AZURE GATEWAY SUBNET
The Azure gateway subnet is needed by Azure to host the two virtual machines of your Azure gateway. Specify an address space with at least a 29-bit prefix length (example: 192.168.15.248/29). A 28-bit or smaller prefix length is recommended, especially if you are planning to use ExpressRoute.
You might see there’s this gateway subnet option at the top in the subnet blade. Let me tell you a little bit about that. If you’re going to be creating a virtual private network, the virtual private network uses what’s called a network gateway to connect your own network, whether you’re in your own corporation or in your own home, into Microsoft Azure, but the gateway needs its own subnet. So, if I want to add a virtual private network to my virtual network, then I would have to start by adding a gateway subnet. There are really no options here other than choosing this range of addresses. It doesn’t need that much, but /28 is fine. I could say, okay, I’ll do that, and it will add a gateway subnet to my network, and that way I can connect a private network to it.
The gateway subnet contains the IP addresses that the virtual network gateway services use. You need to create a gateway subnet for your VNet in order to configure a virtual network gateway. All gateway subnets must be named ‘GatewaySubnet’ to work properly. Don’t name your gateway subnet something else. And don’t deploy VMs or anything else to the gateway subnet.
When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The IP addresses in the gateway subnet are allocated to the gateway service. Some configurations require more IP addresses to be allocated to the gateway services than do others. You want to make sure your gateway subnet contains enough IP addresses to accommodate future growth and possible additional new connection configurations. So, while you can create a gateway subnet as small as /29, we recommend that you create a gateway subnet of /27 or larger (/27, /26, /25 etc.). Look at the requirements for the configuration that you want to create and verify that the gateway subnet you have will meet those requirements.
There are a few prefixes we need to make sure to remember when dealing with Azure. Rather than memorize the entire CIDR tables, we can actually distill most of our decisions down to a handful of prefixes that we need to know:
- A /32 represents a single IP address. This value is often used for firewall rules.
- A /29 consists of 8 total addresses. This is the smallest subnet size supported by Azure, with 3 usable addresses.
- A /27 consists of 32 total addresses. This is the minimum size recommended for an Azure gateway subnet, allowing for 27 usable addresses (see the Azure VPN Gateway FAQ).
- A /24 consists of 256 total addresses. This is a Class C network.
- A /16 consists of 64K total addresses. This is a Class B network.
- A /8 consists of 16M total addresses. This is a Class A network and the largest size that Azure supports.
Before you create a VPN gateway, you must create a gateway subnet. The gateway subnet contains the IP addresses that the virtual network gateway VMs and services use. When you create your virtual network gateway, gateway VMs are deployed to the gateway subnet and configured with the required VPN gateway settings. Never deploy anything else (for example, additional VMs) to the gateway subnet. The gateway subnet must be named ‘GatewaySubnet’ to work properly. Naming the gateway subnet ‘GatewaySubnet’ lets Azure know that this is the subnet to deploy the virtual network gateway VMs and services to.
User-defined routes with a 0.0.0.0/0 destination and NSGs on the GatewaySubnet are not supported. Gateways created with this configuration will be blocked from creation. Gateways require access to the management controllers in order to function properly. BGP Route Propagation should be set to “Enabled” on the GatewaySubnet to ensure availability of the gateway. If this is set to disabled, the gateway will not function.
When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The IP addresses in the gateway subnet are allocated to the gateway VMs and gateway services. Some configurations require more IP addresses than others.
When you are planning your gateway subnet size, refer to the documentation for the configuration that you are planning to create. For example, the ExpressRoute/VPN Gateway coexist configuration requires a larger gateway subnet than most other configurations. Additionally, you may want to make sure your gateway subnet contains enough IP addresses to accommodate possible future additional configurations. While you can create a gateway subnet as small as /29, we recommend that you create a gateway subnet of /27 or larger (/27, /26 etc.) if you have the available address space to do so. This will accommodate most configurations.
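The sizing rules above (the /29 floor, the /27 recommendation, and the five addresses Azure reserves in every subnet, which is what turns a /29 into 3 usable addresses and a /27 into 27) can be checked before anything is deployed. The following Python is an added example, not code from Azure's documentation; the subnet names and address plans it checks are constructed.

```python
from __future__ import annotations

import ipaddress

# Azure reserves five addresses in every subnet: the network address, the
# default gateway, two addresses for Azure DNS, and the broadcast address.
AZURE_RESERVED = 5
SMALLEST_PREFIX = 29     # smallest subnet Azure accepts
RECOMMENDED_PREFIX = 27  # recommended minimum for a GatewaySubnet


def subnet_capacity(cidr: str) -> dict:
    """Total and Azure-usable address counts for a prefix.

    strict=True rejects host bits set in the network part ("10.0.3.5/27"),
    a common planning slip that Azure would also reject.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    total = net.num_addresses
    return {"prefix": net.prefixlen, "total": total,
            "usable": max(total - AZURE_RESERVED, 0)}


def check_gateway_subnet(name: str, cidr: str) -> list[tuple[str, str]]:
    """Validate a planned gateway subnet; returns (severity, message) findings.

    An empty list means the plan satisfies the hard rules (name, valid
    prefix, /29 floor) and the /27 recommendation.
    """
    findings = []
    if name != "GatewaySubnet":
        findings.append(("error", f"subnet must be named 'GatewaySubnet', got '{name}'"))
    try:
        cap = subnet_capacity(cidr)
    except ValueError as exc:
        findings.append(("error", f"invalid CIDR {cidr!r}: {exc}"))
        return findings
    if cap["prefix"] > SMALLEST_PREFIX:
        findings.append(("error", f"/{cap['prefix']} is below the /{SMALLEST_PREFIX} "
                                  "minimum Azure supports"))
    elif cap["prefix"] > RECOMMENDED_PREFIX:
        findings.append(("warning", f"/{cap['prefix']} works but leaves only "
                                    f"{cap['usable']} usable addresses; "
                                    f"/{RECOMMENDED_PREFIX} or larger is recommended"))
    return findings


if __name__ == "__main__":
    # Reproduce the prefix table from the text, then check constructed plans.
    for prefix in (32, 29, 27, 24, 16, 8):
        cap = subnet_capacity(f"10.0.0.0/{prefix}")
        print(f"/{prefix:<3} total={cap['total']:>9} usable={cap['usable']:>9}")
    for plan in (("GatewaySubnet", "10.0.3.0/27"), ("GatewaySubnet", "192.168.15.248/29"),
                 ("gateway-subnet", "10.0.3.0/30"), ("GatewaySubnet", "10.0.3.5/27")):
        print(plan, check_gateway_subnet(*plan) or "ok")
```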
The following Resource Manager PowerShell example shows a gateway subnet named GatewaySubnet. You can see the CIDR notation specifies a /27, which allows for enough IP addresses for most configurations that currently exist.
# $vnet holds the target VNet object (from Get-AzVirtualNetwork); run Set-AzVirtualNetwork afterwards to commit the change.
Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.0.3.0/27 -VirtualNetwork $vnet