Connecting corporate network to Azure

thomascusi 1 Reputation point
2023-01-07T17:05:14.51+00:00

We have 15 offices running Velocloud Edges. The SD-WAN network connects offices to Hub (colocations) where we run VMware VMs (AD, DNS, File Shares, Print Servers,...).
Each Velocloud Edge runs a Palo Alto firewall for traffic inspection, URL filtering...
Colocations are connected to Prisma Access (connection from Colocation Palo Alto firewall to Prisma) so remote users can access colocation VMs. Colocations are also connected with edges to the SD-WAN network.

Eventually we want to get rid of colocation and move the remaining VMs to Azure.

Can someone help me with what components would be required?

I am thinking of setting up 3 VPN gateways in each region, creating VNETs in each region and having VNET peering so sites in the EU can access VMs in all regions, for instance. It happens that EU users need to access ASIA or US VMs. Is VNET peering the correct solution?

I am also considering Azure WAN since Velocloud offers an NVA, but would that mean I need 3? That may be overkill since the traffic would only be basic file shares and AD traffic, so not much gain from SD-WAN is foreseen.
Could I still go with Azure WAN but without an NVA, just using S2S VPNs? What about remote users, what would be the best way to connect them?

Something like that:
[attached diagram: greenshot-2023-01-07-175843.png]


2 answers

  1. Luke Murray 11,436 Reputation points MVP Volunteer Moderator
    2023-01-08T00:23:04.463+00:00

    I would go with Azure Virtual WAN, link the VNETs up to the WAN and use an Azure Point to Site connection for remote clients. Using Azure Virtual WAN will help with keeping the network traffic within the Azure backbone.

    The branch office sites can just use an S2S connection to the WAN.

    Additional Links:
    https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
    https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-virtual-hub-routing
    https://learn.microsoft.com/en-us/azure/virtual-wan/migrate-from-hub-spoke-topology
    If you do need an NVA - https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-nva-hub
    https://github.com/adstuart/azure-vwan-anycast
    https://github.com/adstuart/azure-crossregion-private-lb
    https://github.com/dmauser/azure-virtualwan/tree/main/inter-region-azfw

    1 person found this answer helpful.
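    The design in this answer, written out as an added Bicep example (not code from the thread or from any of the linked repositories): one Virtual WAN hub with a site-to-site VPN gateway for a branch edge, a point-to-site gateway for remote users authenticated with Entra ID, and the workload VNet attached to the hub. With the Standard Virtual WAN SKU, a second and third hub in the other regions join the same Virtual WAN and get hub-to-hub transit automatically, so EU sites reach US or ASIA VMs without VNet peering. Resource names, address ranges, the branch public IP (an RFC 5737 documentation address) and the parameter names are placeholders; the pre-shared key is a secure parameter supplied at deploy time rather than stored in the template.

```bicep
// Added example: Virtual WAN hub + S2S branch + P2S remote users + spoke VNet.
// All names, prefixes and IDs below are placeholders chosen for this example.
param location string = 'westeurope'
param hubPrefix string = '10.100.0.0/24'          // hub router range; must not overlap on-prem or VNets
param branchName string = 'branch-eu-01'          // one Velocloud/Palo Alto edge site (placeholder)
param branchPublicIp string = '203.0.113.10'      // RFC 5737 documentation address (placeholder)
param branchLanPrefixes array = ['10.1.0.0/16']   // LAN ranges reachable behind that edge
param spokeVnetId string                           // resource ID of the VNet holding AD/DNS/file VMs
param tenantId string                              // Entra ID tenant used for P2S authentication
param vpnClientAppId string = '41b23e61-6c1e-4545-b367-cd054e0ed4b4' // Azure VPN enterprise app ID (documented, not a secret)
@secure()
param branchPsk string                             // IKEv2 pre-shared key; pass at deploy time, never commit

resource wan 'Microsoft.Network/virtualWans@2023-05-01' = {
  name: 'corp-vwan'
  location: location
  properties: {
    type: 'Standard'                    // Standard is required for hub-to-hub (any-to-any) transit
    allowBranchToBranchTraffic: true    // let branches reach each other through Azure when needed
    disableVpnEncryption: false
  }
}

resource hub 'Microsoft.Network/virtualHubs@2023-05-01' = {
  name: 'hub-${location}'             // repeat this block per region (eastus, southeastasia) to get three hubs
  location: location
  properties: {
    virtualWan: { id: wan.id }
    addressPrefix: hubPrefix
  }
}

// Site-to-site gateway in the hub. Scale unit 1 (500 Mbps aggregate) covers AD and file-share traffic.
resource s2sGw 'Microsoft.Network/vpnGateways@2023-05-01' = {
  name: 'vpngw-${location}'
  location: location
  properties: {
    virtualHub: { id: hub.id }
    vpnGatewayScaleUnit: 1
  }
}

// One branch edge. Static routes are used here; set enableBgp on the link if the edge speaks BGP.
resource site 'Microsoft.Network/vpnSites@2023-05-01' = {
  name: branchName
  location: location
  properties: {
    virtualWan: { id: wan.id }
    addressSpace: { addressPrefixes: branchLanPrefixes }
    deviceProperties: { deviceVendor: 'Palo Alto Networks', linkSpeedInMbps: 100 }
    vpnSiteLinks: [
      {
        name: 'link1'
        properties: {
          ipAddress: branchPublicIp
          linkProperties: { linkProviderName: 'ISP', linkSpeedInMbps: 100 }
        }
      }
    ]
  }
}

resource siteConn 'Microsoft.Network/vpnGateways/vpnConnections@2023-05-01' = {
  parent: s2sGw
  name: 'conn-${branchName}'
  properties: {
    remoteVpnSite: { id: site.id }
    vpnLinkConnections: [
      {
        name: 'link1'
        properties: {
          vpnSiteLink: { id: '${site.id}/vpnSiteLinks/link1' }
          vpnConnectionProtocolType: 'IKEv2'   // keep IKEv1 off; the edge firewall supports IKEv2
          sharedKey: branchPsk
          connectionBandwidth: 100
          enableBgp: false
        }
      }
    ]
  }
}

// Remote users: OpenVPN with Entra ID auth, so no client certificates to distribute or revoke.
resource p2sConfig 'Microsoft.Network/vpnServerConfigurations@2023-05-01' = {
  name: 'p2s-entra'
  location: location
  properties: {
    vpnProtocols: ['OpenVPN']
    vpnAuthenticationTypes: ['AAD']
    aadAuthenticationParameters: {
      aadTenant: 'https://login.microsoftonline.com/${tenantId}'
      aadAudience: vpnClientAppId
      aadIssuer: 'https://sts.windows.net/${tenantId}/'
    }
  }
}

resource p2sGw 'Microsoft.Network/p2sVpnGateways@2023-05-01' = {
  name: 'p2sgw-${location}'
  location: location
  properties: {
    virtualHub: { id: hub.id }
    vpnServerConfiguration: { id: p2sConfig.id }
    vpnGatewayScaleUnit: 1
    p2SConnectionConfigurations: [
      {
        name: 'remote-users'
        properties: {
          vpnClientAddressPool: { addressPrefixes: ['192.168.100.0/24'] } // must not overlap hub, VNets or branches
        }
      }
    ]
  }
}

// Attach the VNet holding the migrated VMs; branches, other hubs and P2S clients then reach it via the hub.
resource spokeConn 'Microsoft.Network/virtualHubs/hubVirtualNetworkConnections@2023-05-01' = {
  parent: hub
  name: 'spoke-workloads'
  properties: {
    remoteVirtualNetwork: { id: spokeVnetId }
    enableInternetSecurity: false   // true only once an Azure Firewall or NVA in the hub is meant to inspect egress
  }
}
```

    Deploy with `az deployment group create` and pass `branchPsk` from a key vault reference or an interactive prompt so the key never lands in source control. Because the Palo Alto on each edge still does inspection and URL filtering, the hub needs no NVA for this traffic profile; an NVA or Azure Firewall in the hub only becomes relevant if egress from the Azure VMs themselves must be inspected, at which point `enableInternetSecurity` on the spoke connection is flipped to true.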

  2. JimmySalian-2011 42,496 Reputation points
    2023-01-07T17:30:53.69+00:00

    Hi,

    As this is a high-level design question, I will try to provide you with some points that you can explore: Azure ExpressRoute will be required, Azure Firewall, Azure VPN; also check out Azure vWAN and VNET peering, you are correct. Explore the ExpressRoute design and connectivity documentation: expressroute-connectivity-models

    For remote users you can try Azure Virtual Desktop, and this should help for roaming users connecting to local sites. virtual-wan-global-transit-network-architecture

    Also this one: expressroute

    Hope this helps.
    JS

    ==
    Please Accept the answer if the information helped you. This will help us and others in the community as well.
