Azure Subnet Design¶
Divide the VNet into subnets based on the type of resources they will host, such as networking, host types, or for growth. This will help to isolate and secure different types of traffic.
Designing an Azure Virtual Network (VNet) with appropriate subnets is crucial for isolating and securing different types of traffic. Subnets should be divided based on the type of resources they will host, such as core networking services, virtual machines, databases, and PaaS services. This approach helps to enhance security, manageability, and scalability.
Example VNet Design¶
Below is an example VNet design based on a typical use case for a medium-large organization. The subnets are sized according to Microsoft's recommendations and are divided based on their functions.
VNet Address Space: 10.0.0.0/20
| Range | Subnet | Subnet Name | IP Use |
|---|---|---|---|
| 10.0.0.0 | 10.0.0.0/27 | AzureFirewallSubnet | 32 Core networking services |
| 10.0.0.32 | 10.0.0.32/27 | AzureExpressRouteGateway | 32 Core networking services |
| 10.0.0.64 | 10.0.0.64/27 | GatewaySubnet | 32 Core networking services |
| 10.0.0.96 | 10.0.0.96/27 | AzureFrontDoor | 32 Core networking services |
| 10.0.0.128 | 10.0.0.128/26 | AzureBastionSubnet | 64 Core networking services |
| 10.0.0.192 | 10.0.0.192/26 | - | 64 Spare |
| 10.0.1.0 | 10.0.1.0/25 | vmSubnet01 | 128 Virtual Machines |
| 10.0.1.128 | 10.0.1.128/25 | vmSubnet02 | 128 Virtual Machines |
| 10.0.2.0 | 10.0.2.0/25 | dbSubnet01 | 128 Databases |
| 10.0.2.128 | 10.0.2.128/25 | dbSubnet02 | 128 Databases |
| 10.0.3.0 | 10.0.3.0/24 | AzureSQLManagedInstances | 254 Azure SQL PaaS |
| 10.0.4.0 | 10.0.4.0/26 | AzureAppGatewayFrontend | 62 Azure App Gateway |
| 10.0.4.64 | 10.0.4.64/26 | AzureAppGatewayBackend | 62 Azure App Gateway |
| 10.0.4.128 | 10.0.4.128/26 | AzureAppGatewayManagement | 62 Azure App Gateway |
| 10.0.4.192 | 10.0.4.192/26 | - | 62 Spare |
| 10.0.5.0 | 10.0.5.0/24 | - | 254 Spare |
| 10.0.6.0 | 10.0.6.0/23 | - | 510 Spare |
| 10.0.8.0 | 10.0.8.0/21 | - | 2046 Spare |
Detailed Subnet Descriptions¶
Azure Firewall Subnet: - A dedicated subnet for deploying and managing Azure Firewall, providing security controls for network traffic.
Azure ExpressRoute Gateway Subnet: - A dedicated subnet for hosting the Azure ExpressRoute Gateway, enabling private connections to Azure services over a WAN.
Gateway Subnet: - Hosts the Azure Virtual Network Gateway, facilitating connectivity to on-premises networks and other Azure services.
Azure Front Door Subnet: - Hosts the Azure Front Door service, providing global load balancing and application delivery for web applications.
Azure Bastion Subnet: - A dedicated subnet for deploying and managing Azure Bastion, enabling secure remote access to VMs without a public IP.
Azure SQL Managed Instances Subnet: - A dedicated subnet for hosting Azure SQL Managed Instances, offering fully managed SQL Server databases.
Azure Application Gateway Subnet: - Hosts the Azure Application Gateway, providing load balancing, SSL/TLS termination, and web application firewall functionality.