In this lesson, we’ll explore Azure’s core networking components—Virtual Networks (VNets), CIDR addressing, subnets, Network Security Groups (NSGs), Route Tables, and User-Defined Routes (UDRs). These building blocks form the foundation of secure, scalable networking for Azure Kubernetes Service (AKS).

Table of Contents

  1. Virtual Networks (VNets) & CIDR Notation
  2. Subnets
  3. Network Security Groups (NSGs)
  4. Route Tables & User-Defined Routes (UDRs)
  5. VNet Peering
  6. Quick Reference
  7. Links and References

Virtual Networks (VNets) & CIDR Notation

A Virtual Network (VNet) provides an isolated, private IP address space in Azure. VNets support both IPv4 and IPv6; this guide focuses on IPv4. Address ranges are written in Classless Inter-Domain Routing (CIDR) notation: an IP address followed by a prefix length, for example 10.2.0.0/16, whose first 16 bits identify the network and leave 16 bits for hosts. Example CLI:
# Create a VNet with a /16 CIDR block (65,536 addresses; Azure reserves 5 in every subnet carved from it)
az network vnet create \
  --resource-group MyResourceGroup \
  --name VNet1 \
  --address-prefixes 10.2.0.0/16
Plan non-overlapping CIDR blocks across every VNet you expect to peer or connect to on-premises networks (Azure refuses to peer VNets whose address spaces overlap), and track allocations with an IP address management (IPAM) tool.

Subnets

A subnet segments your VNet's address space into smaller networks so that you can group and isolate resources such as VMs or AKS node pools and attach an NSG or route table to each group. Size AKS node subnets with growth in mind: with the Azure CNI plug-in each pod also consumes an address from the node subnet. Example CLI:
# Create two /24 subnets within VNet1
az network vnet subnet create \
  --resource-group MyResourceGroup \
  --vnet-name VNet1 \
  --name SubnetA \
  --address-prefixes 10.2.1.0/24

az network vnet subnet create \
  --resource-group MyResourceGroup \
  --vnet-name VNet1 \
  --name SubnetB \
  --address-prefixes 10.2.2.0/24
Subnets within the same VNet must not overlap and must fall inside the VNet's address space. Azure also reserves the first four and the last address of every subnet (network, default gateway, two for Azure DNS, broadcast), so a /24 leaves 251 usable addresses, and /29 is the smallest subnet Azure accepts.
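As an added example (not part of the original lesson), the following bash script checks a VNet/subnet plan offline before any `az network` command is run: every subnet must lie inside the VNet, be at least a /29, and not overlap another subnet, and it reports usable host counts after Azure's five reserved addresses. The helper functions and the sample plans are constructed for this illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original lesson): validate an Azure VNet/subnet
# address plan offline. Azure reserves 5 addresses per subnet and rejects
# subnets smaller than /29, so a /24 yields 251 usable hosts.
set -euo pipefail

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  local IFS=. a b c d
  read -r a b c d <<< "$1"
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Print "first last" (network and broadcast) as integers for a CIDR block.
cidr_range() {
  local ip=${1%/*} len=${1#*/} mask net
  mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  net=$(( $(ip_to_int "$ip") & mask ))
  echo "$net $(( net | (~mask & 0xFFFFFFFF) ))"
}

# Succeeds if CIDR $1 lies entirely inside CIDR $2.
cidr_within() {
  local c1 c2 p1 p2
  read -r c1 c2 <<< "$(cidr_range "$1")"
  read -r p1 p2 <<< "$(cidr_range "$2")"
  [ "$c1" -ge "$p1" ] && [ "$c2" -le "$p2" ]
}

# Succeeds if CIDRs $1 and $2 share at least one address.
cidrs_overlap() {
  local a1 a2 b1 b2
  read -r a1 a2 <<< "$(cidr_range "$1")"
  read -r b1 b2 <<< "$(cidr_range "$2")"
  [ "$a1" -le "$b2" ] && [ "$b1" -le "$a2" ]
}

# Usable host addresses in an Azure subnet: block size minus the 5 reserved.
azure_usable_hosts() {
  local n1 n2
  read -r n1 n2 <<< "$(cidr_range "$1")"
  echo $(( n2 - n1 + 1 - 5 ))
}

# validate_plan VNET_CIDR SUBNET_CIDR... : prints one line per problem and
# returns 0 only when every subnet fits the VNet, is at least a /29, and no
# two subnets overlap.
validate_plan() {
  local vnet=$1; shift
  local -a subnets=("$@")
  local rc=0 i j s
  for i in "${!subnets[@]}"; do
    s=${subnets[$i]}
    if ! cidr_within "$s" "$vnet"; then
      echo "ERROR: $s is not inside VNet $vnet"; rc=1
    fi
    if [ "${s#*/}" -gt 29 ]; then
      echo "ERROR: $s is smaller than /29, the minimum Azure subnet size"; rc=1
    fi
    for j in "${!subnets[@]}"; do
      if [ "$j" -gt "$i" ] && cidrs_overlap "$s" "${subnets[$j]}"; then
        echo "ERROR: $s overlaps ${subnets[$j]}"; rc=1
      fi
    done
  done
  return "$rc"
}

# Constructed plans: the lesson's VNet1 with its two /24 subnets, then a broken one.
echo "Usable hosts in 10.2.1.0/24: $(azure_usable_hosts 10.2.1.0/24)"
if validate_plan 10.2.0.0/16 10.2.1.0/24 10.2.2.0/24; then
  echo "plan OK: safe to create VNet1 and its subnets"
fi
validate_plan 10.2.0.0/16 10.2.1.0/24 10.2.1.128/25 10.3.0.0/24 || echo "plan rejected"
```

Run the checks against the address plan in a pipeline step before the `az network vnet create` and `az network vnet subnet create` calls; a rejected plan should fail the step rather than be applied.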

Network Security Groups (NSGs)

A Network Security Group (NSG) acts as a stateful virtual firewall attached at the subnet or NIC level. Each rule is inbound or outbound and allows or denies traffic by source and destination (an IP or CIDR, a service tag such as Internet or VirtualNetwork, or an application security group), destination port, and protocol. Rules are evaluated in ascending priority order (100 to 4096 for custom rules) and the first match wins, so a later Deny cannot undo an earlier Allow that already covers the traffic. Example CLI:
# Create an NSG and attach it to SubnetA
az network nsg create \
  --resource-group MyResourceGroup \
  --name MyNSG

az network vnet subnet update \
  --resource-group MyResourceGroup \
  --vnet-name VNet1 \
  --name SubnetA \
  --network-security-group MyNSG
Every NSG carries default rules at priorities 65000 to 65500 that cannot be deleted: inbound traffic from the VirtualNetwork tag (the VNet itself, peered VNets, and on-premises prefixes reachable through a gateway) and from the Azure load balancer is allowed and all other inbound traffic is denied; outbound traffic to VirtualNetwork and to the Internet is allowed and all other outbound traffic is denied. An NSG with no custom rules therefore blocks inbound Internet traffic but leaves outbound Internet access open. Add explicit rules for the traffic your policy requires, and an explicit outbound Deny if egress must be restricted.

Route Tables & User-Defined Routes (UDRs)

Azure decides where to forward a packet leaving a NIC by consulting that NIC's effective routes, which come from three sources:
  • System routes (created automatically: the VNet address space, peered VNets, and a 0.0.0.0/0 route to the Internet)
  • BGP routes (learned via an ExpressRoute or VPN gateway)
  • User-Defined Routes (UDRs), which live in a Route Table resource that you associate with a subnet
Azure selects the route with the longest matching prefix; when several routes share the same prefix, a UDR wins over a BGP route, which wins over a system route. UDRs therefore let you override default forwarding, for instance to send all Internet-bound traffic through a firewall appliance. Example CLI:
# Create a route table
az network route-table create \
  --resource-group MyResourceGroup \
  --name MyRouteTable

# Add a UDR sending all Internet-bound traffic to a network virtual appliance (NVA)
# at 10.2.1.4 in SubnetA. The NVA's NIC must have IP forwarding enabled
# (az network nic update --ip-forwarding true), or Azure drops packets that are
# not addressed to the NIC itself.
az network route-table route create \
  --resource-group MyResourceGroup \
  --route-table-name MyRouteTable \
  --name InternetRoute \
  --address-prefix 0.0.0.0/0 \
  --next-hop-type VirtualAppliance \
  --next-hop-ip-address 10.2.1.4

# Associate the route table with the workload subnet (SubnetB), not with SubnetA
# where the NVA lives: a default route pointing at the NVA on the NVA's own
# subnet would send the appliance's egress back to itself.
az network vnet subnet update \
  --resource-group MyResourceGroup \
  --vnet-name VNet1 \
  --name SubnetB \
  --route-table MyRouteTable
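The following bash script is an added example, not code from the lesson, that simulates the two decisions described in the NSG and Route Table sections above for a single packet: which NSG rule an inbound or outbound flow hits (lowest priority number first, first match wins, default rules at 65000 to 65500), and which effective route a destination selects (longest prefix, then UDR over BGP over System). The rule sets, route list, VNet prefix and host addresses are constructed; the VirtualNetwork and Internet service tags are approximated as "inside the VNet prefix" and "outside it", which ignores the peered and on-premises prefixes the real VirtualNetwork tag also covers.

```shell
#!/usr/bin/env bash
# Added example, not part of the lesson: evaluate an NSG rule set and the
# effective route for one packet the way Azure does. Tags are simplified:
# VirtualNetwork = the VNet prefix below, Internet = anything outside it.
set -euo pipefail

VNET_CIDR=10.2.0.0/16              # constructed: VNet1 from the lesson
AZURE_LB_PROBE_IP=168.63.129.16    # source address behind the AzureLoadBalancer tag

# Succeeds if IPv4 address $1 is inside CIDR $2.
ip_in_cidr() {
  local a b c d ip net len mask IFS=.
  read -r a b c d <<< "$1"; ip=$(( (a << 24) | (b << 16) | (c << 8) | d ))
  read -r a b c d <<< "${2%/*}"; net=$(( (a << 24) | (b << 16) | (c << 8) | d ))
  len=${2#*/}; mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Address pattern match: '*', a CIDR, or a (simplified) service tag.
match_addr() {
  case $2 in
    '*')               return 0 ;;
    VirtualNetwork)    ip_in_cidr "$1" "$VNET_CIDR" ;;
    Internet)          ! ip_in_cidr "$1" "$VNET_CIDR" ;;
    AzureLoadBalancer) [ "$1" = "$AZURE_LB_PROBE_IP" ] ;;
    *)                 ip_in_cidr "$1" "$2" ;;
  esac
}

# Port pattern match: '*', a single port, or a range such as 22-443.
match_port() {
  case $2 in
    '*') return 0 ;;
    *-*) [ "$1" -ge "${2%-*}" ] && [ "$1" -le "${2#*-}" ] ;;
    *)   [ "$1" -eq "$2" ] ;;
  esac
}

# nsg_evaluate RULES DIRECTION PROTO SRC_IP DST_IP DST_PORT
# RULES holds one rule per line: priority direction action proto src dst dport name.
# Rules are tried in ascending priority and the first match decides, as in Azure.
nsg_evaluate() {
  local rules=$1 dir=$2 proto=$3 src=$4 dst=$5 dport=$6
  local prio rdir action rproto rsrc rdst rport name
  while read -r prio rdir action rproto rsrc rdst rport name; do
    [ "$rdir" = "$dir" ] || continue
    { [ "$rproto" = '*' ] || [ "$rproto" = "$proto" ]; } || continue
    match_addr "$src" "$rsrc" && match_addr "$dst" "$rdst" && match_port "$dport" "$rport" || continue
    echo "$action ($name)"; return 0
  done <<< "$(sort -n <<< "$rules")"
  echo "Deny (no rule matched)"
}

# Azure's default rules (priorities 65000-65500), present in every NSG.
DEFAULT_RULES='65000 Inbound Allow * VirtualNetwork VirtualNetwork * AllowVnetInBound
65001 Inbound Allow * AzureLoadBalancer * * AllowAzureLoadBalancerInBound
65500 Inbound Deny * * * * DenyAllInBound
65000 Outbound Allow * VirtualNetwork VirtualNetwork * AllowVnetOutBound
65001 Outbound Allow * * Internet * AllowInternetOutBound
65500 Outbound Deny * * * * DenyAllOutBound'

# Constructed custom rules. The "sloppy" set intends to block SSH from the
# Internet at priority 200, but a port range at priority 100 already allows it.
NSG_SLOPPY="100 Inbound Allow Tcp * * 22-443 AllowWideRange
200 Inbound Deny Tcp Internet * 22 DenySshFromInternet
$DEFAULT_RULES"
NSG_FIXED="100 Inbound Allow Tcp Internet * 443 AllowHttpsIn
200 Inbound Deny Tcp Internet * 22 DenySshFromInternet
$DEFAULT_RULES"

# Constructed effective routes for a NIC in a subnet associated with MyRouteTable:
# prefix next-hop-type next-hop-ip origin
ROUTES='10.2.0.0/16 VnetLocal - System
0.0.0.0/0 Internet - System
10.0.0.0/8 VirtualNetworkGateway - BGP
0.0.0.0/0 VirtualAppliance 10.2.1.4 User'

# select_route DST_IP ROUTES: longest prefix wins; on a tie User > BGP > System.
select_route() {
  local dst=$1 best=none best_len=-1 best_rank=9
  local prefix nh nhip origin len rank
  while read -r prefix nh nhip origin; do
    ip_in_cidr "$dst" "$prefix" || continue
    len=${prefix#*/}
    case $origin in User) rank=0 ;; BGP) rank=1 ;; *) rank=2 ;; esac
    if [ "$len" -gt "$best_len" ] || { [ "$len" -eq "$best_len" ] && [ "$rank" -lt "$best_rank" ]; }; then
      best="$prefix $nh $nhip $origin"; best_len=$len; best_rank=$rank
    fi
  done <<< "$2"
  echo "$best"
}

# Constructed flows: SSH from an Internet host to a VM at 10.2.2.10, then a route lookup.
echo "sloppy NSG, SSH from 203.0.113.5: $(nsg_evaluate "$NSG_SLOPPY" Inbound Tcp 203.0.113.5 10.2.2.10 22)"
echo "fixed NSG,  SSH from 203.0.113.5: $(nsg_evaluate "$NSG_FIXED" Inbound Tcp 203.0.113.5 10.2.2.10 22)"
echo "effective route for 8.8.8.8: $(select_route 8.8.8.8 "$ROUTES")"
```

The sloppy rule set shows why rule order is decided by priority number, not by the order rules were written: the Deny at 200 is never reached for SSH from the Internet because the range rule at 100 already matched. In a real deployment, compare your intent against `az network nic list-effective-nsg` and `az network nic show-effective-route-table`, which print exactly the merged rule and route sets this script approximates.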

VNet Peering

VNet Peering connects two VNets, in the same region or (as global peering) across regions, over the Azure backbone with low latency and high bandwidth. Peering is not transitive (peering VNet1 with VNet2 and VNet2 with VNet3 does not connect VNet1 to VNet3), requires non-overlapping address spaces, and must be created from both sides. Example CLI:
# Peer VNet1 with VNet2 (one direction)
az network vnet peering create \
  --name VNet1-to-VNet2 \
  --resource-group MyResourceGroup \
  --vnet-name VNet1 \
  --remote-vnet /subscriptions/.../resourceGroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworks/VNet2 \
  --allow-vnet-access
# Create the matching peering from VNet2 back to VNet1 (--vnet-name VNet2,
# --remote-vnet pointing at VNet1); until then the peering stays in the Initiated state.
[Figure: three virtual networks (VNet1, VNet2, VNet3), each containing two subnets with network security groups and other components.]

Quick Reference

Component   | Description                                                              | CLI Example
VNet        | Private IP address space                                                 | az network vnet create --resource-group RG --name VNet1 --address-prefixes 10.2.0.0/16
Subnet      | Subdivision of a VNet                                                    | az network vnet subnet create --resource-group RG --vnet-name VNet1 --name SubnetA --address-prefixes 10.2.1.0/24
NSG         | Virtual firewall at subnet or NIC level                                  | az network nsg create --resource-group RG --name MyNSG
Route Table | Holds user-defined routes; merged with system and BGP routes into a NIC's effective routes | az network route-table create --resource-group RG --name MyRouteTable
Route       | Custom path (UDR); VirtualAppliance next hops also need --next-hop-ip-address | az network route-table route create --resource-group RG --route-table-name MyRouteTable --name InternetRoute --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address 10.2.1.4