Dedicated subnets

Manchukonda Kranthi Kumar 131 Reputation points
2023-01-18T14:53:56.2633333+00:00

Are there any resources in Azure which require a dedicated subnet other than these: Bastion, Firewall, Application Gateway, Active Directory Domain Services? And why do they require a dedicated subnet? Is it because of the autoscaling feature in them? If so, why don't virtual machine scale sets (uniform/flex) ask for a dedicated subnet?


Accepted answer
  1. GitaraniSharma-MSFT 47,416 Reputation points Microsoft Employee
    2023-01-18T15:33:02.0833333+00:00

    Hello @Manchukonda Kranthi Kumar ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know which resources in Azure require dedicated subnets and why. And if it is due to the autoscaling feature, then why virtual machine scale sets (uniform/flex) don't ask for a dedicated subnet.

    'Dedicated' implies that only service-specific resources can be deployed in this subnet and can't be combined with customer VM/VMSSs.

    It is not due to auto-scaling. Auto-scaling is only considered for the subnet size and not if the subnet must be dedicated.

    When you deploy a VPN gateway/Application gateway/Bastion/Firewall etc., gateway VMs, VMSS instances and specific services are deployed to their respective subnet. These gateway VMs/VMSS instances/services facilitating connectivity to the respective services are not exposed to the customer and are managed internally by Microsoft. And to avoid any conflict with these internal instances/services, these products impose a restriction on their subnet or require a dedicated subnet.

    You can see the below doc with a list of products/services which need a dedicated subnet:

    https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services#services-that-can-be-deployed-into-a-virtual-network

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

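The rule in the accepted answer (a dedicated subnet holds only that service's resources, never customer VMs or VMSS instances) can be checked against a subnet plan before deployment. The following is an added example, not part of the original thread and not Microsoft tooling; the service-type list, the plan format and every resource name and ID in it are assumptions constructed for illustration.

```python
import re

# ARM resource types for the services the answer names. This list is an
# assumption of the example; extend it from the linked documentation.
DEDICATED = {
    "microsoft.network/virtualnetworkgateways": "VPN Gateway",
    "microsoft.network/applicationgateways": "Application Gateway",
    "microsoft.network/bastionhosts": "Bastion",
    "microsoft.network/azurefirewalls": "Firewall",
}
_OWNER = re.compile(r"/providers/([^/]+)/([^/]+)/([^/]+)")

def owner(resource_id):
    """Return (resource type, name) of the top-level resource behind an ARM ID."""
    m = _OWNER.search(resource_id)
    if m is None:
        raise ValueError(f"not an ARM resource ID: {resource_id!r}")
    return f"{m.group(1)}/{m.group(2)}".lower(), m.group(3)

def audit(subnets):
    """Return {subnet: [messages]} where a dedicated service shares its subnet."""
    findings = {}
    for subnet, attached in subnets.items():
        owners = {owner(rid) for rid in attached}
        services = sorted({DEDICATED[t] for t, _ in owners if t in DEDICATED})
        others = sorted(name for t, name in owners if t not in DEDICATED)
        msgs = []
        if services and others:  # customer NIC / VMSS next to a managed service
            msgs.append(f"{services[0]} subnet also holds: {', '.join(others)}")
        if len(services) > 1:    # two different managed services in one subnet
            msgs.append(f"shared by different services: {', '.join(services)}")
        if msgs:
            findings[subnet] = msgs
    return findings

# Constructed sample plan: subnet name -> IDs of the IP configurations placed in it.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers"
PLAN = {
    "snet-appgw": [f"{SUB}/Microsoft.Network/applicationGateways/agw1/gatewayIPConfigurations/gw",
                   f"{SUB}/Microsoft.Network/applicationGateways/agw2/gatewayIPConfigurations/gw"],
    "AzureBastionSubnet": [f"{SUB}/Microsoft.Network/bastionHosts/bas1/bastionHostIpConfigurations/ip",
                           f"{SUB}/Microsoft.Network/networkInterfaces/jumpbox-nic/ipConfigurations/ip1"],
    "snet-apps": [f"{SUB}/Microsoft.Compute/virtualMachineScaleSets/web/virtualMachines/0"
                  "/networkInterfaces/nic0/ipConfigurations/ip1"],
}

if __name__ == "__main__":
    for subnet, msgs in audit(PLAN).items():
        print(subnet, "->", "; ".join(msgs))
```

Only the Bastion subnet that also carries a VM NIC is reported; the subnet holding two instances of the same service and the plain VMSS subnet pass.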

1 additional answer

  1. msrini-MSFT 9,256 Reputation points Microsoft Employee
    2023-01-18T16:24:12.1666667+00:00

    Hi, a few services need you to have a dedicated subnet because those products are built in such a way in the backend that deploying any other services on that subnet might break things. So, when you deploy any resource in the VNet, read through the doc and see if it requires a dedicated subnet, so you can plan accordingly. Yes, you are right, the services which you mentioned need a dedicated subnet, but there are more than 1000 services in Azure and there might be many services which require this config. Please read through the respective product doc and deploy accordingly.
