Ken Muse

Mastering Azure Network Addresses


If you’re working with Azure, you have to ensure you can make the most of the Azure networking infrastructure. Connecting resources – in the cloud or on-premise – relies on knowing the basics of how to address elements of the network. To do this, it’s important to understand CIDR, or classless inter-domain routing. It will always be represented using the format ###.###.###.###/##.

If you’re not familiar with CIDR, it is essentially a method for notating an IP network addresses and its routing details. The first part of the notation is the starting point for a network address. It contains 4 values, separated by dots. This is followed by a routing prefix, denoted with a ‘/’ and a number indicating the routing mask or “prefix”.

The network prefix is the number of bits which represent the particular subnet. A complete network address has 32 bits. Bits not used to represent the subnet are used to represent individual resources on the network. If we use 27 bits for the network prefix, we have 5 bits we can use for addressing (giving us 25 possible addresses).

Basic Addressing

A network address is represented in “dotted quads”, for example 192.168.15.21. Each quad represents one byte, or 8 bits. To represent it as a single IP address in CIDR notation, we would annotate this as 192.168.15.21/32. This indicates it is a standalone IP in its own subnet.

If we want to create a subnet with 256 available IPs, then we need 8 bits. To notate the range 192.168.15.0 - 192.168.15.255, we need a 24 bit prefix. This provides us with 8 bits remaining for addressing. The address portion represents the start of the range, so we would represent this value as 192.168.15.0/24.

What if we only need 128 addresses? For that, we need just 7 bits. The CIDR notation would be 192.168.15.0/25. This provides us the range 192.168.15.0 - 192.168.15.127. To create a second subnet of 128 addresses, we could use 192.168.15.128/25. This creates the range 192.168.15.128 - 192.168.15.255.

The Big Picture

It’s worth mentioning that adding a bit to the prefix cuts the network size in half. Similarly, removing a bit doubles the size of the network. We saw this example already – a /24 has 256 addresses. Splitting the subnet in half means using a /25, creating two subnets of 128 addresses.

On each subnet with a size of /30 and greater, two addresses are always reserved for protocol conformance. The first address in a range is used for addressing the subnet, while the last is used as a broadcast address for reaching all of the resources on the subnet. Consequently, a /24 does not have 256 usable addresses – it only has 254. Using our /25 example above:

CIDR NotationNetwork AddressBroadcast AddressFirst Usable AddressLast Usable Address
192.168.15.0/25192.168.15.0192.168.15.127192.168.15.1192.168.15.126
192.168.15.128/25192.186.15.128192.168.15.255192.168.15.129192.168.15.254

Azure has an additional cloud limitation that we need to know: the first three IP addresses in a network are used by Azure for its internal services. In our example above, 192.168.15.4 and 192.168.15.132 are the first usable addresses in our two cloud subnets. It’s worth knowing that these same rules apply to Amazon as well.

Mathmatically, this means a given Azure subnet will always have 2n-5 available addresses, where n is the number of addressable bits. As mentioned above, the number of addressible bits is 32 - the prefix size.

So far, we’ve only discussed IPv4. This isn’t accidental. At the moment, virtual networking support for Azure is limited to IPv4. We cannot currently use IPv6 VNETs.

Magic Ranges

There’s a few ranges we need to make sure to remember when dealing with Azure. Rather than memorize the entire CIDR tables, we can actually distill most of our decisions down to a handful of prefixes that we need to know.

  • A /32 network represents a single IP address. This value is often used for firewall rules.
  • A /31 network consists of a network address and broadcast address, making it unusable as a standard subnet. A common use for a /31 is point-to-point communications, utilizing both addresses as standard IPs.
  • A /29 consists of 8 total addresses. This is the smallest subnet size supported by Azure, with 3 usable addresses.
  • A /27 consists of 32 total addresses. This is the minimium size recommended for an Azure gateway subnet, allowing for 27 usable addresses (see the Azure VPN Gateway FAQ)
  • A /24 consists of 256 total addresses. This is a Class C network.
  • A /16 consists of 64K total addresses. This is a Class B network.
  • A /8 consists of 16M total addresses. This is a Class A network and the largest size that Azure supports.

Going Forward

So there you have it – the basics of understanding the networking and CIDR notation for Azure. Take some time to memorize the 7 common prefixes. This will make sure that you can quickly calculate any values that might arise on the or during a design session. Azure will help you, identifying all of the values for a given subnet. Take advantage of this assistance – but understand the principals behind it.