Route advertisement in vwan
Hi,
We have a transit Vnet with Palo Alto firewall and f5 LTM hosting internet and intr?
Azure Virtual WAN
Azure Virtual Network
-
GitaraniSharma-MSFT 49,401 Reputation points • Microsoft Employee
2023-08-29T10:44:24.18+00:00
Hello @Sharad Pandey,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
Do you want to connect a Vnet to your existing Azure Virtual WAN setup?
If yes, then you can just connect your transit Vnet to your Virtual WAN hub by referring to the doc below:
https://learn.microsoft.com/en-us/azure/virtual-wan/howto-connect-vnet-hub
In case your transit Vnet is in another tenant, you can connect it to your Virtual WAN hub by referring to the doc below:
https://learn.microsoft.com/en-us/azure/virtual-wan/cross-tenant-vnet
And then associate the route tables to allow the traffic.
Refer: https://learn.microsoft.com/en-us/azure/virtual-wan/about-virtual-hub-routing#association
Additional information about NVA setup and routing in Azure Virtual WAN:
https://learn.microsoft.com/en-us/azure/virtual-wan/about-nva-hub
https://learn.microsoft.com/en-us/azure/virtual-wan/scenario-route-through-nva
https://learn.microsoft.com/en-us/azure/virtual-wan/scenario-route-through-nvas-custom
If your requirement is different, could you please share more details?
Regards,
Gita
-
Sharad Pandey 0 Reputation points
2023-08-29T11:38:35.4066667+00:00
Thanks Gita, the links solved the process challenge.
Is it worth deploying VWAN when traffic anyway has to go out of VWAN to the transit Vnet hosted f5 and come back inside VWAN to go to spoke VNets? Should we use traditional hub and spoke architecture instead of using Vwan? Traffic will look like this, please follow the orange line:
Branch Site > Fortinet SDWAN NVA > VWAN HUB > Transit VNET > F5 LTM > Azure Firewall > VWAN HUB > Spoke Application VNET.
We are going to deploy Azure firewall as Application gateway, can we put it inside Azure VWAN and then all Vnet traffic from f5 to it?
-
GitaraniSharma-MSFT 49,401 Reputation points • Microsoft Employee
2023-08-29T13:30:35.8366667+00:00
Hello @Sharad Pandey,
I'm not sure I understand this question "Is it worth deploying VWAN when traffic anyway has to go out of VWAN to transit Vnet hosted f5 and come back inside VWAN to go to spoke VNets?"
Could you please share a network diagram of your current architecture, if possible?
Are you using an Azure Virtual WAN? If yes, do you have a hub-to-hub connectivity as below:
I'm asking because you mentioned the traffic flow as:
Branch Site > Fortinet SDWAN NVA > VWAN HUB > Transit VNET > F5 LTM > Azure Firewall > VWAN HUB > Spoke Application VNET, which shows that you have 2 Virtual WAN hubs configured already.
Where is the Fortinet SDWAN NVA configured? Is it in an Azure Vnet separated from Virtual WAN?
If yes, then your requirement looks more like the below:
https://learn.microsoft.com/en-us/azure/virtual-wan/sd-wan-connectivity-architecture#indirect
In this case, you could use BGP peering with the Virtual hub, as mentioned in the doc below, to enable transit Vnet connectivity:
https://learn.microsoft.com/en-us/azure/virtual-wan/scenario-bgp-peering-hub
Regards,
Gita
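As an added illustration of the two steps Gita points to (connecting the transit Vnet to the hub with a route table association, and BGP-peering the hub with an NVA in that Vnet), here is a Bicep fragment that is not part of the thread or of the Microsoft docs linked above. The hub name, Vnet resource ID, NVA peer IP and peer ASN are constructed placeholders.

```bicep
// Added example, not from the thread: hub-to-VNet connection for the transit
// VNet (hosting the firewall / F5 NVAs) plus a BGP peering from the hub router
// to an NVA in that VNet. Names, IDs, IP and ASN below are constructed values.
param hubName string = 'vwan-hub-01'
param transitVnetId string   // e.g. resourceId('Microsoft.Network/virtualNetworks', 'transit-vnet')
param nvaPeerIp string = '10.10.1.4'   // NIC address of the NVA inside the transit VNet
param nvaPeerAsn int = 65010           // must differ from the hub's own ASN (65515)

resource hub 'Microsoft.Network/virtualHubs@2022-07-01' existing = {
  name: hubName
}

// Step 1: connect the transit VNet to the hub and associate it with the
// hub's default route table so it learns the branch/spoke prefixes and
// propagates its own prefixes back into that table.
resource transitConn 'Microsoft.Network/virtualHubs/hubVirtualNetworkConnections@2022-07-01' = {
  parent: hub
  name: 'transit-vnet-conn'
  properties: {
    remoteVirtualNetwork: {
      id: transitVnetId
    }
    // Internet egress is handled by the NVAs in the transit VNet, not by the hub.
    enableInternetSecurity: false
    routingConfiguration: {
      associatedRouteTable: {
        id: resourceId('Microsoft.Network/virtualHubs/hubRouteTables', hubName, 'defaultRouteTable')
      }
      propagatedRouteTables: {
        labels: [ 'default' ]
        ids: [
          { id: resourceId('Microsoft.Network/virtualHubs/hubRouteTables', hubName, 'defaultRouteTable') }
        ]
      }
    }
  }
}

// Step 2: BGP peering between the hub router and the NVA, over the connection
// above, so prefixes the NVA advertises are injected into the hub route table.
resource nvaBgp 'Microsoft.Network/virtualHubs/bgpConnections@2022-07-01' = {
  parent: hub
  name: 'transit-nva-bgp'
  properties: {
    peerAsn: nvaPeerAsn
    peerIp: nvaPeerIp
    hubVirtualNetworkConnection: {
      id: transitConn.id
    }
  }
}
```

The NVA side must peer with the hub router's two instance IPs (shown in the hub's BGP peer settings after deployment) using ASN 65515; this fragment only establishes reachability and route exchange, it does not by itself force traffic through the NVA.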
-
Sharad Pandey 0 Reputation points
2023-08-29T14:37:26.3166667+00:00
We are planning to deploy just 1 hub which will host the sdwan nva, while all other appliances including azure fw, palo alto and f5 are outside of vwan in the transit Vnet. Kindly refer to the attached picture and follow the orange line.
-
GitaraniSharma-MSFT 49,401 Reputation points • Microsoft Employee
2023-08-30T16:04:14.5733333+00:00
@Sharad Pandey, where is the Fortinet SDWAN NVA configured? I believe this is not in Azure, correct?
This is in the SDWAN Cloud as shown in the above diagram?
-
Sharad Pandey 0 Reputation points
2023-08-30T16:06:16.5433333+00:00
Fortinet SDWAN NVA will be placed in Azure Vwan only.
-
GitaraniSharma-MSFT 49,401 Reputation points • Microsoft Employee
2023-08-31T14:23:46.7466667+00:00
Thank you for the update, @Sharad Pandey.
Your requirement still doesn't seem very clear.
Azure Firewall should be integrated in the Azure Virtual WAN hub; I'm not sure why you would want to deploy it in the transit Vnet.
The transit Vnet and Azure Virtual WAN can be connected using BGP peering or Vnet connections.
But the traffic flow that you mentioned using one Virtual hub could be difficult to achieve as traffic symmetry needs to be maintained.
If it is a transit Vnet to hub-to-hub traffic flow, then it is easier to achieve.
Since your requirement is not regular and seems to involve various 3rd party appliances, it would be better to engage the support team to take a closer look.
So, if you have a support plan, I request that you file a support ticket; otherwise, please do let us know and we will try to help you get one-time free technical support.
In case you need help with one-time free technical support, I would request you to send an email with the subject line "ATTN gishar | Route advertisement in and out of VWAN to transit Vnet f5 and Palo Alto firewall" to AzCommunity[at]Microsoft[dot]com with the following details, and I will follow up with you.
- Reference this Q&A thread
- Your Azure Subscription ID
Note: Do not share any PII data as a public comment.
We will post a summarized answer once the issue is resolved.
Regards,
Gita
-
GitaraniSharma-MSFT 49,401 Reputation points • Microsoft Employee
2023-09-07T15:32:19.99+00:00
Hello @Sharad Pandey, could you please provide an update on this post? In case you need help with one-time free technical support, please send us an email as requested above.