Microsoft is headed to VMware Explore 2023 in Las Vegas
VMware Explore is back in Las Vegas for 2023! If you want to know about Azure, the work we are doing with VMware, or just have a great conversation, don’t be shy and reach out to say hello. We'd love to talk to you so stop by our booth! We may even have some cool stickers too. This year we will have a bunch of sessions with Microsoft employees on stage, so if you're building out your schedule check them out: Microsoft Keynote: Transform your VMware Workloads with Microsoft Azure Speakers: Brett Tanzer, VP of Product Management, Microsoft Jeff Woolsey, Principal PM Manager, Microsoft Date/Time: Wednesday, August 23 @ 9:00 AM – 9:45 AM PDT Brett and Jeff will share how customers can transform their on-prem VMware environments using Microsoft Azure. Keynote attendees will learn how to: Learn about everything that’s new in Windows Server 2022 and address end of support for Windows Server 2012 Use familiar VMware skills to migrate or extend your VMware environment to the cloud, including hybrid cloud options with Azure VMware Solution and Azure Arc Modernize hybrid work with Azure Virtual Desktop and Horizon Cloud Learn how Azure VMware Solution could be the ideal landing spot for those looking to migrate their SQL Server workloads to Azure, but still want to use Unlimited Virtualization In addition, here are some other Microsoft Azure-related sessions that we highly recommend for learning more about Azure + VMware: Day, Time, Topic Session Title Monday, August 21 1:30-3:00 PM Azure VMware Solution Azure VMware Solution: New Guidance for Networking and Security CEIT3041LVS Monday, August 21 4:30-4:50 PM Azure VMware Solution Integrate Azure VMware Solution with Azure Native Services, Workbooks CODE1933LV - VMware {code} Theater Tuesday, August 22 10:30-11:15 AM Azure Virtual Desktop & Windows 365 Horizon DaaS and Microsoft Virtualization Solutions: The Path to the Cloud EUSB2734LV Tuesday, August 22 10:30-11:15 AM Azure VMware Solution Modernize Hybrid Multi-Cloud Environments - NetApp Customer Case Studies CEIB2924LVS Tuesday, Aug 22 2:00-2:30 PM Azure VMware Solution Ask me anything about Azure VMware Solution CEIM3039LVS Wednesday, Aug 23 9:00-9:45 AM Microsoft Azure Microsoft Executive Keynote: Transform your VMware workloads with Azure CEIB3042LVS Wednesday, August 23 10:15-11:00 AM Azure VMware Solution Azure VMware Solution Lessons Learned: Designing, Migrating, and Operating EIB3043LVS Wednesday, August 23 10:15-10:30 AM Azure VMware Solution Embracing Hybrid Cloud: Azure VMware Solution for Innovation and Growth VMTN2829LV - VMTN TechTalk Wednesday, Aug 23 12:00-12:45 PM Windows Server & Azure Arc Pave the way to innovation with Azure, Azure Arc, Windows & SQL Server! EIB3044LVS Wednesday, August 23 2:00-2:20 PM Azure VMware Solution Availability and Resilience of Azure VMware Solution CEIB2540LV Wednesday, Aug 23 12:45-1:30 PM Azure Arc Bring Azure to your VMware vSphere environment on premises and in the cloud CEIB3045LVS Wednesday, Aug 23 12:45-1:30 PM Azure VMware Solution Speed Your Azure Migration with the Latest Azure VMware Solution Features CEIB2549LV Wednesday, August 23 1:15-2:00 PM Azure VMware Solution Migrate and Modernize with Cloud Solutions from Azure VMware Solution CEIB3038LVS Wednesday, August 23 1:15-2:00 PM Azure VMware Solution Accelerate Your Public Cloud Strategy with VMware Cloud CEIB2557LV Wednesday, August 23 2:00-2:45 PM Azure Virtual Desktop & Windows 365 Extending Windows in the Cloud with VMware Horizon EUSB3046LVS Wednesday, August 23 2:00-2:20 PM Azure VMware Solution Learn How to Leverage Automation and Azure VMware Solution CODE1932LV - VMware {code} Theater Wednesday, Aug 23 2:00-2:30 PM Azure VMware Solution Ask me anything about Azure VMware Solution CEIM3040LVS Thursday, August 24 12:30-1:15 PM Azure VMware Solution State of Alaska: Rapid Cloud Migration from the Last Frontier CEIB2447LV Thursday, August 24 12:30-1:15 PM Azure VMware Solution The Enterprise Playbook for Operational Readiness for Azure VMware Solution CEIB1433LVBroadcom VMware Licensing Changes: What Azure VMware Solution Customers Need to Know
Broadcom has announced changes are coming to its VMware licensing model on hyperscalers beginning in its new fiscal year on November 1, 2025. If you’re an Azure VMware Solution customer, here’s what you need to know about the new requirements and how they will affect your cloud deployments. What’s changing? Broadcom is changing its VMware licensing policies across all hyperscaler platforms to require customers to “bring your own” portable subscription for VMware Cloud Foundation (VCF). This means customers must purchase portable VCF subscriptions directly from Broadcom to use with cloud services in the future, including Azure VMware Solution. Azure VMware Solution already supports “bring your own” licensing model The good news is that Azure VMware Solution is ready for this change. The Azure VMware Solution VCF BYOL option is available in all 35 AVS regions worldwide, allowing customers to run AVS using their own VCF subscriptions. This BYOL solution is priced lower than AVS with bundled VCF subscription. No product changes to Azure VMware Solution These updates are about licensing only—there are no product changes to how Azure VMware Solution works. Microsoft will continue to deliver Azure VMware Solution as a fully managed VCF private cloud service on Azure. In practice, this means that Microsoft takes care of all infrastructure and VMware host level software management, patches and upgrades. You don’t need to worry about hardware maintenance or manual VMware host updates. Key dates and transition details Microsoft will stop selling Azure VMware Solution with VCF subscriptions included after October 15, 2025. After this date, new Azure VMware Solution node purchases will require you to provide a VCF subscription purchased from Broadcom. Microsoft will honor existing Reserved Instance commitments to Azure VMware Solution customers. If you purchase Azure VMware Solution Reserved Instances (RIs) on or before October 15, 2025, you can continue to use your Azure VMware Solution nodes without any licensing or product changes until your RI term ends. Azure VMware Solution with license included PayGo nodes can continue to operate without any licensing or product changes through October 31, 2026. Alternatively, customers can switch from Azure VMware Solution PayGo and purchase an Azure VMware Solution RI with license included by October 15, 2025. Helpful resources We’re committed to making this transition as smooth as possible for our customers and partners. Here are some helpful links with more details: How to use portable VCF subscriptions with Azure VMware Solution How to purchase an Azure VMware Solution RI Broadcom Blog announcing the VMware licensing change If you need to purchase VCF subscriptions and do not have a Broadcom contract, leverage one of the Broadcom channel partners here. We will be reaching out directly to current Azure VMware Solution customers with more details. If you have any questions, reach out to your Microsoft account representative so we can help you navigate this transition.Announcing more Azure VMware Solution enhancements
Announcing more Azure VMware Solution enhancements Greetings from Barcelona, where the Microsoft team is thrilled to be part of VMware Explore 2023. My team and I will be presenting and are eager to meet with customers and partners in person! Having been at Microsoft for over two decades, I have recently taken the helm of the Azure VMware Solution team and I am excited to hear about your thoughts and experiences using our product. Here is some of what I have already heard from customers about how Azure VMware Solution is helping their organizations: “As a public institution, we were very sensitive to the security implemented by Azure VMware Solution in terms of data protection. Our data is hosted in the European Union. On one hand, there is protection for the container that hosts our data, on the other hand, data transmission between SOLIDEO and the Microsoft servers. There's really a portability between the VMware-based SOLIDEO virtual machines, and the Azure cloud. It's a perfect match.” —Dominique Renard, Director of Information Systems Security, SOLIDEO “As a large, mature organization, we couldn’t undertake a greenfield implementation, but we were able to quickly migrate and stand up our environment in the cloud with Azure VMware Solution” and “Our migration to Azure VMware Solution extended compliance to workloads approaching end of service because of Microsoft support.” —Mark Wiltshire, IT Director, Kier Group These stories underscore the versatility and efficiency of Azure VMware Solution in addressing diverse organizational needs. We’re eager to hear your experiences too! Please stop by our booth and connect with me and the team. Check out what’s new in Azure VMware Solution I am also excited to share some of the recent updates we’ve made to Azure VMware Solution. Azure Elastic SAN, in preview, is a cloud-native managed SAN offering scalability, cost-efficiency, high performance, and security. It now supports snapshots, enhanced security, and integrates with Azure VMware Solution. Furthermore, as a VMware Certified datastore, Elastic SAN allows you to independently scale your storage and performance, optimizing your total cost of ownership and scalability. Learn more. Azure VMware Solution in Microsoft Azure Government was approved to be added as a service within the Azure Government Federal Risk and Authorization Management