Azure Virtual Networks (VNets) work similarly to AWS VPCs. Let's look at how to subnet an Azure VNet properly.

Choosing Your VNet CIDR Block

Common Azure VNet CIDR blocks:

10.0.0.0/16      - Most common, classic RFC 1918
172.16.0.0/16    - If 10.0.0.0/8 is already in use on-premises
192.168.0.0/24   - Only for very small VNets

Recommendation: Use 10.0.0.0/16 or 172.16.0.0/16.

💡 Avoid conflicts: If you connect to on-premises, make sure your VNet address space doesn't overlap with your local network ranges, or with any other VNet you intend to peer with. Overlapping prefixes cannot be routed, and Azure rejects overlapping address spaces when you create a peering or a VPN connection. Changing a VNet's address space later means recreating subnets, so get this right up front.

Standard Azure Architecture

VNet: 10.0.0.0/16

GatewaySubnet:        10.0.0.0/27    (required for VPN Gateway / ExpressRoute; exact name)
AzureFirewallSubnet:  10.0.1.0/26    (Azure Firewall; exact name, /26 or larger)
Public LB:            10.0.2.0/27
Private LB:           10.0.3.0/27
App Subnet 1:         10.0.10.0/24   (web tier)
App Subnet 2:         10.0.11.0/24   (API tier)
Data Subnet:          10.0.20.0/24   (database)
Management:           10.0.30.0/24   (bastion/admin)

Leaving gaps between the tiers (10.0.4.0 to 10.0.9.0, 10.0.12.0 to 10.0.19.0, and so on) is deliberate: it lets you add a subnet to a tier later without renumbering. If the management subnet is meant to host Azure Bastion, note that Bastion needs its own subnet named exactly "AzureBastionSubnet" of /26 or larger rather than a shared admin subnet.

Special Azure Subnets

GatewaySubnet

Always name it exactly "GatewaySubnet"
Must be /27 or larger (use /27; /26 leaves headroom if you later run a VPN gateway and an ExpressRoute gateway side by side)
Required for: VPN Gateway, ExpressRoute
Don't deploy anything else into it, and don't attach a network security group to it: an NSG on the gateway subnet can stop the gateway from working

AzureFirewallSubnet

Must be /26 or larger
Must be named exactly "AzureFirewallSubnet"
Don't put VMs here - it's just for the firewall
If you enable forced tunnelling, the firewall also needs a second subnet named exactly "AzureFirewallManagementSubnet", again /26 or larger

Subnet Sizing Comparison

Azure reserves 5 addresses in every subnet (network address, default gateway, two for Azure DNS, broadcast), so the usable count is the block size minus 5, not the classic "minus 2":

Subnet CIDR   Addresses   Usable in Azure   When to Use
/29           8           3                 Minimum Azure allows; a single appliance
/27           32          27                GatewaySubnet, small service subnets
/26           64          59                AzureFirewallSubnet, AzureBastionSubnet
/24           256         251               Standard tier subnet

Azure vs AWS: Key Differences

Feature                 AWS                          Azure
Default size            /16 (default VPC 172.31.0.0/16)   /16 (portal default 10.0.0.0/16; larger spaces such as /12 are allowed)
Min subnet              /28                          /29
Reserved IPs per subnet 5                            5 (same)
AZ per subnet           Exactly 1; a subnet lives in one AZ   None; a subnet spans every zone in the region, and the zone is chosen per VM

Planning for Hybrid Cloud

If connecting on-premises:

On-premises: 192.168.0.0/16
Azure VNet:  10.0.0.0/16   (no overlap ✓)

Make sure there is NO overlap between the on-premises prefixes and the VNet address space. CIDR blocks either nest or are disjoint, so any overlap means one range swallows the other, the tunnel cannot route it, and Azure will refuse the overlapping address space on the VPN connection or peering.
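Checking a plan like the one above before creating anything, as an added example that is not from the original page or from Microsoft: it encodes the page's rules (subnets inside the VNet, no overlap, /29 minimum, 5 reserved addresses, exact names and minimum sizes for GatewaySubnet and AzureFirewallSubnet, no overlap with on-premises) using only Python's standard ipaddress module. The first plan is the page's sample architecture with the firewall subnet given its required name; the on-premises range is the page's 192.168.0.0/16. The second plan and the 10.0.0.0/8 on-premises range are constructed to trigger each failure mode. The ordinary subnet names and the function names are my own.

```python
"""Offline validator for an Azure VNet subnet plan (added example, stdlib only).

Rules encoded here are the ones stated on the page: subnets must sit inside
the VNet, must not overlap each other, must be /29 or larger, Azure reserves
5 addresses per subnet, GatewaySubnet (/27+) and AzureFirewallSubnet (/26+)
must carry exactly those names, and the VNet may not overlap on-premises.
"""
import ipaddress
from itertools import combinations

AZURE_RESERVED = 5        # network, default gateway, two Azure DNS, broadcast
MIN_SUBNET_PREFIX = 29    # Azure does not accept subnets smaller than /29

# Name-sensitive subnets and the minimum size Azure accepts for each.
# Assumption: only the two special subnets discussed on this page are modelled.
SPECIAL_SUBNETS = {"GatewaySubnet": 27, "AzureFirewallSubnet": 26}

VNET = "10.0.0.0/16"

# The page's sample layout (firewall subnet given its required name).
PLAN = {
    "GatewaySubnet": "10.0.0.0/27",
    "AzureFirewallSubnet": "10.0.1.0/26",
    "PublicLB": "10.0.2.0/27",
    "PrivateLB": "10.0.3.0/27",
    "Web": "10.0.10.0/24",
    "Api": "10.0.11.0/24",
    "Data": "10.0.20.0/24",
    "Management": "10.0.30.0/24",
}
ONPREM = ["192.168.0.0/16"]                 # the page's on-premises range

# Constructed plan with one instance of each mistake the validator catches.
BAD_PLAN = {
    "gatewaysubnet": "10.0.0.0/30",         # wrong spelling, and below /29
    "AzureFirewallSubnet": "10.0.1.0/27",   # firewall needs /26 or larger
    "Web": "10.0.10.0/24",
    "Api": "10.0.10.128/25",                # overlaps Web
    "Data": "10.1.0.0/24",                  # outside the VNet
}
BAD_ONPREM = ["10.0.0.0/8"]                 # constructed: swallows the VNet


def usable_hosts(net):
    """Addresses a VM or NIC can actually take in an Azure subnet."""
    return net.num_addresses - AZURE_RESERVED


def sizing_table(prefix_lengths):
    """Map each prefix length to its Azure-usable host count."""
    return {p: usable_hosts(ipaddress.ip_network(f"0.0.0.0/{p}"))
            for p in prefix_lengths}


def validate_plan(vnet, subnets, onprem):
    """Return a list of problems; an empty list means the plan is clean.

    IPv4 only: mixing IPv4 and IPv6 prefixes is not handled here.
    """
    problems = []
    vnet_net = ipaddress.ip_network(vnet, strict=True)
    parsed = {}
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:           # host bits set, e.g. 10.0.1.5/24
            problems.append(f"{name}: {cidr} is not a valid network ({exc})")
            continue
        parsed[name] = net
        if not net.subnet_of(vnet_net):
            problems.append(f"{name}: {cidr} lies outside the VNet {vnet}")
        if net.prefixlen > MIN_SUBNET_PREFIX:
            problems.append(f"{name}: {cidr} is smaller than the /29 minimum")
        if name in SPECIAL_SUBNETS and net.prefixlen > SPECIAL_SUBNETS[name]:
            problems.append(f"{name}: needs /{SPECIAL_SUBNETS[name]} or larger, "
                            f"got /{net.prefixlen}")
        # Azure matches the special names exactly; a case slip is a common slip.
        for special in SPECIAL_SUBNETS:
            if name != special and name.lower() == special.lower():
                problems.append(f"{name}: Azure only recognises the exact name "
                                f"'{special}'")
    # Subnets inside one VNet must be disjoint.
    for (a, na), (b, nb) in combinations(parsed.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} ({na}) overlaps {b} ({nb})")
    # Hybrid check: no on-premises prefix may overlap the VNet address space.
    for prefix in onprem:
        site = ipaddress.ip_network(prefix, strict=True)
        if site.overlaps(vnet_net):
            problems.append(f"VNet {vnet} overlaps on-premises range {prefix}; "
                            "VPN/ExpressRoute routing will break")
    return problems


if __name__ == "__main__":
    for label, plan, sites in (("page layout", PLAN, ONPREM),
                               ("broken plan", BAD_PLAN, BAD_ONPREM)):
        issues = validate_plan(VNET, plan, sites)
        print(f"{label}: {'OK' if not issues else f'{len(issues)} problem(s)'}")
        for issue in issues:
            print("  -", issue)
    for prefix, hosts in sizing_table([29, 27, 26, 24]).items():
        print(f"/{prefix}: {hosts} usable after Azure's {AZURE_RESERVED} reserved")
```

Run it as a script to see the page's layout pass and the broken plan report six problems: the too-small and misspelled gateway subnet, the undersized firewall subnet, the subnet outside the VNet, the overlapping web/API pair, and the on-premises collision. The strict=True parses reject a CIDR with host bits set (10.0.1.5/24), which is the same error the Azure portal shows when a subnet is typed from a host address rather than a network address.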
