3: Virtual networking fundamentals

In this objective, you will learn how to build and configure the required Azure resources in your own environment. Make sure you use your own Azure subscription, tenant, and resource groups when completing the tasks. The goal of this lab is to gain hands-on experience with setting up Azure infrastructure in a secure and structured way, with the aim of maximizing the learning experience.

Difficulty: Easy

Introduction

In this lab, we will build the basic networking foundation for Justin Verstijnen Inc. in Microsoft Azure.

You will create a virtual network, configure custom DNS settings, create and associate a Network Security Group, and create a second virtual network. After that, you will configure VNet peering so that both virtual networks can communicate with each other.

This lab is not necessarily a complete step-by-step guide for every button in the Azure Portal. The main goal is to achieve the required end-state, understand what you are building and become more comfortable with Azure networking concepts.

The Azure Portal is updated regularly, so some buttons or menu names may be slightly different when you perform this lab.


Requirements

  • Around 30 minutes of your time
  • Access to an Azure subscription
  • Basic knowledge of the Azure Portal
  • Basic understanding of IP addressing and subnets
  • Basic understanding of firewall rules
  • Basic understanding of DNS

Minimizing Azure costs

This lab only uses networking resources, so the costs should be very low compared to virtual machines. However, you should still clean up resources when you are done testing.

To minimize costs during this lab, use the following guidelines:

  • Use one lab resource group, so everything can be removed quickly
  • Do not deploy virtual machines unless you need them for testing
  • Review all resources before deleting the resource group
  • Check the Cost analysis page in your Azure subscription

My best recommendation is to complete the lab, take screenshots or notes of your configuration, test if everything works and remove the resource group afterwards.


Lab objective

Justin Verstijnen Inc. wants to create a basic Azure network design with two virtual networks.

The first virtual network will be used as the main lab network. It must use a custom DNS configuration and have a Network Security Group attached to the subnet.

The second virtual network will be used to test VNet peering. After the peering is created, both virtual networks should be able to communicate with each other.

Resource group

You need to use this resource group:

| Resource group name | Purpose |
| --- | --- |
| JV-LAB | All resources for this Azure networking lab |

If the resource group does not exist yet, you can create it before starting the lab.

Virtual networks

You need to create the following virtual networks:

| Virtual network name | Address space | Subnet name | Subnet address range |
| --- | --- | --- | --- |
| JV-VNET01 | 10.69.0.0/16 | default | 10.69.0.0/24 |
| JV-VNET02 | 10.70.0.0/16 | default | 10.70.0.0/24 |

When working with subnets, you can use this subnet calculator:

https://tools.justinverstijnen.nl/subnetcalculator

DNS configuration

Configure the following DNS servers on JV-VNET01:

| DNS server order | IP address | Description |
| --- | --- | --- |
| 1 | 10.69.0.4 | Custom DNS server |
| 2 | 168.63.129.16 | Azure-provided DNS / Azure platform IP |

Important note: Azure reserves the first 3 IP addresses and last 2 in every subnet. In a real production environment, you should make sure the custom DNS IP address is actually usable and reachable. For this lab, configure the DNS settings according to the required objective.

Network Security Group

Create this Network Security Group:

| Network Security Group name | Purpose |
| --- | --- |
| JV-NSG-VNET01 | NSG for the subnet in JV-VNET01 |

The NSG must contain two inbound allow rules:

| Rule name | Protocol | Port | Destination |
| --- | --- | --- | --- |
| Allow-HTTP-Inbound | TCP | 80 | 10.69.0.4 |
| Allow-HTTPS-Inbound | TCP | 443 | 10.69.0.4 |

The NSG must be associated with the default subnet in JV-VNET01.


3.1 Creating the resource group

Start by creating or opening the lab resource group.

  • Open the Azure Portal
  • Find and open “Resource groups”
  • Create a new resource group
  • Use the resource group name JV-LAB
  • Place it in the region “West Europe”
  • Finish the wizard

Use the following values as a guideline:

| Setting | Value |
| --- | --- |
| Resource group name | JV-LAB |
| Region | West Europe |

You can also create the resource group with Azure Cloud Shell.

Bash
az group create \
  --name JV-LAB \
  --location westeurope

3.2 Creating the first virtual network

Now create the first virtual network.

  • Open the Azure Portal
  • Find and open “Virtual networks”
  • Create a new virtual network
  • Use the resource group JV-LAB
  • Use the virtual network name JV-VNET01
  • Place it in the region “West Europe”
  • Configure the address space 10.69.0.0/16
  • Create a subnet named default
  • Configure the subnet address range 10.69.0.0/24
  • Finish the wizard

Use the following values as a guideline:

| Setting | Value |
| --- | --- |
| Resource group | JV-LAB |
| Virtual network name | JV-VNET01 |
| Region | West Europe |
| Address space | 10.69.0.0/16 |
| Subnet name | default |
| Subnet address range | 10.69.0.0/24 |

You can also create the virtual network with Azure Cloud Shell.

Bash
az network vnet create \
  --resource-group JV-LAB \
  --name JV-VNET01 \
  --location westeurope \
  --address-prefixes 10.69.0.0/16 \
  --subnet-name default \
  --subnet-prefixes 10.69.0.0/24

3.3 Configuring custom DNS on JV-VNET01

After creating the first virtual network, configure the DNS servers.

  • Open the Azure Portal
  • Find and open “Virtual networks”
  • Open JV-VNET01
  • Go to “DNS servers”
  • Choose “Custom”
  • Add the following DNS servers:
| Order | DNS server |
| --- | --- |
| 1 | 10.69.0.1 |
| 2 | 168.63.129.16 |
  • Save the configuration

The first DNS server is the custom DNS server for this lab. The second DNS server is the Azure platform DNS IP address.

You can also configure the DNS settings with Azure Cloud Shell.

Bash
az network vnet update \
  --resource-group JV-LAB \
  --name JV-VNET01 \
  --dns-servers 10.69.0.1 168.63.129.16

If virtual machines are already connected to this virtual network, they may need to be restarted before they use the new DNS configuration.


3.4 Creating the Network Security Group

Now create the Network Security Group for the first virtual network.

  • Open the Azure Portal
  • Find and open “Network Security Groups”
  • Create a new Network Security Group
  • Use the resource group JV-LAB
  • Use the name JV-NSG-VNET01
  • Place it in the region “West Europe”
  • Finish the wizard

Use the following values as a guideline:

| Setting | Value |
| --- | --- |
| Resource group | JV-LAB |
| Network Security Group name | JV-NSG-VNET01 |
| Region | West Europe |

You can also create the Network Security Group with Azure Cloud Shell.

Bash
az network nsg create \
  --resource-group JV-LAB \
  --name JV-NSG-VNET01 \
  --location westeurope

3.5 Creating the HTTP and HTTPS rules

Create two inbound security rules in the Network Security Group.

The first rule allows HTTP traffic to 10.69.0.4.

  • Open the Azure Portal
  • Find and open “Network Security Groups”
  • Open JV-NSG-VNET01
  • Go to “Inbound security rules”
  • Create a new rule
  • Use the following values:
| Setting | Value |
| --- | --- |
| Source | Any |
| Source port ranges | * |
| Destination | IP Addresses |
| Destination IP addresses/CIDR ranges | 10.69.0.4 |
| Service | Custom |
| Destination port ranges | 80 |
| Protocol | TCP |
| Action | Allow |
| Priority | 1000 |
| Name | Allow-HTTP-Inbound |

Now create the second rule for HTTPS.

| Setting | Value |
| --- | --- |
| Source | Any |
| Source port ranges | * |
| Destination | IP Addresses |
| Destination IP addresses/CIDR ranges | 10.69.0.4 |
| Service | Custom |
| Destination port ranges | 443 |
| Protocol | TCP |
| Action | Allow |
| Priority | 1010 |
| Name | Allow-HTTPS-Inbound |

You can also create both rules with Azure Cloud Shell.

Bash
az network nsg rule create \
  --resource-group JV-LAB \
  --nsg-name JV-NSG-VNET01 \
  --name Allow-HTTP-Inbound \
  --priority 1000 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --source-address-prefixes '*' \
  --source-port-ranges '*' \
  --destination-address-prefixes 10.69.0.4 \
  --destination-port-ranges 80

az network nsg rule create \
  --resource-group JV-LAB \
  --nsg-name JV-NSG-VNET01 \
  --name Allow-HTTPS-Inbound \
  --priority 1010 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --source-address-prefixes '*' \
  --source-port-ranges '*' \
  --destination-address-prefixes 10.69.0.4 \
  --destination-port-ranges 443

3.6 Associating the NSG with the subnet

A Network Security Group is not directly associated with an entire virtual network. Instead, it is associated with a subnet or a network interface.

For this lab, associate JV-NSG-VNET01 with the default subnet in JV-VNET01.

  • Open the Azure Portal
  • Find and open “Virtual networks”
  • Open JV-VNET01
  • Go to “Subnets”
  • Open the default subnet
  • Select the Network Security Group JV-NSG-VNET01
  • Save the subnet configuration

You can also associate the NSG with the subnet using Azure Cloud Shell.

Bash
az network vnet subnet update \
  --resource-group JV-LAB \
  --vnet-name JV-VNET01 \
  --name default \
  --network-security-group JV-NSG-VNET01

3.7 Creating the second virtual network

Now create the second virtual network.

  • Open the Azure Portal
  • Find and open “Virtual networks”
  • Create a new virtual network
  • Use the resource group JV-LAB
  • Use the virtual network name JV-VNET02
  • Place it in the region “West Europe”
  • Configure the address space 10.70.0.0/16
  • Create a subnet named default
  • Configure the subnet address range 10.70.0.0/24
  • Finish the wizard

Use the following values as a guideline:

| Setting | Value |
| --- | --- |
| Resource group | JV-LAB |
| Virtual network name | JV-VNET02 |
| Region | West Europe |
| Address space | 10.70.0.0/16 |
| Subnet name | default |
| Subnet address range | 10.70.0.0/24 |

You can also create the second virtual network with Azure Cloud Shell.

Bash
az network vnet create \
  --resource-group JV-LAB \
  --name JV-VNET02 \
  --location westeurope \
  --address-prefixes 10.70.0.0/16 \
  --subnet-name default \
  --subnet-prefixes 10.70.0.0/24

3.8 Creating VNet peering from JV-VNET01 to JV-VNET02

Now configure VNet peering from JV-VNET01 to JV-VNET02. A peering is a link between multiple networks over the Azure backbone. This ensures a fast, low-latency but unencrypted connection.

  • Open the Azure Portal
  • Find and open “Virtual networks”
  • Open JV-VNET01
  • Go to “Peerings”
  • Create a new peering
  • Use the following values:
| Setting | Value |
| --- | --- |
| Peering link name from JV-VNET01 to remote virtual network | JV-VNET01-to-JV-VNET02 |
| Remote virtual network | JV-VNET02 |
| Peering link name from remote virtual network to JV-VNET01 | JV-VNET02-to-JV-VNET01 |
| Allow JV-VNET01 to access JV-VNET02 | Enabled |
| Allow JV-VNET02 to access JV-VNET01 | Enabled |
| Allow forwarded traffic | Disabled |
| Allow gateway transit | Disabled |
| Use remote gateway | Disabled |

Finish the wizard.

If both virtual networks are in the same subscription and region, the Azure Portal can create both peering directions during the same wizard.

You can also create the peerings with Azure Cloud Shell.

Bash
VNET01_ID=$(az network vnet show \
  --resource-group JV-LAB \
  --name JV-VNET01 \
  --query id \
  --output tsv)

VNET02_ID=$(az network vnet show \
  --resource-group JV-LAB \
  --name JV-VNET02 \
  --query id \
  --output tsv)

az network vnet peering create \
  --resource-group JV-LAB \
  --vnet-name JV-VNET01 \
  --name JV-VNET01-to-JV-VNET02 \
  --remote-vnet "$VNET02_ID" \
  --allow-vnet-access

az network vnet peering create \
  --resource-group JV-LAB \
  --vnet-name JV-VNET02 \
  --name JV-VNET02-to-JV-VNET01 \
  --remote-vnet "$VNET01_ID" \
  --allow-vnet-access

3.9 Testing the lab objective

Now validate whether the environment meets the requirements.

Check the following items:

  • The resource group JV-LAB exists
  • The virtual network JV-VNET01 exists
  • JV-VNET01 uses address space 10.69.0.0/16
  • JV-VNET01 contains the subnet default
  • The subnet in JV-VNET01 uses address range 10.69.0.0/24
  • JV-VNET01 has custom DNS configured
  • The first DNS server is 10.69.0.1
  • The second DNS server is 168.63.129.16
  • The Network Security Group JV-NSG-VNET01 exists
  • The NSG is associated with the default subnet in JV-VNET01
  • The NSG contains an inbound rule for HTTP on TCP port 80
  • The HTTP rule allows traffic to 10.69.0.4
  • The NSG contains an inbound rule for HTTPS on TCP port 443
  • The HTTPS rule allows traffic to 10.69.0.4
  • The virtual network JV-VNET02 exists
  • JV-VNET02 uses address space 10.70.0.0/16
  • JV-VNET02 contains the subnet default
  • The subnet in JV-VNET02 uses address range 10.70.0.0/24
  • VNet peering exists from JV-VNET01 to JV-VNET02
  • VNet peering exists from JV-VNET02 to JV-VNET01
  • Both peering connections show as connected

If you have virtual machines in both networks, you can also test connectivity between them.

For example, from a VM in JV-VNET01, test a VM in JV-VNET02:

PowerShell
Test-NetConnection <private-ip-address-in-JV-VNET02>

Replace <private-ip-address-in-JV-VNET02> with the private IP address of a virtual machine in JV-VNET02.
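
The checklist in this section can also be run as one set of read-only queries in Azure Cloud Shell. This is an added example, not part of the original lab; the helper names (check, q, rule, validate_lab) are made up here, and the expected DNS order follows sections 3.3 and 3.9.

```shell
#!/usr/bin/env bash
# Added example, not the author's code: read-only checks for the 3.9 checklist.
RG="JV-LAB"
FAILED=0

# Compare an expected value with what Azure reports and count mismatches.
check() {
  if [ "$2" = "$3" ]; then
    echo "PASS  $1"
  else
    echo "FAIL  $1 (expected '$2', got '$3')"
    FAILED=$((FAILED + 1))
  fi
}

# Run one read-only az query; errors (missing resource) yield an empty value.
q() { az "$@" --output tsv 2>/dev/null; }

# Summarise an NSG rule, lower-cased because the protocol may read Tcp or TCP.
rule() {
  q network nsg rule show -g "$RG" --nsg-name JV-NSG-VNET01 -n "$1" --query \
    "join('/', [direction, access, protocol, destinationAddressPrefix || destinationAddressPrefixes[0], destinationPortRange || destinationPortRanges[0]])" |
    tr 'A-Z' 'a-z'
}

validate_lab() {
  FAILED=0
  for n in 01:10.69 02:10.70; do
    vnet="JV-VNET${n%%:*}"; net="${n##*:}"
    check "$vnet address space" "$net.0.0/16" \
      "$(q network vnet show -g "$RG" -n "$vnet" --query 'addressSpace.addressPrefixes[0]')"
    check "$vnet default subnet" "$net.0.0/24" \
      "$(q network vnet subnet show -g "$RG" --vnet-name "$vnet" -n default --query 'addressPrefix || addressPrefixes[0]')"
  done
  # DNS order as listed in sections 3.3 and 3.9.
  check "JV-VNET01 DNS servers" "10.69.0.1,168.63.129.16" \
    "$(q network vnet show -g "$RG" -n JV-VNET01 --query "join(',', dhcpOptions.dnsServers)")"
  nsg_id="$(q network vnet subnet show -g "$RG" --vnet-name JV-VNET01 -n default --query networkSecurityGroup.id)"
  check "NSG on JV-VNET01/default" "JV-NSG-VNET01" "${nsg_id##*/}"
  check "Allow-HTTP-Inbound" "inbound/allow/tcp/10.69.0.4/80" "$(rule Allow-HTTP-Inbound)"
  check "Allow-HTTPS-Inbound" "inbound/allow/tcp/10.69.0.4/443" "$(rule Allow-HTTPS-Inbound)"
  check "Peering 01->02 state" "Connected" \
    "$(q network vnet peering show -g "$RG" --vnet-name JV-VNET01 -n JV-VNET01-to-JV-VNET02 --query peeringState)"
  check "Peering 02->01 state" "Connected" \
    "$(q network vnet peering show -g "$RG" --vnet-name JV-VNET02 -n JV-VNET02-to-JV-VNET01 --query peeringState)"
  echo "$FAILED check(s) failed"
  [ "$FAILED" -eq 0 ]
}
```

Paste the functions into Cloud Shell and run `validate_lab`; it prints one PASS or FAIL line per item and returns a non-zero status if anything does not match.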


3.10 Cleaning up the lab

When you are done, remove the resource group to prevent unexpected costs.

  • Open “Resource groups”
  • Open JV-LAB
  • Review all resources in the resource group
  • Click “Delete resource group”
  • Type the resource group name
  • Confirm the deletion

You can also remove the resource group with Azure Cloud Shell.

Bash
az group delete \
  --name JV-LAB

The lab is now done.



Last modified June 24, 2026: Updated post titles (553e43d)