Azure Migration and Modernization Blog

Connect to Azure VMware Solution (AVS) using VPN

CarlosV
Sep 15, 2020

By: Trevor Davis (tredavis) and Carlos Villuendas (CarlosV)

 

Challenge

 

ExpressRoute is the preferred method to connect the customer's on-premises environment to Azure VMware Solution (AVS), but what happens if you do not have access to ExpressRoute?

 

Solution

 

Connect your on-premises site to AVS using VPN and Azure Virtual WAN.

 

Azure Virtual WAN allows transit connectivity between VPN and ExpressRoute. This implies that VPN-connected sites can communicate with ExpressRoute-connected sites.

Reference: https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about#transit-er

 

NOTE: Azure VMware Solution (AVS) is connected to the Azure backbone via an ExpressRoute.

 

Architecture

 

 

Important points

 

  • VMware HCX is not supported by VMware over VPN. If the customer intends to migrate workloads from on-premises to Azure VMware Solution (AVS), another migration tool needs to be used.
  • This configuration requires the standard Azure Virtual WAN type. Check this article for more details. 
  • When connecting Azure Virtual WAN to a virtual network, make sure that the virtual network does not have any virtual network gateways. This is very important when planning the connection to an existing Azure environment. More details here.

 

Installation

 

After Azure VMware Solution is deployed, you can connect your on-premises environment to Azure VMware Solution (AVS) using VPN and Azure Virtual WAN following these steps.

 

  1. Create an Azure Virtual WAN.
  2. Create a hub.
  3. Create a site.
  4. Connect a VPN site to a hub.
  5. Connect a VNet to a hub (if needed).
  6. Connect the ExpressRoute circuit to a hub.

 

Steps 1 to 5 are covered in this article: Create a Site-to-Site connection using Azure Virtual WAN

Step 6 is covered in this article: Create an ExpressRoute association using Azure Virtual WAN

 

Installation notes:

 

  • Format the VPN configuration file to make it more readable.

To configure your on-premises VPN device, you will need to download the VPN configuration from the Azure portal (instructions here). The configuration file will look like the following image. Use VS Code to format the configuration file to look like the example in this article.

 

 

  • You can connect multiple virtual networks to the virtual WAN hub, even virtual networks from different Azure subscriptions.  
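
The formatting step can also be scripted. The following is an added example, not code from the original post: it pretty-prints the downloaded configuration and masks the pre-shared key, so the readable copy can go into a ticket or runbook without exposing the secret. The sample input is constructed, and its key names (`vpnSiteConnections`, `PSK`, and so on) are assumptions based on the documented Virtual WAN file layout; adjust them to match your download.

```python
import json

# Constructed sample, minified on one line like the portal download.
# Key names are an assumption (documented Virtual WAN layout); values are made up.
SAMPLE = (
    '[{"configurationVersion":{"LastUpdatedTime":"2020-09-15T00:00:00Z","Version":"example"},'
    '"vpnSiteConfiguration":{"Name":"onprem-site","IPAddress":"203.0.113.10"},'
    '"vpnSiteConnections":[{"hubConfiguration":{"AddressSpace":"10.1.0.0/24","Region":"West Europe",'
    '"ConnectedSubnets":["10.2.0.0/16","192.168.100.0/22"]},'
    '"gatewayConfiguration":{"IpAddresses":{"Instance0":"198.51.100.4","Instance1":"198.51.100.5"}},'
    '"connectionConfiguration":{"IsBgpEnabled":false,"PSK":"constructed-example-psk",'
    '"IPsecParameters":{"SADataSizeInKilobytes":102400000,"SALifeTimeInSeconds":3600}}}]}]'
)

SECRET_KEYS = {"psk"}  # compared case-insensitively

def redact(node):
    """Return a copy with every secret value masked, at any nesting depth."""
    if isinstance(node, dict):
        return {k: "***REDACTED***" if k.lower() in SECRET_KEYS else redact(v)
                for k, v in node.items()}
    if isinstance(node, list):
        return [redact(item) for item in node]
    return node

def format_config(raw, share_safe=True):
    """Pretty-print the config; by default the pre-shared key is masked first."""
    data = json.loads(raw)
    return json.dumps(redact(data) if share_safe else data, indent=2)

def device_summary(raw):
    """Collect what the on-premises VPN device needs, one entry per hub connection."""
    out = []
    for site in json.loads(raw):
        for conn in site.get("vpnSiteConnections", []):
            hub = conn.get("hubConfiguration", {})
            cc = conn.get("connectionConfiguration", {})
            out.append({
                "site": site.get("vpnSiteConfiguration", {}).get("Name"),
                "peer_ips": sorted(conn.get("gatewayConfiguration", {}).get("IpAddresses", {}).values()),
                "remote_prefixes": [hub.get("AddressSpace")] + hub.get("ConnectedSubnets", []),
                "bgp": cc.get("IsBgpEnabled"),
                "psk_present": bool(cc.get("PSK")),  # report presence only, never the value
            })
    return out

if __name__ == "__main__":
    print(format_config(SAMPLE))
    print(json.dumps(device_summary(SAMPLE), indent=2))
```

Keep the unredacted download itself in a secrets store or with restricted file permissions, since it contains the tunnel's pre-shared key in clear text.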

 

 

 

 

 

 

 

 

Updated Sep 15, 2020
Version 1.0

4 Comments

  • Jack_Chen1780
    Brass Contributor

    andreshidalgomora666 

     

    Based on https://learn.microsoft.com/en-us/azure/route-server/vmware-solution-default-route , VPN connection can work with an NVA.

     

    Note: the connection between AVS and VNET is still ExpressRoute, just the connection between OnPremises to VNET can be S2S VPN. I am wondering if there is a cost for the ExpressRoute network gateway and the ExpressRoute circuit between AVS and VNET? Hopefully at least the circuit should be free?

  • Jack_Chen1780
    Brass Contributor

    Current official document https://learn.microsoft.com/en-us/azure/azure-vmware/plan-private-cloud-deployment stated "Azure VMware Solution requires an Azure Virtual Network and an ExpressRoute circuit."

     

    Microsoft should update the official document to make it clear VPN is a supported option for HCX connection. I have a potential customer asking us to provide a plan to migrate on-premises VMware to Cloud VMware (Azure or AWS). They are in a South American country, and ExpressRoute or Direct Connect is not available from their country. If we follow the official doc, then we have to go with AWS, since AWS HCX connection is based on public Internet.

     

    CarlosV, I am wondering if you can confirm Virtual WAN is a must in this use case? Can we just use a standard virtual network gateway with custom routing? Or can we use an NVA like FortiGate?

     

    Thanks,