Azure Landing Zone Accelerator for AVS – Using a Central Hub in Azure

This post has been republished via RSS; it originally appeared at: ITOps Talk Blog articles.

Options for network connectivity with AVS


There are many options for network connectivity when it comes to Azure VMware Solution (AVS). This post reviews using a central hub network in Azure.


Network Architecture

[Image: network architecture diagram, on-premises to AVS through a central hub VNet]

  • Use ExpressRoute for maximum bandwidth from on-premises. VPN is also an option when bandwidth constraints are not a concern.
  • Use ExpressRoute Global Reach to exchange routes between on-premises and AVS.
  • Create an Azure Route Server and peer it with the BGP-capable firewall(s) so their routes are injected into the VNet without static UDRs.
  • Enable ExpressRoute FastPath so data-plane traffic bypasses the ExpressRoute gateway and is no longer limited by the gateway's throughput.


In the Hub VNet, apply a route table to the GatewaySubnet containing a User Defined Route (UDR) for each spoke workload prefix with a next hop of the NVA's private IP. That UDR overrides the system route that would otherwise send traffic arriving from AVS or on-premises straight to the peered spoke. Next, the return traffic has to come back through the firewall, and the native behavior bypasses it: a spoke that uses the hub's gateway learns the AVS and on-premises prefixes via BGP and, because those prefixes are more specific than a default route, sends return traffic directly to the gateway over VNet peering. On the spoke subnet's route table, set Propagate gateway routes to Disabled so the BGP-learned routes are removed, then add a default UDR (0.0.0.0/0) with a next hop of the NVA so return traffic goes back through the firewall. Verify the result in the effective routes of a spoke NIC: every route toward AVS or on-premises should show Virtual appliance as the next hop.
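To make the symmetric-routing problem concrete, the following is an added example (not Microsoft's code and not from the original post) that models how Azure builds a subnet's effective route table: longest prefix match wins, and on a tie a user-defined route beats a BGP route, which beats a system route. It also models what Propagate gateway routes = Disabled does (the BGP-learned routes disappear from the subnet). The hub, spoke, AVS and on-premises prefixes, and the NVA address 10.0.1.4, are constructed for illustration; real Azure has further route types (service endpoints, Route Server injected routes) that this model leaves out.

```python
"""Model of Azure effective-route selection for the hub-and-spoke return path.

Added example for this post, not Microsoft's code. It models two rules Azure
applies when it builds a NIC's effective routes:
  1. longest prefix match wins;
  2. for equal prefixes, User (UDR) beats BGP, which beats System.
It also models "Propagate gateway routes = Disabled" on a route table, which
removes the BGP-learned routes from that subnet. All addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Lower number = preferred when prefix lengths tie.
ORIGIN_PRIORITY = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str          # VirtualAppliance, VirtualNetworkGateway, VNetPeering, VnetLocal, Internet
    next_hop_ip: Optional[str]  # only set for VirtualAppliance
    origin: str                 # User, BGP or System


# Constructed topology: hub 10.0.0.0/16 with the firewall NVA at 10.0.1.4,
# spoke 10.1.0.0/16, AVS 10.100.0.0/22 and on-premises 192.168.0.0/16.
NVA_IP = "10.0.1.4"

SPOKE_SYSTEM = [
    Route("10.1.0.0/16", "VnetLocal", None, "System"),
    Route("10.0.0.0/16", "VNetPeering", None, "System"),
    Route("0.0.0.0/0", "Internet", None, "System"),
]
# Learned through the hub's ExpressRoute gateway when the spoke uses the remote
# gateway; these are the routes that make return traffic skip the NVA.
SPOKE_BGP = [
    Route("10.100.0.0/22", "VirtualNetworkGateway", None, "BGP"),
    Route("192.168.0.0/16", "VirtualNetworkGateway", None, "BGP"),
]
SPOKE_UDR = [Route("0.0.0.0/0", "VirtualAppliance", NVA_IP, "User")]

HUB_GATEWAY_SUBNET_SYSTEM = [
    Route("10.0.0.0/16", "VnetLocal", None, "System"),
    Route("10.1.0.0/16", "VNetPeering", None, "System"),
]
HUB_GATEWAY_SUBNET_UDR = [Route("10.1.0.0/16", "VirtualAppliance", NVA_IP, "User")]


def effective_routes(system, bgp, udr, propagate_gateway_routes):
    """Build the table the portal's 'Effective routes' view would show."""
    routes = list(system) + list(udr)
    if propagate_gateway_routes:
        routes += list(bgp)
    return routes


def select_route(routes, dst):
    """Longest prefix match, then User > BGP > System on a tie."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return max(
        matches,
        key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -ORIGIN_PRIORITY[r.origin]),
    )


def spoke_return_path(propagate_gateway_routes, dst="10.100.0.5"):
    """Next hop a spoke VM uses for traffic back to an AVS (or on-prem) address."""
    table = effective_routes(SPOKE_SYSTEM, SPOKE_BGP, SPOKE_UDR, propagate_gateway_routes)
    return select_route(table, dst)


def gateway_subnet_forward_path(with_udr, dst="10.1.0.5"):
    """Next hop the hub GatewaySubnet uses for traffic from AVS towards a spoke VM."""
    udr = HUB_GATEWAY_SUBNET_UDR if with_udr else []
    table = effective_routes(HUB_GATEWAY_SUBNET_SYSTEM, [], udr, True)
    return select_route(table, dst)


def inspected_by_firewall(route):
    """True only when the chosen route hands the packet to the NVA."""
    return route is not None and route.next_hop_type == "VirtualAppliance" and route.next_hop_ip == NVA_IP


if __name__ == "__main__":
    for label, route in [
        ("GatewaySubnet -> spoke, no UDR", gateway_subnet_forward_path(False)),
        ("GatewaySubnet -> spoke, with UDR", gateway_subnet_forward_path(True)),
        ("spoke -> AVS, propagation on", spoke_return_path(True)),
        ("spoke -> AVS, propagation off + default UDR", spoke_return_path(False)),
    ]:
        print(f"{label:45} {route.prefix:15} {route.next_hop_type:22} inspected={inspected_by_firewall(route)}")
```

Running it shows the two halves of the fix: without the GatewaySubnet UDR, AVS-to-spoke traffic takes the VNetPeering system route; with propagation left enabled, the spoke's /22 BGP route to AVS beats the default UDR and return traffic goes straight to the gateway. Only the combination of the GatewaySubnet UDR, disabled propagation and the spoke's default UDR yields VirtualAppliance in both directions. On a real deployment, compare against `az network nic show-effective-route-table` for a spoke NIC.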


When to use Secured Hub vWAN with Traditional Hub & Spoke


Azure vWAN can be used instead of a traditional hub VNet, or alongside one, to provide transit from AVS to Azure and back to on-premises. Azure vWAN is a solid option when using Azure Firewall, or for large-scale multi-site/multi-region deployments with several ExpressRoute and VPN connections. A separate hub VNet can still host other functions, such as a third-party network appliance that routes or filters traffic. The hub VNet can also host Application Gateway for Layer-7 load balancing, Traffic Manager for DNS-based traffic routing, and Azure DDoS Protection.


[Image: secured vWAN hub alongside a traditional hub and spoke VNet]


  • Azure vWAN is a managed service: transit between ExpressRoute, VPN and WAN connections and AVS is built in, so Azure Route Server is not needed.
  • A secured vWAN hub natively integrates Azure Firewall.

*Note: If you are in a location where Global Reach is not available, a vWAN hub with routing intent may be used as an alternative for secure transit over the ExpressRoute circuits between two secured hubs that use Azure Firewall. For more information, see How to configure Virtual WAN Hub routing policies - Azure Virtual WAN.


In this video, Sabine Blair, Sr Cloud Solution Architect at Microsoft, covers these scenarios and more.


What you will learn from this video:

  • How to connect to AVS from on-premises when using a WAN, VPN or ExpressRoute circuit.
  • How to exchange routes between a VPN and an ExpressRoute Gateway.
  • Centralizing routes and inspecting traffic using a network appliance.
  • Reducing the number of user-defined static routes by using Azure Route Server.


Stay tuned for more Azure VMware Solution network scenarios.


Special thanks to Sabine Blair for taking the time to explain the scenario.


As always, please leave feedback so we can continue to improve and help you!

Amy Colyer 
