4.1 — Foundation

Virtual Networks & Subnets

MS Docs

A VNet is your private network boundary in Azure. Nothing enters or leaves unless you explicitly allow it. Everything networking builds on VNets.

📖 Virtual Networks — Complete Explanation

A Virtual Network (VNet) is Azure's implementation of a software-defined network. There is no physical hardware you manage — Azure's network fabric creates isolated, private network spaces entirely in software.

Address space: When you create a VNet, you define one or more CIDR ranges (e.g., 10.40.0.0/16). This is the universe of IP addresses available to resources in this VNet. Azure recommends using private address ranges (RFC 1918): 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.

Subnets divide the VNet address space into smaller segments. Each subnet gets its own CIDR block (e.g., 10.40.1.0/24 for web tier). Resources in the same subnet can communicate freely by default. Subnets are where you apply NSGs, route tables, and service endpoints.

Why subnet isolation matters: Put your web servers in one subnet, databases in another, management in a third. NSGs on the data subnet can say "only accept traffic from the web subnet" — even if someone compromises a web server, they cannot directly reach your database servers from the internet.

VNet scope: A VNet exists in exactly ONE region. You cannot stretch a VNet across regions. To connect resources across regions, you use VNet Peering. To connect to on-premises, you use VPN Gateway or ExpressRoute, both of which require a GatewaySubnet inside the VNet.

Kube context: Your Function Apps running in the Consumption plan cannot join a VNet — they need Premium plan for VNet Integration. Your VMs and Premium Function Apps sit in the Kube VNet, reaching Cosmos DB via a Private Endpoint in the pe-subnet, ensuring traffic never leaves your private network.

🏙️
The City Metaphor — Runs Through All of Phase 4

VNet = the city boundary. Your private space.
Subnet = neighbourhoods inside (web tier, data tier, mgmt).
NSG = traffic police at each neighbourhood checkpoint.
Public IP = the city address visible to outside world.
Peering = private road between two cities.
UDR = custom road signs overriding GPS (Azure routing).
DNS = the city phonebook.
NAT Gateway = your post office with a consistent return address.

VNet Architecture — Kube platform Production Network
VNET: kube-vnet · 10.40.0.0/16 · East US web-subnet 10.40.1.0/24 VM .4 VM .5 NSG: Allow 443 inbound data-subnet 10.40.2.0/24 SQL .4 Cosmos .5 NSG: Deny internet inbound AzureBastionSubnet 10.40.4.0/27 (exact name required) Azure Bastion Host pe-subnet 10.40.6.0/24 (Private Endpoints) Cosmos .10 Storage .11 KeyVault .12 AzureFirewallSubnet 10.40.5.0/26 Azure Firewall 10.40.5.4 (UDR next hop) 5 IPs reserved per subnet by Azure .0 network · .1 gateway · .2 DNS · .3 reserved · .255 broadcast → /24 = 251 usable VNets can span regions? NO — VNet = one region. Resource groups? Yes. Subscriptions? Via peering.

CIDR — Understanding Address Spaces

CIDRTotal IPsUsable in AzureAzure Use Case
/1665,53665,531Standard VNet (recommended)
/24256251Typical subnet — most tested
/273227Bastion subnet minimum
/266459Azure Firewall subnet minimum
/281611Small subnet, Gateway subnet minimum
⚠️
Overlapping Address Spaces Block Peering
Two VNets with the same or overlapping address space cannot be peered — Azure cannot route between them. Plan address spaces before deployment. Changing address space after resources exist is complex and risky.

Public IP — SKU Matters

FeatureBasic SKUStandard SKU
AllocationDynamic or StaticStatic only
Zone redundancy
Inbound defaultOpen (insecure)Closed — need NSG to allow
Standard Load Balancer✗ Incompatible✓ Required
StatusBeing deprecatedAlways use Standard
⚠️
SKU Mismatch = Deployment Fails
Standard Load Balancer + Basic Public IP = deployment error. Standard Public IP + Basic Load Balancer = deployment error. Always match SKUs. Use Standard+Standard everywhere.
4.2 — Security

NSG & Application Security Groups

MS Docs

NSG = stateful rule-based filter attached to subnet or NIC. Contains inbound and outbound rules. First matching rule wins — evaluation stops.

