AVNM + IPAM: Finally, Centralised Address Management without the Spreadsheet

If you’ve ever inherited a half-broken Excel workbook to manage IP ranges across dozens of VNets, you already know the pain. No validation, no automation, no mercy.

Well, grab your coffee, Azure Virtual Network Manager (AVNM) just got a serious upgrade: built-in IP Address Management (IPAM).

This feature rounds out AVNM as a first-party control plane for enterprise-scale networking. Let’s get into what it is, how it works, and why it’s a game-changer.

What is AVNM IPAM?

AVNM’s IP Address Management (IPAM) is a native Azure capability for centrally managing private IP address spaces across your Virtual Networks, without flogging spreadsheets or building DIY governance layers.

Common Uses

Automating IP address assignment at scale
Preventing overlapping CIDR allocations across business units
Standardising subnet ranges within environments (e.g., non-prod, prod)
Improving visibility for audit and growth planning

Key Features

Centrally manage IP spaces within an AVNM scope
Create and assign child IP prefixes to VNets and subnets
Enforce address allocation policies to avoid overlaps
Visualise and track IP usage across regions and subscriptions
Integrate directly with VNet creation and subnet allocation

Think of it as an address ledger with guardrails — and it’s built right into the same control plane you’re (hopefully) already using for network groupings and connectivity configurations.

Architecture View

graph TD AVNM[Azure Virtual Network Manager] IPAMPool[IPAM Pool] ParentPrefix["Parent Prefix (e.g., 10.1.0.0/16)"] ChildPrefix1["Child Prefix (10.1.1.0/24)"] ChildPrefix2["Child Prefix (10.1.2.0/24)"] VNet1[VNet A] VNet2[VNet B] AVNM --> IPAMPool IPAMPool --> ParentPrefix ParentPrefix --> ChildPrefix1 --> VNet1 ParentPrefix --> ChildPrefix2 --> VNet2

How It Works

Create an IPAM Pool
This acts as a container for your IP space hierarchy. You can have one or more per AVNM.
Define Parent Prefixes
These are top-level CIDR ranges you plan to carve up (e.g. 10.0.0.0/8). These must be non-overlapping per IPAM Pool.
Allocate Child Prefixes
Carve out smaller address blocks — like 10.0.1.0/24 — from your parent prefix. These can be assigned manually to VNets or automatically through deployment tools.
Track IP Usage and Availability
IPAM gives you visibility into what’s been used, what’s free, and what’s assigned where — all within the AVNM scope.

Real-World Impact

Before IPAM, Azure customers had a few not-so-great options:

Manual IP range tracking with spreadsheets (error-prone and unscalable)
Custom solutions using Tags, Policies, or scripts (hard to maintain)
Over-architecting with CIDR guesswork to avoid future conflicts

Now with IPAM baked into AVNM:

Network teams get full control over address planning and enforcement
App teams can consume space predictably without stepping on toes
Governance and growth are no longer mutually exclusive

Implementation Examples

Let’s walk through allocating a prefix to a new VNet using Azure Portal and Bicep.

Azure Portal

Go to Azure Virtual Network Manager
Select your AVNM scope
Under IPAM, create an IPAM Pool
Add a Parent Prefix — e.g., 10.1.0.0/16
Allocate a Child Prefix — e.g., 10.1.1.0/24
When creating a new VNet, select Use IPAM and bind it to your AVNM and specific prefix

Bicep Example: Hub & Spoke with IPAM

This example sets up a Network Manager and IPAM Pool, then creates a Hub and Spoke VNet pair — each allocated dynamically from the pool.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71


@description('Location for all resources')
param location string = resourceGroup().location

@description('Name of the Network Manager')
param networkManagerName string = 'myNetworkManager'

// Create the Azure Virtual Network Manager (AVNM)
resource avnm 'Microsoft.Network/networkManagers@2024-07-01' = {
  name: networkManagerName
  location: location
  properties: {
    networkManagerScopeAccesses: ['Connectivity', 'SecurityAdmin']
    networkManagerScopes: {
      subscriptions: [subscription().id]
    }
  }
}

resource avnmIPAM 'Microsoft.Network/networkManagers/ipamPools@2024-07-01' = {
  name: 'IPAM-AUEast'
  parent: avnm
  location: location
  properties: {
    addressPrefixes: ['10.1.0.0/16']
    description: 'Parent prefix for Australia East VNets'
  }
}

// Create AU East Hub VNet and use IPAM Pool for prefix allocation
resource auEasthubVnet 'Microsoft.Network/virtualNetworks@2024-07-01' = {
  name: 'MyHubVNet-AUEast'
  location: location
  properties: {
    addressSpace: {
      ipamPoolPrefixAllocations: [
        {
          pool: {
            id: avnmIPAM.id
          }
          numberOfIpAddresses: 256 // requests a /24 prefix from the IPAM Pool. Azure will automatically assign a non-overlapping block of that size.
        }
      ]
    }
  }
  tags: {
    environment: 'HubNet'
    region: 'australiaeast'
  }
}

// Create AU East Spoke VNet and use IPAM Pool for prefix allocation
resource auEastspokeVnet01 'Microsoft.Network/virtualNetworks@2024-07-01' = {
  name: 'MySpokeVNet01-AUEast'
  location: location
  properties: {
    addressSpace: {
      ipamPoolPrefixAllocations: [
        {
          pool: {
            id: avnmIPAM.id
          }
          numberOfIpAddresses: 256 // requests a /24 prefix from the IPAM Pool. Azure will automatically assign a non-overlapping block of that size.
        }
      ]
    }
  }
  tags: {
    environment: 'production'
    region: 'australiaeast'
  }
}

Gotchas & Edge Cases

No retroactive allocations: You can only assign prefixes to VNets that opt-in to IPAM. Existing VNets without IPAM are left untouched.
Enforcement isn’t universal: IPAM doesn’t stop someone from manually typing in a bad address — yet. Policy integration is coming.
Doesn’t manage public IPs: This is strictly private address space for now.

Best Practices

Plan your hierarchy early: Define parent blocks at /16 or similar size for long-term flexibility.
One IPAM Group per environment or region: Keeps things clean and logically segmented.
Automate allocations: Use Bicep or Terraform to keep it consistent.
Enable IPAM with NetOps, not after: This isn’t a bolt-on; make it part of your standard network provisioning flow.

🍺

Brewed Insight: IPAM in AVNM isn’t flashy, but it solves a problem almost every serious Azure deployment hits eventually. The lack of centralised IP tracking was a blind spot – this fixes it, cleanly and natively. More importantly: it keeps networking out of Excel. That alone deserves a toast.

Learn More

IP Address Management with AVNM – Microsoft Docs
Official overview of IPAM features and capabilities inside Azure Virtual Network Manager
AVNM Overview
Starts from the top: what AVNM is, why it matters, and where IPAM fits in
Connectivity configurations in AVNM
Learn how to layer IPAM with custom connectivity across VNets
Bicep Templates for AVNM / IPAM
Full Bicep reference for deploying AVNM components