Configuring virtual networks (VNets) and subnets is a critical task within the Azure Administrator Associate curriculum, serving as the fundamental layer for cloud resource connectivity. An Azure VNet is a logically isolated section of the Azure cloud dedicated to your subscription. When configurin…Configuring virtual networks (VNets) and subnets is a critical task within the Azure Administrator Associate curriculum, serving as the fundamental layer for cloud resource connectivity. An Azure VNet is a logically isolated section of the Azure cloud dedicated to your subscription. When configuring a VNet, the primary requirement is defining an IPv4 or IPv6 address space using Classless Inter-Domain Routing (CIDR) notation (e.g., 10.0.0.0/16). It is vital to ensure these ranges do not overlap with your on-premises infrastructure or other cloud networks to facilitate feasible peering and hybrid connectivity.
Once the VNet is established, the address space is segmented into subnets. Subnets allow for the logical organization of resources and the application of granular security controls. Each subnet must fall within the VNet's address space (e.g., 10.0.1.0/24). Administrators must remember that Azure reserves five IP addresses in every subnet for internal routing and management, which impacts capacity planning.
Security and routing are managed at the subnet level. Administrators deploy Network Security Groups (NSGs) associated with subnets to filter inbound and outbound traffic based on rules defined by source/destination IP, port, and protocol. Furthermore, specific architectural roles require dedicated subnets with immutable names, such as 'GatewaySubnet' for Virtual Network Gateways or 'AzureBastionSubnet' for secure remote access.
Finally, VNet configuration includes defining DNS settings. While Azure provides default name resolution, enterprise environments often require configuring custom DNS servers on the VNet to handle hybrid name resolution. Proper configuration of VNets and subnets ensures a precise balance of connectivity, isolation, and security for virtual machines and PaaS services.
Mastering Virtual Networks and Subnets for Azure Administrator (AZ-104)
Why is this Important? Virtual Networks (VNets) are the fundamental building block for your private network in Azure. Understanding VNets is critical because they enable Azure resources, such as Virtual Machines (VMs), to securely communicate with each other, the internet, and on-premises networks. Without proper VNet and subnet configuration, you risk security vulnerabilities, connectivity failures, and IP address conflicts. It is the foundation upon which hybrid cloud connectivity and traffic isolation are built.
What is it? An Azure Virtual Network (VNet) is a logical representation of your network in the cloud. It is isolated from other networks by default. A Subnet is a range of IP addresses within the VNet. You divide a VNet into subnets for security and operational organization. All resources in a VNet are deployed into a specific subnet.
How it works 1. Scoping: A VNet is scoped to a single Azure Region (e.g., East US), but it spans all Availability Zones within that region. It cannot span across regions. 2. Address Space: You assign a private IP address space using CIDR notation (e.g., 10.0.0.0/16). This space can define up to 65,536 addresses. 3. Segmentation: You slice that large address space into smaller chunks called subnets (e.g., 10.0.1.0/24 for Web servers, 10.0.2.0/24 for Databases). 4. The 5 Reserved IPs: Unlike standard on-premises networking, Azure reserves 5 IP addresses within heavily subnet. For a subnet with a range like 192.168.1.0/24: - x.x.x.0: Network address. - x.x.x.1: Reserved by Azure for the default gateway. - x.x.x.2: Reserved by Azure to map the Azure DNS IPs. - x.x.x.3: Reserved by Azure for future use. - x.x.x.255: Network broadcast address.
How to answer questions regarding Configure virtual networks and subnets When analyzing AZ-104 scenarios, apply this logic: 1. Validate IP Overlaps: If the scenario involves connecting two networks (Peering or VPN), check the CIDR ranges immediately. If VNet A (10.0.0.0/16) and VNet B (10.0.0.0/24) overlap, they cannot be connected. 2. Count Resources vs. IPs: If asked to design a subnet for a specific number of VMs, always calculate: (Total IPs requested) + 5 Reserved IPs. Then choose the smallest CIDR block that fits that sum. 3. Check Constraints: Look for constraints about regions. If a question asks to place a VM in 'Region A' into a VNet in 'Region B', the answer is that it is not possible directly; they must be in the same region.
Exam Tips: Answering Questions on Configure virtual networks and subnets Tip 1: The 'Minus 5' Calculation. This is a frequent exam trap. If a question asks 'How many usable IP addresses are in a /24 subnet?', the answer is 251 (256 total minus 5 reserved), not 256 or 254.
Tip 2: GatewaySubnet Strict Naming. If you are configuring a VPN Gateway or ExpressRoute, the designated subnet must be named GatewaySubnet. Any deviation (e.g., 'Gateway-Subnet' or 'GwSubnet') will cause the deployment to fail.
Tip 3: Subnet Resizing Limitations. You cannot change the CIDR range of a subnet if there are any resources (even powered-off VMs) inside it. You must delete or move the resources before resizing the subnet.
Tip 4: DHCP is Automatic. Azure manages IP assignment via its own DHCP. You do not deploy DHCP servers in Azure subnets, and you generally do not configure static IPs inside the VM's Operating System; you configure the 'Static' assignment on the Azure Network Interface (NIC) object.