R12.1-JA-2025June05
Understand Azure Network Tree
The network tree of Azure networking objects is structured based on their hierarchy as follows:
| Level 0 | Level 1 | Level 2 | Level 3 | Level 4 | Level 5 |
| Tenant | Subscription | Region | VNet | Virtual Network Distributed Router | |
| Subnet | Virtual machines | ||||
| VPN Gateway | |||||
| ExpressRoute Gateway | |||||
| Application Gateway | |||||
| Azure Load Balancer (Internal) | |||||
| NAT Gateway | |||||
| Azure Firewall | |||||
Network Virtual Appliance (CSR1000V...) | |||||
| MSEE | |||||
| Azure Load Balancer (Public) | |||||
| Unassigned NAT Gateway | |||||
| Virtual WAN | Virtual WAN Hub | VPN Gateway | |||
| ExpressRoute Gateway | |||||
| Azure Firewall |
In the Network Tree, you will also find:
- The virtual network as a parent node includes a sub-node virtual network distributed router and subnet.
- The virtual network distributed router is a NetworkBrain conceptual component to simulate a virtual network as a network object to build relationships with other resources that belong to this virtual network.
- The virtual machine is listed under the subnet that belongs to this virtual network.
- The VPN gateway, ExpressRoute gateway, application gateway, Azure load balancer (internal), NAT gateway, and Azure firewall are listed under the virtual network to which they belong.
- The MSEE is simulated as a network object to connect with the virtual network and on-premises network, so it is listed under the region.
- The Azure load balancer (public) might not belong to a certain virtual network, so it is listed under the region.
- If the NAT gateway does not belong to any virtual network, it will be listed under the region as an unassigned NAT gateway.
- The Virtual WAN is used to connect networks within different regions, so it is listed under subscription. The virtual WAN hub is listed under virtual WAN, and the VPN gateway for vHub, ExpressRoute gateway for vHub and Azure firewall are listed under virtual WAN hub.
To view and understand the detailed information about your Azure network, complete the following steps:
- In the Network pane, select Azure > Network View. The hierarchy view of the Azure data model is organized in this order: Tenant > Subscription > Region > VNet.
- Expand a Tenant node to view the relationship between its child nodes.
- Select a VM node under a Subnet and click the Context Maps tab to view the corresponding L3 topology of the VM node. For more examples of context maps, refer to the Azure context map.
- Click the Device Details tab to view the details of the object, and the hyperlink will take you to the Azure portal directly.
Azure Context Map
The following table outlines the available context maps for Azure:
| Name | Description | Sample Context Map |
| Virtual Network Context Map | This context map helps you understand the relationship of resources within the same virtual network. The virtual machine will not be mapped by default due to its massive number. |  |
| Subnet Context Map | This context map helps you understand the virtual machine connecting to the same subnet within the virtual network. |  |
| Region Context Map | This context map displays all virtual networks and their resources relationship within the same region. |  |
| This context map also displays the management view for the selected region. |  | |
| VPN Context Map | This context map demonstrates the IPsec VPN connection between the VPN gateway and on-premise edge device. |  |
| ExpressRoute Gateway Context Map | This context map demonstrates the connection between ExpressRoute Gateway and the on-promise network via MSEE. |  |
| Virtual Hub Context Map | This context map demonstrates the resources used to connect to the on-premise network, the connected virtual network within the different region(s), and other connected virtual hub(s) via MS backbone in the Azure Virtual WAN solution. |  |