Private endpoint subnet sizing

Mohammed Thahif BK 341 Reputation points
2023-01-03T15:05:35.797+00:00

Hello,

We are building an iPaaS environment consisting of API-M, service bus, logic apps, function apps and a storage account. As a best practice, we are planning to enable private endpoints for all of the services. As part of subnet sizing, we need some clarity.

Some documents mention that secure outbound connectivity requires VNet integration, which requires a separate subnet. Is this true?
If a function app needs to talk to a logic app that is enabled with a private endpoint, does it require a separate subnet for outbound VNet integration, or can it talk to the logic app using its private IP?

Also, if a PaaS service is enabled with autoscaling and has a private IP configured, do we need to consider sizing of the private endpoint subnet as well? Kindly help with these basic questions.
Thank you.


Bas Pruijn 951 Reputation points
2023-01-06T15:14:12.183+00:00

For PaaS services you need to distinguish between traffic from the network to the PaaS service (inbound for the PaaS service) and traffic from the PaaS service to the network (outbound for the PaaS service).

For inbound traffic, the PaaS service needs a private endpoint, which takes up 1 IP address in the subnet.
For outbound traffic, the PaaS service needs a complete subnet which it can use to talk to the rest of the network. Sizing of this subnet is usually not documented. I have never run into issues with a /24 subnet, but that might be huge overkill. Please keep in mind that not all PaaS services allow outbound traffic to the network though. Fortunately, functions and logic apps (running on app service plans) can use this functionality, if you are not using the free version: https://azure.microsoft.com/en-us/pricing/details/app-service/linux/

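As an added worked example (not part of this thread and not Microsoft tooling), the sizing arithmetic from the answer above in Python: inbound private endpoints cost one IP each, the outbound VNet integration subnet grows with plan instances, and Azure reserves five addresses in every subnet. The /28 floor for the integration subnet, the 2x scaling factor, the 2x growth headroom and the endpoint inventory are assumptions, not values from the thread.

```python
import math

# Azure reserves 5 addresses in every subnet (network, gateway, two for Azure DNS, broadcast).
AZURE_RESERVED_PER_SUBNET = 5
AZURE_SMALLEST_PREFIX = 29  # /29 is the smallest subnet Azure allows


def usable_addresses(prefix: int) -> int:
    """Usable IPs in an Azure subnet with the given prefix length."""
    return 2 ** (32 - prefix) - AZURE_RESERVED_PER_SUBNET


def prefix_for(usable_needed: int) -> int:
    """Longest prefix (smallest subnet) that still leaves `usable_needed` usable IPs."""
    if usable_needed < 1:
        raise ValueError("need at least one usable address")
    total = usable_needed + AZURE_RESERVED_PER_SUBNET
    return min(32 - math.ceil(math.log2(total)), AZURE_SMALLEST_PREFIX)


def private_endpoint_subnet(endpoint_counts: dict, headroom: float = 2.0) -> int:
    """Inbound side: one IP per private endpoint NIC (one per service sub-resource).
    Headroom is an assumed growth factor; a subnet prefix cannot be shrunk later."""
    needed = math.ceil(sum(endpoint_counts.values()) * headroom)
    return prefix_for(needed)


def integration_subnet(max_instances: int, scale_factor: int = 2, min_prefix: int = 28) -> int:
    """Outbound side (VNet integration): one IP per plan instance, doubled while a
    scale operation is in flight (assumed factor); never smaller than /min_prefix
    (assumed platform minimum, verify against current App Service guidance)."""
    return min(prefix_for(max_instances * scale_factor), min_prefix)


# Constructed inventory for the iPaaS in the question. A storage account needs one
# private endpoint per sub-resource (blob, file, queue, table), so it counts four times.
IPAAS_ENDPOINTS = {
    "apim": 1, "servicebus": 1, "logicapp": 1, "functionapp": 1,
    "storage_blob": 1, "storage_file": 1, "storage_queue": 1, "storage_table": 1,
}


def plan(endpoints: dict = IPAAS_ENDPOINTS, max_instances: int = 10) -> dict:
    pe, vi = private_endpoint_subnet(endpoints), integration_subnet(max_instances)
    return {"private_endpoint_prefix": pe, "private_endpoint_usable": usable_addresses(pe),
            "integration_prefix": vi, "integration_usable": usable_addresses(vi)}


if __name__ == "__main__":
    for key, value in plan().items():
        print(f"{key}: {value}")
```

With the constructed inventory the eight endpoints (sixteen with headroom) fit a /27, and a plan capped at ten instances also lands on a /27 for integration, well short of the /24 mentioned above.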