Quickstart: Create a mesh network topology with Azure Virtual Network Manager - Azure portal

Get started with Azure Virtual Network Manager by using the Azure portal to manage connectivity for all your virtual networks.

In this quickstart, you deploy three virtual networks and use Azure Virtual Network Manager to create a mesh network topology. Then you verify that the connectivity configuration was applied.

Diagram of resources deployed for a mesh virtual network topology with Azure virtual network manager.

Prerequisites

Create a Virtual Network Manager instance

Deploy a Virtual Network Manager instance with the defined scope and access that you need. You can create a Virtual Network Manager instance by using the Azure portal, Azure PowerShell, or Azure CLI. This article shows you how to create a Virtual Network Manager instance by using the Azure portal.

  1. Sign in to the Azure portal.

  2. Select + Create a resource and search for Network Manager. Then select Network Manager > Create to begin setting up Virtual Network Manager.

  3. On the Basics tab, enter or select the following information, and then select Review + create.

    Screenshot of basic information for creating a network manager.

    Setting Value
    Subscription Select the subscription where you want to deploy Virtual Network Manager.
    Resource group Select Create new and enter rg-learn-eastus-001.
    Name Enter vnm-learn-eastus-001.
    Region Enter eastus or a region of your choosing. Virtual Network Manager can manage virtual networks in any region. The selected region is where the Virtual Network Manager instance will be deployed.
    Description (Optional) Provide a description about this Virtual Network Manager instance and the task it's managing.
    Scope Choose Select scopes and then select your subscription.
    Select Add to selected scope > Select.
    Scope information defines the resources that Virtual Network Manager can manage. You can choose subscriptions and management groups.
    Features Select Connectivity and Security Admin from the dropdown list.
    Connectivity enables the creation of a full mesh or hub-and-spoke network topology between virtual networks within the scope.
    Security Admin enables the creation of global network security rules.
  4. Select Create after your configuration passes validation.

Create virtual networks

Create three virtual networks by using the portal. Each virtual network has a networkType tag that's used for dynamic membership. If you have existing virtual networks for your mesh configuration, add the tags listed in the table to your virtual networks and skip to the next section.

  1. From the Home screen, select + Create a resource and search for Virtual networks. Then select Create to begin configuring a virtual network.

  2. On the Basics tab, enter or select the following information.

    Screenshot of basic information for creating a virtual network.

    Setting Value
    Subscription Select the subscription where you want to deploy this virtual network.
    Resource group Select rg-learn-eastus-001.
    Virtual network name Enter vnet-learn-prod-eastus-001.
    Region Select (US) East US.
  3. Select Next or the IP addresses tab, configure the following network address spaces, and then select Review + create.

    Screenshot of IP address information for creating a virtual network.

    Setting Value
    IPv4 address space 10.0.0.0/16
    Subnet name default
    Subnet address space 10.0.0.0/24
  4. After your configuration passes validation, select Create to deploy the virtual network.

  5. Repeat the preceding steps to create more virtual networks with the following information:

    Setting Value
    Subscription Select the same subscription that you selected in step 2.
    Resource group Select rg-learn-eastus-001.
    Name Enter vnet-learn-prod-eastus-002 and vnet-learn-test-eastus-003 for each additional virtual network.
    Region Select (US) East US.
    vnet-learn-prod-eastus-002 IP addresses IPv4 address space: 10.1.0.0/16
    Subnet name: default
    Subnet address space: 10.1.0.0/24
    vnet-learn-test-eastus-003 IP addresses IPv4 address space: 10.2.0.0/16
    Subnet name: default
    Subnet address space: 10.2.0.0/24

Create a network group

Virtual Network Manager applies configurations to groups of virtual networks by placing them in network groups. To create a network group:

  1. Browse to the rg-learn-eastus-001 resource group, and select the vnm-learn-eastus-001 Virtual Network Manager instance.

  2. Under Settings, select Network groups. Then select Create.

    Screenshot of an empty list of network groups and the button for creating a network group.

  3. On the Create a network group pane, enter ng-learn-prod-eastus-001 and select Create.

    Screenshot of the pane for creating a network group.

  4. Confirm that the new network group is now listed on the Network groups pane.

    Screenshot of a newly created network group on the pane that list network groups.

Define membership for a connectivity configuration

After you create your network group, you add virtual networks as members. Choose one of the following options for your mesh membership configuration.

Add a membership manually

In this task, you manually add two virtual networks for your mesh configuration to your network group:

  1. From the list of network groups, select ng-learn-prod-eastus-001. On the ng-learn-prod-eastus-001 pane, under Manually add members, select Add virtual networks.

    Screenshot of add a virtual network f.

  2. On the Manually add members pane, select vnet-learn-prod-eastus-001 and vnet-learn-prod-eastus-002, and then select Add.

    Screenshot of selecting virtual networks on the pane for manually adding members.

  3. On the Network Group pane, under Settings, select Group Members. Confirm the membership of the group that you manually selected.

    Screenshot that shows a list of group members.

Create a configuration

Now that you've created the network group and given it the correct virtual networks, create a mesh network topology configuration. Replace <subscription_id> with your subscription.

