Three times a week (Monday/Wednesday/Friday), John Savill tackles your most pressing IT questions.

Read through the FAQ archives, or send him your questions via email.

Q. When creating a subnet in an Azure Virtual Network do I have to use a full class c for each subnet?
Q. How can I change the DNS configuration of my virtual network in Azure with PowerShell?
Q. I need to ensure certain networks cannot talk to each other in Azure, how can I do this?

----------

Q. When creating a subnet in an Azure Virtual Network do I have to use a full class c for each subnet?

Dept - Azure

A. No. When creating a subnet you specify the prefix length in CIDR notation, i.e. <network>/<number of bits in the subnet mask>. For example 10.1.1.0/24 is a subnet mask of 255.255.255.0, a full class C of 256 addresses, of which 251 are usable: Azure reserves the first four addresses of every subnet (the network address, the default gateway and two addresses for Azure DNS) and the last one (broadcast), so five addresses are lost rather than the usual two. You can use a longer prefix that leaves fewer bits for the host part: a /25 has 128 addresses with 123 usable, a /26 has 64 addresses with 59 usable, and so on. The smallest subnet Azure allows is a /29, which leaves only 3 usable addresses.

Note if you use smaller subnets then you can start the new subnets at smaller increments, for example:

  • 192.168.3.0/25
  • 192.168.3.128/26
  • 192.168.3.192/26

Note that with subnets smaller than a /24 the network ID extends into the fourth octet, so a prefix can only start on a multiple of its own size: a /26, for example, can start at .0, .64, .128 or .192 but not at .100.
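The rules above (five reserved addresses per subnet, /29 as the smallest subnet, prefixes starting on their own boundary, no overlaps within the address space) are easy to get wrong by hand when a /24 is carved into pieces. The following is an added example, not code from the original answer, that checks a planned set of subnets before anything is created in Azure; the function names are mine, and the usable count assumes the five reserved addresses described above.

```powershell
# Added example, not part of the original answer: validate a subnet plan
# offline before creating it in Azure. Assumes Azure's rule that the first
# four and the last address of every subnet are reserved (usable = size - 5)
# and that /29 is the smallest subnet allowed.
function ConvertTo-IpInt {
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
}

function Get-CidrRange {
    param([string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $bits  = [int]$bits
    $size  = [long]1 -shl (32 - $bits)
    $start = ConvertTo-IpInt $net
    # A prefix must start on a boundary of its own size, e.g. a /26 at .0, .64, .128 or .192
    if ($start % $size -ne 0) { throw "$Cidr does not start on a /$bits boundary" }
    [pscustomobject]@{ Cidr = $Cidr; Bits = $bits; Start = $start; End = $start + $size - 1; Size = $size }
}

function Test-SubnetPlan {
    param([string]$AddressSpace, [string[]]$Subnets)
    $space  = Get-CidrRange $AddressSpace
    $ranges = foreach ($s in $Subnets) {
        $r = Get-CidrRange $s
        if ($r.Bits -gt 29) { throw "$s is smaller than /29, the smallest subnet Azure allows" }
        if ($r.Start -lt $space.Start -or $r.End -gt $space.End) { throw "$s lies outside $AddressSpace" }
        $r
    }
    # Once sorted by first address, an overlap shows up as a subnet starting before the previous one ends
    $sorted = @($ranges | Sort-Object Start)
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        if ($sorted[$i].Start -le $sorted[$i - 1].End) {
            throw "$($sorted[$i].Cidr) overlaps $($sorted[$i - 1].Cidr)"
        }
    }
    $sorted | Select-Object Cidr, @{ Name = 'Usable'; Expression = { $_.Size - 5 } }
}

# The three subnets from the answer fit a /24 without overlapping: 123, 59 and 59 usable addresses
Test-SubnetPlan -AddressSpace '192.168.3.0/24' -Subnets '192.168.3.0/25', '192.168.3.128/26', '192.168.3.192/26'

# Constructed failure case: a /25 at .128 covers .128-.255, which the /26 at .128 already uses
try { Test-SubnetPlan -AddressSpace '192.168.3.0/24' -Subnets '192.168.3.128/26', '192.168.3.128/25' }
catch { Write-Warning $_.Exception.Message }
```

Running the plan through a check like this is cheaper than discovering the problem from the error the portal or New-AzureRmVirtualNetworkSubnetConfig returns; the boundary check in Get-CidrRange is the one people most often trip over when they move away from whole /24s.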

Q. How can I change the DNS configuration of my virtual network in Azure with PowerShell?

Dept - Azure

A. To change the DNS servers of a virtual network using PowerShell use the following ($networkname and $vnetRG hold the VNet name and its resource group). Note that VMs already running in the VNet only pick up the new servers when their DHCP lease is renewed, so restart them, or renew the lease from inside the guest OS, after the change:

# Fetch the VNet object; $networkname and $vnetRG are set beforehand
$vnet = Get-AzureRmVirtualNetwork -Name $networkname -ResourceGroupName $vnetRG
# DnsServers is a list: the first assignment replaces the existing entries, += appends to them
$vnet.DhcpOptions.DnsServers = "10.1.1.11"
$vnet.DhcpOptions.DnsServers += "10.1.1.12"
# Nothing changes in Azure until the modified object is written back
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
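A reusable form of the same change, added here as an example and not part of the original answer: it validates the addresses before touching the VNet, replaces the whole list in one step instead of assigning and then appending, and reports the before and after values so the change can be checked in the output. The function name is mine, and the guard for a VNet whose DhcpOptions is null (and the PSDhcpOptions type it constructs in that case) is an assumption, not something the answer shows.

```powershell
# Added example, not from the original answer: set a VNet's DNS list in one step
# with validation and a before/after report. Requires an AzureRm session.
function Set-VNetDnsServers {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string[]]$DnsServers
    )
    # Reject anything that is not an IP address before the VNet is modified
    foreach ($dns in $DnsServers) {
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($dns, [ref]$parsed)) {
            throw "'$dns' is not a valid IP address"
        }
    }
    $vnet = Get-AzureRmVirtualNetwork -Name $Name -ResourceGroupName $ResourceGroupName
    # Assumption: a VNet that has always used Azure-provided DNS may carry no DhcpOptions object
    if ($null -eq $vnet.DhcpOptions) {
        $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
    }
    $before = @($vnet.DhcpOptions.DnsServers)
    # Replace the entire list rather than assign-then-append, so the result is exactly $DnsServers
    $vnet.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]$DnsServers
    $result = Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
    [pscustomobject]@{
        VNet   = $Name
        Before = ($before -join ', ')
        After  = (@($result.DhcpOptions.DnsServers) -join ', ')
    }
}

# Usage: VNet and resource group names are placeholders for this example
Set-VNetDnsServers -Name 'Prod-VNet' -ResourceGroupName 'Net-RG' -DnsServers '10.1.1.11', '10.1.1.12'
```

Because the function replaces the list, running it twice with the same servers is harmless, and the After column is read from the object Set-AzureRmVirtualNetwork returns rather than from the local copy, so it reflects what Azure actually stored.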

Q. I need to ensure certain networks cannot talk to each other in Azure, how can I do this?

Dept - Azure

A. Network Security Groups (NSGs) can control the flow of traffic between subnets, but imagine one network made up of 4 subnets and another made up of 7 subnets that must not talk to each other. Denying every pair in both directions needs 4 x 7 = 28 rules per direction, and there is no way to shrink that list if the subnets are not contiguous and so cannot be summarized into fewer prefixes. I created some simple PowerShell to create all the necessary rules based on arrays with the two sets of subnets, in this case QA and Production. You would modify the PowerShell to apply to all the required subnets. Note in my case the QA/Prod subnets were not contiguous so each class C had to be listed. If they had been contiguous I would have tried to combine them into one CIDR range, maybe a /22 etc, which would reduce the number of rules required. Two things to keep in mind: the NSG has no effect until it is associated with the Production subnets (or the NICs in them), and rule priorities only have to be unique within a direction, which is why the script below can use the same priority number for the inbound and outbound rule of each pair.

$QAVNets = "10.242.64.0/24","10.242.65.0/24","10.244.0.0/16","10.248.1.0/24","10.248.3.0/24","10.248.5.0/24","10.248.7.0/24"
$ProdVNets = "10.248.2.0/24","10.248.4.0/24","10.248.6.0/24","10.248.8.0/24"

$loc = 'EastUS'
$rgname = 'Net-RG'

#Create a new NSG with no rules
$NSG = New-AzureRmNetworkSecurityGroup -Name "StdNSG" -Location $loc -ResourceGroupName $rgname

$priority = 200

foreach($ProdVNet in $ProdVNets)
{
    foreach($QAVNet in $QAVNets)
    {
        Write-Output "Adding rule blocking from $QAVNet to $ProdVNet"

        $inboundrulename = "$($QAVNet)_to_$($ProdVNet)"
        $inboundrulename = $inboundrulename.Replace("/","-")
        $outboundrulename = "$($ProdVNet)_to_$($QAVNet)"
        $outboundrulename = $outboundrulename.Replace("/","-")

        # Each cmdlet returns the whole NSG object; discard that so the console only shows the progress lines
        Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $NSG -Name $inboundrulename `
            -Direction Inbound -Priority $priority `
            -Access Deny -SourceAddressPrefix $QAVNet -SourcePortRange '*' `
            -DestinationAddressPrefix $ProdVNet -DestinationPortRange '*' -Protocol '*' | Out-Null
        Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $NSG -Name $outboundrulename `
            -Direction Outbound -Priority $priority `
            -Access Deny -SourceAddressPrefix $ProdVNet -SourcePortRange '*' `
            -DestinationAddressPrefix $QAVNet -DestinationPortRange '*' -Protocol '*' | Out-Null
        # Priorities must be unique per direction only, so one number serves both rules of the pair
        $priority++
    }
}

Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $NSG #Write the rules held in the in-memory object back to Azure
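The answer notes that contiguous subnets could be combined into one CIDR range to cut the number of rules. The following is an added example, not code from the original answer, that does that combination for arbitrary input: it drops prefixes already covered by a larger one and repeatedly merges adjacent, aligned siblings into their parent prefix until nothing more can be merged. The function names are mine; the arrays it is run on are the answer's QA list and a constructed contiguous set.

```powershell
# Added example, not part of the original answer: collapse a list of CIDR
# prefixes into the fewest blocks that cover exactly the same addresses, so
# the $QAVNets/$ProdVNets arrays fed to the rule loop above stay as short as
# possible.
function ConvertTo-IpInt {
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
}

function ConvertFrom-IpInt {
    param([long]$Value)
    $octets = 24, 16, 8, 0 | ForEach-Object { ($Value -shr $_) -band 255 }
    $octets -join '.'
}

function Merge-CidrList {
    param([string[]]$Prefixes)
    # Work on (first address, prefix length) pairs
    $ranges = foreach ($p in $Prefixes) {
        $net, $bits = $p.Split('/')
        [pscustomobject]@{ Start = (ConvertTo-IpInt $net); Bits = [int]$bits }
    }
    do {
        $changed = $false
        $sorted  = @($ranges | Sort-Object Start, Bits)   # on a tie the larger block sorts first
        $ranges  = New-Object System.Collections.Generic.List[object]
        $i = 0
        while ($i -lt $sorted.Count) {
            $cur  = $sorted[$i]
            $size = [long]1 -shl (32 - $cur.Bits)
            $next = if ($i + 1 -lt $sorted.Count) { $sorted[$i + 1] } else { $null }
            if ($null -ne $next -and $next.Start -le $cur.Start + $size - 1) {
                # $next starts inside $cur, so $cur already covers it: drop $next
                $ranges.Add($cur); $i += 2; $changed = $true
            }
            elseif ($null -ne $next -and $next.Bits -eq $cur.Bits -and
                    $next.Start -eq $cur.Start + $size -and
                    ($cur.Start % ($size * 2)) -eq 0) {
                # Two adjacent siblings whose parent is aligned: replace both with the parent prefix
                $ranges.Add([pscustomobject]@{ Start = $cur.Start; Bits = $cur.Bits - 1 })
                $i += 2; $changed = $true
            }
            else {
                $ranges.Add($cur); $i += 1
            }
        }
    } while ($changed)   # every merge shortens the list, so this terminates
    foreach ($r in $ranges) { '{0}/{1}' -f (ConvertFrom-IpInt $r.Start), $r.Bits }
}

# The answer's QA list: only 10.242.64.0/24 and 10.242.65.0/24 are adjacent and aligned,
# so seven entries become six (10.242.64.0/23 plus the five others unchanged)
Merge-CidrList "10.242.64.0/24","10.242.65.0/24","10.244.0.0/16","10.248.1.0/24","10.248.3.0/24","10.248.5.0/24","10.248.7.0/24"

# Constructed contiguous set: four /24s in any order collapse to the single 10.248.0.0/22
Merge-CidrList "10.248.3.0/24","10.248.2.0/24","10.248.1.0/24","10.248.0.0/24"
```

Because the merge only ever replaces two siblings with their exact parent, the output covers precisely the addresses of the input and nothing more, so the deny rules built from it are no wider than the ones built from the original list; the alignment test (`$cur.Start % ($size * 2)`) is what stops, for example, 10.248.1.0/24 and 10.248.2.0/24 from being wrongly combined.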