NSG Evaluation Order — Inbound: Subnet First, NIC Second · Outbound: NIC First, Subnet Second
INBOUND TRAFFIC Internet Subnet NSG Evaluated FIRST inbound rules ALLOW NIC NSG Evaluated SECOND inbound rules VM ✓ BLOCKED ❌ Default Rules 65000: Allow VNet In 65001: Allow LB In 65500: Deny All In 65000: Allow VNet Out 65001: Allow Internet Out 65500: Deny All Out OUTBOUND: NIC NSG first, Subnet NSG second (reverse of inbound) Priority: lower number = higher priority · First match wins · Both NSGs must ALLOW for traffic to flow Stateful: if inbound HTTPS allowed, return traffic (outbound) auto-allowed — no outbound rule needed
Animated — Packet Flow: HTTPS from internet → VM through both NSGs
Internet TCP 443 → 10.40.1.4 Subnet NSG Rule 100: Allow 443 ALLOW ✓ (first) NIC NSG Rule 100: Allow 443 ALLOW ✓ (second) VM Reached ✓ If NIC NSG has Deny port 443 at priority 50 → blocked at NIC NSG. Subnet allowed it, NIC denied it. Diagnose: Network Watcher → Effective Security Rules → shows combined result of all NSGs on the NIC
⚠️
LB Health Probes Blocked — Missing AzureLoadBalancer Tag
LB health probes originate from AzureLoadBalancer service tag (168.63.129.16). If your NSG blocks this, all VMs show unhealthy even when working fine. Fix: add inbound Allow rule for AzureLoadBalancer tag on probe port, with priority lower than any deny rules.

Application Security Groups (ASG)

🏷️
The Metaphor

Without ASG your NSG rule says: "Allow IPs 10.40.1.4, 10.40.1.5, 10.40.1.6 to reach port 1433." VMSS scales to 20 VMs → edit 20 IPs in every rule.

With ASG: tag each web-server NIC with asg-web-servers. Rule says "Allow asg-web-servers to reach asg-db-servers port 1433." New VM added to VMSS → tag its NIC → automatically covered. Zero rule changes.

📋
ASG Constraints
All VMs in an ASG must be in the same VNet. One NIC can belong to multiple ASGs. ASG must be in the same region as VMs. Cannot span VNets or regions.
Azure CLI — NSG with ASG Rules
# Create ASGs
az network asg create -g RG-Prod --name asg-web-servers
az network asg create -g RG-Prod --name asg-db-servers

# Tag VM NIC with ASG
az network nic ip-config update \
  -g RG-Prod --nic-name web-vm-nic --name ipconfig1 \
  --application-security-groups asg-web-servers

# NSG rule using ASG names (not IPs)
az network nsg rule create \
  -g RG-Prod --nsg-name nsg-prod \
  --name web-to-db-sql --priority 100 \
  --source-asgs      asg-web-servers \
  --destination-asgs asg-db-servers \
  --destination-port-ranges 1433 \
  --protocol Tcp --access Allow
4.3 — Secure Access

Azure Bastion

MS Docs

Bastion provides browser-based RDP/SSH to VMs over HTTPS — no public IPs on VMs, no port 3389/22 exposed to internet.

Azure Bastion — VMs Need No Public IP
Engineer portal.azure.com HTTPS 443 only Azure Bastion AzureBastionSubnet /27 Standard Static Public IP Verifies identity via Azure RBAC private Your VNet — VMs need private IPs only VM-Web 10.40.1.4 only VM-DB 10.40.2.4 only Port 3389 ❌ never exposed
Animated — Bastion Connection: Browser → VM, no RDP port exposed
Browser portal.azure.com Click Connect HTTPS 443 Bastion Authenticates via Entra Checks RBAC permissions private VNet Target VM RDP/SSH over WebSocket No public IP needed ✓ Never exposed: Port 3389 (RDP) Port 22 (SSH) Session runs as HTML5 in browser — no RDP client needed. Fully managed, no agents on VMs.
RequirementValue
Subnet nameAzureBastionSubnet — exact, case-sensitive
Subnet minimum size/27 (32 IPs)
Public IP on Bastion itselfStandard SKU, Static
Other resources in subnet✗ Not allowed — dedicated subnet
Basic SKURDP/SSH only — no copy/paste, no file transfer
Standard SKUCopy/paste, file transfer, connect by IP, reach peered VNet VMs
⚠️
Two Most Tested Bastion Failures
1. Subnet named "bastion-subnet" or "BastionSubnet" → deployment fails. Must be exactly AzureBastionSubnet.
2. Subnet is /28 → deployment fails. Must be /27 minimum. Both are classic exam traps.
4.4 — Connectivity

VNet Peering

MS Docs

Peering connects two VNets over Microsoft's private backbone. Low latency, no VPN needed. But peering is NOT transitive and requires BOTH directions to be created.

