This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
This quickstart shows you how to create a virtual network by using the Azure CLI, the Azure command-line interface. You then create two virtual machines (VMs) in the network, securely connect to the VMs from the internet, and start private communication between the VMs.
A virtual network is the fundamental building block for private networks in Azure. Azure Virtual Network enables Azure resources like VMs to securely communicate with each other and the internet.
If you don't have an Azure subscription, create an Azure free account before you begin.
Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.
If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.
When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.
Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.
Use az group create to create a resource group to host the virtual network. Use the following code to create a resource group named test-rg in the eastus2 Azure region:
az group create \
--name test-rg \
--location eastus2
Use az network vnet create to create a virtual network named vnet-1 with a subnet named subnet-1 in the test-rg resource group:
az network vnet create \
--name vnet-1 \
--resource-group test-rg \
--address-prefix 10.0.0.0/16 \
--subnet-name subnet-1 \
--subnet-prefixes 10.0.0.0/24
Azure Bastion uses your browser to connect to VMs in your virtual network over Secure Shell (SSH) or Remote Desktop Protocol (RDP) by using their private IP addresses. The VMs don't need public IP addresses, client software, or special configuration.
Hourly pricing starts from the moment that Bastion is deployed, regardless of outbound data usage. For more information, see Pricing and SKUs. If you're deploying Bastion as part of a tutorial or test, we recommend that you delete this resource after you finish using it. For more information about Bastion, see What is Azure Bastion?.
Use az network vnet subnet create to create a Bastion subnet for your virtual network. This subnet is reserved exclusively for Bastion resources and must be named AzureBastionSubnet.
az network vnet subnet create \
--name AzureBastionSubnet \
--resource-group test-rg \
--vnet-name vnet-1 \
--address-prefix 10.0.1.0/26
Create a public IP address for Bastion. This IP address is used to connect to the Bastion host from the internet. Use az network public-ip create to create a public IP address named public-ip in the test-rg resource group:
az network public-ip create \
--resource-group test-rg \
--name public-ip \
--sku Standard \
--location eastus2 \
--zone 1 2 3
Use az network bastion create to create a Bastion host in AzureBastionSubnet for your virtual network:
az network bastion create \
--name bastion \
--public-ip-address public-ip \
--resource-group test-rg \
--vnet-name vnet-1 \
--location eastus2
It takes about 10 minutes to deploy the Bastion resources. You can create VMs in the next section while Bastion deploys to your virtual network.
Use az vm create to create two VMs named vm-1 and vm-2 in the subnet-1 subnet of the virtual network. When you're prompted for credentials, enter user names and passwords for the VMs.
To create the first VM, use the following command:
az vm create \
--resource-group test-rg \
--admin-username azureuser \
--authentication-type password \
--name vm-1 \
--image Ubuntu2204 \
--public-ip-address ""
To create the second VM, use the following command:
az vm create \
--resource-group test-rg \
--admin-username azureuser \
--authentication-type password \
--name vm-2 \
--image Ubuntu2204 \
--public-ip-address ""
Tip
You can also use the --no-wait option to create a VM in the background while you continue with other tasks.
The VMs take a few minutes to create. After Azure creates each VM, the Azure CLI returns output similar to the following message:
{
"fqdns": "",
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Compute/virtualMachines/vm-2",
"location": "eastus2",
"macAddress": "00-0D-3A-23-9A-49",
"powerState": "VM running",
"privateIpAddress": "10.0.0.5",
"publicIpAddress": "",
"resourceGroup": "test-rg"
"zones": ""
}
Note
VMs in a virtual network with a Bastion host don't need public IP addresses. Bastion provides the public IP, and the VMs use private IPs to communicate within the network. You can remove the public IPs from any VMs in Bastion-hosted virtual networks. For more information, see Dissociate a public IP address from an Azure VM.
Note
Azure provides a default outbound access IP for VMs that either aren't assigned a public IP address or are in the backend pool of an internal basic Azure load balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.
