Virtual Network Azure

Table of Contents
Overview
Virtual networks
User-defined routes and IP forwarding
Virtual network peering
Business continuity
FAQ
IP addressing
Classic
IP addressing
Access control lists
Get Started
Create your first virtual network
How To
Plan and design
Virtual networks
Network security groups
Deploy
Virtual networks
User-defined routes
Virtual machines
Connectivity scenarios
Security scenarios
Classic
Configure
Virtual machines
Classic
Manage
Virtual networks
Network interfaces (NICs)
Virtual machines
Public IP addresses
Troubleshoot
Routes
Throughput testing
Cannot delete virtual networks
VM to VM connectivity problems
Reference
Code samples
PowerShell (Resource Manager)
PowerShell (Classic)
Azure CLI
Java
REST (Resource Manager)
REST (Classic)
Related
Virtual Machines
Application Gateway
Azure DNS
Traffic Manager
Load Balancer
VPN Gateway
ExpressRoute
Resources
Azure roadmap
Networking blog
Networking forum
Pricing
Pricing calculator
Stack Overflow
Azure Virtual Network
7/25/2017 6 min to read Edit Online
The Azure Virtual Network service enables you to securely connect Azure resources to each other with virtual
networks (VNets). A VNet is a representation of your own network in the cloud. A VNet is a logical isolation of the
Azure cloud dedicated to your subscription. You can also connect VNets to your on-premises network. The
following picture shows some of the capabilities of the Azure Virtual Network service:
To learn more about the following Azure Virtual Network capabilities, click the capability:
Isolation: VNets are isolated from one another. You can create separate VNets for development, testing, and
production that use the same CIDR address blocks. Conversely, you can create multiple VNets that use
different CIDR address blocks and connect networks together. You can segment a VNet into multiple subnets.
Azure provides internal name resolution for VMs and Cloud Services role instances connected to a VNet. You
can optionally configure a VNet to use your own DNS servers, instead of using Azure internal name
resolution.
Internet connectivity: All Azure Virtual Machines (VM) and Cloud Services role instances connected to a
VNet have access to the Internet, by default. You can also enable inbound access to specific resources, as
needed.
Azure resource connectivity: Azure resources such as Cloud Services and VMs can be connected to the
same VNet. The resources can connect to each other using private IP addresses, even if they are in different
subnets. Azure provides default routing between subnets, VNets, and on-premises networks, so you don't
have to configure and manage routes.
VNet connectivity: VNets can be connected to each other, enabling resources connected to any VNet to
communicate with any resource on any other VNet.
On-premises connectivity: VNets can be connected to on-premises networks through private network
connections between your network and Azure, or through a site-to-site VPN connection over the Internet.
Traffic filtering: VM and Cloud Services role instances network traffic can be filtered inbound and outbound
by source IP address and port, destination IP address and port, and protocol.
Routing: You can optionally override Azure's default routing by configuring your own routes, or using BGP
routes through a network gateway.
Network isolation and segmentation

You can implement multiple VNets within each Azure subscription and Azure region. Each VNet is isolated from
other VNets. For each VNet you can:
Specify a custom private IP address space using public and private (RFC 1918) addresses. Azure assigns
resources connected to the VNet a private IP address from the address space you assign.
Segment the VNet into one or more subnets and allocate a portion of the VNet address space to each subnet.
Use Azure-provided name resolution or specify your own DNS server for use by resources connected to a
VNet. To learn more about name resolution in VNets, read the Name resolution for VMs and Cloud Services
article.
Connect to the Internet

All resources connected to a VNet have outbound connectivity to the Internet by default. The private IP address of
the resource is source network address translated (SNAT) to a public IP address by the Azure infrastructure. To
learn more about outbound Internet connectivity, read the Understanding outbound connections in Azure article.
You can change the default connectivity by implementing custom routing and traffic filtering.
To communicate inbound to Azure resources from the Internet, or to communicate outbound to the Internet
without SNAT, a resource must be assigned a public IP address. To learn more about public IP addresses, read the
Public IP addresses article.
Connect Azure resources

You can connect several Azure resources to a VNet, such as Virtual Machines (VM), Cloud Services, App Service
Environments, and Virtual Machine Scale Sets. VMs connect to a subnet within a VNet through a network
interface (NIC). To learn more about NICs, read the Network interfaces article.
Connect virtual networks

You can connect VNets to each other, enabling resources connected to either VNet to communicate with each
other across VNets. You can use either or both of the following options to connect VNets to each other:
Peering: Enables resources connected to different Azure VNets within the same Azure location to
communicate with each other. The bandwidth and latency across the VNets is the same as if the resources
were connected to the same VNet. To learn more about peering, read the Virtual network peering article.
VNet-to-VNet connection: Enables resources connected to different Azure VNet within the same, or
different Azure locations. Unlike peering, bandwidth is limited between VNets because traffic must flow
through an Azure VPN Gateway. To learn more about connecting VNets with a VNet-to-VNet connection, read
the Configure a VNet-to-VNet connection article.
Connect to an on-premises network

You can connect your on-premises network to a VNet using any combination of the following options:
Point-to-site virtual private network (VPN): Established between a single PC connected to your network
and the VNet. This connection type is great if you're just getting started with Azure, or for developers, because
it requires little or no changes to your existing network. The connection uses the SSTP protocol to provide
encrypted communication over the Internet between the PC and the VNet. The latency for a point-to-site VPN
is unpredictable, since the traffic traverses the Internet.
Site-to-site VPN: Established between your VPN device and an Azure VPN Gateway. This connection type
enables any on-premises resource you authorize to access a VNet. The connection is an IPSec/IKE VPN that
provides encrypted communication over the Internet between your on-premises device and the Azure VPN
gateway. The latency for a site-to-site connection is unpredictable, since the traffic traverses the Internet.
Azure ExpressRoute: Established between your network and Azure, through an ExpressRoute partner. This
connection is private. Traffic does not traverse the Internet. The latency for an ExpressRoute connection is
predictable, since traffic doesn't traverse the Internet.
To learn more about all the previous connection options, read the Connection topology diagrams article.
Filter network traffic
You can filter network traffic between subnets using either or both of the following options:
Network security groups (NSG): Each NSG can contain multiple inbound and outbound security rules that
enable you to filter traffic by source and destination IP address, port, and protocol. You can apply an NSG to
each NIC in a VM. You can also apply an NSG to the subnet a NIC, or other Azure resource, is connected to. To
learn more about NSGs, read the Network security groups article.
Network virtual appliances (NVA): An NVA is a VM running software that performs a network function,
such as a firewall. View a list of available NVAs in the Azure Marketplace. NVAs are also available that provide
WAN optimization and other network traffic functions. NVAs are typically used with user-defined or BGP
routes. You can also use an NVA to filter traffic between VNets.
Route network traffic

Azure creates route tables that enable resources connected to any subnet in any VNet to communicate with each
other, by default. You can implement either or both of the following options to override the default routes Azure
creates:
User-defined routes: You can create custom route tables with routes that control where traffic is routed to
for each subnet. To learn more about user-defined routes, read the User-defined routes article.
BGP routes: If you connect your VNet to your on-premises network using an Azure VPN Gateway or
ExpressRoute connection, you can propagate BGP routes to your VNets.
Pricing
There is no charge for virtual networks, subnets, route tables, or network security groups. Outbound Internet
bandwidth usage, public IP addresses, virtual network peering, VPN Gateways, and ExpressRoute each have their
own pricing structures. View the Virtual network, VPN Gateway, and ExpressRoute pricing pages for more
information.
FAQ
To review frequently asked questions about Virtual Network, see the Virtual Network FAQ article.
Next steps
Create your first VNet, and connect a few VMs to it, by completing the steps in the Create your first virtual
network article.
Create a point-to-site connection to a VNet by completing the steps in the Configure a point-to-site
connection article.
Learn about some of the other key network capabilities of Azure.
User-defined routes and IP forwarding
When you add virtual machines (VMs) to a virtual network (VNet) in Azure, you will notice that the VMs are able
to communicate with each other over the network, automatically. You do not need to specify a gateway, even
though the VMs are in different subnets. The same is true for communication from the VMs to the public Internet,
and even to your on-premises network when a hybrid connection from Azure to your own datacenter is present.
This flow of communication is possible because Azure uses a series of system routes to define how IP traffic flows.
System routes control the flow of communication in the following scenarios:
From within the same subnet.
From a subnet to another within a VNet.
From VMs to the Internet.
From a VNet to another VNet through a VPN gateway.
From a VNet to another VNet through VNet Peering (Service Chaining).
From a VNet to your on-premises network through a VPN gateway.
The figure below shows a simple setup with a VNet, two subnets, and a few VMs, along with the system routes
that allow IP traffic to flow.
Although the use of system routes facilitates traffic automatically for your deployment, there are cases in which
you want to control the routing of packets through a virtual appliance. You can do so by creating user defined
routes that specify the next hop for packets flowing to a specific subnet to go to your virtual appliance instead, and
enabling IP forwarding for the VM running as the virtual appliance.
The figure below shows an example of user defined routes and IP forwarding to force packets sent to one subnet
from another to go through a virtual appliance on a third subnet.
IMPORTANT
User-defined routes are applied to traffic leaving a subnet from any resource (such as network interfaces attached to VMs)
in the subnet. You cannot create routes to specify how traffic enters a subnet from the Internet, for instance. The appliance
you are forwarding traffic to cannot be in the same subnet where the traffic originates. Always create a separate subnet for
your appliances.
Route resource
Packets are routed over a TCP/IP network based on a route table defined at each node on the physical network. A
route table is a collection of individual routes used to decide where to forward packets based on the destination IP
address. A route consists of the following:
PROPERTY DESCRIPTION CONSTRAINTS CONSIDERATIONS
Address Prefix The destination CIDR to Must be a valid CIDR range Make sure the Address
which the route applies, representing addresses on prefix does not contain the
such as 10.1.0.0/16. the public Internet, Azure address for the Next hop
virtual network, or on- address, otherwise your
premises datacenter. packets will enter in a loop
going from the source to
the next hop without ever
reaching the destination.
Next hop type The type of Azure hop the Must be one of the Consider using Virtual
packet should be sent to. following values: Appliance to direct traffic
Virtual Network. to a VM or Azure Load
Represents the local virtual Balancer internal IP address.
network. For instance, if you This type allows the
have two subnets, specification of an IP address
10.1.0.0/16 and 10.2.0.0/16 as described below. Consider
in the same virtual network, using a None type to stop
the route for each subnet in packets from flowing to a
the route table will have a given destination.
next hop value of Virtual
Network.
Virtual Network Gateway.
Represents an Azure S2S
VPN Gateway.
Internet. Represents the
default Internet gateway
provided by the Azure
Infrastructure.
Virtual Appliance.
Represents a virtual
appliance you added to your
Azure virtual network.
None. Represents a black
hole. Packets forwarded to a
black hole will not be
forwarded at all.
Next hop address The next hop address Must be an IP address that If the IP address represents
contains the IP address is reachable within the a VM, make sure you enable
packets should be Virtual Network where the IP forwarding in Azure for
forwarded to. Next hop User Defined Route is the VM. If the IP address
values are only allowed in applied, without going represents the internal IP
routes where the next hop through a Virtual Network address of Azure Load
type is Virtual Appliance. Gateway. The IP address Balancer, make sure you
has to be on the same have a matching load
Virtual Network where it is balancing rule for each port
applied, or on a peered you wish to load balance.
Virtual Network.
In Azure PowerShell some of the "NextHopType" values have different names:

Virtual Network is VnetLocal
Virtual Network Gateway is VirtualNetworkGateway
Virtual Appliance is VirtualAppliance
Internet is Internet
None is None
System routes
Every subnet created in a virtual network is automatically associated with a route table that contains the following
system route rules:
Local Vnet Rule: This rule is automatically created for every subnet in a virtual network. It specifies that there
is a direct link between the VMs in the VNet and there is no intermediate next hop.
On-premises Rule: This rule applies to all traffic destined to the on-premises address range and uses VPN
gateway as the next hop destination.
Internet Rule: This rule handles all traffic destined to the public Internet (address prefix 0.0.0.0/0) and uses the
infrastructure internet gateway as the next hop for all traffic destined to the Internet.
User-defined routes
For most environments you will only need the system routes already defined by Azure. However, you may need to
create a route table and add one or more routes in specific cases, such as:
Force tunneling to the Internet via your on-premises network.
Use of virtual appliances in your Azure environment.
In the scenarios above, you will have to create a route table and add user defined routes to it. You can have
multiple route tables, and the same route table can be associated to one or more subnets. And each subnet can
only be associated to a single route table. All VMs and cloud services in a subnet use the route table associated to
that subnet.
Subnets rely on system routes until a route table is associated to the subnet. Once an association exists, routing is
done based on Longest Prefix Match (LPM) among both user defined routes and system routes. If there is more
than one route with the same LPM match then a route is selected based on its origin in the following order:
1. User defined route
2. BGP route (when ExpressRoute is used)
3. System route
To learn how to create user defined routes, see How to Create Routes and Enable IP Forwarding in Azure.
IMPORTANT
User defined routes are only applied to Azure VMs and cloud services. For instance, if you want to add a firewall virtual
appliance between your on-premises network and Azure, you will have to create a user defined route for your Azure route
tables that forwards all traffic going to the on-premises address space to the virtual appliance. You can also add a user
defined route (UDR) to the GatewaySubnet to forward all traffic from on-premises to Azure through the virtual appliance.
This is a recent addition.
BGP routes
If you have an ExpressRoute connection between your on-premises network and Azure, you can enable BGP to
propagate routes from your on-premises network to Azure. These BGP routes are used in the same way as system
routes and user defined routes in each Azure subnet. For more information see ExpressRoute Introduction.
IMPORTANT
You can configure your Azure environment to use force tunneling through your on-premises network by creating a user
defined route for subnet 0.0.0.0/0 that uses the VPN gateway as the next hop. However, this only works if you are using a
VPN gateway, not ExpressRoute. For ExpressRoute, forced tunneling is configured through BGP.
IP forwarding
As described above, one of the main reasons to create a user defined route is to forward traffic to a virtual
appliance. A virtual appliance is nothing more than a VM that runs an application used to handle network traffic in
some way, such as a firewall or a NAT device.
This virtual appliance VM must be able to receive incoming traffic that is not addressed to itself. To allow a VM to
receive traffic addressed to other destinations, you must enable IP Forwarding for the VM. This is an Azure setting,
not a setting in the guest operating system.
Next steps
Learn how to create routes in the Resource Manager deployment model and associate them to subnets.
Learn how to create routes in the classic deployment model and associate them to subnets.
Virtual network peering enables you to connect two virtual networks in the same region through the Azure
backbone network. Once peered, the two virtual networks appear as one, for connectivity purposes. The two
virtual networks are still managed as separate resources, but virtual machines in the peered virtual networks can
communicate with each other directly, by using private IP addresses.
The traffic between virtual machines in the peered virtual networks is routed through the Azure infrastructure,
much like traffic is routed between virtual machines in the same virtual network. Some of the benefits of using
virtual network peering include:
A low-latency, high-bandwidth connection between resources in different virtual networks.
The ability to use resources such as network appliances and VPN gateways as transit points in a peered virtual
network.
The ability to peer two virtual networks created through the Azure Resource Manager deployment model or to
peer one virtual network created through Resource Manager to a virtual network created through the classic
deployment model. Read the Understand Azure deployment models article to learn more about the differences
between the two Azure deployment models.
Requirements and constraints

The peered virtual networks must exist in the same Azure region. You can connect virtual networks in different
Azure regions using a VPN Gateway.
The peered virtual networks must have non-overlapping IP address spaces.
Address spaces cannot be added to, or deleted from a virtual network once a virtual network is peered with
another virtual network.
Virtual network peering is between two virtual networks. There is no derived transitive relationship across
peerings. For example, if virtualNetworkA is peered with virtualNetworkB, and virtualNetworkB is peered with
virtualNetworkC, virtualNetworkA is not peered to virtualNetworkC.
You can peer virtual networks that exist in two different subscriptions, as long a privileged user (see specific
permissions) of both subscriptions authorizes the peering, and the subscriptions are associated to the same
Azure Active Directory tenant. You can use a VPN Gateway to connect virtual networks in subscriptions
associated to different Active Directory tenants.
Virtual networks can be peered if both are created through the Resource Manager deployment model or if one
virtual network is created through the Resource Manager deployment model and the other is created through
the classic deployment model. Two virtual networks created through the classic deployment model cannot be
peered to each other, however. You can use a VPN Gateway to connect two virtual networks created through
the classic deployment model.
Though the communication between virtual machines in peered virtual networks has no additional bandwidth
restrictions, there is a maximum network bandwidth depending on the virtual machine size that still applies. To
learn more about maximum network bandwidth for different virtual machine sizes, read the Windows or Linux
virtual machine sizes articles.
Azure-provided internal DNS name resolution for virtual machines doesn't work across peered virtual
networks. Virtual machines have internal DNS names that are resolvable only within the local virtual network.
You can however, configure virtual machines connected to peered virtual networks as DNS servers for a virtual
network. For further details, read the Name resolution using your own DNS server article.
Connectivity
After two virtual networks are peered, resources in either virtual network can directly connect with resources in
the peered virtual network. The two virtual networks have full IP-level connectivity.
The network latency for a round trip between two virtual machines in peered virtual networks is the same as for a
round trip within a single virtual network. The network throughput is based on the bandwidth that's allowed for
the virtual machine, proportionate to its size. There isn't any additional restriction on bandwidth within the
peering.
The traffic between virtual machines in peered virtual networks is routed directly through the Azure back-end
infrastructure, not through a gateway.
Virtual machines connected to a virtual network can access the internal load-balanced endpoints in the peered
virtual network. Network security groups can be applied in either virtual network to block access to other virtual
networks or subnets, if desired.
When configuring virtual network peering, you can either open or close the network security group rules between
the virtual networks. If you open full connectivity between peered virtual networks (which is the default option),
you can apply network security groups to specific subnets or virtual machines to block or deny specific access. To
learn more about network security groups, read the Network security groups overview article.
Service chaining
You can configure user-defined routes that point to virtual machines in peered virtual networks as the "next hop"
IP address to enable service chaining. Service chaining enables you to direct traffic from one virtual network to a
virtual appliance in a peered virtual network through user-defined routes.
You can also effectively build hub-and-spoke type environments, where the hub can host infrastructure
components such as a network virtual appliance. All the spoke virtual networks can then peer with the hub virtual
network. Traffic can flow through network virtual appliances that are running in the hub virtual network. In short,
virtual network peering enables the next hop IP address on the user-defined route to be the IP address of a virtual
machine in the peered virtual network. To learn more about user-defined routes, read the user-defined routes
overview article.
Gateways and on-premises connectivity

Each virtual network, regardless of whether it is peered with another virtual network, can still have its own
gateway and use it to connect to an on-premises network. You can also configure Virtual network-to-virtual
network connections by using gateways, even though the virtual networks are peered.
When both options for virtual network interconnectivity are configured, the traffic between the virtual networks
flows through the peering configuration (that is, through the Azure backbone).
When virtual networks are peered, you can also configure the gateway in the peered virtual network as a transit
point to an on-premises network. In this case, the virtual network that is using a remote gateway cannot have its
own gateway. A virtual network can have only one gateway. The gateway can be either a local or remote gateway
(in the peered virtual network), as shown in the following picture:
Gateway transit is not supported in the peering relationship between virtual networks created through different
deployment models. Both virtual networks in the peering relationship must have been created through Resource
Manager for a gateway transit to work.
When the virtual networks that are sharing a single Azure ExpressRoute connection are peered, the traffic
between them goes through the peering relationship (that is, through the Azure backbone network). You can still
use local gateways in each virtual network to connect to the on-premises circuit. Alternatively, you can use a
shared gateway and configure transit for on-premises connectivity.
Provisioning
Virtual network peering is a privileged operation. Its a separate function under the VirtualNetworks namespace. A
user can be given specific rights to authorize peering. A user who has read-write access to the virtual network
inherits these rights automatically.
A user who is either an admin or a privileged user of the peering ability can initiate a peering operation on
another virtual network. If there is a matching request for peering on the other side, and if other requirements are
met, the peering is established.
Limits
There are limits on the number of peerings that are allowed for a single virtual network. For more information,
review the Azure networking limits.
Pricing
There is a nominal charge for ingress and egress traffic that utilizes a virtual network peering. For more
information, see the pricing page.
Next steps
Complete a virtual network peering tutorial. A virtual network peering is created between virtual networks
created through the same, or different deployment models that exist in the same, or different subscriptions.
Complete a tutorial for one of the following scenarios:
AZURE DEPLOYMENT MODEL SUBSCRIPTION
Both Resource Manager Same
Different
One Resource Manager, one classic Same
Different
Learn how to create a hub and spoke network topology

Learn about all virtual network peering settings and how to change them
Virtual Network Business Continuity
Overview
A Virtual Network (VNet) is a logical representation of your network in the cloud. It allows you to define your own
private IP address space and segment the network into subnets. VNets serves as a trust boundary to host your
compute resources such as Azure Virtual Machines and Cloud Services (web/worker roles). A VNet allows direct
private IP communication between the resources hosted in it. A Virtual Network can also be linked to an on-
premises network through one of the hybrid options such as a VPN Gateway or ExpressRoute.
A VNet is created within the scope of a region. You can create VNets with same address space in two different
regions (i.e. US East and US West but cannot connect them to one another directly).
Business Continuity
There could be several different ways that your application could be disrupted. A given region could be completely
cut off due to a natural disaster or a partial disaster due to a failure of multiple devices/services. The impact on the
VNet service is different in each of these situations.
Q: What do you do in the event of an outage to an entire region? i.e. if a region is completely cutoff due
to a natural disaster? What happens to the Virtual Networks hosted in the region?
A: The Virtual Network and the resources in the affected region remains inaccessible during the time of the service
disruption.
Q: What can I to do re-create the same Virtual Network in a different region?

A: Virtual Network (VNet) is fairly lightweight resource. You can invoke Azure APIs to create a VNet with the same
address space in a different region. To re-create the same environment that was present in the affected region, you
have to make API calls to re-deploy your Cloud Services (web/worker roles) and Virtual Machines that you had. You
will also have to spin up a VPN Gateway and connect to your on-premises network if you had on-premises
connectivity (such as in a hybrid deployment).
The instructions for creating a VNet are found here.
Q: Can a replica of a VNet in a given region be re-created in another region ahead of time?
A: Yes, you can create two VNets using the same private IP address space and resources in two different regions
ahead of time. If a customer was hosting internet facing services in the VNet, they could have set up Traffic
Manager to geo-route traffic to the region that is active. However, a customer cannot connect two VNets with the
same address space to their on-premises network as it would cause routing issues. At the time of a disaster and
loss of a VNet in one region, a customer can connect the other VNet in the available region with matching address
space to their on-premises network.
The instructions for creating a VNet are found here.
Azure Virtual Network frequently asked questions
(FAQ)
Virtual Network basics

What is an Azure Virtual Network (VNet)?
An Azure Virtual Network (VNet) is a representation of your own network in the cloud. It is a logical isolation of the
Azure cloud dedicated to your subscription. You can use VNets to provision and manage virtual private networks
(VPNs) in Azure and, optionally, link the VNets with other VNets in Azure, or with your on-premises IT
infrastructure to create hybrid or cross-premises solutions. Each VNet you create has its own CIDR block, and can
be linked to other VNets and on-premises networks as long as the CIDR blocks do not overlap. You also have
control of DNS server settings for VNets, and segmentation of the VNet into subnets.
Use VNets to:
Create a dedicated private cloud-only VNet Sometimes you don't require a cross-premises configuration for
your solution. When you create a VNet, your services and VMs within your VNet can communicate directly and
securely with each other in the cloud. This keeps traffic securely within the VNet, but still allows you to
configure endpoint connections for the VMs and services that require Internet communication as part of your
solution.
Securely extend your data center With VNets, you can build traditional site-to-site (S2S) VPNs to securely scale
your datacenter capacity. S2S VPNs use IPSEC to provide a secure connection between your corporate VPN
gateway and Azure.
Enable hybrid cloud scenarios VNets give you the flexibility to support a range of hybrid cloud scenarios. You
can securely connect cloud-based applications to any type of on-premises system such as mainframes and Unix
systems.
How do I know if I need a VNet?
The Virtual network overview article provides a decision table that will help you decide the best network design
option for you.
How do I get started?
Visit the Virtual network documentation to get started. This content provides overview and deployment
information for all the VNet features.
Can I use VNets without cross-premises connectivity?
Yes. You can use a VNet without using hybrid connectivity. This is particularly useful if you want to run Microsoft
Windows Server Active Directory domain controllers and SharePoint farms in Azure.
Can I perform WAN optimization between VNets or a VNet and my on-premises data center?
Yes. You can deploy a WAN optimization network virtual appliance from several vendors through the Azure
Marketplace.
Configuration
What tools do I use to create a VNet?
You can use the following tools to create or configure a VNet:
Azure Portal (for classic and Resource Manager VNets).
A network configuration file (netcfg - for classic VNets only). See the Configure a VNet using a network
configuration file article.
PowerShell (for classic and Resource Manager VNets).
Azure CLI (for classic and Resource Manager VNets).
What address ranges can I use in my VNets?
Any IP address range defined in RFC 1918. For example, 10.0.0.0/16.
Can I have public IP addresses in my VNets?
Yes. For more information about public IP address ranges, see the Public IP address space in a virtual network
article. Your public IP addresses will not be directly accessible from the Internet.
Is there a limit to the number of subnets in my VNet?
Yes. Read the Azure limits article for details. Subnet address spaces cannot overlap one another.
Are there any restrictions on using IP addresses within these subnets?
Yes. Azure reserves some IP addresses within each subnet. The first and last IP addresses of the subnets are
reserved for protocol conformance, along with 3 more addresses used for Azure services.
How small and how large can VNets and subnets be?
The smallest subnet we support is a /29 and the largest is a /8 (using CIDR subnet definitions).
Can I bring my VLANs to Azure using VNets?
No. VNets are Layer-3 overlays. Azure does not support any Layer-2 semantics.
Can I specify custom routing policies on my VNets and subnets?
Yes. You can use User Defined Routing (UDR). For more information about UDR, visit User Defined Routes and IP
Forwarding.
Do VNets support multicast or broadcast?
No. We do not support multicast or broadcast.
What protocols can I use within VNets?
You can use TCP, UDP, and ICMP TCP/IP protocols within VNets. Multicast, broadcast, IP-in-IP encapsulated
packets, and Generic Routing Encapsulation (GRE) packets are blocked within VNets.
Can I ping my default routers within a VNet?
No.
Can I use tracert to diagnose connectivity?
No.
Can I add subnets after the VNet is created?
Yes. Subnets can be added to VNets at any time as long as the subnet address is not part of another subnet in the
VNet.
Can I modify the size of my subnet after I create it?
Yes. You can add, remove, expand, or shrink a subnet if there are no VMs or services deployed within it.
Can I modify subnets after I created them?
Yes. You can add, remove, and modify the CIDR blocks used by a VNet.
Can I connect to the internet if I am running my services in a VNet?
Yes. All services deployed within a VNet can connect to the internet. Every cloud service deployed in Azure has a
publicly addressable VIP assigned to it. You will have to define input endpoints for PaaS roles and endpoints for
virtual machines to enable these services to accept connections from the internet.
Do VNets support IPv6?
No. You cannot use IPv6 with VNets at this time.
Can a VNet span regions?
No. A VNet is limited to a single region.
Can I connect a VNet to another VNet in Azure?
Yes. You can connect one VNet to another VNet using:
An Azure VPN Gateway. Read the Configure a VNet-to-VNet connection article for details.
VNet peering. Read the VNet peering overview article for details.
Name Resolution (DNS)

What are my DNS options for VNets?
Use the decision table on the Name Resolution for VMs and Role Instances page to guide you through all the DNS
options available.
Can I specify DNS servers for a VNet?
Yes. You can specify DNS server IP addresses in the VNet settings. This will be applied as the default DNS server(s)
for all VMs in the VNet.
How many DNS servers can I specify?
Reference the Azure limits article for details.
Can I modify my DNS servers after I have created the network?
Yes. You can change the DNS server list for your VNet at any time. If you change your DNS server list, you will
need to restart each of the VMs in your VNet in order for them to pick up the new DNS server.
What is Azure -provided DNS and does it work with VNets?
Azure-provided DNS is a multi-tenant DNS service offered by Microsoft. Azure registers all of your VMs and cloud
service role instances in this service. This service provides name resolution by hostname for VMs and role
instances contained within the same cloud service, and by FQDN for VMs and role instances in the same VNet.
Read the Name Resolution for VMs and Role Instances article to learn more about DNS.
NOTE
There is a limitation at this time to the first 100 cloud services in a VNet for cross-tenant name resolution using Azure-
provided DNS. If you are using your own DNS server, this limitation does not apply.
Can I override my DNS settings on a per-VM / service basis?

Yes. You can set DNS servers on a per-cloud service basis to override the default network settings. However, we
recommend that you use network-wide DNS as much as possible.
Can I bring my own DNS suffix?
No. You cannot specify a custom DNS suffix for your VNets.
Connecting virtual machines

Can I deploy VMs to a VNet?
Yes. All network interfaces (NIC) attached to a VM deployed through the Resource Manager deployment model
must be connected to a VNet. VMs deployed through the classic deployment model can optionally be connected to
a VNet.
What are the different types of IP addresses I can assign to VMs?
Private: Assigned to each NIC within each VM. The address is assigned using either the static or dynamic
method. Private IP addresses are assigned from the range that you specified in the subnet settings of your VNet.
Resources deployed through the classic deployment model are assigned private IP addresses, even if they're
not connected to a VNet. A private IP address assigned with the dynamic method remains assigned to a
resource until the resource is deleted (VMs or Cloud Service deployment slots). A private IP address assigned
with the dynamic method may change when a VM is restarted after having been in the stopped (deallocated)
state. A private IP address assigned with the static method remains assigned to a resource until the resource is
deleted. If you need to ensure that the private IP address for a resource never changes until the resource is
deleted, assign a private IP address with the static method.
Public: Optionally assigned to NICs attached to VMs deployed through the Azure Resource Manager
deployment model. The address can be assigned with the static or dynamic allocation method. All VMs and
Cloud Services role instances deployed through the classic deployment model exist within a cloud service,
which is assigned a dynamic, public virtual IP (VIP) address. A public static IP address, called a Reserved IP
address, can optionally be assigned as a VIP. You can assign public IP addresses to individual VMs or Cloud
Services role instances deployed through the classic deployment model. These addresses are called Instance
level public IP (ILPIP addresses and can be assigned dynamically.
Can I reserve a private IP address for a VM that I will create at a later time?
No. You cannot reserve a private IP address. If a private IP address is available it will be assigned to a VM or role
instance by the DHCP server. That VM may or may not be the one that you want the private IP address to be
assigned to. You can, however, change the private IP address of an already created VM to any available private IP
address.
Do private IP addresses change for VMs in a VNet?
It depends. Dynamic private IP addresses remain with a VM until its stopped (deallocated) or deleted. Static private
IP addresses aren't released from a VM until it's deleted.
Can I manually assign IP addresses to NICs within the VM operating system?
Yes, but it's not recommended. Manually changing the IP address for a NIC within a VM's operating system could
potentially lead to losing connectivity to the VM if the IP address assigned to a NIC within the Azure VM were to
change.
What happens to my IP addresses if I stop a Cloud Service deployment slot or shutdown a VM from within the
operating system?
Nothing. The IP addresses (public VIP, public, and private) remain assigned to the cloud service deployment slot or
VM. Dynamic addresses are only released if a VM is stopped (deallocated) or deleted, or a cloud service
deployment slot is deleted. Clicking the Stop button for a VM within the Azure portal sets its state to Stopped
(deallocated). In this case, the VM will lose its IP addresses.
Can I move VMs from one subnet to another subnet in a VNet without re -deploying?
Yes. You can find more information in the How to move a VM or role instance to a different subnet article.
Can I configure a static MAC address for my VM?
No. A MAC address cannot be statically configured.
Will the MAC address remain the same for my VM once it has been created?
Yes, the MAC address remains the same for a VM deployed through both the Resource Manager and classic
deployment models until it's deleted. Previously, the MAC address was released if the VM was stopped
(deallocated), but now the MAC address is retained even when the VM is in the deallocated state.
Can I connect to the internet from a VM in a VNet?
Yes. All VMs and Cloud Services role instances deployed within a VNet can connect to the Internet.
Azure services that connect to VNets

Can I use Azure App Service Web Apps with a VNet?
Yes. You can deploy Web Apps inside a VNet using an ASE (App Service Environment). All Web Apps can securely
connect and access resources in your Azure VNet if you have a point-to-site connection configured for your VNet.
For more information, see the following articles:
Creating Web Apps in an App Service Environment
Integrate your app with an Azure Virtual Network
Using VNet Integration and Hybrid Connections with Web Apps
Can I deploy Cloud Services with web and worker roles (PaaS ) in a VNet?
Yes. You can (optionally) deploy Cloud Services role instances within VNets. To do so, you specify the VNet name
and the role/subnet mappings in the network configuration section of your service configuration. You do not need
to update any of your binaries.
Can I connect a Virtual Machine Scale Set (VMSS ) to a VNet?
Yes. You must connect a VMSS to a VNet.
Can I move my services in and out of VNets?
No. You cannot move services in and out of VNets. You will have to delete and re-deploy the service to move it to
another VNet.
Security
What is the security model for VNets?
VNets are completely isolated from one another, and other services hosted in the Azure infrastructure. A VNet is a
trust boundary.
Can I restrict inbound or outbound traffic flow to VNet-connected resources?
Yes. You can apply Network Security Groups to individual subnets within a VNet, NICs attached to a VNet, or both.
Can I implement a firewall between VNet-connected resources?
Yes. You can deploy a firewall network virtual appliance from several vendors through the Azure Marketplace.
Is there information available about securing VNets?
Yes. See the Azure Network Security Overview article for details.
APIs, schemas, and tools

Can I manage VNets from code?
Yes. You can use REST APIs for VNets in the Azure Resource Manager and classic (Service Management))
deployment models.
Is there tooling support for VNets?
Yes. Learn more about using:
The Azure portal to deploy VNets through the Azure Resource Manager and classic deployment models.
PowerShell to manage VNets deployed through the Resource Manager and classic deployment models.
The Azure command-line interface (CLI) to manage VNets deployed through both deployment models.
IP address types and allocation methods in Azure
You can assign IP addresses to Azure resources to communicate with other Azure resources, your on-premises
network, and the Internet. There are two types of IP addresses you can use in Azure:
Public IP addresses: Used for communication with the Internet, including Azure public-facing services
Private IP addresses: Used for communication within an Azure virtual network (VNet), and your on-premises
network when you use a VPN gateway or ExpressRoute circuit to extend your network to Azure.
NOTE
Azure has two different deployment models for creating and working with resources: Resource Manager and classic. This
article covers using the Resource Manager deployment model, which Microsoft recommends for most new deployments
instead of the classic deployment model.
If you are familiar with the classic deployment model, check the differences in IP addressing between classic and
Resource Manager.
Public IP addresses
Public IP addresses allow Azure resources to communicate with Internet and Azure public-facing services such as
Azure Redis Cache, Azure Event Hubs, SQL databases, and Azure storage.
In Azure Resource Manager, a public IP address is a resource that has its own properties. You can associate a
public IP address resource with any of the following resources:
Virtual machines (VM)
Internet-facing load balancers
VPN gateways
Application gateways
Allocation method
There are two methods in which an IP address is allocated to a public IP resource - dynamic or static. The default
allocation method is dynamic, where an IP address is not allocated at the time of its creation. Instead, the public IP
address is allocated when you start (or create) the associated resource (like a VM or load balancer). The IP address
is released when you stop (or delete) the resource. This causes the IP address to change when you stop and start a
resource.
To ensure the IP address for the associated resource remains the same, you can set the allocation method
explicitly to static. In this case an IP address is assigned immediately. It is released only when you delete the
resource or change its allocation method to dynamic.
NOTE
Even when you set the allocation method to static, you cannot specify the actual IP address assigned to the public IP
resource. Instead, it gets allocated from a pool of available IP addresses in the Azure location the resource is created in.
Static public IP addresses are commonly used in the following scenarios:

End-users need to update firewall rules to communicate with your Azure resources.
DNS name resolution, where a change in IP address would require updating A records.
Your Azure resources communicate with other apps or services that use an IP address-based security model.
You use SSL certificates linked to an IP address.
NOTE
The list of IP ranges from which public IP addresses (dynamic/static) are allocated to Azure resources is published at Azure
Datacenter IP ranges.
DNS hostname resolution

You can specify a DNS domain name label for a public IP resource, which creates a mapping for
domainnamelabel.location.cloudapp.azure.com to the public IP address in the Azure-managed DNS servers. For
instance, if you create a public IP resource with contoso as a domainnamelabel in the West US Azure location,
the fully-qualified domain name (FQDN) contoso.westus.cloudapp.azure.com will resolve to the public IP
address of the resource. You can use this FQDN to create a custom domain CNAME record pointing to the public
IP address in Azure.
IMPORTANT
Each domain name label created must be unique within its Azure location.
Virtual machines
You can associate a public IP address with a Windows or Linux VM by assigning it to its network interface. In the
case of a VM with multiple network interfaces, you can assign it to the primary network interface only. You can
assign either a dynamic or a static public IP address to a VM.
Internet-facing load balancers
You can associate a public IP address with an Azure Load Balancer, by assigning it to the load balancer frontend
configuration. This public IP address serves as a load-balanced virtual IP address (VIP). You can assign either a
dynamic or a static public IP address to a load balancer front-end. You can also assign multiple public IP addresses
to a load balancer front-end, which enables multi-VIP scenarios like a multi-tenant environment with SSL-based
websites.
VPN gateways
Azure VPN Gateway is used to connect an Azure virtual network (VNet) to other Azure VNets or to an on-premises
network. You need to assign a public IP address to its IP configuration to enable it to communicate with the
remote network. Currently, you can only assign a dynamic public IP address to a VPN gateway.
You can associate a public IP address with an Azure Application Gateway, by assigning it to the gateway's
frontend configuration. This public IP address serves as a load-balanced VIP. Currently, you can only assign a
dynamic public IP address to an application gateway frontend configuration.
At-a-glance
The table below shows the specific property through which a public IP address can be associated to a top-level
resource, and the possible allocation methods (dynamic or static) that can be used.
TOP-LEVEL RESOURCE IP ADDRESS ASSOCIATION DYNAMIC STATIC
Virtual machine Network interface Yes Yes

Load balancer Front end configuration Yes Yes
VPN gateway Gateway IP configuration Yes No
Application gateway Front end configuration Yes No
Private IP addresses
Private IP addresses allow Azure resources to communicate with other resources in a virtual network or an on-
premises network through a VPN gateway or ExpressRoute circuit, without using an Internet-reachable IP address.
In the Azure Resource Manager deployment model, a private IP address is associated to the following types of
Azure resources:
VMs
Internal load balancers (ILBs)
Allocation method
A private IP address is allocated from the address range of the subnet to which the resource is attached. The
address range of the subnet itself is a part of the VNet's address range.
There are two methods in which a private IP address is allocated: dynamic or static. The default allocation method
is dynamic, where the IP address is automatically allocated from the resource's subnet (using DHCP). This IP
address can change when you stop and start the resource.
You can set the allocation method to static to ensure the IP address remains the same. In this case, you also need
to provide a valid IP address that is part of the resource's subnet.
Static private IP addresses are commonly used for:
VMs that act as domain controllers or DNS servers.
Resources that require firewall rules using IP addresses.
Resources accessed by other apps/resources through an IP address.
Virtual machines
A private IP address is assigned to the network interface of a Windows or Linux VM. In case of a multi-network
interface VM, each interface gets a private IP address assigned. You can specify the allocation method as either
dynamic or static for a network interface.
Internal DNS hostname resolution (for VMs )
All Azure VMs are configured with Azure-managed DNS servers by default, unless you explicitly configure custom
DNS servers. These DNS servers provide internal name resolution for VMs that reside within the same VNet.
When you create a VM, a mapping for the hostname to its private IP address is added to the Azure-managed DNS
servers. In case of a multi-network interface VM, the hostname is mapped to the private IP address of the primary
network interface.
VMs configured with Azure-managed DNS servers will be able to resolve the hostnames of all VMs within their
VNet to their private IP addresses.
Internal load balancers (ILB ) & Application gateways
You can assign a private IP address to the front end configuration of an Azure Internal Load Balancer (ILB) or an
Azure Application Gateway. This private IP address serves as an internal endpoint, accessible only to the resources
within its virtual network (VNet) and the remote networks connected to the VNet. You can assign either a dynamic
or static private IP address to the front end configuration.
At-a-glance
The table below shows the specific property through which a private IP address can be associated to a top-level
resource, and the possible allocation methods (dynamic or static) that can be used.
Virtual machine Network interface Yes Yes
Load balancer Front end configuration Yes Yes
Application gateway Front end configuration Yes Yes
Limits
The limits imposed on IP addressing are indicated in the full set of limits for networking in Azure. These limits are
per region and per subscription. You can contact support to increase the default limits up to the maximum limits
based on your business needs.
Pricing
Public IP addresses may have a nominal charge. To learn more about IP address pricing in Azure, review the IP
address pricing page.
Next steps
Deploy a VM with a static public IP using the Azure portal
Deploy a VM with a static public IP using a template
Deploy a VM with a static private IP address using the Azure portal
IP address types and allocation methods (classic) in
Azure
You can assign IP addresses to Azure resources to communicate with other Azure resources, your on-premises
network, and the Internet. There are two types of IP addresses you can use in Azure: public and private.
Public IP addresses are used for communication with the Internet, including Azure public-facing services.
Private IP addresses are used for communication within an Azure virtual network (VNet), a cloud service, and your
on-premises network when you use a VPN gateway or ExpressRoute circuit to extend your network to Azure.
IMPORTANT
article covers using the classic deployment model. Microsoft recommends that most new deployments use Resource
Manager. Learn about IP addresses in Resource Manager by reading the IP addresses article.
Public IP addresses
Public IP addresses allow Azure resources to communicate with Internet and Azure public-facing services such as
Azure Redis Cache, Azure Event Hubs, SQL databases, and Azure storage.
A public IP address is associated with the following resource types:
Cloud services
IaaS Virtual Machines (VMs)
PaaS role instances
VPN gateways
Allocation method
When a public IP address needs to be assigned to an Azure resource, it is dynamically allocated from a pool of
available public IP address within the location the resource is created. This IP address is released when the resource
is stopped. In case of a cloud service, this happens when all the role instances are stopped, which can be avoided by
using a static (reserved) IP address (see Cloud Services).
NOTE
The list of IP ranges from which public IP addresses are allocated to Azure resources is published at Azure Datacenter IP
ranges.
DNS hostname resolution

When you create a cloud service or an IaaS VM, you need to provide a cloud service DNS name which is unique
across all resources in Azure. This creates a mapping in the Azure-managed DNS servers for dnsname.cloudapp.net
to the public IP address of the resource. For instance, when you create a cloud service with a cloud service DNS
name of contoso, the fully-qualified domain name (FQDN) contoso.cloudapp.net will resolve to a public IP
address (VIP) of the cloud service. You can use this FQDN to create a custom domain CNAME record pointing to
the public IP address in Azure.
Cloud services
A cloud service always has a public IP address referred to as a virtual IP address (VIP). You can create endpoints in a
cloud service to associate different ports in the VIP to internal ports on VMs and role instances within the cloud
service.
A cloud service can contain multiple IaaS VMs, or PaaS role instances, all exposed through the same cloud service
VIP. You can also assign multiple VIPs to a cloud service, which enables multi-VIP scenarios like multi-tenant
environment with SSL-based websites.
You can ensure the public IP address of a cloud service remains the same, even when all the role instances are
stopped, by using a static public IP address, referred to as Reserved IP. You can create a static (reserved) IP resource
in a specific location and assign it to any cloud service in that location. You cannot specify the actual IP address for
the reserved IP, it is allocated from pool of available IP addresses in the location it is created. This IP address is not
released until you explicitly delete it.
Static (reserved) public IP addresses are commonly used in the scenarios where a cloud service:
requires firewall rules to be setup by end-users.
depends on external DNS name resolution, and a dynamic IP would require updating A records.
consumes external web services which use IP based security model.
uses SSL certificates linked to an IP address.
NOTE
When you create a classic VM, a container cloud service is created by Azure, which has a virtual IP address (VIP). When the
creation is done through portal, a default RDP or SSH endpoint is configured by the portal so you can connect to the VM
through the cloud service VIP. This cloud service VIP can be reserved, which effectively provides a reserved IP address to
connect to the VM. You can open additional ports by configuring more endpoints.
IaaS VMs and PaaS role instances

You can assign a public IP address directly to an IaaS VM or PaaS role instance within a cloud service. This is
referred to as an instance-level public IP address (ILPIP). This public IP address can be dynamic only.
NOTE
This is different from the VIP of the cloud service, which is a container for IaaS VMs or PaaS role instances, since a cloud
service can contain multiple IaaS VMs, or PaaS role instances, all exposed through the same cloud service VIP.
VPN gateways
A VPN gateway can be used to connect an Azure VNet to other Azure VNets or on-premises networks. A VPN
gateway is assigned a public IP address dynamically, which enables communication with the remote network.
An Azure Application gateway can be used for Layer7 load-balancing to route network traffic based on HTTP.
Application gateway is assigned a public IP address dynamically, which serves as the load-balanced VIP.
At a glance
The table below shows each resource type with the possible allocation methods (dynamic/static), and ability to
assign multiple public IP addresses.
RESOURCE DYNAMIC STATIC MULTIPLE IP ADDRESSES
Cloud service Yes Yes Yes

IaaS VM or PaaS role Yes No No

instance
VPN gateway Yes No No
Application gateway Yes No No
Private IP addresses
Private IP addresses allow Azure resources to communicate with other resources in a cloud service or a virtual
network(VNet), or to on-premises network (through a VPN gateway or ExpressRoute circuit), without using an
Internet-reachable IP address.
In Azure classic deployment model, a private IP address can be assigned to the following Azure resources:
Internal load balancer
Application gateway
Virtual machines (VMs) created with the classic deployment model are always placed in a cloud service, similar to
PaaS role instances. The behavior of private IP addresses are thus similar for these resources.
It is important to note that a cloud service can be deployed in two ways:
As a standalone cloud service, where it is not within a virtual network.
As part of a virtual network.
Allocation method
In case of a standalone cloud service, resources get a private IP address allocated dynamically from the Azure
datacenter private IP address range. It can be used only for communication with other VMs within the same cloud
service. This IP address can change when the resource is stopped and started.
In case of a cloud service deployed within a virtual network, resources get private IP address(es) allocated from the
address range of the associated subnet(s) (as specified in its network configuration). This private IP address(es) can
be used for communication between all VMs within the VNet.
Additionally, in case of cloud services within a VNet, a private IP address is allocated dynamically (using DHCP) by
default. It can change when the resource is stopped and started. To ensure the IP address remains the same, you
need to set the allocation method to static, and provide a valid IP address within the corresponding address range.
Static private IP addresses are commonly used for:
VMs that act as domain controllers or DNS servers.
VMs that require firewall rules using IP addresses.
VMs running services accessed by other apps through an IP address.
Internal DNS hostname resolution
All Azure VMs and PaaS role instances are configured with Azure-managed DNS servers by default, unless you
explicitly configure custom DNS servers. These DNS servers provide internal name resolution for VMs and role
instances that reside within the same VNet or cloud service.
When you create a VM, a mapping for the hostname to its private IP address is added to the Azure-managed DNS
servers. In case of a multi-NIC VM, the hostname is mapped to the private IP address of the primary NIC. However,
this mapping information is restricted to resources within the same cloud service or VNet.
In case of a standalone cloud service, you will be able to resolve hostnames of all VMs/role instances within the
same cloud service only. In case of a cloud service within a VNet, you will be able to resolve hostnames of all the
VMs/role instances within the VNet.
Internal load balancers (ILB ) & Application gateways
You can assign a private IP address to the front end configuration of an Azure Internal Load Balancer (ILB) or an
Azure Application Gateway. This private IP address serves as an internal endpoint, accessible only to the resources
within its virtual network (VNet) and the remote networks connected to the VNet. You can assign either a dynamic
or static private IP address to the front end configuration. You can also assign multiple private IP addresses to
enable multi-vip scenarios.
At a glance
The table below shows each resource type with the possible allocation methods (dynamic/static), and ability to
assign multiple private IP addresses.
VM (in a standalone cloud Yes Yes Yes

service)
PaaS role instance (in a Yes No Yes

standalone cloud service)
VM or PaaS role instance (in Yes Yes Yes

a VNet)
Internal load balancer front Yes Yes Yes

end
Application gateway front Yes Yes Yes

end
Limits
The table below shows the limits imposed on IP addressing in Azure per subscription. You can contact support to
increase the default limits up to the maximum limits based on your business needs.
DEFAULT LIMIT MAXIMUM LIMIT
Public IP addresses (dynamic) 5 contact support
Reserved public IP addresses 20 contact support
Public VIP per deployment (cloud 5 contact support

service)
Private VIP (ILB) per deployment (cloud 1 1

service)
Make sure you read the full set of limits for Networking in Azure.
Pricing
In most cases, public IP addresses are free. There is a nominal charge to use additional and/or static public IP
addresses. Make sure you understand the pricing structure for public IPs.
Differences between Resource Manager and classic deployments

Below is a comparison of IP addressing features in Resource Manager and the classic deployment model.
RESOURCE CLASSIC RESOURCE MANAGER
Public IP Address VM Referred to as an ILPIP Referred to as a public IP

(dynamic only) (dynamic or static)
Assigned to an IaaS VM or a Associated to the VM's NIC

PaaS role instance
Internet facing load Referred to as VIP (dynamic) Referred to as a public IP

balancer or Reserved IP (static) (dynamic or static)
Assigned to a cloud service Associated to the load

balancer's front end config
Private IP Address VM Referred to as a DIP Referred to as a private IP

address
Assigned to an IaaS VM or a Assigned to the VM's NIC

PaaS role instance
Internal load balancer (ILB) Assigned to the ILB Assigned to the ILB's front
(dynamic or static) end configuration (dynamic
or static)
Next steps
Deploy a VM with a static private IP address using the Azure portal.
What is an endpoint access control list?
IMPORTANT
article covers using the classic deployment model. Microsoft recommends that most new deployments use the Resource
Manager deployment model.
An endpoint access control list (ACL) is a security enhancement available for your Azure deployment. An ACL
provides the ability to selectively permit or deny traffic for a virtual machine endpoint. This packet filtering
capability provides an additional layer of security. You can specify network ACLs for endpoints only. You can't
specify an ACL for a virtual network or a specific subnet contained in a virtual network. It is recommended to use
network security groups (NSGs) instead of ACLs, whenever possible. To learn more about NSGs, see Network
security group overview
ACLs can be configured by using either PowerShell or the Azure portal. To configure a network ACL by using
PowerShell, see Managing access control lists for endpoints using PowerShell. To configure a network ACL by
using the Azure portal, see How to set up endpoints to a virtual machine.
Using Network ACLs, you can do the following:
Selectively permit or deny incoming traffic based on remote subnet IPv4 address range to a virtual machine
input endpoint.
Blacklist IP addresses
Create multiple rules per virtual machine endpoint
Use rule ordering to ensure the correct set of rules are applied on a given virtual machine endpoint (lowest to
highest)
Specify an ACL for a specific remote subnet IPv4 address.
See the Azure limits article for ACL limits.
How ACLs work

An ACL is an object that contains a list of rules. When you create an ACL and apply it to a virtual machine endpoint,
packet filtering takes place on the host node of your VM. This means the traffic from remote IP addresses is filtered
by the host node for matching ACL rules instead of on your VM. This prevents your VM from spending the
precious CPU cycles on packet filtering.
When a virtual machine is created, a default ACL is put in place to block all incoming traffic. However, if an
endpoint is created for (port 3389), then the default ACL is modified to allow all inbound traffic for that endpoint.
Inbound traffic from any remote subnet is then allowed to that endpoint and no firewall provisioning is required.
All other ports are blocked for inbound traffic unless endpoints are created for those ports. Outbound traffic is
allowed by default.
Example Default ACL table
RULE # REMOTE SUBNET ENDPOINT PERMIT/DENY
100 0.0.0.0/0 3389 Permit

Permit and deny
You can selectively permit or deny network traffic for a virtual machine input endpoint by creating rules that
specify "permit" or "deny". It's important to note that by default, when an endpoint is created, all traffic is permitted
to the endpoint. For that reason, it's important to understand how to create permit/deny rules and place them in
the proper order of precedence if you want granular control over the network traffic that you choose to allow to
reach the virtual machine endpoint.
Points to consider:
1. No ACL By default when an endpoint is created, we permit all for the endpoint.
2. Permit - When you add one or more "permit" ranges, you are denying all other ranges by default. Only packets
from the permitted IP range will be able to communicate with the virtual machine endpoint.
3. Deny - When you add one or more "deny" ranges, you are permitting all other ranges of traffic by default.
4. Combination of Permit and Deny - You can use a combination of "permit" and "deny" when you want to
carve out a specific IP range to be permitted or denied.
Rules and rule precedence

Network ACLs can be set up on specific virtual machine endpoints. For example, you can specify a network ACL for
an RDP endpoint created on a virtual machine which locks down access for certain IP addresses. The table below
shows a way to grant access to public virtual IPs (VIPs) of a certain range to permit access for RDP. All other remote
IPs are denied. We follow a lowest takes precedence rule order.
Multiple rules
In the example below, if you want to allow access to the RDP endpoint only from two public IPv4 address ranges
(65.0.0.0/8, and 159.0.0.0/8), you can achieve this by specifying two Permit rules. In this case, since RDP is created
by default for a virtual machine, you may want to lock down access to the RDP port based on a remote subnet. The
example below shows a way to grant access to public virtual IPs (VIPs) of a certain range to permit access for RDP.
All other remote IPs are denied. This works because network ACLs can be set up for a specific virtual machine
endpoint and access is denied by default.
Example Multiple rules
100 65.0.0.0/8 3389 Permit
200 159.0.0.0/8 3389 Permit
Rule order
Because multiple rules can be specified for an endpoint, there must be a way to organize rules in order to
determine which rule takes precedence. The rule order specifies precedence. Network ACLs follow a lowest takes
precedence rule order. In the example below, the endpoint on port 80 is selectively granted access to only certain IP
address ranges. To configure this, we have a deny rule (Rule # 100) for addresses in the 175.1.0.1/24 space. A
second rule is then specified with precedence 200 that permits access to all other addresses under 175.0.0.0/8.
Example Rule precedence
100 175.1.0.1/24 80 Deny
200 175.0.0.0/8 80 Permit

Network ACLs and load balanced sets
Network ACLs can be specified on a load balanced set endpoint. If an ACL is specified for a load balanced set, the
network ACL is applied to all virtual machines in that load balanced set. For example, if a load balanced set is
created with "Port 80" and the load balanced set contains 3 VMs, the network ACL created on endpoint "Port 80" of
one VM will automatically apply to the other VMs.
Next Steps
Manage access control lists for endpoints using PowerShell
Create your first virtual network
Learn how to create a virtual network (VNet) with two subnets, create two virtual machines (VM), and connect each
VM to one of the subnets, as shown in the following picture:
An Azure virtual network (VNet) is a representation of your own network in the cloud. You can control your Azure
network settings and define DHCP address blocks, DNS settings, security policies, and routing. To learn more about
VNet concepts, read the Virtual Network overview article. Complete the following steps to create the resources
shown in the picture:
1. Create a VNet with two subnets
2. Create two VMs, each with one network interface (NIC), and associate a network security group (NSG) to each
NIC
3. Connect to and from the VMs
4. Delete all resources. You incur charges for some of the resources created in this exercise while they're
provisioned. To minimize the charges, after you complete the exercise, be sure to complete the steps in this
section to delete the resources you create.
You will have a basic understanding of how you can use a VNet after completing the steps in this article. Next steps
are provided so you can learn more about how to use VNets at a deeper level.
Create a virtual network with two subnets

To create a virtual network with two subnets, complete the steps that follow. Different subnets are typically used to
control the flow of traffic between subnets.
1. Log in to the Azure portal. If you dont already have an account, you can sign up for a free one-month trial.
2. In the Favorites pane, of the portal, click New.
3. In the New blade, click Networking. In the Networking blade, click Virtual network, as shown in the
following picture:
4. In the Virtual network blade, leave Resource Manager selected as the deployment model, and click Create.
5. In the Create virtual network blade that appears, enter the following values, then click Create:
SETTING VALUE DETAILS
Name MyVNet The name must be unique within the

resource group.
Address space 10.0.0.0/16 You can specify any address space

you like in CIDR notation.
Subnet name Front-end The subnet name must be unique

within the virtual network.
Subnet address range 10.0.0.0/24 The range you specify must exist
within the address space you defined
for the virtual network.
Subscription [Your subscription] Select a subscription to create the

VNet in. A VNet exists within a single
subscription.
Resource group Create new: MyRG Create a resource group. The

resource group name must be
unique within the subscription you
selected. To learn more about
resource groups, read the Resource
Manager overview article.
Location West US Typically the location that is closest

to your physical location is selected.
The VNet takes a few seconds to create. Once its created, you see the Azure portal dashboard.
6. With the virtual network created, in the Azure portal Favorites pane, click All resources. Click the MyVNet
virtual network in the All resources blade. If the subscription you selected already has several resources in
it, you can enter MyVNet in the Filter by name box to easily access the VNet.
7. The MyVNet blade opens and displays information about the VNet, as shown in the following picture:
8. As shown in the previous picture, click Subnets to display a list of the subnets within the VNet. The only
subnet that exists is Front-end, the subnet you created in step 5.
9. In the MyVNet - Subnets blade, click + Subnet to create a subnet with the following information and click
OK to create the subnet:
Name Back-end The name must be unique within the

virtual network.
Address range 10.0.1.0/24 The range you specify must exist

within the address space you defined
for the virtual network.
Network security group and Route None (default) Network security groups (NSG)s are
table covered later in this article. To learn
more about user-defined routes,
read the User-defined routes article.
10. After the new subnet is added to the VNet, you can close the MyVNet Subnets blade, then close the All
resources blade.
Create virtual machines

With the VNet and subnets created, you can create the VMs. For this exercise, both VMs run the Windows Server
operating system, though they can run any operating system supported by Azure, including several different Linux
distributions.
Create the web server VM
To create the web server VM, complete the following steps:
1. In the Azure portal favorites pane, click New, Compute, then Windows Server 2016 Datacenter.
2. In the Windows Server 2016 Datacenter blade, click Create.
3. In the Basics blade that appears, enter or select the following values and click OK:
Name MyWebServer This VM serves as a web server that

Internet resources connect to.
VM disk type SSD
User name Your choice
Password and Confirm password Your choice
Subscription The subscription must be the same

subscription that you selected in step
5 of the Create a virtual network with
two subnets section of this article.
The VNet you connect a VM to must
exist in the same subscription as the
VM.
Resource group Use existing: Select MyRG Though were using the same
resource group as we did for the
VNet, the resources dont have to
exist in the same resource group.
Location West US The location must be the same

location that you specified in step 5
of the Create a virtual network with
VMs and the VNets they connect to
must exist in the same location.
4. In the Choose a size blade, click DS1_V2 Standard, then click Select. Read the Windows VM sizes article for
a list of all Windows VM sizes supported by Azure.
5. In the Settings blade, enter or select the following values and click OK:
Storage: Use managed disks Yes
Virtual network Select MyVNet You can select any VNet that exists in
the same location as the VM youre
creating. To learn more about VNets
and subnets, read the Virtual
network article.
Subnet Select Front-end You can select any subnet that exists
within the VNet.
Public IP address Accept the default A public IP address enables you to

connect to the VM from the Internet.
To learn more about public IP
addresses, read the IP addresses
article.
Network security group (firewall) Accept the default Click the (new) MyWebServer-nsg
default NSG the portal created to
view its settings. In the Create
network security group blade that
opens, notice that it has one inbound
rule that allows TCP/3389 (RDP)
traffic from any source IP address.
All other values Accept the defaults To learn more about the remaining
settings, read the About VMs article.
Network security groups (NSG) enable you to create inbound/outbound rules for the type of network traffic
that can flow to and from the VM. By default, all inbound traffic to the VM is denied. You might add
additional inbound rules for TCP/80 (HTTP) and TCP/443 (HTTPS) for a production web server. There is no
rule for outbound traffic because by default, all outbound traffic is allowed. You can add/remove rules to
control traffic per your policies. Read the Network security groups article to learn more about NSGs.
6. In the Summary blade, review the settings and click OK to create the VM. A status tile is displayed on the
portal dashboard as the VM creates. It may take a few minutes to create. You dont need to wait for it to
complete. You can continue to the next step while the VM is created.
Create the database server VM
To create the database server VM, complete the following steps:
1. In the Favorites pane, click New, Compute, then Windows Server 2016 Datacenter.
2. In the Windows Server 2016 Datacenter blade, click Create.
3. In the Basics blade, enter or select the following values, then click OK:
Name MyDBServer This VM serves as a database server

that the web server connects to, but
that the Internet cannot connect to.
VM disk type SSD
User name Your choice
Password and Confirm password Your choice
Subscription The subscription must be the same

subscription that you selected in Step
5 of the Create a virtual network with
Resource group Use existing: Select MyRG Though were using the same
resource group as we did for the
VNet, the resources dont have to
exist in the same resource group.
Location West US The location must be the same

location that you specified in step 5
of the Create a virtual network with
4. In the Choose a size blade, click DS1_V2 Standard, then click Select.
5. In the Settings blade, enter or select the following values and click OK:
Storage: Use managed disks Yes
Virtual network Select MyVNet You can select any VNet that exists in
the same location as the VM youre
creating.
Subnet Select Back-end by clicking the You can select any subnet that exists
Subnet box, then selecting Back- within the VNet.
end from the Choose a subnet
blade
Public IP address None Click the default address, Without a public IP address, you can
then click None from the Choose only connect to the VM from
public IP address blade another VM connected to the same
VNet. You cannot connect to it
directly from the Internet.
Network security group (firewall) Accept the default Like the default NSG created for the
MyWebServer VM, this NSG also has
the same default inbound rule. You
might add an additional inbound rule
for TCP/1433 (MS SQL) for a
database server. There is no rule for
outbound traffic because by default,
all outbound traffic is allowed. You
can add/remove rules to control
traffic per your policies.
All other values Accept the defaults
6. In the Summary blade, review the settings and click OK to create the VM. A status tile is displayed on the
portal dashboard as the VM creates. It may take a few minutes to create. You dont need to wait for it to
complete. You can continue to the next step while the VM is created.
Review resources
Though you created one VNet and two VMs, the Azure portal created several additional resources for you in the
MyRG resource group. Review the contents of the MyRG resource group by completing the following steps:
1. In the Favorites pane, click More services.
2. In the More services pane, type Resource groups in the box that has the word Filter in it. Click Resource
groups when you see it in the filtered list.
3. In the Resource groups pane, click the MyRG resource group. If you have many existing resource groups in
your subscription, you can type MyRG in the box that contains the text Filter by name to quickly access the
MyRG resource group.
4. In the MyRG blade, you see that the resource group contains 12 resources, as shown in the following
picture:
To learn more about VMs, disks, and storage accounts, read the Virtual machine, Disk, and Storage account
overview articles. You can see the two default NSGs the portal created for you. You can also see that the portal
created two network interface (NIC) resources. A NIC enables a VM to connect to other resources over the VNet.
Read the NIC article to learn more about NICs. The portal also created one Public IP address resource. Public IP
addresses are one setting for a public IP address resource. To learn more about public IP addresses, read the IP
addresses article.
Connect to the VMs

With your VNet and two VMs created, you can now connect to the VMs by completing the steps in the following
sections:
Connect to the web server VM from the Internet
To connect to the web server VM from the Internet, complete the following steps:
1. In the portal, open the MyRG resource group by completing the steps in the Review resources section of this
article.
2. In the MyRG blade, click the MyWebServer VM.
3. In the MyWebServer blade, click Connect, as shown in the following picture:
4. Allow your browser to download the MyWebServer.rdp file, then open it.
5. If you receive a dialog box informing you that the publisher of the remote connection cannot be verified, click
Connect.
6. When entering your credentials, ensure you login with the user name and password you specified in step 3 of
the Create the web server VM section of this article. If the Windows Security box that appears doesnt list the
correct credentials, you may need to click More choices, then Use a different account, so you can specify the
correct user name and password). Click OK to connect to the VM.
7. If you receive a Remote Desktop Connection box informing you that the identity of the remote computer
cannot be verified, click Yes.
8. You are now connected to the MyWebServer VM from the Internet. Leave the remote desktop connection open
to complete the steps in the next section.
The remote connection is to the public IP address assigned to the public IP address resource the portal created in
step 5 of the Create a virtual network with two subnets section of this article. The connection is allowed because
the default rule created in the MyWebServer-nsg NSG permitted TCP/3389 (RDP) inbound to the VM from any
source IP address. If you try to connect to the VM over any other port, the connection fails, unless you add
additional inbound rules to the NSG allowing the additional ports.
NOTE
If you add additional inbound rules to the NSG, ensure that the same ports are open on the Windows firewall, or the
connection fails.
Connect to the Internet from the web server VM

To connect outbound to the Internet from the web server VM, complete the following steps:
1. If you dont already have a remote connection to the MyWebServerVM open, make a remote connection to the
VM by completing the steps in the Connect to the web server VM from the Internet section of this article.
2. From the Windows desktop, open Internet Explorer. In the Setup Internet Explorer 11 dialog box, click Dont
use recommended settings, then click OK. Its recommended to accept the recommended settings for a
production server.
3. In the Internet Explorer address bar, enter bing.com. If you receive an Internet Explorer dialog box, click Add,
then Add in the Trusted sites dialog box and click Close. Repeat this process for any other Internet Explorer
dialog boxes.
4. At the Bing search page, enter whatsmyipaddress, then click the magnifying glass button. Bing returns the
public IP address assigned to the public IP address resource created by the portal when you created the VM.
If you examine the settings for the MyWebServer-ip resource, you see the same IP address assigned to the
public IP address resource, as shown in the picture that follows. The IP address assigned to your VM is
different however.
5. Leave the remote desktop connection open to complete the steps in the next section.
You are able to connect to the Internet from the VM because all outbound connectivity from the VM is allowed by
default. You can limit outbound connectivity by adding addition rules to the NSG applied to the NIC, to the subnet
the NIC is connected to, or both.
If the VM is put in the stopped (deallocated) state using the portal, the public IP address can change. If you require
that the public IP address never change, you can use the static allocation method for the IP address, rather than the
dynamic allocation method (which is the default). To learn more about the differences between allocation methods,
read the IP address types and allocation methods article.
Connect to the database server VM from the web server VM
To connect to the database server VM from the web server VM, complete the following steps:
1. If you dont already have a remote connection to the MyWebServer VM open, make a remote connection to the
VM by completing the steps in the Connect to the web server VM from the Internet section of this article.
2. Click the Start button in the lower-left corner of the Windows desktop, then start typing remote desktop. When
the Start menu list displays Remote Desktop Connection, click it.
3. In the Remote Desktop Connection dialog box, enter MyDBServer for the computer name and click Connect.
4. Enter the user name and passwords you entered in step 3 of the Create the database server VM section of this
article, then click OK.
5. If you receive a dialog box informing you that the identity of the remote computer cannot be verified, click Yes.
6. Leave the remote desktop connection to both servers open to complete the steps in the next section.
You are able to make the connection to the database server VM from the web server VM for the following reasons:
TCP/3389 inbound connections are enabled for any source IP in the default NSG created in step 5 of the Create
the database server VM section of this article.
You initiated the connection from the web server VM, which is connected to the same VNet as the database
server VM. To connect to a VM that doesnt have a public IP address assigned to it, you must connect from
another VM connected to the same VNet, even if the VM is connected to a different subnet.
Even though the VMs are connected to different subnets, Azure creates default routes that enable connectivity
between subnets. You can override the default routes by creating your own however. Read the User-defined
routes article to learn more about routing in Azure.
If you try to initiate a remote connection to the database server VM from the Internet, as you did in the Connect to
the web server VM from the Internet section of this article, you see that the Connect option is grayed out. Connect
is grayed out because there is no public IP address assigned to the VM, so inbound connections to it from the
Internet are not possible.
Connect to the Internet from the database server VM
Connect outbound to the Internet from the database server VM by completing the following steps:
1. If you dont already have a remote connection to the MyDBServer VM open from the MyWebServer VM,
complete the steps in the Connect to the database server VM from the web server VM section of this article.
2. From the Windows desktop on the MyDBServer VM, open Internet Explorer and respond to the dialog boxes as
you did in steps 2 and 3 of the Connect to the Internet from the web server VM section of this article.
3. In the address bar, enter bing.com.
4. Click Add in the Internet Explorer dialog box that appears, then Add, then Close in the Trusted sites dialog box.
Complete these steps in any additional dialog boxes appear.
5. At the Bing search page, enter whatsmyipaddress, then click the magnifying glass button. Bing returns the
public IP address currently assigned to the VM by the Azure infrastructure. 6. Close the remote desktop to the
MyDBServer VM from the MyWebServer VM, then close the remote connection to the MyWebServer VM.
The outbound connection to the Internet is allowed because all outbound traffic is allowed by default, even though
a public IP address resource is not assigned to the MyDBServer VM. All VMs, by default, are able to connect
outbound to the Internet, with or without a public IP address resource assigned to the VM. You are not able to
connect to the public IP address from the Internet however, like you were able to for the MyWebServer VM that
has a public IP address resource assigned.
Delete all resources

To delete all resources created in this article, complete the following steps:
1. To view the MyRG resource group created in this article, complete steps 1-3 in the Review resources section of
this article. Once again, review the resources in the resource group. If you created the MyRG resource group,
per previous steps, you see the 12 resources shown in the picture in step 4.
2. In the MyRG blade, click the Delete button.
3. The portal requires you to type the name of the resource group to confirm that you want to delete it. If you see
resources other than the resources shown in step 4 of the Review resources section of this article, click Cancel.
If you see only the 12 resources created as part of this article, type MyRG for the resource group name, then
click Delete. Deleting a resource group deletes all resources within the resource group, so always be sure to
confirm the contents of a resource group before deleting it. The portal deletes all resources contained within the
resource group, then deletes the resource group itself. This process takes several minutes.
Next steps
In this exercise, you created a VNet and two VMs. You specified come custom settings during VM creation, and
accepted several default settings. We recommend that you read the following articles, before deploying production
VNets and VMs, to ensure you understand all available settings:
Virtual networks
Public IP addresses
Network interfaces
Virtual machines
Plan and design Azure Virtual Networks
Creating a VNet to experiment with is easy enough, but chances are, you will deploy multiple VNets over time to
support the production needs of your organization. With some planning and design, you will be able to deploy
VNets and connect the resources you need more effectively. If you are not familiar with VNets, it's recommended
that you learn about VNets and how to deploy one before proceeding.
Plan
A thorough understanding of Azure subscriptions, regions, and network resources is critical for success. You can
use the list of considerations below as a starting point. Once you understand those considerations, you can define
the requirements for your network design.
Considerations
Before answering the planning questions below, consider the following:
Everything you create in Azure is composed of one or more resources. A virtual machine (VM) is a resource, the
network adapter interface (NIC) used by a VM is a resource, the public IP address used by a NIC is a resource,
the VNet the NIC is connected to is a resource.
You create resources within an Azure region and subscription. Resources can only be connected to a virtual
network that exists in the same region and subscription the resource is in.
You can connect virtual networks to each other by using:
Virtual network peering: The virtual networks must exist in the same Azure region. Bandwidth between
resources in peered virtual networks is the same as if the resources were connected to the same virtual
network.
An Azure VPN Gateway: The virtual networks can exist in the same, or different Azure regions.
Bandwidth between resources in virtual networks connected through a VPN Gateway is limited by the
bandwidth of the VPN Gateway.
You can connect VNets to your on-premises network by using one of the connectivity options available in Azure.
Different resources can be grouped together in resource groups, making it easier to manage the resource as a
unit. A resource group can contain resources from multiple regions, as long as the resources belong to the same
subscription.
Define requirements
Use the questions below as a starting point for your Azure network design.
1. What Azure locations will you use to host VNets?
2. Do you need to provide communication between these Azure locations?
3. Do you need to provide communication between your Azure VNet(s) and your on-premises datacenter(s)?
4. How many Infrastructure as a Service (IaaS) VMs, cloud services roles, and web apps do you need for your
solution?
5. Do you need to isolate traffic based on groups of VMs (i.e. front end web servers and back end database
servers)?
6. Do you need to control traffic flow using virtual appliances?
7. Do users need different sets of permissions to different Azure resources?
Understand VNet and subnet properties
VNet and subnets resources help define a security boundary for workloads running in Azure. A VNet is
characterized by a collection of address spaces, defined as CIDR blocks.
NOTE
Network administrators are familiar with CIDR notation. If you are not familiar with CIDR, learn more about it.
VNets contain the following properties.
PROPERTY DESCRIPTION CONSTRAINTS
name VNet name String of up to 80 characters. May

contain letters, numbers, underscore,
periods, or hyphens. Must start with a
letter or number. Must end with a
letter, number, or underscore. Can
contains upper or lower case letters.
location Azure location (also referred to as Must be one of the valid Azure
region). locations.
addressSpace Collection of address prefixes that make Must be an array of valid CIDR address
up the VNet in CIDR notation. blocks, including public IP address
ranges.
subnets Collection of subnets that make up the see the subnet properties table below.
VNet
dhcpOptions Object that contains a single required

property named dnsServers.
dnsServers Array of DNS servers used by the VNet. Must be an array of up to 10 DNS
If no server is specified, Azure internal servers, by IP address.
name resolution is used.
A subnet is a child resource of a VNet, and helps define segments of address spaces within a CIDR block, using IP
address prefixes. NICs can be added to subnets, and connected to VMs, providing connectivity for various
workloads.
Subnets contain the following properties.
name Subnet name String of up to 80 characters. May

contain letters, numbers, underscore,
periods, or hyphens. Must start with a
letter or number. Must end with a
letter, number, or underscore. Can
contains upper or lower case letters.
location Azure location (also referred to as Must be one of the valid Azure
region). locations.
addressPrefix Single address prefix that make up the Must be a single CIDR block that is part
subnet in CIDR notation of one of the VNet's address spaces.
networkSecurityGroup NSG applied to the subnet

routeTable Route table applied to the subnet
ipConfigurations Collection of IP configuration objects

used by NICs connected to the subnet
Name resolution
By default, your VNet uses Azure-provided name resolution to resolve names inside the VNet, and on the public
Internet. However, if you connect your VNets to your on-premises data centers, you need to provide your own DNS
server to resolve names between your networks.
Limits
Review the networking limits in the Azure limits article to ensure that your design doesn't conflict with any of the
limits. Some limits can be increased by opening a support ticket.
Role -Based Access Control (RBAC )
You can use Azure RBAC to control the level of access different users may have to different resources in Azure. That
way you can segregate the work done by your team based on their needs.
As far as virtual networks are concerned, users in the Network Contributor role have full control over Azure
Resource Manager virtual network resources. Similarly, users in the Classic Network Contributor role have full
control over classic virtual network resources.
NOTE
You can also create your own roles to separate your administrative needs.
Design
Once you know the answers to the questions in the Plan section, review the following before defining your VNets.
Number of subscriptions and VNets
You should consider creating multiple VNets in the following scenarios:
VMs that need to be placed in different Azure locations. VNets in Azure are regional. They cannot span
locations. Therefore you need at least one VNet for each Azure location you want to host VMs in.
Workloads that need to be completely isolated from one another. You can create separate VNets, that
even use the same IP address spaces, to isolate different workloads from one another.
Keep in mind that the limits you see above are per region, per subscription. That means you can use multiple
subscriptions to increase the limit of resources you can maintain in Azure. You can use a site-to-site VPN, or an
ExpressRoute circuit, to connect VNets in different subscriptions.
Subscription and VNet design patterns
The table below shows some common design patterns for using subscriptions and VNets.
SCENARIO DIAGRAM PROS CONS

Single subscription, two Only one subscription to Maximum number of VNets

VNets per app manage. per Azure region. You need
more subscriptions after
that. Review the Azure limits
article for details.
One subscription per app, Uses only two VNets per Harder to manage when
two VNets per app subscription. there are too many apps.
One subscription per Balance between number of Maximum number of VNets

business unit, two VNets per subscriptions and VNets. per business unit
app. (subscription). Review the
Azure limits article for details.
One subscription per Balance between number of Apps must be isolated by

business unit, two VNets per subscriptions and VNets. using subnets and NSGs.
group of apps.
Number of subnets
You should consider multiple subnets in a VNet in the following scenarios:
Not enough private IP addresses for all NICs in a subnet. If your subnet address space does not contain
enough IP addresses for the number of NICs in the subnet, you need to create multiple subnets. Keep in mind
that Azure reserves 5 private IP addresses from each subnet that cannot be used: the first and last addresses of
the address space (for the subnet address, and multicast) and 3 addresses to be used internally (for DHCP and
DNS purposes).
Security. You can use subnets to separate groups of VMs from one another for workloads that have a multi-
layer structure, and apply different network security groups (NSGs) for those subnets.
Hybrid connectivity. You can use VPN gateways and ExpressRoute circuits to connect your VNets to one
another, and to your on-premises data center(s). VPN gateways and ExpressRoute circuits require a subnet of
their own to be created.
Virtual appliances. You can use a virtual appliance, such as a firewall, WAN accelerator, or VPN gateway in an
Azure VNet. When you do so, you need to route traffic to those appliances and isolate them in their own subnet.
Subnet and NSG design patterns
The table below shows some common design patterns for using subnets.
Single subnet, NSGs per Only one subnet to manage. Multiple NSGs necessary to
application layer, per app isolate each application.
One subnet per app, NSGs Fewer NSGs to manage. Multiple subnets to manage.
per application layer
One subnet per application Balance between number of Maximum number of NSGs
layer, NSGs per app. subnets and NSGs. per subscription. Review the
Azure limits article for details.
One subnet per application Possibly smaller number of Multiple subnets to manage.
layer, per app, NSGs per NSGs.
subnet
Sample design
To illustrate the application of the information in this article, consider the following scenario.
You work for a company that has 2 data centers in North America, and two data centers Europe. You identified 6
different customer facing applications maintained by 2 different business units that you want to migrate to Azure
as a pilot. The basic architecture for the applications are as follows:
App1, App2, App3, and App4 are web applications hosted on Linux servers running Ubuntu. Each application
connects to a separate application server that hosts RESTful services on Linux servers. The RESTful services
connect to a back end MySQL database.
App5 and App6 are web applications hosted on Windows servers running Windows Server 2012 R2. Each
application connects to a back end SQL Server database.
All apps are currently hosted in one of the company's data centers in North America.
The on-premises data centers use the 10.0.0.0/8 address space.
You need to design a virtual network solution that meets the following requirements:
Each business unit should not be affected by resource consumption of other business units.
You should minimize the amount of VNets and subnets to make management easier.
Each business unit should have a single test/development VNet used for all applications.
Each application is hosted in 2 different Azure data centers per continent (North America and Europe).
Each application is completely isolated from each other.
Each application can be accessed by customers over the Internet using HTTP.
Each application can be accessed by users connected to the on-premises data centers by using an encrypted
tunnel.
Connection to on-premises data centers should use existing VPN devices.
The company's networking group should have full control over the VNet configuration.
Developers in each business unit should only be able to deploy VMs to existing subnets.
All applications will be migrated as they are to Azure (lift-and-shift).
The databases in each location should replicate to other Azure locations once a day.
Each application should use 5 front end web servers, 2 application servers (when necessary), and 2 database
servers.
Plan
You should start your design planning by answering the question in the Define requirements section as shown
below.
1. What Azure locations will you use to host VNets?
2 locations in North America, and 2 locations in Europe. You should pick those based on the physical
location of your existing on-premises data centers. That way your connection from your physical locations to
Azure will have a better latency.
2. Do you need to provide communication between these Azure locations?
Yes. Since the databases must be replicated to all locations.
3. Do you need to provide communication between your Azure VNet(s) and your on-premises data center(s)?
Yes. Since users connected to the on-premises data centers must be able to access the applications through
an encrypted tunnel.
4. How many IaaS VMs do you need for your solution?
200 IaaS VMs. App1, App2, App3, and App4 require 5 web servers each, 2 applications servers each, and 2
database servers each. That's a total of 9 IaaS VMs per application, or 36 IaaS VMs. App5 and App6 require 5
web servers and 2 database servers each. That's a total of 7 IaaS VMs per application, or 14 IaaS VMs.
Therefore, you need 50 IaaS VMs for all applications in each Azure region. Since we need to use 4 regions,
there will be 200 IaaS VMs.
You will also need to provide DNS servers in each VNet, or in your on-premises data centers to resolve
name between your Azure IaaS VMs and your on-premises network.
5. Do you need to isolate traffic based on groups of VMs (i.e. front end web servers and back end database
servers)?
Yes. Each application should be completely isolated from each other, and each application layer should also
be isolated.
6. Do you need to control traffic flow using virtual appliances?
No. Virtual appliances can be used to provide more control over traffic flow, including more detailed data
plane logging.
7. Do users need different sets of permissions to different Azure resources?
Yes. The networking team needs full control on the virtual networking settings, while developers should only
be able to deploy their VMs to pre-existing subnets.
Design
You should follow the design specifying subscriptions, VNets, subnets, and NSGs. We will discuss NSGs here, but
you should learn more about NSGs before finishing your design.
Number of subscriptions and VNets
The following requirements are related to subscriptions and VNets:
Each business unit should not be affected by resource consumption of other business units.
You should minimize the amount of VNets and subnets.
Each business unit should have a single test/development VNet used for all applications.
Each application is hosted in 2 different Azure data centers per continent (North America and Europe).
Based on those requirements, you need a subscription for each business unit. That way, consumption of resources
from a business unit will not count towards limits for other business units. And since you want to minimize the
number of VNets, you should consider using the one subscription per business unit, two VNets per group of
apps pattern as seen below.
You also need to specify the address space for each VNet. Since you need connectivity between the on-premises
data centers and the Azure regions, the address space used for Azure VNets cannot clash with the on-premises
network, and the address space used by each VNet should not clash with other existing VNets. You could use the
address spaces in the table below to satisfy these requirements.
SUBSCRIPTION VNET AZURE REGION ADDRESS SPACE
BU1 ProdBU1US1 West US 172.16.0.0/16
BU1 ProdBU1US2 East US 172.17.0.0/16
BU1 ProdBU1EU1 North Europe 172.18.0.0/16
BU1 ProdBU1EU2 West Europe 172.19.0.0/16
BU1 TestDevBU1 West US 172.20.0.0/16
BU2 TestDevBU2 West US 172.21.0.0/16
BU2 ProdBU2US1 West US 172.22.0.0/16
BU2 ProdBU2US2 East US 172.23.0.0/16
BU2 ProdBU2EU1 North Europe 172.24.0.0/16
BU2 ProdBU2EU2 West Europe 172.25.0.0/16
Number of subnets and NSGs

The following requirements are related to subnets and NSGs:
You should minimize the amount of VNets and subnets.
Each application is completely isolated from each other.
Each application can be accessed by customers over the Internet using HTTP.
Each application can be accessed by users connected to the on-premises data centers by using an encrypted
tunnel.
Connection to on-premises data centers should use existing VPN devices.
The databases in each location should replicate to other Azure locations once a day.
Based on those requirements, you could use one subnet per application layer, and use NSGs to filter traffic per
application. That way, you only have 3 subnets in each VNet (front end, application layer, and data layer) and one
NSG per application per subnet. In this case, you should consider using the one subnet per application layer,
NSGs per app design pattern. The figure below shows the use of the design pattern representing the
ProdBU1US1 VNet.
However, you also need to create an extra subnet for the VPN connectivity between the VNets, and your on-
premises data centers. And you need to specify the address space for each subnet. The figure below shows a
sample solution for ProdBU1US1 VNet. You would replicate this scenario for each VNet. Each color represents a
different application.
Access Control
The following requirements are related to access control:
The company's networking group should have full control over the VNet configuration.
Developers in each business unit should only be able to deploy VMs to existing subnets.
Based on those requirements, you could add users from the networking team to the built-in Network Contributor
role in each subscription; and create a custom role for the application developers in each subscription giving them
rights to add VMs to existing subnets.
Next steps
Deploy a virtual network based on a scenario.
Understand how to load balance IaaS VMs and manage routing over multiple Azure regions.
Learn more about NSGs and how to plan and design an NSG solution.
Learn more about your cross-premises and VNet connectivity options.
Filter network traffic with network security groups
A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources
connected to Azure Virtual Networks (VNet). NSGs can be associated to subnets, individual VMs (classic), or
individual network interfaces (NIC) attached to VMs (Resource Manager). When an NSG is associated to a
subnet, the rules apply to all resources connected to the subnet. Traffic can further be restricted by also
associating an NSG to a VM or NIC.
NOTE
Azure has two different deployment models for creating and working with resources: Resource Manager and classic.
This article covers using both models, but Microsoft recommends that most new deployments use the Resource
Manager model.
NSG resource
NSGs contain the following properties:
Name Name for the NSG Must be unique within the Since you may need to
region. create several NSGs, make
Can contain letters, sure you have a naming
numbers, underscores, convention that makes it
periods, and hyphens. easy to identify the
Must start with a letter or function of your NSGs.
number.
Must end with a letter,
number, or underscore.
Cannot exceed 80
characters.
Region Azure region where the NSGs can only be To learn about how many
NSG is created. associated to resources NSGs you can have per
within the same region as region, read the Azure
the NSG. limits article.
Resource group The resource group the Although an NSG exists in Resource groups are used
NSG exists in. a resource group, it can be to manage multiple
associated to resources in resources together, as a
any resource group, as deployment unit.
long as the resource is part You may consider grouping
of the same Azure region the NSG with resources it is
as the NSG. associated to.
Rules Inbound or outbound rules See the NSG rules section

that define what traffic is of this article.
allowed or denied.
NOTE
Endpoint-based ACLs and network security groups are not supported on the same VM instance. If you want to use an
NSG and have an endpoint ACL already in place, first remove the endpoint ACL. To learn how to remove an ACL, read
the Managing Access Control Lists (ACLs) for Endpoints by using PowerShell article.
NSG rules
NSG rules contain the following properties:
Name Name for the rule. Must be unique within the You may have several rules
region. within an NSG, so make
Can contain letters, sure you follow a naming
numbers, underscores, convention that allows you
periods, and hyphens. to identify the function of
Must start with a letter or your rule.
number.
Must end with a letter,
number, or underscore.
Cannot exceed 80
characters.
Protocol Protocol to match for the TCP, UDP, or * Using * as a protocol

rule. includes ICMP (East-West
traffic only), as well as UDP
and TCP, and may reduce
the number of rules you
need.
At the same time, using *
might be too broad an
approach, so it's
recommended that you use
* only when necessary.
Source port range Source port range to Single port number from 1 Source ports could be
match for the rule. to 65535, port range ephemeral. Unless your
(example: 1-65535), or * client program is using a
(for all ports). specific port, use * in most
cases.
Try to use port ranges as
much as possible to avoid
the need for multiple rules.
Multiple ports or port
ranges cannot be grouped
by a comma.
Destination port range Destination port range to Single port number from 1 Try to use port ranges as
match for the rule. to 65535, port range much as possible to avoid
(example: 1-65535), or * the need for multiple rules.
(for all ports). Multiple ports or port
ranges cannot be grouped
by a comma.
Source address prefix Source address prefix or Single IP address (example: Consider using ranges,
tag to match for the rule. 10.10.10.10), IP subnet default tags, and * to
(example: 192.168.1.0/24), reduce the number of rules.
default tag, or * (for all
addresses).
Destination address Destination address prefix Single IP address (example: Consider using ranges,
prefix or tag to match for the 10.10.10.10), IP subnet default tags, and * to
rule. (example: 192.168.1.0/24), reduce the number of rules.
default tag, or * (for all
addresses).
Direction Direction of traffic to match Inbound or outbound. Inbound and outbound

for the rule. rules are processed
separately, based on
direction.
Priority Rules are checked in the Number between 100 and Consider creating rules
order of priority. Once a 4096. jumping priorities by 100
rule applies, no more rules for each rule to leave space
are tested for matching. for new rules you might
create in the future.
Access Type of access to apply if Allow or deny. Keep in mind that if an

the rule matches. allow rule is not found for a
packet, the packet is
dropped.
NSGs contain two sets of rules: Inbound and outbound. The priority for a rule must be unique within each set.
The previous picture shows how NSG rules are processed.

