Merge pull request #281123 from mbender-ms/avnm-IPAM

Virtual network manager - Public Preview - IPAM docs

Author: Jill Grant

articles/virtual-network-manager/TOC.yml

@@ -33,6 +33,8 @@
     href: concept-use-cases.md
   - name: limitations
     href: concept-limitations.md
+  - name: IP address management
+    href: concept-ip-address-management.md
   - name: Scope
     href: concept-network-manager-scope.md
   - name: Network groups
@@ -109,6 +111,8 @@
       href: how-to-configure-cross-tenant-portal.md
     - name: Configure cross-tenant connection - CLI
       href: how-to-configure-cross-tenant-cli.md
+  - Name: Manage IP addresses
+    href: how-to-manage-ip-addresses-network-manager.md
   - name: Monitoring
     items:
     - name: Configure Event Logs for Azure Virtual Network Manager

articles/virtual-network-manager/concept-ip-address-management.md

@@ -0,0 +1,84 @@
+---
+title: What is IP address management (IPAM) in Azure Virtual Network Manager?
+description: Learn about IP address management (IPAM) in Azure Virtual Network Manager and how it can help you manage IP addresses in your virtual networks.
+author: mbender-ms
+ms.author: mbender
+ms.service: azure-virtual-network-manager
+ms.topic: how-to
+ms.date: 10/2/2024
+ms.custom:  references_regions
+#customer intent: As a network administrator, I want to learn about IP address management (IPAM) in Azure Virtual Network Manager so that I can manage IP addresses in my virtual networks.
+---
+
+# What is IP address management (IPAM) in Azure Virtual Network Manager?
+
+[!INCLUDE [virtual-network-manager-ipam](../../includes/virtual-network-manager-ipam.md)]
+
+In this article, you learn about the IP address management (IPAM) feature in Azure Virtual Network Manager and how it can help you manage IP addresses in your virtual networks. With Azure Virtual Network Manager's IP Address Management (IPAM), you can create pools for IP address planning, automatically assign nonoverlapping classless inter-domain routing (CIDR) addresses to Azure resources, and prevent address space conflicts across on-premises and multicloud environments.
+
+## What is IP address management (IPAM)?
+
+In Azure Virtual Network Manager, IP address management (IPAM) helps you centrally manage IP addresses in your virtual networks using IP address pools. The following are some key features of IPAM in Azure Virtual Network Manager:
+
+- Create pools for IP address planning.
+
+- Automatically assign nonoverlapped CIDRs to Azure resources.
+
+- Reserve IPs for specific needs.
+
+- Prevent Azure address space from overlapping on-premises and cloud environments. 
+
+- Monitor IP/CIDR usages and allocations in a pool.
+
+- Support for IPv4 and IPv6 address pools.
+
+## How does IPAM work in Azure Virtual Network Manager?
+
+The IPAM feature in Azure Virtual Network Manager works through the following key components:
+- Managing IP Address Pools
+- Allocating IP addresses to Azure resources
+- Delegating IP address management permissions
+- Simplifying resource creation
+
+### Manage IP address pools
+
+IPAM allows network administrators to plan and organize IP address usage by creating pools with address spaces and respective sizes. These pools act as containers for groups of CIDRs, enabling logical grouping for specific networking purposes. You can create a structured hierarchy of pools, dividing a larger pool into smaller, more manageable pools, aiding in more granular control and organization of your network's IP address space. 
+
+There are two types of pools in IPAM:
+- Root pool: The first pool created in your instance is the root pool. This represents your entire IP address range.
+- Child pool: A child pool is a subset of the root pool or another child pool. You can create multiple child pools within a root pool or another child pool. You can have up to seven layers of pools
+
+### Allocating IP addresses to Azure resources
+
+When it comes to allocation, you can assign Azure resources with CIDRs, such as virtual networks, to a specific pool. This helps in identifying which CIDRs are currently in use. There's also the option to allocate static CIDRs to a pool, useful for occupying CIDRs that are either not currently in use within Azure or are part of Azure resources not yet supported by the IPAM service. Allocated CIDRs are released back to the pool if the associated resource is removed or deleted, ensuring efficient utilization and management of the IP space.
+
+### Delegating permissions for IP address management
+
+With IPAM, you can delegate permission to other users to utilize the IPAM pools, ensuring controlled access and management while democratizing pool allocation. These permissions allow users to see the pools they have access to, aiding in choosing the right pool for their needs.
+
+Delegating permissions also allows others to view usage statistics and lists of resources associated with the pool. Within your network manager, complete usage statistics are available including:
+    - The total number of IPs in pool.
+    - The percentage of allocated pool space.
+    
+Additionally, it shows details for pools and resources associated with pools, giving a complete overview of the IP usages and aiding in better resource management and planning.
+
+### Simplifying resource creation
+
+When creating CIDR-supporting resources like virtual networks, CIDRs are automatically allocated from the selected pool, simplifying the resource creation process. The system ensures that the automatically allocated CIDRs don't overlap within the pool, maintaining network integrity and preventing conflicts.
+
+## Permission requirements for IPAM in Azure Virtual Network Manager
+
+When using IP address management, the **IPAM Pool User** role alone is sufficient for delegation. During the public preview, you also need to grant **Network Manager Read** access to ensure full discoverability of IP address pools and virtual networks across the Network Manager's scope. Without this role, users with only the **IPAM Pool User** role won't be able to see available pools and virtual networks.
+
+Learn more about [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md).
+
+## Known issues
+
+- When virtual networks are associated with an IPAM pool, peering sync may show as out of sync, even though peering is functioning correctly.
+- When a VNet is moved to a different subscription, the references in IPAM are not updated, leading to inconsistent management status.
+- When multiple requests for the same VNet are made, it can result in duplicate allocations entries.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Learn how to manage IP addresses in Azure Virtual Network Manager](./how-to-manage-ip-addresses-network-manager.md)

