Subnets in Azure Virtual Networks
Understanding Subnets
Subnets are fundamental building blocks of Azure Virtual Networks (VNets). A subnet is a range of IP addresses within a VNet. When you create a VNet, you can divide it into multiple subnets. Dividing your VNet into subnets allows you to segment network traffic and enhance security. Each subnet within a VNet must have a unique name and IP address range. The IP address range of a subnet must be a subset of the VNet's address space.
Key benefits of using subnets include:
- Network Segmentation: Isolate resources and control traffic flow between different segments of your network.
- Security: Apply Network Security Groups (NSGs) and User Defined Routes (UDRs) at the subnet level to enforce granular security policies.
- Resource Organization: Group related resources within a subnet for better management and organization.
Subnet Address Spaces
When creating a subnet, you define its IP address range using CIDR (Classless Inter-Domain Routing) notation. The subnet's address range must be contained within the VNet's address space. Azure reserves the first four and the last IP address in each subnet for protocol conforming requirements. These addresses cannot be assigned to resources.
For example, if your VNet has an address space of 10.0.0.0/16, you can create subnets like:
10.0.1.0/2410.0.2.0/2410.0.3.0/24
Subnet Delegation
Subnet delegation allows you to delegate a subnet to a specific Azure service. This means that the subnet can only host resources for that particular service. This feature enhances security and simplifies the management of PaaS services within your VNet.
When you delegate a subnet, Azure automatically configures the necessary network configurations, such as service endpoints, for that service. This removes the burden of manual configuration.
Supported Services for Delegation
Some common services that support subnet delegation include:
- Azure App Service
- Azure SQL Database
- Azure Storage
- Azure Key Vault
- Azure Container Instances
- Azure Kubernetes Service (AKS)
Key Subnet Properties
When configuring a subnet, consider the following properties:
| Property | Description |
|---|---|
| Name | A unique name for the subnet within the VNet. |
| Address Range | The CIDR block for the subnet's IP addresses. |
| Network Security Group (NSG) | An optional NSG to associate with the subnet for security filtering. |
| Route Table | An optional route table to associate with the subnet for custom routing. |
| Service Endpoints | Enable direct connectivity from your VNet to specific Azure PaaS services. |
| Private Endpoint Network Policies | Enable or disable network policies for private endpoints on the subnet. |
| Delegation | Delegate the subnet to a specific Azure service. |
Creating and Managing Subnets
You can create and manage subnets using various Azure tools:
- Azure Portal: A graphical interface for managing Azure resources.
- Azure CLI: A command-line interface for interacting with Azure.
- Azure PowerShell: A scripting environment for managing Azure resources.
- ARM Templates/Bicep: Infrastructure as Code (IaC) for declarative deployments.
Example: Creating a Subnet with Azure CLI
az network vnet subnet create \
--resource-group MyResourceGroup \
--vnet-name MyVNet \
--name MySubnet \
--address-prefixes 10.0.1.0/24
Example: Delegating a Subnet to Azure App Service
az network vnet subnet update \
--resource-group MyResourceGroup \
--vnet-name MyVNet \
--name MyAppServiceSubnet \
--delegations "Microsoft.Web/serverfarms"
Best Practices for Subnets
To effectively utilize subnets in Azure, consider these best practices:
- Start with a Plan: Design your VNet and subnet structure before deployment.
- Allocate Sufficient IP Addresses: Over-provision slightly to accommodate future growth.
- Use Meaningful Names: Name subnets descriptively (e.g.,
web-subnet,app-subnet,db-subnet). - Implement NSGs: Apply NSGs to subnets to control traffic and enhance security.
- Leverage Delegation: Use subnet delegation for PaaS services to simplify management and improve security.
- Consider Future Connectivity: Plan for potential VNet peering, VPN gateways, or ExpressRoute connections.