Default Tags
Default tags are system-provided identifiers to address a category of IP addresses. You can use default tags in
the source address prefix and destination address prefix properties of any rule. There are three default
tags you can use:
VirtualNetwork (Resource Manager) (VIRTUAL_NETWORK for classic): This tag includes the virtual
network address space (CIDR ranges defined in Azure), all connected on-premises address spaces, and
connected Azure VNets (local networks).
AzureLoadBalancer (Resource Manager) (AZURE_LOADBALANCER for classic): This tag denotes Azures
infrastructure load balancer. The tag translates to an Azure datacenter IP where Azures health probes
originate.
Internet (Resource Manager) (INTERNET for classic): This tag denotes the IP address space that is outside
the virtual network and reachable by public Internet. The range includes the Azure owned public IP space.
Default rules
All NSGs contain a set of default rules. The default rules cannot be deleted, but because they are assigned the
lowest priority, they can be overridden by the rules that you create.
The default rules allow and disallow traffic as follows:
Virtual network: Traffic originating and ending in a virtual network is allowed both in inbound and
outbound directions.
Internet: Outbound traffic is allowed, but inbound traffic is blocked.
Load balancer: Allow Azures load balancer to probe the health of your VMs and role instances. If you are
not using a load balanced set you can override this rule.
Inbound default rules
SOURCE DESTINATIO DESTINATIO

NAME PRIORITY SOURCE IP PORT N IP N PORT PROTOCOL ACCESS
AllowVNetI 65000 VirtualNet * VirtualNet * * Allow

nBound work work
AllowAzure 65001 AzureLoad * * * * Allow

LoadBalanc Balancer
erInBound
DenyAllInB 65500 * * * * * Deny

ound
Outbound default rules
SOURCE DESTINATIO DESTINATIO

NAME PRIORITY SOURCE IP PORT N IP N PORT PROTOCOL ACCESS
AllowVnet 65000 VirtualNet * VirtualNet * * Allow

OutBound work work
AllowIntern 65001 * * Internet * * Allow

etOutBoun
d
DenyAllOu 65500 * * * * * Deny

tBound
Associating NSGs
You can associate an NSG to VMs, NICs, and subnets, depending on the deployment model you are using, as
follows:
VM (classic only): Security rules are applied to all traffic to/from the VM.
NIC (Resource Manager only): Security rules are applied to all traffic to/from the NIC the NSG is
associated to. In a multi-NIC VM, you can apply different (or the same) NSG to each NIC individually.
Subnet (Resource Manager and classic): Security rules are applied to any traffic to/from any resources
connected to the VNet.
You can associate different NSGs to a VM (or NIC, depending on the deployment model) and the subnet that a
NIC or VM is connected to. Security rules are applied to the traffic, by priority, in each NSG, in the following
order:
Inbound traffic
1. NSG applied to subnet: If a subnet NSG has a matching rule to deny traffic, the packet is
dropped.
2. NSG applied to NIC (Resource Manager) or VM (classic): If VM\NIC NSG has a matching rule
that denies traffic, packets are dropped at the VM\NIC, even if a subnet NSG has a matching rule
that allows traffic.
Outbound traffic
1. NSG applied to NIC (Resource Manager) or VM (classic): If a VM\NIC NSG has a matching rule
that denies traffic, packets are dropped.
2. NSG applied to subnet: If a subnet NSG has a matching rule that denies traffic, packets are
dropped, even if a VM\NIC NSG has a matching rule that allows traffic.
NOTE
Although you can only associate a single NSG to a subnet, VM, or NIC; you can associate the same NSG to as many
resources as you want.
Implementation
You can implement NSGs in the Resource Manager or classic deployment models using the following tools:
DEPLOYMENT TOOL CLASSIC RESOURCE MANAGER
Azure portal Yes Yes
PowerShell Yes Yes
Azure CLI V1 Yes Yes
Azure CLI V2 No Yes
Azure Resource Manager template No Yes
Planning
Before implementing NSGs, you need to answer the following questions:
1. What types of resources do you want to filter traffic to or from? You can connect resources such as NICs
(Resource Manager), VMs (classic), Cloud Services, Application Service Environments, and VM Scale Sets.
2. Are the resources you want to filter traffic to/from connected to subnets in existing VNets?
For more information on planning for network security in Azure, read the Cloud services and network security
article.
Design considerations
Once you know the answers to the questions in the Planning section, review the following sections before
defining your NSGs:
Limits
There are limits to the number of NSGs you can have in a subscription and number of rules per NSG. To learn
more about the limits, read the Azure limits article.
VNet and subnet design
Since NSGs can be applied to subnets, you can minimize the number of NSGs by grouping your resources by
subnet, and applying NSGs to subnets. If you decide to apply NSGs to subnets, you may find that existing
VNets and subnets you have were not defined with NSGs in mind. You may need to define new VNets and
subnets to support your NSG design and deploy your new resources to your new subnets. You could then
define a migration strategy to move existing resources to the new subnets.
Special rules
If you block traffic allowed by the following rules, your infrastructure can't communicate with essential Azure
services:
Virtual IP of the host node: Basic infrastructure services such as DHCP, DNS, and health monitoring are
provided through the virtualized host IP address 168.63.129.16. This public IP address belongs to Microsoft
and is the only virtualized IP address used in all regions for this purpose. This IP address maps to the
physical IP address of the server machine (host node) hosting the VM. The host node acts as the DHCP
relay, the DNS recursive resolver, and the probe source for the load balancer health probe and the machine
health probe. Communication to this IP address is not an attack.
Licensing (Key Management Service): Windows images running in VMs must be licensed. To ensure
licensing, a request is sent to the Key Management Service host servers that handle such queries. The
request is made outbound through port 1688.
ICMP traffic
The current NSG rules only allow for protocols TCP or UDP. There is not a specific tag for ICMP. However,
ICMP traffic is allowed within a VNet by the AllowVNetInBound default rule, that allows traffic to and from any
port and protocol within the VNet.
Subnets
Consider the number of tiers your workload requires. Each tier can be isolated by using a subnet, with an
NSG applied to the subnet.
If you need to implement a subnet for a VPN gateway, or ExpressRoute circuit, do not apply an NSG to that
subnet. If you do so, cross-VNet or cross-premises connectivity may fail.
If you need to implement a network virtual appliance (NVA), connect the NVA to its own subnet and create
user-defined routes (UDR) to and from the NVA. You can implement a subnet level NSG to filter traffic in
and out of this subnet. To learn more about UDRs, read the User-defined routes article.
Load balancers
Consider the load balancing and network address translation (NAT) rules for each load balancer used by
each of your workloads. NAT rules are bound to a back-end pool that contains NICs (Resource Manager) or
VMs/Cloud Services role instances (classic). Consider creating an NSG for each back-end pool, allowing
only traffic mapped through the rules implemented in the load balancers. Creating an NSG for each back-
end pool guarantees that traffic coming to the back-end pool directly (rather than through the load
balancer), is also filtered.
In classic deployments, you create endpoints that map ports on a load balancer to ports on your VMs or
role instances. You can also create your own individual public-facing load balancer through Resource
Manager. The destination port for incoming traffic is the actual port in the VM or role instance, not the port
exposed by a load balancer. The source port and address for the connection to the VM is a port and
address on the remote computer in the Internet, not the port and address exposed by the load balancer.
When you create NSGs to filter traffic coming through an internal load balancer (ILB), the source port and
address range applied are from the originating computer, not the load balancer. The destination port and
address range are those of the destination computer, not the load balancer.
Other
Endpoint-based access control lists (ACL) and NSGs are not supported on the same VM instance. If you
want to use an NSG and have an endpoint ACL already in place, first remove the endpoint ACL. For
information about how to remove an endpoint ACL, see the Manage endpoint ACLs article.
In Resource Manager, you can use an NSG associated to a NIC for VMs with multiple NICs to enable
management (remote access) on a per NIC basis. Associating unique NSGs to each NIC enables separation
of traffic types across NICs.
Similar to the use of load balancers, when filtering traffic from other VNets, you must use the source
address range of the remote computer, not the gateway connecting the VNets.
Many Azure services cannot be connected to VNets. If an Azure resource is not connected to a VNet, you
cannot use an NSG to filter traffic to the resource. Read the documentation for the services you use to
determine whether the service can be connected to a VNet.
Sample deployment
To illustrate the application of the information in this article, consider a common scenario of a two tier
application shown in the following picture:
As shown in the diagram, the Web1 and Web2 VMs are connected to the FrontEnd subnet, and the DB1 and
DB2 VMs are connected to the BackEnd subnet. Both subnets are part of the TestVNet VNet. The application
components each run within an Azure VM connected to a VNet. The scenario has the following requirements:
1. Separation of traffic between the WEB and DB servers.
2. Load balancing rules forward traffic from the load balancer to all web servers on port 80.
3. Load balancer NAT rules forward traffic coming into the load balancer on port 50001 to port 3389 on the
WEB1 VM.
4. No access to the front-end or back-end VMs from the Internet, except requirements 2 and 3.
5. No outbound Internet access from the WEB or DB servers.
6. Access from the FrontEnd subnet is allowed to port 3389 of any web server.
7. Access from the FrontEnd subnet is allowed to port 3389 of any DB server.
8. Access from the FrontEnd subnet is allowed to port 1433 of all DB servers.
9. Separation of management traffic (port 3389) and database traffic (1433) on different NICs in DB servers.
Requirements 1-6 (except requirements 3 and 4) are all confined to subnet spaces. The following NSGs meet
the previous requirements, while minimizing the number of NSGs required:
FrontEnd
Inbound rules
SOURCE DESTINATIO
ADDRESS SOURCE N ADDRESS DESTINATIO
RULE ACCESS PRIORITY RANGE PORT RANGE N PORT PROTOCOL
Allow- Allow 100 Internet * * 80 TCP

Inbound-
HTTP-
Internet

Inbound-
RDP-
Internet
Deny- Deny 300 Internet * * * TCP

Inbound-
All
Outbound rules
SOURCE DESTINATIO
Deny- Deny 100 * * Internet * *

Internet-All
BackEnd
Inbound rules
SOURCE DESTINATIO
Deny- Deny 100 Internet * * * *

Internet-All
Outbound rules
SOURCE DESTINATIO
Deny- Deny 100 * * Internet * *

Internet-All
The following NSGs are created and associated to NICs in the following VMs:
WEB1
Inbound rules
SOURCE DESTINATIO

Inbound-
RDP-
Internet

Inbound-
HTTP-
Internet
NOTE
The source address range for the previous rules is Internet, not the virtual IP address of for the load balancer. The
source port is , not 500001. NAT rules for load balancers are not the same as NSG security rules. NSG security rules
are always related to the original source and final destination of traffic, **not* the load balancer between the two.
WEB2
Inbound rules
SOURCE DESTINATIO
Deny- Deny 100 Internet * * 3389 TCP

Inbound-
RDP-
Internet

Inbound-
HTTP-
Internet
DB servers (Management NIC )
Inbound rules
SOURCE DESTINATIO
Allow- Allow 100 192.168.1. * * 3389 TCP

Inbound- 0/24
RDP-
Front-end
DB servers (Database traffic NIC )

Inbound rules
SOURCE DESTINATIO
Allow- Allow 100 192.168.1. * * 1433 TCP

Inbound- 0/24
SQL-Front-
end
Since some of the NSGs are associated to individual NICs, the rules are for resources deployed through
Resource Manager. Rules are combined for subnet and NIC, depending on how they are associated.
Next steps
Deploy NSGs (Resource Manager).
Deploy NSGs (classic).
Manage NSG logs.
Troubleshoot NSGs
Create a virtual network with multiple subnets
In this tutorial, learn how to create a basic Azure virtual network that has separate public and private subnets.
Resources in virtual networks can communicate with each other, and with resources in other networks connected
to a virtual network. You can create Azure resources, like Virtual machines, App Service environments, Virtual
machine scale sets, Azure HDInsight, and Cloud services in the same, or different subnets within a virtual
network. Creating resources in different subnets enables you to filter network traffic in and out of subnets
independently with network security groups, and to route traffic between subnets through network virtual
appliances, such as a firewall, if you choose to.
The following sections include steps that you can take to create a virtual network by using the Azure portal, the
Azure command-line interface (Azure CLI), Azure PowerShell, and an Azure Resource Manager template. The
result is the same, regardless of which tool you use to create the virtual network. Click a tool link to go to that
section of the tutorial. Learn more about all virtual network and subnet settings.
This article provides steps to create a virtual network through the Resource Manager deployment model, which is
the deployment model we recommend using when creating new virtual networks. If you need to create a virtual
network (classic), see Create a virtual network (classic). If you're not familiar with Azure's deployment models,
see Understand Azure deployment models.
Azure portal
1. In an Internet browser, go to the Azure portal. Log in using your Azure account. If you don't have an Azure
account, you can sign up for a free trial.
2. In the portal, click +New > Networking > Virtual network.
3. On the Create virtual network blade, enter the following values, and then click Create:
SETTING VALUE
Name myVnet
Address space 10.0.0.0/16
Subnet name Public
Subnet address range 10.0.0.0/24
Resource group Leave Create new selected, and then enter

myResourceGroup.
Subscription and location Select your subscription and location.
If you're new to Azure, learn more about resource groups, subscriptions, and locations (also referred to as
regions).
4. In the portal, you can create only one subnet when you create a virtual network. In this tutorial, you create a
second subnet after you create the virtual network. You might later create Internet-accessible resources in the
Public subnet. You also might create resources that aren't accessible from the Internet in the Private subnet.
To create the second subnet, in the Search resources box at the top of the page, enter myVnet. In the search
results, click myVnet. If you have multiple virtual networks with the same name in your subscription, check
the resource groups that are listed under each virtual network. Ensure that you click the myVnet search result
that has the resource group myResourceGroup.
5. On the myVnet blade, under SETTINGS, click Subnets.
6. On the myVnet - Subnets blade, click +Subnet.
7. On the Add subnet blade, for Name, enter Private. For Address range, enter 10.0.1.0/24. Click OK.
8. On the myVnet - Subnets blade, review the subnets. You can see the Public and Private subnets that you
created.
9. Optional: Complete additional tutorials listed under Next steps to filter network traffic in and out of each
subnet with network security groups, to route traffic between subnets through a network virtual appliance, or
to connect the virtual network to other virtual networks or on-premises networks.
10. Optional: Delete the resources that you create in this tutorial by completing the steps in Delete resources.
Azure CLI
Azure CLI commands are the same, whether you execute the commands from Windows, Linux, or macOS.
However, there are scripting differences between operating system shells. The script in the following steps
executes in a Bash shell.
1. Install and configure the Azure CLI. Ensure you have the most recent version of the Azure CLI installed. To get
help for CLI commands, type az <command> --help . Rather than installing the CLI and its pre-requisites, you
can use the Azure Cloud Shell. The Azure Cloud Shell is a free Bash shell that you can run directly within the
Azure portal. The Cloud Shell has the Azure CLI preinstalled and configured to use with your account. To use
the Cloud Shell, click the Cloud Shell (>_) button at the top of the portal or just click the Try it button in the
steps that follow.
2. If running the CLI locally, log in to Azure with the az login command. If using the Cloud Shell, you're already
logged in.
3. Review the following script and its comments. In your browser, copy the script and paste it into your CLI
session:
#!/bin/bash
# Create a resource group.

az group create \
--name myResourceGroup \
--location eastus
# Create a virtual network with one subnet named Public.

az network vnet create \
--name myVnet \
--resource-group myResourceGroup \
--subnet-name Public
# Create an additional subnet named Private in the virtual network.

az network vnet subnet create \
--name Private \
--address-prefix 10.0.1.0/24 \
--vnet-name myVnet \
--resource-group myResourceGroup
4. When the script is finished running, review the subnets for the virtual network. Copy the following
command, and then paste it into your CLI session:
az network vnet subnet list --resource-group myResourceGroup --vnet-name myVnet --output table
subnet with network security groups, to route traffic between subnets through a network virtual appliance,
or to connect the virtual network to other virtual networks or on-premises networks.
PowerShell
1. Install the latest version of the PowerShell AzureRm module. If you're new to Azure PowerShell, see Azure
PowerShell overview.
2. In a PowerShell session, log in to Azure with your Azure account using the login-azurermaccount
command.
3. Review the following script and its comments. In your browser, copy the script and paste it into your
PowerShell session:

New-AzureRmResourceGroup `
-Name myResourceGroup `
-Location eastus
# Create the public and private subnets.

$Subnet1 = New-AzureRmVirtualNetworkSubnetConfig `
-Name Public `
-AddressPrefix 10.0.0.0/24
$Subnet2 = New-AzureRmVirtualNetworkSubnetConfig `
-Name Private `
# Create a virtual network.

$Vnet=New-AzureRmVirtualNetwork `
-ResourceGroupName myResourceGroup `
-Location eastus `
-Name myVnet `
-AddressPrefix 10.0.0.0/16 `
-Subnet $Subnet1,$Subnet2
4. To review the subnets for the virtual network, copy the following command, and then paste it into your
PowerShell session:
$Vnet.subnets | Format-Table Name, AddressPrefix
subnet with network security groups, to route traffic between subnets through a network virtual appliance,
or to connect the virtual network to other virtual networks or on-premises networks.
Resource Manager template

You can deploy a virtual network by using an Azure Resource Manager template. To learn more about templates,
see What is Resource Manager. To access the template and to learn about its parameters, see the Create a virtual
network with two subnets template. You can deploy the template by using the portal, Azure CLI, or PowerShell.
Optional steps after you deploy the template:
1. Complete additional tutorials listed under Next steps to filter network traffic in and out of each subnet with
network security groups, to route traffic between subnets through a network virtual appliance, or to connect
the virtual network to other virtual networks or on-premises networks.
2. Delete the resources that you create in this tutorial by completing the steps in any subsections of Delete
resources.
Azure portal
1. In your browser, open the template page.
2. Click the Deploy to Azure button. If you're not already logged in to Azure, log in on the Azure portal login
screen that appears.
3. Sign in to the portal by using your Azure account. If you don't have an Azure account, you can sign up for a
free trial.
4. Enter the following values for the parameters:
PARAMETER VALUE
Subscription Select your subscription
Resource group myResourceGroup
Location Select a location
Vnet Name myVnet
Vnet Address Prefix 10.0.0.0/16
Subnet1Prefix 10.0.0.0/24
Subnet1Name Public
Subnet2Prefix 10.0.1.0/24
Subnet2Name Private
5. Agree to the terms and conditions, and then click Purchase to deploy the virtual network.
Azure CLI
1. Install and configure the Azure CLI. Ensure you have the most recent version of the Azure CLI installed. To get
help for CLI commands, type az <command> --help . Rather than installing the CLI and its pre-requisites, you
can use the Azure Cloud Shell. The Azure Cloud Shell is a free Bash shell that you can run directly within the
Azure portal. The Cloud Shell has the Azure CLI preinstalled and configured to use with your account. To use
the Cloud Shell, click the Cloud Shell >_ button at the top of the portal, or just click the Try it button in the
steps that follow.
2. If running the CLI locally, log in to Azure with the az login command. If using the Cloud Shell, you're already
logged in.
3. To create a resource group for the virtual network, copy the following command and paste it into your CLI
session:
az group create --name myResourceGroup --location eastus
4. You can deploy the template by using one of the following parameters options:
Default parameter values. Enter the following command:
az group deployment create --resource-group myResourceGroup --name VnetTutorial --template-uri
https://raw.githubusercontent.com/azure/azure-quickstart-templates/master/101-vnet-two-
subnets/azuredeploy.json`
Custom parameter values. Download and modify the template before you deploy the template.
You also can deploy the template by using parameters at the command line, or deploy the template
with a separate parameters file. To download the template and parameters files, click the Browse
on GitHub button on the Create a virtual network with two subnets template page. In GitHub, click
the azuredeploy.parameters.json or azuredeploy.json file. Then, click the Raw button to display
the file. In your browser, copy the contents of the file. Save the contents to a file on your computer.
You can modify the parameter values in the template, or deploy the template with a separate
parameters file.
To learn more about how to deploy templates by using these methods, type
az group deployment create --help .
PowerShell
2. In a PowerShell session, to sign in with your Azure account, enter login-azurermaccount .
3. To create a resource group for the virtual network, enter the following command:
New-AzureRmResourceGroup -Name myResourceGroup -Location eastus
4. You can deploy the template by using one of the following parameters options:
Default parameter values. Enter the following command:
New-AzureRmResourceGroupDeployment -Name VnetTutorial -ResourceGroupName myResourceGroup -

TemplateUri https://raw.githubusercontent.com/azure/azure-quickstart-templates/master/101-vnet-
two-subnets/azuredeploy.json
Custom parameter values. Download and modify the template before you deploy it. You also can
deploy the template by using parameters at the command line, or deploy the template with a
separate parameters file. To download the template and parameters files, click the Browse on
GitHub button on the Create a virtual network with two subnets template page. In GitHub, click the
azuredeploy.parameters.json or azuredeploy.json file. Then, click the Raw button to display the
file. In your browser, copy the contents of the file. Save the contents to a file on your computer. You
can modify the parameter values in the template, or deploy the template with a separate
parameters file.
To learn more about how to deploy templates by using these methods, type
Get-Help New-AzureRmResourceGroupDeployment .
Delete resources
When you finish this tutorial, you might want to delete the resources that you created, so that you don't incur
usage charges. Deleting a resource group also deletes all resources that are in the resource group.
Azure portal
1. In the portal search box, enter myResourceGroup. In the search results, click myResourceGroup.
2. On the myResourceGroup blade, click the Delete icon.
3. To confirm the deletion, in the TYPE THE RESOURCE GROUP NAME box, enter myResourceGroup, and
then click Delete.
Azure CLI
In a CLI session, enter the following command:
az group delete --name myResourceGroup --yes
PowerShell
In a PowerShell session, enter the following command:
Remove-AzureRmResourceGroup -Name myResourceGroup -Force
Next steps
To learn about all virtual network and subnet settings, see Manage virtual networks and Manage virtual
network subnets. You have various options for using virtual networks and subnets in a production
environment to meet different requirements.
Filter inbound and outbound subnet traffic by creating and applying network security groups to subnets.
Route traffic between subnets through a network virtual appliance, by creating user-defined routes and apply
the routes to each subnet.
Create a Windows or a Linux virtual machine in an existing virtual network.
Connect two virtual networks by creating a virtual network peering between the virtual networks.
Connect the virtual network to an on-premises network by using a VPN Gateway or Azure ExpressRoute
circuit.
Create a virtual network using PowerShell
network settings and define DHCP address blocks, DNS settings, security policies, and routing. You can also further
segment your VNet into subnets and deploy Azure IaaS virtual machines (VMs) and PaaS role instances, in the
same way you can deploy physical and virtual machines to your on-premises datacenter. In essence, you can
expand your network to Azure, bringing your own IP address blocks. Read the virtual network overview if you are
not familiar with VNets.
Azure has two deployment models: Azure Resource Manager and classic. Microsoft recommends creating
resources through the Resource Manager deployment model. To learn more about the differences between the
two models, read the Understand Azure deployment models article.
This article explains how to create a VNet through the Resource Manager deployment model using PowerShell.
You can also create a VNet through Resource Manager using other tools or create a VNet through the classic
deployment model by selecting a different option from the following list:
Scenario
To better illustrate how to create a VNet and subnets, this document will use the scenario below.
In this scenario you will create a VNet named TestVNet with a reserved CIDR block of 192.168.0.0./16. Your VNet
will contain the following subnets:
FrontEnd, using 192.168.1.0/24 as its CIDR block.
BackEnd, using 192.168.2.0/24 as its CIDR block.
Create a virtual network

To create a virtual network using PowerShell, complete the following steps:
1. Install and configure Azure PowerShell, by following the steps in the How to Install and Configure Azure
PowerShell article.
2. If necessary, create a new resource group, as shown below. For this scenario, create a resource group
named TestRG. For more information about resource groups, visit Azure Resource Manager Overview.
New-AzureRmResourceGroup -Name TestRG -Location centralus
Expected output:
ResourceGroupName : TestRG
Location : centralus
ProvisioningState : Succeeded
Tags :
ResourceId : /subscriptions/[Subscription Id]/resourceGroups/TestRG
3. Create a new VNet named TestVNet:
New-AzureRmVirtualNetwork -ResourceGroupName TestRG -Name TestVNet `

-AddressPrefix 192.168.0.0/16 -Location centralus
Expected output:
Name : TestVNet
Id : /subscriptions/[Subscription
Id]/resourceGroups/TestRG/providers/Microsoft.Network/virtualNetworks/TestVNet
Etag : W/"[Id]"
Tags :
AddressSpace : {
"AddressPrefixes": [
"192.168.0.0/16"
]
}
DhcpOptions : {}
Subnets : []
VirtualNetworkPeerings : []
4. Store the virtual network object in a variable:
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName TestRG -Name TestVNet
TIP
You can combine steps 3 and 4 by running
$vnet = New-AzureRmVirtualNetwork -ResourceGroupName TestRG -Name TestVNet -AddressPrefix
192.168.0.0/16 -Location centralus
.
5. Add a subnet to the new VNet variable:
Add-AzureRmVirtualNetworkSubnetConfig -Name FrontEnd `

-VirtualNetwork $vnet -AddressPrefix 192.168.1.0/24
Expected output:
Name : TestVNet
Etag : W/"[Id]"
Tags :
AddressSpace : {
"192.168.0.0/16"
]
}
DhcpOptions : {}
Subnets : [
{
"Name": "FrontEnd",
"AddressPrefix": "192.168.1.0/24"
}
]
6. Repeat step 5 above for each subnet you want to create. The following command creates the BackEnd
subnet for the scenario:
Add-AzureRmVirtualNetworkSubnetConfig -Name BackEnd `

-VirtualNetwork $vnet -AddressPrefix 192.168.2.0/24
7. Although you create subnets, they currently only exist in the local variable used to retrieve the VNet you
create in step 4 above. To save the changes to Azure, run the following command:
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
Expected output:
Name : TestVNet
Etag : W/"[Id]"
Tags :
AddressSpace : {
"192.168.0.0/16"
]
}
DhcpOptions : {
"DnsServers": []
}
Subnets : [
{
"Name": "FrontEnd",
"Etag": "W/\"[Id]\"",
"Id": "/subscriptions/[Subscription
Id]/resourceGroups/TestRG/providers/Microsoft.Network/virtualNetworks/TestVNet/subnets/FrontEnd",
"AddressPrefix": "192.168.1.0/24",
"IpConfigurations": [],
"ProvisioningState": "Succeeded"
},
{
"Name": "BackEnd",
"Etag": "W/\"[Id]\"",
Id]/resourceGroups/TestRG/providers/Microsoft.Network/virtualNetworks/TestVNet/subnets/BackEnd",
"AddressPrefix": "192.168.2.0/24",
}
]
Next steps
Learn how to connect:
A virtual machine (VM) to a virtual network by reading the Create a Windows VM article. Instead of creating a
VNet and subnet in the steps of the articles, you can select an existing VNet and subnet to connect a VM to.
The virtual network to other virtual networks by reading the Connect VNets article.
The virtual network to an on-premises network using a site-to-site virtual private network (VPN) or
ExpressRoute circuit. Learn how by reading the Connect a VNet to an on-premises network using a site-to-site
VPN and Link a VNet to an ExpressRoute circuit articles.
Create a virtual network using the Azure CLI 2.0
two models, read the Understand Azure deployment models article.
CLI versions to complete the task

You can complete the task using one of the following CLI versions:
Azure CLI 1.0 our CLI for the classic and resource management deployment models
Azure CLI 2.0 - our next generation CLI for the resource management deployment model (this article)`
You can also create a VNet through Resource Manager using other tools or create a VNet through the
classic deployment model by selecting a different option from the following list:
Scenario

To create a virtual network using the Azure CLI 2.0, complete the following steps:
1. Install and configure the latest Azure CLI 2.0 and log in to an Azure account using az login.
2. Create a resource group for your VNet using the az group create command with the --name and
--location arguments:
az group create --name TestRG --location centralus
3. Create a VNet and a subnet:

--name TestVNet \
--resource-group TestRG \
--location centralus \
--address-prefix 192.168.0.0/16 \
--subnet-name FrontEnd \
--subnet-prefix 192.168.1.0/24
Expected output:
{
"newVNet": {
"addressSpace": {
"addressPrefixes": [
"192.168.0.0/16"
]
},
"dhcpOptions": {
"dnsServers": []
},
"provisioningState": "Succeeded",
"resourceGuid": "<guid>",
"subnets": [
{
"etag": "W/\"<guid>\"",
"id":
"/subscriptions/<guid>/resourceGroups/TestRG/providers/Microsoft.Network/virtualNetworks/TestVNet/subne
ts/FrontEnd",
"name": "FrontEnd",
"properties": {
"addressPrefix": "192.168.1.0/24",
"provisioningState": "Succeeded"
},
"resourceGroup": "TestRG"
}
]
}
}
Parameters used:
--name TestVNet : Name of the VNet to be created.
--resource-group TestRG : # The resource group name that controls the resource.
--location centralus : The location into which to deploy.
--address-prefix 192.168.0.0/16 : The address prefix and block.
--subnet-name FrontEnd : The name of the subnet.
--subnet-prefix 192.168.1.0/24 : The address prefix and block.
To list the basic information to use in the next command, you can query the VNet using a query filter:
az network vnet list --query '[?name==`TestVNet`].
{Where:location,Name:name,Group:resourceGroup}' -o table
Which produces the following output:

Where Name Group
centralus TestVNet TestRG
4. Create a subnet:

--address-prefix 192.168.2.0/24 \
--name BackEnd \
--vnet-name TestVNet
Expected output:
{
"addressPrefix": "192.168.2.0/24",
"etag": "W/\"<guid> \"",
"id":
ts/BackEnd",
"ipConfigurations": null,
"name": "BackEnd",
"networkSecurityGroup": null,
"resourceGroup": "TestRG",
"resourceNavigationLinks": null,
"routeTable": null
}
Parameters used:
--address-prefix 192.168.2.0/24 : Subnet CIDR block.
--name BackEnd : Name of the new subnet.
--resource-group TestRG : The resource group.
--vnet-name TestVNet : The name of the owning VNet.
5. Query the properties of the new VNet:
az network vnet show \

-g TestRG \
-n TestVNet \
--query '{Name:name,Where:location,Group:resourceGroup,Status:provisioningState,SubnetCount:subnets |
length(@)}' \
-o table
Expected output:
Name Where Group Status SubnetCount
TestVNet centralus TestRG Succeeded 2
6. Query the properties of the subnets:

az network vnet subnet list \
-g TestRG \
--vnet-name testvnet \
--query '[].{Name:name,CIDR:addressPrefix,Status:provisioningState}' \
-o table
Expected output:
Name CIDR Status
FrontEnd 192.168.1.0/24 Succeeded

BackEnd 192.168.2.0/24 Succeeded
Next steps
A virtual machine (VM) to a virtual network by reading the Create a Linux VM article. Instead of creating a VNet
and subnet in the steps of the articles, you can select an existing VNet and subnet to connect a VM to.
VPN and Link a VNet to an ExpressRoute circuit.
Create a virtual network using an Azure Resource
Manager template
resources through the Resource Manager deployment model. To learn more about the differences between the two
models, read the Understand Azure deployment models article.
This article explains how to create a VNet through the Resource Manager deployment model using an Azure
Resource Manager template. You can also create a VNet through Resource Manager using other tools or create a
VNet through the classic deployment model by selecting a different option from the following list:
You will learn how to download and modify and existing ARM template from GitHub, and deploy the template
from GitHub, PowerShell, and the Azure CLI.
If you are simply deploying the ARM template directly from GitHub, without any changes, skip to deploy a template
from github.
Scenario
Download and understand the Azure Resource Manager template

You can download the existing template for creating a VNet and two subnets from GitHub, make any changes you
might want, and reuse it. To do so, complete the following steps:
1. Navigate to the sample template page.
2. Click azuredeploy.json, and then click RAW.
3. Save the file to a a local folder on your computer.
4. If you are familiar with templates, skip to step 7.
5. Open the file you just saved and look at the contents under parameters in line 5. ARM template parameters
provide a placeholder for values that can be filled out during deployment.
PARAMETER DESCRIPTION
location Azure region where the VNet will be created
vnetName Name for the new VNet
addressPrefix Address space for the VNet, in CIDR format
subnet1Name Name for the first VNet
subnet1Prefix CIDR block for the first subnet
subnet2Name Name for the second VNet
subnet2Prefix CIDR block for the second subnet
IMPORTANT
Azure Resource Manager templates maintained in GitHub can change over time. Make sure you check the template
before using it.
6. Check the content under resources and notice the following:

type. Type of resource being created by the template. In this case,
Microsoft.Network/virtualNetworks, which represent a VNet.
name. Name for the resource. Notice the use of [parameters('vnetName')], which means the name
will provided as input by the user or a parameter file during deployment.
properties. List of properties for the resource. This template uses the address space and subnet
properties during VNet creation.
7. Navigate back to the sample template page.
8. Click azuredeploy-paremeters.json, and then click RAW.
9. Save the file to a a local folder on your computer.
10. Open the file you just saved and edit the values for the parameters. Use the following values below to
deploy the VNet described in the scenario:
{
"location": {
"value": "Central US"
},
"vnetName": {
"value": "TestVNet"
},
"addressPrefix": {
"value": "192.168.0.0/16"
},
"subnet1Name": {
"value": "FrontEnd"
},
"subnet1Prefix": {
"value": "192.168.1.0/24"
},
"subnet2Name": {
"value": "BackEnd"
},
"subnet2Prefix": {
"value": "192.168.2.0/24"
}
}
11. Save the file.
Deploy the template using PowerShell

Complete the following steps to deploy the template you downloaded by using PowerShell:
1. Install and configure Azure PowerShell by completing the steps in the How to Install and Configure Azure
PowerShell article.
2. Run the following command to create a new resource group:
New-AzureRmResourceGroup -Name TestRG -Location centralus
The command creates a resource group named TestRG in the Central US azure region. For more information
about resource groups, visit Azure Resource Manager Overview.
Expected output:
Tags :
Permissions :
Actions NotActions
======= ==========
*
ResourceId : /subscriptions/[Id]/resourceGroups/TestRG
3. Run the following command to deploy the new VNet using the template and parameter files you
downloaded and modified above:
New-AzureRmResourceGroupDeployment -Name TestVNetDeployment -ResourceGroupName TestRG `

-TemplateFile C:\ARM\azuredeploy.json -TemplateParameterFile C:\ARM\azuredeploy-parameters.json
Expected output:
DeploymentName : TestVNetDeployment
Timestamp : [Date and time]
Mode : Incremental
TemplateLink :
Parameters :
Name Type Value
=============== ========================= ==========
location String Central US
vnetName String TestVNet
addressPrefix String 192.168.0.0/16
subnet1Prefix String 192.168.1.0/24
subnet1Name String FrontEnd
subnet2Prefix String 192.168.2.0/24
subnet2Name String BackEnd
Outputs :
4. Run the following command to view the properties of the new VNet:
Get-AzureRmVirtualNetwork -ResourceGroupName TestRG -Name TestVNet
Expected output:
Name : TestVNet
Id :
/subscriptions/[Id]/resourceGroups/TestRG/providers/Microsoft.Network/virtualNetworks/TestVNet
Etag : W/"[Id]"
Tags :
AddressSpace : {
"192.168.0.0/16"
]
}
DhcpOptions : {
"DnsServers": null
}
NetworkInterfaces : null
Subnets : [
{
"Name": "FrontEnd",
"Etag": "W/\"[Id]\"",
"Id":
"/subscriptions/[Id]/resourceGroups/TestRG/providers/Microsoft.Network/virtualNetworks/TestVNet/subnets/
FrontEnd",
"AddressPrefix": "192.168.1.0/24",
"NetworkSecurityGroup": null,
"RouteTable": null,
},
{
"Name": "BackEnd",
"Etag": "W/\"[Id]\"",
"Id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-
xxxxxxxxxxxx/resourceGroups/TestRG/providers/Microsoft.Network/virtualNetworks/TestVNet/subnets/BackEnd"
,
"AddressPrefix": "192.168.2.0/24",
"NetworkSecurityGroup": null,
"RouteTable": null,
}
]
Deploy the template using click-to-deploy

You can reuse pre-defined Azure Resource Manager templates uploaded to a GitHub repository maintained by
Microsoft and open to the community. These templates can be deployed straight out of GitHub, or downloaded and
modified to fit your needs. To deploy a template that creates a VNet with two subnets, complete the following
steps:
1. From a browser, navigate to https://github.com/Azure/azure-quickstart-templates.
2. Scroll down the list of templates, and click 101-vnet-two-subnets. Check the README.md file, as shown
below.
3. Click Deploy to Azure. If necessary, enter your Azure login credentials.
4. In the Parameters blade, enter the values you want to use to create your new VNet, and then click OK. The
following figure shows the values for the scenario:
5. Click Resource group and select a resource group to add the VNet to, or click Create new to add the VNet
to a new resource group. The following figure shows the resource group settings for a new resource group
called TestRG:
6. If necessary, change the Subscription and Location settings for your VNet.
7. If you do not want to see the VNet as a tile in the Startboard, disable Pin to Startboard.
8. Click Legal terms, read the terms, and click Buy to agree.
9. Click Create to create the VNet.
10. Once the deployment is complete, in the Azure portal click More services, type virtual networks in the filter
box that appears, then click Virtual networks to see the Virtual networks blade. In the blade, click TestVNet. In
the TestVNet blade, click Subnets to see the created subnets, as shown in the following picture:
Next steps
A virtual machine (VM) to a virtual network by reading the Create a Windows VM or Create a Linux VM articles.
Instead of creating a VNet and subnet in the steps of the articles, you can select an existing VNet and subnet to
connect a VM to.
VPN and Link a VNet to an ExpressRoute circuit articles.
Create network security groups using the Azure
portal
You can use an NSG to control traffic to one or more virtual machines (VMs), role instances, network adapters
(NICs), or subnets in your virtual network. An NSG contains access control rules that allow or deny traffic based on
traffic direction, protocol, source address and port, and destination address and port. The rules of an NSG can be
changed at any time, and changes are applied to all associated instances.
For more information about NSGs, visit what is an NSG.
IMPORTANT
Before you work with Azure resources, it's important to understand that Azure currently has two deployment models: Azure
Resource Manager and classic. Make sure you understand deployment models and tools before you work with any Azure
resource. You can view the documentation for different tools by clicking the tabs at the top of this article.
This article covers the Resource Manager deployment model. You can also create NSGs in the classic deployment
model.
Scenario
To better illustrate how to create NSGs, this document will use the scenario below.
In this scenario you will create an NSG for each subnet in the TestVNet virtual network, as described below:
NSG-FrontEnd. The front end NSG will be applied to the FrontEnd subnet, and contain two rules:
rdp-rule. This rule will allow RDP traffic to the FrontEnd subnet.
web-rule. This rule will allow HTTP traffic to the FrontEnd subnet.
NSG-BackEnd. The back end NSG will be applied to the BackEnd subnet, and contain two rules:
sql-rule. This rule allows SQL traffic only from the FrontEnd subnet.
web-rule. This rule denies all internet bound traffic from the BackEnd subnet.
The combination of these rules create a DMZ-like scenario, where the back end subnet can only receive incoming
traffic for SQL from the front end subnet, and has no access to the Internet, while the front end subnet can
communicate with the Internet, and receive incoming HTTP requests only.
The sample PowerShell commands below expect a simple environment already created based on the scenario
above. If you want to run the commands as they are displayed in this document, first build the test environment
by deploying this template, click Deploy to Azure, replace the default parameter values if necessary, and follow
the instructions in the portal. The steps below use RG-NSG as the name of the resource group the template was
deployed to.
Create the NSG-FrontEnd NSG

To create the NSG-FrontEnd NSG as shown in the scenario above, follow the steps below.
1. From a browser, navigate to http://portal.azure.com and, if necessary, sign in with your Azure account.
2. Click Browse > > Network Security Groups.
3. In the Network security groups blade, click Add.

4. In the Create network security group blade, create an NSG named NSG-FrontEnd in the RG-NSG
resource group, and then click Create.
Create rules in an existing NSG

To create rules in an existing NSG from the Azure portal, follow the steps below.
1. Click Browse > > Network security groups.
2. In the list of NSGs, click NSG-FrontEnd > Inbound security rules
3. In the list of Inbound security rules, click Add.
4. In the Add inbound security rule blade, create a rule named web-rule with priority of 200 allowing access
via TCP to port 80 to any VM from any source, and then click OK. Notice that most of these settings are
default values already.
5. After a few seconds you will see the new rule in the NSG.
6. Repeat steps to 6 to create an inbound rule named rdp-rule with a priority of 250 allowing access via TCP to
port 3389 to any VM from any source.
Associate the NSG to the FrontEnd subnet

1. Click Browse > > Resource groups > RG-NSG.
2. In the RG-NSG blade, click ... > TestVNet.
3. In the Settings blade, click Subnets > FrontEnd > Network security group > NSG-FrontEnd.
4. In the FrontEnd blade, click Save.

Create the NSG-BackEnd NSG
To create the NSG-BackEnd NSG and associate it to the BackEnd subnet, follow the steps below.
1. Repeat the steps in Create the NSG-FrontEnd NSG to create an NSG named NSG-BackEnd
2. Repeat the steps in Create rules in an existing NSG to create the inbound rules in the table below.
INBOUND RULE OUTBOUND RULE
3. Repeat the steps in Associate the NSG to the FrontEnd subnet to associate the NSG-Backend NSG to the
BackEnd subnet.
Next Steps
Learn how to manage existing NSGs
Enable logging for NSGs.
Create network security groups using PowerShell
two models, read the Understand Azure deployment models article. This article covers the Resource Manager
deployment model. You can also create NSGs in the classic deployment model.
Scenario
above. If you want to run the commands as they are displayed in this document, first build the test environment by
deploying this template, click Deploy to Azure, replace the default parameter values if necessary, and follow the
instructions in the portal.
How to create the NSG for the front end subnet

To create an NSG named NSG-FrontEnd based on the scenario, complete the following steps:
1. If you have never used Azure PowerShell, see How to Install and Configure Azure PowerShell and follow the
instructions all the way to the end to sign into Azure and select your subscription.
2. Create a security rule allowing access from the Internet to port 3389.
$rule1 = New-AzureRmNetworkSecurityRuleConfig -Name rdp-rule -Description "Allow RDP" `

-Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
-SourceAddressPrefix Internet -SourcePortRange * `
-DestinationAddressPrefix * -DestinationPortRange 3389
$rule2 = New-AzureRmNetworkSecurityRuleConfig -Name web-rule -Description "Allow HTTP" `

-SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * `
-DestinationPortRange 80
4. Add the rules created above to a new NSG named NSG-FrontEnd.
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName TestRG -Location westus `

-Name "NSG-FrontEnd" -SecurityRules $rule1,$rule2
5. Check the rules created in the NSG by typing the following:
$nsg
Output showing just the security rules:

SecurityRules : [
{
"Name": "rdp-rule",
"Etag": "W/\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\"",
xxxxxxxxxxxx/resourceGroups/TestRG/providers/Microsoft.Network/networkSecurityGroups/NSG-
FrontEnd/securityRules/rdp-rule",
"Description": "Allow RDP",
"Protocol": "Tcp",
"SourcePortRange": "*",
"DestinationPortRange": "3389",
"SourceAddressPrefix": "Internet",
"DestinationAddressPrefix": "*",
"Access": "Allow",
"Priority": 100,
"Direction": "Inbound",
},
{
"Name": "web-rule",
xxxxxxxxxxxx/resourceGroups/TestRG/providers/Microsoft.Network/networkSecurityGroups/NSG-
FrontEnd/securityRules/web-rule",
"Description": "Allow HTTP",
"Protocol": "Tcp",
"Access": "Allow",
"Priority": 101,
}
]
6. Associate the NSG created above to the FrontEnd subnet.

Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name FrontEnd `
-AddressPrefix 192.168.1.0/24 -NetworkSecurityGroup $nsg
Output showing only the FrontEnd subnet settings, notice the value for the NetworkSecurityGroup
property:
Subnets : [
{
"Name": "FrontEnd",
xxxxxxxxxxxx/resourceGroups/TestRG/providers/Microsoft.Network/virtualNetworks/TestVNet/subnets/FrontEn
d",
"AddressPrefix": "192.168.1.0/24",
"IpConfigurations": [
{
xxxxxxxxxxxx/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/TestNICWeb2/ipConfigur
ations/ipconfig1"
},
{
xxxxxxxxxxxx/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/TestNICWeb1/ipConfigur
ations/ipconfig1"
}
],
"NetworkSecurityGroup": {
xxxxxxxxxxxx/resourceGroups/TestRG/providers/Microsoft.Network/networkSecurityGroups/NSG-FrontEnd"
},
"RouteTable": null,
}
WARNING
The output for the command above shows the content for the virtual network configuration object, which only exists
on the computer where you are running PowerShell. You need to run the Set-AzureRmVirtualNetwork cmdlet to
save these settings to Azure.
7. Save the new VNet settings to Azure.
Output showing just the NSG portion:
xxxxxxxxxxxx/resourceGroups/TestRG/providers/Microsoft.Network/networkSecurityGroups/NSG-FrontEnd"
}
How to create the NSG for the back-end subnet

To create an NSG named NSG-BackEnd based on the scenario above, complete the following steps:
1. Create a security rule allowing access from the front-end subnet to port 1433 (default port used by SQL
Server).
$rule1 = New-AzureRmNetworkSecurityRuleConfig -Name frontend-rule `

-Description "Allow FE subnet" `
-SourceAddressPrefix 192.168.1.0/24 -SourcePortRange * `
-DestinationAddressPrefix * -DestinationPortRange 1433
2. Create a security rule blocking access to the Internet.
$rule2 = New-AzureRmNetworkSecurityRuleConfig -Name web-rule `

-Description "Block Internet" `
-Access Deny -Protocol * -Direction Outbound -Priority 200 `
-SourceAddressPrefix * -SourcePortRange * `
-DestinationAddressPrefix Internet -DestinationPortRange *
3. Add the rules created above to a new NSG named NSG-BackEnd.
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName TestRG `

-Location westus -Name "NSG-BackEnd" `
-SecurityRules $rule1,$rule2
4. Associate the NSG created above to the BackEnd subnet.
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name BackEnd `

-AddressPrefix 192.168.2.0/24 -NetworkSecurityGroup $nsg
Output showing only the BackEnd subnet settings, notice the value for the NetworkSecurityGroup
property:
Subnets : [
{
"Name": "BackEnd",
xxxxxxxxxxxx/resourceGroups/TestRG/providers/Microsoft.Network/virtualNetworks/TestVNet/subnets/BackEnd
",
"AddressPrefix": "192.168.2.0/24",
"IpConfigurations": [...],
xxxxxxxxxxxx/resourceGroups/TestRG/providers/Microsoft.Network/networkSecurityGroups/NSG-BackEnd"
},
"RouteTable": null,
}
5. Save the new VNet settings to Azure.
How to remove an NSG

To delete an existing NSG, called NSG-Frontend in this case, follow the step below:
Run the Remove-AzureRmNetworkSecurityGroup shown below and be sure to include the resource group the
NSG is in.
Remove-AzureRmNetworkSecurityGroup -Name "NSG-FrontEnd" -ResourceGroupName "TestRG"

Create network security groups using the Azure CLI
2.0

Azure CLI 2.0 - our next generation CLI for the resource management deployment model (this article)
Scenario
The sample Azure CLI 2.0 commands following expect a simple environment already created based on the
scenario preceding.
Create the NSG for the FrontEnd subnet

To create an NSG named NSG-FrontEnd based on the scenario preceding, follow the steps following.
1. If you haven't yet, install and configure the latest Azure CLI 2.0 and log in to an Azure account using az
login.
2. Create an NSG using the az network nsg create command.
az network nsg create \

--resource-group testrg \
--name NSG-FrontEnd \
--location centralus
Parameters:
--resource-group : Name of the resource group where the NSG is created. For our scenario, TestRG.
--location : Azure region where the new NSG is created. For our scenario, westus.
--name : Name for the new NSG. For our scenario, NSG-FrontEnd.
The expected output is quite a bit of information including a list of all the default rules. The following
example shows the default rules using a JMESPATH query filter with the table output format:
az network nsg show \

-g testrg \
-n nsg-frontend \
--query 'defaultSecurityRules[].
{Access:access,Desc:description,DestPortRange:destinationPortRange,Direction:direction,Priority:
priority}' \
-o table
Output:
Access Desc DestPortRange Direction

Priority
Allow Allow inbound traffic from all VMs in VNET * Inbound

65000
Allow Allow inbound traffic from azure load balancer * Inbound
65001
Deny Deny all inbound traffic * Inbound
65500
Allow Allow outbound traffic from all VMs to all VMs in VNET * Outbound
65000
Allow Allow outbound traffic from all VMs to Internet * Outbound
65001
Deny Deny all outbound traffic * Outbound
65500
3. Create a rule that allows access to port 3389 (RDP) from the Internet with the az network nsg rule create
command.
NOTE
Depending on the shell you are using, you might need to modify the * character in the arguments following so as
not to expand the argument before execution.
az network nsg rule create \

--nsg-name NSG-FrontEnd \
--name rdp-rule \
--access Allow \
--protocol Tcp \
--direction Inbound \
--priority 100 \
--source-address-prefix Internet \
--source-port-range "*" \
--destination-address-prefix "*" \
--destination-port-range 3389
Expected output:
{
"access": "Allow",
"description": null,
"destinationAddressPrefix": "*",
"destinationPortRange": "3389",
"direction": "Inbound",
"etag": "W/\"<guid>\"",
"id":
"/subscriptions/<guid>/resourceGroups/testrg/providers/Microsoft.Network/networkSecurityGroups/NSG-
FrontEnd/securityRules/rdp-rule",
"name": "rdp-rule",
"priority": 100,
"protocol": "Tcp",
"resourceGroup": "testrg",
"sourceAddressPrefix": "Internet",
"sourcePortRange": "*"
}
Parameters:
--resource-group testrg : The resource group to use. Note that it is case-insensitive.
--nsg-name NSG-FrontEnd : Name of the NSG in which the rule is created.
--name rdp-rule : Name for the new rule.
--access Allow : Access level for the rule (Deny or Allow).
--protocol Tcp : Protocol (Tcp, Udp, or *).
--direction Inbound : Direction of the connection (Inbound or Outbound).
--priority 100 : Priority for the rule.
--source-address-prefix Internet : Source address prefix in CIDR or using default tags.
--source-port-range "*" : Source port or port range. Port that opened the connection.
--destination-address-prefix "*" : Destination address prefix in CIDR or using default tags.
--destination-port-range 3389 : Destination port or port range. Port that receives the connection request.
4. Create a rule that allows access to port 80 (HTTP) from the Internet az network nsg rule create command.
--name web-rule \
--access Allow \
--protocol Tcp \
--priority 200 \
--source-address-prefix Internet \
Expected putput:
{
"access": "Allow",
"etag": "W/\"<guid>\"",
"id":
FrontEnd/securityRules/web-rule",
"name": "web-rule",
"priority": 200,
"protocol": "Tcp",
}
5. Bind the NSG to the FrontEnd subnet with the az network vnet subnet update command.
az network vnet subnet update \

--vnet-name TestVNET \
--name FrontEnd \
--network-security-group NSG-FrontEnd
Expected output:
{
"addressPrefix": "192.168.1.0/24",
"etag": "W/\"<guid>\"",
"id":
"/subscriptions/<guid>/resourceGroups/testrg/providers/Microsoft.Network/virtualNetworks/TestVNET/subne
ts/FrontEnd",
"ipConfigurations": [
{
"etag": null,
"id":
"/subscriptions/<guid>/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/TestNIC/ipCo
nfigurations/ipconfig1",
"name": null,
"privateIpAddress": null,
"privateIpAllocationMethod": null,
"provisioningState": null,
"publicIpAddress": null,
"resourceGroup": "TestRG",
"subnet": null
}
],
"name": "FrontEnd",
"networkSecurityGroup": {
"defaultSecurityRules": null,
"etag": null,
"id":
"/subscriptions/<guid>f/resourceGroups/testrg/providers/Microsoft.Network/networkSecurityGroups/NSG-
FrontEnd",
"location": null,
"name": null,
"networkInterfaces": null,
"resourceGuid": null,
"securityRules": null,
"subnets": null,
"tags": null,
"type": null
},
"routeTable": null
}
Create the NSG for the BackEnd subnet

To create an NSG named NSG-BackEnd based on the scenario preceding, follow the steps following.
1. Create the NSG-BackEnd NSG with az network nsg create.

--name NSG-BackEnd \
As in step 2, preceding, the expected output is quite large, including default rules.
2. Create a rule that allows access to port 1433 (SQL) from the FrontEnd subnet with the az network nsg
rule create command.
--nsg-name NSG-BackEnd \
--name sql-rule \
--access Allow \
--protocol Tcp \
--priority 100 \
--source-address-prefix 192.168.1.0/24 \
Expected output:
{
"access": "Allow",
"etag": "W/\"<guid>\"",
"id":
BackEnd/securityRules/sql-rule",
"name": "sql-rule",
"priority": 100,
"protocol": "Tcp",
"sourceAddressPrefix": "192.168.1.0/24",
}
3. Create a rule that denies access to the Internet using the az network nsg rule create command.

--nsg-name NSG-BackEnd \
--name web-rule \
--access Deny \
--protocol Tcp \
--direction Outbound \
--priority 200 \
--source-address-prefix "*" \
--destination-port-range "*"
Expected putput:
{
"access": "Deny",
"destinationPortRange": "*",
"direction": "Outbound",
"etag": "W/\"<guid>\"",
"id":
BackEnd/securityRules/web-rule",
"name": "web-rule",
"priority": 200,
"protocol": "Tcp",
"sourceAddressPrefix": "*",
}
4. Bind the NSG to the BackEnd subnet using the az network vnet subnet set command.

--vnet-name TestVNET \
--name BackEnd \
--network-security-group NSG-BackEnd
Expected output:
{
"addressPrefix": "192.168.2.0/24",
"etag": "W/\"<guid>\"",
"id":
"/subscriptions/<guid>/resourceGroups/testrg/providers/Microsoft.Network/virtualNetworks/TestVNET/subne
ts/BackEnd",
"name": "BackEnd",
"etag": null,
"id":
BackEnd",
"location": null,
"name": null,
"subnets": null,
"tags": null,
"type": null
},
"routeTable": null
}
Create network security groups using an Azure
Resource Manager template
IMPORTANT
This article covers the Resource Manager deployment model. You can also create NSGs in the classic deployment
model.
Scenario
NSG resources in a template file

You can view and download the sample template.
The following section shows the definition of the front-end NSG, based on the scenario.
"apiVersion": "2015-06-15",
"type": "Microsoft.Network/networkSecurityGroups",
"name": "[parameters('frontEndNSGName')]",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "NSG - Front End"
},
"properties": {
"securityRules": [
{
"name": "rdp-rule",
"properties": {
"description": "Allow RDP",
"protocol": "Tcp",
"sourcePortRange": "*",
"access": "Allow",
"priority": 100,
"direction": "Inbound"
}
},
{
"name": "web-rule",
"properties": {
"description": "Allow WEB",
"protocol": "Tcp",
"sourcePortRange": "*",
"access": "Allow",
"priority": 101,
"direction": "Inbound"
}
}
]
}
To associate the NSG to the front-end subnet, you have to change the subnet definition in the template, and use
the reference id for the NSG.
"subnets": [
{
"name": "[parameters('frontEndSubnetName')]",
"properties": {
"addressPrefix": "[parameters('frontEndSubnetPrefix')]",
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('frontEndNSGName'))]"
}
}
},
Notice the same being done for the back-end NSG and the back-end subnet in the template.
Deploy the ARM template by using click to deploy

The sample template available in the public repository uses a parameter file containing the default values used to
generate the scenario described above. To deploy this template using click to deploy, follow this link, click Deploy
to Azure, replace the default parameter values if necessary, and follow the instructions in the portal.
Deploy the ARM template by using PowerShell

To deploy the ARM template you downloaded by using PowerShell, follow the steps below.
1. If you have never used Azure PowerShell, follow the instructions in the How to Install and Configure Azure
PowerShell to install and configure it.
2. Run the New-AzureRmResourceGroup cmdlet to create a resource group using the template.
New-AzureRmResourceGroup -Name TestRG -Location uswest `

-TemplateFile 'https://raw.githubusercontent.com/telmosampaio/azure-templates/master/201-IaaS-
WebFrontEnd-SQLBackEnd/azuredeploy.json' `
-TemplateParameterFile 'https://raw.githubusercontent.com/telmosampaio/azure-templates/master/201-IaaS-
WebFrontEnd-SQLBackEnd/azuredeploy.parameters.json'
Expected output:
Location : westus
Tags :
Permissions :
Actions NotActions
======= ==========
*
Resources :
Name Type Location
================== ======================================= ========
sqlAvSet Microsoft.Compute/availabilitySets westus
webAvSet Microsoft.Compute/availabilitySets westus
SQL1 Microsoft.Compute/virtualMachines westus
Web1 Microsoft.Compute/virtualMachines westus
Web2 Microsoft.Compute/virtualMachines westus
TestNICSQL1 Microsoft.Network/networkInterfaces westus
TestNICSQL2 Microsoft.Network/networkInterfaces westus
TestNICWeb1 Microsoft.Network/networkInterfaces westus
TestNICWeb2 Microsoft.Network/networkInterfaces westus
NSG-BackEnd Microsoft.Network/networkSecurityGroups westus
NSG-FrontEnd Microsoft.Network/networkSecurityGroups westus
TestPIPSQL1 Microsoft.Network/publicIPAddresses westus
TestPIPSQL2 Microsoft.Network/publicIPAddresses westus
TestPIPWeb1 Microsoft.Network/publicIPAddresses westus
TestPIPWeb2 Microsoft.Network/publicIPAddresses westus
TestVNet Microsoft.Network/virtualNetworks westus
testvnetstorageprm Microsoft.Storage/storageAccounts westus
testvnetstoragestd Microsoft.Storage/storageAccounts westus
Deploy the ARM template by using the Azure CLI

To deploy the ARM template by using the Azure CLI, follow the steps below.
1. If you have never used Azure CLI, see Install and Configure the Azure CLI and follow the instructions up to the
point where you select your Azure account and subscription.
2. Run the azure config mode command to switch to Resource Manager mode, as shown below.
azure config mode arm
The following is the expected output for the command:
info: New mode is arm
3. Run the azure group deployment create cmdlet to deploy the new VNet by using the template and
parameter files you downloaded and modified above. The list shown after the output explains the
parameters used.
azure group create -n TestRG -l westus -f 'https://raw.githubusercontent.com/telmosampaio/azure-

templates/master/201-IaaS-WebFrontEnd-SQLBackEnd/azuredeploy.json' -e
'https://raw.githubusercontent.com/telmosampaio/azure-templates/master/201-IaaS-WebFrontEnd-
SQLBackEnd/azuredeploy.parameters.json'
Expected output:
info: Executing command group create
info: Getting resource group TestRG
info: Creating resource group TestRG
info: Created resource group TestRG
info: Initializing template configurations and parameters
info: Creating a deployment
info: Created template deployment "azuredeploy"
data: Id: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-
xxxxxxxxxxxx/resourceGroups/TestRG
data: Name: TestRG
data: Location: westus
data: Provisioning State: Succeeded
data: Tags: null
data:
info: group create command OK
-n (or --name). Name of the resource group to be created.

-l (or --location). Azure region where the resource group will be created.
-f (or --template-file). Path to your ARM template file.
-e (or --parameters-file). Path to your ARM parameters file.
How to create NSGs (classic) in PowerShell
(NICs), or subnets in your virtual network. An NSG contains access control rules that allow or deny traffic based
on traffic direction, protocol, source address and port, and destination address and port. The rules of an NSG can
be changed at any time, and changes are applied to all associated instances.
IMPORTANT
Before you work with Azure resources, it's important to understand that Azure currently has two deployment models:
Azure Resource Manager and classic. Make sure you understand deployment models and tools before you work with any
Azure resource. You can view the documentation for different tools by clicking the tabs at the top of this article.
This article covers the classic deployment model. You can also create NSGs in the Resource Manager deployment
model.
Scenario
by creating a VNet.
How to create the NSG for the front-end subnet

To create an NSG named named NSG-FrontEnd based on the scenario above, follow the steps below:
2. Create a network security group named NSG-FrontEnd.
New-AzureNetworkSecurityGroup -Name "NSG-FrontEnd" -Location uswest `

-Label "Front end subnet NSG"
Expected output:
Name Location Label
NSG-FrontEnd West US Front end subnet NSG
Get-AzureNetworkSecurityGroup -Name "NSG-FrontEnd" `

| Set-AzureNetworkSecurityRule -Name rdp-rule `
-Action Allow -Protocol TCP -Type Inbound -Priority 100 `
-SourceAddressPrefix Internet -SourcePortRange '*' `
-DestinationAddressPrefix '*' -DestinationPortRange '3389'
Expected output:
Name : NSG-FrontEnd
Location : Central US
Label : Front end subnet NSG
Rules :
Type: Inbound
Name Priority Action Source Address Source Port Destination

Destination Protocol
Prefix Range Address Prefix
Port Range
rdp-rule 100 Allow INTERNET * *

3389 TCP
ALLOW VNET INBOUND 65000 Allow VIRTUAL_NETWORK * VIRTUAL_NETWORK *
*
ALLOW AZURE LOAD 65001 Allow AZURE_LOADBALAN * * *
*
BALANCER INBOUND CER
DENY ALL INBOUND 65500 Deny * * * *
*
Type: Outbound

Port Range
ALLOW VNET OUTBOUND 65000 Allow VIRTUAL_NETWORK * VIRTUAL_NETWORK *

*
ALLOW INTERNET 65001 Allow * * INTERNET *
*
OUTBOUND
DENY ALL OUTBOUND 65500 Deny * * * *
*

| Set-AzureNetworkSecurityRule -Name web-rule `
Expected output:
Name : NSG-FrontEnd
Label : Front end subnet NSG
Rules :
Type: Inbound

Port Range
rdp-rule 100 Allow INTERNET * *

3389 TCP
web-rule 200 Allow INTERNET * * 80
TCP
*
*
*
Type: Outbound

Prefix Range Address Prefix Port
Range

*
*
OUTBOUND
*
How to create the NSG for the back end subnet

1. Create a network security group named NSG-BackEnd.
New-AzureNetworkSecurityGroup -Name "NSG-BackEnd" -Location uswest `

-Label "Back end subnet NSG"
Expected output:
Name Location Label
NSG-BackEnd West US Back end subnet NSG
2. Create a security rule allowing access from the front end subnet to port 1433 (default port used by SQL
Server).
| Set-AzureNetworkSecurityRule -Name rdp-rule `
-SourceAddressPrefix 192.168.1.0/24 -SourcePortRange '*' `
Expected output:
Name : NSG-BackEnd
Label : Back end subnet NSG
Rules :
Type: Inbound

Port Range
fe-rule 100 Allow 192.168.1.0/24 * *

1433 TCP
*
*
*
Type: Outbound

Port Range

*
*
OUTBOUND
*
3. Create a security rule blocking access from the subnet to the Internet.
Get-AzureNetworkSecurityGroup -Name "NSG-BackEnd" `

| Set-AzureNetworkSecurityRule -Name block-internet `
-Action Deny -Protocol '*' -Type Outbound -Priority 200 `
-SourceAddressPrefix '*' -SourcePortRange '*' `
-DestinationAddressPrefix Internet -DestinationPortRange '*'
Expected output:
Name : NSG-BackEnd
Label : Back end subnet NSG
Rules :
Type: Inbound

Port Range
fe-rule 100 Allow 192.168.1.0/24 * *

1433 TCP
*
*
*
Type: Outbound

Port Range
block-internet 200 Deny * * INTERNET *

*
*
*
OUTBOUND
*
How to create NSGs (classic) in the Azure CLI
IMPORTANT
This article covers the classic deployment model. You can also create NSGs in the Resource Manager deployment
model.
Scenario
The sample Azure CLI commands below expect a simple environment already created based on the scenario
by creating a VNet.
How to create the NSG for the front end subnet

To create an NSG named named NSG-FrontEnd based on the scenario above, follow the steps below.
2. Run the azure config mode command to switch to classic mode, as shown below.
azure config mode asm
Expected output:
info: New mode is asm
3. Run the azure network nsg create command to create an NSG.
azure network nsg create -l uswest -n NSG-FrontEnd
Expected output:
info: Executing command network nsg create
info: Creating a network security group "NSG-FrontEnd"
info: Looking up the network security group "NSG-FrontEnd"
data: Name : NSG-FrontEnd
data: Location : West US
data: Security group rules:
data: Name Source IP Source Port Destination IP
Destination Port Protocol Type Action Prior
ity Default
data: --------------------------------- ------------------ ----------- --------------- --------
-------- -------- -------- ------ -----
--- -------
data: ALLOW VNET OUTBOUND VIRTUAL_NETWORK * VIRTUAL_NETWORK *
* Outbound Allow 65000
true
data: ALLOW VNET INBOUND VIRTUAL_NETWORK * VIRTUAL_NETWORK *
* Inbound Allow 65000
true
data: ALLOW AZURE LOAD BALANCER INBOUND AZURE_LOADBALANCER * * *
true
data: ALLOW INTERNET OUTBOUND * * INTERNET *
true
data: DENY ALL OUTBOUND * * * *
* Outbound Deny 65500
true
data: DENY ALL INBOUND * * * *
* Inbound Deny 65500
true
info: network nsg create command OK
Parameters:
-l (or --location). Azure region where the new NSG will be created. For our scenario, westus.
-n (or --name). Name for the new NSG. For our scenario, NSG-FrontEnd.
4. Run the azure network nsg rule create command to create a rule that allows access to port 3389 (RDP)
from the Internet.
azure network nsg rule create -a NSG-FrontEnd -n rdp-rule -c Allow -p Tcp -r Inbound -y 100 -f
Internet -o * -e * -u 3389
Expected output:
info: Executing command network nsg rule create

info: Creating a network security rule "rdp-rule"
data: Name : rdp-rule
data: Source address prefix : INTERNET
data: Source Port : *
data: Destination address prefix : *
data: Destination Port : 3389
data: Protocol : TCP
data: Type : Inbound
data: Action : Allow
data: Priority : 100
info: network nsg rule create command OK
Parameters:
-a (or --nsg-name). Name of the NSG in which the rule will be created. For our scenario, NSG-
FrontEnd.
-n (or --name). Name for the new rule. For our scenario, rdp-rule.
-c (or --action). Access level for the rule (Deny or Allow).
-p (or --protocol). Protocol (Tcp, Udp, or *) for the rule.
-r (or --type). Direction of connection (Inbound or Outbound).
-y (or --priority). Priority for the rule.
-f (or --source-address-prefix). Source address prefix in CIDR or using default tags.
-o (or --source-port-range). Source port, or port range.
-e (or --destination-address-prefix). Destination address prefix in CIDR or using default tags.
-u (or --destination-port-range). Destination port, or port range.
5. Run the azure network nsg rule create command to create a rule that allows access to port 80 (HTTP) from
the Internet.
azure network nsg rule create -a NSG-FrontEnd -n web-rule -c Allow -p Tcp -r Inbound -y 200 -f
Internet -o * -e * -u 80
Expected putput:

info: Creating a network security rule "web-rule"
data: Name : web-rule
data: Source address prefix : INTERNET
6. Run the azure network nsg subnet add command to link the NSG to the front end subnet.
azure network nsg subnet add -a NSG-FrontEnd --vnet-name TestVNet --subnet-name FrontEnd
Expected output:
info: Executing command network nsg subnet add

info: Looking up the subnet "FrontEnd"
info: Looking up network configuration
info: Creating a network security group "NSG-FrontEnd"
info: network nsg subnet add command OK
How to create the NSG for the back end subnet

To create an NSG named named NSG-BackEnd based on the scenario above, follow the steps below.
1. Run the azure network nsg create command to create an NSG.
azure network nsg create -l uswest -n NSG-BackEnd
Expected output:
info: Executing command network nsg create

info: Creating a network security group "NSG-BackEnd"
info: Looking up the network security group "NSG-BackEnd"
data: Name : NSG-BackEnd
data: Security group rules:
data: Name Source IP Source Port Destination IP
Destination Port Protocol Type Action Prior
ity Default
data: --------------------------------- ------------------ ----------- --------------- --------
-------- -------- -------- ------ -----
--- -------
data: ALLOW VNET OUTBOUND VIRTUAL_NETWORK * VIRTUAL_NETWORK *
true
data: ALLOW VNET INBOUND VIRTUAL_NETWORK * VIRTUAL_NETWORK *
true
data: ALLOW AZURE LOAD BALANCER INBOUND AZURE_LOADBALANCER * * *
true
data: ALLOW INTERNET OUTBOUND * * INTERNET *
true
data: DENY ALL OUTBOUND * * * *
* Outbound Deny 65500
true
data: DENY ALL INBOUND * * * *
* Inbound Deny 65500
true
info: network nsg create command OK
Parameters:
2. Run the azure network nsg rule create command to create a rule that allows access to port 1433 (SQL)
from the front end subnet.
azure network nsg rule create -a NSG-BackEnd -n sql-rule -c Allow -p Tcp -r Inbound -y 100 -f
192.168.1.0/24 -o * -e * -u 1433
Expected output:
info: Creating a network security rule "sql-rule"
data: Name : sql-rule
data: Source address prefix : 192.168.1.0/24
3. Run the azure network nsg rule create command to create a rule that denies access to the Internet.
azure network nsg rule create -a NSG-BackEnd -n web-rule -c Deny -p Tcp -r Outbound -y 200 -f * -o * -
e Internet -u 80
Expected putput:

info: Creating a network security rule "web-rule"
data: Name : web-rule
data: Source address prefix : *
data: Destination address prefix : INTERNET
data: Type : Outbound
data: Action : Deny
4. Run the azure network nsg subnet add command to link the NSG to the back end subnet.
azure network nsg subnet add -a NSG-BackEnd --vnet-name TestVNet --subnet-name BackEnd
Expected output:
info: Executing command network nsg subnet add

info: Looking up the network security group "NSG-BackEndX"
info: Looking up the subnet "BackEnd"
info: Creating a network security group "NSG-BackEndX"
info: network nsg subnet add command OK
Create User-Defined Routes (UDR) using PowerShell
Some of the cases where virtual appliances can be used include:
Monitoring traffic with an intrusion detection system (IDS)
Controlling traffic with a firewall
For more information about UDR and IP forwarding, visit User Defined Routes and IP Forwarding.
IMPORTANT
This article covers the Resource Manager deployment model. You can also create UDRs in the classic deployment
model.
Scenario
To better illustrate how to create UDRs, this document will use the scenario below.
In this scenario you will create one UDR for the Front end subnet and another UDR for the Back end subnet , as
described below:
UDR-FrontEnd. The front end UDR will be applied to the FrontEnd subnet, and contain one route:
RouteToBackend. This route will send all traffic to the back end subnet to the FW1 virtual machine.
UDR-BackEnd. The back end UDR will be applied to the BackEnd subnet, and contain one route:
RouteToFrontend. This route will send all traffic to the front end subnet to the FW1 virtual machine.
The combination of these routes will ensure that all traffic destined from one subnet to another will be routed to
the FW1 virtual machine, which is being used as a virtual appliance. You also need to turn on IP forwarding for that
VM, to ensure it can receive traffic destined to other VMs.
Prerequisite: Install the Azure PowerShell Module

To perform the steps in this article, you'll need to to install and configure Azure PowerShell and follow the
NOTE
If you don't have an Azure account, you'll need one. Go sign up for a free trial here.
Create the UDR for the front-end subnet

To create the route table and route needed for the front-end subnet based on the scenario above, complete the
following steps:
1. Create a route used to send all traffic destined to the back-end subnet (192.168.2.0/24) to be routed to the
FW1 virtual appliance (192.168.0.4).
$route = New-AzureRmRouteConfig -Name RouteToBackEnd `

-AddressPrefix 192.168.2.0/24 -NextHopType VirtualAppliance `
-NextHopIpAddress 192.168.0.4
2. Create a route table named UDR-FrontEnd in the westus region that contains the route.
$routeTable = New-AzureRmRouteTable -ResourceGroupName TestRG -Location westus `

-Name UDR-FrontEnd -Route $route
3. Create a variable that contains the VNet where the subnet is. In our scenario, the VNet is named TestVNet.
4. Associate the route table created above to the FrontEnd subnet.
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name FrontEnd `

-AddressPrefix 192.168.1.0/24 -RouteTable $routeTable
WARNING
The output for the command above shows the content for the virtual network configuration object, which only exists
on the computer where you are running PowerShell. You need to run the Set-AzureVirtualNetwork cmdlet to save
these settings to Azure.
5. Save the new subnet configuration in Azure.
Expected output:
Name : TestVNet
Location : westus
Etag : W/"[Id]"
Tags :
Name Value
=========== =====
displayName VNet
AddressSpace : {
"192.168.0.0/16"
]
}
DhcpOptions : {
"DnsServers": null
}
Subnets : [
...,
{
"Name": "FrontEnd",
"Etag": "W/\"[Id]\"",
"Id":
"/subscriptions/[Id]/resourceGroups/TestRG/providers/Microsoft.Network/virtualNetworks/TestVNet/subnets
/FrontEnd",
"AddressPrefix": "192.168.1.0/24",
{
Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/NICWEB2/ipConfigurations/ipconf
ig1"
},
{
Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/NICWEB1/ipConfigurations/ipconf
ig1"
}
],
Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkSecurityGroups/NSG-FrontEnd"
},
"RouteTable": {
Id]/resourceGroups/TestRG/providers/Microsoft.Network/routeTables/UDR-FrontEnd"
},
},
...
]
Create the UDR for the back-end subnet

To create the route table and route needed for the back-end subnet based on the scenario above, follow the steps
below.
1. Create a route used to send all traffic destined to the front-end subnet (192.168.1.0/24) to be routed to the
FW1 virtual appliance (192.168.0.4).
$route = New-AzureRmRouteConfig -Name RouteToFrontEnd `
-AddressPrefix 192.168.1.0/24 -NextHopType VirtualAppliance `
2. Create a route table named UDR-BackEnd in the uswest region that contains the route created above.
$routeTable = New-AzureRmRouteTable -ResourceGroupName TestRG -Location westus `

-Name UDR-BackEnd -Route $route
3. Associate the route table created above to the BackEnd subnet.
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name BackEnd `

-AddressPrefix 192.168.2.0/24 -RouteTable $routeTable
4. Save the new subnet configuration in Azure.
Expected output:
Name : TestVNet
Location : westus
Etag : W/"[Id]"
Tags :
Name Value
=========== =====
displayName VNet
AddressSpace : {
"192.168.0.0/16"
]
}
DhcpOptions : {
"DnsServers": null
}
Subnets : [
...,
{
"Name": "BackEnd",
"Etag": "W/\"[Id]\"",
Id]/resourceGroups/TestRG/providers/Microsoft.Network/virtualNetworks/TestVNet/subnets/BackEnd",
"AddressPrefix": "192.168.2.0/24",
{
Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/NICSQL2/ipConfigurations/ipconf
ig1"
},
{
Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/NICSQL1/ipConfigurations/ipconf
ig1"
}
],
Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkSecurityGroups/NSG-BacEnd"
},
"RouteTable": {
Id]/resourceGroups/TestRG/providers/Microsoft.Network/routeTables/UDR-BackEnd"
},
}
]
Enable IP forwarding on FW1

To enable IP forwarding in the NIC used by FW1, follow the steps below.
1. Create a variable that contains the settings for the NIC used by FW1. In our scenario, the NIC is named
NICFW1.
$nicfw1 = Get-AzureRmNetworkInterface -ResourceGroupName TestRG -Name NICFW1
2. Enable IP forwarding, and save the NIC settings.

$nicfw1.EnableIPForwarding = 1
Set-AzureRmNetworkInterface -NetworkInterface $nicfw1
Expected output:
Name : NICFW1
Location : westus
Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/NICFW1
Etag : W/"[Id]"
Tags :
Name Value
=========== =======================
displayName NetworkInterfaces - DMZ
VirtualMachine : {
Id]/resourceGroups/TestRG/providers/Microsoft.Compute/virtualMachines/FW1"
}
IpConfigurations : [
{
"Name": "ipconfig1",
"Etag": "W/\"[Id]\"",
Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/NICFW1/ipConfigurations/ipconfi
g1",
"PrivateIpAddress": "192.168.0.4",
"PrivateIpAllocationMethod": "Static",
"Subnet": {
Id]/resourceGroups/TestRG/providers/Microsoft.Network/virtualNetworks/TestVNet/subnets/DMZ"
},
"PublicIpAddress": {
Id]/resourceGroups/TestRG/providers/Microsoft.Network/publicIPAddresses/PIPFW1"
},
"LoadBalancerBackendAddressPools": [],
"LoadBalancerInboundNatRules": [],
}
]
DnsSettings : {
"DnsServers": [],
"AppliedDnsServers": [],
"InternalDnsNameLabel": null,
"InternalFqdn": null
}
EnableIPForwarding : True
NetworkSecurityGroup : null
Primary : True
Create User-Defined Routes (UDR) using the Azure
CLI 2.0

Scenario
Scenario
described below:
the FW1 virtual machine, which is being used as a virtual appliance. You also need to turn on IP forwarding for that
VM, to ensure it can receive traffic destined to other VMs.
Create the UDR for the front-end subnet

To create the route table and route needed for the front end subnet based on the scenario above, follow the steps
below.
1. Create a route table for the front-end subnet with the az network route-table create command:
az network route-table create \

--name UDR-FrontEnd
Output:
{
"etag": "W/\"<guid>\"",
"id": "/subscriptions/<guid>/resourceGroups/testrg/providers/Microsoft.Network/routeTables/UDR-
FrontEnd",
"location": "centralus",
"name": "UDR-FrontEnd",
"routes": [],
"subnets": null,
"tags": null,
"type": "Microsoft.Network/routeTables"
}
2. Create a route that sends all traffic destined to the back-end subnet (192.168.2.0/24) to the FW1 VM
(192.168.0.4) using the az network route-table route create command:
az network route-table route create \

--name RouteToBackEnd \
--route-table-name UDR-FrontEnd \
--address-prefix 192.168.2.0/24 \
--next-hop-type VirtualAppliance \
--next-hop-ip-address 192.168.0.4
Output:
{
"addressPrefix": "192.168.2.0/24",
"etag": "W/\"<guid>\"",
FrontEnd/routes/RouteToBackEnd",
"name": "RouteToBackEnd",
"nextHopIpAddress": "192.168.0.4",
"nextHopType": "VirtualAppliance",
"resourceGroup": "testrg"
}
Parameters:
--route-table-name. Name of the route table where the route will be added. For our scenario, UDR-
FrontEnd.
--address-prefix. Address prefix for the subnet where packets are destined to. For our scenario,
192.168.2.0/24.
--next-hop-type. Type of object traffic will be sent to. Possible values are VirtualAppliance,
VirtualNetworkGateway, VNETLocal, Internet, or None.
--next-hop-ip-address. IP address for next hop. For our scenario, 192.168.0.4.
3. Run the az network vnet subnet update command to associate the route table created above with the
FrontEnd subnet:

--name FrontEnd \
--route-table UDR-FrontEnd
Output:
{
"addressPrefix": "192.168.1.0/24",
"etag": "W/\"<guid>\"",
"id":
"/subscriptions/<guid>/resourceGroups/testrg/providers/Microsoft.Network/virtualNetworks/testvnet/subne
ts/FrontEnd",
"name": "FrontEnd",
"routeTable": {
"etag": null,
FrontEnd",
"location": null,
"name": null,
"routes": null,
"subnets": null,
"tags": null,
"type": null
}
}
Parameters:
--vnet-name. Name of the VNet where the subnet is located. For our scenario, TestVNet.

To create the route table and route needed for the back-end subnet based on the scenario above, complete the
following steps:
1. Run the following command to create a route table for the back-end subnet:
az network route-table create \

--name UDR-BackEnd \
2. Run the following command to create a route in the route table to send all traffic destined to the front-end
subnet (192.168.1.0/24) to the FW1 VM (192.168.0.4):
az network route-table route create \

--name RouteToFrontEnd \
--route-table-name UDR-BackEnd \
--address-prefix 192.168.1.0/24 \
--next-hop-type VirtualAppliance \
--next-hop-ip-address 192.168.0.4
3. Run the following command to associate the route table with the BackEnd subnet:

--name BackEnd \
--route-table UDR-BackEnd
Enable IP forwarding on FW1

To enable IP forwarding in the NIC used by FW1, complete the following steps:
1. Run the az network nic show command with a JMESPATH filter to display the current enable-ip-
forwarding value for Enable IP forwarding. It should be set to false.
az network nic show \

--nname nicfw1 \
--query 'enableIpForwarding' -o tsv
Output:
false
2. Run the following command to enable IP forwarding:

az network nic update \
--name nicfw1 \
--ip-forwarding true
You can examine the output streamed to the console, or just retest for the specific enableIpForwarding
value:
az network nic show -g testrg -n nicfw1 --query 'enableIpForwarding' -o tsv
Output:
true
Parameters:
--ip-forwarding: true or false.
Create User-Defined Routes (UDR) using a template
IMPORTANT
resource. You can view the documentation for different tools by clicking the tabs at the top of this article. This article covers
the Resource Manager deployment model.
Scenario
described below:
the FW1 virtual machine, which is being used as a virtual appliance. You also need to turn on IP forwarding for
that VM, to ensure it can receive traffic destined to other VMs.
UDR resources in a template file

The following section shows the definition of the front-end UDR in the azuredeploy-vnet-nsg-udr.json file for
the scenario:
"apiVersion": "2015-06-15",
"type": "Microsoft.Network/routeTables",
"name": "[parameters('frontEndRouteTableName')]",
"tags": {
"displayName": "UDR - FrontEnd"
},
"properties": {
"routes": [
{
"name": "RouteToBackEnd",
"properties": {
"addressPrefix": "[parameters('backEndSubnetPrefix')]",
"nextHopType": "VirtualAppliance",
"nextHopIpAddress": "[parameters('vmaIpAddress')]"
}
}
]
To associate the UDR to the front-end subnet, you have to change the subnet definition in the template, and use
the reference id for the UDR.
"subnets": [
"name": "[parameters('frontEndSubnetName')]",
"properties": {
"addressPrefix": "[parameters('frontEndSubnetPrefix')]",
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('frontEndNSGName'))]"
},
"routeTable": {
"id": "[resourceId('Microsoft.Network/routeTables', parameters('frontEndRouteTableName'))]"
}
},
Notice the same being done for the back-end NSG and the back-end subnet in the template.
You also need to ensure that the FW1 VM has the IP forwarding property enabled on the NIC that will be used to
receive and forward packets. The section below shows the definition of the NIC for FW1 in the azuredeploy-nsg-
udr.json file, based on the scenario above.
"apiVersion": "2015-06-15",
"type": "Microsoft.Network/networkInterfaces",
"location": "[variables('location')]",
"tags": {
"displayName": "NetworkInterfaces - DMZ"
},
"name": "[concat(variables('fwVMSettings').nicName, copyindex(1))]",
"dependsOn": [
"[concat('Microsoft.Network/publicIPAddresses/', variables('fwVMSettings').pipName, copyindex(1))]",
"[concat('Microsoft.Resources/deployments/', 'vnetTemplate')]"
],
"properties": {
{
"name": "ipconfig1",
"properties": {
"enableIPForwarding": true,
"privateIPAllocationMethod": "Static",
"privateIPAddress": "[concat('192.168.0.',copyindex(4))]",
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('fwVMSettings').pipName,
copyindex(1)))]"
},
"subnet": {
"id": "[variables('dmzSubnetRef')]"
}
}
}
]
},
"copy": {
"name": "fwniccount",
"count": "[parameters('fwCount')]"
}
Deploy the template by using click to deploy

generate the scenario described above. To deploy this template using click to deploy, follow this link, click Deploy
to Azure, replace the default parameter values if necessary, and follow the instructions in the portal.
2. Run the following command to create a resource group:
New-AzureRmResourceGroup -Name TestRG -Location westus
3. Run the following command to deploy the template:
New-AzureRmResourceGroupDeployment -Name DeployUDR -ResourceGroupName TestRG `

-TemplateUri https://raw.githubusercontent.com/telmosampaio/azure-templates/master/IaaS-NSG-
UDR/azuredeploy.json `
-TemplateParameterUri https://raw.githubusercontent.com/telmosampaio/azure-templates/master/IaaS-
NSG-UDR/azuredeploy.parameters.json
Expected output:
Location : westus
Tags :
Permissions :
Actions NotActions
======= ==========
*
Resources :
Name Type Location
================== ======================================= ========
ASFW Microsoft.Compute/availabilitySets westus
ASSQL Microsoft.Compute/availabilitySets westus
ASWEB Microsoft.Compute/availabilitySets westus
FW1 Microsoft.Compute/virtualMachines westus
WEB1 Microsoft.Compute/virtualMachines westus
WEB2 Microsoft.Compute/virtualMachines westus
NICFW1 Microsoft.Network/networkInterfaces westus
NICSQL1 Microsoft.Network/networkInterfaces westus
NICSQL2 Microsoft.Network/networkInterfaces westus
NICWEB1 Microsoft.Network/networkInterfaces westus
NICWEB2 Microsoft.Network/networkInterfaces westus
NSG-BackEnd Microsoft.Network/networkSecurityGroups westus
NSG-FrontEnd Microsoft.Network/networkSecurityGroups westus
PIPFW1 Microsoft.Network/publicIPAddresses westus
PIPSQL1 Microsoft.Network/publicIPAddresses westus
PIPSQL2 Microsoft.Network/publicIPAddresses westus
PIPWEB1 Microsoft.Network/publicIPAddresses westus
PIPWEB2 Microsoft.Network/publicIPAddresses westus
UDR-BackEnd Microsoft.Network/routeTables westus
UDR-FrontEnd Microsoft.Network/routeTables westus
TestVNet Microsoft.Network/virtualNetworks westus
testvnetstorageprm Microsoft.Storage/storageAccounts westus
testvnetstoragestd Microsoft.Storage/storageAccounts westus
Deploy the template by using the Azure CLI

To deploy the ARM template by using the Azure CLI, complete the following steps:
2. Run the following command to switch to Resource Manager mode:
Here is the expected output for the command above:
3. From your browser, navigate to https://raw.githubusercontent.com/telmosampaio/azure-

templates/master/IaaS-NSG-UDR/azuredeploy.parameters.json, copy the contents of the json file,
and paste into a new file in your computer. For this scenario, you would be copying the values below to a
file named c:\udr\azuredeploy.parameters.json.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"fwCount": {
"value": 1
},
"webCount": {
"value": 2
},
"sqlCount": {
"value": 2
}
}
}
4. Run the following command to deploy the new VNet by using the template and parameter files you
downloaded and modified above:
azure group create -n TestRG -l westus --template-uri

'https://raw.githubusercontent.com/telmosampaio/azure-templates/master/IaaS-NSG-UDR/azuredeploy.json' -
e 'c:\udr\azuredeploy.parameters.json'
Expected output:

info: Getting resource group TestRG
info: Updating resource group TestRG
info: Updated resource group TestRG
info: Initializing template configurations and parameters
info: Creating a deployment
data: Id: /subscriptions/[Subscription Id]/resourceGroups/TestRG
data: Name: TestRG
data: Tags: null
data:
5. Run the following command to view the resources created in the new resource group:
azure group show TestRG
Expected result:
info: Executing command group show

info: Listing resource groups
info: Listing resources for the group
data: Id: /subscriptions/[Subscription Id]/resourceGroups/TestRG
data: Name: TestRG
data: Tags: null
data: Resources:
data:
data: Id : /subscriptions/[Subscription
Id]/resourceGroups/TestRG/providers/Microsoft.Compute/availabilitySets/ASFW
data: Name : ASFW
data: Type : availabilitySets
data: Tags : displayName=AvailabilitySet - DMZ
data:
Id]/resourceGroups/TestRG/providers/Microsoft.Compute/availabilitySets/ASSQL
data: Name : ASSQL
data: Tags : displayName=AvailabilitySet - SQL
data:
Id]/resourceGroups/TestRG/providers/Microsoft.Compute/availabilitySets/ASWEB
data: Name : ASWEB
data: Tags : displayName=AvailabilitySet - Web
data:
Id]/resourceGroups/TestRG/providers/Microsoft.Compute/virtualMachines/FW1
data: Name : FW1
data: Type : virtualMachines
data: Tags : displayName=VMs - DMZ
data:
Id]/resourceGroups/TestRG/providers/Microsoft.Compute/virtualMachines/SQL1
data: Name : SQL1
data: Tags : displayName=VMs - SQL
data:
Id]/resourceGroups/TestRG/providers/Microsoft.Compute/virtualMachines/SQL2
data: Name : SQL2
data: Tags : displayName=VMs - SQL
data:
Id]/resourceGroups/TestRG/providers/Microsoft.Compute/virtualMachines/WEB1
data: Name : WEB1
data: Tags : displayName=VMs - Web
data:
Id]/resourceGroups/TestRG/providers/Microsoft.Compute/virtualMachines/WEB2
data: Name : WEB2
data: Tags : displayName=VMs - Web
data:
Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/NICFW1
data: Name : NICFW1
data: Type : networkInterfaces
data: Tags : displayName=NetworkInterfaces - DMZ
data:
Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/NICSQL1
data: Name : NICSQL1
data: Tags : displayName=NetworkInterfaces - SQL
data:
Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/NICSQL2
data: Name : NICSQL2
data: Tags : displayName=NetworkInterfaces - SQL
data:
Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/NICWEB1
data: Name : NICWEB1
data: Tags : displayName=NetworkInterfaces - Web
data:
Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/NICWEB2
data: Name : NICWEB2
data: Tags : displayName=NetworkInterfaces - Web
data:
Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkSecurityGroups/NSG-BackEnd
data: Name : NSG-BackEnd
data: Type : networkSecurityGroups
data: Tags : displayName=NSG - Front End
data:
Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkSecurityGroups/NSG-FrontEnd
data: Name : NSG-FrontEnd
data: Type : networkSecurityGroups
data: Tags : displayName=NSG - Remote Access
data:
Id]/resourceGroups/TestRG/providers/Microsoft.Network/publicIPAddresses/PIPFW1
data: Name : PIPFW1
data: Type : publicIPAddresses
data: Tags : displayName=PublicIPAddresses - DMZ
data:
Id]/resourceGroups/TestRG/providers/Microsoft.Network/publicIPAddresses/PIPSQL1
data: Name : PIPSQL1
data: Tags : displayName=PublicIPAddresses - SQL
data:
Id]/resourceGroups/TestRG/providers/Microsoft.Network/publicIPAddresses/PIPSQL2
data: Name : PIPSQL2
data: Tags : displayName=PublicIPAddresses - SQL
data:
Id]/resourceGroups/TestRG/providers/Microsoft.Network/publicIPAddresses/PIPWEB1
data: Name : PIPWEB1
data: Tags : displayName=PublicIPAddresses - Web
data:
Id]/resourceGroups/TestRG/providers/Microsoft.Network/publicIPAddresses/PIPWEB2
data: Name : PIPWEB2
data: Tags : displayName=PublicIPAddresses - Web
data:
Id]/resourceGroups/TestRG/providers/Microsoft.Network/routeTables/UDR-BackEnd
data: Name : UDR-BackEnd
data: Type : routeTables
data: Tags : displayName=Route Table - Back End
data:
Id]/resourceGroups/TestRG/providers/Microsoft.Network/routeTables/UDR-FrontEnd
data: Name : UDR-FrontEnd
data: Type : routeTables
data: Tags : displayName=UDR - FrontEnd
data:
data: Name : TestVNet
data: Type : virtualNetworks
data: Tags : displayName=VNet
data:
Id]/resourceGroups/TestRG/providers/Microsoft.Storage/storageAccounts/testvnetstorageprm
data: Name : testvnetstorageprm
data: Type : storageAccounts
data: Tags : displayName=Storage Account - Premium
data:
Id]/resourceGroups/TestRG/providers/Microsoft.Storage/storageAccounts/testvnetstoragestd
data: Name : testvnetstoragestd
data: Type : storageAccounts
data: Tags : displayName=Storage Account - Simple
data:
data: Permissions:
data: Actions: *
data: NotActions:
data:
info: group show command OK
TIP
If you do not see all the resources, run the azure group deployment show command to ensure the provisioning state of
the deployment is Succeded.
Control routing and use virtual appliances (classic)
using PowerShell
IMPORTANT
resource. You can view the documentation for different tools by selecting an option at the top of this article. This article
covers the classic deployment model.
Scenario
described below:
The sample Azure PowerShell commands below expect a simple environment already created based on the
scenario above. If you want to run the commands as they are displayed in this document, create the environment
shown in create a VNet (classic) using PowerShell.

NOTE
Create the UDR for the front end subnet

below.
1. Run the following command to create a route table for the front-end subnet:
New-AzureRouteTable -Name UDR-FrontEnd -Location uswest `

-Label "Route table for front end subnet"
2. Run the following command to create a route in the route table to send all traffic destined to the back-end
Get-AzureRouteTable UDR-FrontEnd `
|Set-AzureRoute -RouteName RouteToBackEnd -AddressPrefix 192.168.2.0/24 `
-NextHopType VirtualAppliance `
3. Run the following command to associate the route table with the FrontEnd subnet:
Set-AzureSubnetRouteTable -VirtualNetworkName TestVNet `

-SubnetName FrontEnd `
-RouteTableName UDR-FrontEnd

To create the route table and route needed for the back end subnet based on the scenario, complete the following
steps:
New-AzureRouteTable -Name UDR-BackEnd `

-Location uswest `
-Label "Route table for back end subnet"
Get-AzureRouteTable UDR-BackEnd
| Set-AzureRoute `
-RouteName RouteToFrontEnd `
Set-AzureSubnetRouteTable -VirtualNetworkName TestVNet `
-SubnetName BackEnd `
-RouteTableName UDR-BackEnd
Enable IP forwarding on the FW1 VM

To enable IP forwarding in the FW1 VM, complete the following steps:
1. Run the following command to check the status of IP forwarding:
Get-AzureVM -Name FW1 -ServiceName TestRGFW `

| Get-AzureIPForwarding
2. Run the following command to enable IP forwarding for the FW1 VM:
Get-AzureVM -Name FW1 -ServiceName TestRGFW `

| Set-AzureIPForwarding -Enable
Control routing and use virtual appliances (classic)
using the Azure CLI
IMPORTANT
This article covers the classic deployment model. You can also control routing and use virtual appliances in the
Resource Manager deployment model.
Scenario
described below:
above. If you want to run the commands as they are displayed in this document, create the environment shown in
create a VNet (classic) using the Azure CLI.
Prerequisite: Install the Azure CLI

To perform the steps in this article, you need to install the Azure Command-Line Interface for Mac, Linux, and
Windows (Azure CLI) and you need to log on to Azure.
NOTE
If you don't have an Azure account, you need one. Go sign up for a free trial here. In addition, to follow along completely
you need to have either jq or some other JSON parsing tool or library installed.
Create the UDR for the front end subnet

below.
1. Run the following command to switch to classic mode:
Output:
info: New mode is asm
2. Run the following command to create a route table for the front-end subnet:
azure network route-table create -n UDR-FrontEnd -l uswest
Output:
info: Executing command network route-table create

info: Creating route table "UDR-FrontEnd"
info: Getting route table "UDR-FrontEnd"
data: Name : UDR-FrontEnd
info: network route-table create command OK
Parameters:
3. Run the following command to create a route in the route table to send all traffic destined to the back-end
azure network route-table route set -r UDR-FrontEnd -n RouteToBackEnd -a 192.168.2.0/24 -t

VirtualAppliance -p 192.168.0.4
Output:
info: Executing command network route-table route set

info: Getting route table "UDR-FrontEnd"
info: Setting route "RouteToBackEnd" in a route table "UDR-FrontEnd"
info: network route-table route set command OK
Parameters:
-r (or --route-table-name). Name of the route table where the route will be added. For our scenario,
UDR-FrontEnd.
-a (or --address-prefix). Address prefix for the subnet where packets are destined to. For our scenario,
192.168.2.0/24.
-t (or --next-hop-type). Type of object traffic will be sent to. Possible values are VirtualAppliance,
VirtualNetworkGateway, VNETLocal, Internet, or None.
-p (or --next-hop-ip-address). IP address for next hop. For our scenario, 192.168.0.4.
4. Run the following command to associate the route table created with the FrontEnd subnet:
azure network vnet subnet route-table add -t TestVNet -n FrontEnd -r UDR-FrontEnd
Output:
info: Executing command network vnet subnet route-table add

info: Looking up the subnet "FrontEnd"
info: Looking up network gateway route tables in virtual network "TestVNet" subnet "FrontEnd"
info: Associating route table "UDR-FrontEnd" and subnet "FrontEnd"
info: Looking up network gateway route tables in virtual network "TestVNet" subnet "FrontEnd"
data: Route table name : UDR-FrontEnd
data: Routes:
info: network vnet subnet route-table add command OK
Parameters:
-t (or --vnet-name). Name of the VNet where the subnet is located. For our scenario, TestVNet.
-n (or --subnet-name. Name of the subnet the route table will be added to. For our scenario, FrontEnd.

To create the route table and route needed for the back-end subnet based on the scenario, complete the following
steps:
azure network route-table create -n UDR-BackEnd -l uswest
azure network route-table route set -r UDR-BackEnd -n RouteToFrontEnd -a 192.168.1.0/24 -t

VirtualAppliance -p 192.168.0.4
azure network vnet subnet route-table add -t TestVNet -n BackEnd -r UDR-BackEnd

Create a virtual network peering - Resource
Manager, same subscription
In this tutorial, you learn to create a virtual network peering between virtual networks created through Resource
Manager. Both virtual networks exist in the same subscription. Peering two virtual networks enables resources in
different virtual networks to communicate with each other with the same bandwidth and latency as though the
resources were in the same virtual network. Learn more about Virtual network peering.
The steps to create a virtual network peering are different, depending on whether the virtual networks are in the
same, or different, subscriptions, and which Azure deployment model the virtual networks are created through.
Learn how to create a virtual network peering in other scenarios by clicking the scenario from the following table:
AZURE DEPLOYMENT MODEL AZURE SUBSCRIPTION
Both Resource Manager Different
One Resource Manager, one classic Different
A virtual network peering cannot be created between two virtual networks deployed through the classic
deployment model. A virtual network peering can only be created between two virtual networks that exist in the
same Azure region. If you need to connect virtual networks that were both created through the classic deployment
model, or that exist in different Azure regions, you can use an Azure VPN Gateway to connect the virtual networks.
You can use the Azure portal, the Azure command-line interface (CLI), Azure PowerShell, or an Azure Resource
Manager template to create a virtual network peering. Click any of the previous tool links to go directly to the steps
for creating a virtual network peering using your tool of choice.
Create peering - Azure portal

1. Log in to the Azure portal. The account you log in with must have the necessary permissions to create a virtual
network peering. See the Permissions section of this article for details.
2. Click + New, click Networking, then click Virtual network.
3. In the Create virtual network blade, enter, or select values for the following settings, then click Create:
Name: myVnet1
Address space: 10.0.0.0/16
Subnet name: default
Subnet address range: 10.0.0.0/24
Subscription: Select your subscription
Resource group: Select Create new and enter myResourceGroup
Location: East US
4. Complete steps 2-3 again specifying the following values in step 3:
Name: myVnet2
Resource group: Select Use existing and select myResourceGroup
Location: East US
5. In the Search resources box at the top of the portal, type myResourceGroup. Click myResourceGroup when it
appears in the search results. A blade appears for the myresourcegroup resource group. The resource group
contains the two virtual networks created in previous steps.
6. Click myVNet1.
7. In the myVnet1 blade that appears, click Peerings from the vertical list of options on the left side of the blade.
8. In the myVnet1 - Peerings blade that appeared, click + Add
9. In the Add peering blade that appears, enter, or select the following options, then click OK:
Name: myVnet1ToMyVnet2
Virtual network deployment model: Select Resource Manager.
Virtual network: Click Choose a virtual network, then click myVnet2.
Allow virtual network access: Ensure that Enabled is selected. No other settings are used in this
tutorial. To learn about all peering settings, read Manage virtual network peerings.
10. After clicking OK in the previous step, the Add peering blade closes and you see the myVnet1 - Peerings
blade again. After a few seconds, the peering you created appears in the blade. Initiated is listed in the
PEERING STATUS column for the myVnet1ToMyVnet2 peering you created. You've peered Vnet1 to Vnet2,
but now you must peer myVnet2 to myVnet1. The peering must be created in both directions to enable
resources in the virtual networks to communicate with each other.
11. Complete steps 5-10 again for myVnet2. Name the peering myVnet2ToMyVnet1.
12. A few seconds after clicking OK to create the peering for MyVnet2, the myVnet2ToMyVnet1 peering you just
created is listed with Connected in the PEERING STATUS column.
13. Complete steps 5-7 again for MyVnet1. The PEERING STATUS for the myVnet1ToVNet2 peering is now also
Connected. The peering is successfully established after you see Connected in the PEERING STATUS column
for both virtual networks in the peering.
14. Optional: Though creating virtual machines is not covered in this tutorial, you can create a virtual machine in
each virtual network and connect from one virtual machine to the other, to validate connectivity.
15. Optional: To delete the resources that you create in this tutorial, complete the steps in the Delete resources
section of this article.
Any Azure resources you create in either virtual network are now able to communicate with each other through
their IP addresses. If you're using default Azure name resolution for the virtual networks, the resources in the
virtual networks are not able to resolve names across the virtual networks. If you want to resolve names across
virtual networks in a peering, you must create your own DNS server. Learn how to set up Name resolution using
your own DNS server.
Create peering - Azure CLI

The following script:
Requires the Azure CLI version 2.0.4 or later. To find the version, run the az --version command. If you need
to upgrade, see Install Azure CLI 2.0.
Works in a Bash shell. For options on running Azure CLI scripts on Windows client, see Running the Azure CLI
in Windows.
Instead of installing the CLI and its dependencies, you can use the Azure Cloud Shell. The Azure Cloud Shell is a
free Bash shell that you can run directly within the Azure portal. It has the Azure CLI preinstalled and configured to
use with your account. Click the Try it button in the script that follows, which invokes a Cloud Shell that logs you
can log in to your Azure account with. To execute the script, click the Copy button and paste the contents into your
Cloud Shell.
1. Create a resource group and two virtual networks.
#!/bin/bash
# Variables for common values used throughout the script.

rgName="myResourceGroup"
location="eastus"

az group create \
--name $rgName \
--location $location
# Create virtual network 1.

