Azure Landing Zone Accelerator for AVS – Public IP at the NSX Edge
Published May 01 2024 02:38 PM 1,153 Views

Egress/Ingress natively from Azure VMware Solution via NSX-T or an NVA


This option enables Azure VMware Solution private cloud to directly consume and apply public network addresses in NSX-T Data Center for various connections:

  • Outbound SNAT
  • Inbound DNAT
  • Load balancing using VMware NSX Advanced Load Balancer and other third-party Network Virtual Appliances.
  • Terminate VPN connections directly in NSX.


Network Architecture 




This scenario is ideal if:

  • You must use the native NSX-T Data Center platform, so you need a PaaS deployment for Azure VMware Solution.
  • You need a bring-your-own-license (BYOL) NVA within Azure VMware Solution for traffic inspection.
  • You might or might not already have ExpressRoute connectivity between on-premises datacenters and Azure.
  • You need inbound HTTP/S or L4 services.

Note: Traffic from Azure VMware Solution to Azure Virtual Network, to the internet, and to on-premises data centers is routed through the NSX-T Data Center Tier-0/Tier-1 gateways or through Network Virtual Appliances (NVAs).


Azure VMware Solution Components


Tier-0 Gateway

  • Deployed during AVS deployment.
  • Establishes a BGP connection with the physical data center switches.
  • No need for additional configuration or modifications. 


Tier-1 Gateway

  • One Tier-1 gateway is deployed alongside AVS.
  • It has a logical connection back to the Tier-0 gateway.
  • Public IP addresses are assigned here.
  • Can function as a North/South firewall. 

Third-Party Firewall

  • Can replace the Tier-1 gateway as the North/South firewall.
  • Licensing is not included with AVS and appliance lifecycle are the customer’s responsibility.
  • Public IPs remain on the Tier-1 gateways.
  • Introduces additional complexity to the design.

East-West Firewall

  • Whether using Tier-1 or a third-party NVA, the NSX Distributed Firewall can still be used for East/West traffic.





Implement this scenario with: 

  • An NSX distributed firewall (DFW), or an NVA behind tier-1 in Azure VMware Solution.
  • Application Gateway to provide L7 load balancing.
  • L4 DNAT using Azure Firewall.
  • Internet breakout from Azure VMware Solution.



To enable internet access via the Azure portal, note that an outbound IP address may vary and is not fixed. Public IP addresses are external to the Network Virtual Appliance (NVA). Within the Azure VMware Solution, the NVA retains private IP addresses and does not assign the outbound public IP address.





What you will learn from this video:

  • Internet traffic for AVS workloads will natively egress out of AVS.
  • Native Azure resources maintain a separate connection to the internet egress, and do not use AVS for internet connectivity.
  • Terminate VPNs directly to AVS
  • You can choose either a Tier-1 Gateway or a third-party NVA as your North/South firewall.
  • Regardless of whether you use a third-party NVA, your Public IP addresses will reside on the Tier-1 Gateway.
  • For East/West traffic, utilize the NSX Distributed Firewall.
  • For your AVS workload, you have the option to use third-party load balancers or the NSX Advanced Load Balancer for handling ingress traffic.

In this video, Jason Medina - Sr Customer Engineer at Microsoft, will cover this scenario.



Stay tuned for more Azure VMware Solution network scenarios!


Special thanks to Jason Medina for taking the time to explain the scenario.  As always, please leave feedback so we can continue to improve and help you!

Amy Colyer 



Version history
Last update:
‎May 01 2024 02:38 PM
Updated by: