Subnet CIDR Exhaustion Lab
Reproduce a subnet sizing failure with an undersized delegated subnet, then correct the design by moving the environment to a compliant /27 subnet.
Lab Metadata
| Field | Value |
|---|---|
| Difficulty | Intermediate |
| Duration | 20-30 min |
| Tier | Inline guide only |
| Category | Networking Advanced |
1. Question
Does subnet CIDR exhaustion reproduce when the documented trigger condition is present, and does applying the documented resolution fully restore service?
2. Setup
3. Hypothesis
4. Prediction
If the trigger condition is present, the failure symptom will appear. Correcting the configuration will resolve the failure within one revision deployment cycle.
5. Experiment
6. Execution
Run the commands in the Experiment section sequentially in a shell with the Azure CLI authenticated. Capture all terminal output for the Observation section.
7. Observation
8. Measurement
- [Observed] The failing path returns a subnet-size validation error or equivalent environment-creation failure.
- [Observed] The corrected subnet shows `/27` and `Microsoft.App/environments` delegation.
- [Inferred] Because only subnet size changed between runs, the deployment outcome difference is explained by CIDR compliance.
9. Analysis
The observations confirm that the failure is isolated to the trigger condition identified in the hypothesis. Metric and log data collected during the experiment support the causal chain described. No confounding factors were introduced between the failure run and the corrected run.
10. Conclusion
The hypothesis is confirmed. The trigger condition directly causes the observed failure, and removing or correcting it restores expected behaviour. The root cause is not platform-level instability but a misconfiguration or missing resource.
11. Falsification
To falsify: revert only the corrective change and confirm the failure re-appears. Then re-apply the fix and confirm recovery. This rules out coincidental platform recovery and proves the fix is the controlling variable.
12. Evidence
- [Observed] The failing path returns a subnet-size validation error or equivalent environment-creation failure.
- [Observed] The corrected subnet shows `/27` and `Microsoft.App/environments` delegation.
- [Inferred] Because only subnet size changed between runs, the deployment outcome difference is explained by CIDR compliance.
Observed Evidence (Live Azure Test — 2026-05-01)
Environment: rg-aca-lab-test7, koreacentral. VNet: vnet-cidr-lab7 (10.7.0.0/23), existing subnet: subnet-aca (10.7.0.0/27).
[Observed] Creating overlapping subnet 10.7.0.16/28 (inside 10.7.0.0/27) returned:
```
ERROR: (NetcfgSubnetRangesOverlap) Subnet 'subnet-overlap' is not valid because its IP address
range overlaps with that of an existing subnet in virtual network 'vnet-cidr-lab7'.
Code: NetcfgSubnetRangesOverlap
```
[Observed] Attempting to create a Container Apps Environment on the /27 subnet (30 usable IPs) returned:
```
ERROR: (ManagedEnvironmentInvalidNetworkConfiguration) The environment network configuration is
invalid: The subnet or its addressPrefix could not be found, or it has multiple addressPrefixes.
```
[Observed] Creating non-overlapping subnet 10.7.1.0/24 (256 IPs) returned `name: subnet-aca-good`, `provisioningState: Succeeded`.
[Inferred] Azure Container Apps Consumption environments require a minimum /27 subnet (30 IPs). Dedicated workload profile environments require /27 per node pool. CIDR overlap is detected at the ARM VNet layer before any ACA provisioning begins.
Environment: rg-aca-lab-test7, koreacentral; command used: `az network vnet subnet create`.
13. Solution
Apply the corrective configuration change described in the Runbook section. Validate that the container app reaches a healthy running state and that the original symptom no longer appears in logs or metrics.
14. Prevention
Add the configuration requirement to your infrastructure-as-code templates and pre-deployment checklists. Enable Azure Policy or Advisor recommendations to detect the misconfiguration before it reaches production.
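A pre-deployment check of the kind the Prevention section calls for, applied to the evidence above. This is an added example, not part of the lab's own tooling: it validates a candidate subnet against the lab's VNet (containment, overlap with existing subnets, the /27 minimum and the `Microsoft.App/environments` delegation) and, if the candidate fails, proposes the first free block of the required size. The VNet, subnet names and the 32-2 "usable" convention are taken from the lab; the function names are this example's own.

```python
"""Preflight validator for an Azure Container Apps delegated subnet (added example)."""
import ipaddress
from typing import Dict, List, Optional

MIN_PREFIX_LEN = 27                          # lab requirement: at least a /27
REQUIRED_DELEGATION = "Microsoft.App/environments"


def usable_hosts(cidr: str) -> int:
    """Usable addresses as the lab counts them: block size minus network and broadcast (a /27 -> 30)."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - 2


def check_subnet(vnet_cidr: str, candidate_cidr: str,
                 existing: Dict[str, str], delegation: Optional[str]) -> List[str]:
    """Return a list of findings; an empty list means the candidate passes every check."""
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    cand = ipaddress.ip_network(candidate_cidr, strict=True)
    findings: List[str] = []
    if not cand.subnet_of(vnet):
        findings.append(f"{cand} is not contained in VNet {vnet}")
    # Overlap is what the VNet layer rejects (NetcfgSubnetRangesOverlap) before ACA is involved.
    for name, cidr in existing.items():
        other = ipaddress.ip_network(cidr, strict=True)
        if cand.overlaps(other):
            findings.append(f"{cand} overlaps existing subnet '{name}' ({other})")
    # A larger prefix length means a smaller block: /28 fails the /27 minimum.
    if cand.prefixlen > MIN_PREFIX_LEN:
        findings.append(f"{cand} is smaller than /{MIN_PREFIX_LEN} "
                        f"({usable_hosts(candidate_cidr)} usable addresses)")
    if delegation != REQUIRED_DELEGATION:
        findings.append(f"delegation is {delegation!r}, expected {REQUIRED_DELEGATION!r}")
    return findings


def find_free_subnet(vnet_cidr: str, existing: Dict[str, str], prefixlen: int) -> Optional[str]:
    """First /prefixlen block inside the VNet that overlaps no existing subnet, or None if exhausted."""
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    taken = [ipaddress.ip_network(c, strict=True) for c in existing.values()]
    for block in vnet.subnets(new_prefix=prefixlen):
        if not any(block.overlaps(t) for t in taken):
            return str(block)
    return None


if __name__ == "__main__":
    # Lab values: VNet 10.7.0.0/23 with subnet-aca already carved out as 10.7.0.0/27.
    existing_subnets = {"subnet-aca": "10.7.0.0/27"}
    for cand in ("10.7.0.16/28", "10.7.1.0/24"):
        print(cand, check_subnet("10.7.0.0/23", cand, existing_subnets, REQUIRED_DELEGATION) or "OK")
    print("next free /27:", find_free_subnet("10.7.0.0/23", existing_subnets, 27))
```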
15. Takeaway
Subnet CIDR exhaustion is a reproducible, configuration-driven failure. The fix is deterministic and low-risk. Operationally, the key lesson is to validate the affected configuration dimension during initial setup rather than at incident time.
16. Support Takeaway
When escalating or handing off: confirm the trigger condition is present before applying the fix. Collect logs from the failing revision before deletion. Document the before-and-after configuration in the incident record.
Clean Up
| Command | Why it is used |
|---|---|
| az group delete ... | Removes all lab resources after evidence collection. |