Azure VMware Solution
New Automation enhancements in AVS Landing Zone for Migration-Ready Infrastructure
Azure VMware Solution (AVS) Landing Zone offers PowerShell automation scripts that streamline deployment and management of key AVS components—jumpbox for secure access, HCX Connector for hybrid connectivity, and HCX Service Mesh for workload mobility—enabling consistent, repeatable setups that reduce manual effort, improve operational readiness, and accelerate migration timelines across multiple environments and regions.

HCX 4.11.0 Upgrade and What it means for Current HCX Users
Overview

Azure VMware Solution is a VMware validated first party Azure service from Microsoft that provides private clouds containing VMware vSphere clusters built from dedicated bare-metal Azure infrastructure. It enables customers to leverage their existing investments in VMware skills and tools, allowing them to focus on developing and running their VMware-based workloads on Azure. VMware HCX is the mobility and migration software used by the Azure VMware Solution to connect remote VMware vSphere environments to the Azure VMware Solution. These remote VMware vSphere environments can be on-premises, co-location or cloud-based instances.

Figure 1 – Azure VMware Solution with VMware HCX Service Mesh

Broadcom has announced the end-of-life (EOL) for VMware HCX version 4.10.x, effective July 27, 2025. To proactively address this change and ensure continued support, Microsoft will begin upgrading all Azure VMware Solution customers using HCX Manager to HCX version 4.11.0.

What changes are introduced as part of HCX 4.11.0?

With the release of HCX 4.11.0, Broadcom has made significant changes to the way HCX will be available for download and upgrades.

Local Mode

From HCX 4.11.0 onwards, HCX will only be available in local mode. This means that HCX systems running 4.11.0 or later will no longer receive upgrade notifications under the System updates section from Broadcom. Once HCX systems are upgraded to 4.11.0 using the offline bundle, they will operate in local mode only.

Connection to VMware & Hybridity Depot

As of 4.11.0, activation key-based licensing has been deprecated. Activation keys in HCX 4.11.0 will stop working 450 days after the upgrade to HCX 4.11.0 takes place. HCX systems running versions prior to 4.11.0 that are currently using activation keys will stop working when connect.hcx.vmware.com is decommissioned later this year.

Please note, the following HCX functionality is deprecated in HCX 4.11.0 and will be removed in a future release.
HCX 4.11.0 will no longer be supported as of December 24th, 2025. Customers should plan to migrate to an alternative solution at the earliest if they use any of the following features.

- HCX V2T Migration
- HCX WAN Optimization
- HCX Disaster Recovery
- vCenter Server Plug-in for HCX
- HCX UI – Tracking page in Migration interface

What actions will customers need to take?

To ensure a smooth migration, customers will be required to upgrade any paired HCX Connectors and Service Mesh appliances to HCX 4.11.0. Furthermore, customers may be required to execute a resync operation on each HCX Service Mesh on both the source and connector sides to ensure that no errors have occurred due to the upgrade. All Azure VMware Solution customers have now been notified of their preliminary scheduled upgrade date. Customers have the option to reschedule using the Azure VMware Solution portal but must complete this upgrade during US work hours before July 31. Microsoft will only upgrade the HCX Cloud Manager; the on-prem HCX Manager and Service Mesh appliances will need to be upgraded by the customer. Once upgraded, customers will find previous and current versions of the HCX Connector bundles, including HCX 4.11.0, in their vSAN datastore for cluster-1, under a folder named “AVS_Official_HCX_Connector_Binaries”. The HCX 4.11.0 bundle should be used by customers to upgrade their on-prem HCX Connector.

Summary

Microsoft is working towards upgrading all Azure VMware Solution customers that are using HCX by the end of July 2025. Customers are currently being notified of when their upcoming HCX upgrade will take place. For additional information on VMware HCX 4.11, please review the following Knowledge Base article from Broadcom: “Upgrade Bundle Download from 443 UI will Fail in All HCX versions prior to 4.11”. If you are interested in the Azure VMware Solution, please use these resources to learn more about the service.
- Homepage: Azure VMware Solution
- Learn: Run VMware resources on Azure VMware Solution Training
- Documentation: Azure VMware Solution
- Azure CLI: Azure Command-Line Interface (CLI) Overview
- PowerShell module: Az.VMware Module
- Terraform provider: azurerm_vmware_private_cloud Terraform Registry
- GitHub repository: Azure/azure-vmware-solution
- Cloud Adoption Framework: Introduction to the Azure VMware Solution adoption scenario
- Network connectivity scenarios: Enterprise-scale network topology and connectivity for Azure VMware Solution
- Enterprise Scale Landing Zone: Enterprise-scale for Microsoft Azure VMware Solution
- Enterprise Scale GitHub repository: Azure/Enterprise-Scale-for-AZURE VMWARE SOLUTIONS
- VMware homepage: VMware to Azure Migration Solutions
- VMware Ports and Protocols for HCX: VMware HCX - VMware Ports and Protocols

Author Bios

Ricky Perez is a Senior Technical Program Manager in the Azure VMware Solution product group at Microsoft. His background is in solution architecture with experience in public cloud and core infrastructure services.

Varun Hariharan is a Senior Product Manager on the Azure VMware Solution team at Microsoft, where he is focusing on observability and workload strategies for customers. His background is in Infrastructure as a Service (IaaS), log management, enterprise software, and DevOps.

Firewall integration in Azure VMware Solution
2020 has been a year like no other. In just a few months' time, businesses have transformed and have accelerated their efforts to migrate to the cloud. Following our announcement of Azure VMware Solution (AVS) last year, we have been helping customers accelerate this move to the cloud by providing an easy lift-and-shift migration. Although customers love having the same operational experience for VMware workloads and using familiar VMware technologies like vCenter, NSX Manager, HCX etc. in AVS, they also want to leverage the security integrations that they have invested in for years. Below are a few common questions that we get from customers around this topic.

- How can they use the same firewalls/tools that they have been using for years?
- How do they maintain the same security posture?
- How can they use the same firewall for both Azure and VMware workloads in AVS?

In this blog series, we plan to discuss native security options and 3rd party firewall integration with AVS, along with a deep dive into configuration details. First in the series, this blog summarizes the security options available at your disposal. Let’s start with the built-in security capabilities that you can leverage in AVS.

Built-in security/firewall with VMware NSX-T

VMware NSX-T is the default networking stack in AVS and it provides out-of-the-box security features that you can use to protect your workloads. Following are the capabilities that you can leverage.

Distributed Firewall (DFW) - A stateful L3-L7 firewall that powers micro-segmentation and runs on the ESXi hosts in your AVS private cloud. DFW rules are enforced at the vNIC level of a VM workload, which means that traffic is either allowed or dropped at the vNIC based on the rule you defined. So there is no more hair-pinning of that traffic through a centralized or perimeter firewall. From a feature standpoint, it is rich and allows you to define security rules using network or application constructs.
You could group the workloads using static membership (IPSet or NSX constructs like Segment etc.) or dynamic membership (VM tags, guest OS etc.). Even when you have a perimeter firewall, you should secure your East-West traffic.

Gateway Firewall - An L4-L7 aware stateful North-South firewall that can be configured on the NSX-T Tier-1 Gateway in AVS. It can also be used as an inter-tenant or inter-zone firewall, i.e. filtering traffic between different tenants of your organization, each with a dedicated Tier-1 Gateway.

Azure Firewall - A managed, stateful firewall with built-in HA and an SLA of 99.99% (when deployed in two or more availability zones). Customers can configure L3-L7 policies to filter traffic and take advantage of threat intelligence-based filtering to alert on and deny traffic from/to known malicious IP addresses and domains. Please refer to the Azure Firewall feature set here. If you are already using Azure Firewall capabilities deployed in Azure Virtual WAN to protect resources in VNETs, you can connect the same Virtual WAN hub over an ExpressRoute connection to AVS and route internet traffic from AVS to Azure Firewall.

Let's switch gears and talk about 3rd party firewall integration with Azure VMware Solution. There is a strong desire from customers to continue using the same firewall in AVS that they have been using in an on-premises datacenter. Based on the use case, you could deploy a 3rd party firewall NVA in the AVS private cloud or SDDC, or leverage a firewall from the Azure Marketplace. Let's double click on both options.

3rd Party firewall deployed as NVA in AVS private cloud or SDDC

Before we discuss this integration, it's important to understand the NSX-T deployment in an AVS private cloud. When you create a private cloud in AVS, a default NSX-T Tier-0 Gateway configured in Active/Active mode and a default NSX-T Tier-1 Gateway configured in Active/Standby mode are deployed for you.
Users can connect segments (logical switches) and provide East-West and North-South connectivity to the workloads connected on these segments. A 3rd party firewall NVA can be connected southbound to the default NSX-T Tier-1 Gateway, and this firewall can act as a North-South firewall or an East-West firewall depending upon your use case. This integration is supported in the following topologies.

Option 1: Workload segments are directly connected to the firewall, and the gateway for the workloads is the 3rd party firewall. This topology is restrictive for users with numerous segments, as the number of vNICs on the NVA becomes a limiting factor.

Option 2: Workload segments are connected to an isolated Tier-1, and this Tier-1 gateway provides northbound connectivity to a 3rd party firewall. This topology solves the problem of the limited number of vNICs on the NVA, as you can connect 100s of workload segments to an isolated Tier-1 which connects to the firewall NVA northbound. In this topology, isolated Tier-1s simulate security zones, and the firewall can provide East-West filtering between security zones and North-South filtering for all traffic.

We will discuss routing and other configuration details for these topologies in the next part of this blog series.

3rd Party firewall deployed in Azure VNET

Customers can also deploy a 3rd party firewall in an Azure VNET and route traffic from AVS to this firewall via an Azure Virtual WAN hub. To redirect internet traffic from AVS VMs to the firewall NVA, you need to connect AVS to an ExpressRoute gateway in Azure Virtual WAN and propagate a default route. Next, you configure a default route in the Azure Virtual WAN hub to direct internet-bound traffic to an NVA in a spoke VNET. We will go through the configuration details in greater detail in upcoming blogs. Stay tuned!

Summary

Azure VMware Solution customers have multiple security options available to protect their workloads.
Some of these firewalling capabilities can be used out of the box to provide East-West and North-South firewalling. Along with the built-in security capabilities, customers can also leverage 3rd party firewalls or next-gen firewalls to provide additional security and maintain the same security posture as they have on-premises. Following are a few resources to learn more about Azure VMware Solution.

- Learn Azure VMware Solution Networking
- Try Azure VMware Solution Hands-on-lab

Azure VMware Solution now available in Korea Central
We are pleased to announce that Azure VMware Solution is now available in Korea Central. Now in 34 Azure regions, Azure VMware Solution empowers you to seamlessly extend or migrate existing VMware workloads to Azure without the cost, effort or risk of re-architecting applications or retooling operations. Azure VMware Solution supports:

- Rapid cloud migration of VMware-based workloads to Azure without refactoring.
- Datacenter exit while maintaining operational consistency for the VMware environment.
- Business continuity and disaster recovery for on-premises VMware environments.
- Attach Azure services and innovate applications at your own pace.
- Includes the VMware technology stack and lets you leverage existing Microsoft licenses for Windows Server and SQL Server.

For updates on current and upcoming region availability, visit the product by region page here.

Streamline migration with new offers and licensing benefits, including a 20% discount.

We recently announced the VMware Rapid Migration Plan, where Microsoft provides a comprehensive set of licensing benefits and programs to give you price protection and savings as you migrate to Azure VMware Solution. Azure VMware Solution is a great first step to the cloud for VMware customers, and this plan can help you get there. Learn More

Enhancing Disaster Recovery and Ransomware Protection with Azure VMware Solution and JetStream
Enhancing Disaster Recovery and Ransomware Protection with Azure VMware Solution and JetStream Software

Disaster Recovery (DR) and ransomware protection are critical concerns for organizations today, as the frequency and cost of attacks continue to rise. Our customers demand comprehensive and cost-effective options to safeguard their critical workloads without compromising application performance. AVS collaborates with leading technology companies, such as JetStream Software, to deliver advanced DR solutions that offer both near-zero Recovery Point Objective (RPO) and near-zero Recovery Time Objective (RTO) options.

The JetStream DR and Ransomware solution implements Continuous Data Protection (CDP) by immediately replicating all data generated by protected VMs. It employs heuristic algorithms to detect data tampering while utilizing cost-effective and high-performance storage options like Azure Blob Storage, Azure NetApp Files (ANF), and ESAN-based solutions. Utilizing the VMware-certified VAIO APIs means that the JetStream solution is fully VMware Ready certified. This approach is unique compared to other market offerings that provide DR protection by creating intermittent snapshots.

JetStream has also partnered with Microsoft to develop a unique feature that rehydrates VMs and their data from Azure Blob object storage, deploying them to AVS nodes provisioned on-demand, to a pilot light cluster in AVS. This ensures a rapid and cost-controlled recovery that minimizes downtime in the event of a disaster or ransomware attack.

To learn more about the power of this integration, watch our sessions at VMware Explore 2024 in Las Vegas:

- “Future-Proof VMware Workloads with Azure VMware Solution” [Session ID: VCFB2530LVS]
- “Implementing a Robust BCDR Plan with Azure VMware Solution” [Session ID: VCFB2534LVS]
- “Discover the Partner Ecosystem for Azure VMware Solution” [Session ID: VCFB2532LVS]

Microsoft is headed to VMware Explore 2024 in Barcelona!
Microsoft is headed to VMware Explore 2024 in Barcelona! If you want to know about running VCF Private Clouds in Azure, the work we are doing in partnership with VMware by Broadcom, or have a conversation about your VMware workloads, stop by our stand #403! This year Microsoft will have several sessions on a variety of migration related topics, so if you're building out your schedule check them out:

Microsoft Keynote: Future-Proof VMware Workloads with Azure VMware Solution
Speaker: James Forrester, Sr. Dir. Specialist Management Azure Infra Sales, Microsoft
Date/Time: Wednesday, 6 November @ 9:00 AM – 9:45 AM CET

Join our keynote to discover how Microsoft can streamline your VMware workloads’ migration to the cloud. Learn how to maximize your existing on-premises investments and fast path your applications into an AI-innovation platform. We’ll reveal the quickest, least disruptive migration path, and share enticing offers that make this an easy decision. Learn how transitioning from on-premises to Azure will give your business a competitive edge.

Microsoft Sessions - Register now to reserve your seat!
In addition to the keynote, here are other deeper-level sessions on Microsoft Azure VMware Solution:

- Monday, 4 November, 09:30-10:00 CET: Meet the Expert Roundtable: Ask Me Anything About Azure VMware Solution (VCFM1601BCNS)
- Monday, 4 November, 11:30-13:00 CET: From Migration to Innovation: How Azure VMware Solution Unlocks Azure and AI (VCFT1599BCNS)
- Tuesday, 5 November, 11:45-12:15 CET: Azure VMware Solution: Harness the Power of Data With Azure Services and AI (VCFB1600BCNS)
- Tuesday, 5 November, 15:00-15:20 CET: What’s New in Windows Server 2025 & Azure VMware Solution (EXPO1903BCNS)
- Tuesday, 5 November, 16:30-17:00 CET: Meet the Expert Roundtable: Ask Me Anything About Azure VMware Solution (VCFM1602BCNS)
- Wednesday, 6 November, 09:00-09:45 CET: Microsoft Keynote: Azure VMware Solution-VCF Private Clouds with Azure Benefits (VCFB1603BCNS)
- Wednesday, 6 November, 10:15-11:00 CET: Building End-To-End Networking with Azure VMware Solution (VCFB1604BCNS)
- Wednesday, 6 November, 11:30-12:15 CET: Discover the Partner Ecosystem for Azure VMware Solution (VCFB1605BCNS)
- Wednesday, 6 November, 12:45-13:30 CET: Best Practices for Migration and Security with Azure VMware Solution (VCFB1606BCNS)
- Wednesday, 6 November, 14:00-14:45 CET: Implementing a Robust BCDR Plan with Azure VMware Solution (VCFB1607BCNS)

Azure VMware Solution now available in the new AV48 node size in Japan East
Today we're announcing the availability of the Azure VMware Solution AV48 SKU in Japan East. This SKU modernizes the CPU to the Intel Sapphire Rapids architecture and increases the deployed cores and memory per server to better accommodate today’s workloads.

Key features of the new AV48 in Japan East:

- Dual Intel Xeon Gold 6442Y CPUs (Sapphire Rapids microarchitecture) with 24 cores/CPU @ 2.6 GHz base / 3.3 GHz All Core Turbo / 4.0 GHz Max Turbo, for a total of 48 physical cores (96 logical cores with hyperthreading)
- 1 TB of DRAM memory
- 19.2 TB storage capacity with all NVMe based SSDs
- 1.5 TB of NVMe cache

For pricing reach out to your Microsoft Account Team, or visit the Azure Portal quota request page. Learn More

Forward Azure VMware Solution logs anywhere using Azure Logic Apps
Overview

As enterprises scale their infrastructure in Microsoft Azure using Azure VMware Solution, gaining real-time visibility into the operational health of their private cloud environment becomes increasingly critical. Whether troubleshooting deployment issues, monitoring security events, or performing compliance audits, centralized logging is a must-have. Azure VMware Solution offers flexible options for exporting syslogs from vCenter Server, ESXi hosts, and NSX components. While many customers already use Log Analytics or third-party log platforms for visibility, some have unique operational or compliance requirements that necessitate forwarding logs to specific destinations outside the Microsoft ecosystem. With the advent of VMware Cloud Foundation on Azure VMware Solution, customers now have more choices and can leverage tools like VCF Operations for Logs to monitor, analyze, and troubleshoot their logs.

In this post, we’ll show you how to use Azure Logic Apps, Microsoft’s low-code, serverless integration platform, to forward Azure VMware Solution private cloud logs to any log management tool of your choosing. With a newly released workflow template tailored for Azure VMware Solution, you can set this up in minutes—no custom code required.

Figure 1. Architectural flow of syslog data from an Azure VMware Solution private cloud to a log management server via Azure Logic Apps

Background

The Azure VMware Solution and Azure Logic Apps product teams have partnered to deliver a built-in integration that allows Azure VMware Solution customers to forward logs to any syslog-compatible endpoint—whether in Azure, on-premises, or another cloud. This new Logic Apps template is purpose-built for Azure VMware Solution and dramatically simplifies log forwarding.

Figure 2. Azure VMware Solution template in the Azure Logic Apps template catalog
Historically, forwarding logs from Azure VMware Solution required customers to develop custom code or deploy complex workarounds, often involving multiple services and significant manual configuration. These methods not only introduced operational overhead but also made it difficult for platform teams to standardize logging across environments. With this new integration, customers who previously spent days in frustration trying to get their private cloud logs have now done so in under an hour, a massive improvement in both speed and simplicity.

This new capability is particularly timely given recent industry changes. Following VMware’s announcement to discontinue the SaaS versions of Aria Operations, including Aria Operations for Logs, many customers have begun exploring alternative solutions for their log management needs. For those looking to use the on-premises alternative of Aria Operations for Logs, sending Azure VMware Solution logs directly from Azure to their self-managed VCF Operations for Logs servers is now possible—with zero custom code. Using Azure Logic Apps, customers can seamlessly bridge their hybrid cloud monitoring environments and avoid gaps in visibility or compliance. This solution empowers Azure VMware Solution customers with more flexibility, shorter time-to-value, and a consistent logging strategy across both legacy and modernized environments.

Why Azure Logic Apps?

Azure Logic Apps is a powerful, low-code integration platform that enables IT administrators and platform teams to automate workflows and connect services—without having to manage any infrastructure. With over 1,400 connectors to Azure services, popular SaaS applications, on-premises APIs, and more, Logic Apps provides a flexible and reliable foundation for routing log data across infrastructure environments.
For Azure VMware Solution users, this means you can now easily forward logs from your Azure VMware Solution private cloud to any log management solution—on-premises or in the cloud—without writing custom code. Logic Apps acts as a dynamic “translator” or “dispatcher” in your architecture, listening for logs streamed to Event Hubs and securely forwarding them to your target syslog endpoint with the required formatting, headers, and authentication. This new capability not only accelerates time-to-value for log forwarding but also gives Azure VMware Solution customers the freedom to integrate with the logging platform of their choice—improving visibility, operational efficiency, and compliance in hybrid cloud environments. Future iterations of this integration will include support for Azure Blob Storage as well, another common method Azure VMware Solution customers use to retain and forward their logs.

How to get started

In addition to this blog, check out the links below to learn more about this integration, understand how Azure Logic Apps works, and use the pricing calculator to cost and size Azure Logic Apps. For large enterprise solutions for strategic and major customers, an Azure VMware Solution Architect from Azure, Broadcom, or a Broadcom Partner should be engaged to ensure the solution is correctly sized to deliver business value with the minimum of risk.
If you are interested in using Logic Apps with Azure VMware Solution, please use the resources to learn more about the service:

- Detailed instructions on sending logs via Logic Apps: Send VMware syslogs to log management server using Azure Logic Apps - Azure VMware Solution | Microsoft Learn
- An overview of Logic Apps: Overview - Azure Logic Apps | Microsoft Learn
- Pricing calculator: Pricing - Logic Apps | Microsoft Azure

--

Azure VMware Solution is a VMware validated first party Azure service from Microsoft that provides private clouds containing VMware vSphere clusters built from dedicated bare-metal Azure infrastructure. It enables customers to leverage their existing investments in VMware skills and tools, allowing them to focus on developing and running their VMware-based workloads on Azure.

Author Bio

Varun Hariharan is a Senior Product Manager on the Azure VMware Solution team at Microsoft, where he is focusing on observability and workload strategies for customers. His background is in Infrastructure as a Service (IaaS), log management, enterprise software, and DevOps.

Kent Weare is a Principal PM Manager on the Azure Logic Apps team at Microsoft, where he is focusing on providing enterprise integration and automation capabilities for customers.

Azure VMware Solution Availability Design Considerations
Azure VMware Solution Design Series

- Availability Design Considerations
- Recoverability Design Considerations
- Performance Design Considerations
- Security Design Considerations
- VMware HCX Design with Azure VMware Solution

Overview

A global enterprise wants to migrate thousands of VMware vSphere virtual machines (VMs) to Microsoft Azure as part of their application modernization strategy. The first step is to exit their on-premises data centers and rapidly relocate their legacy application VMs to the Azure VMware Solution as a staging area for the first phase of their modernization strategy. What should the Azure VMware Solution look like?

Azure VMware Solution is a VMware validated first party Azure service from Microsoft that provides private clouds containing VMware vSphere clusters built from dedicated bare-metal Azure infrastructure. It enables customers to leverage their existing investments in VMware skills and tools, allowing them to focus on developing and running their VMware-based workloads on Azure.

In this post, I will introduce the typical customer workload availability requirements, describe the Azure VMware Solution architectural components, and describe the availability design considerations for Azure VMware Solution private clouds. In the next section, I will introduce the typical availability requirements of a customer’s workload.

Customer Workload Requirements

A typical customer has multiple application tiers that have specific Service Level Agreement (SLA) requirements that need to be met. These SLAs are normally named by a tiering system such as Platinum, Gold, Silver, and Bronze or Mission-Critical, Business-Critical, Production, and Test/Dev. Each SLA will have different availability, recoverability, performance, manageability, and security requirements that need to be met.
For the availability design quality, customers will normally have an uptime percentage requirement with an availability zone (AZ) or region requirement that defines each SLA level. For example:

SLA Name   Uptime                              AZ/Region
Gold       99.999% (5.26 min downtime/year)    Dual Regions
Silver     99.99% (52.6 min downtime/year)     Dual AZs
Bronze     99.9% (8.76 hrs downtime/year)      Single AZ

Table 1 – Typical Customer SLA requirements for Availability

A typical legacy business-critical application will have the following application architecture:

- Load Balancer layer: Uses load balancers to distribute traffic across multiple web servers in the web layer to improve application availability.
- Web layer: Uses web servers to process client requests made via the secure Hypertext Transfer Protocol (HTTPS). Receives traffic from the load balancer layer and forwards it to the application layer.
- Application layer: Uses application servers to run software that delivers a business application through a communication protocol. Receives traffic from the web layer and uses the database layer to access stored data.
- Database layer: Uses a relational database management system (RDBMS) cluster to store data and provide database services to the application layer.

Depending upon the availability requirements for the service, the application components could be many and spread across multiple sites and regions to meet the customer SLA.

Figure 1 – Typical Legacy Business-Critical Application Architecture

In the next section, I will introduce the architectural components of the Azure VMware Solution.

Architectural Components

The diagram below describes the architectural components of the Azure VMware Solution.

Figure 2 – Azure VMware Solution Architectural Components

Each Azure VMware Solution architectural component has the following function:

- Azure Subscription: Used to provide controlled access, budget and quota management for the Azure VMware Solution.
- Azure Region: Physical locations around the world where we group data centers into Availability Zones (AZs) and then group AZs into regions.
- Azure Resource Group: Container used to place Azure services and resources into logical groups.
- Azure VMware Solution Private Cloud: Uses VMware software, including vCenter Server, NSX software-defined networking, vSAN software-defined storage, and Azure bare-metal ESXi hosts to provide compute, networking, and storage resources. Azure NetApp Files, Azure Elastic SAN, and Pure Cloud Block Store are also supported.
- Azure VMware Solution Resource Cluster: Uses VMware software, including vSAN software-defined storage, and Azure bare-metal ESXi hosts to provide compute, networking, and storage resources for customer workloads by scaling out the Azure VMware Solution private cloud. Azure NetApp Files, Azure Elastic SAN, and Pure Cloud Block Store are also supported.
- VMware HCX: Provides mobility, migration, and network extension services.
- VMware Site Recovery: Provides Disaster Recovery automation, and storage replication services with VMware vSphere Replication. Third party Disaster Recovery solutions Zerto DR and JetStream DR are also supported.
- Dedicated Microsoft Enterprise Edge (D-MSEE): Router that provides connectivity between Azure cloud and the Azure VMware Solution private cloud instance.
- Azure Virtual Network (VNet): Private network used to connect Azure services and resources together.
- Azure Route Server: Enables network appliances to exchange dynamic route information with Azure networks.
- Azure Virtual Network Gateway: Cross premises gateway for connecting Azure services and resources to other private networks using IPSec VPN, ExpressRoute, and VNet to VNet.
- Azure ExpressRoute: Provides high-speed private connections between Azure data centers and on-premises or colocation infrastructure.
- Azure Virtual WAN (vWAN): Aggregates networking, security, and routing functions together into a single unified Wide Area Network (WAN).

In the next section, I will describe the availability design considerations for the Azure VMware Solution.

Availability Design Considerations

The architectural design process takes the business problem to be solved and the business goals to be achieved and distills these into customer requirements, design constraints and assumptions. Design constraints can be characterized by the following three categories:

- Laws of the Land – data and application sovereignty, governance, regulatory, compliance, etc.
- Laws of Physics – data and machine gravity, network latency, etc.
- Laws of Economics – owning versus renting, total cost of ownership (TCO), return on investment (ROI), capital expenditure, operational expenditure, earnings before interest, taxes, depreciation, and amortization (EBITDA), etc.

Each design consideration will be a trade-off between the availability, recoverability, performance, manageability, and security design qualities. The desired result is to deliver business value with the minimum of risk by working backwards from the customer problem.

Design Consideration 1 – Azure Region and AZs: Azure VMware Solution is available in 30 Azure Regions around the world (US Government has 2 additional Azure Regions). Select the relevant Azure Regions and AZs that meet your geographic requirements. These locations will typically be driven by your design constraints.

Design Consideration 2 – Deployment topology: Select the Azure VMware Solution topology that best matches the uptime and geographic requirements of your SLAs. For very large deployments, it may make sense to have separate private clouds dedicated to each SLA for cost efficiency. The Azure VMware Solution supports a maximum of 12 clusters per private cloud. Each cluster supports a minimum of 3 hosts and a maximum of 16 hosts per cluster.
Each private cloud supports a maximum of 96 hosts. VMware vSphere HA provides protection against ESXi host failures and VMware vSphere DRS provides distributed resource management. VMware vSphere Fault Tolerance is not supported by the Azure VMware Solution. These features are preconfigured as part of the managed service and cannot be changed by the customer.

VMware vCenter Server, VMware HCX Manager, VMware SRM and VMware vSphere Replication Manager are individual appliances and are protected by vSphere HA. VMware NSX Manager is a cluster of 3 unified appliances that have a VM-VM anti-affinity placement policy to spread them across the hosts of the cluster. The VMware NSX Edge cluster is a pair of appliances that also use a VM-VM anti-affinity placement policy.

Topology 1 – Standard: The Azure VMware Solution standard private cloud is deployed within a single AZ in an Azure Region, which delivers an infrastructure SLA of 99.9%.

Figure 3 – Azure VMware Solution Private Cloud Standard Topology

Topology 2 – Multi-AZ: Azure VMware Solution private clouds in separate AZs per Azure Region. VMware HCX is used to connect private clouds across AZs. Application clustering is required to provide the multi-AZ availability mechanism. The customer is responsible for ensuring their application clustering solution is within the limits of bandwidth and latency between private clouds. This topology will deliver an SLA of greater than 99.9%; however, it will be dependent upon the application clustering solution used by the customer. The Azure VMware Solution does not support AZ selection during provisioning. This is mitigated by having separate Azure Subscriptions with quota in each separate AZ. You can open a ticket with Microsoft to configure a Special Placement Policy to deploy your Azure VMware Solution private cloud to a particular AZ per subscription.
Figure 4 – Azure VMware Solution Private Cloud Multi-AZ Topology

Topology 3 – Stretched: The Azure VMware Solution stretched clusters private cloud is deployed across dual AZs in an Azure Region, which delivers a 99.99% infrastructure SLA. This also includes a third AZ for the Azure VMware Solution witness site. Stretched clusters support policy-based synchronous replication to deliver a recovery point objective (RPO) of zero. It is possible to use placement policies and storage policies to mix SLA levels within stretched clusters, by pinning lower SLA workloads to a particular AZ, which will experience downtime during an AZ failure. This feature is GA and is currently only available in the Australia East, West Europe, UK South and Germany West Central Azure Regions.

Figure 5 – Azure VMware Solution Private Cloud with Stretched Clusters Topology

Topology 4 – Multi-Region: Azure VMware Solution private clouds across Azure Regions. VMware HCX is used to connect private clouds across Azure Regions. Application clustering is required to provide the multi-region availability mechanism. The customer is responsible for ensuring their application clustering solution is within the limits of bandwidth and latency between private clouds. This topology will deliver an SLA of greater than 99.9%; however, it will be dependent upon the application clustering solution used by the customer. An additional enhancement could be using Azure VMware Solution stretched clusters in one or both Azure Regions.

Figure 6 – Azure VMware Solution Private Cloud Multi-Region Topology

Design Consideration 3 – Shared Services or Separate Services Model: The management and control plane cluster (Cluster-1) can be shared with customer workload VMs or be a dedicated cluster for management and control, including customer enterprise services, such as Active Directory, DNS, and DHCP. Additional resource clusters can be added to support customer workload demand.
This also includes the option of using separate clusters for each customer SLA.

Figure 7 – Azure VMware Solution Shared Services Model

Figure 8 – Azure VMware Solution Separate Services Model

Design Consideration 4 – SKU type: Three SKU types can be selected for provisioning an Azure VMware Solution private cloud. The smaller AV36 SKU can be used to minimize the impact radius of a failed node. The larger AV36P and AV52 SKUs can be used to run more workloads with fewer nodes, which increases the impact radius of a failed node. The AV36 SKU is widely available in most Azure Regions, and the AV36P and AV52 SKUs are limited to certain Azure Regions. Azure VMware Solution does not support mixing different SKU types within a private cloud (the AV64 SKU is the exception). You can check Azure VMware Solution SKU availability by Azure Region here. The AV64 SKU is currently only available for mixed SKU deployments in certain regions.

Figure 9 – AV64 Mixed SKU Topology

Design Consideration 5 – Placement Policies: Placement policies are used to increase the availability of a service by separating the VMs in an application availability layer across ESXi hosts. When an ESXi host failure occurs, it would only impact one VM of a multi-part application layer, which would then restart on another ESXi host through vSphere HA. Placement policies support VM-VM and VM-Host affinity and anti-affinity rules. The vSphere Distributed Resource Scheduler (DRS) is responsible for migrating VMs to enforce the placement policies. To increase the availability of an application cluster, a placement policy with VM-VM anti-affinity rules for each of the web, application and database service layers can be used. Alternatively, VM-Host affinity rules can be used to segment the web, application, and database components to dedicated groups of hosts. The placement policies for stretched clusters can use VM-Host affinity rules to pin workloads to the preferred and secondary sites, if needed.
Figure 10 – Azure VMware Solution Placement Policies – VM-VM Anti-Affinity

Figure 11 – Azure VMware Solution Placement Policies – VM-Host Affinity

Design Consideration 6 – Storage Policies: Table 2 lists the pre-defined VM Storage Policies available for use with VMware vSAN. The appropriate redundant array of independent disks (RAID) and failures to tolerate (FTT) settings per policy need to be considered to match the customer workload SLAs. Each policy has a trade-off between availability, performance, capacity, and cost that needs to be considered. The storage policies for stretched clusters add a site designation: dual site (synchronous site mirroring), preferred site, or secondary site. To comply with the Azure VMware Solution SLA, you are responsible for using an FTT=2 storage policy when the cluster has 6 or more nodes in a standard cluster. You must also retain a minimum slack space of 25% for backend vSAN operations.

| Deployment Type | Policy Name | RAID | Failures to Tolerate (FTT) | Site |
| --- | --- | --- | --- | --- |
| Standard | RAID-1 FTT-1 | 1 | 1 | N/A |
| Standard | RAID-1 FTT-2 | 1 | 2 | N/A |
| Standard | RAID-1 FTT-3 | 1 | 3 | N/A |
| Standard | RAID-5 FTT-1 | 5 | 1 | N/A |
| Standard | RAID-6 FTT-2 | 6 | 2 | N/A |
| Standard | VMware Horizon | 1 | 1 | N/A |
| Stretched | RAID-1 FTT-1 Dual Site | 1 | 1 | Site mirroring |
| Stretched | RAID-1 FTT-1 Preferred | 1 | 1 | Preferred |
| Stretched | RAID-1 FTT-1 Secondary | 1 | 1 | Secondary |
| Stretched | RAID-1 FTT-2 Dual Site | 1 | 2 | Site mirroring |
| Stretched | RAID-1 FTT-2 Preferred | 1 | 2 | Preferred |
| Stretched | RAID-1 FTT-2 Secondary | 1 | 2 | Secondary |
| Stretched | RAID-1 FTT-3 Dual Site | 1 | 3 | Site mirroring |
| Stretched | RAID-1 FTT-3 Preferred | 1 | 3 | Preferred |
| Stretched | RAID-1 FTT-3 Secondary | 1 | 3 | Secondary |
| Stretched | RAID-5 FTT-1 Dual Site | 5 | 1 | Site mirroring |
| Stretched | RAID-5 FTT-1 Preferred | 5 | 1 | Preferred |
| Stretched | RAID-5 FTT-1 Secondary | 5 | 1 | Secondary |
| Stretched | RAID-6 FTT-2 Dual Site | 6 | 2 | Site mirroring |
| Stretched | RAID-6 FTT-2 Preferred | 6 | 2 | Preferred |
| Stretched | RAID-6 FTT-2 Secondary | 6 | 2 | Secondary |
| Stretched | VMware Horizon | 1 | 1 | Site mirroring |
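The SLA rules for standard clusters (FTT=2 at 6 or more hosts, 25% slack) and the RAID/FTT choices from Table 2 can be checked before a design is signed off. The script below is an added example and not part of the original post; the per-policy capacity multipliers and minimum host counts are standard vSAN OSA figures that I am assuming here, and the 15 TB raw capacity per host is a constructed sample value.

```python
"""Check a planned standard-cluster vSAN storage policy against the AVS SLA
rules and estimate usable capacity. Added example, not from the original post."""
from dataclasses import dataclass

# Assumed standard vSAN OSA figures (not stated in the post):
# (RAID level, FTT) -> (raw-to-usable capacity multiplier, minimum hosts)
POLICY_SPECS = {
    (1, 1): (2.0, 3),      # RAID-1 FTT-1: 2 copies, 2*1+1 hosts
    (1, 2): (3.0, 5),      # RAID-1 FTT-2: 3 copies, 2*2+1 hosts
    (1, 3): (4.0, 7),      # RAID-1 FTT-3: 4 copies, 2*3+1 hosts
    (5, 1): (4 / 3, 4),    # RAID-5 FTT-1: 3 data + 1 parity
    (6, 2): (1.5, 6),      # RAID-6 FTT-2: 4 data + 2 parity
}
MIN_HOSTS, MAX_HOSTS = 3, 16   # per-cluster limits stated in the post
SLACK = 0.25                   # 25% slack space required by the AVS SLA
FTT2_THRESHOLD = 6             # FTT=2 policy required at 6 or more hosts


@dataclass
class Plan:
    hosts: int
    raid: int
    ftt: int
    raw_tb_per_host: float   # constructed sample value in the demo below


def check_policy(plan: Plan) -> list:
    """Return a list of findings; an empty list means the plan is compliant."""
    findings = []
    if not MIN_HOSTS <= plan.hosts <= MAX_HOSTS:
        findings.append(f"cluster must have {MIN_HOSTS}-{MAX_HOSTS} hosts")
    spec = POLICY_SPECS.get((plan.raid, plan.ftt))
    if spec is None:
        findings.append(f"RAID-{plan.raid} FTT-{plan.ftt} is not a Table 2 policy")
        return findings
    _, min_hosts = spec
    if plan.hosts < min_hosts:
        findings.append(f"RAID-{plan.raid} FTT-{plan.ftt} needs at least {min_hosts} hosts")
    if plan.hosts >= FTT2_THRESHOLD and plan.ftt < 2:
        findings.append("clusters with 6 or more hosts must use an FTT=2 policy")
    return findings


def usable_tb(plan: Plan) -> float:
    """Usable capacity once the 25% slack and the policy overhead are reserved.
    Only valid for policies present in POLICY_SPECS (run check_policy first)."""
    multiplier, _ = POLICY_SPECS[(plan.raid, plan.ftt)]
    return plan.hosts * plan.raw_tb_per_host * (1 - SLACK) / multiplier


if __name__ == "__main__":
    for p in (Plan(4, 5, 1, 15.0), Plan(6, 1, 1, 15.0), Plan(8, 6, 2, 15.0)):
        print(p, check_policy(p) or f"OK, ~{usable_tb(p):.1f} TB usable")
```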
Table 2 – VMware vSAN Storage Policies

Design Consideration 7 – Network Connectivity: Azure VMware Solution private clouds can be connected using IPSec VPN and Azure ExpressRoute circuits, including a variety of Azure Virtual Networking topologies such as Hub-Spoke and Azure Virtual WAN with Azure Firewall and third-party Network Virtualization Appliances. Multiple Azure ExpressRoute circuits can be used to provide redundant connectivity. VMware HCX also supports redundant Network Extension appliances to provide high availability for Layer-2 network extensions. For more information, refer to the Azure VMware Solution networking and interconnectivity concepts. The Azure VMware Solution Cloud Adoption Framework also has example network scenarios that can be considered. And, if you are interested in Azure ExpressRoute design:

- Understanding ExpressRoute private peering to address ExpressRoute resiliency
- ExpressRoute MSEE hairpin design considerations

In the following section, I will describe the next steps that would need to be made to progress this high-level design estimate towards a validated detailed design.

Next Steps

The Azure VMware Solution sizing estimate should be assessed using Azure Migrate. With large enterprise solutions for strategic and major customers, an Azure VMware Solution Solutions Architect from Azure, VMware, or a VMware Partner should be engaged to ensure the solution is correctly sized to deliver business value with the minimum of risk. This should also include an application dependency assessment to understand the mapping between application groups and identify areas of data gravity, application network traffic flows, and network latency dependencies.

Summary

In this post, we took a closer look at the typical availability requirements of a customer workload, the architectural building blocks, and the availability design considerations for the Azure VMware Solution. We also discussed the next steps to continue an Azure VMware Solution design.
If you are interested in the Azure VMware Solution, please use these resources to learn more about the service:

- Homepage: Azure VMware Solution
- Documentation: Azure VMware Solution
- SLA: SLA for Azure VMware Solution
- Azure Regions: Azure Products by Region
- Service Limits: Azure VMware Solution subscription limits and quotas
- Stretched Clusters: Deploy vSAN stretched clusters
- SKU types: Introduction
- Placement policies: Create placement policy
- Storage policies: Configure storage policy
- VMware HCX: Configuration & Best Practices
- GitHub repository: Azure/azure-vmware-solution
- Well-Architected Framework: Azure VMware Solution workloads
- Cloud Adoption Framework: Introduction to the Azure VMware Solution adoption scenario
- Network connectivity scenarios: Enterprise-scale network topology and connectivity for Azure VMware Solution
- Enterprise Scale Landing Zone: Enterprise-scale for Microsoft Azure VMware Solution
- Enterprise Scale GitHub repository: Azure/Enterprise-Scale-for-AVS
- Azure CLI: Azure Command-Line Interface (CLI) Overview
- PowerShell module: Az.VMware Module
- Azure Resource Manager: Microsoft.AVS/privateClouds
- REST API: Azure VMware Solution REST API
- Terraform provider: azurerm_vmware_private_cloud Terraform Registry

Author Bio

René van den Bedem is a Principal Technical Program Manager in the Azure VMware Solution product group at Microsoft. His background is in enterprise architecture with extensive experience across all facets of the enterprise, public cloud, and service provider spaces, including digital transformation and the business, enterprise, and technology architecture stacks. René works backwards from the problem to be solved and designs solutions that deliver business value with the minimum of risk. In addition to being the first quadruple VMware Certified Design Expert (VCDX), he is also a Dell Technologies Certified Master Enterprise Architect, a Nutanix Platform Expert (NPX), and a VMware vExpert.
Link to PPTX Diagrams: azure-vmware-solution/azure-vmware-master-diagrams