Azure Virtual Network Concepts: AZ-900 Study Guide
An Azure Virtual Network (VNet) is a fundamental building block for your private network in Azure. It enables Azure resources, like VMs, to securely communicate with each other, the internet, and on-premises networks. Key concepts for the AZ-900 include subnetting for organization, VNet peering for connectivity, and Network Security Groups for isolation.
What Exactly is an Azure Virtual Network (VNet)?
Think of an Azure Virtual Network (VNet) as your own private slice of the Azure public cloud. It is a logical isolation of the Azure cloud dedicated to your subscription. When you deploy a VNet, you're essentially creating a boundary where you control the IP address space, the security rules, and how resources communicate.
For the AZ-900 exam, the most critical thing to remember is that a VNet is a regional resource. This means it is confined to a single Azure region. If you need resources in two different regions to talk to each other, you can't just stretch one VNet across them; you'll need a strategy to connect two separate VNets. This fundamental concept of regionality is a common trap on the exam, so keep it top of mind.
How Do Subnets and IP Addressing Work in VNets?
You don't just throw all your resources into one big bucket. Instead, you use subnets to slice your VNet into smaller, manageable segments. Subnetting allows you to group related resources—like putting your web servers in one subnet and your databases in another—which is essential for both organization and security.
When planning your address space, you'll use CIDR notation (like 10.0.0.0/16). A common mistake students make is overlapping IP addresses. If you plan to connect your VNet to an on-premises network or another VNet, ensure your IP ranges don't overlap, or the traffic simply won't know where to go. We recommend sketching out your IP plan before you start clicking buttons in the portal to avoid the headache of recreating your network from scratch.
What is VNet Peering and Why is it Necessary?
In the real world, your architecture will often grow beyond a single VNet. VNet peering allows you to connect two Azure Virtual Networks seamlessly. Once peered, the two networks behave as one for connectivity purposes. The magic here is that the traffic between peered VNets travels over the Microsoft backbone network, not the public internet, which ensures lower latency and higher security.
There are two types you need to know: Regional VNet Peering (connecting VNets in the same region) and Global VNet Peering (connecting VNets across different Azure regions). Whether you're implementing a hub-and-spoke model or just connecting two departments, peering is the go-to tool for cross-network communication without the complexity of a VPN gateway.
How Do You Secure Your VNet Using Network Security Groups (NSGs)?
Connectivity is great, but unrestricted access is a security nightmare. This is where Network Security Groups (NSGs) come in. An NSG acts as a basic firewall, containing a list of security rules that allow or deny network traffic based on a 5-tuple: source, source port, destination, destination port, and protocol.
You can apply an NSG to an entire subnet or to a specific network interface (NIC) on a virtual machine. A pro tip for the exam: remember that NSGs have priority numbers. Rules are processed in order from lowest to highest number. Once a rule matches the traffic, processing stops. If you have a 'Deny All' rule at priority 100, any 'Allow' rule at priority 200 will be ignored.
How Do Azure Resources Connect to the Outside World?
Your VNet isn't an island. To communicate with the internet or your local office, you need specific connectivity tools. For basic internet access, Azure provides default outbound connectivity. However, for controlled inbound access, you'll assign a Public IP address to your resource or use an Azure Load Balancer.
For hybrid cloud scenarios, you have two main choices: Azure VPN Gateway and Azure ExpressRoute. A VPN Gateway sends encrypted traffic over the public internet, which is cost-effective but subject to internet fluctuations. ExpressRoute, on the other hand, is a private, dedicated connection provided by a third-party partner. It bypasses the public internet entirely, offering higher reliability and faster speeds—perfect for enterprise-grade workloads.
How Can You Master VNet Concepts for the AZ-900 Exam?
Reading the documentation is a start, but the AZ-900 exam tests your ability to apply these concepts to scenarios. You need to be able to distinguish between a VNet and a Subnet, or know when to choose ExpressRoute over a VPN. The best way to bridge that gap is through high-volume, high-quality practice.
At Cert Sensei, we've built a platform specifically for this. We offer 1,000 expert-curated Microsoft Azure Fundamentals (AZ-900) practice questions that mimic the actual exam environment. Instead of just telling you if you're wrong, we provide detailed expert reasoning for every answer. Plus, our domain-level analytics show you exactly where you're struggling—whether it's in the 'Azure Architecture and Services' domain or elsewhere—so you can stop wasting time on what you already know and focus on your weak spots.
❓ Frequently Asked Questions
Can a single Azure Virtual Network span multiple regions?
No, a VNet is a regional resource and cannot span multiple regions. To connect resources in different regions, you must create a VNet in each region and use Global VNet Peering to link them together.
What happens if two peered VNets have overlapping IP address spaces?
Azure will not allow you to establish a peering connection between two VNets that have overlapping IP address ranges. You must ensure your CIDR blocks are unique before attempting to peer them.
Is an NSG the same as an Azure Firewall?
Not exactly. An NSG is a basic layer-4 filter (ports and IPs) applied to subnets or NICs. Azure Firewall is a managed, cloud-based network security service that provides layer-7 filtering and centralized protection across multiple VNets.