Azure Fundamentals Networking: Master Cloud Networking Concepts

Q: What is the difference between a Virtual Network and a Subnet?

A Virtual Network (VNet) is a logically isolated network environment in Azure defined by an address space, such as 10.0.0.0/16. A subnet is a smaller division within that VNet, such as 10.0.1.0/24, used to further segment resources. Think of a VNet as a large office building and subnets as individual floors or departments. Resources in the same VNet communicate with each other by default. Subnets provide additional organization and allow you to apply different security rules and routing policies. You can have multiple subnets within a single VNet. The total IP addresses in all subnets cannot exceed the parent VNet's address space. Understanding this hierarchy is fundamental to designing scalable Azure networks.

Q: How do Network Security Groups protect Azure resources?

Network Security Groups (NSGs) act as stateful firewalls that filter traffic based on rules you define. Each NSG contains inbound rules that control traffic entering your resources and outbound rules that control traffic leaving them. Rules are processed in priority order, with lower numbers evaluated first. The first matching rule determines whether traffic is allowed or denied. By default, NSGs deny all inbound traffic and allow all outbound traffic, providing a secure-by-default posture. Apply NSGs at the subnet level to protect all resources in that subnet or at individual network interface levels for granular control. Common use cases include allowing only HTTP and HTTPS traffic to web servers and restricting database access to application servers only. NSGs are essential for implementing the principle of least privilege in cloud security.

Q: When should I use ExpressRoute versus Site-to-Site VPN?

ExpressRoute provides a dedicated, private connection with consistent high bandwidth and low latency, ideal for mission-critical workloads and large data transfers. It requires more setup time and investment but offers superior reliability and performance. Site-to-Site VPN uses encrypted tunnels over the public internet, making it faster to deploy and more cost-effective for smaller organizations or non-critical workloads. VPN is appropriate when you need occasional hybrid connectivity or backup connections. Consider ExpressRoute if your organization has demanding performance requirements, significant data transfer needs, or compliance requirements demanding dedicated connections. Choose VPN for rapid deployment, lower costs, or as a backup solution. Many organizations use both, employing ExpressRoute for primary production traffic and VPN as a failover option.

Q: What is Virtual Network Peering and why is it useful?

Virtual Network Peering establishes a direct, private connection between two Azure VNets, allowing resources in different networks to communicate securely and efficiently. Peering can be regional (connecting VNets in the same region) or global (connecting VNets across different regions). Regional peering offers lower latency and no data transfer charges between peered networks. Global peering enables organization-wide integration across geographic locations. Peering is useful for connecting different organizational departments and isolating production from development environments while maintaining connectivity. Unlike VPN gateways, peering provides direct mesh connectivity without additional hops, resulting in better performance. You can also enable transitive peering through User Defined Routes, allowing indirect connections through hub-and-spoke network topologies.

Q: How do flashcards help me learn Azure networking concepts more effectively?

Flashcards are particularly effective for Azure networking because they force active recall, which strengthens memory far more than passive reading. When studying networking, you encounter many interconnected concepts requiring integration of multiple facts. Flashcards break these integrated concepts into focused questions that test individual elements. Scenario-based flashcards are especially valuable. Rather than memorizing that ExpressRoute exists, flashcards prompt you to recall when ExpressRoute is appropriate given specific business requirements. The portability of digital flashcards lets you study during commutes or breaks. Spaced repetition algorithms ensure you focus on material you find challenging. Group related cards by topic to maintain coherent study sessions. Review your incorrect answers immediately after completing study sessions to reinforce learning.

By FluentFlash Research Team·Updated 2026-04-30

Azure Fundamentals networking is essential for the AZ-900 certification exam and real-world cloud architecture. This topic covers virtual networks, subnets, network security groups, and connectivity options that form the foundation of secure cloud infrastructure.

Mastering how data flows through cloud networks, implementing security controls, and choosing the right connectivity options will help you pass the exam and make informed decisions in cloud engineering roles. Flashcards excel for this topic because they help you internalize relationships between networking components and quickly recall Azure services during high-pressure exams.

Key Takeaways

•Virtual Networks are isolated network environments defined by address space and subdivided into subnets for organization and security controls
•Network Security Groups function as stateful firewalls with rules processed by priority order, enforcing secure-by-default traffic policies
•Choose connectivity based on requirements: ExpressRoute for high-performance dedicated connections, VPN for cost-effective encrypted tunnels, or peering for direct VNet-to-VNet communication
•Public IP addresses enable internet access while private IP addresses enable internal VNet communication and organizational separation
•Distribute traffic across layers using Load Balancer (layer 4), Application Gateway (layer 7), and Traffic Manager (DNS-level) for improved availability and performance
•Combine hands-on Azure free tier practice with strategic flashcard study to internalize networking concepts and pass the AZ-900 exam

Virtual Networks and Subnets in Azure

What Are Virtual Networks?

Virtual Networks (VNets) are logically isolated network environments in Azure where you launch resources like virtual machines, app services, and databases. When you create a VNet, you define an address space using CIDR notation (for example, 10.0.0.0/16), which provides 65,536 available IP addresses.

Understanding Subnets

Subnets are divisions within your VNet that segment your network further. You might create a subnet 10.0.1.0/24 for web servers and another subnet 10.0.2.0/24 for databases. Each subnet must have a smaller CIDR block than its parent VNet.

Key Design Principles

Think of a VNet as an office building and subnets as individual floors. Resources in the same VNet communicate with each other by default. Plan your IP address space carefully to avoid conflicts. You cannot change a VNet's address space after creation without significant reconfiguration.

Azure automatically creates route tables for subnets, enabling traffic to flow between them. Focus your study on the hierarchical relationship between address spaces, VNets, and subnets. Practice creating VNets with multiple subnets to understand IP addressing in practice.

Network Security Groups and Access Control

How NSGs Work

Network Security Groups (NSGs) act as stateful firewalls controlling inbound and outbound traffic to Azure resources. Each NSG contains security rules that allow or deny traffic based on source, destination, protocol, and port. Rules have priority numbers between 1 and 65,535, with lower numbers evaluated first.

Default Rules and Custom Rules

Azure provides default rules in every NSG:

AllowVNetInBound (allows all traffic between resources in the same VNet)
DenyAllInbound (denies all other inbound traffic)

When you create custom rules, allow specific traffic first, then rely on default deny rules. A rule allowing inbound traffic on port 443 (HTTPS) with priority 100 is evaluated before a lower-priority deny rule.

NSG Scope and Application Security Groups

Apply NSGs at the subnet level to protect all resources in that subnet, or at individual network interface levels for granular control. Application Security Groups (ASGs) provide additional organization, allowing you to group resources logically and apply NSG rules to those groups instead of individual IP addresses.

Inbound rules control traffic entering your resources. Outbound rules control traffic leaving your resources. This scaling approach works better for complex environments with many resources.

Azure Connectivity Options and Hybrid Scenarios

ExpressRoute for High-Performance Connections

ExpressRoute offers a dedicated, private connection to Azure with consistent bandwidth and lower latency compared to internet-based connections. This service suits organizations requiring high reliability and predictable network performance.

VPN Solutions for Cost-Effective Connectivity

Site-to-Site VPN uses encrypted tunnels over the public internet to connect your on-premises network to Azure. This provides a cost-effective solution for smaller deployments or as a backup connectivity option. Point-to-Site VPN allows individual computers to connect securely to Azure, perfect for remote workers or administrators.

Virtual Network Peering

Virtual Network Peering enables direct communication between two VNets in Azure, allowing resources in different networks to communicate as if they were in the same network. Regional peering (same region) offers lower latency. Global peering (different regions) enables organization-wide integration.

Choosing the Right Connectivity Option

Evaluate bandwidth requirements, acceptable latency, uptime needs, cost constraints, and whether you need hybrid connectivity. ExpressRoute requires more setup time and investment but provides superior performance. VPN solutions deploy faster and cost less but depend on internet connectivity. Many organizations use both, with ExpressRoute for primary traffic and VPN as a failover option.

IP Addressing, DNS, and Traffic Management

Public and Private IP Addresses

Public IP addresses allow resources to be accessed from the internet. Private IP addresses enable communication within your VNet. Public IPs can be static (unchanging) or dynamic (reassigned when the resource stops).

DNS and Domain Management

DNS in Azure is automatically managed for resources within a VNet. Configure custom DNS servers or use Azure DNS, a hosting service for DNS domains that integrates seamlessly with other Azure services.

Load Balancing at Different Layers

Azure Load Balancer operates at layer 4 (transport layer) and efficiently distributes traffic based on configured rules. Application Gateway operates at layer 7 (application layer), providing path-based routing, hostname-based routing, and SSL termination.

Traffic Manager performs DNS-level routing, directing users to appropriate endpoints based on performance, priority, or geographic location. This suits global applications or disaster recovery scenarios. Azure CDN accelerates content delivery by caching content at edge locations closer to users.

Practice scenarios involving traffic distribution. Create flashcards describing traffic management challenges and asking which Azure service best solves them.

Practical Study Tips and Exam Strategy for Azure Networking

Build Real Network Architecture

Start by creating a mental model of your own network design. Imagine deploying a three-tier application with web, business logic, and database layers in Azure. Work through how you would secure, connect, and manage traffic for each layer.