--name myVnet1 \
--resource-group $rgName \
--location $location \
--address-prefix 10.0.0.0/16

--name myVnet2 \
2. Create a virtual network peering between the two virtual networks.
# Get the id for VNet1.

vnet1Id=$(az network vnet show \
--name myVnet1 \
--query id --out tsv)

--name myVnet2 \
--query id \
--out tsv)
# Peer VNet1 to VNet2.

az network vnet peering create \
--name myVnet1ToMyVnet2 \
--vnet-name myVnet1 \
--remote-vnet-id $vnet2Id \
--allow-vnet-access

--remote-vnet-id $vnet1Id \
--allow-vnet-access
3. After the script executes, review the peerings for each virtual network.
az network vnet peering list \
--output table
Run the previous command again, replacing myVnet1 with myVnet2. The output of both commands shows
Connected in the PeeringState column.
Any Azure resources you create in either virtual network are now able to communicate with each other
through their IP addresses. If you're using default Azure name resolution for the virtual networks, the
resources in the virtual networks are not able to resolve names across the virtual networks. If you want to
resolve names across virtual networks in a peering, you must create your own DNS server. Learn how to set
up Name resolution using your own DNS server.
4. Optional: Though creating virtual machines is not covered in this tutorial, you can create a virtual machine
in each virtual network and connect from one virtual machine to the other, to validate connectivity.
5. Optional: To delete the resources that you create in this tutorial, complete the steps in Delete resources in this
article.
Create peering - PowerShell

2. To start a PowerShell session, go to Start, enter powershell, and then click PowerShell.
3. In PowerShell, log in to Azure by entering the login-azurermaccount command. The account you log in with
must have the necessary permissions to create a virtual network peering. See the Permissions section of this
4. Create a resource group and two virtual networks. To execute the script, copy the following script, paste it
into PowerShell, and then press Enter after the last line appears on the screen:

$rgName='myResourceGroup'
$location='eastus'

-Name $rgName `
-Location $location

$vnet1 = New-AzureRmVirtualNetwork `
-ResourceGroupName $rgName `
-Name 'myVnet1' `
-AddressPrefix '10.0.0.0/16' `
-Location $location

-Name 'myVnet2' `
-Location $location
5. Create a virtual network peering between the two virtual networks. Copy the following script, paste in to
PowerShell, and then press Enter after the last line appears on the screen:
Add-AzureRmVirtualNetworkPeering `
-Name 'myVnet1ToMyVnet2' `
-VirtualNetwork $vnet1 `
-RemoteVirtualNetworkId $vnet2.Id

-Name 'myVnet2ToMyVnet1' `
-RemoteVirtualNetworkId $vnet1.Id
6. To review the subnets for the virtual network, copy the following command, paste in to PowerShell, and
then press Enter :
Get-AzureRmVirtualNetworkPeering `
-VirtualNetworkName myVnet1 `
| Format-Table VirtualNetworkName, PeeringState
Run the previous command again, replacing myVnet1 with myVnet2. The output of both commands shows
Connected in the PeeringState column.
article.
Create peering - Resource Manager template

1. Reference Create a virtual network peering Resource Manager template. Instructions are provided with the
template for deploying the template using the Azure portal, PowerShell, or the Azure CLI. Log in to whichever
tool you choose to deploy the template with using an account that has the necessary permissions to create a
virtual network peering. See the Permissions section of this article for details.
section of this article, using either the Azure portal, PowerShell, or the Azure CLI.
Permissions
The accounts you use to create a virtual network peering must have the necessary role or permissions. For
example, if you were peering two virtual networks named VNet1 and VNet2, your account must be assigned the
following minimum role or permissions for each virtual network:
VIRTUAL NETWORK ROLE PERMISSIONS

VNet1 Network Contributor Microsoft.Network/virtualNetworks/virt

ualNetworkPeerings/write
VNet2 Network Contributor Microsoft.Network/virtualNetworks/pee

r
Learn more about built-in roles and assigning specific permissions to custom roles (Resource Manager only).
Delete resources
When you've finished this tutorial, you might want to delete the resources you created in the tutorial, so you don't
incur usage charges. Deleting a resource group also deletes all resources that are in the resource group.
Azure portal
3. To confirm the deletion, in the TYPE THE RESOURCE GROUP NAME box, enter myResourceGroup, and then
click Delete.
Azure CLI
Enter the following command:
PowerShell
Enter the following command:
Remove-AzureRmResourceGroup -Name myResourceGroup -force
Next steps
Thoroughly familiarize yourself with important virtual network peering constraints and behaviors before
creating a virtual network peering for production use.
Learn about all virtual network peering settings.
Learn how to create a hub and spoke network topology with virtual network peering.
Create a virtual network peering - Resource
Manager, different subscriptions
In this tutorial, you learn to create a virtual network peering between virtual networks created through Resource
Manager. The virtual networks exist in different subscriptions. Peering two virtual networks enables resources in
different virtual networks to communicate with each other with the same bandwidth and latency as though the
resources were in the same virtual network. Learn more about Virtual network peering.
same Azure region. When creating a virtual network peering between virtual networks that exist in different
subscriptions, the subscriptions must both be associated to the same Azure Active Directory tenant. If you don't
already have an Azure Active Directory tenant, you can quickly create one. If you need to connect virtual networks
that were both created through the classic deployment model, or that exist in different Azure regions, or that exist
in subscriptions associated to different Azure Active Directory tenants, you can use an Azure VPN Gateway to
connect the virtual networks.
You can use the Azure portal, the Azure command-line interface (CLI), Azure PowerShell, or an Azure Resource
Manager template to create a virtual network peering. Click any of the previous tool links to go directly to the steps
for creating a virtual network peering using your tool of choice.

This tutorial uses different accounts for each subscription. If you're using an account that has permissions to both
subscriptions, you can use the same account for all steps, skip the steps for logging out of the portal, and skip the
steps for assigning another user permissions to the virtual networks.
1. Log in to the Azure portal as UserA. The account you log in with must have the necessary permissions to create
a virtual network peering. See the Permissions section of this article for details.
Name: myVnetA
Subscription: Select subscription A.
Resource group: Select Create new and enter myResourceGroupA
Location: East US
4. In the Search resources box at the top of the portal, type myVnetA. Click myVnetA when it appears in the
search results. A blade appears for the myVnetA virtual network.
5. In the myVnetA blade that appears, click Access control (IAM) from the vertical list of options on the left side
of the blade.
6. In the myVnetA - Access control (IAM) blade that appears, click + Add.
7. In the Add permissions blade that appears, select Network contributor in the Role box.
8. In the Select box, select a UserB, or type UserB's email address to search for it. The list of users shown is from
the same Azure Active Directory tenant as the virtual network you're setting up the peering for.
9. Click Save.
10. In the myVnetA - Access control (IAM) blade, click Properties from the vertical list of options on the left side
of the blade. Copy the RESOURCE ID, which is used in a later step. The resource ID is similar to the following
example:
/subscriptions//resourceGroups/myResourceGroupA/providers/Microsoft.Network/virtualNetworks/myVnetA.
11. Log out of the portal as UserA, then log in as UserB.
12. Complete steps 2-3, entering or selecting the following values in step 3:
Name: myVnetB
Subscription: Select subscription B.
Resource group: Select Create new and enter myResourceGroupB
Location: East US
13. In the Search resources box at the top of the portal, type myVnetB. Click myVnetB when it appears in the
search results. A blade appears for the myVnetB virtual network.
14. In the myVnetB blade that appears, click Properties from the vertical list of options on the left side of the
blade. Copy the RESOURCE ID, which is used in a later step. The resource ID is similar to the following example:
/subscriptions//resourceGroups/myResoureGroupB/providers/Microsoft.ClassicNetwork/virtualNetworks/myVnetB.
15. Click Access control (IAM) in the myVnetB blade and then complete steps 5-10 for myVnetB, entering UserA
in step 8.
16. Log out of the portal as UserB and log in as UserA.
search results. A blade appears for the myVnet virtual network.
18. Click myVnetA.
19. In the myVnetA blade that appears, click Peerings from the vertical list of options on the left side of the blade.
20. In the myVnetA - Peerings blade that appeared, click + Add
Name: myVnetAToMyVnetB
Virtual network deployment model: Select Resource Manager.
I know my resource ID: Check this box.
Resource ID: Enter the resource ID from step 14.
22. After clicking OK in the previous step, the Add peering blade closes and you see the myVnetA - Peerings
blade again. After a few seconds, the peering you created appears in the blade. Initiated is listed in the
PEERING STATUS column for the myVnetAToMyVnetB peering you created. You've peered myVnetA to
myVnetB, but now you must peer myVnetB to myVnetA. The peering must be created in both directions to
enable resources in the virtual networks to communicate with each other.
23. Log out of the portal as UserA and log in as UserB.
24. Complete steps 17-21 again for myVnetB. In step 21, name the peering myVnetBToMyVnetA, select myVnetA
for Virtual network, and enter the ID from step 10 in the Resource ID box.
25. A few seconds after clicking OK to create the peering for myVnetB, the myVnetBToMyVnetA peering you just
created is listed with Connected in the PEERING STATUS column.
27. Complete steps 17-19 again. The PEERING STATUS for the myVnetAToVNetB peering is now also
Connected. The peering is successfully established after you see Connected in the PEERING STATUS column
for both virtual networks in the peering. Any Azure resources you create in either virtual network are now able
to communicate with each other through their IP addresses. If you're using default Azure name resolution for
the virtual networks, the resources in the virtual networks are not able to resolve names across the virtual
networks. If you want to resolve names across virtual networks in a peering, you must create your own DNS
server. Learn how to set up Name resolution using your own DNS server.

subscriptions, you can use the same account for all steps, skip the steps for logging out of Azure, and remove the
lines of script that create user role assignments. Replace UserA@azure.com and UserB@azure.com in all of the
following scripts with the usernames you're using for UserA and UserB.
The following script:
Requires the Azure CLI version 2.0.4 or later. To find the version, run az --version . If you need to upgrade, see
Install Azure CLI 2.0.
Works in a Bash shell. For options on running Azure CLI scripts on Windows client, see Running the Azure CLI
in Windows.
Instead of installing the CLI and its dependencies, you can use the Azure Cloud Shell. The Azure Cloud Shell is a
free Bash shell that you can run directly within the Azure portal. It has the Azure CLI preinstalled and configured to
use with your account. Click the Try it button in the script that follows, which invokes a Cloud Shell that you can
log in to your Azure account with.
1. Open a CLI session and log in to Azure as UserA using the azure login command. The account you log in with
must have the necessary permissions to create a virtual network peering. See the Permissions section of this
2. Copy the following script to a text editor on your PC, replace <SubscriptionA-Id> with the ID of
SubscriptionA, then copy the modified script, paste it in your CLI session, and press Enter . If you don't
know your subscription Id, enter the 'az account show` command. The value for id in the output is your
subscription Id.
az group create \
--name myResourceGroupA \
--location eastus
# Create virtual network A.

--name myVnetA \
--resource-group myResourceGroupA \
--location eastus \
# Assign UserB permissions to virtual network A.

az role assignment create \
--assignee UserB@azure.com \
--role "Network Contributor" \
--scope /subscriptions/<SubscriptionA-
Id>/resourceGroups/myResourceGroupA/providers/Microsoft.Network/VirtualNetworks/myVnetA
The permission assignment for UserB is not a requirement. Peering can be established even if users
individually raise peering requests for their respective virtual networks, as long as the requests match.
Adding a privileged user of myVNetB as a network contributor in the local virtual network makes it easier to
do the setup.
3. Log out of Azure as UserA using the az logout command, then log in to Azure as UserB. The account you log
in with must have the necessary permissions to create a virtual network peering. See the Permissions section of
this article for details.
4. Create myVnetB. Copy the script contents in step 2 to a text editor on your PC. Replace <SubscriptionA-Id>
with the ID of SubscriptionB. Change 10.0.0.0/16 to 10.1.0.0/16, change all As to B, and all Bs to A. Copy the
modified script, paste it in to your CLI session, and press Enter .
5. Log out of Azure as UserB and log in to Azure as UserA.
6. Create a virtual network peering from myVnetA to myVnetB. Copy the following script contents to a text
editor on your PC. Replace <SubscriptionB-Id> with the ID of SubscriptionB. To execute the script, copy the
modified script, paste it into your CLI session, and press Enter.
# Get the id for myVnetA.

vnetAId=$(az network vnet show \
--name myVnetA \
# Peer myVNetA to myVNetB.

--name myVnetAToMyVnetB \
--vnet-name myVnetA \
--remote-vnet-id /subscriptions/<SubscriptionB-
Id>/resourceGroups/myResourceGroupB/providers/Microsoft.Network/VirtualNetworks/myVnetB \
--allow-vnet-access
7. View the peering state of myVnetA.

--output table
The state is Initiated. It changes to Connected once you create the peering to myVnetA from myVnetB.
8. Log out UserA from Azure and log in to Azure as UserB.
9. Create the peering from myVnetB to myVnetA. Copy the script contents in step 6 to a text editor on your PC.
Replace <SubscriptionB-Id> with the ID for SubscriptionA and change all As to B and all Bs to A. Once you've
made the changes, copy the modified script, paste it into your CLI session, and press Enter .
10. View the peering state of myVnetB. Copy the script contents in step 7 to a text editor on your PC. Change A
to B for the resource group and virtual network names, copy the script, paste the modified script in to your
CLI session, and then press Enter . The peering state is Connected. The peering state of myVnetA changes
to Connected after you've created the peering from myVnetB to myVnetA. You can log UserA back in to
Azure and complete step 7 again to verify the peering state of myVnetA.
NOTE
The peering is not established until the peering state is Connected for both virtual networks.
article.

2. Start a PowerShell session.
3. In PowerShell, log in to Azure as UserA by entering the login-azurermaccount command. The account you log in
with must have the necessary permissions to create a virtual network peering. See the Permissions section of
this article for details.
4. Create a resource group and virtual network A. Copy the following script to a text editor on your PC.
Replace <SubscriptionA-Id> with the ID of SubscriptionA. If you don't know your subscription Id, enter the
Get-AzureRmSubscription command to view it. The value for Id in the returned output is your subscription
ID. To execute the script, copy the modified script, paste it in to PowerShell, and then press Enter .
-Name MyResourceGroupA `
-Location eastus

$vNetA = New-AzureRmVirtualNetwork `
-ResourceGroupName MyResourceGroupA `
-Name 'myVnetA' `
-Location eastus
# Assign UserB permissions to myVnetA.

New-AzureRmRoleAssignment `
-SignInName UserB@azure.com `
-RoleDefinitionName "Network Contributor" `
-Scope /subscriptions/<SubscriptionA-
The permission assignment for UserB is not a requirement. Peering can be established even if users
individually raise peering requests for their respective virtual networks, as long as the requests match.
Adding a privileged user of the other virtual network as a user in the local virtual network makes it easier to
do the setup.
5. Log out UserA from Azure and log in UserB. The account you log in with must have the necessary permissions
to create a virtual network peering. See the Permissions section of this article for details.
6. Copy the script contents in step 4 to a text editor on your PC. Replace <SubscriptionA-Id> with the ID for
subscription B. Change 10.0.0.0/16 to 10.1.0.0/16. Change all As to B and all Bs to A. To execute the script, copy
the modified script, paste into PowerShell, and then press Enter .
7. Log out UserB from Azure and log in UserA.
8. Create the peering from myVnetA to myVnetB. Copy the following script to a text editor on your PC. Replace
<SubscriptionB-Id> with the ID of subscription B. To execute the script, copy the modified script, paste in to
PowerShell, and then press Enter .
# Peer myVnetA to myVnetB.

$vNetA=Get-AzureRmVirtualNetwork -Name myVnetA -ResourceGroupName myResourceGroupA
-Name 'myVnetAToMyVnetB' `
-VirtualNetwork $vNetA `
-RemoteVirtualNetworkId "/subscriptions/<SubscriptionB-
Id>/resourceGroups/myResourceGroupB/providers/Microsoft.Network/virtualNetworks/myVnetB"
9. View the peering state of myVnetA.
-ResourceGroupName myResourceGroupA `
-VirtualNetworkName myVnetA `
The state is Initiated. It changes to Connected once you setup the peering to myVnetA from myVnetB.
10. Log out UserA from Azure and log in UserB.
11. Create the peering from myVnetB to myVnetA. Copy the script contents in step 8 to a text editor on your PC.
Replace <SubscriptionB-Id> with the ID of subscription A and change all As to B and all Bs to A. To execute the
script, copy the modified script, paste it in to PowerShell, and then press Enter .
12. View the peering state of myVnetB. Copy the script contents in step 9 to a text editor on your PC. Change A
to B for the resource group and virtual network names. To execute the script, paste the modified script into
PowerShell, and then press Enter . The state is Connected. The peering state of myVnetA changes to
Connected after you've created the peering from myVnetB to myVnetA. You can log UserA back in to
Azure and complete step 9 again to verify the peering state of myVnetA.
NOTE
The peering is not established until the peering state is Connected for both virtual networks.
article.
Create peering - Resource Manager template

1. Complete the steps in the Portal, Azure CLI, or PowerShell sections of this article to create a virtual network and
assign the appropriate permissions to the account in each subscription.
2. Save the text that follows to a file on your local computer. Replace <subscription ID> with UserA's
subscription ID. You might save the file as vnetpeeringA.json, for example.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
},
"variables": {
},
"resources": [
{
"apiVersion": "2016-06-01",
"type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
"name": "myVnetA/myVnetAToMyVnetB",
"properties": {
"allowVirtualNetworkAccess": true,
"allowForwardedTraffic": false,
"allowGatewayTransit": false,
"useRemoteGateways": false,
"remoteVirtualNetwork": {
"id": "/subscriptions/<subscription
ID>/resourceGroups/PeeringTest/providers/Microsoft.Network/virtualNetworks/myVnetB"
}
}
}
]
}
3. Log into Azure as UserA and deploy the template using the portal, PowerShell, or the Azure CLI. Specify the
file name you saved the example json text in step 2 to.
4. Copy the example json from step 2 to a file on your computer and make changes to the lines that begin with:
name: Change myVnetA/myVnetAToMyVnetB to myVnetB/myVnetBToMyVnetA.
id: Replace <subscription ID> with UserB's subscription ID and change myVnetB to myVnetA.
5. Complete step 3 again, logged into Azure as UserB.
section of this article, using either the Azure portal, PowerShell, or the Azure CLI.
Permissions
example, if you were peering two virtual networks named myVnetA and myVnetB, your account must be
assigned the following minimum role or permissions for each virtual network:
myVnetA Network Contributor Microsoft.Network/virtualNetworks/virt

ualNetworkPeerings/write
myVnetB Network Contributor Microsoft.Network/virtualNetworks/pee

r
Delete resources
Azure portal
1. Log in to the Azure portal as UserA.
2. In the portal search box, enter myResourceGroupA. In the search results, click myResourceGroupA.
3. On the myResourceGroupA blade, click the Delete icon.
4. To confirm the deletion, in the TYPE THE RESOURCE GROUP NAME box, enter myResourceGroupA, and
then click Delete.
5. Log out of the portal as UserA and log in as UserB.
6. Complete steps 2-4 for myResourceGroupB.
Azure CLI
1. Log in to Azure as UserA and execute the following command:
az group delete --name myResourceGroupA --yes
2. Log out of Azure as UserA and log in as UserB.

3. Execute the following command:
az group delete --name myResourceGroupB --yes
PowerShell
1. Log in to Azure as UserA and execute the following command:
Remove-AzureRmResourceGroup -Name myResourceGroupA -force
2. Log out of Azure as UserA and log in as UserB.

3. Execute the following command:
Remove-AzureRmResourceGroup -Name myResourceGroupB -force
Next steps
Create a virtual network peering - different
deployment models, same subscription
In this tutorial, you learn to create a virtual network peering between virtual networks created through different
deployment models. Both virtual networks exist in the same subscription. Peering two virtual networks enables
resources in different virtual networks to communicate with each other with the same bandwidth and latency as
though the resources were in the same virtual network. Learn more about Virtual network peering.
same Azure region. If you need to connect virtual networks that were both created through the classic deployment
model, or that exist in different Azure regions, you can use an Azure VPN Gateway to connect the virtual networks.
You can use the Azure portal, the Azure command-line interface (CLI), or Azure PowerShell to create a virtual
network peering. Click any of the previous tool links to go directly to the steps for creating a virtual network
peering using your tool of choice.
Create peering - Portal

1. Log in to the Azure portal. The account you log in with must have the necessary permissions to create a virtual
network peering. See the Permissions section of this article for details.
Name: myVnet1
Resource group: Select Create new and enter myResourceGroup
Location: East US
4. Click + New. In the Search the Marketplace box, type Virtual network. Click Virtual network when it
appears in the search results.
5. In the Virtual network blade, select Classic in the Select a deployment model box, and then click Create.
Name: myVnet2
Name: myVnet2
Resource group: Select Use existing and select myResourceGroup
Location: East US
7. In the Search resources box at the top of the portal, type myResourceGroup. Click myResourceGroup when it
appears in the search results. A blade appears for the myresourcegroup resource group. The resource group
contains the two virtual networks created in previous steps.
8. Click myVNet1.
9. In the myVnet1 blade that appears, click Peerings from the vertical list of options on the left side of the blade.
10. In the myVnet1 - Peerings blade that appeared, click + Add
Name: myVnet1ToMyVnet2
Virtual network deployment model: Select Classic.
Virtual network: Click Choose a virtual network, then click myVnet2.
12. After clicking OK in the previous step, the Add peering blade closes and you see the myVnet1 - Peerings
blade again. After a few seconds, the peering you created appears in the blade. Connected is listed in the
PEERING STATUS column for the myVnet1ToMyVnet2 peering you created.
The peering is now established. Any Azure resources you create in either virtual network are now able to
communicate with each other through their IP addresses. If you're using default Azure name resolution for
the virtual networks, the resources in the virtual networks are not able to resolve names across the virtual
networks. If you want to resolve names across virtual networks in a peering, you must create your own DNS
server. Learn how to set up Name resolution using your own DNS server.

1. Install the Azure CLI 1.0 to create the virtual network (classic).
2. Open a command session and log in to Azure using the azure login command.
3. Run the CLI in Service Management mode by entering the azure config mode asm command.
4. Enter the following command to create the virtual network (classic):
azure network vnet create --vnet myVnet2 --address-space 10.1.0.0 --cidr 16 --location "East US"
5. Create a resource group and a virtual network (Resource Manager). You can use either the CLI 1.0 or 2.0
(install). In this tutorial, the CLI 2.0 is used to create the virtual network (Resource Manager), since 2.0 must
be used to create the peering. Execute the following bash CLI script from your local machine with the CLI
2.0.4 or later installed. For options on running bash CLI scripts on Windows client, see Running the Azure
CLI in Windows. You can also run the script using the Azure Cloud Shell. The Azure Cloud Shell is a free
Bash shell that you can run directly within the Azure portal. It has the Azure CLI preinstalled and configured
to use with your account. Click the Try it button in the script that follows, which invokes a Cloud Shell that
logs you can log in to your Azure account with. To execute the script, click the Copy button and paste, the
contents into your Cloud Shell, then press Enter .
#!/bin/bash

az group create \
--name myResourceGroup \
--location eastus
# Create the virtual network (Resource Manager).

--name myVnet1 \
--location eastus \
6. Create a virtual network peering between the two virtual networks created through the different
deployment models. Copy the following script to a text editor on your PC. Replace <subscription id> with
your subscription Id. If you don't know your subscription Id, enter the az account show command. The
value for id in the output is your subscription Id. Paste the modified script in to your CLI session, and then
press Enter .

--name myVnet1 \

--remote-vnet-id /subscriptions/<subscription id>/resourceGroups/Default-
Networking/providers/Microsoft.ClassicNetwork/virtualNetworks/myVnet2 \
--allow-vnet-access
7. After the script executes, review the peering for the virtual network (Resource Manager). Copy the following
command, paste it in your CLI session, and then press Enter :

--output table
The output shows Connected in the PeeringState column.

article.
1. Install the latest version of the PowerShell Azure and AzureRm modules. If you're new to Azure PowerShell, see
Azure PowerShell overview.
3. In PowerShell, log in to Azure by entering the Add-AzureAccount command.
4. To create a virtual network (classic) with PowerShell, you must create a new, or modify an existing, network
configuration file. Learn how to export, update, and import network configuration files. The file should
include the following VirtualNetworkSite element for the virtual network used in this tutorial:
<VirtualNetworkSite name="myVnet2" Location="East US">

<AddressSpace>
<AddressPrefix>10.1.0.0/16</AddressPrefix>
</AddressSpace>
<Subnets>
<Subnet name="default">
</Subnet>
</Subnets>
</VirtualNetworkSite>
WARNING
Importing a changed network configuration file can cause changes to existing virtual networks (classic) in your
subscription. Ensure you only add the previous virtual network and that you don't change or remove any existing
virtual networks from your subscription.
5. Log in to Azure to create the virtual network (Resource Manager) by entering the login-azurermaccount
command. The account you log in with must have the necessary permissions to create a virtual network
peering. See the Permissions section of this article for details.
6. Create a resource group and a virtual network (Resource Manager). Copy the script, paste it into
PowerShell, and then press Enter .

New-AzureRmResourceGroup -Name myResourceGroup -Location eastus
# Create the virtual network (Resource Manager).

-Name 'myVnet1' `
-Location eastus
deployment models. Copy the following script to a text editor on your PC. Replace <subscription id> with
your subscription Id. If you don't know your subscription Id, enter the Get-AzureRmSubscription command
to view it. The value for Id in the returned output is your subscription ID. To execute the script, copy the
modified script from your text editor, then right-click in your PowerShell session, and then press Enter .
-Name myVnet1ToMyVnet2 `
-RemoteVirtualNetworkId /subscriptions/<subscription Id>/resourceGroups/Default-
Networking/providers/Microsoft.ClassicNetwork/virtualNetworks/myVnet2
command, paste it in your PowerShell session, and then press Enter :
-VirtualNetworkName myVnet1 `

article.
Permissions
example, if you were peering two virtual networks named myVnet1 and myVnet2, your account must be assigned
the following minimum role or permissions for each virtual network:
VIRTUAL NETWORK DEPLOYMENT MODEL ROLE PERMISSIONS
myVnet1 Resource Manager Network Contributor Microsoft.Network/virtualNe

tworks/virtualNetworkPeerin
gs/write
Classic Classic Network Contributor N/A
myVnet2 Resource Manager Network Contributor Microsoft.Network/virtualNe

tworks/peer
Classic Classic Network Contributor Microsoft.ClassicNetwork/vir

tualNetworks/peer
Delete resources
Azure portal
3. To confirm the deletion, in the TYPE THE RESOURCE GROUP NAME box, enter myResourceGroup, and then
click Delete.
Azure CLI
1. Use the Azure CLI 2.0 to delete the virtual network (Resource Manager) with the following command:
2. Use the Azure CLI 1.0 to delete the virtual network (classic) with the following commands:
azure network vnet delete --vnet myVnet2 --quiet
PowerShell
1. Enter the following command to delete the virtual network (Resource Manager):
Remove-AzureRmResourceGroup -Name myResourceGroup -Force
2. To delete the virtual network (classic) with PowerShell, you must modify an existing network configuration
file. Learn how to export, update, and import network configuration files. Remove the following
VirtualNetworkSite element for the virtual network used in this tutorial:
<VirtualNetworkSite name="myVnet2" Location="East US">

<AddressSpace>
</AddressSpace>
<Subnets>
</Subnet>
</Subnets>
WARNING
subscription. Ensure you only remove the previous virtual network and that you don't change or remove any other
existing virtual networks from your subscription.
Next steps
Create a virtual network peering - different
deployment models and subscriptions
In this tutorial, you learn to create a virtual network peering between virtual networks created through different
deployment models. The virtual networks exist in different subscriptions. Peering two virtual networks enables
resources in different virtual networks to communicate with each other with the same bandwidth and latency as
though the resources were in the same virtual network. Learn more about Virtual network peering.
same Azure region. When creating a virtual network peering between virtual networks that exist in different
subscriptions, the subscriptions must both be associated to the same Azure Active Directory tenant. If you don't
already have an Azure Active Directory tenant, you can quickly create one. If you need to connect virtual networks
that were both created through the classic deployment model, or that exist in different Azure regions, or that exist
in subscriptions associated to different Azure Active Directory tenants, you can use an Azure VPN Gateway to
connect the virtual networks.
WARNING
Creating a virtual network peering between virtual networks in created through different Azure deployment models that
exist in different subscriptions is currently in preview. Virtual network peerings created in this scenario may not have the
same level of availability and reliability as creating a virtual network peering in scenarios in general availability release. Virtual
network peerings created in this scenario are not supported, may have constrained capabilities, and may not be available in
all Azure regions. For the most up-to-date notifications on availability and status of this feature, check the Azure Virtual
Network updates page.
You can use the Azure portal, the Azure command-line interface (CLI), or Azure PowerShell to create a virtual
network peering. Click any of the previous tool links to go directly to the steps for creating a virtual network
peering using your tool of choice.
Register for the preview

To register for the preview, complete the steps that follow for both subscriptions that contain the virtual networks
you want to peer. The only tool you can use to register for the preview is PowerShell.
2. Start a PowerShell session and log in to Azure using the login-azurermaccount command.
3. Register your subscription for the preview by entering the following commands:
Register-AzureRmProviderFeature `
-FeatureName AllowClassicCrossSubscriptionPeering `
-ProviderNamespace Microsoft.Network
Register-AzureRmResourceProvider `
Do not complete the steps in the Portal, Azure CLI, or PowerShell sections of this article until the
RegistrationState output you receive after entering the following command is Registered for both
subscriptions:
Get-AzureRmProviderFeature `
-FeatureName AllowClassicCrossSubscriptionPeering `

subscriptions, you can use the same account for all steps, skip the steps for logging out of the portal, and skip the
steps for assigning another user permissions to the virtual networks. Before completing any of the following steps,
you must register for the preview. To register, complete the steps in the Register for the preview section of this
article. Do not continue with the remaining steps until both subscriptions are registered for the preview.
1. Log in to the Azure portal as UserA. The account you log in with must have the necessary permissions to create
a virtual network peering. See the Permissions section of this article for details.
Name: myVnetA
Subscription: Select subscription A.
Resource group: Select Create new and enter myResourceGroupA
Location: East US
search results. A blade appears for the myVnetA virtual network.
5. In the myVnetA blade that appears, click Access control (IAM) from the vertical list of options on the left side
of the blade.
6. In the myVnetA - Access control (IAM) blade that appears, click + Add.
7. In the Add permissions blade that appears, select Network contributor in the Role box.
8. In the Select box, select UserB, or type UserB's email address to search for it. The list of users shown is from
the same Azure Active Directory tenant as the virtual network you're setting up the peering for. Click UserB
when it appears in the list.
9. Click Save.
10. Log out of the portal as UserA, then log in as UserB.
11. Click + New, type Virtual network in the Search the Marketplace box, then click Virtual network in the
search results.
12. In the Virtual Network blade that appears, select Classic in the Select a deployment model box, then click
Create.
13. In the Create virtual network (classic) box that appears, enter the following values:
Name: myVnetB
Subscription: Select subscription B.
Resource group: Select Create new and enter myResourceGroupB
Location: East US
15. In the myVnetB blade that appears, click Properties from the vertical list of options on the left side of the
blade. Copy the RESOURCE ID, which is used in a later step. The resource ID is similar to the following
example:
/subscriptions//resourceGroups/myResoureGroupB/providers/Microsoft.ClassicNetwork/virtualNetworks/myVnetB
16. Complete steps 5-9 for myVnetB, entering UserA in step 8.
search results. A blade appears for the myVnet virtual network.
19. Click myVnetA.
20. In the myVnetA blade that appears, click Peerings from the vertical list of options on the left side of the blade.
21. In the myVnetA - Peerings blade that appeared, click + Add
Name: myVnetAToMyVnetB
Virtual network deployment model: Select Classic.
I know my resource ID: Check this box.
Resource ID: Enter the resource ID of myVnetB from step 15.
23. After clicking OK in the previous step, the Add peering blade closes and you see the myVnetA - Peerings
blade again. After a few seconds, the peering you created appears in the blade. Connected is listed in the
PEERING STATUS column for the myVnetAToMyVnetB peering you created. The peering is now
established. There is no need to peer the virtual network (classic) to the virtual network (Resource
Manager).

Before completing any of the following steps, you must register for the preview. To register, complete the steps in
the Register for the preview section of this article. Do not continue with the remaining steps until both
subscriptions are registered for the preview.
1. Install the Azure CLI 1.0 to create the virtual network (classic).
2. Open a CLI session and log in to Azure as UserB using the azure login command.
3. Run the CLI in Service Management mode by entering the azure config mode asm command.
4. Enter the following command to create the virtual network (classic):
azure network vnet create --vnet myVnetB --address-space 10.1.0.0 --cidr 16 --location "East US"
5. The remaining steps must be completed using a bash shell with the Azure CLI 2.0.4 or later installed, or by
using the Azure Cloud Shell. The Azure Cloud Shell is a free Bash shell that you can run directly within the
Azure portal. It has the Azure CLI preinstalled and configured to use with your account. Click the Try it button
in the scripts that follow, which opens a Cloud Shell that logs you in to your Azure account. For options on
running bash CLI scripts on a Windows client, see Running the Azure CLI in Windows.
6. Copy the following script to a text editor on your PC. Replace <SubscriptionB-Id> with your subscription ID.
If you don't know your subscription Id, enter the az account show command. The value for id in the output
is your subscription Id. Copy the modified script, paste it in to your CLI 2.0 session, and then press Enter .

--assignee UserA@azure.com \
--role "Classic Network Contributor" \
--scope /subscriptions/<SubscriptionB-Id>/resourceGroups/Default-
Networking/providers/Microsoft.ClassicNetwork/virtualNetworks/myVnetB
When you created the virtual network (classic) in step 4, Azure created the virtual network in the Default-
Networking resource group.
7. Log UserB out of Azure and log in as UserA in the CLI 2.0.
8. Create a resource group and a virtual network (Resource Manager). Copy the following script, paste it in to
your CLI session, and then press Enter .
#!/bin/bash

rgName="myResourceGroupA"
location="eastus"

az group create \
--name $rgName \
# Create virtual network A (Resource Manager).

--name myVnetA \
# Get the id for myVnetA.

vNetAId=$(az network vnet show \
--name myVnetA \
# Assign UserB permissions to myVnetA.

--assignee UserB@azure.com \
--role "Network Contributor" \
--scope $vNetAId
deployment models. Copy the following script to a text editor on your PC. Replace <SubscriptionB-id> with
your subscription Id. If you don't know your subscription Id, enter the az account show command. The
value for id in the output is your subscription Id. Azure created the virtual network (classic) you created in
step 4 in a resource group named Default-Networking. Paste the modified script in your CLI session, and
then press Enter .

--name myVnetAToMyVnetB \
--remote-vnet-id /subscriptions/<SubscriptionB-id>/resourceGroups/Default-
Networking/providers/Microsoft.ClassicNetwork/virtualNetworks/myVnetB \
--allow-vnet-access
script, and then paste it in your CLI session:

--output table

article.

Before completing any of the following steps, you must register for the preview. To register, complete the steps in
the Register for the preview section of this article. Do not continue with the remaining steps until both
subscriptions are registered for the preview.
1. Install the latest version of the PowerShell Azure and AzureRm modules. If you're new to Azure PowerShell, see
Azure PowerShell overview.
3. In PowerShell, log in to UserB's subscription as UserB by entering the Add-AzureAccount command.
4. To create a virtual network (classic) with PowerShell, you must create a new, or modify an existing, network
configuration file. Learn how to export, update, and import network configuration files. The file should
include the following VirtualNetworkSite element for the virtual network used in this tutorial:
<VirtualNetworkSite name="myVnetB" Location="East US">

<AddressSpace>
</AddressSpace>
<Subnets>
</Subnet>
</Subnets>
WARNING
5. Log in to UserB's subscription as UserB to use Resource Manager commands by entering the
login-azurermaccount command.
6. Assign UserA permissions to virtual network B. Copy the following script to a text editor on your PC and
replace <SubscriptionB-id> with the ID of subscription B. If you don't know the subscription Id, enter the
ID. Azure created the virtual network (classic) you created in step 4 in a resource group named Default-
Networking. To execute the script, copy the modified script, paste it in to PowerShell, and then press Enter .
-SignInName UserA@azure.com `
-RoleDefinitionName "Classic Network Contributor" `
-Scope /subscriptions/<SubscriptionB-id>/resourceGroups/Default-
7. Log out of Azure as UserB and log in to UserA's subscription as UserA by entering the
login-azurermaccount command. The account you log in with must have the necessary permissions to
create a virtual network peering. See the Permissions section of this article for details.
8. Create the virtual network (Resource Manager) by copying the following script, pasting it in to PowerShell,
and then pressing Enter :
# Variables for common values

$rgName='MyResourceGroupA'
$location='eastus'

-Name $rgName `
-Location $location

$vnetA = New-AzureRmVirtualNetwork `
-Name 'myVnetA' `
-Location $location
9. Assign UserB permissions to myVnetA. Copy the following script to a text editor on your PC and replace
<SubscriptionA-Id> with the ID of subscription A. If you don't know the subscription Id, enter the
ID. Paste the modified version of the script in PowerShell, and then press Enter to execute it.
-SignInName UserB@azure.com `
-RoleDefinitionName "Network Contributor" `
-Scope /subscriptions/<SubscriptionA-
10. Copy the following script to a text editor on your PC, and replace <SubscriptionB-id> with the ID of
subscription B. To peer myVnetA to myVNetB, copy the modified script, paste it in to PowerShell, and then
press Enter .
-Name 'myVnetAToMyVnetB' `
-VirtualNetwork $vnetA `
-RemoteVirtualNetworkId /subscriptions/<SubscriptionB-id>/resourceGroups/Default-
11. View the peering state of myVnetA by copying the following script, pasting it into PowerShell, and pressing
Enter .
-VirtualNetworkName myVnetA `
The state is Connected. It changes to Connected once you setup the peering to myVnetA from myVnetB.
article.
Permissions
example, if you were peering two virtual networks named myVnetA and myVnetB, your account must be assigned
the following minimum role or permissions for each virtual network:
myVnetA Resource Manager Network Contributor Microsoft.Network/virtualNe

tworks/virtualNetworkPeerin
gs/write
myVnetB Resource Manager Network Contributor Microsoft.Network/virtualNe

tworks/peer
Classic Classic Network Contributor Microsoft.ClassicNetwork/vir

tualNetworks/peer
Delete resources
Azure portal
1. In the portal search box, enter myResourceGroupA. In the search results, click myResourceGroupA.
2. On the myResourceGroupA blade, click the Delete icon.
3. To confirm the deletion, in the TYPE THE RESOURCE GROUP NAME box, enter myResourceGroupA, and
then click Delete.
5. In the myVnetB blade, click Delete.
6. To confirm the deletion, click Yes in the Delete virtual network box.
Azure CLI
1. Log in to Azure using the CLI 2.0 to delete the virtual network (Resource Manager) with the following
command:
az group delete --name myResourceGroupA --yes
2. Log in to Azure using the Azure CLI 1.0 to delete the virtual network (classic) with the following commands:
azure network vnet delete --vnet myVnetB --quiet
PowerShell
1. At the PowerShell command prompt, enter the following command to delete the virtual network (Resource
Manager):
Remove-AzureRmResourceGroup -Name myResourceGroupA -Force
2. To delete the virtual network (classic) with PowerShell, you must modify an existing network configuration
file. Learn how to export, update, and import network configuration files. Remove the following
VirtualNetworkSite element for the virtual network used in this tutorial:
<VirtualNetworkSite name="myVnetB" Location="East US">

<AddressSpace>
</AddressSpace>
<Subnets>
</Subnet>
</Subnets>
WARNING
subscription. Ensure you only remove the previous virtual network and that you don't change or remove any other
existing virtual networks from your subscription.
Next steps
Create a VM with a static public IP address using the
Azure portal
You can create virtual machines (VMs) in Azure and expose them to the public Internet by using a public IP address.
By default, Public IPs are dynamic and the address associated to them may change when the VM is deleted. To
guarantee that the VM always uses the same public IP address, you need to create a static Public IP.
Before you can implement static Public IPs in VMs, it is necessary to understand when you can use static Public IPs,
and how they are used. Read the IP addressing overview to learn more about IP addressing in Azure.
NOTE
Scenario
This document will walk through a deployment that uses a static public IP address allocated to a virtual machine
(VM). In this scenario, you have a single VM with its own static public IP address. The VM is part of a subnet named
FrontEnd and also has a static private IP address (192.168.1.101) in that subnet.
You may need a static IP address for web servers that require SSL connections in which the SSL certificate is linked
to an IP address.
You can follow the steps below to deploy the environment shown in the figure above.
Create a VM with a static public IP

To create a VM with a static public IP address in the Azure portal, complete the following steps:
1. From a browser, navigate to the Azure portal and, if necessary, sign in with your Azure account.
2. On the top left hand corner of the portal, click New>>Compute>Windows Server 2012 R2 Datacenter.
3. In the Select a deployment model list, select Resource Manager and click Create.
4. In the Basics blade, enter the VM information as shown below, and then click OK.
5. In the Choose a size blade, click A1 Standard as shown below, and then click Select.
6. In the Settings blade, click Public IP address, then in the Create public IP address blade, under
Assignment, click Static as shown below. And then click OK.
7. In the Settings blade, click OK.

8. Review the Summary blade, as shown below, and then click OK.
9. Notice the new tile in your dashboard.
10. Once the VM is created, the Settings blade will be displayed as shown below
Create a VM with a static public IP address using
PowerShell
You can create virtual machines (VMs) in Azure and expose them to the public Internet by using a public IP
address. By default, Public IPs are dynamic and the address associated to them may change when the VM is
deleted. To guarantee that the VM always uses the same public IP address, you need to create a static Public IP.
NOTE
Scenario
to an IP address.

NOTE
Step 1 - Start your script
You can download the full PowerShell script used here. Follow the steps below to change the script to work in your
environment.
Change the values of the variables below based on the values you want to use for your deployment. The following
values map to the scenario used in this article:
# Set variables resource group

$rgName = "IaaSStory"
$location = "West US"
# Set variables for VNet

$vnetName = "WTestVNet"
$vnetPrefix = "192.168.0.0/16"
$subnetName = "FrontEnd"
$subnetPrefix = "192.168.1.0/24"
# Set variables for storage

$stdStorageAccountName = "iaasstorystorage"
# Set variables for VM

$vmSize = "Standard_A1"
$diskSize = 127
$publisher = "MicrosoftWindowsServer"
$offer = "WindowsServer"
$sku = "2012-R2-Datacenter"
$version = "latest"
$vmName = "WEB1"
$osDiskName = "osdisk"
$nicName = "NICWEB1"
$privateIPAddress = "192.168.1.101"
$pipName = "PIPWEB1"
$dnsName = "iaasstoryws1"
Step 2 - Create the necessary resources for your VM

Before creating a VM, you need a resource group, VNet, public IP, and NIC to be used by the VM.
1. Create a new resource group.
New-AzureRmResourceGroup -Name $rgName -Location $location
2. Create the VNet and subnet.
$vnet = New-AzureRmVirtualNetwork -ResourceGroupName $rgName -Name $vnetName `

-AddressPrefix $vnetPrefix -Location $location
Add-AzureRmVirtualNetworkSubnetConfig -Name $subnetName `

-VirtualNetwork $vnet -AddressPrefix $subnetPrefix
3. Create the public IP resource.
$pip = New-AzureRmPublicIpAddress -Name $pipName -ResourceGroupName $rgName `

-AllocationMethod Static -DomainNameLabel $dnsName -Location $location
4. Create the network interface (NIC) for the VM in the subnet created above, with the public IP. Notice the first
cmdlet retrieving the VNet from Azure, this is necessary since a Set-AzureRmVirtualNetwork was executed to
change the existing VNet.
$vnet = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rgName

$subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$nic = New-AzureRmNetworkInterface -Name $nicName -ResourceGroupName $rgName `
-Subnet $subnet -Location $location -PrivateIpAddress $privateIPAddress `
-PublicIpAddress $pip
5. Create a storage account to host the VM OS drive.
$stdStorageAccount = New-AzureRmStorageAccount -Name $stdStorageAccountName `

-ResourceGroupName $rgName -Type Standard_LRS -Location $location
Step 3 - Create the VM

Now that all necessary resources are in place, you can create a new VM.
1. Create the configuration object for the VM.
$vmConfig = New-AzureRmVMConfig -VMName $vmName -VMSize $vmSize
2. Get credentials for the VM local administrator account.
$cred = Get-Credential -Message "Type the name and password for the local administrator account."
3. Create a VM configuration object.
$vmConfig = Set-AzureRmVMOperatingSystem -VM $vmConfig -Windows -ComputerName $vmName `

-Credential $cred -ProvisionVMAgent -EnableAutoUpdate
4. Set the operating system image for the VM.
$vmConfig = Set-AzureRmVMSourceImage -VM $vmConfig -PublisherName $publisher `

-Offer $offer -Skus $sku -Version $version
5. Configure the OS disk.
$osVhdUri = $stdStorageAccount.PrimaryEndpoints.Blob.ToString() + "vhds/" + $osDiskName + ".vhd"

$vmConfig = Set-AzureRmVMOSDisk -VM $vmConfig -Name $osDiskName -VhdUri $osVhdUri -CreateOption
fromImage
6. Add the NIC to the VM.
$vmConfig = Add-AzureRmVMNetworkInterface -VM $vmConfig -Id $nic.Id -Primary
7. Create the VM.
New-AzureRmVM -VM $vmConfig -ResourceGroupName $rgName -Location $location
8. Save the script file.

Step 4 - Run the script
After making any necessary changes, and understanding the script show above, run the script.
1. From a PowerShell console, or PowerShell ISE, run the script above.
2. The following output should be displayed after a few minutes:
ResourceGroupName : IaaSStory
Location : westus
Tags :
ResourceId : /subscriptions/[Subscription ID]/resourceGroups/IaaSStory
AddressSpace : Microsoft.Azure.Commands.Network.Models.PSAddressSpace
DhcpOptions : Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
Subnets : {FrontEnd}
AddressSpaceText : {
"192.168.0.0/16"
]
}
DhcpOptionsText : {}
SubnetsText : [
{
"Name": "FrontEnd",
"AddressPrefix": "192.168.1.0/24"
}
]
Location : westus
ResourceGuid : [Id]
Tag : {}
TagsTable :
Name : WTestVNet
Etag : W/"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
ID]/resourceGroups/IaaSStory/providers/Microsoft.Network/virtualNetworks/WTestVNet
AddressSpace :
Microsoft.Azure.Commands.Network.Models.PSAddressSpace
DhcpOptions :
Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
Subnets :
{FrontEnd}
ProvisioningState :
Succeeded
AddressSpaceText :
{
"192.168.0.0/16"
]
}
DhcpOptionsText : {
"DnsServers": []
}
SubnetsText : [
{
"Name": "FrontEnd",
"Etag": [Id],
ID]/resourceGroups/IaaSStory/providers/Microsoft.Network/virtualNetworks/WTestVNet/subnets/FrontEnd",
"AddressPrefix": "192.168.1.0/24",
}
]
Location : westus
ResourceGuid : [Id]
Tag : {}
TagsTable :
TagsTable :
Name : WTestVNet
Etag : [Id]
Id]/resourceGroups/IaaSStory/providers/Microsoft.Network/virtualNetworks/WTestVNet
TrackingOperationId : [Id]
RequestId : [Id]
Status : Succeeded
StatusCode : OK
Output :
StartTime : [Subscription Id]
EndTime : [Subscription Id]
Error :
ErrorText :
Create a VM with a static public IP address using the
Azure CLI 2.0
Azure has two different deployment models for creating and working with resources: Resource Manager and
classic. This article covers using the Resource Manager deployment model, which Microsoft recommends for most
new deployments instead of the classic deployment model.
Scenario
to an IP address.
Create the VM
You can complete this task using the Azure CLI 2.0 (this article) or the Azure CLI 1.0. The values in "" for the
variables in the steps that follow create resources with settings from the scenario. Change the values, as
appropriate, for your environment.
1. Install the Azure CLI 2.0 if you don't already have it installed.
2. Create an SSH public and private key pair for Linux VMs by completing the steps in the Create an SSH public
and private key pair for Linux VMs.
3. From a command shell, login with the command az login .
4. Create the VM by executing the script that follows on a Linux or Mac computer. The Azure public IP address,
virtual network, network interface, and VM resources must all exist in the same location. Though the resources
don't all have to exist in the same resource group, in the following script they do.
RgName="IaaSStory"
Location="westus"
az group create \
--name $RgName \
--location $Location
# Create a public IP address resource with a static IP address using the --allocation-method Static option.
# If you do not specify this option, the address is allocated dynamically. The address is assigned to the
# resource from a pool of IP adresses unique to each Azure region. The DnsName must be unique within the
# Azure location it's created in. Download and view the file from https://www.microsoft.com/en-
us/download/details.aspx?id=41653#
# that lists the ranges for each region.
PipName="PIPWEB1"
DnsName="iaasstoryws1"
az network public-ip create \
--name $PipName \
--resource-group $RgName \
--location $Location \
--allocation-method Static \
--dns-name $DnsName
# Create a virtual network with one subnet
VnetName="TestVNet"
VnetPrefix="192.168.0.0/16"
SubnetName="FrontEnd"
SubnetPrefix="192.168.1.0/24"
--name $VnetName \
--address-prefix $VnetPrefix \
--subnet-name $SubnetName \
--subnet-prefix $SubnetPrefix
# Create a network interface connected to the VNet with a static private IP address and associate the public
IP address
# resource to the NIC.
NicName="NICWEB1"
PrivateIpAddress="192.168.1.101"
az network nic create \
--name $NicName \
--subnet $SubnetName \
--vnet-name $VnetName \
--private-ip-address $PrivateIpAddress \
--public-ip-address $PipName
# Create a new VM with the NIC
VmName="WEB1"
# Replace the value for the VmSize variable with a value from the
# https://docs.microsoft.com/azure/virtual-machines/virtual-machines-linux-sizes article.
VmSize="Standard_DS1"
# Replace the value for the OsImage variable with a value for *urn* from the output returned by entering
# the àz vm image list` command.
OsImage="credativ:Debian:8:latest"
Username='adminuser'
# Replace the following value with the path to your public key file.
SshKeyValue="~/.ssh/id_rsa.pub"
az vm create \
--name $VmName \
--image $OsImage \
--size $VmSize \
--nics $NicName \
--admin-username $Username \
--ssh-key-value $SshKeyValue
# If creating a Windows VM, remove the previous line and you'll be prompted for the password you want to
configure for the VM.
In addition to creating a VM, the script creates:

A single premium managed disk by default, but you have other options for the disk type you can create. Read
the Create a Linux VM using the Azure CLI 2.0 article for details.
Virtual network, subnet, NIC, and public IP address resources. Alternatively, you can use existing virtual network,
subnet, NIC, or public IP address resources. To learn how to use existing network resources rather than creating
additional resources, enter az vm create -h .
Validate VM creation and public IP address

1. Enter the command az resource list --resouce-group IaaSStory --output table to see a list of the resources
created by the script. There should be five resources in the returned output: network interface, disk, public IP
address, virtual network, and a virtual machine.
2. Enter the command az network public-ip show --name PIPWEB1 --resource-group IaaSStory --output table . In
the returned output, note the value of IpAddress and that the value of PublicIpAllocationMethod is Static.
3. Before executing the following command, remove the <>, replace Username with the name you used for the
Username variable in the script, and replace ipAddress with the ipAddress from the previous step. Run the
following command to connect to the VM: ssh -i ~/.ssh/azure_id_rsa <Username>@<ipAddress> .
Remove the VM and associated resources

It's recommended that you delete the resources created in this exercise if you won't use them in production. VM,
public IP address, and disk resources incur charges, as long as they're provisioned. To remove the resources
created during this exercise, complete the following steps:
1. To view the resources in the resource group, run the az resource list --resource-group IaaSStory command.
2. Confirm there are no resources in the resource group, other than the resources created by the script in this
article.
3. To delete all resources created in this exercise, run the az group delete -n IaaSStory command. The command
deletes the resource group and all the resources it contains.
Next steps
Any network traffic can flow to and from the VM created in this article. You can define inbound and outbound rules
within an NSG that limit the traffic that can flow to and from the network interface, the subnet, or both. To learn
more about NSGs, read the NSG overview article.
Create a VM with a static public IP address using an
Azure Resource Manager template
NOTE
Scenario
to an IP address.
Public IP address resources in a template file

The following section shows the definition of the public IP resource, based on the scenario above:
{
"apiVersion": "2015-06-15",
"type": "Microsoft.Network/publicIPAddresses",
"name": "[variables('webVMSetting').pipName]",
"properties": {
"publicIPAllocationMethod": "Static"
},
"tags": {
"displayName": "PublicIPAddress - Web"
}
},
Notice the publicIPAllocationMethod property, which is set to Static. This property can be either Dynamic
(default value) or Static. Setting it to static guarantees that the public IP address assigned will never change.
The following section shows the association of the public IP address with a network interface:
{
"apiVersion": "2015-06-15",
"name": "[variables('webVMSetting').nicName]",
"tags": {
"displayName": "NetworkInterface - Web"
},
"dependsOn": [
"[concat('Microsoft.Network/publicIPAddresses/', variables('webVMSetting').pipName)]",
"[concat('Microsoft.Network/virtualNetworks/', parameters('vnetName'))]"
],
"properties": {
{
"properties": {
"privateIPAddress": "[variables('webVMSetting').ipAddress]",
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses',variables('webVMSetting').pipName)]"
},
"subnet": {
"id": "[variables('frontEndSubnetRef')]"
}
}
}
]
}
},
Notice the publicIPAddress property pointing to the Id of a resource named

variables('webVMSetting').pipName. That is the name of the public IP resource shown above.
Finally, the network interface above is listed in the networkProfile property of the VM being created.
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', variables('webVMSetting').nicName)]"
}
]
}
Deploy the template by using click to deploy
generate the scenario described above. To deploy this template using click to deploy, click Deploy to Azure in the
Readme.md file for the VM with static PIP template. Replace the default parameter values if desired and enter
values for the blank parameters. Follow the instructions in the portal to create a virtual machine with a static public
IP address.
Deploy the template by using PowerShell

To deploy the template you downloaded by using PowerShell, follow the steps below.
1. If you have never used Azure PowerShell, complete the steps in the How to Install and Configure Azure
PowerShell article.
2. In a PowerShell console, run the New-AzureRmResourceGroup cmdlet to create a new resource group, if
necessary. If you already have a resource group created, go to step 3.
New-AzureRmResourceGroup -Name PIPTEST -Location westus
Expected output:
ResourceGroupName : PIPTEST
Location : westus
Tags :
ResourceId : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/StaticPublicIP
3. In a PowerShell console, run the New-AzureRmResourceGroupDeployment cmdlet to deploy the template.
New-AzureRmResourceGroupDeployment -Name DeployVM -ResourceGroupName PIPTEST `

-TemplateUri https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/IaaS-
Story/03-Static-public-IP/azuredeploy.json `
-TemplateParameterUri https://raw.githubusercontent.com/Azure/azure-quickstart-
templates/master/IaaS-Story/03-Static-public-IP/azuredeploy.parameters.json
Expected output:
DeploymentName : DeployVM
ResourceGroupName : PIPTEST
Timestamp : [Date and time]
Mode : Incremental
TemplateLink :
Uri : https://raw.githubusercontent.com/Azure/azure-quickstart-
templates/mas
ter/IaaS-Story/03-Static-public-IP/azuredeploy.json
ContentVersion : 1.0.0.0
Parameters :
Name Type Value
======================== ========================= ==========
vnetName String WTestVNet
vnetPrefix String 192.168.0.0/16
frontEndSubnetName String FrontEnd
frontEndSubnetPrefix String 192.168.1.0/24
storageAccountNamePrefix String iaasestd
stdStorageType String Standard_LRS
osType String Windows
adminUsername String adminUser
adminPassword SecureString
Outputs :
Deploy the template by using the Azure CLI

To deploy the template by using the Azure CLI, complete the following steps:
1. If you have never used Azure CLI, follow the steps in the Install and Configure the Azure CLI article to install and
configure it.
2. Run the azure config mode command to switch to Resource Manager mode, as shown below.
The expected output for the command above:
3. Open the parameter file, select its content, and save it to a file in your computer. For this example, the
parameters are saved to a file named parameters.json. Change the parameter values within the file if
desired, but at a minimum, it's recommended that you change the value for the adminPassword parameter
to a unique, complex password.
4. Run the azure group deployment create cmd to deploy the new VNet by using the template and parameter
files you downloaded and modified above. In the command below, replace with the path you saved the file
to.
azure group create -n PIPTEST2 -l westus --template-uri https://raw.githubusercontent.com/Azure/azure-

quickstart-templates/master/IaaS-Story/03-Static-public-IP/azuredeploy.json -e <path>\parameters.json
Expected output (lists parameter values used):

+ Getting resource group PIPTEST2
+ Creating resource group PIPTEST2
info: Created resource group PIPTEST2
+ Initializing template configurations and parameters
+ Creating a deployment
data: Id: /subscriptions/[Subscription ID]/resourceGroups/PIPTEST2
data: Name: PIPTEST2
data: Tags: null
data:
Reserved IP addresses (Classic)
IP addresses in Azure fall into two categories: dynamic and reserved. Public IP addresses managed by Azure are
dynamic by default. That means that the IP address used for a given cloud service (VIP) or to access a VM or role
instance directly (ILPIP) can change from time to time, when resources are shut down or stopped (deallocated).
To prevent IP addresses from changing, you can reserve an IP address. Reserved IPs can be used only as a VIP,
ensuring that the IP address for the cloud service remains the same, even as resources are shut down or stopped
(deallocated). Furthermore, you can convert existing dynamic IPs used as a VIP to a reserved IP address.
IMPORTANT
Manager model. Learn how to reserve a static public IP address using the Resource Manager deployment model.
To learn more about IP addresses in Azure, read the IP addresses article.
When do I need a reserved IP?

You want to ensure that the IP is reserved in your subscription. If you want to reserve an IP address that
is not released from your subscription under any circumstance, you should use a reserved public IP.
You want your IP to stay with your cloud service even across stopped or deallocated state (VMs). If
you want your service to be accessed by using an IP address that doesn't change, even when VMs in the cloud
service are shut down or stop (deallocated).
You want to ensure that outbound traffic from Azure uses a predictable IP address. You may have
your on-premises firewall configured to allow only traffic from specific IP addresses. By reserving an IP, you
know the source IP address, and don't need to update your firewall rules due to an IP change.
FAQ
1. Can I use a reserved IP for all Azure services?
No. Reserved IPs can only be used for VMs and cloud service instance roles exposed through a VIP.
2. How many reserved IPs can I have?
For details, see the Azure limits article.
3. Is there a charge for reserved IPs?
Sometimes. For pricing details, see the Reserved IP Address Pricing Details page.
4. How do I reserve an IP address?
You can use PowerShell, the Azure Management REST API, or the Azure portal to reserve an IP address in an
Azure region. A reserved IP address is associated to your subscription.
5. Can I use a reserved IP with affinity group-based VNets?
No. Reserved IPs are only supported in regional VNets. Reserved IPs are not supported for VNets that are
associated with affinity groups. For more information about associating a VNet with a region or affinity group,
see the About Regional VNets and Affinity Groups article.
Manage reserved VIPs

Ensure you have installed and configured PowerShell by completing the steps in the Install and configure
PowerShell article.
Before you can use reserved IPs, you must add it to your subscription. To create a reserved IP from the pool of
public IP addresses available in the Central US location, run the following command:
New-AzureReservedIP ReservedIPName MyReservedIP Location "Central US"
Notice, however, that you cannot specify what IP is being reserved. To view what IP addresses are reserved in
your subscription, run the following PowerShell command, and notice the values for ReservedIPName and
Address:
Get-AzureReservedIP
Expected output:
ReservedIPName : MyReservedIP
Address : 23.101.114.211
Id : d73be9dd-db12-4b5e-98c8-bc62e7c42041
Label :
State : Created
InUse : False
ServiceName :
DeploymentName :
OperationDescription : Get-AzureReservedIP
OperationId : 55e4f245-82e4-9c66-9bd8-273e815ce30a
OperationStatus : Succeeded
NOTE
When you create a reserved IP address with PowerShell, you cannot specify a resource group to create the reserved IP in.
Azure places it into a resource group named Default-Networking automatically. If you create the reserved IP using the
Azure portal, you can specify any resource group you choose. If you create the reserved IP in a resource group other than
Default-Networking however, whenever you reference the reserved IP with commands such as Get-AzureReservedIP
and Remove-AzureReservedIP , you must reference the name Group resource-group-name reserved-ip-name. For
example, if you create a reserved IP named myReservedIP in a resource group named myResourceGroup, you must
reference the name of the reserved IP as Group myResourceGroup myReservedIP.
Once an IP is reserved, it remains associated to your subscription until you delete it. To delete a reserved IP, run
the following PowerShell command:
Remove-AzureReservedIP -ReservedIPName "MyReservedIP"
Reserve the IP address of an existing cloud service

You can reserve the IP address of an existing cloud service by adding the -ServiceName parameter. To reserve the
IP address of a cloud service TestService in the Central US location, run the following PowerShell command:
New-AzureReservedIP ReservedIPName MyReservedIP Location "Central US" -ServiceName TestService
Associate a reserved IP to a new cloud service

The following script creates a new reserved IP, then associates it to a new cloud service named TestService.
New-AzureReservedIP ReservedIPName MyReservedIP Location "Central US"
$image = Get-AzureVMImage|?{$_.ImageName -like "*RightImage-Windows-2012R2-x64*"}
New-AzureVMConfig -Name TestVM -InstanceSize Small -ImageName $image.ImageName `

| Add-AzureProvisioningConfig -Windows -AdminUsername adminuser -Password MyP@ssw0rd!! `
| New-AzureVM -ServiceName TestService -ReservedIPName MyReservedIP -Location "Central US"
NOTE
When you create a reserved IP to use with a cloud service, you still refer to the VM by using VIP:<port number> for
inbound communication. Reserving an IP does not mean you can connect to the VM directly. The reserved IP is assigned
to the cloud service that the VM has been deployed to. If you want to connect to a VM by IP directly, you have to
configure an instance-level public IP. An instance-level public IP is a type of public IP (called an ILPIP) that is assigned
directly to your VM. It cannot be reserved. For more information, read the Instance-level Public IP (ILPIP) article.
Remove a reserved IP from a running deployment

To remove a reserved IP added to a new cloud service, run the following PowerShell command:
Remove-AzureReservedIPAssociation -ReservedIPName MyReservedIP -ServiceName TestService
NOTE
Removing a reserved IP from a running deployment does not remove the reservation from your subscription. It simply
frees the IP to be used by another resource in your subscription.
Associate a reserved IP to a running deployment

The following commands create a cloud service named TestService2 with a new VM named TestVM2. The existing
reserved IP named MyReservedIP is then associated to the cloud service.
$image = Get-AzureVMImage|?{$_.ImageName -like "*RightImage-Windows-2012R2-x64*"}
New-AzureVMConfig -Name TestVM2 -InstanceSize Small -ImageName $image.ImageName `

| Add-AzureProvisioningConfig -Windows -AdminUsername adminuser -Password MyP@ssw0rd!! `
| New-AzureVM -ServiceName TestService2 -Location "Central US"
Set-AzureReservedIPAssociation -ReservedIPName MyReservedIP -ServiceName TestService2
Associate a reserved IP to a cloud service by using a service

configuration file
You can also associate a reserved IP to a cloud service by using a service configuration (CSCFG) file. The
following sample xml shows how to configure a cloud service to use a reserved VIP named MyReservedIP:
<?xml version="1.0" encoding="utf-8"?>
<ServiceConfiguration serviceName="ReservedIPSample"
xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration" osFamily="4" osVersion="*"
schemaVersion="2014-01.2.3">
<Role name="WebRole1">
<Instances count="1" />
<ConfigurationSettings>
<Setting name="Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString"
value="UseDevelopmentStorage=true" />
</ConfigurationSettings>
</Role>
<NetworkConfiguration>
<AddressAssignments>
<ReservedIPs>
<ReservedIP name="MyReservedIP"/>
</ReservedIPs>
</AddressAssignments>
</NetworkConfiguration>
</ServiceConfiguration>
Next steps
Understand how IP addressing works in the classic deployment model.
Learn about reserved private IP addresses.
Learn about Instance Level Public IP (ILPIP) addresses.
Configure private IP addresses for a virtual machine
using the Azure portal
Your IaaS virtual machines (VMs) and PaaS role instances in a virtual network automatically receive a private IP
address from a range that you specify, based on the subnet they are connected to. That address is retained by the
VMs and role instances, until they are decommissioned. You decommission a VM or role instance by stopping it
from PowerShell, the Azure CLI, or the Azure portal. In those cases, once the VM or role instance starts again, it will
receive an available IP address from the Azure infrastructure, which might not be the same it previously had. If you
shut down the VM or role instance from the guest operating system, it retains the IP address it had.
In certain cases, you want a VM or role instance to have a static IP address, for example, if your VM is going to run
DNS or will be a domain controller. You can do so by setting a static private IP address.
IMPORTANT
This article covers the Resource Manager deployment model. You can also manage static private IP address in the
classic deployment model.
Scenario
To better illustrate how to configure a static IP address for a VM, this document will use the scenario below.
In this scenario you will create a VM named DNS01 in the FrontEnd subnet, and set it to use a static IP address of
192.168.1.101.
The sample steps below expect a simple environment already created. If you want to run the steps as they are
displayed in this document, first build the test environment described in create a vnet.
How to create a VM for testing static private IP addresses

You cannot set a static private IP address during the creation of a VM in the Resource Manager deployment mode
by using the Azure portal. You must create the VM first, tehn set its private IP to be static.
To create a VM named DNS01 in the FrontEnd subnet of a VNet named TestVNet, follow the steps below.
2. Click NEW > Compute > Windows Server 2012 R2 Datacenter, notice that the Select a deployment
model list already shows Resource Manager, and then click Create, as seen in the figure below.
3. In the Basics blade, enter the name of the VM to be created (DNS01 in our scenario), the local administrator
account, and password, as seen in the figure below.
4. Make sure the Location selected is Central US, then click Select existing under Resource group, then
click Resource group again, then click TestRG, and then click OK.
5. In the Choose a size blade, select A1 Standard, and then click Select.
6. In teh Settings blade, make sure the following properties are set are set with the values below, and then
click OK.
-Storage account: vnetstorage
Network: TestVNet
Subnet: FrontEnd
7. In the Summary blade, click OK. Notice the tile below displayed in your dashboard.
How to retrieve static private IP address information for a VM

To view the static private IP address information for the VM created with the steps above, execute the steps below.
1. From the Azure Azure portal, click BROWSE ALL > Virtual machines > DNS01 > All settings > Network
interfaces and then click on the only network interface listed.
2. In the Network interface blade, click All settings > IP addresses and notice the Assignment and IP
address values.
How to add a static private IP address to an existing VM

To add a static private IP address to the VM created using the steps above, follow the steps below:
1. From the IP addresses blade shown above, click Static under Assignment.
2. Type 192.168.1.101 for IP address, and then click Save.
NOTE
If after clicking Save you notice that the assignment is still set to Dynamic, it means that the IP address you typed is
already in use. Try a different IP address.
How to remove a static private IP address from a VM

To remove the static private IP address from the VM created above, complete the following step:
From the IP addresses blade shown above, click Dynamic under Assignment, and then click Save.
Next steps
Learn about reserved public IP addresses.
Learn about instance-level public IP (ILPIP) addresses.
Consult the Reserved IP REST APIs.
using PowerShell
two models, read the Understand Azure deployment models article. This article covers the Resource Manager
deployment model. You can also manage static private IP address in the classic deployment model.
Scenario
192.168.1.101.
described in create a vnet.
Create a VM with a static private IP address

To create a VM named DNS01 in the FrontEnd subnet of a VNet named TestVNet with a static private IP of
192.168.1.101, follow the steps below:
1. Set variables for the storage account, location, resource group, and credentials to be used. You will need to
enter a user name and password for the VM. The storage account and resource group must already exist.
$stName = "vnetstorage"
$locName = "Central US"
$rgName = "TestRG"
$cred = Get-Credential -Message "Type the name and password of the local administrator account."
2. Retrieve the virtual network and subnet you want to create the VM in.

$subnet = $vnet.Subnets[0].Id
3. If necessary, create a public IP address to access the VM from the Internet.
$pip = New-AzureRmPublicIpAddress -Name TestPIP -ResourceGroupName $rgName `

-Location $locName -AllocationMethod Dynamic
4. Create a NIC using the static private IP address you want to assign to the VM. Make sure the IP is from the
subnet range you are adding the VM to. This is the main step for this article, where you set the private IP to
be static.
$nic = New-AzureRmNetworkInterface -Name TestNIC -ResourceGroupName $rgName `

-Location $locName -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id `
-PrivateIpAddress 192.168.1.101
5. Create the VM using the NIC created above.
$vm = New-AzureRmVMConfig -VMName DNS01 -VMSize "Standard_A1"

$vm = Set-AzureRmVMOperatingSystem -VM $vm -Windows -ComputerName DNS01 `
-Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vm = Set-AzureRmVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer `
-Offer WindowsServer -Skus 2012-R2-Datacenter -Version "latest"
$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic.Id
$osDiskUri = $storageAcc.PrimaryEndpoints.Blob.ToString() + "vhds/WindowsVMosDisk.vhd"
$vm = Set-AzureRmVMOSDisk -VM $vm -Name "windowsvmosdisk" -VhdUri $osDiskUri `
-CreateOption fromImage
New-AzureRmVM -ResourceGroupName $rgName -Location $locName -VM $vm
Expected output:
EndTime : [Date and time]

Error :
Output :
StartTime : [Date and time]
Status : Succeeded
TrackingOperationId : [Id]
RequestId : [Id]
StatusCode : OK
Retrieve static private IP address information for a network interface

To view the static private IP address information for the VM created with the script above, run the following
PowerShell command and observe the values for PrivateIpAddress and PrivateIpAllocationMethod:
Get-AzureRmNetworkInterface -Name TestNIC -ResourceGroupName TestRG
Expected output:
Name : TestNIC
Id :
/subscriptions/[Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/TestNIC
Etag : W/"[Id]"
Tags :
VirtualMachine : {
"Id":
"/subscriptions/[Id]/resourceGroups/TestRG/providers/Microsoft.Compute/virtualMachines/DNS01"
}
{
"Etag": "W/\"[Id]\"",
"Id":
"/subscriptions/[Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/TestNIC/ipConfigurati
ons/ipconfig1",
"PrivateIpAllocationMethod": "Static",
"Subnet": {
"Id":
"/subscriptions/[Id]/resourceGroups/TestRG/providers/Microsoft.Network/virtualNetworks/TestVNet/subnets/FrontE
nd"
},
"Id":
"/subscriptions/[Id]/resourceGroups/TestRG/providers/Microsoft.Network/publicIPAddresses/TestPIP"
},
}
]
DnsSettings : {
"DnsServers": [],
}
EnableIPForwarding : False
Primary : True
Remove a static private IP address from a network interface

To remove the static private IP address added to the VM in the script above, run the following PowerShell
commands:
$nic=Get-AzureRmNetworkInterface -Name TestNIC -ResourceGroupName TestRG

$nic.IpConfigurations[0].PrivateIpAllocationMethod = "Dynamic"
Set-AzureRmNetworkInterface -NetworkInterface $nic
Expected output:
Name : TestNIC
Id :
/subscriptions/[Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/TestNIC
Etag : W/"[Id]"
Tags :
VirtualMachine : {
"Id":
"/subscriptions/[Id]/resourceGroups/TestRG/providers/Microsoft.Compute/virtualMachines/WindowsVM"
}
{
"Etag": "W/\"[Id]\"",
"Id":
"/subscriptions/[Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/TestNIC/ipConfigurati
ons/ipconfig1",
"PrivateIpAllocationMethod": "Dynamic",
"Subnet": {
"Id":
"/subscriptions/[Id]/resourceGroups/TestRG/providers/Microsoft.Network/virtualNetworks/TestVNet/subnets/FrontE
nd"
},
"Id":
"/subscriptions/[Id]/resourceGroups/TestRG/providers/Microsoft.Network/publicIPAddresses/TestPIP"
},
}
]
DnsSettings : {
"DnsServers": [],
}
EnableIPForwarding : False
Primary : True
Add a static private IP address to a network interface

To add a static private IP address to the VM created using the script above, run the following commands:
$nic=Get-AzureRmNetworkInterface -Name TestNIC -ResourceGroupName TestRG

$nic.IpConfigurations[0].PrivateIpAllocationMethod = "Static"
$nic.IpConfigurations[0].PrivateIpAddress = "192.168.1.101"
Change the allocation method for a private IP address assigned to a

network interface
A private IP address is assigned to a NIC with the static or dynamic allocation method. Dynamic IP addresses can
change after starting a VM that was previously in the stopped (deallocated) state. This can potentially cause issues
if the VM is hosting a service that requires the same IP address, even after restarts from a stopped (deallocated)
state. Static IP addresses are retained until the VM is deleted. To change the allocation method of an IP address,
run the following script, which changes the allocation method from dynamic to static. If the allocation method for
the current private IP address is static, change Static to Dynamic before executing the script.
$RG = "TestRG"
$NIC_name = "testnic1"
$nic = Get-AzureRmNetworkInterface -ResourceGroupName $RG -Name $NIC_name

$nic.IpConfigurations[0].PrivateIpAllocationMethod = 'Static'
$IP = $nic.IpConfigurations[0].PrivateIpAddress
Write-Host "The allocation method is now set to"$nic.IpConfigurations[0].PrivateIpAllocationMethod"for the IP

address" $IP"." -NoNewline
If you don't know the name of the NIC, you can view a list of NICs within a resource group by entering the
following command:
Get-AzureRmNetworkInterface -ResourceGroupName $RG | Where-Object {$_.ProvisioningState -eq 'Succeeded'}
Next steps
using the Azure CLI 2.0

IMPORTANT
This article covers the Resource Manager deployment model. You can also manage static private IP address in the
classic deployment model.
Scenario
192.168.1.101.
NOTE
The sample Azure CLI 2.0 commands below expect a simple environment already created. If you want to run the commands
as they are displayed in this document, first build the test environment described in create a vnet.
Specify a static private IP address when creating a VM

1. If you haven't yet, install and configure the latest Azure CLI 2.0 and log in to an Azure account using az
login.
2. Create a public IP for the VM with the az network public-ip create command. The list shown after the output
explains the parameters used.
NOTE
You may want or need to use different values for your arguments in this and subsequent steps, depending upon
your environment.

--name TestPIP \
--allocation-method Static
Expected output:
{
"publicIp": {
"idleTimeoutInMinutes": 4,
"ipAddress": "52.176.43.167",
"publicIPAllocationMethod": "Static",
"resourceGuid": "79e8baa3-33ce-466a-846c-37af3c721ce1"
}
}
--resource-group : Name of the resource group in which to create the public IP.
--name : Name of the public IP.
--location : Azure region in which to create the public IP.
3. Run the az network nic create command to create a NIC with a static private IP. The list shown after the
output explains the parameters used.

--name TestNIC \
--subnet FrontEnd \
--private-ip-address 192.168.1.101 \
Expected output:
{
"newNIC": {
"dnsSettings": {
"appliedDnsServers": [],
"dnsServers": []
},
"enableIPForwarding": false,
{
"etag": "W/\"<guid>\"",
"id":
"/subscriptions/<guid>/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/TestNIC/ipCo
nfigurations/ipconfig1",
"properties": {
"primary": true,
"privateIPAddress": "192.168.1.101",
"subnet": {
"id":
ts/FrontEnd",
}
},
}
],
"resourceGuid": "<guid>"
}
}
Parameters:
--private-ip-address : Static private IP address for the NIC.
--vnet-name : Name of the VNet in wihch to create the NIC.
--subnet : Name of the subnet in which to create the NIC.
4. Run the azure vm create command to create the VM using the public IP and NIC created above. The list
shown after the output explains the parameters used.
az vm create \
--name DNS01 \
--image Debian \
--admin-username adminuser \
--ssh-key-value ~/.ssh/id_rsa.pub \
--nics TestNIC
Expected output:
{
"fqdns": "",
"id":
"/subscriptions/<guid>/resourceGroups/TestRG/providers/Microsoft.Compute/virtualMachines/DNS01",
"macAddress": "00-0D-3A-92-C1-66",
"powerState": "VM running",
"privateIpAddress": "192.168.1.101",
"publicIpAddress": "",
}
Parameters other than the basic az vm create parameters.

--nics : Name of the NIC to which the VM is attached.
Retrieve static private IP address information for a VM

To view the static private IP address that you created, run the following Azure CLI command and observe the
values for Private IP alloc-method and Private IP address:
az vm show -g TestRG -n DNS01 --show-details --query 'privateIps'
Expected output:
"192.168.1.101"
To display the specific IP information of the NIC for that VM, query the NIC specifically:
az network nic show \

-g testrg \
-n testnic \
--query 'ipConfigurations[0].{PrivateAddress:privateIpAddress,IPVer:privateIpAddressVersion,IpAllocMethod:p
rivateIpAllocationMethod,PublicAddress:publicIpAddress}'
The output is something like:
{
"IPVer": "IPv4",
"IpAllocMethod": "Static",
"PrivateAddress": "192.168.1.101",
"PublicAddress": null
}
Remove a static private IP address from a VM

You cannot remove a static private IP address from a NIC in Azure CLI for resource manager deployments. You
must:
Create a new NIC that uses a dynamic IP
Set the NIC on the VM do the newly created NIC.
To change the NIC for the VM used in the commands above, follow the steps below.
1. Run the azure network nic create command to create a new NIC using dynamic IP allocation with a new
IP address. Note that because no IP address is specified, the allocation method is Dynamic.

--name TestNIC2 \
--subnet FrontEnd \
Expected output:
{
"newNIC": {
"dnsSettings": {
"dnsServers": []
},
"enableIPForwarding": false,
{
"etag": "W/\"<guid>\"",
"id":
"/subscriptions/<guid>/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/TestNIC2/ipC
onfigurations/ipconfig1",
"properties": {
"primary": true,
"privateIPAddress": "192.168.1.4",
"privateIPAllocationMethod": "Dynamic",
"subnet": {
"id":
ts/FrontEnd",
}
},
}
],
"resourceGuid": "0808a61c-476f-4d08-98ee-0fa83671b010"
}
}
2. Run the azure vm set command to change the NIC used by the VM.
azure vm set -g TestRG -n DNS01 -N TestNIC2
Expected output:
[
{
"id": "/subscriptions/0e220bf6-5caa-4e9f-8383-
51f16b6c109f/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/TestNIC3",
"primary": true,
}
]
NOTE
If the VM is large enough to have more than one NIC, run the azure network nic delete command to delete the
old NIC.
Next steps
(Classic) using the Azure portal
from PowerShell, the Azure CLI, or the Azure portal. In those cases, once the VM or role instance starts again, it
will receive an available IP address from the Azure infrastructure, which might not be the same it previously had. If
you shut down the VM or role instance from the guest operating system, it retains the IP address it had.
IMPORTANT
This article covers the classic deployment model. You can also manage a static private IP address in the Resource
Scenario
192.168.1.101.
The sample steps below expect a simple environment already created. If you want to run the steps as they are
displayed in this document, first build the test environment described in create a vnet.
How to specify a static private IP address when creating a VM

2. Click NEW > Compute > Windows Server 2012 R2 Datacenter, notice that the Select a deployment
model list already shows Classic, and then click Create.
3. In the Create VM blade, enter the name of the VM to be created (DNS01 in our scenario), the local
administrator account, and password.
4. Click Optional Configuration > Network > Virtual Network, and then click TestVNet. If TestVNet is
not available, make sure you are using the Central US location and have created the test environment
described at the beginning of this article.
5. In the Network blade, make sure the subnet currently selected is FrontEnd, then click IP addresses, under
IP address assignment click Static, and then enter 192.168.1.101 for IP Address as seen below.
6. Click OK in the IP addresses blade, then click OK in the Network blade, and click OK in the Optional config
blade.
7. In the Create VM blade, click Create. Notice the tile below displayed in your dashboard.

To view the static private IP address information for the VM created with the steps above, execute the steps below.
1. From the Azure Azure portal, click BROWSE ALL > Virtual machines (classic) > DNS01 > All settings >
IP addresses and notice the IP address assignment and IP address as seen below.

To remove the static private IP address from the VM created above, follow the steps below.
1. From the IP addresses blade shown above, click Dynamic to the right of IP address assignment, then
click Save, and then click Yes.
To add a static private IP address to the VM created using the steps above, follow the steps below:
1. From the IP addresses blade shown above, click Static to the right of IP address assignment.
2. Type 192.168.1.101 for IP address, then click Save, and then click Yes.
Next steps
(Classic) using PowerShell
receive an available IP address from the Azure infrastructure, which might not be the same it previously had. If
IMPORTANT
Scenario
192.168.1.101.
The sample PowerShell commands below expect a simple environment already created. If you want to run the
commands as they are displayed in this document, first build the test environment described in Create a VNet.
How to verify if a specific IP address is available

To verify if the IP address 192.168.1.101 is available in a VNet named TestVNet, run the following PowerShell
command and verify the value for IsAvailable:
Test-AzureStaticVNetIP VNetName TestVNet IPAddress 192.168.1.101
Expected output:
IsAvailable : True
AvailableAddresses : {}
OperationDescription : Test-AzureStaticVNetIP
OperationId : fd3097e1-5f4b-9cac-8afa-bba1e3492609

The PowerShell script below creates a new cloud service named TestService, then retrieves an image from Azure,
creates a VM named DNS01 in the new cloud service using the retrieved image, sets the VM to be in a subnet
named FrontEnd, and sets 192.168.1.7 as a static private IP address for the VM:
New-AzureService -ServiceName TestService -Location "Central US"

$image = Get-AzureVMImage | where {$_.ImageName -like "*RightImage-Windows-2012R2-x64*"}
New-AzureVMConfig -Name DNS01 -InstanceSize Small -ImageName $image.ImageName |
Add-AzureProvisioningConfig -Windows -AdminUsername adminuser -Password MyP@ssw0rd!! |
Set-AzureSubnet SubnetNames FrontEnd |
Set-AzureStaticVNetIP -IPAddress 192.168.1.7 |
New-AzureVM -ServiceName TestService VNetName TestVNet
Expected output:
WARNING: No deployment found in service: 'TestService'.

OperationDescription OperationId OperationStatus
-------------------- ----------- ---------------
New-AzureService fcf705f1-d902-011c-95c7-b690735e7412 Succeeded
New-AzureVM 3b99a86d-84f8-04e5-888e-b6fc3c73c4b9 Succeeded

To view the static private IP address information for the VM created with the script above, run the following
PowerShell command and observe the values for IpAddress:
Get-AzureVM -Name DNS01 -ServiceName TestService
Expected output:
DeploymentName : TestService
Name : DNS01
Label :
VM : Microsoft.WindowsAzure.Commands.ServiceManagement.Model.PersistentVM
InstanceStatus : Provisioning
IpAddress : 192.168.1.7
InstanceStateDetails : Windows is preparing your computer for first use...
PowerState : Started
InstanceErrorCode :
InstanceFaultDomain : 0
InstanceName : DNS01
InstanceUpgradeDomain : 0
InstanceSize : Small
HostName : rsR2-797
AvailabilitySetName :
DNSName : http://testservice000.cloudapp.net/
Status : Provisioning
GuestAgentStatus : Microsoft.WindowsAzure.Commands.ServiceManagement.Model.GuestAgentStatus
ResourceExtensionStatusList : {Microsoft.Compute.BGInfo}
PublicIPAddress :
PublicIPName :
NetworkInterfaces : {}
ServiceName : TestService
OperationDescription : Get-AzureVM
OperationId : 34c1560a62f0901ab75cde4fed8e8bd1
OperationStatus : OK

To remove the static private IP address added to the VM in the script above, run the following PowerShell
command:
Get-AzureVM -ServiceName TestService -Name DNS01 |

Remove-AzureStaticVNetIP |
Update-AzureVM
Expected output:

-------------------- ----------- ---------------
Update-AzureVM 052fa6f6-1483-0ede-a7bf-14f91f805483 Succeeded

To add a static private IP address to the VM created using the script above, runt he following command:
Get-AzureVM -ServiceName TestService -Name DNS01 |

Set-AzureStaticVNetIP -IPAddress 192.168.1.7 |
Update-AzureVM
Expected output:

-------------------- ----------- ---------------
Update-AzureVM 77d8cae2-87e6-0ead-9738-7c7dae9810cb Succeeded
Next steps
(Classic) using the Azure CLI 1.0
from PowerShell, the Azure CLI, or the Azure portal. In those cases, once the VM or role instance starts again, it
will receive an available IP address from the Azure infrastructure, which might not be the same it previously had. If
IMPORTANT
The sample Azure CLI commands below expect a simple environment already created. If you want to run the
commands as they are displayed in this document, first build the test environment described in create a vnet.

To create a new VM named DNS01 in a new cloud service named TestService based on the scenario above, follow
these steps:
2. Run the azure service create command to create the cloud service.
azure service create TestService --location uscentral
Expected output:
info: Executing command service create

info: Creating cloud service
data: Cloud service name TestService
info: service create command OK
3. Run the azure create vm command to create the VM. Notice the value for a static private IP address. The
list shown after the output explains the parameters used.
azure vm create -l centralus -n DNS01 -w TestVNet -S "192.168.1.101" TestService
bd507d3a70934695bc2128e3e5a255ba__RightImage-Windows-2012R2-x64-v14.2 adminuser AdminP@ssw0rd
Expected output:
info: Executing command vm create

warn: --vm-size has not been specified. Defaulting to "Small".
info: Looking up image bd507d3a70934695bc2128e3e5a255ba__RightImage-Windows-2012R2-x64-v14.2
info: Looking up virtual network
info: Looking up cloud service
warn: --location option will be ignored
info: Getting cloud service properties
info: Looking up deployment
info: Retrieving storage accounts
info: Creating VM
info: OK
info: vm create command OK
-l (or --location). Azure region where the VM will be created. For our scenario, centralus.
-n (or --vm-name). Name of the VM to be created.
-w (or --virtual-network-name). Name of the VNet where the VM will be created.
-S (or --static-ip). Static private IP address for the VM.
TestService. Name of the cloud service where the VM will be created.
bd507d3a70934695bc2128e3e5a255ba__RightImage-Windows-2012R2-x64-v14.2. Image used to
create the VM.
adminuser. Local administrator for the Windows VM.
AdminP@ssw0rd. Local administrator password for the Windows VM.

To view the static private IP address information for the VM created with the script above, run the following Azure
CLI command and observe the value for Network StaticIP:
azure vm static-ip show DNS01
Expected output:
info: Executing command vm static-ip show

info: Getting virtual machines
data: Network StaticIP "192.168.1.101"
info: vm static-ip show command OK

To remove the static private IP address added to the VM in the script above, run the following Azure CLI
command:
azure vm static-ip remove DNS01
Expected output:
info: Executing command vm static-ip remove
info: Reading network configuration
info: Updating network configuration
info: vm static-ip remove command OK
How to add a static private IP to an existing VM

To add a static private IP address to the VM created using the script above, runt he following command:
azure vm static-ip set DNS01 192.168.1.101
Expected output:
info: Executing command vm static-ip set

info: Reading network configuration
info: Updating network configuration
info: vm static-ip set command OK
Next steps
Create and manage a Windows virtual machine that
has multiple NICs
Virtual machines (VMs) in Azure can have multiple virtual network interface cards (NICs) attached to them. A
common scenario is to have different subnets for front-end and back-end connectivity, or a network dedicated to a
monitoring or backup solution. This article details how to create a VM that has multiple NICs attached to it. You
also learn how to add or remove NICs from an existing VM. Different VM sizes support a varying number of NICs,
so size your VM accordingly.
For detailed information, including how to create multiple NICs within your own PowerShell scripts, see deploying
multiple-NIC VMs.
Prerequisites
Make sure that you have the latest Azure PowerShell version installed and configured.
In the following examples, replace example parameter names with your own values. Example parameter names
include myResourceGroup, myVnet, and myVM.
Create a VM with multiple NICs

First, create a resource group. The following example creates a resource group named myResourceGroup in the
EastUs location:
New-AzureRmResourceGroup -Name "myResourceGroup" -Location "EastUS"
Create virtual network and subnets

A common scenario is for a virtual network to have two or more subnets. One subnet may be for front-end traffic,
the other for back-end traffic. To connect to both subnets, you then use multiple NICs on your VM.
1. Define two virtual network subnets with New-AzureRmVirtualNetworkSubnetConfig. The following example
defines the subnets for mySubnetFrontEnd and mySubnetBackEnd:
$mySubnetFrontEnd = New-AzureRmVirtualNetworkSubnetConfig -Name "mySubnetFrontEnd" `

-AddressPrefix "192.168.1.0/24"
$mySubnetBackEnd = New-AzureRmVirtualNetworkSubnetConfig -Name "mySubnetBackEnd" `
-AddressPrefix "192.168.2.0/24"
2. Create your virtual network and subnets with New-AzureRmVirtualNetwork. The following example creates
a virtual network named myVnet:
$myVnet = New-AzureRmVirtualNetwork -ResourceGroupName "myResourceGroup" `

-Location "EastUs" `
-Name "myVnet" `
-AddressPrefix "192.168.0.0/16" `
-Subnet $mySubnetFrontEnd,$mySubnetBackEnd
Create multiple NICs

Create two NICs with New-AzureRmNetworkInterface. Attach one NIC to the front-end subnet and one NIC to the
back-end subnet. The following example creates NICs named myNic1 and myNic2:
$frontEnd = $myVnet.Subnets|?{$_.Name -eq 'mySubnetFrontEnd'}

$myNic1 = New-AzureRmNetworkInterface -ResourceGroupName "myResourceGroup" `
-Name "myNic1" `
-SubnetId $frontEnd.Id
$backEnd = $myVnet.Subnets|?{$_.Name -eq 'mySubnetBackEnd'}

-Name "myNic2" `
-SubnetId $backEnd.Id
Typically you also create a network security group or load balancer to help manage and distribute traffic across
your VMs. The more detailed multiple-NIC VM article guides you through creating a network security group and
assigning NICs.
Create the virtual machine
Now start to build your VM configuration. Each VM size has a limit for the total number of NICs that you can add to
a VM. For more information, see Windows VM sizes.
1. Set your VM credentials to the $cred variable as follows:
$cred = Get-Credential
2. Define your VM with New-AzureRmVMConfig. The following example defines a VM named myVM and uses
a VM size that supports more than two NICs (Standard_DS3_v2):
$vmConfig = New-AzureRmVMConfig -VMName "myVM" -VMSize "Standard_DS3_v2"
3. Create the rest of your VM configuration with Set-AzureRmVMOperatingSystem and Set-

AzureRmVMSourceImage. The following example creates a Windows Server 2016 VM:
$vmConfig = Set-AzureRmVMOperatingSystem -VM $vmConfig `

-Windows `
-ComputerName "myVM" `
-Credential $cred `
-ProvisionVMAgent `
-EnableAutoUpdate
$vmConfig = Set-AzureRmVMSourceImage -VM $vmConfig `
-PublisherName "MicrosoftWindowsServer" `
-Offer "WindowsServer" `
-Skus "2016-Datacenter" `
-Version "latest"
4. Attach the two NICs that you previously created with Add-AzureRmVMNetworkInterface:
$vmConfig = Add-AzureRmVMNetworkInterface -VM $vmConfig -Id $myNic1.Id -Primary

$vmConfig = Add-AzureRmVMNetworkInterface -VM $vmConfig -Id $myNic2.Id
5. Finally, create your VM with New-AzureRmVM:
New-AzureRmVM -VM $vmConfig -ResourceGroupName "myResourceGroup" -Location "EastUs"

Add a NIC to an existing VM
To add a virtual NIC to an existing VM, you deallocate the VM, add the virtual NIC, then start the VM.
1. Deallocate the VM with Stop-AzureRmVM. The following example deallocates the VM named myVM in
myResourceGroup:
Stop-AzureRmVM -Name "myVM" -ResourceGroupName "myResourceGroup"
2. Get the existing configuration of the VM with Get-AzureRmVm. The following example gets information for
the VM named myVM in myResourceGroup:
$vm = Get-AzureRmVm -Name "myVM" -ResourceGroupName "myResourceGroup"
3. The following example creates a virtual NIC with New-AzureRmNetworkInterface named myNic3 that is
attached to mySubnetBackEnd. The virtual NIC is then attached to the VM named myVM in
myResourceGroup with Add-AzureRmVMNetworkInterface:
# Get info for the back end subnet

$myVnet = Get-AzureRmVirtualNetwork -Name "myVnet" -ResourceGroupName "myResourceGroup"
$backEnd = $myVnet.Subnets|?{$_.Name -eq 'mySubnetBackEnd'}
# Create a virtual NIC

-Name "myNic3" `
-SubnetId $backEnd.Id
# Get the ID of the new virtual NIC and add to VM

$nicId = (Get-AzureRmNetworkInterface -ResourceGroupName "myResourceGroup" -Name "MyNic3").Id
Add-AzureRmVMNetworkInterface -VM $vm -Id $nicId | Update-AzureRmVm -ResourceGroupName "myResourceGroup"
Primary virtual NICs

One of the NICs on a multi-NIC VM needs to be primary. If one of the existing virtual NICs on the VM is
already set as primary, you can skip this step. The following example assumes that two virtual NICs are now
present on a VM and you wish to add the first NIC ( [0] ) as the primary:
# List existing NICs on the VM and find which one is primary

$vm.NetworkProfile.NetworkInterfaces
# Set NIC 0 to be primary

$vm.NetworkProfile.NetworkInterfaces[0].Primary = $true
$vm.NetworkProfile.NetworkInterfaces[1].Primary = $false
# Update the VM state in Azure

Update-AzureRmVM -VM $vm -ResourceGroupName "myResourceGroup"
4. Start the VM with Start-AzureRmVm:
Start-AzureRmVM -ResourceGroupName "myResourceGroup" -Name "myVM"
Remove a NIC from an existing VM

To remove a virtual NIC from an existing VM, you deallocate the VM, remove the virtual NIC, then start the VM.
1. Deallocate the VM with Stop-AzureRmVM. The following example deallocates the VM named myVM in
myResourceGroup:
Stop-AzureRmVM -Name "myVM" -ResourceGroupName "myResourceGroup"
2. Get the existing configuration of the VM with Get-AzureRmVm. The following example gets information for
the VM named myVM in myResourceGroup:
$vm = Get-AzureRmVm -Name "myVM" -ResourceGroupName "myResourceGroup"
3. Get information about the NIC remove with Get-AzureRmNetworkInterface. The following example gets
information about myNic3:
# List existing NICs on the VM if you need to determine NIC name

$vm.NetworkProfile.NetworkInterfaces
$nicId = (Get-AzureRmNetworkInterface -ResourceGroupName "myResourceGroup" -Name "myNic3").Id
4. Remove the NIC with Remove-AzureRmVMNetworkInterface and then update the VM with Update-
AzureRmVm. The following example removes myNic3 as obtained by $nicId in the preceding step:
Remove-AzureRmVMNetworkInterface -VM $vm -NetworkInterfaceIDs $nicId | `

Update-AzureRmVm -ResourceGroupName "myResourceGroup"
5. Start the VM with Start-AzureRmVm:
Start-AzureRmVM -Name "myVM" -ResourceGroupName "myResourceGroup"
Create multiple NICs with templates

Azure Resource Manager templates provide a way to create multiple instances of a resource during deployment,
such as creating multiple NICs. Resource Manager templates use declarative JSON files to define your
environment. For more information, see overview of Azure Resource Manager. You can use copy to specify the
number of instances to create:
"copy": {
"name": "multiplenics",
"count": "[parameters('count')]"
}
For more information, see creating multiple instances by using copy.

