Choose address spaces and subnet boundaries carefully at the start. Networking refactors are harder than renaming a resource. Poor early design causes pain later, especially when AKS enters the picture.
Azure Networking with Terraform
Provision VNets, subnets, NSGs, and routing foundations with Terraform so later lessons can build AKS and CI/CD workflows on top of a solid network design.
🧒 Simple Explanation (ELI5)
Cloud networking is like designing roads, neighborhoods, gates, and traffic rules for your applications. Terraform lets you define that layout once so every environment gets the same safe structure.
🤔 Why Do We Need It?
- Networking mistakes create outages and security exposure.
- AKS and many Azure services depend on predictable subnet and routing design.
- Repeatable environments need standard address spaces and access rules.
🔧 Technical Explanation
In Azure, a common network foundation includes a resource group, virtual network, one or more subnets, network security groups, and sometimes route tables or private endpoints. Terraform makes these relationships explicit and versioned.
```hcl
# azurerm_resource_group.platform is assumed to be declared elsewhere in this configuration.
resource "azurerm_virtual_network" "platform" {
  name                = "vnet-platform-dev"
  location            = azurerm_resource_group.platform.location
  resource_group_name = azurerm_resource_group.platform.name
  address_space       = ["10.20.0.0/16"] # the whole VNet range; subnets are carved out of it
}

resource "azurerm_subnet" "aks" {
  name                 = "snet-aks"
  resource_group_name  = azurerm_resource_group.platform.name
  virtual_network_name = azurerm_virtual_network.platform.name
  address_prefixes     = ["10.20.1.0/24"] # must sit inside the VNet address_space
}
```

| Component | Why It Matters |
|---|---|
| VNet | Top-level network boundary |
| Subnet | Separates workload zones and service placement |
| NSG | Controls traffic rules |
| Route Table | Controls path decisions for traffic flows |
🌍 Real-World Use Case
A team preparing for AKS may use Terraform to create a shared VNet with dedicated subnets for the cluster, ingress, and private services. Later, the AKS module consumes those subnet IDs. CI/CD then deploys workloads into the cluster created inside that network boundary.
🛠️ Hands-on
Add an NSG
```hcl
resource "azurerm_network_security_group" "aks" {
  name                = "nsg-aks-dev"
  location            = azurerm_resource_group.platform.location
  resource_group_name = azurerm_resource_group.platform.name
  # No security_rule blocks yet: only Azure's default rules apply until rules are added.
}
```

Associate the NSG to a Subnet
```hcl
resource "azurerm_subnet_network_security_group_association" "aks" {
  subnet_id                 = azurerm_subnet.aks.id
  network_security_group_id = azurerm_network_security_group.aks.id
}
```

🐛 Debugging Scenario
Problem: AKS provisioning fails later because the subnet is incorrectly configured.
- Check subnet size and delegated service requirements.
- Confirm route tables and NSGs do not block required control plane or node traffic.
- Review whether the subnet is shared with incompatible workloads.
Terraform can create exactly what you asked for even when the design is wrong. A clean plan does not mean the platform design is correct.
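Building on the Hands-on NSG (which carries no rules yet) and the subnet checks above, here is an added example that is not part of the lesson: it carves the lesson's 10.20.0.0/16 into the cluster, ingress and private-services subnets from the real-world use case using cidrsubnet(), and attaches an NSG to the ingress subnet that admits only HTTPS from the Internet. The resource group and VNet references are assumed from the lesson's snippets; the subnet names, rule names and priorities are illustrative.

```hcl
# Added example (not the lesson's code); assumes azurerm_resource_group.platform and
# azurerm_virtual_network.platform from above. The subnet map replaces azurerm_subnet.aks.
locals {
  vnet_cidr = "10.20.0.0/16"
  # cidrsubnet(prefix, newbits, netnum): 16 + 8 bits gives /24 blocks, numbered from 0.
  subnets = {
    aks     = cidrsubnet(local.vnet_cidr, 8, 1) # 10.20.1.0/24
    ingress = cidrsubnet(local.vnet_cidr, 8, 2) # 10.20.2.0/24
    private = cidrsubnet(local.vnet_cidr, 8, 3) # 10.20.3.0/24
  }
  ingress_rules = {
    "allow-https-from-internet" = { priority = 100, access = "Allow", protocol = "Tcp", port = "443" }
    "deny-other-internet"       = { priority = 4000, access = "Deny", protocol = "*", port = "*" }
  }
}

resource "azurerm_subnet" "zone" {
  for_each             = local.subnets
  name                 = "snet-${each.key}"
  resource_group_name  = azurerm_resource_group.platform.name
  virtual_network_name = azurerm_virtual_network.platform.name
  address_prefixes     = [each.value]
}

resource "azurerm_network_security_group" "ingress" {
  name                = "nsg-ingress-dev"
  location            = azurerm_resource_group.platform.location
  resource_group_name = azurerm_resource_group.platform.name
}

# Source "Internet" (not "*") leaves Azure's default VirtualNetwork/AzureLoadBalancer allows intact.
resource "azurerm_network_security_rule" "ingress" {
  for_each                    = local.ingress_rules
  name                        = each.key
  priority                    = each.value.priority
  direction                   = "Inbound"
  access                      = each.value.access
  protocol                    = each.value.protocol
  source_port_range           = "*"
  destination_port_range      = each.value.port
  source_address_prefix       = "Internet"
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.platform.name
  network_security_group_name = azurerm_network_security_group.ingress.name
}

resource "azurerm_subnet_network_security_group_association" "ingress" {
  subnet_id                 = azurerm_subnet.zone["ingress"].id
  network_security_group_id = azurerm_network_security_group.ingress.id
}
```

Run terraform plan and confirm the three subnets land at the expected /24s before applying; a plan that creates them is still not proof the address layout leaves room for growth.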
📋 Interview Questions
Beginner
It is a logically isolated Azure network where your subnets and many platform resources live.
To standardize design, reduce human error, and make environment creation repeatable and reviewable.
It defines inbound and outbound traffic rules for Azure networking components such as subnets or NICs.
They define placement and address boundaries for workloads, and poor choices can limit future growth.
It provisions the network foundation and can pass subnet IDs into the AKS infrastructure layer.
Intermediate
Because networking is foundational infrastructure with a broader blast radius and longer lifecycle than application releases.
Future growth, overlap avoidance, peering needs, hybrid connectivity, and service-specific subnet requirements.
So downstream modules like AKS or private services can attach to the approved network layout without recreating it.
It increases contention, complicates security boundaries, and makes later changes more disruptive.
Because a small infrastructure diff can have broad connectivity and security consequences.
Scenario-Based
I inspect subnet size, network policies, NSGs, route tables, and whether the subnet meets AKS-specific requirements.
Create reusable Terraform modules and environment standards for address space, subnet structure, tags, and security controls.
I stop and investigate immediately because subnet replacement can disrupt dependent services and often needs a migration plan rather than a direct apply.
The network foundation is typically planned and applied through controlled pipelines before application delivery workflows ever reach AKS or Helm deployment stages.
Because clean syntax does not guarantee safe architecture, and many network changes can impact many workloads at once.
🧾 Summary
Azure networking is a core Terraform use case because platform stability depends on repeatable network design. Build it deliberately now so AKS and later platform components have a solid foundation.