Blogpost: Central network management in Azure

With Azure Virtual Network Manager, you can define

• network groups
• apply connectivity and security configurations at scale
• ensure compliance with organizational policies
• manage IP addresses
• create User-Defined Routes

Whether you’re managing a simple hub-and-spoke topology or a complex mesh network, AVNM provides the tools and capabilities to maintain a secure and efficient network infrastructure. By centralizing network management, Azure Virtual Network Manager helps organizations achieve greater control, visibility, and efficiency in their cloud networking operations

Here’s a closer look at how it operates:

• Defining the Scope:
  • When you create an AVNM instance, you start by defining the scope of what it will manage. This scope can be set directly on a list of subscriptions or, preferably, using management groups for hierarchical organization. This ensures that AVNM only has delegated access within the specified boundaries.
• Creating Network Groups:
  • Network groups are logical containers for your virtual networks. You can add virtual networks to these groups either manually (static membership) or dynamically using Azure Policy (dynamic membership). This allows for flexible and scalable network management
• Configuring Connectivity and Security:
  • Connectivity Configuration: AVNM enables you to create various network topologies, such as mesh, hub-and-spoke, or hub-and-spoke with direct connectivity between spokes. This configuration ensures efficient and low-latency communication between your virtual networks
  • Security Configuration: You can define security admin rules that take precedence over network security group (NSG) rules. These rules are applied globally across your network groups, ensuring consistent security policies
• User-Defined Routing (UDR):
  • Routing Configuration: AVNM now supports user-defined routes (UDRs), allowing you to describe and automate your desired routing behavior. You can create routing configurations with rule collections that specify route rules for your network groups. This simplifies the management of routing behaviors and ensures that your network traffic follows the desired paths
  • Automation and Simplification: By automating the creation and maintenance of UDRs, AVNM reduces the complexity and potential for errors associated with manual routing configuration
• Deployment and Management:
  • Once your network groups and configurations are set up, you can deploy them to any region of your choice. AVNM supports deployment and management through multiple tools, including the Azure portal, Azure CLI, Azure PowerShell, and Terraform

• Management Groups and Subscriptions: When creating an AVNM instance, you can define the scope at the management group or subscription level. Using management groups is recommended as it provides hierarchical organization and simplifies management. It’ possible to change the Scope later on.

AVNM supports cross-tenant management, allowing you to manage virtual networks across different Azure tenants. This is particularly useful for organizations with multiple tenants due to mergers, acquisitions, or managed service provider scenarios

• Setting Up Cross-Tenant Connections
  • Create a Scope Connection: Start by creating a scope connection in the central management tenant where the AVNM instance is deployed. This involves specifying the target tenant and the scope of resources to be managed
  • Create a Network Manager Connection: In the target managed tenant, create a network manager connection to establish a two-way connection. This ensures that both tenants consent to the cross-tenant management

Configuration at the source tenant.

The cross tenant configuration is in the source as well in the destination tenant required.

A network group is a global container that includes a set of virtual network resources from any region. Configurations are applied to the network group, which then applies these configurations to all members of the group.

The following Group membership types are available:

• Static Membership: This allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks. This method is useful when you have a few virtual networks to manage
• Dynamic Membership: This uses Azure Policy to define conditions that govern group membership dynamically. This method is ideal for scenarios where you have a large number of virtual networks or when membership is dictated by specific conditions. IMPORTANT, that functionality is only available with the Member type “Virtual network”

Once created, you can view and manage network groups through the Azure portal, Azure CLI, or Azure PowerShell. This includes adding or removing virtual networks, updating group configurations, and monitoring group membership.

Azure Virtual Network Manager (AVNM) allows you to create connectivity configurations to define how your virtual networks communicate with each other. There are two primary topologies you can set up:

• Mesh Network Topology:
  • Description: In a mesh network topology, all virtual networks in the network group are connected to each other. This setup allows for bi-directional traffic between all virtual networks, reducing latency by avoiding routing through a central hub
  • Use Case: Ideal for scenarios where direct communication between virtual networks is required without the need for a central hub
• Hub-and-Spoke Topology:
  • Description: In a hub-and-spoke topology, a central hub virtual network connects to multiple spoke virtual networks. This setup centralizes common services in the hub, which can be shared by the spokes
  • Use Case: Suitable for centralizing common infrastructure services in a hub virtual network, shared by multiple spoke networks

Security configurations in AVNM allow you to enforce consistent security policies across your virtual networks:

• Security Admin Rules:
  • Description: Security admin rules are global network security rules that enforce security policies across all virtual networks within a network group. These rules can allow, always allow, or deny traffic based on specified conditions
  • Key Features:
    • Priority: Define the priority of the rule to determine its order of application.
    • Action: Specify the action to be taken (allow, deny, or always allow).
    • Direction: Define the direction of traffic (inbound or outbound).
    • Protocol: Specify the protocol to be used (e.g., TCP, UDP)
  • Use Case: Enforce compliance requirements, protect sensitive data, and ensure network segmentation

Routing configurations in AVNM allow you to define custom routing paths for your network traffic:

• User-Defined Routes (UDRs):
  • Description: UDRs allow you to describe your desired routing behavior. AVNM orchestrates UDRs to create and maintain that behavior, ensuring that network traffic follows the specified paths
  • Key Features:
    • Route Rules: Define route rules that specify the next hop for traffic based on destination IP prefixes.
    • Automation: Automate the creation and maintenance of UDRs, reducing the complexity and potential for errors
  • Use Case: Optimize network performance and ensure traffic follows the desired routes

The deployment manager in Azure Virtual Network Manager (AVNM) is responsible for applying your connectivity, security, and routing configurations to the specified regions and network groups. Here’s how it works:

• Initiating Deployment: Navigate to the AVNM resource in the Azure portal.
• Deployment Scope: The deployment manager ensures that the configurations are applied only within the defined scope of the AVNM instance. This includes the specified management groups, subscriptions, and network groups.

