Virtual Networks and Subnets
An Azure Virtual Network (VNet) is a logically isolated network in Azure that enables Azure resources to securely communicate with each other, the internet, and on-premises networks. Each VNet is defined by one or more address spaces (CIDR blocks) drawn from RFC 1918 private ranges.
Subnets are segments that subdivide a VNet's address space. Azure reserves 5 IP addresses in every subnet: the network address (.0), the Azure default gateway (.1), two Azure DNS addresses (.2 and .3), and the broadcast address (the last address in the range).
For example, in a /28 subnet (16 addresses), only 11 addresses are usable. In a /26 (64 addresses), only 59 are usable.
Each subnet can have zero or one route table and zero or one network security group (NSG) associated. Some Azure services (Azure Firewall, VPN Gateway, Azure Bastion) require a dedicated subnet.
VNet Peering
VNet peering connects two VNets so resources communicate directly over the Microsoft backbone network — no public internet, no gateways, no encryption overhead. Peering can be regional (same region) or global (cross-region).
VNet peering is non-transitive by default: if VNet A is peered to VNet B, and VNet B is peered to VNet C, VNet A cannot reach VNet C through VNet B.
Key peering settings:
| Peering Setting | What It Enables |
|---|---|
| Allow gateway transit | Lets the remote VNet use this VNet's VPN/ExpressRoute gateway |
| Use remote gateway | Routes this VNet's traffic through the remote VNet's gateway |
| Allow forwarded traffic | Accepts traffic forwarded by a network appliance in the peered VNet |
| Allow virtual network access | Lets resources in each VNet communicate (enabled by default) |
Peering is not free — you pay per GB of data transferred. Peered VNets must not have overlapping address spaces.
Public IP Addresses
| SKU | Assignment | Zone Support | Use Case |
|---|---|---|---|
| Basic | Static or Dynamic | Not zone-redundant | Legacy; being retired |
| Standard | Static only | Zone-redundant by default | Recommended for all new deployments |
A Standard public IP is always static, zone-redundant, and secure by default: inbound traffic is blocked unless an NSG explicitly allows it. A Standard public IP is required for Standard Load Balancer, Availability Zones, and Azure Bastion.
User-Defined Routes (UDRs)
User-defined routes (UDRs) override Azure's default system routes to control how traffic flows within and out of a subnet. They are created in a route table, which is then associated with one or more subnets.
Valid next hop types for UDRs:
| Next Hop Type | When to Use |
|---|---|
| Virtual appliance | Force traffic through an NVA (firewall); requires a next hop IP |
| Virtual network gateway | Route to a VPN gateway (VPN only, not ExpressRoute) |
| VNet | Keep traffic within the VNet |
| Internet | Send traffic directly to the public internet |
| None | Drop (blackhole) traffic to this prefix |
Azure selects routes by longest prefix match. Among equal-length prefixes: UDR > BGP > System route.
Forced tunneling is a UDR pattern that uses a 0.0.0.0/0 route pointing to a virtual appliance or VPN gateway so that all outbound traffic is inspected before leaving Azure.
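The route selection rule above (longest prefix match, then UDR > BGP > System for equal-length prefixes) and the next-hop constraints from the table can be checked offline. The following Python is an added example written for this page, not Azure code or output: the route table is constructed, the next hop names (VnetLocal, Internet, VirtualAppliance, None, VirtualNetworkGateway) and the source labels User/BGP/Default are assumed to mirror Azure's effective-route vocabulary, and `validate_udr` and `select_route` are hypothetical helpers.

```python
import ipaddress

# Azure tie-break among routes with the same prefix length: UDR > BGP > System route
SOURCE_RANK = {"User": 0, "BGP": 1, "Default": 2}
# Next hop types that need an explicit next hop IP (from the page's table)
NEXT_HOPS_NEEDING_IP = {"VirtualAppliance"}


def validate_udr(route, gateway_type=None):
    """Return a list of problems with a user-defined route; an empty list means it is valid.
    gateway_type is the type of the VNet's gateway ("Vpn" or "ExpressRoute"), if any."""
    problems = []
    try:
        ipaddress.ip_network(route["prefix"], strict=True)  # rejects e.g. 10.0.9.5/24
    except ValueError as err:
        problems.append(f"bad destination prefix: {err}")
    if route["next_hop"] in NEXT_HOPS_NEEDING_IP and not route.get("next_hop_ip"):
        problems.append("Virtual appliance next hop requires a next hop IP address")
    if route["next_hop"] == "VirtualNetworkGateway" and gateway_type == "ExpressRoute":
        problems.append("VirtualNetworkGateway next hop is supported for VPN gateways only, not ExpressRoute")
    return problems


def select_route(routes, destination):
    """Pick the route Azure would use for a destination IP:
    longest prefix match first, then UDR > BGP > System among equal-length prefixes."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r["prefix"])]
    if not candidates:
        return None
    return max(
        candidates,
        key=lambda r: (ipaddress.ip_network(r["prefix"]).prefixlen, -SOURCE_RANK[r["source"]]),
    )


# Constructed route table for a spoke subnet in 10.0.0.0/16: the two system routes,
# a forced-tunneling UDR, a blackhole UDR for a quarantined range, and a BGP-learned on-prem prefix.
ROUTES = [
    {"prefix": "10.0.0.0/16", "next_hop": "VnetLocal", "source": "Default"},
    {"prefix": "0.0.0.0/0", "next_hop": "Internet", "source": "Default"},
    {"prefix": "0.0.0.0/0", "next_hop": "VirtualAppliance", "next_hop_ip": "10.0.1.4", "source": "User"},
    {"prefix": "10.0.9.0/24", "next_hop": "None", "source": "User"},
    {"prefix": "192.168.0.0/16", "next_hop": "VirtualNetworkGateway", "source": "BGP"},
]

if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.0.5.7", "10.0.9.20", "192.168.1.1"):
        r = select_route(ROUTES, dst)
        print(f"{dst:>14} -> {r['next_hop']} ({r['source']} route {r['prefix']})")
    bad = {"prefix": "172.16.0.0/12", "next_hop": "VirtualNetworkGateway", "source": "User"}
    print(validate_udr(bad, gateway_type="ExpressRoute"))
```

Running it shows why forced tunneling works: the UDR 0.0.0.0/0 ties with the system internet route on prefix length and wins on source, while VNet-local traffic still matches the longer /16 system route and the /24 blackhole beats both.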
Troubleshooting with Network Watcher
| Tool | What It Tests |
|---|---|
| IP Flow Verify | Whether a packet is allowed/denied by NSG rules; names the matching rule |
| Next Hop | What the next hop is for a given source/destination IP; reveals routing problems |
| Connection Troubleshoot | End-to-end connectivity and latency from a VM to any endpoint |
| Effective Security Rules | Merged view of all NSG rules (subnet + NIC) applied to a network interface |
| NSG Flow Logs / VNet Flow Logs | Per-flow traffic log stored in a storage account |
Network Watcher is enabled per region and is automatically enabled when you create or update a VNet in that region.
Subnet IP Address Math
Must Memorize
Azure always reserves 5 IP addresses per subnet: .0 (network), .1 (gateway), .2 and .3 (DNS), and the last address (broadcast). Subtract 5 from the total to get usable addresses:
- /29 = 8 total → 3 usable
- /28 = 16 total → 11 usable
- /26 = 64 total → 59 usable
- /24 = 256 total → 251 usable
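As an added example (not part of the original notes), the Python below turns the subnet math above into a reusable check: it lists the five reserved addresses of any Azure subnet, computes the usable count, sizes the smallest subnet for a required host count, and, for the peering rule that address spaces must not overlap, reports conflicting pairs. The helper names (`azure_subnet_report`, `smallest_prefix_for`, `peering_conflicts`) and the sample ranges are constructed for this illustration; the /29 minimum is Azure's smallest supported subnet size.

```python
import ipaddress

# Azure reserves five addresses per subnet: network, gateway, two DNS, broadcast
AZURE_RESERVED_PER_SUBNET = 5
# Azure's smallest supported subnet is /29 (8 addresses, 3 usable)
AZURE_MIN_PREFIX = 29


def azure_subnet_report(cidr):
    """Return the reserved addresses and usable count for an Azure subnet."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set, e.g. 10.0.0.5/28
    if net.prefixlen > AZURE_MIN_PREFIX:
        raise ValueError(f"{cidr}: Azure subnets must be /29 or larger")
    return {
        "cidr": str(net),
        "total": net.num_addresses,
        "network": str(net[0]),             # .0
        "gateway": str(net[1]),             # .1
        "dns": [str(net[2]), str(net[3])],  # .2 and .3
        "broadcast": str(net[-1]),          # last address
        "usable": net.num_addresses - AZURE_RESERVED_PER_SUBNET,
        "first_usable": str(net[4]),
        "last_usable": str(net[-2]),
    }


def smallest_prefix_for(hosts_needed):
    """Smallest Azure subnet (largest prefix length) that leaves at least hosts_needed usable addresses."""
    for prefix in range(AZURE_MIN_PREFIX, -1, -1):
        total = 2 ** (32 - prefix)
        if total - AZURE_RESERVED_PER_SUBNET >= hosts_needed:
            return prefix
    raise ValueError("no IPv4 subnet is that large")


def peering_conflicts(vnet_a, vnet_b):
    """Pairs of address spaces that overlap; a non-empty result means the two VNets cannot be peered."""
    conflicts = []
    for a in vnet_a:
        for b in vnet_b:
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b)):
                conflicts.append((a, b))
    return conflicts


if __name__ == "__main__":
    for cidr in ("10.0.0.0/29", "10.0.0.0/28", "10.0.0.0/26", "10.0.0.0/24"):
        r = azure_subnet_report(cidr)
        print(f"{r['cidr']}: {r['total']} total, {r['usable']} usable "
              f"({r['first_usable']} - {r['last_usable']}), gateway {r['gateway']}")
    print("12 hosts need a /" + str(smallest_prefix_for(12)))
    # constructed case: a hub VNet and a spoke that reuses part of the hub's range
    print(peering_conflicts(["10.0.0.0/16"], ["10.0.5.0/24", "10.1.0.0/16"]))
```

The sizing helper makes the exam trap concrete: 11 hosts still fit a /28, but 12 hosts already need a /27, because the five reserved addresses come off the top of every subnet.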
VNet Peering Non-Transitivity
Exam Trap
"VNet peering is transitive — if A peers to B and B peers to C, A can reach C." → Peering is non-transitive by default. VNet A cannot reach VNet C through VNet B without additional routing (hub NVA + UDRs or Azure Virtual Network Manager).
Peering Address Space Changes
Exam Trap
"When you add an address space to a peered VNet, peering automatically updates." → After resizing or adding an address space to a peered VNet, you must sync the peering on both sides for the change to take effect. Traffic disruption can occur until the sync is complete.
UDR Next Hop — VPN vs. ExpressRoute
Exam Trap
"A UDR with next hop type 'Virtual network gateway' works with ExpressRoute gateways." → The VNet Gateway next hop type in UDRs is only supported for VPN gateways, NOT ExpressRoute.
Standard vs. Basic Public IP
Exam Trap
"Standard public IP addresses are dynamic and must be reassigned after a VM restart." → Standard SKU public IPs are always static. Only Basic SKU supports dynamic allocation (and Basic is being retired).
IP Flow Verify vs. Effective Security Rules
Must Memorize
- Effective security rules: Shows the merged rule list for a NIC — all NSG rules in one view
- IP Flow Verify: Simulates a specific packet and returns Allow/Deny with the specific rule name that matched
These are different tools for different questions. Use Effective Security Rules for "show me all rules"; use IP Flow Verify for "is this specific packet allowed?"
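To make the difference between the two tools (and the Network Watcher table above) concrete, here is an added Python simulation that is not part of the original notes and not Azure's implementation. It models inbound NSG evaluation the way the page describes it: rules are processed by priority, the subnet NSG is evaluated before the NIC NSG, both must allow, and the result names the rule that matched, as IP Flow Verify does. `effective_security_rules` builds the merged subnet + NIC list. The NSGs, packets and VNet range are constructed; the service tags are simplified (VirtualNetwork matches the VNet's address spaces, AzureLoadBalancer matches the 168.63.129.16 probe source), and the default rules are a copy of Azure's built-in inbound rules.

```python
import ipaddress

# Copy of Azure's built-in inbound rules, present in every NSG
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow", "protocol": "*",
     "src": "VirtualNetwork", "dst": "VirtualNetwork", "dport": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow", "protocol": "*",
     "src": "AzureLoadBalancer", "dst": "*", "dport": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny", "protocol": "*",
     "src": "*", "dst": "*", "dport": "*"},
]
AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")


def _ip_match(spec, ip, vnet_spaces):
    if spec == "*":
        return True
    if spec == "VirtualNetwork":  # service tag, simplified to the VNet's own address spaces
        return any(ip in ipaddress.ip_network(s) for s in vnet_spaces)
    if spec == "AzureLoadBalancer":  # service tag, simplified to the platform probe source
        return ip == AZURE_LB_PROBE_IP
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")  # "443" or "8000-8080"
    return int(lo) <= port <= int(hi or lo)


def first_matching_rule(rules, pkt, vnet_spaces):
    """Evaluate one NSG: lowest priority number first; the first match decides."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if r["protocol"] not in ("*", pkt["protocol"]):
            continue
        if not _ip_match(r["src"], pkt["src"], vnet_spaces):
            continue
        if not _ip_match(r["dst"], pkt["dst"], vnet_spaces):
            continue
        if not _port_match(r["dport"], pkt["dport"]):
            continue
        return r
    raise AssertionError("unreachable: DenyAllInBound matches everything")


def effective_security_rules(subnet_nsg, nic_nsg):
    """Merged view of all rules that apply to a NIC (subnet NSG + NIC NSG, defaults included)."""
    merged = [dict(r, scope="subnet") for r in subnet_nsg + DEFAULT_INBOUND]
    merged += [dict(r, scope="nic") for r in nic_nsg + DEFAULT_INBOUND]
    return merged


def ip_flow_verify_inbound(subnet_nsg, nic_nsg, packet, vnet_spaces):
    """Inbound: subnet NSG is checked first, then the NIC NSG; both must allow.
    Returns (Allow|Deny, scope, rule name). Pass None for a scope with no NSG attached."""
    pkt = dict(packet, src=ipaddress.ip_address(packet["src"]),
               dst=ipaddress.ip_address(packet["dst"]))
    verdict = None
    for scope, rules in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        if rules is None:
            continue
        rule = first_matching_rule(rules, pkt, vnet_spaces)
        verdict = (rule["access"], scope, rule["name"])
        if rule["access"] == "Deny":
            return verdict
    return verdict or ("Allow", None, None)


# Constructed sample: subnet NSG opens 443 from anywhere, NIC NSG blocks RDP and allows SSH from the VNet
VNET = ["10.0.0.0/16"]
SUBNET_NSG = [
    {"name": "AllowHttpsFromInternet", "priority": 100, "access": "Allow", "protocol": "TCP",
     "src": "*", "dst": "*", "dport": "443"},
]
NIC_NSG = [
    {"name": "DenyRdp", "priority": 100, "access": "Deny", "protocol": "TCP",
     "src": "*", "dst": "*", "dport": "3389"},
    {"name": "AllowSshFromVnet", "priority": 200, "access": "Allow", "protocol": "TCP",
     "src": "10.0.0.0/16", "dst": "*", "dport": "22"},
]
WEB_FROM_INTERNET = {"protocol": "TCP", "src": "203.0.113.5", "dst": "10.0.1.4", "dport": 443}
SSH_FROM_VNET = {"protocol": "TCP", "src": "10.0.2.9", "dst": "10.0.1.4", "dport": 22}

if __name__ == "__main__":
    print(ip_flow_verify_inbound(SUBNET_NSG, NIC_NSG, WEB_FROM_INTERNET, VNET))
    print(ip_flow_verify_inbound(SUBNET_NSG, NIC_NSG, SSH_FROM_VNET, VNET))
    for r in effective_security_rules(SUBNET_NSG, NIC_NSG):
        print(f"{r['scope']:>6} {r['priority']:>5} {r['access']:<5} {r['name']}")
```

The first call is the case IP Flow Verify exists for: the subnet NSG allows the HTTPS packet, but the NIC NSG has no matching allow, so the NIC's DenyAllInBound wins and the tool names that rule. The merged list from `effective_security_rules` shows the same rules but answers a different question.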
Create a Virtual Network and Subnet
- Portal → Search bar → Virtual networks → + Create
- Fill in Subscription, Resource Group, Name, Region
- Under IP Addresses tab: set the IPv4 address space (e.g., 10.0.0.0/16)
- Click + Add subnet: enter Subnet name and Starting address / Subnet size
- Review + Create
Configure VNet Peering
- Portal → Virtual networks → select the source VNet → Settings → Peerings → + Add
- Set Peering link name (local side) and Remote peering link name
- Select the Remote virtual network (subscription + VNet)
- Choose peering settings: Allow gateway transit, Use remote gateway, Allow forwarded traffic as needed
- Click Add — peering is created on both VNets simultaneously
Create a Route Table and Add a UDR
- Portal → Search bar → Route tables → + Create
- Select subscription, resource group, region, name; choose whether to Propagate gateway routes
- Open the new route table → Routes → + Add
- Enter Route name, Destination CIDR, Next hop type, and Next hop IP (if Virtual appliance)
- Go to Subnets → + Associate → select VNet and subnet
Use IP Flow Verify
- Portal → Network Watcher → Network diagnostic tools → IP flow verify
- Select VM, NIC, direction (Inbound/Outbound), protocol, local port, remote IP and port
- Click Check → result shows Access allowed or Access denied and the matching NSG rule name
AZ-104 Exam Focus
Exam Trap
"You can use any 5 addresses in a /29 subnet (8 addresses)." → Azure reserves 5 addresses per subnet — network, gateway, two DNS, and broadcast — leaving only 3 usable addresses in a /29.
Exam Trap
"VNet peering is transitive — if A peers to B and B peers to C, A can reach C." → Peering is non-transitive by default. VNet A cannot reach VNet C through VNet B without additional routing.
Exam Trap
"A UDR with next hop type 'Virtual network gateway' works with ExpressRoute gateways." → This next hop type only works for VPN gateways, not ExpressRoute.
Exam Trap
"Standard public IP addresses are dynamic and must be reassigned after a VM restart." → Standard SKU public IPs are always static. Only Basic SKU supports dynamic allocation.
Exam Trap
"When you add an address space to a peered VNet, peering automatically updates." → After adding an address space, you must sync the peering on both sides for the change to take effect.
Exam Trap
"Effective security rules and IP Flow Verify are the same tool." → They are different. Effective security rules shows the merged rule list for a NIC; IP Flow Verify simulates a specific packet and tells you which rule matched.
Review Questions
- How many usable IP addresses does a /26 subnet have?
- Is VNet peering transitive by default?
- What UDR pattern routes ALL outbound subnet traffic through a network virtual appliance?
- Which Network Watcher tool identifies which NSG rule is blocking a specific packet?
- After adding a new address space to a peered VNet, traffic to the new range fails. What is the cause?
- What assignment type do Standard SKU public IP addresses use?