You can also use copyIndex() to append a number to a resource name. You can then create myNic1, MyNic2 and
so on. The following code shows an example of appending the index value:
"name": "[concat('myNic', copyIndex())]",
You can read a complete example of creating multiple NICs by using Resource Manager templates.
Next steps
Review Windows VM sizes when you're trying to create a VM that has multiple NICs. Pay attention to the
maximum number of NICs that each VM size supports.
How to create a Linux virtual machine in Azure with
multiple network interface cards
You can create a virtual machine (VM) in Azure that has multiple virtual network interfaces (NICs) attached to it. A
common scenario is to have different subnets for front-end and back-end connectivity, or a network dedicated to a
monitoring or backup solution. This article details how to create a VM with multiple NICs attached to it and how to
add or remove NICs from an existing VM. For detailed information, including how to create multiple NICs within
your own Bash scripts, read more about deploying multi-NIC VMs. Different VM sizes support a varying number of
NICs, so size your VM accordingly.
This article details how to create a VM with multiple NICs with the Azure CLI 2.0. You can also perform these steps
with the Azure CLI 1.0.
Create supporting resources

Install the latest Azure CLI 2.0 and log in to an Azure account using az login.
In the following examples, replace example parameter names with your own values. Example parameter names
included myResourceGroup, mystorageaccount, and myVM.
First, create a resource group with az group create. The following example creates a resource group named
myResourceGroup in the eastus location:
az group create --name myResourceGroup --location eastus
Create the virtual network with az network vnet create. The following example creates a virtual network named
myVnet and subnet named mySubnetFrontEnd:

--name myVnet \
--address-prefix 192.168.0.0/16 \
--subnet-name mySubnetFrontEnd \
--subnet-prefix 192.168.1.0/24
Create a subnet for the back-end traffic with az network vnet subnet create. The following example creates a subnet
named mySubnetBackEnd:

--name mySubnetBackEnd \
Create a network security group with az network nsg create. The following example creates a network security
group named myNetworkSecurityGroup:
--name myNetworkSecurityGroup
Create and configure multiple NICs

Create two NICs with az network nic create. The following example creates two NICs, named myNic1 and myNic2,
connected the network security group, with one NIC connecting to each subnet:

--name myNic1 \
--subnet mySubnetFrontEnd \
--network-security-group myNetworkSecurityGroup
--name myNic2 \
--subnet mySubnetBackEnd \
Create a VM and attach the NICs

When you create the VM, specify the NICs you created with --nics . You also need to take care when you select
the VM size. There are limits for the total number of NICs that you can add to a VM. Read more about Linux VM
sizes.
Create a VM with az vm create. The following example creates a VM named myVM:
az vm create \
--name myVM \
--image UbuntuLTS \
--size Standard_DS3_v2 \
--admin-username azureuser \
--generate-ssh-keys \
--nics myNic1 myNic2
Add a NIC to a VM
The previous steps created a VM with multiple NICs. You can also add NICs to an existing VM with the Azure CLI
2.0.
Create another NIC with az network nic create. The following example creates a NIC named myNic3 connected to
the back-end subnet and network security group created in the previous steps:

--name myNic3 \
--subnet mySubnetBackEnd \
To add a NIC to an existing VM, first deallocate the VM with az vm deallocate. The following example deallocates
the VM named myVM:
az vm deallocate --resource-group myResourceGroup --name myVM
Add the NIC with az vm nic add. The following example adds myNic3 to myVM:
az vm nic add \
--vm-name myVM \
--nics myNic3
Start the VM with az vm start:
az vm start --resource-group myResourceGroup --name myVM
Remove a NIC from a VM

To remove a NIC from an existing VM, first deallocate the VM with az vm deallocate. The following example
deallocates the VM named myVM:
az vm deallocate --resource-group myResourceGroup --name myVM
Remove the NIC with az vm nic remove. The following example removes myNic3 from myVM:
az vm nic remove \
--vm-name myVM
--nics myNic3
Start the VM with az vm start:
az vm start --resource-group myResourceGroup --name myVM
Create multiple NICs using Resource Manager templates

Azure Resource Manager templates use declarative JSON files to define your environment. You can read an
overview of Azure Resource Manager. Resource Manager templates provide a way to create multiple instances of a
resource during deployment, such as creating multiple NICs. You use copy to specify the number of instances to
create:
"copy": {
"name": "multiplenics"
"count": "[parameters('count')]"
}
Read more about creating multiple instances using copy.

You can also use a copyIndex() to then append a number to a resource name, which allows you to create myNic1 ,
myNic2 , etc. The following shows an example of appending the index value:
"name": "[concat('myNic', copyIndex())]",

You can read a complete example of creating multiple NICs using Resource Manager templates.
Configure guest OS for multiple NICs

When creating multiple NICs for a Linux Guest-OS based VM it is required to create additional routing rules which
allows to send and receive traffic belonging to a specific NIC only. Otherwise traffic belonging to eth1 can not be
processed correct, due to the defined default route.
Solution
First add two routing tables to the file /etc/iproute2/rt_tables
echo "200 eth0-rt" >> /etc/iproute2/rt_tables

echo "201 eth1-rt" >> /etc/iproute2/rt_tables
To make the change persistent and applied during the network stack activation, it is required to alter the
/etc/sysconfig/network-scipts/ifcfg-eth0 and /etc/sysconfig/network-scipts/ifcfg-eth1 file. Alter the line
"NM_CONTROLLED=yes" to "NM_CONTROLLED=no". Without this step the additonal rules/routing we are going to
add taking no effect.
Next step is to extend the routing tables. In order to make the next steps more visible let's assume we have the
following setup in place
Routing
default via 10.0.1.1 dev eth0 proto static metric 100

10.0.1.0/24 dev eth0 proto kernel scope link src 10.0.1.4 metric 100
10.0.1.0/24 dev eth1 proto kernel scope link src 10.0.1.5 metric 101
168.63.129.16 via 10.0.1.1 dev eth0 proto dhcp metric 100
169.254.169.254 via 10.0.1.1 dev eth0 proto dhcp metric 100
Interfaces
lo: inet 127.0.0.1/8 scope host lo

eth0: inet 10.0.1.4/24 brd 10.0.1.255 scope global eth0
eth1: inet 10.0.1.5/24 brd 10.0.1.255 scope global eth1
With the above information it is possible to create the following additional files as root
/etc/sysconfig/network-scripts/rule-eth0
/etc/sysconfig/network-scripts/route-eth0
/etc/sysconfig/network-scripts/rule-eth1
/etc/sysconfig/network-scripts/route-eth1
The content of each file is the following
cat /etc/sysconfig/network-scripts/rule-eth0
from 10.0.1.4/32 table eth0-rt
to 10.0.1.4/32 table eth0-rt
cat /etc/sysconfig/network-scripts/route-eth0
10.0.1.0/24 dev eth0 table eth0-rt
default via 10.0.1.1 dev eth0 table eth0-rt
cat /etc/sysconfig/network-scripts/rule-eth1
from 10.0.1.5/32 table eth1-rt
to 10.0.1.5/32 table eth1-rt
cat /etc/sysconfig/network-scripts/route-eth1
10.0.1.0/24 dev eth1 table eth1-rt
default via 10.0.1.1 dev eth1 table eth1-rt
After the files got created and popultated it is necessary to restart the network service systemctl restart network
Connecting from the outside against either eth0 or eth1 is possible now
Next steps
Review Linux VM sizes when trying to creating a VM with multiple NICs. Pay attention to the maximum number of
NICs each VM size supports.
Create a VM (Classic) with multiple NICs using
PowerShell
You can create virtual machines (VMs) in Azure and attach multiple network interfaces (NICs) to each of your VMs.
Multiple NICs enable separation of traffic types across NICs. For example, one NIC might communicate with the
Internet, while another communicates only with internal resources not connected to the Internet. The ability to
separate network traffic across multiple NICs is required for many network virtual appliances, such as application
delivery and WAN optimization solutions.
IMPORTANT
Manager model. Learn how to perform these steps using the Resource Manager deployment model.
Scenario
This document will walk through a deployment that uses multiple NICs in VMs in a specific scenario. In this
scenario, you have a two-tiered IaaS workload hosted in Azure. Each tier is deployed in its own subnet in a virtual
network (VNet). The front end tier is composed of several web servers, grouped together in a load balancer set for
high availability. The back end tier is composed of several database servers. These database servers will be
deployed with two NICs each, one for database access, the other for management. The scenario also includes
Network Security Groups (NSGs) to control what traffic is allowed to each subnet, and NIC in the deployment. The
figure below shows the basic architecture of this scenario.
The following steps use a resource group named IaaSStory for the WEB servers and a resource group named
IaaSStory-BackEnd for the DB servers.
Prerequisites
Before you can create the DB servers, you need to create the IaaSStory resource group with all the necessary
resources for this scenario. To create these resources, complete the steps that follow. Create a virtual network by
following the steps in the Create a virtual network article.

NOTE
Create the back-end VMs

The back-end VMs depend on the creation of the following resources:
Backend subnet. The database servers will be part of a separate subnet, to segregate traffic. The script below
expects this subnet to exist in a vnet named WTestVnet.
Storage account for data disks. For better performance, the data disks on the database servers will use solid
state drive (SSD) technology, which requires a premium storage account. Make sure the Azure location you
deploy to support premium storage.
Availability set. All database servers will be added to a single availability set, to ensure at least one of the VMs
is up and running during maintenance.
You can download the full PowerShell script used here. Follow the steps below to change the script to work in your
environment.
1. Change the values of the variables below based on your existing resource group deployed above in
Prerequisites.
$location = "West US"

$vnetName = "WTestVNet"
$backendSubnetName = "BackEnd"
2. Change the values of the variables below based on the values you want to use for your backend deployment.
$backendCSName = "IaaSStory-Backend"
$prmStorageAccountName = "iaasstoryprmstorage"
$avSetName = "ASDB"
$vmSize = "Standard_DS3"
$diskSize = 127
$vmNamePrefix = "DB"
$dataDiskSuffix = "datadisk"
$ipAddressPrefix = "192.168.2."
$numberOfVMs = 2
Step 2 - Create necessary resources for your VMs

You need to create a new cloud service and a storage account for the data disks for all VMs. You also need to
specify an image, and a local administrator account for the VMs. To create these resources, complete the following
steps:
1. Create a new cloud service.
New-AzureService -ServiceName $backendCSName -Location $location
2. Create a new premium storage account.

New-AzureStorageAccount -StorageAccountName $prmStorageAccountName `
-Location $location -Type Premium_LRS
3. Set the storage account created above as the current storage account for your subscription.
$subscription = Get-AzureSubscription | where {$_.IsCurrent -eq $true}

Set-AzureSubscription -SubscriptionName $subscription.SubscriptionName `
-CurrentStorageAccountName $prmStorageAccountName
4. Select an image for the VM.
$image = Get-AzureVMImage `
| where{$_.ImageFamily -eq "SQL Server 2014 RTM Web on Windows Server 2012 R2"} `
| sort PublishedDate -Descending `
| select -ExpandProperty ImageName -First 1
5. Set the local administrator account credentials.
$cred = Get-Credential -Message "Enter username and password for local admin account"
Step 3 - Create VMs

You need to use a loop to create as many VMs as you want, and create the necessary NICs and VMs within the loop.
To create the NICs and VMs, execute the following steps.
1. Start a for loop to repeat the commands to create a VM and two NICs as many times as necessary, based
on the value of the $numberOfVMs variable.
for ($suffixNumber = 1; $suffixNumber -le $numberOfVMs; $suffixNumber++){
2. Create a VMConfig object specifying the image, size, and availability set for the VM.
$vmName = $vmNamePrefix + $suffixNumber

$vmConfig = New-AzureVMConfig -Name $vmName `
-ImageName $image `
-InstanceSize $vmSize `
-AvailabilitySetName $avSetName
3. Provision the VM as a Windows VM.
Add-AzureProvisioningConfig -VM $vmConfig -Windows `

-AdminUsername $cred.UserName `
-Password $cred.GetNetworkCredential().Password
4. Set the default NIC and assign it a static IP address.
Set-AzureSubnet -SubnetNames $backendSubnetName -VM $vmConfig

Set-AzureStaticVNetIP -IPAddress ($ipAddressPrefix+$suffixNumber+3) -VM $vmConfig
5. Add a second NIC for each VM.

Add-AzureNetworkInterfaceConfig -Name ("RemoteAccessNIC"+$suffixNumber) `
-SubnetName $backendSubnetName `
-StaticVNetIPAddress ($ipAddressPrefix+(53+$suffixNumber)) `
-VM $vmConfig
6. Create to data disks for each VM.
$dataDisk1Name = $vmName + "-" + $dataDiskSuffix + "-1"

Add-AzureDataDisk -CreateNew -VM $vmConfig `
-DiskSizeInGB $diskSize `
-DiskLabel $dataDisk1Name `
-LUN 0
$dataDisk2Name = $vmName + "-" + $dataDiskSuffix + "-2"

Add-AzureDataDisk -CreateNew -VM $vmConfig `
-DiskSizeInGB $diskSize `
-DiskLabel $dataDisk2Name `
-LUN 1
7. Create each VM, and end the loop.
New-AzureVM -VM $vmConfig `

-ServiceName $backendCSName `
-Location $location `
-VNetName $vnetName
}

Now that you downloaded and changed the script based on your needs, runt he script to create the back end
database VMs with multiple NICs.
1. Save your script and run it from the PowerShell command prompt, or PowerShell ISE. You will see the
initial output, as shown below.
New-AzureService xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx Succeeded

New-AzureStorageAccount xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx Succeeded
WARNING: No deployment found in service: 'IaaSStory-Backend'.
2. Fill out the information needed in the credentials prompt and click OK. The output below is returned.
New-AzureVM xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx Succeeded

New-AzureVM xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx Succeeded
Create a VM (Classic) with multiple NICs using the
Azure CLI 1.0
You can create virtual machines (VMs) in Azure and attach multiple network interfaces (NICs) to each of your VMs.
Multiple NICs enable separation of traffic types across NICs. For example, one NIC might communicate with the
Internet, while another communicates only with internal resources not connected to the Internet. The ability to
separate network traffic across multiple NICs is required for many network virtual appliances, such as application
delivery and WAN optimization solutions.
IMPORTANT
Manager model. Learn how to perform these steps using the Resource Manager deployment model.
Scenario
This document will walk through a deployment that uses multiple NICs in VMs in a specific scenario. In this
scenario, you have a two-tiered IaaS workload hosted in Azure. Each tier is deployed in its own subnet in a virtual
network (VNet). The front end tier is composed of several web servers, grouped together in a load balancer set for
high availability. The back end tier is composed of several database servers. These database servers will be
deployed with two NICs each, one for database access, the other for management. The scenario also includes
Network Security Groups (NSGs) to control what traffic is allowed to each subnet, and NIC in the deployment. The
figure below shows the basic architecture of this scenario.
The following steps use a resource group named IaaSStory for the WEB servers and a resource group named
IaaSStory-BackEnd for the DB servers.
Prerequisites
Before you can create the DB servers, you need to create the IaaSStory resource group with all the necessary
resources for this scenario. To create these resources, complete the steps that follow. Create a virtual network by
following the steps in the Create a virtual network article.
Prerequisite: Install the Azure CLI

To perform the steps in this article, you need to install the Azure Command-Line Interface for Mac, Linux, and
Windows (Azure CLI) and you need to log on to Azure.
NOTE
If you don't have an Azure account, you need one. Go sign up for a free trial here. In addition, to follow along completely you
need to have either jq or some other JSON parsing tool or library installed.
Deploy the back-end VMs

The back-end VMs depend on the creation of the following resources:
Storage account for data disks. For better performance, the data disks on the database servers will use solid
state drive (SSD) technology, which requires a premium storage account. Make sure the Azure location you
deploy to support premium storage.
NICs. Each VM will have two NICs, one for database access, and one for management.
Availability set. All database servers will be added to a single availability set, to ensure at least one of the VMs
is up and running during maintenance.
You can download the full bash script used here. Complete the following steps to change the script to work in your
environment:
1. Change the values of the variables below based on your existing resource group deployed above in
Prerequisites.
location="useast2"
vnetName="WTestVNet"
backendSubnetName="BackEnd"
2. Change the values of the variables below based on the values you want to use for your backend
deployment.
backendCSName="IaaSStory-Backend"
prmStorageAccountName="iaasstoryprmstorage"
image="0b11de9248dd4d87b18621318e037d37__RightImage-Ubuntu-14.04-x64-v14.2.1"
avSetName="ASDB"
vmSize="Standard_DS3"
diskSize=127
vmNamePrefix="DB"
osDiskName="osdiskdb"
dataDiskPrefix="db"
dataDiskName="datadisk"
ipAddressPrefix="192.168.2."
username='adminuser'
password='adminP@ssw0rd'
numberOfVMs=2
Step 2 - Create necessary resources for your VMs

1. Create a new cloud service for all backend VMs. Notice the use of the $backendCSName variable for the
resource group name, and $location for the Azure region.
azure service create --serviceName $backendCSName \

2. Create a premium storage account for the OS and data disks to be used by yours VMs.
azure storage account create $prmStorageAccountName \

--type PLRS
Step 3 - Create VMs with multiple NICs

1. Start a loop to create multiple VMs, based on the numberOfVMs variables.
for ((suffixNumber=1;suffixNumber<=numberOfVMs;suffixNumber++));
do
2. For each VM, specify the name and IP address of each of the two NICs.
nic1Name=$vmNamePrefix$suffixNumber-DA
x=$((suffixNumber+3))
ipAddress1=$ipAddressPrefix$x
nic2Name=$vmNamePrefix$suffixNumber-RA
x=$((suffixNumber+53))
ipAddress2=$ipAddressPrefix$x
3. Create the VM. Notice the usage of the --nic-config parameter, containing a list of all NICs with name,
subnet, and IP address.
azure vm create $backendCSName $image $username $password \

--connect $backendCSName \
--vm-name $vmNamePrefix$suffixNumber \
--vm-size $vmSize \
--availability-set $avSetName \
--blob-url $prmStorageAccountName.blob.core.windows.net/vhds/$osDiskName$suffixNumber.vhd \
--virtual-network-name $vnetName \
--subnet-names $backendSubnetName \
--nic-config $nic1Name:$backendSubnetName:$ipAddress1::,$nic2Name:$backendSubnetName:$ipAddress2::
4. For each VM, create two data disks.
azure vm disk attach-new $vmNamePrefix$suffixNumber \

$diskSize \
vhds/$dataDiskPrefix$suffixNumber$dataDiskName-1.vhd
azure vm disk attach-new $vmNamePrefix$suffixNumber \

$diskSize \
vhds/$dataDiskPrefix$suffixNumber$dataDiskName-2.vhd
done

Now that you downloaded and changed the script based on your needs, run the script to create the back end
database VMs with multiple NICs.
1. Save your script and run it from your Bash terminal. You will see the initial output, as shown below.
info: Executing command service create
info: Creating cloud service
data: Cloud service name IaaSStory-Backend
info: service create command OK
info: Executing command storage account create
info: Creating storage account
info: storage account create command OK
info: Looking up image 0b11de9248dd4d87b18621318e037d37__RightImage-Ubuntu-14.04-x64-v14.2.1
info: Creating VM
2. After a few minutes, the execution will end and you will see the rest of the output as shown below.
info: OK
info: Executing command vm disk attach-new
info: Adding Data-Disk
info: vm disk attach-new command OK
info: Looking up image 0b11de9248dd4d87b18621318e037d37__RightImage-Ubuntu-14.04-x64-v14.2.1
info: Creating VM
info: OK
Assign multiple IP addresses to virtual machines using
the Azure portal
An Azure Virtual Machine (VM) has one or more network interfaces (NIC) attached to it. Any NIC can have one
or more static or dynamic public and private IP addresses assigned to it. Assigning multiple IP addresses to a
VM enables the following capabilities:
Hosting multiple websites or services with different IP addresses and SSL certificates on a single server.
Serve as a network virtual appliance, such as a firewall or load balancer.
The ability to add any of the private IP addresses for any of the NICs to an Azure Load Balancer back-end
pool. In the past, only the primary IP address for the primary NIC could be added to a back-end pool. To
learn more about how to load balance multiple IP configurations, read the Load balancing multiple IP
configurations article.
Every NIC attached to a VM has one or more IP configurations associated to it. Each configuration is assigned
one static or dynamic private IP address. Each configuration may also have one public IP address resource
associated to it. A public IP address resource has either a dynamic or static public IP address assigned to it. To
learn more about IP addresses in Azure, read the IP addresses in Azure article.
There is a limit to how many private IP addresses can be assigned to a NIC. There is also a limit to how many
public IP addresses that can be used in an Azure subscription. See the Azure limits article for details.
This article explains how to create a virtual machine (VM) through the Azure Resource Manager deployment
model using the Azure portal. Multiple IP addresses cannot be assigned to resources created through the
classic deployment model. To learn more about Azure deployment models, read the Understand deployment
models article.
Scenario
A VM with a single NIC is created and connected to a virtual network. The VM requires three different private IP
addresses and two public IP addresses. The IP addresses are assigned to the following IP configurations:
IPConfig-1: Assigns a static private IP address and a static public IP address.
IPConfig-3: Assigns a static private IP address and no public IP address.
The IP configurations are associated to the NIC when the NIC is created and the NIC is attached to the VM when the
VM is created. The types of IP addresses used for the scenario are for illustration. You can assign whatever IP
address and assignment types you require.
NOTE
Though the steps in this article assigns all IP configurations to a single NIC, you can also assign multiple IP configurations to
any NIC in a multi-NIC VM. To learn how to create a VM with multiple NICs, read the Create a VM with multiple NICs article.
Create a VM with multiple IP addresses

If you want to create a VM with multiple IP addresses, or a static private IP address, you must create it using
PowerShell or the Azure CLI. Click the PowerShell or CLI options at the top of this article to learn how. You can
create a VM with a single dynamic private IP address and (optionally) a single public IP address using the portal by
following the steps in the Create a Windows VM or Create a Linux VM articles. After you create the VM, you can
change the IP address type from dynamic to static and add additional IP addresses using the portal by following
steps in the Add IP addresses to a VM section of this article.
Add IP addresses to a VM
You can add private and public IP addresses to a NIC by completing the steps that follow. The examples in the
following sections assume that you already have a VM with the three IP configurations described in the scenario in
this article, but it's not required that you do.
Core steps
1. Browse to the Azure portal at https://portal.azure.com and sign into it, if necessary.
2. In the portal, click More services > type virtual machines in the filter box, and then click Virtual machines.
3. In the Virtual machines blade, click the VM you want to add IP addresses to. Click Network interfaces in
the virtual machine blade that appears, and then select the network interface you want to add the IP
addresses to. In the example shown in the following picture, the NIC named myNIC from the VM named
myVM is selected:
4. In the blade that appears for the NIC you selected, click IP configurations.
Complete the steps in one of the sections that follow, based on the type of IP address you want to add.
Add a private IP address
Complete the following steps to add a new private IP address:
1. Complete the steps in the Core steps section of this article.
2. Click Add. In the Add IP configuration blade that appears, create an IP configuration named IPConfig-4
with 10.0.0.7 as a Static private IP address, then click OK.
NOTE
When adding a static IP address, you must specify an unused, valid address on the subnet the NIC is connected to. If
the address you select is not available, the portal will show an X for the IP address and you'll need to select a different
one.
3. Once you click OK, the blade will close and you'll see the new IP configuration listed. Click OK to close the
Add IP configuration blade.
4. You can click Add to add additional IP configurations, or close all open blades to finish adding IP addresses.
5. Add the private IP addresses to the VM operating system by completing the steps for your operating system in
the Add IP addresses to a VM operating system section of this article.
Add a public IP address
A public IP address is added by associating a public IP address resource to either a new IP configuration or an
existing IP configuration.
NOTE
Public IP addresses have a nominal fee. To learn more about IP address pricing, read the IP address pricing page. There is a
limit to the number of public IP addresses that can be used in a subscription. To learn more about the limits, read the Azure
limits article.
Create a public IP address resource

A public IP address is one setting for a public IP address resource. If you have a public IP address resource that is
not currently associated to an IP configuration that you want to associate to an IP configuration, skip the following
steps and complete the steps in one of the sections that follow, as you require. If you don't have an available public
IP address resource, complete the following steps to create one:
1. Browse to the Azure portal at https://portal.azure.com and sign into it, if necessary.
2. In the portal, click New > Networking > Public IP address.
3. In the Create public IP address blade that appears, enter a Name, select an IP address assignment type,
a Subscription, a Resource group, and a Location, then click Create, as shown in the following picture:
4. Complete the steps in one of the sections that follow to associate the public IP address resource to an IP
configuration.
Associate the public IP address resource to a new IP configuration
2. Click Add. In the Add IP configuration blade that appears, create an IP configuration named IPConfig-4.
Enable the Public IP address and select an existing, available public IP address resource from the Choose
public IP address blade that appears.
Once you've selected the public IP address resource, click OK and the blade will close. If you don't have an
existing public IP address, you can create one by completing the steps in the Create a public IP address
resource section of this article.
3. Review the new IP configuration. Even though a private IP address wasn't explicitly assigned, one was
automatically assigned to the IP configuration, because all IP configurations must have a private IP address.
4. You can click Add to add additional IP configurations, or close all open blades to finish adding IP addresses.
5. Add the private IP address to the VM operating system by completing the steps for your operating system in the
Add IP addresses to a VM operating system section of this article. Do not add the public IP address to the
operating system.
Associate the public IP address resource to an existing IP configuration
2. Click the IP configuration you want to add the public IP address resource to.
3. In the IPConfig blade that appears, click IP address.
4. In the Choose public IP address blade that appears, select a public IP address.
5. Click Save and the blades will close. If you don't have an existing public IP address, you can create one by
completing the steps in the Create a public IP address resource section of this article.
6. Review the new IP configuration.
7. You can click Add to add additional IP configurations, or close all open blades to finish adding IP addresses. Do
not add the public IP address to the operating system.
Add IP addresses to a VM operating system

Connect and login to a VM you created with multiple private IP addresses. You must manually add all the private IP
addresses (including the primary) that you added to the VM. Complete the following steps for your VM operating
system:
Windows
1. From a command prompt, type ipconfig /all. You only see the Primary private IP address (through DHCP).
2. Type ncpa.cpl in the command prompt to open the Network connections window.
3. Open the properties for the appropriate adapter: Local Area Connection.
4. Double-click Internet Protocol version 4 (IPv4).
5. Select Use the following IP address and enter the following values:
IP address: Enter the Primary private IP address
Subnet mask: Set based on your subnet. For example, if the subnet is a /24 subnet then the subnet mask
is 255.255.255.0.
Default gateway: The first IP address in the subnet. If your subnet is 10.0.0.0/24, then the gateway IP
address is 10.0.0.1.
Click Use the following DNS server addresses and enter the following values:
Preferred DNS server: If you are not using your own DNS server, enter 168.63.129.16. If you are
using your own DNS server, enter the IP address for your server.
Click the Advanced button and add additional IP addresses. Add each of the secondary private IP
addresses listed in step 8 to the NIC with the same subnet specified for the primary IP address.
WARNING
If you do not follow the steps above correctly, you may lose connectivity to your VM. Ensure the information
entered for step 5 is accurate before proceeding.
Click OK to close out the TCP/IP settings and then OK again to close the adapter settings. Your RDP
connection is re-established.
6. From a command prompt, type ipconfig /all. All IP addresses you added are shown and DHCP is turned off.
Validation (Windows)
To ensure you are able to connect to the internet from your secondary IP configuration via the public IP associated
it, once you have added it correctly using steps above, use the following command:
ping -S 10.0.0.5 hotmail.com

NOTE
For secondary IP configurations, you can only ping to the Internet if the configuration has a public IP address associated with
it. For primary IP configurations, a public IP address is not required to ping to the Internet.
Linux (Ubuntu)
1. Open a terminal window.
2. Make sure you are the root user. If you are not, enter the following command:
sudo -i
3. Update the configuration file of the network interface (assuming eth0).

Keep the existing line item for dhcp. The primary IP address remains configured as it was previously.
Add a configuration for an additional static IP address with the following commands:
cd /etc/network/interfaces.d/
ls
You should see a .cfg file.

4. Open the file. You should see the following lines at the end of the file:
auto eth0
iface eth0 inet dhcp
5. Add the following lines after the lines that exist in this file:
iface eth0 inet static

address <your private IP address here>
netmask <your subnet mask>
6. Save the file by using the following command:
:wq
7. Reset the network interface with the following command:
sudo ifdown eth0 && sudo ifup eth0
IMPORTANT
Run both ifdown and ifup in the same line if using a remote connection.
8. Verify the IP address is added to the network interface with the following command:
ip addr list eth0
You should see the IP address you added as part of the list.
Linux (Redhat, CentOS, and others)
sudo -i
3. Enter your password and follow instructions as prompted. Once you are the root user, navigate to the
network scripts folder with the following command:
cd /etc/sysconfig/network-scripts
4. List the related ifcfg files using the following command:
ls ifcfg-*
You should see ifcfg-eth0 as one of the files.

5. To add an IP address, create a configuration file for it as shown below. Note that one file must be created for
each IP configuration.
touch ifcfg-eth0:0
6. Open the ifcfg-eth0:0 file with the following command:
vi ifcfg-eth0:0
7. Add content to the file, eth0:0 in this case, with the following command. Be sure to update information based
on your IP address.
DEVICE=eth0:0
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.101.101
NETMASK=255.255.255.0
8. Save the file with the following command:
:wq
9. Restart the network services and make sure the changes are successful by running the following commands:
/etc/init.d/network restart
ifconfig
You should see the IP address you added, eth0:0, in the list returned.
Validation (Linux)
it, use the following command:
ping -I 10.0.0.5 hotmail.com
NOTE
For secondary IP configurations, you can only ping to the Internet if the configuration has a public IP address associated with
it. For primary IP configurations, a public IP address is not required to ping to the Internet.
For Linux VMs, when trying to validate outbound connectivity from a secondary NIC, you may need to add
appropriate routes. There are many ways to do this. Please see appropriate documentation for your Linux
distribution. The following is one method to accomplish this:
echo 150 custom >> /etc/iproute2/rt_tables
ip rule add from 10.0.0.5 lookup custom

ip route add default via 10.0.0.1 dev eth2 table custom
Be sure to replace:
10.0.0.5 with the private IP address that has a public IP address associated to it
10.0.0.1 to your default gateway
eth2 to the name of your secondary NIC
Assign multiple IP addresses to virtual machines
using PowerShell
An Azure Virtual Machine (VM) has one or more network interfaces (NIC) attached to it. Any NIC can have one or
more static or dynamic public and private IP addresses assigned to it. Assigning multiple IP addresses to a VM
enables the following capabilities:
The ability to add any of the private IP addresses for any of the NICs to an Azure Load Balancer back-end pool.
In the past, only the primary IP address for the primary NIC could be added to a back-end pool. To learn more
about how to load balance multiple IP configurations, read the Load balancing multiple IP configurations article.
Every NIC attached to a VM has one or more IP configurations associated to it. Each configuration is assigned one
static or dynamic private IP address. Each configuration may also have one public IP address resource associated
to it. A public IP address resource has either a dynamic or static public IP address assigned to it. To learn more
about IP addresses in Azure, read the IP addresses in Azure article.
model using PowerShell. Multiple IP addresses cannot be assigned to resources created through the classic
deployment model. To learn more about Azure deployment models, read the Understand deployment models
article.
Scenario
The IP configurations are associated to the NIC when the NIC is created and the NIC is attached to the VM when
the VM is created. The types of IP addresses used for the scenario are for illustration. You can assign whatever IP
NOTE

The steps that follow explain how to create an example VM with multiple IP addresses, as described in the scenario.
Change variable values as required for your implementation.
1. Open a PowerShell command prompt and complete the remaining steps in this section within a single
PowerShell session. If you don't already have PowerShell installed and configured, complete the steps in the
How to install and configure Azure PowerShell article.
2. Login to your account with the login-azurermaccount command.
3. Replace myResourceGroup and westus with a name and location of your choosing. Create a resource group.
A resource group is a logical container into which Azure resources are deployed and managed.
$RgName = "MyResourceGroup"
$Location = "westus"
-Name $RgName `
-Location $Location
4. Create a virtual network (VNet) and subnet in the same location as the resource group:
# Create a subnet configuration

$SubnetConfig = New-AzureRmVirtualNetworkSubnetConfig `
-Name MySubnet `
# Create a virtual network

$VNet = New-AzureRmVirtualNetwork `
-ResourceGroupName $RgName `
-Location $Location `
-Name MyVNet `
-Subnet $subnetConfig
# Get the subnet object

$Subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $SubnetConfig.Name -VirtualNetwork $VNet
5. Create a network security group (NSG) and a rule. The NSG secures the VM using inbound and outbound
rules. In this case, an inbound rule is created for port 3389, which allows incoming remote desktop
connections.
# Create an inbound network security group rule for port 3389
$NSGRule = New-AzureRmNetworkSecurityRuleConfig `
-Name MyNsgRuleRDP `
-Protocol Tcp `
-Direction Inbound `
-Priority 1000 `
-SourceAddressPrefix * `
-SourcePortRange * `
-DestinationAddressPrefix * `
-DestinationPortRange 3389 -Access Allow
# Create a network security group

$NSG = New-AzureRmNetworkSecurityGroup `
-Name MyNetworkSecurityGroup `
-SecurityRules $NSGRule
6. Define the primary IP configuration for the NIC. Change 10.0.0.4 to a valid address in the subnet you
created, if you didn't use the value defined previously. Before assigning a static IP address, it's
recommended that you first confirm it's not already in use. Enter the command
Test-AzureRmPrivateIPAddressAvailability -IPAddress 10.0.0.4 -VirtualNetwork $VNet . If the address is
available, the output returns True. If it's not available, the output returns False and a list of addresses that
are available.
In the following commands, Replace with the unique DNS name to use. The name must be unique
across all public IP addresses within an Azure region. This is an optional parameter. It can be removed if you
only want to connect to the VM using the public IP address.
# Create a public IP address

$PublicIP1 = New-AzureRmPublicIpAddress `
-Name "MyPublicIP1" `
-DomainNameLabel <replace-with-your-unique-name> `
-AllocationMethod Static
#Create an IP configuration with a static private IP address and assign the public IP ddress to it
$IpConfigName1 = "IPConfig-1"
$IpConfig1 = New-AzureRmNetworkInterfaceIpConfig `
-Name $IpConfigName1 `
-Subnet $Subnet `
-PrivateIpAddress 10.0.0.4 `
-PublicIpAddress $PublicIP1 `
-Primary
When you assign multiple IP configurations to a NIC, one configuration must be assigned as the -Primary.
NOTE
Public IP addresses have a nominal fee. To learn more about IP address pricing, read the IP address pricing page.
There is a limit to the number of public IP addresses that can be used in a subscription. To learn more about the
limits, read the Azure limits article.
7. Define the secondary IP configurations for the NIC. You can add or remove configurations as necessary.
Each IP configuration must have a private IP address assigned. Each configuration can optionally have one
public IP address assigned.

$PublicIP2 = New-AzureRmPublicIpAddress `
-Name "MyPublicIP2" `
#Create an IP configuration with a static private IP address and assign the public IP ddress to it
$IpConfigName2 = "IPConfig-2"
-Name $IpConfigName2 `
-Subnet $Subnet `
-PublicIpAddress $PublicIP2
$IpConfigName3 = "IpConfig-3"
-Name $IPConfigName3 `
-Subnet $Subnet `
-PrivateIpAddress 10.0.0.6
8. Create the NIC and associate the three IP configurations to it:
$NIC = New-AzureRmNetworkInterface `
-Name MyNIC `
-NetworkSecurityGroupId $NSG.Id `
-IpConfiguration $IpConfig1,$IpConfig2,$IpConfig3
NOTE
Though all configurations are assigned to one NIC in this article, you can assign multiple IP configurations to every
NIC attached to the VM. To learn how to create a VM with multiple NICs, read the Create a VM with multiple NICs
article.
9. Create the VM by entering the following commands:

# Define a credential object. When you run these commands, you're prompted to enter a sername and
password for the VM you're reating.
$cred = Get-Credential
# Create a virtual machine configuration

$VmConfig = New-AzureRmVMConfig `
-VMName MyVM `
-VMSize Standard_DS1_v2 | `
Set-AzureRmVMOperatingSystem -Windows `
-ComputerName MyVM `
-Credential $cred | `
Set-AzureRmVMSourceImage `
-PublisherName MicrosoftWindowsServer `
-Offer WindowsServer `
-Skus 2016-Datacenter `
-Version latest | `
Add-AzureRmVMNetworkInterface `
-Id $NIC.Id
# Create the VM
New-AzureRmVM `
-VM $VmConfig
10. Add the private IP addresses to the VM operating system by completing the steps for your operating
system in the Add IP addresses to a VM operating system section of this article. Do not add the public IP
addresses to the operating system.
You can add private and public IP addresses to a NIC by completing the steps that follow. The examples in the
following sections assume that you already have a VM with the three IP configurations described in the scenario in
this article, but it's not required that you do.
1. Open a PowerShell command prompt and complete the remaining steps in this section within a single
PowerShell session. If you don't already have PowerShell installed and configured, complete the steps in the
2. Change the "values" of the following $Variables to the name of the NIC you want to add IP address to and
the resource group and location the NIC exists in:
$NicName = "MyNIC"
$RgName = "MyResourceGroup"
$Location = "westus"
If you don't know the name of the NIC you want to change, enter the following commands, then change the
values of the previous variables:
Get-AzureRmNetworkInterface | Format-Table Name, ResourceGroupName, Location
3. Create a variable and set it to the existing NIC by typing the following command:
$MyNIC = Get-AzureRmNetworkInterface -Name $NicName -ResourceGroupName $RgName
4. In the following commands, change MyVNet and MySubnet to the names of the VNet and subnet the NIC is
connected to. Enter the commands to retrieve the VNet and subnet objects the NIC is connected to:
$MyVNet = Get-AzureRMVirtualnetwork -Name MyVNet -ResourceGroupName $RgName
$Subnet = $MyVnet.Subnets | Where-Object { $_.Name -eq "MySubnet" }
If you don't know the VNet or subnet name the NIC is connected to, enter the following command:
$MyNIC.IpConfigurations
In the output, look for text similar to the following example output:
"Id":
"/subscriptions/[Id]/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/MyVNet/
subnets/MySubnet"
In this output, MyVnet is the VNet and MySubnet is the subnet the NIC is connected to.
5. Complete the steps in one of the following sections, based on your requirements:
To add a private IP address to a NIC, you must create an IP configuration. The following command creates a
configuration with a static IP address of 10.0.0.7. When specifying a static IP address, it must be an unused
address for the subnet. It's recommended that you first test the address to ensure it's available by entering
the Test-AzureRmPrivateIPAddressAvailability -IPAddress 10.0.0.7 -VirtualNetwork $myVnet command. If the
IP address is available, the output returns True. If it's not available, the output returns False, and a list of
addresses that are available.
Add-AzureRmNetworkInterfaceIpConfig -Name IPConfig-4 -NetworkInterface `

$MyNIC -Subnet $Subnet -PrivateIpAddress 10.0.0.7
Create as many configurations as you require, using unique configuration names and private IP addresses
(for configurations with static IP addresses).
Add the private IP address to the VM operating system by completing the steps for your operating system
in the Add IP addresses to a VM operating system section of this article.
A public IP address is added by associating a public IP address resource to either a new IP configuration or
an existing IP configuration. Complete the steps in one of the sections that follow, as you require.
NOTE
Associate the public IP address resource to a new IP configuration

Whenever you add a public IP address in a new IP configuration, you must also add a private IP
address, because all IP configurations must have a private IP address. You can either add an existing
public IP address resource, or create a new one. To create a new one, enter the following command:
$myPublicIp3 = New-AzureRmPublicIpAddress `
-Name "myPublicIp3" `
To create a new IP configuration with a static private IP address and the associated myPublicIp3
public IP address resource, enter the following command:
Add-AzureRmNetworkInterfaceIpConfig `
-Name IPConfig-4 `
-NetworkInterface $myNIC `
-Subnet $Subnet `
-PublicIpAddress $myPublicIp3
Associate the public IP address resource to an existing IP configuration

A public IP address resource can only be associated to an IP configuration that doesn't already have
one associated. You can determine whether an IP configuration has an associated public IP address
by entering the following command:
$MyNIC.IpConfigurations | Format-Table Name, PrivateIPAddress, PublicIPAddress, Primary
You see output similar to the following:
Name PrivateIpAddress PublicIpAddress Primary
IPConfig-1 10.0.0.4 Microsoft.Azure.Commands.Network.Models.PSPublicIpAddress True

IPConfig-2 10.0.0.5 Microsoft.Azure.Commands.Network.Models.PSPublicIpAddress False
IpConfig-3 10.0.0.6 False
Since the PublicIpAddress column for IpConfig-3 is blank, no public IP address resource is currently
associated to it. You can add an existing public IP address resource to IpConfig-3, or enter the
following command to create one:
$MyPublicIp3 = New-AzureRmPublicIpAddress `
-Name "MyPublicIp3" `
-Location $Location -AllocationMethod Static
Enter the following command to associate the public IP address resource to the existing IP
configuration named IpConfig-3:
Set-AzureRmNetworkInterfaceIpConfig `
-Name IpConfig-3 `
-NetworkInterface $mynic `
-Subnet $Subnet `
-PublicIpAddress $myPublicIp3
6. Set the NIC with the new IP configuration by entering the following command:
Set-AzureRmNetworkInterface -NetworkInterface $MyNIC

7. View the private IP addresses and the public IP address resources assigned to the NIC by entering the
following command:
$MyNIC.IpConfigurations | Format-Table Name, PrivateIPAddress, PublicIPAddress, Primary
8. Add the private IP address to the VM operating system by completing the steps for your operating system in
the Add IP addresses to a VM operating system section of this article. Do not add the public IP address to the
operating system.

Connect and login to a VM you created with multiple private IP addresses. You must manually add all the private
IP addresses (including the primary) that you added to the VM. Complete the following steps for your VM
operating system:
Windows
Subnet mask: Set based on your subnet. For example, if the subnet is a /24 subnet then the subnet
mask is 255.255.255.0.
WARNING

NOTE
For secondary IP configurations, you can only ping to the Internet if the configuration has a public IP address associated
with it. For primary IP configurations, a public IP address is not required to ping to the Internet.
Linux (Ubuntu)
sudo -i

ls

auto eth0

:wq
IMPORTANT
ip addr list eth0
sudo -i
ls ifcfg-*

touch ifcfg-eth0:0
vi ifcfg-eth0:0
7. Add content to the file, eth0:0 in this case, with the following command. Be sure to update information
based on your IP address.
DEVICE=eth0:0
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.101.101
NETMASK=255.255.255.0
:wq
9. Restart the network services and make sure the changes are successful by running the following
commands:
ifconfig
Validation (Linux)
NOTE

Be sure to replace:
using the Azure CLI 2.0
model using the Azure CLI 2.0. Multiple IP addresses cannot be assigned to resources created through the classic
deployment model. To learn more about Azure deployment models, read the Understand deployment models
article.
Scenario
NOTE

You can complete this task using the Azure CLI 2.0 (this article) or the Azure CLI 1.0. Change the values, as
appropriate, for your environment. The steps that follow explain how to create an example VM with multiple IP
addresses, as described in the scenario. Change variable values in "" and IP address types as required for your
implementation.
1. Install the Azure CLI 2.0 if you don't already have it installed.
2. Create an SSH public and private key pair for Linux VMs by completing the steps in the Create an SSH public
and private key pair for Linux VMs.
3. From a command shell, login with the command az login and select the subscription you're using.
4. Create the VM by executing the script that follows on a Linux or Mac computer. The script creates a resource
group, one virtual network (VNet), one NIC with three IP configurations, and a VM with the two NICs attached
to it. The NIC, public IP address, virtual network, and VM resources must all exist in the same location and
subscription. Though the resources don't all have to exist in the same resource group, in the following script
they do.
#!/bin/sh
RgName="myResourceGroup"
Location="westcentralus"
az group create --name $RgName --location $Location
# Create a public IP address resource with a static IP address using the `--allocation-method Static` option.
If you
# do not specify this option, the address is allocated dynamically. The address is assigned to the resource
from a pool
# of IP adresses unique to each Azure region. Download and view the file from
# https://www.microsoft.com/en-us/download/details.aspx?id=41653 that lists the ranges for each region.
PipName="myPublicIP"
# This name must be unique within an Azure location.

DnsName="myDNSName"

--name $PipName \
--dns-name $DnsName\
# Create a virtual network with one subnet
VnetName="myVnet"
VnetPrefix="10.0.0.0/16"
VnetSubnetName="mySubnet"
VnetSubnetPrefix="10.0.0.0/24"

--name $VnetName \
--address-prefix $VnetPrefix \
--subnet-name $VnetSubnetName \
--subnet-prefix $VnetSubnetPrefix
# Create a network interface connected to the subnet and associate the public IP address to it. Azure will
create the
# first IP configuration with a static private IP address and will associate the public IP address resource to
it.
NicName="MyNic1"
--name $NicName \
--subnet $VnetSubnet1Name \
--private-ip-address 10.0.0.4
--vnet-name $VnetName \
--public-ip-address $PipName
# Create a second public IP address, a second IP configuration, and associate it to the NIC. This
configuration has a
# static public IP address and a static private IP address.

--name myPublicIP2 \
--dns-name mypublicdns2 \
az network nic ip-config create \

--nic-name $NicName \
--name IPConfig-2 \
--public-ip-name myPublicIP2
# Create a third IP configuration, and associate it to the NIC. This configuration has static private IP
address and # no public IP address.
azure network nic ip-config create \

--nic-name $NicName \
--name IPConfig-3
# Note: Though this article assigns all IP configurations to a single NIC, you can also assign multiple IP
configurations
# to any NIC in a VM. To learn how to create a VM with multiple NICs, read the Create a VM with multiple NICs
# article: https://docs.microsoft.com/azure/virtual-network/virtual-network-deploy-multinic-arm-cli.
# Create a VM and attach the NIC.
VmName="myVm"
# Replace the value for the following **VmSize** variable with a value from the
# https://docs.microsoft.com/azure/virtual-machines/virtual-machines-linux-sizes rticle. The script fails if
the VM size
# is not supported in the location you select. Run the àzure vm sizes --location estcentralus` command to get
a full list
# of VMs in US West Central, for example.
VmSize="Standard_DS1"
# Replace the value for the OsImage variable value with a value for *urn* from the utput returned by entering
the
the
# àz vm image list` command.
OsImage="credativ:Debian:8:latest"
Username="adminuser"
# Replace the following value with the path to your public key file. If you're creating a Windows VM, remove
the following
# line and you'll be prompted for the password you want to configure for the VM.
SshKeyValue="~/.ssh/id_rsa.pub"
az vm create \
--name $VmName \
--image $OsImage \
--size $VmSize \
--nics $NicName \
--admin-username $Username \
--ssh-key-value $SshKeyValue
In addition to creating a VM with a NIC with 3 IP configurations, the script creates:

A single premium managed disk by default, but you have other options for the disk type you can create. Read
the Create a Linux VM using the Azure CLI 2.0 article for details.
A virtual network with one subnet and two public IP addresses. Alternatively, you can use existing virtual
network, subnet, NIC, or public IP address resources. To learn how to use existing network resources rather
than creating additional resources, enter az vm create -h .
After the VM is created, enter the az network nic show --name MyNic1 --resource-group myResourceGroup command
to view the NIC configuration. Enter the
az network nic ip-config list --nic-name MyNic1 --resource-group myResourceGroup --output table to view a list of
the IP configurations associated to the NIC.
Add the private IP addresses to the VM operating system by completing the steps for your operating system in the
Add IP addresses to a VM operating system section of this article.
You can add additional private and public IP addresses to an existing NIC by completing the steps that follow. The
examples build upon the scenario described in this article.
1. Open a command shell and complete the remaining steps in this section within a single session. If you don't
already have Azure CLI installed and configured, complete the steps in the Azure CLI 2.0 installation article
and login to your Azure account with the az-login command.
2. Complete the steps in one of the following sections, based on your requirements:
To add a private IP address to a NIC, you must create an IP configuration using the command that follows.
The static IP address must be an unused address for the subnet.
--nic-name myNic1 \
--name IPConfig-4
Create as many configurations as you require, using unique configuration names and private IP addresses
(for configurations with static IP addresses).
A public IP address is added by associating it to either a new IP configuration or an existing IP configuration.
Complete the steps in one of the sections that follow, as you require.
Public IP addresses have a nominal fee. To learn more about IP address pricing, read the IP address pricing
page. There is a limit to the number of public IP addresses that can be used in a subscription. To learn more
about the limits, read the Azure limits article.
Associate the resource to a new IP configuration
Whenever you add a public IP address in a new IP configuration, you must also add a private IP
address, because all IP configurations must have a private IP address. You can either add an existing
public IP address resource, or create a new one. To create a new one, enter the following command:

--location westcentralus \
--dns-name mypublicdns3
To create a new IP configuration with a static private IP address and the associated myPublicIP3
public IP address resource, enter the following command:

--nic-name myNic1 \
--name IPConfig-5 \
--private-ip-address 10.0.0.8
--public-ip-address myPublicIP3
Associate the resource to an existing IP configuration A public IP address resource can only be
associated to an IP configuration that doesn't already have one associated. You can determine
whether an IP configuration has an associated public IP address by entering the following command:
az network nic ip-config list \

--nic-name myNic1 \
--query "[?provisioningState=='Succeeded'].{ Name: name, PublicIpAddressId: publicIpAddress.id
}" --output table
Returned output:
Name PublicIpAddressId
ipconfig1
/subscriptions/[Id]/resourceGroups/myResourceGroup/providers/Microsoft.Network/publicIPAddresses
/myPublicIP1
IPConfig-2
/subscriptions/[Id]/resourceGroups/myResourceGroup/providers/Microsoft.Network/publicIPAddresses
/myPublicIP2
IPConfig-3
Since the PublicIpAddressId column for IpConfig-3 is blank in the output, no public IP address
resource is currently associated to it. You can add an existing public IP address resource to IpConfig-
3, or enter the following command to create one:

--resource-group myResourceGroup
--location westcentralus \
--dns-name mypublicdns3 \
Enter the following command to associate the public IP address resource to the existing IP
configuration named IPConfig-3:
az network nic ip-config update \

--nic-name myNic1 \
--name IPConfig-3 \
--public-ip myPublicIP3
3. View the private IP addresses and the public IP address resource Ids assigned to the NIC by entering the
following command:
az network nic ip-config list \

--nic-name myNic1 \
--query "[?provisioningState=='Succeeded'].{ Name: name, PrivateIpAddress: privateIpAddress,
PrivateIpAllocationMethod: privateIpAllocationMethod, PublicIpAddressId: publicIpAddress.id }" --output
table
Returned output:
Name PrivateIpAddress PrivateIpAllocationMethod PublicIpAddressId
ipconfig1 10.0.0.4 Static

/subscriptions/[Id]/resourceGroups/myResourceGroup/providers/Microsoft.Network/publicIPAddresses/myPubl
icIP1
IPConfig-2 10.0.0.5 Static
icIP2
IPConfig-3 10.0.0.6 Static
icIP3
4. Add the private IP addresses you added to the NIC to the VM operating system by following the instructions
in the Add IP addresses to a VM operating system section of this article. Do not add the public IP addresses
to the operating system.
Connect and login to a VM you created with multiple private IP addresses. You must manually add all the private
IP addresses (including the primary) that you added to the VM. Complete the following steps for your VM
operating system:
Windows
mask is 255.255.255.0.
WARNING
NOTE
Linux (Ubuntu)
sudo -i
ls

auto eth0

:wq
IMPORTANT
ip addr list eth0
sudo -i
ls ifcfg-*

touch ifcfg-eth0:0
vi ifcfg-eth0:0
DEVICE=eth0:0
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.101.101
NETMASK=255.255.255.0
:wq
commands:
ifconfig
Validation (Linux)
NOTE

Be sure to replace:
using an Azure Resource Manager template
This article explains how to create a virtual machine (VM) through the Azure Resource Manager deployment model
using a Resource Manager template. Multiple public and private IP addresses cannot be assigned to the same NIC
when deploying a VM through the classic deployment model. To learn more about Azure deployment models, read
the Understand deployment models article.
Scenario
NOTE
Template description
Deploying a template enables you to quickly and consistently create Azure resources with different configuration
values. Read the Resource Manager template walkthrough article if you're not familiar with Azure Resource
Manager templates. The Deploy a VM with multiple IP addresses template is utilized in this article.
Deploying the template creates the following resources:
RESOURCE NAME DESCRIPTION
Network interface myNic1 The three IP configurations described in

the scenario section of this article are
created and assigned to this NIC.
Public IP address resource 2 are created: myPublicIP and These resources are assigned static
myPublicIP2 public IP addresses and are assigned to
the IPConfig-1 and IPConfig-2 IP
configurations described in the scenario.
VM myVM1 A Standard DS3 VM.
Virtual network myVNet1 A virtual network with one subnet

named mySubnet.
Storage account Unique to the deployment A storage account.
When deploying the template, you must specify values for the following parameters:
NAME DESCRIPTION
adminUsername Admin username. The username must comply with Azure

username requirements.
adminPassword Admin password The password must comply with Azure

password requirements.
dnsLabelPrefix DNS name for PublicIPAddressName1. The DNS name will

resolve to one of the public IP addresses assigned to the VM.
The name must be unique within the Azure region (location)
you create the VM in.
dnsLabelPrefix1 DNS name for PublicIPAddressName2. The DNS name will

resolve to one of the public IP addresses assigned to the VM.
The name must be unique within the Azure region (location)
you create the VM in.
NAME DESCRIPTION
OSVersion The Windows/Linux version for the VM. The operating system
is a fully patched image of the given Windows/Linux version
selected.
imagePublisher The Windows/Linux image publisher for the selected VM.
imageOffer The Windows/Linux image for the selected VM.
Each of the resources deployed by the template is configured with several default settings. You can view these
settings through either of the following methods:
View the template on GitHub: If you're familiar with templates, you can view the settings within the
template.
View the settings after deploying: If you're not familiar with templates, you can deploy the template using
steps in one of the following sections and then view the settings after deployment.
You can use the Azure portal, PowerShell, or the Azure command-line interface (CLI) to deploy the template. All
methods produce the same result. To deploy the template, complete the steps in one of the following sections :
Deploy using the Azure portal

To deploy the template using the Azure portal, complete the following steps:
1. Modify the template, if desired. The template deploys the resources and settings listed in the resources section
of this article. To learn more about templates and how to author them, read the Authoring Azure Resource
Manager templatesarticle.
2. Deploy the template with one of the following methods:
Select the template in the portal: Complete the steps in the Deploy resources from custom template
article. Choose the pre-existing template named 101-vm-multiple-ipconfig.
Directly: Click the following button to open the template directly in the portal:
Regardless of the method you choose, you'll need to supply values for the parameters listed previously in this
article. After the VM is deployed, connect to the VM and add the private IP addresses to the operating system you
deployed by completing the steps in the Add IP addresses to a VM operating system section of this article. Do not
add the public IP addresses to the operating system.
Deploy using PowerShell

To deploy the template using PowerShell, complete the following steps:
1. Deploy the template by completing the steps in the Deploy a template with PowerShell article. The article
describes multiple options for deploying a template. If you choose to deploy using the
-TemplateUri parameter , the URI for this template is https://raw.githubusercontent.com/azure/azure-
quickstart-templates/master/101-vm-multiple-ipconfig/azuredeploy.json. If you choose to deploy using the
-TemplateFile parameter, copy the contents of the template file from GitHub into a new file on your
machine. Modify the template contents, if desired. The template deploys the resources and settings listed in
the resources section of this article. To learn more about templates and how to author them, read the
Authoring Azure Resource Manager templates article.
Regardless of the option you choose to deploy the template with, you must supply values for the parameter
values listed in the parameters section of this article. If you choose to supply parameters using a parameters
file, copy the contents of the parameters file from GitHub into a new file on your computer. Modify the
values in the file. Use the file you created as the value for the -TemplateParameterFile parameter.
To determine valid values for the OSVersion, ImagePublisher, and imageOffer parameters, complete the
steps in the Navigate and select Windows VM images article article.
TIP
If you're not sure whether a dnslabelprefix is available, enter the
Test-AzureRmDnsAvailability -DomainNameLabel <name-you-want-to-use> -Location <location> command to
find out. If it is available, the command will return True .
2. After the VM is deployed, connect to the VM and add the private IP addresses to the operating system you
deployed by completing the steps in the Add IP addresses to a VM operating system section of this article.
Do not add the public IP addresses to the operating system.
Deploy using the Azure CLI

To deploy the template using the Azure CLI 1.0, complete the following steps:
1. Deploy the template by completing the steps in the Deploy a template with the Azure CLI article. The article
describes multiple options for deploying the template. If you choose to deploy using the --template-uri (-
f), the URI for this template is https://raw.githubusercontent.com/azure/azure-quickstart-
templates/master/101-vm-multiple-ipconfig/azuredeploy.json. If you choose to deploy using the
--template-file (-f) parameter, copy the contents of the template file from GitHub into a new file on your
machine. Modify the template contents, if desired. The template deploys the resources and settings listed in
the resources section of this article. To learn more about templates and how to author them, read the
Authoring Azure Resource Manager templates article.
Regardless of the option you choose to deploy the template with, you must supply values for the parameter
values listed in the parameters section of this article. If you choose to supply parameters using a parameters
file, copy the contents of the parameters file from GitHub into a new file on your computer. Modify the
values in the file. Use the file you created as the value for the --parameters-file (-e) parameter.
To determine valid values for the OSVersion, ImagePublisher, and imageOffer parameters, complete the
steps in the Navigate and select Windows VM images article article.
2. After the VM is deployed, connect to the VM and add the private IP addresses to the operating system you
deployed by completing the steps in the Add IP addresses to a VM operating system section of this article.
Do not add the public IP addresses to the operating system.

Connect and login to a VM you created with multiple private IP addresses. You must manually add all the private IP
addresses (including the primary) that you added to the VM. Complete the following steps for your VM operating
system:
Windows
mask is 255.255.255.0.
WARNING
NOTE
Linux (Ubuntu)
sudo -i

ls

auto eth0

:wq
IMPORTANT
ip addr list eth0
sudo -i
ls ifcfg-*

touch ifcfg-eth0:0
vi ifcfg-eth0:0
DEVICE=eth0:0
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.101.101
NETMASK=255.255.255.0
:wq
commands:
ifconfig
Validation (Linux)
NOTE

Be sure to replace:
Create a virtual machine with Accelerated
Networking
In this tutorial, you learn how to create an Azure Virtual Machine (VM) with Accelerated Networking. Accelerated
Networking is GA for Windows and in a Public Preview for specific Linux distributions. Accelerated networking
enables single root I/O virtualization (SR-IOV) to a VM, greatly improving its networking performance. This high-
performance path bypasses the host from the datapath reducing latency, jitter, and CPU utilization, for use with the
most demanding network workloads on supported VM types. The following picture shows communication between
two virtual machines (VM) with and without accelerated networking:
Without accelerated networking, all networking traffic in and out of the VM must traverse the host and the virtual
switch. The virtual switch provides all policy enforcement, such as network security groups, access control lists,
isolation, and other network virtualized services to network traffic. To learn more about virtual switches, read the
Hyper-V network virtualization and virtual switch article.
With accelerated networking, network traffic arrives at the VM's network interface (NIC), and is then forwarded to
the VM. All network policies that the virtual switch applies without accelerated networking are offloaded and
applied in hardware. Applying policy in hardware enables the NIC to forward network traffic directly to the VM,
bypassing the host and the virtual switch, while maintaining all the policy it applied in the host.
The benefits of accelerated networking only apply to the VM that it is enabled on. For the best results, it is ideal to
enable this feature on at least two VMs connected to the same Azure Virtual Network (VNet). When communicating
across VNets or connecting on-premises, this feature has minimal impact to overall latency.
WARNING
This Linux Public Preview may not have the same level of availability and reliability as features that are in general availability
release. The feature is not supported, may have constrained capabilities, and may not be available in all Azure locations. For
the most up-to-date notifications on availability and status of this feature, check the Azure Virtual Network updates page.
Benefits
Lower Latency / Higher packets per second (pps): Removing the virtual switch from the datapath removes
the time packets spend in the host for policy processing and increases the number of packets that can be
processed inside the VM.
Reduced jitter: Virtual switch processing depends on the amount of policy that needs to be applied and the
workload of the CPU that is doing the processing. Offloading the policy enforcement to the hardware removes
that variability by delivering packets directly to the VM, removing the host to VM communication and all
software interrupts and context switches.
Decreased CPU utilization: Bypassing the virtual switch in the host leads to less CPU utilization for processing
network traffic.
Limitations
The following limitations exist when using this capability:
Network interface creation: Accelerated networking can only be enabled for a new NIC. It cannot be enabled
for an existing NIC.
VM creation: A NIC with accelerated networking enabled can only be attached to a VM when the VM is created.
The NIC cannot be attached to an existing VM.
Regions: Windows VMs with accelerated networking are offered in most Azure regions. Linux VMs with
accelerated networking are offered in multiple regions. The regions this capability is available in is expanding.
Please see the Azure Virtual Networking Updates blog below for the latest information.
Supported operating systems: Windows: Microsoft Windows Server 2012 R2 Datacenter and Windows
Server 2016. Linux: Ubuntu Server 16.04 LTS with kernel 4.4.0-77 or higher, SLES 12 SP2, RHEL 7.3 and CentOS
7.3 (Published by Rogue Wave Software).
VM Size: General purpose and compute-optimized instance sizes with eight or more cores. For more
information, see the Windows and Linux VM sizes articles. The set of supported VM instance sizes will expand in
the future.
Deployment through Azure Resource Manager (ARM) only: Accelerated Networking is not available for
deployment through ASM/RDFE.
Changes to these limitations are announced through the Azure Virtual Networking updates page.
Create a Windows VM
You can use the Azure portal or Azure PowerShell to create the VM.
Portal
1. From an Internet browser, open the Azure portal and sign in with your Azure account. If you don't already have
an account, you can sign up for a free trial.
2. In the portal, click + New > Compute > Windows Server 2016 Datacenter.
3. In the Windows Server 2016 Datacenter blade that appears, leave Resource Manager selected under Select a
deployment model, and click Create.
4. In the Basics blade that appears, enter the following values, leave the remaining default options or select or
enter your own values, and click the OK button:
SETTING VALUE
Name MyVm
Resource group Leave Create new selected and enter MyResourceGroup
Location West US 2
If you're new to Azure, learn more about Resource groups, subscriptions, and locations (which are also
referred to as regions).
5. In the Choose a size blade that appears, enter 8 in the Minimum cores box, then click View all.
6. Click DS4_V2 Standard, or any supported VM, then click the Select button.
7. In the Settings blade that appears, leave all settings as-is, except click Enabled under Accelerated
networking, then click the OK button. Note: If, in previous steps, you selected values for VM size, operating
system, or location that aren't listed in the Limitations section of this article, Accelerated networking isn't
visible.
8. In the Summary blade that appears, click the OK button. Azure starts creating the VM. VM creation takes a few
minutes.
9. To install the accelerated networking driver for Windows, complete the steps in the Configure Windows section
of this article.
PowerShell
1. Install the latest version of the Azure PowerShell AzureRm module. If you're new to Azure PowerShell, read the
Azure PowerShell overview article.
2. Start a PowerShell session by clicking the Windows Start button, typing powershell, then clicking PowerShell
from the search results.
3. In your PowerShell window, enter the login-azurermaccount command to sign in with your Azure account. If you
don't already have an account, you can sign up for a free trial.
4. In your browser, copy the following script:
$RgName="MyResourceGroup"
$Location="westus2"
# Create a resource group

-Name $RgName `
-Location $Location
# Create a subnet
$Subnet = New-AzureRmVirtualNetworkSubnetConfig `
-Name MySubnet `

-Name MyVnet `
-Subnet $Subnet

$Pip = New-AzureRmPublicIpAddress `
-Name MyPublicIp `
# Create a virtual network interface and associate the public IP address to it

$Nic = New-AzureRmNetworkInterface `
-Name MyNic `
-SubnetId $Vnet.Subnets[0].Id `
-PublicIpAddressId $Pip.Id `
-EnableAcceleratedNetworking
# Define a credential object for the VM. PowerShell prompts you for a username and password.
$Cred = Get-Credential

-VMName MyVM -VMSize Standard_DS4_v2 | `
Set-AzureRmVMOperatingSystem `
-Windows `
-ComputerName myVM `
-Credential $Cred | `
-PublisherName MicrosoftWindowsServer `
-Offer WindowsServer `
-Skus 2016-Datacenter `
-Version latest | `
Add-AzureRmVMNetworkInterface -Id $Nic.Id
# Create the virtual machine.

New-AzureRmVM `
-VM $VmConfig
#
5. In your PowerShell window, right-click to paste the script and start executing it. You are prompted for a
username and password. Use these credentials to log in to the VM when connecting to it in the next step. If the
script fails, and you changed values in the script before executing it, confirm the values you used for VM size,
operating system, and location are listed in the Limitations section of this article.
6. To install the accelerated networking driver for Windows, complete the steps in the Configure Windows section
of this article.
Configure Windows
Once you create the VM in Azure, you must install the accelerated networking driver for Windows. Before
completing the following steps, you must have created a Windows VM with accelerated networking using either the
portal or PowerShell steps in this article.
2. In the box that contains the text Search resources at the top of the Azure portal, type MyVm. When MyVm
appears in the search results, click it.
3. In the MyVm blade that appears, click the Connect button in the top left corner of the blade. Note: If Creating
is visible under the Connect button, Azure has not yet finished creating the VM. Click Connect only after you no
longer see Creating under the Connect button.
4. Allow your browser to download the MyVm.rdp file. Once downloaded, click the file to open it.
5. Click the Connect button in the Remote Desktop Connection box that appears, notifying you that the
publisher of the remote connection can't be identified.
6. In the Windows Security box that appears, click More choices, then click Use a different account. Enter the
username and password you entered in step 4, then click the OK button.
7. Click the Yes button in the Remote Desktop Connection box that appears, notifying you that the identity of the
remote computer cannot be verified.
8. Right-click the Windows Start button and click Device Manager. Expand the Network adapters node.
Confirm that the Mellanox ConnectX-3 Virtual Function Ethernet Adapter appears, as shown in the
following picture:
9. Accelerated Networking is now enabled for your VM.
Create a Linux VM
You can use the Azure portal or Azure PowerShell to create an Ubuntu or SLES VM. For RHEL and CentOS VMs
there is a different workflow. Please see the instructions below.
Portal
1. Register for the accelerated networking for Linux preview by completing steps 1-5 of the Create a Linux VM -
PowerShell section of this article. You cannot register for the preview in the portal.
2. Complete steps 1-8 in the Create a Windows VM - portal section of this article. In step 2, click Ubuntu Server
16.04 LTS instead of Windows Server 2016 Datacenter. For this tutorial, choose to use a password, rather
than an SSH key, though for production deployments, you can use either. If Accelerated networking does not
appear when you complete step 7 of the Create a Windows VM - portal section of this article, it's likely for one of
the following reasons:
You are not yet registered for the preview. Confirm that your registration state is Registered, as
explained in step 4 of the Create a Linux VM - Powershell section of this article. Note: If you participated
in the Accelerated networking for Windows VMs preview (it's no longer necessary to register to use
Accelerated networking for Windows VMs), you are not automatically registered for the Accelerated
networking for Linux VMs preview. You must register for the Accelerated networking for Linux VMs
preview to participate in it.
You have not selected a VM size, operating system, or location listed in the Limitations section of this
article.
3. To install the accelerated networking driver for Linux, complete the steps in the Configure Linux section of this
article.
PowerShell
WARNING
If you create Linux VMs with accelerated networking in a subscription, and then attempt to create a Windows VM with
accelerated networking in the same subscription, the Windows VM creation may fail. During this preview, it's recommended
that you test Linux and Windows VMs with accelerated networking in separate subscriptions.
1. Install the latest version of the Azure PowerShell AzureRm module. If you're new to Azure PowerShell, read the
Azure PowerShell overview article.
2. Start a PowerShell session by clicking the Windows Start button, typing powershell, then clicking PowerShell
from the search results.
3. In your PowerShell window, enter the login-azurermaccount command to sign in with your Azure account. If you
don't already have an account, you can sign up for a free trial.
4. Register for the accelerated networking for Azure preview by completing the following steps:
Send an email to axnpreview@microsoft.com with your Azure subscription ID and intended use. Please
wait for an email confirmation from Microsoft about your subscription being enabled.
Enter the following command to confirm you are registered for the preview:
Get-AzureRmProviderFeature -FeatureName AllowAcceleratedNetworkingForLinux -ProviderNamespace

Microsoft.Network
Do not continue with step 5 until Registered appears in the output after you enter the previous
command. Your output must look like the following output before continuing:
FeatureName ProviderName RegistrationState

----------- ------------ -----------------
AllowAcceleratedNetworkingForLinux Microsoft.Network Registered
NOTE
If you participated in the Accelerated networking for Windows VMs preview (it's no longer necessary to
register to use Accelerated networking for Windows VMs), you are not automatically registered for the
Accelerated networking for Linux VMs preview. You must register for the Accelerated networking for Linux
VMs preview to participate in it.
5. In your browser, copy the following script substituting Ubuntu or SLES as desired. Again, Redhat and CentOS
have a different workflow outlined below:
$Location="westus2"

-Name $RgName `
-Location $Location
# Create a subnet
-Name MySubnet `

-Name MyVnet `
-Subnet $Subnet

-Name MyPublicIp `

-Name MyNic `
# Create a new Storage account and define the new VMs OSDisk name and its URI
# Must end with ".vhd" extension
$OSDiskName = "MyOsDiskName.vhd"
# Storage account name must be between 3 and 24 characters in length and use numbers and lower-case
letters only.
$OSDiskSAName = "thestorageaccountname"
$StorageAccount = New-AzureRmStorageAccount -ResourceGroupName $RgName -Name $OSDiskSAName -Type
"Standard_GRS" -Location $Location
$OSDiskUri = $StorageAccount.PrimaryEndpoints.Blob.ToString() + "vhds/" + $OSDiskName

-Linux `
-PublisherName Canonical `
-Offer UbuntuServer `
-Skus 16.04-LTS `
-Version latest | `
Add-AzureRmVMNetworkInterface -Id $Nic.Id | `
Set-AzureRmVMOSDisk -Name $OSDiskName `
-VhdUri $OSDiskUri `
-CreateOption FromImage

New-AzureRmVM `
-VM $VmConfig
6. In your PowerShell window, right-click to paste the script and start executing it. You are prompted for a
username and password. Use these credentials to log in to the VM when connecting to it in the next step. If
the script fails, confirm that:
You are registered for the preview, as explained in step 4
If you changed VM size, operating system type, or location values in the script before executing it, that the
values are listed in the Limitations section of this article.
7. To install the accelerated networking driver for Linux, complete the steps in the Configure Linux section of this
article.
Configure Linux
Once you create the VM in Azure, you must install the accelerated networking driver for Linux. Before completing
the following steps, you must have created a Linux VM with accelerated networking using either the portal or
PowerShell steps in this article.
2. At the top of the portal, to the right of the Search resources bar, click the >_ icon to start a Bash cloud shell
(Preview). The Bash cloud shell pane appears at the bottom of the portal and after a few seconds, presents a
username@Azure:~$ prompt. Though you can SSH to the VM from your computer, rather than the cloud shell,
the instructions in this tutorial assume you're using the cloud shell.
3. At the top of the portal, in the box that contains the text Search resources, type MyVm. When MyVm appears in
the search results, click it.
4. In the MyVm blade that appears, click the Connect button in the top left corner of the blade. Note: If Creating
is visible under the Connect button, Azure has not yet finished creating the VM. Click Connect only after you no
longer see Creating under the Connect button.
5. Azure opens a box telling you to enter the ssh adminuser@<ipaddress> . Enter this command in the cloud shell (or
copy it from the box that appeared in step 4 and paste it in to the cloud shell), then press Enter.
6. Enter yes to the question asking you if you want to continue connecting, then press Enter.
7. Enter the password you entered when creating the VM. Once successfully logged in to the VM, you see an
adminuser@MyVm:~$ prompt. You are now logged in to the VM through the cloud shell session. Note: Cloud
shell sessions time out after 10 minutes of inactivity.
At this point, the instructions vary based on the distribution you are using.
Ubuntu/SLES
1. At the prompt, enter uname -r and confirm the version for:
Ubuntu is "4.4.0-77-generic," or greater
SLES is "4.4.59-92.20-default" or greater
2. Create a bond between the standard networking vNIC and the accelerated networking vNIC by running the
commands that follow. Network traffic uses the higher performing accelerated networking vNIC, while the
bond ensures that networking traffic is not interrupted across certain configuration changes.
wget https://raw.githubusercontent.com/LIS/lis-next/master/tools/sriov/configure_hv_sriov.sh
chmod +x ./configure_hv_sriov.sh
sudo ./configure_hv_sriov.sh
3. After running the script, the VM will restart after a 60 second pause.
4. Once the VM is restarted, reconnect to it by completing steps 5-7 again.
5. Run the ifconfig command and confirm that bond0 has come up and the interface is showing as UP.
NOTE
Applications using accelerated networking must communicate over the bond0 interface, not eth0. The interface name
may change before accelerated networking reaches general availability.
RHEL/CentOS
Creating a Red Hat Enterprise Linux or CentOS 7.3 VM requires some extra steps to load the latest drivers needed
for SR-IOV and the Virtual Function (VF) driver for the network card. The first phase of the instructions prepares an
image that can be used to make one or more virtual machines that have the drivers pre-loaded.
P h a se o n e : p r e p a r e a R e d H a t En t e r p r i se L i n u x o r C e n t O S 7.3 b a se i m a g e .
1. Provision a non-SRIOV CentOS 7.3 VM on Azure

2. Install LIS 4.2.2:
wget http://download.microsoft.com/download/6/8/F/68FE11B8-FAA4-4F8D-8C7D-74DA7F2CFC8C/lis-rpms-4.2.2-
2.tar.gz
tar -xvf lis-rpms-4.2.2-2.tar.gz
cd LISISO && sudo ./install.sh
3. Download config files
cd /etc/udev/rules.d/
sudo wget https://raw.githubusercontent.com/LIS/lis-next/master/tools/sriov/60-hyperv-vf-name.rules
cd /usr/sbin/
sudo wget https://raw.githubusercontent.com/LIS/lis-next/master/tools/sriov/hv_vf_name
sudo chmod +x hv_vf_name
cd /etc/sysconfig/network-scripts/
sudo wget https://raw.githubusercontent.com/LIS/lis-next/master/tools/sriov/ifcfg-vf1
4. Deprovision this VM
sudo waagent -deprovision+user
5. From Azure portal, stop this VM; and go to VMs "Disks", capture the OSDisks VHD URI. This URI contains
the base images VHD name and its storage account.
P h a se t w o : P r o v i si o n n e w V M s o n A z u r e
1. Provision new VMs based with New-AzureRMVMConfig using the base image VHD captured in phase one,
with AcceleratedNetworking enabled on the vNIC:
$Location="westus2"

-Name $RgName `
-Location $Location
# Create a subnet
-Name MySubnet `

-Name MyVnet `
-Subnet $Subnet

-Name MyPublicIp `
-Name MyNic `
# Specify the base image's VHD URI (from phase one step 5).
# Note: The storage account of this base image vhd should have "Storage service encryption" disabled
# See more from here: https://docs.microsoft.com/en-us/azure/storage/storage-service-encryption
# This is just an example URI, you will need to replace this when running this script
$sourceUri="https://myexamplesa.blob.core.windows.net/vhds/CentOS73-Base-Test120170629111341.vhd"
# Specify a URI for the location from which the new image binary large object (BLOB) is copied to start
the virtual machine.
# Must end with ".vhd" extension
$OsDiskName = "MyOsDiskName.vhd"
$destOsDiskUri = "https://myexamplesa.blob.core.windows.net/vhds/" + $OsDiskName
# Create a custom virtual machine configuration

-Linux `
Add-AzureRmVMNetworkInterface -Id $Nic.Id | `
Set-AzureRmVMOSDisk `
-Name $OsDiskName `
-SourceImageUri $sourceUri `
-VhdUri $destOsDiskUri `
-CreateOption FromImage `
-Linux

New-AzureRmVM `
-VM $VmConfig
2. After VMs boot up, check the VF device by "lspci" and check the Mellanox entry. For example, we should see
this item in the lspci output:
0001:00:02.0 Ethernet controller: Mellanox Technologies MT27500/MT27520 Family [ConnectX-3/ConnectX-3

Pro Virtual Function]
3. Run the bonding script by:
sudo bondvf.sh
4. Reboot the new VMs:
sudo reboot
The VM should start with bond0 configured and the Accelerated Networking path enabled. Run ifconfig to
confirm.
Configure a VNet-to-VNet VPN gateway connection
using PowerShell
This article shows you how to create a VPN gateway connection between virtual networks. The virtual networks can
be in the same or different regions, and from the same or different subscriptions. When connecting VNets from
different subscriptions, the subscriptions do not need to be associated with the same Active Directory tenant.
The steps in this article apply to the Resource Manager deployment model and use PowerShell. You can also create
this configuration using a different deployment tool or deployment model by selecting a different option from the
following list:
Connecting a virtual network to another virtual network (VNet-to-VNet) is similar to connecting a VNet to an on-
premises site location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE. If
your VNets are in the same region, you may want to consider connecting them using VNet Peering. VNet peering
does not use a VPN gateway. For more information, see VNet peering.
VNet-to-VNet communication can be combined with multi-site configurations. This lets you establish network
topologies that combine cross-premises connectivity with inter-virtual network connectivity, as shown in the
following diagram:
Why connect virtual networks?

You may want to connect virtual networks for the following reasons:
Cross region geo-redundancy and geo-presence
You can set up your own geo-replication or synchronization with secure connectivity without going over
Internet-facing endpoints.
With Azure Traffic Manager and Load Balancer, you can set up highly available workload with geo-
redundancy across multiple Azure regions. One important example is to set up SQL Always On with
Availability Groups spreading across multiple Azure regions.
Regional multi-tier applications with isolation or administrative boundary
Within the same region, you can set up multi-tier applications with multiple virtual networks connected
together due to isolation or administrative requirements.
For more information about VNet-to-VNet connections, see the VNet-to-VNet FAQ at the end of this article.
Which set of steps should I use?

In this article, you see two different sets of steps. One set of steps for VNets that reside in the same subscription,
and another for VNets that reside in different subscriptions. The key difference between the sets is whether you can
create and configure all virtual network and gateway resources within the same PowerShell session.
The steps in this article use variables that are declared at the beginning of each section. If you already are working
with existing VNets, modify the variables to reflect the settings in your own environment. If you want name
resolution for your virtual networks, see Name resolution.
How to connect VNets that are in the same subscription
Before you begin

Before beginning, you need to install the latest version of the Azure Resource Manager PowerShell cmdlets, at least
4.0 or later. For more information about installing the PowerShell cmdlets, see How to install and configure Azure
PowerShell.
Step 1 - Plan your IP address ranges
In the following steps, we create two virtual networks along with their respective gateway subnets and
configurations. We then create a VPN connection between the two VNets. Its important to plan the IP address
ranges for your network configuration. Keep in mind that you must make sure that none of your VNet ranges or
local network ranges overlap in any way. In these examples, we do not include a DNS server. If you want name
resolution for your virtual networks, see Name resolution.
We use the following values in the examples:
Values for TestVNet1:
VNet Name: TestVNet1
Resource Group: TestRG1
Location: East US
TestVNet1: 10.11.0.0/16 & 10.12.0.0/16
FrontEnd: 10.11.0.0/24
BackEnd: 10.12.0.0/24
GatewaySubnet: 10.12.255.0/27
GatewayName: VNet1GW
Public IP: VNet1GWIP
VPNType: RouteBased
Connection(1to4): VNet1toVNet4
Connection(1to5): VNet1toVNet5
ConnectionType: VNet2VNet
TestVNet2: 10.41.0.0/16 & 10.42.0.0/16
FrontEnd: 10.41.0.0/24
BackEnd: 10.42.0.0/24
Location: West US
VPNType: RouteBased
Connection: VNet4toVNet1
Step 2 - Create and configure TestVNet1
1. Declare your variables. This example declares the variables using the values for this exercise. In most cases,
you should replace the values with your own. However, you can use these variables if you are running
through the steps to become familiar with this type of configuration. Modify the variables if needed, then
copy and paste them into your PowerShell console.
$Sub1 = "Replace_With_Your_Subcription_Name"
$RG1 = "TestRG1"
$Location1 = "East US"
$VNetName1 = "TestVNet1"
$FESubName1 = "FrontEnd"
$BESubName1 = "Backend"
$GWSubName1 = "GatewaySubnet"
$VNetPrefix11 = "10.11.0.0/16"
$VNetPrefix12 = "10.12.0.0/16"
$FESubPrefix1 = "10.11.0.0/24"
$BESubPrefix1 = "10.12.0.0/24"
$GWSubPrefix1 = "10.12.255.0/27"
$GWName1 = "VNet1GW"
$GWIPName1 = "VNet1GWIP"
$GWIPconfName1 = "gwipconf1"
$Connection14 = "VNet1toVNet4"
2. Connect to your account. Use the following example to help you connect:
Login-AzureRmAccount
Check the subscriptions for the account.
Get-AzureRmSubscription
Specify the subscription that you want to use.
Select-AzureRmSubscription -SubscriptionName $Sub1
New-AzureRmResourceGroup -Name $RG1 -Location $Location1
4. Create the subnet configurations for TestVNet1. This example creates a virtual network named TestVNet1
and three subnets, one called GatewaySubnet, one called FrontEnd, and one called Backend. When
substituting values, it's important that you always name your gateway subnet specifically GatewaySubnet. If
you name it something else, your gateway creation fails.
The following example uses the variables that you set earlier. In this example, the gateway subnet is using a
/27. While it is possible to create a gateway subnet as small as /29, we recommend that you create a larger
subnet that includes more addresses by selecting at least /28 or /27. This will allow for enough addresses to
accommodate possible additional configurations that you may want in the future.
$fesub1 = New-AzureRmVirtualNetworkSubnetConfig -Name $FESubName1 -AddressPrefix $FESubPrefix1

$besub1 = New-AzureRmVirtualNetworkSubnetConfig -Name $BESubName1 -AddressPrefix $BESubPrefix1
$gwsub1 = New-AzureRmVirtualNetworkSubnetConfig -Name $GWSubName1 -AddressPrefix $GWSubPrefix1
5. Create TestVNet1.
New-AzureRmVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1 `

-Location $Location1 -AddressPrefix $VNetPrefix11,$VNetPrefix12 -Subnet $fesub1,$besub1,$gwsub1
6. Request a public IP address to be allocated to the gateway you will create for your VNet. Notice that the
AllocationMethod is Dynamic. You cannot specify the IP address that you want to use. It's dynamically
allocated to your gateway.
$gwpip1 = New-AzureRmPublicIpAddress -Name $GWIPName1 -ResourceGroupName $RG1 `

-Location $Location1 -AllocationMethod Dynamic
7. Create the gateway configuration. The gateway configuration defines the subnet and the public IP address to
use. Use the example to create your gateway configuration.
$vnet1 = Get-AzureRmVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1

$subnet1 = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet1
$gwipconf1 = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GWIPconfName1 `
-Subnet $subnet1 -PublicIpAddress $gwpip1
8. Create the gateway for TestVNet1. In this step, you create the virtual network gateway for your TestVNet1.
VNet-to-VNet configurations require a RouteBased VpnType. Creating a gateway can often take 45 minutes
or more, depending on the selected gateway SKU.
New-AzureRmVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1 `

-Location $Location1 -IpConfigurations $gwipconf1 -GatewayType Vpn `
-VpnType RouteBased -GatewaySku VpnGw1

Once you've configured TestVNet1, create TestVNet4. Follow the steps below, replacing the values with your own
when needed. This step can be done within the same PowerShell session because it is in the same subscription.
1. Declare your variables. Be sure to replace the values with the ones that you want to use for your
configuration.
$RG4 = "TestRG4"
$Location4 = "West US"
$VnetName4 = "TestVNet4"
$VnetPrefix41 = "10.41.0.0/16"
$VnetPrefix42 = "10.42.0.0/16"
$FESubPrefix4 = "10.41.0.0/24"
$BESubPrefix4 = "10.42.0.0/24"
$GWSubPrefix4 = "10.42.255.0/27"
3. Create the subnet configurations for TestVNet4.

New-AzureRmVirtualNetwork -Name $VnetName4 -ResourceGroupName $RG4 `

-Location $Location4 -AddressPrefix $VnetPrefix41,$VnetPrefix42 -Subnet $fesub4,$besub4,$gwsub4
5. Request a public IP address.

6. Create the gateway configuration.
$vnet4 = Get-AzureRmVirtualNetwork -Name $VnetName4 -ResourceGroupName $RG4

$gwipconf4 = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GWIPconfName4 -Subnet $subnet4 -
PublicIpAddress $gwpip4
7. Create the TestVNet4 gateway. Creating a gateway can often take 45 minutes or more, depending on the
selected gateway SKU.
New-AzureRmVirtualNetworkGateway -Name $GWName4 -ResourceGroupName $RG4 `

-Location $Location4 -IpConfigurations $gwipconf4 -GatewayType Vpn `
-VpnType RouteBased -GatewaySku VpnGw1
Step 4 - Create the connections

1. Get both virtual network gateways. If both of the gateways are in the same subscription, as they are in the
example, you can complete this step in the same PowerShell session.
$vnet1gw = Get-AzureRmVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
2. Create the TestVNet1 to TestVNet4 connection. In this step, you create the connection from TestVNet1 to
TestVNet4. You'll see a shared key referenced in the examples. You can use your own values for the shared
key. The important thing is that the shared key must match for both connections. Creating a connection can
take a short while to complete.
New-AzureRmVirtualNetworkGatewayConnection -Name $Connection14 -ResourceGroupName $RG1 `

-VirtualNetworkGateway1 $vnet1gw -VirtualNetworkGateway2 $vnet4gw -Location $Location1 `
-ConnectionType Vnet2Vnet -SharedKey 'AzureA1b2C3'
3. Create the TestVNet4 to TestVNet1 connection. This step is similar to the one above, except you are creating
the connection from TestVNet4 to TestVNet1. Make sure the shared keys match. The connection will be
established after a few minutes.
New-AzureRmVirtualNetworkGatewayConnection -Name $Connection41 -ResourceGroupName $RG4 `

-VirtualNetworkGateway1 $vnet4gw -VirtualNetworkGateway2 $vnet1gw -Location $Location4 `
-ConnectionType Vnet2Vnet -SharedKey 'AzureA1b2C3'
4. Verify your connection. See the section How to verify your connection.
How to connect VNets that are in different subscriptions
In this scenario, we connect TestVNet1 and TestVNet5. TestVNet1 and TestVNet5 reside in a different subscription.
The subscriptions do not need to be associated with the same Active Directory tenant. The difference between
these steps and the previous set is that some of the configuration steps need to be performed in a separate
PowerShell session in the context of the second subscription. Especially when the two subscriptions belong to
different organizations.
You must complete Step 1 and Step 2 from the previous section to create and configure TestVNet1 and the VPN
Gateway for TestVNet1. For this configuration, you are not required to create TestVNet4 from the previous section,
although if you do create it, it will not conflict with these steps. Once you complete Step 1 and Step 2, continue with
Step 6 to create TestVNet5.
Step 6 - Verify the IP address ranges
It is important to make sure that the IP address space of the new virtual network, TestVNet5, does not overlap with
any of your VNet ranges or local network gateway ranges. In this example, the virtual networks may belong to
different organizations. For this exercise, you can use the following values for the TestVNet5:
Location: Japan East
TestVNet5: 10.51.0.0/16 & 10.52.0.0/16
FrontEnd: 10.51.0.0/24
BackEnd: 10.52.0.0/24
GatewaySubnet: 10.52.255.0.0/27
VPNType: RouteBased
Connection: VNet5toVNet1
This step must be done in the context of the new subscription. This part may be performed by the administrator in
a different organization that owns the subscription.
1. Declare your variables. Be sure to replace the values with the ones that you want to use for your
configuration.
$Sub5 = "Replace_With_the_New_Subcription_Name"
$RG5 = "TestRG5"
$Location5 = "Japan East"
$VnetName5 = "TestVNet5"
$VnetPrefix51 = "10.51.0.0/16"
$VnetPrefix52 = "10.52.0.0/16"
$FESubPrefix5 = "10.51.0.0/24"
$BESubPrefix5 = "10.52.0.0/24"
$GWSubPrefix5 = "10.52.255.0/27"
2. Connect to subscription 5. Open your PowerShell console and connect to your account. Use the following
sample to help you connect:
Check the subscriptions for the account.
Select-AzureRmSubscription -SubscriptionName $Sub5
4. Create the subnet configurations for TestVNet5.

New-AzureRmVirtualNetwork -Name $VnetName5 -ResourceGroupName $RG5 -Location $Location5 `

-AddressPrefix $VnetPrefix51,$VnetPrefix52 -Subnet $fesub5,$besub5,$gwsub5
6. Request a public IP address.

