Azure Extended Network Just following Azure certification material mention of Extended networking, i've tried to follow the below and don't quite understand the below: Does this need a vpn on prem? Is this built of a Site to Site link? The Article from Lee below used pfsense. if i'm extending my Layer3 network/broadcast domain offcourse going over the internet to Azure sent via VXLANs. The on prem solution requires two HyperV switches - i'm not sure why a switch is being created. I don't understand the network topology in these situations. What does Gateway subnet refer to? What does NVA refer to in this instance - is this a term Extend your on-premises subnets into Azure using extended network for Azure | Microsoft Learn Azure Extended Networks – Lee Harrison's Technical Blog (hciharrison.com) Azure Extended Network - between #onpremise Palo Alto firewall and #azure (youtube.com)

Hello @Dalbir Singh , Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well. I understand that you would like to know more about Subnet extension in Azure. Extended network for Azure enables you to stretch an on-premises subnet into Azure to let on-premises virtual machines keep their original on-premises private IP addresses when migrating to Azure. Extended network for Azure should only be used for machines that cannot have their IP address changed when migrating to Azure. It is always better to change the IP address and connect it to a subnet that wholly exists in Azure, if that is an option. This subnet extension option in Azure is only for scenarios when you would like to connect your on-premises network to Azure but with overlapping IP addresses. By default, Azure doesn't allow overlapping IP addresses between Azure and on-premises connection. Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal?toc=%2Fazure%2Fvirtual-network%2Ftoc.json#prerequisites Does this need a vpn on prem? Is this built of a Site to Site link? Yes, to connect Azure with your on-premises network, you either need a site-to-site VPN or Azure ExpressRoute connection. Refer: https://learn.microsoft.com/en-us/azure/virtual-network/subnet-extension#extend-your-subnet-to-azure The Article from Lee below used pfsense. Yes, to connect to Azure via Site-to-Site VPN, you would need a VPN device in your on-premises with which you would form a VPN tunnel. Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices The on prem solution requires two HyperV switches - i'm not sure why a switch is being created. I don't understand the network topology in these situations. I'm not sure which Azure certification material you are following but as per the below extended network for Azure document, You need to create a Windows Server 2019 or 2022 VM on any hypervisor that supports nested virtualization. This is the on-premises virtual appliance. We recommend that you create this as a highly available VM in a cluster. Connect a virtual network adapter to the routable subnet and a second virtual network adapter to the extended subnet. Refer: https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/azure-extended-network#on-premises-configuration Hyper-V is a hypervisor that allows you to create and manage virtual machines. Hyper-V specifically provides hardware virtualization. That means each virtual machine runs on virtual hardware. Refer: https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/ So, basically you are creating a Virtual machine on your on-premises machine to act as a virtual appliance for proper traffic routing. What does Gateway subnet refer to? GatewaySubnet is the dedicated subnet in an Azure Virtual Network where you can deploy an Azure VPN gateway. Before you create a VPN gateway, you must create a gateway subnet. The gateway subnet contains the IP addresses that the virtual network gateway VMs and services use. When you create your virtual network gateway, gateway VMs are deployed to the gateway subnet and configured with the required VPN gateway settings. Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub What does NVA refer to in this instance - is this a term Yes, NVA refers to Network Virtual Appliance. An NVA is typically used to control the flow of traffic between network segments classified with different security levels, for example between a De-Militarized Zone (DMZ) Virtual Network and the public Internet. Refer: https://azure.microsoft.com/en-us/blog/best-practices-to-consider-before-deploying-a-network-virtual-appliance/ https://learn.microsoft.com/en-us/azure/architecture/networking/guide/nva-ha Kindly let us know if the above helps or you need further assistance on this issue. Please " Accept the answer " if the information helped you. This will help us and others in the community as well.

Azure Extended Network - Microsoft Q&A

Accepted answer

GitaraniSharma-MSFT 49,391 Reputation points Microsoft Employee

2024-04-01T13:35:45.48+00:00

Hello @Dalbir Singh ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you would like to know more about Subnet extension in Azure.

Extended network for Azure enables you to stretch an on-premises subnet into Azure to let on-premises virtual machines keep their original on-premises private IP addresses when migrating to Azure.

Extended network for Azure should only be used for machines that cannot have their IP address changed when migrating to Azure. It is always better to change the IP address and connect it to a subnet that wholly exists in Azure, if that is an option.

