Merge pull request #309684 from ncheruvu-MSFT/docs-editor/inject-vnet-v2-1765999259

prmerger-automator[bot] · web-flow · commit 953ac9f319e8 · 2026-01-06T19:32:23.000Z
Update inject-vnet-v2.md
diff --git a/articles/api-management/inject-vnet-v2.md b/articles/api-management/inject-vnet-v2.md
@@ -54,6 +54,29 @@ If you want to enable *public* inbound access to an API Management instance in t
 * Minimum: /27 (32 addresses)
 * Recommended: /24 (256 addresses) - to accommodate scaling of API Management instance
 
+### Examples
+
+The following table shows subnet sizing examples for API Management virtual network injection, illustrating how different CIDR blocks affect the number of scale-out units possible:
+
+| Subnet CIDR | Total IP addresses | Azure reserved IPs | API Management instance IPs | Internal load balancer IP | Remaining IPs for scale-out | Max scale-out units | Total max units |
+|-------------|---------------------|---------------------|------------------------------|----------------------------|-----------------------------|----------------------|------------------|
+| /27         | 32                  | 5                   | 2                            | 1                          | 24                          | 12                   | 13               |
+| /26         | 64                  | 5                   | 2                            | 1                          | 56                          | 28                   | 29               |
+| /25         | 128                 | 5                   | 2                            | 1                          | 120                         | 30*                  | 30*              |
+
+
+### Key Points
+
+- **Minimum subnet size**: /27 (provides 24 usable IP addresses for API Management)
+- **Azure reserved IPs**: 5 addresses per subnet (first and last for protocol conformance, plus 3 for Azure services)
+- **Scale-out requirement**: Each scale-out unit requires 2 IP addresses
+- **Internal load balancer**: Only required when API Management is deployed in internal virtual network mode
+- **Premium V2 limit**: * Currently supports up to 30 units maximum.
+
+> [!IMPORTANT]
+> API Management is a member of Azure Integration Services and is typically deployed as a pivotal service in enterprise architectures. It is prudent to err on the higher side of available IPs for the API Management subnet as changing it later can have far-reaching impact.
+> The private IP addresses of internal load balancer and API Management units are assigned dynamically. Therefore, it is impossible to anticipate the private IP of the API Management instance prior to its deployment. Additionally, changing to a different subnet and then returning might cause a change in the private IP address.
+
 ### Network security group
 
 [!INCLUDE [api-management-virtual-network-v2-nsg-rules](../../includes/api-management-virtual-network-v2-nsg-rules.md)]
@@ -76,8 +99,6 @@ You must have at least the following role-based access control permissions on th
 | Microsoft.Network/virtualNetworks/subnets/read | Read a virtual network subnet definition |
 | Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network |
 
-
-
 ## Inject API Management in a virtual network
 
 When you [create](get-started-create-service-instance.md) a Premium v2 instance using the Azure portal, you can optionally configure settings for virtual network injection. 
