Here are the steps and explanations for ensuring that hosts on VNET2 can access hosts on both VNET1 and VNET3, but hosts on VNET1 and VNET3 cannot communicate through VNET2:
To connect different virtual networks in Azure, you need to use virtual network peering. Virtual network peering allows you to create low-latency, high-bandwidth connections between virtual networks without using gateways or the internet [1].
To create a virtual network peering, you need to go to the Azure portal and select your virtual network. Then select Peerings under Settings and select + Add [2].
On the Add peering page, enter or select the following information:
Name: Type a unique name for the peering from the source virtual network to the destination virtual network.
Virtual network deployment model: Select Resource manager.
Subscription: Select the subscription that contains the destination virtual network.
Virtual network: Select the destination virtual network from the list or enter its resource ID.
Name of the peering from [destination virtual network] to [source virtual network]: Type a unique name for the peering from the destination virtual network to the source virtual network.
Configure virtual network access settings: Select Enabled to allow resources in both virtual networks to communicate with each other.
Allow forwarded traffic: Select Disabled to prevent traffic that originates from outside either of the peered virtual networks from being forwarded through either of them.
Allow gateway transit: Select Disabled to prevent either of the peered virtual networks from using a gateway in the other virtual network.
Use remote gateways: Select Disabled to prevent either of the peered virtual networks from using a gateway in the other virtual network as a transit point to another network.
Select Add to create the peering [2].
Repeat the previous steps to create peerings between VNET2 and VNET1, and between VNET2 and VNET3. This will allow hosts on VNET2 to access hosts on both VNET1 and VNET3.
To prevent hosts on VNET1 and VNET3 from communicating through VNET2, you need to use network security groups (NSGs) to filter traffic between subnets. NSGs are rules that allow or deny inbound or outbound traffic based on source or destination IP address, port, or protocol [3].
To create an NSG, you need to go to the Azure portal and select Create a resource. Search for network security group and select Network security group. Then select Create [4].
On the Create a network security group page, enter or select the following information:
Subscription: Select your subscription name.
Resource group: Select your resource group name.
Name: Type a unique name for your NSG.
Region: Select the same region as your virtual networks.
Select Review + create and then select Create to create your NSG [4].
To add rules to your NSG, you need to go to the Network security groups service in the Azure portal and select your NSG. Then select Inbound security rules or Outbound security rules under Settings and select + Add [4].
On the Add inbound security rule page or Add outbound security rule page, enter or select the following information:
Source or Destination: Select CIDR block.
Source CIDR blocks or Destination CIDR blocks: Enter the IP address range of the source or destination subnet that you want to filter. For example, 10.0.1.0/24 for VNET1 subnet 1, 10.0.2.0/24 for VNET2 subnet 1, and 10.0.3.0/24 for VNET3 subnet 1.
Protocol: Select Any to apply the rule to any protocol.
Action: Select Deny to block traffic from or to the source or destination subnet.
Priority: Enter a number between 100 and 4096 that indicates the order of evaluation for this rule. Rules with lower numbers are evaluated before rules with higher numbers.
Name: Type a unique name for your rule.
Select Add to create your rule [4].
Repeat the previous steps to create inbound and outbound rules for your NSG that deny traffic between VNET1 and VNET3 subnets. For example, you can create an inbound rule that denies traffic from 10.0.1.0/24 (VNET1 subnet 1) to 10.0.3.0/24 (VNET3 subnet 1), and an outbound rule that denies traffic from 10.0.3.0/24 (VNET3 subnet 1) to 10.0.1.0/24 (VNET1 subnet 1).
To associate your NSG with a subnet, you need to go to the Virtual networks service in the Azure portal and select your virtual network. Then select Subnets under Settings and select the subnet that you want to associate with your NSG [5].
On the Edit subnet page, under Network security group, select your NSG from the drop-down list. Then select Save [5].
Repeat the previous steps to associate your NSG with the subnets in VNET1 and VNET3 that you want to isolate from each other.
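Before associating the NSG, it is worth checking that the deny rules actually produce the intended result under NSG evaluation order (lowest priority number first, first match wins, then the default rules). The following is an added example, not part of the answer above or of any Azure tooling: it models the subnets and the deny rules described above, approximates Azure's default AllowVnetInBound/OutBound rule (priority 65000, which would otherwise permit traffic between peered virtual networks) with the constructed 10.0.0.0/16 range, and evaluates sample flows. Subnet ranges, host addresses and rule names are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed subnets, matching the ranges used in the answer.
VNET1_SUBNET1 = "10.0.1.0/24"
VNET2_SUBNET1 = "10.0.2.0/24"
VNET3_SUBNET1 = "10.0.3.0/24"

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # custom rules use 100-4096; lower number is evaluated first
    direction: str       # "Inbound" or "Outbound"
    source: str          # CIDR block
    destination: str     # CIDR block
    action: str          # "Allow" or "Deny"

def custom_rules():
    """Deny rules that isolate VNET1 subnet 1 and VNET3 subnet 1 from each other, both directions."""
    return [
        Rule("DenyVnet1ToVnet3In", 100, "Inbound", VNET1_SUBNET1, VNET3_SUBNET1, "Deny"),
        Rule("DenyVnet3ToVnet1In", 110, "Inbound", VNET3_SUBNET1, VNET1_SUBNET1, "Deny"),
        Rule("DenyVnet1ToVnet3Out", 100, "Outbound", VNET1_SUBNET1, VNET3_SUBNET1, "Deny"),
        Rule("DenyVnet3ToVnet1Out", 110, "Outbound", VNET3_SUBNET1, VNET1_SUBNET1, "Deny"),
    ]

# Approximation of Azure's default AllowVnetInBound/AllowVnetOutBound rules (priority 65000).
# The real rules use the VirtualNetwork service tag, which also covers peered address spaces;
# here that tag is modelled as the constructed 10.0.0.0/16 range.
DEFAULT_ALLOW_VNET = [
    Rule("AllowVnetInBound", 65000, "Inbound", "10.0.0.0/16", "10.0.0.0/16", "Allow"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "10.0.0.0/16", "10.0.0.0/16", "Allow"),
]

def evaluate(rules, direction, src_ip, dst_ip):
    """Return the action of the first matching rule in priority order (NSG semantics)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if src in ipaddress.ip_network(r.source) and dst in ipaddress.ip_network(r.destination):
            return r.action
    return "Deny"  # DenyAllInBound/OutBound at priority 65500 is the final default rule

def check_isolation():
    """Check the stated goal: VNET2 reaches VNET1 and VNET3, but VNET1 and VNET3 cannot reach each other."""
    rules = custom_rules() + DEFAULT_ALLOW_VNET
    return {
        "vnet2->vnet1": evaluate(rules, "Inbound", "10.0.2.4", "10.0.1.4"),
        "vnet2->vnet3": evaluate(rules, "Inbound", "10.0.2.4", "10.0.3.4"),
        "vnet1->vnet3": evaluate(rules, "Inbound", "10.0.1.4", "10.0.3.4"),
        "vnet3->vnet1": evaluate(rules, "Outbound", "10.0.3.4", "10.0.1.4"),
    }
```

Removing the custom deny rules from check_isolation() shows why they are needed: the default allow rule alone permits all four flows.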