Microsoft.Network virtualNetworks/subnets template reference

Template format

To create a Microsoft.Network/virtualNetworks/subnets resource, add the following JSON to the resources section of your template.

{
  "name": "string",
  "type": "Microsoft.Network/virtualNetworks/subnets",
  "apiVersion": "2019-08-01",
  "properties": {
    "addressPrefix": "string",
    "addressPrefixes": [
      "string"
    ],
    "networkSecurityGroup": {
      "id": "string",
      "location": "string",
      "tags": {},
      "properties": {
        "securityRules": [
          {
            "id": "string",
            "properties": {
              "description": "string",
              "protocol": "string",
              "sourcePortRange": "string",
              "destinationPortRange": "string",
              "sourceAddressPrefix": "string",
              "sourceAddressPrefixes": [
                "string"
              ],
              "sourceApplicationSecurityGroups": [
                {
                  "id": "string",
                  "location": "string",
                  "tags": {},
                  "properties": {}
                }
              ],
              "destinationAddressPrefix": "string",
              "destinationAddressPrefixes": [
                "string"
              ],
              "destinationApplicationSecurityGroups": [
                {
                  "id": "string",
                  "location": "string",
                  "tags": {},
                  "properties": {}
                }
              ],
              "sourcePortRanges": [
                "string"
              ],
              "destinationPortRanges": [
                "string"
              ],
              "access": "string",
              "priority": "integer",
              "direction": "string"
            },
            "name": "string"
          }
        ],
        "defaultSecurityRules": [
          {
            "id": "string",
            "properties": {
              "description": "string",
              "protocol": "string",
              "sourcePortRange": "string",
              "destinationPortRange": "string",
              "sourceAddressPrefix": "string",
              "sourceAddressPrefixes": [
                "string"
              ],
              "sourceApplicationSecurityGroups": [
                {
                  "id": "string",
                  "location": "string",
                  "tags": {},
                  "properties": {}
                }
              ],
              "destinationAddressPrefix": "string",
              "destinationAddressPrefixes": [
                "string"
              ],
              "destinationApplicationSecurityGroups": [
                {
                  "id": "string",
                  "location": "string",
                  "tags": {},
                  "properties": {}
                }
              ],
              "sourcePortRanges": [
                "string"
              ],
              "destinationPortRanges": [
                "string"
              ],
              "access": "string",
              "priority": "integer",
              "direction": "string"
            },
            "name": "string"
          }
        ],
        "resourceGuid": "string"
      }
    },
    "routeTable": {
      "id": "string",
      "location": "string",
      "tags": {},
      "properties": {
        "routes": [
          {
            "id": "string",
            "properties": {
              "addressPrefix": "string",
              "nextHopType": "string",
              "nextHopIpAddress": "string"
            },
            "name": "string"
          }
        ],
        "disableBgpRoutePropagation": "boolean"
      }
    },
    "natGateway": {
      "id": "string"
    },
    "serviceEndpoints": [
      {
        "service": "string",
        "locations": [
          "string"
        ]
      }
    ],
    "serviceEndpointPolicies": [
      {
        "id": "string",
        "location": "string",
        "tags": {},
        "properties": {
          "serviceEndpointPolicyDefinitions": [
            {
              "id": "string",
              "properties": {
                "description": "string",
                "service": "string",
                "serviceResources": [
                  "string"
                ]
              },
              "name": "string"
            }
          ]
        }
      }
    ],
    "resourceNavigationLinks": [
      {
        "id": "string",
        "properties": {
          "linkedResourceType": "string",
          "link": "string"
        },
        "name": "string"
      }
    ],
    "serviceAssociationLinks": [
      {
        "id": "string",
        "properties": {
          "linkedResourceType": "string",
          "link": "string",
          "allowDelete": "boolean",
          "locations": [
            "string"
          ]
        },
        "name": "string",
        "type": "string"
      }
    ],
    "delegations": [
      {
        "id": "string",
        "properties": {
          "serviceName": "string",
          "actions": [
            "string"
          ]
        },
        "name": "string"
      }
    ],
    "privateEndpointNetworkPolicies": "string",
    "privateLinkServiceNetworkPolicies": "string"
  }
}

Property values

The following tables describe the values you need to set in the schema.

Microsoft.Network/virtualNetworks/subnets object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| name | string | Yes | The name of the subnet. |
| type | enum | Yes | subnets -or- Microsoft.Network/virtualNetworks/subnets. See Set name and type for child resources. |
| apiVersion | enum | Yes | 2019-08-01 |
| properties | object | Yes | Properties of the subnet. - SubnetPropertiesFormat object |

SubnetPropertiesFormat object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| addressPrefix | string | No | The address prefix for the subnet. |
| addressPrefixes | array | No | List of address prefixes for the subnet. - string |
| networkSecurityGroup | object | No | The reference of the NetworkSecurityGroup resource. - NetworkSecurityGroup object |
| routeTable | object | No | The reference of the RouteTable resource. - RouteTable object |
| natGateway | object | No | NAT gateway associated with this subnet. - SubResource object |
| serviceEndpoints | array | No | An array of service endpoints. - ServiceEndpointPropertiesFormat object |
| serviceEndpointPolicies | array | No | An array of service endpoint policies. - ServiceEndpointPolicy object |
| resourceNavigationLinks | array | No | An array of references to the external resources using the subnet. - ResourceNavigationLink object |
| serviceAssociationLinks | array | No | An array of references to services injecting into this subnet. - ServiceAssociationLink object |
| delegations | array | No | An array of references to the delegations on the subnet. - Delegation object |
| privateEndpointNetworkPolicies | string | No | Enable or disable applying network policies on private endpoints in the subnet. |
| privateLinkServiceNetworkPolicies | string | No | Enable or disable applying network policies on private link services in the subnet. |

NetworkSecurityGroup object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| id | string | No | Resource ID. |
| location | string | Yes | Resource location. |
| tags | object | No | Resource tags. |
| properties | object | No | Properties of the network security group. - NetworkSecurityGroupPropertiesFormat object |

RouteTable object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| id | string | No | Resource ID. |
| location | string | No | Resource location. |
| tags | object | No | Resource tags. |
| properties | object | No | Properties of the route table. - RouteTablePropertiesFormat object |

SubResource object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| id | string | No | Resource ID. |

ServiceEndpointPropertiesFormat object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| service | string | No | The type of the endpoint service. |
| locations | array | No | A list of locations. - string |

ServiceEndpointPolicy object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| id | string | No | Resource ID. |
| location | string | No | Resource location. |
| tags | object | No | Resource tags. |
| properties | object | No | Properties of the service endpoint policy. - ServiceEndpointPolicyPropertiesFormat object |

ResourceNavigationLink object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| id | string | No | Resource ID. |
| properties | object | No | Resource navigation link properties format. - ResourceNavigationLinkFormat object |
| name | string | No | Name of the resource that is unique within a resource group. This name can be used to access the resource. |

ServiceAssociationLink object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| id | string | No | Resource ID. |
| properties | object | No | Resource navigation link properties format. - ServiceAssociationLinkPropertiesFormat object |
| name | string | No | Name of the resource that is unique within a resource group. This name can be used to access the resource. |
| type | string | No | Resource type. |

Delegation object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| id | string | No | Resource ID. |
| properties | object | No | Properties of the subnet. - ServiceDelegationPropertiesFormat object |
| name | string | No | The name of the resource that is unique within a subnet. This name can be used to access the resource. |

NetworkSecurityGroupPropertiesFormat object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| securityRules | array | No | A collection of security rules of the network security group. - SecurityRule object |
| defaultSecurityRules | array | No | The default security rules of network security group. - SecurityRule object |
| resourceGuid | string | No | The resource GUID property of the network security group resource. |

RouteTablePropertiesFormat object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| routes | array | No | Collection of routes contained within a route table. - Route object |
| disableBgpRoutePropagation | boolean | No | Whether to disable the routes learned by BGP on that route table. True means disable. |

ServiceEndpointPolicyPropertiesFormat object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| serviceEndpointPolicyDefinitions | array | No | A collection of service endpoint policy definitions of the service endpoint policy. - ServiceEndpointPolicyDefinition object |

ResourceNavigationLinkFormat object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| linkedResourceType | string | No | Resource type of the linked resource. |
| link | string | No | Link to the external resource. |

ServiceAssociationLinkPropertiesFormat object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| linkedResourceType | string | No | Resource type of the linked resource. |
| link | string | No | Link to the external resource. |
| allowDelete | boolean | No | If true, the resource can be deleted. |
| locations | array | No | A list of locations. - string |

ServiceDelegationPropertiesFormat object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| serviceName | string | No | The name of the service to which the subnet should be delegated (e.g. Microsoft.Sql/servers). |
| actions | array | No | Describes the actions permitted to the service upon delegation. - string |

SecurityRule object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| id | string | No | Resource ID. |
| properties | object | No | Properties of the security rule. - SecurityRulePropertiesFormat object |
| name | string | No | The name of the resource that is unique within a resource group. This name can be used to access the resource. |

Route object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| id | string | No | Resource ID. |
| properties | object | No | Properties of the route. - RoutePropertiesFormat object |
| name | string | No | The name of the resource that is unique within a resource group. This name can be used to access the resource. |

ServiceEndpointPolicyDefinition object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| id | string | No | Resource ID. |
| properties | object | No | Properties of the service endpoint policy definition. - ServiceEndpointPolicyDefinitionPropertiesFormat object |
| name | string | No | The name of the resource that is unique within a resource group. This name can be used to access the resource. |

SecurityRulePropertiesFormat object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| description | string | No | A description for this rule. Restricted to 140 chars. |
| protocol | enum | Yes | Network protocol this rule applies to. - Tcp, Udp, Icmp, Esp, *, Ah |
| sourcePortRange | string | No | The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. |
| destinationPortRange | string | No | The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. |
| sourceAddressPrefix | string | No | The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from. |
| sourceAddressPrefixes | array | No | The CIDR or source IP ranges. - string |
| sourceApplicationSecurityGroups | array | No | The application security group specified as source. - ApplicationSecurityGroup object |
| destinationAddressPrefix | string | No | The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. |
| destinationAddressPrefixes | array | No | The destination address prefixes. CIDR or destination IP ranges. - string |
| destinationApplicationSecurityGroups | array | No | The application security group specified as destination. - ApplicationSecurityGroup object |
| sourcePortRanges | array | No | The source port ranges. - string |
| destinationPortRanges | array | No | The destination port ranges. - string |
| access | enum | Yes | The network traffic is allowed or denied. - Allow or Deny |
| priority | integer | No | The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. |
| direction | enum | Yes | The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. - Inbound or Outbound |

RoutePropertiesFormat object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| addressPrefix | string | No | The destination CIDR to which the route applies. |
| nextHopType | enum | Yes | The type of Azure hop the packet should be sent to. - VirtualNetworkGateway, VnetLocal, Internet, VirtualAppliance, None |
| nextHopIpAddress | string | No | The IP address packets should be forwarded to. Next hop values are only allowed in routes where the next hop type is VirtualAppliance. |
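
As an added example (not part of the original reference and not Microsoft tooling), this Python linter checks one subnets resource against the constraints stated in the SecurityRulePropertiesFormat and RoutePropertiesFormat tables, and flags inbound Allow rules whose source is '*' or 'Internet'. The function names, the sample resource and the treatment of 0.0.0.0/0 as an "any source" value are assumptions made for the example.

```python
import json

# Enums and limits as stated in the page's SecurityRule and Route property tables.
PROTOCOLS = {"Tcp", "Udp", "Icmp", "Esp", "*", "Ah"}
NEXT_HOPS = {"VirtualNetworkGateway", "VnetLocal", "Internet", "VirtualAppliance", "None"}
ENUMS = (("protocol", PROTOCOLS), ("access", {"Allow", "Deny"}),
         ("direction", {"Inbound", "Outbound"}))
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}  # "0.0.0.0/0" added as an assumption

def port_range_ok(value):
    """True for '*', a single port, or 'low-high' with both ends in 0-65535."""
    if value == "*":
        return True
    parts = value.split("-")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        return False
    nums = [int(p) for p in parts]
    return nums[0] <= nums[-1] <= 65535

def lint_subnet(resource):
    """Return (object name, finding) pairs for one subnets resource."""
    findings = []
    props = resource.get("properties", {})
    nsg = props.get("networkSecurityGroup", {}).get("properties", {})
    for rule in nsg.get("securityRules", []):
        name, p = rule.get("name", "<unnamed>"), rule.get("properties", {})
        for key, allowed in ENUMS:  # the three properties marked Required
            if p.get(key) not in allowed:
                findings.append((name, f"{key} missing or not in enum"))
        prio = p.get("priority")
        if isinstance(prio, int) and not 100 <= prio <= 4096:
            findings.append((name, "priority outside 100-4096"))
        ports = [p[k] for k in ("sourcePortRange", "destinationPortRange") if k in p]
        for k in ("sourcePortRanges", "destinationPortRanges"):
            ports.extend(p.get(k, []))
        if not all(port_range_ok(v) for v in ports):
            findings.append((name, "port value not '*' or within 0-65535"))
        sources = set(p.get("sourceAddressPrefixes", [])) | {p.get("sourceAddressPrefix")}
        if (p.get("access"), p.get("direction")) == ("Allow", "Inbound") and sources & ANY_SOURCE:
            findings.append((name, "inbound Allow from any source"))
    routes = props.get("routeTable", {}).get("properties", {}).get("routes", [])
    for route in routes:
        name, p = route.get("name", "<unnamed>"), route.get("properties", {})
        hop = p.get("nextHopType")
        if hop not in NEXT_HOPS:
            findings.append((name, "nextHopType missing or not in enum"))
        elif p.get("nextHopIpAddress") and hop != "VirtualAppliance":
            findings.append((name, "nextHopIpAddress set without VirtualAppliance"))
    return findings

# Constructed sample resource (names, addresses and location are made up).
SAMPLE = json.loads("""
{"name": "app-subnet", "type": "Microsoft.Network/virtualNetworks/subnets", "apiVersion": "2019-08-01",
 "properties": {"addressPrefix": "10.0.1.0/24", "networkSecurityGroup": {"location": "westeurope",
  "properties": {"securityRules": [
   {"name": "allow-ssh-any", "properties": {"protocol": "Tcp", "destinationPortRange": "22",
     "sourceAddressPrefix": "*", "access": "Allow", "priority": 100, "direction": "Inbound"}},
   {"name": "allow-https-vnet", "properties": {"protocol": "Tcp", "destinationPortRange": "443",
     "sourceAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 5000, "direction": "Inbound"}},
   {"name": "bad-ports", "properties": {"protocol": "tcp", "destinationPortRange": "8000-70000",
     "sourceAddressPrefix": "10.0.0.0/8", "access": "Deny", "priority": 200, "direction": "Outbound"}}]}},
  "routeTable": {"properties": {"routes": [{"name": "to-internet", "properties": {
     "addressPrefix": "0.0.0.0/0", "nextHopType": "Internet", "nextHopIpAddress": "10.0.0.4"}}]}}}}
""")
```

Calling `lint_subnet(SAMPLE)` returns five findings; priority values written as template expressions (strings) are skipped rather than range-checked.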

ServiceEndpointPolicyDefinitionPropertiesFormat object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| description | string | No | A description for this rule. Restricted to 140 chars. |
| service | string | No | Service endpoint name. |
| serviceResources | array | No | A list of service resources. - string |

ApplicationSecurityGroup object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| id | string | No | Resource ID. |
| location | string | No | Resource location. |
| tags | object | No | Resource tags. |
| properties | object | No | Properties of the application security group. - ApplicationSecurityGroupPropertiesFormat object |

Quickstart templates

The following quickstart templates deploy this resource type.

| Template | Description |
| --- | --- |
| Managed Azure Active Directory Domain Services | This template deploys a Managed Azure Active Directory Domain Service with required VNet and NSG configurations. |
| Azure Bastion as a Service | This template provisions Azure Bastion in a Virtual Network. |
| Migrate to Azure SQL database using Azure DMS | The Azure Database Migration Service (DMS) is designed to streamline the process of migrating on-premises databases to Azure. DMS will simplify the migration of existing on-premises SQL Server and Oracle databases to Azure SQL Database, Azure SQL Managed Instance or Microsoft SQL Server in an Azure Virtual Machine. This template deploys an instance of Azure Database Migration Service, an Azure VM with SQL Server installed on it, which acts as a Source server with a pre-created database on it, and a Target Azure SQL DB server, which has a pre-created schema of the database to be migrated from the Source to the Target server. The template also deploys the required resources, such as the NIC and VNet, for supporting the Source VM, DMS service and Target server. |
| Deploy Azure Database Migration Service (DMS) | Azure Database Migration Service is a fully managed service designed to enable seamless migrations from multiple database sources to Azure data platforms with minimal downtime (online migrations). |
| Azure Cloud Shell - VNet | This template deploys Azure Cloud Shell resources into an Azure virtual network. |
| Deploy a Hub and Spoke topology sandbox | This template creates a basic hub-and-spoke topology setup. It creates a Hub VNet with subnets DMZ, Management, Shared and Gateway (optionally), with two Spoke VNets (development and production) containing a workload subnet each. It also deploys a Windows Jump-Host on the Management subnet of the Hub, and establishes VNet peerings between the Hub and the two spokes. |
| Deploy Azure Database for MariaDB with VNet | This template provides an easy way to deploy Azure Database for MariaDB with VNet integration. |
| Deploy Azure Database for MySQL with VNet | This template provides an easy way to deploy Azure Database for MySQL with VNet integration. |
| Deploy Azure Database for PostgreSQL with VNet | This template provides an easy way to deploy Azure Database for PostgreSQL with VNet integration. |
| Virtual Network NAT | Deploy a NAT gateway and virtual machine. |
| Virtual Network NAT | Deploy a NAT gateway and virtual network. |
| Azure private DNS domain hosting example | This template shows how to create a private DNS zone and optionally enable VM registration. |
| Private Endpoint example | This template shows how to create a private endpoint pointing to Azure SQL Server. |
| Web App with Private Endpoint | This template allows you to create a Web App and expose it through Private Endpoint. |
| Add a subnet to an existing VNET | This template allows you to add a subnet to an existing VNET. Deploy into the resource group of the existing VNET. |
| Create a Virtual Network with two Subnets | This template allows you to create a Virtual Network with two subnets. |
| Web App with VNet Injection and Private Endpoint | This template allows you to create a secure end-to-end solution with two web apps, front end and back end. The front end consumes the back end securely through VNet injection and Private Endpoint. |
| Integration Service Environment Template | Template that creates a virtual network, 4 subnets, and then an Integration Service Environment (ISE), including non-native connectors. Use as a base for templates that require a Logic Apps ISE. |
| Advanced template for Azure Machine Learning workspace | A template that creates an Azure Machine Learning workspace with private endpoints and resources behind a VNET. |
| Add an NSG with Redis security rules to an existing subnet | This template allows you to add an NSG with preconfigured Azure Redis Cache security rules to an existing subnet within a VNET. Deploy into the resource group of the existing VNET. |
| VNS3 network appliance for cloud connectivity and security | VNS3 is a software only virtual appliance that provides the combined features and functions of a Security Appliance, Application Delivery Controller and Unified Threat Management device at the cloud application edge. Key benefits: On top of cloud networking, Always on end to end encryption, Federate data centres, cloud regions, cloud providers, and/or containers, creating one unified address space, Attestable control over encryption keys, Meshed network manageable at scale, Reliable HA in the Cloud, Isolate sensitive applications (fast low cost Network Segmentation), Segmentation within applications, Analysis of all data in motion in the cloud. Key network functions: virtual router, switch, firewall, VPN concentrator, multicast distributor, with plugins for WAF, NIDS, Caching, Proxy Load Balancers and other Layer 4 through 7 network functions. VNS3 doesn't require new knowledge or training to implement, so you can integrate with existing network equipment. |
| JMeter environment for Elasticsearch | This template will deploy a JMeter environment into an existing virtual network. One master node and multiple subordinate nodes are deployed into a new jmeter subnet. This template works in conjunction with the Elasticsearch quickstart template. |
| eShop Website with ILB ASE | An App Service Environment is a Premium service plan option of Azure App Service that provides a fully isolated and dedicated environment for securely running Azure App Service apps at high scale, including Web Apps, Mobile Apps, and API Apps. |
| Create an Azure Firewall with multiple IP public addresses | This template creates an Azure Firewall with two public IP addresses and two Windows Server 2019 servers to test. |
| Secured virtual hubs | This template creates a secured virtual hub using Azure Firewall to secure your cloud network traffic destined to the Internet. |
| GPU Vm with OBS-Studio, Skype, MS-Teams for event streaming | This template creates a GPU VM with OBS-Studio, Skype, MS-Teams for event streaming. It creates the VM in a new VNet, storage account, NIC, and public IP with the new compute stack. The whole installation process is based on the Chocolatey package manager. |
| SharePoint 2019, 2016 and 2013 configured with ADFS | This template deploys SharePoint with 1 web application configured with Windows and ADFS authentication, and a couple of path-based / host-named site collections are created. User Profiles Application and Apps (add-ins) services are configured. Claims provider LDAPCP is installed and configured. |