Forum Discussion
AVS LAB: Deploying AVS and Routing Internet Traffic via Hub Azure Firewall in Azure Virtual WAN Hub
LAB Overview:
AVS (Azure VMware Solution) is a Microsoft Azure service that enables organizations to run VMware workloads natively on Azure infrastructure. It provides a seamless and fully managed platform to migrate, extend, or modernize VMware-based environments while taking advantage of Azure's scalability, global reach, and integrated services.
AVS can be integrated with your on-premises and Azure-native environments. In this lab I show how AVS can be connected to an Azure Virtual WAN (hub-and-spoke topology).
Pre-requisite
Set up the Azure-native components that need to be integrated with AVS.
Here I have deployed an Azure Virtual WAN (hub-and-spoke topology) with the components below.
- Virtual WAN – Standard SKU
- A Hub
- Virtual Network connection to Jump Server VNet
- Point-to-Site VPN in the hub (connected to a personal laptop, which stands in for on-premises connectivity)
- ExpressRoute gateway in the hub
- Azure Firewall deployed in the hub
LAB Topology
Components Deployed in Azure Virtual WAN HUB
Create AVS Private cloud
Go to the Azure Portal, navigate to Azure VMware Solution and provide the details as below:
AVS Deployment: Azure Portal
Wait around 5 hours and your private cloud will be ready. Once it is ready, navigate to the Overview page and check the CIDR subnet distribution as shown below.
Create Express route connectivity to azure native environment
Go to your AVS-->Manage-->Connectivity-->ExpressRoute
Generate Authentication Key
Note the ExpressRoute authorization key and ID; both must be provided when connecting the ExpressRoute circuit to the ExpressRoute gateway deployed in the Virtual WAN hub. Treat the key as a secret: anyone who holds it can link a gateway to your circuit, so do not leave it in screenshots, scripts or logs.
Go to the ExpressRoute gateway deployed in the vWAN hub and redeem the authorization key.
Log in to the jump server and check connectivity. You should be able to reach the vCenter and NSX URLs from both the VPN and the Azure VNet environments.
VCenter Login from Jump Server
NSX Login from jump server
Deploy DHCP, Network segments and VM
Go to AVS-->Workload Networking-->DHCP
Add a DHCP server, provide its IP address and save.
Go to AVS-->Workload Networking-->Segments
Add a segment by providing a name and a gateway IP.
Now deploy a test VM in VMware. There are multiple ways to deploy a VM;
I deployed a Linux VM using the OVF deployment option. You can choose any method you like.
After that, log in to the test VM.
Your VM should have been assigned an IP address from the range you defined for the segment. But if you try to reach the internet you will not be able to, because we have not provided internet connectivity yet.
Route Traffic to Azure Hub Firewall in Virtual WAN
There are three primary patterns for creating outbound access to the Internet from Azure VMware Solution and for enabling inbound Internet access to resources in your Azure VMware Solution private cloud.
- Internet Service hosted in Azure
- Azure VMware Solution Managed SNAT
- Azure Public IPv4 address to NSX Data Center Edge
Your requirements for security controls, visibility, capacity and operations drive the selection of the appropriate method for delivering Internet access to the Azure VMware Solution private cloud.
I am sending internet traffic to the Azure hub firewall (the "Internet Service hosted in Azure" pattern) because this is a common requirement: it puts AVS egress behind the same firewall policy, logging and inspection as the rest of the hub. The other two methods are easier to deploy; routing internet traffic through Azure involves more steps, which is why I am showing it in this demo.
To send traffic to the hub firewall, follow the process below.
Define a default route in the hub (0.0.0.0/0-->Firewall). This can be done either by defining the route manually or by using the option below:
vWAN-->hub1-->Routing-->Routing Intent and Routing Policies
You can see and edit the associated and propagated connections in the default route table settings:
vWAN-->hub1-->Routing-->Route Tables
Then verify that the routes show up properly in the route table:
vWAN-->hub1-->Routing-->Effective Routes
Now comes a very important step: by default an ExpressRoute connection does not propagate the default route. You need to explicitly change the setting below ("Propagate default route" on the ExpressRoute connection) so that the hub's default route is advertised to the AVS circuit.
Now you can see that the default route is propagated to the T0 gateway in AVS. Use the path below to download the routing and forwarding tables of the T0 gateway.
Now you will be able to reach the internet from the test VM. The traffic now passes through the hub firewall, so the firewall policy must contain a rule that allows outbound traffic from the AVS segment; Azure Firewall denies anything that no rule permits.
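The ExpressRoute connection steps above (generate and redeem the authorization key, then enable default-route propagation on the connection) and the hub routing step (routing intent sending Internet-bound traffic to the hub firewall) expressed as Azure CLI calls driven from Python. This is an added example, not part of the original lab: the resource names, subscription ID and network block are placeholders (assumptions), and `dry_run=True` only builds the argument lists so the sequence can be inspected without an Azure login. Passing the authorization key on the command line exposes it in process listings; in a real pipeline read it from a secret store instead.

```python
"""Hypothetical az-CLI driver for the lab's ExpressRoute and hub-routing steps.
All resource names are placeholders (assumptions), not the original lab's resources."""
import json
import shutil
import subprocess

SUB = "00000000-0000-0000-0000-000000000000"      # placeholder subscription ID
RG = "rg-avs-lab"                                 # assumed resource group
LOCATION = "eastus"                               # assumed region
PRIVATE_CLOUD = "avs-lab-sddc"                    # assumed private-cloud name
HUB = "hub1"                                      # hub name used in the lab
ER_GATEWAY = "hub1-ergw"                          # assumed ExpressRoute gateway name in the hub
FIREWALL_ID = (f"/subscriptions/{SUB}/resourceGroups/{RG}"
               "/providers/Microsoft.Network/azureFirewalls/hub1-fw")  # assumed hub firewall


def az(args, dry_run=False):
    """Run one az command with JSON output; return parsed JSON, or the argv when dry_run."""
    cmd = ["az", *args, "--output", "json"]
    if dry_run:
        return cmd
    proc = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def create_private_cloud(network_block="10.100.0.0/22", dry_run=False):
    """Deploy the private cloud (hours-long). Managed SNAT stays disabled, so egress
    must go via the hub firewall exactly as in the lab."""
    return az(["vmware", "private-cloud", "create", "-g", RG, "-n", PRIVATE_CLOUD,
               "-l", LOCATION, "--sku", "av36", "--cluster-size", "3",
               "--network-block", network_block, "--internet", "Disabled"], dry_run)


def create_er_authorization(name="vwan-hub1-auth", dry_run=False):
    """Generate the ExpressRoute authorization (key + ID) on the AVS circuit."""
    return az(["vmware", "authorization", "create", "-g", RG,
               "--private-cloud", PRIVATE_CLOUD, "-n", name], dry_run)


def private_peering_id(circuit_id):
    """The vWAN connection targets the circuit's private peering, not the circuit itself."""
    return f"{circuit_id}/peerings/AzurePrivatePeering"


def connect_er_gateway(peering_id, auth_key, dry_run=False):
    """Redeem the key on the hub ER gateway. `--internet-security true` is the CLI name
    of the 'Propagate default route' switch: without it the hub's 0.0.0.0/0 is never
    advertised to AVS and the VMs stay offline."""
    return az(["network", "express-route", "gateway", "connection", "create", "-g", RG,
               "--gateway-name", ER_GATEWAY, "-n", "avs-connection",
               "--peering", peering_id, "--authorization-key", auth_key,
               "--internet-security", "true"], dry_run)


def routing_policies(firewall_id=FIREWALL_ID):
    """Routing intent policy: Internet-bound traffic from every hub connection -> Azure Firewall."""
    return [{"name": "InternetTraffic", "destinations": ["Internet"], "next-hop": firewall_id}]


def routing_intent(firewall_id=FIREWALL_ID, dry_run=False):
    """Create the hub routing intent (assumes the CLI accepts the policy list as inline JSON)."""
    return az(["network", "vhub", "routing-intent", "create", "-g", RG, "--vhub", HUB,
               "-n", "hub1-intent", "--routing-policies", json.dumps(routing_policies(firewall_id))],
              dry_run)


def deploy(dry_run=False):
    """Run the whole sequence; returns the (circuit ID, authorization key) used for the connection."""
    create_private_cloud(dry_run=dry_run)
    auth = create_er_authorization(dry_run=dry_run)
    if dry_run:  # placeholder values so the sequence can be walked without Azure
        circuit_id = (f"/subscriptions/{SUB}/resourceGroups/{RG}"
                      "/providers/Microsoft.Network/expressRouteCircuits/avs-circuit")
        key = "<auth-key>"
    else:
        circuit_id = az(["vmware", "private-cloud", "show", "-g", RG, "-n", PRIVATE_CLOUD,
                         "--query", "circuit.expressRouteId"])
        key = auth["expressRouteAuthorizationKey"]
    connect_er_gateway(private_peering_id(circuit_id), key, dry_run=dry_run)
    routing_intent(dry_run=dry_run)
    return circuit_id, key


if __name__ == "__main__":
    # Real run only when the az CLI is installed and logged in; otherwise walk it dry.
    deploy(dry_run=shutil.which("az") is None)
```

The routing intent replaces the manual 0.0.0.0/0 static route and applies to every connection in the hub, which is why the ExpressRoute connection still needs its own propagation switch turned on.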
Note
Deploying AVS and integrating it with Azure and on-premises environments involves multiple steps and routing complexities. Be very careful with routing: integrating hybrid and cloud environments brings additional routing complexity, and there is a chance of unnecessary route propagation, which can be restricted using route filters. Verify the effective routes after every change rather than assuming the default route landed where you intended.
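A small audit over the hub's effective routes and the ExpressRoute connection, so the "default route via firewall" state and the unnecessary-propagation concern above are checked rather than assumed. This is an added example, not part of the original lab: the JSON below is constructed to mimic the shape of `az network vhub get-effective-routes` and `az network express-route gateway connection show` output for this lab's topology, and the field names and address ranges are assumptions.

```python
"""Audit helpers for the hub route table after the AVS integration (added example).
Sample data is constructed; field names mirror the assumed az CLI JSON shape."""
import ipaddress

SUB = "00000000-0000-0000-0000-000000000000"  # placeholder subscription ID
BASE = f"/subscriptions/{SUB}/resourceGroups/rg-avs-lab/providers/Microsoft.Network"
FW_ID = f"{BASE}/azureFirewalls/hub1-fw"                                              # assumed hub firewall
ER_CONN = f"{BASE}/expressRouteGateways/hub1-ergw/expressRouteConnections/avs-connection"  # assumed ER connection
VNET_CONN = f"{BASE}/virtualHubs/hub1/hubVirtualNetworkConnections/jump-vnet"          # assumed VNet connection

# Constructed sample: hub1 defaultRouteTable effective routes once routing intent and
# ER default-route propagation are in place. 10.200.0.0/16 is a stray advertisement
# from the AVS side that nobody asked for.
EFFECTIVE_ROUTES = {"value": [
    {"addressPrefixes": ["0.0.0.0/0"], "nextHops": [FW_ID], "nextHopType": "Azure Firewall",
     "asPath": "", "routeOrigin": "Default"},
    {"addressPrefixes": ["10.100.0.0/22"], "nextHops": [ER_CONN], "nextHopType": "ExpressRoute Gateway",
     "asPath": "65515-398656", "routeOrigin": ER_CONN},   # AVS management block
    {"addressPrefixes": ["10.100.10.0/24"], "nextHops": [ER_CONN], "nextHopType": "ExpressRoute Gateway",
     "asPath": "65515-398656", "routeOrigin": ER_CONN},   # NSX workload segment
    {"addressPrefixes": ["10.200.0.0/16"], "nextHops": [ER_CONN], "nextHopType": "ExpressRoute Gateway",
     "asPath": "65515-398656", "routeOrigin": ER_CONN},   # unexpected prefix
    {"addressPrefixes": ["10.1.0.0/16"], "nextHops": [VNET_CONN], "nextHopType": "Virtual Network Connection",
     "asPath": "", "routeOrigin": VNET_CONN},             # jump server VNet
]}

# Constructed sample: the ER connection object. enableInternetSecurity is the
# property behind the 'Propagate default route' switch.
ER_CONNECTION = {"name": "avs-connection", "enableInternetSecurity": True,
                 "expressRouteCircuitPeering": {"id": f"{BASE}/expressRouteCircuits/avs-circuit/peerings/AzurePrivatePeering"}}


def default_routes(routes):
    return [r for r in routes["value"] if "0.0.0.0/0" in r["addressPrefixes"]]


def default_route_via_firewall(routes):
    """True only if exactly one default route exists and every next hop is an Azure Firewall resource.
    Two default routes (e.g. a leftover static one) is a misconfiguration, not a pass."""
    d = default_routes(routes)
    return len(d) == 1 and all("/azureFirewalls/" in h for h in d[0]["nextHops"])


def prefixes_via(routes, next_hop_id):
    """All prefixes learned through one connection (here: what AVS is advertising to the hub)."""
    return sorted(p for r in routes["value"] if next_hop_id in r["nextHops"] for p in r["addressPrefixes"])


def unexpected_prefixes(routes, allowed):
    """Non-default prefixes outside every allowed range: candidates for a route filter
    rather than something to accept silently into the hub."""
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    found = []
    for r in routes["value"]:
        for p in r["addressPrefixes"]:
            net = ipaddress.ip_network(p)
            if net.prefixlen == 0:
                continue
            if not any(net.version == a.version and net.subnet_of(a) for a in allowed_nets):
                found.append(p)
    return sorted(found)


def er_propagates_default(conn):
    """The 'Propagate default route' switch on the ER connection, read from its JSON."""
    return conn.get("enableInternetSecurity") is True


def audit(routes=EFFECTIVE_ROUTES, conn=ER_CONNECTION, allowed=("10.100.0.0/16", "10.1.0.0/16")):
    """Return the findings; the target state is two True flags and an empty 'unexpected' list."""
    return {
        "default_via_firewall": default_route_via_firewall(routes),
        "er_propagates_default": er_propagates_default(conn),
        "avs_prefixes": prefixes_via(routes, ER_CONN),
        "unexpected": unexpected_prefixes(routes, allowed),
    }


if __name__ == "__main__":
    for name, value in audit().items():
        print(f"{name}: {value}")
```

Feed it the real output of `az network vhub get-effective-routes --resource-type RouteTable` and `az network express-route gateway connection show` instead of the constructed samples, and set `allowed` to the ranges you actually expect from AVS, the VNets and the P2S pool; anything in `unexpected` is what the route filter in the note should be removing.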