The networking stack in Microsoft Azure is very important and is the foundation for other services, especially when we talk about IaaS. Setting up Azure networking correctly is very important, as it will be key to setting up your IaaS infrastructure and allowing your virtual machines to communicate. The networking stack in Azure is composed of two components, external and private. External is used to access service endpoints over the internet and private is used for communication between Azure services internally.

Almost all Azure services have external endpoints configured by default, but we have some special cases when we don't want to enable access over the internet. In these cases, we can disable external endpoints and set up these services to use private traffic only. This applies to PaaS as well, even though these services usually don't have private network access configured by default (except for some PaaS services that are designed for this, for example, app service isolated). In this chapter, we'll discuss basic networking features and will continue to explore networking options for specific services when the time comes.

IaaS usually has external endpoints configured as well, but we have the option to disable these and not allow access over the internet. On the other hand, IaaS always comes with a private network configured. Every virtual machine in Azure has to be assigned to a virtual network and have a private IP address assigned. Even if we have a single virtual machine configured and want to use it only for public access over the internet, a virtual network will be created in the background, and this VM will have a private IP address assigned. 

Azure networking also extends to VPN options, which allow you to access services only over a private network and private IP addresses. This allows you to secure resources further and disable any kind of public access. We will explore these features and options when we discuss hybrid cloud with Microsoft Azure.