Quickstart: Use the Azure portal to create a virtual network
This quickstart shows you how to create a virtual network by using the Azure portal. You then create two virtual machines (VMs) in the network, deploy Azure Bastion to securely connect to the VMs from the internet, and communicate privately between the VMs.
A virtual network is the fundamental building block for private networks in Azure. Azure Virtual Network enables Azure resources like VMs to securely communicate with each other and the internet.
- An Azure account with an active subscription. You can create an account for free.
Create a virtual network
The following procedure creates a virtual network with a resource subnet, an Azure Bastion subnet, and an Azure Bastion host.
Sign in to the Azure portal.
In the portal, search for and select Virtual networks.
On the Virtual networks page, select Create.
On the Basics tab of the Create virtual network screen, enter or select the following information:
- Subscription: Keep the default or select a different subscription.
- Resource group: Select Create new, and then name the resource group TestRG.
- Virtual network name: Enter VNet.
- Region: Keep the default or select a different region for the network and all its resources.
Select Next: IP Addresses at the bottom of the page.
On the IP Addresses tab, under IPv4 address space, select the garbage can icon to remove any address space that already appears, and then enter 10.0.0.0/16.
Select Add subnet.
On the Add subnet screen, enter the following information, and then select Add:
- Subnet name: default
- Subnet address range: 10.0.0.0/24.
Select Next: Security at the bottom of the page.
On the Security tab, next to BastionHost, select Enable.
Azure Bastion uses your browser to connect to VMs in your virtual network over secure shell (SSH) or remote desktop protocol (RDP) by using their private IP addresses. The VMs don't need public IP addresses, client software, or special configuration. For more information about Azure Bastion, see Azure Bastion.
Enter the following information:
- Bastion name: VNet-Bastion
- AzureBastionSubnet address space: 10.0.1.0/26. Azure automatically creates the AzureBastionSubnet subnet.
- Public IP address: Select Create new, then enter VNet-bastion-publicIp under Name and select OK.
Select Review + create at the bottom of the screen, and when validation passes, select Create.
Create virtual machines
Create two VMs named VM1 and VM2 in the virtual network.
In the portal, search for and select Virtual machines.
On the Virtual machines page, select Create, and select Azure virtual machine.
On the Basics tab of the Create a virtual machine screen, enter or select the following values:
- Resource group: Select TestRG if not already selected.
- Virtual machine name: Enter VM1.
- Region: Select the same region as your resource group and virtual network if not already selected.
- Availability options: Select No infrastructure redundancy required.
- Image: Select Windows Server 2019 Datacenter - x64 Gen2.
- Size: Accept the default, or drop down and select a size.
- Username, Password, and Confirm password: Enter an admin username and password for the VM.
- Public inbound ports: Select None.
Select the Networking tab at the top of the page.
On the Networking page, enter or select the following values:
- Virtual network: Select VNet if not already selected.
- Subnet: Select default if not already selected.
- Public IP: Select None.
Accept the other settings, and select Review + create. Review the settings, and then select Create.
After the VM creation finishes, you can select Create another VM to create the second VM. Name the VM VM2, with all the same settings.
VMs in a virtual network with a Bastion host don't need public IP addresses. Bastion provides the public IP, and the VMs use private IPs to communicate within the network. You can remove the public IPs from any VMs in Bastion-hosted virtual networks. For more information, see Dissociate a public IP address from an Azure VM.
Connect to a VM
In the portal, search for and select Virtual machines.
On the Virtual machines page, select VM1.
At the top of the VM1 page, select the dropdown arrow next to Connect, and then select Bastion.
On the Bastion page, enter the username and password you created for the VM, and then select Connect.
Communicate between VMs
From the desktop of VM1, open PowerShell.
ping myVM2. You get a reply similar to the following message:
PS C:\Users\VM1> ping VM2 Pinging VM2.ovvzzdcazhbu5iczfvonhg2zrb.bx.internal.cloudapp.net with 32 bytes of data Request timed out. Request timed out. Request timed out. Request timed out. Ping statistics for 10.0.0.5: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The ping fails because it uses the Internet Control Message Protocol (ICMP). By default, ICMP isn't allowed through Windows firewall.
To allow ICMP to inbound through Windows firewall on this VM, enter the following command:
New-NetFirewallRule –DisplayName "Allow ICMPv4-In" –Protocol ICMPv4
Close the Bastion connection to VM1.
Repeat the steps in Connect to a VM to connect to VM2.
From PowerShell on VM2, enter
This time you get a success reply similar to the following message, because you allowed ICMP through the firewall on VM1.
PS C:\Users\VM2> ping VM1 Pinging VM1.e5p2dibbrqtejhq04lqrusvd4g.bx.internal.cloudapp.net [10.0.0.4] with 32 bytes of data: Reply from 10.0.0.4: bytes=32 time=2ms TTL=128 Reply from 10.0.0.4: bytes=32 time<1ms TTL=128 Reply from 10.0.0.4: bytes=32 time<1ms TTL=128 Reply from 10.0.0.4: bytes=32 time<1ms TTL=128 Ping statistics for 10.0.0.4: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 2ms, Average = 0ms
Close the Bastion connection to VM2.
Clean up resources
When you're done using the virtual network and VMs, you can delete the resource group and all its resources.
In the Azure portal, search for and select Resource groups.
On the Resource groups page, select the TestRG resource group.
On the TestRG page, note all the resources the resource group contains. At the top of the page, select Delete resource group.
On the Delete a resource group page, under Enter resource group name to confirm deletion, enter TestRG, and then select Delete.
Select Delete again.
In this quickstart, you created a virtual network with two subnets, one containing two VMs and the other for Azure Bastion. You deployed Azure Bastion and used it to connect to the VMs, and securely communicated between the VMs. To learn more about virtual network settings, see Create, change, or delete a virtual network.
Private communication between VMs is unrestricted in a virtual network. Continue to the next article to learn more about configuring different types of VM network communications.
Submit and view feedback for