Flash sale is here! Get Extra 25% off on ALL COURSES! Use coupon code FLASH25. Ends today.
Domain 04 · Revision Notes

Implement and manage virtual networking

VNets, NSGs, Load Balancers, DNS, VPN Gateways & Azure Firewall

01

Azure DNS — Public Zones, Private Zones & NS Delegation

Azure DNS allows you to host both public and private DNS zones within Azure. A public DNS zone serves records to the internet at large, while a private DNS zone serves records only to linked virtual networks. Understanding how each type works — and crucially how they are made authoritative — is fundamental to DNS configuration in Azure.

Making a Public Zone Internet-Resolvable

Creating a public DNS zone in Azure does not automatically make it resolvable from the internet. For internet clients to resolve names in the zone, you must update the NS (Name Server) records at your domain registrar to point to the four Azure name servers assigned to the zone. Once the registrar delegates authority to Azure's name servers, external DNS resolvers will follow that delegation. Modifying the SOA record at the registrar, or creating additional NS records inside the Azure zone itself, does not accomplish this delegation.

Private DNS Zones — VNet Links and Resolution
  • A private DNS zone must be linked to a VNet before any VM in that VNet can resolve records in the zone.
  • A VNet link can optionally enable auto-registration, which causes Azure to automatically create DNS A records for VMs in that VNet when they start.
  • Auto-registration only registers the VM's private IP address — never its public IP. A VM without a private IP (no NIC connected to the VNet) will not be auto-registered.
  • A VNet can be linked to up to 1,000 private DNS zones; a single private DNS zone can be linked to up to 1,000 VNets.
⚠ Assigning a Role to a Zone Does Not Create DNS Records

Assigning users an Owner or Contributor role on a public DNS zone gives those users permission to manage records in the zone through RBAC. It does not cause DNS A records to be automatically created or registered. Auto-registration is a feature of private DNS zone VNet links, not a result of role assignments. Assigning a role to a public zone has no effect on automatic record creation.


02

Private DNS Auto-Registration — Rules & Behaviour

When a VNet link to a private DNS zone has auto-registration enabled, Azure monitors VMs in that VNet and maintains DNS A records that map each VM's hostname to its private IP address. This eliminates the need to manually create and update DNS records as VMs are added, resized, or restarted.

Auto-Registration Behaviour
  • Records are created when a VM starts (and its NIC is assigned a private IP). Records are removed when the VM is deleted.
  • Only the VM's private IP address is registered — never the public IP, even if the VM has one.
  • For auto-registration to work, the VNet must be linked to the private zone and the link must have auto-registration enabled.
  • A VM connected to a VNet that is not linked to the private zone will not have its record auto-registered, even if the zone exists in the same subscription.
  • A VM in a VNet that is linked to the zone but with auto-registration disabled can still resolve records from the zone — it just does not get its own record created automatically.
Resolution vs Registration — Two Separate Capabilities of a VNet Link

The VNet link controls two things independently. Resolution: whether VMs in the linked VNet can query the private zone (always enabled when the link exists). Registration: whether VMs in the linked VNet get their records automatically added to the zone (only when the auto-registration toggle is enabled on the link). A VNet can be linked for resolution-only, or for both resolution and registration.

⚠ VM Must Be in the Linked VNet for Auto-Registration

Auto-registration is scoped to the VNet that is linked with registration enabled. A VM in a different VNet — even a peered VNet — will not have its record auto-registered into the zone unless that VNet also has its own link to the zone with registration enabled. Simply being reachable via peering is not sufficient for auto-registration to occur.


03

DNS Resolution Priority — VNet vs NIC vs Private Zone

Azure DNS resolution follows a strict priority order that determines which DNS server a VM uses. The NIC-level setting always takes precedence, followed by the VNet-level setting, and finally Azure-provided DNS. A private DNS zone is only consulted when Azure-provided DNS is in use — if a custom DNS server is configured at the VNet or NIC level, the private zone is bypassed entirely.

DNS Resolution Priority Order
  1. NIC-level custom DNS — if a specific DNS server IP is configured directly on the network interface, that VM uses only that DNS server, regardless of the VNet's settings.
  2. VNet-level custom DNS — if no NIC-level DNS is set, the VM uses whichever custom DNS servers are configured on the VNet.
  3. Azure-provided DNS (168.63.129.16) — used only when neither the NIC nor the VNet has a custom DNS server configured. Azure-provided DNS is what queries private DNS zones.
⚠ Custom DNS Server Bypasses Private DNS Zones

Private DNS zones are resolved by Azure's internal DNS resolver (168.63.129.16). If a VNet is configured to use a custom DNS server instead of Azure-provided DNS, VMs in that VNet send their queries to the custom server — not to Azure's resolver. As a result, the private DNS zone link is completely irrelevant for those VMs. They will only resolve names that the custom DNS server knows about, not names from the private zone.

Worked Example — Same Zone Name, Different Sources

A private DNS zone contoso.com is linked to VNET1 (Azure-provided DNS) and VNET2 (custom DNS = VM4). VM4 runs its own authoritative DNS for contoso.com with different records.

VMVNet DNSQueries Serverserver1.contoso.com Resolves to
VM1 (VNET1)Azure-providedAzure DNS → private zonePrivate zone record (e.g. 131.107.3.3)
VM2 (VNET2)Custom: VM4VM4's DNS serverVM4's zone record (e.g. 131.107.2.3)
VM3 (VNET3)Custom: VM4VM4's DNS serverVM4's zone record (e.g. 131.107.2.3)

Even though VNET2 is linked to the private zone, VM2 does not see the private zone's records because its VNet uses VM4 as the DNS server instead of Azure-provided DNS.

Making a Custom DNS Server Available Across Multiple VNets

If a DNS server VM (e.g. VM1 on VNET1) needs to serve DNS to VMs in VNET2 and VNET3, those VNets must be able to reach VM1 over the network. The correct solution is to configure peering between the VNets so that VNET2 and VNET3 can communicate with VM1. Simply adding service endpoints does not establish connectivity between VNets. After peering is in place, setting the DNS server IP on VNET2 and VNET3 to VM1's private IP completes the configuration.


04

VNet Peering — Constraints, Address Space Conflicts & Cross-Tenant

VNet peering creates a direct, low-latency connection between two virtual networks using the Microsoft backbone. Peered VNets behave as if they are part of the same network for routing purposes, but the peering relationship itself has strict requirements — most importantly that the two VNets must not have overlapping IP address spaces.

Address Space Overlap — The Peering Blocker

Before peering two VNets, their address spaces must be entirely non-overlapping. The overlap check is performed against the VNet's declared address space, not just the subnets currently in use. If VNet1 has address space 10.11.0.0/16 and VNet2 has 10.11.0.0/17, VNet2's address space is a subset of VNet1's — they overlap and cannot be peered. To resolve this, the address space of one VNet must be modified first. Simply deleting subnets or adding gateway subnets does not resolve an address space conflict.

Peering Is Non-Transitive

Peering does not propagate beyond the directly peered pair. If VNET1 is peered with VNET2, and VNET1 is also peered with VNET3, then VNET2 and VNET3 can each communicate with VNET1 — but VNET2 cannot communicate with VNET3 through VNET1. For VNET2 to reach VNET3, a direct peering between them must be created. This non-transitive behaviour is fundamental and cannot be configured away without hub-spoke routing or VPN gateway transit.

Cross-Subscription and Cross-Tenant Peering

VNet peering works across different subscriptions and across different Microsoft Entra tenants. No resources need to be moved between subscriptions to enable the peering. The peering is established from both sides — one side initiates and the other authorises. Cross-tenant peering is particularly useful for connecting networks managed by partner organisations without requiring VPN gateways or ExpressRoute circuits.

⚠ What "Packets from VNET1 can be routed to" Means in Practice

In a peering topology where VNET1 is peered with VNET2 and VNET1 is also peered with VNET3, packets from VNET1 can reach both VNET2 and VNET3 directly. However, packets from VNET2 can only reach VNET1 — not VNET3, because there is no direct peering between VNET2 and VNET3. Each pair needs its own peering link for direct communication.


05

VNet Peering — Disconnected Status & Bidirectional Requirement

VNet peering must be configured on both sides of the relationship — each VNet must have an outbound peering pointing to the other. When only one side is configured, the peering entry shows a status of Disconnected rather than Connected, and no traffic can flow across it.

Why Peering Shows "Disconnected"

A Disconnected peering means the peering object exists on this VNet, but the matching reciprocal peering on the remote VNet has not been created or has since been deleted. Azure requires both sides to acknowledge the peering before traffic can flow. A Disconnected peering is purely a configuration gap — the fix is to go to the peer VNet and add the corresponding peering back to this VNet.

Resolving a Disconnected Peering

If vNET6 shows a peering to vNET1 with status Disconnected, navigate to vNET1 and add a peering pointing back to vNET6. Once both sides are configured with compatible settings (non-overlapping address spaces, same subscription or authorised cross-subscription), the status on both sides changes to Connected.

⚠ Disconnected ≠ Overlapping Address Space

Overlapping address spaces prevent peering from being created at all — you would receive an error during the peering creation attempt. A Disconnected status is a different and more benign problem: the peering was created on one side but the other side is missing. Modifying address spaces does not resolve a Disconnected status. Disconnected hosts cannot communicate with each other across the peering at all — not even partially.


06

VNet Address Space vs Subnets

A virtual network's address space is the pool of IP addresses that the VNet "owns." Subnets are subdivisions carved out from within that address space and are the actual network segments that VMs connect to. Both the address space and the subnets must be correctly configured before a VM can receive an IP address from a desired range.

When a Desired IP Range Is Not Yet Available
  • If the desired range (e.g. 192.168.1.0/24) falls completely outside the VNet's declared address space, the address space must be added to the VNet first. Only then can a subnet be created within that range.
  • If the desired range falls within the VNet's address space but no subnet covers it, a new subnet must be created within that range.
  • Adding a network interface alone does not provision an IP range — NICs are assigned to existing subnets.
Example

VNet1 has address space 10.0.0.0/16 with one subnet 10.0.1.0/24. A VM needs an IP from 10.2.1.0/24. Since 10.2.1.0/24 is outside 10.0.0.0/16, you must first add 10.2.0.0/16 (or a covering range) to the VNet's address space, and then create a subnet in the 10.2.1.0/24 range. If instead a VM needs 10.0.2.0/24, that range is inside the address space but has no subnet — so only a new subnet needs to be created.


07

Subnet IP Addressing (CIDR) — Usable Host Count

Azure reserves five IP addresses in every subnet: the network address, the broadcast address, and three addresses used by Azure for internal infrastructure services. The usable host count is therefore the total addresses in the subnet minus five.

Formula and Common Subnet Sizes

Usable hosts = 2(32 − prefix length) − 5

Subnet SizeTotal AddressesAzure ReservedUsable for VMs
/242565251
/251285123
/2664559
/2732527
/2816511
/29853
⚠ Special Subnet Size Requirements
  • AzureBastionSubnet — minimum /26 (59 usable addresses). Azure enforces this minimum and will not accept smaller subnets.
  • AzureFirewallSubnet — minimum /26.
  • GatewaySubnet — minimum /27 is recommended; /29 is the absolute minimum but limits gateway scalability.

08

Network Virtual Appliances, User-Defined Routes & Route Table Association

By default, Azure routes traffic between subnets, VNets, and the internet using system routes. When you need to override this behaviour — for example, to force traffic through a Network Virtual Appliance (NVA) for inspection before it reaches its destination — you create a route table with custom User-Defined Routes (UDRs) and associate it with the relevant subnet.

Configuring a UDR to Send Traffic Through an NVA
  • Destination (address prefix) — the CIDR range of the traffic you want to intercept. To route all traffic from a VPN gateway to VNet resources through an NVA, set the prefix to the VNet's address space (e.g. 10.0.0.0/16).
  • Next hop type — set to Virtual appliance. This is the only next hop type that requires an explicit next hop IP address.
  • Next hop IP address — the private IP of the NVA. Other next hop types (Internet, VirtualNetwork, VirtualNetworkGateway, None) do not require an explicit IP — they route to system-managed endpoints.
Route Table Association — Subnets Only

A route table can only be associated with subnets. You cannot associate a route table directly with a VNet or with a NIC. When a route table is associated with a subnet, its custom routes apply to all resources connected to that subnet. To route inbound VPN gateway traffic through an NVA, the route table must be associated with the GatewaySubnet — this causes traffic arriving at the VPN gateway to be redirected to the NVA before entering other subnets.

⚠ Route Tables Are Regional Resources

A route table can only be associated with subnets within VNets in the same Azure region as the route table. A route table created in East US cannot be associated with a subnet in a VNet located in West US, even if they share the same resource group or subscription. When selecting which subnets a route table can be applied to, region takes precedence over all other factors.


09

VPN Gateway Transit Routing & Service Chaining

When two VNets are peered and one of them has a VPN gateway connected to an on-premises network, the gateway can optionally be shared so that the peered VNet's traffic can also flow through it to reach on-premises. This pattern — called gateway transit — avoids deploying a second VPN gateway in the peered VNet, reducing cost.

