Here's a quick cheat sheet on recommended subnet sizing for Azure. Items in bold are subnet names reserved by the platform for their corresponding service.
GatewaySubnet - /27 - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub
Point-to-Site (P2S) addressing (VPN or VWAN) - requires an address space outside the VNet; size depends on the number of P2S clients - https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about#gwsku
AzureBastionSubnet - /26 (as of Nov 2021; previously /27) - https://docs.microsoft.com/en-us/azure/bastion/bastion-create-host-portal#createhost
Azure Virtual WAN Hub - /24 - https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal#hub
AzureFirewallSubnet - /26 - https://docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal#create-a-vnet
AzureFirewallManagementSubnet - /26 - Azure Firewall forced tunneling | Microsoft Docs
RouteServerSubnet - /27 - Quickstart: Create and configure Route Server using Azure PowerShell | Microsoft Docs
Application Gateway - min /27 per deployment - https://docs.microsoft.com/en-us/azure/application-gateway/configuration-overview#size-of-the-subnet
Azure AD Domain Services (AADDS) - min /28 - Network planning and connections for Azure AD Domain Services | Microsoft Docs
Azure SQL Managed Instance (SQL MI) - min /27 - https://docs.microsoft.com/en-us/azure/sql-database/sql-database-managed-instance-determine-size-vnet-subnet
App Services (Web Apps, Functions, API Apps) - min /27 - https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
App Service Environment - /24 - https://docs.microsoft.com/en-us/azure/app-service/environment/network-info
Logic Apps integration service - /27 - https://docs.microsoft.com/en-us/azure/logic-apps/connect-virtual-network-vnet-isolated-environment#set-up-network-ports
API Management - min /29 - https://docs.microsoft.com/en-us/azure/api-management/api-management-using-with-vnet#--subnet-size-requirement
Azure Kubernetes Service (AKS) - depends on node count - https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni#plan-ip-addressing-for-your-cluster
Azure Container Instances (ACI) - /29 - https://docs.microsoft.com/en-us/azure/container-instances/container-instances-vnet
Azure Databricks - requires 2 subnets (Public/Private), min of two /26 - https://docs.azuredatabricks.net/administration-guide/cloud-configurations/azure/vnet-inject.html#virtual-network-requirements
Azure NetApp Files - /28 - https://docs.microsoft.com/en-us/azure/azure-netapp-files/azure-netapp-files-delegate-subnet
Azure Dedicated HSM - /28 - https://docs.microsoft.com/en-us/azure/dedicated-hsm/networking#subnets
Azure VMware Solutions - /22 - https://docs.microsoft.com/en-us/azure/azure-vmware/tutorial-network-checklist#routing-and-subnet-considerations
Azure Spring Cloud - /28 - Deploy Azure Spring Cloud in a virtual network | Microsoft Docs
Notes
Microsoft has also added a list of services that can be injected into virtual networks here: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services#services-that-can-be-deployed-into-a-virtual-network
The size of the AzureFirewallSubnet subnet is /26. For more information about the subnet size, see Azure Firewall FAQ. - per the documentation may want to update from /25
Thanks! I've updated the document.
Could you add this page as a reference? https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services#services-that-can-be-deployed-into-a-virtual-network
Added
Nice cheat sheet!
Besides AzureFirewallSubnet you may also need AzureFirewallManagementSubnet (minimum subnet size /26)
https://docs.microsoft.com/en-us/azure/firewall/forced-tunneling
Thanks! Added the reference to the list.