Virtual networks

Here are some practices that should be followed in Azure, with regard to virtual networks:

  • Use subnets for large IP address spaces
  • Use Network Security Groups (NSG) to provide allow/deny rules for network traffic

However, it's best to avoid the following:

  • Don't use split tunneling; instead, enable forced tunneling. An example of a split tunnel is when you VPN to your corporate network from Starbucks: you have access to all your corporate resources, but your internet traffic does not go through the VPN. When connected to a corporate network, you want all your traffic to go through the VPN for security reasons and to reduce risk, which is what happens when you enable forced tunneling.

Virtual networks are the core component for making your resources secure, so plan them wisely. Implement an Azure DMZ if required. When creating gateway subnets, keep their scope as small as possible to avoid wasting IP addresses.

The default system routes are usually all that you need: they let Azure resources initiate communication between themselves. If you need more, you can create user-defined routes.
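The forced-tunneling advice and the note on user-defined routes above can be checked together by looking at where a subnet's default route actually points. The following is an added example, not code from the book: it applies Azure's route selection (longest prefix first, then user-defined over BGP over system routes) to a constructed route list. The field names are modelled on the effective-route output of the Azure CLI and are an assumption here, as are the helper names and sample values.

```python
import ipaddress

# On equal prefix length, user-defined routes win over BGP-learned
# routes, which win over default system routes.
SOURCE_PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}

def select_route(routes, destination):
    """Return the route that would carry traffic to destination, or None."""
    dest = ipaddress.ip_address(destination)
    candidates = []
    for route in routes:
        if route.get("state", "Active") != "Active":
            continue  # invalid routes are never selected
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix)
            if dest in net:
                rank = SOURCE_PRIORITY.get(route["source"], 3)
                candidates.append((-net.prefixlen, rank, route))
    if not candidates:
        return None
    candidates.sort(key=lambda c: (c[0], c[1]))
    return candidates[0][2]

def is_forced_tunnel(routes, probe="203.0.113.10"):
    """True if internet-bound traffic leaves through a gateway or appliance."""
    route = select_route(routes, probe)
    return route is not None and route["nextHopType"] in (
        "VirtualNetworkGateway", "VirtualAppliance")

# Constructed sample: a subnet with only the default system routes.
SYSTEM_ROUTES = [
    {"source": "Default", "state": "Active",
     "addressPrefix": ["10.0.0.0/16"], "nextHopType": "VnetLocal"},
    {"source": "Default", "state": "Active",
     "addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet"},
]
# Constructed sample: the same subnet after a user-defined default route
# sends internet-bound traffic to the VPN gateway (forced tunneling).
FORCED_ROUTES = SYSTEM_ROUTES + [
    {"source": "User", "state": "Active",
     "addressPrefix": ["0.0.0.0/0"], "nextHopType": "VirtualNetworkGateway"},
]

if __name__ == "__main__":
    print("system routes only:", is_forced_tunnel(SYSTEM_ROUTES))
    print("with user-defined route:", is_forced_tunnel(FORCED_ROUTES))
```

Traffic inside the virtual network still matches the more specific `10.0.0.0/16` system route, so the user-defined default route changes only the internet-bound path.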