Virtual Network Subnet Design Best Practices

Last updated: October 26, 2023 | Author: Microsoft Cloud Engineering Team

Designing subnets effectively is a critical step in building a secure, scalable, and manageable virtual network (VNet) in Azure. A well-thought-out subnet strategy can simplify network administration, improve security posture, and facilitate the deployment of complex applications. This article outlines key considerations and best practices for virtual network subnet design.

Understanding Subnets

A subnet is a division of an Azure virtual network's IP address space. Each subnet must contain a range of IP addresses that falls within the VNet's address space. You can then associate network security groups (NSGs) and route tables to subnets to control traffic flow and security policies.

Key Design Considerations

1. Address Space Planning

Careful planning of your VNet and subnet IP address ranges is paramount. Consider the following:

Future Growth: Allocate IP address ranges that accommodate anticipated growth in resources and potential expansion of your network. Avoid overly small CIDR blocks.
Organization: Design subnets to align with your application tiers, security zones, or functional groupings. For example, dedicated subnets for web servers, application servers, databases, or shared services.
Overlapping Addresses: Ensure no overlapping IP address ranges between VNets that will peer or connect via VPN/ExpressRoute.
Default Subnet Size: The smallest recommended subnet size is a /29, which provides 8 IP addresses. The Azure fabric reserves 5 IP addresses within each subnet for its own use, leaving 3 usable IP addresses. For most workloads, a /24 (256 addresses) or larger is generally recommended.

2. Security Zones

Implement a security zone strategy by dedicating subnets for different security levels. This allows you to apply granular security policies using Network Security Groups (NSGs) and Azure Firewall.

DMZ (Demilitarized Zone): A subnet for publicly accessible resources like web servers.
Internal/Application Zone: Subnets for application servers and services.
Database Zone: A highly restricted subnet for database servers.
Management/Jump Box Zone: A secure subnet for administrative access.

3. Application Tiering

Structure subnets to mirror your application architecture. This makes it easier to manage network policies and security for each tier.

Web Tier: Hosts web servers.
Application Tier: Hosts application logic.
Data Tier: Hosts databases.

4. Network Virtual Appliances (NVAs)

If you plan to use NVAs (like firewalls, intrusion detection systems), dedicate specific subnets for them. Often, a subnet named 'GatewaySubnet' is required for Azure VPN Gateway and ExpressRoute Gateway, and a subnet named 'AzureFirewallSubnet' is needed for Azure Firewall. These subnets have specific naming requirements.

5. Resource Group Association

While subnets reside within a VNet, consider how they align with your Azure Resource Group strategy. Grouping resources logically in Resource Groups can help with management and policy enforcement.

Best Practices Summary

Use descriptive subnet names: e.g., AppServers-Prod-Subnet, Database-Dev-Subnet.
Allocate sufficiently large CIDR blocks: Avoid running out of IP addresses due to unexpected growth.
Isolate workloads: Each workload or application tier should ideally have its own subnet.
Implement Network Security Groups (NSGs): Apply NSGs to subnets to control inbound and outbound traffic.
Leverage User Defined Routes (UDRs): Use UDRs to control routing between subnets, especially when using NVAs.
Plan for peering: Ensure non-overlapping IP address spaces if you plan to peer VNets.
Avoid small subnets for general use: /29 and /28 are too small for most production workloads.
Consider subnet delegation: For Azure PaaS services that require integration with your VNet (e.g., Azure SQL Database, Azure App Service), you can delegate subnets to those services.

Important: Once a subnet is created, you cannot change its address range. You must delete the subnet and recreate it if changes are needed.

Example Subnet Design

Consider a multi-tier application with development and production environments:

Production VNet (10.1.0.0/16)

GatewaySubnet (10.1.255.0/27) - For VPN/ExpressRoute gateways.
AzureFirewallSubnet (10.1.254.0/24) - For Azure Firewall.
DMZ-Prod-Subnet (10.1.1.0/24) - For public-facing web servers.
App-Prod-Subnet (10.1.2.0/24) - For application servers.
Database-Prod-Subnet (10.1.3.0/24) - For production databases.
SharedServices-Prod-Subnet (10.1.10.0/24) - For DNS, AD, etc.

Development VNet (10.2.0.0/16)

DMZ-Dev-Subnet (10.2.1.0/24) - For development web servers.
App-Dev-Subnet (10.2.2.0/24) - For development application servers.
Database-Dev-Subnet (10.2.3.0/24) - For development databases.

This approach provides clear separation, enhanced security, and scalability for your Azure deployments.