Program (FedRAMP) High Provisional Authorization to Operate (P-ATO). Azure VMware Solution is already available in Azure Commercial and included in the Azure Commercial FedRAMP High P-ATO. With this latest approval, customers and their partners who require the data sovereignty that Azure Government provides can now meet FedRAMP requirements with Azure VMware Solution in Azure Government. Learn more. Azure NetApp Files for Azure Government All Azure NetApp Files features available on Azure public cloud are also available on supported Azure Government regions. For Azure Government regions supported by Azure NetApp Files, see the Products Available by Region page. Azure Arc-enabled VMware vSphere is now available. Customers can start their onboarding with Azure Arc-enabled VMware vSphere, install agents at-scale, and enable Azure management, observability, and security solutions, while benefitting from the existing lifecycle management capabilities. Azure Arc-enabled VMware vSphere VMs will now show up alongside other Azure Arc-enabled servers under ‘Machines’ view in the Azure portal. Learn more. Five-year Reserved Instance promotion is available for Azure VMware Solution until March 31, 2024 for customers looking to lock-in their VMware costs for multiple years. Contact your sales representative for details. Visit our pricing page. vSphere 8.0 will be rolled out starting at the end of November. If you would like to stay up to date with the latest releases from Azure VMware Solution, please follow Azure updates. Learn more If you are here at VMware Explore Barcelona, check out all our Azure Breakout Sessions during the event, and stop by the Microsoft booth #303 for our hourly in-booth theater sessions. Later this month you can also attend Microsoft Ignite Online: November 15–16, 2023 Learn more. As always, you can visit the Azure VMware Solution website or documentation for more information.Azure VMware Solution - February 2023 - What's New Update
We are thrilled to announce the February 2023 updates for Azure VMware Solution. A variety of new and highly anticipated features such as Customer Managed Key, Azure NetApp Files and Stretched Clusters are now available. Read on to explore more. Azure VMware Solution is a VMware validated first party Azure service from Microsoft that provides private clouds containing VMware vSphere clusters built from dedicated bare-metal Azure infrastructure. It enables customers to leverage their existing investments in VMware skills and tools, allowing them to focus on developing and running their VMware-based workloads on Azure.
Firewall integration in Azure VMware Solution
2020 has been a year like no other. In just a few months' time, businesses have transformed and have accelerated their efforts to migrate to the cloud. Following our announcement of Azure VMware Solution (AVS) last year, we have been helping customers accelerate this move to cloud by providing an easy lift and shift migration. Albeit customers love the same operational experience for VMware workloads and use familiar VMware technologies like vCenter, NSX Manager, HCX etc. in AVS, they also want to leverage security integrations that they have invested in for years. Below are a few common questions that we get from customers around this topic. How can they use the same firewalls/tools that they have been using for years? How do they maintain the same security posture? How can they use the same firewall for both Azure and VMware workloads in AVS? In this blog series, we plan to discuss native security options, 3 rd party firewall integration with AVS along with a deep dive into configuration details. First in the series, this blog would summarize the security options available at your disposal. Let’s start with the built-in security capabilities that you can leverage in AVS. Built-in security/firewall with VMware NSX-T - VMware NSX-T is the default networking stack in AVS and it provides out-of-box security features that you can use to protect your workloads. Following are the capabilities that you can leverage. Distributed Firewall (DFW) -A stateful L3-L7 firewall that powers micro-segmentation and runs on your ESXi hosts in your AVS private cloud. DFW rules are enforced on the vNIC level of a VM workload and what that means is that the traffic is either allowed or dropped on the vNIC level based on the rule you defined. So, there is no more hair-pinning that traffic through a centralized or perimeter firewall. From a feature standpoint, it's rich and allows you to define security rules using network or application constructs. You could group the workloads using static (IPSet/NSX constructs like Segment etc.) or dynamic membership (VM tags, guest OS etc.). Even when you have a perimeter firewall, you should secure your East-West traffic. Gateway Firewall - A L4-L7 aware stateful North-South firewall that can be configured on NSX-T Tier-1 Gateway in AVS. It can also be used as an Inter-tenant or Inter-zone firewall i.e. filtering traffic between different tenants of your organization each with a dedicated Tier-1 Gateway. Azure Firewall - A managed, stateful firewall with built-in HA and SLA of 99.99% (when deployed in two or more availability zones). Customers can configure L3-L7 policies to filter traffic and take advantage of threat intelligence-based filtering to alert and deny traffic from/to known malicious IP addresses and domains. Please refer to the Azure firewall feature set here. If you are already using Azure firewall capabilities deployed in Azure Virtual WAN to protect resources in VNETs, you can connect the same virtual WAN hub over an express route connection to AVS and route internet traffic from AVS to Azure firewall. Let's switch gears and talk about the 3rd party firewall integration with Azure VMware Solution. There is a strong desire from customers to continue using the same firewall in AVS that they have been using in an on-premises datacenter. Based on the use-case, you could deploy a 3rd party firewall NVA in AVS private cloud or SDDC or leverage a firewall from Azure marketplace. Let's double click on both options. 3rd Party firewall deployed as NVA in AVS private cloud or SDDC -Before we discuss this integration, it's important to understand NSX-T deployment in AVS private cloud. When you create a private cloud in AVS, a default NSX-T Tier-0 Gateway configured in Active/Active mode and a default NSX-T Tier-1 Gateway configured in Active/Standby mode is deployed for you. Users can connect segments (logical switches) and provide East-West and North-South connectivity to the workloads connected on these segments. A 3rd party firewall NVA can be connected southbound to the default NSX-T Tier-1 gateway and this firewall can act as a North-South firewall or East-West firewall depending upon your use case. This integration is supported in following topologies. Option 1: Workload segments are directly connected to the firewall and the gateway on workloads is 3 rd party firewall. This topology restricts the users with numerous segments as the vNICs on the NVA becomes a limiting factor. Option 2: Workload segments are connected to an isolated Tier-1 and this Tier-1 gateway provides northbound connectivity to a 3 rd party firewall. This topology solves the problem of limited number of vNICs on NVA as you connect 100s of workload segments to an isolated Tier-1 which connects to the firewall NVA northbound. In this topology, isolated Tier-1s simulate security zones and the firewall can provide East-West filtering between security zones and North-South filtering for all traffic. We will discuss routing and other configuration details for these topologies in next part of this blog series. 3rd Party firewall deployed in Azure VNET – Customers can also deploy a 3 rd party firewall in Azure VNET and route traffic from AVS to this firewall via Azure Virtual WAN hub. To redirect internet traffic from AVS VMs to the firewall NVA, you need to connect AVS to an express route gateway in Azure virtual WAN and propagate a default route. Next, you configure a default route in Azure Virtual WAN hub to direct internet bound traffic to a NVA in spoke VNET. We will go through the configuration details in greater detail in upcoming blogs. Stay tuned! Summary Azure VMware Solution customers have multiple security options available to protect their workloads. Some of these firewalling capabilities can be used out of the box to provide East-West and North-South firewalling. Along with the built-in security capabilities, customers can also leverage the 3 rd party firewalls or next-gen firewalls to provide additional security and maintain the same security posture as they have on-premises. Following are a few resources to learn more about Azure VMware Solution. Learn Azure VMware Solution Networking Try Azure VMware Solution Hands-on-labAzure VMware Solution Broadcom VMSA-2025-0004 Remediation
