Quickstart: Use Azure CLI to create a virtual network

This quickstart shows you how to create a virtual network by using Azure CLI, the Azure command-line interface. You then create two virtual machines (VMs) in the network, securely connect to the VMs from the internet, and communicate privately between the VMs.

A virtual network is the fundamental building block for private networks in Azure. Azure Virtual Network enables Azure resources like VMs to securely communicate with each other and the internet.

Prerequisites

Create a resource group

  1. Use az group create to create a resource group to host the virtual network. Use the following code to create a resource group named test-rg in the chinanorth3 Azure region.

    az group create \
        --name test-rg \
        --location chinanorth3
    

Create a virtual network and subnet

  1. Use az network vnet create to create a virtual network named vnet-1 with a subnet named subnet-1 in the test-rg resource group.

    az network vnet create \
        --name vnet-1 \
        --resource-group test-rg \
        --address-prefix 10.0.0.0/16 \
        --subnet-name subnet-1 \
        --subnet-prefixes 10.0.0.0/24
    

Deploy Azure Bastion

Azure Bastion uses your browser to connect to VMs in your virtual network over secure shell (SSH) or remote desktop protocol (RDP) by using their private IP addresses. The VMs don't need public IP addresses, client software, or special configuration.

Hourly pricing starts from the moment that Bastion is deployed, regardless of outbound data usage. For more information, see Pricing and SKUs. If you're deploying Bastion as part of a tutorial or test, we recommend that you delete this resource after you finish using it. For more information about Azure Bastion, see Azure Bastion.

  1. Use az network vnet subnet create to create an Azure Bastion subnet for your virtual network. This subnet is reserved exclusively for Azure Bastion resources and must be named AzureBastionSubnet.

    az network vnet subnet create \
        --name AzureBastionSubnet \
        --resource-group test-rg \
        --vnet-name vnet-1 \
        --address-prefix 10.0.1.0/26
    
  2. Create a public IP address for Azure Bastion. This IP address is used to connect to the Bastion host from the internet. Use az network public-ip create to create a public IP address named public-ip in the test-rg resource group.

    az network public-ip create \
        --resource-group test-rg \
        --name public-ip \
        --sku Standard \
        --location chinanorth3 \
        --zone 1 2 3
    
  3. Use az network bastion create to create an Azure Bastion host in the AzureBastionSubnet of your virtual network.

    az network bastion create \
        --name bastion \
        --public-ip-address public-ip \
        --resource-group test-rg \
        --vnet-name vnet-1 \
        --location chinanorth3
    

It takes about 10 minutes for the Bastion resources to deploy. You can create VMs in the next section while Bastion deploys to your virtual network.

Create virtual machines

Use az vm create to create two VMs named VM1 and VM2 in the subnet-1 subnet of the virtual network. When you're prompted for credentials, enter user names and passwords for the VMs.

  1. To create the first VM, use the following command:

    az vm create \
        --resource-group test-rg \
        --admin-username azureuser \
        --authentication-type password \
        --name vm-1 \
        --image Ubuntu2204 \
        --public-ip-address ""
    
  2. To create the second VM, use the following command:

    az vm create \
        --resource-group test-rg \
        --admin-username azureuser \
        --authentication-type password \
        --name vm-2 \
        --image Ubuntu2204 \
        --public-ip-address ""
    

Tip

You can also use the --no-wait option to create a VM in the background while you continue with other tasks.

The VMs take a few minutes to create. After Azure creates each VM, Azure CLI returns output similar to the following message:

    {
      "fqdns": "",
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Compute/virtualMachines/vm-2",
      "location": "chinanorth3",
      "macAddress": "00-0D-3A-23-9A-49",
      "powerState": "VM running",
      "privateIpAddress": "10.0.0.5",
      "publicIpAddress": "",
      "resourceGroup": "test-rg"
      "zones": ""
    }

Note

VMs in a virtual network with a Bastion host don't need public IP addresses. Bastion provides the public IP, and the VMs use private IPs to communicate within the network. You can remove the public IPs from any VMs in Bastion-hosted virtual networks. For more information, see Dissociate a public IP address from an Azure VM.

Note

Azure provides a default outbound access IP for VMs that either aren't assigned a public IP address or are in the back-end pool of an internal basic Azure load balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.

The default outbound access IP is disabled when one of the following events happens:

  • A public IP address is assigned to the VM.
  • The VM is placed in the back-end pool of a standard load balancer, with or without outbound rules.
  • An Azure Virtual Network NAT gateway resource is assigned to the subnet of the VM.

VMs that you create by using virtual machine scale sets in flexible orchestration mode don't have default outbound access.

For more information about outbound connections in Azure, see Default outbound access in Azure and Use Source Network Address Translation (SNAT) for outbound connections.

Connect to a virtual machine

Connect to a virtual machine

  1. On the Virtual machines page, select vm-1.

  2. In the Overview of vm-1, select Connect.

  3. In the Connect to virtual machine page, select the Bastion tab.

  4. Select Use Bastion.

  5. Enter the username and password you created when you created the VM, and then select Connect.

  6. Select Use Bastion.

  7. At the bash prompt for vm-1, enter ping -c 4 vm-2.

    You get a reply similar to the following message:

    azureuser@vm-1:~$ ping -c 4 vm-2
    PING vm-2.3bnkevn3313ujpr5l1kqop4n4d.cx.internal.chinacloudapp.cn (10.0.0.5) 56(84) bytes of data.
    64 bytes from vm-2.internal.chinacloudapp.cn (10.0.0.5): icmp_seq=1 ttl=64 time=1.83 ms
    64 bytes from vm-2.internal.chinacloudapp.cn (10.0.0.5): icmp_seq=2 ttl=64 time=0.987 ms
    64 bytes from vm-2.internal.chinacloudapp.cn (10.0.0.5): icmp_seq=3 ttl=64 time=0.864 ms
    64 bytes from vm-2.internal.chinacloudapp.cn (10.0.0.5): icmp_seq=4 ttl=64 time=0.890 ms
    
  8. Close the Bastion connection to VM1.

  9. Repeat the steps in Connect to a virtual machine to connect to VM2.

  10. At the bash prompt for vm-2, enter ping -c 4 vm-1.

    You get a reply similar to the following message:

    azureuser@vm-2:~$ ping -c 4 vm-1
    PING vm-1.3bnkevn3313ujpr5l1kqop4n4d.cx.internal.chinacloudapp.cn (10.0.0.4) 56(84) bytes of data.
    64 bytes from vm-1.internal.chinacloudapp.cn (10.0.0.4): icmp_seq=1 ttl=64 time=0.695 ms
    64 bytes from vm-1.internal.chinacloudapp.cn (10.0.0.4): icmp_seq=2 ttl=64 time=0.896 ms
    64 bytes from vm-1.internal.chinacloudapp.cn (10.0.0.4): icmp_seq=3 ttl=64 time=3.43 ms
    64 bytes from vm-1.internal.chinacloudapp.cn (10.0.0.4): icmp_seq=4 ttl=64 time=0.780 ms
    
  11. Close the Bastion connection to VM2.

Clean up resources

When you're done with the virtual network and the VMs, use az group delete to remove the resource group and all its resources.

az group delete \
    --name test-rg \
    --yes

Next steps

In this quickstart, you created a virtual network with a default subnet that contains two VMs. You deployed Azure Bastion and used it to connect to the VMs, and securely communicated between the VMs. To learn more about virtual network settings, see Create, change, or delete a virtual network.

Private communication between VMs in a virtual network is unrestricted by default. Continue to the next article to learn more about configuring different types of VM network communications.