🌐 Azure Delegated Subnet Complete Technical Guide

📚 Table of Contents

  1. Overview of Delegated Subnets
  2. Architecture Diagrams
  3. Traffic Flow Analysis
  4. Setup Command Sequence
  5. Detailed Azure CLI Commands
  6. Configuration Stanzas
  7. Advanced Scenarios
  8. Troubleshooting
  Summary

1. Overview of Delegated Subnets

Azure subnet delegation allows you to designate a specific subnet for a particular Azure service. When you delegate a subnet, you're essentially reserving that subnet exclusively for use by the specified service, enabling the service to inject service-specific resources directly into your virtual network.

Key Benefits:
  • Direct service integration with your VNet
  • Enhanced security through network isolation
  • Improved performance with reduced network hops
  • Service-specific network policies

2. Architecture Diagrams

2.1 High-Level Delegated Subnet Architecture

graph TB
    subgraph "Azure Subscription"
        subgraph "Resource Group"
            subgraph "Virtual Network (VNet)"
                subgraph "Regular Subnet"
                    VM1[Virtual Machine]
                    VM2[Virtual Machine]
                end
                subgraph "Delegated Subnet"
                    DS[Delegated to Service]
                    SI[Service Instances]
                end
                subgraph "Gateway Subnet"
                    VGW[VPN Gateway]
                end
            end
            NSG[Network Security Group]
            RT[Route Table]
        end
    end
    Internet((Internet))
    OnPrem[On-Premises Network]
    VM1 --> NSG
    VM2 --> NSG
    DS --> SI
    VGW --> OnPrem
    VGW --> Internet
    style DS fill:#e1f5fe
    style SI fill:#f3e5f5
    style VGW fill:#fff3e0

Architecture Explanation:

This diagram shows the fundamental structure of an Azure Virtual Network with a delegated subnet. The delegated subnet is isolated from regular subnets and is exclusively used by the designated Azure service. The service can inject its own resources directly into this subnet, maintaining network isolation while providing seamless integration with your VNet infrastructure.

  • Regular Subnet: Contains standard Azure resources like VMs
  • Delegated Subnet: Reserved exclusively for the specified service
  • Gateway Subnet: Special subnet for VPN/ExpressRoute gateways
  • NSG & Route Tables: Can be applied to control traffic flow

2.2 Service-Specific Delegation Architecture

graph TD
    subgraph "Azure SQL Managed Instance Delegation"
        VNET1[Virtual Network]
        SUBNET1[Delegated Subnet]
        SQLMI[SQL Managed Instance]
        VNET1 --> SUBNET1
        SUBNET1 --> SQLMI
    end
    subgraph "Azure Container Instances Delegation"
        VNET2[Virtual Network]
        SUBNET2[Delegated Subnet]
        ACI[Container Instances]
        VNET2 --> SUBNET2
        SUBNET2 --> ACI
    end
    subgraph "Azure App Service Delegation"
        VNET3[Virtual Network]
        SUBNET3[Delegated Subnet]
        ASE[App Service Environment]
        VNET3 --> SUBNET3
        SUBNET3 --> ASE
    end
    Client[Client Applications]
    Client --> SQLMI
    Client --> ACI
    Client --> ASE
    style SUBNET1 fill:#ffebee
    style SUBNET2 fill:#e8f5e8
    style SUBNET3 fill:#fff3e0

Service-Specific Delegation Explanation:

Different Azure services require specific types of subnet delegation. Each service has unique requirements and capabilities when integrated into a delegated subnet:

  • SQL Managed Instance: Requires Microsoft.Sql/managedInstances delegation with specific subnet size requirements (/24 or larger)
  • Container Instances: Uses Microsoft.ContainerInstance/containerGroups delegation for serverless container deployment
  • App Service Environment: Requires Microsoft.Web/serverFarms delegation for isolated App Service hosting

3. Traffic Flow Analysis

3.1 Inbound Traffic Flow

sequenceDiagram
    participant Client
    participant LoadBalancer as Load Balancer
    participant NSG as Network Security Group
    participant DelegatedSubnet as Delegated Subnet
    participant Service as Azure Service
    Client->>LoadBalancer: 1. Inbound Request
    LoadBalancer->>NSG: 2. Traffic Filtering
    NSG->>DelegatedSubnet: 3. Allow/Deny Decision
    DelegatedSubnet->>Service: 4. Route to Service Instance
    Service->>DelegatedSubnet: 5. Process & Respond
    DelegatedSubnet->>NSG: 6. Return Path
    NSG->>LoadBalancer: 7. Response Traffic
    LoadBalancer->>Client: 8. Final Response

Inbound Traffic Flow Explanation:

This sequence diagram illustrates how inbound traffic flows through the delegated subnet architecture:

  1. Client Request: External client initiates connection
  2. Load Balancer: Distributes traffic if configured
  3. NSG Filtering: Network security rules are evaluated
  4. Subnet Routing: Traffic is routed to the delegated subnet
  5. Service Processing: Azure service processes the request
  6. Response Path: Response follows the reverse path

3.2 East-West Traffic Flow

graph LR
    subgraph "Virtual Network"
        subgraph "Subnet A"
            VM1[Virtual Machine]
        end
        subgraph "Delegated Subnet B"
            SERVICE[Azure Service]
        end
        subgraph "Subnet C"
            VM2[Virtual Machine]
        end
    end
    VM1 -->|1. Internal Request| SERVICE
    SERVICE -->|2. Response| VM1
    VM2 -->|3. Cross-Subnet| SERVICE
    SERVICE -->|4. Response| VM2
    subgraph "Traffic Controls"
        NSG1[NSG for Subnet A]
        NSG2[NSG for Delegated Subnet]
        NSG3[NSG for Subnet C]
        UDR[User Defined Routes]
    end
    VM1 -.->|Controlled by| NSG1
    SERVICE -.->|Controlled by| NSG2
    VM2 -.->|Controlled by| NSG3
    style SERVICE fill:#f9f9f9
    style NSG2 fill:#ffe6e6

East-West Traffic Flow Explanation:

East-West traffic refers to communication between resources within the same VNet. In delegated subnet scenarios:

  • Internal Communication: VMs can communicate with services in delegated subnets
  • Security Control: NSGs control traffic between subnets
  • Route Control: UDRs can influence traffic paths
  • Service Isolation: Delegated subnet provides service-specific isolation

3.3 Outbound Traffic Flow

graph TB
    subgraph "Delegated Subnet"
        SERVICE[Azure Service Instance]
    end
    subgraph "Network Controls"
        NSG[Network Security Group]
        UDR[User Defined Routes]
        NAT[NAT Gateway]
    end
    subgraph "Destinations"
        INTERNET[Internet]
        ONPREM[On-Premises]
        AZURE[Other Azure Services]
    end
    SERVICE --> NSG
    NSG --> UDR
    UDR --> NAT
    NAT --> INTERNET
    UDR --> ONPREM
    UDR --> AZURE
    style SERVICE fill:#e3f2fd
    style NAT fill:#f3e5f5

Outbound Traffic Flow Explanation:

Outbound traffic from delegated subnets can be controlled and routed through various mechanisms:

  • NSG Rules: Control what traffic is allowed outbound
  • User Defined Routes: Override default Azure routing
  • NAT Gateway: Provide predictable outbound IP addresses
  • Service Endpoints: Optimize routes to Azure services

4. Setup Command Sequence

4.1 Command Execution Order

graph TD
    A[1. Create Resource Group] --> B[2. Create Virtual Network]
    B --> C[3. Create Subnet]
    C --> D[4. Configure Subnet Delegation]
    D --> E[5. Create Network Security Group]
    E --> F[6. Associate NSG with Subnet]
    F --> G[7. Create Route Table]
    G --> H[8. Associate Route Table]
    H --> I[9. Deploy Service to Delegated Subnet]
    I --> J[10. Configure Service-Specific Settings]
    J --> K[11. Validate Configuration]
    K --> L[12. Test Connectivity]
    style A fill:#ffebee
    style D fill:#e8f5e8
    style I fill:#fff3e0
    style L fill:#f3e5f5

Command Sequence Explanation:

The setup must follow this specific order to ensure proper configuration:

  1. Resource Group: Foundation container for all resources
  2. Virtual Network: Network foundation with address space
  3. Subnet Creation: Define subnet within the VNet
  4. Delegation Configuration: the critical step that delegates the subnet to the service
  5. Security Configuration: NSG rules for traffic control
  6. Routing Configuration: Custom routes if needed
  7. Service Deployment: Deploy the actual service
  8. Validation: Verify all components work together

5. Detailed Azure CLI Commands

5.1 Resource Group Creation

az group create \
    --name myResourceGroup \
    --location eastus

Parameter Explanation:

  • --name: Name of the resource group (must be unique within subscription)
  • --location: Azure region where resources will be deployed

Alternative locations: westus, centralus, northeurope, southeastasia

Purpose: Creates a logical container for all related resources. This is the foundation step that must be completed first.

5.2 Virtual Network Creation

az network vnet create \
    --resource-group myResourceGroup \
    --name myVNet \
    --address-prefix 10.0.0.0/16 \
    --location eastus

Parameter Explanation:

  • --resource-group: Reference to the resource group created in step 1
  • --name: Name for the virtual network
  • --address-prefix: CIDR block for the entire VNet (10.0.0.0/16 provides 65,536 IPs)
  • --location: Must match the resource group location

Alternative address spaces: 172.16.0.0/16, 192.168.0.0/16

Purpose: Creates the virtual network foundation. The address space must be large enough to accommodate all planned subnets.

5.3 Subnet Creation

az network vnet subnet create \
    --resource-group myResourceGroup \
    --vnet-name myVNet \
    --name myDelegatedSubnet \
    --address-prefix 10.0.1.0/24

Parameter Explanation:

  • --resource-group: Resource group containing the VNet
  • --vnet-name: Name of the parent virtual network
  • --name: Name for the subnet that will be delegated
  • --address-prefix: CIDR block for the subnet (10.0.1.0/24 provides 254 usable IPs)

Subnet sizing considerations: Some services require specific minimum sizes (e.g., SQL MI needs /24 or larger)

Purpose: Creates the subnet that will be dedicated to the Azure service. This subnet will be isolated from other subnets.
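The sizing rule above is easy to get wrong once a VNet holds several delegated subnets, so here is an added planning check (example code written for this guide, not part of the guide's own commands). It uses Python's standard-library ipaddress module to confirm that every planned subnet sits inside the VNet address space, that no two subnets overlap, and that a subnet delegated to SQL Managed Instance is /24 or larger, which is the minimum the guide states. One caveat a practitioner should know: Azure reserves the first four and the last address of every subnet, so a /24 yields 251 assignable addresses rather than the raw 254 host count. The planning table contains only the guide's SQL MI entry; add your other services' minimums from their documentation.

```python
"""Added example (not from the guide): plan and validate delegated subnets
inside a VNet address space using only the standard library.

Assumptions (mine, not the guide's):
- Azure reserves 5 addresses per subnet (first four plus the last one),
  so assignable addresses = total addresses - 5.
- MIN_PREFIX_FOR_DELEGATION holds only the /24 minimum the guide states
  for SQL Managed Instance; extend it from the official docs for other
  services.
"""
import ipaddress

AZURE_RESERVED_PER_SUBNET = 5

# Delegation -> largest acceptable prefix length (a smaller number means a
# bigger subnet). Only the guide's SQL MI requirement is listed.
MIN_PREFIX_FOR_DELEGATION = {
    "Microsoft.Sql/managedInstances": 24,
}


def usable_hosts(subnet):
    """Addresses that Azure will actually hand out in this subnet."""
    net = ipaddress.ip_network(subnet, strict=True)
    return max(net.num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def validate_plan(vnet_prefix, subnets):
    """subnets: list of (name, cidr, delegation-or-None).
    Returns a list of human-readable problems; an empty list means OK."""
    vnet = ipaddress.ip_network(vnet_prefix, strict=True)
    problems = []
    seen = []  # (name, network) pairs already accepted, for overlap checks
    for name, cidr, delegation in subnets:
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits
        except ValueError as exc:
            problems.append(f"{name}: invalid CIDR {cidr} ({exc})")
            continue
        if not net.subnet_of(vnet):
            problems.append(f"{name}: {cidr} is outside VNet {vnet_prefix}")
        for other_name, other_net in seen:
            if net.overlaps(other_net):
                problems.append(f"{name}: {cidr} overlaps {other_name} ({other_net})")
        seen.append((name, net))
        limit = MIN_PREFIX_FOR_DELEGATION.get(delegation)
        if limit is not None and net.prefixlen > limit:
            problems.append(
                f"{name}: /{net.prefixlen} is too small for {delegation} "
                f"(needs /{limit} or larger)")
    return problems


# The layout from the guide's multi-service scenario (section 7.1).
GUIDE_PLAN = [
    ("sqlmi", "10.0.1.0/24", "Microsoft.Sql/managedInstances"),
    ("aci", "10.0.2.0/24", "Microsoft.ContainerInstance/containerGroups"),
    ("ase", "10.0.3.0/24", "Microsoft.Web/serverFarms"),
    ("shared", "10.0.4.0/24", None),
]

# A constructed plan with one of each mistake the checker detects.
BAD_PLAN = [
    ("sqlmi", "10.0.1.0/26", "Microsoft.Sql/managedInstances"),   # too small
    ("aci", "10.0.1.0/24", "Microsoft.ContainerInstance/containerGroups"),  # overlaps sqlmi
    ("far", "192.168.0.0/24", None),                                # outside the VNet
    ("bad", "10.0.9.5/24", None),                                   # host bits set
]

if __name__ == "__main__":
    print("usable /24 hosts:", usable_hosts("10.0.1.0/24"))
    print("guide plan problems:", validate_plan("10.0.0.0/16", GUIDE_PLAN))
    for p in validate_plan("10.0.0.0/16", BAD_PLAN):
        print("bad plan:", p)
```

Run it before creating subnets; a non-empty list from validate_plan means the later delegation or deployment step will fail or leave too little room for the service.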

5.4 Subnet Delegation Configuration

az network vnet subnet update \
    --resource-group myResourceGroup \
    --vnet-name myVNet \
    --name myDelegatedSubnet \
    --delegations Microsoft.ContainerInstance/containerGroups

Parameter Explanation:

  • --resource-group: Resource group containing the subnet
  • --vnet-name: Parent virtual network name
  • --name: Subnet to be delegated
  • --delegations: Service delegation type

Common delegation types:

  • Microsoft.ContainerInstance/containerGroups - for Azure Container Instances
  • Microsoft.Sql/managedInstances - for SQL Managed Instance
  • Microsoft.Web/serverFarms - for App Service Environment
  • Microsoft.NetApp/volumes - for Azure NetApp Files

Purpose: This is the critical step that reserves the subnet exclusively for the specified service. Once delegated, only that service can deploy resources to this subnet.

5.5 Network Security Group Creation

az network nsg create \
    --resource-group myResourceGroup \
    --name myDelegatedSubnetNSG \
    --location eastus

Parameter Explanation:

  • --resource-group: Resource group for the NSG
  • --name: Name for the network security group
  • --location: Azure region (must match other resources)

Purpose: Creates a network security group that will control traffic to/from the delegated subnet. NSGs act as a virtual firewall.

5.6 NSG Security Rules Configuration

az network nsg rule create \
    --resource-group myResourceGroup \
    --nsg-name myDelegatedSubnetNSG \
    --name AllowHTTPS \
    --protocol Tcp \
    --priority 100 \
    --direction Inbound \
    --source-address-prefixes '*' \
    --source-port-ranges '*' \
    --destination-address-prefixes '*' \
    --destination-port-ranges 443 \
    --access Allow

Parameter Explanation:

  • --resource-group: Resource group containing the NSG
  • --nsg-name: Name of the network security group
  • --name: Name for this specific rule
  • --protocol: Network protocol (Tcp, Udp, or *)
  • --priority: Rule priority (100-4096, lower numbers processed first)
  • --direction: Traffic direction (Inbound or Outbound)
  • --source-address-prefixes: Source IP addresses or ranges
  • --destination-port-ranges: Destination ports to allow
  • --access: Allow or Deny the traffic

Common port ranges: 80 (HTTP), 443 (HTTPS), 22 (SSH), 3389 (RDP)

Purpose: Defines specific traffic rules for the delegated subnet. Each service may require different port configurations.
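To make the priority rule concrete ("lower numbers processed first", first match wins), here is an added evaluator (example code written for this guide, not the guide's own or Azure's) that applies inbound NSG rules the way Azure orders them: the guide's AllowHTTPS rule at priority 100 sits in front of Azure's three default inbound rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500). It also shows the same rule with its source narrowed to one address range, so you can see which flows each version admits. Service tags are simplified: VirtualNetwork is matched against the guide's 10.0.0.0/16 only, and AzureLoadBalancer against the platform probe address 168.63.129.16; real tags cover more ranges. The 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation prefixes used as constructed sample input.

```python
"""Added example (not from the guide): evaluate inbound NSG rules in
priority order (lowest number first, first match wins).

Assumptions (mine, not the guide's):
- Service tags are simplified: 'VirtualNetwork' matches only the guide's
  VNet prefix, 'AzureLoadBalancer' matches the platform address
  168.63.129.16, '*' matches anything.
- The three default inbound rules and their priorities are Azure's
  standard defaults.
"""
import ipaddress
from dataclasses import dataclass

VNET_PREFIX = ipaddress.ip_network("10.0.0.0/16")          # the guide's VNet
AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")  # Azure platform address


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    protocol: str      # 'Tcp', 'Udp' or '*'
    source: str        # CIDR, single IP, simplified service tag or '*'
    dest: str
    dest_ports: str    # '443', '1000-2000' or '*'
    access: str        # 'Allow' or 'Deny'


def _addr_matches(spec, addr):
    ip = ipaddress.ip_address(addr)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in VNET_PREFIX
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_IP
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return port == int(spec)


def evaluate(rules, src, dst, dst_port, protocol):
    """Return (access, rule_name) for the first rule that matches the flow."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol != "*" and rule.protocol.lower() != protocol.lower():
            continue
        if not (_addr_matches(rule.source, src) and _addr_matches(rule.dest, dst)
                and _port_matches(rule.dest_ports, dst_port)):
            continue
        return rule.access, rule.name
    return "Deny", "<no rule>"  # not reached while the default rules are present


DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "*", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "*", "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "*", "Deny"),
]

# The guide's AllowHTTPS rule: priority 100, any source, TCP/443.
GUIDE_RULES = DEFAULT_INBOUND + [
    Rule("AllowHTTPS", 100, "Tcp", "*", "*", "443", "Allow"),
]

# Constructed variant: the same rule limited to one source range.
RESTRICTED_RULES = DEFAULT_INBOUND + [
    Rule("AllowHTTPSFromCorp", 100, "Tcp", "203.0.113.0/24", "*", "443", "Allow"),
]

if __name__ == "__main__":
    flows = [("198.51.100.7", "10.0.1.10", 443, "Tcp"),   # internet -> HTTPS
             ("198.51.100.7", "10.0.1.10", 22, "Tcp"),    # internet -> SSH
             ("10.0.4.5", "10.0.1.10", 22, "Tcp")]        # in-VNet -> SSH
    for label, rules in (("guide", GUIDE_RULES), ("restricted", RESTRICTED_RULES)):
        for flow in flows:
            print(label, flow, evaluate(rules, *flow))
```

The in-VNet SSH flow is admitted by the default AllowVnetInBound rule, not by anything the guide adds; if east-west traffic into the delegated subnet should be limited, a Deny rule with a priority below 65000 has to say so explicitly.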

5.7 Associate NSG with Subnet

az network vnet subnet update \
    --resource-group myResourceGroup \
    --vnet-name myVNet \
    --name myDelegatedSubnet \
    --network-security-group myDelegatedSubnetNSG

Parameter Explanation:

  • --resource-group: Resource group containing the subnet
  • --vnet-name: Parent virtual network
  • --name: Subnet to associate with NSG
  • --network-security-group: NSG to associate with the subnet

Purpose: Links the network security group to the delegated subnet, activating the firewall rules for all traffic to/from the subnet.

5.8 Route Table Creation

az network route-table create \
    --resource-group myResourceGroup \
    --name myDelegatedSubnetRouteTable \
    --location eastus \
    --disable-bgp-route-propagation false

Parameter Explanation:

  • --resource-group: Resource group for the route table
  • --name: Name for the route table
  • --location: Azure region
  • --disable-bgp-route-propagation: Whether to disable BGP route propagation

BGP Route Propagation: Set to false to allow ExpressRoute/VPN gateway routes, true to prevent them

Purpose: Creates a custom route table for controlling traffic flow from the delegated subnet.

5.9 Custom Route Creation

az network route-table route create \
    --resource-group myResourceGroup \
    --route-table-name myDelegatedSubnetRouteTable \
    --name DefaultRoute \
    --next-hop-type VirtualAppliance \
    --address-prefix 0.0.0.0/0 \
    --next-hop-ip-address 10.0.2.4

Parameter Explanation:

  • --resource-group: Resource group containing the route table
  • --route-table-name: Name of the route table
  • --name: Name for this specific route
  • --next-hop-type: Type of next hop (VirtualAppliance, VirtualNetworkGateway, Internet, None)
  • --address-prefix: Destination address prefix (0.0.0.0/0 means all traffic)
  • --next-hop-ip-address: IP address of the next hop (required for VirtualAppliance)

Next hop types:

  • VirtualAppliance - Route to a firewall or NVA
  • VirtualNetworkGateway - Route to VPN/ExpressRoute gateway
  • Internet - Route directly to internet
  • None - Drop the traffic

Purpose: Defines custom routing behavior for traffic from the delegated subnet. This example routes all traffic through a network virtual appliance.
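Because a 0.0.0.0/0 route to an NVA does not send every packet to the NVA, it helps to see Azure's route selection worked through. The added script below (example code written for this guide, not Azure's implementation) applies the two rules Azure uses: longest prefix match first, and among routes with the same prefix a user-defined route beats a BGP-learned route, which beats a system route. The system routes listed are the defaults for the guide's 10.0.0.0/16 VNet; the DefaultRoute entry and the 10.0.2.4 NVA address are the guide's, and the 192.0.2.0/24 drop route is a constructed addition showing the None next hop type.

```python
"""Added example (not from the guide): resolve the next hop for a
destination the way Azure selects routes: longest prefix match first,
then User (UDR) > BGP > System for routes with an equal prefix.

Assumptions (mine, not the guide's): the system routes below are the
defaults for the guide's 10.0.0.0/16 VNet; the drop route is constructed.
"""
import ipaddress

SOURCE_RANK = {"User": 0, "BGP": 1, "System": 2}  # lower rank wins a tie


def make_route(prefix, next_hop_type, source, next_hop_ip=None):
    return {"prefix": ipaddress.ip_network(prefix), "next_hop_type": next_hop_type,
            "source": source, "next_hop_ip": next_hop_ip}


def resolve(routes, destination):
    """Return (next_hop_type, next_hop_ip) for the winning route, or None."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r["prefix"]]
    if not candidates:
        return None
    best = max(candidates,
               key=lambda r: (r["prefix"].prefixlen, -SOURCE_RANK[r["source"]]))
    return best["next_hop_type"], best["next_hop_ip"]


# Default system routes for the guide's VNet.
SYSTEM_ROUTES = [
    make_route("10.0.0.0/16", "VirtualNetwork", "System"),
    make_route("0.0.0.0/0", "Internet", "System"),
]

# The guide's DefaultRoute: everything to the NVA at 10.0.2.4.
GUIDE_UDR = [make_route("0.0.0.0/0", "VirtualAppliance", "User", "10.0.2.4")]

# Constructed extra UDR: black-hole a range with next hop type None.
DROP_UDR = [make_route("192.0.2.0/24", "None", "User")]

if __name__ == "__main__":
    table = SYSTEM_ROUTES + GUIDE_UDR + DROP_UDR
    for dst in ("8.8.8.8", "10.0.4.5", "10.0.2.4", "192.0.2.9"):
        print(dst, "->", resolve(table, dst))
```

Note what the table shows for 10.0.4.5 and for the NVA's own address 10.0.2.4: the /16 VirtualNetwork system route is more specific than the /0 UDR, so VNet-internal traffic, including the path to the NVA itself, never loops through the appliance. If you do want the NVA to inspect east-west traffic, you need UDRs for the specific subnet prefixes.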

5.10 Associate Route Table with Subnet

az network vnet subnet update \
    --resource-group myResourceGroup \
    --vnet-name myVNet \
    --name myDelegatedSubnet \
    --route-table myDelegatedSubnetRouteTable

Parameter Explanation:

  • --resource-group: Resource group containing the subnet
  • --vnet-name: Parent virtual network
  • --name: Subnet to associate with route table
  • --route-table: Route table to associate

Purpose: Links the route table to the delegated subnet, activating the custom routing rules for all traffic from the subnet.

6. Configuration Stanzas

6.1 Service Endpoint Configuration

az network vnet subnet update \
    --resource-group myResourceGroup \
    --vnet-name myVNet \
    --name myDelegatedSubnet \
    --service-endpoints Microsoft.Storage Microsoft.Sql

Service Endpoints Configuration:

  • --service-endpoints: List of Azure services to enable direct connectivity
  • Available endpoints: Microsoft.Storage, Microsoft.Sql, Microsoft.KeyVault, Microsoft.AzureActiveDirectory

Purpose: Enables direct, secure connectivity from the delegated subnet to Azure services without going through the public internet. This improves security and performance.

When to use: When your delegated service needs to access Azure Storage, SQL Database, or other Azure services securely.

6.2 Private Endpoint Configuration

az network private-endpoint create \
    --resource-group myResourceGroup \
    --name myPrivateEndpoint \
    --vnet-name myVNet \
    --subnet myDelegatedSubnet \
    --private-connection-resource-id /subscriptions/subscription-id/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount \
    --group-ids blob \
    --connection-name myPrivateConnection

Private Endpoint Configuration:

  • --name: Name for the private endpoint
  • --vnet-name: Virtual network containing the subnet
  • --subnet: Subnet where the private endpoint will be created
  • --private-connection-resource-id: Full resource ID of the target Azure service
  • --group-ids: Sub-resource of the target service (blob, file, queue for Storage)
  • --connection-name: Name for the private connection

Purpose: Creates a private endpoint that brings Azure services directly into your VNet, providing private IP connectivity.

When to use: When you need private connectivity to Azure services without using service endpoints or public internet.

6.3 NAT Gateway Configuration

az network nat gateway create \
    --resource-group myResourceGroup \
    --name myNATGateway \
    --location eastus \
    --idle-timeout 4 \
    --public-ip-addresses myPublicIP

NAT Gateway Configuration:

  • --name: Name for the NAT gateway
  • --location: Azure region
  • --idle-timeout: Idle timeout in minutes (4-120)
  • --public-ip-addresses: Public IP addresses to use for outbound connectivity

Purpose: Provides predictable outbound internet connectivity for resources in the delegated subnet.

When to use: When you need consistent outbound IP addresses for services in the delegated subnet.

Associate NAT Gateway with Subnet:

az network vnet subnet update \
    --resource-group myResourceGroup \
    --vnet-name myVNet \
    --name myDelegatedSubnet \
    --nat-gateway myNATGateway

Purpose: Links the NAT gateway to the delegated subnet, enabling all outbound traffic from the subnet to use the NAT gateway's public IP addresses.

Execution order: This command must be run after creating the NAT gateway and public IP addresses.

7. Advanced Scenarios

7.1 Multi-Service Delegation Architecture

graph TB
    subgraph "Virtual Network - 10.0.0.0/16"
        subgraph "SQL MI Subnet - 10.0.1.0/24"
            SQLMI[SQL Managed Instance]
        end
        subgraph "ACI Subnet - 10.0.2.0/24"
            ACI[Container Instances]
        end
        subgraph "App Service Subnet - 10.0.3.0/24"
            ASE[App Service Environment]
        end
        subgraph "Shared Services Subnet - 10.0.4.0/24"
            VM[Virtual Machines]
            LB[Load Balancer]
        end
    end
    subgraph "Security & Routing"
        NSG1[NSG for SQL MI]
        NSG2[NSG for ACI]
        NSG3[NSG for ASE]
        UDR1[Custom Routes]
    end
    Client[External Clients]
    Client --> LB
    LB --> ASE
    ASE --> ACI
    ACI --> SQLMI
    SQLMI -.-> NSG1
    ACI -.-> NSG2
    ASE -.-> NSG3
    style SQLMI fill:#ffebee
    style ACI fill:#e8f5e8
    style ASE fill:#fff3e0

Multi-Service Delegation Explanation:

This advanced scenario shows multiple delegated subnets within the same VNet, each serving different Azure services. Key considerations:

  • Subnet Sizing: Each service has different minimum subnet size requirements
  • Network Security: Each delegated subnet should have its own NSG with service-specific rules
  • Service Communication: Inter-service communication flows through the VNet infrastructure
  • Shared Services: Common resources like load balancers can be placed in non-delegated subnets

7.2 Hybrid Connectivity with Delegated Subnets

graph TB
    subgraph "On-Premises Network"
        ONPREM[On-Premises Resources]
        VPNDEV[VPN Device]
    end
    subgraph "Azure Virtual Network"
        subgraph "Gateway Subnet"
            VGW[VPN Gateway]
        end
        subgraph "Delegated Subnet"
            SERVICE[Azure Service]
        end
        subgraph "VM Subnet"
            VM[Virtual Machines]
        end
    end
    subgraph "Routing Control"
        UDR[User Defined Routes]
        BGP[BGP Route Propagation]
    end
    VPNDEV -.->|VPN Tunnel| VGW
    VGW --> SERVICE
    VGW --> VM
    ONPREM --> VPNDEV
    SERVICE -.-> UDR
    VGW -.-> BGP
    style SERVICE fill:#e1f5fe
    style VGW fill:#fff3e0

Hybrid Connectivity Explanation:

This scenario demonstrates how delegated subnets integrate with hybrid connectivity solutions:

  • VPN Gateway: Provides secure connection to on-premises networks
  • Route Propagation: BGP can automatically propagate routes between on-premises and Azure
  • Custom Routing: UDRs may be needed to control traffic flow to/from delegated subnets
  • Security Considerations: NSGs should account for on-premises traffic patterns

8. Troubleshooting

8.1 Common Issues and Solutions

Issue 1: Subnet Delegation Failure

Symptom: "Subnet cannot be delegated because it contains existing resources"

Solution: Remove all existing resources from the subnet before attempting delegation

# Check for existing resources in subnet
az network vnet subnet show \
    --resource-group myResourceGroup \
    --vnet-name myVNet \
    --name mySubnet \
    --query "ipConfigurations"

Issue 2: Service Deployment Failure

Symptom: Service fails to deploy to delegated subnet

Solution: Verify delegation type matches service requirement and subnet size is adequate

# Verify delegation configuration
az network vnet subnet show \
    --resource-group myResourceGroup \
    --vnet-name myVNet \
    --name mySubnet \
    --query "delegations"

8.2 Validation Commands

# Validate VNet configuration
az network vnet show \
    --resource-group myResourceGroup \
    --name myVNet \
    --query "{name:name,addressSpace:addressSpace,subnets:subnets[].{name:name,addressPrefix:addressPrefix,delegations:delegations[].serviceName}}"

# Check effective routes
az network nic show-effective-route-table \
    --resource-group myResourceGroup \
    --name myNIC

# Verify NSG associations
az network nsg show \
    --resource-group myResourceGroup \
    --name myNSG \
    --query "subnets[].id"
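The validation queries above print JSON for a human to read; the added script below (example code written for this guide, not part of it) turns the two troubleshooting checks from 8.1 into pass/fail logic over that JSON. check_delegations consumes output shaped like the guide's "Validate VNet configuration" query and compares each subnet's delegation with what you expect, and existing_ip_configurations consumes the "ipConfigurations" query output to tell you whether a subnet is still occupied before you try to delegate it. The embedded JSON is constructed to match those query shapes, not captured from a real subscription; the file name check_vnet.py and the expected-delegation map are assumptions.

```python
"""Added example (not from the guide): script the delegation checks from
section 8.1 against the JSON produced by the guide's validation queries.

Usage with real output (assumes this file is saved as check_vnet.py):
    az network vnet show --resource-group myResourceGroup --name myVNet \
        --query "{name:name,addressSpace:addressSpace,subnets:subnets[].{name:name,addressPrefix:addressPrefix,delegations:delegations[].serviceName}}" \
        -o json | python3 check_vnet.py

Assumptions (mine, not the guide's): the sample JSON and the expected
delegation map are illustrative.
"""
import json
import sys

# Constructed sample shaped like the output of the guide's --query expression.
SAMPLE_VNET_JSON = """{
  "name": "myVNet",
  "addressSpace": {"addressPrefixes": ["10.0.0.0/16"]},
  "subnets": [
    {"name": "myDelegatedSubnet", "addressPrefix": "10.0.1.0/24",
     "delegations": ["Microsoft.ContainerInstance/containerGroups"]},
    {"name": "sqlmiSubnet", "addressPrefix": "10.0.5.0/24",
     "delegations": ["Microsoft.Sql/managedInstances"]},
    {"name": "appSubnet", "addressPrefix": "10.0.3.0/24", "delegations": []}
  ]
}"""

# What the guide's commands are meant to produce for each subnet
# (None = the subnet must not be delegated to anything).
EXPECTED_DELEGATIONS = {
    "myDelegatedSubnet": "Microsoft.ContainerInstance/containerGroups",
    "sqlmiSubnet": "Microsoft.Sql/managedInstances",
    "appSubnet": None,
}


def check_delegations(vnet, expected):
    """Compare each subnet's delegation list with the expected map.
    Returns a list of findings; an empty list means everything matches."""
    findings = []
    by_name = {s["name"]: s for s in vnet.get("subnets") or []}
    for subnet_name, want in expected.items():
        subnet = by_name.get(subnet_name)
        if subnet is None:
            findings.append(f"{subnet_name}: subnet not found in {vnet.get('name')}")
            continue
        have = subnet.get("delegations") or []   # az emits [] or null when none
        if want is None and have:
            findings.append(f"{subnet_name}: unexpectedly delegated to {have}")
        elif want is not None and want not in have:
            findings.append(f"{subnet_name}: expected delegation {want}, "
                            f"found {have or 'none'}")
    return findings


def existing_ip_configurations(ip_configurations):
    """Given the 'ipConfigurations' query output (list of {id: ...} or null),
    return the resource ids still attached; empty means the subnet can be
    delegated (Issue 1 in section 8.1)."""
    return [cfg["id"] for cfg in (ip_configurations or []) if "id" in cfg]


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_VNET_JSON
    problems = check_delegations(json.loads(raw), EXPECTED_DELEGATIONS)
    for p in problems:
        print("FAIL:", p)
    print("delegations OK" if not problems else f"{len(problems)} problem(s)")
    sys.exit(1 if problems else 0)
```

A non-zero exit from the script lets the same check gate a pipeline step, so "Validate Configuration" in the command sequence becomes something a deployment job can fail on rather than a manual read of the JSON.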

📋 Summary

This comprehensive guide covers all aspects of Azure subnet delegation, from basic concepts to advanced scenarios. The key to successful implementation is following the correct sequence of commands and understanding the specific requirements of each Azure service you're integrating.

Remember: Always validate your configuration at each step and test connectivity before deploying production workloads.