Use Azure free tier resources to build actual VNets, create subnets, configure NSGs, and test connectivity. Hands-on experience helps you internalize how networking components interact and reveals dependencies you might miss in pure study.

Strategic Flashcard Organization

Group related concepts into separate flashcard sets. Create one set for VNet architecture, another for security rules, and a third for connectivity options. This organization helps you study in focused sessions and prevents information overload.

When reviewing flashcards, actively recall answers before looking at them. Active recall strengthens memory far more than passive reading. Study the Azure documentation's decision trees and comparison tables, converting these visuals into flashcard questions.

Exam Preparation Strategies

Practice scenario-based questions because the AZ-900 exam presents realistic situations rather than isolated facts. Join study groups or online communities to discuss networking concepts. Explaining ideas to others reinforces your understanding.

Track which topics consistently challenge you and dedicate additional study time to those areas. Simulate exam conditions by taking practice tests under timed conditions. This builds confidence and helps you internalize information efficiently.

Start Studying Azure Fundamentals Networking

Master Azure networking concepts with interactive flashcards designed for the AZ-900 exam. Create custom study decks covering VNets, NSGs, connectivity options, and IP addressing with scenario-based questions that mirror real exam content.

Create Free Flashcards

Frequently Asked Questions

What is the difference between a Virtual Network and a Subnet?

A Virtual Network (VNet) is a logically isolated network environment in Azure defined by an address space, such as 10.0.0.0/16. A subnet is a smaller division within that VNet, such as 10.0.1.0/24, used to further segment resources.

Think of a VNet as a large office building and subnets as individual floors or departments. Resources in the same VNet communicate with each other by default. Subnets provide additional organization and allow you to apply different security rules and routing policies.

You can have multiple subnets within a single VNet. The total IP addresses in all subnets cannot exceed the parent VNet's address space. Understanding this hierarchy is fundamental to designing scalable Azure networks.

How do Network Security Groups protect Azure resources?

Network Security Groups (NSGs) act as stateful firewalls that filter traffic based on rules you define. Each NSG contains inbound rules that control traffic entering your resources and outbound rules that control traffic leaving them.

Rules are processed in priority order, with lower numbers evaluated first. The first matching rule determines whether traffic is allowed or denied. By default, NSGs deny all inbound traffic and allow all outbound traffic, providing a secure-by-default posture.

Apply NSGs at the subnet level to protect all resources in that subnet or at individual network interface levels for granular control. Common use cases include allowing only HTTP and HTTPS traffic to web servers and restricting database access to application servers only. NSGs are essential for implementing the principle of least privilege in cloud security.

When should I use ExpressRoute versus Site-to-Site VPN?

ExpressRoute provides a dedicated, private connection with consistent high bandwidth and low latency, ideal for mission-critical workloads and large data transfers. It requires more setup time and investment but offers superior reliability and performance.

Site-to-Site VPN uses encrypted tunnels over the public internet, making it faster to deploy and more cost-effective for smaller organizations or non-critical workloads. VPN is appropriate when you need occasional hybrid connectivity or backup connections.

Consider ExpressRoute if your organization has demanding performance requirements, significant data transfer needs, or compliance requirements demanding dedicated connections. Choose VPN for rapid deployment, lower costs, or as a backup solution. Many organizations use both, employing ExpressRoute for primary production traffic and VPN as a failover option.

What is Virtual Network Peering and why is it useful?

Virtual Network Peering establishes a direct, private connection between two Azure VNets, allowing resources in different networks to communicate securely and efficiently. Peering can be regional (connecting VNets in the same region) or global (connecting VNets across different regions).

Regional peering offers lower latency and no data transfer charges between peered networks. Global peering enables organization-wide integration across geographic locations. Peering is useful for connecting different organizational departments and isolating production from development environments while maintaining connectivity.

Unlike VPN gateways, peering provides direct mesh connectivity without additional hops, resulting in better performance. You can also enable transitive peering through User Defined Routes, allowing indirect connections through hub-and-spoke network topologies.

How do flashcards help me learn Azure networking concepts more effectively?

Flashcards are particularly effective for Azure networking because they force active recall, which strengthens memory far more than passive reading. When studying networking, you encounter many interconnected concepts requiring integration of multiple facts.

Flashcards break these integrated concepts into focused questions that test individual elements. Scenario-based flashcards are especially valuable. Rather than memorizing that ExpressRoute exists, flashcards prompt you to recall when ExpressRoute is appropriate given specific business requirements.

The portability of digital flashcards lets you study during commutes or breaks. Spaced repetition algorithms ensure you focus on material you find challenging. Group related cards by topic to maintain coherent study sessions. Review your incorrect answers immediately after completing study sessions to reinforce learning.