Azure Network Cheatsheet

📐

Subnet Sizing by Service

Minimum subnet size required for each Azure service

⚠️

Azure reserves 5 IPs per subnet (.0, .1, .2, .3 and last). A /28 = 16 IPs, only 11 usable. A /26 = 64 IPs → 59 usable. Always plan larger since subnets cannot be resized once resources are deployed.
📄 Docs: Reserved IPs

Service	Subnet Name	Min CIDR	Usable IPs	Recommended	Notes	Docs
Azure VMware Solution	—	/22	1019	/22	For AVS clusters	📄
App Service Environment v3	—	/24	251	/24	Delegation required. Isolated PaaS hosting	📄
Azure Kubernetes Service (CNI)	—	/24	251	/21 to /16	1 IP per pod + 1 IP per node. Plan for scaling	📄
Azure Firewall	`AzureFirewallSubnet`	/26	59	/26	Name mandatory. One per VNet	📄
Azure Firewall Management	`AzureFirewallManagementSubnet`	/26	59	/26	Required for forced tunneling	📄
Azure Bastion	`AzureBastionSubnet`	/26	59	/26	Name mandatory. Secure RDP/SSH access	📄
Azure Databricks	public + private	/26 × 2	59 × 2	/26 × 2	Two subnets required for VNet injection	📄
VPN Gateway	`GatewaySubnet`	/27	27	/27	Name mandatory. No NSG. Shared with ExpressRoute GW	📄
ExpressRoute Gateway	`GatewaySubnet`	/27	27	/27	Same subnet as VPN Gateway	📄
Azure Route Server	`RouteServerSubnet`	/27	27	/27	Name mandatory. BGP route exchange	📄
SQL Managed Instance	—	/27	27	/26	Delegation required. Dedicated subnet	📄
Azure Cache for Redis (Premium)	—	/27	27	/27	2 IPs per shard + 1 LB	📄
API Management (VNet)	—	/27	27	/27	/29 possible for lightweight (stv2)	📄
Application Gateway	—	/28	11	/27 or /26	One AppGW per subnet. Plan for autoscaling	📄
Azure NetApp Files	—	/28	11	/28	Delegation required (Microsoft.NetApp/volumes)	📄
Azure Spring Apps	—	/28	11	/26	Two subnets: service runtime + apps	📄
Entra Domain Services	—	/28	11	/28	Managed AD in Azure	📄
Azure Dedicated HSM	—	/28	11	/28	Hardware Security Modules	📄
Private DNS Resolver (inbound)	—	/28	11	/28	Delegation required	📄
Private DNS Resolver (outbound)	—	/28	11	/28	Delegation required	📄
Azure Container Instances	—	/29	3	/27	Delegation required for container groups	📄
NAT Gateway	—	/29	3	—	Attaches to an existing subnet, no dedicated subnet needed	📄
Private Endpoint	—	/29	3	/27	1 IP per Private Endpoint. Plan based on PE count	📄

🏗️

Hub Subnet Layout — Best Practice

Reference architecture for a Hub VNet (/20 recommended)

💡

A Hub VNet of /20 (4,096 IPs) provides enough room for all shared services. Each Spoke VNet should be /22 or /24 depending on workload.
📄 Docs: Hub-spoke topology · 📄 Docs: Plan IP addressing

🔗 GatewaySubnet

/27

27 IPs — VPN + ExpressRoute GW

🔥 AzureFirewallSubnet

/26

59 IPs — Centralized firewall

🔥 AzureFWMgmtSubnet

/26

59 IPs — If forced tunneling

🖥️ AzureBastionSubnet

/26

59 IPs — Secure RDP/SSH access

🔄 RouteServerSubnet

/27

27 IPs — BGP route exchange

🌐 DNS Resolver Inbound

/28

11 IPs — Inbound DNS resolution

🌐 DNS Resolver Outbound

/28

11 IPs — Outbound DNS resolution

🔒 Private Endpoints

/26 to /24

59-251 IPs — Centralize PEs here

🛠️ Management / Shared

/26

59 IPs — Jump boxes, monitoring

📋

Subnet Delegation

Services that require a delegated subnet

⚠️

A delegated subnet is exclusive to its designated service — no other resources can be deployed in it.
List available delegations: az network vnet subnet list-available-delegations --location westeurope
📄 Docs: Subnet delegation overview

