As an Azure administrator you may already know how difficult it can be to manage virtual networks across various subscriptions, even if you initially deployed the resources using ARM templates to ensure a common base configuration.
Well, good news: a new feature is now in preview – Azure Virtual Network Manager – which will allow you to manage all your virtual networks from a central location.
As this is a preview feature, you first need to register the resource provider AllowAzureNetworkManager.
From the Azure portal, open each subscription where you need to enable the provider, go to the Preview features blade and search for AllowAzureNetworkManager.
If you want to use PowerShell, use the command below:
Register-AzProviderFeature -FeatureName AllowAzureNetworkManager -ProviderNamespace Microsoft.Network
Once done, you may have to wait a little as it may take some time for the provider to be fully registered.
Then you can create the Azure Virtual Network Manager by searching for Network Managers.
NOTE: during the preview, this feature is only available in the following regions, which means your networks need to be deployed within these regions:
- North Central US
- West US
- West US 2
- East US
- East US 2
- North Europe
- West Europe
- France Central
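The registration and region checks above can be scripted across several subscriptions. The following is an added example, not part of the original post: it assumes the Az.Resources and Az.Network modules and an authenticated session (Connect-AzAccount), and the subscription ID, polling interval and timeout are placeholders chosen for illustration.

```powershell
# Added example (not from the original post).
# Placeholder value: replace with the subscription IDs you plan to put in scope.
$SubscriptionIds = @('00000000-0000-0000-0000-000000000000')

# Preview regions listed in the post, in the short form used by the Location property.
$PreviewRegions = @('northcentralus', 'westus', 'westus2', 'eastus', 'eastus2',
                    'northeurope', 'westeurope', 'francecentral')

$Feature   = 'AllowAzureNetworkManager'
$Namespace = 'Microsoft.Network'

foreach ($id in $SubscriptionIds) {
    Set-AzContext -Subscription $id | Out-Null

    # Register the preview feature only if it is not already registered.
    $state = (Get-AzProviderFeature -FeatureName $Feature -ProviderNamespace $Namespace).RegistrationState
    if ($state -ne 'Registered') {
        Register-AzProviderFeature -FeatureName $Feature -ProviderNamespace $Namespace | Out-Null
    }

    # Poll until the registration completes; give up after 15 minutes (assumed timeout).
    $deadline = (Get-Date).AddMinutes(15)
    while ($state -ne 'Registered' -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 30
        $state = (Get-AzProviderFeature -FeatureName $Feature -ProviderNamespace $Namespace).RegistrationState
    }
    Write-Host "Subscription ${id}: $Feature is $state"

    # List virtual networks deployed outside the preview regions.
    Get-AzVirtualNetwork |
        Where-Object { ($_.Location -replace '\s', '').ToLower() -notin $PreviewRegions } |
        Select-Object @{ n = 'Subscription'; e = { $id } }, ResourceGroupName, Name, Location
}
```

Any virtual network returned by the last step sits in a region the preview does not cover.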
When you create your network manager you will have to define the scope, which sets the management group(s)/subscription(s) you want the manager to manage, as well as the features you plan to use with the manager (connectivity, which restricts network management, and/or security admin, which allows you to manage security rules [these override NSG rules]).
NOTE: ensure you properly define your scope and features, as you cannot change them after creation. If you need to update the scope or features, you will have to create a new manager. Maybe this will change when reaching general availability.
Then you can create a group of networks by accessing the Network Groups blade; a network group can use either dynamic rules, static assignments or both.
When you use dynamic rules you can use the Preview button to validate that your rules are correct.
Using a dynamic group is very useful to ensure any new virtual network created after the network manager will get the configuration(s) you have defined.
You can update the group membership rules after the creation. If you use dynamic rules, you will have access to only the advanced editor (probably a limitation of the preview for now).
Then you can create a configuration to be deployed across the networks that are part of the group you have created.
Depending on the features you have enabled, you will be limited to either the connectivity or the security admin configuration.
The connectivity configuration allows you to define the network topology (mesh or hub and spoke) to be deployed.
The security admin configuration allows you to define the NSG rule to be deployed; this supports the use of service tags.
Finally you can deploy your configuration by accessing the Deployments blade.
Of course, before deploying, ensure your configurations contain all the settings/rules you need.
You can then view the deployment in progress and also have a look at the current active configuration.
Once the configurations are showing as succeeded you can access the Network manager blade on the targeted virtual networks to confirm the configuration(s) deployed to them.