Peering: Both directions required · NOT transitive
Both Directions — Status: Connected VNet-Dev 10.10.0.0/16 Kube-Dev sub Dev→Prod Prod→Dev VNet-Prod 10.40.0.0/16 Kube-Prod sub Both sides show "Connected" — traffic flows NOT Transitive — A peered B, B peered C, but A cannot reach C VNet-A 10.1.0.0/16 peered VNet-B Hub peered VNet-C 10.3.0.0/16 A cannot reach C ❌ Solution: peer A↔C directly, or use hub firewall + UDR
Hub-Spoke Architecture — Shared Services Pattern
On-Premises 192.168.0.0/16 HUB VNet 10.0.0.0/16 VPN Gateway shared by spokes Azure Firewall 10.0.1.4 (UDR target) Bastion shared by spokes Spoke-Dev 10.10.0.0/16 Use Remote Gateways=ON · Forwarded Traffic=ON Spoke-QA 10.20.0.0/16 Use Remote Gateways=ON · Forwarded Traffic=ON Spoke-Prod 10.40.0.0/16 Use Remote Gateways=ON · Forwarded Traffic=ON Hub peering settings: Allow Gateway Transit=ON · Forwarded Traffic=ON · Both directions created
⚠️
Peering "Initiated" not "Connected" — Traffic Doesn't Flow
You created VNet-A → VNet-B peering. Status shows "Initiated". This is NOT connected. You must also create VNet-B → VNet-A peering. Only when BOTH show "Connected" does traffic flow. Think handshake — both parties must reach out.
📋
Three Peering Settings — Know Them All
Allow Gateway Transit (set on Hub): Hub shares its VPN Gateway. Spokes can reach on-prem without own gateway.
Use Remote Gateways (set on Spoke): Spoke uses Hub's gateway. Requires Hub to have Allow Gateway Transit ON.
Allow Forwarded Traffic (both): Traffic originating outside VNet is accepted. Required for spoke→hub→spoke routing.
Azure CLI — Peering Both Directions
# Direction 1: Dev → Prod
az network vnet peering create \
  -g RG-Dev --name Dev-to-Prod \
  --vnet-name vnet-dev \
  --remote-vnet /subscriptions/PROD-SUB-ID/resourceGroups/RG-Prod/providers/Microsoft.Network/virtualNetworks/vnet-prod \
  --allow-vnet-access --allow-forwarded-traffic

# Direction 2: Prod → Dev (REQUIRED — without this status = "Initiated")
az network vnet peering create \
  -g RG-Prod --name Prod-to-Dev \
  --vnet-name vnet-prod \
  --remote-vnet /subscriptions/DEV-SUB-ID/resourceGroups/RG-Dev/providers/Microsoft.Network/virtualNetworks/vnet-dev \
  --allow-vnet-access --allow-forwarded-traffic

# Verify — both should show "Connected"
az network vnet peering show -g RG-Dev --vnet-name vnet-dev \
  --name Dev-to-Prod --query peeringState
4.5 — Routing

User-Defined Routes (UDR)

MS Docs

Azure routes traffic using system routes by default. UDRs override those defaults — forcing traffic through a specific next hop (firewall, NVA). Most specific route wins.

🗺️
The Metaphor

Azure's default routing = car GPS picking fastest route. UDR = custom road signs overriding GPS. "All traffic to 10.40.0.0/16? Ignore GPS — go via the security checkpoint (Firewall) first." The packet must follow the road signs regardless of what the GPS says. Most specific sign wins — /16 sign beats /8 sign for a /24 destination.

