Microsoft.Network virtualNetworks/subnets 2020-11-01

The virtualNetworks/subnets resource type can be deployed to: Resource groups.

To learn about resource group deployments, see Bicep or ARM template.

Template format

To create a Microsoft.Network/virtualNetworks/subnets resource, add the following Bicep or JSON to your template.

resource symbolicname 'Microsoft.Network/virtualNetworks/subnets@2020-11-01' = {
  name: 'string'
  properties: {
    addressPrefix: 'string'
    addressPrefixes: [ 'string' ]
    applicationGatewayIpConfigurations: [
      {
        id: 'string'
        name: 'string'
        properties: {
          subnet: {
            id: 'string'
          }
        }
      }
    ]
    delegations: [
      {
        id: 'string'
        name: 'string'
        properties: {
          serviceName: 'string'
        }
        type: 'string'
      }
    ]
    ipAllocations: [
      {
        id: 'string'
      }
    ]
    natGateway: {
      id: 'string'
    }
    networkSecurityGroup: {
      id: 'string'
      location: 'string'
      properties: {
        securityRules: [
          {
            id: 'string'
            name: 'string'
            properties: {
              access: 'string'
              description: 'string'
              destinationAddressPrefix: 'string'
              destinationAddressPrefixes: [ 'string' ]
              destinationApplicationSecurityGroups: [
                {
                  id: 'string'
                  location: 'string'
                  properties: {}
                  tags: {
                    tagName1: 'tagValue1'
                    tagName2: 'tagValue2'
                  }
                }
              ]
              destinationPortRange: 'string'
              destinationPortRanges: [ 'string' ]
              direction: 'string'
              priority: int
              protocol: 'string'
              sourceAddressPrefix: 'string'
              sourceAddressPrefixes: [ 'string' ]
              sourceApplicationSecurityGroups: [
                {
                  id: 'string'
                  location: 'string'
                  properties: {}
                  tags: {
                    tagName1: 'tagValue1'
                    tagName2: 'tagValue2'
                  }
                }
              ]
              sourcePortRange: 'string'
              sourcePortRanges: [ 'string' ]
            }
            type: 'string'
          }
        ]
      }
      tags: {
        tagName1: 'tagValue1'
        tagName2: 'tagValue2'
      }
    }
    privateEndpointNetworkPolicies: 'string'
    privateLinkServiceNetworkPolicies: 'string'
    routeTable: {
      id: 'string'
      location: 'string'
      properties: {
        disableBgpRoutePropagation: bool
        routes: [
          {
            id: 'string'
            name: 'string'
            properties: {
              addressPrefix: 'string'
              hasBgpOverride: bool
              nextHopIpAddress: 'string'
              nextHopType: 'string'
            }
            type: 'string'
          }
        ]
      }
      tags: {
        tagName1: 'tagValue1'
        tagName2: 'tagValue2'
      }
    }
    serviceEndpointPolicies: [
      {
        id: 'string'
        location: 'string'
        properties: {
          serviceEndpointPolicyDefinitions: [
            {
              id: 'string'
              name: 'string'
              properties: {
                description: 'string'
                service: 'string'
                serviceResources: [ 'string' ]
              }
            }
          ]
        }
        tags: {
          tagName1: 'tagValue1'
          tagName2: 'tagValue2'
        }
      }
    ]
    serviceEndpoints: [
      {
        locations: [ 'string' ]
        service: 'string'
      }
    ]
  }
}

Property values

virtualNetworks/subnets

Name Description Value
type The resource type

For Bicep, set this value in the resource declaration.
'Microsoft.Network/virtualNetworks/subnets'
apiVersion The resource api version

For Bicep, set this value in the resource declaration.
'2020-11-01'
name The resource name

See how to set names and types for child resources in Bicep or JSON ARM templates.
string (required)
properties Properties of the subnet. SubnetPropertiesFormat

SubnetPropertiesFormat

Name Description Value
addressPrefix The address prefix for the subnet. string
addressPrefixes List of address prefixes for the subnet. string[]
applicationGatewayIpConfigurations Application gateway IP configurations of virtual network resource. ApplicationGatewayIPConfiguration[]
delegations An array of references to the delegations on the subnet. Delegation[]
ipAllocations Array of IpAllocation which reference this subnet. SubResource[]
natGateway Reference to another subresource. SubResource
networkSecurityGroup NetworkSecurityGroup resource. NetworkSecurityGroup
privateEndpointNetworkPolicies Enable or Disable apply network policies on private end point in the subnet. 'Disabled'
'Enabled'
privateLinkServiceNetworkPolicies Enable or Disable apply network policies on private link service in the subnet. 'Disabled'
'Enabled'
routeTable Route table resource. RouteTable
serviceEndpointPolicies An array of service endpoint policies. ServiceEndpointPolicy[]
serviceEndpoints An array of service endpoints. ServiceEndpointPropertiesFormat[]

