Andrew Hammond, Author at Perficient Blogs (https://blogs.perficient.com/author/ahammond/)

Azure VMware Solution: Connectivity (Part 2) – HCX & NSX
https://blogs.perficient.com/2023/05/10/azure-vmware-solution-connectivity-hcx-nsx/
Wed, 10 May 2023 17:55:49 +0000

This is Part 2 of a two-part series on Connectivity for Azure VMware Solution (AVS). 

In this article, we’ll review Network Extensions with HCX and managing AVS networking with NSX.

Read more about AVS, its use cases, and benefits in my previous blog article – Azure VMWare Solution: What is it?

VMware HCX Network Extension

Although HCX has a few different capabilities, today we are going to focus on Network Extension. Network extension allows a Layer 2 network that exists in a vSphere distributed switch, NSX segment, or NSXv logical switch to be extended to AVS. Once the extension is in place, traffic is tunneled so that virtual machines in both the source and AVS environment are on the same Layer 2 network and utilize the network gateway at the source to traverse to other networks.

An important note: Matching segments are automatically created in NSX once networks are extended to AVS. But when unextending a network, the segment in NSX is not automatically removed.

Appliance Deployment

When a Service Mesh is configured in HCX, multiple appliances are deployed to facilitate the specific functionality that has been enabled. For each appliance deployed at the source, a partner appliance is deployed in AVS.

As part of the service mesh configuration, you’ll set the number of network extension appliances required. Each Network Extension appliance can support up to 8 extended networks. Network Extension supports high availability for the appliances, so if HA is needed, set the number of appliances to twice the number required to support the networks being extended.

The appliances cannot have extended networks associated with them when enabling HA, so be sure to configure HA first. The HA setup process automatically selects an unused appliance to be the second member of the active/standby HA group. Networks to be extended are then associated with the group instead of a specific appliance.

Mobility Optimized Networking (MON)

The traffic flow for VMs in AVS on extended networks may be undesirable, since all traffic traverses the on-premises gateway. This is especially true when workloads are micro-segmented and multiple tiers exist in AVS but on different networks.

Mobility Optimized Networking (MON) can be enabled in HCX to improve network traffic flow. With MON enabled, traffic can route between networks within AVS without flowing through the on-premises gateway. In addition, MON policy routes can be created to define traffic that will flow through the cloud gateway for destinations outside of AVS, such as Azure services and internet egress.

Figure 1 demonstrates how communication between two virtual machines on separate networks in AVS behaves with and without MON enabled. As you can see, enabling MON optimizes the flow so that communication between the two virtual machines remains local to AVS.

Figure 1: Traffic flow with and without Mobility Optimized Networking.

VMware NSX

NSX is included in the Azure VMware Solution deployment and is utilized to manage the networking within the VMware private cloud environment. Networks within the environment are referred to as segments. Segments define the subnet, gateway, and DHCP settings.

NSX can be configured to run a DHCP server, or to relay to a DHCP server that already exists. If relaying to a DHCP server across a network extension, the DHCP traffic must be explicitly allowed, since all DHCP requests are blocked by default. This is done by creating a segment profile that permits DHCP and assigning it to the segment where the DHCP server exists.
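The segment settings described above (subnet, gateway, DHCP) map directly onto an NSX Policy API Segment object. The following added example, which is not code from the original post or from VMware or Microsoft, builds such a payload and validates it before it would be submitted, catching the mistakes that NSX either rejects or that silently break DHCP (gateway outside the subnet, a DHCP range that overlaps the gateway or falls outside the subnet). It also builds the segment security profile that unblocks DHCP server traffic for the relay case. The Tier-1 path, segment name and addresses are constructed placeholders; the field names follow the NSX Policy API Segment and SegmentSecurityProfile resources.

```python
"""Build and sanity-check NSX Policy API payloads for an AVS segment.

Added example (not from the original post, VMware or Microsoft). Payload shapes
follow the NSX Policy API:
  PUT /policy/api/v1/infra/segments/<segment-id>
  PUT /policy/api/v1/infra/segment-security-profiles/<profile-id>
The Tier-1 path and all addresses below are constructed placeholders.
"""
import ipaddress
import json

# Hypothetical: the AVS default Tier-1 path is deployment specific (TNT##-T1).
TIER1_PATH = "/infra/tier-1s/TNT00-T1"


def build_segment(name, gateway_cidr, dhcp_ranges, tier1_path=TIER1_PATH):
    """Return a Segment payload after validating subnet, gateway and DHCP ranges.

    gateway_cidr is the NSX form "gateway-ip/prefix", e.g. "10.10.20.1/24".
    Raises ValueError for settings NSX would reject or that would misbehave.
    """
    iface = ipaddress.ip_interface(gateway_cidr)
    subnet, gw = iface.network, iface.ip
    if gw in (subnet.network_address, subnet.broadcast_address):
        raise ValueError(f"gateway {gw} is the network or broadcast address of {subnet}")

    ranges = []
    for rng in dhcp_ranges:
        lo_s, hi_s = rng.split("-")
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        if lo > hi:
            raise ValueError(f"DHCP range {rng} is reversed")
        if lo not in subnet or hi not in subnet:
            raise ValueError(f"DHCP range {rng} is not inside {subnet}")
        if lo <= gw <= hi:
            raise ValueError(f"DHCP range {rng} overlaps the gateway {gw}")
        ranges.append(rng)

    return {
        "display_name": name,
        "connectivity_path": tier1_path,
        "subnets": [{"gateway_address": str(iface), "dhcp_ranges": ranges}],
    }


def build_dhcp_relay_profile(name):
    """SegmentSecurityProfile that allows a DHCP server to answer on the segment.

    NSX blocks DHCP server traffic by default (dhcp_server_block defaults to
    true), which is what breaks relaying across a network extension.
    """
    return {
        "display_name": name,
        "dhcp_server_block": False,
        "dhcp_client_block": False,
    }


def build_profile_binding(segment_id, profile_id):
    """Binding map that attaches the security profile to the segment."""
    return {
        "segment_security_profile_path": f"/infra/segment-security-profiles/{profile_id}",
    }


if __name__ == "__main__":
    seg = build_segment("web-tier", "10.10.20.1/24", ["10.10.20.100-10.10.20.199"])
    print(json.dumps(seg, indent=2))
    print(json.dumps(build_dhcp_relay_profile("allow-dhcp-server"), indent=2))
    print(json.dumps(build_profile_binding("web-tier", "allow-dhcp-server"), indent=2))
```

The validation is deliberately stricter than the API schema: NSX accepts a DHCP range that includes the gateway address, but handing out the gateway's own IP to a client is the kind of mistake that is painful to trace later, so it is rejected up front.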

NSX Gateways

The default deployment of NSX in AVS includes a Tier-0 gateway in active/active mode which connects to the edge to provide North/South connectivity. The Tier-0 gateway is managed by Microsoft and should not be altered.

Connected to the Tier-0 gateway is a Tier-1 gateway in active/standby mode which provides East/West connectivity and is where segments for your virtual machines will be added. Additional Tier-1 gateways can be created if desired to further segment traffic. Multiple Tier-1 gateways can be connected to a single Tier-0 gateway.

There are two management options available for the default Tier-1 gateway. Azure provides a simplified interface in the Azure portal for creating segments, configuring DHCP, setting up DNS forwarding, and configuring port mirroring. Alternatively, NSX has its own interface that can be used to manage all aspects of the platform. If additional Tier-1 gateways are added, they can only be managed via the NSX interface and are not available in the Azure portal.

Figure 2 displays a high-level layout of connectivity from the NSX gateways to external networks.

Figure 2: NSX Gateway Connectivity

Interested in taking Azure VMware Solution for a test drive?

Take part in a Proof-of-Concept (POC) to learn more about Azure VMware Solution and how it functions. Undoubtedly, you’ll quickly learn that functionality isn’t much different from what you use every day in your own datacenter, just with less management overhead. A POC is the perfect opportunity to not only validate the solution, but also get familiar with tools included in AVS that may be new to your organization such as VMware NSX for networking and HCX for inter-site connectivity and migrations.

Our dedicated Microsoft Azure practice can get you started. Our team of Azure experts will lead you through a Proof-of-Concept deployment to validate the solution in your environment. Through Perficient’s extensive Microsoft partnership, there may be funding available to cover part of the cost of the POC.

Azure VMware Solution: Connectivity (Part 1)
https://blogs.perficient.com/2023/05/10/azure-vmware-solution-connectivity-1/
Wed, 10 May 2023 11:36:35 +0000

This is Part 1 of a two-part series on Connectivity for Azure VMware Solution (AVS). 

In this article, we’ll review network connections for integrating AVS into other Azure services and systems outside of Azure. We’ll also cover how to provide AVS virtual machines access to the internet. 

Read more about AVS, its use cases, and benefits in my previous blog article – Azure VMware Solution: What is it?

Connectivity to Azure Resources

The Azure VMware Solution deployment includes an ExpressRoute circuit which is used to connect to entities external to AVS. A gateway of type ExpressRoute is required to connect the AVS circuit to Azure, and it is not included in the AVS deployment. Since AVS supports both, the gateway can be deployed in either a Hub & Spoke topology or a Virtual WAN. Once you obtain the resource ID and authorization key from the AVS Private Cloud Connectivity page in the Azure portal, the circuit can be connected to the newly created gateway.

Although AVS supports connectivity via Virtual WAN, leveraging it for connectivity from AVS to Azure NetApp Files (ANF) is not yet fully supported by Microsoft. ANF connectivity through Virtual WAN will function, but with reduced performance and increased latency, because Virtual WAN lacks FastPath support for partner ExpressRoute circuits. If you want to use Azure NetApp Files as additional storage for AVS, the connectivity will require a Virtual Network Gateway deployed to the same VNET as ANF. A gateway SKU of either Ultra Performance or ErGW3AZ should be used so that FastPath can be enabled on the AVS circuit connection. In addition, be sure to place the ANF volumes and the gateway in the same availability zone as AVS when deploying to a region with availability zone support.

Figure 1 includes a sample architecture using Virtual WAN. Connectivity is established between AVS and the Virtual WAN by connecting the AVS ExpressRoute circuit to the gateway in the Virtual Hub.

Figure 1: Connectivity into an Azure Virtual WAN.


Connectivity to Remote Locations

Connections to locations outside of Azure can be established with either an existing ExpressRoute circuit or a VPN connection. To connect to an existing circuit, enable Global Reach between the AVS circuit and the existing circuit. Global Reach should be enabled on the AVS side, where the non-AVS circuit's resource ID and authorization key are provided. Global Reach is required because ExpressRoute gateways are not transitive: traffic cannot enter the gateway from one circuit and exit back out the same gateway toward a different circuit.

While VPN connections do not support Global Reach, they work because a VPN gateway and an ExpressRoute gateway are two different resources. This means that traffic can flow from AVS through the ExpressRoute gateway and back out the VPN gateway.

BGP is used to distribute routes in and out of AVS and requires 4-byte ASN support. A default route (0.0.0.0/0) can be advertised from on-premises or other Azure environments into AVS for virtual machine routing. Management systems within the AVS environment will not honor the 0.0.0.0/0 route. Consequently, more specific routes such as RFC1918 network summaries should be advertised into AVS to allow external systems management access. In addition to management access, routes will need to be included for networks that contain other systems that are intended to be integrated with AVS for things like backups or monitoring.
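The distinction above (VMs honor a default route, AVS management components do not) is easy to get wrong when the only route advertised into AVS is 0.0.0.0/0: VM traffic works, but backup, monitoring and jump hosts silently cannot reach vCenter or NSX Manager. The following added example, not code from the original post or from Microsoft, performs the check a practitioner would want before cutover: a longest-prefix match that can be told whether the default route counts, a list of external hosts that only the default route covers, and the RFC1918 summaries that would close the gap. The advertised prefixes and host addresses are constructed sample data.

```python
"""Check routes advertised into AVS for management reachability.

Added example, not from the original post or from Microsoft. Models the rule
that AVS management components ignore 0.0.0.0/0 while VMs honor it, so any
external system that must reach (or be reached from) AVS management needs a
more specific advertised prefix. All prefixes and hosts below are constructed.
"""
import ipaddress

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def best_route(advertised, destination, honor_default=True):
    """Longest-prefix match of destination against advertised prefixes.

    Returns the matching prefix as a string, or None. With honor_default=False
    the default route is ignored, which is how AVS management components behave.
    """
    ip = ipaddress.ip_address(destination)
    candidates = []
    for prefix in advertised:
        net = ipaddress.ip_network(prefix, strict=False)
        if net == DEFAULT_ROUTE and not honor_default:
            continue
        if ip in net:
            candidates.append(net)
    if not candidates:
        return None
    return str(max(candidates, key=lambda n: n.prefixlen))


def management_gaps(advertised, external_hosts):
    """External hosts that AVS management cannot route to with the given advertisements."""
    return [h for h in external_hosts if best_route(advertised, h, honor_default=False) is None]


def suggest_rfc1918(hosts):
    """RFC1918 summaries that would cover the given hosts (non-private hosts are skipped)."""
    needed = set()
    for h in hosts:
        ip = ipaddress.ip_address(h)
        for net in RFC1918:
            if ip in net:
                needed.add(str(net))
    return sorted(needed)


if __name__ == "__main__":
    # Constructed sample: on-premises systems that must integrate with AVS.
    external = {
        "backup-proxy": "10.50.1.20",
        "monitoring": "172.20.5.9",
        "jump-host": "192.168.100.4",
    }
    default_only = ["0.0.0.0/0"]
    with_summaries = ["0.0.0.0/0", "10.0.0.0/8", "172.16.0.0/12"]

    for label, adv in (("default only", default_only), ("with summaries", with_summaries)):
        gaps = management_gaps(adv, list(external.values()))
        print(f"{label}: VM route to backup -> {best_route(adv, external['backup-proxy'])}; "
              f"management gaps -> {gaps}; add -> {suggest_rfc1918(gaps)}")
```

Run against the real advertised prefix list (for example, what the ExpressRoute gateway's route table shows for the AVS circuit peering) and the inventory of systems that need management access; an empty gap list is the condition to confirm before relying on a default route for VM egress.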

The diagram below expands on Figure 1 to add on-premises connectivity via Global Reach. Global Reach is enabled between the ExpressRoute circuits that connect to the on-premises datacenters and the AVS circuit.

Figure 2: Connectivity to On-premises with Global Reach.


Connectivity to the Internet

There are three different options for establishing internet connectivity, each of which has its own capabilities. Some may be more desirable than others depending on internal security requirements and the infrastructure already in place.

AVS Managed SNAT Service

The SNAT service can be quickly and easily set up to provide outbound access to the internet by selecting a radio button on the AVS Internet Connectivity page in the Azure portal. However, that simplicity comes with no control over SNAT rules, no visibility into connection logs, and no inbound DNAT capability. Two public IPs are associated with the service, which provide a maximum of 128k simultaneous connections.

Default Route Advertisement

A default route can direct traffic to an internet egress located in Azure or on-premises. Cloud-native services like Azure Firewall, or another device of your choosing, can be leveraged to provide SNAT, DNAT, and security services. With this option, internet access can be centrally managed for all resources across AVS, Azure native, and on-premises.

NSX Data Center Edge with an Azure Public IP

Azure Public IP addresses can be consumed by NSX Edge and leveraged for NSX services like SNAT, DNAT, or load balancing. In addition, the IP addresses can be associated with an NVA or virtual machine. This option is very flexible and scalable, supporting thousands of public IP addresses.


Hybrid Connectivity: Unlock Multicloud Benefits
https://blogs.perficient.com/2023/05/09/hybrid-connectivity-unlock-multicloud-benefits/
Tue, 09 May 2023 12:45:18 +0000

Hybrid connectivity is rapidly becoming a critical aspect of modern cloud adoption. It allows for seamless communication between end users, on-premises data centers, and public cloud infrastructure. However, navigating the complexities of hybrid connectivity can be a daunting task for even the most seasoned IT professionals. While our “IT Leader’s Guide to Multicloud Readiness” provides a comprehensive exploration of this topic, this blog post is an informative Q&A exploring the benefits of hybrid connectivity, the risks of not using a reliable connectivity provider, and the essential factors to consider when choosing a provider.

What is hybrid connectivity, and what are its benefits?

Hybrid connectivity is a networking approach that combines private and public cloud resources to create a unified infrastructure. By using a combination of on-premises data centers, private connections, and public cloud services, businesses can improve performance, security, and reliability while reducing costs. Typically, hybrid connectivity is established by implementing VPN connections or building out private circuits.

Benefits of hybrid connectivity include:

  • Flexibility: Hybrid connectivity allows businesses to choose the best location for each workload, whether it’s on-premises, private cloud, or public cloud.
  • Scalability: Businesses can scale their infrastructure up or down as needed without worrying about capacity constraints by leveraging public cloud resources when on-premises systems are unable to support the demand.
  • Security: Instead of accessing cloud services over the internet, hybrid connectivity provides a more secure way to connect on-premises data centers to public cloud services, reducing the risk of data breaches and cyber-attacks.
  • Cost Savings: By using a combination of private and public cloud services, businesses can reduce their infrastructure costs while still enjoying the benefits of cloud computing. Public cloud offers features and functionality that are difficult to obtain without large investments in technology and staff.

What challenges do businesses face when implementing hybrid connectivity, and how can they address them?

Some common challenges that businesses may face when implementing hybrid connectivity include network complexity, integration issues, security concerns, and vendor lock-in. To address these challenges, businesses should consider working with an experienced connectivity provider and developing a comprehensive hybrid connectivity strategy that takes their specific needs and requirements into account. They should also ensure that they have the necessary resources and expertise in place to manage their hybrid infrastructure effectively.


How can a connectivity provider help?

Connectivity providers offer Software Defined Cloud Interconnect (SDCI) products that enable virtual connections to public clouds and other services.

Advantages include:

  • Speed: New virtual connections can be provisioned in minutes instead of months when building out physical circuits.
  • Cost: The overall cost is reduced when compared to physical circuits, which have a high monthly cost and long-term commitments. Without a connectivity provider, a circuit would need to be provisioned for each public cloud.
  • Multicloud: Connections to multiple cloud providers can easily be established, enabling communication between clouds in addition to on-premises.
  • Reach: Many connectivity providers have global footprints with connections available for a multitude of service providers.

What factors should businesses consider when choosing a connectivity provider for hybrid connectivity?

When choosing a connectivity provider for hybrid connectivity, businesses should consider the following factors:

  • Network Reach: The provider should have a broad network reach to ensure connectivity to all desired cloud services.
  • Reliability: The provider should offer redundant circuits and failover options to ensure maximum uptime and minimize the risk of service disruptions.
  • Security: The provider should offer robust security features, such as encryption and firewalls, to ensure the protection of data and applications. Ensure the provider complies with industry standards that are required by the business.
  • Scalability: The provider should be able to scale their services to meet the changing needs of the business.
  • Cost: The provider should offer competitive pricing that fits within the business’s budget.

Can you recommend any connectivity providers for hybrid connectivity?

Equinix and Megaport are two well-regarded connectivity providers that offer hybrid connectivity solutions. Both providers offer a broad network reach, robust security features, and scalability options. They also offer redundant circuits and failover options to minimize the risk of service disruptions. Most businesses already have an established relationship with an Internet Service Provider (ISP) and that ISP may offer a similar service. Before proceeding with the existing ISP, carefully review the capabilities and features offered to ensure they are as robust as Equinix and Megaport, and are able to meet the business’s needs now and in the future.

Next Steps

Hybrid connectivity can provide businesses with the flexibility, scalability, security, and cost savings they need to thrive in today’s cloud-centric landscape. However, it’s essential to choose the right connectivity provider to ensure maximum uptime, security, and reliability. As a trusted partner of some of the world’s biggest brands, Perficient has successfully completed cloud transformations for hundreds of organizations over the past twenty years. Our comprehensive Cloud Transformation Framework can help you navigate the complexities of the cloud journey from start to finish, providing the expertise and resources you need to succeed.


If you’re interested in learning more about how to navigate the complexities of the cloud journey, consider exploring our guide, the “IT Leader’s Guide to Multicloud Readiness”, where we provide best practices and proven methodologies to guarantee success in your cloud transformation journey.

Azure VMware Solution: What is it?
https://blogs.perficient.com/2023/05/05/azure-vmware-solution-what-is-it/
Fri, 05 May 2023 11:18:02 +0000

When companies make large investments in a particular technology like VMware, it can be difficult to pivot to something new. This can lead to slow adoption of the public cloud and missing out on the benefits that come with it. Azure VMware Solution (AVS) bridges the gap between on-premises virtualization and cloud-native IaaS or PaaS services by allowing you to move or extend on-premises VMware environments to Azure.

What is Azure VMware Solution?

Azure VMware Solution provides a private cloud that is VMware validated and built on dedicated, fully-managed, bare-metal Azure hardware. The private cloud consists of VMware vCenter Server, VMware vSAN, VMware vSphere, and VMware NSX (previously known as NSX-T Data Center). VMware HCX is an optional component that can be enabled during the provisioning process.

What are some common use cases?

  • Migration: Jump start your cloud journey by performing Lift and Shift migrations to Azure. Migrating to AVS allows you to integrate existing VMs with Azure Native resources and cloud-native VMs without any change requirements. Leverage HCX to perform system migrations via vMotion, offline bulk migrations, or multiple other options.
  • Reduce Hardware Footprint: If you have a goal to “get out of the datacenter business” or it’s time for a hardware refresh, leverage Azure’s hardware instead. AVS can be scaled as needed without long-term commitments or large capital expenses. The initial cluster deployment takes 3-4 hours, but any additional host can be available in about 30 minutes.
  • Business Continuity / Disaster Recovery: Leverage Azure as a recovery site by utilizing native VMware or 3rd party tooling for virtual machine replication and backup. Activate systems in the cloud without requiring any changes to make them work. Even IP addresses can remain the same by leveraging VMware HCX to extend layer 2 networks into AVS.
  • Modernization: Move systems to Azure VMware Solution that need to be close to workloads that have been modernized. Azure VMware Solution can integrate with cloud native resources to provide monitoring, security, and networking capabilities. By taking advantage of Azure tools and services, you can provide a path to modernize applications.
  • Extended Support: Windows Server operating systems that have reached the end of Extended Support can qualify for the Extended Security Update (ESU) program which provides Security Updates for an additional period.  If the server resides in Azure, which includes the Azure VMware Solution, then ESU is provided for free. Additionally, the ESU period for 2008 has expired for systems hosted outside of Azure. However, if the system is hosted inside of Azure the ESU program is still active until January 9, 2024.

What other benefits are there?

  • Simplified Licensing: All VMware licensing for products included in the AVS private cloud is included in the host consumption cost, so there are no VMware contracts or renewals to manage. Previously HCX Advanced was available, but now HCX Enterprise is included on all new deployments.
  • Single Support Entity: Microsoft manages the support for the Azure VMware Solution, so there is only one vendor to contact if issues occur. If needed, Microsoft will engage VMware support for issue resolution.
  • Reduced Burden: Through the public cloud shared responsibility model, Microsoft is responsible for the lifecycle management of the VMware software and hardware it runs on, thus reducing the burden on internal staff.
  • Options: There are currently three host hardware SKUs available for scaling the AVS environment, although not all SKUs are available in every Azure region. Besides the built-in storage on the host, Azure NetApp Files can be attached as AVS datastores. This allows for scaling storage without requiring additional hosts.

