Azure Landing Zone Accelerator for AVS - Using a Central Hub in Azure
Published Jun 22 2023 05:00 AM
Microsoft

Options for network connectivity with AVS

There are many options for network connectivity when it comes to Azure VMware Solution (AVS). This post reviews using a central hub network in Azure as the transit point between on-premises, AVS and the Azure virtual networks that host your workloads.

 

Network Architecture

[Figure: network architecture diagram for AVS connectivity through a central hub VNet]

  • Use ExpressRoute for maximum bandwidth from on-premises; a site-to-site VPN is also an option when bandwidth requirements are modest.
  • Use ExpressRoute Global Reach to exchange routes between on-premises and AVS. Global Reach links the on-premises ExpressRoute circuit to the AVS ExpressRoute circuit so the two sites reach each other without traversing the hub.
  • Deploy Azure Route Server in the hub and peer it over BGP with the BGP-capable firewall(s)/NVA, so routes are exchanged dynamically instead of being maintained as static UDRs.
  • Enable ExpressRoute FastPath so that traffic bypasses the ExpressRoute gateway and is no longer limited by the gateway SKU's throughput, improving data-path performance.

 

With a traditional hub and spoke, the firewall (NVA) has to be inserted in both directions explicitly, because VNet peering and the ExpressRoute gateway will otherwise deliver traffic directly. In the Hub VNet, associate a route table with the GatewaySubnet that contains a User-Defined Route (UDR) for each spoke address space with a next hop of the NVA's private IP (or the frontend of the internal load balancer in front of several NVAs). Traffic arriving from on-premises or AVS over the gateway is then steered through the firewall before it reaches the spoke. The return path has to be handled separately: by default a spoke subnet learns the gateway's BGP routes through VNet peering and sends return traffic straight to the gateway, bypassing the firewall. On the spoke's route table, disable BGP route propagation so those routes are not learned, then add a default UDR (0.0.0.0/0) with a next hop of the NVA so the return traffic goes back through the firewall. Both halves are required; forcing only one direction produces asymmetric routing, and a stateful firewall will drop the half of the flow it never saw.
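The two route tables described above, written out as an added Bicep example. This is not code from the original post or from the Azure Landing Zone Accelerator; the resource names, spoke prefixes and NVA address are illustrative assumptions, and associating the tables with the GatewaySubnet and spoke subnets is done separately.

```bicep
// Added example, not code from the original post or the Azure Landing Zone
// Accelerator: the two route tables that force AVS/on-premises <-> spoke
// traffic through the firewall in a traditional hub and spoke. Resource
// names, prefixes and the NVA address are illustrative assumptions.

@description('Region for the route tables')
param location string = resourceGroup().location

@description('Private IP of the firewall/NVA (assumed). Use the internal load balancer frontend when running more than one appliance.')
param nvaIp string = '10.0.1.4'

@description('Address spaces of the spoke VNets whose traffic must be inspected (assumed)')
param spokePrefixes array = [
  '10.1.0.0/16'
  '10.2.0.0/16'
]

// 1. Route table for the hub GatewaySubnet. Traffic that arrives from
//    on-premises or AVS over the ExpressRoute gateway and is destined to a
//    spoke is sent to the NVA instead of straight across VNet peering.
//    BGP propagation stays enabled here so the gateway still learns the
//    on-premises and AVS prefixes it needs.
resource gatewaySubnetRt 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-hub-gatewaysubnet'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: [for (prefix, i) in spokePrefixes: {
      name: 'to-spoke-${i}-via-nva'
      properties: {
        addressPrefix: prefix
        nextHopType: 'VirtualAppliance'
        nextHopIpAddress: nvaIp
      }
    }]
  }
}

// 2. Route table for the spoke workload subnets. Disabling BGP propagation
//    stops the spoke from learning the gateway's routes via peering (which
//    would send return traffic directly to the gateway, bypassing the
//    firewall); the default route then pushes everything to the NVA.
resource spokeRt 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-spoke-workloads'
  location: location
  properties: {
    disableBgpRoutePropagation: true // the setting that closes the bypass
    routes: [
      {
        name: 'default-via-nva'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: nvaIp
        }
      }
    ]
  }
}

output gatewaySubnetRouteTableId string = gatewaySubnetRt.id
output spokeRouteTableId string = spokeRt.id
```

Associate rt-hub-gatewaysubnet with the hub's GatewaySubnet and rt-spoke-workloads with every spoke workload subnet (for example with `az network vnet subnet update --route-table`). Do not associate the spoke table with the NVA's own subnet, or its default route loops back to itself, and make sure IP forwarding is enabled on the NVA's NIC. Verify the result with `az network nic show-effective-route-table` on a spoke VM: with BGP propagation disabled, the only path to on-premises and AVS prefixes should be the 0.0.0.0/0 entry with next hop type VirtualAppliance.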

 

When to use Secured Hub vWAN with Traditional Hub & Spoke

 

Azure Virtual WAN (vWAN) can be used instead of a traditional Hub VNet, or alongside it, to provide transit between AVS, Azure virtual networks and on-premises. vWAN is a good fit when you want Azure Firewall in the hub, or for large multi-site and multi-region deployments with several ExpressRoute and VPN connections. A separate Hub VNet can still host functions the vWAN hub does not, such as a third-party network virtual appliance that routes or filters traffic, and Layer-7 services such as Application Gateway with Web Application Firewall (WAF), DNS-based traffic steering with Traffic Manager, or Azure DDoS Protection.

 

[Figure: Secured Virtual WAN hub alongside a traditional hub and spoke]

 

  • Azure vWAN is a managed service: transit between its ExpressRoute, VPN and SD-WAN connections and AVS is built into the hub's router, so there is no need for Azure Route Server.
  • Deploying Azure Firewall into a vWAN hub turns it into a Secured Virtual Hub, with no third-party appliance required.

*Note: Where ExpressRoute Global Reach is not available, vWAN with routing intent can be used instead: a private-traffic routing policy sends traffic between the ExpressRoute circuits connected to the secured hub(s) through Azure Firewall, giving inspected transit between on-premises and AVS. For more information, see How to configure Virtual WAN Hub routing policies - Azure Virtual WAN.
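An added Bicep example of the configuration the note describes, not code from the original post: a Virtual WAN hub with Azure Firewall (a Secured Virtual Hub) and a routing intent resource that sends private and internet-bound traffic through the firewall. The names, hub address prefix and API version are assumptions, and the ExpressRoute gateway and circuit connections to the hub are not shown.

```bicep
// Added example, not from the original post: a Virtual WAN hub with Azure
// Firewall (a Secured Virtual Hub) and a routing intent resource so that
// private traffic between the hub's connections, including ExpressRoute to
// ExpressRoute, and internet-bound traffic are routed through the firewall.
// Names, the hub prefix and the API version are assumptions; the ExpressRoute
// gateway and circuit connections to the hub are not shown.

param location string = resourceGroup().location
param hubName string = 'vhub-region1'
param hubAddressPrefix string = '10.100.0.0/23' // assumed; at least a /24

resource vwan 'Microsoft.Network/virtualWans@2023-04-01' = {
  name: 'vwan-avs'
  location: location
  properties: {
    type: 'Standard'
  }
}

resource vhub 'Microsoft.Network/virtualHubs@2023-04-01' = {
  name: hubName
  location: location
  properties: {
    virtualWan: { id: vwan.id }
    addressPrefix: hubAddressPrefix
    sku: 'Standard'
  }
}

resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' = {
  name: 'afwp-${hubName}'
  location: location
  properties: {
    sku: { tier: 'Standard' }
  }
}

// Deploying Azure Firewall into the hub is what makes it a Secured Virtual Hub.
resource azfw 'Microsoft.Network/azureFirewalls@2023-04-01' = {
  name: 'afw-${hubName}'
  location: location
  properties: {
    sku: { name: 'AZFW_Hub', tier: 'Standard' }
    hubIPAddresses: { publicIPs: { count: 1 } }
    virtualHub: { id: vhub.id }
    firewallPolicy: { id: fwPolicy.id }
  }
}

// Routing intent: 'PrivateTraffic' covers the private address ranges learned
// over ExpressRoute, VPN and VNet connections (so ER-to-ER transit is
// inspected instead of relying on Global Reach); 'Internet' covers 0.0.0.0/0.
resource routingIntent 'Microsoft.Network/virtualHubs/routingIntent@2023-04-01' = {
  parent: vhub
  name: 'hubRoutingIntent'
  properties: {
    routingPolicies: [
      {
        name: 'PrivateTraffic'
        destinations: [ 'PrivateTraffic' ]
        nextHop: azfw.id
      }
      {
        name: 'InternetTraffic'
        destinations: [ 'Internet' ]
        nextHop: azfw.id
      }
    ]
  }
}

output hubId string = vhub.id
output firewallId string = azfw.id
```

Apply the same routing intent in every secured hub that terminates an ExpressRoute circuit you want to transit through. Routing intent manages the hub's route tables itself, so custom route tables in that hub have to be removed before it can be enabled, and the firewall policy still needs network rules that permit the on-premises and AVS prefixes; routing intent only steers the traffic to the firewall, it does not allow it.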

 

 

In this video, Sabine Blair, Sr Cloud Solution Architect at Microsoft, covers these scenarios and more.

 

What you will learn from this video:

  • Connecting to AVS from on-premises over a WAN, VPN, or ExpressRoute circuit.
  • How to exchange routes between a VPN gateway and an ExpressRoute gateway.
  • Centralizing routes and inspecting traffic with a network virtual appliance.
  • Reducing the number of User-Defined Routes (UDRs) by using Azure Route Server.

 

 

Stay tuned for more Azure VMware Solution network scenarios.

 

Special thanks to Sabine Blair for taking the time to explain the scenario.

 

As always, please leave feedback so we can continue to improve and help you!

Amy Colyer 

 

Last update: Jun 22 2023 08:23 AM