Elestio Now Supports Custom Azure VNet and Subnet Selection
If you've ever deployed infrastructure on Azure and thought "I really wish I could keep everything inside my own network," you're not alone. One of the most requested features from our Azure users just landed: you can now select your own Resource Group, Virtual Network (VNet), and Subnet when deploying services on Elestio with your Azure account.
AWS users have had this for a while. Now Azure gets the same treatment.
Why This Matters
Here's the thing about deploying managed services in the cloud. Most platforms spin up resources in their own isolated environment. That works fine until your security team asks where exactly your data lives, or your compliance requirements demand that services run inside a specific network boundary.
With BYO Azure on Elestio, you're not handing over the keys. You connect your own Azure account, and now you get to pick exactly where things land:
- Resource Group: Keep your Elestio-deployed services organized alongside your existing Azure resources
- VNet: Deploy into your pre-configured Virtual Network with your own firewall rules, peering connections, and routing tables already in place
- Subnet: Place services in the exact subnet you want, with your own Network Security Groups (NSGs) controlling traffic
This isn't just a convenience feature. It's a compliance and security feature. If your organization requires services to stay within a defined network perimeter, this is how you do it without sacrificing managed infrastructure.
How It Works
The setup is straightforward. During the Elestio deployment flow, you'll now see a Network Configuration step (step 6) when using your Azure account. Three dropdown menus appear:
- Resource Group - Select from your existing Azure resource groups
- VPC (Virtual Network) - Pick the VNet you want to deploy into, complete with CIDR range visibility (e.g., 10.0.0.0/16)
- Subnet - Choose the specific subnet within that VNet (e.g., 10.0.0.0/24)
That's it. Select your options, hit deploy, and Elestio provisions your service directly inside your Azure network. No manual VM setup, no SSH key juggling, no Docker Compose files to write. You still get automated backups, TLS certificates, monitoring, and updates. The only difference is where the service lives.
What You Get with BYO Azure
Everything that makes Elestio useful still applies when you bring your own Azure account:
| Feature | Included |
|---|---|
| Automated backups | Yes |
| TLS/SSL certificates | Yes |
| 24/7 monitoring | Yes |
| Automatic updates | Yes |
| Firewall management | Yes |
| 400+ service catalog | Yes |
| Custom domain support | Yes |
| SOC 2 compliance | Yes |
The pricing for BYO Azure follows the standard BYOVM model:
| Resource | Cost |
|---|---|
| CPU | $5/core/month |
| RAM | $2.50/GB/month |
| Disk | $0.025/GB/month |
You pay Azure directly for the infrastructure and Elestio for the management layer. No license fees for the open-source software you deploy.
When Should You Use This?
Not every deployment needs custom network placement. If you're spinning up a quick dev environment or testing a new tool, Elestio's managed providers (Netcup, Hetzner, DigitalOcean, and others) are simpler and often cheaper.
But BYO Azure makes sense when:
- Compliance requires it: Your organization mandates that workloads stay within specific Azure subscriptions and network boundaries
- You need VNet peering: Your services need to communicate with existing Azure resources through private network connections
- Security policies are strict: NSGs, route tables, and Azure Firewall rules are already configured and you don't want to replicate them
- Data residency matters: You need services deployed in specific Azure regions within your own subscription
- Hybrid setups: You're running some workloads on Azure directly and want Elestio-managed services alongside them in the same network
Quick Comparison: BYO Azure vs BYO AWS
Both options now support custom network configuration. Here's how they compare:
| Feature | BYO Azure | BYO AWS |
|---|---|---|
| Custom network selection | Resource Group + VNet + Subnet | VPC + Subnet |
| Resource organization | Azure Resource Groups | AWS Tags / Accounts |
| Network isolation | NSGs + Azure Firewall | Security Groups + NACLs |
| Private connectivity | VNet Peering | VPC Peering |
| Managed services included | 400+ | 400+ |
| Pricing model | Same BYOVM rates | Same BYOVM rates |
The experience is nearly identical. If you're already using BYO AWS, BYO Azure works the same way with Azure-native terminology.
Getting Started
- Head to elest.io and select any service from the catalog (or visit the Bring Your Own VM page)
- Choose BYO Azure as your provider
- Connect your Azure account (if you haven't already)
- At step 6, select your Resource Group, VNet, and Subnet
- Pick your VM size and click Deploy
Your service will be provisioned inside your Azure network within minutes. If you prefer automating deployments, you can also use Elestio's AI agent integrations to deploy and manage services through natural language commands. For custom domain setup with automated SSL, follow the official Elestio documentation.
Troubleshooting
"I don't see my VNets in the dropdown" Make sure the Azure account connected to Elestio has the right permissions. The service principal needs at least Network Contributor and Virtual Machine Contributor roles on the target subscription.
"Deployment fails after selecting a subnet" Check that your subnet has enough available IP addresses. Elestio needs at least one free IP in the selected subnet. Also verify that no subnet delegation conflicts exist.
"My service can't reach the internet" If your VNet doesn't have a NAT Gateway or public IP associated with the subnet, outbound traffic may be blocked. Azure retired default outbound access for new VNets in March 2026, so make sure you've configured explicit outbound connectivity.
"I want to switch an existing service to my own VNet" Currently, network configuration is set at deployment time. To move a service into your VNet, you'll need to redeploy it with the new network settings. Elestio's backup system makes this painless since you can restore your data on the new instance.
Wrapping Up
Custom network configuration on Azure is one of those features that sounds simple but unlocks a lot. It means you can use Elestio's managed services without compromising on your network architecture or compliance requirements.
If you've been using BYOVM with Azure and wished for more control over where your services land, this is exactly that.
Thanks for reading ❤️ See you in the next one 👋