With continuous monitoring and security intelligence gathering, Microsoft ensures proactive identification and mitigation of security threats. By leveraging advanced analytics, Microsoft is able to detect vulnerabilities early, empowering organizations to stay ahead of potential risks and safeguard their digital assets effectively. Recently, Microsoft discovered a critical ESXi vulnerability and has been collaborating with Broadcom to develop and qualify a secure patch to address this issue. With Microsoft’s commitment to the security of our platform and our improved lifecycle management process, we were able to quickly assemble a global team to work on the acceleration and validation of the ESXi 8.0 U2d Build 24585300 security patch. We have successfully qualified the security patch that will mitigate VMSA-2025-0004 across our fleet. As a result, with the public release of this vulnerability we are ready to patch your existing Azure VMware Solution infrastructure. We are committing to completing the remediation within 30-days. Microsoft will communicate the scheduled date of patching over the next three weeks. Any Azure VMware Solution private cloud deployed after March 4, 2025 will be provisioned with the patch already applied to the environment. Microsoft takes an in-depth approach to vulnerability and risk management. With our new and improved partnership with Broadcom, this allows us to enhance our overall security and quickly address vulnerabilities in VMware solutions. If you are interested in the Azure VMware Solution, please use these resources to learn more about the service: Homepage: Azure VMware Solution Documentation: Azure VMware Solution SLA: SLA for Azure VMware Solution Azure Regions: Azure Products by Region Known Issues: Azure VMware Solution Software Versions: Azure VMware Solution Security Advisories: Broadcom Release Notes: ESXi 8.0 U2d Build 24585300 Author Bios Ricky Perez is a Senior Technical Program Manager in the Azure VMware Solution product group at Microsoft. His background is in solution architecture with experience in public cloud and core infrastructure services. Chastidy Harris is a Senior Program Manager in the Azure VMware Solution product group at Microsoft. Rahi Patel is a Senior Technical Program Manager in the Azure VMware Solution product group at Microsoft. René van den Bedem is a Principal Technical Program Manager in the Azure VMware Solution product group at Microsoft. His background is in enterprise architecture with extensive experience across all facets of the enterprise, public cloud & service provider spaces, including digital transformation and the business, enterprise, and technology architecture stacks. René works backwards from the problem to be solved and designs solutions that deliver business value with the minimum of risk. In addition to being the first quadruple VMware Certified Design Expert (VCDX), he is also a Dell Technologies Certified Master Enterprise Architect, a Nutanix Platform Expert (NPX), and a VMware vExpert.What's new in Azure Migrate?
Introduction The journey to the cloud is an essential step for modern enterprises looking to leverage the benefits of scalability, flexibility, and cost-efficiency. A crucial part of this transformation is understanding the current state of your IT infrastructure, including workloads, applications, and their interdependencies. Often, organizations aim to set their migration goals based on the applications they want to move to the cloud, rather than focusing on individual servers or databases in isolation. I am thrilled to share that Azure Migrate is evolving to both simplify and enrich your cloud adoption journey. We are introducing new capabilities in Azure Migrate to help you achieve your goals. Introducing Application awareness in Azure Migrate [limited preview] A key step in any cloud transformation plan is a current state analysis of the entire IT estate covering workloads and applications, and relationships/ dependencies among them. I am excited to announce the limited preview of application aware experiences in Azure Migrate – across every phase of the migration journey. This allows you to gain insights into the total cost of ownership, identify suitable IaaS and PaaS targets, and receive tailored migration and modernization guidance. To get started with Azure Migrate, simply create an Azure Migrate project on Azure portal, and leverage Azure Migrate’s wide-ranging discovery capabilities, including the Azure Migrate appliance or importing inventory via RVTools to discover your environment. This allows you to explore inventory across Infra-Data-Web tiers and use the updated dependency analysis to identify application boundaries. As part of the application aware experiences, we are introducing the concept of tags within Azure Migrate. So once dependencies are identified, you can group the dependent workloads comprising an application via tags. Then, Azure Migrate can be used to create application-specific business cases to identify savings and ROI, assess ideal migration strategies, and get recommendations for Azure services, SKUs, resource costs, and migration/modernization tools. Further, as part of executing the migration and onboarding to Azure, customers can use the recommended tools to modernize via re-platform and refactor (out of band) techniques or use the integrated rehost migration experience to rehost to Azure VM. Complemented with a refreshed user experience As part of delivering application awareness and sustainability insights, Azure Migrate will also feature a refreshed user interface. The new experience is designed to help customers across every step of the migration journey – across Decide, Plan and Execute phases. The experience provides you with a new intuitive table of contents and overview page to allow easy navigation. You can explore discovered workloads and their relationships through effective search, sort, and seamless transition from Azure Migrate to other specialized migration tools, depending on your specific goals and requirements. Finally, you can quickly create and visualize different migration and modernization strategies side-by-side. Expanded support for workloads and platforms In addition to the capabilities described above, Azure Migrate continues to evolve to support capabilities provided by Azure for customers to evaluate and execute as part of their cloud adoption journey. As part of this effort, I am pleased to announce public preview of the following capabilities. These capabilities are available for customers, partners and sellers to try today! ROI/TCO of Azure Arc in Azure Migrate Business Case [public preview] We understand that customers are looking to understand the best path as they evaluate the cloud. This includes continuing to stay on-premises in their current environment while benefiting from Azure services such as Azure Arc. Knowing the varying needs of every customer and with the goal to meet customers where they are, we are introducing the envisioning of ROI for Azure Arc in Azure Migrate Business Case. This includes - Azure Migrate business case to help you compare the Total Cost of Ownership (TCO) for on-premises estates versus Azure, including year-on-year cash flow analysis. With this new capability, the Azure Migrate Business Case now includes the added value of Azure Arc for resources remaining on-premises during the customer’s migration journey. You can now visualize cost savings and other benefits of using Azure security and management tools via Azure Arc for your on-premises servers and see licensing benefits such as Extended Security Updates and SQL Pay-As-You-Go. In addition to visualizing the business case for Arc, customers can identify and at-scale onboard machines that are not yet Arc-enabled directly from the Azure Migrate portal. Additional details and step by step instructions can be found here. Support for migrations to Azure Stack HCI [public preview] Azure Stack HCI enables customers to run workloads in the private cloud or edge and offers an ideal platform for modernizing workloads with enhanced performance, scalability, simplified management, and cost efficiency. To support this modernization, we have introduced the ability to migrate virtual machines from Hyper-V and VMware environments to Azure Stack HCI using Azure Migrate: Server Migrations. Like Azure migrations, you can leverage Azure Migrate to discover virtual machines from VMware and Hyper-V environments at scale, without needing prior agent installation. After discovery, you can migrate virtual machines to Azure Stack HCI through an easy-to-use Azure Migrate portal experience, ensuring zero data loss and minimal downtime. This migration keeps data flow locally from on-premises to Azure Stack HCI. Learn more about this capability here. Expanded OSS Support in Azure Migrate [public preview] Azure Migrate has been diligently expanding its capabilities to better support customers using Linux. We are thrilled to highlight three significant updates that enhance your migration experience: Support for newer Linux Distributions [public preview] Azure Migrate now supports a range of newer Linux distributions, including Rocky Linux, Alma Linux, SLES 15, RHEL 9, and Ubuntu 22.04. This enhancement ensures a broader compatibility for Linux workloads, allowing you to migrate seamlessly, whether using agentless or agent-based migrations. Azure Hybrid Benefit (AHB) for Enterprise Linux [public preview] We've integrated Azure Hybrid Benefit (AHB) for Enterprise Linux (RHEL and SLES) into the migration process. Customers can visualize the savings from AHB directly in Azure Migrate business case assessments, maximizing their return on investment. To leverage AHB, you can directly enable the appropriate licenses for migrating Enterprise Linux machines within Azure Migrate. This integration eliminates the need for manual installation of the AHB extension post migrations, streamlining the migration workflow and ensuring compliance. Discovery and Assessment of MySQL Databases [public preview] In our endeavor to increase coverage of OSS workloads in Azure Migrate, we are announcing discovery and modernization assessment of MySQL databases running on Linux servers. Customers previously had limited visibility in their MySQL workloads and often