Azure VNet Subnet Planning
When you create a subnet inside an Azure Virtual Network (VNet), Azure reserves 5 IP addresses in every subnet. This matches the AWS reservation count but the reserved purposes differ slightly.
Azure Reserved IPs
For any subnet, Azure reserves these addresses:
| Address | Purpose |
|---|---|
| Network + 0 | Network address |
| Network + 1 | Default gateway |
| Network + 2 | DNS mapping (primary) |
| Network + 3 | DNS mapping (secondary) |
| Last address | Broadcast address |
Example: In a 10.1.0.0/24 subnet:
- 10.1.0.0 is the network address
- 10.1.0.1 is the default gateway
- 10.1.0.2 is DNS (primary)
- 10.1.0.3 is DNS (secondary)
- 10.1.0.255 is the broadcast address
- Usable range: 10.1.0.4 through 10.1.0.254 = 251 hosts
Minimum Subnet Size
The smallest subnet Azure allows is /29 (8 addresses, 3 usable after the 5 reservations). This is one step smaller than AWS, which enforces /28. With only 3 usable IPs, a /29 is practical only for tiny utility subnets; none of the Azure service subnets described below fits in one, since they need /27 or /26.
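The reserved-address table and the minimum-size rule above, as an added Python example that is not part of the original page. It uses the standard library's ipaddress module, covers both the Azure and AWS reservation layouts described on this page, and rejects subnets below each cloud's minimum. The function names and the CLOUD_RULES table are this example's own.

```python
import ipaddress

# Reservation rules per cloud: the minimum prefix length accepted and the purpose of
# offsets 0..3 from the network address. The last address (broadcast) is reserved in both.
CLOUD_RULES = {
    "azure": {"min_prefix": 29,
              "offsets": ["network", "default gateway", "DNS (primary)", "DNS (secondary)"]},
    "aws":   {"min_prefix": 28,
              "offsets": ["network", "VPC router", "DNS", "reserved for future use"]},
}
RESERVED_COUNT = 5   # 4 low addresses + the broadcast address, in both clouds


def reserved_addresses(cidr: str, cloud: str = "azure") -> dict[str, str]:
    """Map each reserved purpose to its address for an IPv4 subnet in the given cloud."""
    rules = CLOUD_RULES[cloud]
    net = ipaddress.ip_network(cidr, strict=True)   # strict: reject host bits set, e.g. 10.1.0.5/24
    if net.version != 4:
        raise ValueError("IPv4 subnets only")
    if net.prefixlen > rules["min_prefix"]:
        raise ValueError(f"{cidr}: {cloud} rejects subnets smaller than /{rules['min_prefix']}")
    base = int(net.network_address)
    out = {purpose: str(ipaddress.ip_address(base + i))
           for i, purpose in enumerate(rules["offsets"])}
    out["broadcast"] = str(net.broadcast_address)
    return out


def is_valid_subnet(cidr: str, cloud: str = "azure") -> bool:
    """True when the cloud would accept this subnet (well-formed IPv4, not below the minimum)."""
    try:
        reserved_addresses(cidr, cloud)
        return True
    except ValueError:
        return False


def usable_range(cidr: str, cloud: str = "azure") -> tuple[str, str, int]:
    """(first usable, last usable, usable count) once the 5 reserved addresses are removed."""
    reserved_addresses(cidr, cloud)            # reuse its validation
    net = ipaddress.ip_network(cidr, strict=True)
    first = ipaddress.ip_address(int(net.network_address) + 4)
    last = ipaddress.ip_address(int(net.broadcast_address) - 1)
    return str(first), str(last), net.num_addresses - RESERVED_COUNT


if __name__ == "__main__":
    for cidr in ("10.1.0.0/24", "10.1.0.0/29"):
        print(cidr, reserved_addresses(cidr), usable_range(cidr))
```

Passing cloud="aws" swaps in the AWS purposes and the /28 floor, so the same tool answers "how many hosts do I really get" for either provider.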
Recommended VNet Layout
A common production VNet uses a /16 address space with /24 subnets for workloads and specialized smaller subnets for Azure services:
VNet: 10.1.0.0/16 (65,536 addresses)
+----- Web Tier
| +--- 10.1.1.0/24 (251 hosts)
| +--- 10.1.2.0/24 (251 hosts)
+----- App Tier
| +--- 10.1.10.0/24 (251 hosts)
| +--- 10.1.11.0/24 (251 hosts)
+----- Data Tier
| +--- 10.1.20.0/24 (251 hosts)
| +--- 10.1.21.0/24 (251 hosts)
+----- Azure Services
| +--- 10.1.100.0/26 AzureBastionSubnet (59 hosts)
| +--- 10.1.101.0/26 AzureFirewallSubnet (59 hosts)
| +--- 10.1.102.0/27 GatewaySubnet (27 hosts)
+----- Spare: 10.1.102.32 through 10.1.255.255, plus the gaps left between tiers for growth
Special Subnet Names
Azure requires specific names for certain service subnets. These names are mandatory and case-sensitive:
| Subnet Name | Purpose | Recommended Size |
|---|---|---|
| GatewaySubnet | VPN/ExpressRoute gateway | /27 |
| AzureBastionSubnet | Azure Bastion (secure RDP/SSH) | /26 or larger |
| AzureFirewallSubnet | Azure Firewall | /26 |
| AzureFirewallManagementSubnet | Firewall forced tunneling | /26 |
| RouteServerSubnet | Azure Route Server | /27 |
NSG support also differs on these subnets. Azure does not support a Network Security Group on GatewaySubnet, AzureFirewallSubnet, AzureFirewallManagementSubnet or RouteServerSubnet. AzureBastionSubnet does accept an NSG, but only one that includes the specific inbound and outbound rules the Bastion documentation requires; a generic deny-all NSG breaks Bastion.
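A layout validator for the recommended VNet above and the special-name rules in this section, as an added Python example that is not part of the original page. It checks that every subnet sits inside the VNet, that no two subnets overlap, that nothing is below /29, that the service subnets use the exact case-sensitive names and meet their minimum sizes, and that no NSG is planned for a subnet that does not support one. The function name, the finding strings and the sample layouts are this example's own; the size and NSG rules are the ones listed in the tables above.

```python
import ipaddress

# Minimum size (largest acceptable prefix length) for each specially named subnet.
SPECIAL_SUBNETS = {
    "GatewaySubnet": 27,
    "AzureBastionSubnet": 26,
    "AzureFirewallSubnet": 26,
    "AzureFirewallManagementSubnet": 26,
    "RouteServerSubnet": 27,
}
# Subnets on which Azure does not support an NSG association.
NSG_UNSUPPORTED = {"GatewaySubnet", "AzureFirewallSubnet",
                   "AzureFirewallManagementSubnet", "RouteServerSubnet"}
AZURE_MIN_PREFIX = 29
_CANONICAL = {name.lower(): name for name in SPECIAL_SUBNETS}   # catches case mistakes


def validate_layout(vnet_cidr, subnets, nsg_attached=frozenset()):
    """Check a VNet layout. subnets: (name, cidr) pairs; nsg_attached: names that will get an NSG.
    Returns a list of finding strings; an empty list means the layout is clean."""
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    findings = []
    seen = []                                   # (name, network) already accepted
    for name, cidr in subnets:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            findings.append(f"{name}: invalid CIDR {cidr} ({exc})")
            continue
        if not net.subnet_of(vnet):
            findings.append(f"{name}: {cidr} lies outside the VNet {vnet_cidr}")
        if net.prefixlen > AZURE_MIN_PREFIX:
            findings.append(f"{name}: {cidr} is smaller than Azure's /{AZURE_MIN_PREFIX} minimum")
        canonical = _CANONICAL.get(name.lower())
        if canonical and name != canonical:
            findings.append(f"{name}: Azure requires the exact (case-sensitive) name {canonical}")
        if canonical and net.prefixlen > SPECIAL_SUBNETS[canonical]:
            findings.append(f"{name}: {cidr} is smaller than the /{SPECIAL_SUBNETS[canonical]} "
                            f"minimum for {canonical}")
        if name in NSG_UNSUPPORTED and name in nsg_attached:
            findings.append(f"{name}: Azure does not support an NSG on this subnet")
        for other_name, other in seen:
            if net.overlaps(other):
                findings.append(f"{name}: {cidr} overlaps {other_name} ({other})")
        seen.append((name, net))
    return findings


# The layout recommended on this page (constructed sample input).
PAGE_LAYOUT = [
    ("web-1", "10.1.1.0/24"), ("web-2", "10.1.2.0/24"),
    ("app-1", "10.1.10.0/24"), ("app-2", "10.1.11.0/24"),
    ("data-1", "10.1.20.0/24"), ("data-2", "10.1.21.0/24"),
    ("AzureBastionSubnet", "10.1.100.0/26"),
    ("AzureFirewallSubnet", "10.1.101.0/26"),
    ("GatewaySubnet", "10.1.102.0/27"),
]

# A deliberately broken layout: overlap, out-of-range, wrong case, undersized, below /29.
BAD_LAYOUT = [
    ("web-1", "10.1.1.0/24"),
    ("app-1", "10.1.1.128/25"),
    ("data-1", "10.2.0.0/24"),
    ("gatewaysubnet", "10.1.102.0/28"),
    ("AzureBastionSubnet", "10.1.100.0/27"),
    ("tiny", "10.1.200.0/30"),
]

if __name__ == "__main__":
    print(validate_layout("10.1.0.0/16", PAGE_LAYOUT))
    for line in validate_layout("10.1.0.0/16", BAD_LAYOUT):
        print("FINDING:", line)
```

Run it before creating anything: a wrong-case GatewaySubnet or an undersized AzureBastionSubnet fails at deployment time in Azure, and an overlap fails only when you try to add the second subnet, so catching both on paper is cheaper.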
Sizing Tips
| Scenario | Recommended CIDR | Usable (Azure) |
|---|---|---|
| Small utility subnet | /29 | 3 |
| VPN Gateway | /27 | 27 |
| Azure Bastion | /26 | 59 |
| Standard workload | /24 | 251 |
| AKS node pool | /23 or /22 | 507 or 1,019 |
| Large AKS cluster (Azure CNI) | /20 or larger | 4,091+ |
AKS consideration: With Azure CNI networking, each pod gets a VNet IP, and every node pre-allocates its maximum pod count when it is created. Size the node subnet for (nodes + surge nodes added during upgrades) × (max pods per node + 1). A cluster of 50 nodes with 30 pods each therefore needs about 1,581 IPs (51 × 31); a /21 (2,043 usable) gives comfortable headroom.
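The sizing table and the AKS arithmetic, as an added Python example that is not part of the original page. smallest_prefix picks the smallest Azure-valid subnet (from /29 upward) whose usable count after the 5 reservations covers a host requirement, and aks_cni_ips applies the Azure CNI rule of one IP per node plus max-pods IPs pre-allocated per node, with one surge node for upgrades and the 20% growth allowance recommended below. The function names and the default surge and growth parameters are this example's assumptions.

```python
import math

AZURE_RESERVED = 5   # network, gateway, two DNS, broadcast


def usable_hosts(prefix: int) -> int:
    """Usable IPv4 addresses in an Azure subnet with this prefix length."""
    return 2 ** (32 - prefix) - AZURE_RESERVED


def smallest_prefix(hosts_needed: int) -> int:
    """Longest prefix (smallest subnet) Azure accepts that still yields hosts_needed usable IPs.
    Walks from /29, the Azure minimum, up to /8."""
    for prefix in range(29, 7, -1):
        if usable_hosts(prefix) >= hosts_needed:
            return prefix
    raise ValueError(f"{hosts_needed} hosts do not fit in a /8")


def aks_cni_ips(nodes: int, max_pods: int, surge_nodes: int = 1, growth: float = 0.20) -> int:
    """IPs an Azure CNI node subnet must hold.
    Each node consumes 1 IP and pre-allocates max_pods IPs; surge_nodes is the extra
    node capacity used during upgrades; growth is planning headroom (0.20 = 20%)."""
    committed = (nodes + surge_nodes) * (max_pods + 1)
    return math.ceil(committed * (1 + growth))


def aks_subnet_prefix(nodes: int, max_pods: int, surge_nodes: int = 1, growth: float = 0.20) -> int:
    """Prefix length for the AKS node subnet that fits the computed requirement."""
    return smallest_prefix(aks_cni_ips(nodes, max_pods, surge_nodes, growth))


if __name__ == "__main__":
    # The page's example: 50 nodes, 30 pods each.
    need = aks_cni_ips(50, 30)
    print(f"50 nodes x 30 pods needs {need} IPs -> /{aks_subnet_prefix(50, 30)} "
          f"({usable_hosts(aks_subnet_prefix(50, 30))} usable)")
```

Note that max_pods is fixed per node pool at creation, so the calculation has to be redone for each pool that shares the subnet, and the results summed.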
Hub-and-Spoke Architecture
The most common Azure networking pattern for production:
- Hub VNet contains shared services: VPN gateway, Azure Firewall, Azure Bastion, DNS.
- Spoke VNets contain workloads, peered to the hub.
- Each spoke uses its own CIDR range from a planned IPAM allocation.
- Route tables on spoke subnets send internet-bound traffic through the hub firewall.
Allocate the hub VNet a /22 or /21 to fit all service subnets. Allocate each spoke a /20 or /16 depending on workload size.
Common Mistakes
- Starting with a /24 VNet. Address space can be added to a VNet later, but the adjacent block may already be allocated elsewhere, every peering has to be re-synced, and subnets that already contain resources are painful to resize. Start with a /16 or /20.
- Forgetting the 5 reserved IPs. A /28 has 16 addresses but only 11 usable in Azure.
- Overlapping CIDR ranges between VNets. VNet peering requires non-overlapping address spaces.
- Using wrong names for service subnets. GatewaySubnet must be named exactly “GatewaySubnet” (case-sensitive).
- Undersizing AKS subnets. Azure CNI assigns one IP per pod. Plan for peak pod count plus 20% growth.
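The hub-and-spoke allocation described above, with the overlapping-CIDR mistake designed out, as an added Python example that is not part of the original page. allocate_vnets carves a hub and each spoke out of a planned IPAM pool while skipping ranges already in use (on-premises networks or existing VNets), and peering_conflicts reports any pair of VNets whose address spaces overlap, which is exactly the condition that makes Azure refuse a peering. The pool, the on-premises range and the VNet names are constructed sample input.

```python
import ipaddress
from itertools import combinations


def allocate_vnets(pool_cidr, requests, in_use=()):
    """Carve non-overlapping VNet address spaces out of an IPAM pool.
    requests: (vnet name, prefix length) pairs; in_use: CIDRs already taken.
    Larger blocks are placed first so they stay aligned; raises ValueError when the pool runs out."""
    pool = ipaddress.ip_network(pool_cidr, strict=True)
    taken = [ipaddress.ip_network(c, strict=True) for c in in_use]
    result = {}
    for name, prefix in sorted(requests, key=lambda r: r[1]):   # shortest prefix = largest block first
        for candidate in pool.subnets(new_prefix=prefix):
            if not any(candidate.overlaps(t) for t in taken):
                result[name] = candidate
                taken.append(candidate)
                break
        else:
            raise ValueError(f"no free /{prefix} left in {pool_cidr} for {name}")
    return result


def peering_conflicts(vnets):
    """Pairs of VNet names whose address spaces overlap; Azure will not peer such a pair."""
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in vnets.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


# Constructed sample: a 10.0.0.0/8 pool with 10.0.0.0/12 already used on-premises,
# a /21 hub and two /20 spokes, sized as recommended above.
PLAN = allocate_vnets(
    "10.0.0.0/8",
    [("hub", 21), ("spoke-prod", 20), ("spoke-dev", 20)],
    in_use=["10.0.0.0/12"],
)

if __name__ == "__main__":
    for name, net in PLAN.items():
        print(f"{name:12} {net}")
    # A legacy VNet that was created by hand inside spoke-prod's range shows up as a conflict.
    print(peering_conflicts({n: str(v) for n, v in PLAN.items()} | {"legacy": "10.16.8.0/24"}))
```

Keeping the pool and the in-use list in version control, and running this before every new spoke, is the simplest form of IPAM that still prevents the overlap mistake.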
Tools
Use our subnet calculator with Azure VNet mode to see correct host counts with 5 reserved IPs. The VLSM planner can help plan a hub-and-spoke layout with correctly-sized subnets for each service.