Did you know Microsoft owns and runs more than 600,000 kilometres of networking cables across the planet? That's connecting more than 70 Azure regions, and that's over 400 data centres!
Reading time 5 minutes Published: 27 January 2026
In short:
In the early days, networking was all physical: routers, switches, cables, the things you would touch. Today, in the cloud, all the “fun stuff” happens in code, now, “software-defined networking (SDN)”. When you create a virtual network (Vnet), Azure spins up servers and configures routing behind the scenes.
You don’t see the hardware anymore, but the logic remains; it's still important to understand it.
In Azure, VNets replace the old VLANs you’d use on-prem. You don’t create a physical switch anymore. Instead, you define a virtual network, and Azure takes care of routing in the background. It may seem simple, but the complex logic is still there.
“Developers start using Azure or AWS, or any cloud, and then just deploy something. But before workloads go to production, we need security and isolation. That's when networking really becomes a thing.”
Wesley Haakman, Principal Azure Architect & Microsoft MVP
Subnets work differently, too. For example, if you create a subnet like 172.16.0.0/16, Azure reserves five IPs: the first four and the last (172.16.0.0–172.16.0.3 and 172.16.255.255). One is used for the virtual router/default gateway, and the rest are reserved for Azure platform services within the SDN layer.
Even though routing between subnets is automatic inside a VNet, networking becomes important as workloads move toward production. If you connect multiple VNets, you’ll often need user-defined routes (UDRs). For example, in a hub-and-spoke design, traffic between spokes might need to pass through a central hub firewall. Altogether, it’s important to understand how Azure reserves IPs, manages routing, and handles subnet isolation. Any misunderstanding can break communication or compromise security in your environment.
You can’t just connect everything to a VNet. To secure and isolate traffic:
In Azure, resources in the same subnet communicate automatically. That’s different from traditional networking, where you needed physical connections. You need to plan which VNets or subnets can communicate and enforce isolation with firewalls or NSGs.
Zero Trust works best in a hub-and-spoke. Connect spokes only to the hub, not to each other. Even one open port across multiple Vnets can expose sensitive resources.
Most Azure services integrate with networking. Private endpoints, VMs, and front-end services like Application Gateway or Front Door can work with firewalls to secure traffic while maintaining flexibility. Finally, always avoid direct spoke-to-spoke connections unless necessary, as misconfigurations can create unintended paths and compromise security.
Seamlessly connecting on-premises environments to Azure is critical, particularly for enterprises seeking to extend their infrastructure.
But connecting on-prem environments adds another layer of complexity. VPNs work for simple setups, but enterprise networks often require ExpressRoute or Azure Virtual WAN for higher bandwidth and reliability.
Once your network is up and running, diagnosing issues in Azure differs from on-prem. You don’t ping cables or trace physical hops any more, but virtual flows.
Meanwhile, many checks are automated: the system monitors backbone connections, backend pools, and overall network health. You’ll know if a connection is down without having to run tests constantly. This reduces the need for continuous logging, though selective logging remains useful for diagnosing issues.
Fortunately, Azure automates many network checks. Health probes and diagnostic logs help track connectivity and traffic. Tools like Network Watcher let you inspect flows and identify blocked or failing connections.
Azure networking isn’t free, and design choices affect both cost and latency. Cross-region networking costs can add up quickly, leading to increased latency. Therefore, keep dependent workloads in the same region and plan for inter-region data transfer charges. Plan your network with these trade-offs in mind, as performance, reliability, and cost are closely linked.
To get the most out of Azure networking, follow these practices where possible:
All said, networking remains essential in today’s cloud infrastructure. Networking was complex, and maybe it became easier. But it can still be very complex, especially with the endless ways you can approach it, not to mention all the different features.
The tools changed, and you don’t see routers as you did in the early days anymore. But the logic didn’t.
And even now, it’s still the backbone of everything in Azure.
If you understand networking (routes, subnets, isolation, and security) you’ll understand the cloud faster and design better environments. It’s still valuable knowledge and always will be.
Intercept can help you secure your Azure cloud so you can focus on delivering value to your customers and driving business.