Ad slot — header (728x90)

Azure Subnet Planner

Last reviewed: May 2026

Azure VNet subnet planning involves more than basic CIDR math. Azure reserves 5 IP addresses in every subnet and requires dedicated, correctly sized subnets for managed services. Use the interactive planner below to generate a layout and export Bicep code.

Interactive Azure VNet Subnet Planner

Managed service subnets (fixed names required by Azure):

VPN/ER
FW
Bastion
App GW
FW Mgmt
Route Server

Workload subnets:

Subnet NameCIDRTypeAzure Usable IPsNotes
Plan your Azure VNet in SubnetSolver →

Azure IP Reservation Rule

Azure reserves 5 IP addresses in every subnet:
  1. .0 — Network address
  2. .1 — Default gateway
  3. .2 & .3 — Azure DNS mapping
  4. .255 — Broadcast address

Required Subnet Minimum Sizes

Azure enforces minimum subnet sizes for its managed services. Deploying into an undersized subnet will fail at provisioning time.

Subnet NameMinimum SizeTotal IPsUsable After ReservationNotes
GatewaySubnet/273227VPN & ExpressRoute gateways. /28 is deprecated.
AzureFirewallSubnet/266459Name must be exactly "AzureFirewallSubnet"
AzureFirewallManagementSubnet/266459Required when forced tunneling is enabled
AzureBastionSubnet/266459Name must be exactly "AzureBastionSubnet"
ApplicationGatewaySubnet/266459/24 recommended for autoscaling v2 SKU
RouteServerSubnet/273227Name must be exactly "RouteServerSubnet"
Naming matters: Azure validates exact subnet names for GatewaySubnet, AzureFirewallSubnet, and AzureBastionSubnet. Any typo means the managed service will refuse to deploy.
Open SubnetSolver to verify your Azure CIDRs →

Related Guides

Ad slot — footer (728x90)