Merge pull request #270825 from MicrosoftDocs/release-pp-avnm-ng-snd

Release pp avnm ng snd--scheduled release at 10am of 4/02

Author: huypub

articles/virtual-network-manager/TOC.yml

@@ -53,6 +53,8 @@
         href: concept-security-admins.md
       - name: Security admin rule enforcement
         href: concept-enforcement.md
+      - name: Network groups as source and destination
+        href: concept-security-admin-rules-network-groups.md
   - name: Deployments
     href: concept-deployments.md
   - name: Remove or update components
@@ -95,6 +97,10 @@
         href: how-to-create-mesh-network.md
       - name: Azure PowerShell
         href: how-to-create-mesh-network-powershell.md
+  - Name: Security admin rules
+    items:
+    - name: Using network groups as source and destination
+      href: how-to-create-security-admin-rule-network-groups.md
   - name: Cross-tenant connection support
     items:
     - name: Configure cross-tenant connection - Portal

articles/virtual-network-manager/concept-security-admin-rules-network-groups.md

@@ -0,0 +1,71 @@
+---
+title: 'Using network groups with security admin rules'
+description: Learn how a network administrator can deploy security admin rules using network groups as the source and destination in Azure Virtual Network Manager.
+author: mbender-ms
+ms.author: mbender
+ms.service: virtual-network-manager
+ms.topic: conceptual
+ms.date: 04/01/2024
+ms.custom: template-concept, engagement-fy23, references_regions
+#customer intent: As a network administrator, I want to deploy security admin rules in Azure Virtual Network Manager. When creating security admin rules, I want to define network groups as the source and destination of traffic.
+---
+
+# Using network groups with security admin rules
+
+In this article, you learn how to use network groups with security admin rules in Azure Virtual Network Manager (AVNM). Network groups allow you to create logical groups of virtual networks and subnets that have common attributes, such as environment, region, service type, and more. You can then specify your network groups as the source and/or destination of your security admin rules so that you can enforce the traffic among your grouped network resources. This feature streamlines the process of securing your traffic across workloads and environments, as it removes the manual step of specifying individual Classless Inter-Domain Routing (CIDR) ranges or resource IDs.
+
+[!INCLUDE [virtual-network-manager-network-groups-source-destination-preview](../../includes/virtual-network-manager-network-groups-source-destination-preview.md)]
+
+## Why use network groups with security admin rules?
+
+Using network groups with security admin rules allows you to define the source and destination of the traffic for the security admin rule. This feature streamlines the process of securing your traffic across workloads and environments, as it removes the manual step of specifying individual CIDR ranges or resource IDs.
+
+For example, you need to ensure traffic is denied between your production and nonproduction environments represented by two separate network groups. Create a security admin rule with an action type of **Deny**. Specify one of your network groups as the source. Specify the other network group as the destination. Select the direction of the traffic you want to deny. You can enforce the traffic between your grouped network resources without the need to specify individual CIDR ranges or resource IDs.
+
+## How do I deploy a security admin rule using network groups?
+
+Once you have access to the public preview, you can deploy a security admin rule using network groups in the Azure portal. To create a security admin role, create a security admin configuration and add a security admin rule. Finally, deploy the security admin configuration. For more information, see [Create a security admin rule using network groups](./how-to-create-security-admin-rule-network-groups.md).
+
+## Supported regions
+
+During the public preview, network groups with security admin rules are supported in the following regions:
+
+- Supported Regions:
+    
+    - Central US EUAP
+    
+    - East US
+    
+    - East US 2
+    
+    - East US 2 EUAP
+    
+    - South Central US
+    
+    - West US
+    
+    - West US 2
+    
+    - West US Central
+
+## Limitations of network groups with security admin rules
+
+The following limitations apply when using network groups with security admin rules:
+
+- Only supports manual aggregation of CIDRs in a network group. The CIDR range in a rule only changes upon the customer commit.
+
+- Supports 100 networking resources (virtual networks or subnets) in any one network group referenced in the security admin rule.
+
+- Only supports IPv4 address prefixes in the network group members.
+
+- Role-based access control ownership is inferred from the `Microsoft.Network/networkManagers/securityAdminConfigurations/rulecollections/rules/write` permission only.
+
+- There's no scope enforcement on the network group members when using clients other than the Azure portal.
+
+- Network groups must have the same member-types. Virtual networks and subnets are supported but must be in separate network groups.
+
+- Only supports aggregating members in the same tenant as the network manager.
+
+- Azure Virtual Filtering Platform (VFP) programming for AVNM-managed virtual networks isn't optimized.
+
+- Force-delete of any network group used as the source and/or destination in a security admin rule isn't currently supported. Usage causes an error.

articles/virtual-network-manager/how-to-create-security-admin-rule-network-groups.md

