1.1 Design and Implement IP Addressing for Azure Resources
📘 Microsoft Azure Networking Solutions (AZ-700)
What Is Subnet Delegation?
Subnet delegation is a feature in Azure where you assign a subnet to a specific Azure service, allowing that service to fully manage the subnet.
When a subnet is delegated:
- Azure knows which service will use the subnet
- That service can create and manage resources inside the subnet automatically
- You cannot use the subnet for other resource types
Think of subnet delegation as reserving a subnet exclusively for one Azure service.
Why Subnet Delegation Is Important
Subnet delegation is required because:
- Some Azure services need deep network control
- These services create resources inside your VNet
- Azure must ensure no conflicts with other resources
For the AZ-700 exam, remember:
Delegation allows certain PaaS services to be deployed into your VNet safely and correctly
Azure Services That Require Subnet Delegation
Not all services need delegation. Only specific platform services require it.
Common Delegated Services (Very Important for Exam)
| Azure Service | Delegation Required |
|---|---|
| Azure App Service (VNet Integration) | Yes |
| Azure Functions (Premium / App Service Plan) | Yes |
| Azure SQL Managed Instance | Yes |
| Azure Container Apps (Environment) | Yes |
| Azure NetApp Files | Yes |
| Azure Virtual Desktop (some scenarios) | Yes |
❗ Virtual Machines do NOT require subnet delegation
How Subnet Delegation Works (Concept)
- You create a VNet
- Inside the VNet, you create a subnet
- You delegate the subnet to a specific Azure service
- Azure locks that subnet for that service
- The service creates resources in that subnet automatically
Once delegated:
- You cannot deploy VMs in that subnet
- You cannot delegate it to another service
- The delegated service has priority control
Subnet Delegation vs Normal Subnet
| Feature | Normal Subnet | Delegated Subnet |
|---|---|---|
| Can host VMs | Yes | No |
| Can host delegated PaaS | No | Yes |
| Managed by Azure service | No | Yes |
| Flexible usage | High | Limited |
| Exam relevance | Medium | High |
Supported Delegation Types
When configuring delegation, you must select the correct service.
Examples:
- Microsoft.Web/serverFarms → App Service
- Microsoft.Sql/managedInstances → SQL Managed Instance
- Microsoft.ContainerInstance/containerGroups → Container Instances
⚠️ Wrong delegation = service deployment fails
Subnet Size Planning (Exam Tip)
Delegated services often require large subnets.
Examples:
- Azure SQL Managed Instance → Minimum /27 subnet
- Azure App Service Environment → Large address space
Exam Rule:
Always check minimum subnet size before delegating
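A pre-deployment check for the two failure causes above, wrong delegation and an undersized subnet, written as an added example (not Microsoft's or this guide's own code). It assumes subnet records shaped like Azure CLI subnet JSON (`addressPrefix`, `delegations[].serviceName`); the workload labels, subnet names and address ranges are hypothetical.

```python
import ipaddress

# Delegation names and the /27 minimum are the values listed on this page.
REQUIRED_DELEGATION = {
    "app-service": "Microsoft.Web/serverFarms",
    "sql-managed-instance": "Microsoft.Sql/managedInstances",
    "container-instances": "Microsoft.ContainerInstance/containerGroups",
}
# Longest allowed prefix per workload; workloads not listed here have no
# minimum stated on this page, so check the service documentation.
MAX_PREFIXLEN = {"sql-managed-instance": 27}

def check_subnet(subnet, workload):
    """Return a list of findings for one subnet; an empty list means it passes."""
    findings = []
    want = REQUIRED_DELEGATION[workload]
    have = [d.get("serviceName", "") for d in subnet.get("delegations") or []]
    if not have:
        findings.append(f"not delegated; {workload} needs {want}")
    elif len(have) > 1:
        findings.append(f"multiple delegations {have}; expected only {want}")
    elif have[0].lower() != want.lower():
        findings.append(f"delegated to {have[0]}, but {workload} needs {want}")
    net = ipaddress.ip_network(subnet["addressPrefix"], strict=False)
    limit = MAX_PREFIXLEN.get(workload)
    if limit is not None and net.prefixlen > limit:
        findings.append(f"{net} is smaller than the /{limit} minimum")
    return findings

def audit(subnets, plan):
    """Map each planned subnet name to its findings."""
    return {s["name"]: check_subnet(s, plan[s["name"]])
            for s in subnets if s["name"] in plan}

# Constructed sample data (hypothetical names and address ranges).
SAMPLE_SUBNETS = [
    {"name": "snet-sqlmi-ok", "addressPrefix": "10.0.0.0/27",
     "delegations": [{"serviceName": "Microsoft.Sql/managedInstances"}]},
    {"name": "snet-sqlmi-small", "addressPrefix": "10.0.1.0/28",
     "delegations": [{"serviceName": "Microsoft.Sql/managedInstances"}]},
    {"name": "snet-app", "addressPrefix": "10.0.2.0/26",
     "delegations": [{"serviceName": "Microsoft.ContainerInstance/containerGroups"}]},
    {"name": "snet-aci", "addressPrefix": "10.0.4.0/24", "delegations": []},
]
SAMPLE_PLAN = {"snet-sqlmi-ok": "sql-managed-instance", "snet-sqlmi-small": "sql-managed-instance",
               "snet-app": "app-service", "snet-aci": "container-instances"}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_SUBNETS, SAMPLE_PLAN).items():
        print(name, "OK" if not findings else "; ".join(findings))
```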
Can NSGs and Route Tables Be Used?
Yes, but with limitations.
Network Security Groups (NSGs)
- Supported for most delegated services
- Some inbound/outbound rules may be restricted
User Defined Routes (UDRs)
- Allowed only if supported by the service
- Some services block forced tunneling
📌 Exam Tip:
Delegation does NOT mean loss of security, but control is shared with Azure
Subnet Delegation and IP Addressing
Key points:
- Delegated subnets still use private IP addresses
- IP addresses are assigned by the Azure service
- You cannot manually assign IPs
Steps to Configure Subnet Delegation (Azure Portal)
- Go to Virtual Network
- Select Subnets
- Create a new subnet or edit an existing one
- Under Subnet delegation, choose the required Azure service
- Save the configuration
After saving:
- Subnet is locked to that service
- Cannot be reused for other workloads
Important Exam Rules to Remember
✔ Delegation is mandatory for some PaaS services
✔ One subnet = one delegated service
✔ Delegated subnets cannot host VMs
✔ Subnet size must meet minimum requirements
✔ Delegation helps integrate PaaS into VNets
✔ Wrong delegation causes deployment failure
Common Exam Traps
❌ Trying to deploy a VM into a delegated subnet
❌ Delegating a subnet after service deployment
❌ Using a subnet that is too small
❌ Assuming all services need delegation
❌ Forgetting that delegation limits subnet usage
Subnet Delegation vs Private Endpoint (Do Not Confuse)
| Feature | Subnet Delegation | Private Endpoint |
|---|---|---|
| Purpose | Give subnet control to service | Provide private access |
| Used by | Specific PaaS services | Almost all PaaS |
| Subnet required | Yes | Yes |
| Delegation required | Yes | No |
When to Use Subnet Delegation (Exam Scenario)
Use subnet delegation when:
- A PaaS service needs full subnet control
- Service documentation says delegation is required
- You want secure VNet integration
Final Exam Summary
Subnet Delegation:
- Assigns a subnet to a specific Azure service
- Allows Azure services to manage network resources
- Is mandatory for many VNet-integrated PaaS services
- Limits subnet usage to one service only
- Requires careful IP planning
If you understand why delegation exists, which services need it, and its limitations, you will easily answer AZ-700 exam questions on this topic.
