AzureAZ-104

Azure Virtual Network Design Explained for AZ-104

Every resource in Azure that needs a private IP address lives inside a Virtual Network. VNets are the foundation of Azure networking, and getting the design right at the start prevents painful re-addressing later. IP address planning, subnet segmentation, connectivity between VNets, and connectivity from on-premises to Azure are decisions that shape everything built on top of them. The AZ-104 exam tests VNet creation and address space planning, subnet design, VNet peering for inter-VNet connectivity, VPN Gateway and ExpressRoute for hybrid connectivity, and Azure DNS for name resolution both within Azure and for custom domains.

8 min

3 sections · 7 exam key points

VNet fundamentals: address spaces and subnets

A Virtual Network is defined by one or more address spaces expressed in CIDR notation. Resources within a VNet communicate privately using addresses from this space. Subnets divide the VNet address space into smaller segments, allowing you to group resources logically and apply different security policies to different groups. A web tier subnet, an application tier subnet, and a database subnet each get their own network controls even though they all live within the same VNet.

Azure reserves five IP addresses in every subnet: the network address, the default gateway, two Azure DNS addresses, and the broadcast address. Plan subnet sizes to account for these reservations and for future growth. CIDR /29 gives you only 3 usable addresses. A /24 gives 251. The rule is to plan more space than you think you need: re-addressing a subnet later requires migrating resources, which can be disruptive.

Some Azure services require dedicated subnets: Azure Bastion needs its own AzureBastionSubnet, VPN Gateway needs GatewaySubnet, Azure Firewall needs AzureFirewallSubnet, and Azure Application Gateway needs its own subnet as well. Reserve these subnets during initial VNet design even if you are not deploying those services immediately.

VNet peering, service endpoints, and hybrid connectivity

VNet peering connects two VNets so that resources in each can communicate using private IP addresses. Peering can be regional (within the same region) or global (across regions). Peered VNets must not have overlapping address spaces. Peering is non-transitive: if VNet A is peered with VNet B, and VNet B is peered with VNet C, VNet A cannot communicate with VNet C unless you add a direct A-to-C peering or configure a hub VNet with route tables to forward traffic. Traffic in global peering traverses the Microsoft backbone, not the public internet.

Service endpoints extend a VNet's private address space to Azure service resources like Storage and SQL Database, so traffic from your VNet to those services routes over the Azure backbone rather than the public internet. Private endpoints go further: they place a private IP address from your VNet directly on an Azure PaaS resource, making it accessible by private IP and allowing you to block all public access to the service.

VPN Gateway provides encrypted connectivity between your VNet and on-premises networks. Site-to-Site VPN creates an IPsec tunnel over the public internet between your on-premises VPN device and an Azure VPN Gateway. Point-to-Site VPN connects individual client devices to the VNet. ExpressRoute provides a dedicated private circuit from your on-premises location to an Azure datacenter through a connectivity provider. ExpressRoute does not traverse the public internet, offers consistent bandwidth (50 Mbps to 100 Gbps), and lower latency than VPN, at higher cost and longer provisioning time.

How to choose the correct answer

Subnet sizing: Azure reserves 5 IPs per subnet. A /29 gives 3 usable, a /28 gives 11, a /24 gives 251.

VNet peering: non-transitive, no overlapping CIDR, works across regions and subscriptions.

Service endpoint: routes traffic to PaaS services over Azure backbone, resource still has public endpoint.

Private endpoint: gives PaaS resource a private IP in your VNet, enables disabling public access entirely.

VPN Gateway: IPsec over internet, active-active for redundancy. Fast to set up, variable performance.

ExpressRoute: private dedicated circuit, consistent SLA-backed bandwidth. Weeks to provision, higher cost.

Azure DNS: private zones for name resolution within VNets, public zones for internet-facing domains.

GatewaySubnet: required for VPN Gateway and ExpressRoute Gateway. Must be named exactly GatewaySubnet.

Azure hybrid connectivity options

Option	Path	Bandwidth	Latency	Best for
Site-to-Site VPN	IPsec over public internet	Up to ~1.25 Gbps per tunnel	Variable	Quick setup, moderate traffic, cost-sensitive
VNet Peering	Azure backbone (VNet to VNet)	No bandwidth limit	Low	Connecting Azure VNets within or across regions
ExpressRoute	Private dedicated circuit	50 Mbps to 100 Gbps	Consistent, low	High-bandwidth, low-latency on-premises to Azure
ExpressRoute + VPN	ExpressRoute primary, VPN failover	ExpressRoute bandwidth	Low (primary)	Maximum hybrid availability
Private Endpoint	Azure backbone (service to VNet)	N/A (PaaS access)	Low	Private PaaS access, disable public endpoint

Key exam facts — AZ-104

VNet address space: one or more CIDR blocks, no overlap with peered VNets or on-premises.
Azure reserves 5 IPs per subnet (first 4 and last). Plan subnet sizes accordingly.
VNet peering: non-transitive by default, requires route tables or NVA for transitive routing.
Service endpoints: traffic stays on Azure backbone, resource retains public IP, VNet restriction possible.
Private endpoints: private IP in VNet for PaaS resource, fully disables need for public access.
GatewaySubnet: specific name required, sized /27 or larger for VPN/ExpressRoute gateways.
ExpressRoute: not over internet, SLA-backed, requires connectivity provider, weeks to provision.

Common exam traps

VNet peering allows traffic to flow transitively through hub VNets without additional configuration.

VNet peering is non-transitive by default. For traffic to flow from spoke VNet A through hub VNet B to spoke VNet C, you need either route tables (User Defined Routes) pointing traffic through a network virtual appliance in the hub, or Azure Virtual WAN, which provides managed transitive routing. Simply peering the spokes to a hub is not enough for spoke-to-spoke communication.

Service endpoints and private endpoints provide the same level of network isolation.

Service endpoints route VNet traffic to PaaS services over the Microsoft backbone, and you can restrict the PaaS resource to allow only traffic from specific VNet subnets. However, the PaaS resource still has a public IP and remains accessible over the internet from other sources unless you also configure the service firewall. Private endpoints give the PaaS resource a private IP in your VNet, enabling you to disable the public endpoint entirely and make the service completely private.

ExpressRoute and VPN Gateway can be configured identically on Azure.

ExpressRoute and VPN Gateway use different gateway types in Azure and require different gateway SKUs. ExpressRoute circuits are provisioned through a connectivity provider and require physical cross-connects at an ExpressRoute location. VPN Gateway uses standard internet connectivity. Running both requires either two separate gateways or a gateway configured for coexistence mode. ExpressRoute provisioning takes weeks, not minutes.

Practice this topic

AZ-104practice questions

Test yourself on Azure VNet Design

JT Exams routes you to questions in your exact weak areas — automatically, after every session.

Free practice test Start 7-Day Free Trial

No credit card · Cancel anytime