Azure Network and Security
Virtual Network (VNet)
Plan IP Address Space
Example Enterprise VNet Planning:
Hub VNet: 10.0.0.0/16
├── GatewaySubnet: 10.0.0.0/24 (VPN/ExpressRoute)
├── AzureFirewallSubnet: 10.0.1.0/24
└── SharedServicesSubnet: 10.0.2.0/24
Spoke VNet - Production: 10.1.0.0/16
├── WebTier: 10.1.1.0/24
├── AppTier: 10.1.2.0/24
└── DataTier: 10.1.3.0/24
Spoke VNet - Development: 10.2.0.0/16
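The plan above can be checked mechanically before any VNet is deployed. The following is an added example, not part of the original page: it takes the prefixes from the plan, while the dictionary layout, the function names and the sizing floors in `MAX_PREFIXLEN` are assumptions of this example.

```python
import ipaddress
from itertools import combinations

# Address plan copied from this page; the dictionary layout is this example's own.
PLAN = {
    "Hub": ("10.0.0.0/16", {
        "GatewaySubnet": "10.0.0.0/24",
        "AzureFirewallSubnet": "10.0.1.0/24",
        "SharedServicesSubnet": "10.0.2.0/24"}),
    "Spoke-Production": ("10.1.0.0/16", {
        "WebTier": "10.1.1.0/24",
        "AppTier": "10.1.2.0/24",
        "DataTier": "10.1.3.0/24"}),
    "Spoke-Development": ("10.2.0.0/16", {}),
}
AZURE_RESERVED = 5  # Azure reserves five addresses in every subnet
# Assumed sizing floors: AzureFirewallSubnet needs /26 or larger,
# /27 or larger is the usual recommendation for GatewaySubnet.
MAX_PREFIXLEN = {"AzureFirewallSubnet": 26, "GatewaySubnet": 27}


def check_plan(plan):
    """Return a list of findings; an empty list means the plan passed."""
    findings = []
    vnets = {name: ipaddress.ip_network(cidr) for name, (cidr, _) in plan.items()}
    # Peered hub and spoke VNets cannot have overlapping address spaces.
    for (a, na), (b, nb) in combinations(vnets.items(), 2):
        if na.overlaps(nb):
            findings.append(f"VNet {a} {na} overlaps VNet {b} {nb}")
    for vnet, (_, subnets) in plan.items():
        nets = {n: ipaddress.ip_network(c) for n, c in subnets.items()}
        for name, net in nets.items():
            if not net.subnet_of(vnets[vnet]):
                findings.append(f"{vnet}/{name} {net} is outside {vnets[vnet]}")
            floor = MAX_PREFIXLEN.get(name)
            if floor is not None and net.prefixlen > floor:
                findings.append(f"{vnet}/{name} {net} is smaller than /{floor}")
        for (a, na), (b, nb) in combinations(nets.items(), 2):
            if na.overlaps(nb):
                findings.append(f"{vnet}: subnet {a} {na} overlaps {b} {nb}")
    return findings


def usable_hosts(cidr):
    """Addresses left for workloads after Azure's per-subnet reservation."""
    return max(ipaddress.ip_network(cidr).num_addresses - AZURE_RESERVED, 0)


if __name__ == "__main__":
    print(check_plan(PLAN) or "plan OK")
    print("WebTier usable addresses:", usable_hosts("10.1.1.0/24"))
```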
Network Security Group (NSG)
Create NSG Rules
# Create NSG
$nsg = New-AzNetworkSecurityGroup -Name "WebTier-NSG" `
  -ResourceGroupName "MyRG" `
  -Location "East Asia"
# Allow HTTPS inbound: add the rule to the NSG object, then save the NSG
$nsg | Add-AzNetworkSecurityRuleConfig -Name "Allow-HTTPS" `
  -Protocol Tcp `
  -Direction Inbound `
  -Priority 100 `
  -SourceAddressPrefix "Internet" `
  -SourcePortRange "*" `
  -DestinationAddressPrefix "*" `
  -DestinationPortRange 443 `
  -Access Allow |
  Set-AzNetworkSecurityGroup
Azure Firewall
Hub-Spoke Architecture
Private Link
Connect Azure SQL Private Endpoint
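# Look up the subnet and SQL server (placeholder names), then describe the connection
$vnet = Get-AzVirtualNetwork -Name "<vnet-name>" -ResourceGroupName "MyRG"
$subnet = $vnet.Subnets | Where-Object Name -eq "DataTier"
$sqlServer = Get-AzSqlServer -ServerName "<sql-server-name>" -ResourceGroupName "MyRG"
$connection = New-AzPrivateLinkServiceConnection -Name "SQL-PrivateLinkConnection" `
  -PrivateLinkServiceId $sqlServer.ResourceId -GroupId "sqlServer"
# Create private endpoint for Azure SQL
$privateEndpoint = New-AzPrivateEndpoint -Name "SQL-PrivateEndpoint" `
  -ResourceGroupName "MyRG" `
  -Location "East Asia" `
  -Subnet $subnet `
  -PrivateLinkServiceConnection $connection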
Next Steps
- Azure Overview: Subscriptions and RBAC
- App Platform: App Service with VNet integration