How many IP addresses does Azure reserve per subnet?

Azure reserves five IP addresses in every subnet: x.x.x.0 (network address), x.x.x.1 (default gateway), x.x.x.2 and x.x.x.3 (Azure DNS), and the last address (broadcast). A /28 subnet with 16 total addresses has only 11 usable IPs.

What is the minimum subnet size for common Azure services?

GatewaySubnet requires /27 minimum (32 addresses), AzureBastionSubnet requires /26 (64 addresses), Azure Firewall requires /26, and Application Gateway v2 requires /24 recommended. AKS subnets should be sized based on maximum pod count times node count.

Can I add more address spaces to an existing VNet?

Yes. Azure VNets support multiple address spaces, and you can add additional CIDR blocks to an existing VNet without downtime. The new address space cannot overlap with existing spaces or peered VNets. You can then create new subnets within the added address range.

Azure VNet CIDR Planner

NetworkingAzure

Plan Azure Virtual Network address spaces and subnet allocation with Azure-specific rules.

Last verified: April 2026

VNet Configuration

VNet Address Space

Add Subnet

Subnet Name

Size

Purpose

Quick Add Common Azure Subnets

Raw Output

Output will appear here...

See It in Action

You're designing a hub-and-spoke architecture across 3 Azure regions for a financial services company. Each region needs a hub VNet with Azure Firewall, VPN Gateway, and Bastion, plus 4 spoke VNets for different application tiers. Using the planner, you allocate 10.0.0.0/16 for the primary hub, carve out the mandatory service subnets first (/26 for Firewall, /27 for Gateway, /26 for Bastion), then allocate the remaining space across spoke VNets. The planner catches that your initial allocation leaves no room for a future AKS subnet in spoke-3 and suggests widening the spoke from /22 to /20.

What This Tool Does

The Azure VNet CIDR Planner helps you design Virtual Network address spaces and subnet allocations following Azure-specific networking rules. It accounts for Azure's reserved IP addresses per subnet, GatewaySubnet requirements, AzureBastionSubnet minimum sizing, and service delegation constraints. The tool visualizes address space utilization and identifies conflicts across VNets.

Technical Details

The planner takes a parent VNet address space and divides it into subnets using alignment-aware allocation. It validates that each subnet falls within the VNet address range, checks for overlaps between proposed subnets, accounts for Azure's 5 reserved IPs per subnet, and enforces minimum size requirements for special-purpose subnets (GatewaySubnet, AzureBastionSubnet, etc.). The output shows the full allocation map with usable IP counts and remaining free space.

Common Use Cases

1Planning address spaces for a hub-and-spoke VNet architecture with non-overlapping CIDR blocks.
2Sizing subnets for Azure services that have minimum prefix length requirements like GatewaySubnet (/27) and AzureBastionSubnet (/26).
3Allocating subnets for AKS clusters that need large IP ranges for pod networking.
4Designing a multi-region VNet strategy with globally unique address spaces for VNet peering.

Common Questions

How many IP addresses does Azure reserve per subnet?: Azure reserves five IP addresses in every subnet: x.x.x.0 (network address), x.x.x.1 (default gateway), x.x.x.2 and x.x.x.3 (Azure DNS), and the last address (broadcast). A /28 subnet with 16 total addresses has only 11 usable IPs.
What is the minimum subnet size for common Azure services?: GatewaySubnet requires /27 minimum (32 addresses), AzureBastionSubnet requires /26 (64 addresses), Azure Firewall requires /26, and Application Gateway v2 requires /24 recommended. AKS subnets should be sized based on maximum pod count times node count.
Can I add more address spaces to an existing VNet?: Yes. Azure VNets support multiple address spaces, and you can add additional CIDR blocks to an existing VNet without downtime. The new address space cannot overlap with existing spaces or peered VNets. You can then create new subnets within the added address range.

Expert Tips

TIP

Pre-allocate dedicated subnets for Azure services with fixed sizing requirements BEFORE planning general-purpose subnets. GatewaySubnet needs /27, AzureBastionSubnet needs /26, AzureFirewallSubnet needs /26, and Application Gateway needs /24 minimum. These eat into your address space fast and can't be resized without recreation.

TIP

When planning for AKS with Azure CNI networking, each pod gets a real VNet IP. Size your AKS subnets for (max_pods_per_node x max_nodes) + service_IPs. A 50-node cluster with 30 pods/node needs 1,500+ IPs — that's a /21 minimum. Teams that allocate a /24 run out of IPs when they try to scale past 8 nodes.

TIP

In hub-and-spoke topologies, all spokes must have non-overlapping address spaces with each other AND the hub. Plan your CIDR allocation across the entire organization upfront using a consistent scheme like 10.{region}.{spoke}.0/24. Retroactively re-addressing a peered VNet requires tearing down the peering, migrating resources, and re-establishing connectivity.

Featured In

CIDR Notation Explained: A Visual Guide for Cloud Engineers

Related Learning Guides

Virtual Network Architecture28 min read
Azure Networking Deep Dive30 min read

Was this tool helpful?

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.