articles/virtual-network-manager/how-to-manage-ip-addresses-network-manager.md

@@ -0,0 +1,173 @@
+---
+title: Manage IP addresses with Azure Virtual Network Manager
+description: Learn how to manage IP addresses with Azure Virtual Network Manager by creating and assigning IP address pools to your virtual networks.
+author: mbender-ms
+ms.author: mbender
+ms.service: azure-virtual-network-manager
+ms.topic: how-to
+ms.date: 10/2/2024
+ms.custom:  references_regions
+#customer intent: As a network administrator, I want to learn how to manage IP addresses with Azure Virtual Network Manager so that I can create and assign IP address pools to my virtual networks.
+---
+
+# Manage IP addresses with Azure Virtual Network Manager
+
+[!INCLUDE [virtual-network-manager-ipam](../../includes/virtual-network-manager-ipam.md)]
+
+Azure Virtual Network Manager allows you to manage IP addresses by creating and assigning IP address pools to your virtual networks. This article shows you how to create and assign IP address pools to your virtual networks with IP address management (IPAM) in Azure Virtual Network Manager.
+
+## Prerequisites
+
+- An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.
+- An existing network manager instance. If you don't have a network manager instance, see [Create a network manager instance](create-virtual-network-manager-portal.md).
+- A virtual network that you want to associate with an IP address pool.
+- To manage IP addresses in your network manager, you have the **Network Contributor** role with [role-based access control](../role-based-access-control/quickstart-assign-role-user-portal.md) Classic Admin/legacy authorization isn't supported.
+
+## Create an IP address pool
+
+In this step, you create an IP address pool for your virtual network.
+
+1. In the Azure portal, search for and select **Network managers**.
+2. Select your network manager instance.
+3. In the left menu, select **IP address pools (Preview)** under **IP address management (Preview)**.
+4. Select **+ Create** or **Create** to create a new IP address pool.
+5. In the **Create an IP address pool** window, enter the following information:
+   
+    | Field | Description |
+    | --- | --- |
+    | **Name** | Enter a name for the IP address pool. |
+    | **Description** | Enter a description for the IP address pool. |
+    | **Parent pool** | For creating a **root pool**, leave default of **None**. For creating a **child pool**, select the parent pool. |
+
+    :::image type="content" source="media/how-to-manage-ip-addresses/create-root-pool.png" alt-text="Screenshot of Create an ip address pool settings for a root pool." :::   
+    
+6. Select **Next** or the **IP addresses** tab.
+7. Under **Starting address**, enter the IP address range for the pool.
+
+    :::image type="content" source="media/how-to-manage-ip-addresses/set-pool-ip-range-thumb.png" alt-text="Screenshot of IP address range settings for a root pool." lightbox="media/how-to-manage-ip-addresses/set-pool-ip-range.png"::: 
+
+8. Select **Review + create** and then **Create** to create the IP address pool.
+9. Repeat these steps for another root or child pool.
+
+## Associate a virtual network with an IP address pool
+
+In this step, you associate an existing virtual network with an IP address pool from the **Allocations** settings page in the IP address pool.  
+
+1. Browse to your network manager instance and select your IP address pool.
+2. From the left menu, select **Allocations** under **Settings** or select **Allocate**. 
+3. In the **Allocations** window, select **+ Create** > **Associate resources**. The **Associate resources** option allocates a CIDR to an existing virtual network.
+   
