The previous AZ-700 Study Guide blog posts covered Site-to-Site VPN, Point-to-Site VPN, and Azure ExpressRoute. In this post, we will explore private IP addressing in Azure Virtual Networks(vNets). The fundamental building block of private networking in Azure is based on vNets. This construct is a Layer 3 networking construct and has CIDR-block attached to it. This CIDR-block represents the private IP address space that network components can use on your Azure infrastructure. Proper design and implementation of this private IP addressing are crucial due to its effect on all other networking design decisions and deployment in Azure.
When you create an Azure vNet, it is recommended to assign an address space based on RFC 1918. This RFC, which outlines private, non-routable address ranges, refers to the following address spaces;
- 10.0.0.0 – 10.255.255.255 (10/8 prefix)
- 172.16.0.0 – 172.31.255.255 (172.16/12 prefix)
- 192.168.0.0 – 192.168.255.255 (192.168/16 prefix)
In addition to this, you should not use the following address ranges:
- 224.0.0.0/4 (Multicast)
- 255.255.255.255/32 (Broadcast)
- 127.0.0.0/8 (Loopback)
- 169.254.0.0/16 (Link-local)
- 168.63.129.16/32 (Internal DNS)
I usually assign a /16 CIDER and then sub-dive it with /24 subnets. The main important point is not to overlap with your on-prem or other public clouds consumption’s IP ranges. With this in mind, we can route IP traffic between our various environments. Every vNet can use a segmentation mechanism with the use of Subnets. As I pointed out, each subnet then has its unique IP range. There are also some services like VPN Gateway, Azure Bastion, and Azure Firewall.
When you create a subnet with a /24 IP CIDR range, you basically lose five IP addresses from that range. Based on IP addressing general rules, the first and last IP addresses are not usable. However, Microsoft Azure also reserves the first three usable IP addresses for default gateway and DNS purposes. Therefore, you can start with the fourth usable IP address in your specific range.
For example, if I assign 10.1.0.0/16 to the vNet, I can assign 10.1.1.0/24 on the first subnet in that vNet. The network address (10.1.1.0/24) and broadcast address (10.1.1.255/24) are not usable in the subnet. Azure also uses 10.1.1.1/24 for the default gateway of that subnet. Furthermore, 10.1.1.2 and 10.1.1.3 are reserved for Azure DNS. Due to this, the first assignable IP address is 10.1.1.4/24.
Virtual machines and services can communicate with each other inside a vNet. In contrast, as a communication boundary, each vNet works isolated from other vNets. Therefore, if you need to open a communication channel between vNets, you should configure vNet peering.
In the next blog post, we will discuss the Design and implement name resolution.
You can read further about the Azure Private IP addressing on the Microsoft official documentation page.
One thought on “Design and implement private IP addressing for VNets (AZ-700)”