Last updated: May 2026

Azure Virtual Networks (VNet)

A Virtual Network (VNet) is your private network in Azure — the foundational networking building block that everything else is built on. It's an isolated, logically defined network where your Azure resources live and communicate. Every VM, every database, every App Service Environment needs a VNet. Understanding VNets deeply is the foundation of all Azure networking.

What you'll learn: What VNets are and how they work · Address spaces and CIDR notation · VNet scope — region and subscription · Default and custom DNS · VNet Peering — regional and global · Creating VNets via Portal and CLI · VNet limits and best practices · VNet vs on-premises network

What is a VNet?

A Virtual Network is a logically isolated section of the Azure cloud where you can launch Azure resources in a network that you define. It is similar to a traditional network in your own data centre, but with the added benefits of Azure's scale, availability, and isolation.

ℹ️ Key Properties of a VNet

  • Isolation — resources in one VNet cannot communicate with another VNet by default
  • Scope — a VNet exists within a single Azure region
  • Free — VNets themselves have no cost; you pay for gateways and data transfer
  • Extensible — can be connected to other VNets or on-premises networks

Address Space and CIDR

When creating a VNet, you define its address space using CIDR (Classless Inter-Domain Routing) notation. For example, 10.0.0.0/16 gives you 65,536 IP addresses.

Private IP Ranges (RFC 1918)

Always use private IP ranges for VNets:

| Range | CIDR | Available IPs |
| --- | --- | --- |
| 10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 | ~16 million |
| 172.16.0.0 – 172.31.255.255 | 172.16.0.0/12 | ~1 million |
| 192.168.0.0 – 192.168.255.255 | 192.168.0.0/16 | 65,536 |

CIDR Quick Reference

| CIDR | Usable IPs | Typical Use |
| --- | --- | --- |
| /8 | ~16.7 million | Enterprise — very large |
| /16 | 65,536 | Large VNet — recommended for production |
| /24 | 256 | Small VNet or subnet |
| /26 | 64 | Small subnet (minimum for Bastion) |
| /28 | 16 | Very small subnet (minimum for Gateway) |

⚠️ Plan Your Address Space Carefully: You cannot change a VNet's address space once resources are deployed (without downtime). Plan for growth — use /16 for production VNets even if you don't need that many IPs today. Also ensure your VNet address space doesn't overlap with on-premises networks if you plan to connect them later.

Reserved Addresses per Subnet

Azure reserves 5 IP addresses in every subnet:

  • x.x.x.0 — Network address
  • x.x.x.1 — Default gateway
  • x.x.x.2, x.x.x.3 — Azure DNS
  • x.x.x.255 — Broadcast

So a /24 subnet has 256 – 5 = 251 usable IPs.
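The address-planning rules above (private RFC 1918 ranges, no overlap between VNets and on-premises networks, subnets inside their VNet, five reserved addresses per subnet) can be checked before anything is deployed. This is an added example, not code from the original page; the function names and the `VNetB`, `onprem-hq` and `data-subnet` entries are hypothetical, and the plan itself is constructed.

```python
import ipaddress

AZURE_RESERVED = 5  # addresses Azure reserves in every subnet (see list above)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def usable_ips(cidr):
    """Addresses left for resources once Azure's reserved ones are removed."""
    return max(ipaddress.ip_network(cidr).num_addresses - AZURE_RESERVED, 0)

def check_plan(address_spaces, subnets):
    """address_spaces: {name: cidr} for every VNet and on-premises range.
    subnets: {subnet_name: (vnet_name, cidr)}.
    Returns a list of findings; an empty list means the plan is clean."""
    nets = {n: ipaddress.ip_network(c) for n, c in address_spaces.items()}
    findings = []
    for name, net in sorted(nets.items()):
        if not any(net.subnet_of(r) for r in RFC1918):
            findings.append(f"{name}: {net} is outside the RFC 1918 ranges")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    placed = []
    for sname, (vnet, cidr) in sorted(subnets.items()):
        sub = ipaddress.ip_network(cidr)
        if not sub.subnet_of(nets[vnet]):
            findings.append(f"{sname}: {sub} is not inside {vnet} ({nets[vnet]})")
        for other, other_vnet, other_net in placed:
            if other_vnet == vnet and sub.overlaps(other_net):
                findings.append(f"{sname} overlaps {other} in {vnet}")
        placed.append((sname, vnet, sub))
    return findings

# Constructed plan: myVNet, web-subnet and app-subnet use this page's sample
# ranges; VNetB, onprem-hq and data-subnet are hypothetical.
SPACES = {"myVNet": "10.0.0.0/16", "VNetB": "10.1.0.0/16",
          "onprem-hq": "10.0.128.0/17"}
SUBNETS = {"web-subnet": ("myVNet", "10.0.1.0/24"),
           "app-subnet": ("myVNet", "10.0.2.0/24"),
           "data-subnet": ("myVNet", "10.1.3.0/24")}

if __name__ == "__main__":
    for finding in check_plan(SPACES, SUBNETS):
        print("FINDING:", finding)
    print("usable in 10.0.1.0/24:", usable_ips("10.0.1.0/24"))
```

`ipaddress.ip_network` also rejects a CIDR whose host bits are set (for example 10.0.1.5/24), so a mistyped prefix fails loudly instead of being silently rounded.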

VNet Scope

A VNet exists within a single Azure region and a single subscription. Resources in different regions cannot be in the same VNet — but they can be connected via VNet Peering or VPN Gateway.

| Scope | Can Communicate Without Peering? |
| --- | --- |
| Same VNet, same subnet | ✅ Yes — directly |
| Same VNet, different subnets | ✅ Yes — by default (unless NSG blocks) |
| Different VNets, same region | ❌ No — need VNet Peering or VPN |
| Different VNets, different regions | ❌ No — need Global VNet Peering or VPN |
| VNet to on-premises | ❌ No — need VPN Gateway or ExpressRoute |

DNS Settings

VNets have a DNS setting that controls how VMs resolve hostnames. Three options:

  • Azure-provided DNS (default) — Uses Azure's built-in DNS (168.63.129.16). Resolves Azure resource names automatically. Sufficient for most workloads.
  • Custom DNS servers — Specify your own DNS servers (on-premises Active Directory, custom resolvers). Required when integrating with on-premises AD.
  • Private DNS Zones — Azure-managed private DNS for custom domain resolution within VNets.

VNet Peering

VNet Peering connects two VNets so resources in each can communicate privately using private IP addresses. Traffic never traverses the public internet — it uses Microsoft's backbone network.

| Feature | Regional Peering | Global Peering |
| --- | --- | --- |
| VNet location | Same region | Different regions |
| Latency | Very low (<1ms) | Low (cross-region) |
| Bandwidth | Full VNet bandwidth | Full VNet bandwidth |
| Cost | Charged per GB | Charged per GB (higher rate) |
| Encryption | No (Microsoft backbone is trusted) | No |

ℹ️ Peering is Non-Transitive: If VNet A is peered with VNet B, and VNet B is peered with VNet C — VNet A cannot communicate with VNet C. You must create a separate peering between A and C, or use a hub-spoke architecture with Azure Firewall or VPN Gateway in the hub.
Azure CLI Create VNet Peering (both directions required)
# Peer VNet-A to VNet-B
az network vnet peering create \
  --name VNetA-to-VNetB \
  --resource-group myRG \
  --vnet-name VNetA \
  --remote-vnet VNetB \
  --allow-vnet-access

# Peer VNet-B to VNet-A (peering must be created in BOTH directions)
az network vnet peering create \
  --name VNetB-to-VNetA \
  --resource-group myRG \
  --vnet-name VNetB \
  --remote-vnet VNetA \
  --allow-vnet-access
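
The two peering rules above (one peering per direction, and no transit through a third VNet) can be audited from an inventory of peerings, which is useful both for finding half-configured links and for confirming that VNets meant to stay segmented really have no direct peering. This is an added example, not code from the original page; the function name, `VNetC`, `VNetD` and the peering list are constructed for illustration.

```python
from itertools import combinations

def audit_peerings(vnets, peerings):
    """peerings: iterable of (local_vnet, remote_vnet), one entry per direction.
    Classifies every VNet pair as:
      connected     - peering exists in both directions
      one_way       - only one direction was created (incomplete)
      indirect_only - linked only through other VNets; peering is
                      non-transitive, so the pair cannot communicate
      no_path       - no peering relationship at all"""
    directed = set(peerings)
    pairs = list(combinations(sorted(vnets), 2))
    report = {"connected": [], "one_way": [], "indirect_only": [], "no_path": []}
    links = {v: set() for v in vnets}  # fully established peerings only
    for a, b in pairs:
        if (a, b) in directed and (b, a) in directed:
            links[a].add(b)
            links[b].add(a)
            report["connected"].append((a, b))
        elif (a, b) in directed or (b, a) in directed:
            report["one_way"].append((a, b))
    for a, b in pairs:
        if b in links[a] or (a, b) in report["one_way"]:
            continue
        # Follow chains of established peerings to spot pairs that someone
        # might wrongly assume are connected "through" another VNet.
        seen, stack = {a}, [a]
        while stack:
            for nxt in links[stack.pop()] - seen:
                seen.add(nxt)
                stack.append(nxt)
        report["indirect_only" if b in seen else "no_path"].append((a, b))
    return report

# Constructed inventory: A<->B and B<->C are complete, C->D lacks its reverse.
VNETS = ["VNetA", "VNetB", "VNetC", "VNetD"]
PEERINGS = [("VNetA", "VNetB"), ("VNetB", "VNetA"),
            ("VNetB", "VNetC"), ("VNetC", "VNetB"),
            ("VNetC", "VNetD")]

if __name__ == "__main__":
    for status, found in audit_peerings(VNETS, PEERINGS).items():
        print(f"{status:14} {found}")
```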

Creating a VNet

Azure CLI Create a VNet with two subnets
# Create the VNet
az network vnet create \
  --name myVNet \
  --resource-group myResourceGroup \
  --location centralindia \
  --address-prefix 10.0.0.0/16

# Add a web subnet
az network vnet subnet create \
  --name web-subnet \
  --resource-group myResourceGroup \
  --vnet-name myVNet \
  --address-prefix 10.0.1.0/24

# Add an app subnet
az network vnet subnet create \
  --name app-subnet \
  --resource-group myResourceGroup \
  --vnet-name myVNet \
  --address-prefix 10.0.2.0/24

# List subnets
az network vnet subnet list \
  --resource-group myResourceGroup \
  --vnet-name myVNet \
  --output table

VNet Limits

| Resource | Default Limit |
| --- | --- |
| VNets per subscription per region | 1,000 |
| Subnets per VNet | 3,000 |
| VNet Peerings per VNet | 500 |
| DNS servers per VNet | 20 |
| Address prefixes per VNet | 200 (via support: 1,000) |

Best Practices

  • Use /16 for production VNets — Plenty of room to grow without recreating
  • Don't overlap address spaces — Plan IP ranges across all VNets and on-premises to avoid conflicts
  • Segment with subnets — Separate web, app, data, and management tiers into different subnets
  • Use Hub-Spoke topology — One hub VNet with shared services (Firewall, Bastion, VPN), spoke VNets for workloads
  • Document your IP scheme — Track which ranges are used where to prevent future conflicts

💡 AZ-104 Exam Tip: Know that VNet peering must be created in both directions, that peering is non-transitive, that Azure reserves 5 IPs per subnet, and that VNets are scoped to a single region. Address space overlap prevents VNet peering — a very common exam scenario.

📝 Practice Questions

Q1. How many IP addresses are reserved by Azure in every subnet?
A 3
B 5
C 8
D 10

Q2. VNet A is peered with VNet B. VNet B is peered with VNet C. Can VNet A communicate with VNet C?
A Yes — peering is transitive, so A can reach C through B
B No — VNet Peering is non-transitive; a direct A↔C peering is required
C Only if transitive peering is enabled on VNet B
D Only if all three VNets are in the same subscription

Q3. You need to create a VNet peering between VNet-A and VNet-B. How many peering connections must you create?
A 2 — one from A to B, and one from B to A
B 1 — a single peering covers both directions
C 4 — two in each direction
D Depends on how many subscriptions the VNets are in

Q4. Can two VMs in different subnets of the same VNet communicate with each other by default?
A Yes — all subnets within a VNet can communicate by default
B No — subnet peering must be configured
C Only if NSG rules explicitly allow it
D Only if a VPN is configured between the subnets

Q5. Why is it important that VNet address spaces don't overlap when planning hybrid connectivity?
A Overlapping address spaces reduce network performance
B Overlapping address spaces prevent peering and VPN connections — routing becomes ambiguous
C Overlapping address spaces create security vulnerabilities
D Azure charges more for overlapping address spaces

Disclaimer: RedKite Cloud is an independent educational resource and is not affiliated with Microsoft Corporation.