7. Create the gateway configuration.
$vnet5 = Get-AzureRmVirtualNetwork -Name $VnetName5 -ResourceGroupName $RG5

$gwipconf5 = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GWIPconfName5 -Subnet $subnet5 -
PublicIpAddress $gwpip5
8. Create the TestVNet5 gateway.
New-AzureRmVirtualNetworkGateway -Name $GWName5 -ResourceGroupName $RG5 -Location $Location5 `

-IpConfigurations $gwipconf5 -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1
Step 8 - Create the connections

In this example, because the gateways are in the different subscriptions, we've split this step into two PowerShell
sessions marked as [Subscription 1] and [Subscription 5].
1. [Subscription 1] Get the virtual network gateway for Subscription 1. Log in and connect to Subscription 1
before running the following example:
Copy the output of the following elements and send these to the administrator of Subscription 5 via email
or another method.
$vnet1gw.Name
$vnet1gw.Id
These two elements will have values similar to the following example output:
PS D:\> $vnet1gw.Name
VNet1GW
PS D:\> $vnet1gw.Id
/subscriptions/b636ca99-6f88-4df4-a7c3-
2f8dc4545509/resourceGroupsTestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW
2. [Subscription 5] Get the virtual network gateway for Subscription 5. Log in and connect to Subscription 5
before running the following example:
Copy the output of the following elements and send these to the administrator of Subscription 1 via email
or another method.
$vnet5gw.Name
$vnet5gw.Id
These two elements will have values similar to the following example output:
PS C:\> $vnet5gw.Name
VNet5GW
PS C:\> $vnet5gw.Id
/subscriptions/66c8e4f1-ecd6-47ed-9de7-
7e530de23994/resourceGroups/TestRG5/providers/Microsoft.Network/virtualNetworkGateways/VNet5GW
3. [Subscription 1] Create the TestVNet1 to TestVNet5 connection. In this step, you create the connection
from TestVNet1 to TestVNet5. The difference here is that $vnet5gw cannot be obtained directly because it is
in a different subscription. You will need to create a new PowerShell object with the values communicated
from Subscription 1 in the steps above. Use the example below. Replace the Name, Id, and shared key with
your own values. The important thing is that the shared key must match for both connections. Creating a
connection can take a short while to complete.
Connect to Subscription 1 before running the following example:
$vnet5gw = New-Object Microsoft.Azure.Commands.Network.Models.PSVirtualNetworkGateway

$vnet5gw.Name = "VNet5GW"
$vnet5gw.Id = "/subscriptions/66c8e4f1-ecd6-47ed-9de7-
7e530de23994/resourceGroups/TestRG5/providers/Microsoft.Network/virtualNetworkGateways/VNet5GW"
New-AzureRmVirtualNetworkGatewayConnection -Name $Connection15 -ResourceGroupName $RG1 -
VirtualNetworkGateway1 $vnet1gw -VirtualNetworkGateway2 $vnet5gw -Location $Location1 -ConnectionType
Vnet2Vnet -SharedKey 'AzureA1b2C3'
4. [Subscription 5] Create the TestVNet5 to TestVNet1 connection. This step is similar to the one above,
except you are creating the connection from TestVNet5 to TestVNet1. The same process of creating a
PowerShell object based on the values obtained from Subscription 1 applies here as well. In this step, be
sure that the shared keys match.
Connect to Subscription 5 before running the following example:
$vnet1gw = New-Object Microsoft.Azure.Commands.Network.Models.PSVirtualNetworkGateway

$vnet1gw.Name = "VNet1GW"
$vnet1gw.Id = "/subscriptions/b636ca99-6f88-4df4-a7c3-
2f8dc4545509/resourceGroups/TestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW "
New-AzureRmVirtualNetworkGatewayConnection -Name $Connection51 -ResourceGroupName $RG5 -
VirtualNetworkGateway1 $vnet5gw -VirtualNetworkGateway2 $vnet1gw -Location $Location5 -ConnectionType
Vnet2Vnet -SharedKey 'AzureA1b2C3'
How to verify a connection

IMPORTANT
When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a
network security group to this subnet may cause your VPN gateway to stop functioning as expected. For more information
about network security groups, see What is a network security group?
You can verify that your connection succeeded by using the 'Get-AzureRmVirtualNetworkGatewayConnection'
cmdlet, with or without '-Debug'.
1. Use the following cmdlet example, configuring the values to match your own. If prompted, select 'A' in order
to run 'All'. In the example, '-Name' refers to the name of the connection that you want to test.
Get-AzureRmVirtualNetworkGatewayConnection -Name MyGWConnection -ResourceGroupName MyRG
2. After the cmdlet has finished, view the values. In the example below, the connection status shows as
'Connected' and you can see ingress and egress bytes.
"connectionStatus": "Connected",
"ingressBytesTransferred": 33509044,
"egressBytesTransferred": 4142431
VNet-to-VNet FAQ
The VNet-to-VNet FAQ applies to VPN Gateway connections. If you are looking for VNet Peering, see Virtual
Network Peering
Does Azure charge for traffic between VNets?
VNet-to-VNet traffic within the same region is free for both directions when using a VPN gateway connection.
Cross region VNet-to-VNet egress traffic is charged with the outbound inter-VNet data transfer rates based on the
source regions. Refer to the VPN Gateway pricing page for details. If you are connecting your VNets using VNet
Peering, rather than VPN Gateway, see the Virtual Network pricing page.
Does VNet-to -VNet traffic travel across the Internet?
No. VNet-to-VNet traffic travels across the Microsoft Azure backbone, not the Internet.
Is VNet-to -VNet traffic secure?
Yes, it is protected by IPsec/IKE encryption.
Do I need a VPN device to connect VNets together?
No. Connecting multiple Azure virtual networks together doesn't require a VPN device unless cross-premises
connectivity is required.
Do my VNets need to be in the same region?
No. The virtual networks can be in the same or different Azure regions (locations).
If the VNets are not in the same subscription, do the subscriptions need to be associated with the same AD
tenant?
No.
Can I use VNet-to -VNet to connect virtual networks in separate Azure instances?
No. VNet-to-VNet supports connecting virtual networks within the same Azure instance. For example, you cant
create a connection between public Azure and the Chinese / German / US Gov Azure instances. For these scenarios,
consider using a Site-to-Site VPN connection.
Can I use VNet-to -VNet along with multi-site connections?
Yes. Virtual network connectivity can be used simultaneously with multi-site VPNs.
How many on-premises sites and virtual networks can one virtual network connect to?
See Gateway requirements table.
Can I use VNet-to -VNet to connect VMs or cloud services outside of a VNet?
No. VNet-to-VNet supports connecting virtual networks. It does not support connecting virtual machines or cloud
services that are not in a virtual network.
Can a cloud service or a load balancing endpoint span VNets?
No. A cloud service or a load balancing endpoint can't span across virtual networks, even if they are connected
together.
Can I used a PolicyBased VPN type for VNet-to -VNet or Multi-Site connections?
No. VNet-to-VNet and Multi-Site connections require Azure VPN gateways with RouteBased (previously called
Dynamic Routing) VPN types.
Can I connect a VNet with a RouteBased VPN Type to another VNet with a PolicyBased VPN type?
No, both virtual networks MUST be using route-based (previously called Dynamic Routing) VPNs.
Do VPN tunnels share bandwidth?
Yes. All VPN tunnels of the virtual network share the available bandwidth on the Azure VPN gateway and the same
VPN gateway uptime SLA in Azure.
Are redundant tunnels supported?
Redundant tunnels between a pair of virtual networks are supported when one virtual network gateway is
configured as active-active.
Can I have overlapping address spaces for VNet-to -VNet configurations?
No. You can't have overlapping IP address ranges.
Can there be overlapping address spaces among connected virtual networks and on-premises local sites?
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. See the Virtual
Machines documentation for more information.
For information about BGP, see the BGP Overview and How to configure BGP.
Connect virtual networks from different deployment
models using the portal
This article shows you how to connect classic VNets to Resource Manager VNets to allow the resources located in
the separate deployment models to communicate with each other. The steps in this article primarily use the Azure
portal, but you can also create this configuration using the PowerShell by selecting the article from this list.
Connecting a classic VNet to a Resource Manager VNet is similar to connecting a VNet to an on-premises site
location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE. You can create a
connection between VNets that are in different subscriptions and in different regions. You can also connect VNets
that already have connections to on-premises networks, as long as the gateway that they have been configured
with is dynamic or route-based. For more information about VNet-to-VNet connections, see the VNet-to-VNet FAQ
at the end of this article.
If your VNets are in the same region, you may want to instead consider connecting them using VNet Peering. VNet
peering does not use a VPN gateway. For more information, see VNet peering.
Before you begin
These steps assume that both VNets have already been created. If you are using this article as an exercise and
don't have VNets, there are links in the steps to help you create them.
Verify that the address ranges for the VNets do not overlap with each other, or overlap with any of the ranges
for other connections that the gateways may be connected to.
Install the latest PowerShell cmdlets for both Resource Manager and Service Management (classic). In this
article, we use both the Azure portal and PowerShell. PowerShell is required to create the connection from the
classic VNet to the Resource Manager VNet. For more information, see How to install and configure Azure
PowerShell.
Example settings
You can use these values to create a test environment, or refer to them to better understand the examples in this
article.
Classic VNet
VNet name = ClassicVNet
Address space = 10.0.0.0/24
Subnet-1 = 10.0.0.0/27
Resource Group = ClassicRG
Location = West US
GatewaySubnet = 10.0.0.32/28
Local site = RMVNetLocal
Resource Manager VNet
VNet name = RMVNet
Address space = 192.168.0.0/16
Subnet-1 = 192.168.1.0/24
GatewaySubnet = 192.168.0.0/26
Resource Group = RG1
Location = East US
Virtual network gateway name = RMGateway
Gateway type = VPN
VPN type = Route-based
Gateway Public IP address name = rmgwpip
Local network gateway = ClassicVNetLocal
Connection name = RMtoClassic
Connection overview
For this configuration, you create a VPN gateway connection over an IPsec/IKE VPN tunnel between the virtual
networks. Make sure that none of your VNet ranges overlap with each other, or with any of the local networks that
they connect to.
The following table shows an example of how the example VNets and local sites are defined:
CONNECTS TO LOCAL
VIRTUAL NETWORK ADDRESS SPACE REGION NETWORK SITE
ClassicVNet (10.0.0.0/24) West US RMVNetLocal

(192.168.0.0/16)
RMVNet (192.168.0.0/16) East US ClassicVNetLocal

(10.0.0.0/24)
Section 1 - Configure the classic VNet settings

In this section, you create the local network (local site) and the virtual network gateway for your classic VNet. If you
don't have a classic VNet and are running these steps as an exercise, you can create a VNet by using this article and
the Example settings values from above.
When using the portal to create a classic virtual network, you must navigate to the virtual network blade by using
the following steps, otherwise the option to create a classic virtual network does not appear:
1. Click the '+' to open the 'New' blade.
2. In the 'Search the marketplace' field, type 'Virtual Network'. If you instead, select Networking -> Virtual
Network, you will not get the option to create a classic VNet.
3. Locate 'Virtual Network' from the returned list and click it to open the Virtual Network blade.
4. On the virtual network blade, select 'Classic' to create a classic VNet.
If you already have a VNet with a VPN gateway, verify that the gateway is Dynamic. If it's Static, you must first
delete the VPN gateway, then proceed.
Screenshots are provided as examples. Be sure to replace the values with your own, or use the Example values.
1. Configure the local site
Open the Azure portal and sign in with your Azure account.
1. Navigate to All resources and locate the ClassicVNet in the list.
2. On the Overview blade, in the VPN connections section, click the Gateway graphic to create a gateway.
3. On the New VPN Connection blade, for Connection type, select Site-to-site.
4. For Local site, click Configure required settings. This opens the Local site blade.
5. On the Local site blade, create a name to refer to the Resource Manager VNet. For example, 'RMVNetLocal'.
6. If the VPN gateway for the Resource Manager VNet already has a Public IP address, use the value for the VPN
gateway IP address field. If you are doing these steps as an exercise, or don't yet have a virtual network
gateway for your Resource Manager VNet, you can make up a placeholder IP address. Make sure that the
placeholder IP address uses a valid format. Later, you replace the placeholder IP address with the Public IP
address of the Resource Manager virtual network gateway.
7. For Client Address Space, use the values for the virtual network IP address spaces for the Resource Manager
VNet. This setting is used to specify the address spaces to route to the Resource Manager virtual network.
8. Click OK to save the values and return to the New VPN Connection blade.
2. Create the virtual network gateway
1. On the New VPN Connection blade, select the Create gateway immediately checkbox and click
Optional gateway configuration to open the Gateway configuration blade.
2. Click Subnet - Configure required settings to open the Add subnet blade. The Name is already configured
with the required value GatewaySubnet.
3. The Address range refers to the range for the gateway subnet. Although you can create a gateway subnet with
a /29 address range (3 addresses), we recommend creating a gateway subnet that contains more IP addresses.
This will accommodate future configurations that may require more available IP addresses. If possible, use /27
or /28. If you are using these steps as an exercise, you can refer to the Example values. Click OK to create the
gateway subnet.
4. On the Gateway configuration blade, Size refers to the gateway SKU. Select the gateway SKU for your VPN
gateway.
5. Verify the Routing Type is Dynamic, then click OK to return to the New VPN Connection blade.
6. On the New VPN Connection blade, click OK to begin creating your VPN gateway. Creating a VPN gateway
can take up to 45 minutes to complete.
3. Copy the virtual network gateway Public IP address
After the virtual network gateway has been created, you can view the gateway IP address.
1. Navigate to your classic VNet, and click Overview.
2. Click VPN connections to open the VPN connections blade. On the VPN connections blade, you can view the
Public IP address. This is the Public IP address assigned to your virtual network gateway.
3. Write down or copy the IP address. You use it in later steps when you work with your Resource Manager local
network gateway configuration settings. You can also view the status of your gateway connections. Notice the
local network site you created is listed as 'Connecting'. The status will change after you have created your
connections.
4. Close the blade after copying the gateway IP address.
Section 2 - Configure the Resource Manager VNet settings

In this section, you create the virtual network gateway and the local network gateway for your Resource Manager
VNet. If you don't have a Resource Manager VNet and are running these steps as an exercise, you can create a VNet
by using this article and the Example settings values from above.
Screenshots are provided as examples. Be sure to replace the values with your own, or use the Example values.
1. Create a gateway subnet
Before creating a virtual network gateway, you first need to create the gateway subnet. Create a gateway subnet
with CIDR count of /28 or larger. (/27, /26, etc.)
IMPORTANT
When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a
network security group to this subnet may cause your VPN gateway to stop functioning as expected. For more information
about network security groups, see What is a network security group?
1. In the portal, navigate to the Resource Manager virtual network for which you want to create a virtual network
gateway.
2. In the Settings section of your VNet page, click Subnets to expand the Subnets page.
3. On the Subnets page, click +Gateway subnet to open the Add subnet page.
4. The Name for your subnet is automatically filled in with the value 'GatewaySubnet'. This value is required in
order for Azure to recognize the subnet as the gateway subnet. Adjust the auto-filled Address range values
to match your configuration requirements, then click OK at the bottom of the page to create the subnet.
2. Create a virtual network gateway

1. In the portal, on the left side, click + and type 'Virtual Network Gateway' in search. Locate Virtual network
gateway in the search return and click the entry. On the Virtual network gateway page, click Create at the
bottom of the page to open the Create virtual network gateway page.
2. On the Create virtual network gateway page, fill in the values for your virtual network gateway.
3. Name: Name your gateway. The name of your gateway is not the same as naming a gateway subnet. It's the
name of the gateway object you are creating.
4. Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
5. VPN type: Select the VPN type that is specified for your configuration. Most configurations require a Route-
based VPN type.
6. SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the VPN type
you select.
7. Location: Adjust the Location field to point to the location where your virtual network is located. If the location
is not pointing to the region where your virtual network resides, the virtual network doesn't appear in the
'Choose a virtual network' dropdown.
8. Choose the virtual network to which you want to add a gateway. Click Virtual network to open the Choose a
virtual network page. Select the VNet. If you don't see your VNet, make sure the Location field is pointing to
the region in which your virtual network is located.
9. Public IP address: Create a public IP address object to which a public IP address will be dynamically assigned.
Click Public IP address to open the Choose public IP address page. Click +Create New to open the Create
public IP address page. Input a name for your public IP address. Click OK to save your changes. The IP address
is dynamically assigned when the VPN gateway is created. VPN Gateway currently only supports Dynamic
Public IP address allocation. However, it doesn't mean that the IP address changes after it has been assigned to
your VPN gateway. The only time the Public IP address changes is when the gateway is deleted and re-created. It
doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.
10. Subscription: Verify that the correct subscription is selected.
11. Resource group: The Resource Group setting is determined by the Virtual Network that you select.
12. Don't adjust the Location after you've specified the previous settings.
13. Verify the settings. If you want your gateway to appear on the dashboard, you can select Pin to dashboard at
the bottom of the page.
14. Click Create to begin creating the gateway. The settings are validated and the gateway deploys. Creating a
gateway can take up to 45 minutes.
15. After the gateway is created, view the IP address that has been assigned to it by looking at the virtual network
page. The gateway appears as a connected device. You can click the connected device (your virtual network
gateway) to view more information.
3. Create a local network gateway
The local network gateway specifies the address range and the Public IP address associated with your classic VNet
and its virtual network gateway.
If you are doing these steps as an exercise, refer to these settings:
CONNECTS TO LOCAL GATEWAY PUBLIC IP

VIRTUAL NETWORK ADDRESS SPACE REGION NETWORK SITE ADDRESS
ClassicVNet (10.0.0.0/24) West US RMVNetLocal The Public IP address

(192.168.0.0/16) that is assigned to the
ClassicVNet gateway
RMVNet (192.168.0.0/16) East US ClassicVNetLocal The Public IP address

(10.0.0.0/24) that is assigned to the
RMVNet gateway.
1. In the portal, from All resources, click +Add. In the Everything blade search box, type Local network
gateway, then click to return a list of resources. Click Local network gateway to open the blade, then click
Create to open the Create local network gateway blade.
2. On the Create local network gateway blade, specify a Name for your local network gateway object. If
possible, use something intuitive, such as ClassicVNetLocal or TestVNet1Local. This makes it easier for
you to identify the local network gateway in the portal.
3. Specify a valid Public IP address for the VPN device or virtual network gateway to which you want to connect.
If this local network represents an on-premises location: Specify the Public IP address of the VPN device
that you want to connect to. It cannot be behind NAT and has to be reachable by Azure.
If this local network represents another VNet: Specify the Public IP address that was assigned to the virtual
network gateway for that VNet.
If you don't yet have the IP address: You can make up a valid placeholder IP address, and then come back
and modify this setting before connecting.
4. Address Space refers to the address ranges for the network that this local network represents. You can add
multiple address space ranges. Make sure that the ranges you specify here do not overlap with ranges of other
networks to which you connect.
5. For Subscription, verify that the correct subscription is showing.
6. For Resource Group, select the resource group that you want to use. You can either create a new resource
group, or select one that you have already created.
7. For Location, select the location in which this resource will be created. You may want to select the same
location that your VNet resides in, but you are not required to do so.
8. Click Create to create the local network gateway.
Section 3 - Modify the classic VNet local site settings

In this section, you replace the placeholder IP address that you used when specifying the local site settings, with the
Resource Manager VPN gateway IP address. This section uses the classic (SM) PowerShell cmdlets.
1. In the Azure portal, navigate to the classic virtual network.
2. On the blade for your virtual network, click Overview.
3. In the VPN connections section, click the name of your local site in the graphic.
4. On the Site-to-site VPN connections blade, click the name of the site.
5. On the connection blade for your local site, click the name of the local site to open the Local site blade.
6. On the Local site blade, replace the VPN gateway IP address with the IP address of the Resource Manager
gateway.
7. Click OK to update the IP address.
Section 4 - Create Resource Manager to classic connection

In these steps, you configure the connection from the Resource Manager VNet to the classic VNet using the Azure
portal.
1. In All resources, locate the local network gateway. In our example, the local network gateway is
ClassicVNetLocal.
2. Click Configuration and verify that the IP address value is the VPN gateway for the classic VNet. Update, if
needed, then click Save. Close the blade.
3. In All resources, click the local network gateway.
4. Click Connections to open the Connections blade.
5. On the Connections blade, click + to add a connection.
6. On the Add connection blade, name the connection. For example, 'RMtoClassic'.
7. Site-to-Site is already selected on this blade.
8. Select the virtual network gateway that you want to associate with this site.
9. Create a shared key. This key is also used in the connection that you create from the classic VNet to the
Resource Manager VNet. You can generate the key or make one up. In our example, we use 'abc123', but you
can (and should) use something more complex.
10. Click OK to create the connection.
Section 5 - Create classic to Resource Manager connection

In these steps, you configure the connection from the classic VNet to the Resource Manager VNet. These steps
require PowerShell. You can't create this connection in the portal. Make sure you have downloaded and installed
both the classic (SM) and Resource Manager (RM) PowerShell cmdlets.
1. Connect to your Azure account
Open the PowerShell console with elevated rights and log in to your Azure account. The following cmdlet prompts
you for the login credentials for your Azure Account. After logging in, your account settings are downloaded so that
they are available to Azure PowerShell.
Get a list of your Azure subscriptions if you have more than one subscription.

Select-AzureRmSubscription -SubscriptionName "Name of subscription"
Add your Azure Account to use the classic PowerShell cmdlets (SM). To do so, you can use the following command:
Add-AzureAccount
2. View the network configuration file values

When you create a VNet in the Azure portal, the full name that Azure uses is not visible in the Azure portal. For
example, a VNet that appears to be named 'ClassicVNet' in the Azure portal may have a much longer name in the
network configuration file. The name might look something like: 'Group ClassicRG ClassicVNet'. In these steps, you
download the network configuration file and view the values.
Create a directory on your computer and then export the network configuration file to the directory. In this
example, the network configuration file is exported to C:\AzureNet.
Get-AzureVNetConfig -ExportToFile C:\AzureNet\NetworkConfig.xml
Open the file with a text editor and view the name for your classic VNet. Use the names in the network
configuration file when running your PowerShell cmdlets.
VNet names are listed as VirtualNetworkSite name =
Site names are listed as LocalNetworkSite name=
3. Create the connection
Set the shared key and create the connection from the classic VNet to the Resource Manager VNet. You cannot set
the shared key using the portal. Make sure you run these steps while logged in using the classic version of the
PowerShell cmdlets. To do so, use Add-AzureAccount. Otherwise, you will not be able to set the '-
AzureVNetGatewayKey'.
In this example, -VNetName is the name of the classic VNet as found in your network configuration file.
The -LocalNetworkSiteName is the name you specified for the local site, as found in your network
configuration file.
The -SharedKey is a value that you generate and specify. For this example, we used abc123, but you can
generate something more complex. The important thing is that the value you specify here must be the same
value that you specified when creating your Resource Manager to classic connection.
Set-AzureVNetGatewayKey -VNetName "Group ClassicRG ClassicVNet" `

-LocalNetworkSiteName "172B9E16_RMVNetLocal" -SharedKey abc123
Section 6 - Verify your connections

You can verify your connections by using the Azure portal or PowerShell. When verifying, you may need to wait a
minute or two as the connection is being created. When a connection is successful, the connectivity state changes
from 'Connecting' to 'Connected'.
To verify the connection from your classic VNet to your Resource Manager VNet
In the Azure portal, you can view the connection status for a classic VNet VPN Gateway by navigating to the
connection. The following steps show one way to navigate to your connection and verify.
1. In the Azure portal, click All resources and navigate to your classic virtual network.
2. On the virtual network blade, click Overview to access the VPN connections section of the blade.
3. On the VPN connections graphic, click the site.
4. On the Site-to-site VPN connections blade, view the information about your site.
5. To view more information about the connection, click the name of the connection to open the Site-to-site
VPN Connection blade.
To verify the connection from your Resource Manager VNet to your classic VNet
In the Azure portal, you can view the connection status of a Resource Manager VPN Gateway by navigating to the
1. In the Azure portal, click All resources and navigate to your virtual network gateway.
2. On the blade for your virtual network gateway, click Connections. You can see the status of each connection.
3. Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view
more information about your connection. The Status is 'Succeeded' and 'Connected' when you have made a
successful connection.
VNet-to-VNet FAQ
The VNet-to-VNet FAQ applies to VPN Gateway connections. If you are looking for VNet Peering, see Virtual
Network Peering
Does Azure charge for traffic between VNets?
VNet-to-VNet traffic within the same region is free for both directions when using a VPN gateway connection.
Cross region VNet-to-VNet egress traffic is charged with the outbound inter-VNet data transfer rates based on the
source regions. Refer to the VPN Gateway pricing page for details. If you are connecting your VNets using VNet
Peering, rather than VPN Gateway, see the Virtual Network pricing page.
Does VNet-to -VNet traffic travel across the Internet?
No. VNet-to-VNet traffic travels across the Microsoft Azure backbone, not the Internet.
Is VNet-to -VNet traffic secure?
Yes, it is protected by IPsec/IKE encryption.
Do I need a VPN device to connect VNets together?
No. Connecting multiple Azure virtual networks together doesn't require a VPN device unless cross-premises
connectivity is required.
Do my VNets need to be in the same region?
No. The virtual networks can be in the same or different Azure regions (locations).
If the VNets are not in the same subscription, do the subscriptions need to be associated with the same AD
tenant?
No.
Can I use VNet-to -VNet to connect virtual networks in separate Azure instances?
No. VNet-to-VNet supports connecting virtual networks within the same Azure instance. For example, you cant
create a connection between public Azure and the Chinese / German / US Gov Azure instances. For these scenarios,
consider using a Site-to-Site VPN connection.
Can I use VNet-to -VNet along with multi-site connections?
Yes. Virtual network connectivity can be used simultaneously with multi-site VPNs.
How many on-premises sites and virtual networks can one virtual network connect to?
See Gateway requirements table.
Can I use VNet-to -VNet to connect VMs or cloud services outside of a VNet?
No. VNet-to-VNet supports connecting virtual networks. It does not support connecting virtual machines or cloud
services that are not in a virtual network.
Can a cloud service or a load balancing endpoint span VNets?
No. A cloud service or a load balancing endpoint can't span across virtual networks, even if they are connected
together.
Can I used a PolicyBased VPN type for VNet-to -VNet or Multi-Site connections?
No. VNet-to-VNet and Multi-Site connections require Azure VPN gateways with RouteBased (previously called
Dynamic Routing) VPN types.
Can I connect a VNet with a RouteBased VPN Type to another VNet with a PolicyBased VPN type?
No, both virtual networks MUST be using route-based (previously called Dynamic Routing) VPNs.
Do VPN tunnels share bandwidth?
Yes. All VPN tunnels of the virtual network share the available bandwidth on the Azure VPN gateway and the same
VPN gateway uptime SLA in Azure.
Are redundant tunnels supported?
Redundant tunnels between a pair of virtual networks are supported when one virtual network gateway is
configured as active-active.
Can I have overlapping address spaces for VNet-to -VNet configurations?
Can there be overlapping address spaces among connected virtual networks and on-premises local sites?
Create a Site-to-Site connection in the Azure portal
This article shows you how to use the Azure portal to create a Site-to-Site VPN gateway connection from your on-
premises network to the VNet. The steps in this article apply to the Resource Manager deployment model. You can
also create this configuration using a different deployment tool or deployment model by selecting a different
option from the following list:
A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network
over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises
that has an externally facing public IP address assigned to it. For more information about VPN gateways, see
About VPN gateway.
Before you begin

Verify that you have met the following criteria before beginning your configuration:
Make sure you have a compatible VPN device and someone who is able to configure it. For more information
about compatible VPN devices and device configuration, see About VPN Devices.
Verify that you have an externally facing public IPv4 address for your VPN device. This IP address cannot be
located behind a NAT.
If you are unfamiliar with the IP address ranges located in your on-premises network configuration, you need
to coordinate with someone who can provide those details for you. When you create this configuration, you
must specify the IP address range prefixes that Azure will route to your on-premises location. None of the
subnets of your on-premises network can over lap with the virtual network subnets that you want to connect
to.
Example values
The examples in this article use the following values. You can use these values to create a test environment, or
refer to them to better understand the examples in this article.
Address Space:
10.11.0.0/16
10.12.0.0/16 (optional for this exercise)
Subnets:
FrontEnd: 10.11.0.0/24
BackEnd: 10.12.0.0/24 (optional for this exercise)
Location: East US
DNS Server: Optional. The IP address of your DNS server.
Virtual Network Gateway Name: VNet1GW
VPN Type: Route-based
Connection Type: Site-to-site (IPsec)
Gateway Type: VPN
Local Network Gateway Name: Site2
Connection Name: VNet1toSite2
1. Create a virtual network

To create a VNet in the Resource Manager deployment model by using the Azure portal, follow the steps below.
Use the example values if you are using these steps as a tutorial. If you are not doing these steps as a tutorial, be
sure to replace the values with your own. For more information about working with virtual networks, see the
Virtual Network Overview.
1. From a browser, navigate to the Azure portal and sign in with your Azure account.
2. Click New. In the Search the marketplace field, type 'Virtual Network'. Locate Virtual Network from the
returned list and click to open the Virtual Network blade.
3. Near the bottom of the Virtual Network blade, from the Select a deployment model list, select Resource
Manager, and then click Create. This opens the 'Create virtual network' blade.
4. On the Create virtual network blade, configure the VNet settings. When you fill in the fields, the red
exclamation mark becomes a green check mark when the characters entered in the field are valid.
Name: Enter the name for your virtual network. In this example, we use TestVNet1.
Address space: Enter the address space. If you have multiple address spaces to add, add your first
address space. You can add additional address spaces later, after creating the VNet. Make sure that the
address space that you specify does not overlap with the address space for your on-premises location.
Subnet name: Add the first subnet name and subnet address range. You can add additional subnets
and the gateway subnet later, after creating this VNet.
Subscription: Verify that the subscription listed is the correct one. You can change subscriptions by
using the drop-down.
Resource group: Select an existing resource group, or create a new one by typing a name for your new
resource group. If you are creating a new group, name the resource group according to your planned
configuration values. For more information about resource groups, visit Azure Resource Manager
Overview.
Location: Select the location for your VNet. The location determines where the resources that you
deploy to this VNet will reside.
5. Select Pin to dashboard if you want to be able to find your VNet easily on the dashboard, and then click
Create. After clicking Create, you will see a tile on your dashboard that will reflect the progress of your
VNet. The tile changes as the VNet is being created.
2. Specify a DNS server

DNS is not required to create a Site-to-Site connection. However, if you want to have name resolution for
resources that are deployed to your virtual network, you should specify a DNS server. This setting lets you specify
the DNS server that you want to use for name resolution for this virtual network. It does not create a DNS server.
For more information about name resolution, see Name Resolution for VMs and role instances.
1. On the Settings page for your virtual network, navigate to DNS Servers and click to open the DNS servers
blade.
DNS Servers: Select select Custom.

Add DNS server: Enter the IP address of the DNS server that you want to use for name resolution.
2. When you are done adding DNS servers, click Save at the top of the blade.
3. Create the gateway subnet

The virtual network gateway uses specific subnet called the 'GatewaySubnet'. The gateway subnet contains the IP
addresses that are used by the VPN gateway services. When you create a gateway subnet, it must be named
'GatewaySubnet'. Naming a subnet 'GatewaySubnet' tells Azure where to create the gateway services. If you name
the subnet something else, your VPN gateway configuration will fail.
The IP addresses in the GatewaySubnet are allocated to the gateway services. When you create the
GatewaySubnet, you specify the number of IP addresses that the subnet contains. The size of the GatewaySubnet
that you specify depends on the VPN gateway configuration that you want to create. While it is possible to create a
GatewaySubnet as small as /29, we recommend that you create a larger subnet that includes more addresses by
selecting /27 or /28. Using a larger gateway subnet allows for enough IP addresses to accommodate possible
future configurations.
1. In the portal, navigate to the virtual network for which you want to create a virtual network gateway.
2. In the Settings section of your VNet page, click Subnets to expand the Subnets page.
3. On the Subnets page, click +Gateway subnet at the top to open the Add subnet page.
4. The Name for your subnet is automatically filled in with the value 'GatewaySubnet'. The GatewaySubnet
value is required in order for Azure to recognize the subnet as the gateway subnet. Adjust the auto-filled
Address range values to match your configuration requirements.
5. To create the subnet, click OK at the bottom of the page.
4. Create the VPN gateway

1. On the left side of the portal page, click + and type 'Virtual Network Gateway' in search. In Results, locate and
click Virtual network gateway.
2. At the bottom of the 'Virtual network gateway' blade, click Create. This opens the Create virtual network
gateway blade.
3. On the Create virtual network gateway blade, specify the values for your virtual network gateway.
Name: Name your gateway. This is not the same as naming a gateway subnet. It's the name of the
gateway object you are creating.
Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
VPN type: Select the VPN type that is specified for your configuration. Most configurations require a
Route-based VPN type.
SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the VPN
type you select. For more information about gateway SKUs, see Gateway SKUs.
Location: You may need to scroll to see Location. Adjust the Location field to point to the location
where your virtual network is located. If the location is not pointing to the region where your virtual
network resides, the virtual network will not appear in the next step 'Choose a virtual network'
dropdown.
Virtual network: Choose the virtual network to which you want to add this gateway. Click Virtual
network to open the 'Choose a virtual network' blade. Select the VNet. If you don't see your VNet, make
sure the Location field is pointing to the region in which your virtual network is located.
Public IP address: The 'Create public IP address' blade creates a public IP address object. The public
IP address is dynamically assigned when the VPN gateway is created. VPN Gateway currently only
supports Dynamic Public IP address allocation. However, this does not mean that the IP address
changes after it has been assigned to your VPN gateway. The only time the Public IP address
changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting,
or other internal maintenance/upgrades of your VPN gateway.
First, click Public IP address to open the 'Choose public IP address' blade, then click +Create
New to open the 'Create public IP address' blade.
Next, input a Name for your public IP address, then click OK at the bottom of this blade to
save your changes.
4. Verify the settings. You can select Pin to dashboard at the bottom of the blade if you want your gateway
to appear on the dashboard.
5. Click Create to begin creating the VPN gateway. The settings will be validated and you'll see the "Deploying
Virtual network gateway" tile on the dashboard. Creating a gateway can take up to 45 minutes. You may need
to refresh your portal page to see the completed status.
After the gateway is created, view the IP address that has been assigned to it by looking at the virtual network in
the portal. The gateway will appear as a connected device. You can click the connected device (your virtual network
gateway) to view more information.
5. Create the local network gateway

The local network gateway typically refers to your on-premises location. You give the site a name by which Azure
can refer to it, then specify the IP address of the on-premises VPN device to which you will create a connection.
You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The
address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network
changes or you need to change the public IP address for the VPN device, you can easily update the values later.
1. In the portal, from All resources, click +Add.
2. In the Everything blade search box, type Local network gateway, then click to search. This will return a
list. Click Local network gateway to open the blade, then click Create to open the Create local network
gateway blade.
3. On the Create local network gateway blade, specify the values for your local network gateway.
Name: Specify a name for your local network gateway object.
IP address: This is the public IP address of the VPN device that you want Azure to connect to. Specify a
valid public IP address. The IP address cannot be behind NAT and has to be reachable by Azure. If you
don't have the IP address right now, you can use the values shown in the screen shot, but you'll need to
go back and replace your placeholder IP address with the public IP address of your VPN device.
Otherwise, Azure will not be able to connect.
Address Space refers to the address ranges for the network that this local network represents. You can
add multiple address space ranges. Make sure that the ranges you specify here do not overlap with
ranges of other networks that you want to connect to. Azure will route the address range that you
specify to the on-premises VPN device IP address. Use your own values here, not the values shown in
the screenshot.
Subscription: Verify that the correct subscription is showing.
Resource Group: Select the resource group that you want to use. You can either create a new resource
group, or select one that you have already created.
Location: Select the location that this object will be created in. You may want to select the same location
that your VNet resides in, but you are not required to do so.
4. When you have finished specifying the values, click Create at the bottom of the blade to create the local
network gateway.
6. Configure your VPN device

Site-to-Site connections to an on-premises network require a VPN device. In this step, you configure your VPN
device. When configuring your VPN device, you need the following:
A shared key. This is the same shared key that you specify when creating your Site-to-Site VPN connection. In
our examples, we use a basic shared key. We recommend that you generate a more complex key to use.
The Public IP address of your virtual network gateway. You can view the public IP address by using the Azure
portal, PowerShell, or CLI. To find the Public IP address of your VPN gateway using the Azure portal, navigate to
Virtual network gateways, then click the name of your gateway.
See the following links for configuration information:
For information about compatible VPN devices, see VPN Devices.
Before configuring your VPN device, check for any Known device compatibility issues for the VPN device that
you want to use.
For links to device configuration settings, see Validated VPN Devices. The device configuration links are
provided on a best-effort basis. It's always best to check with your device manufacturer for the latest
configuration information.
For an overview of VPN device configuration, see Overview of 3rd party VPN device configurations.
For information about editing device configuration samples, see Editing samples.
For cryptographic requirements, see About cryptographic requirements and Azure VPN gateways.
For information about IPsec/IKE parameters, see About VPN devices and IPsec/IKE parameters for Site-to-Site
VPN gateway connections.
For IPsec/IKE policy configuration steps, see Configure IPsec/IKE policy for S2S VPN or VNet-to-VNet
connections.
To connect multiple policy-based VPN devices, see Connect Azure VPN gateways to multiple on-premises
policy-based VPN devices using PowerShell.
7. Create the VPN connection

Create the Site-to-Site VPN connection between your virtual network gateway and your on-premises VPN device.
1. Navigate to and open the blade for your virtual network gateway. There are multiple ways to navigate. In our
example, we navigated to the gateway 'VNet1GW' by going to TestVNet1 -> Overview -> Connected
devices -> VNet1GW.
2. On the blade for VNet1GW, click Connections. At the top of the Connections blade, click +Add to open the
Add connection blade.
3. On the Add connection blade, fill in the values to create your connection.
Name: Name your connection. We use VNet1toSite2 in our example.
Connection type: Select Site-to-site(IPSec).
Virtual network gateway: The value is fixed because you are connecting from this gateway.
Local network gateway: Click Choose a local network gateway and select the local network
gateway that you want to use. In our example, we use Site2.
Shared Key: the value here must match the value that you are using for your local on-premises VPN
device. In the example, we used 'abc123', but you can (and should) use something more complex. The
important thing is that the value you specify here must be the same value that you specified when
configuring your VPN device.
The remaining values for Subscription, Resource Group, and Location are fixed.
4. Click OK to create your connection. You'll see Creating Connection flash on the screen.
5. You can view the connection in the Connections blade of the virtual network gateway. The Status will go from
Unknown to Connecting, and then to Succeeded.
8. Verify the VPN connection

In the Azure portal, you can view the connection status of a Resource Manager VPN Gateway by navigating to the
1. In the Azure portal, click All resources and navigate to your virtual network gateway.
2. On the blade for your virtual network gateway, click Connections. You can see the status of each connection.
3. Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view
more information about your connection. The Status is 'Succeeded' and 'Connected' when you have made
a successful connection.
To connect to a virtual machine
You can connect to a VM that is deployed to your VNet by creating a Remote Desktop Connection to your VM. The
best way to initially verify that you can connect to your VM is to connect by using its private IP address, rather than
computer name. That way, you are testing to see if you can connect, not whether name resolution is configured
properly.
1. Locate the private IP address. You can find the private IP address of a VM in multiple ways. Below, we show
the steps for the Azure portal and for PowerShell.
Azure portal - Locate your virtual machine in the Azure portal. View the properties for the VM. The
private IP address is listed.
PowerShell - Use the example to view a list of VMs and private IP addresses from your resource
groups. You don't need to modify this example before using it.
$VMs = Get-AzureRmVM
$Nics = Get-AzureRmNetworkInterface | Where VirtualMachine -ne $null
foreach($Nic in $Nics)
{
$VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
$Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
$Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
Write-Output "$($VM.Name): $Prv,$Alloc"
}
2. Verify that you are connected to your VNet using the VPN connection.
3. Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on
the taskbar, then select Remote Desktop Connection. You can also open Remote Desktop Connection using the
'mstsc' command in PowerShell.
4. In Remote Desktop Connection, enter the private IP address of the VM. You can click "Show Options" to adjust
additional settings, then connect.
To troubleshoot an RDP connection to a VM
If you are having trouble connecting to a virtual machine over your VPN connection, check the following:
Verify that your VPN connection is successful.
Verify that you are connecting to the private IP address for the VM.
If you can connect to the VM using the private IP address, but not the computer name, verify that you have
configured DNS properly. For more information about how name resolution works for VMs, see Name
Resolution for VMs.
For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.
How to reset a VPN gateway
Resetting an Azure VPN gateway is helpful if you lose cross-premises VPN connectivity on one or more Site-to-
Site VPN tunnels. In this situation, your on-premises VPN devices are all working correctly, but are not able to
establish IPsec tunnels with the Azure VPN gateways. For steps, see Reset a VPN gateway.
How to change a gateway SKU (resize a gateway)

For the steps to change a gateway SKU, see Gateway SKUs.
Next steps
For information about BGP, see the BGP Overview and How to configure BGP.
For information about Forced Tunneling, see About Forced Tunneling.
For information about Highly Available Active-Active connections, see Highly Available cross-premises and
VNet-to-VNet connectivity.
Connect a virtual network to an ExpressRoute circuit
This article helps you link virtual networks (VNets) to Azure ExpressRoute circuits by using the Resource Manager
deployment model and the Azure portal. Virtual networks can either be in the same subscription, or they can be
part of another subscription.
Before you begin

Review the prerequisites, routing requirements, and workflows before you begin configuration.
You must have an active ExpressRoute circuit.
Follow the instructions to create an ExpressRoute circuit and have the circuit enabled by your connectivity
provider.
Ensure that you have Azure private peering configured for your circuit. See the Configure routing article
for routing instructions.
Ensure that Azure private peering is configured and the BGP peering between your network and
Microsoft is up so that you can enable end-to-end connectivity.
Ensure that you have a virtual network and a virtual network gateway created and fully provisioned.
Follow the instructions to create a virtual network gateway for ExpressRoute. A virtual network gateway
for ExpressRoute uses the GatewayType 'ExpressRoute', not VPN.
You can link up to 10 virtual networks to a standard ExpressRoute circuit. All virtual networks must be in the
same geopolitical region when using a standard ExpressRoute circuit.
You can link a virtual network outside of the geopolitical region of the ExpressRoute circuit, or connect a larger
number of virtual networks to your ExpressRoute circuit if you enabled the ExpressRoute premium add-on.
Check the FAQ for more details on the premium add-on.
You can view a video before beginning to better understand the steps.
Connect a virtual network in the same subscription to a circuit

To create a connection
NOTE
BGP configuration information will not show up if the layer 3 provider configured your peerings. If your circuit is in a
provisioned state, you should be able to create connections.
1. Ensure that your ExpressRoute circuit and Azure private peering have been configured successfully. Follow
the instructions in Create an ExpressRoute circuit and Configure routing. Your ExpressRoute circuit should
look like the following image:
2. You can now start provisioning a connection to link your virtual network gateway to your ExpressRoute
circuit. Click Connection > Add to open the Add connection blade, and then configure the values.
3. After your connection has been successfully configured, your connection object will show the information
for the connection.
To delete a connection
You can delete a connection by selecting the Delete icon on the blade for your connection.
Connect a virtual network in a different subscription to a circuit

You can share an ExpressRoute circuit across multiple subscriptions. The figure below shows a simple schematic of
how sharing works for ExpressRoute circuits across multiple subscriptions.
Each of the smaller clouds within the large cloud is used to represent subscriptions that belong to different
departments within an organization.
Each of the departments within the organization can use their own subscription for deploying their services, but
they can share a single ExpressRoute circuit to connect back to your on-premises network.
A single department (in this example: IT) can own the ExpressRoute circuit. Other subscriptions within the
organization can use the ExpressRoute circuit.
NOTE
Connectivity and bandwidth charges for the dedicated circuit will be applied to the ExpressRoute circuit owner. All
virtual networks share the same bandwidth.
Administration - circuit owners and circuit users

The 'circuit owner' is an authorized Power User of the ExpressRoute circuit resource. The circuit owner can create
authorizations that can be redeemed by 'circuit users'. Circuit users are owners of virtual network gateways that are
not within the same subscription as the ExpressRoute circuit. Circuit users can redeem authorizations (one
authorization per virtual network).
The circuit owner has the power to modify and revoke authorizations at any time. Revoking an authorization results
in all link connections being deleted from the subscription whose access was revoked.
Circuit owner operations
To create a connection authorization
The circuit owner creates an authorization. This results in the creation of an authorization key that can be used by a
circuit user to connect their virtual network gateways to the ExpressRoute circuit. An authorization is valid for only
one connection.
1. In the ExpressRoute blade, Click Authorizations and then type a name for the authorization and click Save.
2. Once the configuration is saved, copy the Resource ID and the Authorization Key.
To delete a connection authorization

You can delete a connection by selecting the Delete icon on the blade for your connection.
Circuit user operations
The circuit user needs the resource ID and an authorization key from the circuit owner.
To redeem a connection authorization
1. Click the +New button.
2. Search for "Connection" in the Marketplace, select it, and click Create.
3. Make sure the Connection type is set to "ExpressRoute".
4. Fill in the details, then click OK in the Basics blade.
5. In the Settings blade, Select the Virtual network gateway and check the Redeem authorization check
box.
6. Enter the Authorization key and the Peer circuit URI and give the connection a name. Click OK.
7. Review the information in the Summary blade and click OK.
To release a connection authorization
You can release an authorization by deleting the connection that links the ExpressRoute circuit to the virtual
network.
Next steps
For more information about ExpressRoute, see the ExpressRoute FAQ.
1 min to read
Edit O nline
Virtual appliance scenario
A common scenario among larger Azure customer is the need to provide a two-tiered application exposed to the
Internet, while allowing access to the back tier from an on-premises datacenter. This document will walk you
through a scenario using User Defined Routes (UDR), a VPN Gateway, and network virtual appliances to deploy a
two-tier environment that meets the following requirements:
Web application must be accessible from the public Internet only.
Web server hosting the application must be able to access a backend application server.
All traffic from the Internet to the web application must go through a firewall virtual appliance. This virtual
appliance will be used for Internet traffic only.
All traffic going to the application server must go through a firewall virtual appliance. This virtual appliance will
be used for access to the backend end server, and access coming in from the on-premises network via a VPN
Gateway.
Administrators must be able to manage the firewall virtual appliances from their on-premises computers, by
using a third firewall virtual appliance used exclusively for management purposes.
This is a standard DMZ scenario with a DMZ and a protected network. Such scenario can be constructed in Azure by
using NSGs, firewall virtual appliances, or a combination of both. The table below shows some of the pros and cons
between NSGs and firewall virtual appliances.
PROS CONS
NSG No cost. Complexity could vary in larger

Integrated into Azure RBAC. environments.
Rules can be created in ARM templates.
Firewall Full control over data plane. Cost of firewall appliance.

Central management through firewall Not integrated with Azure RBAC.
console.
The solution below uses firewall virtual appliances to implement a DMZ/protected network scenario.
Considerations
You can deploy the environment explained above in Azure using different features available today, as follows.
Virtual network (VNet). An Azure VNet acts in similar fashion to an on-premises network, and can be
segmented into one or more subnets to provide traffic isolation, and separation of concerns.
Virtual appliance. Several partners provide virtual appliances in the Azure Marketplace that can be used for the
three firewalls described above.
User Defined Routes (UDR). Route tables can contain UDRs used by Azure networking to control the flow of
packets within a VNet. These route tables can be applied to subnets. One of the newest features in Azure is the
ability to apply a route table to the GatewaySubnet, providing the ability to forward all traffic coming into the
Azure VNet from a hybrid connection to a virtual appliance.
IP Forwarding. By default, the Azure networking engine forward packets to virtual network interface cards
(NICs) only if the packet destination IP address matches the NIC IP address. Therefore, if a UDR defines that a
packet must be sent to a given virtual appliance, the Azure networking engine would drop that packet. To ensure
the packet is delivered to a VM (in this case a virtual appliance) that is not the actual destination for the packet,
you need to enable IP Forwarding for the virtual appliance.
Network Security Groups (NSGs). The example below does not make use of NSGs, but you could use NSGs
applied to the subnets and/or NICs in this solution to further filter the traffic in and out of those subnets and
NICs.
In this example there is a subscription that contains the following:

2 resource groups, not shown in the diagram.
ONPREMRG. Contains all resources necessary to simulate an on-premises network.
AZURERG. Contains all resources necessary for the Azure virtual network environment.
A VNet named onpremvnet used to mimic an on-premises datacenter segmented as listed below.
onpremsn1. Subnet containing a virtual machine (VM) running Ubuntu to mimic an on-premises server.
onpremsn2. Subnet containing a VM running Ubuntu to mimic an on-premises computer used by an
administrator.
There is one firewall virtual appliance named OPFW on onpremvnet used to maintain a tunnel to azurevnet.
A VNet named azurevnet segmented as listed below.
azsn1. External firewall subnet used exclusively for the external firewall. All Internet traffic will come in
through this subnet. This subnet only contains a NIC linked to the external firewall.
azsn2. Front end subnet hosting a VM running as a web server that will be accessed from the Internet.
azsn3. Backend subnet hosting a VM running a backend application server that will be accessed by the
front end web server.
azsn4. Management subnet used exclusively to provide management access to all firewall virtual
appliances. This subnet only contains a NIC for each firewall virtual appliance used in the solution.
GatewaySubnet. Azure hybrid connection subnet required for ExpressRoute and VPN Gateway to
provide connectivity between Azure VNets and other networks.
There are 3 firewall virtual appliances in the azurevnet network.
AZF1. External firewall exposed to the public Internet by using a public IP address resource in Azure. You
need to ensure you have a template from the Marketplace, or directly from your appliance vendor, that
provisions a 3-NIC virtual appliance.
AZF2. Internal firewall used to control traffic between azsn2 and azsn3. This is also a 3-NIC virtual
appliance.
AZF3. Management firewall accessible to administrators from the on-premises datacenter, and connected
to a management subnet used to manage all firewall appliances. You can find 2-NIC virtual appliance
templates in the Marketplace, or request one directly from your appliance vendor.
User Defined Routing (UDR)

Each subnet in Azure can be linked to a UDR table used to define how traffic initiated in that subnet is routed. If no
UDRs are defined, Azure uses default routes to allow traffic to flow from one subnet to another. To better
understand UDRs, visit What are User Defined Routes and IP Forwarding.
To ensure communication is done through the right firewall appliance, based on the last requirement above, you
need to create the following route table containing UDRs in azurevnet.
azgwudr
In this scenario, the only traffic flowing from on-premises to Azure will be used to manage the firewalls by
connecting to AZF3, and that traffic must go through the internal firewall, AZF2. Therefore, only one route is
necessary in the GatewaySubnet as shown below.
DESTINATION NEXT HOP EXPLANATION
10.0.4.0/24 10.0.3.11 Allows on-premises traffic to reach

management firewall AZF3
azsn2udr
10.0.3.0/24 10.0.2.11 Allows traffic to the backend subnet

hosting the application server through
AZF2
0.0.0.0/0 10.0.2.10 Allows all other traffic to be routed

through AZF1
azsn3udr
10.0.2.0/24 10.0.3.10 Allows traffic to azsn2 to flow from app

server to the webserver through AZF2
You also need to create route tables for the subnets in onpremvnet to mimic the on-premises datacenter.
onpremsn1udr
192.168.2.0/24 192.168.1.4 Allows traffic to onpremsn2 through

OPFW
onpremsn2udr
10.0.3.0/24 192.168.2.4 Allows traffic to the backed subnet in

Azure through OPFW
192.168.1.0/24 192.168.2.4 Allows traffic to onpremsn1 through

OPFW
IP Forwarding
UDR and IP Forwarding are features that you can use in combination to allow virtual appliances to be used to
control traffic flow in an Azure VNet. A virtual appliance is nothing more than a VM that runs an application used to
handle network traffic in some way, such as a firewall or a NAT device.
This virtual appliance VM must be able to receive incoming traffic that is not addressed to itself. To allow a VM to
receive traffic addressed to other destinations, you must enable IP Forwarding for the VM. This is an Azure setting,
not a setting in the guest operating system. Your virtual appliance still needs to run some type of application to
handle the incoming traffic, and route it appropriately.
To learn more about IP Forwarding, visit What are User Defined Routes and IP Forwarding.
As an example, imagine you have the following setup in an Azure vnet:
Subnet onpremsn1 contains a VM named onpremvm1.
Subnet onpremsn2 contains a VM named onpremvm2.
A virtual appliance named OPFW is connected to onpremsn1 and onpremsn2.
A user defined route linked to onpremsn1 specifies that all traffic to onpremsn2 must be sent to OPFW.
At this point, if onpremvm1 tries to establish a connection with onpremvm2, the UDR will be used and traffic will
be sent to OPFW as the next hop. Keep in mind that the actual packet destination is not being changed, it still says
onpremvm2 is the destination.
Without IP Forwarding enabled for OPFW, the Azure virtual networking logic will drop the packets, since it only
allows packets to be sent to a VM if the VMs IP address is the destination for the packet.
With IP Forwarding, the Azure virtual network logic will forward the packets to OPFW, without changing its original
destination address. OPFW must handle the packets and determine what to do with them.
For the scenario above to work, you must enable IP Forwarding on the NICs for OPFW, AZF1, AZF2, and AZF3 that
are used for routing (all NICs except the ones linked to the management subnet).
Firewall Rules
As described above, IP Forwarding only ensures packets are sent to the virtual appliances. Your appliance still needs
to decide what to do with those packets. In the scenario above, you will need to create the following rules in your
appliances:
OPFW
OPFW represents an on-premises device containing the following rules:
Route: All traffic to 10.0.0.0/16 (azurevnet) must be sent through tunnel ONPREMAZURE.
Policy: Allow all bidirectional traffic between port2 and ONPREMAZURE.
AZF1
AZF1 represents an Azure virtual appliance containing the following rules:
Policy: Allow all bidirectional traffic between port1 and port2.
AZF2
AZF2 represents an Azure virtual appliance containing the following rules:
Route: All traffic to 10.0.0.0/16 (onpremvnet) must be sent to the Azure gateway IP address (i.e. 10.0.0.1)
through port1.
Policy: Allow all bidirectional traffic between port1 and port2.
Network Security Groups (NSGs)

In this scenario, NSGs are not being used. However, you could apply NSGs to each subnet to restrict incoming and
outgoing traffic. For instance, you could apply the following NSG rules to the external FW subnet.
Incoming
Allow all TCP traffic from the Internet to port 80 on any VM in the subnet.
Deny all other traffic from the Internet.
Outgoing
Deny all traffic to the Internet.
High level steps

To deploy this scenario, follow the high level steps below.
1. Login to your Azure Subscription.
2. If you want to deploy a VNet to mimic the on-premises network, provision the resources that are part of
ONPREMRG.
3. Provision the resources that are part of AZURERG.
4. Provision the tunnel from onpremvnet to azurevnet.
5. Once all resources are provisioned, log on to onpremvm2 and ping 10.0.3.101 to test connectivity between
onpremsn2 and azsn3.
1 min to read
Edit O nline
Microsoft cloud services and network security
Microsoft cloud services deliver hyper-scale services and infrastructure, enterprise-grade capabilities, and many
choices for hybrid connectivity. Customers can choose to access these services either via the Internet or with Azure
ExpressRoute, which provides private network connectivity. The Microsoft Azure platform allows customers to
seamlessly extend their infrastructure into the cloud and build multi-tier architectures. Additionally, third parties
can enable enhanced capabilities by offering security services and virtual appliances. This white paper provides an
overview of security and architectural issues that customers should consider when using Microsoft cloud services
accessed via ExpressRoute. It also covers creating more secure services in Azure virtual networks.
Fast start
The following logic chart can direct you to a specific example of the many security techniques available with the
Azure platform. For quick reference, find the example that best fits your case. For expanded explanations, continue
reading through the paper.
Example 1: Build a perimeter network (also known as DMZ, demilitarized zone, or screened subnet) to help protect
applications with network security groups (NSGs).
Example 2: Build a perimeter network to help protect applications with a firewall and NSGs.
Example 3: Build a perimeter network to help protect networks with a firewall, user-defined route (UDR), and NSG.
Example 4: Add a hybrid connection with a site-to-site, virtual appliance virtual private network (VPN).
Example 5: Add a hybrid connection with a site-to-site, Azure VPN gateway.
Example 6: Add a hybrid connection with ExpressRoute.
Examples for adding connections between virtual networks, high availability, and service chaining will be added to
this document over the next few months.
Microsoft compliance and infrastructure protection

To help organizations comply with national, regional, and industry-specific requirements governing the collection
and use of individuals data, Microsoft offers over 40 certifications and attestations. The most comprehensive set
of any cloud service provider.
For more information, see the compliance information on the Microsoft Trust Center.
Microsoft has a comprehensive approach to protect cloud infrastructure needed to run hyper-scale global services.
Microsoft cloud infrastructure includes hardware, software, networks, and administrative and operations staff, in
addition to the physical data centers.
This approach provides a more secure foundation for customers to deploy their services in the Microsoft cloud.
The next step is for customers to design and create a security architecture to protect these services.
Traditional security architectures and perimeter networks

Although Microsoft invests heavily in protecting the cloud infrastructure, customers must also protect their cloud
services and resource groups. A multilayered approach to security provides the best defense. A perimeter network
security zone protects internal network resources from an untrusted network. A perimeter network refers to the
edges or parts of the network that sit between the Internet and the protected enterprise IT infrastructure.
In typical enterprise networks, the core infrastructure is heavily fortified at the perimeters, with multiple layers of
security devices. The boundary of each layer consists of devices and policy enforcement points. Each layer can
include a combination of the following network security devices: firewalls, Denial of Service (DoS) prevention,
Intrusion Detection or Protection Systems (IDS/IPS), and VPN devices. Policy enforcement can take the form of
firewall policies, access control lists (ACLs), or specific routing. The first line of defense in the network, directly
accepting incoming traffic from the Internet, is a combination of these mechanisms to block attacks and harmful
traffic while allowing legitimate requests further into the network. This traffic routes directly to resources in the
perimeter network. That resource may then talk to resources deeper in the network, transiting the next boundary
for validation first. The outermost layer is called the perimeter network because this part of the network is exposed
to the Internet, usually with some form of protection on both sides. The following figure shows an example of a
single subnet perimeter network in a corporate network, with two security boundaries.
There are many architectures used to implement a perimeter network. These architectures can range from a
simple load balancer to a multiple-subnet perimeter network with varied mechanisms at each boundary to block
traffic and protect the deeper layers of the corporate network. How the perimeter network is built depends on the
specific needs of the organization and its overall risk tolerance.
As customers move their workloads to public clouds, it is critical to support similar capabilities for perimeter
network architecture in Azure to meet compliance and security requirements. This document provides guidelines
on how customers can build a secure network environment in Azure. It focuses on the perimeter network, but also
includes a comprehensive discussion of many aspects of network security. The following questions inform this
discussion:
How can a perimeter network in Azure be built?
What are some of the Azure features available to build the perimeter network?
How can back-end workloads be protected?
How are Internet communications controlled to the workloads in Azure?
How can the on-premises networks be protected from deployments in Azure?
When should native Azure security features be used versus third-party appliances or services?
The following diagram shows various layers of security Azure provides to customers. These layers are both native
in the Azure platform itself and customer-defined features:
Inbound from the Internet, Azure DDoS helps protect against large-scale attacks against Azure. The next layer is
customer-defined public IP addresses (endpoints), which are used to determine which traffic can pass through the
cloud service to the virtual network. Native Azure virtual network isolation ensures complete isolation from all
other networks and that traffic only flows through user configured paths and methods. These paths and methods
are the next layer, where NSGs, UDR, and network virtual appliances can be used to create security boundaries to
protect the application deployments in the protected network.
The next section provides an overview of Azure virtual networks. These virtual networks are created by customers,
and are what their deployed workloads are connected to. Virtual networks are the basis of all the network security
features required to establish a perimeter network to protect customer deployments in Azure.
Overview of Azure virtual networks

Before Internet traffic can get to the Azure virtual networks, there are two layers of security inherent to the Azure
platform:
1. DDoS protection: DDoS protection is a layer of the Azure physical network that protects the Azure
platform itself from large-scale Internet-based attacks. These attacks use multiple bot nodes in an attempt
to overwhelm an Internet service. Azure has a robust DDoS protection mesh on all inbound, outbound, and
cross-Azure region connectivity. This DDoS protection layer has no user configurable attributes and is not
accessible to the customer. The DDoS protection layer protects Azure as a platform from large-scale attacks,
it also monitors out-bound traffic and cross-Azure region traffic. Using network virtual appliances on the
VNet, additional layers of resilience can be configured by the customer against a smaller scale attack that
doesn't trip the platform level protection. An example of DDoS in action; if an internet facing IP address was
attacked by a large-scale DDoS attack, Azure would detect the sources of the attacks and scrub the
offending traffic before it reached its intended destination. In almost all cases, the attacked endpoint isn't
affected by the attack. In the rare cases that an endpoint is affected, no traffic is affected to other endpoints,
only the attacked endpoint. Thus other customers and services would see no impact from that attack. It's
critical to note that Azure DDoS is only looking for large-scale attacks. It is possible that your specific service
could be overwhelmed before the platform level protection thresholds are exceeded. For example, a web
site on a single A0 IIS server, could be taken offline by a DDoS attack before Azure platform level DDoS
protection registered a threat.
2. Public IP Addresses: Public IP addresses (enabled via service endpoints, Public IP addresses, Application
Gateway, and other Azure features that present a public IP address to the internet routed to your resource)
allow cloud services or resource groups to have public Internet IP addresses and ports exposed. The
endpoint uses Network Address Translation (NAT) to route traffic to the internal address and port on the
Azure virtual network. This path is the primary way for external traffic to pass into the virtual network. The
Public IP addresses are configurable to determine which traffic is passed in, and how and where it's
translated on to the virtual network.
Once traffic reaches the virtual network, there are many features that come into play. Azure virtual networks are
the foundation for customers to attach their workloads and where basic network-level security applies. It is a
private network (a virtual network overlay) in Azure for customers with the following features and characteristics:
Traffic isolation: A virtual network is the traffic isolation boundary on the Azure platform. Virtual machines
(VMs) in one virtual network cannot communicate directly to VMs in a different virtual network, even if both
virtual networks are created by the same customer. Isolation is a critical property that ensures customer VMs
and communication remains private within a virtual network.
NOTE
Traffic isolation refers only to traffic inbound to the virtual network. By default outbound traffic from the VNet to the
internet is allowed, but can be prevented if desired by NSGs.
Multi-tier topology: Virtual networks allow customers to define multi-tier topology by allocating subnets and
designating separate address spaces for different elements or tiers of their workloads. These logical
groupings and topologies enable customers to define different access policy based on the workload types, and
also control traffic flows between the tiers.
Cross-premises connectivity: Customers can establish cross-premises connectivity between a virtual network
and multiple on-premises sites or other virtual networks in Azure. To construct a connection, customers can use
VNet Peering, Azure VPN Gateways, third-party network virtual appliances, or ExpressRoute. Azure supports
site-to-site (S2S) VPNs using standard IPsec/IKE protocols and ExpressRoute private connectivity.
NSG allows customers to create rules (ACLs) at the desired level of granularity: network interfaces, individual
VMs, or virtual subnets. Customers can control access by permitting or denying communication between the
workloads within a virtual network, from systems on customers networks via cross-premises connectivity, or
direct Internet communication.
UDR and IP Forwarding allow customers to define the communication paths between different tiers within a
virtual network. Customers can deploy a firewall, IDS/IPS, and other virtual appliances, and route network
traffic through these security appliances for security boundary policy enforcement, auditing, and inspection.
Network virtual appliances in the Azure Marketplace: Security appliances such as firewalls, load balancers,
and IDS/IPS are available in the Azure Marketplace and the VM Image Gallery. Customers can deploy these
appliances into their virtual networks, and specifically, at their security boundaries (including the perimeter
network subnets) to complete a multi-tiered secure network environment.
With these features and capabilities, one example of how a perimeter network architecture could be constructed in
Azure is the following diagram:
Perimeter network characteristics and requirements

The perimeter network is the front end of the network, directly interfacing communication from the Internet. The
incoming packets should flow through the security appliances, such as the firewall, IDS, and IPS, before reaching
the back-end servers. Internet-bound packets from the workloads can also flow through the security appliances in
the perimeter network for policy enforcement, inspection, and auditing purposes, before leaving the network.
Additionally, the perimeter network can host cross-premises VPN gateways between customer virtual networks
and on-premises networks.
Perimeter network characteristics
Referencing the previous figure, some of the characteristics of a good perimeter network are as follows:
Internet-facing:
The perimeter network subnet itself is Internet-facing, directly communicating with the Internet.
Public IP addresses, VIPs, and/or service endpoints pass Internet traffic to the front-end network and
devices.
Inbound traffic from the Internet passes through security devices before other resources on the front-
end network.
If outbound security is enabled, traffic passes through security devices, as the final step, before passing
to the Internet.
Protected network:
There is no direct path from the Internet to the core infrastructure.
Channels to the core infrastructure must traverse through security devices such as NSGs, firewalls, or
VPN devices.
Other devices must not bridge Internet and the core infrastructure.
Security devices on both the Internet-facing and the protected network facing boundaries of the
perimeter network (for example, the two firewall icons shown in the previous figure) may actually be a
single virtual appliance with differentiated rules or interfaces for each boundary. For example, one
physical device, logically separated, handling the load for both boundaries of the perimeter network.
Other common practices and constraints:
Workloads must not store business critical information.
Access and updates to perimeter network configurations and deployments are limited to only authorized
administrators.
Perimeter network requirements
To enable these characteristics, follow these guidelines on virtual network requirements to implement a successful
perimeter network:
Subnet architecture: Specify the virtual network such that an entire subnet is dedicated as the perimeter
network, separated from other subnets in the same virtual network. This separation ensures the traffic between
the perimeter network and other internal or private subnet tiers flows through a firewall or IDS/IPS virtual
appliance. User-defined routes on the boundary subnets are required to forward this traffic to the virtual
appliance.
NSG: The perimeter network subnet itself should be open to allow communication with the Internet, but that
does not mean customers should be bypassing NSGs. Follow common security practices to minimize the
network surfaces exposed to the Internet. Lock down the remote address ranges allowed to access the
deployments or the specific application protocols and ports that are open. There may be circumstances,
however, in which a complete lock-down is not possible. For example, if customers have an external website in
Azure, the perimeter network should allow the incoming web requests from any public IP addresses, but should
only open the web application ports: TCP on port 80 and/or TCP on port 443.
Routing table: The perimeter network subnet itself should be able to communicate to the Internet directly, but
should not allow direct communication to and from the back end or on-premises networks without going
through a firewall or security appliance.
Security appliance configuration: To route and inspect packets between the perimeter network and the rest
of the protected networks, the security appliances such as firewall, IDS, and IPS devices may be multi-homed.
They may have separate NICs for the perimeter network and the back-end subnets. The NICs in the perimeter
network communicate directly to and from the Internet, with the corresponding NSGs and the perimeter
network routing table. The NICs connecting to the back-end subnets have more restricted NSGs and routing
tables of the corresponding back-end subnets.
Security appliance functionality: The security appliances deployed in the perimeter network typically
perform the following functionality:
Firewall: Enforcing firewall rules or access control policies for the incoming requests.
Threat detection and prevention: Detecting and mitigating malicious attacks from the Internet.
Auditing and logging: Maintaining detailed logs for auditing and analysis.
Reverse proxy: Redirecting the incoming requests to the corresponding back-end servers. This
redirection involves mapping and translating the destination addresses on the front-end devices,
typically firewalls, to the back-end server addresses.
Forward proxy: Providing NAT and performing auditing for communication initiated from within the
virtual network to the Internet.
Router: Forwarding incoming and cross-subnet traffic inside the virtual network.
VPN device: Acting as the cross-premises VPN gateways for cross-premises VPN connectivity between
customer on-premises networks and Azure virtual networks.
VPN server: Accepting VPN clients connecting to Azure virtual networks.
TIP
Keep the following two groups separate: the individuals authorized to access the perimeter network security gear and the
individuals authorized as application development, deployment, or operations administrators. Keeping these groups separate
allows for a segregation of duties and prevents a single person from bypassing both applications security and network
security controls.
Questions to be asked when building network boundaries

In this section, unless specifically mentioned, the term "networks" refers to private Azure virtual networks created
by a subscription administrator. The term doesn't refer to the underlying physical networks within Azure.
Also, Azure virtual networks are often used to extend traditional on-premises networks. It is possible to
incorporate either site-to-site or ExpressRoute hybrid networking solutions with perimeter network architectures.
This hybrid link is an important consideration in building network security boundaries.
The following three questions are critical to answer when you're building a network with a perimeter network and
multiple security boundaries.
1) How many boundaries are needed?
The first decision point is to decide how many security boundaries are needed in a given scenario:
A single boundary: One on the front-end perimeter network, between the virtual network and the Internet.
Two boundaries: One on the Internet side of the perimeter network, and another between the perimeter
network subnet and the back-end subnets in the Azure virtual networks.
Three boundaries: One on the Internet side of the perimeter network, one between the perimeter network and
back-end subnets, and one between the back-end subnets and the on-premises network.
N boundaries: A variable number. Depending on security requirements, there is no limit to the number of
security boundaries that can be applied in a given network.
The number and type of boundaries needed vary based on a companys risk tolerance and the specific scenario
being implemented. This decision is often made together with multiple groups within an organization, often
including a risk and compliance team, a network and platform team, and an application development team. People
with knowledge of security, the data involved, and the technologies being used should have a say in this decision
to ensure the appropriate security stance for each implementation.
TIP
Use the smallest number of boundaries that satisfy the security requirements for a given situation. With more boundaries,
operations and troubleshooting can be more difficult, as well as the management overhead involved with managing the
multiple boundary policies over time. However, insufficient boundaries increase risk. Finding the balance is critical.
The preceding figure shows a high-level view of a three security boundary network. The boundaries are between
the perimeter network and the Internet, the Azure front-end and back-end private subnets, and the Azure back-end
subnet and the on-premises corporate network.
2) Where are the boundaries located?
Once the number of boundaries are decided, where to implement them is the next decision point. There are
generally three choices:
Using an Internet-based intermediary service (for example, a cloud-based Web application firewall, which is not
discussed in this document)
Using native features and/or network virtual appliances in Azure
Using physical devices on the on-premises network
On purely Azure networks, the options are native Azure features (for example, Azure Load Balancers) or network
virtual appliances from the rich partner ecosystem of Azure (for example, Check Point firewalls).
If a boundary is needed between Azure and an on-premises network, the security devices can reside on either side
of the connection (or both sides). Thus a decision must be made on the location to place security gear.
In the previous figure, the Internet-to-perimeter network and the front-to-back-end boundaries are entirely
contained within Azure, and must be either native Azure features or network virtual appliances. Security devices on
the boundary between Azure (back-end subnet) and the corporate network could be either on the Azure side or
the on-premises side, or even a combination of devices on both sides. There can be significant advantages and
disadvantages to either option that must be seriously considered.
For example, using existing physical security gear on the on-premises network side has the advantage that no new
gear is needed. It just needs reconfiguration. The disadvantage, however, is that all traffic must come back from
Azure to the on-premises network to be seen by the security gear. Thus Azure-to-Azure traffic could incur
significant latency, and affect application performance and user experience, if it was forced back to the on-
premises network for security policy enforcement.
3) How are the boundaries implemented?
Each security boundary will likely have different capability requirements (for example, IDS and firewall rules on the
Internet side of the perimeter network, but only ACLs between the perimeter network and back-end subnet).
Deciding on which device (or how many devices) to use depends on the scenario and security requirements. In the
following section, examples 1, 2, and 3 discuss some options that could be used. Reviewing the Azure native
network features and the devices available in Azure from the partner ecosystem shows the myriad options
available to solve virtually any scenario.
Another key implementation decision point is how to connect the on-premises network with Azure. Should you
use the Azure virtual gateway or a network virtual appliance? These options are discussed in greater detail in the
following section (examples 4, 5, and 6).
Additionally, traffic between virtual networks within Azure may be needed. These scenarios will be added in the
future.
Once you know the answers to the previous questions, the Fast Start section can help identify which examples are
most appropriate for a given scenario.
Examples: Building security boundaries with Azure virtual networks

Example 1 Build a perimeter network to help protect applications with NSGs
Back to Fast start | Detailed build instructions for this example
Environment description
In this example, there is a subscription that contains the following resources:
A single resource group
A virtual network with two subnets: FrontEnd and BackEnd
A Network Security Group that is applied to both subnets
A Windows server that represents an application web server (IIS01)
Two Windows servers that represent application back-end servers (AppVM01, AppVM02)
A Windows server that represents a DNS server (DNS01)
A public IP associated with the application web server
For scripts and an Azure Resource Manager template, see the detailed build instructions.
NSG description
In this example, an NSG group is built and then loaded with six rules.
TIP
Generally speaking, you should create your specific Allow rules first, followed by the more generic Deny rules. The given
priority dictates which rules are evaluated first. Once traffic is found to apply to a specific rule, no further rules are evaluated.
NSG rules can apply in either the inbound or outbound direction (from the perspective of the subnet).
Declaratively, the following rules are being built for inbound traffic:
1. Internal DNS traffic (port 53) is allowed.
2. RDP traffic (port 3389) from the Internet to any Virtual Machine is allowed.
3. HTTP traffic (port 80) from the Internet to web server (IIS01) is allowed.
4. Any traffic (all ports) from IIS01 to AppVM1 is allowed.
5. Any traffic (all ports) from the Internet to the entire virtual network (both subnets) is denied.
6. Any traffic (all ports) from the front-end subnet to the back-end subnet is denied.
With these rules bound to each subnet, if an HTTP request was inbound from the Internet to the web server, both
rules 3 (allow) and 5 (deny) would apply. But because rule 3 has a higher priority, only it would apply, and rule 5
would not come into play. Thus the HTTP request would be allowed to the web server. If that same traffic was
trying to reach the DNS01 server, rule 5 (deny) would be the first to apply, and the traffic would not be allowed to
pass to the server. Rule 6 (deny) blocks the front-end subnet from talking to the back-end subnet (except for
allowed traffic in rules 1 and 4). This rule-set protects the back-end network in case an attacker compromises the
web application on the front end. The attacker would have limited access to the back-end protected network
(only to resources exposed on the AppVM01 server).
There is a default outbound rule that allows traffic out to the Internet. For this example, were allowing outbound
traffic and not modifying any outbound rules. To lock down traffic in both directions, user-defined routing is
required (see example 3).
Conclusion
This example is a relatively simple and straightforward way of isolating the back-end subnet from inbound traffic.
For more information, see the detailed build instructions. These instructions include:
How to build this perimeter network with classic PowerShell scripts.
How to build this perimeter network with an Azure Resource Manager template.
Detailed descriptions of each NSG command.
Detailed traffic flow scenarios, showing how traffic is allowed or denied in each layer.
Example 2 Build a perimeter network to help protect applications with a firewall and NSGs
A virtual network with two subnets: FrontEnd and BackEnd
A network virtual appliance, in this case a firewall, connected to the front-end subnet
NSG description
In this example, an NSG group is built and then loaded with six rules.
TIP
Generally speaking, you should create your specific Allow rules first, followed by the more generic Deny rules. The given
priority dictates which rules are evaluated first. Once traffic is found to apply to a specific rule, no further rules are evaluated.
NSG rules can apply in either the inbound or outbound direction (from the perspective of the subnet).
1. Internal DNS traffic (port 53) is allowed.
2. RDP traffic (port 3389) from the Internet to any Virtual Machine is allowed.
3. Any Internet traffic (all ports) to the network virtual appliance (firewall) is allowed.
4. Any traffic (all ports) from IIS01 to AppVM1 is allowed.
5. Any traffic (all ports) from the Internet to the entire virtual network (both subnets) is denied.
6. Any traffic (all ports) from the front-end subnet to the back-end subnet is denied.
With these rules bound to each subnet, if an HTTP request was inbound from the Internet to the firewall, both rules
3 (allow) and 5 (deny) would apply. But because rule 3 has a higher priority, only it would apply, and rule 5 would
not come into play. Thus the HTTP request would be allowed to the firewall. If that same traffic was trying to reach
the IIS01 server, even though its on the front-end subnet, rule 5 (deny) would apply, and the traffic would not be
allowed to pass to the server. Rule 6 (deny) blocks the front-end subnet from talking to the back-end subnet
(except for allowed traffic in rules 1 and 4). This rule-set protects the back-end network in case an attacker
compromises the web application on the front end. The attacker would have limited access to the back-end
protected network (only to resources exposed on the AppVM01 server).
There is a default outbound rule that allows traffic out to the Internet. For this example, were allowing outbound
traffic and not modifying any outbound rules. To lock down traffic in both directions, user-defined routing is
required (see example 3).
Firewall rule description
On the firewall, forwarding rules should be created. Since this example only routes Internet traffic in-bound to the
firewall and then to the web server, only one forwarding network address translation (NAT) rule is needed.
The forwarding rule accepts any inbound source address that hits the firewall trying to reach HTTP (port 80 or 443
for HTTPS). It's sent out of the firewalls local interface and redirected to the web server with the IP Address of
10.0.1.5.
Conclusion
This example is a relatively straightforward way of protecting your application with a firewall and isolating the
back-end subnet from inbound traffic. For more information, see the detailed build instructions. These instructions
include:
How to build this perimeter network with classic PowerShell scripts.
How to build this example with an Azure Resource Manager template.
Detailed descriptions of each NSG command and firewall rule.
Example 3 Build a perimeter network to help protect networks with a firewall and UDR and NSG
A virtual network with three subnets: SecNet, FrontEnd, and BackEnd
A network virtual appliance, in this case a firewall, connected to the SecNet subnet
UDR description
By default, the following system routes are defined as:
Effective routes :
Address Prefix Next hop type Next hop IP address Status Source
-------------- ------------- ------------------- ------ ------
{10.0.0.0/16} VNETLocal Active Default
{0.0.0.0/0} Internet Active Default
{10.0.0.0/8} Null Active Default
The VNETLocal is always one or more defined address prefixes that make up the virtual network for that specific
network (that is, it changes from virtual network to virtual network, depending on how each specific virtual
network is defined). The remaining system routes are static and default as indicated in the table.
In this example, two routing tables are created, one each for the front-end and back-end subnets. Each table is
loaded with static routes appropriate for the given subnet. In this example, each table has three routes that direct
all traffic (0.0.0.0/0) through the firewall (Next hop = Virtual Appliance IP address):
1. Local subnet traffic with no Next Hop defined to allow local subnet traffic to bypass the firewall.
2. Virtual network traffic with a Next Hop defined as firewall. This next hop overrides the default rule that allows
local virtual network traffic to route directly.
3. All remaining traffic (0/0) with a Next Hop defined as the firewall.
TIP
Not having the local subnet entry in the UDR breaks local subnet communications.
In our example, 10.0.1.0/24 pointing to VNETLocal is critical! Without it, packet leaving the Web Server (10.0.1.4)
destined to another local server (for example) 10.0.1.25 will fail as they will be sent to the NVA. The NVA will send it to
the subnet, and the subnet will resend it to the NVA in an infinite loop.
The chances of a routing loop are typically higher on appliances with multiple NICs that are connected to separate
subnets, which is often of traditional, on-premises appliances.
Once the routing tables are created, they must be bound to their subnets. The front-end subnet routing table, once
created and bound to the subnet, would look like this output:
Effective routes :
-------------- ------------- ------------------- ------ ------
{10.0.1.0/24} VNETLocal Active
{10.0.0.0/16} VirtualAppliance 10.0.0.4 Active
NOTE
UDR can now be applied to the gateway subnet on which the ExpressRoute circuit is connected.
Examples of how to enable your perimeter network with ExpressRoute or site-to-site networking are shown in examples 3
and 4.
IP Forwarding description
IP Forwarding is a companion feature to UDR. IP Forwarding is a setting on a virtual appliance that allows it to
receive traffic not specifically addressed to the appliance, and then forward that traffic to its ultimate destination.
For example, if AppVM01 makes a request to the DNS01 server, UDR would route this traffic to the firewall. With
IP Forwarding enabled, the traffic for the DNS01 destination (10.0.2.4) is accepted by the appliance (10.0.0.4) and
then forwarded to its ultimate destination (10.0.2.4). Without IP Forwarding enabled on the firewall, traffic would
not be accepted by the appliance even though the route table has the firewall as the next hop. To use a virtual
appliance, its critical to remember to enable IP Forwarding along with UDR.
NSG description
In this example, an NSG group is built and then loaded with a single rule. This group is then bound only to the
front-end and back-end subnets (not the SecNet). Declaratively the following rule is being built:
Any traffic (all ports) from the Internet to the entire virtual network (all subnets) is denied.
Although NSGs are used in this example, its main purpose is as a secondary layer of defense against manual
misconfiguration. The goal is to block all inbound traffic from the Internet to either the front-end or back-end
subnets. Traffic should only flow through the SecNet subnet to the firewall (and then, if appropriate, on to the
front-end or back-end subnets). Plus, with the UDR rules in place, any traffic that did make it into the front-end or
back-end subnets would be directed out to the firewall (thanks to UDR). The firewall would see this traffic as an
asymmetric flow and would drop the outbound traffic. Thus there are three layers of security protecting the
subnets:
No Public IP addresses on any FrontEnd or BackEnd NICs.
NSGs denying traffic from the Internet.
The firewall dropping asymmetric traffic.
One interesting point regarding the NSG in this example is that it contains only one rule, which is to deny Internet
traffic to the entire virtual network, including the Security subnet. However, since the NSG is only bound to the
front-end and back-end subnets, the rule isnt processed on traffic inbound to the Security subnet. As a result,
traffic flows to the Security subnet.
Firewall rules
On the firewall, forwarding rules should be created. Since the firewall is blocking or forwarding all inbound,
outbound, and intra-virtual network traffic, many firewall rules are needed. Also, all inbound traffic hits the
Security Service public IP address (on different ports), to be processed by the firewall. A best practice is to diagram
the logical flows before setting up the subnets and firewall rules, to avoid rework later. The following figure is a
logical view of the firewall rules for this example:
NOTE
Based on the Network Virtual Appliance used, the management ports vary. In this example, a Barracuda NextGen Firewall is
referenced, which uses ports 22, 801, and 807. Consult the appliance vendor documentation to find the exact ports used for
management of the device being used.
Firewall rules description

In the preceding logical diagram, the security subnet is not shown because the firewall is the only resource on that
subnet. The diagram is showing the firewall rules and how they logically allow or deny traffic flows, not the actual
routed path. Also, the external ports selected for the RDP traffic are higher ranged ports (8014 8026) and were
selected to loosely align with the last two octets of the local IP address for easier readability (for example, local
server address 10.0.1.4 is associated with external port 8014). Any higher non-conflicting ports, however, could be
used.
For this example, we need seven types of rules:
External rules (for inbound traffic):
1. Firewall management rule: This App Redirect rule allows traffic to pass to the management ports of the
network virtual appliance.
2. RDP rules (for each Windows server): These four rules (one for each server) allow management of the
individual servers via RDP. The four RDP rules could also be collapsed into one rule, depending on the
capabilities of the network virtual appliance being used.
3. Application traffic rules: There are two of these rules, the first for the front-end web traffic, and the
second for the back-end traffic (for example, web server to data tier). The configuration of these rules
depends on the network architecture (where your servers are placed) and traffic flows (which direction
the traffic flows, and which ports are used).
The first rule allows the actual application traffic to reach the application server. While the other
rules allow for security and management, application traffic rules are what allow external users or
services to access the applications. For this example, there is a single web server on port 80. Thus
a single firewall application rule redirects inbound traffic to the external IP, to the web servers
internal IP address. The redirected traffic session would be translated via NAT to the internal
server.
The second rule is the back-end rule to allow the web server to talk to the AppVM01 server (but
not AppVM02) via any port.
Internal rules (for intra-virtual network traffic)
1. Outbound to Internet rule: This rule allows traffic from any network to pass to the selected networks.
This rule is usually a default rule already on the firewall, but in a disabled state. This rule should be
enabled for this example.
2. DNS rule: This rule allows only DNS (port 53) traffic to pass to the DNS server. For this environment,
most traffic from the front end to the back end is blocked. This rule specifically allows DNS from any
local subnet.
3. Subnet to subnet rule: This rule is to allow any server on the back-end subnet to connect to any server
on the front-end subnet (but not the reverse).
Fail-safe rule (for traffic that doesnt meet any of the previous):
1. Deny all traffic rule: This deny rule should always be the final rule (in terms of priority), and as such if a
traffic flow fails to match any of the preceding rules it is dropped by this rule. This rule is a default rule
and usually in-place and active. No modifications are usually needed to this rule.
TIP
On the second application traffic rule, to simplify this example, any port is allowed. In a real scenario, the most specific port
and address ranges should be used to reduce the attack surface of this rule.
Once the previous rules are created, its important to review the priority of each rule to ensure traffic is allowed or
denied as desired. For this example, the rules are in priority order.
Conclusion
This example is a more complex but complete way of protecting and isolating the network than the previous
examples. (Example 2 protects just the application, and Example 1 just isolates subnets). This design allows for
monitoring traffic in both directions, and protects not just the inbound application server but enforces network
security policy for all servers on this network. Also, depending on the appliance used, full traffic auditing and
awareness can be achieved. For more information, see the detailed build instructions. These instructions include:
How to build this example perimeter network with classic PowerShell scripts.
Detailed descriptions of each UDR, NSG command, and firewall rule.
Example 4 Add a hybrid connection with a site -to -site, virtual appliance VPN
Back to Fast start | Detailed build instructions available soon
Hybrid networking using a network virtual appliance (NVA) can be added to any of the perimeter network types
described in examples 1, 2, or 3.
As shown in the previous figure, a VPN connection over the Internet (site-to-site) is used to connect an on-
premises network to an Azure virtual network via an NVA.
NOTE
If you use ExpressRoute with the Azure Public Peering option enabled, a static route should be created. This static route
should route to the NVA VPN IP address out your corporate Internet and not via the ExpressRoute connection. The NAT
required on the ExpressRoute Azure Public Peering option can break the VPN session.
Once the VPN is in place, the NVA becomes the central hub for all networks and subnets. The firewall forwarding
rules determine which traffic flows are allowed, are translated via NAT, are redirected, or are dropped (even for
traffic flows between the on-premises network and Azure).
Traffic flows should be considered carefully, as they can be optimized or degraded by this design pattern,
depending on the specific use case.
Using the environment built in example 3, and then adding a site-to-site VPN hybrid network connection,
produces the following design:
The on-premises router, or any other network device that is compatible with your NVA for VPN, would be the VPN
client. This physical device would be responsible for initiating and maintaining the VPN connection with your NVA.
Logically to the NVA, the network looks like four separate security zones with the rules on the NVA being the
primary director of traffic between these zones:
Conclusion
The addition of a site-to-site VPN hybrid network connection to an Azure virtual network can extend the on-
premises network into Azure in a secure manner. In using a VPN connection, your traffic is encrypted and routes
via the Internet. The NVA in this example provides a central location to enforce and manage the security policy. For
more information, see the detailed build instructions (forthcoming). These instructions include:
How to build this example perimeter network with PowerShell scripts.
Detailed traffic flow scenarios, showing how traffic flows through this design.
Example 5 Add a hybrid connection with a site -to -site, Azure VPN gateway
Hybrid networking using an Azure VPN gateway can be added to either perimeter network type described in
examples 1 or 2.
As shown in the preceding figure, a VPN connection over the Internet (site-to-site) is used to connect an on-
premises network to an Azure virtual network via an Azure VPN gateway.
NOTE
If you use ExpressRoute with the Azure Public Peering option enabled, a static route should be created. This static route
should route to the NVA VPN IP address out your corporate Internet and not via the ExpressRoute WAN. The NAT required
on the ExpressRoute Azure Public Peering option can break the VPN session.
The following figure shows the two network edges in this example. On the first edge, the NVA and NSGs control
traffic flows for intra-Azure networks and between Azure and the Internet. The second edge is the Azure VPN
gateway, which is a separate and isolated network edge between on-premises and Azure.
Using the environment built in example 1, and then adding a site-to-site VPN hybrid network connection,
produces the following design:
Conclusion
The addition of a site-to-site VPN hybrid network connection to an Azure virtual network can extend the on-
premises network into Azure in a secure manner. Using the native Azure VPN gateway, your traffic is IPSec
encrypted and routes via the Internet. Also, using the Azure VPN gateway can provide a lower-cost option (no
additional licensing cost as with third-party NVAs). This option is most economical in example 1, where no NVA is
used. For more information, see the detailed build instructions (forthcoming). These instructions include:
Example 6 Add a hybrid connection with ExpressRoute
Hybrid networking using an ExpressRoute private peering connection can be added to either perimeter network
type described in examples 1 or 2.
As shown in the preceding figure, ExpressRoute private peering provides a direct connection between your on-
premises network and the Azure virtual network. Traffic transits only the service provider network and the
Microsoft Azure network, never touching the Internet.
TIP
Using ExpressRoute keeps corporate network traffic off the Internet. It also allows for service level agreements from your
ExpressRoute provider. The Azure Gateway can pass up to 10 Gbps with ExpressRoute, whereas with site-to-site VPNs, the
Azure Gateway maximum throughput is 200 Mbps.
As seen in the following diagram, with this option the environment now has two network edges. The NVA and
NSG control traffic flows for intra-Azure networks and between Azure and the Internet, while the gateway is a
separate and isolated network edge between on-premises and Azure.
Using the environment built in example 1, and then adding an ExpressRoute hybrid network connection, produces
the following design:
Conclusion
The addition of an ExpressRoute Private Peering network connection can extend the on-premises network into
Azure in a secure, lower latency, higher performing manner. Also, using the native Azure Gateway, as in this
example, provides a lower-cost option (no additional licensing as with third-party NVAs). For more information,
see the detailed build instructions (forthcoming). These instructions include:
References
Helpful websites and documentation
Access Azure with Azure Resource Manager:
Accessing Azure with PowerShell: https://docs.microsoft.com/powershell/azureps-cmdlets-docs/
Virtual networking documentation: https://docs.microsoft.com/azure/virtual-network/
Network security group documentation: https://docs.microsoft.com/azure/virtual-network/virtual-networks-
nsg
User-defined routing documentation: https://docs.microsoft.com/azure/virtual-network/virtual-networks-udr-
overview
Azure virtual gateways: https://docs.microsoft.com/azure/vpn-gateway/
Site-to-Site VPNs: https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-create-site-to-site-rm-
powershell
ExpressRoute documentation (be sure to check out the Getting Started and How To sections):
https://docs.microsoft.com/azure/expressroute/
Example 1 Build a simple DMZ using NSGs with
classic PowerShell
Return to the Security Boundary Best Practices Page

This example creates a primitive DMZ with four Windows servers and Network Security Groups. This example
describes each of the relevant PowerShell commands to provide a deeper understanding of each step. There is also
a Traffic Scenario section to provide an in-depth step-by-step how traffic proceeds through the layers of defense in
the DMZ. Finally, in the references section is the complete code and instruction to build this environment to test and
experiment with various scenarios.
In this example a subscription contains the following resources:
Two cloud services: FrontEnd001 and BackEnd001
A Virtual Network, CorpNetwork, with two subnets; FrontEnd and BackEnd
A Windows Server that represents an application web server (IIS01)
Two windows servers that represent application back-end servers (AppVM01, AppVM02)
In the references section, there is a PowerShell script that builds most of the environment described in this example.
Building the VMs and Virtual Networks, although are done by the example script, are not described in detail in this
document.
To build the environment;
1. Save the network config xml file included in the references section (updated with names, location, and IP
addresses to match the given scenario)
2. Update the user variables in the script to match the environment the script is to be run against (subscriptions,
service names, etc.)
3. Execute the script in PowerShell
NOTE
The region signified in the PowerShell script must match the region signified in the network configuration xml file.
Once the script runs successfully additional optional steps may be taken, in the references section are two scripts to
set up the web server and app server with a simple web application to allow testing with this DMZ configuration.
The following sections provide a detailed description of Network Security Groups and how they function for this
example by walking through key lines of the PowerShell script.
Network Security Groups (NSG)

For this example, an NSG group is built and then loaded with six rules.
TIP
Generally speaking, you should create your specific Allow rules first and then the more generic Deny rules last. The
assigned priority dictates which rules are evaluated first. Once traffic is found to apply to a specific rule, no further rules are
evaluated. NSG rules can apply in either in the inbound or outbound direction (from the perspective of the subnet).
1. Internal DNS traffic (port 53) is allowed
2. RDP traffic (port 3389) from the Internet to any VM is allowed
3. HTTP traffic (port 80) from the Internet to web server (IIS01) is allowed
4. Any traffic (all ports) from IIS01 to AppVM1 is allowed
5. Any traffic (all ports) from the Internet to the entire VNet (both subnets) is Denied
6. Any traffic (all ports) from the Frontend subnet to the Backend subnet is Denied
With these rules bound to each subnet, if an HTTP request was inbound from the Internet to the web server, both
rules 3 (allow) and 5 (deny) would apply, but since rule 3 has a higher priority only it would apply and rule 5 would
not come into play. Thus the HTTP request would be allowed to the web server. If that same traffic was trying to
reach the DNS01 server, rule 5 (Deny) would be the first to apply and the traffic would not be allowed to pass to the
server. Rule 6 (Deny) blocks the Frontend subnet from talking to the Backend subnet (except for allowed traffic in
rules 1 and 4), this rule-set protects the Backend network in case an attacker compromises the web application on
the Frontend, the attacker would have limited access to the Backend protected network (only to resources
exposed on the AppVM01 server).
There is a default outbound rule that allows traffic out to the internet. For this example, were allowing outbound
traffic and not modifying any outbound rules. To lock down traffic in both directions, User Defined Routing is
required and is explored in Example 3 on the Security Boundary Best Practices Page.
Each rule is discussed in more detail as follows (Note: any item in the following list beginning with a dollar sign
(for example: $NSGName) is a user-defined variable from the script in the reference section of this document):
1. First a Network Security Group must be built to hold the rules:
New-AzureNetworkSecurityGroup -Name $NSGName `
-Location $DeploymentLocation `
-Label "Security group for $VNetName subnets in $DeploymentLocation"
2. The first rule in this example allows DNS traffic between all internal networks to the DNS server on the
backend subnet. The rule has some important parameters:
Type signifies in which direction of traffic flow this rule takes effect. The direction is from the
perspective of the subnet or Virtual Machine (depending on where this NSG is bound). Thus if Type is
Inbound and traffic is entering the subnet, the rule would apply and traffic leaving the subnet would not
be affected by this rule.
Priority sets the order in which a traffic flow is evaluated. The lower the number the higher the priority.
When a rule applies to a specific traffic flow, no further rules are processed. Thus if a rule with priority 1
allows traffic, and a rule with priority 2 denies traffic, and both rules apply to traffic then the traffic would
be allowed to flow (since rule 1 had a higher priority it took effect and no further rules were applied).
Action signifies if traffic affected by this rule is blocked or allowed.
Get-AzureNetworkSecurityGroup -Name $NSGName | `

Set-AzureNetworkSecurityRule -Name "Enable Internal DNS" `
-Type Inbound -Priority 100 -Action Allow `
-SourceAddressPrefix VIRTUAL_NETWORK -SourcePortRange '*' `
-DestinationAddressPrefix $VMIP[4] `
-DestinationPortRange '53' `
-Protocol *
3. This rule allows RDP traffic to flow from the internet to the RDP port on any server on the bound subnet.
This rule uses two special types of address prefixes; VIRTUAL_NETWORK and INTERNET. These tags are
an easy way to address a larger category of address prefixes.

Set-AzureNetworkSecurityRule -Name "Enable RDP to $VNetName VNet" `
-SourceAddressPrefix INTERNET -SourcePortRange '*' `
-DestinationAddressPrefix VIRTUAL_NETWORK `
-DestinationPortRange '3389' `
-Protocol *
4. This rule allows inbound internet traffic to hit the web server. This rule does not change the routing behavior.
The rule only allows traffic destined for IIS01 to pass. Thus if traffic from the Internet had the web server as
its destination this rule would allow it and stop processing further rules. (In the rule at priority 140 all other
inbound internet traffic is blocked). If you're only processing HTTP traffic, this rule could be further restricted
to only allow Destination Port 80.

Set-AzureNetworkSecurityRule -Name "Enable Internet to $VMName[0]" `
-DestinationPortRange '*' `
-Protocol *
5. This rule allows traffic to pass from the IIS01 server to the AppVM01 server, a later rule blocks all other
Frontend to Backend traffic. To improve this rule, if the port is known that should be added. For example, if
the IIS server is hitting only SQL Server on AppVM01, the Destination Port Range should be changed from
* (Any) to 1433 (the SQL port) thus allowing a smaller inbound attack surface on AppVM01 should the
web application ever be compromised.

Set-AzureNetworkSecurityRule -Name "Enable $VMName[1] to $VMName[2]" `
-SourceAddressPrefix $VMIP[1] -SourcePortRange '*' `
-Protocol *
6. This rule denies traffic from the internet to any servers on the network. With the rules at priority 110 and
120, the effect is to allow only inbound internet traffic to the firewall and RDP ports on servers and blocks
everything else. This rule is a "fail-safe" rule to block all unexpected flows.

Set-AzureNetworkSecurityRule `
-Name "Isolate the $VNetName VNet from the Internet" `
-Type Inbound -Priority 140 -Action Deny `
-Protocol *
7. The final rule denies traffic from the Frontend subnet to the Backend subnet. Since this rule is an Inbound
only rule, reverse traffic is allowed (from the Backend to the Frontend).

Set-AzureNetworkSecurityRule `
-Name "Isolate the $FESubnet subnet from the $BESubnet subnet" `
-SourceAddressPrefix $FEPrefix -SourcePortRange '*' `
-DestinationAddressPrefix $BEPrefix `
-Protocol *
Traffic scenarios
(Allowed) Internet to web server
1. An internet user requests an HTTP page from FrontEnd001.CloudApp.Net (Internet Facing Cloud Service)
2. Cloud service passes traffic through open endpoint on port 80 towards IIS01 (the web server)
3. Frontend subnet begins inbound rule processing:
a. NSG Rule 1 (DNS) doesnt apply, move to next rule
b. NSG Rule 2 (RDP) doesnt apply, move to next rule
c. NSG Rule 3 (Internet to IIS01) does apply, traffic is allowed, stop rule processing
4. Traffic hits internal IP address of the web server IIS01 (10.0.1.5)
5. IIS01 is listening for web traffic, receives this request and starts processing the request
6. IIS01 asks the SQL Server on AppVM01 for information
7. Since there are no outbound rules on Frontend subnet, traffic is allowed
8. The Backend subnet begins inbound rule processing:
c. NSG Rule 3 (Internet to Firewall) doesnt apply, move to next rule
d. NSG Rule 4 (IIS01 to AppVM01) does apply, traffic is allowed, stop rule processing
9. AppVM01 receives the SQL Query and responds
10. Since there are no outbound rules on the Backend subnet, the response is allowed
a. There is no NSG rule that applies to Inbound traffic from the Backend subnet to the Frontend subnet, so
none of the NSG rules apply
b. The default system rule allowing traffic between subnets would allow this traffic so the traffic is allowed.
12. The IIS server receives the SQL response and completes the HTTP response and sends to the requestor
13. Since there are no outbound rules on the Frontend subnet the response is allowed, and the internet User
receives the web page requested.
(Allowed) RDP to backend
1. Server Admin on internet requests RDP session to AppVM01 on BackEnd001.CloudApp.Net:xxxxx where xxxxx is
the randomly assigned port number for RDP to AppVM01 (the assigned port can be found on the Azure portal
or via PowerShell)
2. Backend subnet begins inbound rule processing:
b. NSG Rule 2 (RDP) does apply, traffic is allowed, stop rule processing
3. With no outbound rules, default rules apply and return traffic is allowed
4. RDP session is enabled
5. AppVM01 prompts for the user name and password
(Allowed) Web server DNS look-up on DNS server
1. Web Server, IIS01, needs a data feed at www.data.gov, but needs to resolve the address.
2. The network configuration for the VNet lists DNS01 (10.0.2.4 on the Backend subnet) as the primary DNS
server, IIS01 sends the DNS request to DNS01
3. No outbound rules on Frontend subnet, traffic is allowed
NSG Rule 1 (DNS) does apply, traffic is allowed, stop rule processing
5. DNS server receives the request
6. DNS server doesnt have the address cached and asks a root DNS server on the internet
7. No outbound rules on Backend subnet, traffic is allowed
8. Internet DNS server responds, since this session was initiated internally, the response is allowed
9. DNS server caches the response, and responds to the initial request back to IIS01
b. The default system rule allowing traffic between subnets would allow this traffic so the traffic is allowed
12. IIS01 receives the response from DNS01
(Allowed) Web server access file on AppVM01
1. IIS01 asks for a file on AppVM01
c. NSG Rule 3 (Internet to IIS01) doesnt apply, move to next rule
4. AppVM01 receives the request and responds with file (assuming access is authorized)
5. Since there are no outbound rules on the Backend subnet, the response is allowed
7. The IIS server receives the file
(Denied) Web to backend server
1. An internet user tries to access a file on AppVM01 through the BackEnd001.CloudApp.Net service
2. Since there are no endpoints open for file share, this traffic would not pass the Cloud Service and wouldnt reach
the server
3. If the endpoints were open for some reason, NSG rule 5 (Internet to VNet) would block this traffic
(Denied) Web DNS look-up on DNS server
1. An internet user tries to look up an internal DNS record on DNS01 through the BackEnd001.CloudApp.Net
service
2. Since there are no endpoints open for DNS, this traffic would not pass the Cloud Service and wouldnt reach the
server
3. If the endpoints were open for some reason, NSG rule 5 (Internet to VNet) would block this traffic (Note: that
Rule 1 (DNS) would not apply for two reasons, first the source address is the internet, this rule only applies to
the local VNet as the source, also this rule is an Allow rule, so it would never deny traffic)
(Denied) Web to SQL access through firewall
1. An internet user requests SQL data from FrontEnd001.CloudApp.Net (Internet Facing Cloud Service)
2. Since there are no endpoints open for SQL, this traffic would not pass the Cloud Service and wouldnt reach the
firewall
3. If endpoints were open for some reason, the Frontend subnet begins inbound rule processing:
c. NSG Rule 3 (Internet to IIS01) does apply, traffic is allowed, stop rule processing
4. Traffic hits internal IP address of the IIS01 (10.0.1.5)
5. IIS01 isn't listening on port 1433, so no response to the request
Conclusion
This example is a relatively simple and straight forward way of isolating the back-end subnet from inbound traffic.
More examples and an overview of network security boundaries can be found here.
References
Main script and network config
Save the Full Script in a PowerShell script file. Save the Network Config into a file named NetworkConf1.xml.
Modify the user-defined variables as needed and run the script.
Full script
This script will, based on the user-defined variables;
1. Connect to an Azure subscription
2. Create a storage account
3. Create a VNet and two subnets as defined in the Network Config file
4. Build four windows server VMs
5. Configure NSG including:
Creating an NSG
Populating it with rules
Binding the NSG to the appropriate subnets
This PowerShell script should be run locally on an internet connected PC or server.
IMPORTANT
When this script is run, there may be warnings or other informational messages that pop in PowerShell. Only error messages
in red are cause for concern.
<#
.SYNOPSIS
Example of Network Security Groups in an isolated network (Azure only, no hybrid connections)
.DESCRIPTION
This script will build out a sample DMZ setup containing:
- A default storage account for VM disks
- Two new cloud services
- Two Subnets (FrontEnd and BackEnd subnets)
- One server on the FrontEnd Subnet
- Three Servers on the BackEnd Subnet
- Network Security Groups to allow/deny traffic patterns as declared
Before running script, ensure the network configuration file is created in

the directory referenced by $NetworkConfigFile variable (or update the
variable to reflect the path and file name of the config file being used).
.Notes
Security requirements are different for each use case and can be addressed in a
myriad of ways. Please be sure that any sensitive data or applications are behind
the appropriate layer(s) of protection. This script serves as an example of some
of the techniques that can be used, but should not be used for all scenarios. You
are responsible to assess your security needs and the appropriate protections
needed, and then effectively implement those protections.
FrontEnd Service (FrontEnd subnet 10.0.1.0/24)

IIS01 - 10.0.1.5
BackEnd Service (BackEnd subnet 10.0.2.0/24)

DNS01 - 10.0.2.4
AppVM01 - 10.0.2.5
AppVM02 - 10.0.2.6
#>
# Fixed Variables
$LocalAdminPwd = Read-Host -Prompt "Enter Local Admin Password to be used for all VMs"
$VMName = @()
$ServiceName = @()
$VMFamily = @()
$img = @()
$size = @()
$SubnetName = @()
$VMIP = @()
# User-Defined Global Variables

# These should be changes to reflect your subscription and services
# Invalid options will fail in the validation section
# Subscription Access Details

$subID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
# VM Account, Location, and Storage Details

$LocalAdmin = "theAdmin"
$DeploymentLocation = "Central US"
$StorageAccountName = "vmstore02"
# Service Details
$FrontEndService = "FrontEnd001"
$BackEndService = "BackEnd001"
# Network Details
$VNetName = "CorpNetwork"
$FESubnet = "FrontEnd"
$FEPrefix = "10.0.1.0/24"
$BESubnet = "BackEnd"
$BEPrefix = "10.0.2.0/24"
$NetworkConfigFile = "C:\Scripts\NetworkConf1.xml"
# VM Base Disk Image Details

$SrvImg = Get-AzureVMImage | Where {$_.ImageFamily -match 'Windows Server 2012 R2 Datacenter'} | sort
PublishedDate -Descending | Select ImageName -First 1 | ForEach {$_.ImageName}
# NSG Details
$NSGName = "MyVNetSG"
# User-Defined VM Specific Configuration

# Note: To ensure proper NSG Rule creation later in this script:
# - The Web Server must be VM 0
# - The AppVM1 Server must be VM 1
# - The DNS server must be VM 3
#
# Otherwise the NSG rules in the last section of this
# script will need to be changed to match the modified
# VM array numbers ($i) so the NSG Rule IP addresses
# are aligned to the associated VM IP addresses.
# VM 0 - The Web Server

$VMName += "IIS01"
$ServiceName += $FrontEndService
$VMFamily += "Windows"
$img += $SrvImg
$size += "Standard_D3"
$SubnetName += $FESubnet
$VMIP += "10.0.1.5"
# VM 1 - The First Application Server

$VMName += "AppVM01"
$ServiceName += $BackEndService
$img += $SrvImg
$SubnetName += $BESubnet
$VMIP += "10.0.2.5"
# VM 2 - The Second Application Server

$img += $SrvImg
$VMIP += "10.0.2.6"
# VM 3 - The DNS Server

$VMName += "DNS01"
$img += $SrvImg
$VMIP += "10.0.2.4"
# ----------------------------- #
# ----------------------------- #
# No User-Defined Variables or #
# Configuration past this point #
# ----------------------------- #
# Get your Azure accounts

Add-AzureAccount
Set-AzureSubscription SubscriptionId $subID -ErrorAction Stop
Select-AzureSubscription -SubscriptionId $subID -Current -ErrorAction Stop
# Create Storage Account

If (Test-AzureName -Storage -Name $StorageAccountName) {
Write-Host "Fatal Error: This storage account name is already in use, please pick a different name." -
ForegroundColor Red
Return}
Else {Write-Host "Creating Storage Account" -ForegroundColor Cyan
New-AzureStorageAccount -Location $DeploymentLocation -StorageAccountName $StorageAccountName}
# Update Subscription Pointer to New Storage Account

Write-Host "Updating Subscription Pointer to New Storage Account" -ForegroundColor Cyan
Set-AzureSubscription SubscriptionId $subID -CurrentStorageAccountName $StorageAccountName -ErrorAction
Stop
# Validation
$FatalError = $false
If (-Not (Get-AzureLocation | Where {$_.DisplayName -eq $DeploymentLocation})) {

Write-Host "This Azure Location was not found or available for use" -ForegroundColor Yellow
$FatalError = $true}
If (Test-AzureName -Service -Name $FrontEndService) {

Write-Host "The FrontEndService service name is already in use, please pick a different service name." -
ForegroundColor Yellow
Else { Write-Host "The FrontEndService service name is valid for use." -ForegroundColor Green}
If (Test-AzureName -Service -Name $BackEndService) {

Write-Host "The BackEndService service name is already in use, please pick a different service name." -
Else { Write-Host "The BackEndService service name is valid for use." -ForegroundColor Green}
If (-Not (Test-Path $NetworkConfigFile)) {

Write-Host 'The network config file was not found, please update the $NetworkConfigFile variable to point
to the network config xml file.' -ForegroundColor Yellow
Else { Write-Host "The network configuration file was found" -ForegroundColor Green
If (-Not (Select-String -Pattern $DeploymentLocation -Path $NetworkConfigFile)) {
Write-Host 'The deployment location was not found in the network config file, please check the
network config file to ensure the $DeploymentLocation variable is correct and the network config file matches.'
-ForegroundColor Yellow
Else { Write-Host "The deployment location was found in the network config file." -ForegroundColor
Green}}
If ($FatalError) {
Write-Host "A fatal error has occurred, please see the above messages for more information." -
ForegroundColor Red
Return}
Else { Write-Host "Validation passed, now building the environment." -ForegroundColor Green}
# Create VNET
Write-Host "Creating VNET" -ForegroundColor Cyan
Set-AzureVNetConfig -ConfigurationPath $NetworkConfigFile -ErrorAction Stop
# Create Services
Write-Host "Creating Services" -ForegroundColor Cyan
New-AzureService -Location $DeploymentLocation -ServiceName $FrontEndService -ErrorAction Stop
New-AzureService -Location $DeploymentLocation -ServiceName $BackEndService -ErrorAction Stop
# Build VMs
$i=0
$VMName | Foreach {
Write-Host "Building $($VMName[$i])" -ForegroundColor Cyan
New-AzureVMConfig -Name $VMName[$i] -ImageName $img[$i] InstanceSize $size[$i] | `
Add-AzureProvisioningConfig -Windows -AdminUsername $LocalAdmin -Password $LocalAdminPwd | `
Set-AzureSubnet SubnetNames $SubnetName[$i] | `
Set-AzureStaticVNetIP -IPAddress $VMIP[$i] | `
Set-AzureVMMicrosoftAntimalwareExtension -AntimalwareConfiguration '{"AntimalwareEnabled" : true}'
| `
Remove-AzureEndpoint -Name "PowerShell" | `
New-AzureVM ServiceName $ServiceName[$i] -VNetName $VNetName -Location $DeploymentLocation
# Note: A Remote Desktop endpoint is automatically created when each VM is created.
$i++
}
# Add HTTP Endpoint for IIS01
Get-AzureVM -ServiceName $ServiceName[0] -Name $VMName[0] | Add-AzureEndpoint -Name HTTP -Protocol tcp -
LocalPort 80 -PublicPort 80 | Update-AzureVM
# Configure NSG
Write-Host "Configuring the Network Security Group (NSG)" -ForegroundColor Cyan
# Build the NSG

Write-Host "Building the NSG" -ForegroundColor Cyan
New-AzureNetworkSecurityGroup -Name $NSGName -Location $DeploymentLocation -Label "Security group for
$VNetName subnets in $DeploymentLocation"
# Add NSG Rules

Write-Host "Writing rules into the NSG" -ForegroundColor Cyan
Get-AzureNetworkSecurityGroup -Name $NSGName | Set-AzureNetworkSecurityRule -Name "Enable Internal DNS" -
Type Inbound -Priority 100 -Action Allow `
-DestinationAddressPrefix $VMIP[3] -DestinationPortRange '53' `
-Protocol *
Get-AzureNetworkSecurityGroup -Name $NSGName | Set-AzureNetworkSecurityRule -Name "Enable RDP to $VNetName

VNet" -Type Inbound -Priority 110 -Action Allow `
-DestinationAddressPrefix VIRTUAL_NETWORK -DestinationPortRange '3389' `
-Protocol *
Get-AzureNetworkSecurityGroup -Name $NSGName | Set-AzureNetworkSecurityRule -Name "Enable Internet to

$($VMName[0])" -Type Inbound -Priority 120 -Action Allow `
-DestinationAddressPrefix $VMIP[0] -DestinationPortRange '*' `
-Protocol *
Get-AzureNetworkSecurityGroup -Name $NSGName | Set-AzureNetworkSecurityRule -Name "Enable $($VMName[0]) to

-Protocol *
Get-AzureNetworkSecurityGroup -Name $NSGName | Set-AzureNetworkSecurityRule -Name "Isolate the $VNetName

VNet from the Internet" -Type Inbound -Priority 140 -Action Deny `
-DestinationAddressPrefix VIRTUAL_NETWORK -DestinationPortRange '*' `
-Protocol *
Get-AzureNetworkSecurityGroup -Name $NSGName | Set-AzureNetworkSecurityRule -Name "Isolate the $FESubnet

subnet from the $BESubnet subnet" -Type Inbound -Priority 150 -Action Deny `
-DestinationAddressPrefix $BEPrefix -DestinationPortRange '*' `
-Protocol *
# Assign the NSG to the Subnets

Write-Host "Binding the NSG to both subnets" -ForegroundColor Cyan
Set-AzureNetworkSecurityGroupToSubnet -Name $NSGName -SubnetName $FESubnet -VirtualNetworkName
$VNetName
$VNetName
Set-AzureNetworkSecurityGroupToSubnet -Name $NSGName -SubnetName $BESubnet -VirtualNetworkName
$VNetName
# Optional Post-script Manual Configuration

# Install Test Web App (Run Post-Build Script on the IIS Server)
# Install Backend resource (Run Post-Build Script on the AppVM01)
Write-Host
Write-Host "Build Complete!" -ForegroundColor Green
Write-Host
Write-Host "Optional Post-script Manual Configuration Steps" -ForegroundColor Gray
Write-Host " - Install Test Web App (Run Post-Build Script on the IIS Server)" -ForegroundColor Gray
Write-Host " - Install Backend resource (Run Post-Build Script on the AppVM01)" -ForegroundColor Gray
Write-Host
Network config file

Save this xml file with updated location and add the link to this file to the $NetworkConfigFile variable in the
preceding script.
<NetworkConfiguration xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-

instance" xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
<VirtualNetworkConfiguration>
<Dns>
<DnsServers>
<DnsServer name="DNS01" IPAddress="10.0.2.4" />
<DnsServer name="Level3" IPAddress="209.244.0.3" />
</DnsServers>
</Dns>
<VirtualNetworkSites>
<VirtualNetworkSite name="CorpNetwork" Location="Central US">
<AddressSpace>
</AddressSpace>
<Subnets>
<Subnet name="FrontEnd">
</Subnet>
<Subnet name="BackEnd">
</Subnet>
</Subnets>
<DnsServersRef>
<DnsServerRef name="DNS01" />
<DnsServerRef name="Level3" />
</DnsServersRef>
</VirtualNetworkSites>
</VirtualNetworkConfiguration>
Sample application scripts

If you wish to install a sample application for this, and other DMZ Examples, one has been provided at the following
link: Sample Application Script
Next steps
Update and save XML file
Run the PowerShell script to build the environment
Install the sample application
Test different traffic flows through this DMZ
Example 2 Build a DMZ to protect applications with
a Firewall and NSGs

This example will create a DMZ with a firewall, four windows servers, and Network Security Groups. It will also walk
through each of the relevant commands to provide a deeper understanding of each step. There is also a Traffic
Scenario section to provide an in-depth step-by-step how traffic proceeds through the layers of defense in the DMZ.
Finally, in the references section is the complete code and instruction to build this environment to test and
experiment with various scenarios.
Environment Description
Two cloud services: FrontEnd001 and BackEnd001
A Virtual Network CorpNetwork, with two subnets: FrontEnd and BackEnd
A single Network Security Group that is applied to both subnets
A network virtual appliance, in this example a Barracuda NextGen Firewall, connected to the Frontend subnet
Two windows servers that represent application back end servers (AppVM01, AppVM02)
NOTE
Although this example uses a Barracuda NextGen Firewall, many of the different Network Virtual Appliances could be used for
this example.
In the references section below there is a PowerShell script that will build most of the environment described above.
document.
To build the environment:
service names, etc)
Note: The region signified in the PowerShell script must match the region signified in the network configuration
xml file.
Once the script runs successfully the following post-script steps may be taken:
1. Set up the firewall rules, this is covered in the section below titled: Firewall Rules.
2. Optionally in the references section are two scripts to set up the web server and app server with a simple web
application to allow testing with this DMZ configuration.
The next section explains most of the scripts statements relative to Network Security Groups.

For this example, a NSG group is built and then loaded with six rules.
TIP
Generally speaking, you should create your specific Allow rules first and then the more generic Deny rules last. The
assigned priority dictates which rules are evaluated first. Once traffic is found to apply to a specific rule, no further rules are
evaluated. NSG rules can apply in either in the inbound or outbound direction (from the perspective of the subnet).
1. Internal DNS traffic (port 53) is allowed
2. RDP traffic (port 3389) from the Internet to any VM is allowed
3. HTTP traffic (port 80) from the Internet to the NVA (firewall) is allowed
4. Any traffic (all ports) from IIS01 to AppVM1 is allowed
5. Any traffic (all ports) from the Internet to the entire VNet (both subnets) is Denied
6. Any traffic (all ports) from the Frontend subnet to the Backend subnet is Denied
With these rules bound to each subnet, if a HTTP request was inbound from the Internet to the web server, both
rules 3 (allow) and 5 (deny) would apply, but since rule 3 has a higher priority only it would apply and rule 5 would
not come into play. Thus the HTTP request would be allowed to the firewall. If that same traffic was trying to reach
the DNS01 server, rule 5 (Deny) would be the first to apply and the traffic would not be allowed to pass to the
server. Rule 6 (Deny) blocks the Frontend subnet from talking to the Backend subnet (except for allowed traffic in
rules 1 and 4), this protects the Backend network in case an attacker compromises the web application on the
Frontend, the attacker would have limited access to the Backend protected network (only to resources exposed on
the AppVM01 server).
There is a default outbound rule that allows traffic out to the internet. For this example, were allowing outbound
traffic and not modifying any outbound rules. To lock down traffic in both directions, User Defined Routing is
required, this is explored in a different example that can found in the main security boundary document.
The above discussed NSG rules are very similar to the NSG rules in Example 1 - Build a Simple DMZ with NSGs.
Please review the NSG Description in that document for a detailed look at each NSG rule and it's attributes.
Firewall Rules
A management client will need to be installed on a PC to manage the firewall and create the configurations needed.
See the documentation from your firewall (or other NVA) vendor on how to manage the device. The remainder of
this section will describe the configuration of the firewall itself, through the vendors management client (i.e. not the
Azure portal or PowerShell).
Instructions for client download and connecting to the Barracuda used in this example can be found here: Barracuda
NG Admin
On the firewall, forwarding rules will need to be created. Since this example only routes internet traffic in-bound to
the firewall and then to the web server, only one forwarding NAT rule is needed. On the Barracuda NextGen Firewall
used in this example the rule would be a Destination NAT rule (Dst NAT) to pass this traffic.
To create the following rule (or verify existing default rules), starting from the Barracuda NG Admin client
dashboard, navigate to the configuration tab, in the Operational Configuration section click Ruleset. A grid called,
Main Rules will show the existing active and deactivated rules on the firewall. In the upper right corner of this grid
is a small, green + button, click this to create a new rule (Note: your firewall may be locked for changes, if you
see a button marked Lock and you are unable to create or edit rules, click this button to unlock the ruleset and
allow editing). If you wish to edit an existing rule, select that rule, right-click and select Edit Rule.
Create a new rule and provide a name, such as "WebTraffic".
The Destination NAT rule icon looks like this:

The rule itself would look something like this:
Here any inbound address that hits the Firewall trying to reach HTTP (port 80 or 443 for HTTPS) will be sent out the
Firewalls DHCP1 Local IP interface and redirected to the Web Server with the IP Address of 10.0.1.5. Since the
traffic is coming in on port 80 and going to the web server on port 80 no port change was needed. However, the
Target List could have been 10.0.1.5:8080 if our Web Server listened on port 8080 thus translating the inbound port
80 on the firewall to inbound port 8080 on the web server.
A Connection Method should also be signified, for the Destination Rule from the Internet, "Dynamic SNAT" is most
appropriate.
Although only one rule has been created it's important that its priority is set correctly. If in the grid of all rules on
the firewall this new rule is on the bottom (below the "BLOCKALL" rule) it will never come into play. Ensure the
newly created rule for web traffic is above the BLOCKALL rule.
Once the rule is created, it must be pushed to the firewall and then activated, if this is not done the rule change will
not take effect. The push and activation process is described in the next section.
Rule Activation
With the ruleset modified to add this rule, the ruleset must be uploaded to the firewall and activated.
In the upper right hand corner of the management client are a cluster of buttons. Click the Send Changes button
to send the modified rules to the firewall, then click the Activate button.
With the activation of the firewall ruleset this example environment build is complete. Optionally, the post build
scripts in the References section can be run to add an application to this environment to test the below traffic
scenarios.
IMPORTANT
It is critical to realize that you will not hit the web server directly. When a browser requests an HTTP page from
FrontEnd001.CloudApp.Net, the HTTP endpoint (port 80) passes this traffic to the firewall not the web server. The firewall
then, according to the rule created above, NATs that request to the Web Server.
Traffic Scenarios
(Allowed) Web to Web Server through Firewall
1. Internet user requests HTTP page from FrontEnd001.CloudApp.Net (Internet Facing Cloud Service)
2. Cloud service passes traffic through open endpoint on port 80 to firewall local interface on 10.0.1.4:80
c. NSG Rule 3 (Internet to Firewall) does apply, traffic is allowed, stop rule processing
4. Traffic hits internal IP address of the firewall (10.0.1.4)
5. Firewall forwarding rule see this is port 80 traffic, redirects it to the web server IIS01
7. IIS01 asks the SQL Server on AppVM01 for information
10. AppVM01 receives the SQL Query and responds
11. Since there are no outbound rules on the Backend subnet the response is allowed
13. The IIS server receives the SQL response and completes the HTTP response and sends to the requestor
14. Since this is a NAT session from the firewall, the response destination (initially) is for the Firewall
15. The firewall receives the response from the Web Server and forwards back to the Internet User
16. Since there are no outbound rules on the Frontend subnet the response is allowed, and the Internet User
receives the web page requested.
(Allowed) RDP to Backend
1. Server Admin on internet requests RDP session to AppVM01 on BackEnd001.CloudApp.Net:xxxxx where xxxxx is
the randomly assigned port number for RDP to AppVM01 (the assigned port can be found on the Azure Portal
or via PowerShell)
2. Since the Firewall is only listening on the FrontEnd001.CloudApp.Net address, it is not involved with this traffic
flow
b. NSG Rule 2 (RDP) does apply, traffic is allowed, stop rule processing
4. With no outbound rules, default rules apply and return traffic is allowed
6. AppVM01 prompts for user name password
(Allowed) Web Server DNS lookup on DNS server
2. The network configuration for the VNet lists DNS01 (10.0.2.4 on the Backend subnet) as the primary DNS server,
IIS01 sends the DNS request to DNS01
a. NSG Rule 1 (DNS) does apply, traffic is allowed, stop rule processing
8. Internet DNS server responds, since this session was initiated internally, the response is allowed
9. DNS server caches the response, and responds to the initial request back to IIS01
(Allowed) Web Server access file on AppVM01
1. IIS01 asks for a file on AppVM01
4. AppVM01 receives the request and responds with file (assuming access is authorized)
5. Since there are no outbound rules on the Backend subnet the response is allowed
7. The IIS server receives the file
(Denied) Web direct to Web Server
Since the Web Server, IIS01, and the Firewall are in the same Cloud Service they share the same public facing IP
address. Thus any HTTP traffic would be directed to the firewall. While the request would be successfully served, it
cannot go directly to the Web Server, it passed, as designed, through the Firewall first. See the first Scenario in this
section for the traffic flow.
(Denied) Web to Backend Server
1. Internet user tries to access a file on AppVM01 through the BackEnd001.CloudApp.Net service
2. Since there are no endpoints open for file share, this would not pass the Cloud Service and wouldnt reach the
server
3. If the endpoints were open for some reason, NSG rule 5 (Internet to VNet) would block this traffic
(Denied) Web DNS lookup on DNS server
1. Internet user tries to lookup an internal DNS record on DNS01 through the BackEnd001.CloudApp.Net service
2. Since there are no endpoints open for DNS, this would not pass the Cloud Service and wouldnt reach the server
3. If the endpoints were open for some reason, NSG rule 5 (Internet to VNet) would block this traffic (Note: that
Rule 1 (DNS) would not apply for two reasons, first the source address is the internet, this rule only applies to
the local VNet as the source, also this is an Allow rule, so it would never deny traffic)
(Denied) Web to SQL access through Firewall
1. Internet user requests SQL data from FrontEnd001.CloudApp.Net (Internet Facing Cloud Service)
2. Since there are no endpoints open for SQL, this would not pass the Cloud Service and wouldnt reach the
firewall
3. If endpoints were open for some reason, the Frontend subnet begins inbound rule processing:
c. NSG Rule 2 (Internet to Firewall) does apply, traffic is allowed, stop rule processing
5. Firewall has no forwarding rules for SQL and drops the traffic
Conclusion
This is a relatively straight forward way of protecting your application with a firewall and isolating the back end
subnet from inbound traffic.
More examples and an overview of network security boundaries can be found here.
References
Main Script and Network Config
Modify the user defined variables as needed. Run the script, then follow the Firewall rule setup instruction above.
Full Script
This script will, based on the user defined variables:
2. Create a new storage account
3. Create a new VNet and two subnets as defined in the Network Config file
4. Build 4 windows server VMs
Creating a NSG
Populating it with rules
Binding the NSG to the appropriate subnets
IMPORTANT
<#
.SYNOPSIS
Example of DMZ and Network Security Groups in an isolated network (Azure only, no hybrid connections)
.DESCRIPTION
- Two new cloud services
- Two Subnets (FrontEnd and BackEnd subnets)
- A Network Virtual Appliance (NVA), in this case a Barracuda NextGen Firewall
- One server on the FrontEnd Subnet (plus the NVA on the FrontEnd subnet)
- Network Security Groups to allow/deny traffic patterns as declared

.Notes
Security requirements are different for each use case and can be addressed in a
myriad of ways. Please be sure that any sensitive data or applications are behind
the appropriate layer(s) of protection. This script serves as an example of some
of the techniques that can be used, but should not be used for all scenarios. You
are responsible to assess your security needs and the appropriate protections
needed, and then effectively implement those protections.

myFirewall - 10.0.1.4
IIS01 - 10.0.1.5

DNS01 - 10.0.2.4
AppVM01 - 10.0.2.5
AppVM02 - 10.0.2.6
#>
# Fixed Variables
$VMName = @()
$ServiceName = @()
$VMFamily = @()
$img = @()
$size = @()
$SubnetName = @()
$VMIP = @()
# User Defined Global Variables



# Service Details
# Network Details
$FEPrefix = "10.0.1.0/24"
$BEPrefix = "10.0.2.0/24"

$FWImg = Get-AzureVMImage | Where {$_.ImageFamily -match 'Barracuda NextGen Firewall'} | sort PublishedDate
-Descending | Select ImageName -First 1 | ForEach {$_.ImageName}
# NSG Details
# User Defined VM Specific Config

# Note: To ensure proper NSG Rule creation later in this script:
# - The Web Server must be VM 1
# - The AppVM1 Server must be VM 2
# - The DNS server must be VM 4
#
# Otherwise the NSG rules in the last section of this
# script will need to be changed to match the modified
# VM array numbers ($i) so the NSG Rule IP addresses
# are aligned to the associated VM IP addresses.
# VM 0 - The Network Virtual Appliance (NVA)

$VMName += "myFirewall"
$VMFamily += "Firewall"
$img += $FWImg
$size += "Small"
$VMIP += "10.0.1.4"

$VMName += "IIS01"
$img += $SrvImg
$VMIP += "10.0.1.5"
# VM 2 - The First Appliaction Server

$img += $SrvImg
$VMIP += "10.0.2.5"
# VM 3 - The Second Appliaction Server
$img += $SrvImg
$VMIP += "10.0.2.6"

$VMName += "DNS01"
$img += $SrvImg
$VMIP += "10.0.2.4"
# ----------------------------- #
# No User Defined Varibles or #
# ----------------------------- #

Add-AzureAccount

Write-Host "Fatal Error: This storage account name is already in use, please pick a diffrent name." -
ForegroundColor Red
Return}

Stop
# Validation




Else { Write-Host "The network config file was found" -ForegroundColor Green
network config file to ensure the $DeploymentLocation varible is correct and the netowrk config file matches.'
Green}}
If ($FatalError) {
Write-Host "A fatal error has occured, please see the above messages for more information." -
ForegroundColor Red
Return}
# Create VNET
# Create Services
# Build VMs
$i=0
$VMName | Foreach {
If ($VMFamily[$i] -eq "Firewall")
{
Add-AzureProvisioningConfig -Linux -LinuxUser $LocalAdmin -Password $LocalAdminPwd | `
# Set up all the EndPoints we'll need once we're up and running
# Note: Web traffic goes through the firewall, so we'll need to set up a HTTP endpoint.
# Also, the firewall will be redirecting web traffic to a new IP and Port in a
# forwarding rule, so the HTTP endpoint here will have the same public and local
# port and the firewall will do the NATing and redirection as declared in the
# firewall rule.
Add-AzureEndpoint -Name "MgmtPort1" -Protocol tcp -PublicPort 801 -LocalPort 801 -VM (Get-AzureVM
-ServiceName $ServiceName[$i] -Name $VMName[$i]) | Update-AzureVM
Add-AzureEndpoint -Name "HTTP" -Protocol tcp -PublicPort 80 -LocalPort 80 -VM (Get-AzureVM
# Note: A SSH endpoint is automatically created on port 22 when the appliance is created.
}
Else
{
Set-AzureVMMicrosoftAntimalwareExtension -AntimalwareConfiguration '{"AntimalwareEnabled" :
true}' | `
# Note: A Remote Desktop endpoint is automatically created when each VM is created.
}
$i++
}
# Configure NSG
# Build the NSG

# Add NSG Rules

Get-AzureNetworkSecurityGroup -Name $NSGName | Set-AzureNetworkSecurityRule -Name "Enable Internal DNS" -
Type Inbound -Priority 100 -Action Allow `
-DestinationAddressPrefix $VMIP[4] -DestinationPortRange '53' `
-Protocol *
Get-AzureNetworkSecurityGroup -Name $NSGName | Set-AzureNetworkSecurityRule -Name "Enable RDP to $VNetName

VNet" -Type Inbound -Priority 110 -Action Allow `
-DestinationAddressPrefix VIRTUAL_NETWORK -DestinationPortRange '3389' `
-Protocol *
Get-AzureNetworkSecurityGroup -Name $NSGName | Set-AzureNetworkSecurityRule -Name "Enable Internet to

-Protocol *
Get-AzureNetworkSecurityGroup -Name $NSGName | Set-AzureNetworkSecurityRule -Name "Enable $($VMName[1]) to

-Protocol *

-Protocol *
Get-AzureNetworkSecurityGroup -Name $NSGName | Set-AzureNetworkSecurityRule -Name "Isolate the $FESubnet

subnet from the $BESubnet subnet" -Type Inbound -Priority 150 -Action Deny `
-DestinationAddressPrefix $BEPrefix -DestinationPortRange '*' `
-Protocol *
# Assign the NSG to the Subnets

Write-Host "Binding the NSG to both subnets" -ForegroundColor Cyan
Set-AzureNetworkSecurityGroupToSubnet -Name $NSGName -SubnetName $FESubnet -VirtualNetworkName
$VNetName
Set-AzureNetworkSecurityGroupToSubnet -Name $NSGName -SubnetName $BESubnet -VirtualNetworkName
$VNetName

# Configure Firewall
Write-Host
Write-Host
Write-Host " - Configure Firewall" -ForegroundColor Gray
Write-Host
Network Config File

Save this xml file with updated location and add the link to this file to the $NetworkConfigFile variable in the script
above.
<Dns>
<DnsServers>
</DnsServers>
</Dns>
<AddressSpace>
</AddressSpace>
<Subnets>
</Subnet>
</Subnet>
</Subnets>
<DnsServersRef>
</DnsServersRef>
Sample Application Scripts

Example 3 Build a DMZ to Protect Networks with a
Firewall, UDR, and NSG

This example will create a DMZ with a firewall, four windows servers, User Defined Routing, IP Forwarding, and
Network Security Groups. It will also walk through each of the relevant commands to provide a deeper
understanding of each step. There is also a Traffic Scenario section to provide an in-depth step-by-step how traffic
proceeds through the layers of defense in the DMZ. Finally, in the references section is the complete code and
instruction to build this environment to test and experiment with various scenarios.
Environment Setup
Three cloud services: SecSvc001, FrontEnd001, and BackEnd001
A Virtual Network CorpNetwork, with three subnets: SecNet, FrontEnd, and BackEnd
A network virtual appliance, in this example a firewall, connected to the SecNet subnet
Two windows servers that represent application back end servers (AppVM01, AppVM02)
In the references section below there is a PowerShell script that will build most of the environment described above.
document.
To build the environment:
service names, etc)
Note: The region signified in the PowerShell script must match the region signified in the network configuration
xml file.
Once the script runs successfully the following post-script steps may be taken:
1. Set up the firewall rules, this is covered in the section below titled: Firewall Rule Description.
2. Optionally in the references section are two scripts to set up the web server and app server with a simple web
application to allow testing with this DMZ configuration.
Once the script runs successfully the firewall rules will need to be completed, this is covered in the section titled:
Firewall Rules.
User Defined Routing (UDR)

By default, the following system routes are defined as:
Effective routes :
-------------- ------------- ------------------- ------ ------
{10.0.0.0/16} VNETLocal Active Default
{0.0.0.0/0} Internet Active Default
The VNETLocal is always the defined address prefix(es) of the VNet for that specific network (ie it will change from
VNet to VNet depending on how each specific VNet is defined). The remaining system routes are static and default
as above.
As for priority, routes are processed via the Longest Prefix Match (LPM) method, thus the most specific route in the
table would apply to a given destination address.
Therefore, traffic (for example to the DNS01 server, 10.0.2.4) intended for the local network (10.0.0.0/16) would be
routed across the VNet to its destination due to the 10.0.0.0/16 route. In other words, for 10.0.2.4, the 10.0.0.0/16
route is the most specific route, even though the 10.0.0.0/8 and 0.0.0.0/0 also could apply, but since they are less
specific they dont affect this traffic. Thus the traffic to 10.0.2.4 would have a next hop of the local VNet and simply
route to the destination.
If traffic was intended for 10.1.1.1 for example, the 10.0.0.0/16 route wouldnt apply, but the 10.0.0.0/8 would be the
most specific, and this the traffic would be dropped (black holed) since the next hop is Null.
If the destination didnt apply to any of the Null prefixes or the VNETLocal prefixes, then it would follow the least
specific route, 0.0.0.0/0 and be routed out to the Internet as the next hop and thus out Azures internet edge.
If there are two identical prefixes in the route table, the following is the order of preference based on the routes
source attribute:
1. "VirtualAppliance" = A User Defined Route manually added to the table
2. VPNGateway = A Dynamic Route (BGP when used with hybrid networks), added by a dynamic network
protocol, these routes may change over time as the dynamic protocol automatically reflects changes in peered
network
3. Default = The System Routes, the local VNet and the static entries as shown in the route table above.
NOTE
You can now use User Defined Routing (UDR) with ExpressRoute and VPN Gateways to force outbound and inbound cross-
premises traffic to be routed to a network virtual appliance (NVA).
Creating the local routes

In this example, two routing tables are needed, one each for the Frontend and Backend subnets. Each table is loaded
with static routes appropriate for the given subnet. For the purpose of this example, each table has three routes:
1. Local subnet traffic with no Next Hop defined to allow local subnet traffic to bypass the firewall
2. Virtual Network traffic with a Next Hop defined as firewall, this overrides the default rule that allows local VNet
traffic to route directly
3. All remaining traffic (0/0) with a Next Hop defined as the firewall
Once the routing tables are created they are bound to their subnets. For the Frontend subnet routing table, once
created and bound to the subnet should look like this:
Effective routes :
-------------- ------------- ------------------- ------ ------
{10.0.1.0/24} VNETLocal Active
For this example, the following commands are used to build the route table, add a user defined route, and then bind
the route table to a subnet (Note; any items below beginning with a dollar sign (e.g.: $BESubnet) are user defined
variables from the script in the reference section of this document):
1. First the base routing table must be created. This snippet shows the creation of the table for the Backend
subnet. In the script, a corresponding table is also created for the Frontend subnet.
New-AzureRouteTable -Name $BERouteTableName `
-Label "Route table for $BESubnet subnet"
2. Once the route table is created, specific user defined routes can be added. In this snipped, all traffic (0.0.0.0/0)
will be routed through the virtual appliance (a variable, $VMIP[0], is used to pass in the IP address assigned
when the virtual appliance was created earlier in the script). In the script, a corresponding rule is also created
in the Frontend table.
Get-AzureRouteTable $BERouteTableName | `
Set-AzureRoute -RouteName "All traffic to FW" -AddressPrefix 0.0.0.0/0 `

-NextHopIpAddress $VMIP[0]
3. The above route entry will override the default "0.0.0.0/0" route, but the default 10.0.0.0/16 rule still existing
which would allow traffic within the VNet to route directly to the destination and not to the Network Virtual
Appliance. To correct this behavior the follow rule must be added.
Set-AzureRoute -RouteName "Internal traffic to FW" -AddressPrefix $VNetPrefix `
4. At this point there is a choice to be made. With the above two routes all traffic will route to the firewall for
assessment, even traffic within a single subnet. This may be desired, however to allow traffic within a subnet
to route locally without involvement from the firewall a third, very specific rule can be added. This route
states that any address destine for the local subnet can just route there directly (NextHopType = VNETLocal).
Set-AzureRoute -RouteName "Allow Intra-Subnet Traffic" -AddressPrefix $BEPrefix `
-NextHopType VNETLocal
5. Finally, with the routing table created and populated with a user defined routes, the table must now be
bound to a subnet. In the script, the front end route table is also bound to the Frontend subnet. Here is the
binding script for the back end subnet.
Set-AzureSubnetRouteTable -VirtualNetworkName $VNetName `
-SubnetName $BESubnet `
-RouteTableName $BERouteTableName
IP Forwarding
A companion feature to UDR, is IP Forwarding. This is a setting on a Virtual Appliance that allows it to receive traffic
not specifically addressed to the appliance and then forward that traffic to its ultimate destination.
As an example, if traffic from AppVM01 makes a request to the DNS01 server, UDR would route this to the firewall.
With IP Forwarding enabled, the traffic for the DNS01 destination (10.0.2.4) will be accepted by the appliance
(10.0.0.4) and then forwarded to its ultimate destination (10.0.2.4). Without IP Forwarding enabled on the Firewall,
traffic would not be accepted by the appliance even though the route table has the firewall as the next hop.
IMPORTANT
Its critical to remember to enable IP Forwarding in conjunction with User Defined Routing.
Setting up IP Forwarding is a single command and can be done at VM creation time. For the flow of this example
the code snippet is towards the end of the script and grouped with the UDR commands:
1. Call the VM instance that is your virtual appliance, the firewall in this case, and enable IP Forwarding (Note;
any item in red beginning with a dollar sign (e.g.: $VMName[0]) is a user defined variable from the script in
the reference section of this document. The zero in brackets, [0], represents the first VM in the array of VMs,
for the example script to work without modification, the first VM (VM 0) must be the firewall):
Get-AzureVM -Name $VMName[0] -ServiceName $ServiceName[0] | `
Set-AzureIPForwarding -Enable

In this example, a NSG group is built and then loaded with a single rule. This group is then bound only to the
Frontend and Backend subnets (not the SecNet). Declaratively the following rule is being built:
1. Any traffic (all ports) from the Internet to the entire VNet (all subnets) is Denied
Although NSGs are used in this example, its main purpose is as a secondary layer of defense against manual
misconfiguration. We want to block all inbound traffic from the internet to either the Frontend or Backend subnets,
traffic should only flow through the SecNet subnet to the firewall (and then if appropriate on to the Frontend or
Backend subnets). Plus, with the UDR rules in place, any traffic that did make it into the Frontend or Backend
subnets would be directed out to the firewall (thanks to UDR). The firewall would see this as an asymmetric flow
and would drop the outbound traffic. Thus there are three layers of security protecting the Frontend and Backend
subnets; 1) no open endpoints on the FrontEnd001 and BackEnd001 cloud services, 2) NSGs denying traffic from
the Internet, 3) the firewall dropping asymmetric traffic.
One interesting point regarding the Network Security Group in this example is that it contains only one rule, shown
below, which is to deny internet traffic to the entire virtual network which would include the Security subnet.

Set-AzureNetworkSecurityRule -Name "Isolate the $VNetName VNet `
from the Internet" `
-Protocol *
However, since the NSG is only bound to the Frontend and Backend subnets, the rule isnt processed on traffic
inbound to the Security subnet. As a result, even though the NSG rule says no Internet traffic to any address on the
VNet, because the NSG was never bound to the Security subnet, traffic will flow to the Security subnet.
Set-AzureNetworkSecurityGroupToSubnet -Name $NSGName `

-SubnetName $FESubnet -VirtualNetworkName $VNetName
Set-AzureNetworkSecurityGroupToSubnet -Name $NSGName `

-SubnetName $BESubnet -VirtualNetworkName $VNetName
Firewall Rules
On the firewall, forwarding rules will need to be created. Since the firewall is blocking or forwarding all inbound,
outbound, and intra-VNet traffic many firewall rules are needed. Also, all inbound traffic will hit the Security Service
public IP address (on different ports), to be processed by the firewall. A best practice is to diagram the logical flows
before setting up the subnets and firewall rules to avoid rework later. The following figure is a logical view of the
firewall rules for this example:
NOTE
Based on the Network Virtual Appliance used, the management ports will vary. In this example a Barracuda NextGen Firewall
is referenced which uses ports 22, 801, and 807. Please consult the appliance vendor documentation to find the exact ports
used for management of the device being used.
Logical Rule Description

In the logical diagram above, the security subnet is not shown since the firewall is the only resource on that subnet,
and this diagram is showing the firewall rules and how they logically allow or deny traffic flows and not the actual
routed path. Also, the external ports selected for the RDP traffic are higher ranged ports (8014 8026) and were
selected to somewhat align with the last two octets of the local IP address for easier readability (e.g. local server
address 10.0.1.4 is associated with external port 8014), however any higher non-conflicting ports could be used.
For this example, we need 7 types of rules, these rule types are described as follows:
External Rules (for inbound traffic):
1. Firewall Management Rule: This App Redirect rule allows traffic to pass to the management ports of the
network virtual appliance.
2. RDP Rules (for each windows server): These four rules (one for each server) will allow management of the
individual servers via RDP. This could also be bundled into one rule depending on the capabilities of the
Network Virtual Appliance being used.
3. Application Traffic Rules: There are two Application Traffic Rules, the first for the front end web traffic, and
the second for the back end traffic (eg web server to data tier). The configuration of these rules will
depend on the network architecture (where your servers are placed) and traffic flows (which direction the
traffic flows, and which ports are used).
The first rule will allow the actual application traffic to reach the application server. While the other
rules allow for security, management, etc., Application Rules are what allow external users or
services to access the application(s). For this example, there is a single web server on port 80, thus
a single firewall application rule will redirect inbound traffic to the external IP, to the web servers
internal IP address. The redirected traffic session would be NATd to the internal server.
The second Application Traffic Rule is the back end rule to allow the Web Server to talk to the
AppVM01 server (but not AppVM02) via any port.
Internal Rules (for intra-VNet traffic)
1. Outbound to Internet Rule: This rule will allow traffic from any network to pass to the selected networks.
This rule is usually a default rule already on the firewall, but in a disabled state. This rule should be
enabled for this example.
2. DNS Rule: This rule allows only DNS (port 53) traffic to pass to the DNS server. For this environment
most traffic from the Frontend to the Backend is blocked, this rule specifically allows DNS from any local
subnet.
3. Subnet to Subnet Rule: This rule is to allow any server on the back end subnet to connect to any server on
the front end subnet (but not the reverse).
Fail-safe Rule (for traffic that doesnt meet any of the above):
1. Deny All Traffic Rule: This should always be the final rule (in terms of priority), and as such if a traffic
flows fails to match any of the preceding rules it will be dropped by this rule. This is a default rule and
usually activated, no modifications are generally needed.
TIP
On the second application traffic rule, any port is allowed for easy of this example, in a real scenario the most specific port and
address ranges should be used to reduce the attack surface of this rule.
IMPORTANT
Once all of the above rules are created, its important to review the priority of each rule to ensure traffic will be allowed or
denied as desired. For this example, the rules are in priority order. It's easy to be locked out of the firewall due to mis-ordered
rules. At a minimum, ensure the management for the firewall itself is always the absolute highest priority rule.
Rule Prerequisites
One prerequisite for the Virtual Machine running the firewall are public endpoints. For the firewall to process traffic
the appropriate public endpoints must be open. There are three types of traffic in this example; 1) Management
traffic to control the firewall and firewall rules, 2) RDP traffic to control the windows servers, and 3) Application
Traffic. These are the three columns of traffic types in the upper half of logical view of the firewall rules above.
IMPORTANT
A key takeway here is to remember that all traffic will come through the firewall. So to remote desktop to the IIS01 server,
even though it's in the Front End Cloud Service and on the Front End subnet, to access this server we will need to RDP to the
firewall on port 8014, and then allow the firewall to route the RDP request internally to the IIS01 RDP Port. The Azure portal's
"Connect" button won't work because there is no direct RDP path to IIS01 (as far as the portal can see). This means all
connections from the internet will be to the Security Service and a Port, e.g. secscv001.cloudapp.net:xxxx (reference the above
diagram for the mapping of External Port and Internal IP and Port).
An endpoint can be opened either at the time of VM creation or post build as is done in the example script and
shown below in this code snippet (Note; any item beginning with a dollar sign (e.g.: $VMName[$i]) is a user defined
variable from the script in the reference section of this document. The $i in brackets, [$i], represents the array
number of a specific VM in an array of VMs):
Add-AzureEndpoint -Name "HTTP" -Protocol tcp -PublicPort 80 -LocalPort 80 `

-VM (Get-AzureVM -ServiceName $ServiceName[$i] -Name $VMName[$i]) | `
Update-AzureVM
Although not clearly shown here due to the use of variables, but endpoints are only opened on the Security Cloud
Service. This is to ensure that all inbound traffic is handled (routed, NAT'd, dropped) by the firewall.
A management client will need to be installed on a PC to manage the firewall and create the configurations needed.
See the documentation from your firewall (or other NVA) vendor on how to manage the device. The remainder of
this section and the next section, Firewall Rules Creation, will describe the configuration of the firewall itself,
through the vendors management client (i.e. not the Azure portal or PowerShell).
Instructions for client download and connecting to the Barracuda used in this example can be found here: Barracuda
NG Admin
Once logged onto the firewall but before creating firewall rules, there are two prerequisite object classes that can
make creating the rules easier; Network & Service objects.
For this example, three named network objects should be defined (one for the Frontend subnet and the Backend
subnet, also a network object for the IP address of the DNS server). To create a named network; starting from the
Barracuda NG Admin client dashboard, navigate to the configuration tab, in the Operational Configuration section
click Ruleset, then click Networks under the Firewall Objects menu, then click New in the Edit Networks menu. The
network object can now be created, by adding the name and the prefix:
This will create a named network for the FrontEnd subnet, a similar object should be created for the BackEnd subnet
as well. Now the subnets can be more easily referenced by name in the firewall rules.
For the DNS Server Object:
This single IP address reference will be utilized in a DNS rule later in the document.
The second prerequisite objects are Services objects. These will represent the RDP connection ports for each server.
Since the existing RDP service object is bound to the default RDP port, 3389, new Services can be created to allow
traffic from the external ports (8014-8026). The new ports could also be added to the existing RDP service, but for
ease of demonstration, an individual rule for each server can be created. To create a new RDP rule for a server;
starting from the Barracuda NG Admin client dashboard, navigate to the configuration tab, in the Operational
Configuration section click Ruleset, then click Services under the Firewall Objects menu, scroll down the list of
services and select the RDP service. Right-click and select copy, then right-click and select Paste. There is now a
RDP-Copy1 Service Object that can be edited. Right-click RDP-Copy1 and select Edit, the Edit Service Object
window will pop up as shown here:
The values can then be edited to represent the RDP service for a specific server. For AppVM01 the above default
RDP rule should be modified to reflect a new Service Name, Description, and external RDP Port used in the Figure 8
diagram (Note: the ports are changed from the RDP default of 3389 to the external port being used for this specific
server, in the case of AppVM01 the external Port is 8025) the modified service is shown below:
This process must be repeated to create RDP Services for the remaining servers; AppVM02, DNS01, and IIS01. The
creation of these Services will make the Rule creation simpler and more obvious in the next section.
NOTE
An RDP service for the Firewall is not needed for two reasons; 1) first the firewall VM is a Linux based image so SSH would be
used on port 22 for VM management instead of RDP, and 2) port 22, and two other management ports are allowed in the
first management rule described below to allow for management connectivity.
Firewall Rules Creation

There are three types of firewall rules used in this example, they all have distinct icons:
The Application Redirect rule:
The Destination NAT rule:
The Pass rule:

More information on these rules can be found at the Barracuda web site.
To create the following rules (or verify existing default rules), starting from the Barracuda NG Admin client
dashboard, navigate to the configuration tab, in the Operational Configuration section click Ruleset. A grid called,
Main Rules will show the existing active and deactivated rules on this firewall. In the upper right corner of this grid
is a small, green + button, click this to create a new rule (Note: your firewall may be locked for changes, if you
see a button marked Lock and you are unable to create or edit rules, click this button to unlock the rule set and
allow editing). If you wish to edit an existing rule, select that rule, right-click and select Edit Rule.
Once your rules are created and/or modified, they must be pushed to the firewall and then activated, if this is not
done the rule changes will not take effect. The push and activation process is described below the details rule
descriptions.
The specifics of each rule required to complete this example are described as follows:
Firewall Management Rule: This App Redirect rule allows traffic to pass to the management ports of the
network virtual appliance, in this example a Barracuda NextGen Firewall. The management ports are 801,
807 and optionally 22. The external and internal ports are the same (i.e. no port translation). This rule, SETUP-
MGMT-ACCESS, is a default rule and enabled by default (in Barracuda NextGen Firewall version 6.1).
TIP
The source address space in this rule is Any, if the management IP address ranges are known, reducing this scope would also
reduce the attack surface to the management ports.
RDP Rules: These Destination NAT rules will allow management of the individual servers via RDP. There are
four critical fields needed to create this rule:
1. Source to allow RDP from anywhere, the reference Any is used in the Source field.
2. Service use the appropriate Service Object created earlier, in this case AppVM01 RDP, the external
ports redirect to the servers local IP address and to port 3386 (the default RDP port). This specific rule is
for RDP access to AppVM01.
3. Destination should be the local port on the firewall, DCHP 1 Local IP or eth0 if using static IPs. The
ordinal number (eth0, eth1, etc) may be different if your network appliance has multiple local interfaces.
This is the port the firewall is sending out from (may be the same as the receiving port), the actual routed
destination is in the Target List field.
4. Redirection this section tells the virtual appliance where to ultimately redirect this traffic. The
simplest redirection is to place the IP and Port (optional) in the Target List field. If no port is used the
destination port on the inbound request will be used (ie no translation), if a port is designated the port
will also be NATd along with the IP address.
A total of four RDP rules will need to be created:
RULE NAME SERVER SERVICE TARGET LIST
RDP-to-IIS01 IIS01 IIS01 RDP 10.0.1.4:3389
RDP-to-DNS01 DNS01 DNS01 RDP 10.0.2.4:3389
RDP-to-AppVM01 AppVM01 AppVM01 RDP 10.0.2.5:3389
RDP-to-AppVM02 AppVM02 AppVm02 RDP 10.0.2.6:3389
TIP
Narrowing down the scope of the Source and Service fields will reduce the attack surface. The most limited scope that will
allow functionality should be used.
Application Traffic Rules: There are two Application Traffic Rules, the first for the front end web traffic, and
the second for the back end traffic (eg web server to data tier). These rules will depend on the network
architecture (where your servers are placed) and traffic flows (which direction the traffic flows, and which
ports are used).
First discussed is the front end rule for web traffic:
This Destination NAT rule allows the actual application traffic to reach the application server. While the other
rules allow for security, management, etc., Application Rules are what allow external users or services to
access the application(s). For this example, there is a single web server on port 80, thus the single firewall
application rule will redirect inbound traffic to the external IP, to the web servers internal IP address.
Note: that there is no port assigned in the Target List field, thus the inbound port 80 (or 443 for the Service
selected) will be used in the redirection of the web server. If the web server is listening on a different port, for
example port 8080, the Target List field could be updated to 10.0.1.4:8080 to allow for the Port redirection as
well.
The next Application Traffic Rule is the back end rule to allow the Web Server to talk to the AppVM01 server
(but not AppVM02) via Any service:
This Pass rule allows any IIS server on the Frontend subnet to reach the AppVM01 (IP Address 10.0.2.5) on
Any port, using any Protocol to access data needed by the web application.
In this screen shot an "<explicit-dest>" is used in the Destination field to signify 10.0.2.5 as the destination.
This could be either explicit as shown or a named Network Object (as was done in the prerequisites for the
DNS server). This is up to the administrator of the firewall as to which method will be used. To add 10.0.2.5
as an Explict Desitnation, double-click on the first blank row under <explicit-dest> and enter the address in
the window that pops up.
With this Pass Rule, no NAT is needed since this is internal traffic, so the Connection Method can be set to
"No SNAT".
Note: The Source network in this rule is any resource on the FrontEnd subnet, if there will only be one, or a
known specific number of web servers, a Network Object resource could be created to be more specific to
those exact IP addresses instead of the entire Frontend subnet.
TIP
This rule uses the service Any to make the sample application easier to setup and use, this will also allow ICMPv4 (ping) in a
single rule. However, this is not a recommended practice. The ports and protocols (Services) should be narrowed to the
minimum possible that allows application operation to reduce the attack surface across this boundary.
TIP
Although this rule shows an explicit-dest reference being used, a consistent approach should be used throughout the firewall
configuration. It is recommended that the named Network Object be used throughout for easier readability and
supportability. The explicit-dest is used here only to show an alternative reference method and is not generally recommended
(especially for complex configurations).
Outbound to Internet Rule: This Pass rule will allow traffic from any Source network to pass to the selected
Destination networks. This rule is a default rule usually already on the Barracuda NextGen firewall, but is in a
disabled state. Right-clicking on this rule can access the Activate Rule command. The rule shown here has
been modified to add the two local subnets that were created as references in the prerequisite section of this
document to the Source attribute of this rule.
DNS Rule: This Pass rule allows only DNS (port 53) traffic to pass to the DNS server. For this environment
most traffic from the FrontEnd to the BackEnd is blocked, this rule specifically allows DNS.
Note: In this screen shot the Connection Method is included. Because this rule is for internal IP to internal IP
address traffic, no NATing is required, this the Connection Method is set to No SNAT for this Pass rule.
Subnet to Subnet Rule: This Pass rule is a default rule that has been activated and modified to allow any
server on the back end subnet to connect to any server on the front end subnet. This rule is all internal traffic
so the Connection Method can be set to No SNAT.
Note: The Bi-directional checkbox is not checked (nor is it checked in most rules), this is significant for this
rule in that it makes this rule one directional, a connection can be initiated from the back end subnet to the
front end network, but not the reverse. If that checkbox was checked, this rule would enable bi-directional
traffic, which from our logical diagram is not desired.
Deny All Traffic Rule: This should always be the final rule (in terms of priority), and as such if a traffic flows
fails to match any of the preceding rules it will be dropped by this rule. This is a default rule and usually
activated, no modifications are generally needed.
IMPORTANT
Once all of the above rules are created, its important to review the priority of each rule to ensure traffic will be allowed or
denied as desired. For this example, the rules are in the order they should appear in the Main Grid of forwarding rules in the
Barracuda Management Client.
Rule Activation
With the ruleset modified to the specification of the logic diagram, the ruleset must be uploaded to the firewall and
then activated.
In the upper right hand corner of the management client are a cluster of buttons. Click the Send Changes button
to send the modified rules to the firewall, then click the Activate button.
With the activation of the firewall ruleset this example environment build is complete.
Traffic Scenarios
IMPORTANT
A key takeway is to remember that all traffic will come through the firewall. So to remote desktop to the IIS01 server, even
though it's in the Front End Cloud Service and on the Front End subnet, to access this server we will need to RDP to the
firewall on port 8014, and then allow the firewall to route the RDP request internally to the IIS01 RDP Port. The Azure portal's
"Connect" button won't work because there is no direct RDP path to IIS01 (as far as the portal can see). This means all
connections from the internet will be to the Security Service and a Port, e.g. secscv001.cloudapp.net:xxxx.
For these scenarios, the following firewall rules should be in place:

1. Firewall Management
2. RDP to IIS01
3. RDP to DNS01
4. RDP to AppVM01
5. RDP to AppVM02
6. App Traffic to the Web
7. App Traffic to AppVM01
8. Outbound to the Internet
9. Frontend to DNS01
10. Intra-Subnet Traffic (back end to front end only)
11. Deny All
The actual firewall ruleset will most likely have many other rules in addition to these, the rules on any given firewall
will also have different priority numbers than the ones listed here. This list and associated numbers are to provide
relevance between just these eleven rules and the relative priority amongst them. In other words; on the actual
firewall, the RDP to IIS01 may be rule number 5, but as long as its below the Firewall Management rule and
above the RDP to DNS01 rule it would align with the intention of this list. The list will also aid in the below
scenarios allowing brevity; e.g. FW Rule 9 (DNS). Also for brevity, the four RDP rules will be collectively called, the
RDP rules when the traffic scenario is unrelated to RDP.
Also recall that Network Security Groups are in-place for inbound internet traffic on the Frontend and Backend
subnets.
(Allowed) Internet to Web Server
1. Internet user requests HTTP page from SecSvc001.CloudApp.Net (Internet Facing Cloud Service)
2. Cloud service passes traffic through open endpoint on port 80 to firewall interface on 10.0.0.4:80
3. No NSG assigned to Security subnet, so system NSG rules allow traffic to firewall
5. Firewall begins rule processing:
a. FW Rule 1 (FW Mgmt) doesnt apply, move to next rule
b. FW Rules 2 - 5 (RDP Rules) dont apply, move to next rule
c. FW Rule 6 (App: Web) does apply, traffic is allowed, firewall NATs it to 10.0.1.4 (IIS01)
6. The Frontend subnet begins inbound rule processing:
a. NSG Rule 1 (Block Internet) doesnt apply (this traffic was NATd by the firewall, thus the source address is
now the firewall which is on the Security subnet and seen by the Frontend subnet NSG to be local traffic
and is thus allowed), move to next rule
b. Default NSG Rules allow subnet to subnet traffic, traffic is allowed, stop NSG rule processing
8. IIS01 attempts to initiates an FTP session to AppVM01 on Backend subnet
9. The UDR route on Frontend subnet makes the firewall the next hop
b. FW Rule 2 - 5 (RDP Rules) dont apply, move to next rule
c. FW Rule 6 (App: Web) doesnt apply, move to next rule
d. FW Rule 7 (App: Backend) does apply, traffic is allowed, firewall forwards traffic to 10.0.2.5 (AppVM01)
a. NSG Rule 1 (Block Internet) doesnt apply, move to next rule
13. AppVM01 receives the request and initiates the session and responds
14. The UDR route on Backend subnet makes the firewall the next hop
15. Since there are no outbound NSG rules on the Backend subnet the response is allowed
16. Because this is returning traffic on an established session the firewall passes the response back to the web server
(IIS01)
18. The IIS server receives the response, completes the transaction with AppVM01, and then completes building the
HTTP response, this HTTP response is sent to the requestor
19. Since there are no outbound NSG rules on the Frontend subnet the response is allowed
20. The HTTP response hits the firewall, and because this is the response to an established NAT session is accepted
by the firewall
21. The firewall then redirects the response back to the Internet User
22. Since there are no outbound NSG rules or UDR hops on the Frontend subnet the response is allowed, and the
Internet User receives the web page requested.
(Allowed) Internet RDP to Backend
1. Server Admin on internet requests RDP session to AppVM01 via SecSvc001.CloudApp.Net:8025, where 8025 is
the user assigned port number for the RDP to AppVM01 firewall rule
2. The cloud service passes traffic through the open endpoint on port 8025 to firewall interface on 10.0.0.4:8025
3. No NSG assigned to Security subnet, so system NSG rules allow traffic to firewall
b. FW Rule 2 (RDP IIS) doesnt apply, move to next rule
c. FW Rule 3 (RDP DNS01) doesnt apply, move to next rule
d. FW Rule 4 (RDP AppVM01) does apply, traffic is allowed, firewall NATs it to 10.0.2.5:3386 (RDP port on
AppVM01)
a. NSG Rule 1 (Block Internet) doesnt apply (this traffic was NATd by the firewall, thus the source address is
now the firewall which is on the Security subnet and seen by the Backend subnet NSG to be local traffic
and is thus allowed), move to next rule
6. AppVM01 is listening for RDP traffic and responds
7. With no outbound NSG rules, default rules apply and return traffic is allowed
8. UDR routes outbound traffic to the firewall as the next hop
9. Because this is returning traffic on an established session the firewall passes the response back to the internet
user
11. AppVM01 prompts for user name password
(Allowed) Web Server DNS lookup on DNS server
2. The network configuration for the VNet lists DNS01 (10.0.2.4 on the Backend subnet) as the primary DNS server,
IIS01 sends the DNS request to DNS01
4. No outbound NSG rules are bound to the Frontend subnet, traffic is allowed
c. FW Rules 6 & 7 (App Rules) dont apply, move to next rule
d. FW Rule 8 (To Internet) doesnt apply, move to next rule
e. FW Rule 9 (DNS) does apply, traffic is allowed, firewall forwards traffic to 10.0.2.4 (DNS01)
10. No outbound NSG rules on Backend subnet, traffic is allowed
d. FW Rule 8 (To Internet) does apply, traffic is allowed, session is SNAT out to root DNS server on the
Internet
12. Internet DNS server responds, since this session was initiated from the firewall, the response is accepted by the
firewall
13. As this is an established session, the firewall forwards the response to the initiating server, DNS01
15. The DNS server receives and caches the response, and then responds to the initial request back to IIS01
16. The UDR route on backend subnet makes the firewall the next hop
17. No outbound NSG rules exist on the Backend subnet, traffic is allowed
18. This is an established session on the firewall, the response is forwarded by the firewall back to the IIS server
(Allowed) Backend server to Frontend server
1. An administrator logged on to AppVM02 via RDP requests a file directly from the IIS01 server via windows file
explorer
2. The UDR route on Backend subnet makes the firewall the next hop
3. Since there are no outbound NSG rules on the Backend subnet the response is allowed
e. FW Rule 9 (DNS) doesnt apply, move to next rule
f. FW Rule 10 (Intra-Subnet) does apply, traffic is allowed, firewall passes traffic to 10.0.1.4 (IIS01)
6. Assuming proper authentication and authorization, IIS01 accepts the request and responds
7. The UDR route on Frontend subnet makes the firewall the next hop
8. Since there are no outbound NSG rules on the Frontend subnet the response is allowed
9. As this is an existing session on the firewall this response is allowed and the firewall returns the response to
AppVM02
11. AppVM02 receives the response
(Denied) Internet direct to Web Server
1. Internet user tries to access the web server, IIS01, through the FrontEnd001.CloudApp.Net service
2. Since there are no endpoints open for HTTP traffic, this would not pass through the Cloud Service and wouldnt
reach the server
3. If the endpoints were open for some reason, the NSG (Block Internet) on the Frontend subnet would block this
traffic
4. Finally, the Frontend subnet UDR route would send any outbound traffic from IIS01 to the firewall as the next
hop, and the firewall would see this as asymmetric traffic and drop the outbound response Thus there are at
least three independent layers of defense between the internet and IIS01 via its cloud service preventing
unauthorized/inappropriate access.
(Denied) Internet to Backend Server
1. Internet user tries to access a file on AppVM01 through the BackEnd001.CloudApp.Net service
2. Since there are no endpoints open for file share, this would not pass the Cloud Service and wouldnt reach the
server
3. If the endpoints were open for some reason, the NSG (Block Internet) would block this traffic
4. Finally, the UDR route would send any outbound traffic from AppVM01 to the firewall as the next hop, and the
firewall would see this as asymmetric traffic and drop the outbound response Thus there are at least three
independent layers of defense between the internet and AppVM01 via its cloud service preventing
(Denied) Frontend server to Backend Server
1. Assume IIS01 was compromised and is running malicious code trying to scan the Backend subnet servers.
2. The Frontend subnet UDR route would send any outbound traffic from IIS01 to the firewall as the next hop. This
is not something that can be altered by the compromised VM.
3. The firewall would process the traffic, if the request was to AppVM01, or to the DNS server for DNS lookups that
traffic could potentially be allowed by the firewall (due to FW Rules 7 and 9). All other traffic would be blocked
by FW Rule 11 (Deny All).
4. If advanced threat detection was enabled on the firewall (which is not covered in this document, see the vendor
documentation for your specific network appliance advanced threat capabilities), even traffic that would be
allowed by the basic forwarding rules discussed in this document could be prevented if the traffic contained
known signatures or patterns that flag an advanced threat rule.
(Denied) Internet DNS lookup on DNS server
1. Internet user tries to lookup an internal DNS record on DNS01 through BackEnd001.CloudApp.Net service
2. Since there are no endpoints open for DNS traffic, this would not pass through the Cloud Service and wouldnt
reach the server
3. If the endpoints were open for some reason, the NSG rule (Block Internet) on the Frontend subnet would block
this traffic
4. Finally, the Backend subnet UDR route would send any outbound traffic from DNS01 to the firewall as the next
hop, and the firewall would see this as asymmetric traffic and drop the outbound response Thus there are at
least three independent layers of defense between the internet and DNS01 via its cloud service preventing
(Denied) Internet to SQL access through Firewall
1. Internet user requests SQL data from SecSvc001.CloudApp.Net (Internet Facing Cloud Service)
2. Since there are no endpoints open for SQL, this would not pass the Cloud Service and wouldnt reach the
firewall
3. If SQL endpoints were open for some reason, the firewall would begin rule processing:
b. FW Rules 2 - 5 (RDP Rules) dont apply, move to next rule
c. FW Rule 6 & 7 (Application Rules) dont apply, move to next rule
e. FW Rule 9 (DNS) doesnt apply, move to next rule
f. FW Rule 10 (Intra-Subnet) doesnt apply, move to next rule
g. FW Rule 11 (Deny All) does apply, traffic is blocked, stop rule processing
References
Main Script and Network Config
Modify the user defined variables as needed. Run the script, then follow the Firewall rule setup instruction above.
Full Script
This script will, based on the user defined variables:
2. Create a new storage account
3. Create a new VNet and three subnets as defined in the Network Config file
4. Build five virtual machines; 1 firewall and 4 windows server VMs
5. Configure UDR including:
a. Creating two new route tables
b. Add routes to the tables
c. Bind tables to appropriate subnets
6. Enable IP Forwarding on the NVA
a. Creating a NSG
b. Adding a rule
c. Binding the NSG to the appropriate subnets
IMPORTANT
<#
.SYNOPSIS
Example of DMZ and User Defined Routing in an isolated network (Azure only, no hybrid connections)
.DESCRIPTION
- Three new cloud services
- Three Subnets (SecNet, FrontEnd, and BackEnd subnets)
- A Network Virtual Appliance (NVA), in this case a Barracuda NextGen Firewall
- One server on the FrontEnd Subnet
- IP Forwading from the FireWall out to the internet
- User Defined Routing FrontEnd and BackEnd Subnets to the NVA

.Notes
Everyone's security requirements are different and can be addressed in a myriad of ways.
Please be sure that any sensitive data or applications are behind the appropriate
layer(s) of protection. This script serves as an example of some of the techniques
that can be used, but should not be used for all scenarios. You are responsible to
assess your security needs and the appropriate protections needed, and then effectively
implement those protections.
Security Service (SecNet subnet 10.0.0.0/24)

myFirewall - 10.0.0.4

IIS01 - 10.0.1.4

DNS01 - 10.0.2.4
AppVM01 - 10.0.2.5
AppVM02 - 10.0.2.6
#>
# Fixed Variables
$VMName = @()
$ServiceName = @()
$VMFamily = @()
$img = @()
$size = @()
$SubnetName = @()
$VMIP = @()
# User Defined Global Variables



# Service Details
$SecureService = "SecSvc001"
# Network Details
$VNetPrefix = "10.0.0.0/16"
$SecNet = "SecNet"
$FEPrefix = "10.0.1.0/24"
$BEPrefix = "10.0.2.0/24"

$FWImg = Get-AzureVMImage | Where {$_.ImageFamily -match 'Barracuda NextGen Firewall'} | sort PublishedDate
-Descending | Select ImageName -First 1 | ForEach {$_.ImageName}
# UDR Details
$FERouteTableName = "FrontEndSubnetRouteTable"
$BERouteTableName = "BackEndSubnetRouteTable"
# NSG Details
# User Defined VM Specific Config

# Note: To ensure UDR and IP forwarding is setup
# properly this script requires VM 0 be the NVA.
# VM 0 - The Network Virtual Appliance (NVA)

$VMName += "myFirewall"
$ServiceName += $SecureService
$VMFamily += "Firewall"
$img += $FWImg
$size += "Small"
$SubnetName += $SecNet
$VMIP += "10.0.0.4"

$VMName += "IIS01"
$img += $SrvImg
$VMIP += "10.0.1.4"
# VM 2 - The First Appliaction Server

$img += $SrvImg
$VMIP += "10.0.2.5"
# VM 3 - The Second Appliaction Server

$img += $SrvImg
$VMIP += "10.0.2.6"

$VMName += "DNS01"
$img += $SrvImg
$VMIP += "10.0.2.4"
# ----------------------------- #
# No User Defined Varibles or #
# ----------------------------- #

Add-AzureAccount

Write-Host "Fatal Error: This storage account name is already in use, please pick a diffrent name." -
ForegroundColor Red
Return}

Stop
# Validation

If (Test-AzureName -Service -Name $SecureService) {

Write-Host "The SecureService service name is already in use, please pick a different service name." -

Else { Write-Host "The FrontEndService service name is valid for use" -ForegroundColor Green}


Else { Write-Host "The network config file was found" -ForegroundColor Green
network config file to ensure the $DeploymentLocation varible is correct and the netowrk config file matches.'
Green}}
If ($FatalError) {
Write-Host "A fatal error has occured, please see the above messages for more information." -
ForegroundColor Red
Return}
# Create VNET
# Create Services
New-AzureService -Location $DeploymentLocation -ServiceName $SecureService -ErrorAction Stop
# Build VMs
$i=0
$VMName | Foreach {
If ($VMFamily[$i] -eq "Firewall")
{
Add-AzureProvisioningConfig -Linux -LinuxUser $LocalAdmin -Password $LocalAdminPwd | `
# Set up all the EndPoints we'll need once we're up and running
# Note: All traffic goes through the firewall, so we'll need to set up all ports here.
# Also, the firewall will be redirecting traffic to a new IP and Port in a forwarding
# rule, so all of these endpoint have the same public and local port and the firewall
# will do the mapping, NATing, and/or redirection as declared in the firewall rules.
Add-AzureEndpoint -Name "HTTP" -Protocol tcp -PublicPort 80 -LocalPort 80 -VM (Get-AzureVM
Add-AzureEndpoint -Name "RDPWeb" -Protocol tcp -PublicPort 8014 -LocalPort 8014 -VM (Get-AzureVM
Add-AzureEndpoint -Name "RDPApp1" -Protocol tcp -PublicPort 8025 -LocalPort 8025 -VM (Get-AzureVM
Add-AzureEndpoint -Name "RDPApp2" -Protocol tcp -PublicPort 8026 -LocalPort 8026 -VM (Get-AzureVM
Add-AzureEndpoint -Name "RDPDNS01" -Protocol tcp -PublicPort 8024 -LocalPort 8024 -VM (Get-AzureVM
# Note: A SSH endpoint is automatically created on port 22 when the appliance is created.
}
Else
{
Set-AzureVMMicrosoftAntimalwareExtension -AntimalwareConfiguration '{"AntimalwareEnabled" :
true}' | `
Remove-AzureEndpoint -Name "RemoteDesktop" | `
}
$i++
}
# Configure UDR and IP Forwarding

Write-Host "Configuring UDR" -ForegroundColor Cyan
# Create the Route Tables

Write-Host "Creating the Route Tables" -ForegroundColor Cyan
New-AzureRouteTable -Name $BERouteTableName `
-Label "Route table for $BESubnet subnet"
New-AzureRouteTable -Name $FERouteTableName `
-Label "Route table for $FESubnet subnet"
# Add Routes to Route Tables

Write-Host "Adding Routes to the Route Tables" -ForegroundColor Cyan
Get-AzureRouteTable $BERouteTableName `
|Set-AzureRoute -RouteName "All traffic to FW" -AddressPrefix 0.0.0.0/0 `
|Set-AzureRoute -RouteName "Internal traffic to FW" -AddressPrefix $VNetPrefix `
|Set-AzureRoute -RouteName "Allow Intra-Subnet Traffic" -AddressPrefix $BEPrefix `
Get-AzureRouteTable $FERouteTableName `
|Set-AzureRoute -RouteName "All traffic to FW" -AddressPrefix 0.0.0.0/0 `
|Set-AzureRoute -RouteName "Internal traffic to FW" -AddressPrefix $VNetPrefix `
|Set-AzureRoute -RouteName "Allow Intra-Subnet Traffic" -AddressPrefix $FEPrefix `
# Assoicate the Route Tables with the Subnets

Write-Host "Binding Route Tables to the Subnets" -ForegroundColor Cyan
-SubnetName $BESubnet `
-RouteTableName $BERouteTableName
-SubnetName $FESubnet `
-RouteTableName $FERouteTableName
# Enable IP Forwarding on the Virtual Appliance

Get-AzureVM -Name $VMName[0] -ServiceName $ServiceName[0] `
|Set-AzureIPForwarding -Enable
# Configure NSG
# Build the NSG

# Add NSG Rule

# Add NSG Rule
-Protocol *
# Assign the NSG to two Subnets

# The NSG is *not* bound to the Security Subnet. The result
# is that internet traffic flows only to the Security subnet
# since the NSG bound to the Frontend and Backback subnets
# will Deny internet traffic to those subnets.
Write-Host "Binding the NSG to two subnets" -ForegroundColor Cyan
Set-AzureNetworkSecurityGroupToSubnet -Name $NSGName -SubnetName $FESubnet -VirtualNetworkName $VNetName
Set-AzureNetworkSecurityGroupToSubnet -Name $NSGName -SubnetName $BESubnet -VirtualNetworkName $VNetName

# Configure Firewall
Write-Host
Write-Host
Write-Host " - Configure Firewall" -ForegroundColor Gray
Write-Host
Network Config File

Save this xml file with updated location and add the link to this file to the $NetworkConfigFile variable in the script
above.
<Dns>
<DnsServers>
</DnsServers>
</Dns>
<AddressSpace>
</AddressSpace>
<Subnets>
<Subnet name="SecNet">
</Subnet>
</Subnet>
</Subnet>
</Subnets>
<DnsServersRef>
</DnsServersRef>
Sample Application Scripts

Sample application for use with DMZs

These PowerShell scripts can be run locally on the IIS01 and AppVM01 servers to install and set up a simple web
application that displays an html page from the front-end IIS01 server with content from the back-end AppVM01
server.
This application provides a simple testing environment for many of the DMZ Examples and how changes on the
Endpoints, NSGs, UDR, and Firewall rules can affect traffic flows.
Firewall rule to allow ICMP

This simple PowerShell statement can be run on any Windows VM to allow ICMP (Ping) traffic. This firewall update
allows for easier testing and troubleshooting by allowing the ping protocol to pass through the windows firewall
(for most Linux distros ICMP is on by default).
# Turn On ICMPv4
New-NetFirewallRule -Name Allow_ICMPv4 -DisplayName "Allow ICMPv4" `
-Protocol ICMPv4 -Enabled True -Profile Any -Action Allow
If you use the following scripts, this firewall rule addition is the first statement.
IIS01 - Web application installation script

This script will:
1. Open IMCPv4 (Ping) on the local server windows firewall for easier testing
2. Install IIS and the .Net Framework v4.5
3. Create an ASP.NET web page and a Web.config file
4. Change the Default application pool to make file access easier
5. Set the Anonymous user to your admin account and password
This PowerShell script should be run locally while RDPd into IIS01.
# IIS Server Post Build Config Script

# Get Admin Account and Password
Write-Host "Please enter the admin account information used to create this VM:" -ForegroundColor Cyan
$theAdmin = Read-Host -Prompt "The Admin Account Name (no domain or machine name)"
$thePassword = Read-Host -Prompt "The Admin Password"
# Turn On ICMPv4
Write-Host "Creating ICMP Rule in Windows Firewall" -ForegroundColor Cyan
New-NetFirewallRule -Name Allow_ICMPv4 -DisplayName "Allow ICMPv4" -Protocol ICMPv4 -Enabled True -Profile
Any -Action Allow
# Install IIS
Write-Host "Installing IIS and .Net 4.5, this can take some time, like 15+ minutes..." -ForegroundColor
Cyan
add-windowsfeature Web-Server, Web-WebServer, Web-Common-Http, Web-Default-Doc, Web-Dir-Browsing, Web-
Http-Errors, Web-Static-Content, Web-Health, Web-Http-Logging, Web-Performance, Web-Stat-Compression, Web-
Security, Web-Filtering, Web-App-Dev, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Net-Ext, Web-Net-Ext45, Web-Asp-
Net45, Web-Mgmt-Tools, Web-Mgmt-Console
# Create Web App Pages
Write-Host "Creating Web page and Web.Config file" -ForegroundColor Cyan
$MainPage = '<%@ Page Language="vb" AutoEventWireup="false" %>
<%@ Import Namespace="System.IO" %>
<script language="vb" runat="server">
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
Dim FILENAME As String = "\\10.0.2.5\WebShare\Rand.txt"
Dim objStreamReader As StreamReader
objStreamReader = File.OpenText(FILENAME)
Dim contents As String = objStreamReader.ReadToEnd()
lblOutput.Text = contents
objStreamReader.Close()
lblTime.Text = Now()
End Sub
</script>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>DMZ Example App</title>
</head>
<body style="font-family: Optima,Segoe,Segoe UI,Candara,Calibri,Arial,sans-serif;">
<form id="frmMain" runat="server">
<div>
<h1>Looks like you made it!</h1>
This is a page from the inside (a web server on a private network),<br />
and it is making its way to the outside! (If you are viewing this from the internet)<br />
<br />
The following sections show:
<ul style="margin-top: 0px;">
<li> Local Server Time - Shows if this page is or isnt cached anywhere</li>
<li> File Output - Shows that the web server is reaching AppVM01 on the backend subnet and
successfully returning content</li>
<li> Image from the Internet - Doesnt really show anything, but it made me happy to see this when
the app worked</li>
</ul>
<div style="border: 2px solid #8AC007; border-radius: 25px; padding: 20px; margin: 10px; width:
650px;">
<b>Local Web Server Time</b>: <asp:Label runat="server" ID="lblTime" /></div>
650px;">
<b>File Output from AppVM01</b>: <asp:Label runat="server" ID="lblOutput" /></div>
650px;">
<b>Image File Linked from the Internet</b>:<br />
<br />
<img src="http://sd.keepcalm-o-matic.co.uk/i/keep-calm-you-made-it-7.png" alt="You made it!"
width="150" length="175"/></div>
</div>
</form>
</body>
</html>'
$WebConfig ='<?xml version="1.0" encoding="utf-8"?>

<configuration>
<system.web>
<compilation debug="true" strict="false" explicit="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<identity impersonate="true" />
<customErrors mode="Off"/>
</system.web>
<system.webServer>
<defaultDocument>
<files>
<add value="Home.aspx" />
</files>
</defaultDocument>
</system.webServer>
</configuration>'
</configuration>'
$MainPage | Out-File -FilePath "C:\inetpub\wwwroot\Home.aspx" -Encoding ascii

$WebConfig | Out-File -FilePath "C:\inetpub\wwwroot\Web.config" -Encoding ascii
# Set App Pool to Clasic Pipeline to remote file access will work easier
Write-Host "Updaing IIS Settings" -ForegroundColor Cyan
c:\windows\system32\inetsrv\appcmd.exe set app "Default Web Site/" /applicationPool:".NET v4.5 Classic"
c:\windows\system32\inetsrv\appcmd.exe set config "Default Web Site/"
/section:system.webServer/security/authentication/anonymousAuthentication /userName:$theAdmin
/password:$thePassword /commit:apphost
# Make sure the IIS settings take

Write-Host "Restarting the W3SVC" -ForegroundColor Cyan
Restart-Service -Name W3SVC
Write-Host
Write-Host "Web App Creation Successfull!" -ForegroundColor Green
Write-Host
AppVM01 - File server installation script

This script sets up the back-end for this simple application. This script will:
1. Open IMCPv4 (Ping) on the firewall for easier testing
2. Create a directory for the web site
3. Create a text file to be remotely access by the web page
4. Set permissions on the directory and file to Anonymous to allow access
5. Turn off IE Enhanced Security to allow easier browsing from this server
IMPORTANT
Best Practice: Never turn off IE Enhanced Security on a production server, plus it's generally a bad idea to surf the web from
a production server. Also, opening up file shares for anonymous access is a bad idea, but done here for simplicity.
This PowerShell script should be run locally while RDPd into AppVM01. PowerShell is required to be run as
Administrator to ensure successful execution.
# AppVM01 Server Post Build Config Script
# PowerShell must be run as Administrator for Net Share commands to work
# Turn On ICMPv4
New-NetFirewallRule -Name Allow_ICMPv4 -DisplayName "Allow ICMPv4" -Protocol ICMPv4 -Enabled True -Profile
Any -Action Allow
# Create Directory
New-Item "C:\WebShare" -ItemType Directory
# Write out Rand.txt

$FileContent = "Hello, I'm the contents of a remote file on AppVM01."
$FileContent | Out-File -FilePath "C:\WebShare\Rand.txt" -Encoding ascii
# Set Permissions on share

$Acl = Get-Acl "C:\WebShare"
$AccessRule = New-Object system.security.accesscontrol.filesystemaccessrule("Everyone","ReadAndExecute,
Synchronize","ContainerInherit, ObjectInherit","InheritOnly","Allow")
$Acl.SetAccessRule($AccessRule)
Set-Acl "C:\WebShare" $Acl
# Create network share

Net Share WebShare=C:\WebShare "/grant:Everyone,READ"
# Turn Off IE Enhanced Security Configuration for Admins

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-
8CFC-4F3A74704073}" -Name "IsInstalled" -Value 0
Write-Host
Write-Host "File Server Set up Successfull!" -ForegroundColor Green
Write-Host
DNS01 - DNS server installation script

There is no script included in this sample application to set up the DNS server. If testing of the firewall rules, NSG,
or UDR needs to include DNS traffic, the DNS01 server needs to be set up manually. The Network Configuration
xml file and Resource Manager Template for both examples includes DNS01 as the primary DNS server and the
public DNS server hosted by Level 3 as the backup DNS server. The Level 3 DNS server would be the actual DNS
server used for non-local traffic, and with DNS01 not setup, no local network DNS would occur.
Next steps
Run the IIS01 script on an IIS server
Run File Server script on AppVM01
Browse to the Public IP on IIS01 to validate your build
Create a virtual network (classic) with multiple subnets
IMPORTANT
article covers using the classic deployment model. Microsoft recommends creating most new virtual networks through the
Resource Manager deployment model.
In this tutorial, learn how to create a basic Azure virtual network (classic) that has separate public and private
subnets. You can create Azure resources, like Virtual machines and Cloud services in a subnet. Resources created in
virtual networks (classic) can communicate with each other, and with resources in other networks connected to a
virtual network.
Learn more about all virtual network and subnet settings.
WARNING
Virtual networks (classic) are immediately deleted by Azure when a subscription is disabled. Virtual networks (classic) are
deleted regardless of whether resources exist in the virtual network. If you later re-enable the subscription, resources that
existed in the virtual network must be recreated.
You can create a virtual network (classic) by using the Azure portal, the Azure command-line interface (CLI) 1.0, or
PowerShell.
Portal
1. In an Internet browser, go to the Azure portal. Log in using your Azure account. If you don't have an Azure
account, you can sign up for a free trial.
2. Click +New in the portal.
3. Enter Virtual network in the Search the Marketplace box at the top of the New blade that appears. Click
Virtual network when it appears in the search results.
4. Select Classic in the Select a deployment model box in the Virtual Network blade that appears, then click
Create.
5. Enter the following values on the Create virtual network (classic) blade and then click Create:
SETTING VALUE
Name myVnet
Address space 10.0.0.0/16
Subnet name Public
Subnet address range 10.0.0.0/24
Resource group Leave Create new selected, and then enter

myResourceGroup.
SETTING VALUE
Subscription and location Select your subscription and location.
If you're new to Azure, learn more about resource groups, subscriptions, and locations (also referred to as
regions).
6. In the portal, you can create only one subnet when you create a virtual network. In this tutorial, you create a
second subnet after you create the virtual network. You might later create Internet-accessible resources in the
Public subnet. You also might create resources that aren't accessible from the Internet in the Private subnet. To
create the second subnet, enter myVnet in the Search resources box at the top of the page. Click myVnet
when it appears in the search results.
7. Click Subnets (in the SETTINGS section) on the Create virtual network (classic) blade that appears.
8. Click +Add on the myVnet - Subnets blade that appears.
9. Enter Private for Name on the Add subnet blade. Enter 10.0.1.0/24 for Address range. Click OK.
10. On the myVnet - Subnets blade, you can see the Public and Private subnets that you created.
11. Optional: When you finish this tutorial, you might want to delete the resources that you created, so that you
don't incur usage charges:
Click Overview on the myVnet blade.
Click the Delete icon on the myVnet blade.
To confirm the deletion, click Yes in the Delete virtual network box.
Azure CLI
1. You can either install and configure the Azure CLI, or use the CLI within the Azure Cloud Shell. The Azure Cloud
Shell is a free Bash shell that you can run directly within the Azure portal. It has the Azure CLI preinstalled and
configured to use with your account. To get help for CLI commands, type azure <command> --help .
2. In a CLI session, log in to Azure with the command that follows. If you click Try it in the box below, a Cloud
Shell opens. You can log in to your Azure subscription, without entering the following command:
azure login
3. To ensure the CLI is in Service Management mode, enter the following command:
4. Create a virtual network with a private subnet:
azure network vnet create --vnet myVnet --address-space 10.0.0.0 --cidr 16 --subnet-name Private --
subnet-start-ip 10.0.0.0 --subnet-cidr 24 --location "East US"
5. Create a public subnet within the virtual network:
azure network vnet subnet create --name Public --vnet-name myVnet --address-prefix 10.0.1.0/24
6. Review the virtual network and subnets:
azure network vnet show --vnet myVnet

7. Optional: You might want to delete the resources that you created when you finish this tutorial, so that you
don't incur usage charges:
azure network vnet delete --vnet myVnet --quiet
NOTE
Though you can't specify a resource group to create a virtual network (classic) in using the CLI, Azure creates the virtual
network in a resource group named Default-Networking.
PowerShell
1. Install the latest version of the PowerShell Azure module. If you're new to Azure PowerShell, see Azure
3. In PowerShell, log in to Azure by entering the Add-AzureAccount command.
4. Change the following path and filename, as appropriate, then export your existing network configuration file:
Get-AzureVNetConfig -ExportToFile c:\azure\NetworkConfig.xml
5. To create a virtual network with public and private subnets, use any text editor to add the
VirtualNetworkSite element that follows to the network configuration file.
<VirtualNetworkSite name="myVnet" Location="East US">

<AddressSpace>
</AddressSpace>
<Subnets>
<Subnet name="Private">
</Subnet>
<Subnet name="Public">
</Subnet>
</Subnets>
Review the full network configuration file schema.

