Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
2.1.2. Subnet Design Patterns
Subnets segment your VNet for organization, security, and service requirements. Some Azure services require dedicated subnets with specific names.
Required Dedicated Subnets:
| Subnet Name | Purpose | Minimum Size |
|---|---|---|
| GatewaySubnet | VPN/ExpressRoute gateways | /27 (recommend /26) |
| AzureFirewallSubnet | Azure Firewall | /26 |
| AzureFirewallManagementSubnet | Firewall forced tunneling | /26 |
| AzureBastionSubnet | Azure Bastion | /26 |
| RouteServerSubnet | Azure Route Server | /27 |
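As an added example (not part of the original course material or any Azure tooling), the following Python check validates a planned address layout against the minimum sizes in the table above before anything is deployed. The function name `validate_plan`, the plan format, and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Minimum sizes from the table above, expressed as the longest prefix
# length allowed for each reserved subnet name.
MIN_PREFIX = {
    "GatewaySubnet": 27,
    "AzureFirewallSubnet": 26,
    "AzureFirewallManagementSubnet": 26,
    "AzureBastionSubnet": 26,
    "RouteServerSubnet": 27,
}


def validate_plan(vnet_cidr, subnets):
    """Return findings for a {subnet_name: cidr} plan; an empty list means OK."""
    vnet = ipaddress.ip_network(vnet_cidr)
    findings, seen = [], []
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr)  # strict: rejects host bits set
        except ValueError as exc:
            findings.append(f"{name}: invalid CIDR {cidr!r} ({exc})")
            continue
        if net.version != vnet.version or not net.subnet_of(vnet):
            findings.append(f"{name}: {net} is outside VNet {vnet}")
        limit = MIN_PREFIX.get(name)
        if limit is not None and net.prefixlen > limit:
            findings.append(f"{name}: {net} is smaller than the /{limit} minimum")
        for other_name, other in seen:
            if net.overlaps(other):
                findings.append(f"{name}: {net} overlaps {other_name} ({other})")
        seen.append((name, net))
    return findings


# Constructed sample plan (hypothetical addresses, not from the source page).
SAMPLE_VNET = "10.0.0.0/16"
SAMPLE_PLAN = {
    "GatewaySubnet": "10.0.0.0/28",        # too small: needs /27 or larger
    "AzureFirewallSubnet": "10.0.1.0/26",  # meets the /26 minimum
    "AzureBastionSubnet": "10.0.1.32/27",  # too small and overlaps the firewall
    "app": "10.1.0.0/24",                  # outside the VNet address space
}

if __name__ == "__main__":
    for finding in validate_plan(SAMPLE_VNET, SAMPLE_PLAN):
        print(finding)
```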
Subnet Design Decision Tree:
Subnet Delegation: Some PaaS services require subnet delegation, which grants the service permission to inject resources into your subnet.
| Service | Delegation Required | What It Does |
|---|---|---|
| Azure Container Instances | Yes | Injects containers |
| Azure App Service | Yes | VNet integration |
| Azure SQL Managed Instance | Yes | Deploys managed instance |
| Azure NetApp Files | Yes | Storage injection |
Written by Alvin Varughese
Founder • 15 professional certifications