A quick reference of Azure Virtual Network restrictions and recommendations.

Min/Max supported subnet sizing

  • Min IPv4 - /29
  • Max IPv4 - /2
  • IPv6 must be exactly /64

Ranges that can be used: - (10/8 prefix) - (172.16/12 prefix) - (192.168/16 prefix)

You cannot add the following address ranges: (Multicast) (Broadcast) (Loopback) (Link-local) (Internal DNS, DHCP, and Azure Load Balancer health probe)

IP address restrictions within a subnet

Azure reserves the first 4 and last IP address for a total of 5 IP addresses.


Using range of the below addresses would be reserved by Azure:

  • : Network address
  • : Reserved by Azure for the default gateway
  •, : Reserved by Azure to map the Azure DNS IPs to the VNet space
  • : Network broadcast address.

Dedicated subnet recommendations

  • GatewaySubnet (/27), Smallest subnet size /29. However, it’s recommended to use a /27 or larger.
  • AzureFirewallSubnet (/26)
  • AzureBastionSubnet (/26) see, https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services

Application Gateway

  • Application Gateway (Standard or WAF) SKU can support up to 32 instances (32 instance IP addresses + 1 private front-end IP + 5 Azure reserved) – so a minimum subnet size of /26 is recommended
  • Application Gateway (Standard_v2 or WAF_v2 SKU) can support up to 125 instances (125 instance IP addresses + 1 private front-end IP + 5 Azure reserved). A minimum subnet size of /24 is recommended.

Note Although a /24 subnet is not required per Application Gateway v2 SKU deployment, it is highly recommended. This is to ensure that Application Gateway v2 has sufficient space for autoscaling expansion and maintenance upgrades. You should ensure that the Application Gateway v2 subnet has sufficient address space to accommodate the number of instances required to serve your maximum expected traffic. If you specify the maximum instance count, then the subnet should have capacity for at least that many addresses.

Gateway Transit (VNet Peering)

When you Allow Gateway Transit the virtual network can communicate to resources outside the peering. For example, the subnet gateway could:

  • Use a site-to-site VPN to connect to an on-premises network.
  • Use a VNet-to-VNet connection to another virtual network.
  • Use a point-to-site VPN to connect to a client.

In these scenarios, gateway transit allows peered virtual networks to share the gateway and get access to resources. This means you do not need to deploy a VPN gateway in the peer virtual network.