1.1 Design and Implement IP Addressing for Azure Resources
📘Microsoft Azure Networking Solutions (AZ-700)
Why Subnet Planning Is Important in Azure (Exam Focus)
In Azure, every service that connects to a Virtual Network (VNet) uses subnets.
If subnets are planned incorrectly:
- Services may fail to deploy
- IP addresses may run out
- Security rules may not work
- Azure services may not scale
For the AZ-700 exam, you must understand:
- Which Azure services require their own subnet
- Minimum subnet size requirements
- Subnet configuration rules
- How subnet planning affects security, routing, and scalability
Key Subnet Planning Rules (Must Know for Exam)
Before learning each service, remember these general rules:
- Each subnet belongs to only one VNet
- Subnets cannot overlap
- Subnet size cannot be changed easily after deployment
- Some Azure services require dedicated subnets
- Azure reserves 5 IP addresses in every subnet
- Subnet name and address range matter for certain services
Subnet Planning for Specific Azure Services
1. VNet Gateways (VPN Gateway / ExpressRoute Gateway)
Purpose
VNet Gateways provide:
- Site-to-Site VPN
- Point-to-Site VPN
- ExpressRoute connectivity
Subnet Requirement (Very Important)
- Must be deployed in a dedicated subnet
- Subnet name must be:
GatewaySubnet
(Exam question favorite)
Subnet Size Recommendation
- Minimum: /27
- Recommended: /26 or larger
Key Exam Points
- No other resources can be placed in GatewaySubnet
- GatewaySubnet must have enough IPs for scaling
- Do not associate NSGs with GatewaySubnet
2. Private Endpoints
Purpose
Private Endpoints allow Azure services (Storage, SQL, Web Apps) to be accessed privately using a private IP address from a VNet.
Subnet Behavior
- Private Endpoints are deployed inside a subnet
- Multiple private endpoints can share the same subnet
- The subnet's private endpoint network policies setting must be configured (see Required Configuration below)
Required Configuration
- Disable network policies for private endpoints on the subnet
Subnet Size Planning
- Depends on number of private endpoints
- Each private endpoint uses one IP address
Key Exam Points
- Private Endpoint uses private IP
- Subnet policies must be disabled
- Works with Private DNS Zones
3. Service Endpoints
Purpose
Service Endpoints allow Azure services to be accessed securely over the Azure backbone while still using public IPs.
Subnet Behavior
- Enabled at the subnet level
- No dedicated subnet required
- Works by extending subnet identity to Azure services
Key Differences from Private Endpoint (Exam Favorite)
| Feature | Service Endpoint | Private Endpoint |
|---|---|---|
| IP Type | Public IP | Private IP |
| Subnet Required | No | Yes |
| DNS Change | No | Yes |
| Access Scope | VNet/Subnet | Specific resource |
Key Exam Points
- Service endpoints are subnet-based
- Traffic stays on Microsoft backbone
- Less secure than private endpoints
4. Azure Firewall
Purpose
Azure Firewall provides centralized network security with:
- Application rules
- Network rules
- NAT rules
Subnet Requirement (Critical)
- Must be deployed in a dedicated subnet
- Subnet name must be:
AzureFirewallSubnet
Subnet Size Requirement
- Minimum: /26
Key Exam Points
- No other resources allowed in this subnet
- Azure Firewall requires multiple IPs for scaling
- UDRs commonly point traffic to Azure Firewall
5. Application Gateway
Purpose
Application Gateway is a Layer 7 load balancer for web traffic (HTTP/HTTPS).
Subnet Requirement
- Must be deployed in a dedicated subnet
- Subnet cannot contain other resource types
Subnet Size Recommendation
- Minimum: /27
- Larger subnets required for autoscaling
Key Exam Points
- Application Gateway subnet must be dedicated
- Subnet must not have NSGs blocking required ports
- Supports WAF (Web Application Firewall)
6. VNet-Integrated Platform Services
Examples
- Azure App Service (VNet Integration)
- Azure Functions
- Azure Logic Apps
- Azure Container Apps
Subnet Behavior
- Requires a dedicated subnet
- Subnet is delegated to the service
- Delegation prevents other resource types
Subnet Size Planning
- Depends on service scale
- App Service requires multiple IPs for scaling
Key Exam Points
- Subnet delegation is required
- Delegated subnet cannot host other resources
- Used for outbound connectivity from PaaS
7. Azure Bastion
Purpose
Azure Bastion allows secure RDP/SSH access to VMs without public IPs.
Subnet Requirement (Exam Favorite)
- Must be deployed in a subnet named:
AzureBastionSubnet
Subnet Size Requirement
- Minimum: /27
Key Exam Points
- Subnet must be dedicated
- No NSGs blocking Bastion ports
- Uses browser-based access
Common Exam Pitfalls to Avoid
❌ Using wrong subnet names
❌ Using small subnet sizes
❌ Placing multiple services in dedicated subnets
❌ Forgetting Azure reserved IPs
❌ Confusing Private Endpoints with Service Endpoints
Summary Table (Very Useful for Exam Revision)
| Service | Dedicated Subnet | Required Subnet Name | Minimum Size |
|---|---|---|---|
| VNet Gateway | Yes | GatewaySubnet | /27 |
| Azure Firewall | Yes | AzureFirewallSubnet | /26 |
| Azure Bastion | Yes | AzureBastionSubnet | /27 |
| Application Gateway | Yes | Any (Dedicated) | /27 |
| Private Endpoint | No | Any | Based on usage |
| Service Endpoint | No | Any | N/A |
| VNet Integration | Yes | Delegated Subnet | Varies |
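Added worked example (not part of these notes): the general subnet rules at the top of the page and the summary table above, encoded as a small Python plan validator. It checks that every subnet fits inside the VNet, that subnets do not overlap, that services which need a dedicated subnet are not sharing one, that the fixed names (GatewaySubnet, AzureFirewallSubnet, AzureBastionSubnet) and minimum sizes from the table are respected, that no NSG is attached to the gateway subnet, and it reports usable addresses after Azure's 5 reserved IPs. The `SERVICE_RULES` table, the `Subnet` class and the sample address plans are constructed here for illustration; the minimum sizes are the ones stated on this page, not a live lookup of Azure's current limits.

```python
"""Validate an Azure VNet subnet plan against the rules summarised in the notes.

Added example; SERVICE_RULES mirrors the page's summary table, the sample plans
below are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass

# Azure reserves 5 addresses per subnet: network, default gateway, 2 x Azure DNS, broadcast
AZURE_RESERVED_PER_SUBNET = 5

# min_prefix is the longest prefix (smallest subnet) allowed; None means no fixed minimum.
SERVICE_RULES = {
    "VNet Gateway":        {"dedicated": True,  "name": "GatewaySubnet",       "min_prefix": 27},
    "Azure Firewall":      {"dedicated": True,  "name": "AzureFirewallSubnet", "min_prefix": 26},
    "Azure Bastion":       {"dedicated": True,  "name": "AzureBastionSubnet",  "min_prefix": 27},
    "Application Gateway": {"dedicated": True,  "name": None,                  "min_prefix": 27},
    "Private Endpoint":    {"dedicated": False, "name": None,                  "min_prefix": None},
    "Service Endpoint":    {"dedicated": False, "name": None,                  "min_prefix": None},
    "VNet Integration":    {"dedicated": True,  "name": None,                  "min_prefix": None},
}


@dataclass
class Subnet:
    name: str
    cidr: str
    services: list          # keys of SERVICE_RULES hosted in this subnet
    nsg_attached: bool = False


def usable_ips(cidr):
    """Addresses a workload can actually use once Azure's reserved 5 are removed."""
    return max(ipaddress.ip_network(cidr).num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def validate_plan(vnet_cidr, subnets):
    """Return a list of findings; an empty list means the plan passes every rule."""
    findings = []
    vnet = ipaddress.ip_network(vnet_cidr)
    seen = []  # (name, network) of subnets already checked, for overlap detection
    for s in subnets:
        net = ipaddress.ip_network(s.cidr)  # strict: host bits set raises ValueError
        if not net.subnet_of(vnet):
            findings.append(f"{s.name}: {s.cidr} is outside VNet {vnet_cidr}")
        for other_name, other in seen:
            if net.overlaps(other):
                findings.append(f"{s.name}: {s.cidr} overlaps {other_name} ({other})")
        seen.append((s.name, net))

        # A service that needs a dedicated subnet must be the only thing in it
        dedicated = [svc for svc in s.services if SERVICE_RULES[svc]["dedicated"]]
        if dedicated and len(s.services) > 1:
            others = ", ".join(x for x in s.services if x != dedicated[0])
            findings.append(f"{s.name}: {dedicated[0]} needs a dedicated subnet but shares it with {others}")

        for svc in s.services:
            rule = SERVICE_RULES[svc]
            if rule["name"] and s.name != rule["name"]:
                findings.append(f"{s.name}: {svc} requires the subnet name {rule['name']}")
            if rule["min_prefix"] is not None and net.prefixlen > rule["min_prefix"]:
                findings.append(f"{s.name}: {svc} needs at least /{rule['min_prefix']}, got /{net.prefixlen}")

        if s.nsg_attached and "VNet Gateway" in s.services:
            findings.append(f"{s.name}: do not associate an NSG with the gateway subnet")
    return findings


# Constructed sample plans (hypothetical address space, not from the notes)
VNET = "10.0.0.0/16"
GOOD_PLAN = [
    Subnet("GatewaySubnet", "10.0.0.0/27", ["VNet Gateway"]),
    Subnet("AzureFirewallSubnet", "10.0.1.0/26", ["Azure Firewall"]),
    Subnet("AzureBastionSubnet", "10.0.2.0/27", ["Azure Bastion"]),
    Subnet("snet-appgw", "10.0.3.0/27", ["Application Gateway"]),
    Subnet("snet-pe", "10.0.4.0/28", ["Private Endpoint", "Service Endpoint"]),
]
BAD_PLAN = [
    Subnet("snet-vpn", "10.0.0.0/28", ["VNet Gateway"], nsg_attached=True),   # wrong name, too small, NSG
    Subnet("AzureFirewallSubnet", "10.0.0.0/26", ["Azure Firewall", "Private Endpoint"]),  # overlap, shared
    Subnet("snet-pe", "10.1.0.0/24", ["Private Endpoint"]),                   # outside the VNet
]

if __name__ == "__main__":
    for plan_name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(f"== {plan_name} plan ==")
        for s in plan:
            print(f"  {s.name:<22} {s.cidr:<16} usable IPs: {usable_ips(s.cidr)}")
        for f in validate_plan(VNET, plan) or ["no findings"]:
            print("  -", f)
```

The good plan produces no findings; the bad plan produces six (name, size and NSG on the gateway subnet, overlap and sharing on the firewall subnet, and the out-of-range private endpoint subnet). Note that a /28 leaves only 11 usable addresses once Azure's 5 reserved IPs are subtracted, which is why small private endpoint subnets fill up faster than the raw prefix suggests.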
Final Exam Tips
- Memorize required subnet names
- Understand why certain services need dedicated subnets
- Know minimum subnet sizes
- Be able to compare Private Endpoint vs Service Endpoint
- Plan subnets for future growth