Service	Delegation Name	Shared	Docs
App Service / Functions (VNet Integration)	`Microsoft.Web/serverFarms`	No	📄
App Service Environment v3	`Microsoft.Web/hostingEnvironments`	No	📄
SQL Managed Instance	`Microsoft.Sql/managedInstances`	No	📄
Azure Container Instances	`Microsoft.ContainerInstance/containerGroups`	No	📄
Azure NetApp Files	`Microsoft.NetApp/volumes`	No	📄
Azure Databricks	`Microsoft.Databricks/workspaces`	No	📄
API Management	`Microsoft.ApiManagement/service`	No	📄
Azure Kubernetes Service	`Microsoft.ContainerService/managedClusters`	No	📄
Container Apps Environment	`Microsoft.App/environments`	No	📄
Azure Cosmos DB (dedicated)	`Microsoft.AzureCosmosDB/clusters`	No	📄
Azure Batch	`Microsoft.Batch/batchAccounts`	No	📄
Private DNS Resolver (inbound)	`Microsoft.Network/dnsResolvers`	No	📄
Private DNS Resolver (outbound)	`Microsoft.Network/dnsResolvers`	No	📄
Azure Machine Learning	`Microsoft.MachineLearningServices/workspaces`	No	📄

🔒

Private Endpoint vs Service Endpoint

When to use which

Criteria	Service Endpoint	Private Endpoint
IP Type	Public IP of the service	Private IP in your VNet
Granularity	Subnet level	Resource level (NIC)
Isolation	Partial (need firewall rules too)	Complete — no internet exposure
DNS	Public DNS	Private DNS Zone required
On-Premises Access	No	Yes (via VPN/ExpressRoute)
Cross-Region	No	Yes
Cost	Free	~$7.30/month + data
Complexity	Simple	Medium (DNS, NSG config)
Recommendation	Dev/Test, non-critical workloads	Production, compliance, hybrid

📄 Private Endpoint overview · 📄 Service Endpoint overview

Per-Service Support

Azure Service	Service Endpoint	Private Endpoint	Private DNS Zone	Docs
Azure Storage (Blob/File/Queue/Table)	✓	✓	`privatelink.blob.core.windows.net`	📄
Azure SQL Database	✓	✓	`privatelink.database.windows.net`	📄
Azure Cosmos DB	✓	✓	`privatelink.documents.azure.com`	📄
Azure Key Vault	✓	✓	`privatelink.vaultcore.azure.net`	📄
Azure Container Registry	✓	✓	`privatelink.azurecr.io`	📄
Azure Event Hubs	✓	✓	`privatelink.servicebus.windows.net`	📄
Azure Service Bus	✓	✓	`privatelink.servicebus.windows.net`	📄
Azure App Service	✓	✓	`privatelink.azurewebsites.net`	📄
Azure Database for PostgreSQL	✓	✓	`privatelink.postgres.database.azure.com`	📄
Azure Database for MySQL	✓	✓	`privatelink.mysql.database.azure.com`	📄
Azure Synapse Analytics	✓	✓	`privatelink.sql.azuresynapse.net`	📄
Azure Monitor (Log Analytics)	✗	✓	`privatelink.monitor.azure.com`	📄
Azure Machine Learning	✗	✓	`privatelink.api.azureml.ms`	📄
Azure Data Factory	✗	✓	`privatelink.datafactory.azure.net`	📄
Azure OpenAI / Cognitive Services	✗	✓	`privatelink.cognitiveservices.azure.com`	📄
Azure Backup	✗	✓	`privatelink.{region}.backup.windowsazure.com`	📄

📄 Full list: Private Link availability by service

🛡️

NSG & UDR Compatibility by Service

Which services support NSGs and custom routes

Service / Subnet	NSG	UDR	Notes	Docs
`GatewaySubnet`	✗ Forbidden	⚠ Limited	No NSG. UDR without 0.0.0.0/0 route to NVA	📄
`AzureFirewallSubnet`	✗ Forbidden	✓	UDR only for management (forced tunneling)	📄
`AzureBastionSubnet`	✓	✓	NSG with specific rules required (see docs)	📄
`RouteServerSubnet`	✗ Forbidden	✗ Forbidden	No customization allowed	📄
Application Gateway	✓	⚠ Limited	NSG: allow GatewayManager ports. No UDR to 0.0.0.0/0	📄
API Management	✓	✓	NSG required with specific rules (ports 3443, etc.)	📄
AKS (Azure CNI)	✓	✓	UDR to force egress traffic through a firewall	📄
SQL Managed Instance	✓	✓	NSG auto-managed by the service. Don't remove the rules	📄
Private Endpoints	✓	✓	NSG and UDR supported since 2023	📄
App Service (VNet Integration)	✓	✓	Outbound traffic from the app goes through the subnet	📄
Azure NetApp Files	✗ Ignored	✗ Ignored	NSG and UDR are applied but ignored by ANF	📄

