Last updated: May 2026
Azure Networking Beginner AZ-104 ⏱ 13 min read

Subnets & IP Addressing

Subnets divide your VNet into smaller network segments — letting you organise resources, apply security policies at different levels, and control traffic flow between tiers. IP addressing determines how resources identify and find each other. Getting subnet design right from the start saves a lot of pain later — you can't change a subnet's address range while resources are deployed in it.

What you'll learn

  • What subnets are and why they matter
  • Subnet sizing and planning
  • Private IP addresses: dynamic vs static
  • Public IP addresses: Basic vs Standard SKU
  • Public IP prefixes
  • Service-dedicated subnets (Bastion, Gateway, Firewall)
  • Subnet delegation
  • Creating subnets via CLI

What Are Subnets?

A subnet is a range of IP addresses within a VNet. You deploy resources into subnets — every VM NIC, every PaaS service that integrates with a VNet, must go into a subnet. Subnets serve two purposes:

  • Organisation — Group related resources (web tier, app tier, data tier) into separate subnets
  • Security — Apply NSGs to control traffic between subnets
ℹ️
Subnets Must Be Contiguous Each subnet's address range must be within the VNet's address space and cannot overlap with other subnets. If your VNet is 10.0.0.0/16, valid subnets include 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, etc.

Subnet Sizing

Remember Azure reserves 5 IPs per subnet. Here's a quick guide for common subnet sizes:

CIDR | Total IPs | Usable IPs | Suitable For
/24  | 256       | 251        | General-purpose subnet, most workloads
/25  | 128       | 123        | Medium workload subnet
/26  | 64        | 59         | Small subnet, Azure Bastion minimum
/27  | 32        | 27         | Very small subnet
/28  | 16        | 11         | Minimal subnet, VPN Gateway minimum
/29  | 8         | 3          | Extremely limited, avoid
💡
Size Generously Always size subnets larger than you think you need. You cannot expand a subnet while resources are in it (without redeployment). A /24 costs nothing extra and gives you room to grow.

Private IP Addresses

Every resource in a subnet gets a private IP from the subnet's address range. Private IPs are used for communication within the VNet (and connected networks).

Dynamic vs Static Private IPs

                            | Dynamic                                          | Static
Assignment                  | Azure assigns next available IP                  | You specify the IP address
Changes on restart?         | No — stays the same (but not guaranteed forever) | Never changes
Changes on delete/recreate? | May change                                       | Must be reassigned
Best for                    | Most VMs and resources                           | DNS servers, domain controllers, load balancers
Azure CLI: Create a VM NIC with a static private IP
# Create NIC with static private IP
az network nic create \
  --resource-group myRG \
  --name myNIC \
  --vnet-name myVNet \
  --subnet web-subnet \
  --private-ip-address 10.0.1.10

Public IP Addresses

Resources that need to be reachable from the internet require a public IP. Public IPs are separate resources that are attached to NICs, load balancers, or gateways.

                      | Basic SKU             | Standard SKU
Assignment            | Dynamic or static     | Static only
Security              | Open by default       | Closed by default — NSG required
Zone support          | No                    | Yes — zone-redundant or zonal
Load Balancer support | Basic LB only         | Standard LB only
Recommended?          | Legacy — avoid for new | Yes — always use Standard
⚠️
Always Use Standard SKU Basic public IPs are being retired. Always create Standard SKU public IPs for new resources. Standard IPs are closed by default (more secure) and support Availability Zones.
Azure CLI: Create a Standard public IP (static)
# Create a Standard SKU static public IP
az network public-ip create \
  --resource-group myRG \
  --name myPublicIP \
  --sku Standard \
  --allocation-method Static \
  --zone 1 2 3 \
  --location centralindia

Public IP Prefixes

A Public IP Prefix is a reserved contiguous block of Standard public IP addresses. Useful when you need multiple public IPs from the same range (for whitelisting in firewalls).

Service-Dedicated Subnets

Some Azure services require their own dedicated subnet with a specific name:

Service                   | Required Subnet Name          | Minimum Size
Azure Bastion             | AzureBastionSubnet            | /26
VPN Gateway               | GatewaySubnet                 | /27 (recommend /26)
Azure Firewall            | AzureFirewallSubnet           | /26
Azure Firewall Management | AzureFirewallManagementSubnet | /26
App Gateway v2            | Any name                      | /24 recommended
Azure Route Server        | RouteServerSubnet             | /27
⚠️
Reserve These Subnets Early If you ever plan to add Bastion, VPN Gateway, or Azure Firewall to a VNet, pre-create their subnets immediately — even if you don't deploy the service yet. It's much easier than trying to carve out space later when the VNet is already populated.

Subnet Delegation

Subnet delegation allows you to designate a subnet for a specific Azure service — allowing that service to create resources in the subnet and manage certain configurations. Common delegated services:

  • Azure App Service (for VNet Integration)
  • Azure Kubernetes Service (for AKS node pools)
  • Azure NetApp Files
  • Azure SQL Managed Instance
ℹ️
Delegation is Exclusive A delegated subnet can only contain resources from the delegated service — you cannot mix regular VMs with a delegated subnet's resources.

Creating and Managing Subnets

Azure CLI: Common subnet management commands
# Add a subnet
az network vnet subnet create \
  --name data-subnet \
  --resource-group myRG \
  --vnet-name myVNet \
  --address-prefix 10.0.3.0/24

# List subnets
az network vnet subnet list \
  --resource-group myRG \
  --vnet-name myVNet \
  --output table

# Show subnet details
az network vnet subnet show \
  --resource-group myRG \
  --vnet-name myVNet \
  --name data-subnet

# Update subnet (e.g., add NSG)
az network vnet subnet update \
  --resource-group myRG \
  --vnet-name myVNet \
  --name data-subnet \
  --network-security-group myNSG

Subnet Design Patterns

A typical 3-tier application subnet layout:

Subnet             | CIDR         | Resources            | NSG
AzureBastionSubnet | 10.0.0.0/26  | Azure Bastion        | Bastion NSG
GatewaySubnet      | 10.0.0.64/27 | VPN Gateway          | None (required)
web-subnet         | 10.0.1.0/24  | Web VMs, App Gateway | Allow 80/443 inbound
app-subnet         | 10.0.2.0/24  | Application VMs      | Allow only from web-subnet
data-subnet        | 10.0.3.0/24  | SQL, databases       | Allow only from app-subnet
💡
AZ-104 Exam Tip Know the required subnet names for Bastion (AzureBastionSubnet /26), VPN Gateway (GatewaySubnet /27+), and Azure Firewall (AzureFirewallSubnet /26). Know the difference between Basic and Standard SKU public IPs. Know that Azure reserves 5 IPs per subnet.
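The rules this article states (subnets must sit inside the VNet and not overlap, Azure reserves 5 IPs per subnet, and service-dedicated subnets have minimum sizes) can be checked before you run any az commands. The following planner is an added example, not code from the article or from Microsoft; it validates the 3-tier layout above and uses only Python's standard ipaddress module. The sample layouts and the extra "mgmt" subnet are constructed for illustration.

```python
from ipaddress import IPv4Network

# Azure reserves 5 addresses in every subnet, so usable = total - 5.
AZURE_RESERVED = 5

# Minimum sizes for service-dedicated subnets, as listed in the article.
# A larger prefix length (e.g. /27) means a smaller subnet than /26.
SERVICE_MIN_PREFIX = {
    "AzureBastionSubnet": 26,
    "GatewaySubnet": 27,
    "AzureFirewallSubnet": 26,
    "AzureFirewallManagementSubnet": 26,
    "RouteServerSubnet": 27,
}

def usable_ips(cidr: str) -> int:
    """Usable host addresses in a subnet after Azure's 5 reserved IPs."""
    return IPv4Network(cidr).num_addresses - AZURE_RESERVED

def validate_layout(vnet_cidr: str, subnets: dict) -> list:
    """Return a list of problems for a {name: cidr} plan; empty means OK."""
    vnet = IPv4Network(vnet_cidr)
    problems, seen = [], {}
    for name, cidr in subnets.items():
        net = IPv4Network(cidr)
        if not net.subnet_of(vnet):
            problems.append(f"{name} {cidr} is outside VNet {vnet_cidr}")
        min_prefix = SERVICE_MIN_PREFIX.get(name)
        if min_prefix is not None and net.prefixlen > min_prefix:
            problems.append(f"{name} must be /{min_prefix} or larger, got /{net.prefixlen}")
        if usable_ips(cidr) < 8:
            problems.append(f"{name} {cidr} leaves only {usable_ips(cidr)} usable IPs")
        for other, other_net in seen.items():
            if net.overlaps(other_net):
                problems.append(f"{name} {cidr} overlaps {other} {other_net}")
        seen[name] = net
    return problems

# Constructed sample: the 3-tier layout from the article.
LAYOUT = {
    "AzureBastionSubnet": "10.0.0.0/26",
    "GatewaySubnet": "10.0.0.64/27",
    "web-subnet": "10.0.1.0/24",
    "app-subnet": "10.0.2.0/24",
    "data-subnet": "10.0.3.0/24",
}

if __name__ == "__main__":
    print("good layout problems:", validate_layout("10.0.0.0/16", LAYOUT))
    # Constructed bad plan: Bastion too small, and "mgmt" carved out of web-subnet.
    bad = dict(LAYOUT, AzureBastionSubnet="10.0.0.0/27", mgmt="10.0.1.128/25")
    for problem in validate_layout("10.0.0.0/16", bad):
        print("PROBLEM:", problem)
```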
📝 Practice Questions
Click an option to check your answer. AZ-104 style questions.
Q1. What is the minimum subnet size required for Azure Bastion?
A /28
B /27
C /26
D /24
Q2. What is the key difference between Basic and Standard SKU public IP addresses?
A Basic supports static only; Standard supports both dynamic and static
B Standard is closed by default (more secure) and zone-redundant; Basic is open and no zone support
C Only Standard supports static assignment
D Basic is regional; Standard is global
Q3. What is the required subnet name for a VPN Gateway?
A AzureBastionSubnet
B GatewaySubnet
C AzureFirewallSubnet
D VPNGatewaySubnet
Q4. A VM has a dynamic private IP. What happens to this IP when the VM is stopped and deallocated?
A The IP is released and a different IP may be assigned on restart
B The IP is retained — dynamic private IPs persist through stop/start cycles
C The IP is automatically converted to static
D The IP is permanently deleted
Q5. What is subnet delegation used for?
A Assigning administrative permissions to manage a subnet
B Designating a subnet for exclusive use by a specific Azure service
C Allowing public internet traffic into a private subnet
D Enabling cross-VNet routing between subnets
Disclaimer: RedKite Cloud is an independent educational resource and is not affiliated with Microsoft Corporation.