AVNM + IPAM: Finally, Centralised Address Management without the Spreadsheet

Azure Virtual Network Manager’s built-in IPAM has officially arrived — here’s why that matters

If you’ve ever inherited a half-broken Excel workbook to manage IP ranges across dozens of VNets, you already know the pain. No validation, no automation, no mercy.

Well, grab your coffee: Azure Virtual Network Manager (AVNM) just got a serious upgrade in the form of built-in IP Address Management (IPAM).

This feature rounds out AVNM as a first-party control plane for enterprise-scale networking. Let’s get into what it is, how it works, and why it’s a game-changer.

What is AVNM IPAM?

AVNM’s IP Address Management (IPAM) is a native Azure capability for centrally managing private IP address spaces across your Virtual Networks, without flogging spreadsheets or building DIY governance layers.

Common Uses

  • Automating IP address assignment at scale
  • Preventing overlapping CIDR allocations across business units
  • Standardising subnet ranges within environments (e.g., non-prod, prod)
  • Improving visibility for audit and growth planning

Key Features

  • Centrally manage IP spaces within an AVNM scope
  • Create and assign child IP prefixes to VNets and subnets
  • Enforce address allocation policies to avoid overlaps
  • Visualise and track IP usage across regions and subscriptions
  • Integrate directly with VNet creation and subnet allocation

Think of it as an address ledger with guardrails — and it’s built right into the same control plane you’re (hopefully) already using for network groupings and connectivity configurations.

Architecture View

graph TD
    AVNM[Azure Virtual Network Manager]
    IPAMPool[IPAM Pool]
    ParentPrefix["Parent Prefix (e.g., 10.1.0.0/16)"]
    ChildPrefix1["Child Prefix (10.1.1.0/24)"]
    ChildPrefix2["Child Prefix (10.1.2.0/24)"]
    VNet1[VNet A]
    VNet2[VNet B]
    AVNM --> IPAMPool
    IPAMPool --> ParentPrefix
    ParentPrefix --> ChildPrefix1 --> VNet1
    ParentPrefix --> ChildPrefix2 --> VNet2

How It Works

  1. Create an IPAM Pool
    This acts as a container for your IP space hierarchy. You can have one or more per AVNM.

  2. Define Parent Prefixes
    These are top-level CIDR ranges you plan to carve up (e.g. 10.0.0.0/8). These must be non-overlapping per IPAM Pool.

  3. Allocate Child Prefixes
    Carve out smaller address blocks — like 10.0.1.0/24 — from your parent prefix. These can be assigned manually to VNets or automatically through deployment tools.

  4. Track IP Usage and Availability
    IPAM gives you visibility into what’s been used, what’s free, and what’s assigned where — all within the AVNM scope.
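
The four steps above, modelled in a few lines of Python as an added example (not code from the original post and not Azure's implementation). The class name, the first-fit placement policy and the consumer names `data-vnet` and `late-vnet` are assumptions made for illustration; the pool prefix and VNet names come from the Bicep example on this page.

```python
import ipaddress


class IpamPoolModel:
    """Illustrative model of a pool: parent prefixes and the children carved from them."""

    def __init__(self, parent_prefixes):
        self.parents = [ipaddress.ip_network(p) for p in parent_prefixes]
        # Step 2: parent prefixes inside one pool must not overlap each other.
        for i, a in enumerate(self.parents):
            for b in self.parents[i + 1:]:
                if a.overlaps(b):
                    raise ValueError(f"parent prefixes overlap: {a} and {b}")
        self.allocations = []  # (consumer, child prefix) pairs

    def allocate(self, consumer, number_of_ip_addresses):
        """Step 3, with an assumed first-fit policy: lowest free block that fits."""
        if number_of_ip_addresses < 1:
            raise ValueError("request at least one address")
        # Round the count up to a power of two: 256 -> 8 host bits -> /24.
        host_bits = (number_of_ip_addresses - 1).bit_length()
        for parent in self.parents:
            new_prefix = parent.max_prefixlen - host_bits
            if new_prefix < parent.prefixlen:
                continue  # request is larger than this parent prefix
            for candidate in parent.subnets(new_prefix=new_prefix):
                if not any(candidate.overlaps(c) for _, c in self.allocations):
                    self.allocations.append((consumer, candidate))
                    return candidate
        raise RuntimeError(f"no free block of {number_of_ip_addresses} addresses")

    def usage(self):
        """Step 4: what is used and what is free across the pool."""
        total = sum(p.num_addresses for p in self.parents)
        used = sum(c.num_addresses for _, c in self.allocations)
        return {"total": total, "used": used, "free": total - used}


def demo():
    pool = IpamPoolModel(["10.1.0.0/16"])
    hub = pool.allocate("MyHubVNet-AUEast", 256)
    spoke = pool.allocate("MySpokeVNet01-AUEast", 256)
    big = pool.allocate("data-vnet", 1000)  # hypothetical consumer, rounds up to a /22
    late = pool.allocate("late-vnet", 256)  # hypothetical, fills the gap before the /22
    return [str(n) for n in (hub, spoke, big, late)], pool.usage()


if __name__ == "__main__":
    print(demo())
```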

Real-World Impact

Before IPAM, Azure customers had a few not-so-great options:

  • Manual IP range tracking with spreadsheets (error-prone and unscalable)
  • Custom solutions using Tags, Policies, or scripts (hard to maintain)
  • Over-architecting with CIDR guesswork to avoid future conflicts

Now with IPAM baked into AVNM:

  • Network teams get full control over address planning and enforcement
  • App teams can consume space predictably without stepping on toes
  • Governance and growth are no longer mutually exclusive

Implementation Examples

Let’s walk through allocating a prefix to a new VNet using Azure Portal and Bicep.

Azure Portal

  1. Go to Azure Virtual Network Manager
  2. Select your AVNM scope
  3. Under IPAM, create an IPAM Pool
  4. Add a Parent Prefix — e.g., 10.1.0.0/16
  5. Allocate a Child Prefix — e.g., 10.1.1.0/24
  6. When creating a new VNet, select Use IPAM and bind it to your AVNM and specific prefix

Bicep Example: Hub & Spoke with IPAM

This example sets up a Network Manager and IPAM Pool, then creates a Hub and Spoke VNet pair — each allocated dynamically from the pool.

@description('Location for all resources')
param location string = resourceGroup().location

@description('Name of the Network Manager')
param networkManagerName string = 'myNetworkManager'

// Create the Azure Virtual Network Manager (AVNM)
resource avnm 'Microsoft.Network/networkManagers@2024-07-01' = {
  name: networkManagerName
  location: location
  properties: {
    networkManagerScopeAccesses: ['Connectivity', 'SecurityAdmin']
    networkManagerScopes: {
      subscriptions: [subscription().id]
    }
  }
}

// Create the IPAM Pool under the AVNM, with 10.1.0.0/16 as its parent prefix
resource avnmIPAM 'Microsoft.Network/networkManagers/ipamPools@2024-07-01' = {
  name: 'IPAM-AUEast'
  parent: avnm
  location: location
  properties: {
    addressPrefixes: ['10.1.0.0/16']
    description: 'Parent prefix for Australia East VNets'
  }
}

// Create AU East Hub VNet and use IPAM Pool for prefix allocation
resource auEasthubVnet 'Microsoft.Network/virtualNetworks@2024-07-01' = {
  name: 'MyHubVNet-AUEast'
  location: location
  properties: {
    addressSpace: {
      ipamPoolPrefixAllocations: [
        {
          pool: {
            id: avnmIPAM.id
          }
          numberOfIpAddresses: 256 // requests a /24 prefix from the IPAM Pool. Azure will automatically assign a non-overlapping block of that size.
        }
      ]
    }
  }
  tags: {
    environment: 'HubNet'
    region: 'australiaeast'
  }
}

// Create AU East Spoke VNet and use IPAM Pool for prefix allocation
resource auEastspokeVnet01 'Microsoft.Network/virtualNetworks@2024-07-01' = {
  name: 'MySpokeVNet01-AUEast'
  location: location
  properties: {
    addressSpace: {
      ipamPoolPrefixAllocations: [
        {
          pool: {
            id: avnmIPAM.id
          }
          numberOfIpAddresses: 256 // requests a /24 prefix from the IPAM Pool. Azure will automatically assign a non-overlapping block of that size.
        }
      ]
    }
  }
  tags: {
    environment: 'production'
    region: 'australiaeast'
  }
}

Gotchas & Edge Cases

  • No retroactive allocations: You can only assign prefixes to VNets that opt in to IPAM. Existing VNets without IPAM are left untouched.
  • Enforcement isn’t universal: IPAM doesn’t stop someone from manually typing in a bad address — yet. Policy integration is coming.
  • Doesn’t manage public IPs: This is strictly private address space for now.
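
Because manually typed address spaces are not blocked, it is worth auditing the estate against the pool. The check below is an added example, not part of the original post: it runs over a constructed inventory (the `legacy-app-vnet`, `lab-vnet` and `typo-vnet` rows and the `ipam` flag are hypothetical; in practice the rows would come from an export of your VNet address spaces) and flags malformed CIDRs, overlapping VNets, and non-IPAM VNets sitting inside or outside pool space. IPv4 only.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: the pool prefix matches the page's Bicep example,
# the inventory rows stand in for an export of VNet address spaces.
POOL_PREFIXES = ["10.1.0.0/16"]
VNETS = [
    {"name": "MyHubVNet-AUEast", "prefixes": ["10.1.0.0/24"], "ipam": True},
    {"name": "MySpokeVNet01-AUEast", "prefixes": ["10.1.1.0/24"], "ipam": True},
    {"name": "legacy-app-vnet", "prefixes": ["10.1.1.128/25"], "ipam": False},
    {"name": "lab-vnet", "prefixes": ["192.168.0.0/24"], "ipam": False},
    {"name": "typo-vnet", "prefixes": ["10.1.5.1/24"], "ipam": False},
]


def audit(pool_prefixes, vnets):
    """Return sorted (finding, vnet, detail) tuples for an address inventory."""
    pools = [ipaddress.ip_network(p) for p in pool_prefixes]
    findings, parsed = [], []
    for vnet in vnets:
        for prefix in vnet["prefixes"]:
            try:
                net = ipaddress.ip_network(prefix)  # strict: host bits must be 0
            except ValueError:
                findings.append(("invalid-cidr", vnet["name"], prefix))
                continue
            parsed.append((vnet["name"], vnet["ipam"], net))

    # Overlapping ranges block peering between the two VNets.
    for (name_a, _, net_a), (name_b, _, net_b) in combinations(parsed, 2):
        if name_a != name_b and net_a.overlaps(net_b):
            findings.append(("overlap", name_a, f"{net_a} vs {name_b} {net_b}"))

    # Manually addressed VNets: either sitting in pool space or untracked.
    for name, ipam_managed, net in parsed:
        if ipam_managed:
            continue
        in_pool = any(net.overlaps(pool) for pool in pools)
        kind = "manual-in-pool" if in_pool else "untracked"
        findings.append((kind, name, str(net)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(POOL_PREFIXES, VNETS):
        print(*finding, sep="\t")
```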

Best Practices

  • Plan your hierarchy early: Define parent blocks at /16 or similar size for long-term flexibility.
  • One IPAM Pool per environment or region: Keeps things clean and logically segmented.
  • Automate allocations: Use Bicep or Terraform to keep it consistent.
  • Enable IPAM with NetOps, not after: This isn’t a bolt-on; make it part of your standard network provisioning flow.
🍺
Brewed Insight: IPAM in AVNM isn’t flashy, but it solves a problem almost every serious Azure deployment hits eventually. The lack of centralised IP tracking was a blind spot – this fixes it, cleanly and natively. More importantly: it keeps networking out of Excel. That alone deserves a toast.
