Network topology

• Hub-Spoke
• Hub-Spoke with Azure Virtual WAN hub

Recommended subnet size

• AzureFirewallSubnet:
  • /26 (Azure Firewall doesn’t need a subnet bigger than /26)
  • https://docs.microsoft.com/en-us/azure/firewall/firewall-faq#does-the-firewall-subnet-size-need-to-change-as-the-service-scales
• GatewaySubnet
  • /27 or larger
  • If you plan on connecting 16 ExpressRoute circuits to your gateway, you must create a gateway subnet of /26 or larger
  • https://docs.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways#gwsub
• ApplicationGatewaySubnet
  • /24
  • Application Gateway (Standard_v2 or WAF_v2 SKU) can support up to 125 instances (125 instance IP addresses + 1 private front-end IP + 5 Azure reserved). A minimum subnet size of /24 is recommended.
  • Although a /24 subnet is not required per Application Gateway v2 SKU deployment, it is highly recommended
  • https://docs.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#size-of-the-subnet

IP allocation

• In case of hybrid network, design VNet address spaces carfully to avoid IP conflict
• If peering is involved (i.e. Hub-Spoke topology), allocate IP address spaces for all VNets first

Network Address Space