Virtual Network IPv4 and IPv6 Addressing

A Comprehensive Guide to Azure Virtual Network Addressing

Introduction to Virtual Network Addressing

Azure Virtual Network (VNet) enables you to create isolated and secure private networks in the cloud. A critical aspect of VNet configuration is IP addressing, which governs how resources within your network and external entities communicate. This document explores the fundamentals of IPv4 and IPv6 addressing within Azure VNets.

Understanding IP addressing is crucial for designing scalable, secure, and highly available cloud solutions. Azure supports both IPv4, the current standard, and the newer IPv6 protocol, offering flexibility for modern networking needs.

IPv4 Addressing in Azure Virtual Networks

IPv4 is the most commonly used version of the Internet Protocol. In Azure VNets, you define address spaces using CIDR (Classless Inter-Domain Routing) notation.

Address Spaces

When creating a VNet, you specify one or more address spaces. These are private IP address ranges that do not route over the internet. Azure reserves specific ranges for private use:

You can also use public IP address ranges for your VNet address space, but these are not recommended for internal VNet communication as they can conflict with public internet routing.

Subnets

Within a VNet's address space, you create subnets. Subnets are divisions of the VNet's IP address range. Each subnet must have an address range that is a subset of the VNet's address space.

Key Point: Azure reserves the first four and the last IP address in each subnet for IP functions. You cannot assign these to any resource. For example, in a subnet with address range 10.0.1.0/24, the IP addresses 10.0.1.0, 10.0.1.1, 10.0.1.2, 10.0.1.3, and 10.0.1.255 are reserved.

The minimum subnet size is a /29 (which provides 8 IP addresses, 5 of which are usable).

IP Address Assignment

Resources deployed within a subnet are assigned IP addresses from that subnet's range. Azure provides two types of IP address assignment:

For critical resources like domain controllers or database servers, static IP assignment is recommended.

Public IP Addresses

Public IP addresses allow resources in your VNet to communicate with the internet and be reachable from the internet. These can be assigned to virtual machines, load balancers, and application gateways. Azure public IPs can be static or dynamic and come in Standard and Basic SKUs with different features and pricing.

IPv6 Addressing in Azure Virtual Networks

IPv6 is the successor to IPv4, offering a vastly larger address space. Azure provides support for IPv6, allowing you to integrate both protocols within your VNet infrastructure.

IPv6 Address Spaces

When creating or updating a VNet, you can add an IPv6 address space. Azure provides a default Global Unicast Address (GUA) prefix for your VNet, or you can specify your own. You can also create Global or Unique Local Address (ULA) prefixes.

# Example of a global IPv6 address space
2001:db8:1234::/48

IPv6 Subnets

Similar to IPv4, you create subnets within your VNet's IPv6 address space. Each IPv6 subnet must have an address range that is a subset of the VNet's IPv6 address space. Azure recommends using /64 prefixes for IPv6 subnets, which is a standard practice and allows for sufficient addresses for devices within the subnet.

Azure also reserves IP addresses within an IPv6 subnet. This includes the first four and the last IP address for network functions.

IPv6 Address Assignment

Azure supports both dynamic and static assignment for IPv6 addresses to resources. You can assign unique IPv6 addresses from the subnet's range to your virtual machines and other network interfaces.

Dual-Stack Networking

Azure supports dual-stack configurations, where resources can have both an IPv4 and an IPv6 address assigned. This is beneficial for applications that need to communicate over both protocols. You can configure dual-stack networking at the VNet, subnet, and individual network interface levels.

Benefit: Dual-stack networking ensures compatibility with both IPv4 and IPv6 networks, future-proofing your applications and infrastructure.

Key Considerations and Best Practices

Address Planning

Carefully plan your VNet and subnet address spaces to avoid overlapping IP ranges, especially when using VNet peering or connecting to on-premises networks. Use CIDR notation effectively to allocate appropriate sizes for your subnets.
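The addressing rules in this guide (subnets inside the VNet address space, the /29 minimum, /64 for IPv6 subnets, reserved addresses, and no overlap between peered VNets) can be checked before deployment. The following is an added example, not code from the original guide or from Azure. The plan dictionary layout and the names hub, spoke, web, db, mgmt, web6 and app are assumptions, and the /64 recommendation is treated here as a check.

```python
import ipaddress
from itertools import combinations

MIN_IPV4_PREFIX = 29      # smallest IPv4 subnet, per the guide
IPV6_SUBNET_PREFIX = 64   # recommended IPv6 subnet prefix, per the guide

def reserved_addresses(subnet):
    """First four and last address, which the guide says Azure reserves."""
    net = ipaddress.ip_network(subnet)
    return [net[i] for i in range(4)] + [net[-1]]

def validate_plan(vnets, static_ips=()):
    """Return sorted findings for a plan; an empty list means no problems."""
    findings = []
    for vname, vnet in vnets.items():
        spaces = [ipaddress.ip_network(c) for c in vnet["space"]]
        subnets = {s: ipaddress.ip_network(c) for s, c in vnet["subnets"].items()}
        for sname, net in subnets.items():
            label = f"{vname}/{sname} {net}"
            if not any(net.version == sp.version and net.subnet_of(sp) for sp in spaces):
                findings.append(f"{label}: outside VNet address space")
            if net.version == 4 and net.prefixlen > MIN_IPV4_PREFIX:
                findings.append(f"{label}: smaller than /{MIN_IPV4_PREFIX}")
            if net.version == 6 and net.prefixlen != IPV6_SUBNET_PREFIX:
                findings.append(f"{label}: not the recommended /{IPV6_SUBNET_PREFIX}")
        for (a, na), (b, nb) in combinations(subnets.items(), 2):
            if na.version == nb.version and na.overlaps(nb):
                findings.append(f"{vname}: subnets {a} and {b} overlap")
    # Address spaces of VNets to be peered must not overlap each other.
    for (va, a), (vb, b) in combinations(vnets.items(), 2):
        for na in map(ipaddress.ip_network, a["space"]):
            for nb in map(ipaddress.ip_network, b["space"]):
                if na.version == nb.version and na.overlaps(nb):
                    findings.append(f"{va} {na} overlaps {vb} {nb}")
    # A static assignment must not land on a reserved address.
    for ip, subnet in static_ips:
        if ipaddress.ip_address(ip) in reserved_addresses(subnet):
            findings.append(f"static IP {ip} is reserved in {subnet}")
    return sorted(findings)

# Constructed sample plan; VNet and subnet names are hypothetical.
PLAN = {
    "hub": {"space": ["10.0.0.0/16", "2001:db8:1234::/48"],
            "subnets": {"web": "10.0.1.0/24", "db": "10.0.1.128/25",
                        "mgmt": "10.0.2.0/30", "web6": "2001:db8:1234:1::/64"}},
    "spoke": {"space": ["10.0.128.0/17"], "subnets": {"app": "10.1.0.0/24"}},
}
if __name__ == "__main__":
    print(*validate_plan(PLAN, [("10.0.1.3", "10.0.1.0/24")]), sep="\n")
```

Running the same check in a deployment pipeline against the planned address spaces catches overlaps before peering is attempted.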

Subnet Granularity

Create granular subnets for different application tiers or security zones. This allows for more precise network security group (NSG) rule application and better network segmentation.

IP Address Management (IPAM)

For larger deployments, consider using an IP Address Management (IPAM) solution to track and manage your IP address space efficiently.

IPv6 Adoption

As the internet transitions to IPv6, consider adopting IPv6 for your Azure deployments to leverage its benefits, including a larger address space and potential performance improvements.

Security

Always associate Network Security Groups (NSGs) with subnets or individual NICs to control inbound and outbound traffic flow based on IP addresses and ports.
