Create a virtual network using the Azure CLI

A virtual network enables Azure resources, such as virtual machines (VM), to communicate privately with each other and with the Internet. In this article, you learn how to create a virtual network. After creating a virtual network, you deploy two VMs into the virtual network. You then connect to one VM from the internet, and communicate privately with the other VM.

If you don't have an Azure subscription, create a free account before you begin.

Launch Azure Cloud Shell

The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account. Just click the Copy button to copy the code, paste it into the Cloud Shell, and then press enter to run it. There are a few ways to launch the Cloud Shell:

Click Try It in the upper right corner of a code block. Cloud Shell in this article
Open Cloud Shell in your browser.
Click the Cloud Shell button on the menu in the upper right of the Azure portal. Cloud Shell in the portal

If you choose to install and use the CLI locally, this article requires that you are running the Azure CLI version 2.0.28 or later. To find the installed version, run az --version. If you need to install or upgrade, see Install Azure CLI 2.0.

Create a virtual network

Before you can create a virtual network, you must create a resource group to contain the virtual network. Create a resource group with az group create. The following example creates a resource group named myResourceGroup in the eastus location:

az group create --name myResourceGroup --location eastus

Create a virtual network with az network vnet create. The following example creates a default virtual network named myVirtualNetwork with one subnet named default:

az network vnet create \
  --name myVirtualNetwork \
  --resource-group myResourceGroup \
  --subnet-name default

Create virtual machines

Create two VMs in the virtual network:

Create the first VM

Create a VM with az vm create. If SSH keys do not already exist in a default key location, the command creates them. To use a specific set of keys, use the --ssh-key-value option. The --no-wait option creates the VM in the background, so that you can continue to the next step. The following example creates a VM named myVm1:

az vm create \
  --resource-group myResourceGroup \
  --name myVm1 \
  --image UbuntuLTS \
  --generate-ssh-keys \

Create the second VM

az vm create \
  --resource-group myResourceGroup \
  --name myVm2 \
  --image UbuntuLTS \

The VM takes a few minutes to create. After the VM is created, the Azure CLI returns output similar to the following example:

  "fqdns": "",
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVm1",
  "location": "eastus",
  "macAddress": "00-0D-3A-23-9A-49",
  "powerState": "VM running",
  "privateIpAddress": "",
  "publicIpAddress": "",
  "resourceGroup": "myResourceGroup"

Take note of the publicIpAddress. This address is used to connect to the VM from the Internet in the next step.

Connect to a VM from the internet

Replace <publicIpAddress> with the public IP address of your myVm2 VM in the command the follows, and then enter the following command:

ssh <publicIpAddress>

Communicate privately between VMs

To confirm private communication between the myVm2 and myVm1 VMs, enter the following command:

ping myVm1 -c 4

You receive four replies from

Exit the SSH session with the myVm2 VM.

Clean up resources

When no longer needed, you can use az group delete to remove the resource group and all of the resources it contains:

az group delete --name myResourceGroup --yes

Next steps

In this article, you created a default virtual network and two VMs. You connected to one VM from the Internet and communicated privately between the VM and another VM. To learn more about virtual network settings, see Manage a virtual network.

By default, Azure allows unrestricted private communication between virtual machines, but only allows inbound SSH sessions to Linux VMs from the Internet. To learn how to allow or restrict different types of network communication to and from VMs, advance to the next tutorial.