This article describes best practices for connectivity, traffic flows, and high availability of a single-region Azure VMware Solution deployment when using Azure Secure Virtual WAN with Routing Intent. You learn the design details of using Secure Virtual WAN with Routing Intent together with ExpressRoute Global Reach. The article breaks down the Virtual WAN with Routing Intent topology from the perspective of the Azure VMware Solution private cloud, on-premises sites, and Azure native resources. The implementation and configuration of Secure Virtual WAN with Routing Intent are beyond the scope of this document.
Single-region with Secure Virtual WAN scenario
Secure Virtual WAN with Routing Intent is only supported with the Virtual WAN Standard SKU. It provides the capability to send all Internet traffic and private network traffic to a security solution such as Azure Firewall, a third-party Network Virtual Appliance (NVA), or a SaaS solution. In this scenario, there is a single-region network with one Virtual WAN hub. The hub has an Azure Firewall deployed, which makes it a Secure Virtual WAN hub; a Secure Virtual WAN hub is a technical prerequisite for Routing Intent. Routing Intent is enabled on the Secure Virtual WAN hub.
Note
When configuring Azure VMware Solution with Secure Virtual WAN hubs, ensure optimal routing results on the hub by setting the Hub Routing Preference option to “AS Path” (see Virtual hub routing preference).
The single region consists of its own Azure VMware Solution private cloud and an Azure Virtual Network. Additionally, an on-premises site connects back to the hub, and Global Reach connectivity exists within the environment. Global Reach establishes a direct logical link over the Microsoft backbone that connects Azure VMware Solution to on-premises. As shown in the diagram, Global Reach connections don’t transit the hub firewall, so Global Reach traffic in either direction between on-premises and Azure VMware Solution remains uninspected.
Note
When utilizing Global Reach, consider enhancing security between Global Reach sites by inspecting traffic within the Azure VMware Solution environment’s NSX-T or an on-premises firewall.
Understanding Topology Connectivity
| Connection | Description |
| --- | --- |
| Connections (D) | Azure VMware Solution private cloud managed ExpressRoute connection to the hub. |
| Connection (A) | Azure VMware Solution Global Reach connection back to on-premises. |
| Connections (E) | On-premises ExpressRoute connection to the hub. |
Single-region Secure Virtual WAN Traffic Flows
The following sections cover traffic flows and connectivity for Azure VMware Solution, on-premises, Azure Virtual Networks, and the Internet.
Azure VMware Solution connectivity & traffic flows
This section focuses only on the Azure VMware Solution private cloud’s perspective. The Azure VMware Solution private cloud has an ExpressRoute connection to the hub (connection labeled “D”).
The Azure VMware Solution private cloud connects to on-premises via ExpressRoute Global Reach, depicted as Global Reach (A) in the diagram. Note that traffic over Global Reach doesn’t transit the hub firewall.
Ensure that you explicitly configure Global Reach (A); this step is required to prevent connectivity issues between on-premises and Azure VMware Solution. For more information, see the traffic flow section.
The diagram illustrates traffic flows from the perspective of the Azure VMware Solution Private Cloud.
Traffic Flow Chart
| Traffic Flow Number | Source | Direction | Destination | Traffic Inspected on Secure Virtual WAN Hub firewall? |
| --- | --- | --- | --- | --- |
| 1 | Azure VMware Solution Cloud | → | Virtual Network | Yes, traffic is inspected at the Hub firewall |
| 2 | Azure VMware Solution Cloud | → | On-premises | No, traffic bypasses the firewall and transits Global Reach (A) |
On-premises connectivity & traffic flow
This section focuses only on the on-premises site. As shown in the diagram, the on-premises site has an ExpressRoute connection to the hub (connections labeled “E”). On-premises systems communicate with Azure VMware Solution over Global Reach (A).
Ensure that you explicitly configure Global Reach (A); this step is required to prevent connectivity issues between on-premises and Azure VMware Solution. For more information, see the traffic flow section.
The diagram illustrates traffic flows from an on-premises perspective.
Traffic Flow Chart
| Traffic Flow Number | Source | Direction | Destination | Traffic Inspected on Secure Virtual WAN Hub firewall? |
| --- | --- | --- | --- | --- |
| 3 | On-premises | → | Azure VMware Solution Cloud | No, traffic bypasses the firewall and transits Global Reach (A) |
| 4 | On-premises | → | Virtual Network | Yes, traffic is inspected at the Hub firewall |
Azure Virtual Network connectivity & traffic flow
This section focuses only on connectivity from the Azure Virtual Network perspective. As depicted in the diagram, the Virtual Network is peered directly to the hub.
A Secure Hub with Routing Intent enabled always advertises the default RFC 1918 prefixes (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to peered Virtual Networks, plus any other prefixes added as “Private Traffic Prefixes” (see Routing Intent Private Address Prefixes). In this scenario, with Routing Intent enabled, all resources in the Virtual Network receive routes for the default RFC 1918 prefixes with the hub firewall as the next hop. All traffic entering and leaving the Virtual Network therefore always transits the hub firewall. For more information, see the traffic flow section.
Traffic Flow Chart
| Traffic Flow Number | Source | Direction | Destination | Traffic Inspected on Secure Virtual WAN hub firewall? |
| --- | --- | --- | --- | --- |
| 5 | Virtual Network | → | Azure VMware Solution Cloud | Yes, traffic is inspected at the Hub firewall |
| 6 | Virtual Network | → | Azure VMware Solution Cloud | Yes, traffic is inspected at the Hub firewall |
Internet connectivity
This section focuses only on how internet connectivity is provided for Azure native resources in the Virtual Network and for the Azure VMware Solution private cloud. There are several options for providing internet connectivity to Azure VMware Solution (see Internet Access Concepts for Azure VMware Solution):
Option 1: Internet Service hosted in Azure
Option 2: VMware Solution Managed SNAT
Option 3: Azure Public IPv4 address to NSX-T Data Center Edge
Although all three options work with single-region Secure Virtual WAN with Routing Intent, “Option 1: Internet Service hosted in Azure” is the best fit for Secure Virtual WAN with Routing Intent and is the option used to provide internet connectivity in this scenario. Option 1 is preferred with Secure Virtual WAN because of its ease of security inspection, deployment, and manageability.
With Routing Intent, you can choose to generate a default route from the hub firewall. This default route is advertised to your Virtual Network and to Azure VMware Solution. The rest of this section is split into two parts: internet connectivity from the Azure VMware Solution perspective, and from the Virtual Network perspective.
Azure VMware Solution Internet Connectivity
When Routing Intent is enabled for internet traffic, the default behavior of the Secure Virtual WAN hub is not to advertise the default route over ExpressRoute circuits. To propagate the default route from Azure Virtual WAN to Azure VMware Solution, you must enable default route propagation on your Azure VMware Solution ExpressRoute circuits (see To advertise default route 0.0.0.0/0 to endpoints). Once the change is complete, the hub advertises the default route 0.0.0.0/0 over connection “D”. This setting shouldn’t be enabled for on-premises ExpressRoute circuits. However, because connection “D” advertises 0.0.0.0/0 to Azure VMware Solution, the default route is also advertised to on-premises over Global Reach (A). The recommendation is therefore to implement a BGP filter on your on-premises equipment that rejects the default route learned over Global Reach, so that on-premises internet connectivity isn’t affected.
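The inbound BGP filter recommended above, worked through as an added example (not code from the original post or from Microsoft). It models a sequence-ordered prefix list with first-match-wins and implicit-deny semantics, applies it to a constructed set of prefixes as an on-premises router might learn them over Global Reach (A) after default route propagation is enabled on connection “D”, and renders the same policy in Cisco IOS-style syntax for illustration. The AVS prefixes, the neighbor address and the ASN are constructed placeholders, not values from the article.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PrefixRule:
    """One entry of an inbound prefix filter, evaluated in sequence order."""
    seq: int
    action: str                 # "permit" or "deny"
    prefix: IPv4Network
    ge: Optional[int] = None    # minimum prefix length of a matching route
    le: Optional[int] = None    # maximum prefix length of a matching route

    def matches(self, route: IPv4Network) -> bool:
        # Without ge/le only the exact prefix matches, so a rule on 0.0.0.0/0
        # catches only the default route and not every route beneath it.
        if self.ge is None and self.le is None:
            return route == self.prefix
        if not route.subnet_of(self.prefix):
            return False
        low = self.ge if self.ge is not None else self.prefix.prefixlen
        high = self.le if self.le is not None else 32
        return low <= route.prefixlen <= high

    def to_ios(self, name: str) -> str:
        # Cisco IOS-style rendering of the entry (illustrative syntax only).
        line = f"ip prefix-list {name} seq {self.seq} {self.action} {self.prefix}"
        if self.ge is not None:
            line += f" ge {self.ge}"
        if self.le is not None:
            line += f" le {self.le}"
        return line


# Constructed inbound policy for the Global Reach (A) peering: drop the default
# route explicitly, accept RFC 1918 space, and let the implicit deny catch the rest.
GLOBAL_REACH_IN: List[PrefixRule] = [
    PrefixRule(5, "deny", ip_network("0.0.0.0/0")),
    PrefixRule(10, "permit", ip_network("10.0.0.0/8"), le=32),
    PrefixRule(20, "permit", ip_network("172.16.0.0/12"), le=32),
    PrefixRule(30, "permit", ip_network("192.168.0.0/16"), le=32),
]

# Constructed sample of what the on-premises router could learn over Global Reach
# once connection "D" carries the default route from the Secure hub.
RECEIVED_FROM_GLOBAL_REACH = [
    "0.0.0.0/0",        # default route originated by the Secure hub
    "10.10.0.0/22",     # constructed AVS management network
    "10.20.0.0/16",     # constructed AVS workload segment
    "172.16.5.0/24",    # constructed AVS workload segment
    "203.0.113.0/24",   # constructed non-private prefix, hits the implicit deny
]


def apply_filter(rules: List[PrefixRule], received: List[str]) -> Tuple[List[str], List[str]]:
    """Return (accepted, rejected) prefixes; first matching rule wins, implicit deny."""
    accepted, rejected = [], []
    for prefix in received:
        route = ip_network(prefix)
        verdict = "deny"
        for rule in sorted(rules, key=lambda r: r.seq):
            if rule.matches(route):
                verdict = rule.action
                break
        (accepted if verdict == "permit" else rejected).append(str(route))
    return accepted, rejected


def render_ios(rules: List[PrefixRule], name: str, neighbor: str) -> List[str]:
    """Render the policy as IOS-style lines plus the inbound neighbor binding."""
    lines = [rule.to_ios(name) for rule in sorted(rules, key=lambda r: r.seq)]
    lines.append("router bgp 65000")  # constructed on-premises ASN
    lines.append(f" neighbor {neighbor} prefix-list {name} in")
    return lines


if __name__ == "__main__":
    ok, dropped = apply_filter(GLOBAL_REACH_IN, RECEIVED_FROM_GLOBAL_REACH)
    print("accepted:", ok)
    print("rejected:", dropped)
    print("\n".join(render_ios(GLOBAL_REACH_IN, "GLOBAL-REACH-IN", "192.0.2.1")))
```

The explicit `deny 0.0.0.0/0` at the lowest sequence number is what keeps the on-premises default route intact; the `le 32` permits after it accept any more-specific AVS prefix inside RFC 1918 space without having to enumerate segments.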
Virtual Network Internet Connectivity
When Routing Intent for internet access is enabled, the default route generated from the Secure Virtual WAN hub is automatically advertised to the hub-peered Virtual Network connections. Under Effective Routes for the virtual machines’ NICs in the Virtual Network, you see that the next hop for 0.0.0.0/0 is the hub firewall.
For more information, see the traffic flow section.
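The Effective Routes check described above, together with the RFC 1918 next-hop behaviour from the Virtual Network section, as an added example (not code from the original post or from Microsoft). It audits a route table shaped like the JSON that `az network nic show-effective-route-table -o json` returns and reports every Routing Intent prefix whose active next hop is not the hub firewall. The sample table, the firewall IP 10.100.0.68 and the overriding user-defined route on 192.168.0.0/16 are constructed for the demonstration.

```python
import json
from ipaddress import ip_network
from typing import List

# With Routing Intent the hub advertises these prefixes to every peered Virtual
# Network, all with the hub firewall as next hop.
ROUTING_INTENT_PREFIXES = ["0.0.0.0/0", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed sample shaped like `az network nic show-effective-route-table -o json`
# for a VM NIC in the hub-peered Virtual Network. 10.100.0.68 stands in for the hub
# firewall's private IP; the user-defined route on 192.168.0.0/16 is a deliberate
# misconfiguration that bypasses the firewall.
SAMPLE_EFFECTIVE_ROUTES = json.dumps([
    {"source": "Default", "state": "Active", "addressPrefix": ["10.50.0.0/16"],
     "nextHopType": "VnetLocal", "nextHopIpAddress": []},
    {"source": "VirtualNetworkGateway", "state": "Active", "addressPrefix": ["0.0.0.0/0"],
     "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": ["10.100.0.68"]},
    {"source": "VirtualNetworkGateway", "state": "Active", "addressPrefix": ["10.0.0.0/8"],
     "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": ["10.100.0.68"]},
    {"source": "VirtualNetworkGateway", "state": "Active", "addressPrefix": ["172.16.0.0/12"],
     "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": ["10.100.0.68"]},
    {"source": "VirtualNetworkGateway", "state": "Invalid", "addressPrefix": ["192.168.0.0/16"],
     "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": ["10.100.0.68"]},
    {"source": "User", "state": "Active", "addressPrefix": ["192.168.0.0/16"],
     "nextHopType": "None", "nextHopIpAddress": []},
])


def audit_routing_intent(effective_routes_json: str, firewall_ip: str,
                         expected_prefixes: List[str] = ROUTING_INTENT_PREFIXES) -> List[str]:
    """Return one finding per expected prefix whose active next hop is not the firewall.

    An empty list means every Routing Intent prefix on this NIC is steered to the
    hub firewall, which is the state the article describes for flows 1, 4, 5, 7 and 8.
    """
    routes = json.loads(effective_routes_json)
    findings = []
    for prefix in expected_prefixes:
        wanted = ip_network(prefix)
        # Only "Active" entries matter; a gateway route shadowed by a UDR shows as "Invalid".
        active = [r for r in routes
                  if r.get("state") == "Active"
                  and any(ip_network(p) == wanted for p in r.get("addressPrefix", []))]
        if not active:
            findings.append(f"{prefix}: no active route (is the Virtual Network connected to the hub?)")
            continue
        for r in active:
            if firewall_ip not in r.get("nextHopIpAddress", []):
                findings.append(
                    f"{prefix}: active next hop is {r.get('nextHopType')} "
                    f"{r.get('nextHopIpAddress') or '-'} from source {r.get('source')}, "
                    f"expected hub firewall {firewall_ip}")
    return findings


if __name__ == "__main__":
    for finding in audit_routing_intent(SAMPLE_EFFECTIVE_ROUTES, "10.100.0.68") or ["compliant"]:
        print(finding)
```

Run against real output by piping the CLI result into the function; a finding on any of the four prefixes means traffic for that range is leaving the Virtual Network without passing the hub firewall, which contradicts the inspection column of the flow charts.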
Traffic Flow Chart
| Traffic Flow Number | Source | Direction | Destination | Traffic Inspected on Secure Virtual WAN hub firewall? |
| --- | --- | --- | --- | --- |
| 7 | Azure VMware Solution Cloud | → | Internet | Yes, traffic is inspected at the Hub firewall |
| 8 | Virtual Network | → | Internet | Yes, traffic is inspected at the Hub firewall |