Azure VNet and address space [closed]

Just started learning Azure Virtual Network. The following excerpt is about Address Space as defined here: VNet Address Space. Question: When you say a VNet has an address space 10.0.0.0/16, what does it mean? I have read an address space is a range of IP addresses for a Virtual Network and its subnets. What is the 16 in 10.0.0.0/16, and when you assign an IP address to a resource from this address space, what role does 10.0.0.0/16 play? I assume you cannot just pick any four numbers and create an IP address xx.x.x.x (x's are numbers here) for a resource in the VNet with the above address space. I just read some online docs on the subject but, for a newbie in this subject, I found those to be a bit overwhelming to understand. Can there be a simple explanation to start with?

Address space: When creating a VNet, you must specify a custom private IP address space using public and private (RFC 1918) addresses. Azure assigns resources in a virtual network a private IP address from the address space that you assign. For example, if you deploy a VM in a VNet with address space, 10.0.0.0/16, the VM will be assigned a private IP like 10.0.0.4.
Fulgurant answered 30/11, 2020 at 3:8 Comment(1)
Azure Virtual Networks are a tag in this system and networking these days is a key part of programming. Question is on-topic. Are 10k people wrong? Rotator

For a newbie in this subject, I found those to be bit overwhelming to understand. Can there be a simple explanation to start with?

Internal Networks & the Internet

Think about the public internet network with 255.255.255.255 addresses.

Now think about your private/internal network with your Router/Switch at home and how it usually starts with 192.168.0.0.

In organizations you typically assign the private network starting with 10.0.0.0 addresses and you see this practice has carried over from company infrastructure to the Cloud.

The missing link: NIC cards in PCs can communicate using the internal network as well as the public internet.

To demonstrate, when you do an ipconfig /all to look up the IP Address of your phone connected to your PC, it's an internal network address, eg 192.168.1.4:

Versus doing a nslookup on a publicly listed website.

Internal Network sizes with CIDRs

Question: When you say a VNet has an address space 10.0.0.0/16, what does it mean?

In order to define the size of the private network (how many IP addresses) we use a CIDR range, the value after the slash.

So for a Network with 10.0.0.0/28, the calculation is 32 minus the CIDR value, eg:

32 - 28 = 4

Then 2 to the power of the result:

2^4 = 2 * 2 * 2 * 2 

16 addresses!

In real life you'd create a VNet with more than 16 addresses because that's not going to accommodate many device IP Addresses, and 4 or 5 of the addresses in VNets are reserved by Azure (same with AWS).

Your example of 10.0.0.0/16 is a more realistic VNet size and equals 65536 addresses.

Ref: https://devblogs.microsoft.com/premier-developer/understanding-cidr-notation-when-designing-azure-virtual-networks-and-subnets/#:~:text=The%20second%2C%20and%20most%20important,which%20provides%20eight%20IP%20addresses.

That's all you need to know about CIDR ranges, and you can see in the Code Snippet how it involves electronics with masking and binary. It can confuse people when they look deeper beyond what I've explained. The good stuff now is what we can do with this knowledge.

Live Snippet CIDR Network Address Calculator

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>CIDR Range Calculator</title>
    <script>
        // Work out how many addresses a CIDR range covers: 2 ^ (32 - prefix length).
        function calculateAddresses() {
            const cidrInput = document.getElementById('cidrInput').value.trim();
            const resultElement = document.getElementById('result');

            // Validate the shape of the input: four octets, a slash and a prefix of 0-32.
            const cidrPattern = /^(\d{1,3}\.){3}\d{1,3}\/(\d|[12]\d|3[0-2])$/;
            if (!cidrPattern.test(cidrInput)) {
                resultElement.textContent = 'Invalid CIDR range. Please enter a valid CIDR notation (e.g., 192.168.1.0/24).';
                return;
            }

            // Split the address from the prefix length and check each octet is 0-255
            // (the pattern above only checks the digit count, so 999.0.0.0/8 would pass it).
            const [address, subnetMask] = cidrInput.split('/');
            if (address.split('.').some(octet => Number(octet) > 255)) {
                resultElement.textContent = 'Invalid CIDR range. Each octet must be between 0 and 255.';
                return;
            }
            const maskBits = parseInt(subnetMask, 10);

            // The prefix length is the number of network bits; the remaining
            // 32 - maskBits bits are host bits, so the range holds 2^(32 - maskBits) addresses.
            const numberOfAddresses = Math.pow(2, 32 - maskBits);

            resultElement.textContent = `Number of IP addresses in ${cidrInput}: ${numberOfAddresses}`;
        }
    </script>
</head>
<body>
    <h2>CIDR Range Calculator</h2>
    <p>Enter a CIDR range (e.g., 10.10.0.0/24):</p>
    <input type="text" id="cidrInput" placeholder="Enter CIDR range (e.g., 10.10.0.0/24)" value="10.10.0.0/21">
    <button onclick="calculateAddresses()">Calculate</button>

    <p id="result"></p>

</body>
</html>

Cloud Network Topology

VNets/VPCs & Subnets with Azure & AWS

Both cloud providers limit VNets per region (VNets aka VPCs in AWS). You cannot have a VNet/VPC that covers multiple regions and that's where VNet/VPC Peering or Azure Virtual Wide-Area-Network (VWAN) / AWS VPC Transit Gateway come in.

Inside VNets you can define Subnets, which are smaller address ranges that fit inside the VNet's address range. This is another reason why a VNet with 16 addresses is too small if you want to use multiple Subnets; each needs more than half a dozen or so addresses.

A key difference between Azure and AWS is that AWS limits Subnets to Availability Zones (AZs) for practical reasons. Whereas in Azure you can configure Subnets across AZ boundaries.

AWS is a good example of why VNets/VPCs have Subnets: they split them up by AZ for redundancy. You can see Azure allows for other breakdowns as well as by AZ, eg:

Public vs Private Subnets

We often refer to Subnets as either Private or Public. Public Subnets are connected to the Internet, this is done via a Route Table allowing the Subnet to communicate in/out of 0.0.0.0/0 (an address which means everything).

This diagram shows a Public Subnet at the top connected to the Internet through the 0.0.0.0 entry (aka the Internet Gateway). The bottom Subnet is a Private Subnet that can only be reached via the Public Subnet using the Route Table and a Network Security Group or from a VPN connection to the Office using Azure Express Route or AWS Connect Direct:

Private Subnets do not allow access to or from the public internet.

As mentioned, for traffic coming into a Private Subnet you either allow a VPN Connection from work, or set up access to the internet via a Public Subnet that you allow to tunnel through to a Private Subnet using the Route Table & a Network Security Group. The diagram shows Database connections from the Public to the Private Subnet allowing communication on a port, eg 5432, 1521 or 1433.

Communicating out of a Private Subnet to the internet for example to download a patch or update has to be done via a NAT gateway or a VM/EC2 configured to act as a NAT gateway (aka a NAT instance). Alternatively you can connect to the office via VPN connection.

I assume you cannot just pick any four numbers and create an IP address xx.x.x.x (x's are numbers here) for a resource in the VNet with the above address space.

In this diagram we see the Subnet addresses start with 10.0.0.0 and have CIDR ranges of /24, which fit inside the VNet's/VPC's CIDR range of /16. Also note that a CIDR value of 24 is a range of 256 addresses, 0 - 255. That's why the Public Subnet shown here is assigned IP Addresses in the range of 10.0.0.0-255 and the Private Subnet has the 10.0.1.0-255 range.

Rotator answered 30/11, 2020 at 3:36 Comment(0)
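The following is an added example, not code from the answer above or from Azure: it carries the answer's CIDR arithmetic through in plain JavaScript with the 32-bit masking the answer alludes to, checks that subnets fit inside a VNet address space without overlapping, applies the five addresses Azure reserves per subnet (which is why the first VM gets 10.0.0.4), and does a longest-prefix route lookup modelled on the answer's public/private subnet diagram. The VNet range, subnet names and route tables are constructed for the example; the next-hop labels are illustrative strings, not Azure API values.

```javascript
// Added example, not code from the original answer. CIDR arithmetic for Azure VNets
// and subnets using 32-bit masking, plus a longest-prefix route lookup modelled on
// the answer's public/private subnet diagram. All ranges, subnet names and route
// tables are constructed for the example; the 5 reserved addresses per subnet and
// the /29 minimum are documented Azure behaviour; next-hop labels are illustrative.

// Dotted-quad text -> unsigned 32-bit integer. Rejects octets outside 0..255.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error(`bad IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`bad octet in ${ip}`);
    return ((acc << 8) | Number(p)) >>> 0;
  }, 0);
}

// Unsigned 32-bit integer -> dotted-quad text.
function intToIp(n) {
  return [24, 16, 8, 0].map((shift) => (n >>> shift) & 0xff).join(".");
}

// "10.0.0.0/16" -> network, mask, prefix length, size and last address.
// The prefix length is the count of leading 1 bits in the mask; the remaining
// 32 - prefix bits are host bits, so size = 2^(32 - prefix), as the answer calculates.
function parseCidr(cidr) {
  const m = /^([\d.]+)\/(\d{1,2})$/.exec(cidr.trim());
  if (!m || Number(m[2]) > 32) throw new Error(`bad CIDR: ${cidr}`);
  const prefix = Number(m[2]);
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  const network = (ipToInt(m[1]) & mask) >>> 0; // host bits cleared
  const size = 2 ** (32 - prefix);
  return { network, mask, prefix, size, last: (network + size - 1) >>> 0 };
}

// An address is in a range when masking it with the range's mask gives the network.
function ipInCidr(ip, cidr) {
  const c = parseCidr(cidr);
  return ((ipToInt(ip) & c.mask) >>> 0) === c.network;
}

function cidrContains(outer, inner) {
  const o = parseCidr(outer), i = parseCidr(inner);
  return i.network >= o.network && i.last <= o.last;
}

function cidrsOverlap(a, b) {
  const x = parseCidr(a), y = parseCidr(b);
  return x.network <= y.last && y.network <= x.last;
}

// Azure reserves five addresses in every subnet: the network address, .1 for the
// default gateway, .2 and .3 for Azure DNS, and the broadcast address. The first
// VM therefore lands on network + 4, the 10.0.0.4 in the question's excerpt.
const AZURE_RESERVED_PER_SUBNET = 5;
function azureSubnetCapacity(subnetCidr) {
  const c = parseCidr(subnetCidr);
  if (c.prefix > 29) throw new Error(`Azure subnets must be /29 or larger, got /${c.prefix}`);
  return {
    usable: c.size - AZURE_RESERVED_PER_SUBNET,
    firstAssignable: intToIp(c.network + 4),
    lastAssignable: intToIp(c.last - 1),
  };
}

// Check a subnet layout against a VNet address space: every subnet must sit inside
// the VNet range and no two subnets may overlap. Returns the per-subnet capacity.
function planSubnets(vnetCidr, subnets) {
  const report = {};
  for (const [name, cidr] of Object.entries(subnets)) {
    if (!cidrContains(vnetCidr, cidr)) throw new Error(`${name} ${cidr} is outside ${vnetCidr}`);
    for (const [other, entry] of Object.entries(report)) {
      if (cidrsOverlap(cidr, entry.cidr)) throw new Error(`${name} overlaps ${other}`);
    }
    report[name] = { cidr, ...azureSubnetCapacity(cidr) };
  }
  return report;
}

// Longest-prefix match over a route table: the most specific matching prefix wins,
// so 0.0.0.0/0 matches everything but loses to the VNet's own /16.
function lookupRoute(routes, destIp) {
  let best = null;
  for (const r of routes) {
    const c = parseCidr(r.prefix);
    if (ipInCidr(destIp, r.prefix) && (best === null || c.prefix > best.prefix)) {
      best = { prefix: c.prefix, nextHop: r.nextHop };
    }
  }
  return best ? best.nextHop : null;
}

// Constructed layout matching the answer's diagram: a /16 VNet with a public and a
// private /24. The public route table sends 0.0.0.0/0 to the Internet; the private
// one drops it ("None"), so that subnet is only reachable from inside the VNet.
const VNET = "10.0.0.0/16";
const SUBNETS = { public: "10.0.0.0/24", private: "10.0.1.0/24" };
const PUBLIC_ROUTES = [{ prefix: VNET, nextHop: "VirtualNetwork" }, { prefix: "0.0.0.0/0", nextHop: "Internet" }];
const PRIVATE_ROUTES = [{ prefix: VNET, nextHop: "VirtualNetwork" }, { prefix: "0.0.0.0/0", nextHop: "None" }];

console.log(planSubnets(VNET, SUBNETS));
console.log("public  -> 93.184.216.34:", lookupRoute(PUBLIC_ROUTES, "93.184.216.34"));
console.log("private -> 93.184.216.34:", lookupRoute(PRIVATE_ROUTES, "93.184.216.34"));
```

Run it with node; planSubnets reports 251 usable addresses per /24 (256 minus the 5 Azure reserves) with the first VM address at .4, throws if you hand it a subnet outside the VNet or two subnets that overlap, and lookupRoute shows the same Internet-bound destination leaving the public subnet but being dropped from the private one. The ipToInt octet check is what the page's calculator was missing: a regex that only counts digits accepts 999.0.0.0/8.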