Enabling Gateway Transit
  • On VNet A (the VNet that owns the VPN gateway): enable Allow gateway transit on the peering configuration pointing to VNet B.
  • On VNet B (the VNet without its own gateway): enable Use remote gateways on the peering configuration pointing to VNet A.
  • Once both settings are configured, on-premises traffic can reach VNet B by traversing VNet A's VPN gateway without requiring a separate gateway in VNet B.
⚠ VNet B Cannot Have Its Own Gateway When Using Remote Gateways

The "Use remote gateways" option is only available in VNet B when VNet B does not have its own virtual network gateway. If VNet B already has a gateway, the option is greyed out. Gateway transit is a cost-saving pattern specifically for hub-spoke topologies where the hub VNet owns the on-premises connectivity.

Service Chaining with UDRs

In a hub-spoke topology, spoke VNets (e.g. VNet2 and VNet3) are peered to a hub (VNet1). By default, spoke-to-spoke traffic cannot flow through the hub because peering is non-transitive. To enable spoke-to-spoke routing through a hub NVA, user-defined routes must be added to each spoke that point their traffic to the NVA's private IP in the hub. This is called service chaining — using a combination of peering, UDRs, and an NVA to achieve transitive connectivity.


10

Point-to-Site VPN — Setup Sequence

A Point-to-Site (P2S) VPN allows individual remote users to connect to an Azure VNet over an encrypted tunnel from their own devices, without requiring a dedicated on-premises VPN device. This is the right solution for remote workers who need access to Azure-hosted resources. Setting up P2S requires several prerequisites in the correct order.

P2S Setup Sequence
  1. Create a GatewaySubnet in the VNet — the VPN gateway requires a dedicated subnet named exactly GatewaySubnet. It cannot share a subnet with any other resource.
  2. Deploy a Virtual Network Gateway — choose type VPN, and select a SKU appropriate for the expected load. The gateway is deployed into the GatewaySubnet.
  3. Configure the address pool — specify the client IP address pool from which P2S clients will be assigned IPs when they connect. This pool must not overlap with the VNet's address space.
  4. Configure the authentication method (certificate-based, Azure AD, or RADIUS) and distribute the VPN client configuration to users.
⚠ P2S Does Not Require a Local Network Gateway

A Local Network Gateway is used for Site-to-Site VPN connections to represent the on-premises VPN device. It is not needed for P2S. VMs do not need public IP addresses for P2S — the VPN gateway provides the public-facing endpoint. Remote users connect to the VPN gateway's public IP, not directly to the VMs.


11

Site-to-Site VPN — GatewaySubnet Requirement

A Site-to-Site (S2S) VPN connects an Azure VNet to an on-premises network (or another VNet in a different region) through an encrypted IPsec/IKE tunnel. Unlike VNet peering, which works at the fabric level, an S2S connection requires a dedicated VPN gateway resource in the VNet.

S2S VPN Requirements
  • Each VNet must have a subnet named exactly GatewaySubnet. Azure will not allow a Virtual Network Gateway to be deployed without it.
  • A Virtual Network Gateway (type: VPN) must be deployed into the GatewaySubnet.
  • A Local Network Gateway must be created to represent the on-premises VPN device, specifying its public IP address and the on-premises address prefixes.
  • A Connection object links the VPN gateway to the local network gateway using a shared key.
⚠ Peering Does Not Require GatewaySubnet

VNet peering works at the Azure fabric level and does not use VPN gateways. A GatewaySubnet is only required when deploying a Virtual Network Gateway for VPN or ExpressRoute connectivity. If two VNets just need to be peered, no gateway infrastructure is necessary at all.

S2S Between Two Azure VNets Without Peering

Two Azure VNets can be connected via an S2S VPN instead of peering — this is less common but may be chosen for encryption requirements or when address spaces overlap. Both VNets must each have a GatewaySubnet, a VPN gateway, and a local network gateway representing the other VNet. A shared key is configured on both sides. This scenario is also needed when the two VNets are in separate Entra tenants and cross-tenant peering cannot be used for some reason.


12

Public IP Address Associations

A Public IP address resource in Azure is a standalone object that can be associated with specific Azure resources. It cannot be assigned to a VNet itself or to an arbitrary resource — only to specific supported resource types. Understanding which resources can hold a public IP is important for both architecture and exam scenarios.

Resources That Can Have a Public IP Associated
  • Network Interface (NIC) — a public IP is associated with a NIC, not with the VM directly. The VM gets its public IP via the NIC.
  • Load Balancer (frontend IP configuration) — public-facing load balancers use a public IP as their frontend.
  • VPN Gateway — requires a public IP to establish VPN tunnels with the internet or on-premises devices.
  • Application Gateway — can have a public IP for internet-facing ingress.
  • Azure Firewall — requires a public IP for internet-bound traffic.
  • Azure Bastion — requires a Standard SKU public IP.
  • NAT Gateway — uses a public IP for outbound SNAT.
Resources That Cannot Have a Public IP Associated
  • Virtual Networks (VNets) — VNets are private constructs and have no concept of a public IP address at the VNet level.
  • Subnets — subnets are address ranges within a VNet; they cannot be associated with public IPs.
  • Route tables and NSGs — these are policy objects and are not networking endpoints.

13

NSG Rules — Service Tags as Source or Destination

Service tags are named identifiers that represent groups of IP address prefixes for specific Azure services. Azure maintains and updates these prefix lists automatically, so using a service tag in an NSG rule means you never need to manually update IP ranges when the service's infrastructure changes. Service tags are available as both source and destination in inbound and outbound security rules.

Common Service Tags
  • AzureCloud — all Azure datacenter IP ranges globally. Blocking this prevents access to all Azure services.
  • AzurePortal — IP ranges used by the Azure portal (portal.azure.com). Use this tag to specifically block or allow portal access without affecting other internet or Azure traffic.
  • AzureKeyVault — IPs for Azure Key Vault. Used when you want to allow VMs to reach Key Vault specifically.
  • Internet — all IP addresses outside the VNet and outside Azure's known ranges (the public internet).
  • VirtualNetwork — the VNet's own address space plus all peered VNet address spaces and on-premises ranges connected via VPN or ExpressRoute.
  • AzureLoadBalancer — the health probe source IP used by Azure Load Balancers (168.63.129.16).
Blocking Access to a Specific Azure Service

To prevent VMs from accessing the Azure portal while still allowing other internet and Azure traffic, create an outbound Deny rule with the destination set to the AzurePortal service tag. Setting the destination to "Any" would block all outbound internet traffic — far broader than required. Using a specific IP address would require manual maintenance as Azure's infrastructure IPs change. The service tag approach is both precise and self-maintaining.