📊

Azure Network Limits & Quotas

The ceilings you need to know before hitting them in production

Resource	Default Limit	Max Limit	Scope	Docs
VNets per subscription	1,000	1,000	Per region	📄
Subnets per VNet	3,000	3,000	Per VNet	📄
Peerings per VNet	500	1,000 (with AVNM)	Per VNet	📄
Private IPs per VNet	65,536	65,536	Per VNet	📄
Public IPs (Standard) per sub	1,000	On request	Per region	📄
NSGs per subscription	5,000	5,000	Per region	📄
Rules per NSG	1,000	1,000	Inbound + outbound combined	📄
Routes per Route Table	400	400	Per table	📄
Route Tables per subscription	200	200	Per region	📄
BGP routes per gateway	1,000	1,000	Per BGP peer	📄
Private Endpoints per subscription	1,000	On request	Per region	📄
Private DNS Zones per sub	25,000	25,000	Per subscription	📄
VNet Links per Private DNS Zone	1,000	1,000	Per zone	📄
DNS records per Private DNS Zone	25,000	25,000	Per zone	📄
NICs per VM	Depends on SKU	8 (large VMs)	Per VM	📄
NAT Gateway — concurrent flows	50,000	50,000	Per public IP	📄
Load Balancer rules	300	1,000	Per LB	📄
Application Security Groups	3,000	3,000	Per subscription	📄

🔗

VPN Gateway — SKU Comparison

Since Nov 2025, only AZ (zone-redundant) SKUs can be created

SKU	Throughput	S2S Tunnels	P2S (IKEv2)	BGP	Zone-Redundant	Use Case
VpnGw1AZ	650 Mbps	30	250	✓	✓	Small business, dev/test
VpnGw2AZ	1.25 Gbps	30	500	✓	✓	SMB, moderate workloads
VpnGw3AZ	2.5 Gbps	30	1,000	✓	✓	Enterprise, multi-site
VpnGw4AZ	5 Gbps	100	5,000	✓	✓	Large scale, hybrid cloud
VpnGw5AZ	10 Gbps	100	10,000	✓	✓	Very large scale — otherwise use Virtual WAN

💡

Beyond 100 S2S tunnels, use Azure Virtual WAN instead. Throughput is aggregate across all connections — not guaranteed per tunnel.
📄 Docs: VPN Gateway SKUs · 📄 Docs: SKU consolidation (AZ migration)

🔥

Azure Firewall — SKU Comparison

Feature	Basic	Standard	Premium
Throughput	250 Mbps	30 Gbps	100 Gbps
Autoscaling	✗	✓	✓
Threat Intelligence	Alert	Alert/Deny	Alert/Deny
FQDN Filtering (L7)	✓	✓	✓
DNS Proxy	✗	✓	✓
Web Categories	✗	✓	✓
TLS/SSL Inspection	✗	✗	✓
IDPS	✗	✗	✓ (67k+ sigs)
URL Filtering (full path)	✗	✗	✓
Availability Zones	✓	✓	✓
Use Case	SMB, dev/test	Production, enterprise	Compliance (PCI, HIPAA)

⚠️

Enabling TLS Inspection + IDPS in "Deny" mode on Premium reduces effective throughput to ~10 Gbps per flow. The 100 Gbps figure is aggregate.
📄 Docs: Firewall performance · 📄 Docs: Choose the right SKU · 📄 Docs: Features by SKU

⚖️

Azure Load Balancer — Standard vs Gateway

⚠️

Basic Load Balancer was retired on September 30, 2025. Only Standard (and Gateway) SKUs are available.
📄 Docs: Upgrade guidance

Feature	Standard	Gateway
Backend pool	Up to 5,000 instances	Up to 300 instances
HA Ports	✓ (Internal LB)	✓
Availability Zones	✓	✓
Cross-Region	✓	✗
Security	Secure by default (NSG required)	Transparent to traffic
Outbound NAT Rules	✓	✗
SLA	99.99%	99.99%
Use Case	Web apps, APIs, services	NVA chaining (3rd-party firewalls)

📄 Docs: Load Balancer SKUs · 📄 Docs: Gateway LB overview

🌐

DNS — Best Practices

🔗 Centralized Private DNS Zones

Create Private DNS Zones in the Hub/Connectivity subscription and link them to Spoke VNets. Never duplicate zones across subscriptions.

📄 Docs: Private Link and DNS integration at scale

🔄 Conditional Forwarders

Use Azure Private DNS Resolver to resolve Azure names from on-premises, and on-premises names from Azure. No more custom DNS VMs needed.

📄 Docs: Private DNS Resolver overview

🏷️ Naming Convention

Private DNS Zones for Private Endpoints follow the format privatelink.{service}.{domain}. Don't change the names — Azure expects them exactly.

