You're a great admin... on-prem. Now, become a great admin in the cloud and prove it by passing the Microsoft Certified: Azure Administrator Associate exam!
Gauge your current knowledge
Gauge your current knowledge
Creating a virtual network (VNet) in Azure gives you a logical isolation boundary for your resources. You start by choosing an address space using a CIDR block, such as 10.0.0.0/16, that will not conflict with on-premises networks. Subnets break that address space into smaller segments, so you can group related resources and apply different security rules.
You can create VNets and subnets through the Azure Portal, Azure CLI, or Azure PowerShell. Key steps include:
Best practices for VNets include planning for growth and preventing IP conflicts. Always reserve extra address space for future needs and use separate subnets for web, application, and database tiers. Proper segmentation also simplifies network monitoring and improves security posture.
Virtual network peering lets two VNets communicate privately through the Azure backbone. Once peered, resources in each VNet can directly access each other using private IPs, achieving low-latency and high-bandwidth connectivity. There are two main types: regional peering (within the same Azure region) and global peering (across regions).
Before you peer VNets, ensure they have non-overlapping IP address ranges. You also need appropriate permissions in each subscription if crossing tenant boundaries. To set up peering:
Peering does not automatically share NSGs or route tables. If you require complex routing or inspection, consider using Network Virtual Appliances or Azure Firewall and configure user-defined routes accordingly.
A public IP address in Azure provides your resources a unique address on the internet. You can choose between dynamic and static allocation. Dynamic addresses may change if the associated resource is deallocated, while static addresses remain constant. Public IPs also come in two SKUs: Basic and Standard, with Standard offering zone redundancy and improved performance.
You can assign public IPs to:
When creating a public IP, pick the correct allocation method and SKU based on your availability needs. For mission-critical services, use a static Standard public IP and secure access with NSGs or Azure Firewall to limit exposure.
User-defined routes (UDRs) let you override Azure’s default routing to control traffic flow. Each route table contains routes with a destination prefix and a next hop type (such as Virtual Appliance, Internet, or Virtual Network Gateway). When a packet matches a route, Azure sends it to the specified next hop instead of using the standard path.
Common use cases include:
To configure UDRs, create a route table, add routes for each prefix, and associate the table with one or more subnets. Remember that the most specific prefix takes precedence, and you can only assign one route table per subnet.
Troubleshooting Azure networks often starts with Azure Network Watcher, which offers tools like Connection Troubleshoot, IP Flow Verify, and Packet Capture. These features help you test paths, verify NSG rules, and capture traffic for analysis. You can also use NSG flow logs to see allowed and denied traffic over time.
A typical troubleshooting workflow includes:
If issues persist, leverage Azure Advisor for network recommendations and monitor metrics in Azure Monitor. Keeping logs and alerts in place ensures you catch connectivity problems quickly and maintain reliable network operations.
In this section, you learned how to design and deploy Azure VNets and subnets, ensuring proper address space planning and segmentation. You explored virtual network peering to connect VNets privately, and saw how to assign and secure public IP addresses for internet access. Through user-defined routes, you gained fine-grained control over traffic paths, and you practiced using Azure’s built-in tools to troubleshoot network connectivity. Together, these skills help you build scalable, secure, and well-managed virtual networks in Azure.