“Have you ever thought about having a Private Subnet in Azure VNET? Let me tell you all about it. Trust me, you would want to take advantage of its benefits. We must use Azure Private Subnet to ensure the highest level of security and privacy for our network.”
Background of Azure VNET and Subnet and Internet access
To grasp the basic principles of Azure Virtual Network (VNET), it is essential to understand the significance of subnets first. Azure VNET is a logical network that facilitates communication between Azure resources and on-premises networks. Subnets segregate and organise network resources within a VNET.
Azure Virtual Network (VNET) allows you to create subnets, a range of IP addresses assigned to virtual machines, network interfaces, and other resources. By dividing the VNET into subnets, you can manage and control traffic flow and apply security policies to specific groups of resources.
Azure VNET allows outbound internet access by default. However, to restrict internet access, you can configure a Network Security Group (NSG) to allow outbound traffic to specific IP addresses or ranges or configure a user-defined route to redirect traffic to a specific network device or firewall appliance.
When using virtual machines in a virtual network that doesn’t have outbound connectivity, it’s important to note that these machines are assigned a public IP address. However, this public IP address can change without notice unlike typical IP addresses. This can present a challenge when troubleshooting network issues, as the IP address you previously used may need to be validated. It’s essential to keep this in mind and be aware of the potential for this issue when working with virtual machines in a virtual network without outbound connectivity. This method is not secure by default and will no longer be available after September 2025.
Private Subnet
The private subnet feature is a security measure that prevents any insecure implicit connectivity in newly created subnets. Turn off the “default outbound access” parameter to prevent unauthorised internet access. Resources in private subnets cannot communicate with the public internet. Resources in a private subnet can use the NAT Gateway or firewall appliance to communicate to the internet using user-defined routes. After configuration, you can choose your preferred method for explicit outbound connectivity to the internet.
This feature ensures that all newly created subnets prioritise secure connectivity, giving you peace of mind that your network is always protected. Set the “Private subnet” parameter only during subnet creation.
You can create a private subnet in Azure through the portal, CLI, or ARM Template. Please note that the private subnet feature is currently in preview and does not have a defined service level agreement. Therefore, Azure recommends not using the preview feature for production workloads.
The benefits of a Private subnet are:
- Secure by default – aligning to the zero trust network security principle by design.
- Control of explicit outbound access – explicit connectivity methods instead of implicit when granting access to resources in your virtual network.
Organisations can significantly benefit from Azure’s private subnet as its robust security feature ensures top-notch data protection.
Santhosh has over 15 years of experience in the IT organization. Working as a Cloud Infrastructure Architect and has a wide range of expertise in Microsoft technologies, with a specialization in public & private cloud services for enterprise customers. My varied background includes work in cloud computing, virtualization, storage, networks, automation and DevOps.