  1. Under Settings, select Configurations. Then select Create.

  2. Select Connectivity configuration from the dropdown menu to begin creating a connectivity configuration.

    Screenshot of the configuration dropdown menu.

  3. On the Basics tab, enter the following information, and then select Next: Topology.

    Screenshot of the pane for adding a connectivity configuration.

    Setting Value
    Name Enter cc-learn-prod-eastus-001.
    Description (Optional) Provide a description about this connectivity configuration.
  4. On the Topology tab, select the Mesh topology if it's not selected, and leave the Enable mesh connectivity across regions checkbox cleared. Cross-region connectivity isn't required for this setup, because all the virtual networks are in the same region. When you're ready, select Add > Add network group.

    Screenshot of topology selection for network group connectivity configuration.

  5. Under Network groups, select ng-learn-prod-eastus-001. Then choose Select to add the network group to the configuration.

    Screenshot of adding a network group to a connectivity configuration.

  6. Select the Visualization tab to view the topology of the configuration. This tab shows a visual representation of the network group that you added to the configuration.

    Screenshot of previewing a topology for network group connectivity configuration.

  7. Select Next: Review + Create > Create to create the configuration.

    Screenshot of the tab for reviewing and creating a connectivity configuration.

  8. After the deployment finishes, select Refresh. The new connectivity configuration appears on the Configurations pane.

    Screenshot of a connectivity configuration list.

Deploy the connectivity configuration

To apply your configurations to your environment, you need to commit the configuration by deployment. Deploy the configuration to the East US region where the virtual networks are deployed:

  1. Under Settings, select Deployments. Then select Deploy configurations.

    Screenshot of the pane for deployments in Virtual Network Manager.

  2. Select the following settings, and then select Next.

    Screenshot of the tab for configuring a goal state for network resources.

    Setting Value
    Configurations Select Include connectivity configurations in your goal state.
    Connectivity configurations Select cc-learn-prod-eastus-001.
    Target regions Select East US as the deployment region.
  3. Select Deploy to complete the deployment.

    Screenshot of the tab for reviewing a deployment.

  4. Confirm that the deployment appears in the list for the selected region. The deployment of the configuration can take a few minutes to finish.

    Screenshot of a configuration deployment that shows a status of succeeded.

Verify configuration deployment

Use the Network Manager section for each virtual network to verify that you deployed your configuration:

  1. Go to the vnet-learn-prod-eastus-001 virtual network.

  2. Under Settings, select Network Manager.

  3. On the Connectivity Configurations tab, verify that cc-learn-prod-eastus-001 appears in the list.

    Screenshot of a connectivity configuration listed for a virtual network.

  4. Repeat the previous steps on vnet-learn-prod-eastus-002.

Clean up resources

If you no longer need Azure Virtual Network Manager, you can remove it after you remove all configurations, deployments, and network groups:

  1. To remove all configurations from a region, start in Virtual Network Manager and select Deploy configurations. Select the following settings, and then select Next.

    Screenshot of the tab for configuring a goal state for network resources, with the option for removing existing connectivity configurations selected.

    Setting Value
    Configurations Select Include connectivity configurations in your goal state.
    Connectivity configurations Select None - Remove existing connectivity configurations.
    Target regions Select East US as the deployed region.
  2. Select Deploy to complete the deployment removal.

  3. To delete a configuration, go to the left pane of Virtual Network Manager. Under Settings, select Configurations. Select the checkbox next to the configuration that you want to remove, and then select Delete at the top of the resource pane.

  4. On the Delete a configuration pane, select the following options, and then select Delete.

    Screenshot of the pane for deleting a configuration.

    Setting Value
    Delete option Select Force delete the resource and all dependent resources.
    Confirm deletion Enter the name of the configuration. In this example, it's cc-learn-prod-eastus-001.
  5. To delete a network group, go to the left pane of Virtual Network Manager. Under Settings, select Network groups. Select the checkbox next to the network group that you want to remove, and then select Delete at the top of the resource pane.

  6. On the Delete a network group pane, select the following options, and then select Delete.

    Screenshot of Network group to be deleted option selection.

    Setting Value
    Delete option Select Force delete the resource and all dependent resources.
    Confirm deletion Enter the name of the network group. In this example, it's ng-learn-prod-eastus-001.
  7. Select Yes to confirm the network group deletion.

  8. After you remove all network groups, go to the left pane of Virtual Network Manager. Select Overview, and then select Delete.

  9. On the Delete a network manager pane, select the following options, and then select Delete.

    Screenshot of the pane for deleting a network manager.

    Setting Value
    Delete option Select Force delete the resource and all dependent resources.
    Confirm deletion Enter the name of the Virtual Network Manager instance. In this example, it's vnm-learn-eastus-001.
  10. Select Yes to confirm the deletion.

  11. To delete the resource group and virtual networks, locate rg-learn-eastus-001 and select Delete resource group. Confirm that you want to delete by entering rg-learn-eastus-001 in the text box, and then select Delete.

Next steps

Now that you've created an Azure Virtual Network Manager instance, learn how to block network traffic by using a security admin configuration: