
Azure Virtual Network (VNet) and Subnets with Terraform — The Foundation of Your Cloud Network
- Posted by admin
- Categories Azure Cloud, multicloud
- Date July 22, 2025
- Tags cloud networking, Infrastructure as Code, Multicloud, network security group, networking, oci, subnet, terraform, vnet
🌤️ Introduction
When building infrastructure in Microsoft Azure, everything starts with networking. In this article, you’ll learn step-by-step how to create an Azure VNet with Terraform, define subnets, and attach Network Security Groups (NSGs) for traffic control.
If you’ve already explored the OCI Virtual Cloud Network (VCN) with Terraform, you’ll immediately notice the parallels between OCI and Azure networking.
Both define private IP spaces, subnets, and routing — but Azure uses Resource Groups instead of OCI Compartments as logical containers.
This guide will help you build a clean, modular, and reusable Azure network foundation using Terraform.
🧩 Step 1 — Create a Resource Group (like a Compartment in OCI)
Every Azure resource must live inside a Resource Group. Think of it as the Azure equivalent of an OCI Compartment — a logical boundary for access control, lifecycle, and cost management.
resource "azurerm_resource_group" "foggykitchen-rg" {
  name     = "foggykitchen-rg"
  location = "East US"
}
This Resource Group will host all network resources — your VNet, Subnets, and Network Security Groups.
🌐 Step 2 — Define the Azure Virtual Network (VNet) with Terraform
The Azure Virtual Network (VNet) is the foundation of every Azure deployment.
It defines your private IP space and enables communication between virtual machines, databases, and other services.
resource "azurerm_virtual_network" "foggykitchen-vnet" {
  name                = "foggykitchen-vnet"
  address_space       = ["10.0.0.0/16"]
  # Reference the Resource Group from Step 1 by its resource name, foggykitchen-rg
  location            = azurerm_resource_group.foggykitchen-rg.location
  resource_group_name = azurerm_resource_group.foggykitchen-rg.name
}
👉 The following diagram illustrates a simple Azure VNet built with Terraform — the same network architecture used in the Multicloud Foundations course.
It shows how core networking components come together inside a single Resource Group:
🧩 Virtual Network (VNet) – defines the private IP address space 10.0.0.0/16.
🧱 Public and Private Subnets – logical segments for frontend and backend workloads (10.0.1.0/24, 10.0.2.0/24).
🛡️ Network Security Group (NSG) – enforces inbound and outbound security rules.
🌐 NAT Gateway – allows outbound Internet connectivity from private subnets.
📦 Resource Group – the Azure equivalent of an OCI Compartment.
This architecture demonstrates how easily you can provision a complete Azure VNet setup with Terraform — modular, secure, and ready for extensions like Load Balancers, File Storage, or Peering.
🧱 Step 3 — Create Subnets inside your Azure VNet
A subnet divides the address space of your Azure VNet into logical sections — for example, frontend, backend, and database tiers.
# Public subnet for frontend workloads
resource "azurerm_subnet" "foggykitchen-public-subnet" {
  name                 = "foggykitchen-public-subnet"
  resource_group_name  = azurerm_resource_group.foggykitchen-rg.name
  virtual_network_name = azurerm_virtual_network.foggykitchen-vnet.name
  address_prefixes     = ["10.0.1.0/24"]
}

# Private subnet for backend workloads
resource "azurerm_subnet" "foggykitchen-private-subnet" {
  name                 = "foggykitchen-private-subnet"
  resource_group_name  = azurerm_resource_group.foggykitchen-rg.name
  virtual_network_name = azurerm_virtual_network.foggykitchen-vnet.name
  address_prefixes     = ["10.0.2.0/24"]
}
Each subnet becomes a logical zone within your Azure VNet — perfect for isolating workloads and applying security policies.
🧰 Step 4 — Add a Network Security Group (NSG)
In Azure, Network Security Groups (NSGs) control inbound and outbound traffic — similar to Security Lists and Network Security Groups in OCI.
Here’s a Terraform definition for an NSG:
resource "azurerm_network_security_group" "backend_nsg" {
  name                = "backend-nsg"
  location            = azurerm_resource_group.foggykitchen-rg.location
  resource_group_name = azurerm_resource_group.foggykitchen-rg.name

  security_rule {
    name                       = "allow-ssh"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    # "*" matches any source address, so this rule admits SSH from everywhere
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}
Now associate it with your subnet:
resource "azurerm_subnet_network_security_group_association" "backend_assoc" {
  subnet_id                 = azurerm_subnet.foggykitchen-private-subnet.id
  network_security_group_id = azurerm_network_security_group.backend_nsg.id
}
For an OCI comparison, read OCI Security Lists vs Network Security Groups — What to Use and When.
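A tighter variant of the NSG from this step, as an added example that is not part of the original article: SSH is admitted only from a management range and only to the private subnet. The variable admin_cidr and the name backend_nsg_restricted are hypothetical; the block reuses the Resource Group and private subnet from Steps 1 and 3 and takes the place of backend_nsg and its association.

```hcl
# Added example. admin_cidr and backend_nsg_restricted are hypothetical names.
variable "admin_cidr" {
  description = "Management network allowed to reach SSH (assumption: a VPN or bastion range)."
  type        = string

  validation {
    # Reject malformed CIDRs and any /0 prefix, which would reopen SSH to every source.
    condition     = can(cidrhost(var.admin_cidr, 0)) && !can(regex("/0$", var.admin_cidr))
    error_message = "The admin_cidr value must be a valid CIDR block narrower than /0."
  }
}

resource "azurerm_network_security_group" "backend_nsg_restricted" {
  name                = "backend-nsg-restricted"
  location            = azurerm_resource_group.foggykitchen-rg.location
  resource_group_name = azurerm_resource_group.foggykitchen-rg.name

  security_rule {
    name                       = "allow-ssh-from-admin"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = var.admin_cidr # instead of "*"
    destination_address_prefix = "10.0.2.0/24"  # private subnet only, instead of "*"
  }
  # No explicit deny rule is needed: other inbound Internet traffic falls through
  # to Azure's built-in DenyAllInBound default rule (priority 65500).
}

# Replaces the backend_assoc resource above; a subnet holds one NSG at a time.
resource "azurerm_subnet_network_security_group_association" "backend_assoc" {
  subnet_id                 = azurerm_subnet.foggykitchen-private-subnet.id
  network_security_group_id = azurerm_network_security_group.backend_nsg_restricted.id
}
```

With this variant, terraform plan fails at validation if admin_cidr is malformed or set to 0.0.0.0/0.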
⚙️ Step 5 — Apply and Verify
Once your configuration is ready, run:
terraform init
terraform plan
terraform apply
Then open Azure Portal → Virtual Networks → foggykitchen-vnet → Subnets
to verify that both the public and private subnets exist and that the private subnet has its NSG attached.
Tip: Terraform automatically tracks resource dependencies,
so you can reuse your Azure VNet Terraform code in later modules (Load Balancer, File Storage etc.).
🧭 Summary
In this tutorial, you’ve learned how to use Terraform to create an Azure VNet, subnets, and NSGs — the fundamental elements of any Azure infrastructure.
You also saw how these Azure concepts align with OCI:
Azure Resource Group ≈ OCI Compartment
Azure VNet ≈ OCI VCN
Azure NSG ≈ OCI Network Security Group / Security List
This foundational layer will serve as the base for advanced configurations — from peering to hybrid networking.
🔗 Next Steps
💡 Continue your Azure journey with these related guides:
Azure Load Balancer with Terraform — Distributing Traffic the Right Way
Azure File Storage (NFS) with Terraform — Shared Storage for Your Backends
Azure Local VNet Peering with Terraform — Connecting Your Networks
For more details, check the official Azure Virtual Network documentation.

