articles/virtual-network-manager/concept-security-admin-rules-network-group.md
9 additions & 23 deletions
@@ -18,43 +18,29 @@ In this article, you learn how to use network groups with security admin rules i
18
18
19
19
## Why use network groups with security admin rules?
20
20
21
-
Using network groups with security admin rules allows you to define the source and destination of the traffic for the security admin rule. This feature streamlines the process of securing your traffic across workloads and environments, as it removes the manual step of specifying individual CIDR ranges or resource IDs.
21
+
Using network groups with security admin rules allows you to define the source and destination of the traffic for the security admin rule. This feature streamlines the process of securing your traffic across workloads and environments by aggregating the CIDR ranges of the network groups to your virtual network manager instance. Aggregation to a virtual network manager removes the manual step of specifying individual CIDR ranges or resource IDs.
22
22
23
-
For example, you need to ensure traffic is denied between your production and nonproduction environments represented by two separate network groups. Create a security admin rule with an action type of **Deny**. Specify one of your network groups as the source. Specify the other network group as the destination. Select the direction of the traffic you want to deny. You can enforce the traffic between your grouped network resources without the need to specify individual CIDR ranges or resource IDs.
23
+
For example, you need to ensure traffic is denied between your production and nonproduction environments represented by two separate network groups. Create a security admin rule with an action type of
24
+
**Deny**.
25
+
Specify one network group as the target for your rule collection, these virtual networks will receive the configured rules. Then select the direction of the traffic you want to deny and use the other network group as the corresponding source / destination. You can enforce the traffic between your grouped network resources without the need to specify individual CIDR ranges or resource IDs.
24
26
25
27
## How do I deploy a security admin rule using network groups?
26
28
27
-
From the Azure portal, you can [deploy a security admin rule using network groups](./how-to-create-security-admin-rule-network-groups.md) in the Azure portal. To create a security admin rule, create a security admin configuration and add a security admin rule that utilizes network groups as source and destination. Finally, deploy the security admin configuration and the rules apply to the network group resources.
29
+
From the Azure portal, you can [deploy a security admin rule using network groups](./how-to-create-security-admin-rule-network-groups.md) in the Azure portal. To create a security admin rule, create a security admin configuration and add a security admin rule that utilizes network groups as source and destination. This is done by electing to use *Manual* for the **Network group address space aggregation option** setting in the configuration. Once elected, the virtual network manager instance will aggregate the CIDR ranges of the network groups referenced as the source and destination of the security admin rules in the configuration.
30
+
31
+
Finally, deploy the security admin configuration and the rules apply to the network group resources. With the *Manual* aggregation option, the CIDR ranges in the network group are aggregated only when you deploy the security admin configuration. This allows you to commit the CIDR ranges on your schedule.
28
32
29
33
If you change the resources in your network group or a network group's CIDR range changes, you need to redeploy the security configuration after the changes are made. After deployment, the new CIDR ranges will be applied across your network to all new and existing network group resources.
30
34
31
35
## Supported regions
32
36
33
-
During the public preview, network groups with security admin rules are supported in the following regions:
34
-
35
-
- Supported Regions:
36
-
37
-
- Central US EUAP
38
-
39
-
- East US
40
-
41
-
- East US 2
42
-
43
-
- East US 2 EUAP
44
-
45
-
- South Central US
46
-
47
-
- West US
48
-
49
-
- West US 2
50
-
51
-
- West US Central
37
+
During the public preview, network groups with security admin rules are supported in all regions where Azure Virtual Network Manager is available.
52
38
53
39
## Limitations of network groups with security admin rules
54
40
55
41
The following limitations apply when using network groups with security admin rules:
56
42
57
-
- Only supports manual aggregation of CIDRs in a network group. The CIDR range in a rule only changes upon the customer commit.
43
+
- Only supports manual aggregation of CIDRs in a network group. The CIDR range in a rule only changes upon the customer commit. This means The CIDR range within a rule remains unchanged until the customer commits.
58
44
59
45
- Supports 100 networking resources (virtual networks or subnets) in any one network group referenced in the security admin rule.
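Review bot: The sentence added to the first limitations bullet (new line 43) restates the sentence before it and carries a stray capital: "This means The CIDR range within a rule remains unchanged until the customer commits." Drop it, or replace it with the consequence the reader needs, which the unchanged paragraph at new line 33 already gives: a change to a network group's resources or CIDR range takes effect only after the security configuration is redeployed. That is the point that matters for the production/nonproduction Deny example. In the same hunk, new line 25 joins two sentences with a comma ("...target for your rule collection, these virtual networks will receive the configured rules"), and new line 29 keeps the doubled "From the Azure portal, you can ... in the Azure portal".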
articles/virtual-network-manager/how-to-create-security-admin-rule-network-group.md
11 additions & 8 deletions
@@ -12,10 +12,10 @@ ms.custom: template-how-to
12
12
---
13
13
# Create a security admin rule using network groups in Azure Virtual Network Manager
14
14
15
-
In Azure Virtual Network Manager, you can deploy [security admin rules](./concept-security-admins.md) using [network groups](./concept-network-groups.md). Security admin rules and network groups allow you to define the source and destination of the traffic for the security admin rule.
16
-
17
15
In this article, you learn how to create a security admin rule using network groups in Azure Virtual Network Manager. You use the Azure portal to create a security admin configuration, add a security admin rule, and deploy the security admin configuration.
18
16
17
+
In Azure Virtual Network Manager, you can deploy [security admin rules](./concept-security-admins.md) using [network groups](./concept-network-groups.md). Security admin rules and network groups allow you to define the source and destination of the traffic for the security admin rule.
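Review bot: The paragraph moved to new line 17 is carried over unchanged, and its second sentence is circular: "Security admin rules and network groups allow you to define the source and destination of the traffic for the security admin rule." Since the line is being touched anyway, reword it to say that network groups can be used as the source and destination of a security admin rule, which is how the concept article in this commit describes the feature.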
@@ -63,16 +63,19 @@ To create a security admin configuration, follow these steps:
63
63
64
64
:::image type="content" source="media/how-to-create-security-admin-rules-network-groups/create-configuration-with-aggregation-options.png" alt-text="Screenshot of create a security admin configuration deployment options selecting manual aggregation option.":::
65
65
66
-
1. Select **Rule collections** or **Next: Rule collections >**.
67
-
2. In the Rule collections tab, select **Add**.
68
-
3. In the **Add a rule collection** window, enter the following settings:
66
+
> [!NOTE]
67
+
> The **Network group address space aggregation option** setting allows you to reference network groups in your security admin rules. Once elected, the virtual network manager instance will aggregate the CIDR ranges of the network groups referenced as the source and destination of the security admin rules in the configuration. With the manual aggregation option, the CIDR ranges in the network group are aggregated only when you deploy the security admin configuration. This allows you to commit the CIDR ranges on your schedule.
68
+
69
+
2. Select **Rule collections** or **Next: Rule collections >**.
70
+
3. In the Rule collections tab, select **Add**.
71
+
4. In the **Add a rule collection** window, enter the following settings:
69
72
70
73
|**Setting**|**Value**|
71
74
| --- | --- |
72
75
| Name | Enter a name for the rule collection. |
73
76
| Target network groups | Select the network group that contains the source and destination of the traffic for the security admin rule. |
74
77
75
-
1. Select **Add** and enter the following settings in the **Add a rule** window:
78
+
5. Select **Add** and enter the following settings in the **Add a rule** window:
76
79
77
80
|**Setting**|**Value**|
78
81
| --- | --- |
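Review bot: The unchanged "Target network groups" row (new line 76) still tells the reader to select the network group "that contains the source and destination of the traffic", while the concept article updated in this same commit says the target group is the set of virtual networks that receive the rules and the other network group is used as the source or destination. Align the row with that wording so a reader does not attach the rule collection to the wrong group. The added note (new lines 66-67) also repeats the aggregation text from the concept article almost word for word; a one-sentence summary with a link would be easier to keep in sync, and it should say that changes to a network group require redeploying the configuration.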
@@ -92,9 +95,9 @@ To create a security admin configuration, follow these steps:
92
95
93
96
:::image type="content" source="media/how-to-create-security-admin-rules-network-groups/create-network-group-as-source-destination-rule.png" alt-text="Screenshot of add a rule window using network groups as source and destination in rule creation.":::
94
97
95
-
2. Select **Add** and **Add** again to add the security admin rule to the rule collection.
98
+
6. Select **Add** and **Add** again to add the security admin rule to the rule collection.
96
99
97
-
3. Select **Review + create** and then select **Create**.
100
+
7. Select **Review + create** and then select **Create**.
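Review bot: Steps 6 and 7 (new lines 98 and 100) change only the list numbers, and step 6 still reads "Select **Add** and **Add** again" without saying which window each button belongs to. While renumbering, name the window for each click, using the window names already given in steps 4 and 5 (**Add a rule** and **Add a rule collection**), so the reader can confirm that the rule was actually added to the collection before selecting **Review + create**.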