Understanding CIDR Notation when designing Azure Virtual Networks and Subnets

Developer Support

App Dev Manager Chris Tjoumas explains classless internet domain routing (CIDR) blocks.

When designing a system architecture in Azure, you will often need to connect Azure VMs (Virtual Network Peering if in the same region, or using VPN Gateway if not) to each other or to extend your on-prem network to the Azure cloud. Azure Virtual Networks are used to achieve this and provide a logical isolation of the Azure cloud, dedicated to your subscription. This isolation allows you to create separate Virtual Networks for development, test, and production. Each Virtual Network can be segmented into multiple subnets and the VMs can connect to each other by using Private IP addresses, even if they are in different subnets. Azure provides system routes between subnets, Virtual Networks, and on-prem networks. You can learn more about Virtual Networks here.

When creating a Virtual Network, specifying the address space is the most critical configuration. This is the IP range for the entire network that will be divided into subnets. When considering the address space, there are some address ranges which cannot be used for Virtual Networks:

  • /4 (Multicast)
  • /32 (Broadcast)
  • /8 (Loopback)
  • /16 (Link-Local)
  • /32 (Internal DNS)

As you create your Virtual Network, Azure will help to ensure you do not have your address range overlap with other Virtual Networks. In the portal, you’ll have to create a default subnet when you create your Virtual Network, but you can manage subnets by changing the address range of a subnet as well as adding additional subnets. As you create subnets, it’s important to understand some specifics to ensure we have the correct number of IPs for a given subnet.

The first thing to understand is that Azure holds 5 IP addresses for every subnet. The first and last IP in each subnet is reserved for the network identification and for broadcast, respectively. Azure also holds 3 additional addresses for internal use starting from the first address in the subnet.

The second, and most important, is that subnets are created using classless internet domain routing (CIDR) blocks of the address space that was designed for the Virtual Network. As an example, the smallest range you can specify for a subnet is /29, which provides eight IP addresses. As mentioned earlier, the Azure portal makes it easy to create Virtual Networks and subnets, and even tells you how many IP addresses a given CIDR block is. Give it a try – in the Azure portal, type in an address range box (either for the Virtual Network or the subnet). Notice at the bottom it gives you actual IP address range as well as the number of IP addresses.


In this case, it shows –, which is 8 addresses. However, remember that 5 are reserved so you effectively have 3 addresses in this range. But, how do you figure out what the /29 is doing so you can know exactly what you want rather than typing in a bunch of numbers to get to the address range and number of addresses that you need? (Hint: if you are going to take the Azure 70-533, Implementing Microsoft Azure Infrastructure Solutions, this is useful to know!). While it might look confusing, it’s fairly simple once you see what the CIDR notation actually means.

Let’s start our example with what we looked at earlier: First, what is the number after the slash? It represents the bit mask for the network, telling us how many bits are the same for each IP on the subnet and which bits are variable. In this example, the first 29 bits are all the same. You can visualize this by writing the binary representation of the IP address in octets.

For a quick refresher on how each bit is represented in binary, the values of each bit from left to right is: 128 64 32 16 8 4 2 1

So, we can represent as the following octet:

0000 1010 – 0000 0001 – 0000 0000 – 0000 0000

As mentioned earlier, the /29 means the first 29 bits of the octet are the same, which I’ve bolded for ease of reading: 0000 1010 – 0000 0001 – 0000 0000 – 0000 0000

This means, the last three bits can be 0 or 1. If we make them all 1s, we get the maximum IP value in the range:

0000 1010 – 0000 0001 – 0000 0000 – 0000 0111

This equates to, so we have our range as –, just as the screenshot above shows. This is an easy example to calculate by looking at the range, but for something a bit more complicated, you would just calculate the combination of bit options. So, if you have 3 bits which are variable as in this example, you have 2^3, or 8, IP addresses; if you have 10 variable bits, you have 2^10, or 1024, IP addresses.

Let’s look at one more example and use what we know to work backwards. Let’s say you know you want a Virtual Network with an address range of – How can we represent this in CIDR notation and enter that into the Create virtual network blade in Azure? Let’s start by representing the first and last IP address in that range in binary:

0000 1010 | 0000 0000 | 0000 0000 | 0000 0000

0000 1010 | 0011 1111 | 1111 1111 | 1111 1111

Starting with the left most octet, the bits that are the same are 0000 1010 | 00. So, we have 10 bits which are the same, making our CIDR notation This gives us 22 variable bits, which gives us 2^22, or 4,194,304 IPs.

Now that we know what CIDR notation is and how it can be easily deciphered to create subnets, we can create the right sized subnet on our first try. If any mistakes are made, or if a subnet needs to be updated, this is possible but can sometimes be a bit of a pain. The change is easy enough, but any changes to subnets and address ranges can only be made if there are no devices connected to the subnet. Additionally, subnets can only be deleted from Virtual Networks if they are empty.

This is a key piece of knowledge you will need when creating Virtual Networks, but there is a lot more to understand in order to successfully design your network. I encourage you to continue reading and learning about Virtual Networks as you start planning your network architecture.


Discussion is closed. Login to edit/delete existing comments.

  • Sameer Kumar 0

    Very well articulated and very helpful.

  • Sameer Kumar 0

    Binary of 63 is 0011 1110?

    • Reed RobisonMicrosoft employee 0

      Good catch Sameer. We’ll update the post. Thank you.

Feedback usabilla icon