Address space: Just like in a on-premises network, VNets need to be assigned an IP address space. Each resource in a VNet is going to be assigned a private IP address from this address space, so don’t work with overlapping address spaces. Unless you want headaches later on!
Subnets: Again, this isn’t any different from the on-premises world. Subnets allow for segmenting VNets in to one or more sub-networks. That gives you the ability to deploy resources in to specific subnets.
Regions: VNets are scoped to a single region or location. But it is possible to connect multiple VNets togethet using Virtual Network Peering.
Subscription: Hey! This is a paying service after all! VNets belong to a subscription… They are not accessible outside of this subscription unless you do funkey stuff.
Virtual Network (VNet): A virtual network is a network in Azure. Here resources can get deployed to, and communicate with each other, the internet, or on-premises.
Virtual Network Service Endpoint: This service extends the virtal network private address space and the identity of a VNet to the services on Azure, by a direct connects. It’s a service that provides an extra layer of security.
VNet Peering: If you ever wanted to connect Azure VNets together, then VNet peering has you covered! After peering this network will appear as one, in a very Dragonball Z-esque fashion.
Global VNet Peering: Like regular VNet peering, but it allows VNets accross regions to be connected to each other. So if you’re building a solution that has to live in different regions, Global VNet peering is the way to go!
Point-to-site (P2S) VPN: This connection type is established between a virtual network and a single computer in your network. It has it’s advantages, like for developpers, but in general it’s not going to be the best long-term approach.
Site-to-Site (S2S) VPN: Establishing a S2S VPN between the on-premises and Azure VPN Gateway enables any on-premises resource to access a VNet, if it is authorized.
Azure ExpressRoute (ER): Like a S2S VPN, but routed through a private partner. No traffic on ER goes over the internet. Available in multiple flavors, and fairly expensive, but if you want a direct, stable, internet-independent connection to the Azure BackBone, ER is the only way to fly!
Security Groups: These contain inbound and outbound security rules that allow for filtering traffic to and from resources based on source, destination, port, and protocol.
Azure Virtual Appliance: These are virtual machines which perform network functions. They could be firewalls, WAN Optimizers, or any sort of network function.
Route Tables: When used in Azure, route tables will override the default routing traffic behavior. Be forewarned, here be dragons!
Border gateway protocol (BGP) routes: Another way of overriding the default routing behavior in Azure. BGP routes can be propagated from on-premises to the VNets, if the networks are connected using Azure VPN gateway or ExpressRoute connections.