Back to Blog
AzureAZ-104NetworkingAdminTutorial

Design Azure Virtual Networks: Subnets, NSGs and Service Endpoints

Complete AZ-104 tutorial on VNets & Subnets. Learn address planning, NSG rules, UDR, service endpoints.

Daniel Urbano
October 21, 2025
9 min read
Design Azure Virtual Networks: Subnets, NSGs and Service Endpoints

Design Azure Virtual Networks: Subnets, NSGs, and Service Endpoints

Introduction

Azure Virtual Networks (VNet) are a fundamental building block for Azure networking, providing a secure and isolated environment for resources to communicate with each other. Understanding how to design and implement VNets, including subnets, Network Security Groups (NSGs), and service endpoints, is crucial for the AZ-104 certification as it ensures effective management of network traffic, security, and resource organization.

Designing a VNet involves careful address planning, defining subnets for organizing resources, implementing NSGs for controlling traffic, and utilizing service endpoints to enhance connectivity to Azure services. These aspects matter not only for exam success but also for real-world applications, such as establishing secure connections between resources and optimizing network performance. This tutorial will guide you through the essentials of designing Azure VNets, focusing on practical examples and best practices.

Prerequisites

To follow this tutorial, you need:

  • An active Azure subscription.
  • Appropriate RBAC permissions to create and manage VNets, NSGs, and subnets.
  • Familiarity with Azure CLI, PowerShell, and the Azure Portal.
  • Knowledge of basic networking concepts.

Core Concepts

Key Definitions

  • Virtual Network (VNet): A representation of your own network in Azure, allowing resources to securely communicate.
  • Subnet: A segment of a VNet that can contain Azure resources, helping to organize and secure them.
  • Network Security Group (NSG): A set of rules that control inbound and outbound traffic to network interfaces and subnets.
  • Service Endpoint: A feature that allows secure access to Azure services over a VNet.

Architecture

A VNet can contain multiple subnets, each defined by an IP address range. NSGs can be associated with subnets or individual network interfaces to enforce security policies. Service endpoints enhance security by providing direct access to Azure services without exposing the traffic to the public internet.

When to Use

Use VNets when you need:

  • Isolation of resources.
  • Control over traffic flow with NSGs.
  • Secure connection to Azure services with service endpoints.

Limitations

  • Subnet Limitations: Each VNet can have a maximum of 265 subnets.
  • NSG Rules: Each NSG can contain up to 400 rules.

Pricing Notes

Charges may apply for data transfer between VNets, particularly when resources are in different regions.

Syntax/Configuration

Azure CLI Command Structure

az network vnet create --name <vnet-name> --resource-group <resource-group> --address-prefix <address-prefix> --subnet-name <subnet-name> --subnet-prefix <subnet-prefix>

Azure PowerShell Command Structure

New-AzVirtualNetwork -Name <vnet-name> -ResourceGroupName <resource-group> -Location <location> -AddressPrefix <address-prefix> -Subnet <subnet-name>,<subnet-prefix>

Parameters Table

Parameter Description
<vnet-name> Name of the virtual network
<resource-group> Name of the resource group
<address-prefix> IP address range for the VNet
<subnet-name> Name of the subnet
<subnet-prefix> IP address range for the subnet
<location> Azure region for the resources

Practical Examples

1. Creating a Virtual Network using Azure CLI

az network vnet create --name MyVNet --resource-group MyResourceGroup --address-prefix 10.0.0.0/16 --subnet-name MySubnet --subnet-prefix 10.0.0.0/24

This command creates a VNet named "MyVNet" with a subnet "MySubnet".

2. Creating a Virtual Network using PowerShell

New-AzVirtualNetwork -Name MyVNet -ResourceGroupName MyResourceGroup -Location "East US" -AddressPrefix 10.0.0.0/16 -Subnet "MySubnet,10.0.0.0/24"

This command achieves the same as the CLI command but uses PowerShell syntax.

3. Adding a Subnet to an Existing VNet

az network vnet subnet create --address-prefix 10.0.1.0/24 --name MyNewSubnet --resource-group MyResourceGroup --vnet-name MyVNet

This command adds a new subnet "MyNewSubnet" to the existing VNet.

4. Creating a Network Security Group

az network nsg create --resource-group MyResourceGroup --name MyNSG

This command creates a new NSG named "MyNSG".

5. Adding NSG Rules

az network nsg rule create --resource-group MyResourceGroup --nsg-name MyNSG --name AllowHTTP --protocol Tcp --priority 100 --destination-port-range 80 --access Allow --direction Inbound

This command adds a rule to allow HTTP traffic.