The default outbound access IP is disabled when one of the following events happens:
VMs that you create by using virtual machine scale sets in flexible orchestration mode don't have default outbound access.
For more information about outbound connections in Azure, see Default outbound access in Azure and Use Source Network Address Translation (SNAT) for outbound connections.
In the portal, search for and select Virtual machines.
On the Virtual machines page, select vm-1.
In the Overview information for vm-1, select Connect.
On the Connect to virtual machine page, select the Bastion tab.
Select Use Bastion.
Enter the username and password that you created when you created the VM, and then select Connect.
At the bash prompt for vm-1, enter ping -c 4 vm-2.
You get a reply similar to the following message:
azureuser@vm-1:~$ ping -c 4 vm-2
PING vm-2.3bnkevn3313ujpr5l1kqop4n4d.cx.internal.cloudapp.net (10.0.0.5) 56(84) bytes of data.
64 bytes from vm-2.internal.cloudapp.net (10.0.0.5): icmp_seq=1 ttl=64 time=1.83 ms
64 bytes from vm-2.internal.cloudapp.net (10.0.0.5): icmp_seq=2 ttl=64 time=0.987 ms
64 bytes from vm-2.internal.cloudapp.net (10.0.0.5): icmp_seq=3 ttl=64 time=0.864 ms
64 bytes from vm-2.internal.cloudapp.net (10.0.0.5): icmp_seq=4 ttl=64 time=0.890 ms
Close the Bastion connection to vm-1.
Repeat the steps in Connect to a virtual machine to connect to vm-2.
At the bash prompt for vm-2, enter ping -c 4 vm-1.
You get a reply similar to the following message:
azureuser@vm-2:~$ ping -c 4 vm-1
PING vm-1.3bnkevn3313ujpr5l1kqop4n4d.cx.internal.cloudapp.net (10.0.0.4) 56(84) bytes of data.
64 bytes from vm-1.internal.cloudapp.net (10.0.0.4): icmp_seq=1 ttl=64 time=0.695 ms
64 bytes from vm-1.internal.cloudapp.net (10.0.0.4): icmp_seq=2 ttl=64 time=0.896 ms
64 bytes from vm-1.internal.cloudapp.net (10.0.0.4): icmp_seq=3 ttl=64 time=3.43 ms
64 bytes from vm-1.internal.cloudapp.net (10.0.0.4): icmp_seq=4 ttl=64 time=0.780 ms
Close the Bastion connection to vm-2.
When you finish with the virtual network and the VMs, use az group delete to remove the resource group and all its resources:
az group delete \
--name test-rg \
--yes
In this quickstart, you created a virtual network with a default subnet that contains two VMs. You deployed Bastion, and you used it to connect to the VMs and establish communication between the VMs. To learn more about virtual network settings, see Create, change, or delete a virtual network.
Private communication between VMs in a virtual network is unrestricted by default. To learn more about configuring various types of VM network communications, continue to the next article:
Training
Module
Manage virtual machines with the Azure CLI - Training
Learn how to use the cross-platform Azure CLI to create, start, stop, and perform other management tasks related to virtual machines in Azure.
Certification
Microsoft Certified: Azure Network Engineer Associate - Certifications
Demonstrate the design, implementation, and maintenance of Azure networking infrastructure, load balancing traffic, network routing, and more.
Documentation
Quickstart: Use Azure PowerShell to create a virtual network - Azure Virtual Network
Learn how to use Azure PowerShell to create and connect through an Azure virtual network and virtual machines.
Quickstart: Use the Azure portal to create a virtual network - Azure Virtual Network
Learn how to use the Azure portal to create and connect through an Azure virtual network and virtual machines.
Quickstart: Use Terraform to create a virtual network - Azure Virtual Network
In this quickstart, you create an Azure virtual network and subnets by using Terraform. You use the Azure CLI to verify the resources.