Thank you for reaching out.
I understand you are looking for ways to define connection rules in Virtual Networks/Subnets/security Zones for different applications to communicate with each other using specific attributes such as source, destination, service, protocol, etc. on a large scale.
Based on my understanding above I think you can explore the option of using Azure Virtual Network manager. Azure Virtual Network Manager is a management service that enables you to group, configure, deploy, and manage virtual networks globally across subscriptions. With Virtual Network Manager, you can define network groups to identify and logically segment your virtual networks. Then you can determine the connectivity and security configurations you want and apply them across all the selected virtual networks in network groups at once.
Below are some of the key benefits of AVNM:
- Centrally manage connectivity and security policies globally across regions and subscriptions.
- Enable direct connectivity between spokes in a hub-and-spoke configuration without the complexity of managing a mesh network.
- Highly scalable and highly available service with redundancy and replication across the globe.
- Ability to create network security rules that override network security group rules.
- Low latency and high bandwidth between resources in different virtual networks using virtual network peering.
- Roll out network changes through a specific region sequence and frequency of your choosing.
Given in your scenario above, you can use AVNM to create different network groups to meet the security requirements of your environment and its functions. For example, you can create network groups for your Production and Test environments to manage their connectivity and security rules at scale. For security rules, you'd create a security admin configuration with two security admin rule collections, each targeted on your Production and Test network groups, respectively. Once deployed, this configuration would enforce one set of security rules for network resources in your Production environment, and one set for Test environment.
Another service I think which you can explore in Azure Firewall manager. Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters. Azure Firewall allows you to create Hierarchical policies to centrally manage Azure Firewall policies across multiple secured virtual hubs. You can deploy firewall policies based on teams in your organization as shown below.
Additional references:
https://zcusa.951200.xyz/en-us/azure/firewall-manager/rule-hierarchy
https://zcusa.951200.xyz/en-us/azure/firewall-manager/policy-overview
https://zcusa.951200.xyz/en-us/azure/firewall-manager/fqdn-filtering-network-rules
Hope this helps! Please let me know if you have any additional questions. Thank you!
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.