6. Associating NSG with a Subnet

az network vnet subnet update --resource-group MyResourceGroup --vnet-name MyVNet --name MySubnet --network-security-group MyNSG

This command associates the NSG with the specified subnet.

7. Creating a Service Endpoint for Azure Storage

az network vnet subnet update --name MySubnet --resource-group MyResourceGroup --vnet-name MyVNet --service-endpoints Microsoft.Storage

This command enables a service endpoint for Azure Storage on the subnet.

8. Viewing NSG Flow Logs

az network nsg show-flow-logs --resource-group MyResourceGroup --nsg-name MyNSG

This command retrieves the flow logs for the NSG, providing visibility into traffic patterns.

Real-World Scenarios

Scenario 1: Isolated Development Environment

You need to set up an isolated environment for development teams to work without affecting production. Create a VNet with multiple subnets, each dedicated to different development projects, and apply NSG rules to restrict access between subnets.

Scenario 2: Secure Access to Azure SQL Database

To secure access to an Azure SQL Database, create a VNet with a service endpoint for SQL. This setup allows secure communication from application servers in the VNet without exposing the database to the public internet.

Scenario 3: Multi-Tier Application Architecture

Design a multi-tier application with a web tier, application tier, and database tier. Each tier can reside in different subnets, with NSGs controlling traffic between them based on security requirements.

Best Practices

  1. Plan IP Addressing: Allocate sufficient IP address space for future growth and avoid overlaps.
  2. Use NSGs Wisely: Define NSGs at the subnet level to simplify management while maintaining granular control at the NIC level.
  3. Enable Service Endpoints: Use service endpoints for Azure services to reduce exposure to the public internet and enhance security.
  4. Monitor Traffic: Regularly review NSG flow logs to identify unusual traffic patterns or unauthorized access attempts.
  5. Implement UDRs: Use User-Defined Routes (UDRs) to control traffic flow within your VNet and to external networks.

Common Errors

  1. Error: "Subnet is not available"

    • Cause: The subnet already exists or overlaps with another subnet.
    • Fix: Check existing subnets and modify the address range.

  2. Error: "Network Security Group rule limit exceeded"

    • Cause: Exceeding the maximum number of rules in an NSG.
    • Fix: Consolidate rules or create additional NSGs.

  3. Error: "Insufficient permissions to create resources"

    • Cause: Lack of required RBAC permissions.
    • Fix: Ensure the user has the necessary role assignments.

  4. Error: "Service endpoint not enabled"

    • Cause: Attempting to access a service endpoint that isn’t configured.
    • Fix: Ensure the service endpoint is enabled for the respective subnet.

Related Services/Commands

Service/Command Description
Azure Firewall Advanced network security for VNets
Azure VPN Gateway Securely connect on-premises networks to Azure
Azure ExpressRoute Dedicated private connection to Azure
User Defined Routes (UDR) Custom routing rules for network traffic
Azure Bastion Secure remote access to VMs without public IPs

Automation Script

Here's a PowerShell script to automate the creation of a VNet, subnets, and NSGs:

# Variables
$resourceGroup = "MyResourceGroup"
$vnetName = "MyVNet"
$location = "East US"
$vnetAddressPrefix = "10.0.0.0/16"
$subnetAddressPrefix = "10.0.0.0/24"
$nsgName = "MyNSG"

# Create Resource Group
New-AzResourceGroup -Name $resourceGroup -Location $location

# Create Virtual Network
$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroup -Location $location -AddressPrefix $vnetAddressPrefix

# Create Subnet
Add-AzVirtualNetworkSubnetConfig -Name "MySubnet" -AddressPrefix $subnetAddressPrefix -VirtualNetwork $vnet

# Create NSG
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Location $location -Name $nsgName

# Add NSG Rule
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "AllowHTTP" -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 80 -Access Allow

# Apply NSG to Subnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "MySubnet" -NetworkSecurityGroup $nsg

# Save changes
$vnet | Set-AzVirtualNetwork

This script automates the creation of a resource group, a VNet, a subnet, and an NSG with a rule.

Conclusion

In this tutorial, we explored the design and implementation of Azure Virtual Networks, focusing on subnets, Network Security Groups, and service endpoints. We highlighted practical examples, real-world scenarios, best practices, and common errors to help you succeed in your AZ-104 exam and real-world Azure networking tasks.

To further enhance your understanding, consider exploring Microsoft Learn for guided labs and study paths related to Azure networking.

References

This tutorial aims to provide a comprehensive overview of designing Azure Virtual Networks, essential for both the AZ-104 exam and practical Azure networking tasks. 🚀