Azure Virtual Network Manager on Microsoft Azure
Azure Virtual Network Manager is a centralized management service for virtual networks in Azure. The service enables defining and enforcing network topologies, connectivity, and security policies across subscriptions, management groups, and regions.
Unlike individual VNet management, Virtual Network Manager offers policy-based configuration with automatic application to network groups. Connectivity Configurations and Security Admin Rules can be centrally defined and rolled out across hundreds of VNets.
Azure Virtual Network Manager is available in all Azure regions and meets enterprise requirements for governance, compliance, and network security.
Typical Use Cases
Multi-subscription networks: Centralized management of VNets across different subscriptions and business units with unified policies and automatic compliance enforcement.
Hub-and-spoke topologies: Automatic setup and management of hub-and-spoke architectures with mesh connectivity between spokes without manual peering configuration.
Network segmentation: Grouping of VNets based on business logic (e.g., Production, Development) and application of specific security policies per group.
Security policy enforcement: Central definition of Security Admin Rules (high priority) that override local NSG rules to enforce enterprise-wide security standards.
Frequently Asked Questions about Azure Virtual Network Manager
What is the difference to classic VNet Peering?
Classic peering must be manually configured between each VNet pair. Virtual Network Manager enables declarative Connectivity Configurations (hub-and-spoke, mesh) that are automatically applied to Network Groups without managing individual peerings.
How do Network Groups work?
Network Groups are logical containers for VNets, defined via subscriptions, tags, or manual selection. Connectivity and Security Configs are applied to groups and automatically propagated to all member VNets.
Can Security Admin Rules override local NSGs?
Yes, Security Admin Rules have higher priority than NSG rules. This allows enforcing central security policies (e.g., “Deny All RDP from Internet”) that local teams cannot bypass.
How is Virtual Network Manager billed?
Costs are based on number of managed VNets per month: approximately €3.00 per VNet/month. Connectivity configurations (peerings) incur additional peering charges as with manual peering.
Can I migrate existing VNets?
Yes, existing VNets can be added to Network Groups. Existing manual peerings remain and can be gradually replaced by Virtual Network Manager connectivity.
Does Virtual Network Manager support hybrid scenarios?
Virtual Network Manager only manages Azure VNets. For hybrid connectivity to on-premises, VPN Gateway, ExpressRoute, or vWAN continue to be used but can be combined with VNet Manager topologies.
How are changes deployed?
Configurations are not automatically applied. After changes, an explicit “Deployment” must be performed in selected regions, enabling controlled rollouts.
Alternatives
alternatives:
- provider: “aws” product: “network-manager”
- provider: “gcp” product: “network-connectivity-center”
Integration with innFactory
As a Microsoft Solutions Partner, innFactory supports you in implementing Azure Virtual Network Manager for enterprise networks. We help with topology design, migration from existing peering, and automation of network governance.
Contact us for a non-binding consultation on Azure Virtual Network Manager.
