Azure Networking — VNets, Subnets & NSGs
Master Azure Virtual Networks, Subnets, Network Security Groups, and how to connect resources securely.
“Welcome back. Today we're tackling one of the most important topics in Azure — networking. If you're building anything in Azure, you need to understand Virtual Networks. Get this wrong and your resources are either unreachable or dangerously exposed. By the end of this video you'll know how to design and secure a proper Azure network.”
“A Virtual Network is your private network inside Azure. When you create a VNet, you define an address space — typically something like 10.0.0.0/16 — and all resources you place inside it get private IP addresses from that range. By default, no other VNet can reach yours, and nothing from the internet can get in unless you explicitly allow it. It's your own isolated network slice in Microsoft's data centers.”
“Within a VNet you create subnets to segment your network. A classic three-tier architecture has a web subnet for your front-end servers, an app subnet for business logic, and a database subnet for your data tier. Each subnet gets its own IP range, and you can apply different security rules to each. This way your database servers are completely isolated from direct internet traffic — only your app servers can reach them.”
“A Network Security Group is Azure's built-in firewall. You attach it to a subnet or a network interface, and it filters traffic based on rules you define. Each rule specifies a source, destination, port, and whether to allow or deny. Rules are processed in priority order — the lowest number wins. By default Azure denies all inbound traffic from the internet, which is a good secure starting point.”
“Here's a practical example for a three-tier app. We allow HTTPS from the internet into the web subnet. The web servers can talk to the app servers on port 8080, but only from within the VNet. The app servers can reach the database on SQL port 1433, but only from the app subnet. Everything else is denied. This is defense in depth — even if an attacker breaches the web tier, they can't directly reach the database.”
“Every resource in a VNet gets a private IP automatically. Public IPs are optional and only needed when you want something accessible from the internet — like a web server or a VPN gateway. Choose Static public IPs when you need a consistent address for DNS or firewall rules. Azure best practice is to minimize public IPs — use a load balancer or Application Gateway as the single public entry point, keeping all backend VMs private.”
“VNet Peering lets you connect two Virtual Networks so their resources can communicate privately, without the traffic ever touching the public internet. It uses Microsoft's backbone network, so latency is extremely low. Global VNet Peering even works across Azure regions. The most common pattern is hub-and-spoke — a central hub VNet hosts shared services like firewalls and gateways, and spoke VNets for each application peer back to the hub.”
“Azure provides automatic DNS within a VNet — resources can resolve each other by name without any configuration. For public-facing domains, Azure DNS lets you host your DNS zones in Azure, integrated with your resources. Private DNS Zones let you create custom domain names that only resolve inside your VNet — perfect for microservices calling each other by name rather than IP address.”
“Now let's build this in the portal. I'll create a VNet with two subnets, set up an NSG that protects the database subnet, and then show you how VNet peering works. Watch how the effective security rules view shows you exactly what traffic is allowed at any point — this is incredibly useful for troubleshooting.”
“You now have a solid foundation in Azure networking. VNets give you isolation, subnets give you segmentation, NSGs give you traffic control, and peering connects it all. These concepts are fundamental to every Azure architecture. Next video we're covering Azure Identity — Azure Active Directory, now called Microsoft Entra ID — covering users, groups, roles, and how access management works in Azure. See you there.”
1. Create a Virtual Network with two subnets (web-subnet, db-subnet)
2. Create a Network Security Group and attach it to db-subnet
3. Add inbound rule: allow port 1433 only from web-subnet
4. Add inbound rule: deny all other inbound traffic
5. Create a VM in web-subnet and another in db-subnet
6. Show effective security rules on the NIC
7. Enable VNet peering between two VNets
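As an added example (not code from the video or from any Azure tooling), the following Python simulation of NSG inbound processing encodes the database-subnet rules from the three-tier design in the transcript together with Azure's default inbound rules, using constructed subnet ranges. It shows why the explicit "deny all other inbound" rule from the demo steps is needed: without it, the default AllowVnetInBound rule at priority 65000 would still admit the web subnet. The AzureLoadBalancer default rule (65001) is left out of the simulation, and the Internet tag is approximated as "any address outside the VNet".

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan mirroring the transcript's three-tier layout (assumed values).
VNET = ipaddress.ip_network("10.0.0.0/16")
SUBNETS = {"web": "10.0.1.0/24", "app": "10.0.2.0/24", "db": "10.0.3.0/24"}

@dataclass(frozen=True)
class Rule:
    priority: int   # lower number is evaluated first
    source: str     # CIDR, or a service tag: "Internet", "VirtualNetwork", "*"
    dest_port: str  # port number as a string, or "*"
    access: str     # "Allow" or "Deny"

def source_matches(src_ip: str, source: str) -> bool:
    """Resolve an NSG source (CIDR or service tag) against a concrete source address."""
    ip = ipaddress.ip_address(src_ip)
    if source == "*":
        return True
    if source == "VirtualNetwork":
        return ip in VNET
    if source == "Internet":  # simplified: anything outside our VNet address space
        return ip not in VNET
    return ip in ipaddress.ip_network(source)

def evaluate(rules, src_ip: str, dest_port: int) -> str:
    """First match in ascending priority order wins, which is how NSGs process rules."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if source_matches(src_ip, rule.source) and rule.dest_port in ("*", str(dest_port)):
            return rule.access
    return "Deny"  # not reached once the default rules are present

# Default inbound rules Azure places in every NSG; they can only be overridden by lower numbers.
DEFAULT_INBOUND = [
    Rule(65000, "VirtualNetwork", "*", "Allow"),
    Rule(65500, "*", "*", "Deny"),
]

# NSG for the database subnet: SQL only from the app subnet, then an explicit deny.
# The deny at 200 matters: without it, default rule 65000 would still let the web subnet in.
DB_NSG_RULES = [
    Rule(100, SUBNETS["app"], "1433", "Allow"),
    Rule(200, "*", "*", "Deny"),
]

def db_inbound(src_ip: str, port: int = 1433, custom_rules=DB_NSG_RULES) -> str:
    """Effective verdict for traffic into the db subnet (custom rules plus Azure defaults)."""
    return evaluate(list(custom_rules) + DEFAULT_INBOUND, src_ip, port)
```

Passing `custom_rules=DB_NSG_RULES[:1]` reproduces the misconfiguration where the explicit deny is missing and a web-tier host can reach SQL on 1433.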