Implement and manage virtual network connectivity using Azure Virtual Network Manager

1.3 Design and Implement VNet Connectivity and Routing

📘Microsoft Azure Networking Solutions (AZ-700)

1. What is Azure Virtual Network Manager (AVNM)?

Azure Virtual Network Manager (AVNM) is an Azure service that allows you to centrally manage networking configuration across multiple virtual networks (VNets), even when those VNets are in:

  • Different subscriptions
  • Different regions
  • Large enterprise environments

Without AVNM, you must configure VNet peering, routing, and security rules manually for each VNet. This becomes difficult and error-prone as the environment grows.

AVNM solves this problem by providing centralized, scalable, and consistent network management.

2. Why AVNM Is Important for the AZ-700 Exam

For the exam, you must understand that AVNM helps you:

  • Manage VNet connectivity at scale
  • Apply routing and security rules centrally
  • Reduce manual configuration
  • Ensure consistent network behavior

Microsoft focuses on enterprise-scale networking, and AVNM is designed exactly for that.

3. Key Components of Azure Virtual Network Manager

AVNM is built using four main components. You must understand all of them clearly.

3.1 Network Manager

A Network Manager is the main container for all AVNM configurations.

  • It defines what you want to manage
  • It operates at the management group or subscription level
  • It controls:
    • Connectivity
    • Security (Network Security Group rules)
    • Routing behavior

Think of the Network Manager as the central control point for multiple VNets.

3.2 Network Groups

A Network Group is a logical group of VNets.

Instead of managing VNets one by one, you group them together and apply rules to the entire group.

Key Points:

  • A VNet can belong to multiple network groups
  • Network groups can be:
    • Static (manually add VNets)
    • Dynamic (VNets added automatically using conditions)

Example (IT environment):

  • A network group for Production VNets
  • A network group for Development VNets
  • A network group for Shared Services VNets

3.3 Scope

The scope defines where AVNM can operate.

Scopes can be:

  • A management group
  • One or more subscriptions

This allows:

  • Central control across large Azure environments
  • Separation between different departments or teams

3.4 Configuration Types

AVNM uses configurations to apply rules to network groups.

There are two main configuration types you must know for AZ-700:

  1. Connectivity Configurations
  2. Security Admin Configurations

4. Connectivity Configurations (Very Important for Exam)

Connectivity configurations define how VNets connect to each other.

4.1 Types of Connectivity Topologies

AVNM supports three connectivity models:

4.1.1 Mesh Connectivity

  • Every VNet in the network group is connected to every other VNet
  • Uses VNet peering
  • Suitable for:
    • Small or medium environments
    • Full communication between workloads

Exam tip: Mesh connectivity increases the number of peerings as VNets grow.

4.1.2 Hub-and-Spoke Connectivity

  • One hub VNet
  • Multiple spoke VNets
  • Spokes communicate through the hub
  • The hub typically contains:
    • Firewalls
    • VPN gateways
    • ExpressRoute gateways
    • Shared services

This is the most common enterprise topology and highly tested in AZ-700.

AVNM can automatically:

  • Create peering between hub and spokes
  • Enable gateway transit if needed

4.1.3 Star (Direct Connectivity)

  • VNets connect directly to a central VNet
  • Less common than hub-and-spoke
  • Still managed centrally via AVNM

4.2 Managing VNet Peering with AVNM

AVNM automatically:

  • Creates VNet peerings
  • Maintains peering consistency
  • Reduces manual errors

You do not manually create peerings when using AVNM.

5. Security Admin Configurations

Security Admin Configurations allow you to centrally manage Network Security Group (NSG) rules.

Key Characteristics:

  • Applied before regular NSG rules
  • Have higher priority
  • Cannot be overridden by local NSG rules

This ensures mandatory security rules are enforced across all VNets.

Example (IT Environment):

  • Deny all inbound traffic from the internet
  • Allow only specific ports between application tiers
  • Enforce security rules for compliance

Exam Note:
Security Admin rules are evaluated before standard NSG rules.

6. Deployment and Configuration Process (Step-by-Step)

For the exam, understand the logical order of using AVNM.

Step 1: Create Azure Virtual Network Manager

  • Choose scope (management group or subscription)
  • Select features:
    • Connectivity
    • Security Admin

Step 2: Create Network Groups

  • Group VNets logically
  • Use static or dynamic membership

Step 3: Create Configurations

  • Connectivity configuration (mesh or hub-and-spoke)
  • Security admin configuration (mandatory NSG rules)

Step 4: Associate Configurations with Network Groups

  • Decide which groups receive which rules

Step 5: Deploy the Configuration

  • Configurations are not active until deployed
  • Deployment pushes changes to all VNets

Exam Tip:
Changes in AVNM require explicit deployment.

7. AVNM and Routing Considerations

AVNM focuses mainly on connectivity, but routing is indirectly affected.

Key Points:

  • Uses VNet peering, which supports:
    • System routes
    • User-defined routes (UDRs)
  • Hub-and-spoke designs often use:
    • Azure Firewall
    • Network virtual appliances (NVAs)
  • AVNM does not replace UDRs
  • AVNM works alongside existing routing configurations

8. Benefits of Using Azure Virtual Network Manager

You should be able to explain why AVNM is better than manual configuration:

  • Centralized network management
  • Reduced configuration errors
  • Scales easily to hundreds of VNets
  • Consistent security enforcement
  • Faster deployment of network changes

9. Limitations and Important Exam Notes

Key Limitations:

  • AVNM manages VNets only, not on-premises networks
  • Requires Azure Resource Manager
  • Configuration changes must be deployed
  • Some features depend on Azure region availability

10. Key Exam Keywords to Remember

Make sure your students remember these terms:

  • Azure Virtual Network Manager (AVNM)
  • Network Manager
  • Network Groups
  • Connectivity Configuration
  • Hub-and-Spoke topology
  • Mesh topology
  • Security Admin Configuration
  • Centralized NSG rules
  • Deployment required

11. Exam Summary (Quick Revision)

  • AVNM is used to centrally manage VNet connectivity
  • It simplifies large-scale Azure networking
  • Supports hub-and-spoke and mesh
  • Enforces mandatory security rules
  • Requires deployment to apply changes
Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by