Azure Virtual Networks Explained: VNet, Subnets, and NSG

Networking is the invisible backbone of every cloud architecture. In Azure, the fundamental networking construct is the Virtual Network (VNet) — a logically isolated network in the Azure cloud where you launch your resources. Understanding VNets, subnets, and Network Security Groups (NSGs) is essential before you deploy any production workload.

What Is an Azure Virtual Network?

A VNet is your own private network within Azure. Resources inside a VNet — virtual machines, app services, databases — can communicate with each other privately without traffic ever touching the public internet. VNets are scoped to a single Azure region, but you can connect VNets across regions using VNet Peering or Azure VPN Gateway.

When you create a VNet, you define an address space using CIDR notation. A common choice for a VNet is 10.0.0.0/16, which gives you 65,536 addresses to allocate across subnets.

# Create a resource group
az group create --name rg-network-demo --location eastus

# Create a VNet with a /16 address space
az network vnet create \
  --resource-group rg-network-demo \
  --name vnet-prod \
  --address-prefixes 10.0.0.0/16 \
  --location eastus

Subnets: Dividing Your VNet

Subnets divide a VNet into smaller, logical segments. Each subnet gets a portion of the VNet's address space, and resources in different subnets can communicate with each other by default (subject to NSG rules). Well-designed subnet architecture separates tiers of your application:

  • Frontend subnet (10.0.1.0/24): Web servers and load balancers that face the internet.
  • Backend subnet (10.0.2.0/24): Application servers with no direct internet access.
  • Database subnet (10.0.3.0/24): Databases, accessible only from the backend subnet.
  • Management subnet (10.0.4.0/24): Bastion hosts or jump boxes for administrative access.

# Create subnets inside the VNet (one per tier)
az network vnet subnet create \
  --resource-group rg-network-demo \
  --vnet-name vnet-prod \
  --name subnet-frontend \
  --address-prefixes 10.0.1.0/24

az network vnet subnet create \
  --resource-group rg-network-demo \
  --vnet-name vnet-prod \
  --name subnet-backend \
  --address-prefixes 10.0.2.0/24

az network vnet subnet create \
  --resource-group rg-network-demo \
  --vnet-name vnet-prod \
  --name subnet-database \
  --address-prefixes 10.0.3.0/24

Network Security Groups (NSGs)

An NSG is a virtual firewall that controls inbound and outbound traffic to Azure resources. You can attach an NSG to a subnet (affecting all resources in that subnet) or to an individual network interface card (NIC) on a VM. NSG rules have five fields:

  • Priority: Lower numbers are processed first (100–4096).
  • Source / Destination: IP address, IP range, service tag, or application security group.
  • Port: Single port, range, or wildcard (*).
  • Protocol: TCP, UDP, ICMP, or Any.
  • Action: Allow or Deny.

# Create an NSG for the frontend subnet
az network nsg create \
  --resource-group rg-network-demo \
  --name nsg-frontend

# Allow HTTPS inbound from anywhere
az network nsg rule create \
  --resource-group rg-network-demo \
  --nsg-name nsg-frontend \
  --name Allow-HTTPS-Inbound \
  --priority 100 \
  --direction Inbound \
  --source-address-prefixes "*" \
  --destination-port-ranges 443 \
  --protocol Tcp \
  --access Allow

# Deny all other inbound traffic
az network nsg rule create \
  --resource-group rg-network-demo \
  --nsg-name nsg-frontend \
  --name Deny-All-Inbound \
  --priority 4000 \
  --direction Inbound \
  --source-address-prefixes "*" \
  --destination-port-ranges "*" \
  --protocol "*" \
  --access Deny

# Associate the NSG with the frontend subnet
az network vnet subnet update \
  --resource-group rg-network-demo \
  --vnet-name vnet-prod \
  --name subnet-frontend \
  --network-security-group nsg-frontend
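To make the evaluation order concrete, here is an added Python model (not part of the original article and not Azure's own code) of how an inbound NSG decision is reached: user rules in ascending priority order, then the platform default rules. It encodes the two nsg-frontend rules above and assumes a flow is described by source IP, destination port and protocol; the AzureLoadBalancer default rule is left out because that service tag is not modelled.

```python
import ipaddress
from dataclasses import dataclass

VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")  # vnet-prod address space from the article

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # user rules 100-4096; lower numbers are evaluated first
    source: str       # CIDR, "*" or the "VirtualNetwork" service tag
    dest_ports: str   # "443", "1000-2000" or "*"
    protocol: str     # "Tcp", "Udp", "Icmp" or "*"
    access: str       # "Allow" or "Deny"

def _source_matches(spec, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":      # tag covers the VNet address space
        return ip in VNET_SPACE
    return ip in ipaddress.ip_network(spec, strict=False)

def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

# Azure's default inbound rules sit below every user rule. The real set also
# has AllowAzureLoadBalancerInBound at 65001, omitted here (tag not modelled).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

def evaluate(user_rules, src_ip, dest_port, protocol):
    """Return (access, rule name) of the first matching rule for an inbound flow."""
    for r in sorted(list(user_rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if (_source_matches(r.source, src_ip)
                and _port_matches(r.dest_ports, dest_port)
                and (r.protocol == "*" or r.protocol.lower() == protocol.lower())):
            return r.access, r.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")

# The two rules created for nsg-frontend in the article.
FRONTEND_RULES = [
    Rule("Allow-HTTPS-Inbound", 100, "*", "443", "Tcp", "Allow"),
    Rule("Deny-All-Inbound", 4000, "*", "*", "*", "Deny"),
]
```

Running the model shows that the explicit Deny-All-Inbound at priority 4000 also shadows the default AllowVnetInBound rule at 65000, so traffic from the backend subnet to the frontend subnet is denied unless an allow rule with a lower priority number is added.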

Service Tags

Instead of specifying individual IP ranges for Azure services, use Service Tags — named groups of IP prefixes managed by Microsoft. Common service tags:

  • Internet — all internet IP addresses
  • AzureLoadBalancer — health probe traffic from Azure Load Balancer
  • VirtualNetwork — all addresses in your VNet and peered VNets
  • Storage — Azure Storage service endpoints

Using service tags makes NSG rules self-maintaining — Microsoft updates the underlying IP ranges automatically.

VNet Peering

Connect two VNets — in the same region or across regions — using VNet Peering. Peered VNets route traffic over the Microsoft backbone network (not the internet), giving you low-latency, private connectivity without a VPN gateway.

# Peer vnet-prod with vnet-shared (assuming vnet-shared exists in the same resource group)
# The link only becomes Connected once a matching peering is also created
# from vnet-shared back to vnet-prod.
az network vnet peering create \
  --resource-group rg-network-demo \
  --name peer-prod-to-shared \
  --vnet-name vnet-prod \
  --remote-vnet vnet-shared \
  --allow-vnet-access

Remember that peering is non-transitive: if VNet A is peered with VNet B, and VNet B is peered with VNet C, VNet A cannot communicate with VNet C without a direct peering between A and C.

Key Takeaways

Well-designed Azure networking starts with a properly sized VNet, logically separated subnets by tier, and NSGs that enforce least-privilege traffic rules. Plan your IP address space carefully — it is difficult to change later. Layer VNet Peering and service tags on top to build scalable, secure network architectures that grow with your workloads.