Quickstart: Create a mesh network topology with Azure Virtual Network Manager using the Azure portal
Get started with Azure Virtual Network Manager by using the Azure portal to manage connectivity for all your virtual networks.
In this quickstart, you'll deploy three virtual networks and use Azure Virtual Network Manager to create a mesh network topology. Then you'll verify if the connectivity configuration got applied.
- An Azure account with an active subscription. Create an account for free.
Create Virtual Network Manager
Deploy a network manager instance with the defined scope and access you need.
Sign in to the Azure portal.
Select + Create a resource and search for Network Manager. Then select Create to begin setting up Azure Virtual Network Manager.
On the Basics tab, enter or select the following information:
Setting Value Subscription Select the subscription you want to deploy Azure Virtual Network Manager to. Resource group Select or create a resource group to store Azure Virtual Network Manager. This example will use the myAVNMResourceGroup previously created. Name Enter a name for this Azure Virtual Network Manager instance. This example will use the name myAVNM. Region Select the region for this deployment. Azure Virtual Network Manager can manage virtual networks in any region. The region selected is for where the Virtual Network Manager instance will be deployed. Description (Optional) Provide a description about this Virtual Network Manager instance and the task it will be managing. Scope Define the scope for which Azure Virtual Network Manager can manage. This example will use a subscription-level scope. Features Select the features you want to enable for Azure Virtual Network Manager. Available features are Connectivity and SecurityAdmin. Connectivity - Enables the ability to create a full mesh or hub and spoke network topology between virtual networks within the scope. SecurityAdmin - Enables the ability to create global network security rules.
Select Review + create and then select Create once validation has passed.
Create virtual networks
Create five virtual networks using the portal. This example creates virtual networks named VNetA, VNetB, VNetC and VNetD in the West US location. Each virtual network will have a tag of networkType used for dynamic membership. If you have existing virtual networks for your mesh configuration, you'll need to add tags listed below to your virtual networks and skip to the next section.
From the Home screen, select + Create a resource and search for Virtual network. Then select Create to begin configuring the virtual network.
On the Basics tab, enter or select the following information.
Setting Value Subscription Select the subscription you want to deploy this virtual network into. Resource group Select or create a new resource group to store the virtual network. This quickstart will use new resource group named myAVNMResourceGroup. Name Enter a VNetA for the virtual network name. Region Select West US.
Select Next: IP Addresses > and configure the following network address spaces:
Setting Value IPv4 address space 10.0.0.0/16 Subnet name default Subnet address space 10.0.0.0/24
Select the Tags tab and enter the following values:
Setting Value Name Enter NetworkType Value Enter Prod.
Select Review + create and then select Create once validation has passed to deploy the virtual network.
Repeat steps 2-5 to create more virtual networks with the following information:
Setting Value Subscription Select the same subscription you selected in step 3. Resource group Select the myAVNMResourceGroup. Name Enter VNetB, VNetC, and VNetD for each of the three extra virtual networks. Region Region will be selected for you when you select the resource group. VNetB IP addresses IPv4 address space: 10.1.0.0/16 Subnet name: default Subnet address space: 10.1.0.0/24 VNetC IP addresses IPv4 address space: 10.2.0.0/16 Subnet name: default Subnet address space: 10.2.0.0/24 VNetD IP addresses IPv4 address space: 10.3.0.0/16 Subnet name: default Subnet address space: 10.3.0.0/24 VNetB NetworkType tag Enter Prod. VNetC NetworkType tag Enter Prod. VNetD NetworkType tag Enter Test.
Create a network group
Virtual Network Manager applies configurations to groups of VNets by placing them in network groups. Create a network group as follows:
Go to Azure Virtual Network Manager instance you created.
Select Network Groups under Settings, then select + Create.
On the Create a network group page, enter a Name for the network group. This example will use the name myNetworkGroup. Select Add to create the network group.
You'll see the new network group added to the Network Groups page.
Define membership for a mesh configuration
Azure Virtual Network manager allows you two methods for adding membership to a network group. You can manually add virtual networks or use Azure Policy to dynamically add virtual networks based on conditions. Choose the option below for your mesh membership configuration:
Manually add membership
In this task, you'll manually add three virtual networks for your Mesh configuration to your network group using the steps below:
From the list of network groups, select myNetworkGroup and select Add virtual networks under Manually add members on the myNetworkGroup page.
On the Manually add members page, select three virtual networks created previously (VNetA, VNetB, and VNetC). Then select Add to add the 3 virtual networks to the network group.
