Understanding Virtual Network Subnets

This article delves into the concept of subnets within Azure Virtual Networks (VNets). Subnets are fundamental to segmenting your VNet into smaller, manageable address spaces, allowing for granular control over network traffic and security.

What is a Subnet?

A subnet is a division of an IP address range within a Virtual Network. When you create a VNet, it is assigned a private IP address space. You can then divide this address space into multiple subnets. Each subnet must have a unique name and an address range that is a subset of the VNet's address space.

Consider a VNet with the address space 10.0.0.0/16. You could divide this into two subnets:

Subnet 1: 10.0.1.0/24
Subnet 2: 10.0.2.0/24

Resources deployed within Azure, such as virtual machines, will be assigned an IP address from one of these subnets.

Benefits of Using Subnets

Network Segmentation: Isolate different types of workloads or tiers of applications (e.g., web tier, application tier, database tier) into separate subnets.
Security Control: Apply Network Security Groups (NSGs) and User Defined Routes (UDRs) at the subnet level to control traffic flow between subnets and to/from external networks.
IP Address Management: Efficiently allocate and manage IP addresses for your resources.
Performance: Reduce network congestion by segmenting traffic.

Key Considerations for Subnets

Address Space Allocation

When defining a subnet, you must specify its address range. This range must be within the VNet's address space and cannot overlap with other subnets in the same VNet. Azure reserves the first four and the last IP address in each subnet for IP resolution and broadcast purposes. This means you cannot use these addresses.

For a subnet with a /24 prefix, there are 256 addresses in total. After reserving 5 addresses, you have 251 usable IP addresses available for resources.

Subnet Sizing

The size of your subnet depends on the number of IP addresses you anticipate needing for the resources within it. It's generally recommended to over-provision slightly to accommodate future growth. However, excessively large subnets can lead to IP address exhaustion within the VNet.

Default Subnet

When you create a VNet without specifying any subnets, Azure automatically creates a default subnet that encompasses the entire VNet address space. While convenient for initial setup, it's best practice to create custom subnets for better organization and security.

System Reserved Subnets

Azure reserves a small portion of the subnet address space for internal Azure services. The exact number of reserved IPs varies by subnet size, but always consider the first four and last IP addresses as unusable.

Creating and Managing Subnets

You can create and manage subnets using the Azure portal, Azure CLI, Azure PowerShell, or ARM templates.

Azure Portal Example

Navigate to your Virtual Network resource in the Azure portal.
Under "Settings", select "Subnets".
Click "+ Subnet".
Provide a "Name" for the subnet (e.g., AppSubnet).
Specify the "Address range" (e.g., 10.0.1.0/24).
Configure Network Security Group (NSG) and Route Table (RT) if needed.
Click "OK" to create the subnet.

Tip: Plan your subnet strategy before deploying resources. Consider your application architecture, security requirements, and future scalability needs.

Subnets and Network Security Groups (NSGs)

NSGs are stateful packet security filters that you can associate with subnets or individual network interfaces. By applying an NSG to a subnet, you can control inbound and outbound traffic for all resources within that subnet.

For example, you might create an NSG for your web tier subnet that only allows inbound HTTP (port 80) and HTTPS (port 443) traffic from the internet, while blocking all other inbound traffic.

Subnets and User Defined Routes (UDRs)

UDRs allow you to override Azure's default system routes or add your own routes to a route table. Route tables can be associated with subnets, enabling you to direct traffic through specific network virtual appliances (NVAs) like firewalls or next-generation intrusion detection systems before it reaches its destination.

This is crucial for implementing centralized network security policies and traffic inspection.

Note: A subnet cannot have overlapping CIDR blocks with any other subnet in the same VNet.

Best Practices

Logical Naming: Use descriptive names for your subnets (e.g., WebSubnet, DatabaseSubnet, DMZSubnet).
Appropriate Sizing: Plan subnet sizes carefully to avoid IP exhaustion and ensure room for growth. Start with a sensible CIDR block that allows for expansion.
Granular Security: Apply NSGs at the subnet level for efficient security policy management.
Route Traffic Wisely: Utilize UDRs for advanced traffic routing scenarios.
Minimize Subnets if Unnecessary: While segmentation is good, avoid creating an excessive number of very small subnets if they don't serve a clear architectural or security purpose.

Conclusion

Subnetting is a core concept for building robust, secure, and scalable virtual networks in Azure. By effectively segmenting your VNet and applying appropriate security and routing controls, you can create a well-organized and protected cloud infrastructure.