Azure Virtual Networks are the foundational networking layer for Azure workloads. Getting the network design right from the start avoids expensive retrofits as the environment grows.
VNet and address space planning
Azure VNet address space planning is difficult to undo: changing a VNet's address space after resources are deployed requires redeployment. Plan for growth: a /16 VNet (65,536 IPs) provides room for multiple subnets across all environments and future expansion. Subnet sizing: allocate subnets by role (AKS node pool subnet, AKS pod subnet for Azure CNI, App Services subnet, private endpoint subnet) with appropriate size for each. Azure reserves 5 IPs per subnet.
Network Security Groups as microsegmentation
NSGs filter traffic by source/destination IP, port, and protocol. They are the primary microsegmentation tool in Azure. The security standard: every subnet should have an NSG with a default-deny inbound rule and explicit allow rules for required traffic. The NSG rule priority model (lower numbers evaluated first, matched rule terminates evaluation) requires careful rule ordering. Application Security Groups (ASGs) allow rules to reference groups of VMs by logical name rather than IP addresses.
Private endpoints for PaaS services
Azure Private Endpoint creates a private IP address in your VNet for PaaS services (Storage, SQL, Key Vault, Service Bus, ACR). Network traffic to the service traverses the Azure backbone rather than the public internet. Private Endpoints eliminate the public endpoint of the PaaS service for your access, reducing the attack surface. DNS resolution for the service FQDN (mystorageaccount.blob.core.windows.net) resolves to the private IP via Private DNS Zones linked to the VNet.
VNet peering vs VPN gateways
VNet peering connects two VNets at the Azure backbone level with low latency and high bandwidth. Peered VNets can communicate as if on the same network. VPN Gateway connects VNets (or on-premises networks) via encrypted tunnels over the public internet, with higher latency and lower bandwidth. For Azure-to-Azure connectivity, VNet peering is the correct choice unless cross-region or cross-subscription routing requires hub-and-spoke topology with Azure Virtual WAN or Azure Route Server.