Azure Subnet Design
Below is an example VNet design based on what could be a typical use case for a medium-to-large organization. The subnets are sized according to Microsoft requirements, where documented, and split between functions such as core networking, virtual machines, databases and PaaS services. No design is perfect; leaving gaps for growth is important, because at some point in the future you are likely to need to resize existing subnets or add new ones.
Example VNet address space of 10.0.0.0/20
Range | Subnet | Subnet Name | IP | Use
---|---|---|---|---
10.0.0.0 | 10.0.0.0/27 | AzureFirewallSubnet | 32 | Core networking services
 | 10.0.0.32/27 | AzureExpressRouteGateway | 32 | Core networking services
 | 10.0.0.64/27 | GatewaySubnet | 32 | Core networking services
 | 10.0.0.96/27 | AzureFrontDoor | 32 | Core networking services
 | 10.0.0.128/26 | AzureBastionSubnet | 32 | Core networking services
10.0.0.255 | 10.0.0.192/26 | — | 32 | spare
10.0.1.0 | 10.0.1.0/25 | vmSubnet01 | 128 | Virtual Machines
10.0.1.255 | 10.0.1.128/25 | vmSubnet02 | 128 | Virtual Machines
10.0.2.0 | 10.0.2.0/25 | dbSubnet01 | 128 | Databases
10.0.2.255 | 10.0.2.128/25 | dbSubnet02 | 128 | Databases
10.0.3.0 | 10.0.3.0/24 | Azure SQL Managed Instances | 254 | Azure SQL PaaS
10.0.4.0 | 10.0.4.0/26 | Azure Application Gateway/frontend | 62 | Azure App Gateway
 | 10.0.4.64/26 | Azure Application Gateway/backend | 62 | Azure App Gateway
 | 10.0.4.128/26 | Azure Application Gateway/management | 62 | Azure App Gateway
10.0.4.255 | 10.0.4.192/26 | — | 62 | unused
10.0.5.0/24 | 10.0.5.0/24 | — | 254 | spare
10.0.6.0/23 | 10.0.6.0/23 | — | 510 | spare
10.0.8.0/21 | 10.0.8.0/21 | — | 2046 | spare
The Azure Firewall subnet is a dedicated subnet in a virtual network that is used to deploy and manage Azure Firewall.
The ExpressRoute Gateway subnet is a dedicated subnet in a virtual network that is used to host the Azure ExpressRoute Gateway, which provides dedicated private connectivity to Azure services over a private WAN connection.
The Gateway Subnet is a dedicated subnet in a virtual network that is used to host the Azure Virtual Network Gateway, which provides connectivity to on-premises networks, remote sites, and other Azure services.
The Front Door subnet is a dedicated subnet in a virtual network that is used to host the Azure Front Door service, which provides global load balancing and application delivery for web applications.
The Azure Bastion subnet is a dedicated subnet in a virtual network that is used to deploy and manage Azure Bastion.
The SQL Managed Instance subnet is a dedicated subnet in a virtual network that is used to host the Azure SQL Managed Instance, which provides a fully managed SQL Server database engine in Azure.
The Application Gateway subnet is a dedicated subnet in a virtual network that is used to host the Azure Application Gateway, which provides application load balancing, SSL/TLS termination, and web application firewall (WAF) functionality.
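As an added example (not part of the original post), the following Python script sanity-checks a plan like the one above before it is deployed: every subnet must sit inside the VNet address space, no two subnets may overlap, usable host counts account for the five addresses Azure reserves in each subnet, and the well-known dedicated subnets must meet their documented minimum sizes. The minimum-size table and the five-reserved-addresses rule are taken from Microsoft documentation as I recall it, so treat them as assumptions to verify against current docs; the sample plan is constructed, including one deliberately mistyped row.

```python
import ipaddress
from typing import List, Tuple

# Azure reserves five addresses in every subnet (network, default gateway,
# two for Azure DNS, broadcast), so usable hosts = total - 5.
AZURE_RESERVED = 5

# Documented minimum sizes for Azure's well-known dedicated subnets
# (assumption from Microsoft docs; re-check before relying on it).
MIN_PREFIX = {
    "AzureFirewallSubnet": 26,
    "AzureBastionSubnet": 26,
    "GatewaySubnet": 27,
}

def usable_hosts(subnet: str) -> int:
    """Addresses left after Azure's five reserved addresses are removed."""
    return max(ipaddress.ip_network(subnet).num_addresses - AZURE_RESERVED, 0)

def check_plan(space: str, plan: List[Tuple[str, str]]) -> List[str]:
    """Return findings for (name, cidr) rows: containment in the VNet
    address space, pairwise overlap, and well-known minimum sizes."""
    vnet = ipaddress.ip_network(space)
    nets = [(name, ipaddress.ip_network(cidr)) for name, cidr in plan]
    findings = []
    for name, net in nets:
        if not net.subnet_of(vnet):
            findings.append(f"{name} {net} is outside address space {vnet}")
        need = MIN_PREFIX.get(name)
        if need is not None and net.prefixlen > need:
            findings.append(f"{name} {net} is smaller than the documented minimum /{need}")
    for i, (a_name, a) in enumerate(nets):
        for b_name, b in nets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"{a_name} {a} overlaps {b_name} {b}")
    return findings

# Constructed sample: core rows of the plan above plus one deliberately
# mistyped row (10.0.128.0/25 instead of 10.0.1.128/25) that the
# containment check should catch.
SAMPLE_PLAN = [
    ("AzureFirewallSubnet", "10.0.0.0/27"),
    ("AzureExpressRouteGateway", "10.0.0.32/27"),
    ("GatewaySubnet", "10.0.0.64/27"),
    ("AzureBastionSubnet", "10.0.0.128/26"),
    ("vmSubnet01", "10.0.1.0/25"),
    ("vmSubnet02", "10.0.128.0/25"),
]
```

Run `check_plan("10.0.0.0/20", SAMPLE_PLAN)` to list the findings; an empty list means the plan passed every check.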