
Task 01: Virtual Network & Subnets

Runbook Azure

DOCUMENT CATEGORY: Runbook SCOPE: Virtual network deployment PURPOSE: Create management VNet and subnets MASTER REFERENCE: Microsoft Learn - Virtual Networks

Status: Active


Overview

This task creates the management Virtual Network (VNet) and all required subnets for Azure Local infrastructure. This VNet hosts management VMs (Domain Controllers, Utility Server, NDM Server, Lighthouse Server) and provides connectivity to on-premises via VPN.

Task Classification

Execution Target: Azure-Only (control-plane API operation)
Tab Profile: 3 tabs — Azure Portal · Azure CLI / PowerShell · Standalone Script

Terraform Reference

Module: azurelocal-toolkit
File: network.tf
Mode: Management

Components Created

| Resource | Name Pattern | Purpose |
|----------|--------------|---------|
| Virtual Network | vnet-azrl-{env}-{region}-01 | Management address space |
| GatewaySubnet | GatewaySubnet | VPN Gateway (required name) |
| Management Subnet | snet-azrl-{env}-{region}-01 | Management VMs |
| Bastion Subnet | AzureBastionSubnet | Azure Bastion (required name, /26 min) |
| Endpoints Subnet | snet-endpoints-{env}-{region}-01 | Private Endpoints |

Default Subnet Layout

| Subnet | Default CIDR | Notes |
|--------|--------------|-------|
| GatewaySubnet | 10.x.x.0/27 | Required name, no NSG |
| snet-azrl-* | 10.x.x.32/27 | DCs, Utility, NDM, Lighthouse |
| AzureBastionSubnet | 10.x.x.64/26 | Required name, /26 minimum |
| snet-endpoints-* | 10.x.x.128/27 | Key Vault, Storage endpoints |

Prerequisites

  • Phase 01: Landing Zones completed — subscription and resource groups exist
  • Phase 03: RBAC Permissions completed — deployment identity has Network Contributor role
  • Network IP address ranges documented and confirmed (no conflicts with on-prem)
  • Landing zone model confirmed (Single Subscription or CAF/WAF)

Variables from variables.yml

| Variable | Config Path | Example (IIC) |
|----------|-------------|---------------|
| Subscription ID | azure.subscriptions.<name>.id | (per environment) |
| Resource Group | network.azure_vnets.management.resource_group | rg-azrlmgmt-azl-eus-01 |
| VNet Name | network.azure_vnets.management.name | vnet-azrl-azl-eus-01 |
| Location | network.azure_vnets.management.location | eastus |
| Address Space | network.azure_vnets.management.cidr | 10.250.1.0/24 |
| GatewaySubnet CIDR | network.azure_vnets.management.subnets.gateway.cidr | 10.250.1.0/27 |
| Management Subnet CIDR | network.azure_vnets.management.subnets.management.cidr | 10.250.1.32/27 |
| Bastion Subnet CIDR | network.azure_vnets.management.subnets.bastion.cidr | 10.250.1.64/26 |
| Endpoints Subnet CIDR | network.azure_vnets.management.subnets.endpoints.cidr | 10.250.1.128/27 |

Single Subscription Model

In the single subscription model, all management infrastructure is deployed to a single subscription under one resource group.

Landing Zone Placement

| Field | Value | Config Path |
|-------|-------|-------------|
| Subscription | Customer subscription | azure.subscriptions.<name>.id |
| Resource Group | rg-azrlmgmt-{env}-{region}-01 | network.azure_vnets.management.resource_group |
| VNet Name | vnet-azrl-{env}-{region}-01 | network.azure_vnets.management.name |
| Location | Azure region | network.azure_vnets.management.location |
| Address Space | 10.x.x.0/24 | network.azure_vnets.management.cidr |

Execution Options

Azure Portal

When to use: Learning Azure Local, single deployment, prefer visual interface

Procedure

  1. Navigate to Virtual Networks:
  • In Azure Portal, search for Virtual networks
  • Click + Create

  2. Basics tab:

| Field | Value | Source |
|-------|-------|--------|
| Subscription | Your subscription | azure.subscriptions.<name>.id |
| Resource group | rg-azrlmgmt-{env}-{region}-01 | network.azure_vnets.management.resource_group |
| Virtual network name | vnet-azrl-{env}-{region}-01 | network.azure_vnets.management.name |
| Region | Your region | network.azure_vnets.management.location |

  3. IP Addresses tab:

  • Set IPv4 address space to value from network.azure_vnets.management.cidr
  • Add subnets:

| Subnet Name | Address Range | Source |
|-------------|---------------|--------|
| GatewaySubnet | /27 range | network.azure_vnets.management.subnets.gateway.cidr |
| Management subnet | /27 range | network.azure_vnets.management.subnets.management.cidr |
| AzureBastionSubnet | /26 range | network.azure_vnets.management.subnets.bastion.cidr |
| Endpoints subnet | /27 range | network.azure_vnets.management.subnets.privateendpoints.cidr |

  4. Security tab: Leave defaults (no Bastion/Firewall/DDoS at this stage)

  5. Tags tab: Apply standard tags per tags.* config paths

  6. Review + create: Verify settings → Click Create

Validation

  • VNet created successfully in the correct resource group
  • All four subnets visible under the VNet
  • Address space matches network.azure_vnets.management.cidr
  • GatewaySubnet has no NSG attached

Validation

  • VNet created in the correct resource group
  • All four subnets present with correct CIDRs
  • GatewaySubnet has no NSG attached
  • Address space does not conflict with on-premises networks

CAF/WAF Landing Zone Model

In the CAF/WAF model, networking resources are deployed to the Connectivity subscription under the Connectivity management group, separate from management and identity resources.

Landing Zone Placement

| Field | Value | Config Path |
|-------|-------|-------------|
| Subscription | Connectivity subscription | azure.subscriptions.connectivity.id |
| Resource Group | rg-azrlconn-{env}-{region}-01 | network.azure_vnets.management.resource_group |
| VNet Name | vnet-azrl-{env}-{region}-01 | network.azure_vnets.management.name |
| Location | Azure region | network.azure_vnets.management.location |
| Address Space | 10.x.x.0/24 | network.azure_vnets.management.cidr |

Different Subscription Target

In CAF/WAF, this VNet is created in the Connectivity subscription — not the same subscription as management VMs. VNet peering or cross-subscription subnet references may be required for VM NICs.

Execution Options

Azure Portal

When to use: Learning Azure Local, single deployment, prefer visual interface

Procedure

  1. Navigate to Virtual Networks:
  • In Azure Portal, search for Virtual networks
  • Click + Create

  2. Basics tab:

| Field | Value | Source |
|-------|-------|--------|
| Subscription | Connectivity subscription | azure.subscriptions.connectivity.id |
| Resource group | rg-azrlconn-{env}-{region}-01 | network.azure_vnets.management.resource_group |
| Virtual network name | vnet-azrl-{env}-{region}-01 | network.azure_vnets.management.name |
| Region | Your region | network.azure_vnets.management.location |

  3. IP Addresses tab:

  • Set IPv4 address space to value from network.azure_vnets.management.cidr
  • Add subnets identical to Single Subscription model (same names, same CIDRs)

  4. Security tab: Leave defaults

  5. Tags tab: Apply standard tags per tags.* config paths

  6. Review + create: Verify settings → Click Create

Validation

  • VNet created in the Connectivity subscription and resource group
  • All four subnets visible under the VNet
  • Address space matches config
  • GatewaySubnet has no NSG attached

Validation

  • VNet created in the Connectivity subscription resource group
  • All four subnets present with correct CIDRs
  • Address space does not conflict with on-premises or other VNets
  • GatewaySubnet has no NSG attached

Troubleshooting

| Issue | Root Cause | Remediation |
|-------|------------|-------------|
| Address space overlaps | Conflict with existing VNet or on-prem range | Choose non-overlapping CIDR from Planning & Discovery |
| Subnet creation fails | Address prefix outside VNet address space | Verify subnet CIDRs fit within VNet CIDR |
| GatewaySubnet too small | Less than /27 | Use /27 minimum for VPN Gateway |
| AzureBastionSubnet too small | Less than /26 | Use /26 minimum for Azure Bastion |
| Permission denied | Missing Network Contributor role | Verify RBAC from Phase 03 |
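The address-space rows of this table can all be caught before anything is deployed. The pre-flight check below is an added example, not part of the runbook or the azurelocal-toolkit; it takes the subnet layout as it would be read from variables.yml (here the IIC example values from the variables table) plus a constructed on-prem range, and reports every layout fault the Portal would otherwise reject one at a time.

```python
import ipaddress

# Minimum sizes Azure enforces for the two reserved subnet names.
MIN_PREFIX = {"GatewaySubnet": 27, "AzureBastionSubnet": 26}

def validate_layout(vnet_cidr, subnets, on_prem_ranges=()):
    """Return a list of findings; an empty list means the layout is deployable.
    vnet_cidr      -- network.azure_vnets.management.cidr
    subnets        -- {subnet name: subnet CIDR}
    on_prem_ranges -- on-prem CIDRs from Planning & Discovery (constructed here)
    """
    findings = []
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    nets = {}
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
        except ValueError as exc:
            findings.append(f"{name}: invalid CIDR {cidr} ({exc})")
            continue
        nets[name] = net
        # "Subnet creation fails": address prefix outside VNet address space
        if not net.subnet_of(vnet):
            findings.append(f"{name}: {cidr} is outside VNet {vnet_cidr}")
        # "GatewaySubnet too small" / "AzureBastionSubnet too small"
        if name in MIN_PREFIX and net.prefixlen > MIN_PREFIX[name]:
            findings.append(f"{name}: {cidr} is smaller than the /{MIN_PREFIX[name]} minimum")
    # Subnets within one VNet must not overlap each other
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} and {b} overlap ({nets[a]} vs {nets[b]})")
    # "Address space overlaps": conflict with a documented on-prem range
    for rng in on_prem_ranges:
        if vnet.overlaps(ipaddress.ip_network(rng, strict=False)):
            findings.append(f"VNet {vnet_cidr} overlaps on-prem range {rng}")
    return findings

# Default layout with the IIC example values from the variables table.
IIC_LAYOUT = {
    "GatewaySubnet": "10.250.1.0/27",
    "snet-azrl-azl-eus-01": "10.250.1.32/27",
    "AzureBastionSubnet": "10.250.1.64/26",
    "snet-endpoints-azl-eus-01": "10.250.1.128/27",
}

if __name__ == "__main__":  # 10.10.0.0/16 is a constructed on-prem range
    for finding in validate_layout("10.250.1.0/24", IIC_LAYOUT, ["10.10.0.0/16"]):
        print("FAIL:", finding)
```

Run it against the real variables.yml values before opening the Portal; a clean run prints nothing, and each FAIL line maps to one row of the troubleshooting table.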


Version Control

  • Created: 2025-09-15 by Hybrid Cloud Solutions
  • Last Updated: 2026-03-03 by Hybrid Cloud Solutions
  • Version: 4.0.0
  • Tags: azure-local, virtual-network, subnets, networking, management-infrastructure
  • Keywords: virtual network, VNet, subnets, GatewaySubnet, AzureBastionSubnet, IP addressing
  • Author: Hybrid Cloud Solutions