received generalized VM lift-and-shift recommendations. With this new capability, you can now accurately identify the MySQL workloads and assess them for right-sizing into Azure Database for MySQL: Flexible Server. CSV Import powered discovery for SQL Servers [limited preview] We understand that deploying an appliance may not be the quickest way to generate migration assessments to enable planning. Further, many times customers can’t provide credentials for SQL Server instances, to allow Azure Migrate to capture relevant details and provide accurate readiness and right-sized recommendations. Hence, we are now adding the ability to import SQL Server details which can then be used to discover SQL Server instances and databases and generate accurate assessment reports. Use existing repositories such as SQL Server Dynamic Management Views, SCOM etc. to populate the CSV schema required to discover SQL Server. Interested in trying the limited preview experience? The capabilities described above are currently in limited preview. To take advantage of these capabilities for your environment, please share your interest here. Conclusion The enhancements in Azure Migrate underscore our commitment to providing comprehensive, user-friendly, and efficient migration solutions. Stay tuned for more updates and join us at Ignite 2024 for a detailed demo of these exciting new features. Curious to learn more? Here is a sneak peek of what we plan to announce at Ignite - https://youtu.be/aquRVLvau7cVMware HCX Troubleshooting with Azure VMware Solution
Overview VMware HCX is one of the Azure VMware Solution components that generates a large number of service requests from our customers. The Azure VMware Solution product group has worked to cover the most common troubleshooting considerations that you should know about when using VMware HCX with the Azure VMware Solution. Azure VMware Solution is a VMware validated first party Azure service from Microsoft that provides private clouds containing VMware vSphere clusters built from dedicated bare-metal Azure infrastructure. It enables customers to leverage their existing investments in VMware skills and tools, allowing them to focus on developing and running their VMware-based workloads on Azure. VMware HCX is the mobility and migration software used by the Azure VMware Solution to connect remote VMware vSphere environments to the Azure VMware Solution. These remote VMware vSphere environments can be on-premises, co-location or cloud-based instances. Figure 1 – Azure VMware Solution with VMware HCX Service Mesh In the next section, I will introduce the architectural components of the Azure VMware Solution. Architectural Components The diagram below describes the architectural components of the Azure VMware Solution. Figure 2 – Azure VMware Solution Architectural Components Each Azure VMware Solution architectural component has the following function: Azure Subscription: Used to provide controlled access, budget and quota management for the Azure VMware Solution. Azure Region: Physical locations around the world where we group data centers into Availability Zones (AZs) and then group AZs into regions. Azure Resource Group: Container used to place Azure services and resources into logical groups. Azure VMware Solution Private Cloud: Uses VMware software, including vCenter Server, NSX software-defined networking, vSAN software-defined storage, and Azure bare-metal ESXi hosts to provide compute, networking, and storage resources. Azure NetApp Files, Azure Elastic SAN, and Pure Cloud Block Store are also supported. Azure VMware Solution Resource Cluster: Uses VMware software, including vSAN software-defined storage, and Azure bare-metal ESXi hosts to provide compute, networking, and storage resources for customer workloads by scaling out the Azure VMware Solution private cloud. Azure NetApp Files, Azure Elastic SAN, and Pure Cloud Block Store are also supported. VMware HCX: Provides mobility, migration, and network extension services. VMware Site Recovery: Provides Disaster Recovery automation, and storage replication services with VMware vSphere Replication. Third party Disaster Recovery solutions Zerto DR and JetStream DR are also supported. Dedicated Microsoft Enterprise Edge (D-MSEE): Router that provides connectivity between Azure cloud and the Azure VMware Solution private cloud instance. Azure Virtual Network (VNet): Private network used to connect Azure services and resources together. Azure Route Server: Enables network appliances to exchange dynamic route information with Azure networks. Azure Virtual Network Gateway: Cross premises gateway for connecting Azure services and resources to other private networks using IPSec VPN, ExpressRoute, and VNet to VNet. Azure ExpressRoute: Provides high-speed private connections between Azure data centers and on-premises or colocation infrastructure. Azure Virtual WAN (vWAN): Aggregates networking, security, and routing functions together into a single unified Wide Area Network (WAN). In the next section, I will describe the troubleshooting steps you should follow for VMware HCX when used with the Azure VMware Solution. Troubleshooting Considerations Before opening a ticket with Microsoft support, please use the following steps as a checklist to ensure you are not impacted by the most common VMware HCX issues. Troubleshooting Step 1: Download the VMware HCX Connector. Once VMware HCX is deployed on the Azure VMware Solution side, the download for the VMware HCX Connector OVA is in the VMware HCX UI plugin. Under the Administration there is a Request Download Link. The OVA can be copied locally or a download link for the OVA can be selected. Figure 3 – VMware HCX Connector OVA Download Troubleshooting Step 2: Upgrade to HCX Enterprise. Azure VMware Solution comes with an Enterprise license key for VMware HCX. If you have a pre-existing VMware HCX Connector on-prem that is licensed for VMware HCX Advanced, please be sure to upgrade the connector to the Enterprise version. To upgrade VMware HCX navigate to the HCX Connector at https://<hcx_connector_fqdn>:9443, under the Configuration section select Licensing and Activation, edit the current license and enter the VMware HCX enterprise license key obtained from the Azure VMware Solution portal. Verify that the License is showing Enterprise. Figure 4 – VMware HCX Connector License Key Once you have updated the VMware HCX Connector, be sure to update/edit the VMware HCX Compute Profile and Service Mesh to include the updated VMware HCX services that you would like to take advantage of, such as Replicated Assisted vMotion and OS Assisted Migration. OS Assisted Migration is used for migrating and converting Microsoft Hyper-V and RedHat KVM workloads into Azure VMware Solution. Figure 5 – VMware HCX Connector Compute Profile Service Activation Troubleshooting Step 3: Only use the key from the Azure VMware Solution private cloud you are connecting to. When deploying the VMware HCX Connector on-premises, the activation key should come from the Azure VMware Solution you are migrating to. In the Azure portal, an activation Key can be obtained in the Add-Ons section. Simply request an activation key, provide it with a friendly name and map that activation key to the on-premises VMware HCX connector. Figure 6 – VMware HCX Connector License Key Troubleshooting Step 4: Do not use an IPSec VPN. If possible, avoid using an IPSec VPN connection to Azure VMware Solution when migrations with VMware HCX will happen. Migrating with VMware HCX over VPN has been known to cause issues and multiple failures around migrations. Although utilizing VMware HCX via VPN is supported, it is not the recommended way to migrate virtual machines to Azure VMware Solution. One of the biggest caveats of migrating VMs with VMware HCX over VPN is that a separate uplink network profile is needed on-premises. The management network cannot be used as an uplink profile, as the MTU of the uplink profile needs to be adjusted to 1300 to accommodate the IPSec overhead. Note that VMware HCX uses IPSec VPN natively as part of the VMware HCX Service Mesh. Troubleshooting Step 5: Check MTU size within your Network Profile. Be sure to verify the MTU setting on the Network Profiles setup. Within VMware HCX, navigate to the Interconnect section, select Network Profiles and be sure to verify the correct MTU size is being used for each Profile. Be sure to verify this on both ends of the VMware HCX site pair. Figure 7 – VMware HCX MTU size in Network Profile Use this guide of recommended MTU sizes for the Network Profiles in the table below when connecting to Azure VMware Solution. Connectivity Method Management Uplink Replication vMotion Azure ExpressRoute 1500 1500 1500 or 9000 1500 or 9000 VMware HCX over IPSec VPN 1500 1300 1500 or 9000 1500 or 9000 Table 1 – VMware HCX Network Profile MTU Sizes Troubleshooting Step 6: Always keep your VMware HCX versions updated (Connectors, Cloud Manager and Service Meshes). Before you upgrade VMware HCX, check the VMware product interoperability matrix to ensure the integrated versions of on-premises VMware solution software are supported by the new version of VMware HCX you are going to upgrade to. Updates to VMware HCX are released regularly by VMware. It is the responsibility of the customer to upgrade and maintain VMware HCX on both sides of the Service Mesh (on-premises and Azure VMware Solution). When updating VMware HCX, the VMware HCX Cloud Managers should be updated first. It is recommended to create a back-up to the VMware HCX Connector before updating. Backups to the VMware HCX