Azure Virtual Network frequently asked

questions (FAQ)
Virtual Network basics
What is an Azure Virtual Network (VNet)?

An Azure Virtual Network (VNet) is a representation of your own network in the cloud. It is
a logical isolation of the Azure cloud dedicated to your subscription. You can use VNets to
provision and manage virtual private networks (VPNs) in Azure and, optionally, link the
VNets with other VNets in Azure, or with your on-premises IT infrastructure to create hybrid
or cross-premises solutions. Each VNet you create has its own CIDR block, and can be linked
to other VNets and on-premises networks as long as the CIDR blocks do not overlap. You
also have control of DNS server settings for VNets, and segmentation of the VNet into
subnets.

Use VNets to:

 Create a dedicated private cloud-only VNet Sometimes you don't require a cross-
premises configuration for your solution. When you create a VNet, your services and
VMs within your VNet can communicate directly and securely with each other in the
cloud. You can still configure endpoint connections for the VMs and services that
require Internet communication, as part of your solution.
 Securely extend your data center With VNets, you can build traditional site-to-site
(S2S) VPNs to securely scale your datacenter capacity. S2S VPNs use IPSEC to
provide a secure connection between your corporate VPN gateway and Azure.
 Enable hybrid cloud scenarios VNets give you the flexibility to support a range of
hybrid cloud scenarios. You can securely connect cloud-based applications to any
type of on-premises system such as mainframes and Unix systems.

How do I get started?

Visit the Virtual network documentation to get started. This content provides overview and
deployment information for all of the VNet features.

Can I use VNets without cross-premises connectivity?

Yes. You can use a VNet without connecting it to your premises. For example, you could run
Microsoft Windows Server Active Directory domain controllers and SharePoint farms solely
in an Azure VNet.

Can I perform WAN optimization between VNets or a VNet and my on-

premises data center?

Yes. You can deploy a WAN optimization network virtual appliance from several vendors
through the Azure Marketplace.
Configuration
What tools do I use to create a VNet?

You can use the following tools to create or configure a VNet:

 Azure portal
 PowerShell
 Azure CLI
 A network configuration file (netcfg - for classic VNets only). See the Configure a
VNet using a network configuration file article.

What address ranges can I use in my VNets?

Any IP address range defined in RFC 1918. For example, 10.0.0.0/16.

Can I have public IP addresses in my VNets?

Yes. For more information about public IP address ranges, see Create a virtual network.
Public IP addresses are not directly accessible from the internet.

Is there a limit to the number of subnets in my VNet?

Yes. See Azure limits for details. Subnet address spaces cannot overlap one another.

Are there any restrictions on using IP addresses within these subnets?

Yes. Azure reserves some IP addresses within each subnet. The first and last IP addresses of
each subnet are reserved for protocol conformance, along with the x.x.x.1-x.x.x.3 addresses
of each subnet, which are used for Azure services.

How small and how large can VNets and subnets be?

The smallest supported subnet is /29, and the largest is /8 (using CIDR subnet definitions).

Can I bring my VLANs to Azure using VNets?

No. VNets are Layer-3 overlays. Azure does not support any Layer-2 semantics.

Can I specify custom routing policies on my VNets and subnets?

Yes. You can create a route table and associate it to a subnet. For more information about
routing in Azure, see Routing overview.

Do VNets support multicast or broadcast?

No. Multicast and broadcast are not supported.

What protocols can I use within VNets?

You can use TCP, UDP, and ICMP TCP/IP protocols within VNets. Unicast is supported
within VNets, with the exception of Dynamic Host Configuration Protocol (DHCP) via
Unicast (source port UDP/68 / destination port UDP/67). Multicast, broadcast, IP-in-IP
encapsulated packets, and Generic Routing Encapsulation (GRE) packets are blocked within
VNets.

Can I ping my default routers within a VNet?

No.

Can I use tracert to diagnose connectivity?

No.

Can I add subnets after the VNet is created?

Yes. Subnets can be added to VNets at any time as long as the subnet address range is not
part of another subnet and there is available space left in the virtual network's address range.

Can I modify the size of my subnet after I create it?

Yes. You can add, remove, expand, or shrink a subnet if there are no VMs or services
deployed within it.

Can I modify subnets after I created them?

Yes. You can add, remove, and modify the CIDR blocks used by a VNet.

If I am running my services in a VNet, can I connect to the internet?

Yes. All services deployed within a VNet can connect outbound to the internet. To learn
more about outbound internet connections in Azure, see Outbound connections. If you want
to connect inbound to a resource deployed through Resource Manager, the resource must
have a public IP address assigned to it. To learn more about public IP addresses, see Public IP
addresses. Every Azure Cloud Service deployed in Azure has a publicly addressable VIP
assigned to it. You define input endpoints for PaaS roles and endpoints for virtual machines
to enable these services to accept connections from the internet.

Do VNets support IPv6?

No. You cannot use IPv6 with VNets at this time. You can however, assign IPv6 addresses to
Azure load balancers to load balance virtual machines. For details, see Overview of IPv6 for
Azure Load Balancer.

Can a VNet span regions?

No. A VNet is limited to a single region. A virtual network does, however, span availability
zones. To learn more about availability zones, see Availability zones overview. You can
connect virtual networks in different regions with virtual network peering. For details, see
Virtual network peering overview

Can I connect a VNet to another VNet in Azure?

Yes. You can connect one VNet to another VNet using either:

 Virtual network peering: For details, see VNet peering overview

 An Azure VPN Gateway: For details, see Configure a VNet-to-VNet connection.

Name Resolution (DNS)

What are my DNS options for VNets?

Use the decision table on the Name Resolution for VMs and Role Instances page to guide you
through all the DNS options available.

Can I specify DNS servers for a VNet?

Yes. You can specify DNS server IP addresses in the VNet settings. The setting is applied as
the default DNS server(s) for all VMs in the VNet.

How many DNS servers can I specify?

Reference Azure limits.

Can I modify my DNS servers after I have created the network?

Yes. You can change the DNS server list for your VNet at any time. If you change your DNS
server list, you will need to restart each of the VMs in your VNet in order for them to pick up
the new DNS server.

What is Azure-provided DNS and does it work with VNets?

Azure-provided DNS is a multi-tenant DNS service offered by Microsoft. Azure registers all
of your VMs and cloud service role instances in this service. This service provides name
resolution by hostname for VMs and role instances contained within the same cloud service,
and by FQDN for VMs and role instances in the same VNet. To learn more about DNS, see
Name Resolution for VMs and Cloud Services role instances.

There is a limitation to the first 100 cloud services in a VNet for cross-tenant name resolution
using Azure-provided DNS. If you are using your own DNS server, this limitation does not
apply.

Can I override my DNS settings on a per-VM or cloud service basis?

Yes. You can set DNS servers per VM or cloud service to override the default network
settings. However, it's recommended that you use network-wide DNS as much as possible.

Can I bring my own DNS suffix?

No. You cannot specify a custom DNS suffix for your VNets.

Connecting virtual machines

Can I deploy VMs to a VNet?

Yes. All network interfaces (NIC) attached to a VM deployed through the Resource Manager
deployment model must be connected to a VNet. VMs deployed through the classic
deployment model can optionally be connected to a VNet.

What are the different types of IP addresses I can assign to VMs?

 Private: Assigned to each NIC within each VM. The address is assigned using either
the static or dynamic method. Private IP addresses are assigned from the range that
you specified in the subnet settings of your VNet. Resources deployed through the
classic deployment model are assigned private IP addresses, even if they're not
connected to a VNet. The behavior of the allocation method is different depending on
whether a resource was deployed with the Resource Manager or classic deployment
model:
o Resource Manager: A private IP address assigned with the dynamic or static
method remains assigned to a virtual machine (Resource Manager) until the
resource is deleted. The difference is that you select the address to assign
when using static, and Azure chooses when using dynamic.
o Classic: A private IP address assigned with the dynamic method may change
when a virtual machine (classic) VM is restarted after having been in the
stopped (deallocated) state. If you need to ensure that the private IP address
for a resource deployed through the classic deployment model never changes,
assign a private IP address with the static method.
 Public: Optionally assigned to NICs attached to VMs deployed through the Azure
Resource Manager deployment model. The address can be assigned with the static or
dynamic allocation method. All VMs and Cloud Services role instances deployed
through the classic deployment model exist within a cloud service, which is assigned
a dynamic, public virtual IP (VIP) address. A public static IP address, called a
Reserved IP address, can optionally be assigned as a VIP. You can assign public IP
addresses to individual VMs or Cloud Services role instances deployed through the
classic deployment model. These addresses are called Instance level public IP (ILPIP
addresses and can be assigned dynamically.

