AZ-104 Microsoft Azure Administrator Exam

Create and configure virtual networks and subnets

Creating a virtual network (VNet) in Azure gives you a logical isolation boundary for your resources. You start by choosing an address space using a CIDR block, such as 10.0.0.0/16, that will not conflict with on-premises networks. Subnets break that address space into smaller segments, so you can group related resources and apply different security rules.

You can create VNets and subnets through the Azure Portal, Azure CLI, or Azure PowerShell. Key steps include:

• Defining the address prefix for the VNet
• Adding subnets with specific CIDR ranges
• Attaching network security groups (NSGs) to filter traffic

Best practices for VNets include planning for growth and preventing IP conflicts. Always reserve extra address space for future needs and use separate subnets for web, application, and database tiers. Proper segmentation also simplifies network monitoring and improves security posture.

Create and configure virtual network peering

Virtual network peering lets two VNets communicate privately through the Azure backbone. Once peered, resources in each VNet can directly access each other using private IPs, achieving low-latency and high-bandwidth connectivity. There are two main types: regional peering (within the same Azure region) and global peering (across regions).

Before you peer VNets, ensure they have non-overlapping IP address ranges. You also need appropriate permissions in each subscription if crossing tenant boundaries. To set up peering:

• Create a peering connection in VNet A pointing to VNet B
• Create the reciprocal peering in VNet B
• Enable options such as allow forwarded traffic or gateway transit

Peering does not automatically share NSGs or route tables. If you require complex routing or inspection, consider using Network Virtual Appliances or Azure Firewall and configure user-defined routes accordingly.

Configure public IP addresses

A public IP address in Azure provides your resources a unique address on the internet. You can choose between dynamic and static allocation. Dynamic addresses may change if the associated resource is deallocated, while static addresses remain constant. Public IPs also come in two SKUs: Basic and Standard, with Standard offering zone redundancy and improved performance.

You can assign public IPs to:

• Virtual machines for direct SSH or RDP access
• Load balancers to distribute incoming traffic
• Azure NAT Gateway for outbound connectivity

When creating a public IP, pick the correct allocation method and SKU based on your availability needs. For mission-critical services, use a static Standard public IP and secure access with NSGs or Azure Firewall to limit exposure.

Configure user-defined network routes

User-defined routes (UDRs) let you override Azure’s default routing to control traffic flow. Each route table contains routes with a destination prefix and a next hop type (such as Virtual Appliance, Internet, or Virtual Network Gateway). When a packet matches a route, Azure sends it to the specified next hop instead of using the standard path.

Common use cases include:

• Forced tunneling back to on-premises via VPN or ExpressRoute
• Directing traffic through a Network Virtual Appliance for inspection
• Dropping or blackholing malicious traffic

To configure UDRs, create a route table, add routes for each prefix, and associate the table with one or more subnets. Remember that the most specific prefix takes precedence, and you can only assign one route table per subnet.

Troubleshoot network connectivity

Troubleshooting Azure networks often starts with Azure Network Watcher, which offers tools like Connection Troubleshoot, IP Flow Verify, and Packet Capture. These features help you test paths, verify NSG rules, and capture traffic for analysis. You can also use NSG flow logs to see allowed and denied traffic over time.

A typical troubleshooting workflow includes:

• Validating DNS resolution and IP address assignments
• Checking NSG rules and route tables for blocking rules
• Testing end-to-end connections with ping or TCP ping

If issues persist, leverage Azure Advisor for network recommendations and monitor metrics in Azure Monitor. Keeping logs and alerts in place ensures you catch connectivity problems quickly and maintain reliable network operations.

Conclusion

In this section, you learned how to design and deploy Azure VNets and subnets, ensuring proper address space planning and segmentation. You explored virtual network peering to connect VNets privately, and saw how to assign and secure public IP addresses for internet access. Through user-defined routes, you gained fine-grained control over traffic paths, and you practiced using Azure’s built-in tools to troubleshoot network connectivity. Together, these skills help you build scalable, secure, and well-managed virtual networks in Azure.