
Domain 2: Describe Azure Architecture and Services (Premium, ~11 min read)

Azure Networking: VNets, Subnets, and Peering

Virtual networks are the backbone of Azure networking. They let your resources communicate securely with each other, with the internet, and with your on-premises network.

What is an Azure Virtual Network?

☕ Simple explanation

Think of a virtual network (VNet) as a private office building in the cloud.

Your VMs, databases, and other resources are like offices inside the building. They can talk to each other freely because they’re on the same internal network, just like colleagues in the same office.

Subnets are floors in the building. The web servers might be on Floor 1, the databases on Floor 2. You can control who goes between floors using security rules.

Peering connects two buildings together with a private hallway. Resources in Building A can reach resources in Building B without going through the public internet.

Azure Virtual Network (VNet) is the fundamental networking building block in Azure. It provides an isolated, private network space for your Azure resources. VNets enable:

1. Communication between Azure resources: VMs and other VNet-connected resources communicate over private IP addresses. PaaS services like App Service and SQL Database can also be integrated into a VNet via service endpoints or private endpoints.

2. Communication with the internet: outbound by default; inbound requires a public IP or load balancer.

3. Communication with on-premises networks: via VPN Gateway or ExpressRoute.

VNets are scoped to a single region but can connect to VNets in other regions via VNet peering. They are free to create; charges apply to gateways, peering traffic, and public IPs.

VNets: your private cloud network

When you create a VNet, you define:

  • Address space: the range of private IP addresses available (e.g., 10.0.0.0/16 = 65,536 addresses)
  • Region: VNets exist in a single Azure region
  • Subnets: subdivisions of the address space

Key facts about VNets:

| Fact | Detail |
|---|---|
| Isolation | Each VNet is isolated from others by default |
| Region-scoped | A VNet exists in one region (but can peer with other regions) |
| Free to create | No charge for the VNet itself |
| Private IP addresses | Resources in a VNet get private IPs automatically |
| DNS | Azure provides built-in DNS, or you can use custom DNS |

Summit Construction’s network design

VNet: summit-prod-vnet (10.0.0.0/16)
├── Subnet: web-tier (10.0.1.0/24), 256 addresses
│     ├── VM: portal-web-01
│     └── VM: portal-web-02
├── Subnet: app-tier (10.0.2.0/24)
│     └── VM: portal-app-01
└── Subnet: data-tier (10.0.3.0/24)
      └── SQL Database: portal-db

Each subnet has its own network security group (NSG) controlling which traffic flows between tiers.

Subnets: segmenting your network

Subnets divide a VNet into smaller sections. This lets you:

  • Organise resources: group related resources (web servers in one subnet, databases in another)
  • Apply security rules: attach Network Security Groups (NSGs) to control traffic per subnet
  • Manage IP addresses: allocate address ranges efficiently

Security example: Harbour Health’s database subnet only allows traffic from the application subnet. No direct internet access to the database, ever.

| Subnet | Allowed Inbound Traffic | Blocked |
|---|---|---|
| Web subnet | Internet (ports 80, 443) | Everything else |
| App subnet | Web subnet only | Internet, direct DB access |
| Data subnet | App subnet only | Internet, web subnet |

Key concept: Subnets within the same VNet can communicate by default. You use NSGs to restrict traffic between subnets; this is how you implement network segmentation (a defence-in-depth practice).
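The following added example (not part of the original guide) models the data-subnet row of the table as NSG inbound rules, with a weak rule set beside a hardened one, to show why an allow rule alone does not segment the tiers. It assumes the three-tier address ranges from the network design above, port 1433 for the database, a constructed deny-rule priority of 4000, and a simplified version of the NSG default rules (allow from inside the VNet at priority 65000, deny everything else at 65500).

```python
import ipaddress

# Constructed address plan, reusing the three-tier ranges shown earlier on the page.
VNET = ipaddress.ip_network("10.0.0.0/16")
WEB = ipaddress.ip_network("10.0.1.0/24")
APP = ipaddress.ip_network("10.0.2.0/24")
DATA = ipaddress.ip_network("10.0.3.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Simplified model of the NSG default inbound rules: traffic from inside the
# VNet is allowed (priority 65000), everything else is denied (priority 65500).
# Rule shape: (priority, source network, set of ports or None for any, action).
DEFAULT_RULES = [
    (65000, VNET, None, "Allow"),
    (65500, ANY, None, "Deny"),
]

def evaluate(rules, src_ip, port):
    """Return the action of the first matching rule, lowest priority number first."""
    src = ipaddress.ip_address(src_ip)
    for _prio, source, ports, action in sorted(rules + DEFAULT_RULES, key=lambda r: r[0]):
        if src in source and (ports is None or port in ports):
            return action
    return "Deny"

# Weak: only an allow rule for the app tier. The default VNet allow rule
# still lets the web tier reach the database.
DATA_NSG_WEAK = [(100, APP, {1433}, "Allow")]

# Hardened: an explicit deny for the rest of the VNet, evaluated before the default allow.
DATA_NSG_HARDENED = [
    (100, APP, {1433}, "Allow"),
    (4000, VNET, None, "Deny"),
]

def audit(rules):
    """Check the data-subnet row of the table: app subnet only."""
    flows = {  # constructed sample flows
        "app -> data": ("10.0.2.4", 1433),
        "web -> data": ("10.0.1.4", 1433),
        "internet -> data": ("203.0.113.10", 1433),
    }
    return {name: evaluate(rules, ip, port) for name, (ip, port) in flows.items()}

if __name__ == "__main__":
    print("weak    ", audit(DATA_NSG_WEAK))
    print("hardened", audit(DATA_NSG_HARDENED))
```

With the weak rule set the web tier is still allowed through by the default intra-VNet rule; only the hardened set matches the table.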

VNet peering: connecting networks

By default, VNets are isolated. VNet peering connects two VNets so resources can communicate using private IP addresses:

Regional vs global VNet peering

| Feature | Regional Peering | Global Peering |
|---|---|---|
| Connects | VNets in the same region | VNets in different regions |
| Latency | Same as within a single VNet | Slightly higher (cross-region) |
| Traffic stays | On Microsoft backbone network | On Microsoft backbone network |
| Cost | Charged per GB transferred | Charged per GB (higher rate for cross-region) |

Important peering rules:

  • Peering is not transitive: if VNet A peers with VNet B, and VNet B peers with VNet C, VNet A cannot reach VNet C automatically
  • Both VNets must explicitly set up peering
  • Traffic uses Microsoft’s backbone network (never the public internet)
  • Address spaces must not overlap

💡 Exam tip: Peering is not transitive

This is a commonly tested concept. If VNet A connects to VNet B, and VNet B connects to VNet C:

  • A ↔ B: ✅ can communicate
  • B ↔ C: ✅ can communicate
  • A ↔ C: ❌ CANNOT communicate (unless you also peer A with C)

Think of it like phone contacts. Just because you have Bob’s number and Bob has Carol’s number doesn’t mean you have Carol’s number.
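As an added example (not from the original guide), this sketch checks a peering plan against the rules above: both sides must set up the peering, address spaces must not overlap, and reachability is direct only. The VNet names, address ranges, and links are constructed for illustration.

```python
import ipaddress

# Constructed VNets; names and address spaces are illustrative.
VNETS = {
    "vnet-a": "10.0.0.0/16",
    "vnet-b": "10.1.0.0/16",
    "vnet-c": "10.2.0.0/16",
    "vnet-d": "10.1.128.0/17",  # falls inside vnet-b's range
}

# Each tuple is one side of a peering: (configured on, pointing to).
LINKS = {
    ("vnet-a", "vnet-b"), ("vnet-b", "vnet-a"),
    ("vnet-b", "vnet-c"), ("vnet-c", "vnet-b"),
    ("vnet-c", "vnet-d"),  # only one side set up
}

def overlaps(x, y):
    """True when the two address spaces share any addresses."""
    return ipaddress.ip_network(VNETS[x]).overlaps(ipaddress.ip_network(VNETS[y]))

def can_communicate(x, y, links=LINKS):
    """Direct peering only: no overlap, and both sides have set it up."""
    if overlaps(x, y):
        return False
    return (x, y) in links and (y, x) in links

def half_open(links=LINKS):
    """Peerings configured on one side only."""
    return sorted(pair for pair in links if pair[::-1] not in links)

def transitive_gaps(links=LINKS):
    """Pairs that share a peered neighbour but have no direct peering."""
    names = sorted(VNETS)
    gaps = set()
    for x in names:
        for y in names:
            if x < y and not can_communicate(x, y, links):
                if any(can_communicate(x, m, links) and can_communicate(m, y, links)
                       for m in names):
                    gaps.add((x, y))
    return gaps

if __name__ == "__main__":
    print("A <-> B:", can_communicate("vnet-a", "vnet-b"))
    print("A <-> C:", can_communicate("vnet-a", "vnet-c"))
    print("B overlaps D:", overlaps("vnet-b", "vnet-d"))
    print("one-sided peerings:", half_open())
    print("reachable only via a middle VNet:", transitive_gaps())
```

The pairs returned by `transitive_gaps` are the ones a design might wrongly assume can talk through a shared neighbour; each needs its own peering if that traffic is intended.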


Flashcards

Question: What is an Azure Virtual Network (VNet)?

Answer: A private, isolated network in Azure where your resources communicate using private IP addresses. VNets are region-scoped, free to create, and provide isolation, DNS, and subnet segmentation.

Question: What are subnets used for?

Answer: Subnets divide a VNet into smaller sections for organisation, security (NSGs per subnet), and IP address management. Resources in the same VNet can communicate by default; NSGs restrict traffic between subnets.

Question: Is VNet peering transitive?

Answer: No. If VNet A peers with VNet B, and VNet B peers with VNet C, A cannot communicate with C. You must explicitly create a peering between A and C.

Question: What network does peered VNet traffic travel over?

Answer: Microsoft's private backbone network, never the public internet. This provides low latency and high security for peered VNet communication.

Knowledge Check

1. Summit Construction has web servers and database servers in the same VNet but different subnets. They want to prevent the web servers from directly accessing the database. What should they use?

2. Harbour Health has VNet A peered with VNet B, and VNet B peered with VNet C. Can resources in VNet A communicate with resources in VNet C?


Next up: Connecting to Azure from the outside (VPN Gateway, ExpressRoute, Azure DNS, and public/private endpoints).


© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.