Azure VNet and address space - azure

Just started learning Azure Virtual Network. The following excerpt is about Address Space as defined here: VNet Address Space. Question: When you say a VNet has an address space 10.0.0.0/16, what does it mean? I have read that an address space is a range of IP addresses for a Virtual Network and its subnets. What is 16 in 10.0.0.0/16, and when you assign an IP address to a resource from this address space, what role does 10.0.0.0/16 play? I assume you cannot just pick any four numbers and create an IP address xx.x.x.x (x's are numbers here) for a resource in the VNet with the above address space. I just read some online docs on the subject but, for a newbie in this subject, I found those to be a bit overwhelming to understand. Can there be a simple explanation to start with?
Address space: When creating a VNet, you must specify a custom private IP address space using public and private (RFC 1918) addresses. Azure assigns resources in a virtual network a private IP address from the address space that you assign. For example, if you deploy a VM in a VNet with address space, 10.0.0.0/16, the VM will be assigned a private IP like 10.0.0.4.

Think about the internet with 255.255.255.255 addresses.
Now think about your internal/private at home Router/Switch network and how it typically starts with 192.168.0.0.
In organisations you typically assign the private network with 10.0.0.0 addresses. NIC cards in PCs can communicate using the internal network as well as the public internet.
Question: When you say a VNet has an address space 10.0.0.0/16, what does it mean?
In order to define the size of the network (how many IP addresses) we use a CIDR range.
So for a network with 10.0.0.0/28, the calculation is 32 minus the CIDR, e.g.:
32 - 28 = 4
Then 2 to the power of the result:
2^4 = 2 * 2 * 2 * 2
16 addresses!
In real life you'd create a VNet with more than 16 addresses, because inside VNets you define subnets, which are smaller address ranges that fit inside the VNet's address range.
Your example of 10.0.0.0/16 is a more realistic VNet size for an organisation and equals 65536 addresses.
Ref: https://devblogs.microsoft.com/premier-developer/understanding-cidr-notation-when-designing-azure-virtual-networks-and-subnets/#:~:text=The%20second%2C%20and%20most%20important,which%20provides%20eight%20IP%20addresses.
It's best to learn this particular topic (VNets & subnets with CIDR) from online videos, because it involves electronics with masking and binary; it can confuse people when they look deeper beyond what I've just explained.
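As an added illustration (not part of the answer above), the arithmetic the answer walks through, done with Python's standard ipaddress module on the 10.0.0.0/28 and 10.0.0.0/16 blocks discussed; it also shows why an arbitrary x.x.x.x is not automatically an address in that VNet. Function names are chosen here.

```python
import ipaddress


def address_count(cidr: str) -> int:
    """Size of a block: 32 minus the prefix is the number of host bits,
    and 2 to that power is the number of addresses (32 - 28 = 4, 2**4 = 16)."""
    prefix = ipaddress.ip_network(cidr, strict=False).prefixlen
    return 2 ** (32 - prefix)


def mask_bits(cidr: str) -> str:
    """The netmask written as 32 binary digits: the '16' in 10.0.0.0/16 is
    simply the count of leading 1 bits, which fix the network part."""
    net = ipaddress.ip_network(cidr, strict=False)
    return format(int(net.netmask), "032b")


def describe(cidr: str) -> dict:
    """Netmask, first and last address and total size, as a calculator shows them."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "netmask": str(net.netmask),
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "total": net.num_addresses,
    }


def in_address_space(address: str, cidr: str) -> bool:
    """Can this x.x.x.x be an address in the VNet? Only if it falls inside the
    block, i.e. its first `prefix` bits match the network's bits."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    print(address_count("10.0.0.0/28"), "addresses in 10.0.0.0/28")
    print(address_count("10.0.0.0/16"), "addresses in 10.0.0.0/16")
    print(mask_bits("10.0.0.0/16"), "<- netmask of /16 in binary")
    print(describe("10.0.0.0/16"))
    print(in_address_space("10.0.200.7", "10.0.0.0/16"),
          in_address_space("10.1.0.7", "10.0.0.0/16"))
```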

Related

One Azure vNET peering with multiple vnets that are using the same address space

I am a beginner with azure vnet peering, so please indulge me if this is such an obvious question.
I would like to vnet peer one vnet to multiple vnets. All those vnets, however, use the same address space. Let me explain more with examples.
Let's say vnet_source is the one that will peer with some existing vnets.
vnet_source > 192.168.0.0/16 for example
vnet1> 10.0.0.0/16
vnet2> 10.0.0.0/16
vnet3> 10.0.0.0/16
Would this be possible, for one vnet (vnet_source) to peer with other vnets that are using the same address space, in this case vnet 1, 2, and 3?
And if so, is there a routing trick that can identify that, in this case, the IP address 10.0.1.81 for example belongs to vnet1 and not.
Any help would be highly appreciated!
Thank you so much.
I am still in the planning phase, so have not tested yet.
Unfortunately it is not possible to implement vnet peering between vnets with same address space.
There are likely to be address conflicts (same IP address used in both locations), and Azure route tables won't be able to decide where to send the traffic (VM with IP 10.0.0.10 from vnet1, vnet2 or vnet3?).
https://community.cisco.com/t5/other-collaboration-subjects/the-best-way-to-connect-2-lan-s-with-the-same-ip-addresses/td-p/2724403
It is important to use unique IP address spaces for each virtual network used in Azure so that routing can occur between virtual networks.
If virtual networks have the same IP address space it would not be possible to route traffic between resources from different vnets.
https://superuser.com/questions/1661852/can-two-networks-connected-to-a-router-both-have-a-host-with-the-same-ip-address
L2 forwarding can solve this problem but Azure does not support it for peering.
https://blog.ipspace.net/2019/11/stretched-layer-2-subnets-in-azure.html

Azure Vnet Private IP Ranges

I'm not from a networking background. I'm a data platform solution architect and data/AI engineer. Since distributed data processing and scale-out using containers has come into my world, I've decided to bite the bullet and learn IP fundamentals so I can build clusters.
I've been doing lots of training but have a simple and relatively dumb question; finding simple answers to simple questions seems quite hard on the topic of networking!
I have 2 Azure VNets, for example, in my subscription on the same domain. Does it matter if a subnet on 1 vnet overlaps a subnet on the other vnet? Presumably that would only be a problem when they're peered together. Does the vnet ring-fence its private IP ranges?
"I have 2 Azure VNets for example in my subscription on the same domain does it matter if a subnet on 1 vnet overlaps a subnet on other vnet? Presumably that would only be a problem when they're peered together."
To be exact, the answer is "NO". It doesn't really matter as long as the particular subnet doesn't need to communicate with another subnet in a different VNET. If you have a plan to configure VNET peering at some point, then there are certain best practices that you should follow to avoid conflicts. However, the following are the best practices to implement an enterprise network in Azure:
Start from scratch by documenting your subnets along with subnet mask in each VNET.
There shouldn't be overlapping IP address ranges if your network design contains VNET peering, custom routing, Azure firewall, Azure load balancer etc.
There shouldn't be overlapping IP address ranges if you are planning to implement Site to Site VPN between your azure tenant and on-premises network.
"Does the vnet ring fence it's private ip ranges?"
Yes, subnets within a VNET can communicate with each other without any custom routes, with the help of default system routes.
But subnets in VNET-A cannot communicate with subnets in VNET-B if there's no VNET peering configured between VNET-A and VNET-B.
Hope this answer cleared out the doubts.
"I have 2 Azure VNets for example in my subscription on the same domain does it matter if a subnet on 1 vnet overlaps a subnet on other vnet? Presumably that would only be a problem when they're peered together."
Correct. Your subnet address space can overlap on different networks (VNETS). But if you ever need them to talk to each other without some pretty complex routing changes or redeploying your resources, then creating a unique address space per subnet is recommended: deploy unique address space.
Struggling to understand why you require the same address space in different VNETs; there is plenty of address space available to ensure they do not overlap, even if using ARM templates, i.e. use variables to deploy.
"Does the vnet ring fence it's private ip ranges?"
Essentially yes. RFC 1918 "Address Allocation for Private Internets" defines that private address space does not route out of a private network. I am no expert to be fair, but there is a really interesting link here:
https://whatis.techtarget.com/definition/RFC-1918
RFC 1918
Request for Comment 1918 (RFC 1918), "Address Allocation for Private Internets," is the Internet Engineering Task Force (IETF) memorandum on methods of assigning private IP addresses on TCP/IP networks.
Along with NAT (network address tunneling), RFC 1918 facilitates expansion of the usable number of IP addresses available under IPV4, as a stopgap solution to prevent the exhaustion of public IPs available before the adoption of IPV6. It’s not necessary to register private IPs with a Regional Internet Registry (RIR), which simplifies setting up private networks.
RFC 1918 was used to create the standards by which networking equipment assigns IP addresses in a private network. A private network can use a single public IP address. The RFC reserves the following ranges of IP addresses that cannot be routed on the Internet:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
IP addresses within these ranges can be assigned within a private network; each address will be unique on that network but not outside of it. Private IP addresses can't be communicated with directly by external computers because they are not globally unique and, as such, not addressable on the public Internet.
Computers on the inside of the network can communicate with the Internet through NAT. NAT translates an IP address used within one network to a different IP address known within another network. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and unmaps the global IP addresses on incoming packets back into local IP addresses.
No, it doesn't. But you won't be able to peer/VPN them together. So they are effectively isolated from each other forever (or at least until you fix that).
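An added example, not from any of the answers above, that applies the same overlap check to the peering question (vnet_source against vnet1, vnet2 and vnet3, all on 10.0.0.0/16) and to this question's two VNets with overlapping ranges. The inventory is constructed from the addresses quoted in that question, and the function names are chosen here.

```python
import ipaddress
from itertools import combinations

# Constructed inventory using the address spaces quoted in the peering question.
VNETS = {
    "vnet_source": "192.168.0.0/16",
    "vnet1": "10.0.0.0/16",
    "vnet2": "10.0.0.0/16",
    "vnet3": "10.0.0.0/16",
}


def overlapping_pairs(vnets: dict) -> list:
    """Every pair of VNets whose address spaces overlap; such a pair cannot be peered."""
    nets = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in vnets.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b]))


def owners_of(address: str, vnets: dict) -> list:
    """VNets whose space contains the address. More than one result is exactly the
    ambiguity the answer describes: a route table has no way to pick a destination."""
    ip = ipaddress.ip_address(address)
    return sorted(name for name, cidr in vnets.items()
                  if ip in ipaddress.ip_network(cidr, strict=False))


def plan_unique_spaces(names: list, base: str = "10.0.0.0/8", new_prefix: int = 16) -> dict:
    """Hand each VNet its own block carved from `base` so that no two overlap
    (the 'unique address space per VNet' the answers recommend)."""
    pool = ipaddress.ip_network(base, strict=False).subnets(new_prefix=new_prefix)
    return {name: str(next(pool)) for name in names}


if __name__ == "__main__":
    print("conflicting pairs:", overlapping_pairs(VNETS))
    print("10.0.1.81 could be in:", owners_of("10.0.1.81", VNETS))
    fixed = dict(VNETS, **plan_unique_spaces(["vnet1", "vnet2", "vnet3"]))
    print("after renumbering:", fixed, "conflicts:", overlapping_pairs(fixed))
```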

Azure VNet IP address charges

I have created a Virtual network with the following CIDR. This address space has 256 total addresses.
CIDR 10.0.0.0/24
Will I be billed for all available/reserved IP addresses? If we check Azure IP Address Price, it says we need to pay for both reserved and used IP addresses. In this case, if someone creates a vnet of, say, /16 or /8, his bill should skyrocket.
Azure has also created a default subnet with CIDR /8 when I create a Kubernetes cluster without mentioning a virtual network with it. If they charge for reserved address space, then this should have a huge cost associated with it.
Please confirm how Azure charges for IP address ranges created using CIDR.
Azure only charges you for reserved PUBLIC IP addresses. Your VNET uses a private address space, so no costs for that will occur.

Queries related to utilization, distribution and pricing of IP addresses on Azure

I have queries related to utilization, distribution and pricing of IP addresses on Azure.
Taking an example, 10.0.0.0/27. It says, 10.0.0.0 - 10.0.0.31 (32 addresses).
After expanding, I found the following:
CIDR Range: 10.0.0.0/27
Netmask: 255.255.255.224
Wildcard Bits: 0.0.0.31
First IP: 10.0.0.0
Last IP: 10.0.0.31
Total Host: 32
I assigned 10.0.0.0/27 for both VNet and Subnet on Azure Portal.
After creating the virtual network, I see 27 available addresses.
1) No virtual machine has been created yet, so why are the available addresses 27?
2) What is the IP range for 27 available addresses?
While creating Gateway Subnet, I see errors like...
The specified address space overlaps with subnet 'Subnet1' which has a range of '10.0.0.0/27'.
Your subnet is not contained within the address space for this virtual network: 10.0.0.0/27.
3) How to calculate and decide the available gateway subnet address space for a virtual network?
4) For using gateway subnet, is it mandatory or recommended to add another subnet before or after creating gateway subnet?
5) Why is an address space required for creating a gateway subnet? Is the gateway subnet not a fixed or static IP address for creating a connection?
6) In case of virtual network, 10.0.0.0/27, is pricing done on the basis of utilized IP addresses only?
7) In case of virtual network 10.0.0.0/27, if there are some un-utilized IP addresses, are they blocked to me or my subscription, or can un-utilized IP addresses be used by someone else on his Azure portal?
I sincerely request to clarify all seven queries.
Q1-Q3:
Read the Azure VNet FAQ: Azure reserves 5 IP addresses within each subnet. These are x.x.x.0-x.x.x.3 and the last address of the subnet. So you have 27 available addresses for the address range 10.0.0.0/27. Its address range is 10.0.0.4 - 10.0.0.30.
Q4: The order of creating the gateway subnet is not mandatory; you only need to calculate the CIDR range for each subnet included in your current virtual network address range.
Q5: The gateway subnet is needed if you need to configure a virtual network gateway. The gateway subnet contains the IP addresses that the virtual network gateway services use. All gateway subnets must be named GatewaySubnet to work properly. Read here. If you don't need a VPN gateway, you don't need to create a gateway subnet in this VNet.
Q6-Q7: Have a look at Azure VNet pricing and VPN gateway pricing.
Azure Virtual Network is free of charge. Every subscription is allowed to create up to 50 virtual networks across all regions.
Public IP addresses, and reserved IP addresses used on services inside a virtual network, are charged.
Network appliances such as VPN Gateway and Application Gateway that are run inside a virtual network are also charged.
For the un-utilized IP addresses, it is like unassigned private IP addresses in your on-premises network. They can continue to be assigned to resources when you deploy resources in the VNet or subnet.
For more details, you can read this blog: Understanding CIDR Notation when designing Azure Virtual Networks and Subnets
Azure reserves 5 IP addresses within each subnet. These are x.x.x.0-x.x.x.3 and the last address of the subnet.
x.x.x.0 and the last address of the subnet are reserved for protocol conformance.
x.x.x.1-x.x.x.3 are reserved in each subnet for Azure services.
The address space is the superset of the subnets. So your address space needs to be bigger, and should be able to accommodate the IPs which you are defining for the subnets.
Basic Subnetting would help.
It is not recommended to deploy your workloads on the gateway subnet. So you need other subnets to deploy your workloads.
Gateways do have a private IP address, which they get from the gateway subnet. As I mentioned in point 2, the address space is the superset of the subnets.
Only public IPs are charged. Private IPs which you define in an Azure VNET are not charged.
Since it is a private IP address, you can create another 10.0.0.0/27 VNET in the same region. A VNET provides isolation, and the address space which you define is isolated to that VNET.

Why Azure reserves first four IP address of a subnet

As the question says, I want to know: why does Azure reserve the first four and the last IP address of a subnet?
Yes. Azure reserves 5 IP addresses within each subnet. These are x.x.x.0-x.x.x.3 and the last address of the subnet. x.x.x.1-x.x.x.3 is reserved in each subnet for Azure services.
x.x.x.0: Network address
x.x.x.1: Reserved by Azure for the default gateway
x.x.x.2, x.x.x.3: Reserved by Azure to map the Azure DNS IPs to the VNet space
x.x.x.255: Network broadcast address
See the Azure FAQ.
Azure reserves the first and last address in each subnet for protocol conformance, and three additional addresses are reserved for Azure service usage. Azure does not go into detail about the services that use the reserved IP addresses, but we can say for sure that the default gateway is an Azure service that will use the reserved IP addresses.
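Added example (not from any of the answers) that lays out the five reserved addresses and the assignable range for the 10.0.0.0/27 subnet from the earlier pricing question, and reproduces the two portal checks whose errors were quoted there ("not contained within the address space" and "overlaps with subnet 'Subnet1'"). Function names and message wording are chosen here.

```python
import ipaddress


def azure_reserved(subnet_cidr: str) -> dict:
    """The five addresses Azure holds back in every subnet, keyed by address."""
    addrs = list(ipaddress.ip_network(subnet_cidr, strict=False))
    return {
        str(addrs[0]): "network address (protocol conformance)",
        str(addrs[1]): "default gateway (reserved by Azure)",
        str(addrs[2]): "Azure DNS mapping (reserved by Azure)",
        str(addrs[3]): "Azure DNS mapping (reserved by Azure)",
        str(addrs[-1]): "broadcast address (protocol conformance)",
    }


def assignable_range(subnet_cidr: str):
    """(first, last, count) of addresses a VM can actually receive: the block
    minus the four leading reserved addresses and the trailing broadcast."""
    addrs = list(ipaddress.ip_network(subnet_cidr, strict=False))
    usable = addrs[4:-1]
    if not usable:  # a /30 or smaller has nothing left once 5 are taken
        return None, None, 0
    return str(usable[0]), str(usable[-1]), len(usable)


def validate_subnet(vnet_cidr: str, existing: dict, candidate: str) -> list:
    """The two checks behind the portal errors quoted in the question: the new
    subnet must sit inside the VNet space and must not overlap an existing subnet."""
    vnet = ipaddress.ip_network(vnet_cidr, strict=False)
    new = ipaddress.ip_network(candidate, strict=False)
    problems = []
    if not new.subnet_of(vnet):
        problems.append(f"not contained in VNet address space {vnet}")
    for name, cidr in existing.items():
        if new.overlaps(ipaddress.ip_network(cidr, strict=False)):
            problems.append(f"overlaps with subnet '{name}' ({cidr})")
    return problems


if __name__ == "__main__":
    print(azure_reserved("10.0.0.0/27"))
    print(assignable_range("10.0.0.0/27"))  # 27 usable, .4 through .30
    # VNet and Subnet1 both /27: a GatewaySubnet has nowhere to go.
    print(validate_subnet("10.0.0.0/27", {"Subnet1": "10.0.0.0/27"}, "10.0.0.32/27"))
    print(validate_subnet("10.0.0.0/27", {"Subnet1": "10.0.0.0/27"}, "10.0.0.0/28"))
    # Widening the VNet to /24 leaves room for a second subnet.
    print(validate_subnet("10.0.0.0/24", {"Subnet1": "10.0.0.0/27"}, "10.0.0.32/27"))
```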