How to Design Private IP Address for Azure vNET Subnets
I’ll show you how to design private IP addresses for your Azure virtual network subnets using simple steps in this guide.
Overview
When you design the IP addressing scheme for your Azure Virtual Network (vNET) subnets, it must meet the following:
- It cannot overlap with any other Azure vNET or the on-premises network.
- Plan for current capacity and future growth.
Remember that Azure reserves three IP addresses by default in every subnet. Additionally, the first and last IP addresses of every subnet are reserved for protocol conformance.
The first address of a subnet (for example, 192.168.10.0) is called the network address, while the last address (192.168.10.255) is called the broadcast address.
For example, consider the CIDR 192.168.10.0/24. The first IP address (192.168.10.0) is reserved for protocol conformance. Meanwhile, the next three IP addresses (192.168.10.1, 192.168.10.2, and 192.168.10.3) are reserved for Azure.
Azure uses the .1 IP address as the subnet’s default gateway, while the .2 and .3 addresses are DNS addresses.
In the remaining sections of this guide, I will explain the basic steps to determining a CIDR’s subnet mask and number of available IP addresses.
The Basics of IP Address Subnet Calculation
An IP address has 4 octets, separated by periods. An octet represents 8 bits (11111111). So, 4 octets is:
11111111.11111111.11111111.11111111
Taking this to the next step, each octet of eight 1s equals 255 in decimal. So, the above values are the same as:
255.255.255.255
Here is how we got the 255:
Counting from left to right, the first bit of an octet equals 2^7 (128), the second 2^6 (64), and so forth. The table below (Table 1.0) gives a full breakdown of the eight bits in an octet:
Bit | Power of 2 | Decimal value |
1 | 2^7 | 128 |
1 | 2^6 | 64 |
1 | 2^5 | 32 |
1 | 2^4 | 16 |
1 | 2^3 | 8 |
1 | 2^2 | 4 |
1 | 2^1 | 2 |
1 | 2^0 | 1 |
Total (32) | Total (128+64+32+16+8+4+2+1) | 255 |
Equally important, if you count the 1s in all four octets (the binary numbers), you get 32.
11111111.11111111.11111111.11111111
But what is the relationship between these numbers and an IP address? Let’s find out in the following sections.
Calculating Network and Host Address in a CIDR
Azure subnet IPv4 addresses, like on-premises subnets, are written in a Classless Inter-Domain Routing (CIDR) notation. In CIDR notation, a subnet is divided into 2 parts, separated by a “/”.
An example of a subnet written in CIDR notation is 192.168.10.0/24. The first part of the IP address (“192.168.10.0”) is the network address.
Meanwhile, the second part, “24,” indicates that the first 24 bits are part of the network address, which leaves 8 (32-24) bits for host addresses.
If you recall, in the last section, I explained that the total bits in the 4 octets of an IP address—11111111.11111111.11111111.11111111—equals 32.
This is how we arrived at 32-24 to give us 8.
This brings us to the next part of the calculation: determining the subnet mask and the number of IP addresses available to be assigned to hosts in the subnet.
Continuing with our 192.168.10.0/24 example, the octets will be written as shown below:
11111111.11111111.11111111.00000000
This is the same as 255.255.255.0, which is the subnet mask of 192.168.10.0/24.
Each 255 is computed using table 1.0 above.
The remaining 8 digits are used to compute the number of IP addresses available to be assigned to hosts using the formula:
2^x - 2
where x is the number of digits left for host addresses. In the CIDR 192.168.10.0/24, it is 8.
So, the number of available IPs is:
2^8 - 2 = 256 - 2 = 254
As I mentioned earlier, the formula subtracts 2 because the first and last IP addresses are reserved.
So, for the subnet 192.168.10.0/24, the subnet mask is 255.255.255.0, and 254 addresses are available to hosts.
Remember that Azure keeps the first three IP addresses, so you have 254 – 3 (251) IP addresses that can be assigned to hosts in the Azure subnet.
In summary, here are the steps to determine the subnet mask and the number of available IPs in a subnet:
- Write down the CIDR in binary format using the octet notation. For example, 192.168.10.0/24 means that the first 24 bits will be 1, while the last 8 will be 0s.
11111111.11111111.11111111.00000000
- Compute the subnet mask by converting the network address octets into decimals using the table from the last section. Here is the table:
Bit | Power of 2 | Decimal value |
1 | 2^7 | 128 |
1 | 2^6 | 64 |
1 | 2^5 | 32 |
1 | 2^4 | 16 |
1 | 2^3 | 8 |
1 | 2^2 | 4 |
1 | 2^1 | 2 |
1 | 2^0 | 1 |
Total | 128+64+32+16+8+4+2+1 | 255 |
Remember that the above table is computed from the left to right of the octets. So, if we convert 11111111.11111111.11111111.00000000 to decimals using the above table, we get 255.255.255.0.
We compute the value in places where we have 1, and we do not where we have a 0. So, the first, second, and third octets have 1s, which is 255.255.255.
However, the last octet has all 0s, which gives us 0. Combining 255.255.255. and .0, we get 255.255.255.0
- Compute the number of IP addresses available in the subnet using the formula 2^x - 2, where x equals the number of digits remaining after removing the network address digits.
- Finally, subtract 3 IP addresses (reserved for Azure) to determine the final number of IP addresses available for hosts in the subnet.
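The steps above can be followed in code. This Python function is an added example, not part of the original guide; the name describe_azure_subnet and the dictionary keys are chosen here for illustration.

```python
import ipaddress


def describe_azure_subnet(cidr):
    """Apply the four steps above to one IPv4 CIDR and return the results."""
    # strict=True rejects a CIDR whose address has host bits set,
    # for example 10.20.11.0/23 (the /23 block starts at 10.20.10.0).
    net = ipaddress.ip_network(cidr, strict=True)
    host_bits = 32 - net.prefixlen
    if net.version != 4 or host_bits < 3:
        raise ValueError("an Azure IPv4 subnet needs a prefix of /29 or shorter")

    # Step 1: network bits are 1s, host bits are 0s.
    mask_int = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    # Step 2: split into four octets and read each one as a decimal number.
    octets = [(mask_int >> shift) & 0xFF for shift in (24, 16, 8, 0)]
    # Step 3: 2^x - 2 (network and broadcast addresses are not assignable).
    conventional = 2 ** host_bits - 2
    # Step 4: Azure also keeps the three addresses after the network address.
    azure_hosts = conventional - 3

    base = int(net.network_address)
    return {
        "mask_binary": ".".join(f"{o:08b}" for o in octets),
        "mask": ".".join(str(o) for o in octets),
        "host_bits": host_bits,
        "conventional_hosts": conventional,
        "azure_hosts": azure_hosts,
        "azure_reserved": [str(ipaddress.ip_address(base + i)) for i in (1, 2, 3)],
        "first_usable": str(ipaddress.ip_address(base + 4)),
        "last_usable": str(net.broadcast_address - 1),
    }


if __name__ == "__main__":
    for key, value in describe_azure_subnet("192.168.10.0/24").items():
        print(f"{key:20} {value}")
```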
So far, we have computed network addresses and host IP addresses from a CIDR. However, in some design scenarios, you may know how many IP addresses are required and need to determine the CIDR.
For example, what will be the CIDR of 172.16.0.0 that will give me 1,000 host addresses?
Using the formula,
2^x - 2 = 1000
We can compute the value of x (the host digits in the octet notation) with this formula:
x = ln(1000)/ln (2) = 9.97
Copying ln(1000)/ln (2) to an AI tool like ChatGPT, Copilot, or Gemini will compute it for you. Alternatively, open the calculator on your Windows computer and enable the scientific feature. Then, to compute ln(1000)/ln (2), enter 1000 and press ln. After that, press the division sign, then enter 2, and press ln. Finally, press the equal sign to compute the result.
If you need a formula for this, it is:
host bits = ln(number of hosts)/ln (2)
Since the host digits have to be a whole number, we must round 9.97 up to 10. So, the CIDR 172.16.0.0/22 will give us 2^10 - 2 = 1,022 hosts.
I got 22 by subtracting 10 from 32. 32 is the total number of digits in 11111111.11111111.11111111.11111111.
To compute the subnet mask, convert the octets below to decimal:
11111111.11111111.11111100.00000000
The first 22 digits are for network addresses (from 172.16.0.0/22), while the last 10 digits are for host addresses. So, the first and second octets give us 255.255 (see Table 1.0).
Meanwhile, in the third octet, we have just the first 6 digits as 1s, which gives us 2^7 + 2^6 + 2^5 + 2^4 + 2^3 + 2^2 = 128 + 64 + 32 + 16 + 8 + 4 = 252.
Finally, the last octet is all 0s, so the subnet mask is 255.255.252.0. Therefore the CIDR is 172.16.0.0/255.255.252.0 or 172.16.0.0/22.
Azure vNET Subnet IP Address Design Examples
You plan to create an Azure vNET called CoreServicesVnet with two subnets in the 10.20.10.0 and 10.20.20.0 private IP addresses.
The 10.20.10.0 subnet will be called SharedServicesSubnet, while 10.20.20.0 will be called DatabaseSubnet.
You expect the SharedServicesSubnet subnet to have 500 VMs and DatabaseSubnet 700 VMs. Determine the network address and host sizes of the subnets.
Let’s start with the SharedServicesSubnet, where we expect to have 500 VMs. To determine the host bit size, use the formula:
host bits = ln(number of hosts)/ln (2)
So, for 500 hosts, the host bits are:
host bits = ln(500)/ln (2) = 8.9 = 9 (approximated)
If 9 is the host bit, the network address bit is 32-9 = 23. Thus, the subnet’s CIDR is 10.20.10.0/23.
Write the 23 bits in the octet notation to determine the subnet mask.
11111111.11111111.11111110.00000000
Based on the above octet representation, the first two octets are 255.255. Meanwhile, in the third octet, 7 digits are 1s, while the last digit is a 0.
7 digits of 1s equals 2^7 + 2^6 + 2^5 + 2^4 + 2^3 + 2^2 + 2^1 = 128 + 64 + 32 + 16 + 8 + 4 + 2 = 254.
So, the subnet mask is 255.255.254.0 (all digits in the last octet are 0s). To determine the actual number of available IPs for hosts, use:
2^9 - 2 = 512 - 2 = 510
So, the CIDR, 10.20.10.0/23 allows for 510 IP addresses for hosts, which will be 507 hosts, considering that Azure reserves the first 3 IP addresses.
Specifically, the first available IP address is 10.20.10.4, and the last is 10.20.11.254.
For the DatabaseSubnet (10.20.20.0) that requires 700 IP addresses, the host bit is:
host bits = ln(700)/ln (2) = 9.45 = 10 (approximated)
So, the network address bit is 32-10, which is 22. Writing this in octet notation, we get:
11111111.11111111.11111100.00000000
The subnet mask is 255.255.252.0
252 = 2^7 + 2^6 + 2^5 + 2^4 + 2^3 + 2^2 (11111100). So, the CIDR is 10.20.20.0/22 or 10.20.20.0/255.255.252.0.
The actual number of IP addresses for hosts is 2^10 - 2 = 1022. If we account for Azure reserved IPs, we will have 1019 IP addresses, which is enough for the 700 VMs we expect in this subnet.
The first IP address for an Azure VM will be 10.20.20.4, while the last will be 10.20.23.254.
To confirm that this works, here is a screenshot of the last stage of creating an Azure vNET with these two subnets.
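As an added example (not from the original guide), this Python function sizes a subnet from a required VM count. It counts all five addresses reserved in an Azure subnet, so a requirement such as 510 VMs is not undersized, and it rejects a base address that is off the prefix boundary or that overlaps a range already in use. The name size_subnet, the in_use parameter and the 10.20.22.0/24 range in the demo are assumptions made for the example.

```python
import ipaddress

AZURE_RESERVED = 5  # network, gateway (.1), DNS (.2, .3) and broadcast addresses


def size_subnet(base_address, required_hosts, in_use=()):
    """Return (network, usable_hosts) for the smallest Azure subnet that fits.

    in_use lists CIDRs already taken by other vNETs or on-premises networks.
    """
    if required_hosts < 1:
        raise ValueError("required_hosts must be at least 1")
    # Smallest x with 2^x >= hosts + reserved, using integer arithmetic.
    host_bits = (required_hosts + AZURE_RESERVED - 1).bit_length()
    host_bits = max(host_bits, 3)  # Azure's smallest IPv4 subnet is /29
    prefix = 32 - host_bits
    candidate = ipaddress.ip_network(f"{base_address}/{prefix}", strict=False)
    # The base must sit on a block boundary, or the subnet would start elsewhere.
    if candidate.network_address != ipaddress.ip_address(base_address):
        raise ValueError(
            f"{base_address} is not a /{prefix} boundary "
            f"(that block starts at {candidate.network_address})"
        )
    for other in in_use:
        other_net = ipaddress.ip_network(other)
        if candidate.overlaps(other_net):
            raise ValueError(f"{candidate} overlaps {other_net}")
    return candidate, candidate.num_addresses - AZURE_RESERVED


if __name__ == "__main__":
    shared, shared_hosts = size_subnet("10.20.10.0", 500)
    print("SharedServicesSubnet", shared, shared_hosts)
    db, db_hosts = size_subnet("10.20.20.0", 700, in_use=[str(shared)])
    print("DatabaseSubnet", db, db_hosts)
    # Constructed failure cases: 510 VMs needs a /22, which 10.20.10.0 is not
    # aligned to; 10.20.22.0/24 is a made-up on-premises range inside the /22.
    for base, hosts, taken in [("10.20.10.0", 510, []),
                               ("10.20.20.0", 700, ["10.20.22.0/24"])]:
        try:
            size_subnet(base, hosts, taken)
        except ValueError as err:
            print("rejected:", err)
```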
Conclusion
Designing and planning private IP addressing for Azure vNET subnets is similar to doing the same task for your on-premises network, with a few differences.
The secret is learning how to compute the network and host subnet portions in CIDR notation. In this guide, I walked you through the simplified steps to complete these tasks and I hope you found it helpful.