Create Azure Policy for dynamic membership
Using Azure Policy, you'll define a condition to dynamically add three virtual networks tagged as Prod to your network group using the steps below.
From the list of network groups, select myNetworkGroup and select Create Azure Policy under Create policy to dynamically add members.
On the Create Azure Policy page, select or enter the following information:
Setting Value Policy name Enter ProdVNets in the text box. Scope Select Select Scopes and choose your current subscription. Criteria Parameter Select Tags from the drop-down. Operator Select Exists from the drop-down. Condition Enter Prod to dynamically add the three previously created virtual networks into this network group.
Select Save to deploy the group membership. It can take up to one minute for the policy to take effect and be added to your network group.
On the Network Group page under Settings, select Group Members to view the membership of the group based on the conditions defined in Azure Policy.
Create a configuration
Now that the Network Group is created, and has the correct VNets, create a mesh network topology configuration. Replace <subscription_id> with your subscription and follow the steps below:
Select Configurations under Settings, then select + Create.
Select Connectivity configuration from the drop-down menu to begin creating a connectivity configuration.
On the Basics page, enter the following information, and select Next: Topology >.
Setting Value Name Enter a name for this connectivity configuration. Description (Optional) Provide a description about this connectivity configuration.
On the Topology tab, select the Mesh topology if not selected, and leave the Enable mesh connectivity across regions unchecked. Cross-region connectivity isn't required for this set up since all the virtual networks are in the same region.
Select + Add and then select the network group you created in the last section. Select Select to add the network group to the configuration.
Select Next: Review + Create > and Create to create the configuration.
Once the deployment completes, select Refresh, and you'll see the new connectivity configuration added to the Configurations page.
Deploy the connectivity configuration
To have your configurations applied to your environment, you'll need to commit the configuration by deployment. You'll need to deploy the configuration to the West US region where the virtual networks are deployed.
Select Deployments under Settings, then select Deploy configurations.
Select the following settings:
Setting Value Configurations Select the type of configuration you want to deploy. This example will select Include connectivity configurations in your goal state . Connectivity configurations Select the ConnectivityConfigA configuration created from the previous section. Regions Select the region to deploy this configuration to. For this example, choose the West US region since all the virtual networks were created in that region.
Select Next and then select Deploy to complete the deployment.
You should now see the deployment show up in the list for the selected region. The deployment of the configuration can take several minutes to complete.
Verify configuration deployment
Use the Network Manager section for each virtual machine to verify whether configuration was deployed in the steps below:
Select Refresh on the Deployments page to see the updated status of the configuration that you committed.
Go to VNetA virtual network and select Network Manager under Settings. You'll see the configuration you deployed with Azure Virtual Network Manager associated to the virtual network.
You can also confirm the same for VNetB,VNetC, and VNetD.
Clean up resources
If you no longer need Azure Virtual Network Manager, you'll need to make sure all of following is true before you can delete the resource:
- There are no configurations deployed to any region.
- All configurations have been deleted.
- All network groups have been deleted.
To remove all configurations from a region, start in the virtual network manager and select Deploy configurations. Select the following settings:
Setting Value Configurations Select Include connectivity configurations in your goal state. Connectivity configurations Select the None - Remove existing connectivity configurations configuration. Regions Select West US as the deployed region.
Select Next and select Deploy to complete the deployment removal.
To delete a configuration, select Configurations under Settings from the left pane of Azure Virtual Network Manager. Select the checkbox next to the configuration you want to remove and then select Delete at the top of the resource page. Select Yes to confirm the configuration deletion.
To delete a network group, select Network Groups under Settings from the left pane of Azure Virtual Network Manager. Select the checkbox next to the network group you want to remove and then select Delete at the top of the resource page.
On the Delete a network group page, select the following options:
Setting Value Delete option Select Force delete the resource and all dependent resources. Confirm deletion Enter the name of the network group. In this example, it's myNetworkGroup.
Select Delete and Select Yes to confirm the network group deletion.
Once all network groups have been removed, select Overview from the left pane of Azure Virtual Network Manager and select Delete.
On the Delete a network manager page, select the following options and select Delete. Select Yes to confirm the deletion.
Setting Value Delete option Select Force delete the resource and all dependent resources. Confirm deletion Enter the name of the network manager. In this example, it's myAVNM.
To delete the resource group and virtual networks, locate the resource group and select the Delete resource group. Confirm that you want to delete by entering the name of the resource group, then select Delete
After you've created the Azure Virtual Network Manager, continue on to learn how to block network traffic by using a security admin configuration: