Custom VNet and Subnet Configuration Guide

DSPM for SaaS — Azure Deployment

Overview

This guide walks you through creating a custom Azure Virtual Network (VNet) and subnets to support your DSPM for SaaS deployment. A properly configured VNet provides the network isolation and connectivity required for the DSPM scanning infrastructure to operate securely within your Azure environment.

The deployment requires one Virtual Network with six dedicated subnets, each serving a specific function in the DSPM scanning pipeline. By the end of this guide, your Azure environment will be fully prepared for DSPM onboarding.

Prerequisites

Before you begin, ensure you have the following:

  • An active Azure subscription with permissions to create networking resources
  • Azure CLI installed and authenticated (version 2.50 or later recommended)
  • Contributor role (or equivalent) on the target Resource Group
  • A Resource Group created in your preferred Azure region
  • Your onboarding ID (provided by Proofpoint after initial setup)

Configuration Flexibility

You have flexibility in naming and configuring your network resources. The following elements are customizable:

Element           Details
Resource Group    Use any existing or new Resource Group in your subscription.
VNet Name         Choose a name that aligns with your organization’s naming conventions.
Address Prefixes  Define custom CIDR ranges for the VNet and each subnet.
Subnet Sizing     Each subnet must provide at least 126 usable private IP addresses (minimum /25, recommended /24).

While you can customize names and address ranges, the subnet names listed in this guide are required by the DSPM platform. Do not rename the subnets unless specifically instructed by Proofpoint Support.

Step 1: Create the Virtual Network

Begin by creating a Virtual Network that will host all six subnets required for the DSPM deployment. The VNet provides the overarching network boundary for your scanning infrastructure.

Run the following Azure CLI command, replacing the placeholder values with your own:

az network vnet create \
  --resource-group "<your_resource_group_name>" \
  --name "<your_vnet_name>" \
  --address-prefixes "10.0.0.0/16"

Parameter           Description
--resource-group    Name of your Azure Resource Group.
--name              Your chosen name for the Virtual Network.
--address-prefixes  CIDR block for the VNet (e.g., 10.0.0.0/16 provides 65,536 addresses).

A /16 address space provides more than enough room for the six required subnets plus any future expansion. If you need to use a smaller range, ensure it can accommodate at least six /24 subnets.

If you are using a Custom VNet for both IaaS and SaaS deployments with the same Azure sidecar account, you must ensure that the private IP address ranges for each deployment do not overlap. Overlapping ranges will cause routing conflicts and connectivity failures. Plan your CIDR allocations carefully across both environments before proceeding.

Step 2: Create the Required Subnets

Create the following six subnets within your VNet. Five of the subnets require a delegation to Microsoft.App/environments to support Azure Container Apps. The sixth subnet (Private Endpoint) does not require delegation.

All subnets require the Microsoft.Storage.Global service endpoint for secure connectivity to Azure Storage.

Each subnet must be sized to provide at least 126 usable private IP addresses. A /24 CIDR block (256 addresses, 251 usable) is recommended.
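Before running any of the subnet commands below, it is worth checking the address plan offline. The sizing rule above and the non-overlap requirement from Step 1 are both easy to get wrong when two deployments share one sidecar account, and Azure only rejects overlapping subnets inside a single VNet, not overlapping address spaces across VNets. The following POSIX shell script is an added example, not part of this guide or of Proofpoint's tooling. It verifies that every subnet is aligned to its prefix length, lies inside the VNet range, is no smaller than the /25 minimum, and that no two ranges overlap. The IaaS range 10.1.0.0/16 used in the demonstration at the bottom is a constructed placeholder, not a value from this guide.

```shell
#!/bin/sh
# Offline address-plan check for the DSPM VNet and its subnets.
# Added example; not part of the Proofpoint guide or its tooling.
# It checks, before any az command runs, that every subnet is aligned to its
# prefix length, lies inside the VNet range, is no smaller than the /25 minimum,
# and that no two ranges overlap. Pure POSIX sh; no Azure access is needed.
set -eu

ALL_ONES=4294967295   # 0xFFFFFFFF, keeps the arithmetic within 32 bits

# ip_to_int 10.0.1.0 -> prints the address as an integer (167772416)
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_range 10.0.1.0/24 -> sets BASE (the address as written), FIRST (network
# address) and LAST (broadcast address), all as integers
cidr_range() {
  len=${1#*/}
  BASE=$(ip_to_int "${1%/*}")
  mask=$(( ($ALL_ONES << (32 - $len)) & $ALL_ONES ))
  FIRST=$(( $BASE & $mask ))
  LAST=$(( $FIRST | (~$mask & $ALL_ONES) ))
}

# check_disjoint CIDR... -> prints each overlapping pair, returns 1 if any.
# Pass the ranges of both deployments in one call: Azure rejects overlapping
# subnets inside one VNet but not overlapping address spaces across VNets.
check_disjoint() {
  ranges=""
  for s in "$@"; do
    cidr_range "$s"
    ranges="$ranges$s:$FIRST:$LAST "
  done
  overlaps=0
  rest=$ranges
  for a in $ranges; do
    rest=${rest#* }                 # the entries after 'a'
    an=${a%%:*}; al=${a##*:}; af=${a#*:}; af=${af%:*}
    for b in $rest; do
      bn=${b%%:*}; bl=${b##*:}; bf=${b#*:}; bf=${bf%:*}
      if [ "$af" -le "$bl" ] && [ "$bf" -le "$al" ]; then
        echo "ERROR: $an overlaps $bn"; overlaps=1
      fi
    done
  done
  return $overlaps
}

# validate_plan VNET_CIDR SUBNET_CIDR... -> prints problems, returns 1 if any
validate_plan() {
  vnet=$1; shift
  cidr_range "$vnet"; vfirst=$FIRST; vlast=$LAST
  errors=0
  for s in "$@"; do
    cidr_range "$s"
    if [ "$BASE" -ne "$FIRST" ]; then
      echo "ERROR: $s is not aligned to its prefix length"; errors=1
    fi
    if [ "${s#*/}" -gt 25 ]; then
      echo "ERROR: $s is smaller than the /25 minimum (126 usable addresses)"; errors=1
    fi
    if [ "$FIRST" -lt "$vfirst" ] || [ "$LAST" -gt "$vlast" ]; then
      echo "ERROR: $s lies outside the VNet range $vnet"; errors=1
    fi
  done
  check_disjoint "$@" || errors=1
  if [ "$errors" -eq 0 ]; then
    echo "OK: $# subnets fit inside $vnet with no overlap"
  fi
  return $errors
}

# The guide's example plan: the Step 1 VNet and the six Step 2 subnets.
SAAS_VNET=10.0.0.0/16
validate_plan "$SAAS_VNET" 10.0.1.0/24 10.0.2.0/24 10.0.3.0/24 \
  10.0.4.0/24 10.0.5.0/24 10.0.6.0/24

# Step 1 cross-deployment rule: the SaaS VNet must not overlap an IaaS VNet
# that shares the sidecar account. 10.1.0.0/16 is a constructed placeholder.
IAAS_VNET=10.1.0.0/16
check_disjoint "$SAAS_VNET" "$IAAS_VNET" && echo "OK: SaaS and IaaS VNet ranges are disjoint"
```

Run it with your own ranges substituted for the guide's 10.0.x.0/24 values; because it uses set -e, the script exits non-zero after printing the first set of problems, which makes it usable as a gate in a deployment pipeline.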

Cloud Scan Subnet

This subnet hosts the cloud scanning workloads that discover and classify data across your SaaS environment.

az network vnet subnet create \
  --resource-group "<your_resource_group_name>" \
  --name "normalyze-saas-crawler-cloudscan-subnet" \
  --vnet-name "<your_vnet_name>" \
  --address-prefixes "10.0.1.0/24" \
  --delegations Microsoft.App/environments \
  --service-endpoints "Microsoft.Storage.Global"

Data Scan Subnet

This subnet supports detailed data scanning operations, including content inspection and sensitive data detection.

az network vnet subnet create \
  --resource-group "<your_resource_group_name>" \
  --name "normalyze-saas-crawler-datascan-subnet" \
  --vnet-name "<your_vnet_name>" \
  --address-prefixes "10.0.2.0/24" \
  --delegations Microsoft.App/environments \
  --service-endpoints "Microsoft.Storage.Global"

Apply Label Subnet

This subnet handles the application of sensitivity labels to classified data based on your configured policies.

az network vnet subnet create \
  --resource-group "<your_resource_group_name>" \
  --name "normalyze-saas-crawler-apply-label-subnet" \
  --vnet-name "<your_vnet_name>" \
  --address-prefixes "10.0.4.0/24" \
  --delegations Microsoft.App/environments \
  --service-endpoints "Microsoft.Storage.Global"

Revoke Access Subnet

This subnet manages access revocation workflows when policy violations or unauthorized access patterns are detected.

az network vnet subnet create \
  --resource-group "<your_resource_group_name>" \
  --name "normalyze-saas-crawler-revoke-access-subnet" \
  --vnet-name "<your_vnet_name>" \
  --address-prefixes "10.0.5.0/24" \
  --delegations Microsoft.App/environments \
  --service-endpoints "Microsoft.Storage.Global"

Sync Labels Subnet

This subnet synchronizes sensitivity labels across your SaaS applications to maintain consistent classification.

az network vnet subnet create \
  --resource-group "<your_resource_group_name>" \
  --name "normalyze-saas-crawler-sync-labels-subnet" \
  --vnet-name "<your_vnet_name>" \
  --address-prefixes "10.0.6.0/24" \
  --delegations Microsoft.App/environments \
  --service-endpoints "Microsoft.Storage.Global"

Private Endpoint Subnet (No Delegation)

This subnet hosts private endpoints for secure, private connectivity to Azure services. Unlike the other subnets, this one does not require a delegation.

az network vnet subnet create \
  --resource-group "<your_resource_group_name>" \
  --name "normalyze-saas-crawler-pe-subnet" \
  --vnet-name "<your_vnet_name>" \
  --address-prefixes "10.0.3.0/24" \
  --service-endpoints "Microsoft.Storage.Global"

Notice that this command does not include the --delegations flag. Private endpoint subnets must not have delegations assigned.

Step 3: Update Tags After Onboarding

Once your DSPM onboarding is complete, apply identification tags to your VNet and Resource Group. These tags enable the DSPM platform to identify and manage your network resources.

Replace <onboardingId>, <SubscriptionId> and <ResourceGroupName> with the values provided by Proofpoint during onboarding.

Tag the Virtual Network

az network vnet update \
  --resource-group "<your_resource_group_name>" \
  --name "<your_vnet_name>" \
  --tags used_by_saas=saas-normalyze-<onboardingId>

Tag the Resource Group

az tag update \
  --resource-id /subscriptions/<SubscriptionId>/resourceGroups/<ResourceGroupName> \
  --operation Merge \
  --tags used_by_saas=saas-normalyze-<onboardingId>

The --operation Merge flag ensures existing tags on the Resource Group are preserved. Only the used_by_saas tag will be added or updated.
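Steps 1 through 3 can be driven from a single script so that the subnet names, prefixes and the delegation rule (Container Apps subnets delegated, private endpoint subnet not) are applied from one table rather than six hand-edited commands. The following POSIX shell script is an added example and not Proofpoint's own tooling; it issues the same az commands shown in this guide. A plan mode prints the commands without executing them, deploy creates the VNet and subnets, and tag applies the Step 3 tags after onboarding. The environment variable names RG, VNET, VNET_PREFIX, SUBSCRIPTION_ID and ONBOARDING_ID, and the file name dspm-network.sh, are assumptions of the example.

```shell
#!/bin/sh
# End-to-end script for Steps 1 to 3 of this guide. Added example; not
# Proofpoint's own tooling. It runs the same az commands the guide lists,
# with the six subnets kept in one table so the delegation rule (Container
# Apps subnets delegated, private endpoint subnet not) is applied mechanically.
#
# Usage (RG, VNET, SUBSCRIPTION_ID and ONBOARDING_ID are assumed variable names):
#   RG=<your_resource_group_name> VNET=<your_vnet_name> ./dspm-network.sh plan    # print commands only
#   RG=... VNET=... ./dspm-network.sh deploy                                      # create VNet and subnets
#   RG=... VNET=... SUBSCRIPTION_ID=... ONBOARDING_ID=... ./dspm-network.sh tag   # after onboarding
set -eu

VNET_PREFIX=${VNET_PREFIX:-10.0.0.0/16}
ENDPOINT=Microsoft.Storage.Global
DELEGATION=Microsoft.App/environments

# run CMD...: print the command when DRY_RUN=1, otherwise execute it
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# create_subnet NAME PREFIX DELEGATED(1|0)
create_subnet() {
  sn=$1; sp=$2; sd=$3
  set -- az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name "$sn" --address-prefixes "$sp" --service-endpoints "$ENDPOINT"
  # Only the Container Apps subnets are delegated; the private endpoint
  # subnet must not carry a delegation.
  if [ "$sd" = 1 ]; then
    set -- "$@" --delegations "$DELEGATION"
  fi
  run "$@"
}

# deploy_network: Step 1 (VNet) and Step 2 (six subnets)
deploy_network() {
  : "${RG:?set RG to your resource group name}"
  : "${VNET:?set VNET to your virtual network name}"
  run az network vnet create --resource-group "$RG" --name "$VNET" --address-prefixes "$VNET_PREFIX"
  # name | address prefix | delegated (same rows as the Subnet Reference Summary)
  while IFS='|' read -r name prefix delegated; do
    [ -n "$name" ] || continue
    create_subnet "$name" "$prefix" "$delegated"
  done <<EOF
normalyze-saas-crawler-cloudscan-subnet|10.0.1.0/24|1
normalyze-saas-crawler-datascan-subnet|10.0.2.0/24|1
normalyze-saas-crawler-pe-subnet|10.0.3.0/24|0
normalyze-saas-crawler-apply-label-subnet|10.0.4.0/24|1
normalyze-saas-crawler-revoke-access-subnet|10.0.5.0/24|1
normalyze-saas-crawler-sync-labels-subnet|10.0.6.0/24|1
EOF
}

# tag_resources: Step 3, run only after onboarding is complete
tag_resources() {
  : "${RG:?set RG to your resource group name}"
  : "${VNET:?set VNET to your virtual network name}"
  : "${SUBSCRIPTION_ID:?set SUBSCRIPTION_ID to your Azure subscription ID}"
  : "${ONBOARDING_ID:?set ONBOARDING_ID to the value Proofpoint provided}"
  tag="used_by_saas=saas-normalyze-$ONBOARDING_ID"
  run az network vnet update --resource-group "$RG" --name "$VNET" --tags "$tag"
  # Merge keeps any tags already present on the resource group
  run az tag update --resource-id "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RG" \
    --operation Merge --tags "$tag"
}

case "${1:-}" in
  plan)   DRY_RUN=1 deploy_network ;;
  deploy) deploy_network ;;
  tag)    tag_resources ;;
  *)      echo "usage: $0 plan|deploy|tag" >&2 ;;
esac
```

Run plan first and compare the printed commands against the Subnet Reference Summary; deploy stops at the first failing az command because of set -e, so a rejected subnet (for example an overlapping prefix) leaves the remaining subnets uncreated rather than half-applied.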

Subnet Reference Summary

The following table provides a quick reference of all required subnets, their example address prefixes, and configuration details.

Subnet Name                                  Address      Delegation                  Service Endpoint          Purpose
normalyze-saas-crawler-cloudscan-subnet      10.0.1.0/24  Microsoft.App/environments  Microsoft.Storage.Global  Cloud scanning
normalyze-saas-crawler-datascan-subnet       10.0.2.0/24  Microsoft.App/environments  Microsoft.Storage.Global  Data scanning
normalyze-saas-crawler-pe-subnet             10.0.3.0/24  None                        Microsoft.Storage.Global  Private endpoints
normalyze-saas-crawler-apply-label-subnet    10.0.4.0/24  Microsoft.App/environments  Microsoft.Storage.Global  Label application
normalyze-saas-crawler-revoke-access-subnet  10.0.5.0/24  Microsoft.App/environments  Microsoft.Storage.Global  Access revocation
normalyze-saas-crawler-sync-labels-subnet    10.0.6.0/24  Microsoft.App/environments  Microsoft.Storage.Global  Label sync

Troubleshooting

If you encounter issues during the configuration process, review the following common scenarios.

Issue: Subnet creation fails with address overlap
Resolution: Ensure each subnet uses a unique, non-overlapping CIDR range within the VNet address space.

Issue: Delegation error
Resolution: Verify that the Microsoft.App resource provider is registered in your subscription. Run: az provider register --namespace Microsoft.App

Issue: Insufficient permissions
Resolution: Confirm you have Contributor role or equivalent on the Resource Group. Contact your Azure administrator if needed.

Issue: Service endpoint not available
Resolution: Ensure the Microsoft.Storage.Global service endpoint is available in your region. Some sovereign clouds may have different endpoint names.

Issue: Tag update fails
Resolution: Verify you are using the correct Subscription ID and Resource Group name. Ensure the resource exists before applying tags.

Support

If you need further assistance with your VNet configuration or DSPM onboarding, contact Proofpoint Support through your designated support channel. When reaching out, please have the following information ready:

  • Your Azure Subscription ID
  • Resource Group name
  • VNet name and address configuration
  • Your Proofpoint onboarding ID
  • Any error messages or screenshots from failed commands