1# Networking-deep branch
2 
3Ask only what cannot be inferred. Volunteer the advanced switches.
4 
5| Topic | Question | Default offered |
6|---|---|---|
7| VNet | "Existing VNet, or new?" | If existing: ask name + RG; offer to list via `network_vnet_list` MCP or `az network vnet list` |
8| Subnet sizing | "Subnet CIDR?" | `/24` if new |
9| NSG | "Inbound rules: default (SSH/RDP from your IP) or paste a rule set?" | Restrict source to user's current public IP — fetch via `curl -s ifconfig.me` if not provided |
10| Public IP | "Public IP, or private only?" | Public unless user said "private", "internal", "no internet" |
11| Accelerated networking | "Enable accelerated networking?" | `true` if size supports it (most D/E/F series ≥ 2 vCPU) |
12| Private endpoints | "Any private endpoints to attach?" | Not by default; ask only if user mentioned data / Key Vault / storage targets |
13| Outbound | "Outbound: default Azure SNAT, NAT Gateway, or Firewall route?" | Default SNAT if user didn't mention egress; if mentioned, default NAT Gateway |
14| DNS | "Custom DNS servers?" | Azure-provided |
15| IP version | "IPv4 only or dual-stack?" | IPv4 |
16| Service endpoints | "Service endpoints on subnet?" | None unless user mentioned a target |
17 
18## Notes
19 
20- Don't auto-create a NAT Gateway just because the user said "secure" — confirm intent first; NAT Gateway is ~$30/mo before traffic.
21- If the user wants "private only", offer Azure Bastion as the management path; don't silently leave them with no way in.
22- `accelerated networking` defaults to **on** for supporting SKUs because the cost is zero and the throughput gain is large.
23