Merge pull request #271054 from mbender-ms/avnm-ng-src-dest-v2

virtual network manager - New Article - Network Groups as Source and Destination

Author: American-Dipper

articles/virtual-network-manager/TOC.yml

@@ -53,6 +53,8 @@
         href: concept-security-admins.md
       - name: Security admin rule enforcement
         href: concept-enforcement.md
+      - name: Network groups as source and destination
+        href: concept-security-admin-rules-network-group.md
   - name: Deployments
     href: concept-deployments.md
   - name: Remove or update components
@@ -71,8 +73,10 @@
       href: resource-manager-template-samples.md
 - name: How-to guides
   items:
-  - name: Secure network traffic
+  - name: Secure network traffic with security admin rules
     items:
+    - name: Using network groups as source and destination
+      href: how-to-create-security-admin-rule-network-group.md
     - name: Block network traffic - Portal
       href: how-to-block-network-traffic-portal.md
     - name: Block network traffic -PowerShell
@@ -93,8 +97,6 @@
         href: how-to-create-mesh-network.md
       - name: Azure PowerShell
         href: how-to-create-mesh-network-powershell.md
-  - Name: Security admin rules
-    items:
   - name: Cross-tenant connection support
     items:
     - name: Configure cross-tenant connection - Portal

articles/virtual-network-manager/concept-security-admin-rules-network-group.md

@@ -0,0 +1,59 @@
+---
+title: 'Using network groups with security admin rules'
+titleSuffix: Azure Virtual Network Manager
+description: Learn how a network administrator can deploy security admin rules using network groups as the source and destination in Azure Virtual Network Manager.
+author: mbender-ms
+ms.author: mbender
+ms.service: virtual-network-manager
+ms.topic: conceptual
+ms.date: 04/15/2024
+ms.custom: template-concept, engagement-fy23, references_regions
+#customer intent: As a network administrator, I want to deploy security admin rules in Azure Virtual Network Manager. When creating security admin rules, I want to define network groups as the source and destination of traffic.
+---
+
+# Using network groups with security admin rules
+
+In this article, you learn how to use network groups with security admin rules in Azure Virtual Network Manager (AVNM). Network groups allow you to create logical groups of virtual networks and subnets that have common attributes, such as environment, region, service type, and more. You can then specify your network groups as the source and/or destination of your security admin rules so that you can enforce the traffic among your grouped network resources. This feature streamlines the process of securing your traffic across workloads and environments, as it removes the manual step of specifying individual Classless Inter-Domain Routing (CIDR) ranges or resource IDs.
+
+[!INCLUDE [virtual-network-manager-network-groups-source-destination-preview](../../includes/virtual-network-manager-network-groups-source-destination-preview.md)]
+
+## Why use network groups with security admin rules?
+
+Using network groups with security admin rules allows you to define the source and destination of the traffic for the security admin rule. This feature streamlines the process of securing your traffic across workloads and environments by aggregating the CIDR ranges of the network groups to your virtual network manager instance. Aggregation to a virtual network manager removes the manual step of specifying individual CIDR ranges or resource IDs. 
+
+For example, you need to ensure traffic is denied between your production and nonproduction environments represented by two separate network groups. Create a security admin rule with an action type of
+**Deny**.
+Specify one network group as the target for your rule collection, these virtual networks will receive the configured rules. Then select the direction of the traffic you want to deny and use the other network group as the corresponding source / destination. You can enforce the traffic between your grouped network resources without the need to specify individual CIDR ranges or resource IDs.
+
+## How do I deploy a security admin rule using network groups?
+
+From the Azure portal, you can [deploy a security admin rule using network groups](./how-to-create-security-admin-rule-network-groups.md) in the Azure portal. To create a security admin rule, create a security admin configuration and add a security admin rule that utilizes network groups as source and destination. This is done by electing to use *Manual* for the **Network group address space aggregation option** setting in the configuration. Once elected, the virtual network manager instance will aggregate the CIDR ranges of the network groups referenced as the source and destination of the security admin rules in the configuration.
+
+Finally, deploy the security admin configuration and the rules apply to the network group resources. With the *Manual* aggregation option, the CIDR ranges in the network group are aggregated only when you deploy the security admin configuration. This allows you to commit the CIDR ranges on your schedule.
+
+If you change the resources in your network group or a network group's CIDR range changes, you need to redeploy the security configuration after the changes are made. After deployment, the new CIDR ranges will be applied across your network to all new and existing network group resources.
+
+## Supported regions
+
+During the public preview, network groups with security admin rules are supported in all regions where Azure Virtual Network Manager is available.
+
+## Limitations of network groups with security admin rules
+
+The following limitations apply when using network groups with security admin rules:
+
+- Only supports manual aggregation of CIDRs in a network group. The CIDR range in a rule only changes upon the customer commit. This means The CIDR range within a rule remains unchanged until the customer commits.
+
+- Supports 100 networking resources (virtual networks or subnets) in any one network group referenced in the security admin rule.
+
+- CIDR ranges for network groups members can be either Ipv4 or Ipv6 CIDRs, but not both in the same group. If Ipv4 and Ipv6 ranges are present in the same group, your virtual network manager only uses the IPv4 ranges.
+
+- Role-based access control ownership is inferred from the `Microsoft.Network/networkManagers/securityAdminConfigurations/rulecollections/rules/write` permission only.
+
+- Network groups must have the same member-types. Virtual networks and subnets are supported but must be in separate network groups.
+
+- Force-delete of any network group used as the source and/or destination in a security admin rule isn't currently supported. Usage causes an error.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Create a security admin rule using network groups](./how-to-create-security-admin-rule-network-groups.md)

articles/virtual-network-manager/how-to-create-security-admin-rule-network-group.md

