Optimize Azure Landing Zone with Azure Virtual Network Manager IP Address Management

What you will learn from this blog

This blog covers Azure Landing Zone and IP Address Management (IPAM) Azure Virtual Network Manager works together to simplify IP address management. Azure Landing Zones provide a scalable environment for application deployment, while IPAM automates and simplifies IP planning and allocation across Azure, on-premises, and other clouds. By combining this, organizations can ensure efficient, conflict-free IP address usage, enhance security, and accelerate application deployment. The blog provides practical steps and examples for implementing this integrated solution to help you optimize your Azure network infrastructure.

IP address management (IPAM) in Azure Virtual Network Manager (AVNM)

Azure IP Address Management (IPAM) This is a function of Azure virtual network administrator This simplifies IP address management across Azure environments, on-premises settings, and other cloud providers. Helps you organize your IP addresses CIDR (classless interdomain routing) Allocate efficiently and set clear allocation rules. IPAM lets you automate the process of assigning IP addresses to virtual networks (VNets), eliminating the need for cumbersome spreadsheets or custom tools.

This automation speeds up the process of launching new applications or scaling existing applications by allowing you to quickly request, register, and allocate IP address space from your organization’s pools to your VNet within seconds. This improves overall provisioning time by eliminating the need for manual requests or tickets from the network team.

VNets are the foundation of private networking in Azure, allowing services such as Virtual Machines to communicate securely with each other, the Internet, or on-premises networks. When you set up a VNet, you define an IP address space that can include both public and private ranges (for example, the ranges defined below). RFC 1918 and RFC 6598).

Azure IPAM assists network administrators by ensuring that IP prefixes do not overlap and automating IP address allocation to Azure resources within these subnets.

Key components and features

IP address pool

IP address pools are the core of IPAM and act as logical containers that group IP address ranges. This allows you to efficiently and systematically manage your IP address space across your Azure resources.

• Creation and Organization: Network managers can create pools with defined address spaces and sizes to enable planned and organized IP address usage.
• hierarchy: Pools can be organized into hierarchies, allowing granular control by dividing larger pools into smaller, more manageable units.
• IPv4 and IPv6 support: IPAM can handle both IPv4 and IPv6 addresses to accommodate a variety of networking requirements.

allocation

• resource allocation: CIDRs from a specific pool can be assigned to Azure resources, such as virtual networks, making it easier to track address usage.
• Static CIDR allocation: Administrators can assign static CIDRs for IPs that are not currently used within Azure or for resources that are not yet supported by IPAM. This is useful for managing your IP space on-premises or in other cloud environments.
• CIDR release: When the related resource is deleted, the allocated CIDR is automatically released to the pool, allowing efficient use of IP space.

delegation

• Permission Management: Administrators can delegate authority for IPAM pool utilization to other users, democratizing pool allocation while allowing controlled access and management.
• Visibility and Tracking: Delegated permissions provide access to view usage statistics and resource lists for a specific pool, improving transparency and collaborative management.

AVNM’s IPAM leverages these capabilities to help organizations maintain a clear overview of IP address utilization, streamline the address allocation process, and efficiently use available IP space across their Azure network infrastructure.

Azure landing zone and IPAM

Azure landing zone It is a framework recommended by Azure. SEfficient management and expansion is possible for application migration and new development. This framework grants application teams (DevOps) appropriate role-based access control (RBAC) permissions to meet application requirements while ensuring security and compliance with regulations established by platform (Sec/NetOps) teams.

Azure network architecture often follows a “hub and spoke” model, featuring a central hub VNet for sharing. network Services and multi-spoke VNet where workloads are deployed. A VNet is created within an application landing zone subscription (usually one or more) with allocated IP address space to support application deployment. Overlapping IP spaces can lead to conflicts, so properly planning IP address allocation across these VNets is important to avoid duplication between on-premises locations and Azure regions. AVNM simplifies this process..

IPAM Proposal Various use casesHere’s how you can manage your organization’s IP plan: Start by creating a Virtual Network Manager instance with the scope set to the intermediate root management group, like Contoso in the example below. This setting enables democratization of subscriptions for application landing zone owners and teams by defining address pools across all virtual networks and subnets within the Azure landing zone hierarchy.

Network administrators can efficiently plan and configure IP address usage by defining pools with specific address spaces and sizes. These pools logically group CIDRs for various networking purposes. In Contoso’s example, the platform team and application team have separate responsibilities while maintaining separation of duties. These teams may vary from organization to organization, but they often share the same network infrastructure. IPAM is ideal for allowing two teams to manage parts of a network while providing visibility to authorized members and preventing IP duplication. These teams can simplify using IPAM. Allocate larger, contiguous IP blocks to specific workloads. It also makes it easy to identify where IP ranges are deployed, which helps with troubleshooting and planning.

Below we will guide you through setting up an Azure Landing Zone within a single Azure region and across multiple regions using IPAM.

Single region scenario

To demonstrate how to use IPAM to create an Azure Landing Zone in a single region setup, we start by creating a root pool using a /16 address space. From this root pool, assign /22 to the Platform pool, /18 to the Application pool, and assign required RBAC permissions, such as the “IPAM User” role, to each team. The NetOps/Platform team can then allocate /24 to the identity VNet and /23 to the connection VNet, and the application team can set up VNets for applications and special workloads (such as Databricks and AKS) from the assigned pool. You can.

Multi-region scenario

In advanced scenarios, you can use a multi-region setup to provide secondary regions for backup and recovery and ensure higher SLAs to avoid outages and data loss due to events that affect an entire region, such as a natural disaster.

Supernets (combining multiple contiguous CIDRs into one larger network represented by a single CIDR) allow IPAM to allocate consistent IP address ranges across regions and provide a single network that the platform team can manage and troubleshoot. It can provide a clear and efficient addressing scheme. .

For example, you can use IPAM to create a root pool with a /12 address space as a supernet. Here two regional pools are set up, each with a /16 allocation. This creates a platform and application pool in each regional pool, similar to the previous example, allowing each team to set up a VNet as shown in the diagram.

How to create an IPAM through the Azure portal

Here’s how to use IPAM through the Azure portal:

Create AVNM instance: Start by creating an Azure Virtual Network Manager instance at the intermediate root management group level, as described previously. Once the AVNM resource is created, navigate to the “IP Address Pools” blade.

Create an IP address pool: On the IP Address Pools page, click “Create” to set up a new pool.

Select parent pool: Selecting “None” when selecting a parent pool indicates that this will be the new root pool. Otherwise, the pool will become a child pool of the selected parent pool.

IP address space allocation: Defines the IP address space for the pool. If it is a child pool, its address space must be within the scope of the parent pool. You can allocate multiple IP address spaces to a single pool.

Assignment Management: Go to the pool page and select the “Assignments” section. From here you can:

• Create a subpool
• Associate resources with pools
• Static CIDR allocation

In the example of Azure Landing Zone After creation, we assigned a subpool to each Azure Landing Zone application as shown below.

I previously created a hub and spoke it as per recommendations. Cloud Adoption Framework (CAF) document Associate the resource to the parent pool as shown below.

By reserving static CIDRs for on-premises resources or other cloud IPs, you can ensure that these IPs remain unused in Azure and keep Contoso’s on-premises environment secure.

It is recommended to check the remaining IP address assignments as shown in the image below.

Automatic CIDR allocation: Instead of manually specifying CIDRs, you can select an IPAM pool and specify the size of the VNet to have IPAM automatically assign non-overlapping CIDRs.

To learn more about building an Azure Landing Zone using Azure Virtual Network Manager, see: Azure virtual network administrator in Azure Landing Zone.