Subnets and Subnetting in Azure – Features and Use-cases

In Azure, subnets are an integral part of your Virtual Network (VNet) architecture.

Subnets allow you to partition a VNet's IP address space into smaller, more manageable segments.

Subnetting helps you organize and control the flow of network traffic, segment security policies, and ensure efficient resource management.

Subnetting also enables scalability and flexibility in cloud environments.

Let’s take a deep dive into features of subnets in Azure, followed by common use cases and best practices.

Features of Azure Subnets

1. IP Address Segmentation

A subnet is a segment of a larger IP address range (CIDR block) within a Virtual Network (VNet).

The range of IP addresses allocated to a subnet is typically a smaller portion of the VNet's IP address space.

For example, if a VNet has the address range 10.0.0.0/16, you can create subnets like 10.0.1.0/24, 10.0.2.0/24, etc.

Subnet size can vary, depending on the number of IP addresses required for the resources within it.

2. Subnet Security

Network Security Groups (NSGs) can be applied to subnets to control inbound and outbound traffic at the subnet level.

NSGs provide granular control over the traffic allowed or denied to and from the resources in the subnet.

Azure Firewall or third-party network virtual appliances can be deployed to monitor and secure the traffic across subnets.

3. Routing Control

Each subnet in a VNet is associated with a route table, which determines how traffic flows between the subnet and other subnets, VNets, or external networks.

Custom routes (User-Defined Routes or UDRs) can be created to manage traffic paths, enabling network appliances or VPN gateways to handle traffic for specific applications.

4. Private IP Address Allocation

Resources within a subnet, such as virtual machines (VMs) or Azure Kubernetes Service (AKS) nodes, are assigned private IP addresses that are used for communication within the VNet.

Static IPs can be assigned to resources for specific requirements, such as when you need a consistent address for a service.

Subnets are scalable, and you can add more subnets or resize them as your network grows.

5. Subnet and Service Integration

Service Endpoints extend your VNet's private address space to specific Azure services (such as Azure Storage or Azure SQL Database), ensuring that traffic remains within Azure’s backbone network, instead of traversing the public internet.

Private Link can be used to privately connect to PaaS services within Azure using a private IP address from a subnet, eliminating exposure to the public internet.

6. Subnets and Network Performance

Subnet size plays a role in network performance.

If a subnet is too small, you may run out of IP addresses quickly as you scale your resources.

Conversely, too large a subnet could lead to inefficient IP address usage.

Virtual Network Peering allows for resources in different VNets (in the same or different regions) to communicate with one another via private IP addresses, including across subnets in separate VNets.

7. High Availability and Redundancy

You can place subnets in Availability Zones for high availability.

Availability Zones are separate physical locations within a region, and placing your subnets in different zones helps ensure that your resources remain available even during a zone failure.

Azure supports Availability Sets to ensure VMs deployed in a subnet are distributed across multiple physical hosts for fault tolerance.

Use Cases for Subnets in Azure

1. Segmentation for Security and Compliance

Isolate Critical Resources

Subnets can be used to isolate critical resources like databases, back-end services, and internal communication services from the internet and other services.

For example, a subnet can be created specifically for databases that have tight access control and are not exposed to the internet.

Front-end and Back-end Segmentation

Common in multi-tier applications, where the front-end (e.g., web servers) resides in a public subnet that is exposed to the internet, while the back-end (e.g., application servers, databases) resides in a private subnet.

Compliance Needs

Regulatory compliance requirements, such as PCI-DSS, often necessitate that sensitive resources (like payment systems or personal data) be placed in isolated subnets with stricter security controls.

2. Scaling Applications

Microservices and Kubernetes

For scalable applications like Kubernetes clusters, subnets allow you to define specific ranges of IP addresses for AKS clusters and separate them from other resources.

Scalable Web Applications

When scaling a web application, multiple subnets can be used to organize and separate web tiers, application tiers, and data tiers, allowing easier management and scaling of each component.

3. Hybrid Connectivity

On-Premises Connectivity

Subnets are used to define the internal network topology of Azure when connecting to an on-premises network via VPN Gateway or ExpressRoute.

Traffic flows between on-premises systems and Azure resources can be routed through specific subnets in the VNet.

Site-to-Site and Point-to-Site VPN

For hybrid environments, subnets help segregate internal Azure resources (e.g., private VMs, storage) and public-facing resources (e.g., VPN Gateway) to ensure secure and managed traffic routing.

4. High Availability and Disaster Recovery

Multi-zone Deployment

For applications requiring high availability, deploying subnets across Availability Zones can ensure that your application continues to operate even if one zone becomes unavailable.

Disaster Recovery

Use subnets in different regions or availability zones to implement a disaster recovery strategy.

This could include replicating databases or VM instances across subnets in different zones or regions to provide backup services in the event of failure.

5. VNet Peering and Cross-Region Architecture

VNet Peering

If you need resources in different regions to communicate with each other, VNet peering across subnets allows traffic to flow seamlessly.

For example, subnets in VNet A (East US) can securely communicate with subnets in VNet B (West Europe) via private IP addresses.

Resource Segmentation

If your organization has multiple departments or environments (e.g., dev, test, production), you can use subnets to segment resources by environment, application, or department, ensuring traffic flows only where needed.

6. Service Integration

Azure PaaS Services

Subnets are used when connecting to Azure Platform-as-a-Service (PaaS) offerings through Private Link.

For instance, Azure SQL Database or Azure Storage can be accessed privately from a subnet, eliminating exposure to the public internet.

Azure App Services

For tighter integration and network isolation, subnets are used to integrate Azure App Services with a VNet for securely accessing private resources.

7. Demilitarized Zones (DMZ) and Perimeter Security

Web Application Firewalls (*WAF*)

In enterprise setups, you can place subnets in a DMZ to isolate web-facing services (e.g., load balancers, firewalls, reverse proxies) from internal resources.

This provides an additional layer of security by controlling access and monitoring traffic between the internet and your internal network.

Public Subnets for Internet-Facing Services

Subnets exposed to the internet (e.g., hosting web servers, load balancers, API gateways) are considered public subnets.

These should be tightly controlled to ensure minimal attack surface, with security measures such as NSGs and Azure Firewall.

8. Cost and Resource Optimization

Cost Efficiency

Subnetting helps you segment workloads based on their specific needs.

For example, placing high-traffic applications in one subnet and low-traffic applications in another ensures that your resources are more efficiently used, potentially reducing costs associated with over-provisioning network capacity or network security rules.

Performance Optimization

By separating workloads based on their communication patterns, you can optimize the performance and reduce network congestion.

Subnetting can improve traffic flow, reduce latency, and minimize cross-subnet traffic when each subnet is properly sized.

Best Practices for Subnets in Azure

1. Subnet Size Management:

Ensure that each subnet is sized appropriately based on expected usage.

Over-provisioning can waste IP addresses, while under-provisioning can lead to IP address exhaustion as your resources scale.

Avoid too many small subnets in large-scale deployments, as it may lead to inefficient IP address utilization.

2. Use NSGs Effectively:

Apply Network Security Groups (NSGs) to control traffic flow at the subnet level.

NSGs should be tailored to each subnet's role — e.g., more restrictive rules for private subnets and looser rules for public-facing subnets.

Consider applying NSGs both at the subnet level (for all resources within the subnet) and at the network interface level (for specific resources).

3. Plan for High Availability:

Utilize Availability Zones to spread subnets across multiple physical locations for redundancy.

Use Azure Load Balancer or Azure Application Gateway for distributing traffic across multiple VMs or services in different subnets.

4. Implement Route Tables:

Make sure to use custom route tables where necessary, especially if you need to route traffic to a specific network appliance, VPN gateway, or another subnet.

5. Monitor and Audit:

Continuously monitor the traffic patterns and access control policies in your subnets to identify and resolve performance bottlenecks or security vulnerabilities.

Tools like Azure Network Watcher and Azure Monitor can help track the health and performance of your network infrastructure.

Conclusion

Subnets in Azure are a critical component for network segmentation, security, and traffic management.

With the ability to segment workloads, apply security policies, and manage routing more effectively, subnets allow Azure users to build secure, scalable, and optimized cloud infrastructures.

Understanding how to leverage subnets for security, performance, scalability, and high availability is essential for any organization using Azure to deploy enterprise-level applications.

By adhering to best practices and proper planning, you can ensure that your Azure network architecture is both efficient and secure.