From 871da8cc760c67a8920e118525d6aa1a5ea086a2 Mon Sep 17 00:00:00 2001
From: Fernando Antivero
Date: Wed, 13 May 2026 13:20:11 -0300
Subject: [PATCH 1/2] fix Bastion subnet size to minimum /26

Azure Bastion requires a minimum subnet size of /26. The azure-network template used /29 and mock-onprem used /27, both too small.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .../nestedtemplates/azure-network-azuredeploy.bicep | 2 +-
 .../nestedtemplates/azure-network-azuredeploy.json | 2 +-
 .../nestedtemplates/mock-onprem-azuredeploy.bicep | 2 +-
 .../nestedtemplates/mock-onprem-azuredeploy.json | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep
index 27e2448f..197c3118 100644
--- a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep
+++ b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep
@@ -27,7 +27,7 @@ param vpnGateway object = {
 param bastionHost object = {
 name: 'AzureBastionHost'
 subnetName: 'AzureBastionSubnet'
- subnetPrefix: '10.0.1.0/29'
+ subnetPrefix: '10.0.1.0/26'
 publicIPAddressName: 'pip-bastion'
 nsgName: 'nsg-hub-bastion'
 }
diff --git a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json
index 6acc540d..23680d0a 100644
--- a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json
+++ b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json
@@ -55,7 +55,7 @@
 "defaultValue": {
 "name": "AzureBastionHost",
 "subnetName": "AzureBastionSubnet",
- "subnetPrefix": "10.0.1.0/29",
+ "subnetPrefix": "10.0.1.0/26",
 "publicIPAddressName": "pip-bastion",
 "nsgName": "nsg-hub-bastion"
 }
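Review bot: The widened default `subnetPrefix: '10.0.1.0/26'` now spans 10.0.1.0–10.0.1.63 where the old /29 ended at 10.0.1.7, and nothing in this hunk shows whether another hub subnet (for example the one defined by `vpnGateway`) already sits inside that range. The same applies to `192.168.254.0/26` in the two mock-onprem hunks, which doubles the old /27. The other subnet prefixes are outside the hunks, so they should be checked against the full parameter list, and any NSG rule that hard-codes the old prefix instead of reading this parameter would need the same update. The /26 floor is also recorded only in the commit message; I would add `@description('AzureBastionSubnet prefix; Azure Bastion requires /26 or larger')` above `param bastionHost` in both Bicep files so an override does not reintroduce a too-small subnet.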
diff --git a/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.bicep b/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.bicep
index 4c74e592..7088762e 100644
--- a/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.bicep
+++ b/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.bicep
@@ -17,7 +17,7 @@ param mocOnpremGateway object = {
 param bastionHost object = {
 name: 'AzureBastionHost'
 subnetName: 'AzureBastionSubnet'
- subnetPrefix: '192.168.254.0/27'
+ subnetPrefix: '192.168.254.0/26'
 publicIPAddressName: 'pip-bastion'
 nsgName: 'nsg-hub-bastion'
 }
diff --git a/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.json b/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.json
index 8adc0187..6099673d 100644
--- a/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.json
+++ b/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.json
@@ -31,7 +31,7 @@
 "defaultValue": {
 "name": "AzureBastionHost",
 "subnetName": "AzureBastionSubnet",
- "subnetPrefix": "192.168.254.0/27",
+ "subnetPrefix": "192.168.254.0/26",
 "publicIPAddressName": "pip-bastion",
 "nsgName": "nsg-hub-bastion"
 }
From 5e601c1f5725e1c5db3e3ae0b4e74a87becbafc9 Mon Sep 17 00:00:00 2001
From: Fernando Antivero
Date: Wed, 13 May 2026 13:30:42 -0300
Subject: [PATCH 2/2] reduce spoke subnet from /16 to /24

The spoke subnet previously consumed the entire VNet address space (/16), leaving no room for additional subnets. Shrink to /24 to allow future subnet additions.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .../nestedtemplates/azure-network-azuredeploy.bicep | 2 +-
 .../nestedtemplates/azure-network-azuredeploy.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep
index 197c3118..d630330e 100644
--- a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep
+++ b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep
@@ -15,7 +15,7 @@ param spokeNetwork object = {
 name: 'vnet-spoke'
 addressPrefix: '10.100.0.0/16'
 subnetName: 'snet-spoke-resources'
- subnetPrefix: '10.100.0.0/16'
+ subnetPrefix: '10.100.0.0/24'
 subnetNsgName: 'nsg-spoke-resources'
 }
 param vpnGateway object = {
diff --git a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json
index 23680d0a..bf2082da 100644
--- a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json
+++ b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json
@@ -37,7 +37,7 @@
 "name": "vnet-spoke",
 "addressPrefix": "10.100.0.0/16",
 "subnetName": "snet-spoke-resources",
- "subnetPrefix": "10.100.0.0/16",
+ "subnetPrefix": "10.100.0.0/24",
 "subnetNsgName": "nsg-spoke-resources"
 }
 },
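Review bot: With `subnetPrefix` shrunk to `10.100.0.0/24` while `addressPrefix` stays `10.100.0.0/16`, any rule scoped to the VNet prefix now covers address space that holds no subnet yet. The rules themselves are not visible in this hunk, but if the hub firewall, the NSG named by `subnetNsgName` or a route table references `spokeNetwork.addressPrefix` (or the literal /16), subnets added later would inherit that access without review. Scoping such rules to `spokeNetwork.subnetPrefix` keeps each new subnet an explicit decision. The description should also mention that this changes the default for an existing subnet, since redeploying over an environment that already has resources in `snet-spoke-resources` may be rejected or leave addresses outside the /24. The JSON hunk for the same file carries the identical change.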