+    :::image type="content" source="media/how-to-manage-ip-addresses/pool-allocation-settings-associate-resource-thumb.png" alt-text="Screenshot of allocations page for associating resources." lightbox="media/how-to-manage-ip-addresses/pool-allocation-settings-associate-resource.png":::
+
+4. In the **Select resources** window, select the virtual networks you want to associate with the IP address pool and then choose **Select**.
+   
+   :::image type="content" source="media/how-to-manage-ip-addresses/associate-virtual-network-resources-thumb.png" alt-text="Screenshot of associate resources page with virtual networks selected." lightbox="media/how-to-manage-ip-addresses/associate-virtual-network-resources.png":::
+
+5. Verify the virtual network is listed.
+   
+   :::image type="content" source="media/how-to-manage-ip-addresses/ip-address-pool-allocation-statistics.png" alt-text="Screenshot of IP address pool allocations and statistics.":::
+
+> [!Note]
+> In addition to associating resources, you can allocate address spaces to a child pool or a static CIDR block from the a pool's Allocations page.
+
+## Create static CIDR blocks for a pool
+
+In this step, you create a static CIDR block for a pool. This is helpful for allocating a space that is outside of Azure or Azure resources not supported by IPAM. For example, you can allocate a CIDR in the pool to the address space in your on-premises environment. Likewise, you can also use this for a space that is used by a Virtual WAN hub or Azure VMware Private Cloud.
+
+1. Browse to your IP address pool.
+2. Select **Allocate** or **Allocations** under **Settings**.
+3. In the **Allocations** window, select **+ Create** > **Allocate static CIDRs**.
+4. In the **Allocate static CIDRs from pool** window, enter the following information:
+   
+    | Field | Description |
+    | --- | --- |
+    | **Name** | Enter a name for the static CIDR block.|
+    | **Description** | Enter a description for the static CIDR block. |
+    | **CIDR** | Enter the CIDR block. |
+
+    :::image type="content" source="media/how-to-manage-ip-addresses/create-static-cidr-reservation.png" alt-text="Screenshot of Allocate static CIDR from pool window with address range for CIDR reservation.":::
+    
+5. Select **Allocate**.
+
+## Review allocation usage
+
+In this step, you review the allocation usage of the IP address pool. This helps you understand how the CIDRs are being used in the pool, along with the percentage of the pool that is allocated and the compliance status of the pool.
+
+1. Browse to your IP address pool.
+2. Select **Allocations** under **Settings**.
+3. In the **Allocations** window, you can review all of the statistics for the address pool including:
+   
+    | Field | Description |
+    | --- | --- |
+    | **Pool address space** | The total address space that is allocated to the pool. |
+    | **Allocated address Space** | The address space that is allocated to the pool. |
+    | **Available address Space** | The address space that is available for allocation. |
+    | **Available address count** | The number of addresses that are allocated to the pool. |
+    | **IP allocation** | The set of IP addresses that are allocated from the pool for potential use. |
+
+    :::image type="content" source="media/how-to-manage-ip-addresses/review-ip-address-pool-allocations.png" alt-text="Screenshot of an IP address pool's allocations and statistics for the pool.":::
+
+4. For each allocation, you can review the following:
+   
+    | Field | Description |
+    | --- | --- |
+    | **Name** | The name of the allocation. |
+    | **Address space** | The address space that is allocated to the pool. |
+    | **Address count** | The number of addresses that are allocated to the pool. |
+    | **IP allocation** | The set of IP addresses that are allocated from the pool for potential use. |
+    | **Status** | The status of the allocation to the pool. |
+    