Connector can be done through the VMware HCX manager UI at https://<hcx_connector_fqdn>:9443 with the admin password created at the time of VMware HCX Connector deployment. Under the Administration section head to the Backups and restore section. Backups can be taken here and scheduled to be taken as well. Optionally, you can take a vSphere snapshot of the VMware HCX Connector on-premises as well. Figure 8 – VMware HCX Connector Backup & Restore Updates for the VMware HCX Cloud Managers can be found in the administration section, select your current version, and hit the ‘Check for Updates’ button. If a new version is available, you will be able to download and update to the newest version. Backups of the VMware HCX Cloud Manager are taken automatically each day. Figure 9 – VMware HCX Upgrades It should be noted that VMware HCX Service Meshes are updated independently of the VMware HCX Cloud Managers and Connectors. Upon completion of the VMware HCX Cloud Manager and Connector updates, Service Meshes should be updated next. VMware HCX Cloud Managers and Service Meshes should be upgraded in order and together as to not cause an issue with mixed mode versions of Managers and Service Meshes. Running mixed mode versions of VMware HCX Cloud Managers, Connectors, and Service Meshes in production is highly discouraged. You can lose certain features and it often creates issues within the environment. Figure 10 – VMware HCX Manager Service Mesh Update During the Service Mesh update process, if Network Extension appliances are deployed a temporary loss of connectivity will occur while the appliances update. For Network Extension in an HA pair, down time is approximately a few seconds. Network Extension appliances not in an HA pair will incur downtime of approximately one minute. Troubleshooting Step 7: On-Premises Network Connectivity and Firewalls. For VMware HCX to be activated and receive updates, your on-premises firewalls need to allow outbound traffic to port 443 for the following websites: https://connect.hcx.vmware.com https://hybridity-depot.vmware.com https://hcx.<guid>.<region>.avs.azure.com Your on-premises firewalls will also need to allow outbound traffic to UDP port 4500. Within VMware HCX UDP port 4500 serves a specific purpose, it allows IPSec VPN communication between VMware HCX components across environments and is essential for communication and data transfer between environments to work. When configuring VMware HCX, you need to ensure that this port is open between your on-premises VMware HCX Connector uplink network profile and the Azure VMware Solution HCX Cloud Manager uplink network profile. Another common issue we see within VMware HCX, is that your on-premises VMware HCX Connector is unable to reach the VMware HCX activation and entitlement website. A simple way to verify your on-premises environment has access to the activation and entitlement website is as follows. SSH into the on-premises VMware HCX Connector and run the below curl commands to verify connectivity: Curl -k -v https://connect.hcx.vmware.com Curl -k -v https://hyridity-depot.vmware.com A successful connection to the above website will look like the figure below. Figure 11 – VMware HCX Connector SSH CURL connectivity test Troubleshooting Step 8: Diagnostics page on the Service Mesh. Built into the VMware HCX Service Mesh there is an option to run a diagnostics check on the Service Mesh appliances. This is an effective way to verify the health of your Service Mesh and pinpoint any specific issues the appliances may have. In the VMware HCX Connect user interface, under the Interconnect section, select the Service Mesh you want to run the diagnostics on. Under the “More” link, select Run Diagnostics to perform a health check on the appliances. Figure 12 – VMware HCX Service Mesh Run Diagnostics Once the Diagnostics test is completed, if there are any issues, a red banner will appear under the Service Mesh name. You can drill down to the specific issues by clicking on the red alert (!) icon. Figure 13 – VMware HCX Service Mesh Alert Troubleshooting Step 9: If you are having issues with the source side interface reboot the VMware HCX Connector. VMware HCX Connectors may have issues over time. It is recommended to reboot the VMware HCX Connector if it has been up and running for an extended period without a reboot. On the Azure VMware Solution side, we do have the option for customers to reboot the VMware HCX Cloud Manager within Azure VMware Solution through a Run Command in the Azure portal. The option to Force or Hard Reboot the VMware HCX Cloud Manager is also an option that is offered. Please use this with caution as it does not check for any active migrations or replications that may be occurring. Figure 14 – Azure VMware Solution Run Command Restart-HCXManager Troubleshooting Step 10: Logging into the VMware HCX Cloud Manager directly You have the ability to log into the VMware HCX Cloud Manager directly. At times the VMware HCX plugin through your Azure VMware Solution vSphere Client will not be available or fail to open. You can obtain the IP address of the VMware HCX Cloud Manager in the Azure portal when you are in the Azure VMware Solution resource. In the Add-ons section under the “Migration using VMware HCX”, the IP address of the VMware HCX Cloud manager will be listed. It is part of the /22 network you provided when deploying Azure VMware Solution. Access the manager directly at https://<x.x.x.9>:443 or https://hcx.<guid>.<region>.avs.azure.com. The VMware HCX Cloud Manager will always end with a .9 octet. Figure 15 – VMware HCX Cloud Manager Login Troubleshooting Step 11: Network Extensions are for temporary migration phases, not for permanent use. At its core VMware HCX is a migration tool. When using Network Extensions in VMware HCX, it is important to understand that these Network Extensions should be a temporary solution used during the migration process to migrate VMs into Azure VMware Solution with no downtime during the migration. It is best practice to remove the network extensions as soon as the migration waves are completed. Leaving network extensions in place for extended periods of time can cause issues and outages in your environment. Use Network Extensions with caution. Figure 16 – VMware HCX Network Extension Troubleshooting Step 12: If you have Mobility Optimized Networking (MON) enabled, ensure you have the router location set to the correct side. When configuring MON, verify where the default gateway resides. The default gateway will always be located on the source side of the network extension. Primarily, it will reside in the on-premises data center when connecting to Azure VMware Solution. Figure 17 – VMware HCX Mobility Optimized Network (MON) Troubleshooting Step 13: OS Assisted Migration -Sentinel Gateway Appliances. When using VMware HCX OS Assisted Migration, it is important to maintain and manage the VMware HCX Sentinel Gateway Appliance (SGW) at the source site (On-premises). The Sentinel Gateway Appliance is responsible for establishing a forwarding connection with the VMware HCX Sentinel Data Receiver (SDR) on the destination site. Managing and maintaining the Sentinel Gateway appliance’s resources, CPU and memory configuration, is the responsibility of the customer. Next Steps If this has not resolved the VMware HCX issue in your Azure VMware Solution private cloud, please open a Service Request with Microsoft to continue the resolution process. Summary In this post, we described helpful troubleshooting tips when facing some of the most common VMware HCX service issues our customers have with the Azure VMware Solution. If you are interested in the Azure VMware Solution, please use these resources to learn more about the service: Homepage: Azure VMware Solution Documentation: Azure VMware Solution SLA: SLA for Azure VMware Solution Azure Regions: Azure Products by Region VMware Ports and Protocols for HCX VMware HCX - VMware Ports and Protocols VMware Interoperability Matrix Product Interoperability Matrix (vmware.com) VMware HCX: Configuration & Best Practices Design: Availability Design Considerations Design: Recoverability Design Considerations Design: Performance Design Considerations Design: Security Design Considerations GitHub repository: Azure/azure-vmware-solution Well-Architected Framework: Azure VMware Solution workloads Cloud Adoption Framework: Introduction to the Azure VMware Solution adoption scenario Network connectivity scenarios: Enterprise-scale network topology and connectivity for Azure VMware Solution Enterprise Scale Landing Zone: Enterprise-scale for Microsoft Azure VMware Solution Enterprise Scale GitHub repository: Azure/Enterprise-Scale-for-AVS Azure CLI: Azure Command-Line Interface (CLI) Overview PowerShell module: Az.VMware Module Azure Resource Manager: Microsoft.AVS/privateClouds REST API: Azure VMware Solution REST API Terraform provider: azurerm_vmware_private_cloud Terraform Registry Author Bios Ricky Perez is a Senior Cloud Solution Architect in the international Customer Success Unit (iCSU) at Microsoft. His background is in solution architecture with experience in public cloud and core infrastructure services. Jason Trammell is a Senior Software Engineer in the Azure VMware Solution engineering group at Microsoft. Kenyon Hensler is a Principal Technical Program Manager in the Azure VMware Solution product group at Microsoft. His background is in system engineering with experience across all facets of enterprise networking and compute stacks. René van den Bedem is a Principal Technical Program Manager in the Azure VMware Solution product group at Microsoft. His background is in enterprise architecture with extensive experience across all facets of the enterprise, public cloud & service provider spaces, including digital transformation and the business, enterprise, and technology architecture stacks. René works backwards from the problem to be solved and designs solutions that deliver business value with the minimum of risk. In addition to being the first quadruple VMware Certified Design Expert (VCDX), he is also a Dell Technologies Certified Master Enterprise Architect, a Nutanix Platform Expert (NPX), and a VMware vExpert.Azure VMware Solution Security Design Considerations
