In a nutshell, Azure Virtual Network Manager is a management service that lets you group, configure, deploy, and manage virtual networks globally across subscriptions. You logically group virtual networks into network groups and apply connectivity and security configurations to every network in a group at once.

Key features

  • Centralized management of connectivity and security policies across regions and subscriptions.
  • The service is highly scalable and globally redundant.
  • Security admin rules that are evaluated before network security group rules and can override them.
  • Reduced complexity when managing mesh networks, with direct connectivity between spokes.

How it can be used

  • Define the scope of your Azure Virtual Network Manager, either as a list of subscriptions or as management groups.
  • Manage Azure Virtual Network Manager via the Azure portal, Azure CLI, Azure PowerShell, or Terraform.
  • Create network groups as logical containers for networking resources to apply configurations efficiently.
  • Deploy configurations based on your network topology and security needs, establishing connectivity or security settings in any region.
  • Design complex topologies, such as mesh and hub-and-spoke configurations.
  • Implement security policies by applying security admin rules at the organizational level.

Azure Virtual Network Manager limitations

General Limitations

  • Cross-tenant members are supported only in network groups with static membership.
  • You can't add virtual networks to a network group when the Azure Virtual Network Manager custom policy's enforcement mode is set to Disabled.
  • Customers with more than 15,000 Azure subscriptions can apply an Azure Virtual Network Manager policy only at the subscription and resource group scopes. Management groups with more than 15,000 subscriptions are not supported; assignments must instead be made at a lower-level management group with fewer than 15,000 subscriptions.
  • Azure Virtual Network Manager policies don't support the standard policy compliance evaluation cycle.
  • Moving the subscription that contains the Azure Virtual Network Manager instance to a different tenant is not supported.

Microsoft reference link: https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-limitations#general-limitations

Limitations for peerings and connected groups

  • Using the hub-and-spoke topology, a virtual network can be peered with up to 1,000 other virtual networks, that is, up to 1,000 spokes per hub.
  • If a VNet in a connected group is peered with an external VNet whose address space overlaps the group's, the overlapping range becomes unreachable from the group: traffic from the peered VNet is sent to the external VNet rather than to the overlapping range, and the other VNets in the group can't reach that range at all.
  • Virtual networks with overlapping address spaces can be placed in the same connected group, but any traffic sent to an overlapping address is dropped.
  • The following Bare Metal Infrastructures are unsupported:
  • A connected group can have up to 250 virtual networks by default. This is a soft limit; you can raise it to 1,000 virtual networks by filling out this form.
  • A virtual network can belong to up to two connected groups by default. It can:
    • Be part of two mesh configurations.
    • Combine a mesh topology with a network group that has direct connectivity in a hub-and-spoke setup.
    • Join two network groups with direct connectivity in the same or different hub-and-spoke configurations.

You can change this soft limit by filling out this form to make a request.

Microsoft reference link: https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-limitations#limitations-for-peerings-and-connected-groups

Limitations for security admin rules

A single Azure Virtual Network Manager level supports at most 100 security admin rules, and at most 1,000 IP prefixes across all of its security admin rules.

Note that the service tags AzurePlatformDNS, AzurePlatformIMDS, and AzurePlatformLKM are not supported in security admin rules.

Microsoft reference link: https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-limitations#limitations-for-security-admin-rules
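Two of the limits above fail quietly rather than loudly: overlapping address spaces inside a connected group (traffic to the shared range is simply dropped) and security admin rules that exceed the 100-rule or 1,000-prefix ceiling or reference one of the three unsupported service tags. The PowerShell below is an added example, not code from this post or from Microsoft, that checks a planned network group and rule set for both before anything is deployed. It runs offline with no Az module; the VNet names, address spaces and rule definitions are constructed sample data, and the hashtable shape used for a rule is an assumption made for the check, not the service's own schema.

```powershell
# Added example: offline pre-flight checks for an Azure Virtual Network Manager plan.
# No Az module required; every input below is constructed sample data.

function ConvertTo-PrefixRange {
    # Returns the first and last address of an IPv4 CIDR as 64-bit integers.
    param([Parameter(Mandatory)][string]$Cidr)
    $ip, $len = $Cidr.Split('/')
    if (-not $len) { $len = '32' }                      # a bare address is a /32
    [int64]$addr = 0
    foreach ($b in [System.Net.IPAddress]::Parse($ip).GetAddressBytes()) { $addr = $addr * 256 + $b }
    [int64]$size  = [math]::Pow(2, 32 - [int]$len)
    [int64]$start = $addr - ($addr % $size)             # drop host bits the prefix length masks off
    [pscustomobject]@{ Start = $start; End = $start + $size - 1 }
}

function Find-OverlappingVNets {
    # Pairwise-compares the address spaces of VNets that would share one connected group.
    # Input: dictionary of VNet name -> array of CIDR strings.
    param([Parameter(Mandatory)][System.Collections.IDictionary]$VNets)
    $ranges = @(foreach ($name in $VNets.Keys) {
        foreach ($cidr in $VNets[$name]) {
            $r = ConvertTo-PrefixRange -Cidr $cidr
            [pscustomobject]@{ VNet = $name; Cidr = $cidr; Start = $r.Start; End = $r.End }
        }
    })
    $findings = [System.Collections.Generic.List[string]]::new()
    for ($i = 0; $i -lt $ranges.Count; $i++) {
        for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
            $a = $ranges[$i]; $b = $ranges[$j]
            # Two ranges overlap when each one starts before the other ends.
            if ($a.VNet -ne $b.VNet -and $a.Start -le $b.End -and $b.Start -le $a.End) {
                $findings.Add("$($a.VNet) $($a.Cidr) overlaps $($b.VNet) $($b.Cidr): traffic to the shared range is dropped inside a connected group")
            }
        }
    }
    $findings
}

function Test-SecurityAdminRuleLimits {
    # Checks a planned rule set against the per-level limits and the unsupported service tags.
    param(
        [Parameter(Mandatory)][array]$Rules,
        [int]$MaxRules = 100,       # security admin rules per network manager level
        [int]$MaxPrefixes = 1000    # IP prefixes across all security admin rules
    )
    $unsupportedTags = 'AzurePlatformDNS', 'AzurePlatformIMDS', 'AzurePlatformLKM'
    $findings = [System.Collections.Generic.List[string]]::new()
    if ($Rules.Count -gt $MaxRules) {
        $findings.Add("$($Rules.Count) rules exceeds the limit of $MaxRules per network manager level")
    }
    $prefixCount = 0
    foreach ($rule in $Rules) {
        foreach ($entry in @($rule.Sources) + @($rule.Destinations)) {
            if ($entry -in $unsupportedTags) {
                $findings.Add("rule '$($rule.Name)' uses service tag '$entry', which security admin rules do not support")
            }
            elseif ($entry -match '^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$') { $prefixCount++ }   # count only IP prefixes, not '*' or tags
        }
    }
    if ($prefixCount -gt $MaxPrefixes) {
        $findings.Add("$prefixCount IP prefixes across all rules exceeds the limit of $MaxPrefixes")
    }
    $findings
}

# Constructed sample: five VNets intended for one connected group; vnet-spoke3 collides with vnet-spoke1.
$vnets = [ordered]@{
    'vnet-hub'    = @('10.0.0.0/16')
    'vnet-spoke1' = @('10.1.0.0/16')
    'vnet-spoke2' = @('10.2.0.0/16')
    'vnet-spoke3' = @('10.1.128.0/17')
    'vnet-spoke4' = @('10.4.0.0/16')
}
# Constructed sample rules (assumed shape: Name, Sources, Destinations, DestinationPorts).
$rules = @(
    @{ Name = 'DenyRdpInbound';   Sources = @('*');          Destinations = @('10.0.0.0/8');       DestinationPorts = @('3389') }
    @{ Name = 'AllowPlatformDns'; Sources = @('10.0.0.0/8'); Destinations = @('AzurePlatformDNS'); DestinationPorts = @('53') }
)
Find-OverlappingVNets -VNets $vnets
Test-SecurityAdminRuleLimits -Rules $rules
```

Run it before the commit step: with the sample data the first function reports the vnet-spoke1/vnet-spoke3 overlap and the second reports the AzurePlatformDNS tag in the AllowPlatformDns rule. The prefix regex deliberately ignores '*' and service tags so only real IP prefixes count toward the 1,000 limit.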

Example diagram

The diagram below depicts how the resources will appear after deploying them according to the instructions in the "Azure Network Manager via an example" section below.

In other words, the management scope is the management group (Test), which contains one Azure subscription; within that subscription there are 5 virtual networks that Azure Virtual Network Manager can manage.

Azure Network Manager via an example

Let's say you are not sure how to set up VNets and Azure Network Manager, so you reach out to MS Copilot for some help. 😃


Following Copilot's instructions, I have created 5 VNets.

My next step is to create an Azure Network Manager, but before deploying it, I would like to give you some extra information that will help you fill in the Create blade and then click Review + Create to deploy.

To use your virtual network manager instance, you need the Network Contributor role on the specified scope.

Instance details:

Enter a name and select a region to host your Network Manager.

Features:

Select the features you would like your Network Manager to support.

Management scope:

The management scope is the set of subscriptions and management groups that defines the boundary within which Network Manager can manage network resources.
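The portal walkthrough above and the "How it can be used" steps earlier in the post can also be scripted. The PowerShell below is an added example, not the post's own steps and not Microsoft's sample: it creates the Network Manager with the same three Create-blade settings (name/region, features, management scope), puts five existing VNets into a network group as static members, adds a security admin rule that denies inbound RDP, and commits the configuration. The resource group name rg-avnm-test, the region eastus, the management group Test, and the VNet names vnet-1 to vnet-5 are assumptions; the cmdlets are from the Az.Network module, so check their parameters against the version you have installed.

```powershell
# Added example (not the post's portal steps): the same deployment scripted with Az.Network.
# Assumed names: resource group rg-avnm-test, region eastus, management group Test, and five
# existing VNets vnet-1 .. vnet-5 in that resource group. The signed-in identity needs the
# Network Contributor role on the management scope.
$rgName   = 'rg-avnm-test'
$location = 'eastus'

# Management scope and features: the two Create-blade settings besides name and region.
[System.Collections.Generic.List[string]]$mgScope = @()
$mgScope.Add('/providers/Microsoft.Management/managementGroups/Test')
[System.Collections.Generic.List[string]]$features = @()
$features.Add('Connectivity')
$features.Add('SecurityAdmin')
$scope = New-AzNetworkManagerScope -ManagementGroup $mgScope
$avnm  = New-AzNetworkManager -Name 'avnm-test' -ResourceGroupName $rgName -Location $location `
             -NetworkManagerScope $scope -NetworkManagerScopeAccess $features

# Network group with the five VNets as static members (static membership is also the only
# kind that supports cross-tenant members).
$ng = New-AzNetworkManagerGroup -Name 'ng-test-vnets' -ResourceGroupName $rgName -NetworkManagerName $avnm.Name
foreach ($i in 1..5) {
    $vnet = Get-AzVirtualNetwork -Name "vnet-$i" -ResourceGroupName $rgName
    New-AzNetworkManagerStaticMember -Name "sm-vnet-$i" -ResourceGroupName $rgName -NetworkManagerName $avnm.Name `
        -NetworkGroupName $ng.Name -ResourceId $vnet.Id | Out-Null
}

# Security admin configuration: one rule collection scoped to the group, one rule denying inbound
# RDP from anywhere. A Deny admin rule is evaluated before the VNets' own NSG rules, so no NSG can re-open the port.
$config    = New-AzNetworkManagerSecurityAdminConfiguration -Name 'sac-baseline' -ResourceGroupName $rgName -NetworkManagerName $avnm.Name
$groupItem = New-AzNetworkManagerSecurityGroupItem -NetworkGroupId $ng.Id
$coll = New-AzNetworkManagerSecurityAdminRuleCollection -Name 'rc-baseline' -ResourceGroupName $rgName -NetworkManagerName $avnm.Name `
            -SecurityAdminConfigurationName $config.Name -AppliesToGroup $groupItem
$anySrc = New-AzNetworkManagerAddressPrefixItem -AddressPrefix '*' -AddressPrefixType 'IPPrefix'
$anyDst = New-AzNetworkManagerAddressPrefixItem -AddressPrefix '*' -AddressPrefixType 'IPPrefix'
$ruleParams = @{
    Name = 'DenyInboundRdp'; ResourceGroupName = $rgName; NetworkManagerName = $avnm.Name
    SecurityAdminConfigurationName = $config.Name; RuleCollectionName = $coll.Name
    Protocol = 'Tcp'; Direction = 'Inbound'; Access = 'Deny'; Priority = 100
    SourceAddressPrefix = $anySrc; DestinationAddressPrefix = $anyDst
    SourcePortRange = @('0-65535'); DestinationPortRange = @('3389')
}
New-AzNetworkManagerSecurityAdminRule @ruleParams | Out-Null

# Nothing is enforced until the configuration is committed to the target regions.
[System.Collections.Generic.List[string]]$configIds = @()
$configIds.Add($config.Id)
[System.Collections.Generic.List[string]]$targets = @()
$targets.Add($location)
Deploy-AzNetworkManagerCommit -Name $avnm.Name -ResourceGroupName $rgName -CommitType 'SecurityAdmin' `
    -ConfigurationId $configIds -TargetLocation $targets
```

The commit at the end is the step that is easy to forget in the portal as well: creating a security admin configuration only stores it, and the rules take effect in a region only once a commit of type SecurityAdmin has been deployed to that region.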

Microsoft reference links: 

I hope you found this post useful. There will be more to follow, in which we will explore the Azure Virtual Network Manager service more deeply.
