Lab 01 – Virtual Networks & Subnets

⏱️ Total Estimated Time: 50 minutes

Real-Life Scenario

Company: FinServe Solutions

FinServe is migrating to Azure and needs to design their network architecture. They need to create virtual networks with proper subnetting strategy, assign static private IPs for critical services, restrict access to storage using service endpoints, create private connections without exposing data to the internet, and plan IP address space for future growth.

The Challenge: Design a network that isolates workloads, restricts access, and scales without redesign?

❗

Core Learning Objective

VNets are the foundation of Azure networking. You'll learn subnetting strategy, IP planning, service endpoints vs private endpoints, and access restriction patterns. This is essential for designing secure, scalable cloud infrastructure.

Objectives

Create a VNet with multiple subnets and custom address space
Assign static private IPs to resources
Configure service endpoints to restrict PaaS access
Configure private endpoints for fully private PaaS connectivity
Design IP address space for growth

Prerequisites

Signed in to Azure Portal at portal.azure.com
Basic understanding of CIDR notation (e.g., /16, /24, /26)

Part 1 – Create the VNet and subnets

⏱️ 15 minutes

ℹ️

VNet Fundamentals

A Virtual Network is your private network in Azure. Subnets segment the VNet for organization and security. Each subnet gets a portion of the VNet's address space using CIDR notation.

✓

Step 1: Create Virtual Network and First Subnet

In the Azure Portal, search for Virtual networks > Create
Fill in the Basics tab:

Resource group: Create new and name it rg-az104-lab12
Name: vnet-hub
Region: East US

Click Next: IP Addresses
Configure the address space and first subnet:

IPv4 address space: 10.50.0.0/16 (65,536 addresses)
Subnet name: subnet-web
Subnet address range: 10.50.1.0/24 (256 addresses, ~251 usable)

Click Review + create > Create
Wait for the VNet to be created (typically 1-2 minutes)

❗

Reserved IPs in Subnets

Each subnet reserves 5 IPs: .0 (network), .1 (gateway), .2/.3 (DNS), and broadcast. A /24 (256 IPs) has only ~251 usable IPs for resources. Always account for this when planning.

✓

Step 2: Add Additional Subnets

Navigate to vnet-hub > Subnets (left menu under Settings)
Click + Subnet to add the data subnet:

Name: subnet-data
Subnet address range: 10.50.2.0/24
Click Add

Click + Subnet again to add the management subnet:

Name: subnet-mgmt
Subnet address range: 10.50.3.0/24
Click Add

Verify all three subnets appear in the subnets list

Part 1 Validation

VNet vnet-hub created in East US with address space 10.50.0.0/16

Three subnets created: subnet-web (10.50.1.0/24), subnet-data (10.50.2.0/24), subnet-mgmt (10.50.3.0/24)

No overlapping address spaces between subnets

Resource group rg-az104-lab12 created

After Part 1

VNet vnet-hub created with /16 address space (65,536 addresses)
Three subnets created, each with /24 (256 addresses, ~251 usable)
You understand CIDR notation and address space planning
You know 5 IPs are reserved per subnet

Part 2 – Static private IP

⏱️ 8 minutes

ℹ️

Static vs Dynamic IPs

Dynamic IPs can change when resources restart. Static IPs are permanently assigned to a resource. Critical services (databases, DNS servers) should use static IPs.

