It is going to be a big relief for sys admins and network admins that there will soon be a service that helps manage VNets across subscriptions. One of the announcements at Microsoft Ignite was Azure Virtual Network Manager, a PaaS service that aims to provide connectivity management and security at the subscription group level or at the management group level.
Instead of managing each VNet separately, Network Manager lets you group individual network resources and apply configurations to a scope.
The service is in public preview at the time of writing, which means the AllowAzureNetworkManager feature needs to be registered first. You can find AllowAzureNetworkManager under Preview features when you open the subscription in the portal.
Otherwise a handy PowerShell one-liner registers it (check with Get-AzProviderFeature that the state has reached Registered before you continue; registration can take a few minutes):
Register-AzProviderFeature -FeatureName AllowAzureNetworkManager -ProviderNamespace Microsoft.Network
All right, it's registered! Believe me, deploying Azure Virtual Network Manager is fairly straightforward.
It's simply a 4-step process:
- Deploy the Virtual Network Manager instance
- Create a network group
- Create a connectivity configuration or a security configuration, based on your requirements.
- A connectivity configuration creates a mesh or a hub-and-spoke network topology.
- A security configuration defines a collection of rules that you can apply to one or more network groups at the global level. Security admin rules are evaluated before network security groups, so a Deny defined here cannot be overridden by an NSG rule on an individual subnet or NIC.
- Deploy the configuration to the target region(s).
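The security configuration is the part of this service a security team will care about most: it is the organisation-wide guard rail that individual subscription owners cannot switch off with their own NSGs. The following is an added example, not code from the original post, that builds a security admin configuration denying inbound RDP and SSH from the Internet to every VNet in an existing network group and then deploys it. The resource group, network manager and network group names (rg-avnm, avnm-demo, ng-prod) are placeholders; the cmdlet and parameter names follow the Az.Network Virtual Network Manager cmdlets as I know them from the preview, so confirm them with Get-Help against the module version you have installed.

```powershell
# Added example (not from the original post). Assumes the network manager
# "avnm-demo" and the network group "ng-prod" in resource group "rg-avnm"
# already exist; all three names are placeholders. Cmdlet and parameter
# names are the preview-era Az.Network ones and should be checked with
# Get-Help <cmdlet> -Full for your installed module version.
$rg = 'rg-avnm'
$nm = 'avnm-demo'
$ng = Get-AzNetworkManagerGroup -ResourceGroupName $rg -NetworkManagerName $nm -Name 'ng-prod'

# 1. The security admin configuration (the container for rule collections)
$config = New-AzNetworkManagerSecurityAdminConfiguration -ResourceGroupName $rg `
    -NetworkManagerName $nm -Name 'sec-baseline'

# 2. A rule collection that applies to the network group
$groupItem = New-AzNetworkManagerSecurityGroupItem -NetworkGroupId $ng.Id
[System.Collections.Generic.List[Microsoft.Azure.Commands.Network.Models.NetworkManager.PSNetworkManagerSecurityGroupItem]]$appliesTo = @()
$appliesTo.Add($groupItem)
$collection = New-AzNetworkManagerSecurityAdminRuleCollection -ResourceGroupName $rg `
    -NetworkManagerName $nm -ConfigName $config.Name -Name 'rc-deny-mgmt-ports' `
    -AppliesToGroup $appliesTo

# 3. Source prefix: the Internet service tag
$src = New-AzNetworkManagerAddressPrefixItem -AddressPrefix 'Internet' -AddressPrefixType 'ServiceTag'
[System.Collections.Generic.List[Microsoft.Azure.Commands.Network.Models.NetworkManager.PSNetworkManagerAddressPrefixItem]]$sources = @()
$sources.Add($src)

# 4. One Deny rule per management port. Admin rules are evaluated before
#    NSGs, so an NSG "Allow 3389 from any" on a subnet cannot override these.
$ports = [ordered]@{ 'deny-rdp-from-internet' = '3389'; 'deny-ssh-from-internet' = '22' }
$priority = 100
foreach ($name in $ports.Keys) {
    New-AzNetworkManagerSecurityAdminRule -ResourceGroupName $rg -NetworkManagerName $nm `
        -SecurityAdminConfigurationName $config.Name -RuleCollectionName $collection.Name `
        -Name $name -Protocol 'Tcp' -Direction 'Inbound' -Access 'Deny' -Priority $priority `
        -SourceAddressPrefix $sources -SourcePortRange @('0-65535') `
        -DestinationPortRange @($ports[$name]) | Out-Null
    $priority += 10
}

# 5. Deploy (commit) the configuration to the target region(s). The list of
#    configuration IDs is the full set that will be active there afterwards.
[System.Collections.Generic.List[string]]$configIds = @(); $configIds.Add($config.Id)
[System.Collections.Generic.List[string]]$regions   = @(); $regions.Add('westeurope')
Deploy-AzNetworkManagerCommit -ResourceGroupName $rg -Name $nm -ConfigurationId $configIds `
    -TargetLocation $regions -CommitType 'SecurityAdmin'
```

Two things worth keeping in mind when you adapt this: the rule collection applies to whole network groups, so a VNet that joins the group later inherits the rules without anyone touching the VNet, and the commit in step 5 is a replacement, so every SecurityAdmin configuration you still want active in that region must be in the ID list.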
Things to keep in mind before we start deploying:
At the time of the public preview the service was available in the following regions; make sure you choose one of them when deploying.
- North Central US
- West US
- West US 2
- East US
- East US 2
- North Europe
- West Europe
- France Central
OK, so why should you use Azure Virtual Network Manager?
- Global management of virtual network resources across regions and subscriptions
- Automated management of complex virtual network topologies such as hub and spoke and mesh
- Organization-level security rule enforcement at scale
- Simple deployment of configurations to test in specific regions
Let's get into some action!
I am going to deploy 2 VNets real quick in the background before I start with Network Manager.
Deploy Virtual Network Manager:
Search for Network Manager in the search bar and click Network Managers.
In the Create blade, fill in the requested information.
Choose your scope as appropriate. The scope is the set of subscriptions or management groups that the Network Manager's features can be applied to.
Azure Virtual Network Manager currently has two features, Connectivity and SecurityAdmin. You can enable one or both at the same time. I have selected both.
Once you are satisfied with your selection, click Review + create.
Wait for the validation to pass, then click Create.
Azure Virtual Network Manager is now ready for further configuration. This is an overview of the Network Manager console.
Now that we have deployed the Network Manager, the next task is to create a network group.
In the Network Manager console, select Network groups under Settings and provide a name and description for the network group.
A network group can use dynamic or static membership.
So, dynamic vs. static membership: what's the difference, and when should you choose which?
Dynamic membership is useful when you have hundreds or thousands of virtual networks across one or more subscriptions and want to select them by name, ID or tags. Conditions are evaluated in the order listed, and configurations are applied to the virtual networks that meet them. Keep in mind that a VNet created later that happens to match the condition joins the group automatically, so whoever can create or tag VNets within the scope can pull them into your topology and security rules; write conditions accordingly.
Static membership lets you add virtual networks by picking them individually from a list. This is useful when you have only a few virtual networks to add to the network group. Changes to a configuration that contains static members need to be deployed again for the new changes to take effect.
With the network group created, the next step is to create the configuration.
For that, open the Configurations tab and click the 'Create a configuration' drop-down.
The drop-down offers two choices: Connectivity configuration and Security admin configuration. In this post I am going with a connectivity configuration, which lets us define and deploy the network topology as either mesh or hub and spoke.
Click Connectivity configuration.
Enter a name and select the topology per your requirement. I am selecting Hub and spoke for this demo.
After filling in the details of your configuration, click 'Select a hub' and choose the VNet you would like to act as the hub.
Click Add network group and select the network group created earlier. All of my VNets are in the same region, so I am opting for direct connectivity; if your VNets span regions, tick Global mesh instead. Note that direct connectivity lets the spokes in the group reach each other without going through the hub, so a firewall or NVA in the hub will not see spoke-to-spoke traffic; leave it unticked if spokes must stay isolated from each other or their traffic must be inspected.
This is my connectivity configuration successfully added to the configuration console. Let's move on to deploy.
Click Add.
Now my configuration is ready to be deployed.
- Click the Deployments tab under Settings and choose Deploy a configuration.
Choose the details appropriate to your configuration. West Europe is my preferred choice, as all my services are located in this region.
Click Deploy and select OK to consent to overwriting the existing configuration. A deployment replaces whatever configuration of the same type was previously deployed to that region, so the configurations you select must be the complete set you want active there afterwards; a configuration you leave out is removed from that region.
To view progress, click Refresh. Once the deployment shows Succeeded, go to the selected VNet(s) and open Network Manager to confirm the configuration has been applied.
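For repeatable deployments the same four steps are better scripted than clicked. Below is an added example, not the post's own code, that does the whole walkthrough in PowerShell: feature registration, the Network Manager instance scoped to the current subscription with both features, a network group with two static members, a hub-and-spoke connectivity configuration, the commit, and a verification of what the spokes actually received. The names (rg-avnm, avnm-demo, vnet-hub, vnet-spoke1, vnet-spoke2) are placeholders and the VNets are assumed to exist already; cmdlet and parameter names follow the Az.Network Virtual Network Manager cmdlets as I know them from the preview and should be checked with Get-Help for the module version you run.

```powershell
# Added example (not from the original post). Placeholder names: rg-avnm,
# avnm-demo, vnet-hub, vnet-spoke1, vnet-spoke2; the VNets are assumed to
# exist in rg-avnm already. Cmdlet/parameter names are the preview-era
# Az.Network ones; confirm with Get-Help <cmdlet> -Full before relying on them.
$rg       = 'rg-avnm'
$location = 'westeurope'          # must be one of the preview regions listed above
$nmName   = 'avnm-demo'
$subId    = (Get-AzContext).Subscription.Id

# Step 0: preview feature registration; wait until it is actually Registered
Register-AzProviderFeature -FeatureName AllowAzureNetworkManager -ProviderNamespace Microsoft.Network | Out-Null
while ((Get-AzProviderFeature -FeatureName AllowAzureNetworkManager -ProviderNamespace Microsoft.Network).RegistrationState -ne 'Registered') {
    Start-Sleep -Seconds 20
}

# Step 1: the Network Manager instance, scoped to this subscription, both features enabled
[System.Collections.Generic.List[string]]$subs = @(); $subs.Add("/subscriptions/$subId")
[System.Collections.Generic.List[string]]$features = @(); $features.Add('Connectivity'); $features.Add('SecurityAdmin')
$scope = New-AzNetworkManagerScope -Subscription $subs
New-AzNetworkManager -ResourceGroupName $rg -Name $nmName -Location $location `
    -NetworkManagerScope $scope -NetworkManagerScopeAccess $features | Out-Null

# Step 2: a network group with static members (spokes only; the hub is referenced separately)
$group = New-AzNetworkManagerGroup -ResourceGroupName $rg -NetworkManagerName $nmName -Name 'ng-spokes'
foreach ($spoke in 'vnet-spoke1', 'vnet-spoke2') {
    $vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $spoke
    New-AzNetworkManagerStaticMember -ResourceGroupName $rg -NetworkManagerName $nmName `
        -NetworkGroupName $group.Name -Name $spoke -ResourceId $vnet.Id | Out-Null
}

# Step 3: hub-and-spoke connectivity configuration.
# GroupConnectivity 'None' keeps spokes isolated from each other (traffic has to go via the hub);
# 'DirectlyConnected' is the portal's "direct connectivity" tick box and peers spokes to each other.
$hubVnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-hub'
$hub  = New-AzNetworkManagerHub -ResourceId $hubVnet.Id -ResourceType 'Microsoft.Network/virtualNetworks'
$item = New-AzNetworkManagerConnectivityGroupItem -NetworkGroupId $group.Id `
            -GroupConnectivity 'None' -UseHubGateway 'False' -IsGlobal 'False'
[System.Collections.Generic.List[Microsoft.Azure.Commands.Network.Models.NetworkManager.PSNetworkManagerConnectivityGroupItem]]$appliesTo = @()
$appliesTo.Add($item)
$config = New-AzNetworkManagerConnectivityConfiguration -ResourceGroupName $rg -NetworkManagerName $nmName `
            -Name 'cc-hub-spoke' -ConnectivityTopology 'HubAndSpoke' -Hub $hub -AppliesToGroup $appliesTo

# Step 4: deploy (commit). The ID list is the complete set of Connectivity configurations
# that will be active in the region afterwards, so include any existing ones you want to keep.
[System.Collections.Generic.List[string]]$configIds = @(); $configIds.Add($config.Id)
[System.Collections.Generic.List[string]]$regions   = @(); $regions.Add($location)
Deploy-AzNetworkManagerCommit -ResourceGroupName $rg -Name $nmName -ConfigurationId $configIds `
    -TargetLocation $regions -CommitType 'Connectivity'

# Verify: poll the deployment status, then look at what one spoke effectively received
do {
    Start-Sleep -Seconds 30
    $status = Get-AzNetworkManagerDeploymentStatus -ResourceGroupName $rg -NetworkManagerName $nmName `
                -Region $regions -DeploymentType @('Connectivity')
} while ($status.Value.DeploymentStatus -contains 'Deploying')
$status.Value | Format-Table Region, DeploymentType, DeploymentStatus
Get-AzNetworkManagerEffectiveConnectivityConfiguration -ResourceGroupName $rg -VirtualNetworkName 'vnet-spoke1' |
    Select-Object -ExpandProperty Value | Format-Table Id, ConnectivityTopology
```

The last two cmdlets are the scripted equivalent of the portal check in the final step: the deployment status tells you the commit finished, and the effective connectivity configuration on a spoke shows which configuration the service actually applied to it, which is what you want in a change record or a pipeline gate.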