Virtual Networks
Azure Virtual Networks (VNets) provide private network isolation for Azure resources. Resources within a VNet can communicate with each other by default (subject to any network security groups you apply), while connectivity to on-premises networks or to other VNets must be configured explicitly.
Key Concepts
- Address space — the CIDR range allocated to the VNet (e.g. 10.0.0.0/16)
- Subnets — subdivisions of the address space assigned to specific resource types
- Peering — connects two VNets so resources can communicate privately without a gateway; peering is not transitive, so A peered with B and B peered with C does not connect A to C
- DNS — VNets use Azure-provided DNS by default; custom DNS servers can be specified
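The address-space and subnet rules above can be checked before anything is created. The following is an added example, not code from the original page: an offline PowerShell validator that takes a planned address space, a set of named subnets and the address spaces of any VNets you intend to peer with, and reports subnets that fall outside the VNet range, subnets that overlap each other, an address space that overlaps a future peer (Azure refuses such peerings), an AzureBastionSubnet smaller than /26 and a subnet named default. The function names and the sample layout are constructed for this example; no Azure session is needed.

```powershell
# Added example, not from the original page. Offline validator for a planned
# VNet layout; needs only PowerShell, no Azure session. Function names and the
# sample layout at the bottom are constructed for this example.

function Get-CidrRange {
    # Parse "a.b.c.d/len" into the numeric first and last address of the block.
    param([Parameter(Mandatory)][string]$Cidr)
    $parts = $Cidr.Split('/')
    if ($parts.Count -ne 2) { throw "Expected IPv4 CIDR notation, got '$Cidr'" }
    $len = [int]$parts[1]
    if ($len -lt 0 -or $len -gt 32) { throw "Invalid prefix length in '$Cidr'" }
    $b = [System.Net.IPAddress]::Parse($parts[0]).GetAddressBytes()
    if ($b.Length -ne 4) { throw "Only IPv4 prefixes are handled: '$Cidr'" }
    $addr  = ([uint64]$b[0] * 16777216) + ([uint64]$b[1] * 65536) + ([uint64]$b[2] * 256) + [uint64]$b[3]
    $size  = [uint64][math]::Pow(2, 32 - $len)
    $start = $addr - ($addr % $size)        # align to the block boundary
    [pscustomobject]@{ Cidr = $Cidr; Length = $len; Start = $start; End = $start + $size - 1 }
}

function Test-CidrOverlap {
    # Two address blocks overlap when each one starts no later than the other ends.
    param([Parameter(Mandatory)]$A, [Parameter(Mandatory)]$B)
    return ($A.Start -le $B.End) -and ($B.Start -le $A.End)
}

function Test-VNetLayout {
    param(
        [Parameter(Mandatory)][string]$AddressPrefix,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Subnets,   # subnet name -> prefix
        [string[]]$PeerAddressPrefixes = @()                              # address spaces of VNets you plan to peer with
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $vnet   = Get-CidrRange $AddressPrefix
    $ranges = @{}

    foreach ($name in $Subnets.Keys) {
        $r = Get-CidrRange $Subnets[$name]
        $ranges[$name] = $r
        if ($r.Start -lt $vnet.Start -or $r.End -gt $vnet.End) {
            $findings.Add("Subnet '$name' ($($r.Cidr)) lies outside the VNet address space $AddressPrefix")
        }
        if ($name -eq 'default') {
            $findings.Add("Subnet '$name' uses the default name; give production subnets descriptive names")
        }
        if ($name -eq 'AzureBastionSubnet' -and $r.Length -gt 26) {
            $findings.Add("AzureBastionSubnet is /$($r.Length); Azure Bastion needs /26 or larger")
        }
    }

    # Every pair of subnets must be disjoint.
    $names = @($ranges.Keys)
    for ($i = 0; $i -lt $names.Count; $i++) {
        for ($j = $i + 1; $j -lt $names.Count; $j++) {
            if (Test-CidrOverlap $ranges[$names[$i]] $ranges[$names[$j]]) {
                $findings.Add("Subnets '$($names[$i])' and '$($names[$j])' overlap")
            }
        }
    }

    # Overlapping address spaces make peering impossible, so check future peers now.
    foreach ($peer in $PeerAddressPrefixes) {
        if (Test-CidrOverlap $vnet (Get-CidrRange $peer)) {
            $findings.Add("VNet address space $AddressPrefix overlaps peer range $peer; peering would be refused")
        }
    }
    return $findings
}

# Constructed sample layout with one problem of each kind.
$plan = @{
    'snet-app'           = '10.0.1.0/24'
    'snet-data'          = '10.0.2.0/24'
    'default'            = '10.0.2.128/25'   # overlaps snet-data, and a discouraged name
    'AzureBastionSubnet' = '10.0.3.0/27'     # too small for Bastion
    'snet-pe'            = '10.1.0.0/24'     # outside 10.0.0.0/16
}
$issues = Test-VNetLayout -AddressPrefix '10.0.0.0/16' -Subnets $plan `
    -PeerAddressPrefixes @('10.0.128.0/17', '172.16.0.0/12')   # the first one collides with the VNet
if ($issues) { $issues | ForEach-Object { "FAIL: $_" } } else { 'Layout OK' }
```

Run it against the real plan before the New-AzVirtualNetwork call; a clean run prints Layout OK, otherwise one FAIL line per problem. The overlap test is the same containment arithmetic Azure applies when it rejects a peering between overlapping address spaces.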
Create a VNet and Subnets
PowerShell
# Define subnets
$appSubnet = New-AzVirtualNetworkSubnetConfig `
-Name "snet-app" `
-AddressPrefix "10.0.1.0/24"
$dataSubnet = New-AzVirtualNetworkSubnetConfig `
-Name "snet-data" `
-AddressPrefix "10.0.2.0/24"
# Create the VNet with subnets
New-AzVirtualNetwork `
-ResourceGroupName "rg-network-prod-uks-01" `
-Name "vnet-prod-uks-01" `
-Location "uksouth" `
-AddressPrefix "10.0.0.0/16" `
-Subnet $appSubnet, $dataSubnet

Inspect a VNet
PowerShell
# List all VNets in a resource group. AddressSpace is an object, so expand its
# prefixes explicitly instead of letting Format-Table print the type name
Get-AzVirtualNetwork -ResourceGroupName "rg-network-prod-uks-01" |
Format-Table Name, Location, @{ Name = "AddressSpace"; Expression = { $_.AddressSpace.AddressPrefixes -join ", " } }
# Show VNet details including subnets
$vnet = Get-AzVirtualNetwork `
-ResourceGroupName "rg-network-prod-uks-01" `
-Name "vnet-prod-uks-01"
# List subnets, including which NSG (if any) is attached to each
$vnet.Subnets | Format-Table Name, AddressPrefix, @{ Name = "NSG"; Expression = { ($_.NetworkSecurityGroup.Id -split "/")[-1] } }

VNet Peering
Peering must be created in both directions, from VNet A to VNet B and from B to A. The first link shows a PeeringState of Initiated and only becomes Connected once the reverse link exists. A peered VNet has full IP reachability into the other VNet, so keep NSGs on the subnets that face it.
PowerShell
$vnetProd = Get-AzVirtualNetwork -ResourceGroupName "rg-network-prod-uks-01" -Name "vnet-prod-uks-01"
$vnetDev = Get-AzVirtualNetwork -ResourceGroupName "rg-network-dev-uks-01" -Name "vnet-dev-uks-01"
# Peer prod to dev (direction 1). -AllowForwardedTraffic accepts traffic that a
# network virtual appliance in the remote VNet forwards; omit it unless you rely on one
Add-AzVirtualNetworkPeering `
-Name "peer-prod-to-dev" `
-VirtualNetwork $vnetProd `
-RemoteVirtualNetworkId $vnetDev.Id `
-AllowForwardedTraffic
# Peer dev to prod (direction 2)
Add-AzVirtualNetworkPeering `
-Name "peer-dev-to-prod" `
-VirtualNetwork $vnetDev `
-RemoteVirtualNetworkId $vnetProd.Id `
-AllowForwardedTraffic
# Check peering state
Get-AzVirtualNetworkPeering `
-ResourceGroupName "rg-network-prod-uks-01" `
-VirtualNetworkName "vnet-prod-uks-01" |
Format-Table Name, PeeringState

Best Practices
- Plan address spaces carefully — overlapping CIDR ranges prevent peering
- Use dedicated subnets for specific resource types (VMs, App Services, databases, private endpoints)
- Reserve the AzureBastionSubnet (/26 minimum) if using Azure Bastion
- Avoid using the default subnet name in production — named subnets make NSG and route table assignments clearer
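The practices above and the peering notes can be checked against what is already deployed. The following is an added example, not code from the original page: a PowerShell audit that walks every VNet the current Az session can see, flags subnets still named default, an AzureBastionSubnet smaller than /26, subnets with no NSG attached, peerings that are not in the Connected state, peerings with AllowForwardedTraffic or gateway transit enabled, and peerings that cross between production and non-production networks. It requires the Az.Network module and an authenticated session (Connect-AzAccount). The function names are this example's own, and the rule that "prod" in a VNet name marks production is an assumption taken from the names used on this page.

```powershell
# Added example, not from the original page. Audits every VNet visible to the
# current Az session against the peering notes and best practices on this page.
# Requires the Az.Network module and Connect-AzAccount. The 'prod' naming
# convention is assumed from the names used on this page.

function Get-VNetEnvironment {
    # Assumed convention: 'prod' anywhere in the name marks a production VNet.
    param([Parameter(Mandatory)][string]$Name)
    if ($Name -match 'prod') { return 'prod' } else { return 'nonprod' }
}

function New-Finding {
    param($VNet, $Item, $Finding)
    [pscustomobject]@{ VNet = $VNet; Item = $Item; Finding = $Finding }
}

function Get-VNetAuditFindings {
    $findings = [System.Collections.Generic.List[object]]::new()
    # Azure does not allow an NSG on these platform subnets, so do not flag them.
    $noNsgExpected = @('GatewaySubnet', 'AzureFirewallSubnet')

    foreach ($vnet in Get-AzVirtualNetwork) {
        $vnetEnv = Get-VNetEnvironment $vnet.Name

        foreach ($subnet in $vnet.Subnets) {
            $prefix = $subnet.AddressPrefix | Select-Object -First 1
            $len = [int](($prefix -split '/')[1])
            if ($subnet.Name -eq 'default') {
                $findings.Add((New-Finding $vnet.Name $subnet.Name "subnet still uses the 'default' name"))
            }
            if ($subnet.Name -eq 'AzureBastionSubnet' -and $len -gt 26) {
                $findings.Add((New-Finding $vnet.Name $subnet.Name "AzureBastionSubnet is /$len; /26 is the minimum"))
            }
            if (-not $subnet.NetworkSecurityGroup -and $subnet.Name -notin $noNsgExpected) {
                $findings.Add((New-Finding $vnet.Name $subnet.Name "no NSG associated with subnet ($prefix)"))
            }
        }

        foreach ($peer in $vnet.VirtualNetworkPeerings) {
            $remote    = ($peer.RemoteVirtualNetwork.Id -split '/')[-1]   # VNet name is the last segment of the resource ID
            $remoteEnv = Get-VNetEnvironment $remote
            if ($peer.PeeringState -ne 'Connected') {
                $findings.Add((New-Finding $vnet.Name $peer.Name "peering state is $($peer.PeeringState); the reverse peering is missing or broken"))
            }
            if ($peer.AllowForwardedTraffic) {
                $findings.Add((New-Finding $vnet.Name $peer.Name "AllowForwardedTraffic is on: traffic forwarded by an appliance in $remote is accepted"))
            }
            if ($peer.AllowGatewayTransit -or $peer.UseRemoteGateways) {
                $findings.Add((New-Finding $vnet.Name $peer.Name "gateway transit in use with $remote; on-premises reach extends across this peering"))
            }
            if ($remoteEnv -ne $vnetEnv) {
                $findings.Add((New-Finding $vnet.Name $peer.Name "peering crosses environments: $vnetEnv <-> $remoteEnv ($remote); confirm this boundary crossing is intended"))
            }
        }
    }
    return $findings
}

Get-VNetAuditFindings | Sort-Object VNet, Item | Format-Table VNet, Item, Finding -AutoSize -Wrap
```

Run it after Connect-AzAccount and Set-AzContext for the subscription you want to audit. An empty table means nothing was flagged; each finding names the VNet and the subnet or peering it applies to, so it can be handed straight to whoever owns that network.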