✓

Step 1: Create Virtual Machine with Static IP

Search for Virtual machines > Create > Azure virtual machine
In the Basics tab, fill in:

Resource group: rg-az104-lab12
Virtual machine name: vm-data01
Image: Ubuntu 22.04 LTS
Size: Standard_B1s (cheapest option)
Authentication type: Password (for lab simplicity)
Create a username and password (remember these)

Click Next: Disks, then Next: Networking

✓

Step 2: Configure Network Settings

In the Networking tab, configure:

Virtual network: vnet-hub
Subnet: subnet-data
Public IP: None (keep this VM private for security)
NIC network security group: Basic

Click Next: Management, then Next: Advanced
In the Advanced tab, find Network Interface section
Set Private IP address assignment: Static
Set the static IP to 10.50.2.10

✓

Step 3: Complete VM Creation

Click Review + create
Review the configuration and click Create
Wait for the VM to be created (typically 2-3 minutes)
Once created, navigate to the VM > Networking and verify static IP 10.50.2.10

Part 2 Validation

VM vm-data01 created in subnet-data

VM has static private IP 10.50.2.10

VM has NO public IP (private only)

Network Security Group applied to network interface

After Part 2

VM deployed with static private IP within the VNet
VM is isolated (no public IP) and only reachable from within VNet
You understand static IP assignment for critical services
You can secure VMs by removing public IP exposure

Part 3 – Service Endpoints

⏱️ 10 minutes

ℹ️

Service Endpoints Overview

Service Endpoints extend your VNet's identity to Azure services (like Storage) over the Azure backbone. The PaaS resource keeps its public endpoint but can restrict access to specified subnets.

✓

Step 1: Enable Service Endpoint on Subnet

Navigate to vnet-hub > Subnets > select subnet-data
Scroll down to Service endpoints section
Click + Add in the Service endpoints area
In the dropdown, select Microsoft.Storage
Click Add to enable the service endpoint
Save the subnet configuration

✓

Step 2: Create Storage Account

Search for Storage accounts > Create
Fill in the Basics tab:

Resource group: rg-az104-lab12
Storage account name: stoaz104lab12 (must be globally unique, 3-24 chars, lowercase only)
Region: East US
Performance: Standard
Redundancy: Locally-redundant storage (LRS)

Click Review + create > Create

❗

Storage Account Naming

Storage account names must be globally unique (3-24 characters, lowercase letters and numbers only). If your choice is taken, add numbers until it's unique.

✓

Step 3: Restrict Storage Access via Service Endpoint

Navigate to your storage account > Networking (under Security + networking in left menu)
Under Public network access, select Enabled from selected virtual networks and IP addresses
Under Virtual networks, click + Add existing virtual network
Select:

Subscription: Your current subscription
Virtual network: vnet-hub
Subnets: subnet-data

Click Add
Set Default action to Deny
Click Save

Part 3 Validation

Service endpoint Microsoft.Storage enabled on subnet-data

Storage account created with LRS in rg-az104-lab12

Storage account networking restricted to vnet-hub/subnet-data with Default action = Deny

After Part 3

Service endpoint enabled on subnet to extend VNet identity to Storage
Storage account public access restricted to only the specified subnet
You understand how service endpoints add network security without private IPs
All other internet access to storage is denied

Part 4 – Private Endpoint

⏱️ 8 minutes

ℹ️

Private Endpoints vs Service Endpoints

Service Endpoints: Extend VNet identity to service, service keeps public endpoint. Private Endpoints: Give the PaaS service a private IP inside your VNet—fully removes public exposure.

✓

Step 1: Create Private Endpoint

Search for Private endpoints > Create
Fill in the Basics tab:

Resource group: rg-az104-lab12
Name: pe-storage
Region: East US

Click Next: Resource

✓

Step 2: Connect to Storage Resource

In the Resource tab, configure:

Connection method: Connect to an Azure resource in my directory
Resource type: Microsoft.Storage/storageAccounts
Resource: Select your storage account stoaz104lab12
Target sub-resource: blob

Click Next: Virtual Network

✓

Step 3: Configure VNet and DNS

In the Virtual Network tab, configure:

Virtual network: vnet-hub
Subnet: subnet-mgmt

Click Next: DNS
Enable Private DNS integration: Yes (auto-creates DNS zone for private resolution)
Click Review + create > Create
Wait for the private endpoint to be created (typically 1-2 minutes)