Can I reserve a private IP address for a VM that I will create at a later time?

No. You cannot reserve a private IP address. If a private IP address is available, it is assigned
to a VM or role instance by the DHCP server. The VM may or may not be the one that you
want the private IP address assigned to. You can, however, change the private IP address of
an already created VM, to any available private IP address.
Do private IP addresses change for VMs in a VNet?

It depends. If the VM was deployed through Resource Manager, no, regardless of whether the
IP address was assigned with the static or dynamic allocation method. If the VM was
deployed through the classic deployment model, dynamic IP addresses can change when a
VM is started after having been in the stopped (deallocated) state. The address is released
from a VM deployed through either deployment model when the VM is deleted.

Can I manually assign IP addresses to NICs within the VM operating system?

Yes, but it's not recommended unless necessary, such as when assigning multiple IP
addresses to a virtual machine. For details, see Adding multiple IP addresses to a virtual
machine. If the IP address assigned to an Azure NIC attached to a VM changes, and the IP
address within the VM operating system is different, you lose connectivity to the VM.

If I stop a Cloud Service deployment slot or shutdown a VM from within the

operating system, what happens to my IP addresses?

Nothing. The IP addresses (public VIP, public, and private) remain assigned to the cloud
service deployment slot or VM.

Can I move VMs from one subnet to another subnet in a VNet without
redeploying?

Yes. You can find more information in the How to move a VM or role instance to a different
subnet article.

Can I configure a static MAC address for my VM?

No. A MAC address cannot be statically configured.

Will the MAC address remain the same for my VM once it's created?

Yes, the MAC address remains the same for a VM deployed through both the Resource
Manager and classic deployment models until it's deleted. Previously, the MAC address was
released if the VM was stopped (deallocated), but now the MAC address is retained even
when the VM is in the deallocated state.

Can I connect to the internet from a VM in a VNet?

Yes. All VMs and Cloud Services role instances deployed within a VNet can connect to the
Internet.

Azure services that connect to VNets

Can I use Azure App Service Web Apps with a VNet?
Yes. You can deploy Web Apps inside a VNet using an ASE (App Service Environment). If
you have a point-to-site connection configured for your VNet, all Web Apps can securely
connect and access resources in the VNet. For more information, see the following articles:

 Creating Web Apps in an App Service Environment

 Integrate your app with an Azure Virtual Network
 Using VNet Integration and Hybrid Connections with Web Apps

Can I deploy Cloud Services with web and worker roles (PaaS) in a VNet?

Yes. You can (optionally) deploy Cloud Services role instances within VNets. To do so, you
specify the VNet name and the role/subnet mappings in the network configuration section of
your service configuration. You do not need to update any of your binaries.

Can I connect a Virtual Machine Scale Set (VMSS) to a VNet?

Yes. You must connect a VMSS to a VNet.

Is there a complete list of Azure services that can I deploy resources from into
a VNet?

Yes, For details, see Virtual network integration for Azure services.

Which Azure PaaS resources can I restrict access to from a VNet?

Resources deployed through some Azure PaaS services (such as Azure Storage and Azure
SQL Database), can restrict network access to only resources in a VNet through the use of
virtual network service endpoints. For details, see Virtual network service endpoints
overview.

Can I move my services in and out of VNets?

No. You cannot move services in and out of VNets. To move a resource to another VNet, you
have to delete and redeploy the resource.

Security
What is the security model for VNets?

VNets are isolated from one another, and other services hosted in the Azure infrastructure. A
VNet is a trust boundary.

Can I restrict inbound or outbound traffic flow to VNet-connected resources?

Yes. You can apply Network Security Groups to individual subnets within a VNet, NICs
attached to a VNet, or both.

Can I implement a firewall between VNet-connected resources?

Yes. You can deploy a firewall network virtual appliance from several vendors through the
Azure Marketplace.

Is there information available about securing VNets?

Yes. For details, see Azure Network Security Overview.

APIs, schemas, and tools

Can I manage VNets from code?

Yes. You can use REST APIs for VNets in the Azure Resource Manager and classic (Service
Management) deployment models.

Is there tooling support for VNets?

Yes. Learn more about using:

 The Azure portal to deploy VNets through the Azure Resource Manager and classic
deployment models.
 PowerShell to manage VNets deployed through the Resource Manager and classic
deployment models.
 The Azure command-line interface (CLI) to deploy and manage VNets deployed
through the Resource Manager and classic deployment models.