Common use cases for Azure Virtual Network Manager

Learn about use cases for Azure Virtual Network Manager including managing connectivity of virtual networks, and securing network traffic.


Azure Virtual Network Manager is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

Creating topology and connectivity

Connectivity configuration allows you to create different network topologies based on your network needs. You create a connectivity configuration by adding new or existing virtual networks into network groups and creating a topology that meets your needs. The connectivity configuration offers three topology options: mesh, hub and spoke, or hub and spoke with direct connectivity between spoke virtual networks.

Mesh topology

When a mesh topology is deployed, all virtual networks have direct connectivity with each other. They don't need to go through other hops on the network to communicate. Mesh topology is useful when all the virtual networks need to communicate directly with each other.

Hub and spoke topology

Hub and spoke topology is recommended when you're deploying central infrastructure services in a hub virtual network that are shared by spoke virtual networks. This topology can be more efficient than having these common components in all spoke virtual networks.

Hub and spoke topology with direct connectivity

This topology combines the two above topologies. It's recommended when you have common central infrastructure in the hub, and you want direct communication between all spokes. Direct connectivity helps you reduce the latency caused by extra network hops when going through a hub.

Maintaining virtual network topology

AVNM automatically maintains the desired topology you defined in the connectivity configuration when changes are made to your infrastructure. For example, when you add new spoke to the topology, AVNM can handle the changes necessary to create the connectivity to the spoke and its virtual networks.


With Azure Virtual Network Manager, you create security admin rules to enforce security policies across virtual networks in your organization. Security admin rules take precedence over rules defined by network security groups, and they're applied first when analyzing traffic as seen in the following diagram: This diagram shows the order of network traffic evaluation when using network admin rules and network security group rules. Common uses include:

  • Create standard rules that must be applied and enforced on all existing VNets and newly created VNets.
  • Create security rules that can't be modified and enforce company/organizational level rules.
  • Enforce security protection to prevent users from opening high-risk ports.
  • Create default rules for everyone in the company/organization so that administrators can prevent security threats caused by NSG misconfiguration or forgetting to put necessary NSGs.
  • Create security boundaries using security admin rules as an administrator and let the owners of the virtual networks configure their NSGs so the NSGs won’t break company policies.
  • Force-allow the traffic from and to critical services so that other users can't accidentally block the necessary traffic, such as monitoring services and program updates.

For a walk-through of use cases, see Securing Your Virtual Networks with Azure Virtual Network Manager - Microsoft Tech Community.

Next steps