To ensure the security and networking of your Azure subnet, it's essential to follow best practices.
One key best practice is to use Network Security Groups (NSGs) to control inbound and outbound network traffic. NSGs can be applied to subnets, virtual networks, or individual network interfaces.
Using NSGs helps to prevent unauthorized access to your resources and ensures that only necessary traffic is allowed.
When creating a subnet, it's crucial to specify the correct IP address range and subnet mask to avoid any potential issues.
A valid IP address range should be specified in CIDR notation, such as 10.0.0.0/16.
Azure also recommends using Azure Firewall to provide an additional layer of security for your subnet.
Azure Subnet Basics
To create a subnet in Azure, you must specify a range of IPv4 addresses in the form of a CIDR block, such as 10.0.0.0/16. A CIDR block must not overlap with any existing CIDR block associated with your VNet.
You can add multiple subnets in each Availability Zone of your VNet's region. The CIDR block size for an IPv4 subnet ranges from a /16 netmask (65,536 IP addresses) to a /29 netmask (8 IP addresses).
There are 5 reserved addresses in each CIDR block that are not available for use and cannot be assigned to any virtual machines.
Here are some key concepts to understand about Azure subnets:
A subnet is a range of IP addresses in your VNet, and you can launch Azure resources into a specified subnet. Network security groups can be used to protect the Azure resources in each subnet.
Azure Subnet Configuration
Azure Subnet Configuration is a crucial aspect of setting up a Virtual Network in Azure. You must specify a range of IPv4 addresses for the subnet in the form of a CIDR block, such as 10.0.0.0/16.
The CIDR block size for an IPv4 subnet ranges from a /16 netmask (65,536 IP addresses) to a /29 netmask (8 IP addresses), so a single subnet can hold at most 65,536 IP addresses.
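The prefix rules above (CIDR notation, /16 to /29, no overlap with the VNet's existing blocks, 5 reserved addresses per subnet) are easy to get wrong by hand. The following Python is an added example, not code from the page or from Azure's tooling; it checks a proposed prefix against the page's rules using only the standard library. The VNet space and existing subnets it is run against are constructed sample values.

```python
import ipaddress

# Subnet size bounds as stated on the page: /16 (65,536 addresses) down to /29 (8 addresses).
MIN_PREFIXLEN = 16
MAX_PREFIXLEN = 29
# Azure keeps 5 addresses in every subnet that can never be assigned to a VM.
RESERVED_PER_SUBNET = 5


def usable_addresses(prefix: str) -> int:
    """Addresses left for VMs after Azure's reserved addresses are removed."""
    return ipaddress.ip_network(prefix, strict=True).num_addresses - RESERVED_PER_SUBNET


def validate_subnet(prefix: str, vnet_prefixes, existing_subnets) -> list:
    """Check a proposed subnet prefix against the VNet space and the subnets already in it.

    Returns a list of problems; an empty list means the prefix can be used.
    """
    problems = []
    try:
        # strict=True rejects prefixes with host bits set, e.g. 10.0.1.5/24
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return [f"{prefix!r} is not a valid CIDR block: {exc}"]
    if net.version != 4:
        return [f"{net} is not IPv4; this check only covers IPv4 subnets"]
    if not MIN_PREFIXLEN <= net.prefixlen <= MAX_PREFIXLEN:
        problems.append(f"/{net.prefixlen} is outside the allowed /{MIN_PREFIXLEN} to /{MAX_PREFIXLEN} range")
    vnets = [ipaddress.ip_network(p) for p in vnet_prefixes]
    if not any(net.subnet_of(v) for v in vnets if v.version == 4):
        problems.append(f"{net} is not inside the VNet address space {list(vnet_prefixes)}")
    for name, existing in existing_subnets.items():
        other = ipaddress.ip_network(existing)
        if other.version == 4 and net.overlaps(other):
            problems.append(f"{net} overlaps existing subnet {name!r} ({other})")
    return problems


if __name__ == "__main__":
    # Constructed sample VNet: one /16 with a single existing subnet.
    vnet = ["10.0.0.0/16"]
    subnets = {"default": "10.0.0.0/24"}
    for candidate in ["10.0.1.0/24", "10.0.0.128/25", "10.1.0.0/30", "10.0.1.5/24"]:
        result = validate_subnet(candidate, vnet, subnets)
        print(candidate, result or f"ok, {usable_addresses(candidate)} usable addresses")
```

Running the block prints one line per candidate: the first is accepted with 251 usable addresses, the second overlaps the existing subnet, the third is both too small and outside the VNet, and the fourth is rejected as malformed because its host bits are set.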
To configure a subnet, you need to specify the address prefix, which is the range of IP addresses that will be used by the subnet. You can also configure network policies for the private endpoint and private link service on the subnet. The possible values for private endpoint network policies are Disabled, Enabled, NetworkSecurityGroupEnabled, and RouteTableEnabled. The possible values for private link service network policies are Disabled and Enabled.
Here are the possible values for service endpoints to associate with the subnet:
- Microsoft.AzureActiveDirectory
- Microsoft.AzureCosmosDB
- Microsoft.ContainerRegistry
- Microsoft.EventHub
- Microsoft.KeyVault
- Microsoft.ServiceBus
- Microsoft.Sql
- Microsoft.Storage
- Microsoft.Storage.Global
- Microsoft.Web
Note that the Multiple Subnet Address Prefixes Feature is not yet in public preview or general availability, so you can only set a single address prefix for the subnet.
Multiple Address Prefixes
Multiple address prefixes on a subnet is a feature that lets you modify the IP address space of a subnet. With it, customers running virtual machines and virtual machine scale sets can add and remove IP address prefixes to meet their scaling requirements.
Customers can only use a single customer address (CA) configuration per NIC; multiple CA configurations on the same network interface card aren't supported.
You can use it on VM and Virtual Machine Scale Sets subnets. Delegated subnets aren't supported with this feature.
Multiple address prefixes on a subnet is offered free of charge.
Note: This feature is currently in public preview. It's not recommended for production workloads.
To configure multiple address prefixes on a subnet, see Create multiple prefixes for a subnet.
There are two subnet properties for address space: AddressPrefix (string), and AddressPrefixes (list). The AddressPrefix property is used for scenarios with a single subnet prefix, while the AddressPrefixes property is used for dual-stack or multiple subnet prefixes.
Here's a summary of the two properties:
The AddressPrefixes property is the default property for subnet address space when a subnet is created via the Azure Portal. However, it's recommended to check for both properties on a subnet wherever applicable.
Subnet Delegation Service Args
When configuring subnet delegation in Azure, it's essential to understand the service arguments involved. The SubnetDelegationServiceDelegation and SubnetDelegationServiceDelegationArgs are crucial components in this process.
The list of actions to delegate is specific to the service being delegated to. Possible values are Microsoft.Network/networkinterfaces/*, Microsoft.Network/publicIPAddresses/join/action, Microsoft.Network/publicIPAddresses/read, Microsoft.Network/virtualNetworks/read, Microsoft.Network/virtualNetworks/subnets/action, Microsoft.Network/virtualNetworks/subnets/join/action, Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action, and Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action.
Azure may add default actions depending on the service delegation name; these can't be changed, and which ones are added varies by service delegation name.
Here are some possible values for service delegation:
Understanding these possible values will help you configure subnet delegation effectively in Azure.
Bicep Resource Definition
To create a Microsoft.Network/virtualNetworks/subnets resource, you can use Bicep. The virtualNetworks/subnets resource type can be deployed with operations that target: virtual networks and subnets.
You can create a Microsoft.Network/virtualNetworks/subnets resource by adding the resource format described below to your Bicep template.
The Bicep resource definition for a Microsoft.Network/virtualNetworks/subnets resource includes the following properties: apiVersion, name, properties, and type. The apiVersion is set to '2024-03-01'.
Here are the properties of the Bicep resource definition for a Microsoft.Network/virtualNetworks/subnets resource:
Inputs
When configuring an Azure Subnet, you'll need to specify the address prefixes to use for the subnet. Currently, only a single address prefix can be set.
The Subnet resource accepts a property called private_endpoint_network_policies, which can be set to Disabled, Enabled, NetworkSecurityGroupEnabled, or RouteTableEnabled. The default value is Disabled.
If you don't want to use network policies like user-defined Routes and Network Security Groups, you'll need to set private_endpoint_network_policies to Disabled. This setting only applies to Private Endpoints in the Subnet.
If you want to use network policies like user-defined Routes and Network Security Groups, you'll need to set private_endpoint_network_policies to Enabled, NetworkSecurityGroupEnabled, or RouteTableEnabled. This setting only applies to Private Endpoints in the Subnet.
The Subnet resource also accepts a property called private_link_service_network_policies_enabled, which must be set to false when configuring Azure Private Link service. This setting only affects the Private Link service.
You can associate a list of service endpoints with the subnet, including Microsoft.AzureActiveDirectory, Microsoft.AzureCosmosDB, and Microsoft.ContainerRegistry. However, to use the Microsoft.Storage.Global service endpoint, you must enable the AllowGlobalTagsForStorage feature in your subscription.
Azure Subnet Resources
You can deploy Azure subnet resources with operations that target virtualNetworks/subnets. This includes creating, updating, and deleting subnets.
The Bicep resource definition for a subnet includes properties such as addressPrefix, addressPrefixes, and applicationGatewayIPConfigurations. These properties allow you to configure the subnet's address range, IP configurations, and application gateway settings.
To create a Microsoft.Network/virtualNetworks/subnets resource, you can use the Bicep resource format. This format includes the virtualNetworks/subnets resource type and properties such as defaultOutboundAccess, delegations, and networkSecurityGroup.
The SubnetPropertiesFormat defines the properties of a subnet, including addressPrefix, addressPrefixes, and applicationGatewayIPConfigurations. This format is used in Bicep, ARM template, and Terraform resource definitions.
Here's a summary of the SubnetPropertiesFormat properties:
- privateEndpointNetworkPolicies: Enable or disable applying network policies on private endpoints in the subnet. Values: 'Disabled', 'Enabled', 'NetworkSecurityGroupEnabled', 'RouteTableEnabled'.
- privateLinkServiceNetworkPolicies: Enable or disable applying network policies on the private link service in the subnet. Values: 'Disabled', 'Enabled'.
- routeTable (RouteTable): The reference to the RouteTable resource.
- serviceEndpointPolicies (ServiceEndpointPolicy[]): An array of service endpoint policies.
- serviceEndpoints (ServiceEndpointPropertiesFormat[]): An array of service endpoints.
- sharingScope: Set this property to Tenant to allow sharing the subnet with other subscriptions in your AAD tenant. Values: 'DelegatedServices', 'Tenant'.
The ARM template resource definition for a subnet includes properties such as apiVersion, name, and properties. The properties are defined using the SubnetPropertiesFormat.
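Because the same SubnetPropertiesFormat shape comes back from the API when you export existing subnets, it can be audited with the enumerations this page lists (the privateEndpointNetworkPolicies and privateLinkServiceNetworkPolicies values, the sharingScope values, the service endpoint names, the Microsoft.Storage.Global feature requirement, and the delegation actions from the Subnet Delegation Service Args section). The following Python is an added example, not code from the page or from Microsoft; it reads both addressPrefix and addressPrefixes as the page advises and flags the settings a reviewer would want to see. The two subnet records are constructed, as is the `<sub>` placeholder in the NSG id; the Microsoft.Sql/servers delegation name is the one the page uses.

```python
import json

# Enumerations and lists as given on the page for Microsoft.Network/virtualNetworks/subnets.
VALID_PE_POLICIES = {"Disabled", "Enabled", "NetworkSecurityGroupEnabled", "RouteTableEnabled"}
VALID_PLS_POLICIES = {"Disabled", "Enabled"}
VALID_SHARING_SCOPES = {"DelegatedServices", "Tenant"}
KNOWN_SERVICE_ENDPOINTS = {
    "Microsoft.AzureActiveDirectory", "Microsoft.AzureCosmosDB", "Microsoft.ContainerRegistry",
    "Microsoft.EventHub", "Microsoft.KeyVault", "Microsoft.ServiceBus", "Microsoft.Sql",
    "Microsoft.Storage", "Microsoft.Storage.Global", "Microsoft.Web",
}
KNOWN_DELEGATION_ACTIONS = {
    "Microsoft.Network/networkinterfaces/*",
    "Microsoft.Network/publicIPAddresses/join/action",
    "Microsoft.Network/publicIPAddresses/read",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/action",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",
    "Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action",
}


def subnet_prefixes(props: dict) -> list:
    """Read the address space from either addressPrefixes (list) or addressPrefix (string)."""
    if props.get("addressPrefixes"):
        return list(props["addressPrefixes"])
    if props.get("addressPrefix"):
        return [props["addressPrefix"]]
    return []


def audit_subnet(subnet: dict, allow_global_tags_for_storage: bool = False) -> list:
    """Return human-readable findings for one subnet resource; an empty list means nothing to flag."""
    props = subnet.get("properties", {})
    findings = []
    if not subnet_prefixes(props):
        findings.append("no addressPrefix or addressPrefixes set")
    if "networkSecurityGroup" not in props:
        findings.append("no NSG associated: traffic is not filtered at the subnet boundary")
    pe = props.get("privateEndpointNetworkPolicies", "Disabled")  # Disabled is the default noted on the page
    if pe not in VALID_PE_POLICIES:
        findings.append(f"invalid privateEndpointNetworkPolicies value {pe!r}")
    elif pe == "Disabled":
        findings.append("privateEndpointNetworkPolicies is Disabled: NSG and UDR are not applied to private endpoints here")
    pls = props.get("privateLinkServiceNetworkPolicies", "Enabled")
    if pls not in VALID_PLS_POLICIES:
        findings.append(f"invalid privateLinkServiceNetworkPolicies value {pls!r}")
    scope = props.get("sharingScope")
    if scope is not None and scope not in VALID_SHARING_SCOPES:
        findings.append(f"invalid sharingScope value {scope!r}")
    elif scope == "Tenant":
        findings.append("sharingScope is Tenant: other subscriptions in the tenant can place resources in this subnet")
    for endpoint in props.get("serviceEndpoints", []):
        service = endpoint.get("service")
        if service not in KNOWN_SERVICE_ENDPOINTS:
            findings.append(f"unknown service endpoint {service!r}")
        elif service == "Microsoft.Storage.Global" and not allow_global_tags_for_storage:
            findings.append("Microsoft.Storage.Global requires the AllowGlobalTagsForStorage feature on the subscription")
    for delegation in props.get("delegations", []):
        dprops = delegation.get("properties", {})
        for action in dprops.get("actions", []):
            if action not in KNOWN_DELEGATION_ACTIONS:
                findings.append(f"delegation to {dprops.get('serviceName')!r} lists unknown action {action!r}")
    return findings


def audit_all(subnets, **kwargs) -> dict:
    """Map each subnet name to its findings."""
    return {s["name"]: audit_subnet(s, **kwargs) for s in subnets}


# Constructed sample in the shape of exported subnet resources; not real data.
SAMPLE_SUBNETS = json.loads("""
[
  {"name": "app",
   "properties": {
     "addressPrefixes": ["10.0.1.0/24"],
     "networkSecurityGroup": {"id": "/subscriptions/<sub>/resourceGroups/rg/providers/Microsoft.Network/networkSecurityGroups/app-nsg"},
     "privateEndpointNetworkPolicies": "NetworkSecurityGroupEnabled",
     "privateLinkServiceNetworkPolicies": "Enabled",
     "serviceEndpoints": [{"service": "Microsoft.Storage"}],
     "delegations": [{"name": "sql", "properties": {"serviceName": "Microsoft.Sql/servers",
                      "actions": ["Microsoft.Network/virtualNetworks/subnets/join/action"]}}]}},
  {"name": "legacy",
   "properties": {
     "addressPrefix": "10.0.2.0/24",
     "sharingScope": "Tenant",
     "serviceEndpoints": [{"service": "Microsoft.Storage.Global"}]}}
]
""")

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_SUBNETS).items():
        print(name, findings or "no findings")
```

With the sample input the "app" subnet produces no findings, while "legacy" is flagged four times: no NSG, private endpoint policies left at Disabled, a tenant-wide sharingScope, and a Microsoft.Storage.Global endpoint without the feature flag. Pass allow_global_tags_for_storage=True once the feature is registered on the subscription and that last finding disappears.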
Azure Subnet Security
Network Security Groups (NSGs) control the traffic flow to and from subnets and to and from VMs, allowing you to create security boundaries between subnets.
Each NSG contains a list of Access Control List (ACL) rules that allow or deny network traffic to subnets, NICs, or both. These rules have properties such as protocol, source and destination port ranges, address prefixes, direction of traffic, priority, and access type.
You can associate an NSG to a NIC, and the network access rules in the NSG are applied only to that NIC. If an NSG is applied to a single NIC on a multi-NIC VM, it doesn't affect traffic to the other NICs. You can associate different NSGs to a NIC (or VM, depending on the deployment model) and the subnet that a NIC or VM is bound to.
Security
Network Security Groups (NSGs) are a crucial part of Azure subnet security, controlling inbound and outbound traffic of Azure resources. They can be associated with either subnets or individual NICs connected to a subnet.
NSGs contain two sets of rules, inbound and outbound. Each rule has a priority number that must be unique within its set, and the lower the number, the higher the rule's precedence.
You can use service tags in network security rules to reduce the churn of frequent updates. This feature allows you to create a single rule with multiple source and destination IPs.
Augmented security rules enable you to create a single rule with multiple source and destination IPs, making it easier to manage complex network traffic.
Here are some key features of NSGs:
IP flow verify of Azure Network Watcher can be used to check which network security rule allows or denies the traffic. This feature helps you troubleshoot network issues and ensure that your NSGs are configured correctly.
VNet service endpoint policy allows you to filter the egress VNet traffic to Azure Storage. This feature helps you control the traffic flow to and from your virtual network.
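To make the priority and evaluation rules concrete, the following Python is an added example, not code from the page, from Azure Network Watcher or from any Azure SDK. It models a small NSG rule set, enforces the page's requirement that priorities be unique within each direction, and evaluates a flow the way IP flow verify reports it: the first rule in priority order that matches decides the outcome. The rule set and the two service tag expansions (VirtualNetwork, Internet) are constructed for the example and are not Azure's real tag contents.

```python
import ipaddress
from dataclasses import dataclass

# Service tags expand to groups of address prefixes. These two entries are
# constructed for this example and are not the contents of Azure's real tags.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "Internet": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number = evaluated first
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp" or "*"
    source: str          # CIDR prefix, service tag name, or "*"
    destination: str     # CIDR prefix, service tag name, or "*"
    dest_ports: str      # "22", "80-443" or "*"


def _address_matches(spec: str, address: str) -> bool:
    """True when the address falls in the rule's prefix, its service tag, or a wildcard."""
    if spec == "*":
        return True
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(p) for p in SERVICE_TAGS.get(spec, [spec]))


def _port_matches(spec: str, port: int) -> bool:
    """Accept a single port, a low-high range, or a wildcard."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def duplicate_priorities(rules):
    """Priorities must be unique within each direction; return the collisions found."""
    seen = {}
    collisions = []
    for rule in rules:
        key = (rule.direction, rule.priority)
        if key in seen:
            collisions.append((rule.direction, rule.priority, seen[key], rule.name))
        else:
            seen[key] = rule.name
    return collisions


def evaluate_flow(rules, direction, protocol, source, destination, dest_port):
    """Return the first rule, in priority order, that matches the flow, or None if nothing matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol != "*" and rule.protocol != protocol:
            continue
        if not _address_matches(rule.source, source):
            continue
        if not _address_matches(rule.destination, destination):
            continue
        if not _port_matches(rule.dest_ports, dest_port):
            continue
        return rule
    return None


# Constructed rule set. DenyAllInBound mirrors the catch-all default rule Azure places at priority 65500.
RULES = [
    Rule("AllowSSHFromVNet", 100, "Inbound", "Allow", "Tcp", "VirtualNetwork", "*", "22"),
    Rule("AllowWebFromInternet", 200, "Inbound", "Allow", "Tcp", "Internet", "10.0.1.0/24", "80-443"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
]

if __name__ == "__main__":
    print("priority collisions:", duplicate_priorities(RULES))
    for flow in [("10.0.2.4", "10.0.1.4", 22), ("203.0.113.9", "10.0.1.4", 22), ("203.0.113.9", "10.0.1.4", 443)]:
        hit = evaluate_flow(RULES, "Inbound", "Tcp", *flow)
        print(flow, "->", f"{hit.access} by {hit.name}" if hit else "no matching rule")
```

The second flow in the demo (SSH from an Internet address) falls through the two allow rules and lands on DenyAllInBound, which is exactly the rule IP flow verify would name; the same function can be pointed at rules exported from a real NSG once they are mapped onto the Rule dataclass.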
Delegation
Delegation is a crucial aspect of Azure Subnet Security, allowing you to grant access to specific services within your subnet. This can be done by delegating actions to a service, such as Microsoft.Network/networkinterfaces/*.
The delegated actions are specific to the service being delegated to, and possible values include Microsoft.Network/publicIPAddresses/join/action, Microsoft.Network/publicIPAddresses/read, and Microsoft.Network/virtualNetworks/read.
You specify the actions to be delegated as a list on the delegation object (SubnetDelegationServiceDelegation and SubnetDelegationServiceDelegationArgs in the Pulumi provider). The set of valid actions is specific to the service being delegated to.
The name of the resource being delegated is unique within a subnet, and can be used to access the resource. This name is stored in the name property of the resource.
The properties of the subnet being delegated are stored in the properties property of the resource. These properties include the serviceName of the service being delegated to, such as Microsoft.Sql/servers.
Here's a breakdown of the properties of the subnet being delegated:
The ServiceDelegationPropertiesFormat includes the serviceName of the service being delegated to, which is a string value.
Frequently Asked Questions
What is the difference between VNet and subnet?
A VNet is a virtual network that contains a range of IP addresses, while a subnet is a smaller range of IP addresses within that VNet, allowing for more specific network organization and resource placement. Think of a VNet as the overall network and a subnet as a specific section within it.
What is the difference between subnet and gateway subnet in Azure?
A subnet is a logical division of a network, while a gateway subnet is a specific subnet created for a virtual network gateway, containing VMs that manage routing and gateway services. The key difference lies in their purpose and configuration.
What is subnetting in Azure?
Subnetting in Azure allows you to divide a virtual network into smaller, isolated segments called subnets, each with its own unique address space. This helps you organize and manage your Azure resources more efficiently.
Can two subnets talk to each other in Azure?
Yes, by default, subnets in the same Virtual Network (VNet) can communicate with each other in Azure. However, if you're experiencing issues, it's possible that it's an Azure-side problem.
Why does Azure reserve 5 IP addresses in a subnet?
Azure reserves 5 IP addresses in each subnet to ensure availability and prevent IP address conflicts. This is especially important for Azure services that require dedicated subnets, such as Azure Firewall and Azure VPN Gateway.
Sources
- https://learn.microsoft.com/en-us/azure/virtual-network/network-overview
- https://learn.microsoft.com/en-us/azure/templates/microsoft.network/virtualnetworks/subnets
- https://www.pulumi.com/registry/packages/azure/api-docs/network/subnet/
- https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_subnet_info_module.html
- https://tutorialsdojo.com/azure-virtual-network-vnet/