This subnet extension option in Azure is only for scenarios when you would like to connect your on-premises network to Azure but with overlapping IP addresses.

By default, Azure doesn't allow overlapping IP addresses between Azure and on-premises connection.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal?toc=%2Fazure%2Fvirtual-network%2Ftoc.json#prerequisites

Does this need a vpn on prem? Is this built of a Site to Site link?

Yes, to connect Azure with your on-premises network, you either need a site-to-site VPN or Azure ExpressRoute connection.

Refer: https://learn.microsoft.com/en-us/azure/virtual-network/subnet-extension#extend-your-subnet-to-azure

The Article from Lee below used pfsense.

Yes, to connect to Azure via Site-to-Site VPN, you would need a VPN device in your on-premises with which you would form a VPN tunnel.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices

The on prem solution requires two HyperV switches - i'm not sure why a switch is being created. I don't understand the network topology in these situations.

I'm not sure which Azure certification material you are following but as per the below extended network for Azure document,

You need to create a Windows Server 2019 or 2022 VM on any hypervisor that supports nested virtualization. This is the on-premises virtual appliance. We recommend that you create this as a highly available VM in a cluster. Connect a virtual network adapter to the routable subnet and a second virtual network adapter to the extended subnet.

Refer: https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/azure-extended-network#on-premises-configuration

Hyper-V is a hypervisor that allows you to create and manage virtual machines. Hyper-V specifically provides hardware virtualization. That means each virtual machine runs on virtual hardware.

Refer: https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/

So, basically you are creating a Virtual machine on your on-premises machine to act as a virtual appliance for proper traffic routing.

What does Gateway subnet refer to?

GatewaySubnet is the dedicated subnet in an Azure Virtual Network where you can deploy an Azure VPN gateway.

Before you create a VPN gateway, you must create a gateway subnet. The gateway subnet contains the IP addresses that the virtual network gateway VMs and services use. When you create your virtual network gateway, gateway VMs are deployed to the gateway subnet and configured with the required VPN gateway settings.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub

What does NVA refer to in this instance - is this a term

Yes, NVA refers to Network Virtual Appliance.

An NVA is typically used to control the flow of traffic between network segments classified with different security levels, for example between a De-Militarized Zone (DMZ) Virtual Network and the public Internet.

Refer: https://azure.microsoft.com/en-us/blog/best-practices-to-consider-before-deploying-a-network-virtual-appliance/

https://learn.microsoft.com/en-us/azure/architecture/networking/guide/nva-ha

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.

1 person found this answer helpful.
Dalbir Singh 120 Reputation points

2024-04-01T15:16:15.95+00:00

Thanks Gitarani

Dalbir Singh 120 Reputation points

2024-04-01T16:16:03.7733333+00:00

Thanks Gitarani I really appreciate you coming back to me with this I’ve been stuck on this subject for a couple of days now.

It’s in relation to the AZ-800 course

Does NVA relate to the VPN which is acting as the VPN concentrator on prem? If I’m using PFSense to be the point that establishes the tunnel is that the nva?

is the nva acting instead like an informal router type of solution which is bridging the broadcast domain to establish a vxlan tunnel?

GitaraniSharma-MSFT 49,391 Reputation points Microsoft Employee

2024-04-02T11:56:47.8466667+00:00

Hello @Dalbir Singh ,

NVA is a software solution that can be installed on both cloud and on-premises.

However, wrt Azure terminologies, we consider NVAs are mostly part of cloud.

Does NVA relate to the VPN which is acting as the VPN concentrator on prem?

This could be a Router at OnPrem

or a Windows server running RRAS (while it can be called an NVA, we generally call this OnPrem Firewall Appliance). Refer: https://learn.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-top

Refer: https://github.com/gfarat/AzureExtendedNetwork --> In this article, an edge router is used for VPN connection and the NVAs are created to form a bidirectional VXLAN tunnel between Azure and on-prem.

If I’m using PFSense to be the point that establishes the tunnel is that the nva?

As mentioned above, we generally prefer to call this as On-prem device (either On-prem Firewall Device or On-prem VPN Device)

Is the nva acting instead like an informal router type of solution which is bridging the broadcast domain to establish a vxlan tunnel?

