Azure Networking: Subnets

The following points outline the fundamental concepts required to understand and work with Azure networking subnets:

• Address Space: The Virtual Network (VNet) is assigned an IP address space using CIDR notation (such as 10.0.0.0/16). Subnets are carved out from this space so that each subnet gets its own non-overlapping range.
• Subnet Address Range: Each subnet must have a unique address range within the VNet, specified in CIDR format (for example, 10.0.1.0/24). Overlapping address ranges within a VNet are not permitted.
• Subnet Size and Reservation: The smallest subnet size allowed in Azure is /29 (8 IP addresses). However, Azure reserves 5 IP addresses in every subnet—for network protocols and internal services—meaning fewer usable IPs.
• Subnet Delegation: You can delegate a subnet to a specific Azure service (like Azure Container Instances or Azure SQL) to allow that service exclusive control over the subnet’s resources and policies.
• Network Security Groups (NSG): Subnets can be linked to NSGs to filter inbound and outbound traffic, providing granular control and improving security for resources within the subnet.
• Service Endpoints and Route Tables: Service endpoints allow secure connectivity to Azure services directly from a subnet. Route tables can be associated to control the routing of traffic within and outside the VNet.

Address allocation and management are crucial steps when working with Azure networking subnets. This process involves defining subnet address ranges, planning for proper capacity, and understanding Azure's built-in IP reservations.

• Defining Subnet Address Ranges:
  When you create a subnet, you must assign it a portion of the parent Virtual Network's address space using CIDR notation (for example, 10.0.1.0/24). Subnet ranges within a VNet cannot overlap.
• Subnet Sizing and Planning:
  Choose a subnet size that provides enough IP addresses for your current and future resource needs. Keep in mind that Azure reserves five IP addresses in every subnet for protocol requirements.
• Azure IP Reservations:
  In every subnet, Azure automatically reserves the first four and the last IP address for internal protocol use. This means the number of usable IPs will always be less than the total shown by the CIDR block.
• Reference Table: Subnet Size and Usable IPs
  

  CIDR Notation	Total IP Addresses	Usable IP Addresses	Notes
  /29	8	3	Smallest allowed subnet size in Azure
  /24	256	251	Common subnet size for small workloads
  /16	65,536	65,531	Very large, for enterprise-scale workloads

• Subnet Modification and Deletion:
  You can only change a subnet’s address range if it contains no deployed resources. Subnets must be empty before deletion.

Tip: Always plan your subnets with future scaling in mind to avoid running out of available IP addresses.

Security and network control are essential when operating subnets in Azure. Azure provides several built-in mechanisms that allow you to precisely control network access and enforce robust security policies for your resources.

• Network Security Groups (NSGs):
  NSGs act as a virtual firewall for your subnets and resources. They allow or deny network traffic to and from resources using customizable rules based on source/destination IP, port, and protocol. NSGs can be applied at both the subnet and network interface level, and rules are processed in priority order to determine the final access[1][6][9].
• Subnet-Level Security:
  Associating an NSG to a subnet means all resources within that subnet automatically inherit the security rules. This helps create secure zones for workloads such as databases, web servers, or app tiers[1][9].
• Application Security Groups (ASGs):
  ASGs allow you to group virtual machines by workload or function, regardless of their IP addresses. NSG rules can then reference these groups, simplifying rule management and scaling as workloads grow[9].
• Custom Route Tables:
  You can associate custom route tables with your subnets to control the flow of outbound or cross-subnet traffic. User-defined routes (UDRs) give you granular control, routing traffic through network appliances for inspection, firewalling, or logging before it leaves the perimeter[7][10][13].
• Service Endpoints:
  By enabling service endpoints on a subnet, you ensure that the traffic between your subnet and supported Azure services (such as Storage or SQL) stays on the secure Azure backbone network, enhancing both security and performance[7][16].
• Logging and Monitoring:
  NSGs provide flow logs for analyzing allowed and denied traffic. This helps identify unauthorized access attempts and optimize rule configuration for compliance and auditing[9].

Tip: Always follow the principle of least privilege—deny by default, and open only what is strictly necessary. Regularly review and audit your NSGs, custom routes, and endpoints to adapt to evolving security requirements.

Effective management of Azure networking subnets requires knowing how to add, modify, and delete subnets, as well as configure key settings using the Azure Portal, CLI, or PowerShell.

• Adding a Subnet:
  To add a subnet, select your Virtual Network in the Azure portal, navigate to the Subnets section, and click + Subnet. Specify a unique name and non-overlapping address range (in CIDR notation), and optionally configure settings like Network Security Groups (NSG), route tables, or service endpoints for the subnet[6].
• Modifying Subnet Settings:
  You can change certain settings of a subnet, such as NSGs, route tables, service endpoints, subnet delegation, and address ranges (only if no resources exist in the subnet). Modifications can be done in the portal by selecting the subnet and updating configurations as needed. Note: To change an address range with resources present, first remove or move those resources[6].
• Deleting a Subnet:
  Subnets can be deleted only if they do not contain any resources. Remove associated virtual machines or services before deleting. This ensures that address ranges can be reclaimed or altered without conflict[6].
• Subnet Delegation and Policies:
  Delegation gives specific Azure services permission to manage resources in a subnet. You can set or change delegations unless a resource for that service is already present; in such cases, resources must be moved or deleted first. Private endpoint network policies and NAT gateway association may also be configured post-creation[6][18].
• Automation and Scripting:
  All management operations (add, modify, delete) can also be scripted using Azure CLI, PowerShell, or ARM templates. This allows for automated deployments and consistent network topologies across environments[6][8].

Tip: Always verify dependencies and review effective permissions before making changes to avoid disrupting connected services or applications.

Following best practices for Azure networking subnets ensures efficient network management, optimal security, and future-proof scalability.

• Design for Scale and Flexibility:
  Allocate subnet address ranges generously to accommodate future growth. Anticipate needs to add resources or new services without requiring disruptive reconfiguration.
• Use Network Security Groups (NSGs) Strategically:
  Apply NSGs at the subnet level for broad protection and at the network interface card (NIC) level for granular rule enforcement. Regularly review rules to follow the principle of least privilege.
• Avoid Overlapping Address Spaces:
  Plan your address space carefully, especially when connecting multiple VNets or integrating with on-premises networks. Overlapping ranges make peering and hybrid connections difficult.
• Delegate Subnets When Needed:
  Use subnet delegation for services like Azure App Service Environments or Azure SQL Managed Instances, as required by their deployment and management needs.
• Monitor and Audit Regularly:
  Enable NSG flow logs and monitor subnet traffic to detect anomalies or unauthorized access. Periodically audit network configurations for compliance and optimization.
• Document Subnet Purpose and Policies:
  Maintain clear documentation on each subnet’s intended use, assigned address range, applied policies, and dependencies to simplify future modifications and troubleshooting.
• Leverage Automation:
  Use templates, ARM scripts, or the Azure CLI for deploying and managing subnets. This ensures consistency, reduces errors, and eases replication in different environments.
• Keep Subnets as Logical Security Boundaries:
  Align subnets with application tiers, compliance zones, or specific workloads so that traffic control, segmentation, and monitoring remain effective and manageable.

Tip: Carefully planning your network topology and enforcing best practices early will help avoid costly redesigns as your Azure footprint grows.