Azure Virtual Network Subnets

This document provides a comprehensive guide to understanding and managing subnets within Azure Virtual Networks (VNets).

What are Subnets?

Subnets are a logical division of an Azure Virtual Network (VNet). By dividing a VNet into subnets, you can segment the VNet into smaller network segments. Each subnet is a range of IP addresses within the VNet's address space. You can then associate network security groups (NSGs) and route tables to subnets.

Benefits of Using Subnets

• Enhanced Security: Isolate resources and apply granular security policies using NSGs.
• Improved Organization: Group related resources logically, making management easier.
• Traffic Control: Direct network traffic flow between subnets or to external networks.
• IP Address Management: Efficiently allocate and manage IP address ranges.

Creating and Managing Subnets

Subnets are created within a VNet. Each VNet must have at least one subnet. When you create a subnet, you define its name, address range, and optionally associate it with a Network Security Group (NSG) and a Route Table.

Key Properties of a Subnet:

• Name: A unique identifier for the subnet within the VNet.
• Address Range: A contiguous block of IP addresses in CIDR notation that falls within the VNet's address space. Azure reserves the first four IP addresses and the last IP address in each subnet for protocol conforming.
• Network Security Group (NSG): (Optional) A collection of security rules that allow or deny network traffic to resources connected to a VNet.
• Route Table: (Optional) Defines custom routes to control the flow of traffic.
• Delegation: Allows specific Azure services to consume resources within the subnet.

IP Addressing within Subnets

Each subnet is assigned a block of IP addresses from the VNet's address space. Azure reserves the first four IP addresses and the last IP address in every subnet for internal use:

• .0: Network address
• .1: Default gateway for the subnet
• .2, .3: Reserved for Azure DNS
• .255 (for a /24 subnet) or the last address: Broadcast address

This means that for a subnet with a /24 prefix (256 addresses), only 251 addresses are available for your resources.

Example Subnet Configuration

Consider a VNet with an address space of 10.0.0.0/16. You could create the following subnets:

• Frontend Subnet: 10.0.1.0/24 (For public-facing resources like web servers)
• Backend Subnet: 10.0.2.0/24 (For application servers)
• Database Subnet: 10.0.3.0/24 (For database servers)

Subnet Delegation

Subnet delegation allows you to designate a specific Azure service to consume resources within a subnet. When a subnet is delegated to a service, it means that the service will manage the IP addresses within that subnet for its own resources. This simplifies the deployment and management of certain services.

Examples of services that can be delegated include Azure App Service, Azure Kubernetes Service (AKS), and Azure SQL Database.

Next Steps

Now that you understand subnets, you can explore how to:

• Configure Network Security Groups (NSGs) to control traffic flow.
• Set up VNet Peerings to connect VNets.
• Create a Virtual Network and Subnets using the Azure portal or CLI.

Back to Virtual Networks Learn about Network Security Groups