A comprehensive Terraform lab environment that demonstrates Azure Virtual Network Manager (AVNM) with advanced IP Address Management (IPAM) capabilities. This lab showcases modern cloud networking patterns including hub-spoke topology, dynamic subnet allocation, and centralized network management.

This lab deploys a simplified 2-module architecture that creates a complete hub-spoke network topology with automatic IP address management:

┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│   Spoke VNet 1  │    │   Hub VNet      │    │   Spoke VNet 2  │
│  (Dynamic IPs)  │◄──►│  Azure Firewall │◄──►│  (Dynamic IPs)  │
│                 │    │  10.1.0.0/16    │    │                 │
└─────────────────┘    └─────────────────┘    └─────────────────┘
                                │
                       ┌─────────────────┐
                       │   Spoke VNet 3  │
                       │  (Dynamic IPs)  │
                       └─────────────────┘

• ✅ Hub-Spoke Topology with Azure Virtual Network Manager
• ✅ Dynamic IP Allocation from centralized IPAM pool (10.0.0.0/14)
• ✅ Automatic Subnet Management - no manual IP planning required
• ✅ Azure Firewall with routing and security rules
• ✅ Network Security Groups and route tables
• ✅ Conflict Prevention through AVNM IPAM
• ✅ Scalable Design - easily add more spokes
• ✅ Infrastructure as Code with Terraform

• GitHub account
• Azure subscription with Contributor access
• Basic understanding of Azure networking concepts

Navigate to this repository and create a new Codespace:

# Click "Code" → "Codespaces" → "Create codespace on main"

Login to your Azure account:

az login
# If you have issues, try:
az login --use-device-code

Update the answers.json file with your Azure details:

{
  "subscriptionId": "your-subscription-id-here",
  "location": "eastus2",
  "resourceGroupName": "rg-avnm-lab"
}

⚠️ Important: After updating the answers.json file, make sure to save the file by pressing Ctrl+S (Windows/Linux) or Cmd+S (Mac) before proceeding to the next step. The deployment scripts rely on the saved values in this file.

Run the automated deployment script:

./deploy.ps1

Deployment Process:

1. Module 1: Deploys complete networking + AVNM + IPAM (5-10 minutes)
2. Module 2: Deploys virtual machines and compute resources (3-5 minutes)

Check the allocated IP address ranges:

cd Modules/1-hub-spoke-lz
terraform output spoke_subnet_allocated_prefixes

The lab uses Azure Virtual Network Manager's IPAM capabilities for complete dynamic allocation:

• Pool Range: 10.0.0.0/14 (262,144 total IP addresses)
• Hub VNet Allocation: 65,536 IPs (effectively /16 VNet)
• Spoke VNet Allocation: 256 IPs per spoke VNet (effectively /24 VNets)
• Firewall Subnet Allocation: 256 IPs (effectively /24 subnet)
• Spoke Subnet Allocation: 32 IPs per spoke subnet (effectively /27 subnets)
• Automatic Assignment: No manual IP planning required
• Conflict Prevention: AVNM ensures no overlapping ranges

• Hub VNet: Dynamically allocated from IPAM pool (gets /16 range)
  • Azure Firewall Subnet: Dynamically allocated (gets /24 range)
• Spoke VNets: Dynamically allocated from IPAM pool
  • Spoke 1: Automatically assigned /24 VNet
  • Spoke 2: Automatically assigned /24 VNet
  • Spoke 3: Automatically assigned /24 VNet
• Spoke Subnets: Dynamically allocated within their VNets
  • Each subnet gets automatically assigned /27 subnet

• Network Security Groups: Applied to all spoke subnets
• Route Tables: Force all traffic through Azure Firewall
• Firewall Rules: Allow inter-spoke communication and internet access

# View hub VNet allocation
terraform output hub_vnet_allocated_prefixes

# View spoke VNet allocations
terraform output spoke_vnet_allocated_prefixes

# View firewall subnet allocation
terraform output firewall_subnet_allocated_prefixes

# View spoke subnet allocations
terraform output spoke_subnet_allocated_prefixes

terraform output network_manager_id
terraform output connectivity_configuration_id

1. Navigate to Network Manager in Azure Portal
2. Check IP Address Management → IP Address Pools
3. View Configurations → Connectivity configurations
4. Monitor Deployments status

When finished with the lab, run the destroy script:

./destroy.ps1

Destruction Order:

1. Compute resources (VMs, NICs)
2. Networking infrastructure (VNets, AVNM, Firewall)

• Username: azureadmin
• Password: AzureAdmin123!

• Access spoke VMs through the hub network
• All traffic is routed through Azure Firewall

To add additional spoke networks, update the terraform.tfvars file:

vnet_name_spokes = [
  "vnet-avnm-spoke1", 
  "vnet-avnm-spoke2", 
  "vnet-avnm-spoke3",
  "vnet-avnm-spoke4"  # Add new spoke
]

The IPAM pool will automatically allocate VNet and subnet ranges for new spokes.

Modify IP allocation in terraform.tfvars:

hub_vnet_ip_count = "131072"        # Allocates /15 hub VNet instead of /16
vnet_ip_count = "512"               # Allocates /23 spoke VNets instead of /24
firewall_subnet_ip_count = "512"    # Allocates /23 firewall subnet instead of /24
subnet_ip_count = "64"              # Allocates /26 spoke subnets instead of /27

After completing this lab, you will understand:

• ✅ Azure Virtual Network Manager concepts and capabilities
• ✅ IP Address Management (IPAM) and dynamic allocation
• ✅ Hub-spoke network topology design patterns
• ✅ Azure Firewall configuration and routing
• ✅ Network Security Groups and traffic control
• ✅ Infrastructure as Code best practices with Terraform
• ✅ Automated deployment and destruction workflows

• Region Support: Ensure AVNM is available in your chosen region (recommended: eastus2)
• Permissions: Requires Contributor access to create Network Manager resources
• VM SKUs: Default VM size is suitable for most regions, modify if needed
• Cost Management: Remember to destroy resources when not in use

Feel free to submit issues, fork the repository, and create pull requests for improvements.

This project is licensed under the MIT License - see the LICENSE file for details.

Happy Networking! 🎉

This lab demonstrates modern Azure networking capabilities with Infrastructure as Code best practices.