Connect, secure, and simplify your network resources with Azure Virtual Network Manager | Azure Blog and Updates



Enterprise-scale management and configuration of your network resources in Azure are key to keeping costs down, reducing operational overhead, and properly connecting and securing your network presence in the cloud. We are happy to announce that Azure Virtual Network Manager (AVNM), your one-stop shop for managing the connectivity and security of your network resources at scale, is generally available.

What is Azure Virtual Network Manager?

AVNM works through a basic process of group, configure, and deploy. You'll group your network resources across subscriptions, regions, and even tenants; configure the type of connectivity and security you want among your grouped network resources; and finally, deploy those configurations onto those network groups in whichever and however many regions you'd like.

Common use cases

Common use cases for AVNM include the following and can be addressed by deploying AVNM's connectivity and security admin configurations onto your defined network groups:

  • Interconnected virtual networks (VNets) that communicate directly with each other.
  • Central infrastructure services in a hub VNet that are shared by other VNets.
    • Establishing direct connectivity between spoke VNets to reduce latency.
  • Automatic maintenance of connectivity at scale, even with the addition of new network resources.
  • Enforced standard security rules on all existing and new VNets without risk of change.
    • Keeping flexibility for VNet owners to configure network security groups (NSGs) as needed for more specific traffic dictation.
  • Application of default security rules across an entire organization to mitigate the risk of misconfiguration and security holes.
  • Force-allowance of services' traffic, such as monitoring services and program updates, to prevent accidental blocking through security rules.

Connectivity configuration

Hub and spoke topology

When you have some services in a hub VNet, such as an Azure Firewall or ExpressRoute, and you need to connect several other VNets to that hub to share those services, that means you'll need to establish connectivity between each of those spoke VNets and the hub. In the future, if you provision new VNets, you'll also need to make sure those new VNets are properly connected to the hub VNet.

With AVNM, you can create groups of VNets and select those groups to be connected to your desired hub VNet, and AVNM will establish all the necessary connectivity between your hub VNet and each VNet in your selected groups behind the scenes. On top of the simplicity of creating a hub and spoke topology, new VNets that match your desired conditions will be automatically added to this topology, reducing manual intervention on your part.

Currently, establishing direct connectivity between the VNets within a spoke network group is still in preview and will become generally available (GA) at a later date.

Mesh

If you want all your VNets to be able to communicate with each other regionally or globally, you can build a mesh topology with AVNM's connectivity configuration. You'll select your desired network groups and AVNM will establish connectivity between every VNet that is part of your selected network groups. The mesh connectivity configuration feature is still in preview and will become generally available at a later date.

How to implement connectivity configurations with existing environments

Let's say you have a cross-region hub and spoke topology in Azure that you've set up through manual peerings. Your hub VNet has an ExpressRoute gateway and your dozens of spoke VNets are owned by various application teams.

Here are the steps you'd take to implement and automate this topology using AVNM:

  1. Create your network manager.
  2. Create a network group for each application team's respective VNets using Azure Policy definitions that can be conditionally based on parameters including (but not limited to) subscription, VNet tag, and VNet name.
  3. Create a connectivity configuration with hub and spoke selected. Select your desired hub VNet and your network groups as the spokes.
  4. By default, all connectivity established with AVNM is additive after the connectivity configuration's deployment. If you'd like AVNM to clean up existing peerings for you, that is an option you can select; otherwise, existing connectivity can be manually cleaned up later if desired.
  5. Deploy your hub and spoke connectivity configuration to your desired regions.

In just a few clicks, you've set up a hub and spoke topology among dozens of VNets from all application teams globally through AVNM. By defining the conditions of VNet membership for the network groups representing each application team, you've ensured that any newly created VNet matching those conditions will automatically be added to the corresponding network group and receive the same connectivity configuration. Whether you choose to have AVNM delete existing peerings or not, there is no downtime to connectivity between your spoke VNets and hub VNet.

Security feature

AVNM currently provides you with the ability to protect your VNets at scale with security admin configurations. This type of configuration consists of security admin rules, which are high-priority security rules defined similarly to, but with precedence over, NSG rules.

The security admin configuration feature is still in preview and will GA at a later date.

Enforcement and flexibility

With NSGs alone, widespread enforcement on VNets across several applications, teams, or even entire organizations can be difficult. Often there's a balancing act between attempts at centralized enforcement across an organization and handing over granular, flexible control to teams. The cost of hard enforcement is higher operational overhead, as admins need to manage an increasing number of NSGs. The cost of individual teams tailoring their own security rules is the risk of vulnerability, as misconfiguration or opening unsafe ports is possible. Security admin rules aim to eliminate this sliding scale of choosing between enforcement and flexibility altogether by providing central governance teams with the ability to establish guardrails, while intentionally allowing traffic for individual teams to flexibly pinpoint security as needed through NSG rules.

Difference from NSGs

Security admin rules are similar to NSG rules in structure and input parameters, but they are not the exact same construct. Let's boil down these differences and similarities:

|                      | Target audience                         | Applied on       | Evaluation order                           | Action types              | Parameters                                      |
|----------------------|-----------------------------------------|------------------|--------------------------------------------|---------------------------|-------------------------------------------------|
| Security admin rules | Network admins, central governance team | Virtual networks | Higher priority                            | Allow, Deny, Always Allow | Priority, protocol, action, source, destination |
| NSG rules            | Individual teams                        | Subnets, NICs    | Lower priority, after security admin rules | Allow, Deny               |                                                 |

One key difference is the security admin rule's Allow type. Unlike its other action types of Deny and Always Allow, if you create a security admin rule to Allow a certain type of traffic, then that traffic will be further evaluated by NSG rules matching that traffic. However, Deny and Always Allow security admin rules will stop the evaluation of traffic, meaning NSGs down the line will not see or handle this traffic. As a result, regardless of NSG presence, administrators can use security admin rules to protect an organization by default.

Diagram showing the order of evaluation for network traffic with security admin rules and network security group rules.

Key Scenarios

Providing exceptions

Being able to enforce security rules throughout an organization is useful, to say the least. But one of the benefits of security admin rules that we've mentioned is its allowance for flexibility by teams within the organization to handle traffic differently as needed. Let's say you're a network administrator and you've enforced security admin rules to block all high-risk ports across your entire organization, but application team 1 needs SSH traffic for a few of their resources and has requested an exception for their VNets. You'd create a network group specifically for application team 1's VNets and create a security admin rule collection targeting only that network group; within that rule collection, you'd create a security admin rule of action type Allow for inbound SSH traffic (port 22). The priority of this rule would need to be higher than the original rule you created that blocked this port across your entire organization's resources. Effectively, you've now established an exception to the blocking of SSH traffic just for application team 1's VNets, while still protecting your organization from that traffic by default.

Diagram of security admin rules enforcement with network security group rules and creating an exception.

Force-allowing traffic to and from monitoring services or domain controllers

Security admin rules are useful for blocking risky traffic across your organization, but they're also useful for force-allowing traffic needed for certain services to continue running as expected. If you know that your application teams need software updates for their virtual machines, then you can create a rule collection targeting the appropriate network groups consisting of Always Allow security admin rules for the ports the updates come through. This way, even if an application team misconfigures an NSG to deny traffic on a port necessary for updates, the security admin rule will ensure the traffic is delivered and doesn't hit that conflicting NSG.
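As an added illustration (not code from the post or from Azure), the following Python models the evaluation order laid out above: an Allow admin rule handing traffic to the NSG, the SSH exception for application team 1, and an Always Allow rule protecting update traffic from a misconfigured NSG. Rule names, priorities, and the use of TCP 443 as the update port are constructed assumptions; lower priority numbers win, as in Azure.

```python
from dataclasses import dataclass

# Constructed model of the evaluation order the post describes: security admin rules
# run first (lower priority number wins, as for NSG rules); Deny and Always Allow end
# evaluation, Allow hands the traffic on to the NSG rules on the subnet or NIC.
# Flows are (protocol, destination port) tuples; inbound direction is assumed throughout.

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number = higher priority
    action: str        # "Allow", "Deny" or (admin rules only) "AlwaysAllow"
    protocol: str      # "Tcp", "Udp" or "Any"
    port: int = 0      # destination port, 0 = any

def _matches(rule: Rule, flow: tuple) -> bool:
    protocol, port = flow
    return rule.protocol in ("Any", protocol) and rule.port in (0, port)

def evaluate(admin_rules, nsg_rules, flow):
    """(verdict, deciding rule) for one flow. admin_rules: rules from every collection whose
    network groups contain the VNet; nsg_rules: the NSG on the subnet/NIC (may be empty)."""
    for rule in sorted(admin_rules, key=lambda r: r.priority):
        if not _matches(rule, flow):
            continue
        if rule.action == "Deny":
            return "Denied", rule.name        # the NSG never sees this traffic
        if rule.action == "AlwaysAllow":
            return "Allowed", rule.name       # a conflicting NSG rule cannot block it
        break                                 # Allow: continue with NSG evaluation
    for rule in sorted(nsg_rules, key=lambda r: r.priority):
        if _matches(rule, flow):
            return ("Allowed" if rule.action == "Allow" else "Denied"), rule.name
    return "Allowed", "no NSG rule matched"   # Azure's built-in default NSG rules are not modelled

# Constructed rule sets for the post's scenarios (TCP 443 as the update port is an assumption).
ORG_ADMIN = [Rule("deny-ssh-org", 100, "Deny", "Tcp", 22),                 # guardrail on all groups
             Rule("always-allow-updates", 200, "AlwaysAllow", "Tcp", 443)]
TEAM1_EXCEPTION = [Rule("allow-ssh-team1", 50, "Allow", "Tcp", 22)]        # collection for team 1's group
TEAM1_NSG = [Rule("nsg-allow-ssh-bastion", 100, "Allow", "Tcp", 22),
             Rule("nsg-deny-https-misconfig", 110, "Deny", "Tcp", 443),    # the NSG mistake the post warns about
             Rule("nsg-deny-all", 65500, "Deny", "Any")]                   # stands in for default DenyAllInbound
TEAM2_NSG = [Rule("nsg-allow-ssh", 100, "Allow", "Tcp", 22), Rule("nsg-deny-all", 65500, "Deny", "Any")]

def run_scenarios() -> dict:
    ssh, updates = ("Tcp", 22), ("Tcp", 443)
    return {"team1_ssh": evaluate(ORG_ADMIN + TEAM1_EXCEPTION, TEAM1_NSG, ssh),  # NSG allows, via the exception
            "team2_ssh": evaluate(ORG_ADMIN, TEAM2_NSG, ssh),                   # guardrail denies despite NSG allow
            "team1_updates": evaluate(ORG_ADMIN + TEAM1_EXCEPTION, TEAM1_NSG, updates)}  # Always Allow beats NSG deny
```

Team 2's NSG allows SSH but the organization-wide Deny still wins, while team 1's identical NSG rule takes effect only because the higher-priority Allow in its own rule collection passes the traffic through.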

How to implement security admin configurations with existing environments

Let's say you have an NSG-based security model consisting of hundreds of NSGs that are modifiable by both the central governance team and individual application teams. Your organization implemented this model initially to allow for flexibility, but there have been security vulnerabilities due to missing security rules and constant NSG modification.

Here are the steps you'd take to implement and enforce organization-wide security using AVNM:

  1. Create your network manager.
  2. Create a network group for each application team's respective VNets using Azure Policy definitions that can be conditionally based on parameters including (but not limited to) subscription, VNet tag, and VNet name.
  3. Create a security admin configuration with a rule collection targeting all network groups. This rule collection represents the standard security rules that you're enforcing across your entire organization.
  4. Create security admin rules blocking high-risk ports. These security admin rules take precedence over NSG rules, so Deny security admin rules have no possibility of conflict with existing NSGs. Redundant or now-circumvented NSGs can be manually cleaned up if desired.
  5. Deploy your security admin configuration to your desired regions.

You've now set up an organization-wide set of security guardrails among all your application teams' VNets globally through AVNM. You've established enforcement without sacrificing flexibility, as you're able to create exceptions for any application team's set of VNets. Your old NSGs still exist, but all traffic will hit your security admin rules first. You can clean up redundant or bypassed NSGs, and your network resources are still protected by your security admin rules, so there is no downtime from a security standpoint.

Learn more about Azure Virtual Network Manager

Check out the AVNM overview, read more about AVNM in our public documentation set, and deep-dive into AVNM's security offering through our security blog.
