Virtual Networks & Subnets
Every Azure resource that needs to communicate privately needs a Virtual Network. Learn how to create VNets, design address spaces with CIDR notation, segment with subnets, and assign public IP addresses: the networking foundation for everything else.
What is an Azure Virtual Network?
A Virtual Network (VNet) is your own private office building network, but in the cloud.
On-prem, you had switches, routers, and VLANs to create isolated networks. In Azure, a VNet does the same job. It's a logically isolated network where your VMs, databases, and other resources can talk to each other privately, just like devices on a LAN.
Subnets are like floors in the building. You put web servers on one floor, databases on another, and control who can move between floors. The building's street address is your public IP: it's how the outside world reaches you.
Address spaces and CIDR notation
Every VNet needs an address space: the range of private IP addresses available to your resources. Azure uses CIDR (Classless Inter-Domain Routing) notation:
| CIDR Block | Usable IPs (approx.) | Typical Use |
|---|---|---|
| /16 | 65,531 | Large VNet for production (e.g., 10.0.0.0/16) |
| /20 | 4,091 | Medium environment |
| /24 | 251 | Single subnet for a small workload |
| /27 | 27 | Small subnet for a handful of resources |
Private IP ranges you can use:
- 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
- 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
- 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)
A VNet can have multiple address spaces (e.g., 10.0.0.0/16 AND 172.16.0.0/16), and you can add more after creation.
Exam tip: 5 reserved IPs per subnet
Azure reserves 5 IP addresses in every subnet. For a /24 subnet (256 addresses), only 251 are usable:
- .0: Network address
- .1: Default gateway
- .2 and .3: Azure DNS mapping
- .255: Broadcast address
This means the smallest useful subnet is /29 (8 addresses, 3 usable). If a question asks "how many usable IPs in a /24?", the answer is 251, not 254.
Subnets: Segmenting your VNet
Subnets divide your VNet into smaller network segments. Each subnet gets a portion of the VNetβs address space.
Why use subnets?
- Security: Apply different NSG rules to different subnets (web tier vs database tier)
- Organisation: Group related resources logically
- Service requirements: Some Azure services require dedicated subnets (e.g., AzureBastionSubnet, GatewaySubnet)
Real-world: TechCorp's subnet design
TechCorp Solutions designs their production VNet (10.0.0.0/16) with these subnets:
- 10.0.1.0/24: Web tier (App Service VNet Integration, front-end VMs)
- 10.0.2.0/24: App tier (application VMs, container instances)
- 10.0.3.0/24: Database tier (SQL Managed Instance, private endpoints)
- 10.0.4.0/27: AzureBastionSubnet (for secure management access)
- 10.0.5.0/27: GatewaySubnet (for VPN to on-prem)
Alex applies strict NSGs: the database subnet only accepts traffic from the app tier, never from the web tier directly. Classic three-tier security.
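As an added example, not part of the original page, the reserved-address rule from the exam tip and TechCorp's subnet design above are checked in Python with the standard library's ipaddress module; the function names and the deliberately broken second design used for checking are my own.

```python
from ipaddress import IPv4Network
from itertools import combinations

AZURE_RESERVED = 5     # .0 network, .1 gateway, .2/.3 Azure DNS, last = broadcast
SMALLEST_PREFIX = 29   # /29 = 8 addresses, 3 usable; Azure rejects anything smaller

# TechCorp's production design as given on the page.
TECHCORP_VNET = "10.0.0.0/16"
TECHCORP_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24",
                    "10.0.4.0/27", "10.0.5.0/27"]

def reserved_addresses(cidr: str) -> list:
    """The five addresses Azure holds back in a subnet: the first four and the last."""
    net = IPv4Network(cidr)
    first = net.network_address
    return [str(first + i) for i in range(4)] + [str(net.broadcast_address)]

def usable_ips(cidr: str) -> int:
    """Host addresses left after Azure's five reserved ones (251 for a /24)."""
    net = IPv4Network(cidr)
    if net.prefixlen > SMALLEST_PREFIX:
        raise ValueError(f"{net} is smaller than /29; Azure will not create it")
    return net.num_addresses - AZURE_RESERVED

def min_prefix_for(required_usable: int) -> int:
    """Longest prefix (smallest subnet) that still gives `required_usable` usable IPs."""
    for prefix in range(SMALLEST_PREFIX, 0, -1):      # start at /29 and widen
        if 2 ** (32 - prefix) - AZURE_RESERVED >= required_usable:
            return prefix
    raise ValueError("no single subnet can hold that many hosts")

def validate_design(vnet: str, subnets: list) -> list:
    """Report subnets outside the VNet, subnets below /29, and overlapping pairs."""
    space = IPv4Network(vnet)                 # strict: host bits set raises ValueError
    nets = [IPv4Network(s) for s in subnets]
    problems = []
    for n in nets:
        if not n.subnet_of(space):
            problems.append(f"{n} is not inside {space}")
        if n.prefixlen > SMALLEST_PREFIX:
            problems.append(f"{n} is smaller than /29")
    for a, b in combinations(nets, 2):
        if a.overlaps(b):
            problems.append(f"{a} overlaps {b}")
    return problems

if __name__ == "__main__":
    for s in TECHCORP_SUBNETS:
        print(f"{s}: {usable_ips(s)} usable, reserved {reserved_addresses(s)}")
    print("design problems:", validate_design(TECHCORP_VNET, TECHCORP_SUBNETS) or "none")
```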
Public IP addresses
A public IP address allows resources to communicate with the internet and public-facing Azure services.
| Feature | Basic SKU | Standard SKU |
|---|---|---|
| Allocation | Dynamic or Static | Static only |
| Availability zones | Not supported | Zone-redundant by default |
| Security | Open by default (NSG optional) | Secure by default (NSG required) |
| Load balancer | Basic LB only | Standard LB only |
| Routing preference | Microsoft network only | Microsoft network or Internet |
| Price | Free (while attached) | Small hourly charge |
Key points:
- Dynamic IP can change when the resource is stopped/deallocated; Static stays the same
- Standard SKU is the default for new public IPs and is zone-redundant
- Basic SKU is being retired; use Standard for all new deployments
- You can associate a public IP with VMs, load balancers, VPN gateways, and application gateways
Exam tip: Standard Public IP defaults
Standard SKU public IPs are static by default and zone-redundant. They are also secure by default: inbound traffic is blocked until you create an NSG rule to allow it. This is the opposite of Basic SKU, which allows all inbound traffic unless you add an NSG.
If a question says "the VM has a Standard public IP but can't be reached", check the NSG rules first.
Private IP addresses
Every resource connected to a VNet automatically gets a private IP from the subnet's address range.
- Dynamic (default): Azure assigns the next available IP from the subnet; may change on restart
- Static: You choose the exact IP from the subnet range; never changes
Static private IPs are useful for DNS servers, domain controllers, or any resource that other resources reference by IP address.
Knowledge check
CloudFirst Labs creates a VNet with address space 10.0.0.0/16 and a subnet 10.0.1.0/24. How many IP addresses are usable for resources in the subnet?
Alex assigns a Standard SKU public IP to a VM but cannot connect to it via RDP. The VM is running and the OS firewall allows RDP. What is the most likely cause?
Meridian Financial needs to deploy an Azure SQL Managed Instance, which requires a dedicated subnet. The subnet must have at least 32 IP addresses. What is the minimum CIDR prefix they should use?