Quickstart: Create a mesh network with Azure Virtual Network Manager using Azure PowerShell

Get started with Azure Virtual Network Manager by using the Azure PowerShell to manage connectivity for your virtual networks.

In this quickstart, you'll deploy three virtual networks and use Azure Virtual Network Manager to create a mesh network topology.

Important

Azure Virtual Network Manager is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

Prerequisites

  • An Azure account with an active subscription. Create an account for free.
  • Make sure you have the latest PowerShell modules, or you can use Azure Cloud Shell in the portal.
  • If you're running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.

Register subscription for public preview

Use the following command to register your Azure subscription for Public Preview of Azure Virtual Network Manager:

Register-AzProviderFeature -FeatureName AllowAzureNetworkManager -ProviderNamespace Microsoft.Network

Install Azure PowerShell module

Install the latest Az.Network Azure PowerShell module using this command:

Install-Module -Name Az.Network -AllowPrerelease

Create Virtual Network Manager

  1. Define the scope and access type this Azure Virtual Network Manager instance will have. You can choose to create the scope with subscriptions group or management group or a combination of both. Create the scope by using New-AzNetworkManagerScope.

    Import-Module -Name Az.Network -RequiredVersion "4.12.1"

[System.Collections.Generic.List[string]]$subGroup = @()  
$subGroup.Add("/subscriptions/abcdef12-3456-7890-abcd-ef1234567890")
[System.Collections.Generic.List[string]]$mgGroup = @()  
$mgGroup.Add("/managementGroups/abcdef12-3456-7890-abcd-ef1234567890")

[System.Collections.Generic.List[String]]$access = @()  
$access.Add("Connectivity");  
$access.Add("SecurityAdmin"); 

$scope = New-AzNetworkManagerScope -Subscription $subGroup  -ManagementGroup $mgGroup

  2. Create the Virtual Network Manager with New-AzNetworkManager. This example creates an Azure Virtual Network Manager named myAVNM in the West US location.

    $avnm = @{
    Name = 'myAVNM'
    ResourceGroupName = 'myAVNMResourceGroup'
    NetworkManagerScope = $scope
    NetworkManagerScopeAccess = $access
    Location = 'West US'
}
$networkmanager = New-AzNetworkManager @avnm

Create resource group and virtual networks

Create a resource group

Before you can create an Azure Virtual Network Manager, you have to create a resource group to host the Network Manager. Create a resource group with New-AzResourceGroup. This example creates a resource group named myAVNMResourceGroup in the WestUS location.

$rg = @{
    Name = 'myAVNMResourceGroup'
    Location = 'WestUS'
}
New-AzResourceGroup @rg

Create three virtual networks

Create three virtual networks with New-AzVirtualNetwork. This example creates virtual networks named VNetA, VNetB and VNetC in the West US location. If you already have virtual networks you want create a mesh network with, you can skip to the next section.

$vnetA = @{
    Name = 'VNetA'
    ResourceGroupName = 'myAVNMResourceGroup'
    Location = 'West US'
    AddressPrefix = '10.0.0.0/16'    
}
$virtualNetworkA = New-AzVirtualNetwork @vnetA

$vnetB = @{
    Name = 'VNetB'
    ResourceGroupName = 'myAVNMResourceGroup'
    Location = 'West US'
    AddressPrefix = '10.1.0.0/16'    
}
$virtualNetworkB = New-AzVirtualNetwork @vnetB

$vnetC = @{
    Name = 'VNetC'
    ResourceGroupName = 'myAVNMResourceGroup'
    Location = 'West US'
    AddressPrefix = '10.2.0.0/16'    
}
$virtualNetworkC = New-AzVirtualNetwork @vnetC

Add a subnet to each virtual network

To complete the configuration of the virtual networks add a /24 subnet to each one. Create a subnet configuration named default with Add-AzVirtualNetworkSubnetConfig.

$subnetA = @{
    Name = 'default'
    VirtualNetwork = $virtualNetworkA
    AddressPrefix = '10.0.0.0/24'
}
$subnetConfigA = Add-AzVirtualNetworkSubnetConfig @subnetA
$virtualnetworkA | Set-AzVirtualNetwork

$subnetB = @{
    Name = 'default'
    VirtualNetwork = $virtualNetworkB
    AddressPrefix = '10.0.0.0/24'
}
$subnetConfigC = Add-AzVirtualNetworkSubnetConfig @subnetB
$virtualnetworkB | Set-AzVirtualNetwork

$subnetC = @{
    Name = 'default'
    VirtualNetwork = $virtualNetworkC
    AddressPrefix = '10.0.0.0/24'
}
$subnetConfigC = Add-AzVirtualNetworkSubnetConfig @subnetC
$virtualnetworkC | Set-AzVirtualNetwork

