How to subnet in cloud network environments

Basic subnetting principles

Subnetting refers to the practice of dividing an address space into two or more smaller address spaces. To understand the intricacies of subnetting, it's necessary to know the basic principles of IP addresses and subnet masks.

IP address format

An IP address is the unique identifier that distinguishes devices on a network. These identifiers enable devices to connect and communicate with each other. The structure of an IP address differs for IPv4 or IPv6 addresses.

An IPv4 address is a 32-bit number that consists of four digits. These digits are known as octets, because each number is eight bits in length. Each number within an IP address can, theoretically, be between 0 and 255, though rules prohibit IP addresses from using certain numbers.

Each IP address is divided into two parts that collectively form the IP address: the network address and the host address. The network address conveys the identity of the network on which the host resides, and the host address uniquely identifies the machine on that network.

An IPv6 address is a 128-bit number that consists of eight groups of 16-bit segments. Each segment represents four hexadecimal digits.

Subnet mask format

A subnet mask determines where the network address ends and where the host address begins. It's a 32-bit number that identifies the network and host portions of an IPv4 address. Each subnet mask consists of four numbers, and each ranges between 0 and 255.

If a position within the subnet mask is assigned the number 255, then the corresponding position within the IP address is part of the network address. Similarly, if a position within the subnet address is assigned a value of 0, then the corresponding position within the IP address belongs to the host address.

For example, if a device has an IP address of 192.168.0.1 and a subnet mask of 255.255.255.0, this means the network address is 192.168.0 and the host address is 1. It's also possible to create subnets that use numbers other than 255 and 0 within the subnet mask.

IPv6 addresses use the prefix length to identify the network and host portions of an address, formatted in Classless Inter-Domain Routing (CIDR) notation, instead of subnet masks.

How does subnetting differ in cloud networks?

The process of creating and managing subnets in cloud networks is similar to creating subnets on premises. Both methods require admins to configure routers, define IP ranges and implement security, among other similarities. However, CSPs simplify the subnetting process with automated tools, while on-premises networks largely require manual configuration.

The process of creating subnets in on-premises networks is as follows:

1. Determine the number of hosts and subnets. Figure out network requirements to understand the number of hosts and subnets needed for the network configuration.
2. Calculate and assign the subnet mask or prefix. Determine the subnet mask or prefix number that accommodates these requirements and assign it to the network.
3. Configure routers. Configure routers to route traffic between subnets and external networks.
4. Configure devices and define the IP range. Assign IP addresses within the subnet's address range to each device in the subnet.
5. Ensure security. Implement the necessary security measures, such as firewalls and access control lists, to secure the subnet.

In cloud networks, CSPs offer the platform and tools for network administrators to subnet their networks in a virtualized environment. This virtualization enables administrators to have multiple virtual networks alongside each other. It also simplifies the subnet creation process.

Subnet configuration in cloud environments is simpler, as it requires a few clicks or commands in the CSP's platform. The process is a little different with each CSP, however.

AWS, for example, implements virtual networks as virtual private clouds. Admins can create as many VPCs as they want, and each functions as an independent virtual network. If they want to create the same subnet within two different VPCs, those subnets don't interfere with each other because the VPCs act as an isolation boundary. Azure uses a similar process, but Microsoft refers to its virtual networks as VNETs.

Cloud subnet creation process differs slightly depending on the provider, but the process typically follows these steps:

1. Find network management settings. Access the network settings in the CSP's console.
2. Select the network. Select the cloud network where you plan to create a new subnet.
3. Add the subnet. Click "Create subnet" to add a subnet.
4. Define the IP range. Define the CIDR block or IP address range to specify the scope of addresses the subnet can use.
5. Save the subnet. Click "Save subnet" to save or apply the subnet.

Some cloud providers might include other advanced options during the subnet creation process, such as associating routing tables, security groups and availability zones.

Subnet design and placement considerations

When you create cloud subnets, consider what you need to accomplish with them. Every subnet should serve a specific purpose. Network admins have several reasons for creating subnets in on-premises networks, and various use cases exist for cloud subnets as well.

For example, network administrators can create subnets in the cloud to act as an isolation boundary. Suppose you create several virtual servers within the cloud that need to communicate with one another. You might create a backbone virtual network segment between all those servers. This enables you to configure the segment with its own dedicated subnet to prevent server backbone traffic from leaving the backbone segment and traversing the general network. Similarly, you don't need to worry about general network traffic reaching the backbone segment.

Organizations commonly use similar approaches for network management, because they often use designated subnets to manage traffic. Although IT professionals can manage servers over the general network, the use of a dedicated subnet improves security because it prevents management traffic from traversing the general network where it could be prone to snooping.

If administrators confine management traffic to a dedicated subnet, they can have different firewall rules for the management network than for the general network. For example, they might choose to enable Remote Desktop Protocol traffic on the management subnet, but not on the general network.

Network administrators sometimes create subnets within the cloud to improve network performance or control traffic. For example, an organization might choose to subnet its network by function. This might mean creating a subnet for web servers, another for application servers and so on. Similarly, admins commonly place load balancers into their own subnet to effectively manage inbound traffic.

Finally, network administrators might create subnets specifically to integrate with cloud services. In Azure, for example, admins can use service endpoints to connect a subnet directly to an Azure service.

Brien Posey is a 22-time Microsoft MVP and a commercial astronaut candidate. In his more than 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America.