@@ -0,0 +1,118 @@
+---
+title: Create a security admin rule using network groups
+titleSuffix: Azure Virtual Network Manager
+description: Learn how to deploy security admin rules using network groups as the source and destination in Azure Virtual Network Manager.
+author: mbender-ms
+ms.author: mbender
+ms.service: virtual-network-manager
+ms.topic: how-to 
+ms.date: 04/17/2024
+ms.custom: template-how-to, references_regions
+#Customer intent: As a network administrator, I want to deploy security admin rules using network groups in Azure Virtual Network Manager so that I can define the source and destination of the traffic for the security admin rule.
+---
+# Create a security admin rule using network groups in Azure Virtual Network Manager
+
+In this article, you learn how to create a security admin rule using network groups in Azure Virtual Network Manager. You use the Azure portal to create a security admin configuration, add a security admin rule, and deploy the security admin configuration.
+
+In Azure Virtual Network Manager, you can deploy [security admin rules](./concept-security-admins.md) using [network groups](./concept-network-groups.md). Security admin rules and network groups allow you to define the source and destination of the traffic for the security admin rule.    
+
+[!INCLUDE [virtual-network-manager-preview](../../includes/virtual-network-manager-network-groups-source-destination-preview.md)]
+
+## Prerequisites
+
+To complete this article, you need the following resources:
+
+- An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.
+
+- An Azure Virtual Network Manager instance. If you don't have an instance, see [Create an Azure Virtual Network Manager instance](create-virtual-network-manager-portal.md).
+
+- A network group. If you don't have a network group, see [Create a network group](create-virtual-network-manager-portal.md#create-a-network-group).
+
+## Create a security admin configuration
+
+To create a security admin configuration, follow these steps:
+
+1. In the **Azure portal**, search for and select **Virtual Network Manager**.
+
+1. Select **Network Managers** under **Virtual network manager** on the left side of the portal window.
+
+1. In the **Virtual Network Manager | Network managers** window, select your network manager instance.
+
+1. Select **Configuration** under **Settings** on the left side of the portal window.
+
+1. In the **Configurations** window, select the **Create security admin configuration** button or **+ Create > Security admin configuration** from the drop-down menu.
+
+    :::image type="content" source="media/how-to-create-security-admin-rules-network-groups/create-security-admin-configuration.png" alt-text="Screenshot of creation of security admin configuration in Configurations of a network manager.":::
+
+1. In the **Basics** tab of the **Create security admin configuration** windows, enter the following settings:
+  
+    | **Setting** | **Value** |
+    | --- | --- |
+    | Name | Enter a name for the security admin rule. |
+    | Description | Enter a description for the security admin rule. |
+    
+
+1. Select the **Deployment Options** tab or **Next: Deployment Options >** and enter the following settings:
+
+    | **Setting** | **Value** |
+    | --- | --- |
+    | **Deployment option for NIP virtual networks** | |
+    | Deployment option | Select **None**. |
+    | **Option to use network group as source and destination** | |
+    | Network group address space aggregation option | Select **Manual**. |
+
+    :::image type="content" source="media/how-to-create-security-admin-rules-network-groups/create-configuration-with-aggregation-options.png" alt-text="Screenshot of create a security admin configuration deployment options selecting manual aggregation option.":::
+
+    > [!NOTE]
+    > The **Network group address space aggregation option** setting allows you to reference network groups in your security admin rules. Once elected, the virtual network manager instance will aggregate the CIDR ranges of the network groups referenced as the source and destination of the security admin rules in the configuration. With the manual aggregation option, the CIDR ranges in the network group are aggregated only when you deploy the security admin configuration. This allows you to commit the CIDR ranges on your schedule.
+
+2. Select **Rule collections** or **Next: Rule collections >**.
+3. In the Rule collections tab, select **Add**.
+4. In the **Add a rule collection** window, enter the following settings:
+
+    | **Setting** | **Value** |
+    | --- | --- |
+    | Name | Enter a name for the rule collection. |
+    | Target network groups | Select the network group that contains the source and destination of the traffic for the security admin rule. |
+
+5. Select **Add** and enter the following settings in the **Add a rule** window:
+
+    | **Setting** | **Value** |
+    | --- | --- |
+    | Name | Enter a name for the security admin rule. |
+    | Description | Enter a description for the security admin rule. |
+    | Priority | Enter a priority for the security admin rule. |
+    | Action | Select the action type for the security admin rule. |
+    | Direction | Select the direction for the security admin rule. |
+    | Protocol | Select the protocol for the security admin rule. |
+    | **Source** |  |
+    | Source type | Select **Network group**. |
+    | Source port | Enter the source port for the security admin rule. |
+    | **Destination** |  |
+    | Destination type | Select **Network Group**. |
+    | Network Group | Select the network group ID that you wish to use for dynamically establishing IP address ranges. |
+    | Destination port | Enter the destination port for the security admin rule. |
+
+    :::image type="content" source="media/how-to-create-security-admin-rules-network-groups/create-network-group-as-source-destination-rule.png" alt-text="Screenshot of add a rule window using network groups as source and destination in rule creation.":::
+
+6. Select **Add** and **Add** again to add the security admin rule to the rule collection.
+
+7. Select **Review + create** and then select **Create**.
+
+## Deploy the security admin configuration
+
+Use the following steps to deploy the security admin configuration:
+
+1. Return to the **Configurations** window and select the security admin configuration you created.
+
+1. Select your security admin configuration and then select **Deploy**.
+
+1. In **Deploy security admin configuration**, select the target Azure regions for security admin configuration and select **Next > Deploy**.
+
+## Next step
+
+> [!div class="nextstepaction"]
+> [View configurations applied by Azure Virtual Network Manager](how-to-view-applied-configurations.md)
+
+
+