title: Limitations with Azure Virtual Network Manager
description: Learn about current limitations when you're using Azure Virtual Network Manager to manage virtual networks.
author: mbender-ms
ms.author: mbender
ms.service: virtual-network-manager
ms.topic: conceptual
ms.date: 07/18/2023
ms.custom: template-concept

Limitations with Azure Virtual Network Manager

This article provides an overview of the current limitations when you're using Azure Virtual Network Manager to manage virtual networks. Understanding these limitations can help you properly deploy an Azure Virtual Network Manager instance in your environment. The article covers topics like the maximum number of virtual networks, overlapping IP spaces, and the evaluation cycle for policy compliance.

General limitations

  • Cross-tenant support is available only when virtual networks are assigned to network groups with static membership.

  • Customers with more than 15,000 Azure subscriptions can apply an Azure Virtual Network Manager policy only at the subscription and resource group scopes. You can't apply a policy at a management group scope that is over the limit of 15,000 subscriptions. In this scenario, create assignments at a lower-level management group scope that has fewer than 15,000 subscriptions.

  • You can't add virtual networks to a network group when the Azure Virtual Network Manager custom policy enforcementMode element is set to Disabled.

  • Azure Virtual Network Manager policies don't support the standard evaluation cycle for policy compliance. For more information, see Evaluation triggers.

  • Moving the subscription where the Azure Virtual Network Manager instance exists to another tenant isn't supported.

Limitations for connected groups

  • A connected group can have up to 250 virtual networks. Virtual networks in a mesh topology are in a connected group, so a mesh configuration has a limit of 250 virtual networks.

  • Currently, connected groups don't support BareMetal.

  • You can have network groups with or without direct connectivity enabled in the same hub-and-spoke configuration, as long as the total number of virtual networks peered to the hub doesn't exceed 500 virtual networks.

    • If the network group peered to the hub has direct connectivity enabled, these virtual networks are in a connected group, so the network group has a limit of 250 virtual networks.
    • If the network group peered to the hub doesn't have direct connectivity enabled, the network group can have up to the total limit for a hub-and-spoke topology.
  • A virtual network can be part of up to two connected groups. For example, a virtual network:

    • Can be part of two mesh configurations.
    • Can be part of a mesh topology and a network group that has direct connectivity enabled in a hub-and-spoke topology.
    • Can be part of two network groups with direct connectivity enabled in the same or a different hub-and-spoke configuration.
  • You can have virtual networks with overlapping IP spaces in the same connected group. However, communication to an overlapped IP address is dropped.
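
The following pre-deployment check is an added example, not part of the original article or of any Azure tooling. It validates a planned topology against the connected-group limits listed above (250 virtual networks per connected group, two connected groups per virtual network) and reports overlapping address spaces, where traffic would be silently dropped. The input dictionaries, function name, and finding labels are assumptions made for illustration.

```python
import ipaddress
from collections import Counter
from itertools import combinations

# Limits taken from the list above.
MAX_VNETS_PER_CONNECTED_GROUP = 250
MAX_CONNECTED_GROUPS_PER_VNET = 2


def check_connected_groups(vnets, groups):
    """vnets: {vnet name: [CIDR, ...]}; groups: {connected group: [vnet names]}.
    Returns a list of finding tuples; an empty list means no limit is hit."""
    findings = []
    membership = Counter()
    for group, members in groups.items():
        members = sorted(set(members))
        membership.update(members)
        if len(members) > MAX_VNETS_PER_CONNECTED_GROUP:
            findings.append(("group-size", group, len(members)))
        # Overlapping prefixes are allowed, but traffic to the overlapped
        # addresses is dropped, so report every overlapping pair.
        for a, b in combinations(members, 2):
            for pa in map(ipaddress.ip_network, vnets[a]):
                for pb in map(ipaddress.ip_network, vnets[b]):
                    if pa.version == pb.version and pa.overlaps(pb):
                        findings.append(("overlap", group, a, b, str(pa), str(pb)))
    for vnet, count in sorted(membership.items()):
        if count > MAX_CONNECTED_GROUPS_PER_VNET:
            findings.append(("membership", vnet, count))
    return findings


# Constructed sample plan (hypothetical names and address spaces).
SAMPLE_VNETS = {
    "vnet-a": ["10.0.0.0/16"],
    "vnet-b": ["10.0.128.0/17", "192.168.0.0/24"],
    "vnet-c": ["10.1.0.0/16"],
}
SAMPLE_GROUPS = {
    "mesh-1": ["vnet-a", "vnet-b", "vnet-c"],
    "mesh-2": ["vnet-a", "vnet-c"],
    "hub-direct": ["vnet-a"],
}

if __name__ == "__main__":
    for finding in check_connected_groups(SAMPLE_VNETS, SAMPLE_GROUPS):
        print(finding)
```

Treat each mesh configuration and each hub-and-spoke network group with direct connectivity enabled as one entry in `groups`, since both count as connected groups.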

Limitations for security admin rules

  • The maximum number of IP prefixes in all security admin rules combined is 1,000.

  • The maximum number of admin rules in one level of Azure Virtual Network Manager is 100.
