
Azure Virtual Networks (VNets) are used together with Network Security Groups (NSGs) to handle the networking side of Azure, Microsoft's cloud solution. NSGs act like firewalls: they allow or deny traffic based on rules for a subnet or a specific IP address. VNets, on the other hand, group resources into blocks of cloud application services that can be interconnected.

Azure Virtual Networks (VNets)

Azure VNets are a type of grouping in Azure used to segment parts of your network and assign IP addresses. They support VNet peering and can connect to an on-premises network through a VPN. A VNet is a fundamental building block of Azure networking that allows for private, secure, and public networks. VNets also allow for segmentation through subnets.

Hybrid connectivity lets a VPN or ExpressRoute connect on-premises data centers to a VNet. VNet peering connects networks in a way that scales to complex topologies. You can also use Azure Virtual Network Manager to oversee networks at scale across subscriptions. VNets are different from subnets and are more like VLANs in computer networking.

Azure Network Security Groups (NSGs)

Network Security Groups filter the traffic of a VNet, allowing or denying a specific IP address or a group of IP addresses. They can work with route tables to do things like flow control. Rules can also allow or deny access to certain ports or protocols, in addition to subnets and specific IP addresses.

NSGs have some of the capabilities of a layer 3 and 4 firewall and attach to subnets or Network Interface Cards (NICs) in Azure. Attaching them to subnets is more in line with best practices and keeps management simpler. An NSG attached to a subnet takes effect, via inheritance, across the subnet it is associated with.
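
The filtering described above, as an added example that is not part of the original post: a small Python model of how NSG rules decide on an inbound flow, useful for reasoning about which rule actually takes effect. It goes beyond the text by using Azure's priority ordering (lowest number first, first match wins) and by checking the subnet NSG before the NIC NSG. As a simplification it matches only protocol, source and destination port and collapses the default rules into one final deny; all rule values are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int   # lower number is evaluated first
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR prefix or "*"
    dest_port: str  # "443", "1000-2000" or "*"

def _matches(rule, proto, src_ip, port):
    if rule.protocol != "*" and rule.protocol.lower() != proto.lower():
        return False
    if rule.source != "*" and \
            ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.source):
        return False
    if rule.dest_port == "*":
        return True
    low, _, high = rule.dest_port.partition("-")
    return int(low) <= port <= int(high or low)

def nsg_decision(rules, proto, src_ip, port):
    """First matching rule in priority order wins."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(rule, proto, src_ip, port):
            return rule.access
    # Simplification: stands in for the default DenyAllInBound rule (65500);
    # the default allow rules for VNet and load balancer traffic are omitted.
    return "Deny"

def inbound_allowed(subnet_nsg, nic_nsg, proto, src_ip, port):
    """Inbound traffic must pass the subnet NSG, then the NIC NSG.
    None means no NSG is attached at that level."""
    for rules in (subnet_nsg, nic_nsg):
        if rules is not None and nsg_decision(rules, proto, src_ip, port) != "Allow":
            return False
    return True

# Constructed sample rule sets (addresses are documentation ranges)
SUBNET_NSG = [
    Rule(100, "Allow", "Tcp", "203.0.113.0/24", "443"),
    Rule(200, "Deny", "*", "203.0.113.77/32", "*"),  # never reached for Tcp/443
    Rule(300, "Allow", "Tcp", "10.0.0.0/16", "22"),
]
NIC_NSG = [Rule(100, "Allow", "Tcp", "*", "443")]
```

The deny at priority 200 is shadowed for TCP 443 by the broader allow at priority 100, which is the kind of ordering mistake worth checking for when reviewing a rule set.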

Conclusion

Understanding more about VNets and NSGs will allow you to know more about the security side of Azure. For me, this understanding is more of an extension of the SC-900 that I have, and it delves into more of the networking side of Azure, which is the AZ-700 training materials. In order to truly understand something, you need to learn it and teach someone else the material.