🌐 Azure Networking Wiki
This single-page Azure Networking reference consolidates the entire Azure networking wiki into one document. Use the index to navigate directly to any section. Each section includes a brief overview, CLI examples, and troubleshooting tips.
📑 Index (tap to jump)
- 00 - Getting Started › Azure Login Methods
- 00 - Getting Started › Subscriptions & RBAC
- 00 - Getting Started › Resource Groups & Regions
- 01 - Core Concepts › Virtual Networks (VNet)
- 01 - Core Concepts › Subnets & IP Addressing
- 01 - Core Concepts › NSG and ASG
- 01 - Core Concepts › Azure DNS
- 02 - Connectivity › VPN Gateway
- 02 - Connectivity › ExpressRoute
- 02 - Connectivity › VNet Peering
- 02 - Connectivity › Private Link & Endpoints
- 03 - Load Balancing › Azure Load Balancer
- 03 - Load Balancing › Application Gateway
- 03 - Load Balancing › Traffic Manager
- 03 - Load Balancing › Front Door
- 04 - Security & Firewall › Azure Firewall
- 04 - Security & Firewall › Firewall Policy
- 04 - Security & Firewall › NVAs / Third-party Firewalls
- 05 - Routing & Diagnostics › User Defined Routes (UDR)
- 05 - Routing & Diagnostics › Route Tables
- 05 - Routing & Diagnostics › Network Watcher
- 05 - Routing & Diagnostics › Packet Capture
- 06 - Troubleshooting › VPN Troubleshooting
- 06 - Troubleshooting › AppGW Backend Health Issues
- 06 - Troubleshooting › DNS Resolution Issues
- 06 - Troubleshooting › ExpressRoute Troubleshooting
00 - Getting Started › Azure Login Methods
Overview: Methods to authenticate with Azure: Portal, CLI, PowerShell, Cloud Shell, Managed Identities and Service Principals. Use interactive login for manual tasks and service principals or managed identity for automation.
Portal (web)
- URL: https://portal.azure.com — best for visual tasks and quick exploration.
Azure CLI (recommended for scripts & automation)
# interactive
az login
# service principal (automation)
az login --service-principal -u <appId> -p <password> --tenant <tenantId>
# device code (no browser)
az login --use-device-code
# set subscription
az account set --subscription <subscription-id>
PowerShell (Az module)
Install-Module -Name Az -Force
Connect-AzAccount
Cloud Shell — Browser-hosted shell with CLI and PowerShell preinstalled: https://shell.azure.com
Managed Identity (VM/Function)
az login --identity
Notes & tips:
- Store automation credentials in Key Vault and use managed identity where possible.
- Keep least privilege (e.g., Network Contributor) for networking automation.
00 - Getting Started › Subscriptions & RBAC
Overview: Subscriptions contain billing & quotas; RBAC controls access via roles at different scopes (subscription, resource group, resource).
Useful CLI:
az account show
az account list -o table
az role assignment list --assignee <user@domain>
az role assignment create --assignee <user> --role "Network Contributor" --scope /subscriptions/<subId>/resourceGroups/<rg>
Best practices:
- Organize subscriptions with Management Groups for enterprise scale.
- Use built-in roles (Owner, Contributor, Reader) or create custom roles with minimal privileges.
- Log and audit with Activity Logs and Azure AD reports.
00 - Getting Started › Resource Groups & Regions
Overview: Resource Groups provide lifecycle and management boundaries. Regions determine placement (latency, compliance, pricing).
Commands:
az group create --name myRG --location eastus
az group delete --name myRG
az account list-locations -o table
Design tips:
- Keep environment-specific resource groups (dev/prod).
- Co-locate dependent resources to reduce latency and egress costs.
- Use naming conventions like <env>-<app>-<region>-rg for consistency.
01 - Core Concepts › Virtual Networks (VNet)
Overview: VNet is the virtual network boundary in Azure; contains subnets, route tables, NSGs. VNets are regional resources and can be peered.
Create a VNet (CLI):
az network vnet create --resource-group myRG --name myVNet --address-prefix 10.0.0.0/16 --subnet-name app-subnet --subnet-prefix 10.0.1.0/24
Verify:
az network vnet show -g myRG -n myVNet -o table
Design notes:
- Plan CIDR to avoid overlap with on-prem or other VNets.
- Use hub-and-spoke patterns for central services (VPN, firewall, peering).
01 - Core Concepts › Subnets & IP Addressing
Overview: Subnets subdivide VNet address space. Azure reserves the first 4 and the last IP in each subnet (5 addresses reserved total).
Commands:
az network vnet subnet create --vnet-name myVNet -g myRG -n db-subnet --address-prefix 10.0.2.0/24
az network vnet subnet list -g myRG --vnet-name myVNet -o table
Planning tips:
- Avoid extremely small subnets; Azure reserves addresses.
- Document assignments and leave buffer for growth.
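Added example (not part of the original wiki): a small Python helper that applies the reservation rule above to a candidate subnet and checks it against prefixes already in use, as the planning tips here and in the VNet section recommend. The in-use prefixes are constructed sample values.

```python
import ipaddress

# Azure reserves 5 addresses in every subnet: the first four (network address,
# default gateway, two for Azure DNS) and the last (broadcast).
AZURE_RESERVED = 5
MIN_PREFIXLEN = 29   # /29 is the smallest subnet Azure accepts


def azure_subnet_plan(cidr: str) -> dict:
    """Return the addresses Azure reserves in `cidr` and how many remain usable."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen > MIN_PREFIXLEN:
        raise ValueError(f"{cidr}: Azure does not support subnets smaller than /29")
    reserved = [str(net[i]) for i in range(4)] + [str(net[-1])]
    return {"prefix": str(net), "reserved": reserved,
            "usable": net.num_addresses - AZURE_RESERVED}


def find_overlaps(candidate: str, in_use: list) -> list:
    """Return every in-use prefix (other subnets, VNets, on-prem) that overlaps `candidate`."""
    cand = ipaddress.ip_network(candidate)
    return [p for p in in_use if cand.overlaps(ipaddress.ip_network(p))]


if __name__ == "__main__":
    # Constructed address plan: the subnets this wiki creates plus a sample on-prem range.
    in_use = ["10.0.1.0/24", "10.0.2.0/24", "10.0.255.0/27", "192.168.0.0/16"]
    print(azure_subnet_plan("10.0.3.0/26"))        # 59 usable; 10.0.3.0-.3 and .63 reserved
    print(find_overlaps("10.0.255.0/24", in_use))  # ['10.0.255.0/27'] (collides with GatewaySubnet)
    print(find_overlaps("10.0.3.0/26", in_use))    # []
```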
01 - Core Concepts › NSG and ASG
Overview: NSG (Network Security Group) contains ordered rules by priority to allow/deny traffic. ASG (Application Security Group) is a logical grouping to reference in NSG rules.
Examples:
az network nsg create -g myRG -n myNSG
az network nsg rule create -g myRG --nsg-name myNSG -n AllowHttps --priority 100 --protocol Tcp --direction Inbound --source-address-prefixes '*' --destination-port-ranges 443 --access Allow
Tips:
- Use ASGs for app tier grouping to reduce rule churn.
- Keep NSG rules minimal and well-documented.
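Added example (not from the original wiki): a Python model of inbound NSG processing, including Azure's default rules and an ASG used as a rule source, so a rule set can be checked locally the way Network Watcher's IP flow verify does. The rule set, ASG membership and flows are constructed; the VNet range is assumed to be 10.0.0.0/16.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    sources: tuple     # CIDRs, "*", service tags or ASG names
    dest_ports: tuple  # ints, "lo-hi" ranges or "*"

# Azure's default inbound rules: always present and always evaluated last.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "Allow", "*", ("VirtualNetwork",), ("*",)),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", ("AzureLoadBalancer",), ("*",)),
    Rule("DenyAllInBound", 65500, "Deny", "*", ("*",), ("*",)),
)
# Constructed rule set: the AllowHttps rule from this page plus an ASG-scoped SSH rule.
RULES = (
    Rule("AllowHttps", 100, "Allow", "Tcp", ("*",), (443,)),
    Rule("AllowSshFromJumpbox", 200, "Allow", "Tcp", ("jumpbox-asg",), (22,)),
)
ASGS = {"jumpbox-asg": {"10.0.1.10"}}   # ASG name -> private IPs of its member NICs

def _src_match(spec, ip, vnet, asgs):
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in vnet
    if spec == "AzureLoadBalancer":
        return str(ip) == "168.63.129.16"   # Azure's health-probe source address
    if spec in asgs:
        return str(ip) in asgs[spec]
    return ip in ipaddress.ip_network(spec)

def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = str(spec).partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate_inbound(rules, src_ip, dst_port, protocol, vnet="10.0.0.0/16", asgs=None):
    """Walk rules in priority order; the first match decides, as in NSG processing."""
    ip, net, asgs = ipaddress.ip_address(src_ip), ipaddress.ip_network(vnet), asgs or {}
    for r in sorted(tuple(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.protocol != "*" and r.protocol != protocol:
            continue
        if any(_src_match(s, ip, net, asgs) for s in r.sources) and \
           any(_port_match(p, dst_port) for p in r.dest_ports):
            return r.access, r.name
    raise RuntimeError("unreachable: DenyAllInBound matches everything")

if __name__ == "__main__":
    for src, port in [("203.0.113.7", 443), ("203.0.113.7", 22), ("10.0.1.10", 22), ("10.0.2.5", 3306)]:
        print(src, port, evaluate_inbound(RULES, src, port, "Tcp", asgs=ASGS))
```

Note that 10.0.2.5 reaching port 3306 is allowed by AllowVnetInBound, not by any rule you wrote: intra-VNet traffic is open unless a higher-priority Deny rule restricts it.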
01 - Core Concepts › Azure DNS
Overview: Azure DNS manages public/private DNS zones. Private DNS Zones provide resolution inside VNets when linked.
Create private zone & link:
az network private-dns zone create -g myRG -n corp.internal
az network private-dns link vnet create -g myRG -n link1 --zone-name corp.internal --virtual-network /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/myVNet --registration-enabled false
Troubleshooting:
- Check VM resolver (Linux: /etc/resolv.conf, Windows: ipconfig /all).
- Use nslookup/dig from the VM to validate.
02 - Connectivity › VPN Gateway
Overview: VPN Gateway supports site-to-site (IPsec/IKE), point-to-site, and VNet-to-VNet. Choose SKU by throughput and features (VpnGw1/2/3...).
Create (simplified):
az network public-ip create -g myRG -n myGWIP --allocation-method Static
az network vnet subnet create -g myRG --vnet-name myVNet -n GatewaySubnet --address-prefix 10.0.255.0/27
az network vnet-gateway create -g myRG -n myVNetGW --public-ip-address myGWIP --vnet myVNet --gateway-type Vpn --sku VpnGw1 --vpn-type RouteBased
Troubleshoot:
- Verify shared key and phase parameters match with on-prem.
- Use Azure Portal connections page for diagnostics.
02 - Connectivity › ExpressRoute
Overview: ExpressRoute provides private, dedicated connectivity to Azure through a connectivity provider. Use for predictable performance and high throughput.
Commands:
az network express-route list -o table
az network express-route show -g myRG -n myCircuit
Troubleshooting:
- Check circuit status with provider and Azure.
- Verify BGP session and advertised routes.
02 - Connectivity › VNet Peering
Overview: VNet peering connects VNets across subscriptions/regions for low-latency connectivity. Peering is non-transitive.
Create peering:
az network vnet peering create --name vnet1-to-vnet2 --resource-group rg1 --vnet-name vnet1 --remote-vnet /subscriptions/<sub>/resourceGroups/rg2/providers/Microsoft.Network/virtualNetworks/vnet2 --allow-vnet-access
Tips:
- For hub-and-spoke, enable gateway transit on hub if sharing gateway.
- Avoid overlapping IP ranges.
02 - Connectivity › Private Link & Endpoints
Overview: Private Link enables private access to PaaS resources using private endpoints. A private endpoint creates a NIC in your subnet with a private IP that represents the service inside the VNet.
Create private endpoint:
az network private-endpoint create --name myPe --resource-group myRG --vnet-name myVNet --subnet mySubnet --private-connection-resource-id /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/myStorage --group-ids blob --connection-name myConn
Notes:
- Use private DNS zone linking for transparent name resolution.
- Monitor connection state in Portal.
03 - Load Balancing › Azure Load Balancer
Overview: Layer-4 load balancer for TCP/UDP traffic (public/internal). Standard SKU recommended for production (better resiliency & features).
Create example:
az network lb create -g myRG -n myLB --sku Standard --frontend-ip-name myFront --backend-pool-name myPool
Health probe & rule example: Configure probe on a TCP port or HTTP path and create load-balancing rule pointing to backend pool.
03 - Load Balancing › Application Gateway
Overview: Layer-7 load balancer with WAF, path-based routing, SSL termination.
Create (simplified):
az network application-gateway create -g myRG -n appgw01 --sku WAF_v2 --capacity 2 --frontend-port 443 --http-settings-cookie-based-affinity Disabled
Backend health check:
az network application-gateway show-backend-health -g myRG -n appgw01
Tips:
- Use WAF in Detection mode to tune false positives before enabling Prevention.
- Ensure probe path returns expected HTTP 200 and correct host header.
03 - Load Balancing › Traffic Manager
Overview: DNS-based traffic routing for global endpoints (Priority, Weighted, Performance, Geographic).
Create profile example:
az network traffic-manager profile create -g myRG -n tm1 --routing-method Performance --unique-dns-name mytm0001
Notes: TTL and probe settings impact failover behaviour.
03 - Load Balancing › Front Door
Overview: Global edge routing, acceleration, and WAF. Use for CDN-like behaviour plus edge routing and TLS termination at edge.
Notes: Choose Front Door when global, latency-optimized routing and caching are required.
04 - Security & Firewall › Azure Firewall
Overview: Managed, stateful firewall supporting DNAT, SNAT, network & application rules, and logging to Log Analytics.
Create example:
az network firewall create -g myRG -n myFirewall --vnet-name myVNet
Create rule example:
az network firewall network-rule create --firewall-name myFirewall -g myRG --collection-name myColl --collection-priority 100 --action Allow --name AllowWeb --protocols TCP --destination-ports 80 443 --source-addresses '*' --destination-addresses '*'
Monitoring: Send logs to Log Analytics workspace and query with Kusto.
04 - Security & Firewall › Firewall Policy
Overview: Firewall Policy centralizes rule management, can be applied to multiple firewalls for consistent enforcement.
Commands:
az network firewall policy create -g myRG -n myPolicy
az network firewall policy rule-collection-group create --policy-name myPolicy -g myRG -n myGroup --priority 100
Tip: Use versioned policies and test in dev before production roll-out.
04 - Security & Firewall › NVAs / Third-party Firewalls
Overview: NVAs (FortiGate, Palo Alto, etc.) are deployed in hub VNets for advanced inspection, IDS/IPS, or legacy policy needs.
Design considerations:
- Use UDRs to steer traffic to NVA.
- Provide management plane access (jumpbox) and monitoring.
- Consider HA topology and backend SNAT behavior.
05 - Routing & Diagnostics › User Defined Routes (UDR)
Overview: UDRs override system routes to steer traffic (to NVAs, next hop appliances, or on-prem).
Create example:
az network route-table create -g myRG -n myRouteTable
az network route-table route create -g myRG --route-table-name myRouteTable -n RouteToNVA --next-hop-type VirtualAppliance --next-hop-ip-address 10.0.10.4 --address-prefix 0.0.0.0/0
az network vnet subnet update -g myRG --vnet-name myVNet --name app-subnet --route-table myRouteTable
Notes: Associate route tables at subnet level and validate next-hop behavior with Network Watcher.
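Added example (not from the original wiki): a Python model of how Azure chooses the effective route, longest prefix first and then UDR over BGP over system route on a tie, applied to the UDR created above. The system routes are those Azure creates for a 10.0.0.0/16 VNet; the BGP-learned on-prem prefix is a constructed sample.

```python
import ipaddress
from dataclasses import dataclass

# On equal prefix length Azure prefers a user route (UDR) over a BGP route,
# and a BGP route over a system route; longest prefix match is applied first.
SOURCE_RANK = {"User": 2, "VirtualNetworkGateway": 1, "Default": 0}

@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str   # VnetLocal, Internet, VirtualAppliance, VirtualNetworkGateway or None
    source: str          # Default (system), User (UDR) or VirtualNetworkGateway (BGP)
    next_hop_ip: str = ""

# System routes Azure creates for a 10.0.0.0/16 VNet (the RFC 1918 and
# 100.64.0.0/10 ranges are dropped by default via next hop "None").
SYSTEM_ROUTES = (
    Route("10.0.0.0/16", "VnetLocal", "Default"),
    Route("0.0.0.0/0", "Internet", "Default"),
    Route("10.0.0.0/8", "None", "Default"),
    Route("172.16.0.0/12", "None", "Default"),
    Route("192.168.0.0/16", "None", "Default"),
    Route("100.64.0.0/10", "None", "Default"),
)
# Constructed additions: the UDR from this page and a BGP-learned on-prem prefix.
USER_ROUTES = (Route("0.0.0.0/0", "VirtualAppliance", "User", "10.0.10.4"),)
BGP_ROUTES = (Route("192.168.0.0/16", "VirtualNetworkGateway", "VirtualNetworkGateway"),)

def effective_next_hop(routes, dest_ip):
    """Pick the route Azure would use for dest_ip: longest prefix, then source precedence."""
    dst = ipaddress.ip_address(dest_ip)
    matching = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not matching:
        return ("None", "")
    best = max(matching, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                                        SOURCE_RANK[r.source]))
    return (best.next_hop_type, best.next_hop_ip)

if __name__ == "__main__":
    effective = SYSTEM_ROUTES + USER_ROUTES + BGP_ROUTES
    for dest in ("10.0.2.5", "8.8.8.8", "172.16.5.5", "192.168.1.10"):
        print(dest, "->", effective_next_hop(effective, dest))
```

The 172.16.5.5 case is the one to watch: the 0.0.0.0/0 UDR does not override the more specific system "None" route, so traffic to those ranges is dropped rather than sent to the NVA unless you add a more specific UDR. This is exactly what `az network watcher show-next-hop` would report for that destination.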
05 - Routing & Diagnostics › Route Tables
Overview: Route tables hold UDRs and are applied at subnet level.
CLI:
az network route-table show -g myRG -n myRouteTable -o table
az network route-table list -g myRG -o table
05 - Routing & Diagnostics › Network Watcher
Overview: Network Watcher provides packet capture, connection troubleshoot, next hop, IP flow verify, and NSG flow logs.
Useful commands:
az network watcher test-connectivity --source-resource <vm-id> --dest-address 8.8.8.8
az network watcher show-next-hop --resource-group myRG --vm myVM --source-ip <vm-private-ip> --dest-ip 10.0.0.4
az network watcher ip-flow-verify --resource-group myRG --vm myVM --direction Outbound --protocol TCP --local <vm-private-ip>:443 --remote 10.0.0.5:443
05 - Routing & Diagnostics › Packet Capture
Overview: Use Network Watcher to capture traffic on VM NICs and save PCAP to storage account for download and analysis.
Start capture example:
az network watcher packet-capture create --resource-group myRG --vm myVM --name cap1 --storage-account mystorage --file-path capture1.pcap --time-limit 300
Retrieve capture: Use storage account to download PCAP and open in Wireshark.
06 - Troubleshooting › VPN Troubleshooting
Checklist:
- Confirm PSK and IKE versions match.
- Check Phase 1/2 lifetimes and transforms.
- Ensure local/remote network prefixes match selectors.
- Check Azure portal connection status and diagnostics.
Useful commands:
az network vpn-connection show -g myRG -n myConn
az network vpn-connection list -g myRG -o table
06 - Troubleshooting › AppGW Backend Health Issues
Symptoms: Backends appear unhealthy in App Gateway backend health.
Checks:
- Probe path returns 200 and uses correct Host header.
- NSG or firewall blocking health probe IP.
- Backend service listening on expected IP/port.
Debug command:
az network application-gateway show-backend-health -g myRG -n appgw01
06 - Troubleshooting › DNS Resolution Issues
Common causes: Wrong DNS server, missing private DNS zone links, or incorrect VM resolver config.
Checks & fixes:
# from Linux VM
cat /etc/resolv.conf
nslookup myservice.corp.internal
dig @127.0.0.53 myservice.corp.internal
Fixes: Link private DNS zone to VNet, configure forwarders, or update VM DNS settings.
06 - Troubleshooting › ExpressRoute Troubleshooting
Checklist:
- Verify circuit state with provider and in Azure.
- Check BGP session state and advertised prefixes.
- Validate route filters and service provider configuration.
Useful commands:
az network express-route show -g myRG -n myCircuit
az network express-route peering list -g myRG --circuit-name myCircuit -o table
🏁 Final Notes & Best Practices
- Keep this file under source control and update it centrally.
- Use IaC (Bicep/ARM/Terraform) for repeatable deployments.
- Protect credentials (Key Vault), rotate keys, and monitor logs (Log Analytics).