+    :::image type="content" source="media/how-to-manage-ip-addresses/review-ip-address-pool-allocations-by-resource.png" alt-text="Screenshot of ip address pool allocations highlighting individual resource information.":::
+
+## Delegating permissions for IP address management
+
+In this step, you delegate permissions to other users to manage IP address pools in your network manager using [Azure role-based access control (RBAC)](../role-based-access-control/check-access.md). This allows you to control access to the IP address pools and ensure that only authorized users can manage the pools.
+
+1. Browse to your IP address pool.
+2. In the left menu, select **Access control (IAM)**.
+3. In the **Access control (IAM)** window, select **+ Add**>**Add role assignment**.
+4. Under **Role**, select **IPAM Pool User** through the search bar under the **Job function roles** tab, and then select **Next**.
+5. On the **Members** tab, select how you wish to assign access to the role. You can assign access to a user, group, or service principal, or you can use a managed identity.
+
+    :::image type="content" source="media/how-to-manage-ip-addresses/delegate-ip-address-pool-permissions.png" alt-text="Screenshot of the Add role assignment window with IPAM Pool User selected.":::
+
+6. Choose **+ Select members** and then **Select** the user, group, service principal, or managed identity that you want to assign the role to.
+7. Select **Review + assign** and then **Assign** to delegate permissions to the user.
+
+
+## Create a virtual network with a nonoverlapping CIDR range
+
+In this step, you create a virtual network with a nonoverlapping CIDR range by allowing IPAM to automatically provide a nonoverlapping CIDR.
+
+1. In the Azure portal, search for and select **Virtual networks**.
+2. Select **+ Create**.
+3. On the **Basics** tab, enter the following information:
+   
+    | Field | Description |
+    | --- | --- |
+    | **Subscription** | Select the subscription managed by a Network Manager management scope. |
+    | **Resource group** | Select the resource group for the virtual network. |
+    | **Name** | Enter a name for the virtual network. |
+    | **Region** | Select the region for the virtual network. IP address pools must be in the same region as your virtual network in order to be associated.|
+ 
+4. Select the **IP addresses** tab or **Next** > **Next**.
+5. On the **IP addresses** tab, select **Allocate using IP address pools** checkbox.
+   
+   :::image type="content" source="media/how-to-manage-ip-addresses/create-virtual-network-ip-address-pool.png" alt-text="Screenshot of create virtual network window with Allocate using IP address setting.":::
+
+6. In the **Select an IP address pool** window, select the IP address pool that you want to associate with the virtual network and then choose **Save**. You can select at most one IPv4 pool and one IPv6 pool for association to a single virtual network.
+   
+    :::image type="content" source="media/how-to-manage-ip-addresses/virtual-network-create-select-ip-address-pool-thumb.png" alt-text="Screenshot of Select an IP address pool with IP address pool selected." lightbox="media/how-to-manage-ip-addresses/virtual-network-create-select-ip-address-pool.png":::
+
+7. From the dropdown menu next to your IP address pool, select the size for the virtual network.
+   
+    :::image type="content" source="media/how-to-manage-ip-addresses/virtual-network-create-select-address-space-size.png" alt-text="Screenshot of Create virtual network window with IP address size selection.":::
+
+8. Optionally create subnets referring to the selected pool.
+9.  Select **Review + create** and then **Create** to create the virtual network.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [What is IP address management in Azure Virtual Network Manager](./concept-ip-address-management.md)
+