Top / Microsoft Azure / Azure Network / Subnet

Azure Network Subnet

This page shows how to write Terraform and Azure Resource Manager for Network Subnet and write them securely.

terraform-logo

Review your .tf file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

azurerm_subnet (Terraform)

The Subnet in Network can be configured in Terraform with the resource name azurerm_subnet. The following sections describe 8 examples of how to use the resource and its parameters.

Example Usage from GitHub

main.tf#L26
resource "azurerm_subnet" "hubsub1" {
  name                 = "hubsub1"
  resource_group_name = azurerm_resource_group.test.name
  virtual_network_name = azurerm_virtual_network.hub.name
  address_prefixes     = ["10.1.10.0/24"]
}
networking.tf#L12
resource "azurerm_subnet" "web-api" {
  name                 = var.subnet_web_api
  virtual_network_name = azurerm_virtual_network.main.name
  resource_group_name  = azurerm_resource_group.main.name
  address_prefixes     = ["10.0.1.0/24"]
}
main.tf#L16
resource "azurerm_subnet" "subnet1" {
  name                 = "subnet1"
  resource_group_name  = azurerm_resource_group.tamops.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefix       = "192.168.1.0/24"
}
networking.tf#L26
resource "azurerm_subnet" "we-project1" {
  name                 = "project1"
  resource_group_name  = azurerm_resource_group.net.name
  virtual_network_name = azurerm_virtual_network.we.name
  address_prefixes     = ["10.0.1.0/24"]
}
03_subnet.tf#L2
resource "azurerm_subnet" "jinwoo-subnet-01" {
  name                 = "subnet01"
  resource_group_name  = azurerm_resource_group.jinwoo-rg.name
  virtual_network_name = azurerm_virtual_network.jinwoo-vnet.name
  address_prefixes     = ["10.0.1.0/24"]
}
main.tf#L16
resource "azurerm_subnet" "subnet1" {
  name                 = "subnet1"
  resource_group_name  = azurerm_resource_group.tamops.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefix       = "192.168.1.0/24"
}
main.tf#L8
resource "azurerm_subnet" "web-subnet" {
  name                 = "web-subnet"
  virtual_network_name = azurerm_virtual_network.vnet01.name
  resource_group_name  = var.resource_group
  address_prefix       = var.websubnetcidr
}
subnets.tf#L1
resource "azurerm_subnet" "External_subnet"  {
    name           = "External"
    resource_group_name  = azurerm_resource_group.rg.name
    virtual_network_name = azurerm_virtual_network.vnet.name
    address_prefix = "10.99.0.0/24"
  }

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

>> from Terraform Registry

Explanation in Terraform Registry

Manages a subnet. Subnets represent network segments within the IP space defined by the virtual network.

NOTE on Virtual Networks and Subnet's: Terraform currently provides both a standalone Subnet resource, and allows for Subnets to be defined in-line within the Virtual Network resource. At this time you cannot use a Virtual Network with in-line Subnets in conjunction with any Subnet resources. Doing so will cause a conflict of Subnet configurations and will overwrite Subnet's.

>> from Terraform Registry

Tips: Best Practices for The Other Azure Network Resources

In addition to the azurerm_network_security_group, Azure Network has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

azurerm_network_security_group

Ensure to disable RDP port from the Internet

It is better to disable the RDP port from the Internet. RDP access should not be accepted from the Internet (*, 0.0.0.0, /0, internet, any), and consider using the Azure Bastion Service.

risk-label

azurerm_network_security_rule

Ensure to set a more restrictive CIDR range for ingress from the internet

It is better to set a more restrictive CIDR range not to use very broad subnets. If possible, segments should be divided into smaller subnets.

risk-label

azurerm_network_watcher_flow_log

Ensure to enable Retention policy for flow logs and set it to enough duration

It is better to enable a retention policy for flow logs. Flow logs show us all network activity in the cloud environment and support us when we face critical incidents.

Review your Azure Network settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

Microsoft.Network/virtualNetworks/subnets (Azure Resource Manager)

The virtualNetworks/subnets in Microsoft.Network can be configured in Azure Resource Manager with the resource name Microsoft.Network/virtualNetworks/subnets. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

main.json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "functions": [],
  "variables": {
main.json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminPassword": {
VirtualNetwork.json
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "networkSecurityGroupName": {

Parameters

  • name required - string
  • type required - string
  • apiVersion required - string
  • properties required
      • addressPrefix required - string

        The address prefix for the subnet.

      • addressPrefixes optional - array

        List of address prefixes for the subnet.

      • networkSecurityGroup optional
          • id required - string

            Resource ID.

      • routeTable optional
          • id required - string

            Resource ID.

      • natGateway optional
          • id required - string

            Resource ID.

      • serviceEndpoints optional array
          • service optional - string

            The type of the endpoint service.

          • locations optional - array

            A list of locations.

      • serviceEndpointPolicies optional array
          • id required - string

            Resource ID.

      • ipAllocations optional array
          • id required - string

            Resource ID.

      • delegations optional array
          • properties optional
              • serviceName optional - string

                The name of the service to whom the subnet should be delegated (e.g. Microsoft.Sql/servers).

          • name required - string

            The name of the resource that is unique within a subnet. This name can be used to access the resource.

      • privateEndpointNetworkPolicies optional - string

        Enable or Disable apply network policies on private end point in the subnet.

      • privateLinkServiceNetworkPolicies optional - string

        Enable or Disable apply network policies on private link service in the subnet.

>> from Azure Resource Manager Documentation

The Other Related Azure Network Resources

Frequently asked questions

What is Azure Network Subnet?

Azure Network Subnet is a resource for Network of Microsoft Azure. Settings can be wrote in Terraform.

Where can I find the example code for the Azure Network Subnet?

For Terraform, the larryclaman/vpnscaffolds, llgjermeni/terraform-project and thomast1906/thomasthorntoncloud-examples source code examples are useful. See the Terraform Example section for further details.

For Azure Resource Manager, the INGourav/bicep, INGourav/bicep and ruchipalchopra/AzureDevopsSelfHostedAgents source code examples are useful. See the Azure Resource Manager Example section for further details.

security-icon

Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.

Table of Contents