![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 0%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKP%3C/text%3E%3C/svg%3E)
Azure VMware Solution
An Azure service that runs native VMware workloads on Azure.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 96%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAY%3C/text%3E%3C/svg%3E)
To publish internet-facing applications running on Azure VMware Solution (AVS), you need to ensure that these applications are reachable over public IP addresses. This is achieved through a combination of network devices and Azure services that facilitate inbound internet connectivity.
Key Considerations for Inbound Internet Connectivity:
- Network Virtual Appliances (NVAs): You can use NVAs, such as firewalls and application delivery controllers, either hosted in an Azure virtual network or directly on the AVS. These devices help secure and manage traffic to your applications.
- Azure Firewall: This is the preferred option for exposing generic TCP or UDP endpoints. To publish an application through Azure Firewall, you need to configure a Destination Network Address Translation (DNAT) rule that maps the firewall's public IP to the private IP of the AVS application. Azure Firewall will translate the source IP addresses of incoming traffic to its own private IP, ensuring that the AVS VMs receive traffic from the firewall's IP.
- Azure Application Gateway: This service is ideal for HTTP(S) applications. It acts as a reverse proxy and can route HTTP requests to the appropriate backend pools in your AVS. When using Application Gateway, the source IP of the client can be preserved in HTTP headers, allowing your application to access this information if needed.
- Public IP on NSX-T Data Center Edge: If you're using third-party NVAs deployed on AVS, you need to enable Public IP on the NSX-T Data Center Edge. This associates Azure Public IPs with your private cloud and configures routing for internet traffic to reach your NVAs.
Architecture Example:
In your architecture, where you have an On-prem-Site-to-Site VPN connected to a Hub VNet, followed by Azure Firewall and then to AVS, you would:
- Configure the Azure Firewall with DNAT rules to map public IPs to the private IPs of your AVS applications.
- Ensure that the Azure Firewall is correctly set up to handle incoming traffic and that it routes this traffic to the appropriate NVAs or directly to the AVS applications.
By following these guidelines, you can effectively expose your applications running on Azure VMware Solution to the internet via public IP addresses, ensuring they are reachable as needed.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 6%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJH%3C/text%3E%3C/svg%3E)