IntermediateLesson 3 of 10

Subnets and IP Addressing

Designing subnets and allocating IPs correctly prevents outages, simplifies security policy, and keeps your Azure network scalable.

What Is It? (Simple Explanation)

Subnets split a larger network into smaller zones. Each zone gets its own address range and policies.

Why Do We Need It?

Security segmentation between web, app, and data tiers.
Operational separation for different teams and workloads.
Predictable IP growth planning for future scale.

Real-world Analogy

A hotel has one street address but multiple floors and room ranges. Subnets are those floors, with access rules per floor.

How It Works (Technical)

Subnet size is chosen with CIDR based on expected host count.
Azure reserves 5 IPs in each subnet, so usable count is lower than raw total.
Private IPs are used for east-west traffic inside VNets.
Public IPs are used only for controlled ingress or specific egress designs.

Subnet Design Guidance

Design Rule	Reason
Keep data tier in dedicated subnet	Tighter NSG and route controls
Do not mix unrelated apps in one subnet	Policy blast radius reduction
Leave spare address space	Avoid painful renumbering later
Use separate subnet for private endpoints	Cleaner governance and monitoring

Visual Representation

Tiered Subnet Layout

VNet: 10.30.0.0/16

Shared routing domain

Web: 10.30.1.0/24

Public entry only

App: 10.30.2.0/24

Business APIs

Data: 10.30.3.0/24

DB and private endpoints

Hands-on Commands

Azure CLI

# Add subnets to existing VNet
az network vnet subnet create -g rg-net --vnet-name vnet-prod -n snet-web --address-prefixes 10.30.1.0/24
az network vnet subnet create -g rg-net --vnet-name vnet-prod -n snet-app --address-prefixes 10.30.2.0/24
az network vnet subnet create -g rg-net --vnet-name vnet-prod -n snet-data --address-prefixes 10.30.3.0/24

# Show used subnet ranges
az network vnet subnet list -g rg-net --vnet-name vnet-prod --query "[].{name:name,prefix:addressPrefix}" --output table

Real-world Use Case

A payment application isolates card-processing components into a tightly restricted subnet while keeping front-end web resources separate, reducing compliance scope and attack surface.

Debugging Scenario

Issue: New VM deployment fails with IP allocation error.

Check subnet has free addresses.
Check if subnet too small for autoscaling targets.
Verify delegated subnet requirements are not conflicting.
Consider subnet expansion via larger pre-planned address block.

Interview Questions

Beginner

Why create multiple subnets?

To segment workloads, apply different policies, and improve security boundaries.

Intermediate

How many usable IPs exist in a /24 subnet in Azure?

251 usable addresses because Azure reserves 5 addresses in each subnet.

Scenario-based

Your AKS node pool cannot scale due to subnet exhaustion.

Move to a larger dedicated subnet or redesign with larger CIDR planning and controlled IP consumption strategy.

Summary

Good subnet and IP planning is architecture work, not an afterthought. It directly affects security, scalability, and operational reliability.

PreviousVirtual Networks (VNet)NextNetwork Security