Route Table — Most Specific Prefix Wins (Longest Prefix Match)
Route Table: rt-spoke (attached to web-subnet) ADDRESS PREFIX NEXT HOP TYPE NEXT HOP IP 0.0.0.0/0 VirtualAppliance 10.0.1.4 (Firewall) All internet/unknown traffic → Hub Firewall first 10.40.0.0/16 VirtualAppliance 10.0.1.4 (Firewall) Prod VNet traffic → Firewall for inspection 10.99.0.0/16 None (Black Hole) — (dropped silently) Next Hop Types VirtualAppliance Firewall / NVA private IP VirtualNetworkGateway VPN / ExpressRoute gateway VirtualNetwork Stay within VNet None = Black Hole (drop)
Animated — UDR in action: VM traffic forced through Azure Firewall
VM Spoke Subnet UDR → FW UDR: 0.0.0.0/0 → 10.0.1.4 Azure Firewall 10.0.1.4 Inspects ALL traffic logs · rules · IDPS ALLOW BLOCK Internet Allowed destinations Blocked Malicious / denied Without UDR: traffic would bypass firewall entirely (direct internet) Route Table 0.0.0.0/0 → FW 10.40.0.0/16 → FW Associated to spoke-subnet ✓
⚠️
Route Table Must Be ASSOCIATED to Subnet — Creating It Is Not Enough
Creating a Route Table and adding routes does nothing until you associate it to a subnet. Portal: Route Table → Subnets → Associate. CLI: az network vnet subnet update --route-table. Forgetting the association is the #1 UDR exam mistake.
Azure CLI — Route Table + Associate to Subnet
# Create route table
az network route-table create -g RG-Prod --name rt-spoke-web

# Add route: all internet → Firewall
az network route-table route create \
  -g RG-Prod --route-table-name rt-spoke-web \
  --name default-to-fw \
  --address-prefix 0.0.0.0/0 \
  --next-hop-type VirtualAppliance \
  --next-hop-ip-address 10.0.1.4

# ASSOCIATE to subnet (required — without this nothing works)
az network vnet subnet update \
  -g RG-Prod --vnet-name vnet-prod \
  --name web-subnet \
  --route-table rt-spoke-web
4.6 — Private Connectivity

Service Endpoints & Private Endpoints

MS Docs

Two ways to connect to Azure PaaS services (Storage, Cosmos, SQL) without traffic going over public internet. Very different in how they work.

🔌
The Metaphor

Service Endpoint = a dedicated lane on the highway. Your traffic stays on Microsoft's road (backbone) instead of the public internet. But the destination (Storage) still has a public address — you just got a faster private-ish route to it.

Private Endpoint = the destination moves into your house. Storage gets a private IP address inside your VNet. No public address involved at all. Traffic never leaves your network.

Service Endpoint vs Private Endpoint — Traffic Path Comparison
Service Endpoint — Microsoft Backbone VM in VNet 10.40.1.4 MS backbone Storage Account still PUBLIC IP Firewall restricts to your subnet. But storage still has public endpoint. 2 steps: enable endpoint on subnet + add VNet rule in storage firewall Private Endpoint — Private IP in VNet VM in VNet 10.40.1.4 private VNet Storage Account PRIVATE IP 10.40.6.11 Traffic never leaves VNet. Can disable public endpoint entirely. Requires: Private DNS Zone linked to VNet for name resolution Service Endpoint Private Endpoint Free · Easy to configure Costs (per hour + data) · More complex On-prem access: ✗ No On-prem access: ✓ Via VPN/ExpressRoute Service still has public IP Service gets private IP — truly private
⚠️
Private Endpoint Needs Private DNS Zone — Easy to Miss
After creating a Private Endpoint for Storage, your VM resolves kubestg.blob.core.windows.net → still gets the public IP. Traffic goes over internet — private endpoint ignored.

Fix: Create Private DNS Zone (privatelink.blob.core.windows.net) → link to VNet → add A record pointing to private IP (10.40.6.11). Now DNS resolves to private IP → traffic stays in VNet.

Portal does this automatically if you tick "Integrate with private DNS zone" at creation time.
4.7 — Name Resolution

Azure DNS

MS Docs

Azure DNS handles two scenarios: Public DNS (internet-facing) and Private DNS (internal name resolution within VNets).

Public DNS Zone
Internet-Facing Name Resolution
Hosts DNS records for a domain (e.g. kubemind.in) so internet clients can resolve it.

Azure DNS becomes your authoritative nameserver — you delegate from your domain registrar to Azure's nameservers (ns1-xx.azure-dns.com).

