Example: choose
10.1.0.0/16 for a VNet, then split it into subnets like 10.1.1.0/24, 10.1.2.0/24, etc.
Azure platform reservations and minimum subnet size
Azure reserves five addresses in every subnet: the first four addresses and the last address. For instance, a /24 (256 addresses) has 251 usable IPs after reservation. The smallest supported subnet is /29 (8 addresses), which yields 3 usable IPs after the platform reservation—plan your subnet sizes accordingly.
Azure reserves the first four and the last IP address in every subnet (5 addresses total). A
/24 subnet leaves 251 usable IPs. The smallest supported subnet is /29 (8 addresses), which provides 3 usable IPs after reservations.- Loopback:
127.0.0.0/8 - Link-local:
169.254.0.0/16 - Multicast:
224.0.0.0/4 - Azure platform IP:
168.63.129.16(used for DNS, DHCP, and health probes)
Do not assign or block the Azure platform IP
168.63.129.16. It is required for DNS, DHCP, and health probes and must remain reachable by the platform. See the Azure documentation for details: https://learn.microsoft.com/en-us/azure/virtual-network/what-is-168-63-129-16- A private, cloud-only network boundary for your Azure resources.
- Secure hybrid connectivity to on-premises datacenters using VPN Gateway or ExpressRoute.
- A central hub to peer or connect other VNets and external networks for hub-and-spoke or mesh topologies.

10.1.0.0/16, you might create:
10.1.1.0/24— web tier (subnet-web)10.1.2.0/24— database tier (subnet-db)10.1.3.0/28— management/monitoring tools
Use Network Security Groups (NSGs) and Application Security Groups (ASGs) to apply granular security controls at the subnet or workload level. Never allow overlapping address ranges between VNets or subnets—overlap breaks routing and prevents communication.

- Dynamic (default): Azure auto-assigns the next available IP when the resource is created—suitable for most workloads.
- Static: Manually assign a fixed IP from the subnet range for services that require a stable address (e.g., internal databases or appliances).

Summary
- Choose a suitable RFC 1918 address space for your VNet (
10/8,172.16/12, or192.168/16). - Divide the space into non-overlapping subnets for separation and policy enforcement.
- Azure reserves the first four and the last IP in each subnet (5 addresses total).
- Avoid special-use ranges and never assign or block the platform IP
168.63.129.16. - Use dynamic private IP allocation by default; assign static IPs where stable addressing is needed.
10.1.0.0/16 and add the following subnets:
10.1.1.0/24— web10.1.2.0/24— db10.1.3.0/28— tools
- RFC 1918 — https://datatracker.ietf.org/doc/html/rfc1918
- Azure platform IP
168.63.129.16— https://learn.microsoft.com/en-us/azure/virtual-network/what-is-168-63-129-16 - Azure Virtual Network documentation — https://learn.microsoft.com/en-us/azure/virtual-network/