Scaling Azure Network Management and Security with AVNM

Scaling Azure Network Management and Security with AVNM

 

Effective management and configuration of your Azure network resources is crucial for minimizing costs, reducing operational overhead, and ensuring proper connectivity and security in the cloud. We're excited to announce the general availability of Azure Virtual Network Manager (AVNM), your all-in-one solution for managing network connectivity and security at scale.

What is Azure Virtual Network Manager?

AVNM simplifies network management through three core processes: group, configure, and deploy. First, group your network resources across subscriptions, regions, and tenants. Next, configure the connectivity and security settings for those resources. Finally, deploy those configurations to your network groups, across any number of regions you choose.

Common Use Cases

AVNM addresses several common network scenarios by enabling you to apply connectivity and security configurations to your defined network groups:

• Interconnected Virtual Networks (VNets): Direct communication between VNets.
• Centralized Infrastructure in a Hub VNet: Shared infrastructure services in a central hub VNet accessed by multiple VNets.
• Direct Connectivity Between Spoke VNets: Reducing latency by connecting spoke VNets directly.
• Automatic Connectivity Maintenance: Ensuring continued connectivity as new network resources are added.
• Enforced Security Standards: Ensuring consistent security policies across new and existing VNets.
• Flexible Network Security: Allowing VNet owners to fine-tune security via Network Security Groups (NSGs) when necessary.
• Organization-wide Security Rules: Mitigating misconfiguration and security risks by applying default security settings across the organization.
• Allowing Service Traffic: Ensuring traffic from essential services (e.g., monitoring, software updates) is never blocked.

Connectivity Configuration

Hub and Spoke Topology

In cases where you have shared services (like an Azure Firewall or ExpressRoute) in a hub VNet, you'll need to connect other VNets (spokes) to the hub. AVNM automates this process by enabling you to group VNets and automatically establish connectivity between the hub and the selected spoke VNets. Any new VNets that meet your defined criteria can be automatically added to the hub-spoke topology, reducing the need for manual adjustments.

Note: Direct connectivity between VNets within a spoke network group is still in preview and will be generally available at a later date.

Mesh Topology

For full communication between VNets—either regionally or globally—you can create a mesh topology. AVNM automatically establishes connectivity between all VNets in your selected network groups, simplifying the process of interconnecting your networks. This mesh configuration is still in preview and will be generally available in the future.

Implementing Connectivity with Existing Environments

If you already have a cross-region hub-and-spoke setup, you can automate the process with AVNM. Here's how to integrate AVNM into your existing setup:

1. Create a Network Manager.
2. Group VNets: Use Azure Policy definitions to group VNets by parameters like subscription, VNet tag, or name.
3. Configure Connectivity: Select the hub and spoke option, choose your hub VNet, and define your network groups as spokes.
4. Optional Cleanup: AVNM can automatically clean up existing peerings, or you can manually remove them later.
5. Deploy: Deploy the configuration across your chosen regions.

This approach ensures that new VNets matching your conditions are automatically added to the topology without manual intervention, with no downtime for existing connectivity.

Security Features

AVNM also enables you to enforce security at scale through Security Admin configurations. These rules take precedence over NSG rules, providing high-priority security policies for your network resources. This feature is currently in preview and will be generally available soon.

Security Admin Rules vs. NSGs

While NSGs provide granular control at the subnet and network interface level, Security Admin rules offer centralized security governance with higher precedence. This ensures you can enforce security standards across your organization while still allowing flexibility for individual teams.

Feature	Security Admin Rules	NSG Rules
Target Audience	Network admins, central governance team	Individual teams
Applied On	Virtual networks	Subnets, NICs
Evaluation Order	Higher priority	Lower priority (after security admin rules)
Action Types	Allow, Deny, Always Allow	Allow, Deny
Parameters	Priority, protocol, action, source, destination	-

A key difference is that Security Admin rules can enforce "Always Allow" or "Deny" actions, stopping further evaluation by NSGs for specific traffic.

Key Scenarios for Security Admin Rules

Providing Exceptions

Security Admin rules enable exceptions. For instance, if you block high-risk ports across your organization but need to allow SSH traffic for a specific application team, you can create a rule to allow SSH traffic for that team, while still blocking it for the rest of the organization.

Force-Allowing Traffic for Critical Services

You can also use Security Admin rules to guarantee critical traffic flows, such as allowing software update traffic, even if NSG rules mistakenly block it.

Implementing Security Admin Configurations in Existing Environments

To enforce security standards across your existing NSG-based model:

1. Create a Network Manager.
2. Group VNets: Use Azure Policy to define groups by subscription, VNet tag, or name.
3. Create a Security Admin Configuration: Define security rules across network groups to enforce organization-wide standards.
4. Deploy: Apply the configuration across your regions.

This approach enables centralized enforcement of security rules while maintaining the flexibility for teams to manage their specific security needs.

By leveraging AVNM, you can efficiently manage network connectivity and security, ensuring consistency across your organization while still allowing for the flexibility needed for individual teams.

 

Azure Virtual Network Manager (AVNM) simplifies network management and security at scale in Azure. It enables easy grouping, configuration, and deployment of network resources across multiple regions. AVNM centralizes security enforcement while allowing flexibility for individual teams.