# Networking
Every Azure resource that communicates over a network lives inside a VNet (Virtual Network). VNets are conceptually identical to AWS VPCs — your isolated network in the cloud.
## VNet (Virtual Network)

```text
┌───────────────────────────────────────────────┐
│ VNet: myapp-vnet 10.0.0.0/16                  │
│                                               │
│ ┌────────────────────┐ ┌────────────────────┐ │
│ │ Public Subnet      │ │ Public Subnet      │ │
│ │ 10.0.1.0/24        │ │ 10.0.2.0/24        │ │
│ │ (AZ 1)             │ │ (AZ 2)             │ │
│ │ ┌──────┐ ┌──────┐  │ │ ┌──────┐           │ │
│ │ │App GW│ │ NAT  │  │ │ │App GW│           │ │
│ │ └──────┘ └──────┘  │ │ └──────┘           │ │
│ └────────────────────┘ └────────────────────┘ │
│                                               │
│ ┌────────────────────┐ ┌────────────────────┐ │
│ │ Private Subnet     │ │ Private Subnet     │ │
│ │ 10.0.3.0/24        │ │ 10.0.4.0/24        │ │
│ │ (AZ 1)             │ │ (AZ 2)             │ │
│ │ ┌──────┐ ┌──────┐  │ │ ┌──────┐ ┌──────┐  │ │
│ │ │  VM  │ │  DB  │  │ │ │  VM  │ │  DB  │  │ │
│ │ └──────┘ └──────┘  │ │ └──────┘ └──────┘  │ │
│ └────────────────────┘ └────────────────────┘ │
└───────────────────────────────────────────────┘
```

### Creating a VNet
```bash
# Create a VNet with two subnets
az network vnet create \
  --resource-group myapp-rg \
  --name myapp-vnet \
  --address-prefix 10.0.0.0/16 \
  --subnet-name frontend \
  --subnet-prefix 10.0.1.0/24

az network vnet subnet create \
  --resource-group myapp-rg \
  --vnet-name myapp-vnet \
  --name backend \
  --address-prefix 10.0.3.0/24
```

## Azure vs AWS Networking Concepts

| Azure | AWS | Purpose |
|---|---|---|
| VNet | VPC | Isolated virtual network |
| Subnet | Subnet | IP range within the network |
| NSG | Security Group + NACL | Firewall rules (see stateful vs stateless below) |
| Azure Load Balancer | NLB | Layer 4 load balancing |
| Application Gateway | ALB | Layer 7 load balancing (HTTP) |
| Azure DNS | Route 53 | DNS management |
| VNet Peering | VPC Peering | Connect two VNets |
| NAT Gateway | NAT Gateway | Outbound internet for private subnets |
| Azure Firewall | AWS Network Firewall | Managed firewall service |
| Private Endpoint | VPC Endpoint | Private access to Azure services |
## NSGs (Network Security Groups)

NSGs filter network traffic to and from Azure resources. They combine the functionality of AWS security groups and NACLs.
### NSGs and Stateful vs Stateless Traffic

NSG rules are stateful for TCP and UDP in the usual sense: when you allow an inbound flow, Azure can associate return traffic, so you do not need a separate rule for every ephemeral client port on the return path (similar to AWS security groups). You still think in terms of inbound vs outbound rules and priority (first match wins), which feels closer to NACL-style ordering than to “merge all SG rules.” For the cross-cloud vocabulary, see Stateful vs Stateless Firewalls on the AWS networking page and the TCP/IP primer. For TLS certificates in Azure, see Azure security (Key Vault) and TLS and Certificates for the AWS side of a hybrid mental model.
### How NSGs Work

NSG rules have a priority (100–4096, lower = higher priority). Rules are evaluated in priority order — first match wins.

```text
Inbound traffic ──► NSG rules (by priority) ──► Allow or Deny
```

### Default Rules

Every NSG comes with default rules you can’t delete:
| Priority | Direction | Action | Description |
|---|---|---|---|
| 65000 | Inbound | Allow | VNet to VNet traffic |
| 65001 | Inbound | Allow | Azure Load Balancer health probes |
| 65500 | Inbound | Deny | Deny all other inbound |
| 65000 | Outbound | Allow | VNet to VNet traffic |
| 65001 | Outbound | Allow | Internet outbound |
| 65500 | Outbound | Deny | Deny all other outbound |
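To make the priority ordering and the default rules concrete, here is an added Python model of NSG evaluation. It is not Azure code and not the az CLI: service tags are approximated as CIDR lists (VirtualNetwork is assumed to be this page's 10.0.0.0/16; 168.63.129.16 is the Azure platform health-probe address), the default rule names are the ones Azure reports, and the web-nsg rules mirror the `az network nsg rule create` commands in the next section. Besides evaluating a single flow, it flags a mistake that priority ordering makes easy: a custom Deny placed below a broader Allow that can never be reached.

```python
"""NSG evaluation model: sort by priority, first match wins, always ends in a default deny.

Added example, not Azure code. Service tags are approximated as CIDR sets.
"""
import ipaddress
from dataclasses import dataclass

# Constructed approximation of Azure service tags as CIDR lists.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],          # assumption: this page's VNet address space
    "AzureLoadBalancer": ["168.63.129.16/32"],  # Azure platform health-probe source
    "Internet": ["0.0.0.0/0"],                  # simplification: "not the VNet" becomes "anything"
    "*": ["0.0.0.0/0"],
}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # 100-4096 for custom rules, 65000+ for defaults; lower wins
    direction: str      # "Inbound" | "Outbound"
    access: str         # "Allow" | "Deny"
    protocol: str       # "Tcp" | "Udp" | "*"
    ports: tuple        # destination port ranges, e.g. ("80", "443", "1000-2000") or ("*",)
    sources: tuple      # CIDRs or service tags
    destinations: tuple

def _bounds(port_range):
    lo, _, hi = port_range.partition("-")
    return int(lo), int(hi or lo)

def _port_match(ranges, port):
    return "*" in ranges or any(lo <= port <= hi for lo, hi in map(_bounds, ranges))

def _networks(prefixes):
    return [ipaddress.ip_network(c) for p in prefixes for c in SERVICE_TAGS.get(p, [p])]

def _addr_match(prefixes, addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _networks(prefixes))

def evaluate(rules, direction, protocol, src, dst, dst_port):
    """Return (access, rule_name) of the first rule, in priority order, that matches the flow."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.direction == direction
                and rule.protocol in ("*", protocol)
                and _port_match(rule.ports, dst_port)
                and _addr_match(rule.sources, src)
                and _addr_match(rule.destinations, dst)):
            return rule.access, rule.name
    raise ValueError("no rule matched: a real NSG always ends in DenyAllInBound/DenyAllOutBound")

def _covers_ports(outer, inner):
    if "*" in outer:
        return True
    if "*" in inner:
        return False
    return all(any(olo <= ilo and ihi <= ohi for olo, ohi in map(_bounds, outer))
               for ilo, ihi in map(_bounds, inner))

def _covers_prefixes(outer, inner):
    return all(any(o.supernet_of(i) for o in _networks(outer)) for i in _networks(inner))

def shadowed_rules(rules):
    """Custom rules that can never match because an earlier rule covers every flow they describe."""
    ordered = sorted(rules, key=lambda r: r.priority)
    found = []
    for i, rule in enumerate(ordered):
        if rule.priority > 4096:          # skip the undeletable default rules
            continue
        for earlier in ordered[:i]:
            if (earlier.direction == rule.direction
                    and earlier.protocol in ("*", rule.protocol)
                    and _covers_ports(earlier.ports, rule.ports)
                    and _covers_prefixes(earlier.sources, rule.sources)
                    and _covers_prefixes(earlier.destinations, rule.destinations)):
                found.append((rule.name, earlier.name))
                break
    return found

# The six default rules from the table above, with the names Azure reports.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", ("*",), ("VirtualNetwork",), ("VirtualNetwork",)),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", ("*",), ("AzureLoadBalancer",), ("*",)),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", ("*",), ("*",), ("*",)),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", ("*",), ("VirtualNetwork",), ("VirtualNetwork",)),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", ("*",), ("*",), ("Internet",)),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", ("*",), ("*",), ("*",)),
]

# web-nsg as the az commands in "Creating NSG Rules" build it (constructed here).
WEB_NSG = [
    Rule("AllowHTTP", 100, "Inbound", "Allow", "Tcp", ("80", "443"), ("*",), ("*",)),
    Rule("AllowSSH", 110, "Inbound", "Allow", "Tcp", ("22",), ("203.0.113.50/32",), ("*",)),
] + DEFAULT_RULES

# Constructed misconfiguration: a broad Allow numbered below a narrow Deny.
MISORDERED_NSG = [
    Rule("AllowAnyInbound", 150, "Inbound", "Allow", "*", ("*",), ("*",), ("*",)),
    Rule("DenyRDPFromInternet", 200, "Inbound", "Deny", "Tcp", ("3389",), ("Internet",), ("*",)),
] + DEFAULT_RULES

if __name__ == "__main__":
    print(evaluate(WEB_NSG, "Inbound", "Tcp", "198.51.100.7", "10.0.1.4", 22))   # denied by default rule
    print(evaluate(WEB_NSG, "Inbound", "Tcp", "10.0.3.5", "10.0.1.4", 8080))     # allowed: VNet to VNet
    print(shadowed_rules(MISORDERED_NSG))                                          # the Deny never fires
```

Two things the model makes visible: SSH from any address other than 203.0.113.50 falls all the way through to DenyAllInBound, and an intra-VNet flow on an unlisted port is still allowed by the 65000 default, so a private subnet is not isolated from the rest of the VNet until you add an explicit Deny above it. Against a real deployment, Network Watcher's IP flow verify answers the same question using the effective rules.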
### Creating NSG Rules

```bash
# Create an NSG
az network nsg create --resource-group myapp-rg --name web-nsg

# Allow HTTP from anywhere
az network nsg rule create \
  --resource-group myapp-rg \
  --nsg-name web-nsg \
  --name AllowHTTP \
  --priority 100 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --destination-port-ranges 80 443 \
  --source-address-prefixes '*'

# Allow SSH from a specific IP
az network nsg rule create \
  --resource-group myapp-rg \
  --nsg-name web-nsg \
  --name AllowSSH \
  --priority 110 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --destination-port-ranges 22 \
  --source-address-prefixes 203.0.113.50/32

# Associate NSG with a subnet
az network vnet subnet update \
  --resource-group myapp-rg \
  --vnet-name myapp-vnet \
  --name frontend \
  --network-security-group web-nsg
```

### Application Security Groups (ASGs)

ASGs let you group VMs logically and reference them in NSG rules (like AWS SG-to-SG references):
```bash
# Create ASGs
az network asg create --resource-group myapp-rg --name web-servers
az network asg create --resource-group myapp-rg --name db-servers

# Allow web-servers to access db-servers on port 5432
az network nsg rule create \
  --resource-group myapp-rg \
  --nsg-name backend-nsg \
  --name AllowWebToDb \
  --priority 100 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --destination-port-ranges 5432 \
  --source-asgs web-servers \
  --destination-asgs db-servers
```

## Load Balancers

### Azure Load Balancer (Layer 4)

Distributes TCP/UDP traffic. Comparable to AWS NLB.
| SKU | Features | Use Case |
|---|---|---|
| Basic | Limited, no AZ support, free | Dev/test |
| Standard | AZ-aware, zone-redundant, SLA, required for production | Production |
```bash
# Create a standard load balancer
az network lb create \
  --resource-group myapp-rg \
  --name my-lb \
  --sku Standard \
  --frontend-ip-name myFrontend \
  --backend-pool-name myBackend \
  --public-ip-address my-public-ip
```

### Application Gateway (Layer 7)

HTTP/HTTPS load balancer with URL-based routing, SSL termination, and WAF. Comparable to AWS ALB.

```text
Client ──► Application Gateway ──► /api/*    ──► Backend Pool A (VMs)
                                ──► /web/*    ──► Backend Pool B (App Service)
                                ──► /static/* ──► Backend Pool C (Storage)
```

Key features:
- URL-based routing — Route by path or hostname.
- SSL termination — Offload TLS at the gateway.
- Web Application Firewall (WAF) — Built-in OWASP protection.
- Autoscaling — Scale based on traffic.
- Session affinity — Sticky sessions via cookies.
### Azure Front Door

Global load balancer and CDN — comparable to AWS CloudFront + Global Accelerator:
- Global HTTP/HTTPS routing with latency-based or priority-based routing.
- Built-in WAF and DDoS protection.
- SSL offloading at the edge.
- Caching at edge locations worldwide.
Use Front Door for globally distributed applications; Application Gateway for regional applications.
## Azure DNS

Managed DNS service for hosting DNS zones:

```bash
# Create a DNS zone
az network dns zone create --resource-group myapp-rg --name example.com

# Add an A record
az network dns record-set a add-record \
  --resource-group myapp-rg \
  --zone-name example.com \
  --record-set-name www \
  --ipv4-address 20.50.100.150

# Add a CNAME
az network dns record-set cname set-record \
  --resource-group myapp-rg \
  --zone-name example.com \
  --record-set-name api \
  --cname api.azurewebsites.net
```

Azure Private DNS resolves names within a VNet (like AWS Route 53 private hosted zones).
## VNet Peering

Connect two VNets so resources can communicate directly using private IPs:

```bash
# Peer VNet-A to VNet-B
az network vnet peering create \
  --resource-group rg-a \
  --name a-to-b \
  --vnet-name vnet-a \
  --remote-vnet /subscriptions/.../resourceGroups/rg-b/providers/Microsoft.Network/virtualNetworks/vnet-b \
  --allow-vnet-access

# Peer VNet-B to VNet-A (peering must be created in both directions)
az network vnet peering create \
  --resource-group rg-b \
  --name b-to-a \
  --vnet-name vnet-b \
  --remote-vnet /subscriptions/.../resourceGroups/rg-a/providers/Microsoft.Network/virtualNetworks/vnet-a \
  --allow-vnet-access
```

- Works across regions (global VNet peering) and across subscriptions.
- Not transitive — A↔B and B↔C doesn’t give A↔C (use Azure Virtual WAN or hub-spoke with a firewall for that).
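Peering only works when the two address spaces do not overlap, and the same holds for routes to on-premises networks, so the CIDR planning mentioned in the takeaways is worth checking before anything is created. The following is an added Python example, not Azure tooling, that uses the standard library's `ipaddress` module to find overlapping address spaces, confirm subnets sit inside their VNet without overlapping each other, and report usable capacity (Azure reserves 5 addresses in every subnet). Apart from myapp-vnet and its two subnets from this page, the address spaces are constructed.

```python
"""Address-plan checks before creating or peering VNets.

Added example, not Azure tooling. Address spaces other than myapp-vnet are constructed.
"""
import ipaddress
from itertools import combinations

def overlapping_spaces(spaces):
    """Pairs of named address spaces that overlap; peering (and hybrid routing) require none."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in spaces.items()}
    return sorted((a, b) for (a, na), (b, nb) in combinations(nets.items(), 2) if na.overlaps(nb))

def usable_hosts(subnet_cidr):
    """Azure reserves 5 addresses per subnet: network, default gateway, two DNS, broadcast."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - 5

def validate_subnets(vnet_cidr, subnets):
    """Return problems: subnets outside the VNet address space, then subnets overlapping each other."""
    vnet = ipaddress.ip_network(vnet_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    problems = [f"{name} {net} is not inside {vnet}" for name, net in nets.items() if not net.subnet_of(vnet)]
    problems += [f"{a} overlaps {b}" for (a, na), (b, nb) in combinations(nets.items(), 2) if na.overlaps(nb)]
    return problems

ADDRESS_SPACES = {
    "myapp-vnet": "10.0.0.0/16",     # from this page
    "vnet-b": "10.1.0.0/16",         # constructed: peers cleanly with myapp-vnet
    "legacy-vnet": "10.0.128.0/17",  # constructed: collides with myapp-vnet, peering would fail
    "on-prem": "192.168.0.0/16",     # constructed on-premises range
}
MYAPP_SUBNETS = {"frontend": "10.0.1.0/24", "backend": "10.0.3.0/24"}  # from this page

if __name__ == "__main__":
    print("overlaps:", overlapping_spaces(ADDRESS_SPACES))
    print("subnet problems:", validate_subnets("10.0.0.0/16", MYAPP_SUBNETS))
    for name, cidr in MYAPP_SUBNETS.items():
        print(f"{name} {cidr}: {usable_hosts(cidr)} usable addresses")
```

Run this against the full inventory (every VNet you intend to peer plus every on-premises prefix advertised over VPN or ExpressRoute) whenever a new VNet is proposed; the collision shown by legacy-vnet is the kind that is cheap to fix on paper and expensive after workloads have been deployed.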
## Private Endpoints

Access Azure PaaS services (Storage, SQL, Key Vault) over a private IP in your VNet — traffic never goes over the internet:

```bash
az network private-endpoint create \
  --resource-group myapp-rg \
  --name my-sql-pe \
  --vnet-name myapp-vnet \
  --subnet backend \
  --private-connection-resource-id /subscriptions/.../Microsoft.Sql/servers/my-sql-server \
  --group-ids sqlServer \
  --connection-name my-sql-connection
```

The Azure SQL server now has a private IP (10.0.3.x) in your VNet. Disable public access on the SQL server to ensure all traffic goes through the private endpoint.
## NAT Gateway

Provides outbound internet for private subnets (like AWS NAT Gateway):

```bash
# Create a NAT gateway
az network nat gateway create \
  --resource-group myapp-rg \
  --name my-nat-gw \
  --public-ip-addresses my-nat-ip

# Associate with a subnet
az network vnet subnet update \
  --resource-group myapp-rg \
  --vnet-name myapp-vnet \
  --name backend \
  --nat-gateway my-nat-gw
```

## Key Takeaways

- A VNet is your isolated network. Plan CIDR ranges to avoid conflicts with other VNets and on-premises networks.
- NSGs are firewall rules evaluated by priority (first match wins). Use ASGs for logical grouping.
- Application Gateway for Layer 7 (HTTP routing, SSL, WAF); Azure Load Balancer for Layer 4 (TCP/UDP).
- Azure Front Door for global applications with built-in CDN, WAF, and latency-based routing.
- Use Private Endpoints to access PaaS services (SQL, Storage, Key Vault) over private IPs — no internet exposure.
- VNet Peering connects two VNets directly. Not transitive — use hub-spoke topology with a firewall for complex networks.