Important
Currently, the IP address management (IPAM) feature in Azure Virtual Network Manager is in preview. It is available in the following regions during preview:
- China North 3
This preview version is provided without a service-level agreement, and we don't recommend it for production workloads. Certain features might not be supported or might have constrained capabilities.
Azure Virtual Network Manager helps you centrally manage virtual networks across your organization. While it provides governance for VNets, it doesn't automatically prevent overlapping address spaces during virtual network creation or updates. You can enforce nonoverlapping address spaces by combining Azure Policy with IP Address Management (IPAM) pools, ensuring network connectivity without IP conflicts in your environment.
The following sample Azure Policy definition ensures that any virtual network (`Microsoft.Network/virtualNetworks`) in the scope of the policy must have an IPAM pool prefix allocation from one of the two specified pools. If a virtual network lacks an allocation from either pool, the policy denies the creation or update of that virtual network. Because a pool only hands out prefixes that don't overlap with its existing allocations, the policy enforces nonoverlapping classless inter-domain routing (CIDR) address ranges.
```json
{
  "mode": "All",
  "parameters": {},
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/virtualNetworks"
        },
        {
          "not": {
            "anyOf": [
              {
                "field": "Microsoft.Network/virtualnetworks/addressSpace.ipamPoolPrefixAllocations[*].pool.id",
                "equals": "/subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/networkManagers/network-manager/ipamPools/IPAM-pool-2"
              },
              {
                "field": "Microsoft.Network/virtualnetworks/addressSpace.ipamPoolPrefixAllocations[*].pool.id",
                "equals": "/subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/networkManagers/network-manager/ipamPools/IPAM-pool-3"
              }
            ]
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}
```
Included in the policy definition are the following actions:
- Resource Check - It applies only to virtual networks (`Microsoft.Network/virtualNetworks`).
- Pool Allocation Check - It verifies whether the virtual network has an IPAM pool allocation from either `IPAM-pool-2` or `IPAM-pool-3`.
- Enforcement - If neither allocation is present, the policy denies the action. Because a pool allocation is only granted for a prefix that doesn't overlap with the other prefixes in that pool, no VNet with an overlapping prefix can be created.
Implementation steps of the policy
With the policy definition, you can enforce nonoverlapping address spaces in your Azure environment. Follow these steps to implement the policy:
- Identify existing network manager and IPAM pools - Ensure you have an existing Azure Virtual Network Manager instance and at least two IPAM pools created. For more information, see Create a virtual network manager and Create an IPAM pool.
- Create an Azure Policy definition - Create a policy definition in Azure Policy using the JSON example. You can do this through the Azure portal, Azure CLI, or PowerShell. For more information, see Create and assign a policy definition.
- Assign the policy - Assign the policy to a specific scope (subscription or management group) where you want to enforce the nonoverlapping address space rule.
- Test the policy - Create or update a virtual network without an IPAM pool allocation from the specified pools. The operation should be denied if the policy is working correctly.
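As an added example (not Microsoft's code or the page's own), the following Python builds this policy definition for any list of approved pools, generalizing the two-pool rule above, and includes a local pre-flight check of a VNet request body that mirrors the rule as this page describes it. The subscription, resource group, network manager and pool names are constructed placeholders.

```python
import json

# Constructed placeholders, not real Azure identifiers; replace with your own.
SUB, RG, MANAGER = "<subscriptionID>", "<resourceGroupName>", "network-manager"
POOL_ALIAS = ("Microsoft.Network/virtualnetworks/addressSpace"
              ".ipamPoolPrefixAllocations[*].pool.id")

def pool_id(pool_name, sub=SUB, rg=RG, manager=MANAGER):
    """Resource ID of an IPAM pool owned by a Virtual Network Manager instance."""
    return (f"/subscriptions/{sub}/resourceGroups/{rg}/providers/"
            f"Microsoft.Network/networkManagers/{manager}/ipamPools/{pool_name}")

def build_policy_definition(approved_pool_ids):
    """Deny any VNet with no prefix allocation from an approved pool. This
    generalizes the page's two-pool rule: one 'equals' condition per pool."""
    if not approved_pool_ids:
        raise ValueError("at least one approved IPAM pool is required")
    any_pool = [{"field": POOL_ALIAS, "equals": pid} for pid in approved_pool_ids]
    return {"mode": "All", "parameters": {}, "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Network/virtualNetworks"},
            {"not": {"anyOf": any_pool}}]},
        "then": {"effect": "deny"}}}

def rules_json(definition):
    """The if/then rule block as JSON, the shape 'az policy definition create --rules' takes."""
    return json.dumps(definition["policyRule"], indent=2)

def approved_pools(definition):
    """Read the approved pool IDs back out of a definition built above."""
    return {c["equals"] for c in
            definition["policyRule"]["if"]["allOf"][1]["not"]["anyOf"]}

def preflight(definition, vnet_body):
    """Local pre-deployment check of a VNet request body against the rule's
    intent (an allocation from at least one approved pool), so a denial is
    caught before the ARM call. This is not the Azure Policy engine itself."""
    if vnet_body.get("type") != "Microsoft.Network/virtualNetworks":
        return "allow"  # the rule only targets virtual networks
    allocs = (vnet_body.get("properties", {}).get("addressSpace", {})
              .get("ipamPoolPrefixAllocations") or [])
    used = {a.get("pool", {}).get("id") for a in allocs}
    return "allow" if used & approved_pools(definition) else "deny"

def vnet_body(allocated_pool_ids):
    """Constructed minimal VNet body carrying the given IPAM pool allocations."""
    return {"type": "Microsoft.Network/virtualNetworks", "properties": {
        "addressSpace": {"ipamPoolPrefixAllocations":
                         [{"pool": {"id": p}} for p in allocated_pool_ids]}}}
```

Write `rules_json(policy)` to a file and pass it as `--rules` (with `--mode All`) to `az policy definition create`; the pre-flight check is a client-side convenience and does not replace the policy assignment.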