Share via

Confusion in the Subnets creation with the multi-region Azure projects

Rajoli Hari Krishna 781 Reputation points
2025-04-19T13:33:44.1266667+00:00

We have provisioned Azure Infrastructure within Landing Zone Subscriptions.

Our project resources (web apps, function apps, logic apps, storage accounts, SQL servers, OpenAI) are located in the UK South region, utilizing a virtual network with a 256 IP range allocation.

Resource Count: 12

This VNet includes three subnets, each with a /27 IP range:

  • Subnet 1: Used for creating private endpoints to Azure resources.
  • Subnet 2: Used for outbound integration with web apps and function apps.
  • Subnet 3: Used for outbound integration with logic apps, as the logic apps standard tier requires a dedicated subnet with /27 IP availability.

I understand that multiple subnets cannot be integrated for outbound VNet integration.

For the same project resources, if staff from different countries need access, we create private endpoints (e.g., East US).

To create private endpoints for the East US region, we provisioned a VNet with a 256 IP range.

Question: For the East US VNet, is a single subnet sufficient for creating private endpoints for the resources accessible to East US staff? Or do we need subnets 2 and 3 similar to the UK South region configuration?

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,729 questions
0 comments
Accepted answer
  1. Marcin Policht 46,190 Reputation points MVP Moderator
    2025-04-19T14:46:26.5366667+00:00

    That's an interesting question. Since you're only trying to allow East US staff to access Azure resources privately (via Private Endpoints), the East US VNet serves a different purpose compared to the UK South VNet that hosts your core services and integration requirements.

    In short, for the East US VNet, a single subnet is sufficient if its only purpose is to host private endpoints for accessing resources hosted in the UK South region.

    Private endpoints:

    • Are deployed in a subnet of your choice.
    • Create a NIC in that subnet that connects privately to the resource’s Private Link endpoint in another region (in your case, UK South).
    • Do not require outbound VNet integration, so there's no need for separate subnets like you have in UK South (e.g., for web apps or logic apps).

    You would only need additional subnets if you plan to:

    • Host web apps, function apps, or logic apps in East US and want VNet outbound integration.
    • Require NSGs or UDRs that you want to scope differently for different types of endpoints or apps.
    • Use private DNS zones with specific resolution boundaries (less common, but possible in complex setups).

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.