Azure VMware Solution Design Series Availability Design Considerations Recoverability Design Considerations Performance Design Considerations Security Design Considerations VMware HCX Design with Azure VMware Solution Overview A global enterprise wants to migrate thousands of VMware vSphere virtual machines (VMs) to Microsoft Azure as part of their application modernization strategy. The first step is to exit their on-premises data centers and rapidly relocate their legacy application VMs to the Azure VMware Solution as a staging area for the first phase of their modernization strategy. What should the Azure VMware Solution look like? Azure VMware Solution is a VMware validated first party Azure service from Microsoft that provides private clouds containing VMware vSphere clusters built from dedicated bare-metal Azure infrastructure. It enables customers to leverage their existing investments in VMware skills and tools, allowing them to focus on developing and running their VMware-based workloads on Azure. In this post, I will introduce the typical customer workload security requirements, describe the Azure VMware Solution architectural components, describe the zero trust security model, and describe the security design considerations for Azure VMware Solution private clouds. In the next section, I will introduce the typical security requirements of a customer’s workload. Customer Workload Requirements A typical customer has multiple application tiers that have specific Service Level Agreement (SLA) requirements that need to be met. These SLAs are normally named by a tiering system such as Platinum, Gold, Silver, and Bronze or Mission-Critical, Business-Critical, Production, and Test/Dev. Each SLA will have different availability, recoverability, performance, manageability, and security requirements that need to be met. For the security design quality, customers will normally have governance, regulatory, and compliance requirements. This is normally documented for each application and then aggregated into the information security policy requirements for each SLA or line of business. For example: Line of Business Governance, Regulatory, & Compliance Finance ISO/IEC 27001:2022, GLBA, PCI DSS 4.0 US Government NIST Cybersecurity Framework, FISMA, FedRAMP Health Care ISO/IEC 27001:2022, HIPAA, PCI DSS 4.0 Table 1 – Typical Customer requirements for Information Security The security concepts introduced in Table 1 have the following definitions: Governance: The process of making and enforcing decisions within an IT organization or system. It encompasses decision-making, rule-setting, and enforcement mechanisms to guide the functioning of IT in alignment with the business goals and strategies. Regulatory: The set of laws, regulations, and guidelines that govern the collection, storage, processing, and sharing of sensitive information. These regulations are designed to ensure that organizations protect sensitive information from unauthorized access, use, disclosure, and destruction. Compliance with these regulations is mandatory and non-compliance can result in legal penalties, fines, and reputational damage. Compliance: The act or process of following the rules, regulations, and standards that apply to the IT organization or system. It can also refer to the ability of an IT system to adapt to changing requirements or demands. A typical legacy business-critical application will have the following application architecture: Load Balancer layer: Uses load balancers to distribute traffic across multiple web servers in the web layer to improve application availability. Web layer: Uses web servers to process client requests made via the secure Hypertext Transfer Protocol (HTTPS). Receives traffic from the load balancer layer and forwards to the application layer. Application layer: Uses application servers to run software that delivers a business application through a communication protocol. Receives traffic from the web layer and uses the database layer to access stored data. Database layer: Uses a relational database management service (RDMS) cluster to store data and provide database services to the application layer. Depending upon the security requirements for each service, infrastructure design could be a mix of technologies used to meet the different security policies with cost efficiency. Figure 1 – Typical Legacy Business-Critical Application Architecture In the next section, I will introduce the architectural components of the Azure VMware Solution. Architectural Components The diagram below describes the architectural components of the Azure VMware Solution. Figure 2 – Azure VMware Solution Architectural Components Each Azure VMware Solution architectural component has the following function: Azure Subscription: Used to provide controlled access, budget, and quota management for the Azure VMware Solution. Azure Region: Physical locations around the world where we group data centers into Availability Zones (AZs) and then group AZs into regions. Azure Resource Group: Container used to place Azure services and resources into logical groups. Azure VMware Solution Private Cloud: Uses VMware software, including vCenter Server, NSX software-defined networking, vSAN software-defined storage, and Azure bare-metal ESXi hosts to provide compute, networking, and storage resources. Azure NetApp Files, Azure Elastic SAN, and Pure Cloud Block Store are also supported. Azure VMware Solution Resource Cluster: Uses VMware software, including vSAN software-defined storage, and Azure bare-metal ESXi hosts to provide compute, networking, and storage resources for customer workloads by scaling out the Azure VMware Solution private cloud. Azure NetApp Files, Azure Elastic SAN, and Pure Cloud Block Store are also supported. VMware HCX: Provides mobility, migration, and network extension services. VMware Site Recovery: Provides Disaster Recovery automation and storage replication services with VMware vSphere Replication. Third party Disaster Recovery solutions Zerto Disaster Recovery and JetStream Software Disaster Recovery are also supported. Dedicated Microsoft Enterprise Edge (D-MSEE): Router that provides connectivity between Azure cloud and the Azure VMware Solution private cloud instance. Azure Virtual Network (VNet): Private network used to connect Azure services and resources together. Azure Route Server: Enables network appliances to exchange dynamic route information with Azure networks. Azure Virtual Network Gateway: Cross premises gateway for connecting Azure services and resources to other private networks using IPSec VPN, ExpressRoute, and VNet to VNet. Azure ExpressRoute: Provides high-speed private connections between Azure data centers and on-premises or colocation infrastructure. Azure Virtual WAN (vWAN): Aggregates networking, security, and routing functions together into a single unified Wide Area Network (WAN). In the next section, I will introduce the Zero Trust Security Model which should be used as the framework for securing your Azure cloud resources. Zero Trust Security Model A holistic approach to Zero Trust should extend to your entire digital estate: inclusive of identities, endpoints, network, data, apps, and infrastructure. Zero Trust architecture serves as a comprehensive end-to-end strategy and requires integration across the elements. The foundation of Zero Trust security is identities. Both human and non-human identities need strong authorization, connecting from either personal or corporate endpoints with compliant devices, requesting access based on strong policies grounded in Zero Trust principles of explicit verification, least-privilege access, and assumed breach. As a unified policy enforcement, the Zero Trust policy intercepts the request, explicitly verifies signals from all six foundational elements based upon policy configuration and enforces least-privilege access. Signals include the role of the user, location, device compliance, data sensitivity, and application sensitivity. In addition to telemetry and state information, the risk assessment from threat protection feeds into the policy engine to automatically respond to threats in real time. Policy is enforced at the time of access and continuously evaluated throughout the session. This policy is further enhanced by policy optimization. Governance and compliance are critical to a strong Zero Trust implementation. Security posture assessment and productivity optimization are necessary to measure the telemetry throughout the services and systems. Telemetry and analytics feeds into the threat protection system. Large amounts of telemetry and analytics enriched by threat intelligence generate high-quality risk assessments that can be either manually investigated or automated. Attacks happen at cloud speed and, because humans can’t react quickly enough or sift through all the risks, your defense systems must also act at cloud speed. The risk assessment