Options for network connectivity with AVS
There are many options for network connectivity when it comes to Azure VMware Solution. This post reviews utilizing an NVA to inspect all AVS traffic.
Network Architecture
This scenario is ideal if:
- You need to use your third-party firewall NVAs in a hub virtual network to inspect all traffic, and you can't use Global Reach for geopolitical or other reasons.
- You are between on-premises datacenters and Azure VMware Solution.
- You are between Azure Virtual Network and Azure VMware Solution.
- You need internet ingress from Azure VMware Solution.
- You need internet egress to Azure VMware Solution.
- You need fine-grained control over firewalls outside the Azure VMware Solution private cloud.
- You need multiple public IP addresses for inbound services and need a block of predefined IP addresses in Azure. In this scenario, you don't own the public IP addresses.
*Note: You must disable ExpressRoute Global Reach in this scenario. The third-party NVAs are responsible for providing outbound internet to Azure VMware Solution.
This scenario assumes you have ExpressRoute connectivity between on-premises datacenters and Azure. You must disable ExpressRoute Global Reach in this scenario. The third-party NVAs are responsible for providing outbound internet to Azure VMware Solution.
Implement this scenario with:
- Third-party firewall NVAs hosted in a virtual network for traffic inspection and other networking functions.
- Azure Route Server, to route traffic between Azure VMware Solution, on-premises datacenters, and virtual networks.
- Application Gateway to provide L7 HTTP/S load balancing.
Considerations
- Never configure ExpressRoute Global Reach for this scenario, because it lets Azure VMware Solution traffic flow directly between Microsoft Enterprise Edge (MSEE) ExpressRoute routers, skipping the hub virtual network.
- Azure Route Server must be deployed in your hub VNet and BGP-peered with the NVAs in the transit VNet. Configure Azure Route Server to allow branch-to-branch connectivity.
- Custom route tables and user-defined routes are used to route traffic to/from Azure VMware Solution to the third-party firewall NVAs' load balancer. All HA modes (active/active and active/standby) are supported, with guaranteed routing symmetry.
- If you need high availability for NVAs, consult your NVA vendor documentation and deploy highly available NVAs.
In this video, Jason Medina - Sr Customer Engineer at Microsoft, will cover these scenarios and more.
What you will learn from this video:
- Why customers use this network topology.
- A breakdown of all architectural components needed to be deployed.
- Best practices to follow when deploying this scenario.
Stay tuned for more Azure VMware Solution network scenarios.
Special thanks to Jason Medina for taking the time to explain the scenario.
As always, please leave feedback so we can continue to improve and help you!
Amy Colyer
Resources:
- Scenario Reference: Enterprise-scale example architectures connectivity to Azure VMware Solution
- Reference Architecture: https://aka.ms/avsaccelerator
- Reference Implementation: https://aka.ms/avsenterprisescalerepo\
- Product page: Concepts - Network design considerations - Azure VMware Solution | Microsoft Learn
- Step-by-Step Guides:
- https://aka.ms/avs-nva - Uses example with a Cisco 8K NVA
- https://aka.ms/avs-er-nogr - Uses example with a Linux VM running Quagga