This article describes the best practices for connectivity, traffic flows, and high availability of dual-region Azure VMware Solution when using Azure Secure Virtual WAN with Routing Intent. You learn the design details of using Secure Virtual WAN with Routing Intent, without Global Reach. This article breaks down the Virtual WAN with Routing Intent topology from the perspective of Azure VMware Solution private clouds, on-premises sites, and Azure native resources. The implementation and configuration of Secure Virtual WAN with Routing Intent are beyond the scope and aren't discussed in this document.
In regions without Global Reach support, or with a security requirement to inspect traffic between Azure VMware Solution and on-premises at the hub firewall, a support ticket must be opened to enable ExpressRoute to ExpressRoute transitivity for both regional hubs. ExpressRoute to ExpressRoute transitivity isn't supported by default with Virtual WAN. – see Transit connectivity between ExpressRoute circuits with routing intent
Secure Virtual WAN with Routing Intent is only supported with the Virtual WAN Standard SKU. Secure Virtual WAN with Routing Intent provides the capability to send all Internet traffic and Private network traffic to a security solution like Azure Firewall, a third-party Network Virtual Appliance (NVA), or a SaaS solution. In this scenario, we have a network topology that spans two regions. There's one Virtual WAN with two Hubs, Hub1 and Hub2. Hub1 is in Region 1, and Hub2 is in Region 2. Each Hub has its own instance of Azure Firewall deployed (Hub 1 Firewall, Hub 2 Firewall), essentially making each of them a Secure Virtual WAN Hub. Having Secure Virtual WAN hubs is a technical prerequisite for Routing Intent. Secure Virtual WAN Hub1 and Hub2 have Routing Intent enabled.
Each region also has an Azure VMware Solution Private Cloud and an Azure Virtual Network. There's also an on-premises site connecting to both regions, which we review in more detail later in this document.
Note
If you're using non-RFC1918 prefixes in your connected on-premises networks, Virtual Networks, or Azure VMware Solution, make sure you have specified those prefixes in the "Private Traffic Prefixes" text box for Routing Intent. Keep in mind that you should always enter summarized routes only in the "Private Traffic Prefixes" section to cover your range. Don't enter the exact range that's being advertised to Virtual WAN, as this can lead to routing issues. For example, if the ExpressRoute circuit is advertising 40.0.0.0/24 from on-premises, put a /23 CIDR range or larger in the Private Traffic Prefixes text box (example: 40.0.0.0/23). – see Configure routing intent and policies through Virtual WAN portal
Note
When configuring Azure VMware Solution with Secure Virtual WAN Hubs, ensure optimal routing results on the hub by setting the Hub Routing Preference option to "AS Path." – see Virtual hub routing preference
Understanding Topology Connectivity
Connection | Description |
---|---|
Connections (D) | Azure VMware Solution private cloud connection to its local regional hub. |
Connections (E) | On-premises connectivity via ExpressRoute to both regional hubs. |
Inter-Hub | Inter-Hub logical connection between two hubs that are deployed under the same Virtual WAN. |
The following sections cover traffic flows and connectivity for Azure VMware Solution, on-premises, Azure Virtual Networks, and the Internet.
This section focuses only on the Azure VMware Solution private clouds in both regions. Each Azure VMware Solution private cloud has an ExpressRoute connection to its hub (connections labeled as "D").
With ExpressRoute to ExpressRoute transitivity enabled on the Secure Hub and Routing Intent enabled, the Secure Hub sends the default RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to both Azure VMware Solution private clouds over connection "D". In addition to the default RFC 1918 addresses, both Azure VMware Solution private clouds learn more specific routes from Azure Virtual Networks and Branch Networks (S2S VPN, P2S VPN, SDWAN) that are connected to both Hub 1 and Hub 2. Neither Azure VMware Solution private cloud learns specific routes from on-premises networks. For routing traffic back to on-premises networks, each private cloud uses the default RFC 1918 addresses that it learned via connection "D" from its local regional hub. This traffic transits the local regional Hub firewall, as shown in the diagram. The Hub firewall has the specific routes for on-premises networks and routes traffic toward the destination over connection "E". Traffic from both Azure VMware Solution private clouds heading toward Virtual Networks also transits the Hub firewall. For more information, see the traffic flow section.
The diagram illustrates traffic flows from the perspective of Azure VMware Solution Private Cloud Region 1 and Azure VMware Solution Private Cloud Region 2.
Traffic Flow Chart
Traffic Flow Number | Source | Direction | Destination | Traffic Inspected on Secure Virtual WAN Hub firewall? |
---|---|---|---|---|
1 | Azure VMware Solution Cloud Region 1 | → | Virtual Network 1 | Yes, traffic is inspected at the Hub 1 firewall |
2 | Azure VMware Solution Cloud Region 1 | → | On-premises | Yes, traffic is inspected at the Hub 1 firewall |
3 | Azure VMware Solution Cloud Region 1 | → | Virtual Network 2 | Yes, traffic is inspected at the Hub 1 firewall, then the Hub 2 firewall. |
4 | Azure VMware Solution Cloud Region 1 | → | Azure VMware Solution Cloud Region 2 | Yes, traffic is inspected at the Hub 1 firewall, then the Hub 2 firewall. |
5 | Azure VMware Solution Cloud Region 2 | → | Virtual Network 1 | Yes, traffic is inspected at the Hub 2 firewall, then the Hub 1 firewall. |
6 | Azure VMware Solution Cloud Region 2 | → | Virtual Network 2 | Yes, traffic is inspected at the Hub 2 firewall. |
7 | Azure VMware Solution Cloud Region 2 | → | On-premises | Yes, traffic is inspected at the Hub 2 firewall. |
This section focuses only on the on-premises site. As shown in the diagram, the on-premises site has an ExpressRoute connection to both Hub 1 and Hub 2 (connections labeled as "E").
With ExpressRoute to ExpressRoute transitivity enabled on both Secure Hubs and Routing Intent enabled, each Secure Hub sends the default RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to on-premises over connection "E". In addition to the default RFC 1918 addresses, on-premises learns more specific routes from Azure Virtual Networks and Branch Networks (S2S VPN, P2S VPN, SDWAN) that are connected to both Hub 1 and Hub 2.
By default, on-premises doesn't learn the specific routes for either Azure VMware Solution Private Cloud. Instead, it routes to both Azure VMware Solution Private Clouds using the default RFC 1918 addresses it learns over connection "E". On-premises learns the default RFC 1918 addresses from both Hub 1 and Hub 2 via connection "E".
Note
It's extremely important to add specific routes on both hubs. If you don't add specific routes on the hubs, it leads to suboptimal routing because on-premises uses Equal Cost Multi-Path (ECMP) between the "E" connections for traffic destined to either Azure VMware Solution Private Cloud. As a result, traffic between on-premises and either Azure VMware Solution Private Cloud may experience latency, performance issues, or packet drops.
To advertise a more specific route down to on-premises, it needs to be done from the "Private Traffic Prefixes" box within Routing Intent. – see Configure routing intent and policies through Virtual WAN portal. You need to add a summarized route that encompasses both your Azure VMware Solution /22 management block and your Azure VMware Solution workload subnets. If you add the same exact prefix or a more specific prefix instead of a summary route, you introduce routing issues within the Azure environment. Therefore, it's important to remember that any prefixes added to the "Private Traffic Prefixes" box must be summarized routes.
As illustrated in the diagram, Azure VMware Solution Private Cloud 1 includes workload subnets from 10.10.0.0/24 to 10.10.7.0/24. On Hub 1, the summary route 10.10.0.0/21 is added to "Private Traffic Prefixes" because it encompasses all eight subnets. Additionally, on Hub 1, the summary route 10.150.0.0/22 is added to "Private Traffic Prefixes" to cover the Azure VMware Solution management block. Summary routes 10.10.0.0/21 and 10.150.0.0/22 are then advertised down to on-premises via connection "E", providing on-premises with a more specific route than 10.0.0.0/8.
Azure VMware Solution Private Cloud 2 includes workload subnets from 10.20.0.0/24 to 10.20.7.0/24. On Hub 2, the summary route 10.20.0.0/21 is added to "Private Traffic Prefixes" because it encompasses all eight subnets. Additionally, on Hub 2, the summary route 10.250.0.0/22 is added to "Private Traffic Prefixes" to cover the Azure VMware Solution management block. Summary routes 10.20.0.0/21 and 10.250.0.0/22 are then advertised down to on-premises via connection "E", providing on-premises with a more specific route than 10.0.0.0/8.
There's no issue in adding the entire Azure VMware Solution Management /22 block under "Private Traffic Prefixes" because Azure VMware Solution doesn't advertise the exact /22 block back to Azure; it always advertises more specific routes.
As mentioned earlier, when you enable ExpressRoute to ExpressRoute transitivity on the Hub, it sends the default RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to your on-premises network. Therefore, you shouldn't advertise the exact RFC 1918 prefixes (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) back to Azure. Advertising the same exact routes creates routing problems within Azure. Instead, you should advertise more specific routes for your on-premises networks back to Azure.
Note
If you're currently advertising the default RFC 1918 addresses from on-premises to Azure and wish to continue this practice, you need to split each RFC 1918 range into two equal sub-ranges and advertise those sub-ranges back to Azure. The sub-ranges are 10.0.0.0/9, 10.128.0.0/9, 172.16.0.0/13, 172.24.0.0/13, 192.168.0.0/17, and 192.168.128.0/17.
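The prefix rules in the sections above (summary routes in "Private Traffic Prefixes", the ECMP effect on on-premises when no summary is advertised, and the halved RFC 1918 ranges) can be checked before touching the portal. The following is an added example, not code from the article or from Azure; the workload subnets and management block are the article's Region 1 values, the next-hop names "E-Hub1"/"E-Hub2" are constructed, and the on-premises route table is a simplified longest-prefix-match model in which equal-length routes from both hubs are treated as equal cost.

```python
import ipaddress
from ipaddress import IPv4Network

# Constructed from the article's Region 1 example: eight /24 workload
# subnets, plus the management /22 that goes into Private Traffic Prefixes.
WORKLOAD_SUBNETS = [IPv4Network(f"10.10.{i}.0/24") for i in range(8)]
MGMT_SUMMARY = IPv4Network("10.150.0.0/22")
RFC1918 = [IPv4Network("10.0.0.0/8"), IPv4Network("172.16.0.0/12"),
           IPv4Network("192.168.0.0/16")]


def summary_route(subnets):
    """Smallest single prefix that covers every subnet (e.g. eight /24s -> /21)."""
    cand = subnets[0]
    while not all(s.subnet_of(cand) for s in subnets):
        cand = cand.supernet()
    return cand


def check_private_traffic_prefix(candidate, advertised):
    """Apply the article's rule for a 'Private Traffic Prefixes' entry:
    it must summarize advertised routes and must not be equal to, or more
    specific than, any route actually advertised to Virtual WAN."""
    for adv in advertised:
        if candidate == adv:
            return False, f"{candidate} equals advertised route {adv}"
        if candidate.subnet_of(adv):
            return False, f"{candidate} is more specific than advertised {adv}"
    covered = [a for a in advertised if a.subnet_of(candidate)]
    if not covered:
        return False, f"{candidate} covers none of the advertised routes"
    return True, f"{candidate} summarizes {len(covered)} advertised route(s)"


def onprem_next_hops(dest, rib):
    """Longest-prefix match over an on-premises RIB {prefix: set(next hops)}.
    All next hops of the winning prefix are returned: two hops means ECMP."""
    addr = ipaddress.ip_address(dest)
    best = max((p for p in rib if addr in p),
               key=lambda p: p.prefixlen, default=None)
    return set(rib[best]) if best else set()


# What on-premises learns over connection "E" before and after the hubs
# advertise the summary routes from the article (hop names constructed).
RIB_WITHOUT_SUMMARY = {net: {"E-Hub1", "E-Hub2"} for net in RFC1918}
RIB_WITH_SUMMARY = dict(RIB_WITHOUT_SUMMARY)
RIB_WITH_SUMMARY.update({
    IPv4Network("10.10.0.0/21"): {"E-Hub1"}, IPv4Network("10.150.0.0/22"): {"E-Hub1"},
    IPv4Network("10.20.0.0/21"): {"E-Hub2"}, IPv4Network("10.250.0.0/22"): {"E-Hub2"},
})


def split_rfc1918():
    """The two equal halves of each RFC 1918 range, for on-premises to
    advertise instead of the exact /8, /12 and /16."""
    return [half for net in RFC1918 for half in net.subnets(prefixlen_diff=1)]


if __name__ == "__main__":
    print("summary:", summary_route(WORKLOAD_SUBNETS))
    print(check_private_traffic_prefix(IPv4Network("10.10.0.0/21"), WORKLOAD_SUBNETS))
    print(check_private_traffic_prefix(IPv4Network("10.10.0.0/24"), WORKLOAD_SUBNETS))
    print("no summary:", onprem_next_hops("10.10.3.5", RIB_WITHOUT_SUMMARY))
    print("with summary:", onprem_next_hops("10.10.3.5", RIB_WITH_SUMMARY))
    print([str(n) for n in split_rfc1918()])
```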
The diagram illustrates traffic flows from the perspective of on-premises.
Traffic Flow Chart
Traffic Flow Number | Source | Direction | Destination | Traffic Inspected on Secure Virtual WAN Hub firewall? |
---|---|---|---|---|
2 | On-premises | → | Azure VMware Solution Cloud Region 1 | Yes, traffic is inspected at the Hub 1 firewall |
7 | On-premises | → | Azure VMware Solution Cloud Region 2 | Yes, traffic is inspected at the Hub 2 firewall |
8 | On-premises | → | Virtual Network 1 | Yes, traffic is inspected at the Hub 1 firewall |
9 | On-premises | → | Virtual Network 2 | Yes, traffic is inspected at the Hub 2 firewall |
This section focuses only on connectivity from the Azure Virtual Networks perspective. As depicted in the diagram, each Virtual Network has a Virtual Network peering directly to its regional hub.
The diagram illustrates how all Azure native resources in both Virtual Networks learn routes under their "Effective Routes". With Routing Intent enabled, Hub 1 and Hub 2 always send the default RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to their peered Virtual Networks. Azure native resources in the Virtual Networks don't learn specific routes from outside their Virtual Network. With Routing Intent enabled, all resources in the Virtual Network learn the default RFC 1918 addresses and use their regional hub firewall as the next hop. Azure VMware Solution Private Clouds communicate with each other via connection "D" to their local regional hub firewall. From there, traffic traverses the Virtual WAN inter-hub and undergoes inspection at the cross-regional hub firewall. Additionally, Azure VMware Solution private clouds communicate with on-premises via connection "D" through their local regional hub firewall. All traffic ingressing and egressing the Virtual Networks always transits their regional hub firewalls. For more information, see the traffic flow section.
The diagram illustrates traffic flows from the Azure Virtual Networks perspective.
Traffic Flow Chart
Traffic Flow Number | Source | Direction | Destination | Traffic Inspected on Secure Virtual WAN Hub firewall? |
---|---|---|---|---|
1 | Virtual Network 1 | → | Azure VMware Solution Cloud Region 1 | Yes, traffic is inspected at the Hub 1 firewall |
3 | Virtual Network 2 | → | Azure VMware Solution Cloud Region 1 | Yes, traffic is inspected at the Hub 2 firewall, then the Hub 1 firewall |
5 | Virtual Network 1 | → | Azure VMware Solution Cloud Region 2 | Yes, traffic is inspected at the Hub 1 firewall, then the Hub 2 firewall |
6 | Virtual Network 2 | → | Azure VMware Solution Cloud Region 2 | Yes, traffic is inspected at the Hub 2 firewall |
8 | Virtual Network 1 | → | On-premises | Yes, traffic is inspected at the Hub 1 firewall |
9 | Virtual Network 2 | → | On-premises | Yes, traffic is inspected at the Hub 2 firewall |
10 | Virtual Network 1 | → | Virtual Network 2 | Yes, traffic is inspected at the Hub 1 firewall, then the Hub 2 firewall |
10 | Virtual Network 2 | → | Virtual Network 1 | Yes, traffic is inspected at the Hub 2 firewall, then the Hub 1 firewall |
This section focuses only on how internet connectivity is provided for Azure native resources in Virtual Networks and for Azure VMware Solution Private Clouds in a dual-region design. There are several options to provide internet connectivity to Azure VMware Solution. – see Internet Access Concepts for Azure VMware Solution
Option 1: Internet Service hosted in Azure
Option 2: Azure VMware Solution Managed SNAT
Option 3: Azure Public IPv4 address to NSX-T Data Center Edge
Although you can use all three options with Dual Region Secure Virtual WAN with Routing Intent, "Option 1: Internet Service hosted in Azure" is the best option when using Secure Virtual WAN with Routing Intent and is the option used to provide internet connectivity in this scenario. "Option 1" is considered the best option with Secure Virtual WAN because of its ease of security inspection, deployment, and manageability.
As mentioned earlier, when you enable Routing Intent on both Secure Hubs, each hub advertises the RFC 1918 addresses to all directly peered Virtual Networks. However, you can also advertise a default route 0.0.0.0/0 for internet connectivity to downstream resources. With Routing Intent, you can choose to generate a default route from both hub firewalls. This default route is advertised to the hub's directly peered Virtual Networks and to its directly connected Azure VMware Solution. This section is broken into two parts: one that explains internet connectivity from the perspective of both regional Azure VMware Solution private clouds, and another from the Virtual Networks perspective.
When Routing Intent is enabled for internet traffic, the default behavior of the Secure Virtual WAN Hub is to not advertise the default route across ExpressRoute circuits. To ensure the default route is propagated from Azure Virtual WAN to its directly connected Azure VMware Solution, you must enable default route propagation on your Azure VMware Solution ExpressRoute circuits – see To advertise default route 0.0.0.0/0 to endpoints. Once the changes are complete, the default route 0.0.0.0/0 is advertised via connection "D" from the hub. It's important to note that this setting shouldn't be enabled for on-premises ExpressRoute circuits. As a best practice, it's recommended to implement a BGP filter on your on-premises equipment. A BGP filter prevents the inadvertent learning of the default route, adds an extra layer of precaution, and ensures that on-premises internet connectivity isn't impacted.
When you enable Routing Intent for internet access, it automatically generates a default route from both regional hubs and advertises it to their hub-peered Virtual Network connections. Under Effective Routes for the virtual machines' NICs in the Virtual Network, you can see that the next hop for 0.0.0.0/0 is the regional hub firewall. The default route isn't advertised across regional hubs over the inter-hub link. Therefore, Virtual Networks use their local regional hub for internet access and have no backup internet connectivity through the cross-regional hub.
For more information, see the traffic flow section.
The diagram illustrates traffic flows from the perspective of the Virtual Networks and the Azure VMware Solution Private Clouds.
Traffic Flow Chart
Traffic Flow Number | Source | Direction | Destination | Traffic Inspected on Secure Virtual WAN hub firewall? |
---|---|---|---|---|
11 | Azure VMware Solution Cloud Region 1 | → | Internet | Yes, traffic is inspected at the Hub 1 firewall |
12 | Virtual Network 2 | → | Internet | Yes, traffic is inspected at the Hub 2 firewall |
13 | Virtual Network 1 | → | Internet | Yes, traffic is inspected at the Hub 1 firewall |
14 | Azure VMware Solution Cloud Region 2 | → | Internet | Yes, traffic is inspected at the Hub 2 firewall |
With Azure VMware Solution in the dual-region without Global Reach design, you don't have outbound internet connectivity redundancy, because each Azure VMware Solution private cloud learns the default route only from its local regional hub and isn't directly connected to its cross-regional hub. If a regional outage impacts the local regional hub, you have two options for achieving internet redundancy, both of which are manual configurations.
Option 1: For Outbound Internet Access Only
During a local regional outage, if you need outbound internet access for your Azure VMware Solution workloads, you can opt for Azure VMware Solution Managed SNAT. It's a straightforward solution that quickly provides the access you need. – see Turn on Managed SNAT for Azure VMware Solution workloads
Option 2: For Inbound and Outbound Internet Access
During a local regional outage, if you need both inbound and outbound internet access for your Azure VMware Solution private cloud, start by removing the "D" connection to your local regional hub. Remove the Authorization Key created for the "D" connection from the Azure VMware Solution blade in the Azure portal. Then, create a new connection to the cross-regional hub. For handling inbound traffic, consider using Azure Front Door or Traffic Manager to maintain regional high availability.
HCX Mobility Optimized Networking (MON) is an optional feature to enable when using HCX Network Extension (NE). Mobility Optimized Networking (MON) provides optimal traffic routing under certain scenarios to prevent network tromboning between on-premises-based and cloud-based resources on extended networks.
Enabling Mobility Optimized Networking (MON) for a specific extended network and a virtual machine changes the traffic flow. With Mobility Optimized Networking (MON), egress traffic from that virtual machine doesn't trombone back to on-premises. Instead, it bypasses the Network Extension (NE) IPSEC tunnel. Traffic for that virtual machine now egresses out of the Azure VMware Solution NSX-T Tier-1 Gateway > NSX-T Tier-0 Gateway > Azure Virtual WAN.
Enabling Mobility Optimized Networking (MON) for a specific extended network and a virtual machine results in another change. Azure VMware Solution NSX-T injects a /32 host route back to Azure Virtual WAN. Azure Virtual WAN advertises this /32 route to on-premises, Virtual Networks, and Branch Networks (S2S VPN, P2S VPN, SDWAN). The purpose of this /32 host route is to ensure that traffic from on-premises, Virtual Networks, and Branch Networks (S2S VPN, P2S VPN, SDWAN) doesn't use the Network Extension (NE) IPSEC tunnel when destined for the Mobility Optimized Networking (MON) enabled virtual machine. Traffic from source networks is directed straight to the Mobility Optimized Networking (MON) enabled virtual machine because of the learned /32 route.
With ExpressRoute to ExpressRoute transitivity enabled on the Secure Hub and Routing Intent enabled, the Secure Hub sends the default RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to both on-premises and Azure VMware Solution. In addition to the default RFC 1918 addresses, both on-premises and Azure VMware Solution learn more specific routes from Azure Virtual Networks and Branch Networks (S2S VPN, P2S VPN, SDWAN) that are connected to the hub. However, on-premises networks don't learn any specific routes from Azure VMware Solution, nor does the reverse occur. Instead, both environments rely on the default RFC 1918 addresses to route back to one another via their local regional Hub firewall. This means that more specific routes, such as HCX Mobility Optimized Networking (MON) host routes, aren't advertised from the Azure VMware Solution ExpressRoute to the on-premises-based ExpressRoute circuit, and vice versa. The inability to learn specific routes introduces asymmetric traffic flows: traffic egresses Azure VMware Solution via the NSX-T Tier-0 gateway, but return traffic from on-premises comes back over the Network Extension (NE) IPSEC tunnel.
To correct this traffic asymmetry, you need to adjust the HCX Mobility Optimized Networking (MON) Policy Routes. Mobility Optimized Networking (MON) policy routes determine which traffic goes back to the on-premises gateway via the L2 extension. They also decide which traffic is routed through the Azure VMware Solution NSX Tier-0 Gateway.
If a destination IP matches an entry that is set to "allow" in the Mobility Optimized Networking (MON) policy configuration, then two actions occur. First, the packet is identified. Second, it's sent to the on-premises gateway via the HCX Network Extension appliance.
If a destination IP doesn't match any entry, or matches an entry set to "deny" in the Mobility Optimized Networking (MON) policy, the system sends the packet to the Azure VMware Solution Tier-0 for routing.
HCX Policy Routes
Network | Redirect to Peer | Note |
---|---|---|
Azure Virtual Network Address Space | Deny | Make sure to explicitly include the address ranges for all your Virtual Networks. Traffic intended for Azure is directed out via Azure VMware Solution and doesn't return to the on-premises network. |
Default RFC 1918 Address Spaces | Allow | Add the default RFC 1918 addresses 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. This configuration ensures that any traffic not matching the entry above is redirected back to the on-premises network. If your on-premises setup uses addresses that aren't part of RFC 1918, you must explicitly include those ranges. |
0.0.0.0/0 | Deny | Addresses not covered by RFC 1918, such as Internet-routable IPs, or any traffic that doesn't match the entries above, exit directly via Azure VMware Solution and aren't redirected back to the on-premises network. |
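The policy route table above can be modelled to confirm, before a cutover, where each destination's traffic will leave a MON-enabled VM and whether every Virtual Network address space has its explicit "Deny" entry. This is an added example, not HCX code or anything from the article; the Virtual Network address spaces and the non-RFC 1918 on-premises range are constructed sample values, and it assumes (which the page does not state) that the most specific matching entry decides, which is the reading under which the Virtual Network "Deny" entries override the broader RFC 1918 "Allow" entry.

```python
from ipaddress import IPv4Network, ip_address

# Policy routes built from the article's table. The two Virtual Network
# address spaces are constructed; use the address spaces of every Virtual
# Network in your environment.
MON_POLICY_ROUTES = [
    (IPv4Network("10.100.0.0/16"), "deny"),    # Virtual Network 1 (constructed)
    (IPv4Network("10.200.0.0/16"), "deny"),    # Virtual Network 2 (constructed)
    (IPv4Network("10.0.0.0/8"), "allow"),      # default RFC 1918 ranges
    (IPv4Network("172.16.0.0/12"), "allow"),
    (IPv4Network("192.168.0.0/16"), "allow"),
    (IPv4Network("0.0.0.0/0"), "deny"),        # everything else exits via Tier-0
]


def mon_egress(dst, policy=MON_POLICY_ROUTES):
    """Where traffic from a MON-enabled VM to `dst` leaves Azure VMware Solution:
    'onprem-gateway' (over the NE tunnel) for an 'allow' match, 'tier0' for a
    'deny' match or no match. Assumption: the most specific entry wins."""
    addr = ip_address(dst)
    matches = [(net, action) for net, action in policy if addr in net]
    if not matches:
        return "tier0"
    _, action = max(matches, key=lambda m: m[0].prefixlen)
    return "onprem-gateway" if action == "allow" else "tier0"


def with_onprem_ranges(policy, non_rfc1918_ranges):
    """Return a policy that also sends the given non-RFC 1918 on-premises
    ranges back over the NE tunnel, as the table's RFC 1918 row requires."""
    return [(IPv4Network(r), "allow") for r in non_rfc1918_ranges] + list(policy)


def missing_vnet_entries(policy, vnet_spaces):
    """Virtual Network address spaces that lack an explicit 'deny' entry and
    would therefore be sent back to on-premises by the RFC 1918 'allow' rows."""
    return [v for v in vnet_spaces
            if not any(net == v and action == "deny" for net, action in policy)]


if __name__ == "__main__":
    for dst in ("10.100.5.4", "10.50.1.1", "203.0.113.10"):
        print(dst, "->", mon_egress(dst))
    extended = with_onprem_ranges(MON_POLICY_ROUTES, ["40.0.0.0/24"])  # constructed
    print("40.0.0.7 ->", mon_egress("40.0.0.7"), "/", mon_egress("40.0.0.7", extended))
    print("missing:", missing_vnet_entries(
        MON_POLICY_ROUTES, [IPv4Network("10.100.0.0/16"), IPv4Network("10.30.0.0/16")]))
```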