It can be

Or it can just provide your OnPrem servers with Firewall features not necessarily providing VPN Connections.

While one of the use cases of NVA can be VPN, it does not necessarily mean it must compulsorily provide VPN features.

It is software solution (or sometimes OS) that can be installed on a server (in case of OnPrem) or VM (in case of cloud). NVA is a software solution that can be installed on both cloud and on-prem.

I cannot comment on the 3rd party blog but in terms of the official Microsoft Azure Extended Network documentation, NVA relate to the Windows Server 2019 or 2022 VM on any hypervisor that supports traffic routing and traffic encapsulation.

The use of the virtual appliances (in Azure and on-premises) is to create a bidirectional VXLAN tunnel between them to perform encapsulation and decapsulation of packets. The VXLAN tunneling protocol encapsulates Layer 2 Ethernet frames in Layer 4 UDP packets, enabling you to create virtualized Layer 2 subnets that span physical Layer 3 networks.

Virtual networks are Layer 3 overlays. Azure does not support any Layer 2 semantics. So, we use these NVAs for VXLAN encapsulation to create overlay networks with the possibility of overlapping IP subnets between Azure and on-premises.

Refer: https://learn.microsoft.com/en-us/windows-server/networking/sdn/technologies/hyper-v-network-virtualization/hyperv-network-virtualization-technical-details-windows-server

https://learn.microsoft.com/en-us/windows-server/networking/sdn/manage/understanding-usage-of-virtual-networks-and-vlans

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#can-i-bring-my-vlans-to-azure-by-using-virtual-networks

Kindly let us know if the above helps or you need further assistance on this issue.

Regards,

Gita

Dalbir Singh 120 Reputation points

2024-04-02T22:33:42.12+00:00

Thanks Gita another thing is when I’m trying to build the solution it says the azure gateway subnet is not valid.

im assuming this is because I don’t have the two virtual switches on the server. I’ve noticed in order to lab this out it requires the azure vm should be running higher than free tier b1, ds1_v2 in order to support nested virtualisation.

Ive been trying to utilise terraform to save time in doing the build.

it seems quite tricky to implement, I’m guessing the use case for a customer to bring their network into azure has a great overhead on the machines it maybe simplistic to utilise a new ip network or nats instead

Thanks for the explanation around the nva as I’ve been reading it has been quite confusing. My understanding is in terms of doing this on prem it may not be entirely safe to expose a vm with rras so using a firewall solution like Palo Alto checkpoint fortigate or pfsense (free open source) to have an IPsec tunnel.

im assuming therefore it’s the nva holding the tunnel across effectively.

GitaraniSharma-MSFT 49,391 Reputation points Microsoft Employee

2024-04-03T09:57:10.2533333+00:00

Hello @Dalbir Singh ,

When I’m trying to build the solution, it says the azure gateway subnet is not valid.

This GatewaySubnet should be created in your Azure Vnet and with the below points in mind:

While it's possible to create a gateway subnet as small as /29 (applicable to the Basic SKU only), all other SKUs require a gateway subnet of size /27 or larger (/27, /26, /25 etc.). You might want to create a gateway subnet larger than /27 so that the subnet has enough IP addresses to accommodate possible future configurations.

User-defined routes with a 0.0.0.0/0 destination and NSGs on the GatewaySubnet are not supported. Gateways with this configuration are blocked from being created. Gateways require access to the management controllers in order to function properly. BGP route propagation should be set to "Enabled" on the GatewaySubnet to ensure availability of the gateway. If BGP route propagation is set to disabled, the gateway won't function.

If any of the above requirements is not met, you might face an issue. And this has nothing to do with the virtual switches on the server. You can create a GatewaySubnet in an Azure Vnet without any issues as long as you are using a subnet of correct size which doesn't have a NSG or UDR with 0.0.0.0/0 route.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub

It seems quite tricky to implement, I’m guessing the use case for a customer to bring their network into azure has a great overhead on the machines it maybe simplistic to utilize a new IP network or NAT instead.

Yes, as already mentioned in the documents, you should not extend your subnets unless it is necessary. Extended network for Azure should only be used for machines that cannot have their IP address changed when migrating to Azure. It is always better to change the IP address and connect it to a subnet that wholly exists in Azure, if that is an option.