ApplicationGatewayIPConfiguration

Name Description Value
id Resource ID. string
name Name of the IP configuration that is unique within an Application Gateway. string
properties Properties of IP configuration of an application gateway. ApplicationGatewayIPConfigurationPropertiesFormat

ApplicationGatewayIPConfigurationPropertiesFormat

Name Description Value
subnet Reference to another subresource. SubResource

SubResource

Name Description Value
id Resource ID. string

Delegation

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a subnet. This name can be used to access the resource. string
properties Properties of a service delegation. ServiceDelegationPropertiesFormat
type Resource type. string

ServiceDelegationPropertiesFormat

Name Description Value
serviceName The name of the service to whom the subnet should be delegated (e.g. Microsoft.Sql/servers). string

NetworkSecurityGroup

Name Description Value
id Resource ID. string
location Resource location. string
properties Network Security Group resource. NetworkSecurityGroupPropertiesFormat
tags Resource tags. Dictionary of tag names and values. See Tags in templates

NetworkSecurityGroupPropertiesFormat

Name Description Value
securityRules A collection of security rules of the network security group. SecurityRule[]

SecurityRule

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Security rule resource. SecurityRulePropertiesFormat
type The type of the resource. string

SecurityRulePropertiesFormat

Name Description Value
access Whether network traffic is allowed or denied. 'Allow'
'Deny'
description A description for this rule. Restricted to 140 chars. string
destinationAddressPrefix The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. string
destinationAddressPrefixes The destination address prefixes. CIDR or destination IP ranges. string[]
destinationApplicationSecurityGroups The application security group specified as destination. ApplicationSecurityGroup[]
destinationPortRange The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. string
destinationPortRanges The destination port ranges. string[]
direction The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. 'Inbound'
'Outbound'
priority The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. int
protocol Network protocol this rule applies to. '*'
'Ah'
'Esp'
'Icmp'
'Tcp'
'Udp'
sourceAddressPrefix The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from. string
sourceAddressPrefixes The CIDR or source IP ranges. string[]
sourceApplicationSecurityGroups The application security group specified as source. ApplicationSecurityGroup[]
sourcePortRange The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. string
sourcePortRanges The source port ranges. string[]

ApplicationSecurityGroup

Name Description Value
id Resource ID. string
location Resource location. string
properties Application security group properties. ApplicationSecurityGroupPropertiesFormat
tags Resource tags. Dictionary of tag names and values. See Tags in templates

ApplicationSecurityGroupPropertiesFormat

This object doesn't contain any properties to set during deployment. All properties are ReadOnly.

RouteTable

Name Description Value
id Resource ID. string
location Resource location. string
properties Route Table resource. RouteTablePropertiesFormat
tags Resource tags. Dictionary of tag names and values. See Tags in templates

RouteTablePropertiesFormat

Name Description Value
disableBgpRoutePropagation Whether to disable the routes learned by BGP on that route table. True means disable. bool
routes Collection of routes contained within a route table. Route[]

Route

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Route resource. RoutePropertiesFormat
type The type of the resource. string

RoutePropertiesFormat

Name Description Value
addressPrefix The destination CIDR to which the route applies. string
hasBgpOverride A value indicating whether this route overrides overlapping BGP routes regardless of LPM. bool
nextHopIpAddress The IP address packets should be forwarded to. Next hop values are only allowed in routes where the next hop type is VirtualAppliance. string
nextHopType The type of Azure hop the packet should be sent to. 'Internet'
'None'
'VirtualAppliance'
'VirtualNetworkGateway'
'VnetLocal'

ServiceEndpointPolicy

Name Description Value
id Resource ID. string
location Resource location. string
properties Service Endpoint Policy resource. ServiceEndpointPolicyPropertiesFormat
tags Resource tags. Dictionary of tag names and values. See Tags in templates

ServiceEndpointPolicyPropertiesFormat

Name Description Value
serviceEndpointPolicyDefinitions A collection of service endpoint policy definitions of the service endpoint policy. ServiceEndpointPolicyDefinition[]

ServiceEndpointPolicyDefinition

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Service Endpoint policy definition resource. ServiceEndpointPolicyDefinitionPropertiesFormat

ServiceEndpointPolicyDefinitionPropertiesFormat

Name Description Value
description A description for this rule. Restricted to 140 chars. string
service Service endpoint name. string
serviceResources A list of service resources. string[]

ServiceEndpointPropertiesFormat

Name Description Value
locations A list of locations. string[]
service The type of the endpoint service. string

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
VNS3 network appliance for cloud connectivity and security.

