Azure virtual network management made easy - using Azure Virtual Network Manager
Dimitar Iliev
Azure AI Solutions Architect ● B. Sc. Computer Science and Engineering ● 7 x Microsoft Certified ● 23 x Microsoft Applied Skills ● Speaker ● Generative AI ● Scrum Master Certified ● 1 x GitHub Certified
What is Azure Virtual Network Manager?
According to the official MS Docs (What is Azure Virtual Network Manager? | Microsoft Learn), Azure Virtual Network Manager is a management service that enables us to group, configure, deploy, and manage virtual networks globally across subscriptions. We can define network groups to identify and logically segment our virtual networks. We can also define the security configurations we want and apply them to all virtual networks in a network group at once.
Creating an Azure Virtual Network Manager resource
The first step is to create the Azure Virtual Network Manager resource.
Go to the Azure portal and search for 'Virtual Network Managers'. Click on the 'Create a network manager' button.
Fill in the details as in the image below. Don't forget to check both 'Connectivity' and 'Security admin' under 'Features'.
Under 'Management scope' select your current subscription.
Finish the section by successfully creating the network manager instance.
Creating the Virtual Networks
In this section, we need to create two virtual networks that we will use in our mesh topology.
I won't go through the process of creating the virtual networks in this article, but will just show you the final result. Note that in the first virtual network I created a subnet named 'vmsubnet', in which we will later deploy a virtual machine for testing.
Creating a Network Group
Virtual Network Manager applies configurations to groups of virtual networks by placing them in network groups. Let's now create a network group.
Open the network manager we created earlier and go to 'Network groups'.
Click on '+ Create' to start creating a new network group.
Fill in the details similar to the image below:
Finish by successfully creating the network group.
Add membership for a connectivity configuration
Open the network group we created in the previous section and click on 'Add virtual networks'.
Choose the two virtual networks we created previously and click on 'Add'.
You should be able to see them under 'Group members'.
Creating a configuration
Now it's time to create our connectivity configuration. Go to the 'Configurations' page, click the '+ Create' button and choose 'Connectivity configuration'.
On the basics tab, just enter a name you'd like to use and optionally a description.
Go to the 'Topology' tab and choose 'Mesh'. You can also choose 'Hub and spoke' if you want to use that topology. Under 'Network groups' add the network group we created previously.
Finish this section by successfully creating the connectivity configuration.
Deploying the connectivity configuration
To apply the configuration to our environment, we need to commit it by deploying it.
Let's open the 'Deployments' page. Then, select 'Deploy configuration' and choose 'Connectivity configuration'.
From there select the connectivity configuration we created previously, and the target region of your choice. Deployments are per region: the configuration only takes effect on virtual networks in the regions you deploy it to, so pick the region(s) where your virtual networks live.
Finish the section by successfully deploying the configuration.
Verify the configuration deployment
We can use the 'Network Manager' section for each virtual network to verify that our configuration was deployed.
Checking the first virtual network gives us the following result:
And checking the second virtual network confirms that the configuration was deployed successfully:
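The same connectivity setup, from the network manager through the mesh deployment and the per-VNet verification, can be scripted with the Azure CLI. This is an added example and not the article's own code: the resource group, region, resource names and the two VNet names are assumptions, and so are the exact flag names of the "az network manager" extension, which you should confirm with "az network manager --help" for your CLI version.

```shell
# Added example (not the article's code): Azure CLI equivalent of the portal
# steps for the mesh connectivity configuration. Names, region and flag names
# are assumptions; check them against "az network manager --help".
set -eu

RG="${RG:-rg-avnm-demo}"                    # assumed existing resource group
LOCATION="${LOCATION:-westeurope}"          # assumed region of both VNets
NM_NAME="${NM_NAME:-avnm-demo}"             # network manager name
NG_NAME="${NG_NAME:-ng-mesh-demo}"          # network group name
CC_NAME="${CC_NAME:-cc-mesh-demo}"          # connectivity configuration name
VNETS="${VNETS:-vnet-demo-01 vnet-demo-02}" # the two VNets created earlier

# Step 1: network manager scoped to the current subscription, with both
# features enabled (the 'Connectivity' and 'Security admin' checkboxes).
create_network_manager() {
  local sub_id
  sub_id=$(az account show --query id -o tsv)
  az network manager create \
    --name "$NM_NAME" --resource-group "$RG" --location "$LOCATION" \
    --description "AVNM demo: mesh connectivity and security admin rules" \
    --network-manager-scope-accesses Connectivity SecurityAdmin \
    --network-manager-scopes subscriptions="/subscriptions/$sub_id"
}

# Step 2: the network group that the configuration will be applied to.
create_network_group() {
  az network manager group create \
    --name "$NG_NAME" --network-manager-name "$NM_NAME" --resource-group "$RG" \
    --description "Static members: the two demo VNets"
}

# Step 3: add both VNets as static members (the 'Add virtual networks' step).
add_static_members() {
  local vnet vnet_id
  for vnet in $VNETS; do
    vnet_id=$(az network vnet show --name "$vnet" --resource-group "$RG" --query id -o tsv)
    az network manager group static-member create \
      --name "sm-$vnet" --network-group-name "$NG_NAME" \
      --network-manager-name "$NM_NAME" --resource-group "$RG" \
      --resource-id "$vnet_id"
  done
}

# Step 4: connectivity configuration with the 'Mesh' topology targeting the group.
# is-global=False keeps the mesh regional; set it to True for VNets in several regions.
create_mesh_config() {
  local ng_id
  ng_id=$(az network manager group show --name "$NG_NAME" --network-manager-name "$NM_NAME" \
          --resource-group "$RG" --query id -o tsv)
  az network manager connect-config create \
    --configuration-name "$CC_NAME" --network-manager-name "$NM_NAME" --resource-group "$RG" \
    --connectivity-topology Mesh \
    --applies-to-groups network-group-id="$ng_id" group-connectivity=None is-global=False
}

# Step 5: nothing takes effect until the configuration is committed to target regions.
deploy_connectivity() {
  local cc_id
  cc_id=$(az network manager connect-config show --configuration-name "$CC_NAME" \
          --network-manager-name "$NM_NAME" --resource-group "$RG" --query id -o tsv)
  az network manager post-commit \
    --network-manager-name "$NM_NAME" --resource-group "$RG" \
    --commit-type Connectivity --configuration-ids "$cc_id" \
    --target-locations "$LOCATION"
}

# Step 6: the CLI counterpart of the per-VNet 'Network Manager' page.
verify_connectivity() {
  local vnet
  for vnet in $VNETS; do
    az network manager list-effective-connectivity-config \
      --resource-group "$RG" --virtual-network-name "$vnet" -o table
  done
}

main() {
  create_network_manager
  create_network_group
  add_static_members
  create_mesh_config
  deploy_connectivity
  verify_connectivity
}

# Only run against Azure when explicitly requested, so the file can be sourced safely.
if [ "${APPLY_AVNM:-0}" = "1" ]; then main; fi
```

Run it with `APPLY_AVNM=1 sh avnm-mesh.sh` after `az login` and after installing the virtual-network-manager CLI extension; the verification step should list the mesh configuration for each of the two VNets, matching what the portal shows above.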
Next, let's look at how we can use a security admin configuration to block network traffic.
Creating a security admin configuration
Next, we will create a security admin rule that blocks inbound network traffic on RDP port 3389. After that, we will deploy a virtual machine whose NSG allows RDP on port 3389 and confirm that we still cannot connect.
Go to the network manager we created previously and open the 'Configurations' page. Select '+ Create' and choose security admin configuration.
Fill in the 'Basics' tab with a name and a description of your choice. On the 'Rule collections' tab click on 'Add'. Enter a name of your choice and choose the previously created network group under 'Target network groups'. Add a new deny RDP rule like the following:
Note that for the action you can choose one of the following:
- Allow - allows traffic on the specified port, protocol, and source/destination IP prefixes in the specified direction
- Deny - blocks traffic on the specified port, protocol, and source/destination IP prefixes in the specified direction
- Always allow - regardless of other rules with lower priority or user-defined network security groups, allows traffic on the specified port, protocol, and source/destination IP prefixes in the specified direction
Security admin rules are evaluated before network security groups, which is why 'Deny' and 'Always allow' override what an NSG says. For example, if an NSG rule does not allow RDP on port 3389 but we chose the 'Always allow' action, we will still be able to RDP to our virtual machine.
Let's finish this section by deploying this configuration to apply it to virtual networks in the network group.
Verify the security admin rules
First let's create a virtual machine that we will use for the test. I won't go through the process of creating one, but just note that I am allowing RDP on port 3389 for the virtual machine.
Under 'Networking', place the virtual machine in the first virtual network and the 'vmsubnet' subnet.
After the virtual machine is created, open its 'Network manager' page. It shows the security admin rules that Azure Virtual Network Manager applied to the virtual machine, and we can see the rule we created listed there.
Now, for our final test, let's try to connect to the virtual machine using RDP. We can see that we are unable to do so, even though our NSG allows it.
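The security admin part can be scripted the same way: the configuration, a rule collection targeting the network group, the inbound deny rule for TCP/3389, the deployment, and finally a listing of the effective security admin rules on the VM's VNet, which is the CLI equivalent of the 'Network manager' page checked above. This is an added example and not the article's code; it assumes the network manager and network group from the previous steps, the names below, and the flag names of the "az network manager" extension (confirm with "az network manager security-admin-config --help").

```shell
# Added example (not the article's code): Azure CLI equivalent of the security
# admin configuration that denies inbound RDP. Names and flag names are assumptions.
set -eu

RG="${RG:-rg-avnm-demo}"              # assumed existing resource group
LOCATION="${LOCATION:-westeurope}"    # region to deploy the configuration to
NM_NAME="${NM_NAME:-avnm-demo}"       # network manager created earlier
NG_NAME="${NG_NAME:-ng-mesh-demo}"    # network group created earlier
SAC_NAME="${SAC_NAME:-sac-deny-rdp}"  # security admin configuration
RC_NAME="${RC_NAME:-rc-deny-rdp}"     # rule collection
VM_VNET="${VM_VNET:-vnet-demo-01}"    # the VNet that holds 'vmsubnet' and the test VM

# Step 1: the security admin configuration ('Basics' tab).
create_security_admin_config() {
  az network manager security-admin-config create \
    --configuration-name "$SAC_NAME" --network-manager-name "$NM_NAME" \
    --resource-group "$RG" --description "Block inbound RDP across the network group"
}

# Step 2: a rule collection whose 'Target network groups' is our group.
create_rule_collection() {
  local ng_id
  ng_id=$(az network manager group show --name "$NG_NAME" --network-manager-name "$NM_NAME" \
          --resource-group "$RG" --query id -o tsv)
  az network manager security-admin-config rule-collection create \
    --configuration-name "$SAC_NAME" --network-manager-name "$NM_NAME" --resource-group "$RG" \
    --rule-collection-name "$RC_NAME" \
    --applies-to-groups network-group-id="$ng_id"
}

# Step 3: the deny rule. Security admin rules are evaluated before NSGs, so
# this Deny wins even when the VM's NSG allows RDP. The other actions are
# Allow (NSGs still apply afterwards) and AlwaysAllow (NSGs cannot block it).
create_deny_rdp_rule() {
  az network manager security-admin-config rule-collection rule create \
    --configuration-name "$SAC_NAME" --network-manager-name "$NM_NAME" --resource-group "$RG" \
    --rule-collection-name "$RC_NAME" --name "DenyInboundRDP" --kind Custom \
    --direction Inbound --access Deny --protocol Tcp --priority 100 \
    --dest-port-ranges 3389 \
    --sources address-prefix="*" address-prefix-type=IPPrefix \
    --destinations address-prefix="*" address-prefix-type=IPPrefix
}

# Step 4: commit the configuration to the region(s) that hold the VNets.
deploy_security_admin() {
  local sac_id
  sac_id=$(az network manager security-admin-config show --configuration-name "$SAC_NAME" \
           --network-manager-name "$NM_NAME" --resource-group "$RG" --query id -o tsv)
  az network manager post-commit \
    --network-manager-name "$NM_NAME" --resource-group "$RG" \
    --commit-type SecurityAdmin --configuration-ids "$sac_id" \
    --target-locations "$LOCATION"
}

# Step 5: list the effective security admin rules on the VM's VNet; the
# DenyInboundRDP rule should appear here before any RDP test.
verify_effective_rules() {
  az network manager list-effective-security-admin-rule \
    --resource-group "$RG" --virtual-network-name "$VM_VNET" -o table
}

main() {
  create_security_admin_config
  create_rule_collection
  create_deny_rdp_rule
  deploy_security_admin
  verify_effective_rules
}

# Only run against Azure when explicitly requested.
if [ "${APPLY_AVNM:-0}" = "1" ]; then main; fi
```

Run it with `APPLY_AVNM=1 sh avnm-deny-rdp.sh` after the connectivity script. Keeping the priority low (100) leaves room for more specific rules with lower numbers, and the effective-rules listing is the check to run before blaming an NSG when RDP to the VM fails.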
1 yr · Check out AVNM Quick Tip: https://www.dhirubhai.net/posts/dimitar-iliev96_avnm-security-admin-rules-action-types-activity-7165993619999387648-0kZl?utm_source=share&utm_medium=member_android
Solution Engineer at Redtrust
1 yr · Very helpful Dimitar Iliev. Thanks for sharing.
I help you master cloud and AI · Azure Solutions Architect Expert · Azure Cybersecurity Architect Expert · Book Author
1 yr · Hey Dimitar Iliev, thanks for sharing this article. Azure Virtual Network Manager is really a good tool for easy network management and security.