feeds into the policy engine for real-time automated threat protection and additional manual investigation if needed. Traffic filtering and segmentation is applied to the evaluation and enforcement from the Zero Trust policy before access is granted to any public or private network. Data classification, labeling, and encryption should be applied to emails, documents, and structured data. Access to apps should be adaptive, whether SaaS or on-premises. Runtime control is applied to infrastructure with serverless, containers, IaaS, PaaS, and internal sites with just-in-time (JIT) and version controls actively engaged. Finally, telemetry, analytics, and assessment from the network, data, apps, and infrastructure are fed back into the policy optimization and threat protection systems. Figure 3 – Zero Trust Security Model Many legacy monolithic application stacks may use the older defense in depth security model, however, we introduced the zero trust security model here for consideration. For more information, refer to the Microsoft Security Adoption Framework, and the Microsoft Cybersecurity Reference Architectures. In the next section, I will describe the security design considerations for the Azure VMware Solution. Security Design Considerations The architectural design process takes the business problem to be solved and the business goals to be achieved and distills these into customer requirements, design constraints and assumptions. Design constraints can be characterized by the following three categories: Laws of the Land – data and application sovereignty, governance, regulatory, compliance, etc. Laws of Physics – data and machine gravity, network latency, etc. Laws of Economics – owning versus renting, total cost of ownership (TCO), return on investment (ROI), capital expenditure, operational expenditure, earnings before interest, taxes, depreciation, and amortization (EBITDA), etc. Each design consideration will be a trade-off between availability, recoverability, performance, manageability, and security design qualities. The desired result is to deliver business value with the minimum of risk by working backwards from the customer problem. Design Consideration 1 – Governance, Regulatory, & Compliance: Learn how Microsoft cloud services protect your data, and how you can manage cloud data security and compliance for your organization with these certifications, regulations, and standards. Also included are reports, whitepapers, artifacts, and industry/regional resources. You can also use the Microsoft cloud security benchmark to address the common challenges customers have when securing their Azure infrastructure. For more information visit Security, governance, and compliance disciplines for Azure VMware Solution. Design Consideration 2 – Azure Region: Select the relevant Azure Regions that meet your governance, regulatory, and compliance requirements. Azure VMware Solution is available in 30 Azure Regions around the world. Azure VMware Solution is also available in two Azure Government regions and in scope for FedRAMP HIGH authorization. Azure VMware Solution in Azure Government is currently pending authorization for DoD IL4/IL5. Design Consideration 3 – Identity & Access Management: Use role-based access control to provide secure access to the Azure VMware Solution. Use Microsoft Entra Privileged Identity Management to allow time-bound access to the Azure portal and control pane operations. Use privileged identity management audit history to track operations that highly privileged accounts perform. For more information refer to Security considerations for Azure VMware Solution workloads and Enterprise-scale identity and access management. Design Consideration 4 – LDAPS Integration: Select an external identity source for your Azure VMware Solution. The local cloud administrator user accounts for vCenter Server and NSX Manager should be used as emergency access accounts for "break glass" scenarios in your private cloud. It's not intended to be used for daily administrative activities or for integration with other services. Use an external identity source to give your administrators and operators access to the Azure VMware Solution. This allows them to use their corporate credentials when accessing the Azure VMware Solution. For more information refer to Identity and access. This MTC blog post also provides a detailed procedure to Configure LDAPS within Azure VMware Solution. Design Consideration 5 – SIEM Logging: Select the Azure VMware Solution Diagnostic setting to stream platform logs and metrics to your Security Information & Event Management (SIEM) solution. Azure VMware Solution supports Azure Log Analytics, Azure Event Hub, and Azure Blob Storage as logging targets. The log stream contains the following: vCenter Server logs ESXi logs vSAN logs NSX Manager logs NSX Data Center Distributed Firewall logs NSX Data Center Gateway Firewall logs NSX Data Center Edge Appliance logs The Azure VMware Solution does not currently support Syslog Forwarding to a customer Syslog server, however you can use this Syslog Forwarding function instead. For more information refer to Configure VMware syslogs for Azure VMware Solution. Figure 4 – Azure VMware Solution Logging Options Design Consideration 6 – VMware vSAN Encryption: Use a Customer Managed Key to augment the Azure VMware Solution vSAN encryption process. Customer-managed keys give you control over the encrypted vSAN data on Azure VMware Solution. You can use Azure Key Vault to generate customer managed keys and centralize the key management process. For more information refer to Configure customer-managed key encryption at rest in Azure VMware Solution. Figure 5 – Customer Managed Keys with Azure VMware Solution Design Consideration 7 – VM Security: Use Trusted Launch with Azure VMware Solution to increase the security of your Virtual Machines. Trusted Launch comprises of Secure Boot, Virtual Trusted Platform Module (vTPM), and Virtualization-based Security (VBS) to provide a formidable defense against modern cyber threats. Trusted Launch is a requirement for Windows 11 compatibility. For more information refer to Trusted Launch for Azure VMware Solution virtual machines. Design Consideration 8 – Firewall Placement: Select the placement locations of network security firewalls within the Azure VMware Solution or Azure native services, including the zones of trust topology to meet your traffic flow requirements. Zones of trust refer to the concept of segmenting a network into different areas based upon the level of trust assigned to the devices and users within that area. This is used as part of the Zero Trust security model, where access to resources is granted on a need-to-know basis and is strictly enforced through continuous authentication and authorization. Traffic flows refer to the movement of data between different zones of trust in a network. Understanding traffic flows is important for network design, capacity planning, and information security. For Azure VMware Solution, the zones of trust need to account for the Azure VMware Solution private clouds, Azure native services, the internet, and other non-Azure locations. Figure 6 – Zones of Trust There are four options in the Azure Cloud Adoption Framework that describe different ways to secure and manage the network traffic between the Azure VMware Solution and other Azure resources, on-premises, and the internet: Option 1: Use a Secured Virtual WAN hub with default route propagation to route all traffic through an Azure Firewall or a third-party security provider. Option 2: Use Network Virtual Appliances in Azure Virtual Network to inspect all network traffic and apply firewall rules or policies. Option 3: Egress from Azure VMware Solution with or without NSX or NVA to control the outbound traffic from Azure VMware Solution to other destinations. Option 4: Use third-party firewall solutions in a hub virtual network with Azure Route Server to enable dynamic routing between Azure VMware Solution and the firewall appliances. Each option has its own benefits and trade-offs depending upon your requirements and preferences. In addition, we have VMware NSX features that can be used to secure north-south and east-west traffic, including the optional use of host-based endpoint solutions. Figure 7 – Azure Firewall and 3 rd party NVA options Option 1 – Secured Virtual WAN hub: Use a Secured Virtual WAN hub with default route propagation to route all traffic through an Azure Firewall or a third-party security provider. This solution doesn't work for on-premises filtering and Global Reach bypasses the Virtual WAN hubs. For more information refer to Azure Cloud Adoption Framework. Figure 8 – Option 1: Secured Virtual WAN hub Option 2 – Third-party Firewalls for all traffic: Use Network Virtual Appliances in Azure Virtual Network to inspect all network traffic and apply firewall rules or policies. Choose this option if you want to use your existing NVA and centralize all traffic inspection in your hub virtual network. For more information refer to Azure Cloud Adoption Framework. Figure 9 – Option 2: Third-party Firewalls for all traffic The diagram below provides an example of how FortiNet FortiGate NVAs can be used to build Scenario 2. For more information refer to Azure routing and network interfaces. Figure 10 – Example design of Option 2 with FortiNet FortiGate NVAs Option 3 – Egress from Azure VMware Solution: Egress from Azure VMware Solution with or without NSX or an NVA to control the outbound traffic from Azure VMware Solution to other destinations. Choose this option if you