Subnet Drift in Azure, AWS, and On-Premises

May 15, 2026 ·
ipamdrift-tracking

Your infrastructure documentation says development systems use 10.0.0.0/16. Someone needed a new subnet for a temporary project and created 10.0.50.0/24 without updating the documentation. A year later, the project ended. The subnet is still there. Someone else creates a new development subnet in the same range, causing a routing conflict. You spend two hours debugging a network problem that should never have happened.

This is subnet drift. Your actual infrastructure diverges from your documented allocation. The larger your infrastructure, the more drift accumulates.

Why Drift Happens

Drift happens because IP allocation is decentralized. Azure admins create subnets in Azure. AWS admins create subnets in AWS. On-premises teams manage their own networks. There is no single source of truth. When someone needs a subnet, they create it in the most convenient location. If documentation is not immediately available, they guess or ask a colleague who might also guess.

Drift also happens because documentation lags. A subnet is created and documented. Months later, it is repurposed or moved, but documentation is not updated. Documentation becomes unreliable. Teams stop trusting it. When documentation is unreliable, people stop updating it. Drift accelerates.

Large organizations use tools like Terraform to manage infrastructure, which helps with documentation. But Terraform tracks what you told it to deploy, not what actually exists. If someone manually creates a subnet outside Terraform, drift exists but Terraform does not see it. If a cloud provider adds an auto-created subnet, drift exists but Terraform does not know about it.

The Risks of Drift

Small drift feels harmless. One extra subnet that is not documented is not a big problem. But drift accumulates. Ten undocumented subnets. Fifty. Eventually, you cannot reason about your address space. Planning becomes impossible. Address overlaps become likely. Compliance audits ask for confirmation that your documented address allocation matches reality, and you cannot answer.

Drift also creates operational risk. If infrastructure is not documented, teams cannot understand it. Troubleshooting becomes harder. Planning for growth becomes impossible. Migrations become risky because you do not know what you are moving. Security becomes harder because you cannot verify that your security groups and rules match your intended topology.

Detecting Drift Requires Integration

To detect drift, you need to scan all your environments and compare actual subnets to documented allocations. In multi-cloud infrastructure, that requires integrations with Azure, AWS, and on-premises network systems. Different systems have different APIs. Scanning must happen continuously to catch drift quickly.

Most organizations do not have this capability. They spot drift accidentally when something breaks. By then, the drift has been hidden for weeks or months.

Spot IPAM Continuous Drift Detection

Spot IPAM scans your infrastructure continuously. It queries Azure for actual VNet subnets. It queries AWS for actual VPC CIDR allocations. It queries on-premises network management systems. It compares actual allocations to your documented IPAM plan. When drift is detected, you are alerted.

The scan is continuous, so drift is detected quickly. You can remediate in hours rather than weeks. You can decide whether to update documentation to match reality, or modify infrastructure to match documentation. Either way, you maintain consistency.

Conclusion

Drift is inevitable in large distributed infrastructure. The question is whether you detect it quickly or discover it when something breaks. Spot IPAM makes drift visible by continuously comparing actual infrastructure to documented plans.

← IPAM for Multi-Cloud and On-Premises Why Lease Tracking Matters for Infrastructure →