@@ -0,0 +1,115 @@
+---
+title: Create a security admin rule using network groups
+titleSuffix: Azure Virtual Network Manager
+description: Learn how to deploy security admin rules using network groups as the source and destination in Azure Virtual Network Manager.
+author: mbender-ms
+ms.author: mbender
+ms.service: virtual-network-manager
+ms.topic: how-to 
+ms.date: 04/01/2024
+ms.custom: template-how-to
+#Customer intent: As a network administrator, I want to deploy security admin rules using network groups in Azure Virtual Network Manager so that I can define the source and destination of the traffic for the security admin rule.
+---
+# Create a security admin rule using network groups in Azure Virtual Network Manager
+
+In Azure Virtual Network Manager, you can deploy [security admin rules](./concept-security-admins.md) using [network groups](./concept-network-groups.md). Security admin rules and network groups allow you to define the source and destination of the traffic for the security admin rule.    
+
+In this article, you learn how to create a security admin rule using network groups in Azure Virtual Network Manager. You use the Azure portal to create a security admin configuration, add a security admin rule, and deploy the security admin configuration.
+
+[!INCLUDE [virtual-network-manager-preview](../../includes/virtual-network-manager-network-groups-source-destination-preview.md)]
+
+## Prerequisites
+
+To complete this article, you need the following resources:
+
+- An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.
+
+- An Azure Virtual Network Manager instance. If you don't have an instance, see [Create an Azure Virtual Network Manager instance](create-virtual-network-manager-portal.md).
+
+- A network group. If you don't have a network group, see [Create a network group](create-virtual-network-manager-portal.md#create-a-network-group).
+
+## Create a security admin configuration
+
+To create a security admin configuration, follow these steps:
+
+1. In the **Azure portal**, search for and select **Virtual Network Manager**.
+
+1. Select **Network Managers** under **Virtual network manager** on the left side of the portal window.
+
+1. In the **Virtual Network Manager | Network managers** window, select your network manager instance.
+
+1. Select **Configuration** under **Settings** on the left side of the portal window.
+
+1. In the **Configurations** window, select the **Create security admin configuration** button or **+ Create > Security admin configuration** from the drop-down menu.
+
+    :::image type="content" source="media/how-to-create-security-admin-rules-network-groups/create-security-admin-configuration.png" alt-text="Screenshot of creation of security admin configuration in Configurations of a network manager.":::
+
+1. In the **Basics** tab of the **Create security admin configuration** windows, enter the following settings:
+  
+    | **Setting** | **Value** |
+    | --- | --- |
+    | Name | Enter a name for the security admin rule. |
+    | Description | Enter a description for the security admin rule. |
+    
+
+1. Select the **Deployment Options** tab or **Next: Deployment Options >** and enter the following settings:
+
+    | **Setting** | **Value** |
+    | --- | --- |
+    | **Deployment option for NIP virtual networks** | |
+    | Deployment option | Select **None**. |
+    | **Option to use network group as source and destination** | |
+    | Network group address space aggregation option | Select **Manual**. |
+
+    :::image type="content" source="media/how-to-create-security-admin-rules-network-groups/create-configuration-with-aggregation-options.png" alt-text="Screenshot of create a security admin configuration deployment options selecting manual aggregation option.":::
+
+1. Select **Rule collections** or **Next: Rule collections >**.
+2. In the Rule collections tab, select **Add**.
+3. In the **Add a rule collection** window, enter the following settings:
+
+    | **Setting** | **Value** |
+    | --- | --- |
+    | Name | Enter a name for the rule collection. |
+    | Target network groups | Select the network group that contains the source and destination of the traffic for the security admin rule. |
+
+1. Select **Add** and enter the following settings in the **Add a rule** window:
+
+    | **Setting** | **Value** |
+    | --- | --- |
+    | Name | Enter a name for the security admin rule. |
+    | Description | Enter a description for the security admin rule. |
+    | Priority | Enter a priority for the security admin rule. |
+    | Action | Select the action type for the security admin rule. |
+    | Direction | Select the direction for the security admin rule. |
+    | Protocol | Select the protocol for the security admin rule. |
+    | **Source** |  |
+    | Source type | Select **Network group**. |
+    | Source port | Enter the source port for the security admin rule. |
+    | **Destination** |  |
+    | Destination type | Select **Network Group**. |
+    | Network Group | Select the network group ID that you wish to use for dynamically establishing IP address ranges. |
+    | Destination port | Enter the destination port for the security admin rule. |
+
+    :::image type="content" source="media/how-to-create-security-admin-rules-network-groups/create-network-group-as-source-destination-rule.png" alt-text="Screenshot of add a rule window using network groups as source and destination in rule creation.":::
+
+2. Select **Add** and **Add** again to add the security admin rule to the rule collection.
+
+3. Select **Review + create** and then select **Create**.
+
+## Deploy the security admin configuration
+
+Use the following steps to deploy the security admin configuration:
+
+1. Return to the **Configurations** window and select the security admin configuration you created.
+
+1. Select your security admin configuration and then select **Deploy**.
+
+1. In **Deploy security admin configuration**, select the target Azure regions for security admin configuration and select **Next > Deploy**.
+
+## Next step
+
+> [!div class="nextstepaction"]
+> [View configurations applied by Azure Virtual Network Manager](how-to-view-applied-configurations.md)
+
+
+

articles/virtual-network-manager/media/how-to-create-security-admin-rules-network-groups/create-configuration-with-aggregation-options.png

@@ -0,0 +1,16 @@
+---
+title: include file
+description: include file
+services: virtual-network-manager
+author: mbender
+ms.service: virtual-network-manager
+ms.topic: include
+ms.date: 04/01/2024
+ms.author: mbender-ms
+ms.custom: include-file
+---
+
+> [!IMPORTANT]
+> The creation of security admin rules with network groups as source and destination in Azure Virtual Network Manager is in public preview. Public previews are made available to you on the condition that you agree to the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). Some features might not be supported or might have constrained capabilities. This preview version is provided without a service level agreement, and it's not recommended for production workloads. 
+
+[!INCLUDE [virtual-network-manager-preview](virtual-network-manager-preview.md)]