Plan and implement network segmentation and address spaces

1.1 Design and Implement IP Addressing for Azure Resources

📘Microsoft Azure Networking Solutions (AZ-700)

1. What Is Network Segmentation in Azure?

Network segmentation means dividing a large network into smaller, isolated parts.
In Azure, segmentation is mainly done using:

  • Virtual Networks (VNets)
  • Subnets
  • Network Security Groups (NSGs)
  • Routing and isolation techniques

Why segmentation is important:

  • Improves security
  • Controls traffic flow
  • Makes networks easier to manage
  • Prevents unnecessary communication between workloads

For the AZ-700 exam, you must understand how Azure uses VNets and subnets to segment IP address spaces.

2. Understanding Address Spaces in Azure

What Is an Address Space?

An address space is a range of private IP addresses that Azure resources can use.

Azure uses CIDR notation, such as:

  • 10.0.0.0/16
  • 172.16.0.0/12
  • 192.168.0.0/16

These are private IP ranges, allowed inside Azure VNets.

3. Azure Virtual Network (VNet)

A Virtual Network (VNet) is the main network container in Azure.

Key points about VNets:

  • A VNet must have one or more address spaces
  • VNets provide network isolation
  • Resources inside the same VNet can communicate by default

Example (IT-focused):

  • One VNet may host:
    • Virtual Machines
    • Application services
    • Databases
  • All use IP addresses from the VNet address space

4. Subnets: The Core of Network Segmentation

A subnet is a smaller IP range inside a VNet.

Why subnets are used:

  • Separate workloads
  • Apply different security rules
  • Control traffic between components

Important rules for subnets:

  • Subnet address ranges must be inside the VNet address space
  • Subnets cannot overlap
  • Each subnet is used for specific resources

Example (IT-focused):

  • One subnet for application servers
  • One subnet for databases
  • One subnet for management resources

5. Planning Address Spaces (Very Important for the Exam)

Key planning principles:

1. Avoid Overlapping IP Ranges

  • Overlapping address spaces cause routing issues
  • Required when:
    • Using VNet peering
    • Connecting VNets to on-premises networks

2. Plan for Growth

  • Choose address spaces large enough for:
    • Future subnets
    • Additional resources
  • Azure does not allow shrinking subnets

3. Use Logical Grouping

  • Group resources by:
    • Function
    • Security level
    • Traffic type

6. Reserved IP Addresses in Azure Subnets

Azure reserves 5 IP addresses in every subnet.

These IPs are used by Azure internally for:

  • Network identification
  • Default gateway
  • DNS services

Exam note:

Always account for 5 reserved IPs when calculating subnet sizes.

7. Network Segmentation Using VNets vs Subnets

VNet Segmentation:

  • Provides strong isolation
  • Used when workloads must be completely separate
  • Common for environments with strict security needs

Subnet Segmentation:

  • Used inside the same VNet
  • Easier communication
  • Controlled using security rules

Exam tip:

  • Use VNets for isolation
  • Use subnets for organization and traffic control

8. Network Security Groups (NSGs) and Segmentation

NSGs control traffic to and from subnets or network interfaces.

How NSGs support segmentation:

  • Allow or deny traffic based on:
    • Source IP
    • Destination IP
    • Port
    • Protocol
  • Applied at:
    • Subnet level
    • Network Interface level

Exam focus:

  • NSGs are stateless filters
  • They do not route traffic
  • They help enforce segmentation policies

9. Service-Specific Subnet Requirements

Some Azure services require their own dedicated subnet.

Common examples:

  • Azure Bastion
  • Azure Firewall
  • Application Gateway
  • VPN Gateway

Exam rule:

  • These services cannot share subnets with other resources
  • Their subnet names are often predefined

10. VNet Peering and Address Space Design

VNet peering connects two VNets.

Important exam points:

  • Peered VNets must not have overlapping IP ranges
  • Peering allows:
    • Private IP communication
    • Low-latency traffic
  • Address space planning is critical before peering

11. Hub-and-Spoke Network Segmentation Model

Azure commonly uses the hub-and-spoke model.

Hub VNet:

  • Central VNet
  • Hosts shared services:
    • Firewalls
    • VPN gateways
    • DNS

Spoke VNets:

  • Separate application networks
  • Connected to the hub using VNet peering
  • Isolated from each other by default

Exam relevance:

  • This model improves security
  • Simplifies network management
  • Requires careful address space planning

12. Expanding Address Spaces

Azure allows:

  • Adding new address spaces to an existing VNet
  • Adding new subnets later

Azure does not allow:

  • Overlapping ranges
  • Reducing subnet sizes

Exam tip:

Always plan address spaces with future growth in mind.

13. Common Exam Mistakes to Avoid

  • Using overlapping CIDR ranges
  • Forgetting reserved IP addresses
  • Placing special Azure services in shared subnets
  • Not planning for future expansion
  • Confusing VNets with subnets

14. Key Exam Takeaways (Must Remember)

  • VNets define network boundaries
  • Subnets define network segmentation
  • Address spaces must be:
    • Non-overlapping
    • Large enough for growth
  • Azure reserves 5 IPs per subnet
  • NSGs enforce traffic control
  • Some services require dedicated subnets
  • Proper planning is critical before deployment
Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by