1.1 Design and Implement IP Addressing for Azure Resources
📘Microsoft Azure Networking Solutions (AZ-700)
1. What Is a Subnet in Azure?
A subnet is a smaller network created inside a Virtual Network (VNet).
- A VNet provides a large IP address range
- Subnets divide that range into smaller sections
- Azure resources are placed inside subnets
Each subnet:
- Uses a portion of the VNet’s IP address space
- Is isolated at the network level
- Can have its own security and routing rules
Subnets are mandatory. No Azure resource can exist directly in a VNet without a subnet.
2. What Does “Shared” and “Dedicated” Subnet Mean?
Shared Subnet
A shared subnet is a subnet that hosts multiple types of Azure resources together.
Example in an IT environment:
- Virtual machines
- Load balancers
- Application servers
all placed in the same subnet
Dedicated Subnet
A dedicated subnet is a subnet created only for one specific service or purpose.
Example in an IT environment:
- A subnet used only for Azure Firewall
- A subnet used only for Application Gateway
- A subnet used only for VPN Gateway
3. Why Planning Subnets Is Important for AZ-700
Subnet planning affects:
- Security
- Scalability
- Routing
- Service compatibility
- Exam success
Some Azure services require dedicated subnets. Using shared subnets incorrectly can:
- Break deployments
- Cause security risks
- Fail exam scenarios
4. Shared Subnets – Detailed Explanation
4.1 What Is a Shared Subnet Used For?
Shared subnets are commonly used when:
- Resources have similar security needs
- Simple architecture is required
- Cost and management need to stay low
4.2 Characteristics of Shared Subnets
- Multiple resource types share the same IP range
- Same Network Security Group (NSG) applies to all resources
- Same route table applies to all resources
4.3 Advantages of Shared Subnets
- Easy to design
- Fewer subnets to manage
- Efficient IP usage for small environments
4.4 Disadvantages of Shared Subnets
- Security rules apply to all resources
- Harder to isolate traffic
- Not suitable for sensitive or critical services
4.5 Exam Notes for Shared Subnets
For AZ-700:
- Shared subnets are acceptable for general workloads
- Avoid shared subnets for Azure-managed network services
- Expect questions asking when shared subnets are not recommended
5. Dedicated Subnets – Detailed Explanation
5.1 What Is a Dedicated Subnet?
A dedicated subnet is created for:
- One Azure service
- One specific role
- One security boundary
Only that service can be deployed in the subnet.
6. Azure Services That Require Dedicated Subnets (VERY IMPORTANT FOR EXAM)
These services must be deployed in their own dedicated subnet:
| Azure Service | Dedicated Subnet Requirement |
|---|---|
| Azure Firewall | Yes (Subnet name must be AzureFirewallSubnet) |
| Application Gateway | Yes |
| VPN Gateway | Yes (Subnet name must be GatewaySubnet) |
| ExpressRoute Gateway | Yes |
| Azure Bastion | Yes (AzureBastionSubnet) |
⚠️ Exam Tip:
If a question mentions one of these services, always choose a dedicated subnet.
7. Why Azure Requires Dedicated Subnets
Azure requires dedicated subnets because:
- The service manages its own IP addresses
- Azure applies internal system rules
- Traffic inspection or routing must be isolated
- Mixing resources could break the service
8. Security Benefits of Dedicated Subnets
Dedicated subnets allow:
- Separate Network Security Groups
- Separate route tables
- Strict traffic control
- Better isolation between workloads
This is important for:
- Firewalls
- Gateways
- Security inspection services
9. IP Address Planning for Shared vs Dedicated Subnets
9.1 IP Planning for Shared Subnets
- Can use smaller address ranges
- IPs shared across multiple resource types
- Risk of running out of IP addresses if not planned properly
9.2 IP Planning for Dedicated Subnets
- Must follow minimum subnet size requirements
- Example:
- Azure Firewall: at least
/26 - VPN Gateway: usually
/27or larger
- Azure Firewall: at least
⚠️ Exam Tip:
Azure services often consume more IP addresses than expected.
10. Network Security Groups (NSGs) and Subnet Type
Shared Subnet
- One NSG applies to all resources
- Rules must allow all required traffic
- Less granular security
Dedicated Subnet
- NSG designed for one service only
- Cleaner and simpler rules
- Strong security control
11. Route Tables and Subnet Type
Shared Subnet
- One route table for all resources
- Traffic rules must work for all workloads
Dedicated Subnet
- Route table optimized for the service
- Required for:
- Firewalls
- Gateways
- Traffic inspection scenarios
12. When to Use Shared Subnets (Exam Scenarios)
Use shared subnets when:
- Resources are closely related
- No Azure-managed network service is involved
- Simple architecture is acceptable
13. When to Use Dedicated Subnets (Exam Scenarios)
Use dedicated subnets when:
- Azure service requires it
- Strong isolation is needed
- Security or routing control is critical
14. Common Exam Mistakes to Avoid
❌ Placing Azure Firewall in a shared subnet
❌ Using wrong subnet name for GatewaySubnet
❌ Applying restrictive NSG rules to Azure-managed services
❌ Not allocating enough IP addresses
15. Key Exam Keywords to Remember
- Shared subnet
- Dedicated subnet
- Azure-managed service
- GatewaySubnet
- AzureFirewallSubnet
- IP address planning
- Network Security Group
- Route table
16. Quick Exam Summary
- Shared subnets = multiple resources together
- Dedicated subnets = one service only
- Some Azure services require dedicated subnets
- Dedicated subnets provide better security and control
- Always plan IP ranges carefully
