When you’re planning to deploy a new Azure Virtual Network (VNet), you need to make sure the IP address space you want to use isn’t already in use somewhere else in your environment. Manually checking each VNet across subscriptions or management groups is tedious. Instead, you can use Azure Resource Graph with PowerShell to quickly search your environment and ensure VNet address space availability.
Simple example with Azure Resource Graph
Azure Resource Graph lets you query resources at scale across multiple subscriptions. It’s fast, efficient and perfect for tasks like validating whether an IP range is already in use.
You can get started quickly using the Azure portal:
- Go to the Azure portal and search for Resource Graph Explorer in the top search bar.
- Open Resource Graph Explorer. This is the interface where you can run queries across your Azure resources.
- Run a sample query by pasting in the following to list all virtual networks and their address spaces:
resources
| where type == "microsoft.network/virtualnetworks"
| project name, location, addressPrefixes=properties.addressSpace.addressPrefixes
The results appear immediately. You can view the details of each resource, copy them, or export them to CSV.

Use PowerShell to validate the availability of address spaces
This simple PowerShell cmdlet wraps an Azure Resource Graph query and uses Search-AzGraph from the Az PowerShell module to execute it. Building on the query example above, it checks for any existing VNets that use or overlap with a given address space.
When the address space is already used by another virtual network, information about that virtual network is returned. When the cmdlet returns nothing, the address space is still available in the part of your Azure tenant that was searched, which is the management group scope given by ParentScopeId. Azure Resource Graph only returns resources that the signed-in identity has read access to, so run the check with an account that can see every subscription in that scope.
function Get-VirtualNetworkAddressSpace {
    param (
        [Parameter(Mandatory = $true,
            HelpMessage = "Specifies the CIDR notation to check for free IP ranges.")]
        [ValidatePattern('^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$',
            ErrorMessage = "Value must be in CIDR notation (e.g., '192.168.1.0/24').")]
        [string]$CIDR,
        [Parameter(Mandatory = $false,
            HelpMessage = "Specifies the parent management group scope to search in.")]
        [string]$ParentScopeId = "357cc3a1-fb43-40f9-a4ab-2706991b77c6" # Set a default Management Group scope.
    )
    begin {
        # Prepare the KQL query to search virtual networks under a management group scope and combine subscription info.
        $kql = "resources
            | where type == 'microsoft.network/virtualnetworks'
            | join kind=inner ( resourcecontainers
                | where type == 'microsoft.resources/subscriptions'
                | where properties['managementGroupAncestorsChain'] has '$ParentScopeId'
                | project subscriptionName = name, subscriptionId) on subscriptionId
            | mv-expand addressPrefix = properties.addressSpace.addressPrefixes
            | extend addressSpace = tostring(addressPrefix)
            | extend result = ipv4_is_match(addressSpace, '$CIDR')
            | where result == 1
            | project subscriptionName, vnetName = name, addressSpace"
    }
    process {
        # Use the search cmdlet in combination with the query to look for a vnet with the given CIDR.
        try {
            [object]$virtualNetwork = Search-AzGraph -Query $kql
        }
        catch {
            throw $_
        }
    }
    end {
        # Returns a virtual network when CIDR is in the address space, returns nothing when CIDR is available.
        return $virtualNetwork
    }
}
To use the custom cmdlet for yourself, make sure to change the following items in the code:
- ParentScopeId: Be sure to add your own default Management Group scope. When the cmdlet is being used without this parameter, the query will search in this scope by default.
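The ipv4_is_match call in the query compares two prefixes under the shorter of their masks, which makes it an overlap test rather than an equality test. The following is an added example, not code from the original post, that runs the same overlap check locally and also rejects values the ValidatePattern regex lets through (octets above 255, prefixes above 32). The function names ConvertTo-CidrRange and Test-CidrOverlap are hypothetical and the sample prefixes are constructed.

```powershell
# Added example: helper names are hypothetical, sample prefixes are constructed.
function ConvertTo-CidrRange {
    param([Parameter(Mandatory)][string]$Cidr)

    # Same shape check as the post's ValidatePattern.
    if ($Cidr -notmatch '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$') {
        throw "Invalid IPv4 CIDR: '$Cidr'"
    }
    $address, $prefixText = $Cidr -split '/', 2
    $prefix = [int]$prefixText
    $ip = $null
    # Stricter than the regex alone: octets must be <= 255 and the prefix <= 32.
    if (-not [System.Net.IPAddress]::TryParse($address, [ref]$ip) -or $prefix -gt 32) {
        throw "Invalid IPv4 CIDR: '$Cidr'"
    }

    # Convert the address to a number, then snap it to the start of its block.
    [long]$value = 0
    foreach ($octet in $ip.GetAddressBytes()) { $value = $value * 256 + $octet }
    [long]$size  = [long][math]::Pow(2, 32 - $prefix)
    [long]$start = $value - ($value % $size)

    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + $size - 1 }
}

function Test-CidrOverlap {
    param(
        [Parameter(Mandatory)][string]$Candidate,
        [Parameter(Mandatory)][string]$Existing
    )
    $a = ConvertTo-CidrRange -Cidr $Candidate
    $b = ConvertTo-CidrRange -Cidr $Existing
    # Two blocks overlap when each one starts before the other ends.
    return ($a.Start -le $b.End) -and ($b.Start -le $a.End)
}

# Constructed sample data: candidates inside, around and next to existing ranges.
$existing   = '10.0.0.0/16', '10.10.4.0/22', '172.16.0.0/24'
$candidates = '10.0.5.0/24', '10.10.0.0/21', '10.10.8.0/24', '172.16.1.0/24'

foreach ($candidate in $candidates) {
    $hits = $existing | Where-Object { Test-CidrOverlap -Candidate $candidate -Existing $_ }
    [pscustomobject]@{ Candidate = $candidate; OverlapsWith = ($hits -join ', ') }
}
```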
Conclusion
Azure Resource Graph with PowerShell can be used to quickly search for existing virtual networks (VNets) and avoid IP address conflicts when deploying a new VNet. A custom PowerShell cmdlet can validate the availability of a given address space by checking for overlapping VNets.
Key points discussed in this post:
- Purpose of Azure Resource Graph: To query resources at scale across multiple subscriptions, efficiently checking for IP address conflicts in VNets.
- Issue of IP Address overlap: Deploying a new VNet with an overlapping IP address space can cause networking issues, especially in hub-spoke or Virtual WAN setups.
- PowerShell solution: Using the Search-AzGraph cmdlet with an Azure Resource Graph query allows for quick validation of IP address availability for new VNets.