Analysis of the Azure Virtual Network Manager.

Overview:

Azure has recently announced the general availability of their highly anticipated Virtual Network Manager (AVNM) services this month. The AVNM services are a promising addition to the Azure platform, allowing users to manage and configure networking configurations across all Azure networks consistently. In this blog post, let us analyse the Azure Virtual Network Manager in-depth. This analysis will thoroughly understand the virtual network manager’s core features and capabilities.

Why do we need Azure Virtual Network Manager?

It is crucial to understand the need to use Azure Virtual Network Manager (AVNM) before exploring its functions. When a business has multiple virtual networks across various subscriptions, keeping all configuration settings consistent can be challenging, leading to a significant management overhead for larger enterprise customers. This issue can cause inconsistencies in the VNET connectivity and security rules configurations, harming an organisation’s overall network security posture.

AVNM is a solution that can overcome the challenges faced by administrators in managing virtual networks. It provides a centralised management platform that enables administrators to configure and manage multiple virtual networks from a single interface. This makes it easier to ensure that all configurations are consistent across all virtual networks. AVNM offers many capabilities, like creating the Hub and spoke or Mesh (fully connected) network connectivity models and configuring security admin rules on the same tenant and cross-tenant network resources. Cross-tenant support allows organisations to use a central network manager to manage virtual networks across tenants and subscriptions. Its capabilities to ensure consistency in configuration settings, monitor traffic, diagnose issues, and automate tasks make it an excellent solution for network administrators.

How does Azure Virtual Network Manager work?

Azure Virtual Network Manager is a management service that allows you to easily organise, set up, deploy, and oversee virtual networks globally across subscriptions and cross-tenant. Using the Virtual Network Manager, you can create groups of networks that are categorised and logically divided for better management. Once you have created these groups, you can simultaneously apply connectivity and security settings to all the networks that belong to the group. For example, you can create a network group like dev, prod, etc., and consistently apply the security admin rules across the virtual network. These rules are not the Network Security Group (NSG). Security admin rules hold more authority as they are evaluated before NSG policies and can be enforced at a higher level than NSG rules.

During the creation of Azure Virtual Network Manager (AVNM), network and security configurations are applied to the boundary scope. This scope is created during the AVNM creation process and is essentially the Azure subscriptions or management groups. The AVNM has only delegated access to this scope. It is important to note that Microsoft recommends keeping management groups for best practice purposes.

There are two configuration types in AVNM: 

• Connectivity: enables the creation of a mesh or a hub-and-spoke network topology. 
• Security: allows you to define a collection of rules that you can apply to one or more network groups at the global level. 

Once you have deployed the Virtual Network Manager instance, you can create a network group to hold your networking resources. This network group will act as a logical container, allowing you to apply configurations at scale. You can manually add individual virtual networks to your network group, known as static membership. Alternatively, you can use Azure Policy to define conditions that will dynamically govern your group membership, known as dynamic membership.

After defining the scope, you deploy configuration types, including Connectivity and the SecurityAdmin rules for your Virtual Network via AVNM. Once you’ve created your desired network groups and configurations, you can deploy the configurations to any region of your choosing.

Connectivity:

• The connectivity configuration allows you to create different network topologies for your Azure virtual networks per your design. This setting offers a few options: Hub, spoke, mesh topology and Hub &spoke direct connectivity.
• With mesh topology, each network has direct connectivity to each other networks and no other hops to communicate.
• Hub and Spoke are Microsoft-recommended ways to use central infrastructure services in the hub network and other virtual networks connected to Hub. 
• If you have a common central infrastructure in the hub and you want direct communication between all spokes, you can use the hub and spoke topology with direct connectivity. This topology is a combination of the two topologies recommended in such situations. Direct connectivity helps reduce the latency caused by extra network hops when going through a hub.

Security

• Azure Virtual Network Manager allows you to establish security admin rules that can help you enforce security policies across virtual networks in your organization.
• These rules take priority over the rules that network security groups define.
• Create security rules that cannot be modified across the tenant or enterprise level, which are applied and enforced on all Azure VNETs and newly created VNETs in future, too.
• These rules are When analyzing network traffic, the security admin rules are applied first, as illustrated in the diagram below:

Tutorial: How do you create Azure policy for dynamic network groups and apply configuration?

I have used two tags in my environment to create dynamic network groups to organise virtual networks. I intend to select virtual networks whose tag has a key-value pair of env equal to prod or dev and resourcename equal to vent. The steps are :

• Sign in to the Azure portal with your credentials.
• Choose Network Manager and click Create. Enter the required name and choose the resource group and region.
• Select the features that you want. I selected both connectivity and security admin.

• Click next. In the scope page, click Add and select the scope of AVNM. I would recommend selecting the management group that has your desired virtual networks.  You can choose subscriptions and management groups.
• Select Create after your configuration passes validation.

Create the network group and dynamic group membership

• To create the network scope. Select the Virtual Network Manager instance we created in the above steps.
• Under Settings of Virtual Network Manager, select Network Groups. Then select Create.
• Provide the name of network groups, demo-dev and select create.

• Go to your Azure Virtual Network Manager instance and select Network Groups under Settings. Click on the newly created network groups.
• As mentioned, we have two options to add virtual networks into network groups. One manually adds them, and the other defines the Azure policy to add them to network groups.

• Click Add virtual network from network groups to add and select the required virtual networks manually.

• For dynamic groups, we can use Azure policy to define the appropriate networks added to network groups. From the desired network groups, click Create Azure policy.
• Provide the Azure policy name and select the scope of AVNM. Add the tags used in the virtual network. In my case, I use env and resource-name tags to group virtual networks.

• To verify the Azure policy with a tag, click on preview resources (refer to the above picture). This provides the desired virtual network, confirming the policy rules match what we wanted.

• Click save.

Create the configuration:

• On Virtual Network Manager, click on Configurations. Select “Create connectivity configuration.”
• Enter the name for the connectivity configuration. Click the next, under the topology tab and select hub and spoke topology.
• Select the hub Virtual network from the existing one.
• Click Add and select the network groups.

• There is an option to view the network topology with visualization. Once you are happy with the configuration, click review+ create.
• Select Create after your configuration passes validation.

Apply the configuration:

To apply this configuration to your environment, you must deploy it in the regions where your chosen virtual networks exist.

• On Virtual Network Manager, click on deployment. Select “Deploy a configuration”.

• Select the connectivity configurations created in the above steps and the target region on the Deploy a Configuration page.
• Select Next and then select Deploy to complete the deployment.
• Once the configuration is applied successfully, the hub and spoke topology will be implemented for all the virtual networks from the network group. Additionally, we can apply the security admin rules across all virtual networks.

The AVNM services, designed with user-friendliness in mind, offer a range of highly beneficial features for businesses looking to improve their networking capabilities. With the available AVNM services, businesses can easily harness these features to create a more consistent and efficient network infrastructure.

I hope you gained a better understanding of Azure virtual network management. If you have any questions, please feel free to leave a comment.

Please refer to the MS link for the limitations of this service.