Cannot use for apex domain CNAME: root domain (@ or kubemind.in) cannot have a CNAME — must use A record or Azure DNS alias record.
Private DNS Zone
Internal VNet Name Resolution
Resolves internal names (vm01.kube.internal) within your VNets only — invisible from internet.

Must link zone to VNet — without the link, VNet VMs cannot query the zone.

Auto-registration: link with auto-registration ON → VMs automatically get A records when they start. No manual management needed.

Used for: Private Endpoint DNS resolution, internal service discovery.
Record TypeMapsExam Notes
Ahostname → IPv4Most common — VMs, web apps, private endpoints
AAAAhostname → IPv6IPv6 equivalent of A record
CNAMEalias → another hostnameCannot use for apex/root domain
MXdomain → mail serverRequired for email routing
TXTdomain → arbitrary textDomain verification (Azure, Google, etc.)
NSzone → nameserversDelegation records — do not edit
PTRIP → hostname (reverse)Reverse DNS lookups
Alias (Azure-specific)Apex → Azure resourceSolves CNAME at apex — points to Traffic Manager, Front Door, etc.
Animated — Private DNS Resolution: VM → Private Endpoint
VM cosmos.documents .azure.com DNS query Azure DNS 168.63.129.16 checks Private DNS Zone linked to this VNet? lookup zone Private DNS Zone privatelink.documents .azure.com A record: 10.40.6.10 returns 10.40.6.10 Private Endpoint 10.40.6.10 VM connects to private IP ✓ Without DNS Zone linked: VM resolves cosmos.documents.azure.com → public IP → bypasses private endpoint
⚠️
CNAME Cannot Be Used for Root/Apex Domain
You cannot create a CNAME record for kubemind.in (apex/root). CNAME requires another hostname as the target, but apex records must be A or NS records per DNS spec. Solution: use Azure DNS Alias record which can point the apex to Azure Traffic Manager, Front Door, or a public IP resource.
4.8 — Traffic Distribution

Load Balancing

MS Docs

Azure has four load balancing services. Choosing the right one is a key exam scenario — each operates at a different layer for a different purpose.

ServiceLayerScopeHTTP/S featuresBest For
Azure Load BalancerLayer 4 (TCP/UDP)RegionalVMs, VMSS — raw TCP/UDP distribution
Application GatewayLayer 7 (HTTP/S)Regional✓ WAF, SSL offload, URL routingWeb apps — route /api vs /images to different backends
Azure Front DoorLayer 7 (HTTP/S)Global✓ WAF, CDN, SSL, anycastGlobal web apps — route users to nearest region
Traffic ManagerDNS (Layer 7)Global✗ DNS onlyDNS-based routing — failover, geographic, performance
Animated — LB Layer 4 vs AppGW Layer 7 traffic distribution
Azure Load Balancer — Layer 4 Client TCP:1433 Azure LB TCP/UDP only No URL awareness VM-1 VM-2 VM-3 Application Gateway — Layer 7 Browser HTTPS App Gateway Reads URL · WAF SSL termination /api/* → API pool /images/* → CDN pool Quick Decision Guide SQL / RDP / custom TCP → Azure LB HTTP + WAF + URL routing, regional → AppGW HTTP global + CDN + anycast → Front Door DNS-based failover, no HTTP → Traffic Manager ⚠️ Exam Trap Standard LB requires Standard public IP Basic + Standard mix = deployment fails Always use Standard SKU for both
📋
Decision Tree — Which Load Balancer?
"Non-HTTP traffic (SQL, RDP, custom TCP)" → Azure Load Balancer
"HTTP/S, URL-based routing, WAF, within one region" → Application Gateway
"Global, users in multiple continents, CDN" → Front Door
"DNS failover between regions, no SSL involvement" → Traffic Manager

Azure Load Balancer — Deep Dive

Public Load Balancer
Internet → Internal VMs
Has a public IP frontend. Internet traffic hits the public IP → distributed across backend pool of VMs.

Components:
Frontend IP: public IP address (Standard SKU)
Backend pool: VMs or VMSS instances
Health probe: HTTP/TCP check on backend VMs
Load balancing rule: frontend port → backend port
Inbound NAT rule: specific external port → specific VM
Internal (Private) Load Balancer
Internal Traffic Only
Has a private IP frontend. Traffic from within VNet distributed to backend pool.

