| subcategory | layout | page_title | description |
|---|---|---|---|
| Network | azurerm | Azure Resource Manager: azurerm_subnet | Manages a subnet. Subnets represent network segments within the IP space defined by the virtual network. |
Manages a subnet. Subnets represent network segments within the IP space defined by the virtual network.
~> NOTE on Virtual Networks and Subnets: Terraform currently provides both a standalone Subnet resource, and allows for Subnets to be defined in-line within the Virtual Network resource. At this time you cannot use a Virtual Network with in-line Subnets in conjunction with any Subnet resources. Doing so will cause a conflict of Subnet configurations and will overwrite Subnets.
```hcl
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_virtual_network" "example" {
  name                = "example-vnet"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "example" {
  name                 = "example-subnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]

  delegation {
    name = "delegation"

    service_delegation {
      name    = "Microsoft.ContainerInstance/containerGroups"
      actions = ["Microsoft.Network/virtualNetworks/subnets/join/action", "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action"]
    }
  }
}
```
The following arguments are supported:

- `name` - (Required) The name of the subnet. Changing this forces a new resource to be created.
- `resource_group_name` - (Required) The name of the resource group in which to create the subnet. This must be the resource group that the virtual network resides in. Changing this forces a new resource to be created.
- `virtual_network_name` - (Required) The name of the virtual network to which to attach the subnet. Changing this forces a new resource to be created.
- `address_prefixes` - (Required) The address prefixes to use for the subnet.

-> NOTE: Currently only a single address prefix can be set as the Multiple Subnet Address Prefixes Feature is not yet in public preview or general availability.

- `delegation` - (Optional) One or more `delegation` blocks as defined below.
- `default_outbound_access_enabled` - (Optional) Enable default outbound access to the internet for the subnet. Defaults to `true`.
- `private_endpoint_network_policies` - (Optional) Enable or Disable network policies for the private endpoint on the subnet. Possible values are `Disabled`, `Enabled`, `NetworkSecurityGroupEnabled` and `RouteTableEnabled`. Defaults to `Disabled`.
-> NOTE: If you don't want to use network policies like user-defined Routes and Network Security Groups, you need to set `private_endpoint_network_policies` in the subnet to `Disabled`. This setting only applies to Private Endpoints in the Subnet and affects all Private Endpoints in the Subnet. For other resources in the Subnet, access is controlled via the Network Security Group, which can be configured using the `azurerm_subnet_network_security_group_association` resource.

-> NOTE: If you want to use network policies like user-defined Routes and Network Security Groups, you need to set `private_endpoint_network_policies` in the Subnet to `Enabled`/`NetworkSecurityGroupEnabled`/`RouteTableEnabled`. This setting only applies to Private Endpoints in the Subnet and affects all Private Endpoints in the Subnet. For other resources in the Subnet, access is controlled via the Network Security Group, which can be configured using the `azurerm_subnet_network_security_group_association` resource.

-> NOTE: See more details from Manage network policies for Private Endpoints.
- `private_link_service_network_policies_enabled` - (Optional) Enable or Disable network policies for the private link service on the subnet. Defaults to `true`.

-> NOTE: When configuring Azure Private Link service, the explicit setting `private_link_service_network_policies_enabled` must be set to `false` in the subnet since Private Link Service does not support network policies like user-defined Routes and Network Security Groups. This setting only affects the Private Link service. For other resources in the subnet, access is controlled based on the Network Security Group which can be configured using the `azurerm_subnet_network_security_group_association` resource. See more details from Manage network policies for Private Link Services.
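The two notes above describe opposite requirements, so as an added example (not part of the provider documentation) here is a configuration that keeps them on separate subnets: one subnet hosts Private Endpoints with `private_endpoint_network_policies` enabled so that an NSG actually filters traffic to them, a second subnet is reserved for a Private Link service with `private_link_service_network_policies_enabled` turned off as that service requires, and default outbound internet access is disabled on both. Resource names, the `10.0.x.0/24` ranges and the `10.0.1.0/24` application source range are assumptions for illustration.

```hcl
# Added example, not from the azurerm provider docs. Names and address
# ranges are illustrative assumptions.
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_virtual_network" "example" {
  name                = "example-vnet"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

# Subnet for Private Endpoints. With the policy left at its default of
# "Disabled", an associated NSG would be bypassed for endpoint traffic;
# "Enabled" makes the NSG below apply to the endpoints.
resource "azurerm_subnet" "private_endpoints" {
  name                              = "snet-private-endpoints"
  resource_group_name               = azurerm_resource_group.example.name
  virtual_network_name              = azurerm_virtual_network.example.name
  address_prefixes                  = ["10.0.10.0/24"]
  private_endpoint_network_policies = "Enabled"
  default_outbound_access_enabled   = false
}

# Dedicated subnet for a Private Link service, which does not support
# network policies, so the policy is explicitly disabled only here.
resource "azurerm_subnet" "private_link_service" {
  name                                          = "snet-private-link-service"
  resource_group_name                           = azurerm_resource_group.example.name
  virtual_network_name                          = azurerm_virtual_network.example.name
  address_prefixes                              = ["10.0.20.0/24"]
  private_link_service_network_policies_enabled = false
  default_outbound_access_enabled               = false
}

# NSG that only admits HTTPS from the (assumed) application subnet and
# denies everything else inbound to the Private Endpoints.
resource "azurerm_network_security_group" "private_endpoints" {
  name                = "nsg-private-endpoints"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  security_rule {
    name                       = "allow-https-from-app-subnet"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "10.0.1.0/24"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "deny-all-inbound"
    priority                   = 4096
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

# The NSG is attached through the separate association resource that the
# notes above refer to, not in-line on the subnet.
resource "azurerm_subnet_network_security_group_association" "private_endpoints" {
  subnet_id                 = azurerm_subnet.private_endpoints.id
  network_security_group_id = azurerm_network_security_group.private_endpoints.id
}
```

Keeping the Private Link service subnet separate means the relaxed policy setting is scoped to the one subnet that needs it, while every other subnet keeps NSG and route-table enforcement.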
- `service_endpoints` - (Optional) The list of Service endpoints to associate with the subnet. Possible values include: `Microsoft.AzureActiveDirectory`, `Microsoft.AzureCosmosDB`, `Microsoft.ContainerRegistry`, `Microsoft.EventHub`, `Microsoft.KeyVault`, `Microsoft.ServiceBus`, `Microsoft.Sql`, `Microsoft.Storage`, `Microsoft.Storage.Global` and `Microsoft.Web`.

-> NOTE: In order to use the `Microsoft.Storage.Global` service endpoint (which allows access to virtual networks in other regions), you must enable the `AllowGlobalTagsForStorage` feature in your subscription. This is currently a preview feature, please see the official documentation for more information.

- `service_endpoint_policy_ids` - (Optional) The list of IDs of Service Endpoint Policies to associate with the subnet.
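A service endpoint on its own only routes traffic to the service over the Azure backbone; the service-side firewall still has to be configured to trust that subnet for the endpoint to restrict anything. As an added example (not from the provider documentation), the following pairs a `Microsoft.Storage` service endpoint on an application subnet with a storage account whose network rules default to deny and admit only that subnet. The resource names, the `10.0.1.0/24` range and the storage account name are assumptions; the storage account name in particular must be globally unique.

```hcl
# Added example, not from the azurerm provider docs. Names and the address
# range are illustrative assumptions.
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_virtual_network" "example" {
  name                = "example-vnet"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

# Application subnet with a Storage service endpoint. The endpoint lets the
# storage firewall identify traffic as coming from this subnet.
resource "azurerm_subnet" "app" {
  name                 = "snet-app"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]
  service_endpoints    = ["Microsoft.Storage"]
}

resource "azurerm_storage_account" "example" {
  name                     = "examplestorageacct01" # assumed; must be globally unique
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# Service-side half of the control: deny by default, allow only the subnet
# that carries the service endpoint. "AzureServices" bypass keeps trusted
# platform services (for example diagnostics) working.
resource "azurerm_storage_account_network_rules" "example" {
  storage_account_id         = azurerm_storage_account.example.id
  default_action             = "Deny"
  bypass                     = ["AzureServices"]
  virtual_network_subnet_ids = [azurerm_subnet.app.id]
}
```

The subnet must carry the `Microsoft.Storage` service endpoint before it is referenced in `virtual_network_subnet_ids`; Terraform's dependency graph orders this correctly because the network rules reference `azurerm_subnet.app.id`.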
A `delegation` block supports the following:

- `name` - (Required) A name for this delegation.
- `service_delegation` - (Required) A `service_delegation` block as defined below.

A `service_delegation` block supports the following:

-> NOTE: Delegating to services may not be available in all regions. Check that the service you are delegating to is available in your region using the Azure CLI. Also, `actions` is specific to each service type. The exact list of `actions` needs to be retrieved using the aforementioned Azure CLI.
- `name` - (Required) The name of service to delegate to. Possible values are `GitHub.Network/networkSettings`, `Informatica.DataManagement/organizations`, `Microsoft.ApiManagement/service`, `Microsoft.Apollo/npu`, `Microsoft.App/environments`, `Microsoft.App/testClients`, `Microsoft.AVS/PrivateClouds`, `Microsoft.AzureCosmosDB/clusters`, `Microsoft.BareMetal/AzureHostedService`, `Microsoft.BareMetal/AzureHPC`, `Microsoft.BareMetal/AzurePaymentHSM`, `Microsoft.BareMetal/AzureVMware`, `Microsoft.BareMetal/CrayServers`, `Microsoft.BareMetal/MonitoringServers`, `Microsoft.Batch/batchAccounts`, `Microsoft.CloudTest/hostedpools`, `Microsoft.CloudTest/images`, `Microsoft.CloudTest/pools`, `Microsoft.Codespaces/plans`, `Microsoft.ContainerInstance/containerGroups`, `Microsoft.ContainerService/managedClusters`, `Microsoft.ContainerService/TestClients`, `Microsoft.Databricks/workspaces`, `Microsoft.DBforMySQL/flexibleServers`, `Microsoft.DBforMySQL/servers`, `Microsoft.DBforMySQL/serversv2`, `Microsoft.DBforPostgreSQL/flexibleServers`, `Microsoft.DBforPostgreSQL/serversv2`, `Microsoft.DBforPostgreSQL/singleServers`, `Microsoft.DelegatedNetwork/controller`, `Microsoft.DevCenter/networkConnection`, `Microsoft.DevOpsInfrastructure/pools`, `Microsoft.DocumentDB/cassandraClusters`, `Microsoft.Fidalgo/networkSettings`, `Microsoft.HardwareSecurityModules/dedicatedHSMs`, `Microsoft.Kusto/clusters`, `Microsoft.LabServices/labplans`, `Microsoft.Logic/integrationServiceEnvironments`, `Microsoft.MachineLearningServices/workspaces`, `Microsoft.Netapp/volumes`, `Microsoft.Network/dnsResolvers`, `Microsoft.Network/managedResolvers`, `Microsoft.Network/fpgaNetworkInterfaces`, `Microsoft.Network/networkWatchers`, `Microsoft.Network/virtualNetworkGateways`, `Microsoft.Orbital/orbitalGateways`, `Microsoft.PowerPlatform/enterprisePolicies`, `Microsoft.PowerPlatform/vnetaccesslinks`, `Microsoft.ServiceFabricMesh/networks`, `Microsoft.ServiceNetworking/trafficControllers`, `Microsoft.Singularity/accounts/networks`, `Microsoft.Singularity/accounts/npu`, `Microsoft.Sql/managedInstances`, `Microsoft.Sql/managedInstancesOnebox`, `Microsoft.Sql/managedInstancesStage`, `Microsoft.Sql/managedInstancesTest`, `Microsoft.Sql/servers`, `Microsoft.StoragePool/diskPools`, `Microsoft.StreamAnalytics/streamingJobs`, `Microsoft.Synapse/workspaces`, `Microsoft.Web/hostingEnvironments`, `Microsoft.Web/serverFarms`, `NGINX.NGINXPLUS/nginxDeployments`, `PaloAltoNetworks.Cloudngfw/firewalls`, `Qumulo.Storage/fileSystems`, and `Oracle.Database/networkAttachments`.
- `actions` - (Optional) A list of Actions which should be delegated. This list is specific to the service to delegate to. Possible values are `Microsoft.Network/networkinterfaces/*`, `Microsoft.Network/publicIPAddresses/join/action`, `Microsoft.Network/publicIPAddresses/read`, `Microsoft.Network/virtualNetworks/read`, `Microsoft.Network/virtualNetworks/subnets/action`, `Microsoft.Network/virtualNetworks/subnets/join/action`, `Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action`, and `Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action`.
-> NOTE: Azure may add default actions depending on the service delegation name and they can't be changed.
In addition to the Arguments listed above, the following Attributes are exported:

- `id` - The subnet ID.
- `name` - (Required) The name of the subnet. Changing this forces a new resource to be created.
- `resource_group_name` - (Required) The name of the resource group in which the subnet is created.
- `virtual_network_name` - (Required) The name of the virtual network in which the subnet is created. Changing this forces a new resource to be created.
- `address_prefixes` - (Required) The address prefixes for the subnet.

The `timeouts` block allows you to specify timeouts for certain actions:

- `create` - (Defaults to 30 minutes) Used when creating the Subnet.
- `update` - (Defaults to 30 minutes) Used when updating the Subnet.
- `read` - (Defaults to 5 minutes) Used when retrieving the Subnet.
- `delete` - (Defaults to 30 minutes) Used when deleting the Subnet.
Subnets can be imported using the resource `id`, e.g.

```shell
terraform import azurerm_subnet.exampleSubnet /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.Network/virtualNetworks/myvnet1/subnets/mysubnet1
```