Virtual Network Subnetting
Subnetting is the process of dividing a large IP network into smaller, more manageable subnetworks. In Azure, subnetting is a fundamental concept for organizing and securing your Virtual Networks (VNets). By creating subnets, you can segment your network, apply granular security policies, and improve routing efficiency.
Key Concept: CIDR Notation
Subnets are defined using Classless Inter-Domain Routing (CIDR) notation. For example, 10.0.0.0/24 represents a network with 256 IP addresses, where the first 24 bits define the network and the remaining 8 bits define the host addresses.
Why Subnet Your VNet?
- Security: Isolate resources by placing them in different subnets and applying Network Security Groups (NSGs) to control traffic flow between them.
- Organization: Group related resources logically, making it easier to manage and understand your network topology.
- IP Address Management: Efficiently allocate IP address space to different segments of your network based on their needs.
- Routing: Define custom routes for traffic between subnets or to external networks.
Creating Subnets
When you create an Azure Virtual Network, it's assigned an address space. You then create subnets within this address space.
Subnet Size Considerations:
- Each subnet must have at least 5 IP addresses reserved for Azure use (first four and last IP address of the subnet).
- The smallest possible subnet size is
/29, which provides 8 IP addresses (3 usable). - Larger CIDR blocks provide more IP addresses for your resources.
Example: Subnetting a VNet
Let's say you create a VNet with the address space 10.1.0.0/16.
- You could create a subnet for your web servers:
10.1.1.0/24(256 IPs). - Another subnet for your application servers:
10.1.2.0/24(256 IPs). - A subnet for your database servers:
10.1.3.0/27(32 IPs).
Ensure that your chosen subnet address ranges do not overlap and are entirely contained within the VNet's address space.
Subnet Delegation
Subnet delegation allows you to delegate a subnet to a specific Azure service. This means that only that service can be deployed within that subnet, and it gains access to the subnet's resources and network configurations. Examples include:
- Azure Container Instances (ACI)
- Azure Kubernetes Service (AKS)
- Azure SQL Managed Instance
Best Practices
- Plan your IP addressing scheme carefully before creating your VNet and subnets.
- Use descriptive names for your subnets.
- Segment your network based on security requirements and resource roles.
- Allocate sufficient IP addresses to each subnet, but avoid over-allocation.
- Leverage subnet delegation where appropriate for specific Azure services.
Tip:
Start with larger CIDR blocks for subnets and then break them down if needed. This provides flexibility for future growth.