Used for: multi-tier apps (web tier LB → app tier), internal microservices, database clusters.

SKU rule: Standard LB requires Standard public IP. Basic LB with Standard IP = fails. Basic LB being deprecated — always use Standard.
4.9 — Outbound Connectivity

NAT Gateway

MS Docs

NAT Gateway gives all VMs in a subnet a consistent, static outbound public IP — without needing a public IP on each VM. Outbound only.

📬
The Metaphor

Without NAT Gateway: each VM has its own return address. 100 VMs = 100 different IPs visible to external services. Whitelisting is a nightmare.

With NAT Gateway: all 100 VMs share one post office with one return address. External APIs whitelist one IP. NAT Gateway handles translating "which VM sent this?" internally. Mail goes out from one known address, responses come back to the right VM.

NAT Gateway — Consistent Outbound IP for All Subnet VMs
VM 10.40.1.4 VM 10.40.1.5 VM 10.40.1.6 NAT Gateway Outbound ONLY Public IP: 20.50.60.70 (static) ALL outbound from 20.50.60.70 Internet whitelist 20.50.60.70 NAT bypassed if: VM has own Public IP LB outbound rule exists Instance-level PIP wins
Animated — NAT Gateway Outbound: All VMs share one consistent public IP
VMs (subnet) private IPs only outbound req NAT Gateway SNAT: src=10.40.1.4 → src=20.50.60.70 consistent IP External API sees 20.50.60.70 ✓ response returns → NAT GW → routes to correct VM NAT is OUTBOUND ONLY — inbound traffic requires LB or public IP on VM. NAT Gateway does not allow inbound.
📋
NAT Gateway Priority — Who Wins?
If VM has instance-level Public IP → that IP is used for outbound (NAT bypassed).
If LB has outbound rule → LB frontend IP used (NAT bypassed).
If NAT Gateway assigned to subnet → NAT Gateway IP used.
If nothing → Azure assigns dynamic SNAT from shared pool (unpredictable, avoid in production).
Priority: Instance Public IP > LB Outbound Rule > NAT Gateway > Default SNAT
4.10 — Diagnostics

Network Watcher

MS Docs

Network Watcher is your diagnostic toolkit for Azure networking. Troubleshoot connectivity, view routing decisions, capture packets, and audit flow logs.

ToolWhat It DoesWhen to Use
IP Flow VerifyChecks if NSG allows or blocks a specific packet (src IP/port → dst IP/port)"My VM can't reach port 443 — which NSG rule is blocking it?"
Effective Security RulesShows combined NSG rules applied to a NIC (subnet NSG + NIC NSG merged)"What rules are actually active on this VM's NIC?"
Next HopShows where Azure will route a packet from a VM to a destination IP"Is my UDR working? Is traffic going to Firewall or directly?"
Connection TroubleshootTests end-to-end connectivity between two endpoints (TCP/ICMP)"Can VM-A reach VM-B on port 1433?"
NSG Flow LogsLogs every allowed/denied flow through NSG to Storage AccountAuditing, security investigations, traffic patterns
Packet CaptureCaptures VM network traffic to a file (like Wireshark remotely)Deep packet inspection, debugging application protocols
VPN DiagnosticsDiagnoses VPN Gateway connectivity issues"Site-to-site VPN not connecting — what's failing?"
📋
IP Flow Verify vs Next Hop — Know Which Tool
IP Flow Verify: "Is this specific connection blocked by NSG?" → tells you ALLOW or DENY and which rule.
Next Hop: "Where will traffic go from this VM to that destination?" → tells you the next hop type and IP (useful for UDR debugging).

Exam pattern: "VM can't reach external API despite NSG looking correct" → use Next Hop to check if UDR is sending traffic to wrong place.
Exam Prep

Phase 4 — Exam Q&A

Exam Guide

Click to reveal. Networking is the most tested phase in AZ-104.

QA subnet /24 has 256 addresses. How many are usable for VMs?
ANSWER
251 usable addresses.

Azure reserves 5 IPs: .0 (network), .1 (default gateway), .2 (DNS), .3 (future use), .255 (broadcast). 256 - 5 = 251 usable for VMs and other resources.
QA VM can reach other VMs in its subnet but cannot reach a VM in a peered VNet. What are the two most likely causes?
ANSWER
1. Peering is "Initiated" but not "Connected" — only one direction was created.
2. NSG on the destination VM's subnet or NIC is blocking the traffic.

