Filtering, Routing, and Integration
Start course
1h 5m

This course explores Azure Virtual Networks, how to create them, and how to connect them. It begins with a vNet overview, where you'll learn about basic Azure Virtual Network concepts and about some key best practices. We'll cover communications topics, filtering, routing, and integration, before working through a demo that shows you how to deploy a virtual network in Microsoft Azure.

After covering the basics of Azure Virtual Networks in the first half of this course, we'll use the second half to dive into VPNs, where you'll learn about site-to-site VPNs, point-to-site VPNs, ExpressRoute, and vNet peering. You'll also watch a demonstration from the Azure platform that shows you how to peer two vNets in Azure. 

If you have any feedback relating to this course, feel free to contact us at

Learning Objectives

  • Obtain a foundational understanding of Azure Virtual Networks including key concepts, best practices, communications, filtering, routing, and integration
  • Provision a virtual network
  • Understand what the Azure VPN Gateway is and what it does
  • Build a site-to-site VPN
  • Learn how to connect a single client computer to a virtual network using a point-to-site VPN gateway
  • Learn how to connect your on-premises network to Azure using ExpressRoute
  • Learn how to peer two Azure Virtual Networks

Intended Audience

This course is intended for anyone who wants to learn about Azure Virtual Networks, how to create them, and how to connect them.


To get the most out of this course, you should have a basic understanding of the Azure platform and networking in general.


Hello and welcome to Filtering, Routing, and Integration. In this lesson, we’ll take a look at ways you can filter network traffic in Azure and at ways you can route network traffic in Azure. We will also touch on ways you can integrate Azure services in a virtual network.

In a production environment, you’ll often find that you need to filter traffic between subnets. You’ll need to allow certain traffic while blocking other traffic. There are two key ways to accomplish this type of filtering. You can use security groups, or you can use network virtual appliances.

Security groups fall into two types: network security groups and application security groups. A network security group, when you create it in Azure, can be assigned to a specific NIC or to an entire subnet. Any rules that are defined within the network security group are then applied to that NIC or to all NICs and virtual machines on the subnet when the security group is applied to the entire subnet. This works for many, even most scenarios. However, if you need more flexibility, you can leverage an application security group.

When you deploy an application security group, you can logically group the NICs of several different virtual machines on the same virtual network and then apply a network security group rule to only those grouped NICs. This allows you to create different traffic rules for different groups of NICs on the same network without needing to assign the different rules on a one-off basis. You could essentially have a group of SQL VMs connected to the same vNet as your group of application VMs. Using a separate application security group for each group of VMs allows you to manage the network security rules for each different group of VMs – even though they all reside on the same network.

While security groups provide a great way to filter network traffic, you can also use network virtual appliances. A network virtual appliance (or NVA) is really just a virtual machine that is used to perform a specific network task. For example, you can deploy an NVA that acts as a firewall or one that provides WAN optimization.

Some available NVAs include the “Barracuda CloudGen WAF for Azure” and the “Citrix SD-WAN Center”.

While Azure automatically handles routing of network traffic between subnets, vNets, on-prem networks, and the internet by default, if you need to create your own routes, you can leverage route tables and BGP routes.

Route tables are custom tables that allow you to define custom routes that control how traffic is routed for each of your subnets.  BGP routes, or border gateway protocol routes, are typically used when you connect an Azure virtual network to an on-prem network via an ExpressRoute connection or via an Azure VPN Gateway. In these scenarios, you use BGP routes to propagate your existing on-prem BGP routes to your virtual networks in Azure.

The details of how BGP works are out of scope for this getting started course but if you want to learn more about BGP, you can visit the URL that you see on your screen:

Before we wrap this lesson up, let’s talk a little bit about virtual network integration. When you integrate an Azure service to an Azure virtual network, what you are really doing is enabling private access to whatever service you are integrating from VMs or other compute resources that reside on the virtual network.

You can create these integrations in a few different ways. For example, you can deploy a dedicated HDInsight instance and directly transfer data between it and SQL server that’s running on a VM on the virtual network, via a private IP address.

For more technical details on this option, visit the URL that you see on your screen:

Another way to achieve vNet integration is to use private links. A private link can be used to privately access a specific service instance from your virtual network or from your on-prem network.

To learn more about Private Link, visit the URL that you see on your screen:

Lastly, you can use service endpoints to extend a virtual network to a specific Azure service. When you configure service endpoints to access an Azure service, you can secure that service to the virtual network. In other words, you can use service endpoints to create secure and direct connectivity to Azure resources over an optimized route across the Azure backbone network.

To learn more about service endpoints, visit the URL that you see on your screen:

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.