Deploy to Azure
VNS3 is a software only virtual appliance that provides the combined features and functions of a Security Appliance, Application Delivery Controller and Unified Threat Management device at the cloud application edge. Key benefits, On top of cloud networking, Always on end to end encryption, Federate data centres, cloud regions, cloud providers, and/or containers, creating one unified address space, Attestable control over encryption keys, Meshed network manageable at scale, Reliable HA in the Cloud, Isolate sensitive applications (fast low cost Network Segmentation), Segmentation within applications, Analysis of all data in motion in the cloud. Key network functions; virtual router, switch, firewall, vpn concentrator, multicast distributor, with plugins for WAF, NIDS, Caching, Proxy Load Balancers and other Layer 4 thru 7 network functions, VNS3 doesn't require new knowledge or training to implement, so you can integrate with existing network equipment.
VNS3 network appliance for cloud connectivity and security.

Deploy to Azure
VNS3 is a software only virtual appliance that provides the combined features and functions of a security appliance, application delivery controller and unified threat management device at the cloud application edge. Key benefits, on top of cloud networking, always on end to end encryption, federate data centres, cloud regions, cloud providers, and/or containers, creating one unified address space, attestable control over encryption keys, meshed network manageable at scale, reliable HA in the cloud, isolate sensitive applications (fast low cost Network Segmentation), segmentation within applications, Analysis of all data in motion in the cloud. Key network functions; virtual router, switch, firewall, vpn concentrator, multicast distributor, with plugins for WAF, NIDS, caching, proxy, load balancers and other layer 4 thru 7 network functions, VNS3 doesn't require new knowledge or training to implement, so you can integrate with existing network equipment.
JMeter environment for Elasticsearch

Deploy to Azure
This template will deploy a JMeter environment into an existing virtual network. One master node and multiple subordinate nodes are deployed into a new jmeter subnet. This template works in conjunction with the Elasticsearch quickstart template.
GPU Vm with OBS-Studio, Skype, MS-Teams for event streaming

Deploy to Azure
This template creates a GPU Vm with OBS-Studio, Skype, MS-Teams for event streaming. It creates the VM in a new vnet, storage account, nic, and public ip with the new compute stack. All installation process based on Chocolately package manager
SharePoint 2019 / 2016 / 2013 fully configured

Deploy to Azure
Create a SharePoint 2019 / 2016 / 2013 farm with a web application set with Windows and ADFS authentication, and some path based and host-named site collections. It also provisions User Profiles and Apps service applications and installs claims provider LDAPCP.
Azure Cloud Shell - VNet

Deploy to Azure
This template deploys Azure Cloud Shell resources into an Azure virtual network.
eShop Website with ILB ASE

Deploy to Azure
An App Service Environment is a Premium service plan option of Azure App Service that provides a fully isolated and dedicated environment for securely running Azure App Service apps at high scale, including Web Apps, Mobile Apps, and API Apps.
Deploy a Hub and Spoke topology sandbox

Deploy to Azure
This template creates a basic hub-and-spoke topology setup. It creates a Hub VNet with subnets DMZ, Management, Shared and Gateway (optionally), with two Spoke VNets (development and production) containing a workload subnet each. It also deploys a Windows Jump-Host on the Management subnet of the HUB, and establishes VNet peerings between the Hub and the two spokes.
Multi VM Template with Managed Disk

Deploy to Azure
This template will create N number of VM's with managed disks, public IPs and network interfaces. It will create the VMs in a single Availability Set. They will be provisioned in a Virtual Network which will also be created as part of the deployment
Deploy a simple Ubuntu Linux VM 18.04-LTS.

Deploy to Azure
This template deploy a Ubuntu Server with a few options for the VM. You can provide the VM Name, OS Version, VM size, admin username and password. As default the VM size is Standard_B2s and O.S. Version is 18.04-LTS.
Deploy a simple Windows VM

Deploy to Azure
This template allows you to deploy a simple Windows VM using a few different options for the Windows version, using the latest patched version. This will deploy an A2 size VM in the resource group location and return the FQDN of the VM.
Migrate to Azure SQL database using Azure DMS

