Subnets and IP Addressing

Subnets divide an Azure Virtual Network (VNet) into smaller, more manageable segments. They are fundamental to organising resources, controlling traffic flow, and applying security policies. This lesson covers subnet design, IP addressing in Azure, reserved addresses, and best practices for planning your network layout.

---

What Is a Subnet?

A subnet is a range of IP addresses within a VNet. Every resource that connects to a VNet — virtual machines, load balancers, application gateways — is deployed into a specific subnet.

Subnets serve several purposes:

• Segmentation — group resources by function, tier, or security requirement.
• Traffic control — apply Network Security Groups (NSGs) at the subnet level.
• Delegation — some Azure services require their own dedicated subnet (e.g. Azure App Service, Azure SQL Managed Instance, Azure Bastion).
• Routing — route tables can be attached to individual subnets.

---

Subnet Address Ranges

Each subnet receives a portion of the VNet's address space as a CIDR block. For example, if your VNet uses 10.0.0.0/16, you might create:

Subnet Name	CIDR	Usable IPs	Purpose
web	10.0.1.0/24	251	Web servers
app	10.0.2.0/24	251	Application tier
db	10.0.3.0/24	251	Database tier
AzureBastionSubnet	10.0.255.0/26	59	Azure Bastion (required name)
GatewaySubnet	10.0.254.0/27	27	VPN/ExpressRoute gateway (required name)

Important: Subnet ranges must not overlap with each other, and they must fit within the VNet's address space.

---

Azure Reserved IP Addresses

Azure reserves five IP addresses in every subnet:

Address	Purpose
x.x.x.0	Network address
x.x.x.1	Default gateway
x.x.x.2	Azure DNS mapping
x.x.x.3	Azure DNS mapping
x.x.x.255	Broadcast address (for /24; last address for other sizes)

For a /24 subnet (256 addresses), you get 251 usable IPs. For a /27 (32 addresses), you get only 27 usable IPs. Always account for these five reserved addresses when sizing subnets.

---

Public and Private IP Addresses

Private IP Addresses

Every NIC (network interface card) attached to a resource in a VNet receives a private IP from the subnet's range. Private IPs can be:

• Dynamic (default) — assigned by Azure DHCP and may change on VM restart.
• Static — you choose a specific IP that does not change. Use static IPs for DNS servers, domain controllers, and load balancer frontends.

Public IP Addresses

A public IP resource can be associated with a NIC, load balancer, VPN gateway, or Application Gateway to enable internet connectivity.