Hi, I’m Makoto, a freelance engineer.
When using virtual machines and other services on Azure, it is common to connect servers on Azure to each other or to on-premises environments or the Internet.
In a traditional physical environment, networking devices called routers and switches are installed and connected to computers via LAN cables, but in the case of the cloud, such networks can be easily created using virtualization technology.
In this article, I will explain the basic networking services of Azure.
Let’s get started!
What is Azure Virtual Network (VNet)?
Virtual Network is a basic service for configuring a private network within Azure.
It is used to connect various resources, such as virtual machines, to other Azure resources, the Internet, and on-premises. (The following description is based on the use of virtual machines.)
It is often abbreviated as VNet.
A VNet is assigned a private address space, such as 10.0.0.0/16, and this address space is further divided into one or more subnets, such as 10.0.1.0/24. Virtual machines are placed in these subnets.
Virtual machines in the same VNet can communicate even if they are in different subnets, but virtual machines in different VNets cannot connect by default.
In addition to subnetting, Network Security Groups (NSGs) are commonly associated with subnets (or with individual network interfaces) to filter traffic within the VNet. From a security perspective it is therefore recommended to divide the address space into subnets according to the traffic you intend to allow or deny, for example keeping web, application and management tiers in separate subnets so that each can carry its own NSG rules.
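As an added example (not code from the original article), the following Python script models the two points above: it validates a subnet plan against the VNet address space, accounting for the five addresses Azure reserves in every subnet, and it evaluates inbound NSG rules in priority order together with the default rules Azure appends to every NSG. The rule names, the 10.0.0.0/16 address plan and the service-tag handling are assumptions made for the example; the real VirtualNetwork tag also covers peered VNets and on-premises ranges, which this model omits.

```python
import ipaddress

# Azure reserves five addresses in every subnet: the network address, the default
# gateway (.1), two for Azure DNS (.2 and .3) and the broadcast address, so a
# /29 is the smallest subnet Azure accepts.
AZURE_RESERVED_PER_SUBNET = 5

# Azure appends these default inbound rules to every NSG; they cannot be deleted,
# only overridden by a custom rule with a lower (more urgent) priority number.
DEFAULT_INBOUND_RULES = [
    {"priority": 65000, "name": "AllowVnetInBound", "src": "VirtualNetwork", "dst": "VirtualNetwork", "port": "*", "action": "Allow"},
    {"priority": 65001, "name": "AllowAzureLoadBalancerInBound", "src": "AzureLoadBalancer", "dst": "*", "port": "*", "action": "Allow"},
    {"priority": 65500, "name": "DenyAllInBound", "src": "*", "dst": "*", "port": "*", "action": "Deny"},
]
AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")  # what the AzureLoadBalancer tag resolves to


def plan_subnets(vnet_cidr, subnet_cidrs):
    """Validate subnets against the VNet address space and return usable host counts."""
    vnet = ipaddress.ip_network(vnet_cidr)
    subnets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    usable = {}
    for i, sn in enumerate(subnets):
        if not sn.subnet_of(vnet):
            raise ValueError(f"{sn} lies outside the VNet address space {vnet}")
        if sn.prefixlen > 29:
            raise ValueError(f"{sn} is smaller than /29; Azure reserves 5 addresses per subnet")
        for other in subnets[:i]:
            if sn.overlaps(other):
                raise ValueError(f"{sn} overlaps {other}")
        usable[str(sn)] = sn.num_addresses - AZURE_RESERVED_PER_SUBNET
    return usable


def _addr_matches(spec, ip, vnet):
    # Simplified service tags (assumption for this example): VirtualNetwork is the
    # VNet's own address space only, Internet is anything outside it.
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in vnet
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_IP
    if spec == "Internet":
        return ip not in vnet
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    # Accepts "*", a single port, a range "lo-hi", or a comma-separated list of those.
    if spec == "*":
        return True
    for part in str(spec).split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate_inbound(rules, vnet_cidr, src_ip, dst_ip, port):
    """Return (action, rule name) of the first matching rule, lowest priority number first."""
    for rule in rules:
        if not 100 <= rule["priority"] <= 4096:
            raise ValueError(f"{rule['name']}: custom rule priority must be 100-4096")
    vnet = ipaddress.ip_network(vnet_cidr)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted(rules + DEFAULT_INBOUND_RULES, key=lambda r: r["priority"]):
        if (_addr_matches(rule["src"], src, vnet) and _addr_matches(rule["dst"], dst, vnet)
                and _port_matches(rule["port"], port)):
            return rule["action"], rule["name"]
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


# Constructed rules for a web subnet (hypothetical names): HTTPS from the Internet,
# SSH only from the management subnet 10.0.0.0/24.
WEB_RULES = [
    {"priority": 100, "name": "AllowHttpsFromInternet", "src": "Internet", "dst": "*", "port": "443", "action": "Allow"},
    {"priority": 110, "name": "AllowSshFromMgmt", "src": "10.0.0.0/24", "dst": "*", "port": "22", "action": "Allow"},
]
# The default AllowVnetInBound rule still admits SSH from every other subnet in the
# VNet, so an explicit deny is needed to get the intended allow/deny pattern.
HARDENED_WEB_RULES = WEB_RULES + [
    {"priority": 120, "name": "DenySshFromVnet", "src": "VirtualNetwork", "dst": "*", "port": "22", "action": "Deny"},
]

if __name__ == "__main__":
    print(plan_subnets("10.0.0.0/16", ["10.0.0.0/24", "10.0.1.0/24"]))
    for rules in (WEB_RULES, HARDENED_WEB_RULES):
        # SSH to a web VM (10.0.1.4) from an app-tier VM (10.0.2.5) in the same VNet
        print(evaluate_inbound(rules, "10.0.0.0/16", "10.0.2.5", "10.0.1.4", 22))
```

The second run shows why the "allow/deny pattern" matters: with only allow rules, SSH from any other subnet in the VNet is admitted by the default AllowVnetInBound rule at priority 65000, and only the explicit deny at priority 120 closes it. Health probes from 168.63.129.16 keep working because AllowAzureLoadBalancerInBound does not match the VirtualNetwork tag.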
Although not shown explicitly in the diagram, outbound connectivity to the Internet is also available by default. Both Internet and intra-VNet connectivity work from the start because Azure automatically creates system routes for each subnet: one for the VNet address space and a 0.0.0.0/0 route to the Internet. (However, once default outbound access is retired, a virtual machine without a public IP address, NAT Gateway or public load balancer will no longer be able to reach the Internet on its own.)
Source: Virtual network traffic routing
Reference:
On September 30, 2025, default outbound access for new deployments will be retired. A virtual machine without a public IP address will then need one of the following explicit outbound methods to reach the Internet:
- A public IP address associated with the virtual machine's network interface
- A NAT Gateway attached to its subnet
- A public Load Balancer
Default outbound access also uses a public IP that Azure selects and that you cannot rely on staying the same, so for workloads whose source address must be allow-listed by a partner, NAT Gateway is the better choice even before the retirement.
Reference: Default outbound access in Azure
One more point to add.
This is something people who have studied AWS are likely to misunderstand: Azure subnets are not tied to an availability zone (you do not specify one when creating a subnet), so virtual machines in a single subnet can be deployed across different availability zones.
To connect VNet to other locations
By default, a virtual machine can reach other resources in its own VNet and the Internet; to reach anything else you use one of the services below.
As you read, keep in mind which service connects a VNet to which destination.
Virtual network peering
Virtual network peering is a service for connecting virtual networks to each other. As I mentioned earlier, you cannot connect to another VNet by default, but you can use peering to do so.
In this diagram, there are three VNets, and the following two pairs are connected by peering.
- VNet A to VNet B (bidirectional)
- VNet B to VNet C (bidirectional)
One thing to note: it may look as though VNet A could reach VNet C by going through VNet B, but this does not work, because virtual network peering is not transitive (it only exchanges routes between the two directly peered VNets). If you want VNet A to talk to VNet C, you must peer them directly as well; the alternative is a hub-and-spoke design where the hub forwards traffic through a network virtual appliance or a VPN gateway with gateway transit enabled. Peering also requires that the two address spaces do not overlap, and it is only usable once it has been created from both sides.
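As an added example (not code from the original article), the following Python script checks a peering plan the way Azure would treat it: a peering counts only once both sides have created it, traffic flows only over a direct peering (no transit through VNet B), and a peering between overlapping address spaces is rejected. The address spaces 10.1.0.0/16, 10.2.0.0/16 and 10.3.0.0/16 are assumptions; the article does not give them.

```python
import ipaddress
from itertools import combinations

# Constructed topology matching the three VNets in the text. Address spaces are
# assumed. Peerings are listed as (source, remote) exactly as created on each side.
VNETS = {"VNetA": "10.1.0.0/16", "VNetB": "10.2.0.0/16", "VNetC": "10.3.0.0/16"}
PEERING_LINKS = [
    ("VNetA", "VNetB"), ("VNetB", "VNetA"),   # A <-> B, created on both sides
    ("VNetB", "VNetC"), ("VNetC", "VNetB"),   # B <-> C, created on both sides
]


def peering_state(links, local, remote):
    """Mirror the peeringState Azure reports: Connected only once both sides exist."""
    links = set(links)
    if (local, remote) in links and (remote, local) in links:
        return "Connected"
    if (local, remote) in links:
        return "Initiated"
    return None


def usable_peerings(vnets, links):
    """Return the bidirectional peerings as a set of frozenset pairs.

    Raises ValueError for a peering between overlapping address spaces,
    which Azure refuses to create.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vnets.items()}
    usable = set()
    for local, remote in links:
        if nets[local].overlaps(nets[remote]):
            raise ValueError(f"{local} {nets[local]} overlaps {remote} {nets[remote]}")
        if peering_state(links, local, remote) == "Connected":
            usable.add(frozenset((local, remote)))
    return usable


def can_reach(usable, src, dst):
    """Peering is not transitive: only a direct, connected peering carries traffic."""
    return frozenset((src, dst)) in usable


def missing_for_full_mesh(vnets, usable):
    """Peerings still needed so that every VNet can reach every other one directly."""
    return {frozenset(pair) for pair in combinations(vnets, 2)} - usable


if __name__ == "__main__":
    usable = usable_peerings(VNETS, PEERING_LINKS)
    print("A -> B:", can_reach(usable, "VNetA", "VNetB"))   # True
    print("A -> C:", can_reach(usable, "VNetA", "VNetC"))   # False: no transit through B
    print("still to peer:", missing_for_full_mesh(VNETS, usable))
```

Running it shows that with only the two peerings from the diagram, VNet A cannot reach VNet C, and `missing_for_full_mesh` reports exactly the A-C pair that still has to be peered. Creating the peering on VNet A alone leaves it in the Initiated state and does not change reachability.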
VPN Gateway
VPN Gateway is a virtual router primarily used to connect Azure and on-premises through an encrypted IPsec/IKE VPN tunnel over the Internet.
Because it runs over an existing Internet connection, it is cheaper to set up than ExpressRoute, which is described later.
VPN gateways actually support three connection types, and not all of them involve an on-premises site.
- Site-to-site connection
- Point-to-site connection
- VNet-to-VNet connection
Site-to-site connection can be thought of as connecting one location to another. This diagram refers to the connection between Azure and an on-premises environment, specifically the connection between a VPN gateway and an on-premises physical device.
Point-to-site connection can be thought of as connecting users (or their devices) to a location. It is used for remote access from outside the company, such as in the case of telecommuting. In this diagram, it refers to the connection between Azure and an external environment, specifically the connection between a VPN gateway and a computer (using its VPN connection software).
VNet-to-VNet connection is a connection between VNets on Azure, but since it can also be achieved through virtual network peering, we will not go into detail here.
For details on each connection pattern, please refer to the official VPN Gateway Design document.
Reference:
Please refer to the following official document on when to use VNet-to-VNet connections and when to use virtual network peering.
ExpressRoute
ExpressRoute is a service that primarily connects Azure and on-premises over a private connection supplied by a connectivity provider, with a bandwidth you choose in advance.
Unlike the VPN gateway introduced earlier, traffic does not traverse the public Internet. You sign a contract with a connectivity provider such as AT&T, Equinix, or Verizon and connect over that provider's private network.
*A separate contract is required, so it cannot be completed using Azure alone.
When using an Internet connection, the quality of the connection is affected by factors such as network congestion because it is a best-effort service.
With ExpressRoute, you choose the bandwidth of the connection, such as 50 Mbps or 100 Mbps, and that bandwidth is guaranteed.
Of course, the cost will increase in proportion to the bandwidth, but it is an option for those who want to connect to a high-speed, low-latency, high-quality network.
ExpressRoute can also be used to connect from on-premises to other Microsoft cloud services such as Microsoft 365, as well as to Azure. Note that using ExpressRoute for Microsoft 365 requires authorization from Microsoft, which recommends reaching Microsoft 365 over the Internet in most cases.
Source: What is Azure ExpressRoute?
Summary
In this article, we have explained an overview of the basic networking services in Azure.
Azure's compute services are either built on virtual networking or have options to integrate with it. It is important to remember that VNet is the basic networking service in Azure.
In addition, the following is a brief summary of the options for connecting a VNet to other locations.
| Service Name | Use Case | Difficulty of Setup |
|---|---|---|
| Virtual Network Peering | Connecting VNets to each other | Low |
| VPN Gateway | Connecting to on-premises via Internet VPN | Medium |
| ExpressRoute | Connecting to on-premises via a private connection | High |
For the AZ-900 exam, a general understanding at this level is enough. Make sure to remember which service is used for which purpose!