---
title: Add or remove a subnet delegation in an Azure virtual network
titlesuffix: Azure Virtual Network
description: Learn how to add or remove a delegated subnet for a service in Azure.
services: virtual-network
documentationcenter: na
author: mbender-ms
ms.service: virtual-network
ms.topic: how-to
ms.tgt_pltfrm: na
ms.workload: infrastructure-services
ms.date: 11/06/2019
ms.author: mbender
ms.custom: devx-track-azurepowershell, devx-track-azurecli
ms.devlang: azurecli
---
Subnet delegation gives explicit permissions to the service to create service-specific resources in the subnet using a unique identifier when deploying the service. This article describes how to add or remove a delegated subnet for an Azure service.
Sign in to the Azure portal at https://portal.azure.com.
In this section, you create a virtual network and the subnet that you'll later delegate to an Azure service.
- On the upper-left side of the screen, select Create a resource > Networking > Virtual network.
- In Create virtual network, enter or select this information:

  | Setting | Value |
  |---|---|
  | Name | Enter MyVirtualNetwork. |
  | Address space | Enter 10.0.0.0/16. |
  | Subscription | Select your subscription. |
  | Resource group | Select Create new, enter myResourceGroup, then select OK. |
  | Location | Select EastUS. |
  | Subnet - Name | Enter mySubnet. |
  | Subnet - Address range | Enter 10.0.0.0/24. |

- Leave the rest as default, and then select Create.
If you didn't create the subnet you would like to delegate to an Azure service, you need the following permission: `Microsoft.Network/virtualNetworks/subnets/write`. The built-in Network Contributor role also contains the necessary permissions.
In this section, you delegate the subnet that you created in the preceding section to an Azure service.
- In the portal's search bar, enter myVirtualNetwork. When myVirtualNetwork appears in the search results, select it.
- Select Subnets, under SETTINGS, and then select mySubnet.
- On the mySubnet page, for the Subnet delegation list, select from the services listed under Delegate subnet to a service (for example, Microsoft.DBforPostgreSQL/serversv2).
To remove the delegation from the subnet:

- In the portal's search bar, enter myVirtualNetwork. When myVirtualNetwork appears in the search results, select it.
- Select Subnets, under SETTINGS, and then select mySubnet.
- On the mySubnet page, for the Subnet delegation list, select None from the services listed under Delegate subnet to a service.
Prepare your environment for the Azure CLI.
[!INCLUDE azure-cli-prepare-your-environment-no-header.md]
- This article requires version 2.0.28 or later of the Azure CLI. If you're using Azure Cloud Shell, the latest version is already installed.
Create a resource group with az group create. An Azure resource group is a logical container into which Azure resources are deployed and managed.
The following example creates a resource group named myResourceGroup in the eastus location:
```azurecli
az group create \
  --name myResourceGroup \
  --location eastus
```
Create a virtual network named myVnet with a subnet named mySubnet in the myResourceGroup using az network vnet create.
```azurecli
az network vnet create \
  --resource-group myResourceGroup \
  --location eastus \
  --name myVnet \
  --address-prefix 10.0.0.0/16 \
  --subnet-name mySubnet \
  --subnet-prefix 10.0.0.0/24
```
If you didn't create the subnet you would like to delegate to an Azure service, you need the following permission: `Microsoft.Network/virtualNetworks/subnets/write`. The built-in Network Contributor role also contains the necessary permissions.
In this section, you delegate the subnet that you created in the preceding section to an Azure service.
Use az network vnet subnet update to update the subnet named mySubnet with a delegation to an Azure service. This example delegates the subnet to Microsoft.DBforPostgreSQL/serversv2:

```azurecli
az network vnet subnet update \
  --resource-group myResourceGroup \
  --name mySubnet \
  --vnet-name myVnet \
  --delegations Microsoft.DBforPostgreSQL/serversv2
```
To verify the delegation was applied, use az network vnet subnet show. Verify the service is delegated to the subnet under the property serviceName:
```azurecli
az network vnet subnet show \
  --resource-group myResourceGroup \
  --name mySubnet \
  --vnet-name myVnet \
  --query delegations
```

```json
[
  {
    "actions": [
      "Microsoft.Network/virtualNetworks/subnets/join/action"
    ],
    "etag": "W/\"8a8bf16a-38cf-409f-9434-fe3b5ab9ae54\"",
    "id": "/subscriptions/3bf09329-ca61-4fee-88cb-7e30b9ee305b/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet/delegations/0",
    "name": "0",
    "provisioningState": "Succeeded",
    "resourceGroup": "myResourceGroup",
    "serviceName": "Microsoft.DBforPostgreSQL/serversv2",
    "type": "Microsoft.Network/virtualNetworks/subnets/delegations"
  }
]
```
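The two results that `az network vnet subnet show --query delegations` prints (a one-element list after delegating, `[]` after removing) are what a deployment pipeline or a configuration drift check should assert on, rather than a human eyeballing the output. The following Python script is an added example and is not code from the Azure documentation or from the Azure CLI project. It parses that JSON, checks that a subnet is delegated to exactly the intended service (or to nothing, when that is the intent), and goes one step further than the article by running the same check over every subnet in a constructed sample shaped like the per-subnet `delegations` field of `az network vnet subnet list` output. The sample JSON, the subnet names `appSubnet` and `dbSubnet`, and the `<subscription-id>` placeholder are constructed for this example; the delegation service names are real Azure values.

```python
from __future__ import annotations

import json
from typing import Optional

# Constructed sample, shaped like `az network vnet subnet show ... --query delegations`
# for a subnet delegated to Microsoft.DBforPostgreSQL/serversv2. The subscription id is a placeholder.
DELEGATED_JSON = """
[
  {
    "actions": ["Microsoft.Network/virtualNetworks/subnets/join/action"],
    "id": "/subscriptions/<subscription-id>/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet/delegations/0",
    "name": "0",
    "provisioningState": "Succeeded",
    "resourceGroup": "myResourceGroup",
    "serviceName": "Microsoft.DBforPostgreSQL/serversv2",
    "type": "Microsoft.Network/virtualNetworks/subnets/delegations"
  }
]
"""

# The same query after `az network vnet subnet update --remove delegations`: an empty list.
REMOVED_JSON = "[]"

# Constructed sample shaped like `az network vnet subnet list` output (only the fields used here).
# dbSubnet carries a delegation nobody documented, which is exactly the case an audit should surface.
SUBNET_LIST_JSON = json.dumps([
    {"name": "mySubnet", "delegations": json.loads(DELEGATED_JSON)},
    {"name": "appSubnet", "delegations": []},
    {"name": "dbSubnet", "delegations": [
        {"serviceName": "Microsoft.Web/serverFarms", "provisioningState": "Succeeded"}
    ]},
])


def parse_delegations(raw: str) -> list[dict]:
    """Parse the JSON list the query prints; empty or whitespace-only input counts as no delegations."""
    raw = raw.strip()
    if not raw:
        return []
    data = json.loads(raw)
    if not isinstance(data, list):
        raise ValueError("expected a JSON list of delegation objects")
    return data


def check_delegation(raw: str, expected_service: Optional[str]) -> tuple[bool, str]:
    """Compare a subnet's delegations with the intended state.

    expected_service=None means "the subnet must not be delegated to anything".
    Returns (ok, reason) so a caller can fail a pipeline step or record a finding.
    """
    delegations = parse_delegations(raw)
    services = [d.get("serviceName") for d in delegations]

    if expected_service is None:
        if delegations:
            return False, f"unexpected delegation(s) present: {services}"
        return True, "no delegation, as expected"

    if not delegations:
        return False, f"subnet is not delegated; expected {expected_service}"
    if len(delegations) > 1:
        # Azure allows one delegation per subnet; more than one entry means drift or a bad template.
        return False, f"more than one delegation found: {services}"

    d = delegations[0]
    if d.get("serviceName") != expected_service:
        return False, f"delegated to {d.get('serviceName')!r}, expected {expected_service!r}"
    if d.get("provisioningState") != "Succeeded":
        return False, f"delegation provisioningState is {d.get('provisioningState')!r}, not Succeeded"
    return True, f"delegated to {expected_service} and provisioned"


def audit_subnets(subnet_list_raw: str, intended: dict[str, Optional[str]]) -> list[str]:
    """Run check_delegation over `az network vnet subnet list` output.

    `intended` maps subnet name -> expected service (None for "must be undelegated").
    Subnets absent from the map are treated as "must be undelegated", so an
    undocumented delegation is reported instead of silently accepted.
    """
    findings = []
    for subnet in json.loads(subnet_list_raw):
        name = subnet.get("name")
        raw = json.dumps(subnet.get("delegations") or [])
        ok, reason = check_delegation(raw, intended.get(name))
        if not ok:
            findings.append(f"{name}: {reason}")
    return findings


if __name__ == "__main__":
    print(check_delegation(DELEGATED_JSON, "Microsoft.DBforPostgreSQL/serversv2"))
    print(check_delegation(REMOVED_JSON, None))
    intended = {"mySubnet": "Microsoft.DBforPostgreSQL/serversv2", "appSubnet": None}
    for finding in audit_subnets(SUBNET_LIST_JSON, intended):
        print("FINDING:", finding)
```

In practice you would replace the constructed strings with the real command output, for example by capturing `az network vnet subnet list --resource-group myResourceGroup --vnet-name myVnet -o json` and passing it to `audit_subnets`. Keeping the intended map under version control next to the templates that create the subnets turns the check into a simple drift detector: any delegation that was added by hand in the portal shows up as a finding.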
Use az network vnet subnet update to remove the delegation from the subnet named mySubnet:

```azurecli
az network vnet subnet update \
  --resource-group myResourceGroup \
  --name mySubnet \
  --vnet-name myVnet \
  --remove delegations
```
To verify the delegation was removed, use az network vnet subnet show. Verify that no service appears under the property serviceName:

```azurecli
az network vnet subnet show \
  --resource-group myResourceGroup \
  --name mySubnet \
  --vnet-name myVnet \
  --query delegations
```

The command outputs an empty list:

```json
[]
```
[!INCLUDE updated-for-az]
Sign in to Azure with Connect-AzAccount:

```azurepowershell
Connect-AzAccount
```
Create a resource group with New-AzResourceGroup. An Azure resource group is a logical container into which Azure resources are deployed and managed.
The following example creates a resource group named myResourceGroup in the eastus location:
```azurepowershell
New-AzResourceGroup -Name myResourceGroup -Location eastus
```
Create a subnet configuration named mySubnet with New-AzVirtualNetworkSubnetConfig, then create a virtual network named myVnet in myResourceGroup that contains it with New-AzVirtualNetwork. The IP address space for the virtual network is 10.0.0.0/16, and the subnet within it is 10.0.0.0/24.

```azurepowershell
$subnet = New-AzVirtualNetworkSubnetConfig -Name mySubnet -AddressPrefix "10.0.0.0/24"
New-AzVirtualNetwork -Name myVnet -ResourceGroupName myResourceGroup -Location eastus -AddressPrefix "10.0.0.0/16" -Subnet $subnet
```
If you didn't create the subnet you would like to delegate to an Azure service, you need the following permission: `Microsoft.Network/virtualNetworks/subnets/write`. The built-in Network Contributor role also contains the necessary permissions.
In this section, you delegate the subnet that you created in the preceding section to an Azure service.
Use Add-AzDelegation to update the subnet named mySubnet with a delegation named myDelegation to an Azure service. This example delegates the subnet to Microsoft.DBforPostgreSQL/serversv2. Add-AzDelegation changes the subnet configuration object in place; Set-AzVirtualNetwork then writes the updated virtual network back to Azure:

```azurepowershell
$vnet = Get-AzVirtualNetwork -Name "myVnet" -ResourceGroupName "myResourceGroup"
$subnet = Get-AzVirtualNetworkSubnetConfig -Name "mySubnet" -VirtualNetwork $vnet
$subnet = Add-AzDelegation -Name "myDelegation" -ServiceName "Microsoft.DBforPostgreSQL/serversv2" -Subnet $subnet
Set-AzVirtualNetwork -VirtualNetwork $vnet
```
Use Get-AzDelegation to verify the delegation:

```azurepowershell
$subnet = Get-AzVirtualNetwork -Name "myVnet" -ResourceGroupName "myResourceGroup" | Get-AzVirtualNetworkSubnetConfig -Name "mySubnet"
Get-AzDelegation -Name "myDelegation" -Subnet $subnet
```

```output
ProvisioningState : Succeeded
ServiceName       : Microsoft.DBforPostgreSQL/serversv2
Actions           : {Microsoft.Network/virtualNetworks/subnets/join/action}
Name              : myDelegation
Etag              : W/"9cba4b0e-2ceb-444b-b553-454f8da07d8a"
Id                : /subscriptions/3bf09329-ca61-4fee-88cb-7e30b9ee305b/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet/delegations/myDelegation
```
Use Remove-AzDelegation to remove the delegation from the subnet named mySubnet:

```azurepowershell
$vnet = Get-AzVirtualNetwork -Name "myVnet" -ResourceGroupName "myResourceGroup"
$subnet = Get-AzVirtualNetworkSubnetConfig -Name "mySubnet" -VirtualNetwork $vnet
$subnet = Remove-AzDelegation -Name "myDelegation" -Subnet $subnet
Set-AzVirtualNetwork -VirtualNetwork $vnet
```
Use Get-AzDelegation to verify the delegation was removed. Because the delegation no longer exists, the cmdlet reports an error instead of returning an object:

```azurepowershell
$subnet = Get-AzVirtualNetwork -Name "myVnet" -ResourceGroupName "myResourceGroup" | Get-AzVirtualNetworkSubnetConfig -Name "mySubnet"
Get-AzDelegation -Name "myDelegation" -Subnet $subnet
```

```output
Get-AzDelegation: Sequence contains no matching element
```
- Learn how to manage subnets in Azure.