Monitoring and Validation:

• Deployment Status: You can monitor the status of your deployments in the Azure portal. The deployment manager provides real-time updates on the progress and any issues encountered during the deployment.
• Validation: The deployment manager validates the configurations before applying them to ensure they are correct and do not conflict with existing settings.

Updating Configurations:

• Modifying Configurations: If you need to update your configurations, you can do so through the AVNM resource. The deployment manager will automatically apply the updated configurations to the relevant network groups and regions.
• Reevaluation: Any changes to the scope or configurations trigger an automatic reevaluation, ensuring that the latest settings are applied consistently.

To validate the configuration at service level, you have the following options:

Network and security deployment at virtual network level

You have the same settings at to virtual machine level.

Microsoft always improve their services, also Azure Virtual Network Manager. Since last year, we have the following preview feature in place:

• IP address pools (Manage IP addresses with Azure Virtual Network Manager)
• Virtual network verifier

IP Address Management (IPAM) is a new preview feature in Azure Virtual Network Manager (AVNM) designed to help you manage and monitor IP address usage across your Azure environment. Here are some key insights into this feature:

• Purpose: IPAM provides centralized management of IP address spaces, helping you avoid IP address conflicts, optimize IP address utilization, and ensure efficient allocation of IP addresses across your virtual networks.
• Scope: The feature is integrated into AVNM, allowing you to manage IP addresses across multiple subscriptions and regions from a single interface.

The key features for IPAM are the following:

• IP Address Inventory: IPAM maintains an inventory of all IP addresses in use across your virtual networks. This inventory includes details such as IP address ranges, subnets, and individual IP addresses.
• IP Address Allocation: The feature helps you allocate IP address ranges to different virtual networks and subnets, ensuring that IP addresses are used efficiently and without conflicts.
• IP Address Monitoring: IPAM provides monitoring capabilities to track IP address usage and detect potential issues, such as IP address exhaustion or conflicts.
• Reporting and Analytics: The feature includes reporting tools that provide insights into IP address utilization, helping you make informed decisions about IP address management.

The Virtual Network Verifier is a new preview feature in Azure Virtual Network Manager (AVNM) designed to help you validate and ensure the correctness of your virtual network configurations. Here are some key insights into this feature:

• Purpose: The Virtual Network Verifier helps you verify the configuration and connectivity of your virtual networks, ensuring that they meet your intended design and security requirements.
• Scope: This feature is integrated into AVNM, allowing you to validate virtual network configurations across multiple subscriptions and regions from a centralized interface.

The key features for IPAM are the following:

• Configuration Validation: The verifier checks your virtual network configurations against best practices and predefined rules to identify potential misconfigurations or issues.
• Connectivity Checks: It performs connectivity tests to ensure that virtual networks and their associated resources can communicate as intended. This includes verifying VNet peering, VPN gateways, and other connectivity components.
• Security Compliance: The verifier assesses your network security configurations, such as Network Security Groups (NSGs) and security admin rules, to ensure they comply with your organization’s security policies.
• Automated Diagnostics: The feature provides automated diagnostics and recommendations to help you resolve any identified issues quickly and efficiently.

Azure Virtual Network Manager (AVNM) is a powerful and versatile tool that significantly enhances the management of your Azure network infrastructure. By centralizing the management of connectivity, security, and routing configurations, AVNM simplifies the complexities of network administration across multiple subscriptions and regions.

Key Benefits:

• Centralized Management: AVNM provides a single interface to manage all your network configurations, reducing operational overhead and ensuring consistency.
• Scalability: The service is designed to scale with your organization’s needs, making it suitable for both small and large deployments.
• Enhanced Security: With features like security admin rules and the Virtual Network Verifier, AVNM helps maintain a secure network environment by enforcing consistent security policies and validating configurations.
• Efficiency: Automated tools and features, such as IP Address Management (IPAM) and User-Defined Routes (UDRs), streamline network operations and reduce the potential for errors.

Innovative Features:

• IP Address Management (IPAM): This feature helps you manage and monitor IP address usage, preventing conflicts and optimizing utilization.
• Virtual Network Verifier: Ensures the correctness of your network configurations and connectivity, providing automated diagnostics and recommendations.

Conclusion: Azure Virtual Network Manager is an essential tool for any organization looking to optimize their Azure network infrastructure. By providing centralized management, enhanced security, and innovative features, AVNM empowers you to maintain a robust, efficient, and secure network environment. Whether you’re managing a simple network topology or a complex multi-region setup, AVNM offers the tools and capabilities to meet your needs.