Deploy to Azure
The Azure Database Migration Service (DMS) is designed to streamline the process of migrating on-premises databases to Azure. DMS will simplify the migration of existing on-premises SQL Server and Oracle databases to Azure SQL Database, Azure SQL Managed Instance or Microsoft SQL Server in an Azure Virtual Machine. This template would deploy an instance of Azure Database Migration service, an Azure VM with SQL server installed on it which will act as a Source server with pre created database on it and a Target Azure SQL DB server which will have a pre-created schema of the database to be migrated from Source to Target server. The template will also deploy the required resources like NIC, vnet etc for supporting the Source VM, DMS service and Target server.
Deploy Azure Database Migration Service (DMS)

Deploy to Azure
Azure Database Migration Service is a fully managed service designed to enable seamless migrations from multiple database sources to Azure data platforms with minimal downtime (online migrations).
Deploy Azure Database for MariaDB with VNet

Deploy to Azure
This template provides a way to deploy an Azure database for MariaDB with VNet integration.
Deploy Azure Database for MySQL with VNet

Deploy to Azure
This template provides a way to deploy an Azure database for MySQL with VNet integration.
Deploy Azure Database for PostgreSQL with VNet

Deploy to Azure
This template provides a way to deploy an Azure database for PostgreSQL with VNet integration.
Integration Service Environment Template

Deploy to Azure
Template that creates a virtual network, 4 subnets, and then an Integration Service Environment (ISE), including non-native connectors. Use as a base for templates that require a Logic Apps ISE.
Advanced template for Azure Machine Learning workspace

Deploy to Azure
A template that creates Azure Machine Learning workspace with private endpoints and resources behind VNET
Create new ANF resource with SMB volume

Deploy to Azure
This template allows you to create a new Azure NetApp Files resource with a single Capacity pool and single volume configured with SMB protocol.
Managed Azure Active Directory Domain Services

Deploy to Azure
This template deploys an Managed Azure Active Directory Domain Service with required VNet and NSG configurations.
Azure Bastion as a Service

Deploy to Azure
This template provisions Azure Bastion in a Virtual Network
Azure Bastion as a Service

Deploy to Azure
This template provisions Azure Bastion in a Virtual Network
Create an Azure Firewall with multiple IP public addresses

Deploy to Azure
This template creates an Azure Firewall with two public IP addresses and two Windows Server 2019 servers to test.
Secured virtual hubs

Deploy to Azure
This template creates a secured virtual hub using Azure Firewall to secure your cloud network traffic destined to the Internet.
Create a cross-region load balancer

Deploy to Azure
This template creates a cross-region load balancer with a backend pool containing two regional load balancers. Cross-region load balancer is currently available in limited regions. The regional load balancers behind the cross-region load balancer can be in any region.
Standard Load Balancer with Backend Pool by IP Addresses

Deploy to Azure
This template is used to demonstrate how ARM Templates can be used to configure the Backend Pool of a Load Balancer by IP Address as outlined in the Backend Pool management document.
Create a standard load-balancer

Deploy to Azure
This template creates an Internet-facing load-balancer, load balancing rules, and three VMs for the backend pool with each VM in a redundant zone.
Virtual Network NAT

Deploy to Azure
Deploy a NAT gateway and virtual machine
Virtual Network NAT

Deploy to Azure
Deploy a NAT gateway and virtual network
Azure private DNS domain hosting example

Deploy to Azure
This template shows how to create a private DNS zone and optionally enable VM registration
Create a Route Server in a New Subnet

Deploy to Azure
This template deploys a Route Server into a subnet named routeserversubnet.
Add a subnet to an existing VNET

Deploy to Azure
This template allows you to add a subnet to an existing VNET. Deploy into the resource group of the existing VNET
Add an NSG with Redis security rules to an existing subnet

Deploy to Azure
This template allows you to add an NSG with preconfigured Azure Redis Cache security rules to an existing subnet within a VNET. Deploy into the resource group of the existing VNET.
Create a BGP VNET to VNET connection

Deploy to Azure
This template allows you to connect two VNETs using Virtual Network Gateways and BGP
Create a Virtual Network with two Subnets

Deploy to Azure
This template allows you to create a Virtual Network with two subnets.
Create a Service Bus namespace Virtual Network rule

Deploy to Azure
This template enables you to deploy a Service Bus Premium namespace with Virtual Network rule
Private Endpoint example

Deploy to Azure
This template shows how to create a private endpoint pointing to Azure SQL Server
App Service Environment with Azure SQL backend

Deploy to Azure
This template creates an App Service Environment with an Azure SQL backend along with private endpoints along with associated resources typically used in an private/isolated environment.
Web App with Private Endpoint

Deploy to Azure
This template allows you to create a Web App and expose it through Private Endpoint
Web App with VNet Injection and Private Endpoint.

Deploy to Azure
This template allows you to create a secure end to end solution with two web apps, front end and back end, front end will consume securely the back through VNet injection and Private Endpoint