Azure Virtual Network (VNet) is a private network in the Azure cloud; each VNet belongs to one subscription and lives in one Azure region. It lets Azure resources (like virtual machines) securely communicate with each other, with the internet, and with on-premises networks.
In simple terms:
- A VNet is a logical, private network inside Azure.
- It is isolated from other customers’ networks, and by default also from other VNets in your own subscription until you explicitly connect them.
- It uses IP address ranges and subnets, similar to a traditional datacenter network.
How it works (high level):
- A VNet is created with an IP address range (CIDR block), for example 10.0.0.0/16.
- That range is split into subnets (for example 10.0.1.0/24 for web servers, 10.0.2.0/24 for databases).
- Azure resources (VMs, AKS nodes, etc.) get IP addresses from these subnets and can talk to each other privately inside the VNet.
- The VNet can be:
  - Connected to the internet (for example via public IPs, a NAT gateway, or a public load balancer).
  - Connected to on-premises networks using a VPN gateway or ExpressRoute.
  - Peered with other VNets so resources in different VNets can communicate. Peering is not transitive: if A is peered with B and B with C, A still cannot reach C without its own peering.
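Worked example of the address planning just described. This is an added example, not code from the page or from Azure; it uses only the Python standard library. The VNet and subnet CIDRs are the ones above (10.0.0.0/16 with 10.0.1.0/24 and 10.0.2.0/24); the two rejected layouts and the second VNet used for the peering check are constructed inputs. It validates that subnets fit in the VNet without overlapping, lists the five addresses Azure reserves in every subnet, and checks the non-overlap precondition that peering requires.

```python
# Added example: subnet planning for the VNet layout described above.
# Uses only the Python standard library; the names and CIDRs are the page's
# (10.0.0.0/16 with 10.0.1.0/24 and 10.0.2.0/24) plus constructed inputs.
import ipaddress

# Azure reserves five addresses in every subnet: the network address, the
# default gateway (first usable), two for Azure-provided DNS, and broadcast.
AZURE_RESERVED_PER_SUBNET = 5
AZURE_MAX_PREFIXLEN = 29  # smallest IPv4 subnet Azure accepts is /29


def azure_reserved(subnet: ipaddress.IPv4Network) -> list[str]:
    """The five addresses Azure keeps for itself in a subnet."""
    addrs = list(subnet)  # every address, network and broadcast included
    return [str(a) for a in addrs[:4]] + [str(addrs[-1])]


def usable_hosts(subnet: ipaddress.IPv4Network) -> int:
    """Addresses actually assignable to VMs, NICs, etc."""
    return subnet.num_addresses - AZURE_RESERVED_PER_SUBNET


def plan_vnet(vnet_cidr: str, subnets: dict[str, str]) -> dict[str, dict]:
    """Validate a VNet/subnet layout and return per-subnet details.

    Raises ValueError if a subnet falls outside the VNet, is smaller than /29,
    or overlaps another subnet (Azure rejects all three at deployment time).
    """
    vnet = ipaddress.ip_network(vnet_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(vnet):
            raise ValueError(f"subnet {name} {net} is outside VNet {vnet}")
        if net.prefixlen > AZURE_MAX_PREFIXLEN:
            raise ValueError(f"subnet {name} {net} is smaller than /29")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"subnet {a} {nets[a]} overlaps {b} {nets[b]}")
    return {
        name: {
            "cidr": str(net),
            "usable_hosts": usable_hosts(net),
            "reserved": azure_reserved(net),
        }
        for name, net in nets.items()
    }


def can_peer(vnet_a: str, vnet_b: str) -> bool:
    """Peering requires the two VNets' address spaces not to overlap."""
    return not ipaddress.ip_network(vnet_a).overlaps(ipaddress.ip_network(vnet_b))


if __name__ == "__main__":
    plan = plan_vnet("10.0.0.0/16", {"web": "10.0.1.0/24", "db": "10.0.2.0/24"})
    for name, info in plan.items():
        print(f"{name}: {info['cidr']} usable={info['usable_hosts']} reserved={info['reserved']}")
    # Constructed bad layouts: one subnet outside the VNet, two that overlap.
    for bad in ({"web": "192.168.0.0/24"}, {"web": "10.0.1.0/24", "db": "10.0.1.128/25"}):
        try:
            plan_vnet("10.0.0.0/16", bad)
        except ValueError as err:
            print("rejected:", err)
    print("can peer 10.0.0.0/16 with 10.1.0.0/16:", can_peer("10.0.0.0/16", "10.1.0.0/16"))
    print("can peer 10.0.0.0/16 with 10.0.0.0/16:", can_peer("10.0.0.0/16", "10.0.0.0/16"))
```

The reserved-address count matters when sizing subnets: a /24 gives 251 usable addresses, not 254, and a /29 gives only 3. The peering check is also worth running before you choose address space, because two VNets that both use 10.0.0.0/16 can never be peered without re-addressing one of them.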
House/apartment road analogy:
- Think of Azure as a big city.
- A VNet is like a gated community or private neighborhood inside that city:
  - It has its own internal roads and house numbers (IP addresses).
  - Only residents and allowed visitors can move around inside.
- Subnets are like streets inside that gated community:
  - One street for houses (web servers), another for shops (databases), etc.
- Virtual machines and other resources are like houses on those streets, each with its own address.
- Network security groups are like security guards posted at the entrance of a street (a subnet) or at an individual house (a network interface). Each guard works through a numbered list of rules in priority order and applies the first rule that matches the car or person (source and destination address, port, and protocol) to decide whether it may enter or leave.
- VNet peering is like building a private road between two gated communities, so residents can visit each other without going through the public city roads.
- VPN/ExpressRoute is like building a private tunnel or dedicated highway between an on-premises office and the Azure gated community.
How it’s different from “normal internet”:
- Normal internet is a public network: anyone can try to talk to anyone, and security is added on top (firewalls, encryption).
- A VNet is a private, isolated network:
  - Only resources inside the VNet (and explicitly connected networks) can communicate over it.
  - Its address ranges are private and are not routable from the internet; a resource is reachable from outside only if you give it a public IP or put it behind a public load balancer.
  - Security policies, routing, and DNS are under your full control inside that private space.
For AZ-900, key points to remember:
- VNet = private, isolated network in Azure.
- Used to connect Azure resources to each other, the internet, and on-premises.
- Supports subnets, peering, VPN, ExpressRoute, and security controls like network security groups.