6. Import the network configuration file:
Set-AzureVNetConfig -ConfigurationPath c:\azure\NetworkConfig.xml
WARNING
7. Review the virtual network and subnets:

Get-AzureVNetSite -VNetName "myVnet"
8. Optional: You might want to delete the resources that you created when you finish this tutorial, so that you
don't incur usage charges. To delete the virtual network, complete steps 4-6 again, this time removing the
VirtualNetworkSite element you added in step 5.
NOTE
Though you can't specify a resource group to create a virtual network (classic) in using PowerShell, Azure creates the virtual
network in a resource group named Default-Networking.
Next steps
To learn about all virtual network and subnet settings, see Manage virtual networks and Manage virtual network
subnets. You have various options for using virtual networks and subnets in a production environment to meet
different requirements.
To filter inbound and outbound subnet traffic, create and apply network security groups to subnets.
Create a Windows or a Linux virtual machine, and then connect it to an existing virtual network.
To connect two virtual networks in the same Azure location, create a virtual network peering between the virtual
networks. You can peer a virtual network (Resource Manager) to a virtual network (classic), but you cannot
create a peering between two virtual networks (classic).
Connect the virtual network to an on-premises network by using a VPN Gateway or Azure ExpressRoute circuit.
Create a virtual network (classic) by using the Azure
portal
network settings and define DHCP address blocks, DNS settings, security policies, and routing. You can also
further segment your VNet into subnets and deploy Azure IaaS virtual machines (VMs) and PaaS role instances, in
the same way you can deploy physical and virtual machines to your on-premises datacenter. In essence, you can
IMPORTANT
This document covers creating a VNet by using the classic deployment model. You can also create a virtual
network in the Resource Manager deployment model by using the Azure portal.
Scenario
How to create a classic VNet in the Azure portal

To create a classic VNet based on the scenario above, follow the steps below.
2. Click NEW > Networking > Virtual network, notice that the Select a deployment model list already
shows Classic, and then click Create, as seen in the figure below.
3. On the Virtual network blade, type the Name of the VNet, and then click Address space. Configure your
address space settings for the VNet and its first subnet, then click OK. The figure below shows the CIDR
block settings for our scenario.
4. Click Resource Group and select a resource group to add the VNet to, or click Create new resource
group to add the VNet to a new resource group. The figure below shows the resource group settings for a
new resource group called TestRG. For more information about resource groups, visit Azure Resource
Manager Overview.
5. If necessary, change the Subscription and Location settings for your VNet.
6. If you do not want to see the VNet as a tile in the Startboard, disable Pin to Startboard.
7. Click Create and notice the tile named Creating Virtual network as shown in the figure below.
8. Wait for the VNet to be created, and when you see the tile below, click it to add more subnets.
9. You should see the Configuration for your VNet as shown below.
10. Click Subnets > Add, then type a Name and specify an Address range (CIDR block) for your subnet, and
then click OK. The figure below shows the settings for our current scenario.
Create a virtual network (classic) using a network
configuration file with PowerShell
IMPORTANT
network in the Resource Manager deployment model.
Scenario
In this scenario you will create a VNet named TestVNet with a reserved CIDR block of 192.168.0.0./16. Your
VNet will contain the following subnets:
How to create a virtual network using a network config file from

PowerShell
Azure uses an xml file to define all virtual networks available to a subscription. You can download this file, edit it
to modify or delete existing virtual networks, and create new virtual networks. In this tutorial, you learn how to
download this file, referred to as network configuration (or netcfg) file, and edit it to create a new virtual network.
To learn more about the network configuration file, see the Azure virtual network configuration schema.
To create a virtual network with a netcfg file using PowerShell, complete the following steps:
1. If you have never used Azure PowerShell, complete the steps in the How to Install and Configure Azure
PowerShell article, then sign in to Azure and select your subscription.
2. From the Azure PowerShell console, use the Get-AzureVnetConfig cmdlet to download the network
configuration file to a directory on your computer by running the following command:
Get-AzureVNetConfig -ExportToFile c:\azure\NetworkConfig.xml
Expected output:
XMLConfiguration
----------------
<?xml version="1.0" encoding="utf-8"?>...
3. Open the file you saved in step 2 using any XML or text editor application, and look for the element. If you
have any networks already created, each network is displayed as its own element.
4. To create the virtual network described in this scenario, add the following XML just under the element:
<VirtualNetworkSite name="TestVNet" Location="East US">

<AddressSpace>
</AddressSpace>
<Subnets>
</Subnet>
</Subnet>
</Subnets>
5. Save the network configuration file.

6. From the Azure PowerShell console, use the Set-AzureVnetConfig cmdlet to upload the network
configuration file by running the following command:
Set-AzureVNetConfig -ConfigurationPath c:\azure\NetworkConfig.xml
Returned output:

-------------------- ----------- ---------------
Set-AzureVNetConfig <Id> Succeeded
If OperationStatus is not Succeeded in the returned output, check the xml file for errors and complete
step 6 again.
7. From the Azure PowerShell console, use the Get-AzureVnetSite cmdlet to verify that the new network
was added by running the following command:
Get-AzureVNetSite -VNetName TestVNet
The returned (abbreviated) output includes the following text:
AddressSpacePrefixes : {192.168.0.0/16}
Name : TestVNet
State : Created
Subnets : {FrontEnd, BackEnd}
OperationDescription : Get-AzureVNetSite
Create a virtual network (classic) by using the Azure
CLI
IMPORTANT
Before you work with Azure resources, it's important to understand that Azure currently has two deployment models:
Azure Resource Manager and classic. Make sure you understand deployment models and tools before you work with any
Azure resource. You can view the documentation for different tools by clicking the tabs at the top of this article.
network in the Resource Manager deployment model by using the Azure CLI.
Scenario
In this scenario you will create a VNet named TestVNet with a reserved CIDR block of 192.168.0.0./16. Your
VNet will contain the following subnets:
How to create a classic VNet using Azure CLI

You can use the Azure CLI to manage your Azure resources from the command prompt from any computer
running Windows, Linux, or OSX. To create a VNet by using the Azure CLI, follow the steps below.
2. Run the azure network vnet create command to create a VNet and a subnet, as shown below. The list
shown after the output explains the parameters used.
azure network vnet create --vnet TestVNet -e 192.168.0.0 -i 16 -n FrontEnd -p 192.168.1.0 -r 24 -

l "Central US"
Expected output:
info: Executing command network vnet create

+ Looking up network configuration
+ Looking up locations
+ Setting network configuration
info: network vnet create command OK
--vnet. Name of the VNet to be created. For our scenario, TestVNet

-e (or --address-space). VNet address space. For our scenario, 192.168.0.0
-i (or -cidr). Network mask in CIDR format. For our scenario, 16.
-n (or --subnet-name). Name of the first subnet. For our scenario, FrontEnd.
-p (or --subnet-start-ip). Starting IP address for subnet, or subnet address space. For our scenario,
192.168.1.0.
-r (or --subnet-cidr). Network mask in CIDR format for subnet. For our scenario, 24.
-l (or --location). Azure region where the VNet will be created. For our scenario, Central US.
3. Run the azure network vnet subnet create command to create a subnet as shown below. The list shown
after the output explains the parameters used.
azure network vnet subnet create -t TestVNet -n BackEnd -a 192.168.2.0/24
info: Executing command network vnet subnet create

+ Creating subnet "BackEnd"
+ Setting network configuration
+ Looking up the subnet "BackEnd"
data: Name : BackEnd
data: Address prefix : 192.168.2.0/24
info: network vnet subnet create command OK
-t (or --vnet-name. Name of the VNet where the subnet will be created. For our scenario, TestVNet.
-n (or --name). Name of the new subnet. For our scenario, BackEnd.
-a (or --address-prefix). Subnet CIDR block. Four our scenario, 192.168.2.0/24.
4. Run the azure network vnet show command to view the properties of the new vnet, as shown below.
azure network vnet show

info: Executing command network vnet show
Virtual network name: TestVNet
+ Looking up the virtual network sites
data: Name : TestVNet
data: Location : Central US
data: State : Created
data: Address space : 192.168.0.0/16
data: Subnets:
data: Name : FrontEnd
data:
data: Name : BackEnd
data:
info: network vnet show command OK
Add network interfaces to or remove from virtual
machines
Learn how to add an existing network interface when creating a VM or add or remove network interfaces from an
existing VM in the stopped (deallocated) state. A network interface enables an Azure Virtual Machine (VM) to
communicate with Internet, Azure, and on-premises resources. A VM can have one or more network interfaces.
If you need to add, change, or remove IP addresses for a network interface, read the Manage network interface IP
addresses article. If you need to create, change, or delete network interfaces, read the Manage network interfaces
article.
Before you begin

Complete the following tasks before completing any steps in any section of this article:
Learn about how many network interfaces each Linux and Windows VM size supports by reviewing the Linux or
Windows VM sizes articles.
Log in to the Azure portal, Azure command-line interface (CLI), or Azure PowerShell with an Azure account. If
you don't already have an Azure account, sign up for a free trial account.
If using PowerShell commands to complete tasks in this article, install and configure Azure PowerShell. Ensure
you have the most recent version of the Azure PowerShell commandlets installed. To get help for PowerShell
commands, with examples, type get-help <command> -full .
If using Azure command-line interface (CLI) commands to complete tasks in this article, install and configure the
Azure CLI. Ensure you have the most recent version of the Azure CLI installed. To get help for CLI commands,
type az <command> --help . Rather than installing the CLI and its pre-requisites, you can use the Azure Cloud
Shell. The Azure Cloud Shell is a free Bash shell that you can run directly within the Azure portal. It has the Azure
CLI preinstalled and configured to use with your account. To use the Cloud Shell, click the Cloud Shell >_ button
at the top of the portal.
About network interfaces and VMs

You can add (attach) an existing network interface to a VM when you create the VM, provided the network interface
isn't currently attached to another VM. You can add a network interface to, or remove (detach) a network interface
to from an existing VM, provided the VM is in the stopped (deallocated) state. If you create a VM using the Azure
portal, the portal creates a network interface for you with default settings. The portal does not allow you to:
Specify an existing network interface to add when creating the VM
Create a VM with multiple network interfaces
Specify a name for the network interface (the portal creates the network interface with a default name)
You can use Azure PowerShell or the CLI to create a network interface or VM with all the previous attributes that
you cannot use the portal for. Before completing the tasks in the following sections, consider the following
constraints and behaviors:
All VM sizes support at least two network interfaces, but some VM sizes support more than two network
interfaces. In the past, some VM sizes only supported one network interface. To learn how many network
interfaces each VM size supports, read the Linux or Windows VM sizes articles.
In the past, network interfaces could only be added to VMs that supported multiple network interfaces and were
created with at least two network interfaces. You could not add a network interface to a VM that was created
with one network interface, even if the VM size supported multiple network interfaces. Conversely, you could
only remove network interfaces from a VM with at least three network interfaces, because VMs created with at
least two network interfaces always had to have at least two network interfaces. Neither of these constraints
apply anymore. You can now create a VM with any number of network interfaces (up to the number supported
by the VM size) and add or remove any number of network interfaces (from VMs in the stopped (deallocated)
state), as long as the VM always has at least one network interface.
By default, the first network interface in a VM is defined as the primary network interface. All other network
interfaces in the VM are secondary network interfaces.
Primary network interfaces are assigned a default gateway by the Azure DHCP servers, but secondary network
interfaces are not. Since secondary network interfaces aren't assigned a default gateway, they cannot
communicate with resources outside of their subnet, by default. To enable secondary network interfaces in a
Windows VM to communicate with resources outside their subnet, add routes to the operating system using
the route add command from a Windows command line. For Linux VMs, since the default behavior uses weak
host routing, we recommend restricting traffic for secondary network interfaces to a single subnet. If you
require connectivity outside the subnet for secondary network interfaces, enable policy-based routing to ensure
that ingress and egress traffic uses the same network interface.
By default, all outbound traffic from the VM is sent out the IP address assigned to the primary IP configuration
of the primary network interface. You control which IP address is used for outbound traffic within the VM's
operating system, but by default, it's through the primary network interface.
In the past, all VMs within the same availability set were required to have a single, or multiple, network
interfaces. VMs with any number of network interfaces can now exist in the same availability set, up to the
number supported by the VM size. You can only add a VM to an availability set when it's created though. To
learn more about availability sets, read the Manage the availability of VMs in Azure article.
While network interfaces in the same VM can be connected to different subnets within a VNet, the network
interfaces must all be connected to the same VNet.
You can add any IP address for any IP configuration of any primary or secondary network interface to an Azure
Load Balancer back-end pool. In the past, only the primary IP address for the primary network interface could
be added to a back-end pool. To learn more about IP addresses and configurations, read the Add, change, or
remove IP addresses article.
Deleting a VM does not delete the network interfaces that are attached to it. When a VM is deleted, the network
interfaces are detached from the VM. You can add the network interfaces to different VMs, or delete them.
If a network interface has a private IPv6 address assigned to it, you can attach it to a VM when creating the VM.
You cannot attach a network interface with an assigned IPv6 address to a VM after the VM is created. If you
attach a network interface with an assigned private IPv6 address when creating a virtual machine, you can only
attach that network interface to the virtual machine, regardless of how many network interfaces the VM size
supports. See Network interface IP addresses to learn more about assigning IP addresses to network interfaces.
Add existing network interfaces to a new VM

When you create a VM through the portal, the portal creates a network interface with default settings and attaches
it to the VM for you. You cannot add existing network interfaces to a new VM, or create a VM with multiple network
interfaces using the Azure portal. You can do both using the CLI or PowerShell. You can add as many network
interfaces to a VM as the VM size you're creating supports. To learn more about how many network interfaces each
VM size supports, read the Linux or Windows VM sizes articles. The network interfaces you add to a VM cannot
currently be attached to another VM. To learn more about creating network interfaces, read the Manage network
interfaces article.
WARNING
If a network interface has a private IPv6 address assigned to it, you can only add the network interface to the virtual machine
when creating the virtual machine. You cannot attach more than one network interface to the virtual machine when you
create the virtual machine, or after the virtual machine is created, as long as an IPv6 address is assigned to a network
interface attached to a virtual machine. See Network interface IP addresses to learn more about assigning IP addresses to
network interfaces.
Commands
TOOL COMMAND
CLI az vm create
PowerShell New-AzureRmVM
Add an existing network interface to an existing VM

You can add as many network interfaces to a VM as the VM size you're adding network interfaces to supports. To
learn how many network interfaces each VM size supports, read the Linux or Windows VM sizes articles. The VM
you want to add a network interface to must support the number of network interfaces you want to add and must
be in the stopped (deallocated) state. The network interfaces you want to add cannot currently be attached to
another VM. You cannot add network interfaces to an existing VM using the Azure portal. To add network
interfaces to an existing VM, you must use the CLI or PowerShell.
WARNING
If a network interface has a private IPv6 address assigned to it, it cannot be added to an existing virtual machine. You can
only add a network interface with an assigned private IPv6 address to a virtual machine when you create a virtual machine.
See Network interface IP addresses to learn more about assigning IP addresses to network interfaces.
TOOL COMMAND
CLI az vm nic add (reference) or detailed steps
PowerShell Add-AzureRmVMNetworkInterface (reference) or detailed

steps
View network interfaces for a VM

You can view the network interfaces currently attached to a VM to learn about each network interface's
configuration, and the IP addresses assigned to each network interface.
1. Log in to the Azure portal with an account that is assigned the Owner, Contributor, or Network Contributor role
for your subscription. To learn more about assigning roles to accounts, see Built-in roles for Azure role-based
access control.
2. In the box that contains the text Search resources at the top of the Azure portal, type virtual machines. When
virtual machines appears in the search results, click it.
3. In the Virtual machines blade that appears, click the name of the VM you want to view network interfaces for.
4. In the SETTINGS section of the virtual machine blade that appears for the VM you selected, click Network
interfaces. To learn about network interface settings and how to change them, read the Manage network
interfaces article. To learn about adding, changing, or removing IP addresses assigned to a network interface,
see Manage IP addresses.
Commands
TOOL COMMAND
CLI az vm show
PowerShell Get-AzureRmVM
Remove a network interface from a VM

The VM you want to remove (or detach) a network interface from must be in the stopped (deallocated) state and
must currently have at least two network interfaces attached to it. You can remove any network interface, but the
VM must always have at least one network interface attached to it. If you remove a primary network interface,
Azure assigns the primary attribute to the network interface that's been attached to the VM the longest.
1. Log in to the Azure portal with an account that is assigned the Owner, Contributor, or Network Contributor role
for your subscription. To learn more about assigning roles to accounts, see Built-in roles for Azure role-based
access control.
2. In the box that contains the text Search resources at the top of the Azure portal, type virtual machines. When
virtual machines appears in the search results, click it.
3. In the Virtual machines blade that appears, click the name of the VM you want to remove a network interface
for.
4. In the SETTINGS section of the virtual machine blade that appears for the VM you selected, click Network
interfaces. To learn about network interface settings and how to change them, read the Manage network
interfaces article. To learn about adding, changing, or removing IP addresses assigned to a network interface,
see Manage IP addresses.
5. In the network interfaces blade that appears, click the ... to the right of the network interface that you want to
detach.
6. Click Detach. If there is only one network interface attached to the virtual machine, the Detach option isn't
available. Click Yes in the confirmation box that appears.
Commands
TOOL COMMAND
CLI az vm nic remove (reference) or detailed steps
PowerShell Remove-AzureRMVMNetworkInterface (reference) or detailed

steps
Next steps
To create a VM with multiple network interfaces or IP addresses, read the following articles:
Commands
TASK TOOL
Create a VM with multiple NICs CLI, PowerShell

TASK TOOL
Create a single NIC VM with multiple IPv4 addresses CLI, PowerShell
Create a single NIC VM with a private IPv6 address (behind an CLI, PowerShell, Azure Resource Manager template
Azure Load Balancer)
Name Resolution for VMs and Role Instances
Depending on how you use Azure to host IaaS, PaaS, and hybrid solutions, you may need to allow the VMs and
role instances that you create to communicate with each other. Although this communication can be done by
using IP addresses, it is much simpler to use names that can be easily remembered and do not change.
When role instances and VMs hosted in Azure need to resolve domain names to internal IP addresses, they can
use one of two methods:
Azure-provided name resolution
Name resolution using your own DNS server (which may forward queries to the Azure-provided DNS servers)
The type of name resolution you use depends on how your VMs and role instances need to communicate with
each other.
The following table illustrates scenarios and corresponding name resolution solutions:
SCENARIO SOLUTION SUFFIX
Name resolution between role Azure-provided name resolution hostname or FQDN

instances or VMs located in the same
cloud service or virtual network
Name resolution between role Customer-managed DNS servers FQDN only

instances or VMs located in different forwarding queries between vnets for
virtual networks resolution by Azure (DNS proxy). see
Name resolution using your own DNS
server
Resolution of on-premises computer Customer-managed DNS servers (e.g. FQDN only

and service names from role instances on-premises domain controller, local
or VMs in Azure read-only domain controller or a DNS
secondary synced using zone transfers).
See Name resolution using your own
DNS server
Resolution of Azure hostnames from Forward queries to a customer- FQDN only

on-premises computers managed DNS proxy server in the
corresponding vnet, the proxy server
forwards queries to Azure for
resolution. See Name resolution using
your own DNS server
Reverse DNS for internal IPs Name resolution using your own DNS n/a
server
Name resolution between VMs or role Not applicable. Connectivity between n/a
instances located in different cloud VMs and role instances in different
services, not in a virtual network cloud services is not supported outside
a virtual network.
Azure-provided name resolution

Along with resolution of public DNS names, Azure provides internal name resolution for VMs and role instances
that reside within the same virtual network or cloud service. VMs/instances in a cloud service share the same DNS
suffix (so the hostname alone is sufficient) but in classic virtual networks different cloud services have different
DNS suffixes so the FQDN is needed to resolve names between different cloud services. In virtual networks in the
Resource Manager deployment model, the DNS suffix is consistent across the virtual network (so the FQDN is not
needed) and DNS names can be assigned to both NICs and VMs. Although Azure-provided name resolution does
not require any configuration, it is not the appropriate choice for all deployment scenarios, as seen on the table
above.
NOTE
In the case of web and worker roles, you can also access the internal IP addresses of role instances based on the role name
and instance number using the Azure Service Management REST API. For more information, see Service Management REST
API Reference.
Features and Considerations

Features:
Ease of use: No configuration is required in order to use Azure-provided name resolution.
The Azure-provided name resolution service is highly available, saving you the need to create and manage
clusters of your own DNS servers.
Can be used in conjunction with your own DNS servers to resolve both on-premises and Azure hostnames.
Name resolution is provided between role instances/VMs within the same cloud service without need for a
FQDN.
Name resolution is provided between VMs in virtual networks that use the Resource Manager deployment
model, without need for the FQDN. Virtual networks in the classic deployment model require the FQDN when
resolving names in different cloud services.
You can use hostnames that best describe your deployments, rather than working with auto-generated names.
Considerations:
The Azure-created DNS suffix cannot be modified.
You cannot manually register your own records.
WINS and NetBIOS are not supported. (You cannot see your VMs in Windows Explorer.)
Hostnames must be DNS-compatible (They must use only 0-9, a-z and '-', and cannot start or end with a '-'.
See RFC 3696 section 2.)
DNS query traffic is throttled for each VM. This shouldn't impact most applications. If request throttling is
observed, ensure that client-side caching is enabled. For more details, see Getting the most from Azure-
provided name resolution.
Only VMs in the first 180 cloud services are registered for each virtual network in a classic deployment model.
This does not apply to virtual networks in Resource Manager deployment models.
Getting the most from Azure -provided name resolution
Client-side Caching:
Not every DNS query needs to be sent across the network. Client-side caching helps reduce latency and improve
resilience to network blips by resolving recurring DNS queries from a local cache. DNS records contain a Time-To-
Live (TTL) which allows the cache to store the record for as long as possible without impacting record freshness,
so client-side caching is suitable for most situations.
The default Windows DNS Client has a DNS cache built-in. Some Linux distros do not include caching by default, it
is recommended that one be added to each Linux VM (after checking that there isn't a local cache already).
There are a number of different DNS caching packages available, e.g. dnsmasq, here are the steps to install
dnsmasq on the most common distros:
Ubuntu (uses resolvconf):
just install the dnsmasq package (sudo apt-get install dnsmasq).
SUSE (uses netconf):
install the dnsmasq package (sudo zypper install dnsmasq)
enable the dnsmasq service (systemctl enable dnsmasq.service)
start the dnsmasq service (systemctl start dnsmasq.service)
edit /etc/sysconfig/network/config and change NETCONFIG_DNS_FORWARDER="" to dnsmasq
update resolv.conf ("netconfig update") to set the cache as the local DNS resolver
OpenLogic (uses NetworkManager):
install the dnsmasq package (sudo yum install dnsmasq)
enable the dnsmasq service (systemctl enable dnsmasq.service)
start the dnsmasq service (systemctl start dnsmasq.service)
add prepend domain-name-servers 127.0.0.1; to /etc/dhclient-eth0.conf
restart the network service (service network restart) to set the cache as the local DNS resolver
NOTE
The 'dnsmasq' package is only one of the many DNS caches available for Linux. Before using it, please check its suitability for
your particular needs and that no other cache is installed.
Client-side Retries:
DNS is primarily a UDP protocol. As the UDP protocol doesn't guarantee message delivery, retry logic is handled
in the DNS protocol itself. Each DNS client (operating system) can exhibit different retry logic depending on the
creators preference:
Windows operating systems retry after 1 second and then again after another 2, 4 and another 4 seconds.
The default Linux setup retries after 5 seconds. It is recommended to change this to retry 5 times at 1 second
intervals.
To check the current settings on a Linux VM, 'cat /etc/resolv.conf' and look at the 'options' line, e.g.:
options timeout:1 attempts:5
The resolv.conf file is usually auto-generated and should not be edited. The specific steps for adding the 'options'
line vary by distro:
Ubuntu (uses resolvconf):
add the options line to '/etc/resolveconf/resolv.conf.d/head'
run 'resolvconf -u' to update
SUSE (uses netconf):
add 'timeout:1 attempts:5' to the NETCONFIG_DNS_RESOLVER_OPTIONS="" parameter in
'/etc/sysconfig/network/config'
run 'netconfig update' to update
OpenLogic (uses NetworkManager):
add 'echo "options timeout:1 attempts:5"' to '/etc/NetworkManager/dispatcher.d/11-dhclient'
run 'service network restart' to update
Name resolution using your own DNS server
There are a number of situations where your name resolution needs may go beyond the features provided by
Azure, for example when using Active Directory domains or when you require DNS resolution between virtual
networks (vnets). To cover these scenarios, Azure provides the ability for you to use your own DNS servers.
DNS servers within a virtual network can forward DNS queries to Azure's recursive resolvers to resolve
hostnames within that virtual network. For example, a Domain Controller (DC) running in Azure can respond to
DNS queries for its domains and forward all other queries to Azure. This allows VMs to see both your on-premises
resources (via the DC) and Azure-provided hostnames (via the forwarder). Access to Azure's recursive resolvers is
provided via the virtual IP 168.63.129.16.
DNS forwarding also enables inter-vnet DNS resolution and allows your on-premises machines to resolve Azure-
provided hostnames. In order to resolve a VM's hostname, the DNS server VM must reside in the same virtual
network and be configured to forward hostname queries to Azure. As the DNS suffix is different in each vnet, you
can use conditional forwarding rules to send DNS queries to the correct vnet for resolution. The following image
shows two vnets and an on-premises network doing inter-vnet DNS resolution using this method. An example
DNS forwarder is available in the Azure Quickstart Templates gallery and GitHub.
When using Azure-provided name resolution, an Internal DNS suffix (*.internal.cloudapp.net) is provided to each
VM using DHCP. This enables hostname resolution as the hostname records are in the internal.cloudapp.net zone.
When using your own name resolution solution, the IDNS suffix is not supplied to VMs because it interferes with
other DNS architectures (like domain-joined scenarios). Instead we provide a non-functioning placeholder
(reddog.microsoft.com).
If needed, the Internal DNS suffix can be determined using PowerShell or the API:
For virtual networks in Resource Manager deployment models, the suffix is available via the network interface
card resource or via the Get-AzureRmNetworkInterface cmdlet.
In classic deployment models, the suffix is available via the Get Deployment API call or via the Get-AzureVM -
Debug cmdlet.
If forwarding queries to Azure doesn't suit your needs, you will need to provide your own DNS solution. Your DNS
solution will need to:
Provide appropriate hostname resolution, e.g. via DDNS. Note, if using DDNS you may need to disable DNS
record scavenging as Azure's DHCP leases are very long and scavenging may remove DNS records
prematurely.
Provide appropriate recursive resolution to allow resolution of external domain names.
Be accessible (TCP and UDP on port 53) from the clients it serves and be able to access the internet.
Be secured against access from the internet, to mitigate threats posed by external agents.
NOTE
For best performance, when using Azure VMs as DNS servers, IPv6 should be disabled and an Instance-Level Public IP
should be assigned to each DNS server VM. If you choose to use Windows Server as your DNS server, this article provides
additional performance analysis and optimizations.
Specifying DNS servers

When using your own DNS servers, Azure provides the ability to specify multiple DNS servers per virtual network
or per network interface (Resource Manager) / cloud service (classic). DNS servers specified for a cloud
service/network interface get precedence over those specified for the virtual network.
NOTE
Network connection properties, such as DNS server IPs, should not be edited directly within Windows VMs as they may get
erased during service heal when the virtual network adaptor gets replaced.
When using the Resource Manager deployment model, DNS servers can be specified in the Portal, API/Templates
(vnet, nic) or PowerShell (vnet, nic).
When using the classic deployment model, DNS servers for the virtual network can be specified in the Portal or
the Network Configuration file. For cloud services, the DNS servers are specified via the Service Configuration file
or in PowerShell (New-AzureVM).
NOTE
If you change the DNS settings for a virtual network/virtual machine that is already deployed, you need to restart each
affected VM for the changes to take effect.
Next steps
Resource Manager deployment model:
Create or update a virtual network
Create or update a network interface card
New-AzureRmVirtualNetwork
New-AzureRmNetworkInterface
Classic deployment model:
Azure Service Configuration Schema
Virtual Network Configuration Schema
Configure a Virtual Network by Using a Network Configuration File
Optimize network throughput for Azure virtual
machines
Azure virtual machines (VM) have default network settings that can be further optimized for network throughput.
This article describes how to optimize network throughput for Microsoft Azure Windows and Linux VMs, including
major distributions such as Ubuntu, CentOS and Red Hat.
Windows VM
If your Windows VM is supported with Accelerated Networking, enabling that feature would be the optimal
configuration for throughput. For all other Windows VMs, using Receive Side Scaling (RSS) can reach higher
maximal throughput than a VM without RSS. RSS may be disabled by default in a Windows VM. Complete the
following steps to determine whether RSS is enabled and to enable it if it's disabled.
1. Enter the Get-NetAdapterRss PowerShell command to see if RSS is enabled for a network adapter. In the
following example output returned from the Get-NetAdapterRss , RSS is not enabled.
Name : Ethernet
InterfaceDescription : Microsoft Hyper-V Network Adapter
Enabled : False
2. Enter the following command to enable RSS:
Get-NetAdapter | % {Enable-NetAdapterRss -Name $_.Name}
The previous command does not have an output. The command changed NIC settings, causing temporary
connectivity loss for about one minute. A Reconnecting dialog box appears during the connectivity loss.
Connectivity is typically restored after the third attempt.
3. Confirm that RSS is enabled in the VM by entering the Get-NetAdapterRss command again. If successful, the
following example output is returned:
Name :Ethernet
InterfaceDescription : Microsoft Hyper-V Network Adapter
Enabled : True
Linux VM
RSS is always enabled by default in an Azure Linux VM. Linux kernels released since January, 2017 include new
network optimization options that enable a Linux VM to achieve higher network throughput.
Ubuntu
In order to get the optimization, first update to the latest supported version, as of June 2017, which is:
"Publisher": "Canonical",
"Offer": "UbuntuServer",
"Sku": "16.04-LTS",
"Version": "latest"
After the update is complete, enter the following commands to get the latest kernel:
apt-get -f install
apt-get --fix-missing install
apt-get clean
apt-get -y update
apt-get -y upgrade
Optional command:
apt-get -y dist-upgrade
Ubuntu Azure Preview kernel
WARNING
This Azure Linux Preview kernel may not have the same level of availability and reliability as Marketplace images and kernels
that are in general availability release. The feature is not supported, may have constrained capabilities, and may not be as
reliable as the default kernel. Do not use this kernel for production workloads.
Significant throughput performance can be achieved by installing the proposed Azure Linux kernel. To try this
kernel, add this line to /etc/apt/sources.list
#add this to the end of /etc/apt/sources.list (requires elevation)

deb http://archive.ubuntu.com/ubuntu/ xenial-proposed restricted main multiverse universe
Then run these commands as root.
apt-get update
apt-get install "linux-azure"
reboot
CentOS
In order to get the optimization, first update to the latest supported version, as of July 2017, which is:
"Publisher": "OpenLogic",
"Offer": "CentOS",
"Sku": "7.3",
"Version": "latest"
After the update is complete, install the latest Linux Integration Services (LIS). The throughput optimization is in LIS,
starting from 4.2.2-2. Enter the following commands to install LIS:
sudo yum update

sudo reboot
sudo yum install microsoft-hyper-v
Red Hat
In order to get the optimization, first update to the latest supported version, as of July 2017, which is:
"Publisher": "RedHat"
"Offer": "RHEL"
"Sku": "7.3"
"Version": "7.3.2017071923"
After the update is complete, install the latest Linux Integration Services (LIS). The throughput optimization is in LIS,
starting from 4.2. Enter the following commands to download and install LIS:
mkdir lis4.2.2-2
cd lis4.2.2-2
wget https://download.microsoft.com/download/6/8/F/68FE11B8-FAA4-4F8D-8C7D-74DA7F2CFC8C/lis-rpms-4.2.2-2.tar.gz
tar xvzf lis-rpms-4.2.2-2.tar.gz
cd LISISO
install.sh #or upgrade.sh if prior LIS was previously installed
Learn more about Linux Integration Services Version 4.2 for Hyper-V by viewing the download page.
Next steps
Now that the VM is optimized, see the result with Bandwidth/Throughput testing Azure VM for your scenario.
Learn more with Azure Virtual Network frequently asked questions (FAQ)
Viewing and modifying hostnames
To allow your role instances to be referenced by host name, you must set the value for the host name in the service
configuration file for each role. You do that by adding the desired host name to the vmName attribute of the Role
element. The value of the vmName attribute is used as a base for the host name of each role instance. For example,
if vmName is webrole and there are three instances of that role, the host names of the instances will be webrole0,
webrole1, and webrole2. You do not need to specify a host name for virtual machines in the configuration file,
because the host name for a virtual machine is populated based on the virtual machine name. For more information
about configuring a Microsoft Azure service, see Azure Service Configuration Schema (.cscfg File)
Viewing hostnames
You can view the host names of virtual machines and role instances in a cloud service by using any of the tools
below.
Azure Portal
You can use the Azure portal to view the host names for virtual machines on the overview blade for a virtual
machine. Keep in mind that the blade shows a value for Name and Host Name. Although they are initially the
same, changing the host name will not change the name of the virtual machine or role instance.
Role instances can also be viewed in the Azure portal, but when you list the instances in a cloud service, the host
name is not displayed. You will see a name for each instance, but that name does not represent the host name.
Service configuration file
You can download the service configuration file for a deployed service from the Configure blade of the service in
the Azure portal. You can then look for the vmName attribute for the Role name element to see the host name.
Keep in mind that this host name is used as a base for the host name of each role instance. For example, if
vmName is webrole and there are three instances of that role, the host names of the instances will be webrole0,
webrole1, and webrole2.
Remote Desktop
After you enable Remote Desktop (Windows), Windows PowerShell remoting (Windows), or SSH (Linux and
Windows) connections to your virtual machines or role instances, you can view the host name from an active
Remote Desktop connection in various ways:
Type hostname at the command prompt or SSH terminal.
Type ipconfig /all at the command prompt (Windows only).
View the computer name in the system settings (Windows only).
Azure Service Management REST API
From a REST client, follow these instructions:
1. Ensure that you have a client certificate to connect to the Azure portal. To obtain a client certificate, follow the
steps presented in How to: Download and Import Publish Settings and Subscription Information.
2. Set a header entry named x-ms-version with a value of 2013-11-01.
3. Send a request in the following format: https://management.core.windows.net/<subscrition-
id>/services/hostedservices/<service-name>?embed-detail=true
4. Look for the HostName element for each RoleInstance element.
WARNING
You can also view the internal domain suffix for your cloud service from the REST call response by checking the
InternalDnsSuffix element, or by running ipconfig /all from a command prompt in a Remote Desktop session (Windows), or
by running cat /etc/resolv.conf from an SSH terminal (Linux).
Modifying a hostname
You can modify the host name for any virtual machine or role instance by uploading a modified service
configuration file, or by renaming the computer from a Remote Desktop session.
Next steps
Name Resolution (DNS)
Azure Service Configuration Schema (.cscfg)
Azure Virtual Network Configuration Schema
Specify DNS settings using network configuration files
How to set up endpoints on a classic Windows virtual
machine in Azure
All Windows virtual machines that you create in Azure using the classic deployment model can automatically
communicate over a private network channel with other virtual machines in the same cloud service or virtual
network. However, computers on the Internet or other virtual networks require endpoints to direct the inbound
network traffic to a virtual machine. This article is also available for Linux virtual machines.
IMPORTANT
Azure has two different deployment models for creating and working with resources: Resource Manager and Classic. This
article covers using the Classic deployment model. Microsoft recommends that most new deployments use the Resource
Manager model.
In the Resource Manager deployment model, endpoints are configured using Network Security Groups (NSGs).
For more information, see Allow external access to your VM using the Azure portal.
When you create a Windows virtual machine in the Azure portal, common endpoints like those for Remote
Desktop and Windows PowerShell Remoting are typically created for you automatically. You can configure
additional endpoints while creating the virtual machine or afterwards as needed.
Each endpoint has a public port and a private port:
The public port is used by the Azure load balancer to listen for incoming traffic to the virtual machine from the
Internet.
The private port is used by the virtual machine to listen for incoming traffic, typically destined to an application
or service running on the virtual machine.
Default values for the IP protocol and TCP or UDP ports for well-known network protocols are provided when you
create endpoints with the Azure portal. For custom endpoints, you'll need to specify the correct IP protocol (TCP or
UDP) and the public and private ports. To distribute incoming traffic randomly across multiple virtual machines,
you'll need to create a load-balanced set consisting of multiple endpoints.
After you create an endpoint, you can use an access control list (ACL) to define rules that permit or deny the
incoming traffic to the public port of the endpoint based on its source IP address. However, if the virtual machine is
in an Azure virtual network, you should use network security groups instead. For details, see About network
security groups.
NOTE
Firewall configuration for Azure virtual machines is done automatically for ports associated with remote connectivity
endpoints that Azure sets up automatically. For ports specified for all other endpoints, no configuration is done automatically
to the firewall of the virtual machine. When you create an endpoint for the virtual machine, you'll need to ensure that the
firewall of the virtual machine also allows the traffic for the protocol and private port corresponding to the endpoint
configuration. To configure the firewall, see the documentation or on-line help for the operating system running on the
virtual machine.
Create an endpoint
1. If you haven't already done so, sign in to the Azure portal.
2. Click Virtual Machines, and then click the name of the virtual machine that you want to configure.
3. Click Endpoints in the Settings group. The Endpoints page lists all the current endpoints for the virtual
machine. (This example is a Windows VM. A Linux VM will by default show an endpoint for SSH.)
4. In the command bar above the endpoint entries, click Add.

5. On the Add endpoint page, type a name for the endpoint in Name.
6. In Protocol, choose either TCP or UDP.
7. In Public Port, type the port number for the incoming traffic from the Internet. In Private Port, type the port
number on which the virtual machine is listening. These port numbers can be different. Ensure that the firewall
on the virtual machine has been configured to allow the traffic corresponding to the protocol (in step 6) and
private port.
8. Click Ok.
The new endpoint will be listed on the Endpoints page.
Manage the ACL on an endpoint

To define the set of computers that can send traffic, the ACL on an endpoint can restrict traffic based upon source
IP address. Follow these steps to add, modify, or remove an ACL on an endpoint.
NOTE
If the endpoint is part of a load-balanced set, any changes you make to the ACL on an endpoint are applied to all endpoints
in the set.
If the virtual machine is in an Azure virtual network, we recommend network security groups instead of ACLs. For
details, see About network security groups.
1. If you haven't already done so, sign in to the Azure portal.
2. Click Virtual Machines, and then click the name of the virtual machine that you want to configure.
3. Click Endpoints. From the list, select the appropriate endpoint. The ACL list is at the bottom of the page.
4. Use rows in the list to add, delete, or edit rules for an ACL and change their order. The Remote Subnet
value is an IP address range for incoming traffic from the Internet that the Azure load balancer uses to
permit or deny the traffic based on its source IP address. Be sure to specify the IP address range in CIDR
format, also known as address prefix format. An example is 10.1.0.0/8 .
You can use rules to allow only traffic from specific computers corresponding to your computers on the Internet or
to deny traffic from specific, known address ranges.
The rules are evaluated in order starting with the first rule and ending with the last rule. This means that rules
should be ordered from least restrictive to most restrictive. For examples and more information, see What is a
Network Access Control List.
Next steps
To use an Azure PowerShell cmdlet to set up a VM endpoint, see Add-AzureEndpoint.
To use an Azure PowerShell cmdlet to manage an ACL on an endpoint, see Managing access control lists (ACLs)
for endpoints by using PowerShell.
If you created a virtual machine in the Resource Manager deployment model, you can use Azure PowerShell to
create network security groups to control traffic to the VM.
Manage endpoint access control lists using
PowerShell in the classic deployment model
You can create and manage Network Access Control Lists (ACLs) for endpoints by using Azure PowerShell or in the
Management Portal. In this topic, you'll find procedures for ACL common tasks that you can complete using
PowerShell. For the list of Azure PowerShell cmdlets see Azure Management Cmdlets. For more information about
ACLs, see What is a Network Access Control List (ACL)?. If you want to manage your ACLs by using the
Management Portal, see How to Set Up Endpoints to a Virtual Machine.
Manage Network ACLs by using Azure PowerShell

You can use Azure PowerShell cmdlets to create, remove, and configure (set) Network Access Control Lists (ACLs).
We've included a few examples of some of the ways you can configure an ACL using PowerShell.
To retrieve a complete list of the ACL PowerShell cmdlets, you can use either of the following:
Get-Help *AzureACL*
Get-Command -Noun AzureACLConfig
Create a Network ACL with rules that permit access from a remote subnet
The example below illustrates a way to create a new ACL that contains rules. This ACL is then applied to a virtual
machine endpoint. The ACL rules in the example below will allow access from a remote subnet. To create a new
Network ACL with permit rules for a remote subnet, open an Azure PowerShell ISE. Copy and paste the script
below, configuring the script with your own values, and then run the script.
1. Create the new network ACL object.
$acl1 = New-AzureAclConfig
2. Set a rule that permits access from a remote subnet. In the example below, you set rule 100 (which has
priority over rule 200 and higher) to allow the remote subnet 10.0.0.0/8 access to the virtual machine
endpoint. Replace the values with your own configuration requirements. The name "SharePoint ACL config"
should be replaced with the friendly name that you want to call this rule.
Set-AzureAclConfig AddRule ACL $acl1 Order 100 `

Action permit RemoteSubnet "10.0.0.0/8" `
Description "SharePoint ACL config"
3. For additional rules, repeat the cmdlet, replacing the values with your own configuration requirements. Be
sure to change the rule number Order to reflect the order in which you want the rules to be applied. The
lower rule number takes precedence over the higher number.

Description "web frontend ACL config"
4. Next, you can either create a new endpoint (Add) or set the ACL for an existing endpoint (Set). In this
example, we will add a new virtual machine endpoint called "web" and update the virtual machine endpoint
with the ACL settings.
Get-AzureVM ServiceName $serviceName Name $vmName `

| Add-AzureEndpoint Name "web" Protocol tcp Localport 80 - PublicPort 80 ACL $acl1 `
| Update-AzureVM
5. Next, combine the cmdlets and run the script. For this example, the combined cmdlets would look like this:
$acl1 = New-AzureAclConfig
Description "Sharepoint ACL config"
Description "web frontend ACL config"
|Add-AzureEndpoint Name "web" Protocol tcp Localport 80 - PublicPort 80 ACL $acl1 `
|Update-AzureVM
Remove a Network ACL rule that permits access from a remote subnet
The example below illustrates a way to remove a network ACL rule. To remove a Network ACL rule with permit
rules for a remote subnet, open an Azure PowerShell ISE. Copy and paste the script below, configuring the script
with your own values, and then run the script.
1. First step is to get the Network ACL object for the virtual machine endpoint. You'll then remove the ACL
rule. In this case, we are removing it by rule ID. This will only remove the rule ID 0 from the ACL. It does not
remove the ACL object from the virtual machine endpoint.

| Get-AzureAclConfig EndpointName "web" `
| Set-AzureAclConfig RemoveRule ID 0 ACL $acl1
2. Next, you must apply the Network ACL object to the virtual machine endpoint and update the virtual
machine.

| Set-AzureEndpoint ACL $acl1 Name "web" `
| Update-AzureVM
Remove a Network ACL from a virtual machine endpoint

In certain scenarios, you might want to remove a Network ACL object from a virtual machine endpoint. To do that,
open an Azure PowerShell ISE. Copy and paste the script below, configuring the script with your own values, and
then run the script.

| Remove-AzureAclConfig EndpointName "web" `
| Update-AzureVM
Next steps
What is a Network Access Control List (ACL)?
Create, change, or delete a virtual network
Learn how to create and delete a virtual network and change settings, like DNS servers and IP address spaces, for
an existing virtual network.
A virtual network is a representation of your own network in the cloud. A virtual network is a logical isolation of
the Azure cloud that is dedicated to your Azure subscription. For each virtual network that you create, you can:
Choose an address space to assign. An address space consists of one or more address ranges that are defined
by using Classless Inter-Domain Routing (CIDR) notation, like 10.0.0.0/16.
Choose to use the Azure-provided DNS server, or use your own DNS server. All resources that are connected to
the virtual network are assigned this DNS server to resolve names within the virtual network.
Segment the virtual network into subnets, each with its own address range, within the address space of the
virtual network. To learn how to create, change, and delete subnets, see Add, change, or delete subnets.
This article explains how to create, change, and delete virtual networks by using the Azure Resource Manager
deployment model.
Before you begin

Before you begin the tasks that are described in this article, complete the following prerequisites:
If you're new to working with virtual networks, we recommend that you review the exercise in Create your first
Azure virtual network. This exercise can help you become more familiar with virtual networks.
To learn about limits for virtual networks, review Azure limits.
Sign in to the Azure portal, the Azure command-line tool (Azure CLI), or Azure PowerShell by using your Azure
account. If you don't have an Azure account, sign up for a free trial account.
If you plan to use PowerShell commands to complete the tasks described in this article, you must first install
and configure Azure PowerShell. Ensure that you have the most recent version of the Azure PowerShell cmdlets
installed. To get help for PowerShell commands in the examples, enter get-help <command> -full .
If you plan to use Azure CLI commands to complete the tasks described in this article, you must first install and
configure Azure CLI. Ensure that you have the most recent version of Azure CLI installed. To get help with Azure
CLI commands, enter az <command> --help .

To create a virtual network:
1. Sign in to the portal with an account that is assigned permissions for the Network Contributor role (at a
minimum) for your subscription. To learn more about assigning roles and permissions to accounts, see Built-in
roles for Azure role-based access control.
2. Click New > Networking > Virtual network.
3. On the Virtual network blade, in the Select a deployment model box, leave Resource Manager selected,
and then click Create.
4. On the Create virtual network blade, enter or select values for the following settings, then click Create:
Name: The name must be unique in the resource group that you select to create the virtual network in.
You cannot change the name after the virtual network is created. You can create multiple virtual
networks over time. For naming suggestions, see Naming conventions. Following a naming convention
can help make it easier to manage multiple virtual networks.
Address space: Specify the address space in CIDR notation. The address space you define can be
public or private (RFC 1918). Whether you define the address space as public or private, the address
space is reachable only from within the virtual network, from interconnected virtual networks, and
from any on-premises networks that you have connected to the virtual network. You cannot add the
following address spaces:
224.0.0.0/4 (Multicast)
255.255.255.255/32 (Broadcast)
127.0.0.0/8 (Loopback)
169.254.0.0/16 (Link-local)
168.63.129.16/32 (Internal DNS)
Although you can define only one address space when you create the virtual network, you can add
more address spaces after the virtual network is created. To learn how to add an address space to an
existing virtual network, see Add or remove an address space in this article.
WARNING
If a virtual network has address spaces that overlap with another virtual network or on-premises network,
the two networks cannot be connected. Before you define an address space, consider whether you might
want to connect the virtual network to other virtual networks or on-premises networks in the future.
Subnet name: The subnet name must be unique within the virtual network. You cannot change the
subnet name after the subnet is created. The portal requires that you define one subnet when you
create a virtual network, even though a virtual network isn't required to have any subnets. In the
portal, you can define only one subnet when you create a virtual network. You can add more subnets
to the virtual network later, after the virtual network is created. To add a subnet to a virtual network,
see Create a subnet in Create, change, or delete subnets. You can create a virtual network that has
multiple subnets by using Azure CLI or PowerShell.
TIP
Sometimes, admins create different subnets to filter or control traffic routing between the subnets. Before
you define subnets, consider how you might want to filter and route traffic between your subnets. To learn
more about filtering traffic between subnets, see Network security groups. Azure automatically routes traffic
between subnets, but you can override Azure default routes. To learn how to override Azure default subnet
traffic routing, see User-defined routes.
Subnet address range: The range must be within the address space you entered for the virtual
network. The smallest range you can specify is /29, which provides eight IP addresses for the subnet.
Azure reserves the first and last address in each subnet for protocol conformance. Three additional
addresses are reserved for Azure service usage. As a result, a virtual network with a subnet address
range of /29 has only three usable IP addresses. If you plan to connect a virtual network to a VPN
gateway, you must create a gateway subnet. Learn more about specific address range considerations
for gateway subnets. You can change the address range after the subnet is created, under specific
conditions. To learn how to change a subnet address range, see Change subnet settings in Add,
change, or delete subnets.
Subscription: Select a subscription. You cannot use the same virtual network in more than one Azure
subscription. However, you can connect a virtual network in one subscription to virtual networks in other
subscriptions. To connect virtual networks in different subscriptions, use Azure VPN Gateway or virtual
network peering. Any Azure resource that you connect to the virtual network must be in the same
subscription as the virtual network.
Resource group: Select an existing resource group or create a new one. An Azure resource that you
connect to the virtual network can be in the same resource group as the virtual network or in a different
resource group.
Location: Select an Azure location, also known as a region. A virtual network can be in only one Azure
location. However, you can connect a virtual network in one location to a virtual network in another
location by using a VPN gateway. Any Azure resource that you connect to the virtual network must be in
the same location as the virtual network.
Commands
TOOL COMMAND
Azure CLI az network vnet create
PowerShell New-AzureRmVirtualNetwork
View virtual networks and settings

To view virtual networks and settings:
2. In the portal search box, enter virtual networks. In the search results, click Virtual networks.
3. On the Virtual networks blade, click the virtual network that you want to view settings for.
4. The following settings are listed on the blade for the virtual network you selected:
Overview: Provides information about the virtual network, including address space and DNS
servers. The following screenshot shows the overview settings for a virtual network named MyVNet:
On the Overview blade, you can move a virtual network to a different subscription or resource
group. To learn how to move a virtual network, see Move resources to a different resource group or
subscription. The article lists prerequisites, and how to move resources by using the Azure portal,
PowerShell, and Azure CLI. All resources that are connected to the virtual network must move with
the virtual network.
Address space: The address spaces that are assigned to the virtual network are listed. To learn how to
add and remove an address space, complete the steps in Add or remove an address space in this article.
Connected devices: Any resources that are connected to the virtual network are listed. In the preceding
screenshot, three network interfaces and one load balancer are connected to the virtual network. Any
new resources that you create and connect to the virtual network are listed. If you delete a resource that
was connected to the virtual network, it no longer appears in the list.
Subnets: A list of subnets that exist within the virtual network is shown. To learn how to add and remove
a subnet, see Create a subnet and Delete a subnet in Add, change, or delete subnets.
DNS servers: You can specify whether the Azure internal DNS server or a custom DNS server provides
name resolution for devices that are connected to the virtual network. When you create a virtual network
by using the Azure portal, Azure's DNS servers are used for name resolution within a virtual network, by
default. To modify the DNS servers, complete the steps in Add, change, or remove a DNS server in this
article.
Peerings: If there are existing peerings in the subscription, they are listed here. You can view settings for
existing peerings, or create, change, or delete peerings. To learn more about peerings, see Virtual
network peering.
Properties: Displays settings about the virtual network, including the virtual network's resource ID and
the Azure subscription it is in.
Diagram: The diagram provides a visual representation of all devices that are connected to the virtual
network. The diagram has some key information about the devices. To manage a device in this view, in
the diagram, click the device.
Common Azure settings: To learn more about common Azure settings, see the following information:
Activity log
Access control (IAM)
Tags
Locks
Automation script
Commands
TOOL COMMAND
Azure CLI az network vnet show
PowerShell Get-AzureRmVirtualNetwork
Add or remove an address space

You can add and remove address spaces for a virtual network. An address space must be specified in CIDR
notation, and cannot overlap with other address spaces within the same virtual network. The address spaces you
define can be public or private (RFC 1918). Whether you define the address space as public or private, the address
space is reachable only from within the virtual network, from interconnected virtual networks, and from any on-
premises networks that you have connected to the virtual network. You cannot add the following address spaces:
224.0.0.0/4 (Multicast)
255.255.255.255/32 (Broadcast)
127.0.0.0/8 (Loopback)
169.254.0.0/16 (Link-local)
168.63.129.16/32 (Internal DNS)
To add or remove an address space:
2. In the portal search box, enter virtual networks. In the search results, select Virtual networks.
3. On the Virtual networks blade, click the virtual network for which you want to add or remove an address
space.
4. On the virtual network blade, under SETTINGS, click Address space.
5. On the blade for the address space, complete one of the following options:
Add an address space: Enter the new address space. The address space cannot overlap with an existing
address space that is defined for the virtual network.
Remove an address space: Right-click an address space, and then click Remove. If a subnet exists in
the address space, you cannot remove the address space. To remove an address space, you must first
delete any subnets (and any resources that are connected to the subnets) that exist in the address space.
6. Click Save.
Commands
TOOL COMMAND
Azure CLI Resource Manager only
PowerShell Set-AzureRmVirtualNetwork
Add, change, or remove a DNS server
All VMs that are connected to the virtual network register with the DNS servers that you specify for the virtual
network. They also use the specified DNS server for name resolution. Each network interface (NIC) in a VM can
have its own DNS server settings. If a NIC has its own DNS server settings, they override the DNS server settings
for the virtual network. To learn more about NIC DNS settings, see Network interface tasks and settings. To learn
more about name resolution for VMs and role instances in Azure Cloud Services, see Name resolution for VMs and
role instances. To add, change, or remove a DNS server:
2. In the portal search box, type virtual networks. In the search results, select Virtual networks.
3. On the Virtual networks blade, click the virtual network you want to change DNS settings for.
4. On the virtual network blade, under SETTINGS, click DNS servers.
5. Select one of the following options on the blade that lists DNS servers:
Default (Azure-provided): All resource names and private IP addresses are automatically registered to
the Azure DNS servers. You can resolve names between any resources that are connected to the same
virtual network. You cannot use this option to resolve names across virtual networks. To resolve names
across virtual networks, you must use a custom DNS server.
Custom: You can add one or more servers, up to the Azure limit for a virtual network. To learn more
about DNS server limits, see Azure limits. You have the following options:
Add an address: Adds the server to your virtual network DNS servers list. This option also
registers the DNS server with Azure. If you've already registered a DNS server with Azure, you can
select that DNS server in the list.
Remove an address: Next to the server that you want to remove, click X. Deleting the server
removes the server only from this virtual network list. The DNS server remains registered in
Azure for your other virtual networks to use.
Reorder DNS server addresses: It's important to verify that you list your DNS servers in the
correct order for your environment. DNS server lists are used in the order that they are specified.
They do not work as a round-robin setup. If the first DNS server in the list can be reached, the
client uses that DNS server, regardless of whether the DNS server is functioning properly.
Remove all the DNS servers that are listed, and then add them back in the order that you want.
Change an address: Highlight the DNS server in the list, and then enter the new name.
6. Click Save.
7. Restart the VMs that are connected to the virtual network, so they are assigned the new DNS server settings.
VMs continue to use their current DNS settings until they are restarted.
Commands
TOOL COMMAND
Azure CLI az network vnet update
PowerShell Set-AzureRmVirtualNetwork
Delete a virtual network

You can delete a virtual network only if there are no resources connected to it. If there are resources connected to
any subnet within the virtual network, you must first delete the resources that are connected to all subnets within
the virtual network. The steps you take to delete a resource vary depending on the resource. To learn how to delete
resources that are connected to subnets, read the documentation for each resource type you want to delete. To
delete a virtual network:
1. Sign in to the portal with an account that is assigned (at a minimum) permissions for the Network Contributor
role for your subscription. To learn more about assigning roles and permissions to accounts, see Built-in roles
for Azure role-based access control.
3. On the Virtual networks blade, select the virtual network you want to delete.
4. On the virtual network blade, to confirm that there are no devices connected to the virtual network, under
SETTINGS, click Connected devices. If there are connected devices, you must delete them before you can
delete the virtual network. If there are no connected devices, click Overview.
5. At the top of the blade, click the Delete icon.
6. To confirm the deletion of the virtual network, click Yes.
Commands
TOOL COMMAND
Azure CLI azure network vnet delete
PowerShell Remove-AzureRmVirtualNetwork
Next steps
To create a VM and then connect it to a virtual network, see Create a virtual network and connect VMs.
To filter network traffic between subnets within a virtual network, see Create network security groups.
To peer a virtual network to another virtual network, see Create a virtual network peering.
To learn about options for connecting a virtual network to an on-premises network, see About VPN Gateway.
Add, change, or delete a virtual network subnet
Learn how to add, change, or delete a virtual network subnet.

If you're not familiar with virtual networks, before you add, change, or delete a subnet, we recommend that you
read Azure Virtual Network overview and Create, change, or delete a virtual network. All Azure resources
deployed into a virtual network are deployed into a subnet within a virtual network. Usually, multiple subnets are
created within a virtual network to:
Filter traffic between subnets. You can apply network security groups to subnets to filter inbound and
outbound network traffic for all resources (like virtual machines) that are in the virtual network. To learn more
about how to create a network security group, see Create network security groups.
Control routing between subnets. Azure creates default routes so that traffic is automatically routed
between subnets. You can override Azure default routes by creating user-defined routes. To learn more about
user-defined routes, see Create user-defined routes.
This article explains how to add, change, and delete a subnet for virtual networks that were created by using the
Azure Resource Manager deployment model.
Before you begin

Before you begin the tasks that are described in this article, complete the following prerequisites:
If you're new to working with virtual networks, we recommend that you review the exercise in Create your first
Azure virtual network. This exercise can help you become more familiar with virtual networks.
To learn about limits for virtual networks, review Azure limits.
Sign in to the Azure portal, the Azure command-line tool (Azure CLI), or Azure PowerShell by using your Azure
account. If you don't have an Azure account, sign up for a free trial account.
If you plan to use PowerShell commands to complete the tasks described in this article, you must first install
and configure Azure PowerShell. Ensure that you have the most recent version of the Azure PowerShell
cmdlets installed. To get help for PowerShell commands in the examples, enter get-help <command> -full .
If you plan to use Azure CLI commands to complete the tasks described in this article, you must either:
Install and configure the Azure CLI. Ensure that you have the most recent version of Azure CLI installed.
Use the Azure Cloud Shell. Instead of installing the CLI and its dependencies, you can use the Azure
Cloud Shell. The Azure Cloud Shell is a free Bash shell that you can run directly within the Azure portal. It
has the Azure CLI preinstalled and configured to use with your account. To use the Cloud Shell, click the
Cloud Shell (>_) icon at the top of the Azure portal.
To get help with Azure CLI commands, enter az <command> --help .
Add a subnet
To add a subnet:
3. On the Virtual networks blade, click the virtual network you want to add a subnet to.
4. On the virtual network blade, click Subnets.
5. Click +Subnet.
6. On the Add subnet blade, enter values for the following parameters:
Name: The name must be unique within the virtual network.
Address range: The range must be unique within the address space for the virtual network. The range
cannot overlap with other subnet address ranges within the virtual network. The address space must be
specified by using Classless Inter-Domain Routing (CIDR) notation. For example, in a virtual network
with address space 10.0.0.0/16, you might define a subnet address space of 10.0.0.0/24. The smallest
range you can specify is /29, which provides eight IP addresses for the subnet. Azure reserves the first
and last address in each subnet for protocol conformance. Three additional addresses are reserved for
Azure service usage. As a result, defining a subnet with a /29 address range results in three usable IP
addresses in the subnet. If you plan to connect a virtual network to a VPN gateway, you must create a
gateway subnet. Learn more about specific address range considerations for gateway subnets. You can
change the address range after the subnet is added, under specific conditions. To learn how to change a
subnet address range, see Change subnet settings in this article.
Network security group: Optionally, you can associate an existing network security group with the
subnet to control inbound and outbound network traffic filtering for the subnet. The network security
group must exist in the same subscription and location as the virtual network. It also must be created by
using the Resource Manager deployment model. To learn more about how to create a network security
group, see Network security groups.
Route table: Optionally, you can associate an existing route table with the subnet to control network
traffic routing to other networks. The route table must exist in the same subscription and location as the
virtual network. It also must be created by using the Resource Manager deployment model. To learn
more about how to create route tables, see User-defined routes.
Users: You can control access to the subnet by using built-in roles or your own custom roles. To learn
more about assigning roles and users to access the subnet, see Use role assignment to manage access
to your Azure resources.
7. To add the subnet to the virtual network that you selected, click OK.
Commands
TOOL COMMAND
Azure CLI az network vnet subnet create
PowerShell New-AzureRmVirtualNetworkSubnetConfig, Add-

AzureRmVirtualNetworkSubnetConfig
Change subnet settings

You can change network security groups, route tables, and user access to a subnet by managing resources that
are in a subnet. To learn about these settings, in Add a subnet, see step 6. If you want to change the address space
of a subnet, you must first delete any resources that are in the subnet. The steps you take to delete a resource vary
depending on the resource. To learn how to delete resources that are in subnets, read the documentation for each
resource type that you want to delete. To change the address range for a subnet:
3. On the Virtual networks blade, click the virtual network for which you want to change a subnet address
range.
4. Click the subnet for which you want to change the address range.
5. On the subnet blade, in the Address range box, enter the new address range. The range must be unique within
the address space for the virtual network. The range cannot overlap with other subnet address ranges within
the virtual network. The address space must be specified by using CIDR notation. For example, in a virtual
network with address space 10.0.0.0/16, you might define a subnet address space of 10.0.0.0/24. The smallest
range you can specify is /29, which provides eight IP addresses for the subnet. Azure reserves the first and last
address in each subnet for protocol conformance. Three additional addresses are reserved for Azure service
usage. As a result, a subnet with a /29 address range has three usable IP addresses. If you plan to connect a
virtual network to a VPN gateway, you must create a gateway subnet. Learn more about specific address range
considerations for gateway subnets. You can change the address range after the subnet is created, under
specific conditions. To learn how to change a subnet address range, see Change subnet settings in this article.
6. Click Save.
Commands
TOOL COMMAND
Azure CLI az network vnet subnet update
PowerShell Set-AzureRmVirtualNetworkSubnetConfig
Delete a subnet
You can delete a subnet only if there are no resources in the subnet. If there are resources in the subnet, you must
delete the resources that are in the subnet before you can delete the subnet. The steps you take to delete a
resource vary depending on the resource. To learn how to delete resources that are in subnets, read the
documentation for each resource type that you want to delete. To delete a subnet:
3. On the Virtual networks blade, click the virtual network you want to delete a subnet from.
4. On the virtual network blade, under SETTINGS, click Subnets.
5. In the list of subnets that appears on the subnets blade, right-click the subnet you want to delete, click Delete,
and then click Yes to delete the subnet.
Commands
TOOL COMMAND
Azure CLI az network vnet delete
PowerShell Remove-AzureRmVirtualNetworkSubnetConfig
Next steps
To create a virtual machine in a subnet, see Create a virtual network and deploy VMs in the subnet.
Create, change, or delete a virtual network peering
Learn how to create, change, or delete a virtual network peering. Virtual network peering enables you to connect
two virtual networks in the same Azure location through the Azure backbone network. Once peered, the two virtual
networks are still managed as separate resources. Resources in either virtual network communicate with the same
latency and bandwidth as if the resources were in the same virtual network. If you're not familiar with virtual
network peering, we recommend reading the Virtual network peering overview and completing the Create a virtual
network peering tutorial, before completing the tasks in this article.
Before you begin

Complete the following tasks before completing steps in any section of this article:
Review the Azure limits article to learn about limits for peering.
you have the most recent version of the Azure PowerShell cmdlets installed. To get help for PowerShell
If using Azure Command-line interface (CLI) commands to complete tasks in this article, install and configure the
Azure CLI. Ensure you have the most recent version of the Azure CLI installed. To get help for CLI commands,
type az <command> --help . Rather than installing the CLI and its pre-requisites, you can use the Azure Cloud
Shell. The Azure Cloud Shell is a free Bash shell that you can run directly within the Azure portal. The Cloud Shell
has the Azure CLI preinstalled and configured to use with your account. To use the Cloud Shell, click the Cloud
Shell >_ button at the top of the portal.
Create a peering
NOTE
There are several requirements, constraints, and considerations to successfully create a virtual network peering. Before
creating a peering, ensure you've familiarized yourself with the requirements and constraints and required permissions.
1. Log in to the portal with an account that is assigned the necessary role or permissions.
2. In the box that contains the text Search resources at the top of the Azure portal, type virtual networks. When
Virtual networks appears in the search results, click it. Do not select Virtual networks (classic) if it appears in
the list, as you cannot create a peering from a virtual network deployed through the classic deployment model.
3. In the Virtual networks blade that appears, click the virtual network you want to create a peering for.
4. In the pane that appears for the virtual network you selected, click Peerings in the SETTINGS section.
5. Click + Add.
6. In the Add peering blade, enter or select values for the following settings:
Name: The name for the peering must be unique within the virtual network.
Virtual network deployment model: Select which deployment model the virtual network you want to
peer with was deployed through.
I know my resource ID: If you have read access to the virtual network you want to peer with, leave this
checkbox unchecked. If you don't have read access to the virtual network or subscription you want to
peer with, check this box. Enter the full resource ID of the virtual network you want to peer with in the
Resource ID box that appeared when you checked the box. The resource ID you enter must be for a
virtual network that exists in the same Azure location as this virtual network. The full resource ID looks
similar to /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/. You can get
the resource ID for a virtual network by viewing the properties for a virtual network. To learn how to view
the properties for a virtual network, see Manage virtual networks.
Subscription: Select the subscription of the virtual network you want to peer with. One or more
subscriptions are listed, depending on how many subscriptions your account has read access to. If you
checked the Resource ID checkbox, this setting isn't available. You can peer virtual networks in different
subscriptions as long as both virtual networks were created through Resource Manager. The ability to
peer across subscriptions created through different deployment models is in preview release. Register for
the preview before creating a peering between virtual networks deployed through different deployment
models that exist in different subscriptions. Learn more about how to register for the preview and peer
virtual networks created through different deployment models in different subscriptions.
Virtual network: Select the virtual network you want to peer with. You can select a virtual network
created through either Azure deployment model, but the virtual network must be in the same location as
the virtual network you're initiating the peering from. You must have read access to the virtual network
for it to be visible in the list. If a virtual network is listed, but grayed out, it may be because the address
space for the virtual network overlaps with the address space for this virtual network. If virtual network
address spaces overlap, they cannot be peered. If you checked the Resource ID checkbox, this setting
isn't available.
Allow virtual network access: Select Enabled (default) if you want to enable communication between
the two virtual networks. Enabling communication between virtual networks allows resources connected
to either virtual network to communicate with each other with the same bandwidth and latency as if they
were connected to the same virtual network. All communication between resources in the two virtual
networks is over the Azure private network. The VirtualNetwork default tag for network security groups
encompasses the virtual network and peered virtual network. To learn more about network security
group default tags, read the Network security groups overview article. Select Disabled if you don't want
traffic to flow to the peered virtual network. You might select Disabled if you've peered a virtual network
with another virtual network, but occasionally want to disable traffic flow between the two virtual
networks. You may find enabling/disabling is more convenient than deleting and re-creating peerings.
When this setting is disabled, traffic doesn't flow between the peered virtual networks.
Allow forwarded traffic: Check this box to allow traffic forwarded to the peered virtual network (traffic
not originating in the peered virtual network) to flow to this virtual network. Traffic forwarding is
common when you've deployed a network virtual appliance in the virtual network you're peering with
and created user-defined routes to forward traffic through the network virtual appliance. If you leave this
box unchecked (default), traffic forwarded from the peered virtual network cannot flow to this virtual
network. While enabling this capability allows the forwarded traffic through the peering, it does not
create any user-defined routes or network virtual appliances. User-defined routes and network virtual
appliances are created separately. Learn about user-defined routes.
Allow gateway transit: Check this box if you have a virtual network gateway attached to this virtual
network and want to allow traffic from the peered virtual network to flow through the gateway. For
example, this virtual network may be attached to an on-premises network through a virtual network
gateway. Checking this box allows traffic from the peered virtual network to flow through the
gateway attached to this virtual network. If you check this box, the peered virtual network cannot have
a gateway configured. The peered virtual network must have the Use remote gateway checkbox
checked when setting up the peering from the other virtual network to this virtual network. If you
leave this box unchecked (default), traffic from the peered virtual network still flows to this virtual
network, but cannot flow through a virtual network gateway attached to this virtual network. Learn
more about virtual network gateways.
You cannot enable this option if you're peering a virtual network (Resource Manager) with a virtual
network (classic). Though the traffic flows between the two virtual networks, the virtual network
(classic) traffic cannot flow through a network gateway attached to the virtual network (Resource
Manager).
Use remote gateways: Check this box to allow traffic from this virtual network to flow through a
virtual network gateway attached to the virtual network you're peering with. For example, the virtual
network you're peering with has a VPN gateway attached that enables communication to an on-
premises network. Checking this box allows traffic from this virtual network to flow through the VPN
gateway attached to the peered virtual network. If you check this box, the peered virtual network must
have a virtual network gateway attached to it and must have the Allow gateway transit checkbox
checked. If you leave this box unchecked (default), traffic from the peered virtual network can still flow
to this virtual network, but cannot flow through a virtual network gateway attached to this virtual
network.
You cannot enable this option if you're peering a virtual network (Resource Manager) with a virtual
network (classic). Though the traffic flows between the two virtual networks, the virtual network
(Resource Manager) traffic cannot flow through a network gateway attached to the virtual network
(classic).
7. Click the OK button to add the subnet to the virtual network you selected.
Commands
TOOL COMMAND
CLI az network vnet peering create
PowerShell Add-AzureRmVirtualNetworkPeering
Scenarios
A virtual network peering is created between virtual networks created through the same, or different deployment
models that exist in the same, or different subscriptions. Complete a step-by-step tutorial for one of the following
scenarios:
AZURE DEPLOYMENT MODEL SUBSCRIPTION
Different
Different
View or change peering settings

Virtual networks appears in the search results, click it.
3. In the Virtual networks blade that appears, click the virtual network you want to create a peering for.
4. In the pane that appears for the virtual network you selected, click Peerings in the SETTINGS section.
5. Click the peering you want to view or change settings for.
6. Change the appropriate setting. Read about the options for each setting in step 6 of the Create a peering
NOTE
There are several requirements, constraints, and considerations to successfully create a virtual network peering. Before
creating a peering, ensure you've familiarized yourself with the requirements and constraints and required
permissions.
7. Click Save.
Commands
TOOL COMMAND
CLI az network vnet peering list to list peerings for a virtual

network, az network vnet peering show to show settings for a
specific peering, and az network vnet peering update to
change peering settings.
PowerShell Get-AzureRmVirtualNetworkPeering to retrieve view peering

settings and Set-AzureRmVirtualNetworkPeering to change
settings.
Delete a peering
When a peering is deleted, traffic from a virtual network no longer flows to the peered virtual network. When
virtual networks deployed through Resource Manager are peered, each virtual network has a peering to the other
virtual network. Though deleting the peering from one virtual network disables the communication between the
virtual networks, it does not delete the peering from the other virtual network. The peering status for the peering
that exists in the other virtual network is Disconnected. You cannot recreate the peering until you re-create the
peering in the first virtual network and the peering status for both virtual networks changes to Connected.
If you want virtual networks to communicate sometimes, but not always, rather than deleting a peering, you can set
the Allow virtual network access setting to Disabled instead. To learn how, read step 6 of the Create a peering
section of this article. You may find disabling and enabling network access easier than deleting and recreating
peerings.
Virtual networks appears in the search results, click it.
3. In the Virtual networks blade that appears, click the virtual network you want to delete a peering from.
4. In the blade that appears for the virtual network you selected, click Peerings under Settings.
5. In the list of peerings that appears in the peerings blade, right-click the peering you want to delete, click Delete,
then Yes to delete the peering from the first virtual network.
6. Complete the previous steps to delete the peering from the other virtual network in the peering.
Commands
TOOL COMMAND
CLI az network vnet peering delete
PowerShell Remove-AzureRmVirtualNetworkPeering
Requirements and constraints
The virtual networks you peer must have non-overlapping IP address spaces.
You can't add address spaces to, or delete address spaces from a virtual network once a virtual network is
peered with another virtual network. To add or remove address spaces, delete the peering, add or remove the
address spaces, then re-create the peering. To add address spaces to, or remove address spaces from virtual
networks, read the Create, change, or delete virtual networks article.
You can peer two virtual networks deployed through Resource Manager or a virtual network deployed through
Resource Manager with a virtual network deployed through the classic deployment model. You cannot peer two
virtual networks created through the classic deployment model. If you're not familiar with Azure deployment
models, read the Understand Azure deployment models article. You can use a VPN Gateway to connect two
virtual networks created through the classic deployment model.
When peering two virtual networks created through Resource Manager, a peering must be configured for each
virtual network in the peering. When you create the peering to the second virtual network from the first virtual
network, the peering status is Initiated. When you create the peering from the second virtual network to the first
virtual network, its peering status is Connected. If you view the peering status for the first virtual network, you
see its status changed from Initiated to Connected. The peering is not successfully established until the peering
status for both virtual network peerings is Connected.
When peering a virtual network created through Resource Manager with a virtual network created through the
classic deployment model, you only configure a peering for the virtual network deployed through Resource
Manager. You cannot configure peering for a virtual network (classic), or between two virtual networks
deployed through the classic deployment model. When you create the peering from the virtual network
(Resource Manager) to the virtual network (Classic), the peering status is Updating, then shortly changes to
Connected.
A peering is established between two virtual networks. Peerings are not transitive. If you create peerings
between:
VirtualNetwork1 & VirtualNetwork2
VirtualNetwork2 & VirtualNetwork3
There is no peering between VirtualNetwork1 and VirtualNetwork3 through VirtualNetwork2. If you want to
create a virtual network peering between VirtualNetwork1 and VirtualNetwork3, you have to create a
peering between VirtualNetwork1 and VirtualNetwork3.
You can't resolve names in peered virtual networks using default Azure name resolution. To resolve names in
other virtual networks, you must use a custom DNS server. To learn how to set up your own DNS server, read
the Name resolution using your own DNS server article.
Resources in both virtual networks in the peering can communicate with each other with the same bandwidth
and latency as if they were in the same virtual network. Each virtual machine size has its own maximum network
bandwidth however. To learn more about maximum network bandwidth for different virtual machine sizes, read
the Windows or Linux virtual machine sizes articles.
You can peer virtual networks deployed through Resource Manager that are in the same, or different
subscriptions.
You can peer virtual networks deployed through different deployment models that are in the same, or different
subscriptions (preview).
The subscriptions that both virtual networks are in must be associated to the same Azure Active Directory
tenant. If you don't already have an AD tenant, you can quickly create one. You can use a VPN Gateway to
connect two virtual networks that exist in different subscriptions associated to different Active Directory tenants.
A virtual network can be peered to another virtual network, and also be connected to another virtual network
with an Azure virtual network gateway. When virtual networks are connected through both peering and a
gateway, traffic between the virtual networks flows through the peering configuration, rather than the gateway.
There is a nominal charge for ingress and egress traffic that utilizes a virtual network peering. For more
information, see the pricing page.
Permissions
The accounts you use to create a virtual network peering must have the necessary role or permissions. For example,
if you were peering two virtual networks named myVnetA and myVnetB, your account must be assigned the
following minimum role or permissions for each virtual network:
myVnetA Resource Manager Network Contributor Microsoft.Network/virtualNet

works/virtualNetworkPeering
s/write
myVnetB Resource Manager Network Contributor Microsoft.Network/virtualNet

works/peer
Classic Classic Network Contributor Microsoft.ClassicNetwork/virt

ualNetworks/peer
Next steps
Learn how to create a hub and spoke network topology
Configure a virtual network (classic) using a network
configuration file
IMPORTANT
You can create and configure a virtual network (classic) with a network configuration file using the Azure
command-line interface (CLI) 1.0 or Azure PowerShell. You cannot create or modify a virtual network through the
Azure Resource Manager deployment model using a network configuration file. You cannot use the Azure portal
to create or modify a virtual network (classic) using a network configuration file, however you can use the Azure
portal to create a virtual network (classic), without using a network configuration file.
Creating and configuring a virtual network (classic) with a network configuration file requires exporting, changing,
and importing the file.
Export a network configuration file

You can use PowerShell or the Azure CLI to export a network configuration file. PowerShell exports an XML file,
while the Azure CLI exports a json file.
PowerShell
1. Install Azure PowerShell and sign in to Azure.
2. Change the directory (and ensure it exists) and filename in the following command as desired, then run the
command to export the network configuration file:
Get-AzureVNetConfig -ExportToFile c:\azure\networkconfig.xml
Azure CLI 1.0

1. Install the Azure CLI 1.0. Complete the remaining steps from an Azure CLI 1.0 command prompt.
2. Log in to Azure by entering the azure login command.
3. Ensure you're in asm mode by entering the azure config mode asm command.
4. Change the directory (and ensure it exists) and filename in the following command as desired, then run the
command to export the network configuration file:
azure network export c:\azure\networkconfig.json
Create or modify a network configuration file

A network configuration file is an XML file (when using PowerShell) or a json file (when using the Azure CLI). You
can edit the file in any text, or XML/json editor. The Network configuration file schema settings article includes
details for all settings. For additional explanation of the settings, see View virtual networks and settings. The
changes you make to the file:
Must comply with the schema, or importing the network configuration file will fail.
Overwrite any existing network settings for your subscription, so use extreme caution when making
modifications. For example, reference the example network configuration files that follow. Say the original file
contained two VirtualNetworkSite instances, and you changed it, as shown in the examples. When you
import the file, Azure deletes the virtual network for the VirtualNetworkSite instance you removed in the file.
This simplified scenario assumes no resources were in the virtual network, as if there were, the virtual network
could not be deleted, and the import would fail.
IMPORTANT
Azure considers a subnet that has something deployed to it as in use. When a subnet is in use, it cannot be modified.
Before modifying subnet information in a network configuration file, move anything that you have deployed to the subnet
to a different subnet that isn't being modified. See Move a VM or Role Instance to a Different Subnet for details.
Example XML for use with PowerShell

The following example network configuration file creates a virtual network named myVirtualNetwork with an
address space of 10.0.0.0/16 in the East US Azure region. The virtual network contains one subnet named
mySubnet with an address prefix of 10.0.0.0/24.
<?xml version="1.0" encoding="utf-8"?>

<NetworkConfiguration xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
<Dns />
<VirtualNetworkSite name="myVirtualNetwork" Location="East US">
<AddressSpace>
</AddressSpace>
<Subnets>
<Subnet name="mySubnet">
</Subnet>
</Subnets>
If the network configuration file you exported contains no contents, you can copy the XML in the previous
example, and paste it into a new file.
Example JSON for use with the Azure CLI 1.0
The following example network configuration file creates a virtual network named myVirtualNetwork with an
address space of 10.0.0.0/16 in the East US Azure region. The virtual network contains one subnet named
mySubnet with an address prefix of 10.0.0.0/24.
{
"VirtualNetworkConfiguration" : {
"Dns" : "",
"VirtualNetworkSites" : [
{
"AddressSpace" : [ "10.0.0.0/16" ],
"Location" : "East US",
"Name" : "myVirtualNetwork",
"Subnets" : [
{
"AddressPrefix" : "10.0.0.0/24",
"Name" : "mySubnet"
}
]
}
]
}
}
If the network configuration file you exported contains no contents, you can copy the json in the previous
example, and paste it into a new file.
Import a network configuration file

You can use PowerShell or the Azure CLI to import a network configuration file. PowerShell imports an XML file,
while the Azure CLI imports a json file. If the import fails, confirm that the file complies with the network
configuration schema.
PowerShell
1. Install Azure PowerShell and sign in to Azure.
2. Change the directory and filename in the following command as necessary, then run the command to
import the network configuration file:
Set-AzureVNetConfig -ConfigurationPath c:\azure\networkconfig.xml
Azure CLI 1.0

1. Install the Azure CLI 1.0. Complete the remaining steps from an Azure CLI 1.0 command prompt.
2. Log in to Azure by entering the azure login command.
3. Ensure you're in asm mode by entering the azure config mode asm command.
4. Change the directory and filename in the following command as necessary, then run the command to
import the network configuration file:
azure network import c:\azure\networkconfig.json

Migrate a virtual network (classic) from an affinity
group to a region
IMPORTANT
Affinity groups ensure that resources created within the same affinity group are physically hosted by servers that
are close together, enabling these resources to communicate quicker. In the past, affinity groups were a
requirement for creating virtual networks (classic). At that time, the network manager service that managed virtual
networks (classic) could only work within a set of physical servers or scale unit. Architectural improvements have
increased the scope of network management to a region.
As a result of these architectural improvements, affinity groups are no longer recommended, or required for virtual
networks (classic). The use of affinity groups for virtual networks (classic) is replaced by regions. Virtual networks
(classic) that are associated with regions are called regional virtual networks.
We recommend that you don't use affinity groups in general. Aside from the virtual network requirement, affinity
groups were also important to use to ensure resources, such as compute (classic) and storage (classic), were placed
near each other. However, with the current Azure network architecture, these placement requirements are no
longer necessary.
IMPORTANT
Although it is still technically possible to create a virtual network that is associated with an affinity group, there is no
compelling reason to do so. Many virtual network features, such as network security groups, are only available when using a
regional virtual network, and are not available for virtual networks that are associated with affinity groups.
Edit the network configuration file

1. Export the network configuration file. To learn how to export a network configuration file using PowerShell or
the Azure command-line interface (CLI) 1.0, see Configure a virtual network using a network configuration file.
2. Edit the network configuration file, replacing AffinityGroup with Location. You specify an Azure region for
Location.
NOTE
The Location is the region that you specified for the affinity group that is associated with your virtual network
(classic). For example, if your virtual network (classic) is associated with an affinity group that is located in West US,
when you migrate, your Location must point to West US.
Edit the following lines in your network configuration file, replacing the values with your own:
Old value: <VirtualNetworkSitename="VNetUSWest" AffinityGroup="VNetDemoAG">
New value: <VirtualNetworkSitename="VNetUSWest" Location="West US">
3. Save your changes and import the network configuration to Azure.
NOTE
This migration does NOT cause any downtime to your services.
What to do if you have a VM (classic) in an affinity group

VMs (classic) that are currently in an affinity group do not need to be removed from the affinity group. Once a VM
is deployed, it is deployed to a single scale unit. Affinity groups can restrict the set of available VM sizes for a new
VM deployment, but any existing VM that is deployed is already restricted to the set of VM sizes available in the
scale unit in which the VM is deployed. Because the VM is already deployed to a scale unit, removing a VM from an
affinity group has no effect on the VM.
Manage NSGs using the portal
After you create one or more Network Security Groups (NSGs), you need to be able to retrieve information about
your NSGs, add and remove rules, edit existing rules, associate or dissociate NSGs, and delete NSGs. In this article,
you will learn how to execute each of these tasks. Before you can manage NSGs, it's important to know how NSGs
work.
NOTE
Sample Scenario
To better illustrate how to manage NSGs, this article uses the scenario below.
traffic for SQL traffic from the front end subnet, and has no access to the Internet, while the front end subnet can
To deploy the scenario described above, follow this link, click Deploy to Azure, replace the default parameter
values if necessary, and follow the instructions in the portal. In the sample instructions below, the template was
used to deploy a resource group names RG-NSG.
Retrieve Information
You can view your existing NSGs, retrieve rules for an existing NSG, and find out what resources an NSG is
associated to.
View existing NSGs
To view all existing NSGs in a subscription, complete the following steps:
2. Click Browse > > Network security groups.
3. Check the list of NSGs in the Network security groups blade.

View NSGs in a resource group
To view the list of NSGs in the RG-NSG resource group, complete the following steps:
1. Click Resource groups > > RG-NSG > ....
2. In the list of resources, look for items displaying the NSG icon, as shown in the Resources blade below.
List all rules for an NSG
To view the rules of an NSG named NSG-FrontEnd, complete the following steps:
1. From the Network security groups blade, or the Resources blade shown above, click NSG-FrontEnd.
2. In the Settings tab, click Inbound security rules.
3. The Inbound security rules blade is displayed as shown below.

4. In the Settings tab, click Outbound security rules to see the outbound rules.
NOTE
To view default rules, click the Default rules icon at the top of the blade that displays the rules.
View NSGs associations

To view what resources the NSG-FrontEnd NSG is associate with, complete the following steps:
2. In the Settings tab, click Subnets to view what subnets are associated to the NSG.
3. In the Settings tab, click Network interfaces to view what NICs are associated to the NSG.
Manage rules
You can add rules to an existing NSG, edit existing rules, and remove rules.
Add a rule
To add a rule allowing inbound traffic to port 443 from any machine to the NSG-FrontEnd NSG, complete the
following steps:
2. In the Settings tab, click Inbound security rules.
3. In the Inbound security rules blade, click Add. Then, in the Add inbound security rule blade, fill the
values as shown below, and then click OK.
After a few seconds, notice the new rule in the Inbound security rules blade.
Change a rule
To change the rule created above to allow inbound traffic from the Internet only, complete the following steps:
2. In the Settings tab, click the rule created above.
3. In the allow-https blade, change the Source property as shown below, and then click Save.
Delete a rule
To delete the rule created above, complete the following steps:
2. In the Settings tab, click the rule created above.
3. In the allow-https blade, click Delete, and then click Yes.
Manage associations
You can associate an NSG to subnets and NICs. You can also dissociate an NSG from any resource it's associated
to.
Associate an NSG to a NIC
To associate the NSG-FrontEnd NSG to the TestNICWeb1 NIC, complete the following steps:
2. In the Settings tab, click Network interfaces > Associate > TestNICWeb1.
Dissociate an NSG from a NIC

To dissociate the NSG-FrontEnd NSG from the TestNICWeb1 NIC, complete the following steps:
1. From the Azure portal, click Resource groups > > RG-NSG > ... > TestNICWeb1.
2. In the TestNICWeb1 blade, click Change security... > None.
NOTE
You can also use this blade to associate the NIC to any existing NSG.
Dissociate an NSG from a subnet

To dissociate the NSG-FrontEnd NSG from the FrontEnd subnet, complete the following steps:
1. From the Azure portal, click Resource groups > > RG-NSG > ... > TestVNet.
2. In the Settings blade, click Subnets > FrontEnd > Network security group > None.
Associate an NSG to a subnet

To associate the NSG-FrontEnd NSG to the FronEnd subnet again, complete the following steps:
1. From the Azure portal, click Resource groups > > RG-NSG > ... > TestVNet.
2. In the Settings blade, click Subnets > FrontEnd > Network security group > NSG-FrontEnd.
NOTE
You can also associate an NSG to a subnet from thh NSG's Settings blade.
Delete an NSG
You can only delete an NSG if it's not associated to any resource. To delete an NSG, complete the following steps:.
1. From the Azure portal, click Resource groups > > RG-NSG > ... > NSG-FrontEnd.
2. In the Settings blade, click Network interfaces.
3. If there are any NICs listed, click the NIC, and follow step 2 in Dissociate an NSG from a NIC.
4. Repeat step 3 for each NIC.
5. In the Settings blade, click Subnets.
6. If there are any subnets listed, click the subnet and follow steps 2 and 3 in Dissociate an NSG from a subnet.
7. Scrolls left to the NSG-FrontEnd blade, then click Delete > Yes.
Next steps
Manage network security groups using PowerShell
work.
NOTE
Sample Scenario

NOTE
Retrieve Information
You can view your existing NSGs, retrieve rules for an existing NSG, and find out what resources an NSG is
associated to.
View existing NSGs
To view all existing NSGs in a subscription, run the Get-AzureRmNetworkSecurityGroup cmdlet.
Expected result:
Name :NSG-BackEnd
ResourceGroupName :RG-NSG
Location :westus
Id :/subscriptions/[Subscription Id]/resourceGroups/RG-NSG/providers/
Microsoft.Network/networkSecurityGroups/NSG-BackEnd
Etag : W/"[Id]"
ResourceGuid : [Id]
Tags :
SecurityRules : [...]
DefaultSecurityRules : [...]
NetworkInterfaces : [...]
Subnets : [...]
Name :NSG-FrontEnd
ResourceGroupName :RG-NSG
Location :eastus
Id :/subscriptions/[Subscription Id]/resourceGroups/NRP-RG/providers/
Microsoft.Network/networkSecurityGroups/NSG-FrontEnd
Etag : W/"[Id]"
ResourceGuid : [Id]
Tags :
Subnets : [...]
Name :WEB1
ResourceGroupName :RG101
Location :eastus2
Id :/subscriptions/[Subscription Id]/resourceGroups/RG101/providers/M
icrosoft.Network/networkSecurityGroups/WEB1
Etag : W/"[Id]"
ResourceGuid : [Id]
Tags :
Subnets : [...]
To view the list of NSGs in a specific resource group, run the Get-AzureRmNetworkSecurityGroup cmdlet.
Expected output:
Name : NSG-BackEnd
ResourceGroupName : RG-NSG
Location : westus
Id : /subscriptions/[Subscription Id]/resourceGroups/RG-NSG/providers/
Microsoft.Network/networkSecurityGroups/NSG-BackEnd
Etag : W/"[Id]"
ResourceGuid : [Id]
Tags :
Subnets : [...]
Name : NSG-FrontEnd
ResourceGroupName : RG-NSG
Location : eastus
Id : /subscriptions/[Subscription Id]/resourceGroups/NRP-RG/providers/
Microsoft.Network/networkSecurityGroups/NSG-FrontEnd
Etag : W/"[Id]"
ResourceGuid : [Id]
Tags :
Subnets : [...]