Create a network group

Static membership

  1. Create a static virtual network member with New-AzNetworkManagerGroupMembersItem.

    $member = New-AzNetworkManagerGroupMembersItem –ResourceId "/subscriptions/abcdef12-3456-7890-abcd-ef1234567890/resourceGroups/myAVNMResourceGroup/providers/Microsoft.Network/virtualNetworks/VNetA"

  2. Add the static member to the static membership group with the following commands:

    [System.Collections.Generic.List[Microsoft.Azure.Commands.Network.Models.NetworkManager.PSNetworkManagerGroupMembersItem]]$groupMembers = @()  
$groupMembers.Add($member)

Dynamic membership

  1. Define the conditional statement and store it in a variable:

    $conditionalMembership = '{ 
    "allof":[ 
        { 
        "field": "name", 
        "contains": "VNet" 
        } 
    ] 
}'

  2. Create the network group using the conditional statement defined in the last step using New-AzNetworkManagerGroup.

    $ng = @{
    Name = 'myNetworkGroup'
    ResourceGroupName = 'myAVNMResourceGroup'
    GroupMember = $groupMembers
    ConditionalMembership = $conditionalMembership
    NetworkManagerName = 'myAVNM'
    MemberType = 'Microsoft.Network/VirtualNetwork'
}
$networkgroup = New-AzNetworkManagerGroup @ng

Create a configuration

  1. Create a connectivity group item to add a network group to with New-AzNetworkManagerConnectivityGroupItem.

    $gi = @{
    NetworkGroupId = $networkgroup.Id
}
$groupItem = New-AzNetworkManagerConnectivityGroupItem @gi

  2. Create a configuration group and add the group item from the previous step.

    [System.Collections.Generic.List[Microsoft.Azure.Commands.Network.Models.PSNetworkManagerConnectivityGroupItem]]$configGroup = @()
$configGroup.Add($groupItem)

  3. Create the connectivity configuration with New-AzNetworkManagerConnectivityConfiguration.

    $config = @{
    Name = 'connectivityconfig'
    ResourceGroupName = 'myAVNMResourceGroup'
    NetworkManagerName = 'myAVNM'
    ConnectivityTopology = 'Mesh'
    AppliesToGroup = $configGroup
}
$connectivityconfig = New-AzNetworkManagerConnectivityConfiguration @config

Commit deployment

Commit the configuration to the target regions with Deploy-AzNetworkManagerCommit.

[System.Collections.Generic.List[string]]$configIds = @()  
$configIds.add($connectivityconfig.id) 
[System.Collections.Generic.List[string]]$target = @()   
$target.Add("westus")     

$deployment = @{
    Name = 'myAVNM'
    ResourceGroupName = 'myAVNMResourceGroup'
    ConfigurationId = $configIds
    TargetLocation = $target
    CommitType = 'Connectivity'
}
Deploy-AzNetworkManagerCommit @deployment

Clean up resources

If you no longer need the Azure Virtual Network Manager, you'll need to make sure all of following is true before you can delete the resource:

  • There are no deployments of configurations to any region.
  • All configurations have been deleted.
  • All network groups have been deleted.

  1. Remove the connectivity deployment by deploying an empty configuration with Deploy-AzNetworkManagerCommit.

    [System.Collections.Generic.List[string]]$configIds = @()
[System.Collections.Generic.List[string]]$target = @()   
$target.Add("westus")     
$removedeployment = @{
    Name = 'myAVNM'
    ResourceGroupName = 'myAVNMResourceGroup'
    ConfigurationId = $configIds
    Target = $target
    CommitType = 'Connectivity'
}
Deploy-AzNetworkManagerCommit @removedeployment

  2. Remove the connectivity configuration with Remove-AzNetworkManagerConnectivityConfiguration

    $removeconfig = @{
    Name = 'connectivityconfig'
    ResourceGroupName = 'myAVNMResourceGroup'
    NetworkManagerName = 'myAVNM'
}
Remove-AzNetworkManagerConnectivityConfiguration @removeconfig

  3. Remove the network group with Remove-AzNetworkManagerGroup.

    $removegroup = @{
    Name = 'myNetworkGroup'
    ResourceGroupName = 'myAVNMResourceGroup'
    NetworkManagerName = 'myAVNM'
}
Remove-AzNetworkManagerGroup @removegroup

  4. Delete the network manager instance with Remove-AzNetworkManager.

    $removenetworkmanager = @{
    Name = 'myAVNM'
    ResourceGroupName = 'myAVNMResourceGroup'
}
Remove-AzNetworkManager @removenetworkmanager

  5. If you no longer need the resource created, delete the resource group with Remove-AzResourceGroup.

    Remove-AzResourceGroup -Name 'myAVNMResourceGroup'

Next steps

After you've created the Azure Virtual Network Manager, continue on to learn how to block network traffic by using the security admin configuration:

Block network traffic with security admin rules