📄 Docs: Private Endpoint DNS configuration

⚠️ Auto-registration

DNS auto-registration only works for VMs. Only one VNet can be linked with auto-registration per zone. Use it in the Hub for shared VMs.

📄 Docs: Auto-registration feature

🌍 Split-Brain DNS

When you enable a Private Endpoint, public resolution still works for clients not connected to the VNet. The Private DNS Zone only overrides for clients within the linked VNet.

📄 Docs: DNS for on-premises workloads

📊 Key Zones to Know

privatelink.blob.core.windows.net
privatelink.database.windows.net
privatelink.vaultcore.azure.net
privatelink.azurewebsites.net
privatelink.azurecr.io

📄 Docs: Full DNS zone list

💡

Best Practices — Azure Network Architecture

🏗️ Hub-and-Spoke as Foundation

Centralize shared services (Firewall, Gateway, Bastion, DNS) in a Hub VNet. Isolate workloads in Spoke VNets peered to the Hub. This is the pattern recommended by the Cloud Adoption Framework.

📄 Docs: Hub-spoke network topology

📐 Size Large from Day One

Use /20 for the Hub, /22 for Spokes. Subnets cannot be resized with resources deployed. Always plan 2x your initial need.

📄 Docs: Plan for IP addressing

🚫 No CIDR Overlap

Plan your address space before creating the first VNet. Consider on-premises and other clouds. Overlapping CIDRs block peering and routing.

📄 Docs: VNet FAQ (overlapping)

🔥 Force Traffic Through Firewall

Create a UDR 0.0.0.0/0 → Azure Firewall on each Spoke subnet. Associate the route table to the subnet — not the VNet. Without this, traffic goes straight to the internet.

📄 Docs: Create a default route

🔒 NSG on Every Subnet

Even with a firewall, apply NSGs to all subnets (except GatewaySubnet and FirewallSubnet). Defense in depth principle. Use Application Security Groups to simplify rules.

📄 Docs: NSG overview

🔗 Peering ≠ Transitive

If Spoke A is peered to Hub and Spoke B too, A and B cannot communicate directly. Traffic must flow through an NVA/Firewall in the Hub with proper UDRs. Or use Azure Virtual WAN.

📄 Docs: VNet peering connectivity

🌐 Private Endpoints in Production

Use Private Endpoints (not Service Endpoints) for all PaaS services in production. It's the only way to guarantee 100% private traffic, including from on-premises.

📄 Docs: Azure Private Link

📡 Accelerated Networking

Enable Accelerated Networking on all VMs that support it. It's free and reduces latency by 50%+. Nearly all SKUs with ≥ 2 vCPUs support it.

📄 Docs: Accelerated Networking

🔄 NAT Gateway for Egress

Prefer NAT Gateway over individual public IPs for outbound traffic. Provides a stable outbound IP, more SNAT ports, and avoids Load Balancer SNAT port exhaustion.

📄 Docs: NAT Gateway overview

📊 Enable Network Watcher

Enable Network Watcher in every used region. Configure VNet Flow Logs (successor to NSG Flow Logs) to a Storage Account + Log Analytics for auditing and troubleshooting.

📄 Docs: Network Watcher overview

🏷️ Naming Convention

Follow the CAF: vnet-{workload}-{region}-{env}, snet-{purpose}, nsg-{subnet}, rt-{subnet}. Consistent naming prevents production mistakes.

📄 Docs: Naming conventions

🔐 MTU & Fragmentation

Azure MTU is 1,500 bytes for inter-VNet/peering traffic. Don't rely on jumbo frames cross-VNet. Ensure firewalls don't block ICMP "Fragmentation Needed" messages.

📄 Docs: VM MTU configuration

☁️ Azure Network Cheatsheet

Subnet Sizing by Service

Hub Subnet Layout — Best Practice

Subnet Delegation

Private Endpoint vs Service Endpoint

Per-Service Support

NSG & UDR Compatibility by Service

Azure Network Limits & Quotas

VPN Gateway — SKU Comparison

Azure Firewall — SKU Comparison

Azure Load Balancer — Standard vs Gateway

DNS — Best Practices

🔗 Centralized Private DNS Zones

🔄 Conditional Forwarders

🏷️ Naming Convention

⚠️ Auto-registration

🌍 Split-Brain DNS

📊 Key Zones to Know

Best Practices — Azure Network Architecture

🏗️ Hub-and-Spoke as Foundation

📐 Size Large from Day One

🚫 No CIDR Overlap

🔥 Force Traffic Through Firewall

🔒 NSG on Every Subnet

🔗 Peering ≠ Transitive

🌐 Private Endpoints in Production

📡 Accelerated Networking

🔄 NAT Gateway for Egress

📊 Enable Network Watcher

🏷️ Naming Convention

🔐 MTU & Fragmentation