top of page
Writer's pictureBrett Borschel

IP Address Planning for Your Azure Cloud Network

Updated: Feb 7, 2022

After spending a lifetime working in networking, I can tell you that IP addresses matter!


A well thought out IP plan you should tell you right away, what, where, and how important a resource is by looking at the 4 octets of its IP address.


Now I understand that network topologies are incredibly unique and there is no "one size fits all" IP address plan. This is just an example to help you think holistically about IP addressing plans for your cloud.


First, let's set the stage... In this example scenario we will imagine a mid-sized company with a requirement for a primary cloud presence in the West and a secondary cloud presence in the East.


The company estimates they will have approximately 200 endpoints per region. These end points will be divided up amongst Virtual Machines, Database Servers, App Services, and other assorted cloud resources.


Creating the framework...

The regional supernet should be a large block of IP addresses that we intend to reserve for an entire region. In this case we can use the second octet of the address to mark the region.


Going forward, when we see an IP address with a second octet of 100 we will automatically know that it is in the West and 200 in the East.


Acendri-Solutions West - 10.100.0.0/16

Acendri-Solutions East - 10.200.0.0/16


We need to look at our requirements and make choices based on how large our cloud footprint will be. How many different types of applications are in the DevOps lifecycle that we need to partition IP space for?


In this example, we will plan for a fairly standard 3 phase DevOps lifecycle:

Development -> Testing -> Production


With entire IP space from the Supernet framework available we can carve out large IP blocks for each infrastructure segment of our DevOps life cycle. We can use /18 CIDR subnet boundaries for each segment if we want even sized address ranges.


10.x.0.0/18 - Subnet 0 to 63 - Infrastructure Services

10.x.64.0/18 - Subnet 64 to 127 - Production Services

10.x.128.0/18 - Subnet 128 to 191 - Testing Services

10.x.192.0/18 - Subnet 192 to 254 - Development Services


Using this address plan, we can roughly estimate how important a resource is based on how low its address is.


For example, if I received an email alert late at night for a server outage with an address of 10.200.235.x, I would automatically know that the server is in our secondary data centers development range and go to bed without thinking twice about it. Conversely, an alert from the 10.100.1.x space would indicate a regional internet facing firewall outage in the primary cloud region.


I'll say it again, IP addresses matter!


Continuing further down this address scheme, let's begin by allocating the first block.


Creating the Hub network...


If you read my last article, Azure Hub-Spoke Virtual Network Design Best Practices you would know that a well built cloud network has separated virtual network spokes for almost all purposes. This forces the cloud into a zone based security architecture that routes all traffic to a centralized firewall in the hub for inspection before routing it back to the spokes.


The Hub network landing zone should be purpose built and small. In our example, the enterprise sized company plans to use third party NVA firewalls and load balancers.


Because of these requirements we will need between 8 and 15 subnets for the Hub network. Let's create virtual networks of /20 size.


EnterpriseHub-West-Vnet - 10.100.0.0/20

  1. Firewall-Untrust Subnet - 10.100.1.0/24

  2. Firewall-Trusted Subnet - 10.100.2.0/24

  3. LoadBalancer-Untrust Subnet - 10.100.3.0/24

  4. LoadBalancer-Trusted Subnet - 10.100.4.0/24

  5. RouteServerSubnet Subnet - 10.100.5.0/24

  6. GatewaySubnet Subnet - 10.100.6.0/24

  7. AzureBastionSubnet - 10.100.14.0/24

  8. NetworkManagement Subnet - 10.100.15.0/24

EnterpriseHub-East-Vnet - 10.200.0.0/20

  1. Firewall-Untrust Subnet - 10.200.1.0/24

  2. Firewall-Trusted Subnet - 10.200.2.0/24

  3. LoadBalancer-Untrust Subnet - 10.200.3.0/24

  4. LoadBalancer-Trusted Subnet - 10.200.4.0/24

  5. RouteServerSubnet Subnet - 10.200.5.0/24

  6. GatewaySubnet Subnet - 10.200.6.0/24

  7. AzureBastionSubnet - 10.200.14.0/24

  8. NetworkManagement Subnet - 10.200.15.0/24


Creating the Identity Subscription Network...


The Identity network should be small, with space for a subnet to contain domain controllers. If we only plan on using a single tier of domain controllers across the enterprise, we can keep the Identity network sized to a single subnet or two. However, if we want to run separate domain controllers per DevOps lifecycle, we can create a virtual network with room for 3 or more subnets. Let's create the Identity network with the next available block of the Infrastructure Services supernet.



