Azure - Terraform templates

Subnets

Last updated: May 16, 2025

Each VNet should contain at least one subnet, and can contain more. Normally you would define the subnets inside the VNet resource, but you can also create them as separate resources. Create a subnet with the code below:

resource "azurerm_subnet" "hub-subnet2" {
  name                 = "subnet2"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet-hub.name
  address_prefixes     = ["10.0.1.0/24"]
  depends_on = [
    azurerm_virtual_network.vnet-hub #link to your vnet
  ]
}


Adding service endpoints

If the resources connected to the subnet need to communicate with other Azure services securely over private endpoints, add a service endpoint for each of those services. The example below adds a service endpoint for Azure Container Registry to the subnet.

resource "azurerm_subnet" "hub-subnet2" {
  name                 = "subnet2"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet-hub.name
  address_prefixes     = ["10.0.1.0/24"]
  service_endpoints    = ["Microsoft.ContainerRegistry"]
  depends_on = [
    azurerm_virtual_network.vnet-hub #link to your vnet
  ]
}

Available service endpoints:

Subnets with service delegation

In Azure, some resources require a subnet that is delegated to only that type of resource. In such cases, be sure to calculate the size of the subnet carefully, as it cannot be used for other resources.

The example below shows how to create a subnet delegated to SQL Managed Instances. 

resource "azurerm_subnet" "hub-sql-subnet" {
  name                 = "SQLSubnet"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet-hub.name
  address_prefixes     = ["10.0.2.0/24"]
  
  delegation {
    name = "Microsoft.Sql/managedInstances"
    service_delegation {
      name = "Microsoft.Sql/managedInstances"
    }
  }

  depends_on = [
    azurerm_virtual_network.vnet-hub
  ]
}
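The sizing advice above can be checked before apply. The following is an added example, not part of the original templates: a Python check over `terraform show -json` plan output that reports usable addresses per subnet (Azure reserves 5 in each), overlapping prefixes, and delegated subnets that are too small. The VNet range 10.0.0.0/16, the third subnet `hub-extra`, and the `min_ips` threshold are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

AZURE_RESERVED_IPS = 5  # Azure reserves 5 addresses in every subnet

# Constructed sample, trimmed to the shape of `terraform show -json` output: the
# page's two subnets plus a hypothetical third one overlapping the SQL subnet.
PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "azurerm_subnet.hub-subnet2", "type": "azurerm_subnet",
     "values": {"address_prefixes": ["10.0.1.0/24"], "delegation": []}},
    {"address": "azurerm_subnet.hub-sql-subnet", "type": "azurerm_subnet",
     "values": {"address_prefixes": ["10.0.2.0/24"], "delegation": [{
         "service_delegation": [{"name": "Microsoft.Sql/managedInstances"}]}]}},
    {"address": "azurerm_subnet.hub-extra", "type": "azurerm_subnet",
     "values": {"address_prefixes": ["10.0.2.128/25"], "delegation": []}},
]}}}

def subnets_from_plan(plan):
    """Return (address, network, delegated_services) per subnet prefix (root module only)."""
    out = []
    for res in plan["planned_values"]["root_module"]["resources"]:
        if res["type"] != "azurerm_subnet":
            continue
        vals = res["values"]
        services = [sd["name"] for d in vals.get("delegation") or []
                    for sd in d.get("service_delegation") or []]
        for prefix in vals["address_prefixes"]:
            out.append((res["address"], ipaddress.ip_network(prefix), services))
    return out

def usable_ips(network):
    """Addresses left for resources after Azure's per-subnet reservation."""
    return max(network.num_addresses - AZURE_RESERVED_IPS, 0)

def review(plan, vnet_cidr, min_ips):
    """Flag subnets outside the VNet, undersized delegated subnets, and overlaps."""
    vnet, subnets, findings = ipaddress.ip_network(vnet_cidr), subnets_from_plan(plan), []
    for addr, net, services in subnets:
        if not net.subnet_of(vnet):
            findings.append(f"{addr}: {net} is outside VNet {vnet}")
        if services and usable_ips(net) < min_ips:  # min_ips: reviewer-chosen threshold
            findings.append(f"{addr}: {usable_ips(net)} usable IPs < {min_ips} for {services[0]}")
    for (a1, n1, _), (a2, n2, _) in combinations(subnets, 2):
        if n1.overlaps(n2):
            findings.append(f"{a1} ({n1}) overlaps {a2} ({n2})")
    return findings

if __name__ == "__main__":
    print("\n".join(review(PLAN, "10.0.0.0/16", min_ips=256)))
```

In a pipeline, load the output of `terraform show -json <planfile>` with `json.load` in place of the constructed `PLAN` and fail the job when `review` returns any findings.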

Valid list of delegations

Microsoft.Network/fpgaNetworkInterfaces
Microsoft.Web/serverFarms
Microsoft.ContainerInstance/containerGroups
Microsoft.Netapp/volumes
Microsoft.HardwareSecurityModules/dedicatedHSMs
Microsoft.ServiceFabricMesh/networks
Microsoft.Logic/integrationServiceEnvironments
Microsoft.Batch/batchAccounts
Microsoft.Sql/managedInstances
Microsoft.Sql/managedInstancesOnebox
Microsoft.Sql/managedInstancesTest
Microsoft.Sql/managedInstancesStage
Microsoft.Web/hostingEnvironments
Microsoft.BareMetal/CrayServers
Microsoft.BareMetal/MonitoringServers
Microsoft.Databricks/workspaces
Microsoft.BareMetal/AzureHostedService
Microsoft.BareMetal/AzureVMware
Microsoft.BareMetal/AzureHPC
Microsoft.BareMetal/AzurePaymentHSM
Microsoft.StreamAnalytics/streamingJobs
Microsoft.DBforPostgreSQL/serversv2
Microsoft.AzureCosmosDB/clusters
Microsoft.MachineLearningServices/workspaces
Microsoft.DBforPostgreSQL/singleServers
Microsoft.DBforPostgreSQL/flexibleServers
Microsoft.DBforMySQL/serversv2
Microsoft.DBforMySQL/flexibleServers
Microsoft.DBforMySQL/servers
Microsoft.ApiManagement/service
Microsoft.Synapse/workspaces
Microsoft.PowerPlatform/vnetaccesslinks
Microsoft.Network/dnsResolvers
Microsoft.Kusto/clusters
Microsoft.DelegatedNetwork/controller
Microsoft.ContainerService/managedClusters
Microsoft.PowerPlatform/enterprisePolicies
Microsoft.Network/virtualNetworkGateways
Microsoft.StoragePool/diskPools
Microsoft.DocumentDB/cassandraClusters
Microsoft.Apollo/npu
Microsoft.AVS/PrivateClouds
Microsoft.Orbital/orbitalGateways
Microsoft.Singularity/accounts/networks
Microsoft.Singularity/accounts/npu
Microsoft.ContainerService/TestClients
Microsoft.LabServices/labplans
Microsoft.Fidalgo/networkSettings
Microsoft.DevCenter/networkConnection
NGINX.NGINXPLUS/nginxDeployments
Microsoft.DevOpsInfrastructure/pools
Microsoft.CloudTest/pools
Microsoft.CloudTest/hostedpools
Microsoft.CloudTest/images
PaloAltoNetworks.Cloudngfw/firewalls
Qumulo.Storage/fileSystems
Microsoft.App/testClients
Microsoft.App/environments
Microsoft.ServiceNetworking/trafficControllers
GitHub.Network/networkSettings
Microsoft.Network/networkWatchers
Dell.Storage/fileSystems
Microsoft.Netapp/scaleVolumes
Oracle.Database/networkAttachments
Microsoft.SubnetDelegator/msfttestclients
Microsoft.SubnetDelegator/ametestclients
Microsoft.InternalVnetInjection/TestAppId
PureStorage.Block/storagePools
Informatica.DataManagement/organizations
Microsoft.AzureCommunicationsGateway/networkSettings
Microsoft.PowerAutomate/hostedRpa
Microsoft.MachineLearningServices/workspaceComputes

Further reading