Check peering status first (both must show Connected). Then use IP Flow Verify to test if NSG is blocking. Check that Allow Forwarded Traffic is enabled if routing through a hub.
QAzure Bastion deployment fails with "subnet not found." The subnet is named AzurebasionSubnet with /27. What is wrong?
ANSWER
Typo in subnet name. Must be exactly "AzureBastionSubnet" — case-sensitive, no typos.

"AzurebasionSubnet" has a lowercase 'b' and missing 't' — Azure won't find it. Create a new subnet with the exact correct name: AzureBastionSubnet.⚠️ The /27 size is correct — that part is fine. The name is the issue here.
QA Function App on a VNet subnet cannot resolve the private DNS name for a Cosmos DB private endpoint. What is missing?
ANSWER
The Private DNS Zone (privatelink.documents.azure.com) is not linked to the VNet.

Private endpoint creates the DNS A record in the Private DNS Zone. But the VNet only queries zones that are linked to it. Without the link, the VNet uses public DNS → resolves to public IP → bypasses private endpoint entirely.

Fix: Private DNS Zone → Virtual Network Links → Add link to the VNet. Enable auto-registration optionally.
QAll VMs behind an Azure Standard Load Balancer show "unhealthy" in the backend pool. NSG and VMs look fine. What is the most likely cause?
ANSWER
NSG is blocking health probe traffic from the AzureLoadBalancer service tag.

LB health probes originate from 168.63.129.16 using the AzureLoadBalancer service tag. If NSG doesn't allow inbound from this tag on the probe port, probes fail → VMs show unhealthy → traffic stops being distributed.

Fix: Add NSG inbound allow rule — Source: AzureLoadBalancer, Destination: Any, Port: (your health probe port), Priority: lower than any deny rules.
QA UDR is created and routes added but traffic still goes directly to the internet instead of through the Firewall. What is most likely wrong?
ANSWER
The Route Table is not associated to the subnet.

Creating a Route Table and adding routes does nothing until it's associated to a subnet. Portal: Route Table → Subnets → + Associate. CLI: az network vnet subnet update --route-table.

Use Network Watcher → Next Hop to confirm where traffic is going and verify the UDR is applied.
QWhich tool would you use to identify: (a) which NSG rule is blocking port 1433, (b) whether traffic from VM-A to VM-B is being sent to the Firewall or directly?
ANSWER
(a) IP Flow Verify — tells you ALLOW or DENY and the exact rule name responsible.
(b) Next Hop — shows the next hop type (VirtualAppliance = going to Firewall, or Internet = going direct).

IP Flow Verify = NSG diagnostic. Next Hop = routing diagnostic. Two different tools for two different problems.
Phase 4 — Cheat Sheet
/24 subnet usable IPs251 (256 minus 5 Azure reserved)
Bastion subnet name (exact)AzureBastionSubnet · minimum /27
Bastion Public IP SKUStandard Static
NSG inbound evaluation orderSubnet NSG first, NIC NSG second
NSG outbound evaluation orderNIC NSG first, Subnet NSG second
LB health probes blockedAdd NSG rule: Allow AzureLoadBalancer tag inbound
Peering status "Initiated"Only one direction created — create the return peering too
Peering is NOTTransitive — A↔B + B↔C ≠ A can reach C
UDR not working despite routesRoute Table not associated to subnet
Service Endpoint vs Private EndpointSE = MS backbone route. PE = private IP in VNet
Private Endpoint DNS not resolvingPrivate DNS Zone not linked to VNet
CNAME at apex/root domainNot allowed — use Azure DNS Alias record
Which NSG rule blocking traffic?Network Watcher → IP Flow Verify
Is UDR sending to Firewall?Network Watcher → Next Hop
NAT Gateway outbound priorityInstance PIP > LB outbound rule > NAT Gateway > default SNAT
Standard LB + Basic Public IPFails — SKUs must match (both Standard)
Non-HTTP LB (SQL, RDP)Azure Load Balancer (Layer 4)
URL-based routing with WAFApplication Gateway (Layer 7, regional)
Global HTTP routing + CDNAzure Front Door
How was Phase 4 — Networking?
One tap — takes a second
✓ Saved — thank you!