Part 4 Validation

Private endpoint pe-storage created in subnet-mgmt

Private endpoint connected to storage account blob resource

Private DNS zone created and integrated for private resolution

Storage account has a private IP visible in subnet-mgmt

After Part 4

Storage account now has a private IP endpoint inside subnet-mgmt
Traffic to storage never traverses the public internet
Private DNS resolves storage FQDN to private IP
You understand the difference: Service Endpoints (public + restricted) vs Private Endpoints (fully private)

Part 5 – IP address planning exercise

⏱️ 10 minutes

ℹ️

IP Planning Strategy

Plan your address space to accommodate current and future growth. Subnets cannot be easily resized after creation, so plan generously. Different services require different subnet sizes.

✓

Step 1: Review Address Space Allocation

Review your existing infrastructure based on 10.50.0.0/16:

subnet-web: 10.50.1.0/24 (250+ hosts)
subnet-data: 10.50.2.0/24 (60+ hosts)
subnet-mgmt: 10.50.3.0/24 (20+ hosts)

Remaining available space: 10.50.4.0 - 10.50.255.0 (much of the /16 is still unused)

✓

Step 2: Design for Growth

Plan subnets for future requirements:

AzureBastionSubnet: minimum /26 (64 addresses)
Example: 10.50.4.0/26
GatewaySubnet: recommended /26 or larger (for VPN/ExpressRoute)
Example: 10.50.4.64/26
AKS cluster subnet: 1,000+ hosts → /22 (1,024 addresses)
Example: 10.50.8.0/22

Verify: No overlapping address ranges

✓

Step 3: Understand Reserved Subnet Names

Azure has reserved subnet names for specific services:

GatewaySubnet: Required for VPN gateways and ExpressRoute
AzureBastionSubnet: Required for Azure Bastion (RDP/SSH access)
AzureFirewallSubnet: Required for Azure Firewall NVA

These names must be exact—you can only deploy those services in subnets with these names
Plan their size accordingly based on expected deployment scale

Part 5 Validation

Understand current subnet allocation within 10.50.0.0/16

Can design future subnets (Bastion, Gateway, AKS) without overlapping

Know the reserved subnet names and their purposes

Understand the importance of planning address space for growth

After Part 5

You designed IP address space accommodating current and future needs
You understand CIDR notation and subnet sizing (/24, /26, /22, etc.)
You know reserved subnet names and their purposes
You can plan growth without redesigning the entire VNet

Success Criteria

Lab Completion Checklist

VNet vnet-hub created with /16 address space (10.50.0.0/16)
Three subnets created with no overlapping address ranges
VM vm-data01 deployed with static private IP 10.50.2.10 in subnet-data
Service endpoint (Microsoft.Storage) enabled on subnet-data
Storage account created and restricted via service endpoint to subnet-data only
Private endpoint created for storage in subnet-mgmt with private DNS integration
IP address planning exercise completed for future growth

Cleanup

If you want to delete the resources created in this lab:

Navigate to Resource groups > select rg-az104-lab12
Click Delete resource group
Confirm the deletion
All resources (VNet, subnets, VMs, storage account, endpoints) will be deleted

Exam Tips

Reserved IPs: Each subnet reserves 5 IPs (.0, .1, .2, .3, broadcast). A /24 has 256 addresses but only ~251 usable.
Service Endpoint vs Private Endpoint: Service Endpoint keeps the public endpoint but restricts via VNet identity. Private Endpoint gives a private IP inside your VNet—fully removes public exposure.
VNet Constraints: VNets cannot span regions. Subnets cannot span VNets. Address spaces should not overlap if you plan VNet peering.
Reserved Subnet Names: GatewaySubnet, AzureBastionSubnet, AzureFirewallSubnet—these must be exact names for those services to deploy.
Static vs Dynamic: Use static IPs for critical infrastructure (databases, DNS). Dynamic is fine for ephemeral workloads.
Address Space Planning: Plan generously for growth. Resizing VNets/subnets after creation is difficult or impossible.