Commit 7480911

Updated table text
1 parent d12aaac commit 7480911

1 file changed

+10
-7
lines changed

articles/virtual-network/virtual-network-manage-subnet.md

Lines changed: 10 additions & 7 deletions
@@ -5,12 +5,11 @@ description: Learn where to find information about virtual networks and how to a
55
services: virtual-network
66
documentationcenter: na
77
author: mbender-ms
8-
manager: mtillman
98
ms.service: virtual-network
109
ms.topic: how-to
1110
ms.tgt_pltfrm: na
1211
ms.workload: infrastructure-services
13-
ms.date: 03/20/2020
12+
ms.date: 06/27/2022
1413
ms.author: mbender
1514
---
1615

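Review bot: The commit message says only "Updated table text", but this front-matter hunk also drops `manager: mtillman` and changes `ms.date` from 03/20/2020 to 06/27/2022. Suggest mentioning the metadata change in the commit message, or confirming that removing the `manager` field is intended, so the change is traceable later.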
@@ -45,11 +44,14 @@ The account you sign in to, or connect to Azure with, must be assigned to the [N
4544
| Setting | Description |
4645
| --- | --- |
4746
| **Name** | The name must be unique within the virtual network. For maximum compatibility with other Azure services, we recommend using a letter as the first character of the name. For example, Azure Application Gateway won't deploy into a subnet that has a name that starts with a number. |
48-
| **Address range** | <p>The range must be unique within the address space for the virtual network. The range can't overlap with other subnet address ranges within the virtual network. The address space must be specified by using Classless Inter-Domain Routing (CIDR) notation.</p><p>For example, in a virtual network with address space *10.0.0.0/16*, you might define a subnet address space of *10.0.0.0/22*. The smallest range you can specify is */29*, which provides eight IP addresses for the subnet. Azure reserves the first and last address in each subnet for protocol conformance. Three additional addresses are reserved for Azure service usage. As a result, defining a subnet with a */29* address range results in three usable IP addresses in the subnet.</p><p>If you plan to connect a virtual network to a VPN gateway, you must create a gateway subnet. Learn more about [specific address range considerations for gateway subnets](../vpn-gateway/vpn-gateway-about-vpn-gateway-settings.md?toc=%2fazure%2fvirtual-network%2ftoc.json#gwsub). You can change the address range after the subnet is added, under specific conditions. To learn how to change a subnet address range, see [Change subnet settings](#change-subnet-settings).</p> |
47+
| **Subnet address range** | <p>The range must be unique within the address space for the virtual network. The range can't overlap with other subnet address ranges within the virtual network. The address space must be specified by using Classless Inter-Domain Routing (CIDR) notation.</p><p>For example, in a virtual network with address space *10.0.0.0/16*, you might define a subnet address space of *10.0.0.0/22*. The smallest range you can specify is */29*, which provides eight IP addresses for the subnet. Azure reserves the first and last address in each subnet for protocol conformance. Three more addresses are reserved for Azure service usage. As a result, defining a subnet with a */29* address range results in three usable IP addresses in the subnet.</p><p>If you plan to connect a virtual network to a VPN gateway, you must create a gateway subnet. Learn more about [specific address range considerations for gateway subnets](../vpn-gateway/vpn-gateway-about-vpn-gateway-settings.md?toc=%2fazure%2fvirtual-network%2ftoc.json#gwsub). You can change the address range after the subnet is added, under specific conditions. To learn how to change a subnet address range, see [Change subnet settings](#change-subnet-settings).</p> |
48+
| **Add IPv6 address space** | You can create a virtual network that's dual-stack (supports IPv4 and IPv6) by adding an existing IPv6 address space. You can also add IPv6 support later, after creating the virtual network. Currently, IPv6 isn't fully supported for all services in Azure. To learn more about IPv6 and its limitations, see [Overview of IPv6 for Azure Virtual Network](ip-services/ipv6-overview.md)|
49+
| **NAT gateway** | To provide Network Address Translation (NAT) to resources on a subnet, you may associate an existing NAT gateway to a subnet. The NAT gateway must exist in the same subscription and location as the virtual network. Learn more about [Virtual Network NAT](./nat-gateway/nat-overview.md) and [how to create a NAT gateway](./nat-gateway/quickstart-create-nat-gateway-portal.md)
4950
| **Network security group** | To filter inbound and outbound network traffic for the subnet, you may associate an existing network security group to a subnet. The network security group must exist in the same subscription and location as the virtual network. Learn more about [network security groups](./network-security-groups-overview.md) and [how to create a network security group](tutorial-filter-network-traffic.md). |
5051
| **Route table** | To control network traffic routing to other networks, you may optionally associate an existing route table to a subnet. The route table must exist in the same subscription and location as the virtual network. Learn more about [Azure routing](virtual-networks-udr-overview.md) and [how to create a route table](tutorial-create-route-table-portal.md). |
5152
| **Service endpoints** | <p>A subnet may optionally have one or more service endpoints enabled for it. To enable a service endpoint for a service, select the service or services that you want to enable service endpoints for from the **Services** list. Azure configures the location automatically for an endpoint. By default, Azure configures the service endpoints for the virtual network's region. To support regional failover scenarios, Azure automatically configures endpoints to [Azure paired regions](../availability-zones/cross-region-replication-azure.md?toc=%2fazure%2fvirtual-network%2ftoc.json) for Azure Storage.</p><p>To remove a service endpoint, unselect the service you want to remove the service endpoint for. To learn more about service endpoints, and the services they can be enabled for, see [Virtual network service endpoints](virtual-network-service-endpoints-overview.md). Once you enable a service endpoint for a service, you must also enable network access for the subnet for a resource created with the service. For example, if you enable the service endpoint for **Microsoft.Storage**, you must also enable network access to all Azure Storage accounts you want to grant network access to. To enable network access to subnets that a service endpoint is enabled for, see the documentation for the individual service you enabled the service endpoint for.</p><p>To validate that a service endpoint is enabled for a subnet, view the [effective routes](diagnose-network-routing-problem.md) for any network interface in the subnet. When you configure an endpoint, you see a *default* route with the address prefixes of the service, and a next hop type of **VirtualNetworkServiceEndpoint**. To learn more about routing, see [Virtual network traffic routing](virtual-networks-udr-overview.md).</p> |
5253
| **Subnet delegation** | A subnet may optionally have one or more delegations enabled for it. Subnet delegation gives explicit permissions to the service to create service-specific resources in the subnet using a unique identifier during service deployment. To delegate for a service, select the service you want to delegate to from the **Services** list. |
54+
| **Network policy for private endpoints**| To control traffic going to a private endpoint, you can use network security groups, application security groups, or user defined routes. Set the private endpoint network policy to *Enabled* to use these controls on a subnet. Once enabled, network policy applies to all private endpoints on the subnet. To learn more, see [Manage network policies for private endpoints](../private-link/disable-private-endpoint-network-policy.md). |
5355

5456
5. To add the subnet to the virtual network that you selected, select **OK**.
5557

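Review bot: The new **NAT gateway** row has no closing period and no trailing ` |`, unlike every other row in this table, and the new **Add IPv6 address space** row ends with `ipv6-overview.md)|`, with no period or space before the pipe. Suggest ending both rows with `. |` so they match the neighbouring rows. In the new **Network policy for private endpoints** row, a space before the `|` after the bold name and the hyphenated form "user-defined routes" would keep the table consistent.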
@@ -74,11 +76,12 @@ The account you sign in to, or connect to Azure with, must be assigned to the [N
7476

7577
| Setting | Description |
7678
| --- | --- |
77-
| **Address range** | If no resources are deployed within the subnet, you can change the address range. If any resources exist in the subnet, you must either move the resources to another subnet, or delete them from the subnet first. The steps you take to move or delete a resource vary depending on the resource. To learn how to move or delete resources that are in subnets, read the documentation for each of those resource types. See the constraints for **Address range** in step 4 of [Add a subnet](#add-a-subnet). |
78-
| **Users** | You can control access to the subnet by using built-in roles or your own custom roles. Access **Mangage Users** by selecting the ellipse (...) to the right of the **Route table** column. To learn more about assigning roles and users to access the subnet, see [Assign Azure roles](../role-based-access-control/role-assignments-portal.md?toc=%2fazure%2fvirtual-network%2ftoc.json). |
79-
| **Network security group** and **Route table** | See step 4 of [Add a subnet](#add-a-subnet). |
79+
| **Subnet address range** | If no resources are deployed within the subnet, you can change the address range. If any resources exist in the subnet, you must either move the resources to another subnet, or delete them from the subnet first. The steps you take to move or delete a resource vary depending on the resource. To learn how to move or delete resources that are in subnets, read the documentation for each of those resource types. See the constraints for **Address range** in step 4 of [Add a subnet](#add-a-subnet). |
80+
| **Users** | You can control access to the subnet by using built-in roles or your own custom roles. Access **Manage Users** by selecting the ellipse (...) to the right of the **Route table** column. To learn more about assigning roles and users to access the subnet, see [Assign Azure roles](../role-based-access-control/role-assignments-portal.md?toc=%2fazure%2fvirtual-network%2ftoc.json). |
81+
| **Add IPv6 address space**, **NAT Gateway**, **Network security group**, and **Route table** | See step 4 of [Add a subnet](#add-a-subnet). |
8082
| **Service endpoints** | <p>See service endpoints in step 4 of [Add a subnet](#add-a-subnet). When enabling a service endpoint for an existing subnet, ensure that no critical tasks are running on any resource in the subnet. Service endpoints switch routes on every network interface in the subnet. The service endpoints go from using the default route with the *0.0.0.0/0* address prefix and next hop type of *Internet*, to using a new route with the address prefixes of the service and a next hop type of *VirtualNetworkServiceEndpoint*.</p><p>During the switch, any open TCP connections may be terminated. The service endpoint isn't enabled until traffic flows to the service for all network interfaces are updated with the new route. To learn more about routing, see [Virtual network traffic routing](virtual-networks-udr-overview.md).</p> |
81-
| **Subnet delegation** | See service endpoints in step 4 of [Add a subnet](#add-a-subnet). Subnet delegation can be modified to zero or multiple delegations enabled for it. If a resource for a service is already deployed in the subnet, subnet delegation can't be added or removed until all the resources for the service are removed. To delegate for a different service, select the service you want to delegate to from the **Services** list. |
83+
| **Subnet delegation** | Subnet delegation can be modified to zero or multiple delegations enabled for it. If a resource for a service is already deployed in the subnet, subnet delegation can't be added or removed until all the resources for the service are removed. To delegate for a different service, select the service you want to delegate to from the **Services** list. |
84+
| **Network policy for private endpoints**| See step 4 of [Add a subnet](#add-a-subnet). |
8285

8386
6. Select **Save**.
8487

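Review bot: The renamed **Subnet address range** row still tells readers to see "the constraints for **Address range** in step 4", which is the setting name this commit replaces in the Add a subnet table. Suggest updating that cross-reference to **Subnet address range**. In the combined row, **NAT Gateway** is capitalised differently from the **NAT gateway** row it refers to, and "ellipse (...)" in the **Users** row should read "ellipsis".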