Identity-West-Vnet - 10.100.16.0/22

  1. Production-DC-Subnet 10.100.16.0/24

  2. Testing-DC-Subnet 10.100.17.0/24

  3. Dev-DC-Subnet 10.100.18.0/24

Identity-East-Vnet - 10.200.16.0/22

  1. Production-DC-Subnet 10.200.16.0/24

  2. Testing-DC-Subnet 10.200.17.0/24

  3. Dev-DC-Subnet 10.200.18.0/24


Creating the Lifecycle Environment IP Address Plans...


The Production and Testing lifecycle environments should be identical copies of each other in as many ways as possible so that the applications deployed into the test environment will provide measurable results before the same code is deployed into production.


Development is an area where having an IP framework that is similar to production and testing is a good practice, it can also be a lot more fluid. Needing to be flexible and responsive to the needs of the development team.


In our example architecture, we will follow an IP format that goes like this:


10.x.(y+z).0/nn

x = Region / y = DevOps lifecycle / z = Virtual Network / nn = Network Mask Size


So for West US region Production environment virtual network segments, we will start with 10.100.64.0/24 and count up from there.


Network Purpose

10.100.64.0/24 App1Name-WebServer01-vnet

10.100.65.0/24 App1Name-MiddlewareServer01-vnet

10.100.66.0/24 App1Name-DatabaseServer01-vnet

10.100.67.0/24 App1Name-Storage01-vnet

10.100.68.0/24 App2Name-AppService01-vnet

10.100.69.0/24 App2Name-FunctionApp01-vnet

10.100.70.0/24 App2Name-AzureSQL01-vnet

10.100.71.0/24 ...


The size and complexity of these virtual networks will be different for every company.


In this example address plan, it is important to understand that we will have a limit of sixty-four /24 networks with 255 hosts per DevOps environment. This should suffice for a mid-sized company with requirements to support a few main applications. However, we may need to be more flexible for the large enterprise.


We can double or triple the capacity of this address plan by shrinking the subnet sizes but will need to be more conscious of the subnet mask and gateway address for our endpoints.


From here we can duplicate this IP scheme into Testing by increasing the third octet to 128.


Network Purpose

10.100.128.0/24 App1Name-WebServer01-vnet

10.100.129.0/24 App1Name-MiddlewareServer01-vnet

10.100.130.0/24 App1Name-DatabaseServer01-vnet

10.100.131.0/24 App1Name-Storage01-vnet

... etc



Okay Great... Got Any Other Bright Ideas?


Well, if we wanted to have larger IP space that is a more identical replicate of each other we could play with the second octet instead for our lifecycle environment supernets. The downside to this IP plan is that you would need to inject several /16 routes for connectivity to your on-prem network. However, this might not be that big of a problem if you are using ExpressRoute and dynamically inject the cloud advertised BGP routes into the on-prem routing tables.


Azure West - 10.100s

10.100.0.0/16 - Hub

10.110.0.0/16 - Prod

10.120.0.0/16 - Testing

10.130.0.0/16 - Dev


Azure East - 10.200s

10.200.0.0/16 - Hub

10.210.0.0/16 - Prod

10.220.0.0/16 - Testing

10.230.0.0/16 - Dev


However, if summarizing is of more importance to you, chop out your regional blocks from large CIDR subnet boundaries. This might be important for a large enterprise who needs to route hybrid cloud space into a large and diverse on-prem network.


Azure West - 10.128.0.0/12

10.128.0.0/16 - Hub

10.129.0.0/16 - Prod

10.130.0.0/16 - Testing

10.131.0.0/16 - Dev


Azure East - 10.224.0.0/12

10.224.0.0/16 - Hub

10.2250.0.0/16 - Prod

10.226.0.0/16 - Testing

10.227.0.0/16 - Dev


The Conclusion


In summary, there are many ways to chop up your cloud IP space. I hope this article was helpful in highlighting how holistic IP planning can help create networks that communicate to your IT staff where, and what something is by just looking at the IP.


Thanks for reading.



Further reading:







1 Comment


Jack Smith
Jack Smith
Jul 26, 2022

Why have you made the hubs subnets large when for example bastion uses a /27? is this to keep all subnets the same size and less complicated?

Like
Post: Blog2_Post
bottom of page