need to inspect traffic from two or more Azure VMware Solution private clouds. This option lets you use NSX native features. You can also combine this option with NVAs running on Azure VMware Solution between Tier-0 and Tier-1 Gateways. For more information refer to Azure Cloud Adoption Framework. Figure 11 – Option 3: Egress from Azure VMware Solution Option 4 – Third-party Firewall for internet traffic: Use a third-party firewall solution in a hub virtual network with Azure Route Server to enable dynamic routing between Azure VMware Solution and the firewall appliances. Choose this option to advertise the default route from an NVA in your Azure hub virtual network to an Azure VMware Solution. For more information refer to Azure Cloud Adoption Framework. Figure 12 – Option 4: Third-party Firewall for internet traffic Option 5 – NSX Gateways: Use NSX Gateways to secure North-South network traffic. You can use the network filtering capabilities of the Tier-0 and Tier-1 Gateways in NSX to provide North-South traffic filtering. For more information refer to Azure VMware Solution Network Security. Figure 13 – VMware NSX Gateway Firewall policies for North-South traffic Option 6 – Micro segmentation with DFW: Use NSX Distributed Firewall to secure East-West network traffic. You can use the Distributed Firewall in NSX to provide East-West micro segmentation of traffic flows. For more information refer to Azure VMware Solution Network Security. Figure 14 – VMware NSX Micro-segmentation (DFW) for East-West traffic Option 7 – Microsoft Defender for Cloud: Use a Microsoft Defender for Cloud or a third-party host-based security solution to secure your traffic from the guest operating system. Microsoft Defender for Cloud provides advanced threat protection across your Azure VMware Solution and on-premises virtual machines (VMs). It assesses the vulnerability of Azure VMware Solution VMs and raises alerts as needed. These security alerts can be forwarded to Azure Monitor for resolution. You can define security policies in Microsoft Defender for Cloud. For more information refer to Integrate Microsoft Defender for Cloud with Azure VMware Solution. Figure 15 – Microsoft Defender for Cloud with Azure VMware Solution Design Consideration 9 – Internet Access: Azure VMware Solution has three options within each private cloud instance that can be configured. These are explicitly described separate from the firewall scenarios in Design Consideration 8 even though they overlap. Option 1 – Internet Disabled: Use Azure native networking to provide internet access. There are multiple ways to generate a default route in Azure and send it towards your Azure VMware Solution private cloud or on-premises. The options are as follows: An Azure firewall in a Virtual WAN Hub. A third-party Network Virtual Appliance in a Virtual WAN Hub Spoke Virtual Network. A third-party Network Virtual Appliance in a Native Azure Virtual Network using Azure Route Server. A default route from on-premises transferred to Azure VMware Solution over Global Reach. For more information refer to Internet connectivity design considerations. Figure 16 – Azure VMware Solution Internet Disabled Option 2 – Managed SNAT: Managed SNAT service provides a simple method for outbound internet access from an Azure VMware Solution private cloud. Features of Managed SNAT include the following: Easily enabled. No control over SNAT rules, all sources that reach the SNAT service are allowed. No visibility of connection logs. Two Public IPs are used and rotated to support up to 128k simultaneous outbound connections. No inbound DNAT capability is available. For more information refer to Internet connectivity design considerations. Figure 17 – Azure VMware Solution Managed SNAT Internet Access Option 3 – Public IP Address (PIP): Use an allocated Azure Public IPv4 address directly with the NSX Edge for consumption. PIP allows the Azure VMware Solution private cloud to directly consume and apply public network addresses in NSX as required. These addresses are used for the following types of connections: Outbound SNAT Inbound DNAT Load balancing using VMware NSX Advanced Load Balancer and other third-party Network Virtual Appliances Applications directly connected to a workload VM interface. This option also lets you configure the public address on a third-party Network Virtual Appliance to create a DMZ within the Azure VMware Solution private cloud. The Azure Public IP addresses are customer owned and are not actively scanned by Microsoft. Microsoft Defender for Cloud or a suitable 3 rd party solution should be used fully secure the internet connection. These options are discussed in Design Consideration 8. For more information refer to Internet connectivity design considerations. Figure 18 – Azure VMware Solution VMware NSX Public IP Address (PIP) The use of a “T1 Sandwich” with a third-party NVA, allows you to scale beyond the 10 vNIC limitation for VMware vSphere virtual machine hardware. The result is an increase in the number of networks you can protect with an NVA. The diagram below provides an example of how a CheckPoint NVA can be used with a T1 Sandwich topology. Figure 19 – VMware NSX T1 Gateway Sandwich with CheckPoint In the following section, I will describe the next steps that need to be made to progress this high-level design estimate towards a validated detailed design. Next Steps The Azure VMware Solution sizing estimate should be assessed using Azure Migrate. With large enterprise solutions for strategic and major customers, an Azure VMware Solution Solutions Architect from Azure, VMware, or a trusted VMware Partner should be engaged to ensure the solution is correctly sized to deliver business value with the minimum of risk. This should also include an application dependency assessment to understand the mapping between application groups and identify areas of data gravity, application network traffic flows, and network latency dependencies. Summary In this post, we took a closer look at the typical security requirements of a customer workload, the architectural building blocks, the zero trust security model, and the security design considerations for the Azure VMware Solution. We also discussed the next steps to continue an Azure VMware Solution design. If you are interested in the Azure VMware Solution, please use these resources to learn more about the service: Homepage: Azure VMware Solution Documentation: Azure VMware Solution SLA: SLA for Azure VMware Solution Azure Regions: Azure Products by Region Security Fundamentals: Azure security fundamentals Zero Trust Model: Zero Trust Model - Modern Security Architecture Zero Trust Security Framework: Zero Trust security in Azure Microsoft Cybersecurity: Microsoft Cybersecurity Reference Architectures Adoption Framework: Microsoft Security Adoption Framework Microsoft cloud: Learn how Microsoft cloud services protect your data Benchmark: Microsoft cloud security benchmark Azure VMware Solution: Security, governance, and compliance disciplines Vulnerabilities: Concepts - How Azure VMware Solution Addresses Vulnerabilities Security Recommendations: Concepts - Security recommendations for Azure VMware Solution Security Baseline: Azure security baseline for Azure VMware Solution Defense in Depth: Microsoft Azure's defense in depth approach to cloud vulnerabilities Azure Compliance: Azure compliance documentation WAF: Security considerations for Azure VMware Solution workloads Identity & Access Management: Enterprise-scale identity and access management Configure LDAPS: Configure LDAPS within Azure VMware Solution Syslog: Configure VMware syslogs for Azure VMware Solution Syslog Forwarding: Syslog Forwarding function Customer-managed keys: Configure customer-managed key encryption at rest Trusted Launch: Trusted Launch for Azure VMware Solution virtual machines Network connectivity scenarios: Enterprise-scale network topology and connectivity for Azure VMware Solution Network Security: Azure VMware Solution Network Security Defender for Cloud: Integrate Microsoft Defender for Cloud with Azure VMware Solution Internet Connectivity: Internet connectivity design considerations Service Limits: Azure VMware Solution subscription limits and quotas GitHub repository: Azure/azure-vmware-solution Well-Architected Framework: Azure VMware Solution workloads Cloud Adoption Framework: Introduction to the Azure VMware Solution adoption scenario Enterprise Scale Landing Zone: Enterprise-scale for Microsoft Azure VMware Solution Enterprise Scale GitHub repository: Azure/Enterprise-Scale-for-AVS Azure CLI: Azure Command-Line Interface (CLI) Overview PowerShell module: Az.VMware Module Azure Resource Manager: Microsoft.AVS/privateClouds REST API: Azure VMware Solution REST API Terraform provider: azurerm_vmware_private_cloud Terraform Registry Author Bio René van den Bedem is a Principal Technical Program Manager in the Azure VMware Solution product group at Microsoft. His background is in enterprise architecture with extensive experience across all facets of the enterprise, public cloud & service provider spaces, including digital transformation and the business, enterprise, and technology architecture stacks. René works backwards from the problem to be solved and designs solutions that deliver business value with the minimum of risk. In addition to being the first quadruple VMware Certified Design Expert (VCDX), he is also a Dell Technologies Certified Master Enterprise Architect, a Nutanix Platform Expert (NPX), and a VMware vExpert. Link to PPTX Diagrams: azure-vmware-solution/azure-vmware-master-diagrams