14

NSG Default Rules — Effective Traffic Analysis

Every NSG includes a set of built-in default rules that cannot be removed or modified, only overridden by higher-priority custom rules. These defaults establish the baseline security posture: all inbound internet traffic is denied, VNet-to-VNet traffic is allowed in both directions, and all outbound internet traffic is allowed. Understanding these defaults is essential for reasoning about connectivity in NSG analysis questions.

Default Inbound Rules
  • AllowVnetInBound (priority 65000) — allows all inbound traffic from the VirtualNetwork service tag to the VirtualNetwork service tag. This covers same-VNet communication and peered VNet communication.
  • AllowAzureLoadBalancerInBound (priority 65001) — allows health probe traffic from the Azure Load Balancer.
  • DenyAllInBound (priority 65500) — denies all other inbound traffic, including inbound from the internet. This is why a VM without a custom allow rule for port 3389 cannot be reached via RDP from the internet.
Default Outbound Rules
  • AllowVnetOutBound (priority 65000) — allows all outbound traffic to the VirtualNetwork service tag.
  • AllowInternetOutBound (priority 65001) — allows all outbound traffic to the internet. This is why VMs can reach the internet by default without any custom outbound rules.
  • DenyAllOutBound (priority 65500) — denies everything else not matched above.
⚠ Both Subnet-Level and NIC-Level NSGs Are Evaluated

Traffic passes through both the subnet-level NSG and the NIC-level NSG. For inbound traffic, the subnet NSG is evaluated first, then the NIC NSG — both must allow the traffic. For outbound traffic, the NIC NSG is evaluated first, then the subnet NSG — both must allow it. An allow rule at the subnet NSG can be overridden by a deny at the NIC NSG for inbound traffic. Inbound rules never affect outbound flows, and vice versa.

NSG Rules and Load Balancer Traffic — Source IP Is Preserved

Azure Load Balancer is a pass-through service that performs DNAT (changing the destination IP from the LB frontend IP to the backend VM IP). Importantly, the source IP is not changed — the backend VM sees the original client's IP as the packet source, not the load balancer's IP. This means NSG rules on backend VM NICs that allow or deny specific client IP ranges will match correctly against the original client IP. The AzureLoadBalancer service tag in NSG rules is specifically for health probe traffic (which originates from 168.63.129.16), not for actual application traffic flowing through the LB.


15

NSG Regional Constraints

An NSG is a regional resource — it belongs to a specific Azure region and can only be applied to subnets and NICs within VNets located in that same region. The resource group an NSG belongs to is irrelevant to where it can be applied.

NSG Application Rules
  • An NSG can be associated with subnets and NICs in any VNet in the same region, regardless of whether those VNets or NICs are in the same resource group or subscription as the NSG.
  • An NSG in East US cannot be applied to a subnet in a West US VNet, even if both are in the same resource group.
  • An NSG can be applied to multiple subnets and multiple NICs simultaneously, all within the same region.
⚠ Resource Group Is Irrelevant for NSG Association

When determining which VNets or subnets can use an NSG, only the Azure region matters. Resource group membership is a management and billing boundary, not a networking boundary. An NSG in RG1 (East US) can be applied to a subnet in a VNet in RG2 (East US) — the resource groups are different but the regions match. It cannot be applied to a subnet in a VNet in RG1 (West US) even though the resource groups match.


16

Automatically Applying NSG Rules with Azure Policy

When you need to enforce that all newly created NSGs in a subscription automatically include a specific security rule — for example, always blocking TCP port 8080 between VNets — Azure Policy is the correct mechanism. Unlike manual configuration, policies apply automatically to all matching resources at the time of creation and can remediate existing non-compliant resources.

Azure Policy for NSG Rule Enforcement
  • A custom policy definition with a deployIfNotExists or append effect can be used to ensure all NSGs contain a specific security rule.
  • The policy is assigned at the subscription or resource group scope, so it applies to all NSGs created anywhere within that scope.
  • Built-in policy definitions for NSGs may not cover highly specific rule requirements — a custom definition is typically needed for precise port-blocking scenarios.
What Does Not Work for Automated NSG Rule Enforcement
  • Resource locks — locks prevent deletion or modification of resources, but do not add security rules to newly created NSGs.
  • Unregistering a resource provider — unregistering Microsoft.Network would prevent any network resources from being created at all — far too disruptive and not the right tool.
  • Manual scripting without policy — does not apply to future NSGs automatically; requires continuous maintenance.

17

Load Balancer Types — Choosing the Right Service

Azure offers several load balancing services operating at different layers of the network stack and serving different use cases. Selecting the right one requires understanding the traffic type, the client's location (internal or internet), and whether application-layer features like WAF or URL routing are needed.

ServiceLayerFrontendBest For
Public Load BalancerL4 (TCP/UDP)Public IPDistributing internet client traffic across multiple VMs
Internal Load BalancerL4 (TCP/UDP)Private IPInternal tier-to-tier traffic; distributing traffic across VMs accessible only from within a VNet or VPN
Application Gateway (Standard)L7 (HTTP/S)Public or privateURL-based routing, SSL termination, session affinity, cookie-based stickiness
Application Gateway (WAF)L7 + WAFPublic or privateAll Standard features plus OWASP-based protection against SQL injection, XSS, and other web attacks
Traffic ManagerDNSDNS nameGlobal routing across multiple Azure regions; not for intra-VNet load balancing
Azure Front DoorL7 (global)Anycast POPGlobal HTTP/S acceleration with CDN, WAF, and failover
Internal Load Balancer for Tier-to-Tier Traffic

When web server VMs need to distribute requests equally across business logic VMs — where the communication is entirely private within a VNet — an Internal Load Balancer is the correct choice. It operates at Layer 4, does not require a public IP, and is accessible only from within the VNet or connected networks. An Application Gateway WAF is for protecting internet-facing HTTP/S ingress from external threats — not for private internal traffic distribution.


18

Standard Load Balancer — Backend Pool IP SKU Requirements

A Standard SKU Load Balancer imposes strict requirements on the public IP addresses of the VMs in its backend pool. Basic SKU and Standard SKU public IPs are not interchangeable — mixing them in the same backend pool causes the VM to be ineligible for inclusion.

Compatibility Rule for Standard LB Backend Pools

For a VM to be added to a Standard LB backend pool, the VM must have either no public IP address, or a Standard SKU public IP address. A VM with a Basic SKU public IP address cannot be added to a Standard LB backend pool. This rule applies regardless of whether the LB is public or internal.

