-
External connectivity
Azure VNets enable selective exposure of resources to the Internet. For example, place web servers in a frontend subnet behind a public-facing load balancer so users anywhere can reach your website, while keeping backend systems private. Load balancers distribute incoming traffic across healthy servers and provide resilience and scale. -
Internal communication
Many workloads only need private, lateral communication. Use separate subnets for frontend and backend tiers so frontend servers can call backend services (for example, a web server talking to a database) using an internal load balancer or direct routing. This traffic stays inside the VNet, providing low latency and isolation from the Internet. -
Integrate on-premises networks (hybrid connectivity)
VNets support hybrid architectures by connecting on-premises datacenters or branch networks to Azure using VPN Gateway or ExpressRoute. With these connections, on-premises and cloud resources can communicate as if they were on the same local network. -
Control traffic with security policies and routes
Apply Network Security Groups (NSGs) to define allow/deny rules for inbound and outbound traffic at subnet or NIC level. Use NSGs to limit management access to specific IP ranges or permit only HTTP/HTTPS to web servers. Combined with Azure Firewall or third-party appliances, these controls enforce a layered security posture. -
Customize traffic paths
When you need deterministic routing, use User Defined Routes (UDRs) and custom route tables to define exact traffic paths. For example, route all outbound traffic through a firewall for inspection, or send inter-subnet traffic to a virtual appliance for filtering, logging, or protocol translation.

- Route all outbound traffic from a subnet through a firewall for inspection and logging.
- Send inter-subnet traffic to a virtual appliance for filtering, protocol translation, or deep packet inspection.
This lesson introduced the core capabilities of Azure VNets: selective external connectivity, isolated internal communication, hybrid on-premises integration, traffic control with security and routing, and customizable traffic paths. Use these capabilities together to design secure, scalable, and efficient cloud architectures.
Relevant links and references
- Azure Virtual Network overview
- Network Security Groups (NSGs)
- User Defined Routes (UDRs)
- Azure VPN Gateway
- ExpressRoute