - 5 = 27 (not enough)
- /26 = 64 total → usable = 64 - 5 = 59 (enough)
So the smallest that works is /26.
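The usable-IP arithmetic behind the "Azure reserves 5 IPs per subnet" exam trap in section 3 and the Q20 calculation, generalised to any host count and any subnet size. This is an added example, not code from the study guide; the reserved-address breakdown in the comment and the /29 minimum subnet size are Azure's documented limits, and the example host counts are constructed.

```python
# Added example (not from the study guide): subnet sizing with Azure's 5 reserved addresses.
import ipaddress

# Azure reserves the network address, the default gateway, two Azure DNS
# addresses and the broadcast address in every subnet.
AZURE_RESERVED_PER_SUBNET = 5
AZURE_MIN_PREFIX = 29   # Azure does not allow subnets smaller than /29


def usable_ips(cidr):
    """Usable addresses in an Azure subnet = total addresses - 5."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.num_addresses - AZURE_RESERVED_PER_SUBNET


def smallest_prefix_for_hosts(hosts):
    """Smallest subnet (largest prefix length) whose usable count covers `hosts`."""
    needed = hosts + AZURE_RESERVED_PER_SUBNET
    for prefix in range(AZURE_MIN_PREFIX, -1, -1):   # /29, /28, ... growing outward
        if 2 ** (32 - prefix) >= needed:
            return prefix
    raise ValueError("host count exceeds the IPv4 address space")


def sizing_table(hosts):
    """Show the work the way Q20 does: (prefix, total, usable, enough) per candidate."""
    rows = []
    for prefix in range(AZURE_MIN_PREFIX, smallest_prefix_for_hosts(hosts) - 1, -1):
        total = 2 ** (32 - prefix)
        usable = total - AZURE_RESERVED_PER_SUBNET
        rows.append((prefix, total, usable, usable >= hosts))
    return rows


if __name__ == "__main__":
    for prefix, total, usable, enough in sizing_table(50):
        verdict = "enough" if enough else "not enough"
        print(f"/{prefix} = {total} total -> usable = {total} - 5 = {usable} ({verdict})")
    print("smallest subnet for 50 VMs: /" + str(smallest_prefix_for_hosts(50)))
```

A boundary worth noticing: a /27 gives exactly 27 usable addresses, so 27 hosts fit but 28 do not, which is the off-by-five mistake the exam trap is testing for. The function also refuses anything smaller than /29 because Azure will not create such a subnet regardless of the arithmetic.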
