Azure Virtual Network Manager (VNM) is a new network service with management capabilities that was recently announced at Microsoft Ignite. VNM allows us to manage multiple virtual networks and implement well-known network topologies, such as hub-and-spoke or mesh, in target subscriptions without having to configure the network resources individually. It also enables us to manage virtual networks using logical network groups and to apply security or connectivity configurations to these groups. In this post, we will focus on connectivity configurations on the Azure Virtual Network Manager.

Prerequisites

As the VNM is still in preview, we first need to register the preview feature, called AllowAzureNetworkManager, either in Azure Portal or via PowerShell.

Preview feature called AllowAzureNetworkManager needs to be registered first

Registering the feature via PowerShell

To create and manage VNM using PowerShell, we need to install the prerelease version of the Az.Network module.

Installing the prerelease version of Az.Network via PowerShell

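The two prerequisite steps above (feature registration and the prerelease module) as one script. This is an added example, not code from the original post; it uses the Az.Resources cmdlets `Register-AzProviderFeature`, `Get-AzProviderFeature` and `Register-AzResourceProvider`, and `Install-Module -AllowPrerelease`, which needs PowerShellGet 1.6 or later. Registration is asynchronous, so the script polls the registration state instead of assuming it is immediate.

```powershell
# Added example (not from the original post): register the AllowAzureNetworkManager
# preview feature in the current subscription context, wait for the registration to
# finish, then install the prerelease Az.Network module.

Register-AzProviderFeature -FeatureName 'AllowAzureNetworkManager' -ProviderNamespace 'Microsoft.Network'

# Feature registration is asynchronous; poll until the state is 'Registered' (give up after ~10 minutes).
$attempts = 0
do {
    Start-Sleep -Seconds 15
    $feature = Get-AzProviderFeature -FeatureName 'AllowAzureNetworkManager' -ProviderNamespace 'Microsoft.Network'
    $attempts++
    Write-Host "AllowAzureNetworkManager registration state: $($feature.RegistrationState)"
} while ($feature.RegistrationState -ne 'Registered' -and $attempts -lt 40)

if ($feature.RegistrationState -ne 'Registered') {
    throw "Feature registration did not complete (state: $($feature.RegistrationState))."
}

# Re-register the resource provider so the newly enabled feature is picked up.
Register-AzResourceProvider -ProviderNamespace 'Microsoft.Network'

# Install the prerelease Az.Network module for the current user (no elevation required).
Install-Module -Name Az.Network -AllowPrerelease -Scope CurrentUser -Force

# Confirm that the network manager cmdlets are actually available before continuing.
Get-Command -Module Az.Network -Name 'New-AzNetworkManager*' | Select-Object Name
```

Running this in a session where a stable Az.Network is already imported may require a fresh session so that the prerelease version is the one loaded.
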
Create the VNM in Azure Portal

There are two important settings during the creation process: Scope and Features.

Scope defines the management groups and subscriptions in which the VNM will manage VNets; multiple targets can be selected.

For the Features setting, there are two options: Connectivity and Security. This is where we specify which VNM feature will be used.

Scope and Features can be selected in the Azure Network Manager creation wizard

Multiple management groups or subscriptions can be selected as scopes

Once the VNM is created, we can start managing virtual networks and deploying connectivity or security configurations.

First, a network group needs to be created so that we can use it as the target group when preparing and deploying the configs.

Azure Network Manager components

Create the VNM using PowerShell

The VNM can be created using the following PowerShell commands:

[System.Collections.Generic.List[string]]$VnetManagerMgmtGroups = @()  
$VnetManagerMgmtGroups.Add("/providers/Microsoft.Management/managementGroups/Root")
[System.Collections.Generic.List[String]]$VnetManagerAccess = @()  
$VnetManagerAccess.Add("Connectivity")
$VnetManagerAccess.Add("SecurityAdmin")
$VnetManagerScope = New-AzNetworkManagerScope -ManagementGroup $VnetManagerMgmtGroups

$VnetManagerConfig = @{
    Name = 'VirtualNetworkManager01'
    ResourceGroupName = 'hub-network'
    NetworkManagerScope = $VnetManagerScope
    NetworkManagerScopeAccess = $VnetManagerAccess
    Location = 'West Europe'
}
$VirtualNetworkManager = New-AzNetworkManager @VnetManagerConfig

Creating Azure Network Manager via PowerShell

Creating network groups in the Azure Portal

There are two types of network groups in the VNM.

  1. Groups with static group membership, where the members are added manually
  2. Groups with dynamic group membership, where the members are added automatically based on the criteria we specify

VNets can be added dynamically to network groups

Therefore, in the above example, if the name of a new or existing VNet contains "test," it will be added automatically to the network group. Alternatively, static members can be defined by adding the VNets to the group manually.

Creating network groups using PowerShell

Dynamic network groups can be created with the following commands. We first define the membership condition that adds VNets to the group dynamically.

$conditionalMembership = '{ 
    "allof":[ 
        { 
        "field": "name", 
        "contains": "test" 
        } 
    ] 
}'


$VirtualNetworkManagerGroupConfig = @{
    Name = 'VirtualNetworkManagerMembers'
    ResourceGroupName = 'hub-network'
    ConditionalMembership = $conditionalMembership
    NetworkManagerName = 'VirtualNetworkManager01'
    MemberType = 'Microsoft.Network/VirtualNetwork'
}
$VirtualNetworkManagerGroup = New-AzNetworkManagerGroup @VirtualNetworkManagerGroupConfig

To create a network group with static members only, you can use the following instead:

# One static member, identified by its full VNet resource ID
$member = New-AzNetworkManagerGroupMembersItem -ResourceId "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/hub-network/providers/Microsoft.Network/virtualNetworks/test202100013"
[System.Collections.Generic.List[Microsoft.Azure.Commands.Network.Models.NetworkManager.PSNetworkManagerGroupMembersItem]]$staticGroupMembers = @()  
$staticGroupMembers.Add($member)

$VirtualNetworkManagerGroupConfig = @{
    Name = 'VirtualNetworkManagerMembers'
    ResourceGroupName = 'hub-network'
    GroupMember = $staticGroupMembers
    NetworkManagerName = 'VirtualNetworkManager01'
    MemberType = 'Microsoft.Network/VirtualNetwork'
}
$VirtualNetworkManagerGroup = New-AzNetworkManagerGroup @VirtualNetworkManagerGroupConfig

You can get the dynamic members of the group with this command:

Get-AzNetworkManagerEffectiveVirtualNetworkByNetworkGroupList `
    -NetworkGroupName VirtualNetworkManagerMembers `
    -NetworkManagerName VirtualNetworkManager01 `
    -ResourceGroupName hub-network

Listing dynamic members of a network group

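A substring condition such as `contains "test"` also matches VNets you may not have had in mind (any name containing "test", in every subscription in scope), and whatever lands in the group receives the connectivity configuration later on. The check below, an added example and not part of the original post, compares the effective membership against an allowlist of the spokes you intended. It assumes the list result exposes a `Value` collection whose items carry the VNet `Id`; the allowlist entry is a constructed sample value.

```powershell
# Added example (not from the original post): verify that the dynamic condition
# pulled in exactly the VNets that were intended, before any configuration is deployed.

# Constructed allowlist for this example: the VNets that are supposed to be spokes.
$expectedSpokes = @(
    '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/hub-network/providers/Microsoft.Network/virtualNetworks/test202100013'
)

$effective = Get-AzNetworkManagerEffectiveVirtualNetworkByNetworkGroupList `
    -NetworkGroupName 'VirtualNetworkManagerMembers' `
    -NetworkManagerName 'VirtualNetworkManager01' `
    -ResourceGroupName 'hub-network'

# Assumed result shape: a Value collection with one item per effective member, each carrying its Id.
$actual = @($effective.Value | ForEach-Object { $_.Id })

# Resource IDs are compared case-insensitively; PowerShell's -notcontains already does that.
$unexpected = @($actual | Where-Object { $expectedSpokes -notcontains $_ })
$missing    = @($expectedSpokes | Where-Object { $actual -notcontains $_ })

if ($unexpected.Count -gt 0) {
    Write-Warning "VNets matched by the condition but not on the allowlist:`n$($unexpected -join "`n")"
}
if ($missing.Count -gt 0) {
    Write-Warning "Allowlisted VNets not matched by the condition:`n$($missing -join "`n")"
}
if ($unexpected.Count -eq 0 -and $missing.Count -eq 0) {
    Write-Host "Network group membership matches the allowlist ($($actual.Count) VNets)."
}
```

Because membership is evaluated continuously, a VNet created later with a matching name joins the group silently; rerunning this check on a schedule, or after any VNet deployment in the scoped subscriptions, catches that.
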
We now have a network group with multiple VNets, so we can create a connectivity configuration and deploy it to this group.

Creating a connectivity configuration in Azure Portal

In the portal, it's fairly straightforward to create a connectivity config. We just select the topology that we want to use, specify the hub VNet to form a hub-and-spoke topology, and then select the network group that we created earlier as the group of spoke VNets.

Adding a new connectivity configuration for a hub and spoke topology

Creating a connectivity configuration using PowerShell

A connectivity config for a hub-and-spoke topology can be created with the following code:

# The network group created earlier becomes the set of spokes
$VirtualNetworkManagerGroup = Get-AzNetworkManagerGroup -Name VirtualNetworkManagerMembers -NetworkManagerName VirtualNetworkManager01 -ResourceGroupName hub-network
$spokesGroupItem = @{
    NetworkGroupId = $VirtualNetworkManagerGroup.Id
}
# Spokes use the hub's gateway and are not connected to each other
$spokesNetworkGroup = New-AzNetworkManagerConnectivityGroupItem @spokesGroupItem -UseHubGateway -GroupConnectivity 'None'

[System.Collections.Generic.List[Microsoft.Azure.Commands.Network.Models.NetworkManager.PSNetworkManagerConnectivityGroupItem]]$configurationGroup = @()
$configurationGroup.Add($spokesNetworkGroup)

[System.Collections.Generic.List[Microsoft.Azure.Commands.Network.Models.NetworkManager.PSNetworkManagerHub]]$hubList = @()

$hub = @{
    ResourceId = '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/hub-network/providers/Microsoft.Network/virtualNetworks/hub-vnet'
    ResourceType = 'Microsoft.Network/virtualNetworks'
}
$hubvnet = New-AzNetworkManagerHub @hub

$hubList.Add($hubvnet)

$HubAndSpokeConfig = @{
    Name = 'HubAndSpokeTopologyConfig'
    ResourceGroupName = 'hub-network'
    NetworkManagerName = 'VirtualNetworkManager01'
    ConnectivityTopology = 'HubAndSpoke'
    Hub = $hubList
    AppliesToGroup = $configurationGroup
}
# -DeleteExistingPeering removes peerings that conflict with the topology; -IsGlobal allows cross-region spokes
$connectivityconfig = New-AzNetworkManagerConnectivityConfiguration @HubAndSpokeConfig -DeleteExistingPeering -IsGlobal

Deploying a configuration in Azure Portal

Once the desired connectivity configuration is in place, we can carry out the deployment to implement the topology. When we deploy a configuration, we are asked to specify the regions to which the config will be deployed.

Deploying a preconfigured connectivity configuration in Azure Portal

Once deployment starts, we can see the progress in the selected regions.

The statuses of virtual networks can be checked through the deployments

It is also possible to check the peerings on individual VNets to confirm the topology.

VNet peerings are automatically created and configured by Azure Network Manager

Deploying a configuration with PowerShell

An existing configuration can be deployed via PowerShell using the following commands:

[System.Collections.Generic.List[string]]$configurationIds = @()  
$configurationIds.add($connectivityconfig.id) 
[System.Collections.Generic.List[string]]$regions = @()   
$regions.Add("westeurope")     

$deployment = @{
    Name = 'VirtualNetworkManager01'
    ResourceGroupName = 'hub-network'
    ConfigurationId = $configurationIds
    TargetLocation = $regions
    CommitType = 'Connectivity'
}
Deploy-AzNetworkManagerCommit @deployment
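The peering check described earlier ("check the peerings on individual VNets to confirm the topology") as a script, so that it can be run after every commit rather than eyeballed in the portal. This is an added example, not code from the original post. It walks the effective members of the network group and, for each spoke, uses `Get-AzVirtualNetworkPeering` to confirm that the spoke peers with the hub only (the `GroupConnectivity 'None'` choice above), that the peering is connected, and that the spoke uses the hub gateway. The hub resource ID is the page's placeholder, and the `Value`/`Id` shape of the membership result is assumed.

```powershell
# Added example (not from the original post): confirm that the deployed topology is
# the intended hub-and-spoke, with no spoke-to-spoke or stray peerings.

$hubVnetId = '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/hub-network/providers/Microsoft.Network/virtualNetworks/hub-vnet'

# Spokes come from the network group's effective membership (Value/Id shape assumed).
$spokes = (Get-AzNetworkManagerEffectiveVirtualNetworkByNetworkGroupList `
    -NetworkGroupName 'VirtualNetworkManagerMembers' `
    -NetworkManagerName 'VirtualNetworkManager01' `
    -ResourceGroupName 'hub-network').Value

$report = foreach ($spoke in $spokes) {
    # Resource ID layout: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<name>
    $parts = $spoke.Id -split '/'
    $rg    = $parts[4]
    $name  = $parts[8]

    $peerings = @(Get-AzVirtualNetworkPeering -VirtualNetworkName $name -ResourceGroupName $rg)
    if ($peerings.Count -eq 0) {
        Write-Warning "$name has no peerings yet; the deployment may not have reached its region."
        continue
    }

    foreach ($p in $peerings) {
        $remoteId = $p.RemoteVirtualNetwork.Id
        if ($remoteId -ne $hubVnetId) {
            Write-Warning "$name peers with a non-hub VNet: $remoteId (spokes should reach each other only via the hub)"
        }
        if ($p.PeeringState -ne 'Connected') {
            Write-Warning "$name peering '$($p.Name)' is in state $($p.PeeringState)"
        }
        if (-not $p.UseRemoteGateways) {
            Write-Warning "$name does not use the hub gateway although -UseHubGateway was requested"
        }
        [pscustomobject]@{
            Spoke             = $name
            Peering           = $p.Name
            RemoteVnet        = ($remoteId -split '/')[-1]
            State             = $p.PeeringState
            UseRemoteGateways = $p.UseRemoteGateways
            ForwardedTraffic  = $p.AllowForwardedTraffic
        }
    }
}

$report | Format-Table -AutoSize
```

A peering to anything other than the hub, or a spoke with `UseRemoteGateways` false, indicates either a pre-existing peering that `-DeleteExistingPeering` did not cover or a configuration that was committed to a region the spoke is not in; both are worth resolving before workloads depend on the topology.
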

Conclusion

Azure VNM is an easy yet powerful service that can save us a lot of time when we need to configure hundreds of virtual networks across multiple subscriptions. Also, configuring and deploying well-known network topologies such as mesh and hub-and-spoke with a couple of clicks is a big plus, not to mention full PowerShell support at any stage of the configuration.
