What is IP address management (IPAM) in Azure Virtual Network Manager?
Important
Currently, the IP address management (IPAM) feature in Azure Virtual Network Manager is in preview. It is available in the following regions during preview:
- Australia Central
- Australia Central 2
- Australia East
- Australia Southeast
- Brazil South
- Brazil Southeast
- Canada Central
- Canada East
- Central India
- Central US
- Central US EUAP
- East Asia
- East US
- East US 2
- East US 2 EUAP
- France Central
- France South
- Germany North
- Germany West Central
- Israel Central
- Italy North
- Japan East
- Japan West
- Korea Central
- Korea South
- Malaysia South
- Mexico Central
- North Central US
- North Europe
- Norway East
- Norway West
- Poland Central
- South Africa North
- South Central US
- South India
- Southeast Asia
- Spain Central
- Sweden Central
- Sweden South
- Switzerland North
- Switzerland West
- Taiwan Northwest
- UAE Central
- UAE North
- UK South
- UK West
- West Europe
- West US
- West US 2
This preview version is provided without a service-level agreement, and we don't recommend it for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.
In this article, you learn about the IP address management (IPAM) feature in Azure Virtual Network Manager and how it can help you manage IP addresses in your virtual networks. With Azure Virtual Network Manager's IP address management, you can create pools for IP address planning, automatically assign nonoverlapping classless inter-domain routing (CIDR) addresses to Azure resources, and prevent address space conflicts across on-premises and multicloud environments.
What is IP address management (IPAM)?
In Azure Virtual Network Manager, IP address management (IPAM) helps you centrally manage IP addresses in your virtual networks using IP address pools. The following are some key features of IPAM in Azure Virtual Network Manager:
Create pools for IP address planning.
Automatically assign nonoverlapped CIDRs to Azure resources.
Reserve IPs for specific needs.
Prevent Azure address space from overlapping on-premises and cloud environments.
Monitor IP/CIDR usages and allocations in a pool.
Support for IPv4 and IPv6 address pools.
How does IPAM work in Azure Virtual Network Manager?
The IPAM feature in Azure Virtual Network Manager works through the following key components:
- Managing IP Address Pools
- Allocating IP addresses to Azure resources
- Delegating IPAM permissions
- Simplifying resource creation
Manage IP address pools
IPAM allows network administrators to plan and organize IP address usage by creating pools with address spaces and respective sizes. These pools act as containers for groups of CIDRs, enabling logical grouping for specific networking purposes. You can create a structured hierarchy of pools, dividing a larger pool into smaller, more manageable pools, aiding in more granular control and organization of your network's IP address space.
There are two types of pools in IPAM:
- Root pool: The first pool created in your instance is the root pool. This represents your entire IP address range.
- Child pool: A child pool is a subset of the root pool or another child pool. You can create multiple child pools within a root pool or another child pool. You can have up to seven layers of pools
Allocating IP addresses to Azure resources
When it comes to allocation, you can assign Azure resources with CIDRs, such as virtual networks, to a specific pool. This helps in identifying which CIDRs are currently in use. There's also the option to allocate static CIDRs to a pool, useful for occupying CIDRs that are either not currently in use within Azure or are part of Azure resources not yet supported by the IPAM service. Allocated CIDRs are released back to the pool if the associated resource is removed or deleted, ensuring efficient utilization and management of the IP space.
Delegating permissions for IPAM
With IPAM, you can delegate permission to other users to utilize the IP address pools, ensuring controlled access and management while democratizing pool allocation. These permissions allow users to see the pools they have access to, aiding in choosing the right pool for their needs.
Delegating permissions also allows others to view usage statistics and lists of resources associated with the pool. Within your network manager, complete usage statistics are available including: - The total number of IPs in pool. - The percentage of allocated pool space.
Additionally, it shows details for pools and resources associated with pools, giving a complete overview of the IP usages and aiding in better resource management and planning.
Simplifying resource creation
When creating CIDR-supporting resources like virtual networks, CIDRs are automatically allocated from the selected pool, simplifying the resource creation process. The system ensures that the automatically allocated CIDRs don't overlap within the pool, maintaining network integrity and preventing conflicts.
Permission requirements for IPAM in Azure Virtual Network Manager
When using IPAM, the IPAM Pool User role alone is sufficient for delegation. During the public preview, you also need to grant Network Manager Read access to ensure full discoverability of IP address pools and virtual networks across the Network Manager's scope. Without this role, users with only the IPAM Pool User role won't see available pools and virtual networks.
Learn more about Azure role-based access control (Azure RBAC).
Known issues
- When virtual networks are associated with an IP address management pool, peering sync can show as out of sync, even though peering is functioning correctly.
- When a virtual network is moved to a different subscription, the references in IPAM aren't updated, leading to inconsistent management status.
- When multiple requests for the same virtual network are made, it can result in duplicate allocations entries.
- When entering an IP address space, the address space entered must be a valid address range (valid starting address and valid size), else a failure is encountered when sending a request. Currently, the portal doesn't validate CIDR input prior to sending requests.