Common Solutions Compared
Proposed ChangeResultWhy
Assign a Basic IP to VM1; add both VMsFailsVM1 now has Basic IP; VM2 still has Basic IP — both incompatible
Assign Standard IP to both VMsWorksBoth now have Standard IPs — compatible with Standard LB
Disassociate VM2's public IP entirelyWorksVM2 now has no public IP; both VMs are either no-IP or no-incompatible-IP
Stop (deallocate) VM2FailsStopping does not remove the IP; the Basic IP is still associated
Assign Standard IP to VM1 only, keep VM2's Basic IPFailsVM2 still has a Basic IP — the incompatibility remains
⚠ Stopping a VM Does Not Remove Its Public IP

Deallocating (stopping) a VM does not dissociate its public IP address. The IP remains associated with the NIC even while the VM is stopped. To remove the IP, the association must be explicitly removed through the portal, CLI, or PowerShell. Until that is done, a stopped VM with a Basic IP is still ineligible for the Standard LB backend pool.


19

Standard Load Balancer — Floating IP for NVA Active-Active

When Network Virtual Appliances (NVAs) are deployed in an active-active configuration behind a Standard Load Balancer, the LB needs to forward traffic to the NVAs without modifying the destination IP — so the NVA can see the original destination IP and forward the packet to the correct backend service. This requires the Floating IP feature (also known as Direct Server Return).

NVA Active-Active with Automatic Failover — Required Components
  1. Standard Load Balancer — HA Ports and Floating IP are Standard-only features; Standard is required.
  2. Frontend IP configuration, backend pool, and health probe — the backend pool contains both NVAs; the health probe monitors NVA health and enables automatic failover if one NVA becomes unhealthy.
  3. HA Ports load balancing rule with Floating IP enabled — HA Ports routes all protocols and ports in a single rule. Floating IP causes the destination IP in packets to remain unchanged (the packet arrives at the NVA still addressed to the LB's frontend IP), allowing the NVA to perform its forwarding decision based on the original destination.
What Floating IP Does

Normally, a load balancer performs Destination NAT (DNAT) — rewriting the destination IP from the LB's frontend IP to the backend VM's IP. With Floating IP enabled, this DNAT does not occur. The packet arrives at the NVA's NIC with the original frontend IP as the destination. The NVA's secondary IP or loopback must be configured to match the frontend IP so it accepts the packet. This allows the NVA to differentiate traffic for different backend services based on destination IP, enabling it to forward correctly.


20

Load Balancer Inbound NAT Rules

A standard load balancing rule distributes incoming connections across all healthy VMs in the backend pool. However, some scenarios require directing specific traffic to one specific VM — for example, RDP access for administration should always reach VM3 rather than being round-robined. This is what Inbound NAT rules are designed for.

Load Balancing Rule vs Inbound NAT Rule
Load Balancing RuleInbound NAT Rule
Traffic distributionSpreads across all healthy VMs in the poolAlways routes to one specific VM
Use caseGeneral application traffic (HTTP, HTTPS)Admin access (RDP, SSH) to a specific VM
TargetBackend pool (group of VMs)Specific NIC of a specific VM
Directing RDP to a Specific VM Behind a Load Balancer

If a public load balancer already distributes ports 80 and 443 across VM1, VM2, and VM3, and you need all RDP connections to go only to VM3, the correct configuration is to add an Inbound NAT rule mapping the LB's frontend IP on port 3389 directly to VM3's NIC on port 3389. No additional public IP or new load balancer is needed. A new load balancing rule would distribute RDP traffic across all VMs — not target VM3 exclusively.


21

Application Gateway — WAF Tier for Web Attack Protection

Azure Application Gateway is a Layer 7 load balancer that understands HTTP and HTTPS traffic. It comes in two tiers: Standard (load balancing and routing only) and WAF (Web Application Firewall, adding threat protection). The WAF tier inspects incoming requests against the OWASP Core Rule Set and blocks common web application attacks.

FeatureStandard TierWAF Tier
Layer 7 load balancingYesYes
SSL/TLS terminationYesYes
URL-based routingYesYes
Session affinity (cookie-based)YesYes
SQL injection protectionNoYes (OWASP rules)
Cross-site scripting (XSS) protectionNoYes
Web Application Firewall (WAF)NoYes
WAF for OWASP Threat Protection

The WAF tier enforces OWASP Core Rule Set rules, detecting and blocking attacks including SQL injection, cross-site scripting, command injection, and HTTP protocol violations. When the requirement is to protect web servers from SQL injection attacks, the correct answer is Application Gateway with the WAF tier. An Internal Load Balancer performs Layer 4 TCP/UDP load balancing and cannot inspect application-layer content. An NSG can filter by IP, port, and protocol — but cannot parse HTTP payloads to detect injection attacks.


22

Azure Bastion — Setup, SKU Tiers & Public IP Requirements

Azure Bastion provides secure browser-based RDP and SSH access to Azure VMs without exposing the VMs to the public internet. Users connect to Bastion through the Azure portal over HTTPS (port 443), and Bastion then connects to the target VM using RDP (3389) or SSH (22) over the private network. The VM itself requires no public IP address.

Bastion Deployment Requirements
  • A dedicated subnet named exactly AzureBastionSubnet is required in the VNet. The minimum size is /26 — Azure will not allow a smaller subnet.
  • A Standard SKU, Static, IPv4 public IP address must be associated with the Bastion resource. Basic SKU and IPv6 IPs are not supported.
  • An NSG inbound rule must allow port 443 from the internet — this is the port users use to reach Bastion from their browsers.
Basic vs Standard SKU — Capability Comparison
FeatureBasic SKUStandard SKU
Browser-based RDP/SSHYesYes
File upload and downloadNoYes
Host scaling (additional instances)NoYes
Native client (mstsc.exe) supportNoYes
Access to peered VNet VMsNo (same VNet only)Yes
IP-based connectionNoYes
Minimum subnet size/26 (both SKUs)
⚠ To Use mstsc.exe Through Bastion, Upgrade to Standard First

Connecting via the native Remote Desktop Connection client (mstsc.exe) requires the Standard SKU Bastion and the Native Client Support feature to be enabled. Basic SKU Bastion only supports browser-based connections through the Azure portal. If Bastion is currently Basic SKU and mstsc.exe connectivity is needed, the correct sequence is: first upgrade the SKU to Standard, then enable Native Client Support, then connect using mstsc.exe.

Choosing SKU and Public IP for Scale Scenarios

When the requirements include file upload/download, host scaling for many concurrent users, or access to VMs in peered VNets: Standard SKU Bastion is required. Standard SKU Bastion requires a Standard SKU public IP with static allocation. When the goal is to minimise the number of addresses on the AzureBastionSubnet, use /26 — this is both the minimum allowed size and therefore the smallest possible option.


23

Azure Bastion — Reach, Limitations & What It Can Protect

Azure Bastion's reach — which VMs it can connect to — depends on the SKU and the network topology. Understanding the boundary between what Bastion can and cannot reach is important for both designing solutions and analysing connectivity scenarios.

Which VMs Bastion Can Reach
  • Same VNet as Bastion — always reachable (both Basic and Standard SKU).
  • Directly peered VNets — reachable with Standard SKU only. The VNet must have a direct peering link to the Bastion's VNet.
  • Transitively peered VNetsnot reachable by either SKU. If Bastion is in VNet1, VNet1 is peered with VNet2, and VNet2 is peered with VNet3 — Bastion cannot reach VMs in VNet3 because VNet peering is non-transitive.
Resources Bastion Cannot Protect
  • Azure App Service web apps — web apps run on Microsoft-managed infrastructure and are not VMs with RDP/SSH capability. Bastion has no way to proxy connections to App Service workloads, even if the web app has VNet integration.
  • Storage accounts, SQL databases, and other PaaS services — these are not accessible via RDP or SSH protocols; Bastion is not a general-purpose proxy.
Worked Example — Bastion Reach in a Multi-VNet Topology
Target VMVNetRelationship to Bastion's VNetReachable via Bastion (Standard)?
VM1VNet1 (Bastion's VNet)Same VNetYes
VM2VNet2Direct peering to VNet1Yes — directly peered
VM3VNet3Peered to VNet2 only (transitive)No — transitive peering not supported

24

Azure Firewall — Regional Deployment & Public IP Requirements

Azure Firewall is a managed, cloud-native network security service deployed inside an AzureFirewallSubnet within a VNet. Because it lives inside the VNet, it must reside in the same Azure region as the VNet it protects. Its public IP address requirements are also strict, since the firewall needs a reliable, static, known IP for outbound traffic and policy application.

Region Constraint — VNet Region Matters, Resource Group Does Not

Azure Firewall can be deployed into any VNet in the same Azure region, regardless of which resource group the firewall or the VNet belongs to. A firewall being created in West US can be placed in any VNet that is also in West US — whether that VNet is in RG1, RG2, or any other resource group. It cannot be placed in a VNet in Central US even if that VNet and the firewall share the same resource group.

Public IP Requirements for Azure Firewall
PropertyRequired Value
SKUStandard (Basic SKU IPs are not supported)
AllocationStatic (dynamic IPs can change on restart)
IP versionIPv4 (IPv6 public IPs are not supported as firewall frontend IPs)
TierRegional or Global (both are supported)
⚠ Basic SKU and IPv6 Are Never Valid for Azure Firewall

Regardless of allocation method or tier, a Basic SKU public IP cannot be used with Azure Firewall. Similarly, an IPv6 public IP cannot be used as the firewall's frontend IP. Only Standard SKU, Static, IPv4 public IPs are compatible. Global tier IPs (Standard SKU, Static, IPv4) are also compatible when cross-region scenarios require it.


25

Network Watcher Diagnostic Tools

Azure Network Watcher provides a suite of on-demand diagnostic tools for troubleshooting network connectivity, routing, and security rule issues. Each tool answers a different type of question and operates at a different layer of the network stack. Selecting the right tool for a given task is a frequently tested skill.

Tool Comparison
ToolWhat It AnswersBest Used For
IP Flow VerifyWill a packet with these specific attributes (source IP, destination IP, port, protocol) be allowed or denied — and which NSG rule causes the decision?Identifying a specific NSG rule that blocks or allows a flow
Next HopWhat is the next hop for traffic from this VM to a given destination IP — and is it VNet, Virtual appliance, Internet, or None (black hole)?Diagnosing routing issues; finding misconfigured UDRs or black-hole routes
Connection TroubleshootCan this VM actually reach this destination (IP, FQDN, or port) right now — including end-to-end routing and security rules?Validating outbound connectivity from a VM to an external or internal host
Effective Security RulesWhat is the complete merged list of NSG rules (subnet + NIC levels) currently applied to a specific NIC?Reviewing all rules in effect on a VM's interface without checking each NSG separately
Packet CaptureWhat actual packets are being transmitted to and from a VM's NIC during a defined capture window?Deep traffic inspection over a time period — the only tool that captures actual packet contents
Connection MonitorIs connectivity between a source and destination consistently healthy over time?Ongoing monitoring with alerting; not a one-time point-in-time diagnostic
NSG Flow LogsWhich traffic flows have been allowed or denied by NSGs, recorded over time?Historical traffic analysis; prerequisite for Traffic Analytics
Matching Tools to Common Tasks
  • Identify an NSG rule preventing a packet from reaching a VMIP Flow Verify
  • Validate outbound connectivity from a VM to an external hostConnection Troubleshoot
  • Diagnose a routing misconfiguration (traffic going wrong direction)Next Hop
  • Inspect actual packet contents between two VMs for 3 hoursPacket Capture
  • See all NSG rules currently applying to a NICEffective Security Rules
⚠ Connection Monitor Is for Ongoing Monitoring, Not Packet Inspection

Connection Monitor measures whether connectivity is healthy over time and can trigger alerts when it degrades. It does not capture packet contents or record what data was transmitted. For inspecting actual network traffic between two VMs over a defined time window, Packet Capture is the correct tool — Connection Monitor does not do this. Azure Monitor metrics on "Network In/Out" similarly only show byte counts, not packet contents or individual connection data.


26

Traffic Analytics — Prerequisites & Required Resources

Traffic Analytics is a cloud-based solution that processes NSG flow log data and provides rich visualisations of network traffic patterns, including suspicious activity, geographic sources, and port usage. It requires several supporting resources to be configured before it can produce insights.

What Traffic Analytics Requires
  • NSG Flow Logs must be enabled on each NSG — flow logs record which traffic was allowed or denied by the NSG. Traffic Analytics has no data to analyse without flow logs.
  • A Log Analytics workspace must be configured as the destination for the processed flow log data. Traffic Analytics queries and stores its aggregated data in Log Analytics.
  • A storage account is used as an intermediate landing zone where raw flow log data is initially written before being processed into Log Analytics.
⚠ NSG Flow Logs Must Be Enabled Before Traffic Analytics Can Work

Traffic Analytics is an analysis layer on top of flow logs — it cannot operate without them. If the goal is to configure a Network Insights alert for suspicious traffic, the first step is always to enable NSG flow logs on the relevant NSGs. Without flow log data flowing into the Log Analytics workspace, there is nothing for Traffic Analytics to process. Deploying Connection Monitor, configuring data collection endpoints, or adding a private link does not provide the traffic data that Traffic Analytics needs.

Two Resources Needed for Traffic Analytics in Network Watcher

To use Traffic Analytics in Azure Network Watcher to monitor VM traffic, two resources must exist: a storage account (to receive the raw NSG flow log files) and a Log Analytics workspace (to receive the processed traffic data for querying and alerting). Microsoft Sentinel, Data Collection Rules, and Azure Monitor workbooks are not prerequisites for Traffic Analytics itself.


27

Azure Monitor Network Insights

Azure Monitor Network Insights provides a unified, topology-aware view of all networking resources in a subscription. It aggregates health, metrics, and alerts across VNets, VPN gateways, ExpressRoute circuits, load balancers, and other network components into a single dashboard. It is a monitoring and visualisation tool — not a real-time diagnostic or per-packet analysis tool.

What Network Insights Is Used For
  • Displaying a visual topology of network resources and their connectivity relationships.
  • Showing aggregate health and metrics across multiple networking resources simultaneously.
  • Surfacing configuration issues and alerts detected by Azure across monitored resources.
  • Viewing metrics for ExpressRoute circuits, VPN gateways, load balancers, and VNets in one place — particularly useful for hybrid environments where multiple ExpressRoute circuits connect to multiple on-premises datacenters.
⚠ Network Insights Does Not Diagnose Individual Port Blocks

Azure Monitor Network Insights is not an on-demand diagnostic tool for testing whether a specific port or IP is reachable. It aggregates existing metrics and health signals — it does not perform active probing. For diagnosing why a specific port is blocked or unreachable, use IP Flow Verify or Connection Troubleshoot from Network Watcher instead.


28

Service Endpoints & Forced Tunnelling

When a VNet has forced tunnelling enabled — which redirects all internet-bound traffic through a VPN gateway to on-premises — traffic from VMs to Azure services like Storage can end up routing inefficiently: leaving Azure entirely, traversing the on-premises network, then re-entering Azure over the internet. Service endpoints solve this by creating a direct, optimised route from the subnet to the Azure service over the Azure backbone.

How Service Endpoints Solve the Forced Tunnelling Problem

A service endpoint on a subnet creates a direct, high-priority route to the specified Azure service (e.g. Microsoft.Storage) over the Azure backbone. This route takes precedence over the forced tunnelling default route. Traffic from a VM to the storage account then flows: VM → Azure backbone → storage account — never leaving Azure's network and never passing through the VPN gateway or on-premises. The storage account's firewall can also be configured to only accept traffic from subnets with a service endpoint, preventing all other access.

What Does Not Route Traffic Over the Azure Backbone
  • Azure Peering Service — optimises the on-premises-to-Azure path for internet traffic; not for intra-Azure VM-to-service routing.
  • Microsoft Entra Application Proxy — provides remote access to on-premises apps; completely unrelated to Azure storage routing.
  • Azure Application Gateway — Layer 7 HTTP/S load balancer; does not route storage traffic.

29

Service Endpoint Policies — Filtering Which Resources a Subnet Can Reach

A service endpoint on a subnet allows that subnet to reach any Azure Storage account in any region by default. A service endpoint policy narrows this down, allowing you to specify exactly which storage accounts (by name or by subscription) the subnet is permitted to access. Any storage account not on the policy's allowed list becomes inaccessible from that subnet, even if the service endpoint is active.

Rules for Service Endpoint Policies
  • Regional constraint — a service endpoint policy must be created in the same region as the subnet it will be applied to. A policy in South Central US can only be applied to subnets in VNets located in South Central US.
  • Service endpoint required first — a subnet must already have the Microsoft.Storage service endpoint enabled before a storage service endpoint policy can be applied to it.
  • Without a policy — subnets with a Microsoft.Storage service endpoint can reach all storage accounts in Azure, regardless of region.
  • With a policy scoped to "all accounts in the subscription" — all three storage accounts in that subscription are accessible. This is permissive, not restrictive to one specific account.
Worked Example

Policy1 is created in South Central US and allows all storage accounts in the subscription.

SubnetVNet RegionStorage Endpoint?Policy1 Applicable?
Subnet1West EuropeNoNo — no service endpoint
Subnet2SE AsiaYesNo — wrong region
Subnet3South Central USYesYes — same region + endpoint enabled
Subnet4South Central USNoNo — no service endpoint

30

NIC Region Constraints

A Network Interface Card (NIC) is a regional resource. It must be created in the same region as the Virtual Network it will connect to. The region of the VM that will use the NIC, and the region of the resource group that contains the NIC, are both irrelevant — only the VNet's region matters.

NIC Creation Rule

To create a NIC and attach it to a VNet, the NIC must be created in the same Azure region as the VNet. If VNet1 is in East US, a NIC connecting to VNet1 must also be created in East US — regardless of where other resources like VMs, storage accounts, or resource groups are located. This constraint exists because NICs are bound to subnets, and subnets are parts of VNets which are regional.


31

VM Cross-Subscription Move — Which Resources Must Move Together

Moving a virtual machine to a different Azure subscription requires careful planning because a VM depends on several tightly coupled resources. Some must move together with the VM; others can remain in the source subscription or can be reconnected from the target subscription.

Resources That Must Move With the VM
  • The VM resource itself — the virtual machine definition, configuration, and metadata.
  • The OS disk (managed disk) — the VM cannot boot without its OS disk in the same subscription.
  • The Network Interface (NIC) — the NIC is directly attached to the VM and must travel with it. It can be reconnected to a VNet in the target subscription after the move.
Resources That Do Not Need to Move
  • Virtual Network (VNet) — VNets are not moved with the VM. The NIC is disconnected from the source VNet and reconnected to a VNet in the target subscription after the move.
  • Storage account — boot diagnostics storage is a separate resource and does not need to move with the VM.
  • Public IP address — public IPs are not required to move with the VM.
⚠ The VNet Stays Behind

This is the most commonly confused point in VM cross-subscription move scenarios. The Virtual Network does not travel with the VM. After the move, the NIC (which did travel) is reattached to a VNet already present in the target subscription, or a new VNet is created there for it. The source VNet continues to exist in the source subscription unchanged.


32

VNet Integration for Azure Web Apps

Azure App Service web apps run on Microsoft-managed infrastructure and by default cannot reach resources inside a VNet. When a web app needs to communicate with a VM or database inside a private VNet — for example, to query a MySQL database on a VM — the web app must be connected to the VNet using the VNet Integration feature.

Connecting a Web App to a VNet

VNet Integration is configured on the web app itself (under Settings → Networking → VNet Integration). Once connected, the web app can make outbound calls to resources within the VNet and any peered VNets or connected on-premises networks. Importantly, VNet Integration is outbound only — it allows the web app to initiate connections to VNet resources, but it does not expose the web app as a resource accessible from inside the VNet the way a private endpoint would.

⚠ VNet Integration ≠ NSG Applies to the Web App

Even after VNet Integration is configured, the web app itself is not a VNet resource in the traditional sense. An NSG associated with the VNet's subnet does not control inbound traffic to the web app — that is managed by App Service access restrictions. NSGs control traffic to and from VM NICs and subnet resources, not to App Service endpoints.

Web App Connecting to an On-Premises SMB Share

If a web app needs to connect to an on-premises SMB share, VNet Integration alone is not sufficient — the web app also needs a path from the VNet to on-premises. This requires a Virtual Network Gateway with a Site-to-Site or ExpressRoute connection to the on-premises network. Once the gateway provides the on-premises connectivity, VNet Integration gives the web app access to the VNet (and through it, to on-premises). An Application Gateway and Entra Application Proxy are not the right tools for this — Application Gateway is for inbound HTTP/S load balancing, and Application Proxy is for inbound remote access to on-premises web apps.


33

Azure Monitor Private Link Scope (AMPLS)

By default, Azure Monitor services — including Log Analytics workspaces and Application Insights resources — receive monitoring data over the public internet. When VMs must send monitoring data exclusively through a private VNet without traversing the internet, an Azure Monitor Private Link Scope (AMPLS) is used to create a private network path for monitoring traffic.

When AMPLS Is Required

If the requirement is that all virtual machines communicate with Azure Monitor only through the VNet — using private IPs and the Azure backbone rather than the public internet — the correct resource to create is an Azure Monitor Private Link Scope. AMPLS creates private endpoints for Azure Monitor, Log Analytics, and Application Insights, allowing monitoring agents on VMs to send data without any public internet exposure.

⚠ AMPLS Is Not the Same as a Standard Private Endpoint

While AMPLS uses private endpoints under the hood, it is a higher-level construct that manages the private connectivity for multiple Azure Monitor resources collectively. Creating a private endpoint directly for a Log Analytics workspace is possible but does not automatically cover all the Azure Monitor services the workspace depends on. AMPLS ensures comprehensive private connectivity across the entire Azure Monitor suite for the linked VNet.


34

Packet Capture vs Connection Monitor — Distinguishing the Right Tool

Two Network Watcher features are commonly confused: Packet Capture captures the actual network packets flowing to and from a VM's NIC, while Connection Monitor tests whether connectivity between endpoints is healthy over time. They serve fundamentally different purposes.

Packet Capture
  • Records the actual packets transmitted through a VM's NIC during a specified time window (e.g. 3 hours).
  • Output is a .pcap file that can be opened in Wireshark or similar tools for deep inspection.
  • Used when you need to see what data is flowing — payload contents, protocol details, or conversation traces between specific hosts.
  • This is the correct tool for "inspect all network traffic from VM1 to VM2 for a period of three hours."
Connection Monitor
  • Continuously tests whether a source endpoint (VM or on-premises host) can reach a destination endpoint (IP, FQDN, or port).
  • Reports latency, packet loss, and reachability over time — useful for detecting intermittent connectivity failures.
  • A single Connection Monitor can cover multiple source-destination pairs across multiple VNets, regions, and on-premises networks simultaneously.
  • This is the correct tool for "monitor connectivity between VMs and the on-premises network" — not for inspecting packet contents.
⚠ Azure Monitor Metrics Cannot Inspect Traffic

Creating an Azure Monitor metric on "Network In" and "Network Out" shows byte counts — the volume of data flowing in and out of a VM. It does not capture or inspect the actual packets. This is useful for performance monitoring but cannot answer questions about what traffic specifically is flowing between two VMs. Packet Capture is the only Network Watcher tool that captures actual packet content.


35

Networking RBAC Roles

Several built-in RBAC roles exist specifically for networking resources in Azure. Using the correct role at the correct scope is important for applying the principle of least privilege — giving users only the permissions they need for specific resources, not broad access to the entire subscription.

Key Networking Roles
RoleWhat It AllowsNotes
Network ContributorFull management of all network resources (VNets, NSGs, load balancers, route tables, etc.)Does not include permission to assign roles to others
Private DNS Zone ContributorCreate, read, update, and delete private DNS zones and record setsCannot manage public DNS zones or VNet links to public zones
DNS Zone ContributorManage DNS zones and record sets, but not VNet linksCovers both public and private zone record management
User Access AdministratorAssign RBAC roles to other users on a resourceRequired when a user needs to delegate access; does not grant resource management rights
ContributorFull management of all resource types except access controlAllows creating VMs and managing VNets; does not allow role assignments
Virtual Machine ContributorManage VMs but not VNets, storage, or access controlCannot manage virtual networks — insufficient for scenarios requiring both VM and VNet management
Deploying VMs and Managing VNets — Least Privilege

When a user needs to both deploy virtual machines and manage virtual networks, the least-privilege role is Contributor. The Virtual Machine Contributor role only covers VM management and cannot manage VNets. The Network Contributor role covers VNets but not VM deployment. Only Contributor (or a custom role combining both) covers both workloads. Owner is broader still because it also includes role assignment capability.

Adding a Backend Pool to a Load Balancer — Least Privilege

Adding a backend pool to a load balancer is a network resource operation. The least-privilege role for this task is Network Contributor on the load balancer resource — scoped directly to LB1, not to the entire resource group. Network Contributor at the resource group scope would grant the user access to all network resources in the group, which is broader than necessary if only LB1 needs management.

⚠ Assigning Roles to Other Users Requires User Access Administrator

The ability to assign RBAC roles to other users on a resource is not included in Contributor, Network Contributor, or any non-privileged role. To grant this capability, the user must be assigned the User Access Administrator role (or Owner, which includes it). If a user needs to assign the Reader role for VNet1 to other users, they need User Access Administrator (or Owner) at a scope that covers VNet1 — not just Contributor or Network Contributor.

📋 Want to know exactly how this domain is tested on the exam? See the Domain 04 Exam Guide — it maps every sub-topic to the type of question you'll face. You can also check the full AZ-104 Exam Syllabus for domain weightings.

Discussions (0)

Share how you reason through topics on this page. You can also share your feedback on this guide.

0 / 200 words
No comments yet — be the first to start the thread.