Refer: https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/azure-extended-network#overview

My understanding is in terms of doing this on prem it may not be entirely safe to expose a VM with RRAS so using a firewall solution like Palo Alto checkpoint FortiGate or pfSense (free open source) to have an IPsec tunnel.

Yes, even though you can build an IPsec site-to-site VPN connection tunnel to Azure from an on-premises VM using RRAS. it is generally recommended to use a Firewall solution or on-premises VPN device for better compatibility and ease of use.

Refer: https://learn.microsoft.com/en-us/archive/blogs/jletsch/lets-configure-azure-site-to-site-vpn-with-rras-in-azure-resource-manager

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#what-are-my-cross-premises-connection-options

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices

Regards,

Gita

Dalbir Singh 120 Reputation points

2024-04-03T13:20:10.6933333+00:00

Thanks Gita

Can this be implemented without implementing hyper v on the azure windows vm? And setting up 2 virtual switches via powershell?

I’m wondering if this can be done in free tier?

assumingly I would require setting up a local gateway and virtual network gateway.

additoonally can I do this all in one vnet and multiple subnets or will it require at least 2 vnets?

GitaraniSharma-MSFT 49,391 Reputation points Microsoft Employee

2024-04-04T16:15:12.33+00:00

Hello @Dalbir Singh ,

Can this be implemented without implementing hyper v on the azure windows VM? And setting up 2 virtual switches via PowerShell?

As per the official recommendation, Extended network for Azure requires Windows Server 2022 Azure Edition for the VM that is running in Azure. So, you will need an Azure Windows VM to implement Hyper-V.

Refer: https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/azure-extended-network#configuration-in-azure

https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization

I’m wondering if this can be done in free tier?

AFAIK, Azure's Free Tier does not include support for nested virtualization. The Azure Free Tier typically offers limited resources and capabilities. Only some tiers of services are available for free within certain quantities. The free account includes access to three types of VMs for free—the B1S, B2pts v2 (ARM-based), and B2ats v2 (AMD-based) burstable VMs that are usable for up to 750 hours per month.

Refer: https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/create-free-services

But nested virtualization is available for VM sizes starting from Dv3 and Ev3.

Refer: https://azure.microsoft.com/en-us/blog/nested-virtualization-in-azure/

https://learn.microsoft.com/en-us/answers/questions/813416/how-do-i-know-what-size-azure-vm-supports-nested-v

https://learn.microsoft.com/en-us/azure/virtual-machines/dv3-dsv3-series

Additionally, can I do all this in one Vnet and multiple subnets or will it require at least 2 Vnets?

You can use a single Vnet with multiple subnets.

Regards,

Gita

GitaraniSharma-MSFT 49,391 Reputation points Microsoft Employee

2024-04-05T10:31:45.1033333+00:00

Hello @Dalbir Singh ,

Could you please provide an update on this post?

Kindly let us know if the above helps or you need further assistance on this issue.

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Dalbir Singh 120 Reputation points

2024-04-05T15:26:52.54+00:00

I didn’t quite follow on the difference between a gateway subnet and normal one?

so does it use the same vnet? I’m thinking yes in order to get it to speak to the azure VM?

my assumption is even though I’m limited with free tier I can get so far in the wizard to learn the concept and for me to update my terraform code which I can test on non free tier then on at least getting it ready.

i will require a local gateway and vpn gateway item

KapilAnanth-MSFT 41,071 Reputation points Microsoft Employee

2024-04-10T11:50:15.95+00:00

Dalbir Singh,

GatewaySubnet is a naming convention required by Azure if you are planning to deploy a VNET Gateway.

i.e., you cannot deploy your VNET Gateway in any subnet of your choice.

The subnet should meet some requirements.

One such requirement being the subnet named as "GatewaySubnet"

See : Gateway subnet

Cheers,

Kapil

Taryel Kazimov 0 Reputation points

2024-07-20T06:11:17.6466667+00:00

Hi, at the moment today is 20/07/2024 I can confirm that this technology not working regarding to Azure code change. As I understand WAC extension not updated and can't parse Azure API requests to find Subnet inside vNet to extend. My question and research: hhttps://learn.microsoft.com/en-us/answers/questions/1823356/wac-not-detect-subnet-inside-vnet-when-configuring?orderby=helpful
Sign in to comment

Share via

Azure Extended Network

0 additional answers