To view the rules of an NSG named NSG-FrontEnd, enter the following command:
Get-AzureRmNetworkSecurityGroup -ResourceGroupName RG-NSG -Name NSG-FrontEnd | Select SecurityRules -

ExpandProperty SecurityRules
Expected output:
Name : rdp-rule
Microsoft.Network/networkSecurityGroups/NSG-FrontEnd/securityRules/rdp-rule
Etag : W/"[Id]"
Description : Allow RDP
Protocol : Tcp
SourcePortRange : *
DestinationPortRange : 3389
SourceAddressPrefix : Internet
DestinationAddressPrefix : *
Access : Allow
Priority : 100
Direction : Inbound
Name : web-rule
Microsoft.Network/networkSecurityGroups/NSG-FrontEnd/securityRules/web-rule
Etag : W/"[Id]"
Description : Allow HTTP
Protocol : Tcp
SourcePortRange : *
DestinationPortRange : 80
SourceAddressPrefix : Internet
DestinationAddressPrefix : *
Access : Allow
Priority : 101
Direction : Inbound
NOTE
You can also use
Get-AzureRmNetworkSecurityGroup -ResourceGroupName RG-NSG -Name "NSG-FrontEnd" | Select
DefaultSecurityRules -ExpandProperty DefaultSecurityRules
to list the default rules from the NSG-FrontEnd NSG.
View NSGs associations

To view what resources the NSG-FrontEnd NSG is associate with, run the following command:
Get-AzureRmNetworkSecurityGroup -ResourceGroupName RG-NSG -Name NSG-FrontEnd
Look for the NetworkInterfaces and Subnets properties as shown below:
NetworkInterfaces : []
Subnets : [
{
"Id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/RG-
NSG/providers/Microsoft.Network/virtualNetworks/TestVNet/subnets/FrontEnd",
"IpConfigurations": []
}
]
In the previous example, the NSG is not associated to any network interfaces (NICs); it is associated to a subnet
named FrontEnd.
Manage rules
You can add rules to an existing NSG, edit existing rules, and remove rules.
Add a rule
To add a rule allowing inbound traffic to port 443 from any machine to the NSG-FrontEnd NSG, complete the
following steps:
1. Run the following command to retrieve the existing NSG and store it in a variable:
$nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName RG-NSG -Name NSG-FrontEnd
2. Run the following command to add a rule to the NSG:
Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `

-Name https-rule `
-Description "Allow HTTPS" `
-Access Allow `
-Protocol Tcp `
-Priority 102 `
-SourceAddressPrefix * `
3. To save the changes made to the NSG, run the following command:
Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg
Expected output showing only the security rules:
Name : NSG-FrontEnd
...
SecurityRules : [
{
"Name": "rdp-rule",
...
},
{
"Name": "web-rule",
...
},
{
"Name": "https-rule",
"Etag": "W/\"[Id]\"",
"Id": "/subscriptions/[Subscription Id]/resourceGroups/RG-
NSG/providers/Microsoft.Network/networkSecurityGroups/NSG-FrontEnd/securityRules/https-rule",
"Description": "Allow HTTPS",
"Protocol": "Tcp",
"SourceAddressPrefix": "*",
"Access": "Allow",
"Priority": 102,
}
]
Change a rule
To change the rule created above to allow inbound traffic from the Internet only, follow the steps below.
2. Run the following command with the new rule settings:
Set-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `

-Name https-rule `
-Description "Allow HTTPS" `
-Access Allow `
-Protocol Tcp `
-Priority 102 `
-SourceAddressPrefix Internet `
3. To save the changes made to the NSG, run the following command:
Expected output showing only the security rules:
Name : NSG-FrontEnd
...
SecurityRules : [
{
"Name": "rdp-rule",
...
},
{
"Name": "web-rule",
...
},
{
"Name": "https-rule",
"Etag": "W/\"[Id]\"",
NSG/providers/Microsoft.Network/networkSecurityGroups/NSG-FrontEnd/securityRules/https-rule",
"Description": "Allow HTTPS",
"Protocol": "Tcp",
"Access": "Allow",
"Priority": 102,
}
]
Delete a rule
2. Run the following command to remove the rule from the NSG:
Remove-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name https-rule
3. Save the changes made to the NSG, by running the following command:
Expected output showing only the security rules, notice the https-rule is no longer listed:
Name : NSG-FrontEnd
...
SecurityRules : [
{
"Name": "rdp-rule",
...
},
{
"Name": "web-rule",
...
}
]
Manage associations
You can associate an NSG to subnets and NICs. You can also dissociate an NSG from any resource it's associated
to.
To associate the NSG-FrontEnd NSG to the TestNICWeb1 NIC, complete the following steps:
2. Run the following command to retrieve the existing NIC and store it in a variable:
$nic = Get-AzureRmNetworkInterface -ResourceGroupName RG-NSG -Name TestNICWeb1
3. Set the NetworkSecurityGroup property of the NIC variable to the value of the NSG variable, by entering
the following command:
$nic.NetworkSecurityGroup = $nsg
4. To save the changes made to the NIC, run the following command:
Expected output showing only the NetworkSecurityGroup property:

NetworkSecurityGroup : {
"SecurityRules": [],
"DefaultSecurityRules": [],
"NetworkInterfaces": [],
"Subnets": [],
NSG/providers/Microsoft.Network/networkSecurityGroups/NSG-FrontEnd"
}

To dissociate the NSG-FrontEnd NSG from the TestNICWeb1 NIC, complete the following steps:
1. Run the following command to retrieve the existing NIC and store it in a variable:
$nic = Get-AzureRmNetworkInterface -ResourceGroupName RG-NSG -Name TestNICWeb1
2. Set the NetworkSecurityGroup property of the NIC variable to $null by running the following command:
$nic.NetworkSecurityGroup = $null
3. To save the changes made to the NIC, run the following command:
Expected output showing only the NetworkSecurityGroup property:

To dissociate the NSG-FrontEnd NSG from the FrontEnd subnet, complete the following steps:
1. Run the following command to retrieve the existing VNet and store it in a variable:
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName RG-NSG -Name TestVNet
2. Run the following command to retrieve the FrontEnd subnet and store it in a variable:
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name FrontEnd
3. Set the NetworkSecurityGroup property of the subnet variable to $null by entering the following
command:
$subnet.NetworkSecurityGroup = $null
4. To save the changes made to the subnet, run the following command:
Expected output showing only the properties of the FrontEnd subnet. Notice there isn't a property for
NetworkSecurityGroup:
...
Subnets : [
{
"Name": "FrontEnd",
"Etag": "W/\"[Id]\"",
"AddressPrefix": "192.168.1.0/24",
{
NSG/providers/Microsoft.Network/networkInterfaces/TestNICWeb2/ipConfigurations/ipconfig1"
},
{
NSG/providers/Microsoft.Network/networkInterfaces/TestNICWeb1/ipConfigurations/ipconfig1"
}
],
},
...
]

To associate the NSG-FrontEnd NSG to the FronEnd subnet again, complete the following steps:
1. Run the following command to retrieve the existing VNet and store it in a variable:
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName RG-NSG -Name TestVNet
2. Run the following command to retrieve the FrontEnd subnet and store it in a variable:
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name FrontEnd
4. Set the NetworkSecurityGroup property of the subnet variable to $null by running the following
command:
$subnet.NetworkSecurityGroup = $nsg
5. To save the changes made to the subnet, run the following command:
Expected output showing only the NetworkSecurityGroup property of the FrontEnd subnet:
...
"SecurityRules": [],
"DefaultSecurityRules": [],
"NetworkInterfaces": [],
"Subnets": [],
NSG/providers/Microsoft.Network/networkSecurityGroups/NSG-FrontEnd"
}
...
Delete an NSG
You can only delete an NSG if it's not associated to any resource. To delete an NSG, follow the steps below.
1. To check the resources associated to an NSG, run the azure network nsg show as shown in View NSGs
associations.
2. If the NSG is associated to any NICs, run the azure network nic set as shown in Dissociate an NSG from a NIC
for each NIC.
3. If the NSG is associated to any subnet, run the azure network vnet subnet set as shown in Dissociate an NSG
from a subnet for each subnet.
4. To delete the NSG, run the following command:
Remove-AzureRmNetworkSecurityGroup -ResourceGroupName RG-NSG -Name NSG-FrontEnd -Force
NOTE
The -Force parameter ensures you don't need to confirm the deletion.
Next steps
Manage network security groups using the Azure CLI
2.0

work.
NOTE
Sample Scenario
Prerequisite
If you haven't yet, install and configure the latest Azure CLI 2.0 and log in to an Azure account using az login.
View existing NSGs

To view the list of NSGs in a specific resource group, run the az network nsg list command with a -o table output
format:
az network nsg list -g RG-NSG -o table
Expected output:
Location Name ProvisioningState ResourceGroup ResourceGuid

---------- ------------ ------------------- --------------- ------------------------------------
centralus NSG-BackEnd Succeeded RG-NSG <guid>
centralus NSG-FrontEnd Succeeded RG-NSG <guid>

To view the rules of an NSG named NSG-FrontEnd, run the az network nsg show command using a JMESPATH
query filter and the -o table output format:
az network nsg show \

--resource-group RG-NSG \
--name NSG-FrontEnd \
--query '[defaultSecurityRules[],securityRules[]][].
{Name:name,Desc:description,Access:access,Direction:direction,DestPortRange:destinationPortRange,DestAddrPrefi
x:destinationAddressPrefix,SrcPortRange:sourcePortRange,SrcAddrPrefix:sourceAddressPrefix}' \
-o table
Expected output:
Name Desc Access Direction
DestPortRange DestAddrPrefix SrcPortRange SrcAddrPrefix
----------------------------- ------------------------------------------------------ -------- -----------
--------------- ---------------- -------------- -----------------
AllowVnetInBound Allow inbound traffic from all VMs in VNET Allow Inbound
* VirtualNetwork * VirtualNetwork
AllowAzureLoadBalancerInBound Allow inbound traffic from azure load balancer Allow Inbound
* * * AzureLoadBalancer
DenyAllInBound Deny all inbound traffic Deny Inbound
* * * *
AllowVnetOutBound Allow outbound traffic from all VMs to all VMs in VNET Allow Outbound
* VirtualNetwork * VirtualNetwork
AllowInternetOutBound Allow outbound traffic from all VMs to Internet Allow Outbound
* Internet * *
DenyAllOutBound Deny all outbound traffic Deny Outbound
* * * *
rdp-rule Allow Inbound
3389 * * Internet
web-rule Allow Inbound
80 * * Internet
NOTE
You can also use az network nsg rule list to list only the custom rules from an NSG .
View NSG associations

To view what resources the NSG-FrontEnd NSG is associate with, run the az network nsg show command as
shown below.
az network nsg show -g RG-NSG -n nsg-frontend --query '[subnets,networkInterfaces]'
Look for the networkInterfaces and subnets properties as shown below:
[
[
{
"addressPrefix": null,
"etag": null,
"id": "/subscriptions/<guid>/resourceGroups/RG-
NSG/providers/Microsoft.Network/virtualNetworks/TestVNET/subnets/FrontEnd",
"name": null,
"resourceGroup": "RG-NSG",
"routeTable": null
}
],
null
]
In the example above, the NSG is not associated to any network interfaces (NICs), and it is associated to a subnet
named FrontEnd.
Add a rule
To add a rule allowing inbound traffic to port 443 from any machine to the NSG-FrontEnd NSG, enter the
following command:

--name allow-https \
--description "Allow access to port 443 for HTTPS" \
--access Allow \
--protocol Tcp \
--priority 102 \
--source-address-prefix "*" \
--destination-port-range "443"
Expected output:
{
"access": "Allow",
"description": "Allow access to port 443 for HTTPS",
"etag": "W/\"<guid>\"",
"id": "/subscriptions/<guid>/resourceGroups/RG-NSG/providers/Microsoft.Network/networkSecurityGroups/NSG-
FrontEnd/securityRules/allow-https",
"name": "allow-https",
"priority": 102,
"protocol": "Tcp",
"sourceAddressPrefix": "*",
}
Change a rule
To change the rule created above to allow inbound traffic from the Internet only, run the az network nsg rule
update command:
az network nsg rule update \

--name allow-https \
--source-address-prefix Internet
Expected output:
{
"access": "Allow",
"description": "Allow access to port 443 for HTTPS",
"etag": "W/\"<guid>\"",
FrontEnd/securityRules/allow-https",
"name": "allow-https",
"priority": 102,
"protocol": "Tcp",
}
Delete a rule
To delete the rule created above, run the following command:
az network nsg rule delete \

--name allow-https

To associate the NSG-FrontEnd NSG to the TestNICWeb1 NIC, use the az network nic update command:
az network nic update \

--name TestNICWeb1 \
Expected output:
{
"dnsSettings": {
"dnsServers": [],
"internalDnsNameLabel": null,
"internalDomainNameSuffix": "k0wkaguidnqrh0ud.gx.internal.cloudapp.net",
"internalFqdn": null
},
"enableAcceleratedNetworking": false,
"enableIpForwarding": false,
"etag": "W/\"<guid>\"",
NSG/providers/Microsoft.Network/networkInterfaces/TestNICWeb1",
{
"applicationGatewayBackendAddressPools": null,
"etag": "W/\"<guid>\"",
NSG/providers/Microsoft.Network/networkInterfaces/TestNICWeb1/ipConfigurations/ipconfig1",
"loadBalancerBackendAddressPools": null,
"loadBalancerInboundNatRules": null,
"primary": true,
"primary": true,
"privateIpAddress": "192.168.1.6",
"privateIpAddressVersion": "IPv4",
"privateIpAllocationMethod": "Static",
"publicIpAddress": null,
"subnet": {
"addressPrefix": null,
"etag": null,
"name": null,
"routeTable": null
}
}
],
"macAddress": "00-0D-3A-91-A9-60",
"name": "TestNICWeb1",
"etag": null,
FrontEnd",
"location": null,
"name": null,
"subnets": null,
"tags": null,
"type": null
},
"primary": null,
"resourceGuid": "<guid>",
"tags": {},
"virtualMachine": null
}

To dissociate the NSG-FrontEnd NSG from the TestNICWeb1 NIC, run the az network nsg rule update command
again but replace the --network-security-group argument with an empty string ( "" ).
az network nic update --resource-group RG-NSG --name TestNICWeb3 --network-security-group ""
In the output, the networkSecurityGroup key is set to null.

To dissociate the NSG-FrontEnd NSG from the FrontEnd subnet, again run the az network nsg rule update
command again but replace the --network-security-group argument with an empty string ( "" ).
--name FrontEnd \
--network-security-group ""
In the output, the networkSecurityGroup key is set to null.

To associate the NSG-FrontEnd NSG to the FrontEnd subnet again, run the following command:

--name FrontEnd \
In the output, the networkSecurityGroup key has something similar for the value:
"etag": null,
"id": "/subscriptions/0e220bf6-5caa-4e9f-8383-51f16b6c109f/resourceGroups/RG-
NSG/providers/Microsoft.Network/networkSecurityGroups/NSG-FrontEnd",
"location": null,
"name": null,
"subnets": null,
"tags": null,
"type": null
}
Delete an NSG
You can only delete an NSG if it's not associated to any resource. To delete an NSG, follow the steps below.
1. To check the resources associated to an NSG, run the azure network nsg show as shown in View NSGs
associations.
2. If the NSG is associated to any NICs, run the azure network nic set as shown in Dissociate an NSG from a NIC
for each NIC.
3. If the NSG is associated to any subnet, run the azure network vnet subnet set as shown in Dissociate an NSG
from a subnet for each subnet.
4. To delete the NSG, run the following command:
az network nsg delete --resource-group RG-NSG --name NSG-FrontEnd
Next steps
5. Enable logging for NSGs.
Log analytics for network security groups (NSGs)
You can enable the following diagnostic log categories for NSGs:
Event: Contains entries for which NSG rules are applied to VMs and instance roles based on MAC address. The
status for these rules is collected every 60 seconds.
Rule counter: Contains entries for how many times each NSG rule is applied to deny or allow traffic.
NOTE
Diagnostic logs are only available for NSGs deployed through the Azure Resource Manager deployment model. You cannot
enable diagnostic logging for NSGs deployed through the classic deployment model. For a better understanding of the two
models, reference the Understanding Azure deployment models article.
Activity logging (previously known as audit or operational logs) is enabled by default for NSGs created through
either Azure deployment model. To determine which operations were completed on NSGs in the activity log, look
for entries that contain the following resource types:
Microsoft.ClassicNetwork/networkSecurityGroups
Microsoft.ClassicNetwork/networkSecurityGroups/securityRules
Microsoft.Network/networkSecurityGroups
Microsoft.Network/networkSecurityGroups/securityRules
Read the Overview of the Azure Activity Log article to learn more about activity logs.
Enable diagnostic logging

Diagnostic logging must be enabled for each NSG you want to collect data for. The Overview of Azure Diagnostic
Logs article explains where diagnostic logs can be sent. If you don't have an existing NSG, complete the steps in
the Create a network security group article to create one. You can enable NSG diagnostic logging using any of the
following methods:
Azure portal
To use the portal to enable logging, login to the portal. Click More services, then type network security groups.
Select the NSG you want to enable logging for. Follow the instructions for non-compute resources in the Enable
diagnostic logs in the portal article. Select NetworkSecurityGroupEvent, NetworkSecurityGroupRuleCounter,
or both categories of logs.
PowerShell
To use PowerShell to enable logging, follow the instructions in the Enable diagnostic logs via PowerShell article.
Evaluate the following information before entering a command from the article:
You can determine the value to use for the -ResourceId parameter by replacing the following [text], as
appropriate, then entering the command
Get-AzureRmNetworkSecurityGroup -Name [nsg-name] -ResourceGroupName [resource-group-name] . The ID output
from the command looks similar to /subscriptions/[Subscription Id]/resourceGroups/[resource-
group]/providers/Microsoft.Network/networkSecurityGroups/[NSG name].
If you only want to collect data from log category add -Categories [category] to the end of the command in
the article, where category is either NetworkSecurityGroupEvent or NetworkSecurityGroupRuleCounter. If you
don't use the -Categories parameter, data collection is enabled for both log categories.
Azure command-line interface (CLI )
To use the CLI to enable logging, follow the instructions in the Enable diagnostic logs via CLI article. Evaluate the
following information before entering a command from the article:
You can determine the value to use for the -ResourceId parameter by replacing the following [text], as
appropriate, then entering the command azure network nsg show [resource-group-name] [nsg-name] . The ID
output from the command looks similar to /subscriptions/[Subscription Id]/resourceGroups/[resource-
group]/providers/Microsoft.Network/networkSecurityGroups/[NSG name].
If you only want to collect data from log category add -Categories [category] to the end of the command in
the article, where category is either NetworkSecurityGroupEvent or NetworkSecurityGroupRuleCounter. If you
don't use the -Categories parameter, data collection is enabled for both log categories.
Logged data
JSON-formatted data is written for both logs. The specific data written for each log type is listed in the following
sections:
Event log
This log contains information about which NSG rules are applied to VMs and cloud service role instances, based
on MAC address. The following example data is logged for each event:
{
"time": "[DATE-TIME]",
"systemId": "007d0441-5d6b-41f6-8bfd-930db640ec03",
"category": "NetworkSecurityGroupEvent",
"resourceId": "/SUBSCRIPTIONS/[SUBSCRIPTION-ID]/RESOURCEGROUPS/[RESOURCE-GROUP-
NAME]/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/[NSG-NAME]",
"operationName": "NetworkSecurityGroupEvents",
"properties": {
"vnetResourceGuid":"{5E8AEC16-C728-441F-B0CA-B791E1DBC2F4}",
"subnetPrefix":"192.168.1.0/24",
"macAddress":"00-0D-3A-92-6A-7C",
"primaryIPv4Address":"192.168.1.4",
"ruleName":"UserRule_default-allow-rdp",
"direction":"In",
"priority":1000,
"type":"allow",
"conditions":{
"protocols":"6",
"destinationPortRange":"3389-3389",
"sourcePortRange":"0-65535",
"sourceIP":"0.0.0.0/0",
"destinationIP":"0.0.0.0/0"
}
}
}
Rule counter log

This log contains information about each rule applied to resources. The following example data is logged each
time a rule is applied:
{
"time": "[DATE-TIME]",
"systemId": "007d0441-5d6b-41f6-8bfd-930db640ec03",
"category": "NetworkSecurityGroupRuleCounter",
"resourceId": "/SUBSCRIPTIONS/[SUBSCRIPTION ID]/RESOURCEGROUPS/[RESOURCE-GROUP-
NAME]TESTRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/[NSG-NAME]",
"operationName": "NetworkSecurityGroupCounters",
"properties": {
"vnetResourceGuid":"{5E8AEC16-C728-441F-B0CA-791E1DBC2F4}",
"subnetPrefix":"192.168.1.0/24",
"macAddress":"00-0D-3A-92-6A-7C",
"primaryIPv4Address":"192.168.1.4",
"ruleName":"UserRule_default-allow-rdp",
"direction":"In",
"type":"allow",
"matchedConnections":125
}
}
View and analyze logs

To learn how to view activity log data, read the Overview of the Azure Activity Log article. To learn how to view
diagnostic log data, read the Overview of Azure Diagnostic Logs article. If you send diagnostics data to Log
Analytics, you can use the Azure Network Security Group analytics (preview) management solution for enhanced
insights.
Create, change, or delete a network interface
Learn how to create, change settings for, and delete a network interface. A network interface enables an Azure
Virtual Machine to communicate with Internet, Azure, and on-premises resources. When creating a virtual machine
using the Azure portal, the portal creates one network interface with default settings for you. You may instead
choose to create network interfaces with custom settings and add one or more network interfaces to a virtual
machine when you create it. You may also want to change default network interface settings for an existing
network interface. This article explains how to create a network interface with custom settings, change existing
settings, such as network filter (network security group) assignment, subnet assignment, DNS server settings, and
IP forwarding, and delete a network interface.
If you need to add, change, or remove IP addresses for a network interface, read the Manage IP addresses article. If
you need to add network interfaces to, or remove network interfaces from virtual machines, read the Add or
remove network interfaces article.
Before you begin

Review the Azure limits article to learn about limits for network interfaces.
If using Azure command-line interface (CLI) commands to complete tasks in this article, install and configure
the Azure CLI. Ensure you have the most recent version of the Azure CLI installed. To get help for CLI
commands, type az <command> --help . Rather than installing the CLI and its pre-requisites, you can use the
Azure Cloud Shell. The Azure Cloud Shell is a free Bash shell that you can run directly within the Azure portal. It
Create a network interface

When creating a virtual machine using the Azure portal, the portal creates a network interface with default settings
for you. If you'd rather specify all your network interface settings, you can create a network interface with custom
settings and attach the network interface to a virtual machine when creating the virtual machine (using PowerShell
or the Azure CLI). You can also create a network interface and add it to an existing virtual machine (using
PowerShell or the Azure CLI). To learn how to create a virtual machine with an existing network interface or to add
to, or remove network interfaces from existing virtual machines, read the Add or remove network interfaces article.
Before creating a network interface, you must have an existing virtual network in the same location and
subscription you create a network interface in.
1. Log in to the Azure portal with an account that is assigned (at a minimum) permissions for the Network
Contributor role for your subscription. Read the Built-in roles for Azure role-based access control article to
learn more about assigning roles and permissions to accounts.
2. In the box that contains the text Search resources at the top of the Azure portal, type network interfaces. When
network interfaces appears in the search results, click it.
3. In the Network interfaces blade that appears, click + Add.
4. In the Create network interface blade that appears, enter, or select values for the following settings, then
click Create:
SETTING REQUIRED? DETAILS
Name Yes The name must be unique within the

resource group you select. Over time,
you'll likely have several network
interfaces in your Azure subscription.
Read the Naming conventions article
for suggestions when creating a
naming convention to make
managing several network interfaces
easier. The name cannot be changed
after the network interface is created.
Virtual network Yes Select the virtual network for the

network interface. You can only
assign a network interface to a virtual
network that exists in the same
subscription and location as the
network interface. Once a network
interface is created, you cannot
change the virtual network it is
assigned to. The virtual machine you
add the network interface to must
also exist in the same location and
subscription as the network interface.
Subnet Yes Select a subnet within the virtual

network you selected. You can
change the subnet the network
interface is assigned to after it's
created.
Private IP address assignment Yes In this setting, you're choosing the

assignment method for the IPv4
address. Choose from the following
assignment methods: Dynamic:
When selecting this option, Azure
automatically assigns an available
address from the address space of
the subnet you selected. Azure may
assign a different address to a
network interface when the virtual
machine it's in is started after having
been in the stopped (deallocated)
state. The address remains the same
if the virtual machine is restarted
without having been in the stopped
(deallocated) state. Static: When
selecting this option, you must
manually assign an available IP
address from within the address
space of the subnet you selected.
Static addresses do not change until
you change them or the network
interface is deleted. You can change
the assignment method after the
network interface is created. The
Azure DHCP server assigns this
address to the network interface
within the operating system of the
virtual machine.
Network security group No Leave set to None, select an existing

network security group, or create a
network security group. Network
security groups enable you to filter
network traffic in and out of a
network interface. You can apply zero
or one network security group to a
network interface. Zero or one
network security group can also be
applied to the subnet the network
interface is assigned to. When a
network security group is applied to
a network interface and the subnet
the network interface is assigned to,
sometimes unexpected results occur.
To troubleshoot network security
groups applied to network interfaces
and subnets, read the Troubleshoot
network security groups article.
Subscription Yes Select one of your Azure

subscriptions. The virtual machine
you attach a network interface to
and the virtual network you connect
it to must exist in the same
subscription.
Private IP address (IPv6) No If you select this checkbox, an IPv6

address is assigned to the network
interface, in addition to the IPv4
address assigned to the network
interface. See the IPv6 section of this
article for important information
about use of IPv6 with network
interfaces. You cannot select an
assignment method for the IPv6
address. If you choose to assign an
IPv6 address, it is assigned with the
dynamic method.
IPv6 name (only appears when the Yes, if the Private IP address (IPv6) This name is assigned to a secondary
Private IP address (IPv6) checkbox checkbox is checked. IP configuration for the network
is checked) interface. Learn more about IP
configurations in the View network
interface settings section of this
article.
Resource group Yes Select an existing resource group or

create one. A network interface can
exist in the same, or different
resource group, than the virtual
machine you attach it to, or the
virtual network you connect it to.
Location Yes The virtual machine you attach a

network interface to and the virtual
network you connect it to must exist
in the same location, also referred to
as a region.
The portal doesn't provide the option to assign a public IP address to the network interface when you create it,
though the portal does create a public IP address and assign it to a network interface when you create a virtual
machine using the portal. To learn how to add a public IP address to the network interface after creating it, read the
Manage IP addresses article. If you want to create a network interface with a public IP address, you must use the
CLI or PowerShell to create the network interface.
NOTE
Azure assigns a MAC address to the network interface only after the network interface is attached to a virtual machine and
the virtual machine is started the first time. You cannot specify the MAC address that Azure assigns to the network interface.
The MAC address remains assigned to the network interface until the network interface is deleted or the private IP address
assigned to the primary IP configuration of the primary network interface is changed. To learn more about IP addresses and
IP configurations, read the Manage IP addresses article.
Commands
TOOL COMMAND
CLI az network nic create
PowerShell New-AzureRmNetworkInterface
View network interface settings
You can view and change most settings for a network interface after it's created.
3. In the Network interfaces blade that appears, click the network interface you want to view or change settings
for.
4. The following settings are listed in the blade that appears for the network interface you selected:
Overview: Provides information about the network interface, such as the IP addresses assigned to it, the
virtual network/subnet the network interface is assigned to, and the virtual machine the network
interface is attached to (if it's attached to one). The following picture shows the overview settings for a
network interface named mywebserver256:
You can move a network interface to a different resource group or subscription by clicking (change)
next to the Resource group or Subscription name. If you move the network interface, you must move
all resources related to the network interface with it. If the network interface is attached to a virtual
machine, for example, you must also move the virtual machine, and other virtual machine-related
resources. To move a network interface, read the Move resource to a new resource group or subscription
article. The article lists prerequisites, and how to move resources using the Azure portal, PowerShell, and
the Azure CLI.
IP configurations: Public and private IPv4 and IPv6 addresses assigned to IP configurations are listed
here. If an IPv6 address is assigned to an IP configuration, the address is not displayed. Learn more about
IP configurations and how to add and remove IP addresses in the Configure IP addresses for an Azure
network interface article. IP forwarding and subnet assignment are also configured in this section. To
learn more about these settings, read the Enable or disable IP forwarding and Change subnet
assignment sections of this article.
DNS servers: You can specify which DNS server a network interface is assigned by the Azure DHCP
servers. The network interface can inherit the setting from the virtual network the network interface is
assigned to, or have a custom setting that overrides the setting for the virtual network it's assigned to. To
modify what's displayed, complete the steps in the Change DNS servers section of this article.
Network security group (NSG): Displays which NSG is associated to the network interface (if any). An
NSG contains inbound and outbound rules to filter network traffic for the network interface. If an NSG is
associated to the network interface, the name of the associated NSG is displayed. To modify what's
displayed, complete the steps in the Manage network security group associations article.
Properties: Displays key settings about the network interface, including its MAC address (blank if the
network interface isn't attached to a virtual machine), and the subscription it exists in.
Effective security rules: Security rules are listed if the network interface is attached to a running virtual
machine, and an NSG is associated to the network interface, the subnet it's assigned to, or both. To learn
more about what's displayed, read the Troubleshoot network security groups article. To learn more
about NSGs, read the Network security groups article.
Effective routes: Routes are listed if the network interface is attached to a running virtual machine. The
routes are a combination of the Azure default routes, any user-defined routes (UDR), and any BGP routes
that may exist for the subnet the network interface is assigned to. To learn more about what's displayed,
read the Troubleshoot routes article. To learn more about Azure default and UDRs, read the User-defined
routes article.
Common Azure Resource Manager settings: To learn more about common Azure Resource Manager
settings, read the Activity log, Access control (IAM), Tags, Locks, and Automation script articles.
Commands
If an IPv6 address is assigned to a network interface, the PowerShell output returns the fact that the address is
assigned, but it doesn't return the assigned address. Similarly, the CLI returns the fact that the address is assigned,
but returns null in its output for the address.
TOOL COMMAND
CLI az network nic list to view network interfaces in the

subscription; az network nic show to view settings for a
network interface
PowerShell Get-AzureRmNetworkInterface to view network interfaces in

the subscription or view settings for a network interface
Change DNS servers

The DNS server is assigned by the Azure DHCP server to the network interface within the virtual machine
operating system. The DNS server assigned is whatever the DNS server setting is for a network interface. To learn
more about name resolution settings for a network interface, see Name resolution for virtual machines. The
network interface can inherit the settings from the virtual network, or use its own unique settings that override the
setting for the virtual network.
for.
4. In the blade for the network interface you selected, click DNS servers under SETTINGS.
5. Click either:
Inherit from virtual network (default): Choose this option to inherit the DNS server setting defined
for the virtual network the network interface is assigned to. At the virtual network level, either a custom
DNS server or the Azure-provided DNS server is defined. The Azure-provided DNS server can resolve
hostnames for resources assigned to the same virtual network. FQDN must be used to resolve for
resources assigned to different virtual networks.
Custom: You can configure your own DNS server to resolve names across multiple virtual networks.
Enter the IP address of the server you want to use as a DNS server. The DNS server address you specify
is assigned only to this network interface and overrides any DNS setting for the virtual network the
network interface is assigned to.
6. Click Save.
Commands
TOOL COMMAND
CLI az network nic update
PowerShell Set-AzureRmNetworkInterface
Enable or disable IP forwarding

IP forwarding enables the virtual machine a network interface is attached to:
Receive network traffic not destined for one of the IP addresses assigned to any of the IP configurations
assigned to the network interface.
Send network traffic with a different source IP address than the one assigned to one of a network interface's IP
configurations.
The setting must be enabled for every network interface that is attached to the virtual machine that receives traffic
that the virtual machine needs to forward. A virtual machine can forward traffic whether it has multiple network
interfaces or a single network interface attached to it. While IP forwarding is an Azure setting, the virtual machine
must also run an application able to forward the traffic, such as firewall, WAN optimization, and load balancing
applications. When a virtual machine is running network applications, the virtual machine is often referred to as a
network virtual appliance. You can view a list of ready to deploy network virtual appliances in the Azure
Marketplace. IP forwarding is typically used with user-defined routes. To learn more about user-defined routes,
read the User-defined routes article.
3. In the Network interfaces blade that appears, click the network interface you want to enable or disable IP
forwarding for.
4. In the blade for the network interface you selected, click IP configurations in the SETTINGS section.
5. Click Enabled or Disabled (default setting) to change the setting.
6. Click Save.
Commands
TOOL COMMAND
CLI az network nic update
PowerShell Set-AzureRmNetworkInterface
Change subnet assignment

You can change the subnet, but not the virtual network, that a network interface is assigned to.
for.
4. Click IP configurations under SETTINGS in the blade for the network interface you selected. If any private IP
addresses for any IP configurations listed have (Static) next to them, you must change the IP address
assignment method to dynamic by completing the steps that follow. All private IP addresses must be assigned
with the dynamic assignment method to change the subnet assignment for the network interface. If the
addresses are assigned with the dynamic method, continue to step five. If any IPv4 addresses are assigned with
the static assignment method, complete the following steps to change the assignment method to dynamic:
Click the IP configuration you want to change the IPv4 address assignment method for from the list of IP
configurations.
In the blade that appears for the IP configuration, click Dynamic for the Assignment method. You
cannot assign an IPv6 address with the static assignment method.
Click Save.
5. Select the subnet you want to connect the network interface to from the Subnet drop-down list.
6. Click Save. New dynamic addresses are assigned from the subnet address range for the new subnet. After
assigning the network interface to a new subnet, you can assign a static IPv4 address from the new subnet
address range if you choose. To learn more about adding, changing, and removing IP addresses for a network
interface, read the Manage IP addresses article.
Commands
TOOL COMMAND
CLI az network nic ip-config update
PowerShell Set-AzureRmNetworkInterfaceIpConfig
Delete a network interface

You can delete a network interface as long as it's not attached to a virtual machine. If it is attached to a virtual
machine, you must first place the virtual machine in the stopped (deallocated) state, then detach the network
interface from the virtual machine, before you can delete the network interface. To detach a network interface from
a virtual machine, complete the steps in the Detach a network interface from a virtual machine section of the Add
or remove network interfaces article. Deleting a virtual machine detaches all network interfaces attached to it, but
does not delete the network interfaces.
3. Right-click the network interface you want to delete and click Delete.
4. Click Yes to confirm deletion of the network interface.
When you delete a network interface, any MAC or IP addresses assigned to it are released.
Commands
TOOL COMMAND
CLI az network nic delete

TOOL COMMAND
PowerShell Remove-AzureRmNetworkInterface
Next steps
To create a virtual machine with multiple network interfaces or IP addresses, read the following articles:
Commands
TASK TOOL
Create a single NIC VM with a private IPv6 address (behind CLI, PowerShell, Azure Resource Manager template
an Azure Load Balancer)
Add, change, or remove IP addresses for an Azure
network interface
Learn how to add, change, and remove public and private IP addresses for a network interface. Private IP
addresses assigned to a network interface enable a virtual machine to communicate with other resources in an
Azure virtual network and connected networks. A private IP address also enables outbound communication to
the Internet using an unpredictable IP address. A Public IP address assigned to a network interface enables
inbound communication to a virtual machine from the Internet. The address also enables outbound
communication from the virtual machine to the Internet using a predictable IP address. For details, see
Understanding outbound connections in Azure.
If you need to create, change, or delete a network interface, read the Manage a network interface article. If you
need to add network interfaces to or remove network interfaces from a virtual machine, read the Add or remove
network interfaces article.
Before you begin

Review the Azure limits article to learn about limits for public and private IP addresses.
If using PowerShell commands to complete tasks in this article, install and configure Azure PowerShell.
Ensure you have the most recent version of the Azure PowerShell commandlets installed. To get help for
PowerShell commands, with examples, type get-help <command> -full .
Azure Cloud Shell. The Azure Cloud Shell is a free Bash shell that you can run directly within the Azure portal.
It has the Azure CLI preinstalled and configured to use with your account. To use the Cloud Shell, click the
Cloud Shell >_ button at the top of the portal.
Add IP addresses
You can add as many private and public IPv4 addresses as necessary to a network interface, within the limits
listed in the Azure limits article. You cannot use the portal to add an IPv6 address to an existing network
interface (though you can use the portal to add a private IPv6 address to a network interface when you create
the network interface). You can use PowerShell or the CLI to add a private IPv6 address to one secondary IP
configuration (as long as there are no existing secondary IP configurations) for an existing network interface that
is not attached to a virtual machine. You cannot use any tool to add a public IPv6 address to a network interface.
See IPv6 for details about using IPv6 addresses.
2. In the box that contains the text Search resources at the top of the Azure portal, type network interfaces.
When network interfaces appears in the search results, click it.
3. In the Network interfaces blade that appears, click the network interface you want to add an IPv4 address
for.
4. Click IP configurations in the SETTINGS section of the blade for the network interface you selected.
5. Click + Add in the blade that opens for IP configurations.
6. Specify the following, then click OK to close the Add IP configuration blade:
Name Yes Must be unique for the network

interface
Type Yes Since you're adding an IP

configuration to an existing network
interface, and each network interface
must have a primary IP
configuration, your only option is
Secondary.
Private IP address assignment Yes Dynamic addresses can change if

method the virtual machine is restarted after
having been in the stopped
(deallocated) state. Azure assigns an
available address from the address
space of the subnet the network
interface is connected to. Static
addresses aren't released until the
network interface is deleted. Specify
an IP address from the subnet
address space range that is not
currently in use by another IP
configuration.
Public IP address No Disabled: No public IP address

resource is currently associated to
the IP configuration. Enabled: Select
an existing IPv4 Public IP address, or
create a new one. To learn how to
create a public IP address, read the
Public IP addresses article.
7. Manually add secondary private IP addresses to the virtual machine operating system by completing the
instructions in the Assign multiple IP addresses to virtual machine operating systems article. See private IP
addresses for special considerations before manually adding IP addresses to a virtual machine operating
system. Do not add any public IP addresses to the virtual machine operating system.
Commands
TOOL COMMAND
CLI az network nic ip-config create
PowerShell Add-AzureRmNetworkInterfaceIpConfig
Change IP address settings

You may need to change the assignment method of an IPv4 address, change the static IPv4 address, or change
the public IP address assigned to a network interface. If you're changing the private IPv4 address of a secondary
IP configuration associated with a secondary network interface in a virtual machine (learn more about primary
and secondary network interfaces), place the virtual machine into the stopped (deallocated) state before
completing the following steps:
3. In the Network interfaces blade that appears, click the network interface you want to view or change IP
address settings for.
5. Click the IP configuration you want to modify from the list in the blade that opens for IP configurations.
6. Change the settings, as desired, using the information about the settings in step 6 of the Add an IP
configuration section of this article. Click Save to close the blade for the IP configuration you changed.
NOTE
If the primary network interface has multiple IP configurations and you change the private IP address of the primary IP
configuration, you must manually reassign the primary and secondary IP addresses to the network interface within
Windows (not required for Linux). To manually assign IP addresses to a network interface within an operating system, read
the Assign multiple IP addresses to virtual machines article. See private IP addresses for special considerations before
manually adding IP addresses to a virtual machine operating system. Do not add any public IP addresses to the virtual
machine operating system.
Commands
TOOL COMMAND
CLI az network nic ip-config update
PowerShell Set-AzureRMNetworkInterfaceIpConfig
Remove IP addresses
You can remove private and public IP addresses from a network interface, but a network interface must always
have at least one private IPv4 address assigned to it.
3. In the Network interfaces blade that appears, click the network interface you want to remove IP addresses
from.
5. Right-click a secondary IP configuration (you cannot delete the primary configuration) you want to delete,
click Delete, then click Yes to confirm the deletion. If the configuration had a public IP address resource
associated to it, the resource is dissociated from the IP configuration, but the resource is not deleted.
6. Close the IP configurations blade.
Commands
TOOL COMMAND
CLI az network nic ip-config delete
PowerShell Remove-AzureRmNetworkInterfaceIpConfig
IP configurations
Private and (optionally) public IP addresses are assigned to one or more IP configurations assigned to a network
interface. There are two types of IP configurations:
Primary
Each network interface is assigned one primary IP configuration. A primary IP configuration:
Has a private IPv4 address assigned to it. You cannot assign a private IPv6 address to a primary IP
configuration.
May also have a public IPv4 address assigned to it. You cannot assign a public IPv6 address to a primary or
secondary IP configuration. You can however, assign a public IPv6 address to an Azure load balancer, which
can load balance traffic to a virtual machine's private IPv6 address. For more information, see details and
limitations for IPv6.
Secondary
In addition to a primary IP configuration, a network interface may have zero or more secondary IP
configurations assigned to it. A secondary IP configuration:
Must have a private IPv4 or IPv6 address assigned to it. If the address is IPv6, the network interface can only
have one secondary IP configuration. If the address is IPv4, the network interface may have multiple
secondary IP configurations assigned to it. To learn more about how many private and public IPv4 addresses
can be assigned to a network interface, see the Azure limits article.
May also have a public IPv4 address assigned to it, if the private IP address is IPv4. If the private IP address is
IPv6, you cannot assign a public IPv4 or IPv6 address to the IP configuration. Assigning multiple IP addresses
to a network interface is helpful in scenarios such as:
Hosting multiple websites or services with different IP addresses and SSL certificates on a single
server.
A virtual machine serving as a network virtual appliance, such as a firewall or load balancer.
The ability to add any of the private IPv4 addresses for any of the network interfaces to an Azure Load
Balancer back-end pool. In the past, only the primary IPv4 address for the primary network interface
could be added to a back-end pool. To learn more about how to load balance multiple IPv4
configurations, see the Load balancing multiple IP configurations article.
The ability to load balance one IPv6 address assigned to a network interface. To learn more about how
to load balance to a private IPv6 address, see the Load balance IPv6 addresses article.
Address types
You can assign the following types of IP addresses to an IP configuration:
Private
Private IPv4 addresses enable a virtual machine to communicate with other resources in a virtual network or
other connected networks. A virtual machine cannot be communicated inbound to, nor can the virtual machine
communicate outbound with a private IPv6 address, with one exception. A virtual machine can communicate
with the Azure load balancer using an IPv6 address. For more information, see details and limitations for IPv6.
By default, the Azure DHCP servers assign the private IPv4 address for the primary IP configuration of the
network interface to the network interface within the virtual machine operating system. Unless necessary, you
should never manually set the IP address of a network interface within the virtual machine's operating system.
WARNING
If the IPv4 address set as the primary IP address of a network interface within a virtual machine's operating system is ever
different than the private IPv4 address assigned to the primary IP configuration of the primary network interface attached
to a virtual machine within Azure, you lose connectivity to the virtual machine.
There are scenarios where it's necessary to manually set the IP address of a network interface within the virtual
machine's operating system. For example, you must manually set the primary and secondary IP addresses of a
Windows operating system when adding multiple IP addresses to an Azure virtual machine. For a Linux virtual
machine, you may only need to manually set the secondary IP addresses. See Add IP addresses to a VM
operating system for details. When you manually set the IP address within the operating system, it's
recommended that you always assign the addresses to the IP configuration for a network interface using the
static (rather than dynamic) assignment method. Assigning the address using the static method ensures that the
address does not change within Azure. If you ever need to change the address assigned to an IP configuration,
it's recommended that you:
1. To ensure the virtual machine is receiving an address from the Azure DHCP servers, change the assignment
of the IP address back to DHCP within the operating system and restart the virtual machine.
2. Stop (deallocate) the virtual machine.
3. Change the IP address for the IP configuration within Azure.
4. Start the virtual machine.
5. Manually configure the secondary IP addresses within the operating system (and also the primary IP address
within Windows) to match what you set within Azure.
By following the previous steps, the private IP address assigned to the network interface within Azure, and within
a virtual machine's operating system, remain the same. To keep track of which virtual machines within your
subscription that you've manually set IP addresses within an operating system for, consider adding an Azure tag
to the virtual machines. You might use "IP address assignment: Static", for example. This way, you can easily find
the virtual machines within your subscription that you've manually set the IP address for within the operating
system.
In addition to enabling a virtual machine to communicate with other resources within the same, or connected
virtual networks, a private IP address also enables a virtual machine to communicate outbound to the Internet.
Outbound connections are source network address translated by Azure to an unpredictable public IP address. To
learn more about Azure outbound Internet connectivity, read the Azure outbound Internet connectivity article.
You cannot communicate inbound to a virtual machine's private IP address from the Internet.
Public
Public IP addresses enable inbound connectivity to a virtual machine from the Internet. Outbound connections to
the Internet use a predictable IP address. See Understanding outbound connections in Azure for details. You may
assign a public IP address to an IP configuration, but aren't required to. If you don't assign a public IP address to
a virtual machine, it can still communicate outbound to the Internet using its private IP address. To learn more
about public IP addresses, read the Public IP address article.
There are limits to the number of private and public IP addresses that you can assign to a network interface. For
details, read the Azure limits article.
NOTE
Azure translates a virtual machine's private IP address to a public IP address. As a result, the operating system is unaware
of any public IP addresses assigned to it, so there is no need to ever manually assign a public IP address within the
operating system.
Assignment methods
Public and private IP addresses are assigned using the following assignment methods:
Dynamic
Dynamic private IPv4 and IPv6 (optionally) addresses are assigned by default. Dynamic addresses can change if
the virtual machine is put into the stopped (deallocated) state, then started. If you don't want IPv4 addresses to
change for the life of the virtual machine, assign the addresses using the static method. You can only assign a
private IPv6 address using the dynamic assignment method. You cannot assign a public IPv6 address to an IP
configuration using either method.
Static
Addresses assigned using the static method do not change until a virtual machine is deleted. You manually
assign a static private IPv4 address to an IP configuration from the address space for the subnet the network
interface is in. You can (optionally) assign a public or private static IPv4 address to an IP configuration. You
cannot assign a static public or private IPv6 address to an IP configuration. To learn more about how Azure
assigns static public IPv4 addresses, see the Public IP address article.
IP address versions
You can specify the following versions when assigning addresses:
IPv4
Each network interface must have one primary IP configuration with an assigned private IPv4 address. You can
add one or more secondary IP configurations that each have an IPv4 private and (optionally) an IPv4 public IP
address.
IPv6
You can assign zero or one private IPv6 address to one secondary IP configuration of a network interface. The
network interface cannot have any existing secondary IP configurations. You cannot add an IP configuration with
an IPv6 address using the portal. Use PowerShell or the CLI to add an IP configuration with a private IPv6
address to an existing network interface. The network interface cannot be attached to an existing VM.
NOTE
Though you can create a network interface with an IPv6 address using the portal, you can't add an existing network
interface to a new, or existing virtual machine, using the portal. Use PowerShell or the Azure CLI 2.0 to create a network
interface with a private IPv6 address, then attach the network interface when creating a virtual machine. You cannot
attach a network interface with a private IPv6 address assigned to it to an existing virtual machine. You cannot add a
private IPv6 address to an IP configuration for any network interface attached to a virtual machine using any tools (portal,
CLI, or PowerShell).
You can't assign a public IPv6 address to a primary or secondary IP configuration.
Next steps
To create a virtual machine with different IP configurations, read the following articles:
TASK TOOL
Create a single NIC VM with a private IPv6 address (behind CLI, PowerShell, Azure Resource Manager template
an Azure Load Balancer)
Move a VM (Classic) or Cloud Services role instance
to a different subnet using PowerShell
You can use PowerShell to move your VMs (Classic) from one subnet to another in the same virtual network
(VNet). Role instances can be moved by editing the CSCFG file, rather than using PowerShell.
NOTE
This article explains how to move VMs deployed through the classic deployment model only.
Why move VMs to another subnet? Subnet migration is useful when the older subnet is too small and cannot be
expanded due to existing running VMs in that subnet. In that case, you can create a new, larger subnet and migrate
the VMs to the new subnet, then after migration is complete, you can delete the old empty subnet.
How to move a VM to another subnet

To move a VM, run the Set-AzureSubnet PowerShell cmdlet, using the example below as a template. In the example
below, we are moving TestVM from its present subnet, to Subnet-2. Be sure to edit the example to reflect your
environment. Note that whenever you run the Update-AzureVM cmdlet as part of a procedure, it will restart your
VM as part of the update process.
Get-AzureVM ServiceName TestVMCloud Name TestVM `

| Set-AzureSubnet SubnetNames Subnet-2 `
| Update-AzureVM
If you specified a static internal private IP for your VM, you'll have to clear that setting before you can move the VM
to a new subnet. In that case, use the following:
Get-AzureVM -ServiceName TestVMCloud -Name TestVM `

| Remove-AzureStaticVNetIP `
| Update-AzureVM
Get-AzureVM -ServiceName TestVMCloud -Name TestVM `
| Set-AzureSubnet -SubnetNames Subnet-2 `
| Update-AzureVM
To move a role instance to another subnet

To move a role instance, edit the CSCFG file. In the example below, we are moving "Role0" in virtual network
VNETName from its present subnet to Subnet-2. Because the role instance was already deployed, you'll just change
the Subnet name = Subnet-2. Be sure to edit the example to reflect your environment.
<NetworkConfiguration>
<VirtualNetworkSite name="VNETName" />
<AddressAssignments>
<InstanceAddress roleName="Role0">
<Subnets><Subnet name="Subnet-2" /></Subnets>
</InstanceAddress>
</AddressAssignments>
Create, change, or delete a public IP address
Learn about a public IP address and how to create, change, and delete one. A public IP address is a resource with
its own configurable settings. Assigning a public IP address to other Azure resources enables:
Inbound Internet connectivity to resources such as Azure Virtual Machines (VM), Azure Virtual Machine Scale
Sets, Azure VPN Gateway, Application gateways, and Internet-facing Azure Load Balancers. Azure resources
cannot receive inbound communication from the Internet without an assigned public IP address. While some
Azure resources are inherently accessible through public IP addresses, other resources must have public IP
addresses assigned to them to be accessible from the Internet.
Outbound connectivity to the Internet using a predictable IP address. For example, a virtual machine can
communicate outbound to the Internet without a public IP address assigned to it, but its address is network
address translated by Azure to an unpredictable public address. Assigning a public IP address to a resource
enables you to know which IP address is used for the outbound connection. Though predictable, the address
can change, depending on the assignment method chosen. For more information, see Create a public IP
address. To learn more about outbound connections from Azure resources, read the Understand outbound
connections article.
Before you begin

Review the Azure limits article to learn about limits for public IP addresses.
Azure Cloud Shell. The Azure Cloud Shell is a free Bash shell that you can run directly within the Azure portal. It
Public IP addresses have a nominal charge. To view the pricing, read the IP address pricing page.
Create a public IP address

2. In the box that contains the text Search resources at the top of the Azure portal, type public ip address. When
Public IP addresses appears in the search results, click it.
3. Click + Add in the Public IP address blade that appears.
4. Enter or select values for the following settings in the Create public IP address blade that appears, then
click Create:
Name Yes The name must be unique within the

resource group you select.
IP Version Yes Select IPv4 or IPv6. While public IPv4

addresses can be assigned to several
Azure resources, an IPv6 public IP
address can only be assigned to an
Internet-facing load balancer. The
load balancer can load balance IPv6
traffic to Azure virtual machines.
Learn more about load balancing
IPv6 traffic to virtual machines.
IP address assignment Yes Dynamic: Dynamic addresses are

assigned only after the public IP
address is associated to a NIC
attached to a VM and the VM is
started for the first time. Dynamic
addresses can change if the VM the
NIC is attached to is stopped
(deallocated). The address remains
the same if the VM is rebooted or
stopped (but not deallocated). Static:
Static addresses are assigned when
the public IP address is created. Static
addresses do not change even if the
VM is put in the stopped
(deallocated) state. The address is
only released when the NIC is
deleted. You can change the
assignment method after the NIC is
created. If you select IPv6 for the IP
version, the only available
assignment method is Dynamic.
Idle timeout (minutes) No How many minutes to keep a TCP or

HTTP connection open without
relying on clients to send keep-alive
messages. If you select IPv6 for IP
Version, this value can't be changed.
DNS name label No Must be unique within the Azure

location you create the name in
(across all subscriptions and all
customers). The Azure public DNS
service automatically registers the
name and IP address so you can
connect to a resource with the name.
Azure appends
location.cloudapp.azure.com (where
location is the location you select) to
the name you provide to create the
fully qualified DNS name. If you
choose to create both address
versions, the same DNS name is
assigned to both the IPv4 and IPv6
addresses. The Azure DNS service
contains both IPv4 A and IPv6 AAAA
name records and responds with
both records when the DNS name is
looked up. The client chooses which
address (IPv4 or IPv6) to
communicate with.
Create an IPv6 (or IPv4) address No Whether IPv6 or IPv4 is displayed is

dependent on what you select for IP
Version. For example, if you select
IPv4 for IP Version, IPv6 is
displayed here.
Name (Only visible if you checked Yes, if you select the Create an IPv6 The name must be different than the
the Create an IPv6 (or IPv4) (or IPv4) checkbox. name you enter for the first Name in
address checkbox) this list. If you choose to create both
an IPv4 and an IPv6 address, the
portal creates two separate public IP
address resources, one with each IP
address version assigned to it.
IP address assignment (Only visible if Yes, if you select the Create an IPv6 If the checkbox says Create an IPv4
you checked the Create an IPv6 (or (or IPv4) checkbox. address, you can select an
IPv4) address checkbox) assignment method. If the checkbox
says Create an IPv6 address, you
cannot select an assignment method,
as it must be Dynamic.
Subscription Yes Must exist in the same subscription

as the resource you want to
associate the public IP address to.
Resource group Yes Can exist in the same, or different,

resource group as the resource you
want to associate the public IP
address to.
Location Yes Must exist in the same location, also

referred to as region, as the resource
you want to associate the public IP
address to.
Commands
Though the portal provides the option to create two public IP address resources (one IPv4 and one IPv6), the
following CLI and PowerShell commands create one resource with an address for one IP version or the other. If
you want two public IP address resources, one for each IP version, you must run the command twice, specifying
different names and versions for the public IP address resources.
TOOL COMMAND
CLI az network public-ip create
PowerShell New-AzureRmPublicIpAddress
View, change settings for, or delete a public IP address

2. In the box that contains the text Search resources at the top of the Azure portal, type public ip address. When
Public IP addresses appears in the search results, click it.
3. In the Public IP addresses blade that appears, click the name of the public IP address you want to view,
change settings for, or delete.
4. In the blade that appears for the public IP address, complete one of the following options depending on
whether you want to view, delete, or change the public IP address.
View: The Overview section of the blade shows key settings for the public IP address, such as the
network interface it's associated to (if the address is associated to a network interface). The portal does
not display the version of the address (IPv4 or IPv6). To view the version information, use the PowerShell
or CLI command to view the public IP address. If the IP address version is IPv6, the assigned address is
not displayed by the portal, PowerShell, or the CLI.
Delete: To delete the public IP address, click Delete in the Overview section of the blade. If the address
is currently associated to an IP configuration, it cannot be deleted. If the address is currently associated
with a configuration, click Dissociate to dissociate the address from the IP configuration.
Change: Click Configuration. Change settings using the information in step 4 of the Create a public IP
address section of this article. To change the assignment for an IPv4 address from static to dynamic, you
must first dissociate the public IPv4 address from the IP configuration it's associated to. You can then
change the assignment method to dynamic and click Associate to associate the IP address to the same
IP configuration, a different configuration, or you can leave it dissociated. To dissociate a public IP
address, in the Overview section, click Dissociate.
WARNING
When you change the assignment method from static to dynamic, you lose the IP address that was assigned to the public IP
address. While the Azure public DNS servers maintain a mapping between static or dynamic addresses and any DNS name
label (if you defined one), a dynamic IP address can change when the VM is started after being in the stopped (deallocated)
state. To prevent the address from changing, assign a static IP address.
Commands
TOOL COMMAND
CLI az network public-ip-list to list public IP addresses, az network

public-ip-show to show settings; az network public-ip update
to update; az network public-ip delete to delete
TOOL COMMAND
PowerShell Get-AzureRmPublicIpAddress to retrieve a public IP address

object and view its settings, Set-AzureRmPublicIpAddress to
update settings; Remove-AzureRmPublicIpAddress to delete
Next steps
Assign public IP addresses when creating the following Azure resources:
Windows or Linux virtual machines
Internet-facing Azure Load Balancer
Azure Application Gateway
Site-to-site connection using an Azure VPN Gateway
Azure Virtual Machine Scale Set
Troubleshoot Network Security Groups using the
Azure Portal
If you configured Network Security Groups (NSGs) on your virtual machine (VM) and are experiencing VM
connectivity issues, this article provides an overview of diagnostics capabilities for NSGs to help troubleshoot
further.
NSGs enable you to control the types of traffic that flow in and out of your virtual machines (VMs). NSGs can be
applied to subnets in an Azure Virtual Network (VNet), network interfaces (NIC), or both. The effective rules applied
to a NIC are an aggregation of the rules that exist in the NSGs applied to a NIC and the subnet it is connected to.
Rules across these NSGs can sometimes conflict with each other and impact a VM's network connectivity.
You can view all the effective security rules from your NSGs, as applied on your VM's NICs. This article shows how
to troubleshoot VM connectivity issues using these rules in the Azure Resource Manager deployment model. If
you're not familiar with VNet and NSG concepts, read the Virtual network and Network security groups overview
articles.
Using Effective Security Rules to troubleshoot VM traffic flow

The scenario that follows is an example of a common connection problem:
A VM named VM1 is part of a subnet named Subnet1 within a VNet named WestUS-VNet1. An attempt to connect
to the VM using RDP over TCP port 3389 fails. NSGs are applied at both the NIC VM1-NIC1 and the subnet
Subnet1. Traffic to TCP port 3389 is allowed in the NSG associated with the network interface VM1-NIC1, however
TCP ping to VM1's port 3389 fails.
While this example uses TCP port 3389, the following steps can be used to determine inbound and outbound
connection failures over any port.
View effective security rules for a virtual machine
Complete the following steps to troubleshoot NSGs for a VM:
You can view full list of the effective security rules on a NIC, from the VM itself. You can also add, modify, and
delete both NIC and subnet NSG rules from the effective rules blade, if you have permissions to perform these
operations.
1. Login to the Azure portal at https://portal.azure.com.
2. Click More services, then click Virtual machines in the list that appears.
3. Select a VM to troubleshoot from the list that appears and a VM blade with options appears.
4. Click Diagnose & solve problems and then select a common problem. For this example, I cant connect
to my Windows VM is selected.
5. Steps appear under the problem, as shown in the following picture:
Click effective security group rules in the list of recommended steps.

6. The Get effective security rules blade appears, as shown in the following picture:
Notice the following sections of the picture:
Scope: Set to VM1, the VM selected in step 3.
Network interface: VM1-NIC1 is selected. A VM can have multiple network interfaces (NIC). Each NIC
can have unique effective security rules. When troubleshooting, you may need to view the effective
security rules for each NIC.
Associated NSGs: NSGs can be applied to both the NIC and the subnet the NIC is connected to. In the
picture, an NSG has been applied to both the NIC and the subnet it's connected to. You can click on the
NSG names to directly modify rules in the NSGs.
VM1-nsg tab: The list of rules displayed in the picture is for the NSG applied to the NIC. Several default
rules are created by Azure whenever an NSG is created. You can't remove the default rules, but you can
override them with rules of higher priority. To learn more about default rules, read the NSG overview
article.
DESTINATION column: Some of the rules have text in the column, while others have address prefixes.
The text is the name of default tags applied to the security rule when it was created. The tags are system-
provided identifiers that represent multiple prefixes. Selecting a rule with a tag, such as
AllowInternetOutBound, lists the prefixes in the Address prefixes blade.
Download: The list of rules can be long. You can download a .csv file of the rules for offline analysis by
clicking Download and saving the file.
AllowRDP Inbound rule: This rule allows RDP connections to the VM.
7. Click the Subnet1-NSG tab to view the effective rules from the NSG applied to the subnet, as shown in the
following picture:
Notice the denyRDP Inbound rule. Inbound rules applied at the subnet are evaluated before rules applied at
the network interface. Since the deny rule is applied at the subnet, the request to connect to TCP 3389 fails,
because the allow rule at the NIC is never evaluated.
The denyRDP rule is the reason why the RDP connection is failing. Removing it should resolve the problem.
NOTE
If the VM associated with the NIC is not in a running state, or NSGs haven't been applied to the NIC or subnet, no
rules are shown.
8. To edit NSG rules, click Subnet1-NSG in the Associated NSGs section. This opens the Subnet1-NSG blade.
You can directly edit the rules by clicking on Inbound security rules.
9. After removing the denyRDP inbound rule in the Subnet1-NSG and adding an allowRDP rule, the effective
rules list looks like the following picture:
Confirm that TCP port 3389 is open by opening an RDP connection to the VM or using the PsPing tool. You
can learn more about PsPing by reading the PsPing download page.
View effective security rules for a network interface
If your VM traffic flow is impacted for a specific NIC, you can view a full list of the effective rules for the NIC from
the network interfaces context by completing the following steps:
2. Click More services, then click Network interfaces in the list that appears.
3. Select a network interface. In the following picture, a NIC named VM1-NIC1 is selected.
Notice that the Scope is set to the network interface selected. To learn more about the additional
information shown, read step 6 of the Troubleshoot NSGs for a VM section of this article.
NOTE
If an NSG is removed from a network interface, the subnet NSG is still effective on the given NIC. In this case, the
output would only show rules from the subnet NSG. Rules only appear if the NIC is attached to a VM.
4. You can directly edit rules for NSGs associated with a NIC and a subnet. To learn how, read step 8 of the View
effective security rules for a virtual machine section of this article.
View effective security rules for a network security group (NSG)

When modifying NSG rules, you may want to review the impact of the rules being added on a particular VM. You
can view a full list of the effective security rules for all the NICs that a given NSG is applied to, without having to
switch context from the given NSG blade. To troubleshoot effective rules within an NSG, complete the following
steps:
2. Click More services, then click Network security groups in the list that appears.
3. Select an NSG. In the following picture, an NSG named VM1-nsg was selected.
Notice the following sections of the previous picture:
Scope: Set to the NSG selected.
Virtual machine: When an NSG is applied to a subnet, it's applied to all network interfaces attached
to all VMs connected to the subnet. This list shows all VMs this NSG is applied to. You can select any
VM from the list.
NOTE
If an NSG is applied to only an empty subnet, VMs will not be listed. If an NSG is applied to a NIC which is not
associated with a VM, those NICs will also not be listed.
Network Interface: A VM can have multiple network interfaces. You can select a network interface
attached to the selected VM.
AssociatedNSGs: At any time, a NIC can have up to two effective NSGs, one applied to the NIC and the
other to the subnet. Although the scope is selected as VM1-nsg, if the NIC has an effective subnet NSG,
the output will show both NSGs.
4. You can directly edit rules for NSGs associated with a NIC or subnet. To learn how, read step 8 of the View
effective security rules for a virtual machine section of this article.
To learn more about the additional information shown, read step 6 of the View effective security rules for a
virtual machine section of this article.
NOTE
Though a subnet and NIC can each have only one NSG applied to them, an NSG can be associated to multiple NICs and
multiple subnets.
Considerations
Consider the following points when troubleshooting connectivity problems:
Default NSG rules will block inbound access from the internet and only permit VNet inbound traffic. Rules
should be explicitly added to allow inbound access from Internet, as required.
If there are no NSG security rules causing a VMs network connectivity to fail, the problem may be due to:
Firewall software running within the VM's operating system
Routes configured for virtual appliances or on-premises traffic. Internet traffic can be redirected to on-
premises via forced-tunneling. An RDP/SSH connection from the Internet to your VM may not work with
this setting, depending on how the on-premises network hardware handles this traffic. Read the
Troubleshooting Routes article to learn how to diagnose route problems that may be impeding the flow
of traffic in and out of the VM.
If you have peered VNets, by default, the VIRTUAL_NETWORK tag will automatically expand to include prefixes
for peered VNets. You can view these prefixes in the ExpandedAddressPrefix list, to troubleshoot any issues
related to VNet peering connectivity.
Effective security rules are only shown if there is an NSG associated with the VMs NIC and or subnet.
If there are no NSGs associated with the NIC or subnet and you have a public IP address assigned to your VM,
all ports will be open for inbound and outbound access. If the VM has a public IP address, applying NSGs to the
NIC or subnet is strongly recommended.
Troubleshoot Network Security Groups using Azure
PowerShell
If you configured Network Security Groups (NSGs) on your virtual machine (VM) and are experiencing VM
connectivity issues, this article provides an overview of diagnostics capabilities for NSGs to help troubleshoot
further.
NSGs enable you to control the types of traffic that flow in and out of your virtual machines (VMs). NSGs can be
applied to subnets in an Azure Virtual Network (VNet), network interfaces (NIC), or both. The effective rules applied
to a NIC are an aggregation of the rules that exist in the NSGs applied to a NIC and the subnet it is connected to.
Rules across these NSGs can sometimes conflict with each other and impact a VM's network connectivity.
You can view all the effective security rules from your NSGs, as applied on your VM's NICs. This article shows how
to troubleshoot VM connectivity issues using these rules in the Azure Resource Manager deployment model. If
you're not familiar with VNet and NSG concepts, read the Virtual network and Network security groups overview
articles.
Using Effective Security Rules to troubleshoot VM traffic flow

The scenario that follows is an example of a common connection problem:
A VM named VM1 is part of a subnet named Subnet1 within a VNet named WestUS-VNet1. An attempt to connect
to the VM using RDP over TCP port 3389 fails. NSGs are applied at both the NIC VM1-NIC1 and the subnet
Subnet1. Traffic to TCP port 3389 is allowed in the NSG associated with the network interface VM1-NIC1, however
TCP ping to VM1's port 3389 fails.
While this example uses TCP port 3389, the following steps can be used to determine inbound and outbound
connection failures over any port.
Detailed Troubleshooting Steps

Complete the following steps to troubleshoot NSGs for a VM:
1. Start an Azure PowerShell session and login to Azure. If you're not familiar with using Azure PowerShell, read
the How to install and configure Azure PowerShell article.
2. Enter the following command to return all NSG rules applied to a NIC named VM1-NIC1 in the resource
group RG1:
Get-AzureRmEffectiveNetworkSecurityGroup -NetworkInterfaceName VM1-NIC1 -ResourceGroupName RG1
TIP
If you don't know the name of a NIC, enter the following command to retrieve the names of all NICs in a resource
group:
Get-AzureRmNetworkInterface -ResourceGroupName RG1 | Format-Table Name
The following text is a sample of the effective rules output returned for the VM1-NIC1 NIC:
ID]/resourceGroups/RG1/providers/Microsoft.Network/networkSecurityGroups/VM1-NIC1-NSG"
}
Association : {
"NetworkInterface": {
ID]/resourceGroups/RG1/providers/Microsoft.Network/networkInterfaces/VM1-NIC1"
}
}
EffectiveSecurityRules : [
{
"Name": "securityRules/allowRDP",
"Protocol": "Tcp",
"SourcePortRange": "0-65535",
"DestinationPortRange": "3389-3389",
"DestinationAddressPrefix": "0.0.0.0/0",
"ExpandedSourceAddressPrefix": [ ],
"ExpandedDestinationAddressPrefix": [],
"Access": "Allow",
"Priority": 1000,
"Direction": "Inbound"
},
{
"Name": "defaultSecurityRules/AllowVnetInBound",
"Protocol": "All",
"SourceAddressPrefix": "VirtualNetwork",
"DestinationAddressPrefix": "VirtualNetwork",
"ExpandedSourceAddressPrefix": [
"10.9.0.0/16",
"168.63.129.16/32",
"10.0.0.0/16",
"10.1.0.0/16"
],
"ExpandedDestinationAddressPrefix": [
"10.9.0.0/16",
"168.63.129.16/32",
"10.0.0.0/16",
"10.1.0.0/16"
],
"Access": "Allow",
"Priority": 65000,
},
]
"Id":
"/subscriptions/[Subscription
ID]/resourceGroups/RG1/providers/Microsoft.Network/networkSecurityGroups/Subnet1-NSG"
}
Association : {
"Subnet": {
"Id":
"/subscriptions/[Subscription
ID]/resourceGroups/RG1/providers/Microsoft.Network/virtualNetworks/WestUS-VNet1/subnets/Subnet1"
}
}
EffectiveSecurityRules : [
{
"Name": "securityRules/denyRDP",
"Protocol": "Tcp",
... ],
"ExpandedDestinationAddressPrefix": [],
"Access": "Deny",
"Priority": 1000,
},
{
"Name": "defaultSecurityRules/AllowVnetInBound",
"Protocol": "All",
"SourceAddressPrefix": "VirtualNetwork",
"DestinationAddressPrefix": "VirtualNetwork",
"10.9.0.0/16",
"168.63.129.16/32",
"10.0.0.0/16",
"10.1.0.0/16"
],
"ExpandedDestinationAddressPrefix": [
"10.9.0.0/16",
"168.63.129.16/32",
"10.0.0.0/16",
"10.1.0.0/16"
],
"Access": "Allow",
"Priority": 65000,
},...
]
Note the following information in the output:

There are two NetworkSecurityGroup sections: One is associated with a subnet (Subnet1) and one is
associated with a NIC (VM1-NIC1). In this example, an NSG has been applied to each.
Association shows the resource (subnet or NIC) a given NSG is associated with. If the NSG resource is
moved/disassociated immediately before running this command, you may need to wait a few seconds
for the change to reflect in the command output.
The rule names that are prefaced with defaultSecurityRules: When an NSG is created, several default
security rules are created within it. Default rules can't be removed, but they can be overridden with
higher priority rules. Read the NSG overview article to learn more about NSG default security rules.
ExpandedAddressPrefix expands the address prefixes for NSG default tags. Tags represent multiple
address prefixes. Expansion of the tags can be useful when troubleshooting VM connectivity to/from
specific address prefixes. For example, with VNET peering, VIRTUAL_NETWORK tag expands to show
peered VNet prefixes in the previous output.
NOTE
The command only shows effective rules if an NSG is associated with either a subnet, a NIC, or both. A VM
may have multiple NICs with different NSGs applied. When troubleshooting, run the command for each NIC.
3. To ease filtering over larger number of NSG rules, enter the following commands to troubleshoot further:
$NSGs = Get-AzureRmEffectiveNetworkSecurityGroup -NetworkInterfaceName VM1-NIC1 -ResourceGroupName RG1

$NSGs.EffectiveSecurityRules | Sort-Object Direction, Access, Priority | Out-GridView
A filter for RDP traffic (TCP port 3389), is applied to the grid view, as shown in the following picture:
4. As you can see in the grid view, there are both allow and deny rules for RDP. The output from step 2 shows
that the DenyRDP rule is in the NSG applied to the subnet. For inbound rules, NSGs applied to the subnet
are processed first. If a match is found, the NSG applied to the network interface is not processed. In this
case, the DenyRDP rule from the subnet blocks RDP to the VM (VM1).
NOTE
A VM may have multiple NICs attached to it. Each may be connected to a different subnet. Since the commands in
the previous steps are run against a NIC, it's important to ensure that you specify the NIC you're having the
connectivity failure to. If you're not sure, you can always run the commands against each NIC attached to the VM.
5. To RDP into VM1, change the Deny RDP (3389) rule to Allow RDP(3389) in the Subnet1-NSG NSG. Confirm
that TCP port 3389 is open by opening an RDP connection to the VM or using the PsPing tool. You can learn
more about PsPing by reading the PsPing download page
You can or remove rules from an NSG by using the information in the output from the following command:
Get-Help *-AzureRmNetworkSecurityRuleConfig
Considerations
Consider the following points when troubleshooting connectivity problems:
Default NSG rules will block inbound access from the internet and only permit VNet inbound traffic. Rules
should be explicitly added to allow inbound access from Internet, as required.
If there are no NSG security rules causing a VMs network connectivity to fail, the problem may be due to:
Firewall software running within the VM's operating system
Routes configured for virtual appliances or on-premises traffic. Internet traffic can be redirected to on-
premises via forced-tunneling. An RDP/SSH connection from the Internet to your VM may not work with
this setting, depending on how the on-premises network hardware handles this traffic. Read the
Troubleshooting Routes article to learn how to diagnose route problems that may be impeding the flow
of traffic in and out of the VM.
If you have peered VNets, by default, the VIRTUAL_NETWORK tag will automatically expand to include prefixes
for peered VNets. You can view these prefixes in the ExpandedAddressPrefix list, to troubleshoot any issues
related to VNet peering connectivity.
Effective security rules are only shown if there is an NSG associated with the VMs NIC and or subnet.
If there are no NSGs associated with the NIC or subnet and you have a public IP address assigned to your VM,
all ports will be open for inbound and outbound access. If the VM has a public IP address, applying NSGs to the
NIC or subnet is strongly recommended.
Troubleshoot routes using the Azure Portal
If you are experiencing network connectivity issues to or from your Azure Virtual Machine (VM), routes may be
impacting your VM traffic flows. This article provides an overview of diagnostics capabilities for routes to help
troubleshoot further.
Route tables are associated with subnets and are effective on all network interfaces (NIC) in that subnet. The
following types of routes can be applied to each network interface:
System routes: By default, every subnet created in an Azure Virtual Network (VNet) has system route tables
that allow local VNet traffic, on-premises traffic via VPN gateways, and Internet traffic. System routes also exist
for peered VNets.
BGP routes: Propagated to network interfaces through ExpressRoute or site-to-site VPN connections. Learn
more about BGP routing by reading the BGP with VPN gateways and ExpressRoute overview articles.
User-defined routes (UDR): If you are using network virtual appliances or are forced-tunneling traffic to an
on-premises network via a site-to-site VPN, you may have user-defined routes (UDRs) associated with your
subnet route table. If you're not familiar with UDRs, read the user-defined routes article.
With the various routes that can be applied to a network interface, it can be difficult to determine which aggregate
routes are effective. To help troubleshoot VM network connectivity, you can view all the effective routes for a
network interface in the Azure Resource Manager deployment model.
Using Effective Routes to troubleshoot VM traffic flow

This article uses the following scenario as an example to illustrate how to troubleshoot the effective routes for a
network interface:
A VM (VM1) connected to the VNet (VNet1, prefix: 10.9.0.0/16) fails to connect to a VM(VM3) in a newly peered
VNet (VNet3, prefix 10.10.0.0/16). There are no UDRs or BGP routes applied to VM1-NIC1 network interface
connected to the VM, only system routes are applied.
This article explains how to determine the cause of the connection failure, using effective routes capability in Azure
Resource Management deployment model. While the example uses only system routes, the same steps can be used
to determine inbound and outbound connection failures over any route type.
NOTE
If your VM has more than one NIC attached, check effective routes for each of the NICs to diagnose network connectivity
issues to and from a VM.
View effective routes for a virtual machine

To see the aggregate routes that are applied to a VM, complete the following steps:
2. Click More services, then click Virtual machines in the list that appears.
3. Select a VM to troubleshoot from the list that appears and a VM blade with options appears.
4. Click Diagnose & solve problems and then select a common problem. For this example, I cant connect
to my Windows VM is selected.
5. Steps appear under the problem, as shown in the following picture:
Click effective routes in the list of recommended steps.

6. The Effective routes blade appears, as shown in the following picture:
If your VM has only one NIC, it is selected by default. If you have more than one NIC, select the NIC for which
you want to view the effective routes.
NOTE
If the VM associated with the NIC is not in a running state, effective routes will not be shown. Only the first 200
effective routes are shown in the portal. For the full list, click Download. You can further filter on the results from the
downloaded .csv file.
Notice the following in the output:

Source: Indicates the type of route. System routes are shown as Default, UDRs are shown as User and
gateway routes (static or BGP) are shown as VPNGateway.
State: Indicates state of the effective route. Possible values are Active or Invalid.
AddressPrefixes: Specifies the address prefix of the effective route in CIDR notation.
nextHopType: Indicates the next hop for the given route. Possible values are VirtualAppliance, Internet,
VNetLocal, VNetPeering, or Null. A value of Null for nextHopType in a UDR may indicate an invalid
route. For example, if nextHopType is VirtualAppliance and the network virtual appliance VM is not in a
provisioned/running state. If nextHopType is VPNGateway and there is no gateway
provisioned/running in the given VNet, the route may become invalid.
7. There is no route listed to the WestUS-VNET3 VNet (Prefix 10.10.0.0/16) from the WestUS-VNet1 (Prefix
10.9.0.0/16) in the picture in the previous step. In the following picture, the peering link is in the
Disconnected state:
The bi-directional link for the peering is broken, which explains why VM1 could not connect to VM3 in the
WestUS-VNet3 VNet.
8. The following picture shows the routes after establishing the bi-directional peering link:
For more troubleshooting scenarios for forced-tunneling and route evaluation, read the Considerations section of
this article.
View effective routes for a network interface
If network traffic flow is impacted for a particular network interface (NIC), you can view a full list of effective routes
on a NIC directly. To see the aggregate routes that are applied to a NIC, complete the following steps:
2. Click More services, then click Network interfaces
3. Search the list for the name of a NIC, or select it from the list that appears. In this example, VM1-NIC1 is
selected.
4. Select Effective routes in the Network interface blade, as shown in the following picture:
![](./media/virtual-network-routes-troubleshoot-portal/image6.png)
The Scope defaults to the network interface selected.
View effective routes for a route table

When modifying user-defined routes (UDRs) in a route table, you may want to review the impact of the routes
being added on a particular VM. A route table can be associated with any number of subnets. You can now view all
the effective routes for all the NICs that a given route table is applied to, without having to switch context from the
given route table blade.
For this example, a UDR (UDRoute) is specified in a route table (UDRouteTable). This route sends all Internet traffic
from Subnet1 in the WestUS-VNet1 VNet, through a network virtual appliance (NVA), in Subnet2 of the same VNet.
The route is shown in the following picture:
To see the aggregate routes for a route table, complete the following steps:
2. Click More services, then click Route tables
3. Search the list for the route table you want to see aggregate routes for and select it. In this example,
UDRouteTable is selected. A blade for the selected route table appears, as shown in the following picture:
4. Select Effective Routes in the Route table blade. The Scope is set to the route table you selected.
5. A route table can be applied to multiple subnets. Select the Subnet you want to review from the list. In this
example, Subnet1 is selected.
6. Select a Network Interface. All NICs connected to the selected subnet are listed. In this example, VM1-NIC1
is selected.
NOTE
If the NIC is not associated with a running VM, no effective routes are shown.
Considerations
A few things to keep in mind when reviewing the list of routes returned:
Routing is based on Longest Prefix Match (LPM) among UDRs, BGP and system routes. If there is more than
one route with the same LPM match, then a route is selected based on its origin in the following order:
User-defined route
BGP route
System (Default) route
With effective routes, you can only see effective routes that are LPM match based on all the availble
routes. By showing how the routes are actually evaluated for a given NIC, this makes it a lot easier to
troubleshoot specific routes that may be impacting connectivity to/from your VM.
If you have UDRs and are sending traffic to a network virtual appliance (NVA), with VirtualAppliance as
nextHopType, ensure that IP forwarding is enabled on the NVA receiving the traffic or packets are dropped.
If Forced tunneling is enabled, all outbound Internet traffic will be routed to on-premises. RDP/SSH from
Internet to your VM may not work with this setting, depending on how the on-premises handles this traffic.
Forced-tunneling can be enabled:
If using site-to-site VPN, by setting a user-defined route (UDR) with nextHopType as VPN Gateway
If a default route is advertised over BGP
For VNet peering traffic to work correctly, a system route with nextHopType VNetPeering must exist for the
peered VNets prefix range. If such a route doesnt exist and the VNet peering link looks OK:
Wait a few seconds and retry if it's a newly established peering link. It occasionally takes longer to
propagate routes to all the network interfaces in a subnet.
Network Security Group (NSG) rules may be impacting the traffic flows. For more information, see the
Troubleshoot Network Security Groups article.
Troubleshoot routes using Azure PowerShell
If you are experiencing network connectivity issues to or from your Azure Virtual Machine (VM), routes may be
impacting your VM traffic flows. This article provides an overview of diagnostics capabilities for routes to help
troubleshoot further.
Route tables are associated with subnets and are effective on all network interfaces (NIC) in that subnet. The
following types of routes can be applied to each network interface:
System routes: By default, every subnet created in an Azure Virtual Network (VNet) has system route tables
that allow local VNet traffic, on-premises traffic via VPN gateways, and Internet traffic. System routes also exist
for peered VNets.
BGP routes: Propagated to network interfaces through ExpressRoute or site-to-site VPN connections. Learn
more about BGP routing by reading the BGP with VPN gateways and ExpressRoute overview articles.
User-defined routes (UDR): If you are using network virtual appliances or are forced-tunneling traffic to an
on-premises network via a site-to-site VPN, you may have user-defined routes (UDRs) associated with your
subnet route table. If you're not familiar with UDRs, read the user-defined routes article.
With the various routes that can be applied to a network interface, it can be difficult to determine which aggregate
routes are effective. To help troubleshoot VM network connectivity, you can view all the effective routes for a
network interface in the Azure Resource Manager deployment model.
Using Effective Routes to troubleshoot VM traffic flow

This article uses the following scenario as an example to illustrate how to troubleshoot the effective routes for a
network interface:
A VM (VM1) connected to the VNet (VNet1, prefix: 10.9.0.0/16) fails to connect to a VM(VM3) in a newly peered
VNet (VNet3, prefix 10.10.0.0/16). There are no UDRs or BGP routes applied to VM1-NIC1 network interface
connected to the VM, only system routes are applied.
This article explains how to determine the cause of the connection failure, using effective routes capability in Azure
Resource Management deployment model. While the example uses only system routes, the same steps can be
used to determine inbound and outbound connection failures over any route type.
NOTE
If your VM has more than one NIC attached, check effective routes for each of the NICs to diagnose network connectivity
issues to and from a VM.
View effective routes for a virtual machine

To see the aggregate routes that are applied to a VM, complete the following steps:
View effective routes for a network interface
To see the aggregate routes that are applied to a network interface, complete the following steps:
1. Start an Azure PowerShell session and login to Azure. If youre not familiar with Azure PowerShell, read the
2. The following command returns all routes applied to a network interface named VM1-NIC1 in the resource
group RG1.
Get-AzureRmEffectiveRouteTable -NetworkInterfaceName VM1-NIC1 -ResourceGroupName RG1
TIP
If you dont know the name of a network interface, type the following command to retrieve the names of all network
interfaces in a resource group.*
Get-AzureRmNetworkInterface -ResourceGroupName RG1 | Format-Table Name
The following output looks similar to the output for each route applied to the subnet the NIC is connected
to:
Name :
State : Active
AddressPrefix : {10.9.0.0/16}
NextHopType : VNetLocal
NextHopIpAddress : {}
Name :
State : Active
AddressPrefix : {0.0.0.0/16}
NextHopType : Internet
NextHopIpAddress : {}
Notice the following in the output:

Name: Name of the effective route may be empty, unless explicitly specified, for user-defined routes.
State: Indicates state of the effective route. Possible values are "Active" or "Invalid"
AddressPrefixes: Specifies the address prefix of the effective route in CIDR notation.
nextHopType: Indicates the next hop for the given route. Possible values are VirtualAppliance, Internet,
VNetLocal, VNetPeering, or Null. A value of Null for nextHopType in a UDR may indicate an invalid
route. For example, if nextHopType is VirtualAppliance and the network virtual appliance VM is not in a
provisioned/running state. If nextHopType is VPNGateway and there is no gateway
provisioned/running in the given VNet, the route may become invalid.
NextHopIpAddress: Specifies the IP address of the next hop of the effective route.
The following command returns the routes in an easier to view table:
Get-AzureRmEffectiveRouteTable -NetworkInterfaceName VM1-NIC1 -ResourceGroupName RG1 | Format-Table
The following output is some of the output received for the scenario described previously:
Name State AddressPrefix NextHopType NextHopIpAddress

---- ----- ------------- ----------- ----------------
Active {10.9.0.0/16} VnetLocal {}
Active {0.0.0.0/0} Internet {}
3. There is no route listed to the WestUS-VNet3 VNet (Prefix 10.10.0.0/16)** from WestUS-VNet1 (Prefix
10.9.0.0/16) in the output from the previous step. As shown in the following picture, the VNet peering link
with the WestUS-VNet3 VNet is in the Disconnected state.
The bi-directional link for the peering is broken, which explains why VM1 could not connect to VM3 in the
WestUS-VNet3 VNet. Setup a bi-directional VNet peering link again for WestUS-VNet1 and WestUS-VNet3
VNets. The output returned after the VNet peering link is correctly established follows:
Name State AddressPrefix NextHopType NextHopIpAddress

---- ----- ------------- ----------- ----------------
Active {10.9.0.0/16} VnetLocal {}
Active {10.10.0.0/16} VNetPeering {}
Active {0.0.0.0/0} Internet {}
Once you determine the issue, you can add, remove, or change routes and route tables. Type the following
command to see a list of the commands used to do so:
Get-Help *-AzureRmRouteConfig
Considerations
A few things to keep in mind when reviewing the list of routes returned:
Routing is based on Longest Prefix Match (LPM) among UDRs, BGP and system routes. If there is more than
one route with the same LPM match, then a route is selected based on its origin in the following order:
User-defined route
BGP route
System (Default) route
With effective routes, you can only see effective routes that are LPM match based on all the availble
routes. By showing how the routes are actually evaluated for a given NIC, this makes it a lot easier to
troubleshoot specific routes that may be impacting connectivity to/from your VM.
If you have UDRs and are sending traffic to a network virtual appliance (NVA), with VirtualAppliance as
nextHopType, ensure that IP forwarding is enabled on the NVA receiving the traffic or packets are dropped.
If Forced tunneling is enabled, all outbound Internet traffic will be routed to on-premises. RDP/SSH from
Internet to your VM may not work with this setting, depending on how the on-premises handles this traffic.
Forced-tunneling can be enabled:
If using site-to-site VPN, by setting a user-defined route (UDR) with nextHopType as VPN Gateway
If a default route is advertised over BGP
For VNet peering traffic to work correctly, a system route with nextHopType VNetPeering must exist for the
peered VNets prefix range. If such a route doesnt exist and the VNet peering link looks OK:
Wait a few seconds and retry if it's a newly established peering link. It occasionally takes longer to
propagate routes to all the network interfaces in a subnet.
Network Security Group (NSG) rules may be impacting the traffic flows. For more information, see the
Troubleshoot Network Security Groups article.
Bandwidth/Throughput testing (NTTTCP)
When testing network throughput performance in Azure, it's best to use a tool that targets the network for testing
and minimizes the use of other resources that could impact performance. NTTTCP is recommended.
Copy the tool to two Azure VMs of the same size. One VM functions as SENDER and the other as RECEIVER.
Deploying VMs for testing
For the purposes of this test, the two VMs should be in either the same Cloud Service or the same Availability Set
so that we can use their internal IPs and exclude the Load Balancers from the test. It is possible to test with the VIP
but this kind of testing is outside the scope of this document.
Make a note of the RECEIVER's IP address. Let's call that IP "a.b.c.r"
Make a note of the number of cores on the VM. Let's call this "#num_cores"
Run the NTTTCP test for 300 seconds (or 5 minutes) on the sender VM and receiver VM.
Tip: When setting up this test for the first time, you might try a shorter test period to get feedback sooner. Once the
tool is working as expected, extend the test period to 300 seconds for the most accurate results.
NOTE
The sender and receiver must specify the same test duration parameter (-t).
To test a single TCP stream for 10 seconds:

Receiver parameters: ntttcp -r -t 10 -P 1
Sender parameters: ntttcp -s10.27.33.7 -t 10 -n 1 -P 1
NOTE
The preceding sample should only be used to confirm your configuration. Valid examples of testing are covered later in this
document.
Testing VMs running WINDOWS:

Get NTTTCP onto the VMs.
Download the latest version: https://gallery.technet.microsoft.com/NTttcp-Version-528-Now-f8b12769
Or search for it if moved: https://www.bing.com/search?q=ntttcp+download< -- should be first hit
Consider putting NTTTCP in separate folder, like c:\tools
Allow NTTTCP through the Windows firewall
On the RECEIVER, create an Allow rule on the Windows Firewall to allow the NTTTCP traffic to arrive. It's easiest to
allow the entire NTTTCP program by name rather than to allow specific TCP ports inbound.
Allow ntttcp through the Windows Firewall like this:
netsh advfirewall firewall add rule program=<PATH>\ntttcp.exe name="ntttcp" protocol=any dir=in action=allow
enable=yes profile=ANY
For example, if you copied ntttcp.exe to the "c:\tools" folder, this would be the command:
netsh advfirewall firewall add rule program=c:\tools\ntttcp.exe name="ntttcp" protocol=any dir=in action=allow
enable=yes profile=ANY
Running NTTTCP tests
Start NTTTCP on the RECEIVER (run from CMD, not from PowerShell):
ntttcp -r m [2*#num_cores],*,a.b.c.r -t 300
If the VM has four cores and an IP address of 10.0.0.4, it would look like this:
ntttcp -r m 8,*,10.0.0.4 -t 300
Start NTTTCP on the SENDER (run from CMD, not from PowerShell):
ntttcp -s m 8,*,10.0.0.4 -t 300
Wait for the results.
Testing VMs running LINUX:

Use nttcp-for-linux. It is available from https://github.com/Microsoft/ntttcp-for-linux
On the Linux VMs (both SENDER and RECEIVER), run these commands to prepare ntttcp-for-linux on your VMs:
CentOS - Install Git:
yum install gcc -y

yum install git -y
Ubuntu - Install Git:
apt-get -y install build-essential

apt-get -y install git
Make and Install on both:
git clone <https://github.com/Microsoft/ntttcp-for-linux>

cd ntttcp-for-linux/src
make && make install
As in the Windows example, we assume the Linux RECEIVER's IP is 10.0.0.4

Start NTTTCP-for-Linux on the RECEIVER:
ntttcp -r -t 300
And on the SENDER, run:
ntttcp -s10.0.0.4 -t 300
Test length defaults to 60 seconds if no time parameter is given
Testing between VMs running Windows and LINUX:

On this scenarios we should enable the no-sync mode so the test can run. This is done by using the -N flag for
Linux, and -ns flag for Windows.
From Linux to Windows:
Receiver :
ntttcp -r -m <2 x nr cores>,*,<Windows server IP>
Sender :
ntttcp -s -m <2 x nr cores>,*,<Windows server IP> -N -t 300
From Windows to Linux:

Receiver :
ntttcp -r -m <2 x nr cores>,*,<Linux server IP>
Sender :
ntttcp -s -m <2 x nr cores>,*,<Linux server IP> -ns -t 300
Next steps
Depending on results, there may be room to Optimize network throughput machines for your scenario.
Learn more wtih Azure Virtual Network frequently asked questions (FAQ)
Troubleshooting: Failed to delete a virtual network in
Azure
You might receive errors when you try to delete a virtual network in Microsoft Azure. This article provides
troubleshooting steps to help you resolve this problem.
If your Azure issue is not addressed in this article, visit the Azure forums on MSDN and the Stack Overflow. You can
post your issue in these forums, or post to @AzureSupport on Twitter. You also can submit an Azure support
request. To submit a support request, on the Azure support page, select Get support.
Troubleshooting guidance
1. Check whether a virtual network gateway is running in the virtual network.
2. Check whether an application gateway is running in the virtual network.
3. Check whether Azure Active Directory Domain Service is enabled in the virtual network.
4. Check whether the virtual network is connected to other resource.
5. Check whether a virtual machine is still running in the virtual network.
6. Check whether the virtual network is stuck in migration.
Troubleshooting steps
Check whether a virtual network gateway is running in the virtual network
To remove the virtual network, you must first remove the virtual network gateway.
For classic virtual networks, go to the Overview page of the classic virtual network in the Azure portal. In the VPN
connections section, if the gateway is running in the virtual network, you will see the IP address of the gateway.
For virtual networks, go to the Overview page of the virtual network. Check Connected devices for the virtual
network gateway.
Before you can remove the gateway, first remove any Connection objects in the gateway.
Check whether an application gateway is running in the virtual network
Go to the Overview page of the virtual network. Check the Connected devices for the application gateway.
If there is an application gateway, you must remove it before you can delete the virtual network.
Check whether Azure Active Directory Domain Service is enabled in the virtual network
If the Active Directory Domain Service is enabled and connected to the virtual network, you cannot delete this
virtual network.
To disable the service, follow these steps:

1. Go to the Azure classic portal.
2. In the left pane, select Active Directory.
3. Select the Azure Active Directory (Azure AD) directory that has Active Directory Domain Service enabled.
4. Select the Configure tab.
5. Under domain services, change the Enable domain services for this directory option to No.
Check whether the virtual network is connected to other resource
Check for Circuit Links, connections, and virtual network peerings. Any of these can cause a virtual network deletion
to fail.
The recommended deletion order is as follows:
1. Gateway connections
2. Gateways
3. IPs
4. Virtual network peerings
5. App Service Environment (ASE)
Check whether a virtual machine is still running in the virtual network
Make sure that no virtual machine is in the virtual network.
Check whether the virtual network is stuck in migration
If the virtual network is stuck in a migration state, it cannot be deleted. Run the following command to abort the
migration, and then delete the virtual network.
Move-AzureVirtualNetwork -VirtualNetworkName "Name" -Abort
Next steps
Azure Virtual Network
Azure Virtual Network frequently asked questions (FAQ)
Troubleshooting connectivity problems between
Azure VMs
You might experience connectivity problems between Azure virtual machines (VMs). This article provides
troubleshooting steps to help you resolve this problem.
If your Azure issue is not addressed in this article, visit the Azure forums on MSDN and the Stack Overflow. You can
post your issue in these forums, or post to @AzureSupport on Twitter. You also can submit an Azure support
request. To submit a support request, on the Azure support page, select Get support.
Symptom
One Azure VM cannot connect to another Azure VM.
Troubleshooting guidance
1. Check whether NIC is misconfigured
2. Check whether network traffic is blocked by NSG or UDR
3. Check whether network traffic is blocked by VM firewall
4. Check whether VM app or service is listening on the port
5. Check whether the problem is caused by SNAT
6. Check whether traffic is blocked by ACLs for the classic VM
7. Check whether the endpoint is created for the classic VM
8. Try to connect to a VM network share
9. Check Inter-Vnet connectivity
Troubleshooting steps
Follow these steps to troubleshoot the problem. After you complete each step, check whether the problem is
resolved.
Step 1: Check whether NIC is misconfigured
Follow the steps in How to reset network interface for Azure Windows VM.
If the problem occurs after you modify the network interface (NIC), follow these steps:
Multi-NIC VMs
1. Add a NIC.
2. Fix the problems in the bad NIC or remove the bad NIC. Then add the NIC again.
For more information, see Add network interfaces to or remove from virtual machines.
Single-NIC VM
Redeploy Windows VM
Redeploy Linux VM
Step 2: Check whether network traffic is blocked by NSG or UDR
Use Network Watcher IP Flow Verify and NSG Flow Logging to determine whether there is a Network Security
Group (NSG) or User-Defined Route (UDR) that is interfering with traffic flow.
Step 3: Check whether network traffic is blocked by VM firewall
Disable the firewall, and then test the result. If the problem is resolved, verify the firewall settings, and then re-
enable the firewall.
Step 4: Check whether VM app or service is listening on the port
You can use one of the following methods to check whether the VM app or service is listening on the port.
Run the following commands to check whether the server is listening on that port.
Windows VM
netstat ano
Linux VM
netstat -l
Run the telnet command on the virtual machine itself to test the port. If the test fails, the application or service
is not configured to listen on that port.
Step 5: Check whether the problem is caused by SNAT
In some scenarios, the VM is placed behind a load balance solution that has a dependency on resources outside of
Azure. In these scenarios, if you experience intermittent connection problems, the problem may be caused by SNAT
port exhaustion. To resolve the issue, create a VIP (or ILPIP for classic) for each VM that is behind the load balancer
and secure with NSG or ACL.
Step 6: Check whether traffic is blocked by ACLs for the classic VM
An access control list (ACL) provides the ability to selectively permit or deny traffic for a virtual machine endpoint.
For more information, see Manage the ACL on an endpoint.
Step 7: Check whether the endpoint is created for the classic VM
All VMs that you create in Azure by using the classic deployment model can automatically communicate over a
private network channel with other virtual machines in the same cloud service or virtual network. However,
computers on other virtual networks require endpoints to direct the inbound network traffic to a virtual machine.
For more information, see How to set up endpoints.
Step 8: Try to connect to a VM network share
If you cannot connect to a VM network share, the problem may be caused by unavailable NICs in the VM. To delete
the unavailable NICs, see How to delete the unavailable NICs
Step 9: Check Inter-Vnet connectivity
Use Network Watcher IP Flow Verify and NSG Flow Logging to determine whether there is a NSG or UDR that is
interfering with traffic flow. You can also verify your Inter-Vnet configuration here.
Need help? Contact support.
If you still need help, contact support to get your issue resolved quickly.

Virtual Network Azure

Uploaded by

Copyright:

Available Formats

Virtual Network Azure

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Virtual Network Azure

Uploaded by

Copyright:

Available Formats

Table of Contents

Network isolation and segmentation

Connect to the Internet

Connect Azure resources

Connect virtual networks

Connect to an on-premises network

Route network traffic

PROPERTY DESCRIPTION CONSTRAINTS CONSIDERATIONS

In Azure PowerShell some of the "NextHopType" values have different names:

Requirements and constraints

Gateways and on-premises connectivity

AZURE DEPLOYMENT MODEL SUBSCRIPTION

Both Resource Manager Same

One Resource Manager, one classic Same

Learn how to create a hub and spoke network topology

Q: What can I to do re-create the same Virtual Network in a different region?

Virtual Network basics

Name Resolution (DNS)

Can I override my DNS settings on a per-VM / service basis?

Connecting virtual machines

Azure services that connect to VNets

APIs, schemas, and tools

Static public IP addresses are commonly used in the following scenarios:

DNS hostname resolution

TOP-LEVEL RESOURCE IP ADDRESS ASSOCIATION DYNAMIC STATIC

Virtual machine Network interface Yes Yes

Load balancer Front end configuration Yes Yes

VPN gateway Gateway IP configuration Yes No

Application gateway Front end configuration Yes No

TOP-LEVEL RESOURCE IP ADDRESS ASSOCIATION DYNAMIC STATIC

Virtual machine Network interface Yes Yes

Load balancer Front end configuration Yes Yes

Application gateway Front end configuration Yes Yes

DNS hostname resolution

IaaS VMs and PaaS role instances

RESOURCE DYNAMIC STATIC MULTIPLE IP ADDRESSES

Cloud service Yes Yes Yes

IaaS VM or PaaS role Yes No No

VPN gateway Yes No No

Application gateway Yes No No

RESOURCE DYNAMIC STATIC MULTIPLE IP ADDRESSES

VM (in a standalone cloud Yes Yes Yes

PaaS role instance (in a Yes No Yes

VM or PaaS role instance (in Yes Yes Yes

Internal load balancer front Yes Yes Yes

Application gateway front Yes Yes Yes

DEFAULT LIMIT MAXIMUM LIMIT

Public IP addresses (dynamic) 5 contact support

Reserved public IP addresses 20 contact support

Public VIP per deployment (cloud 5 contact support

Private VIP (ILB) per deployment (cloud 1 1

Differences between Resource Manager and classic deployments

RESOURCE CLASSIC RESOURCE MANAGER

Public IP Address VM Referred to as an ILPIP Referred to as a public IP

Assigned to an IaaS VM or a Associated to the VM's NIC

Internet facing load Referred to as VIP (dynamic) Referred to as a public IP

Assigned to a cloud service Associated to the load

Private IP Address VM Referred to as a DIP Referred to as a private IP

Assigned to an IaaS VM or a Assigned to the VM's NIC