Reliability and Network Virtual Appliances (NVA)

Network Virtual Appliances (NVA) are typically used to control the flow of traffic between network segments classified with different security levels, for example between a perimeter network (also known as DMZ, demilitarized zone, and screened subnet) and the public internet.

Examples of NVAs include:

  • Network firewalls
  • Layer-4 reverse-proxies
  • Internet Protocol Security (IPsec) Virtual Private Network (VPN) endpoints
  • Web-based reverse-proxies
  • Internet proxies
  • Layer-7 load balancers

For more information about Network Virtual Appliances, reference Deploy highly available NVAs.

To understand how NVAs support a reliable workload, reference the following topics:

Checklist

Have you configured your Network Virtual Appliances (NVA) with reliability in mind?

  • NVAs should be deployed within a Landing Zone or solution-level Virtual Network.
  • For Virtual Wide Area Network (VWAN) topologies, deploy the NVAs to a separate Virtual Network (such as an NVA VNet). Connect the NVA to the regional Virtual WAN Hub and to the Landing Zones that require access to NVAs.
  • For non-Virtual Wide Area Network (WAN) topologies, deploy the third-party NVAs in the central Hub Virtual Network (VNet).

Configuration recommendations

Consider the following recommendations to optimize reliability when configuring your Network Virtual Appliances (NVA):

| Recommendation | Description |
| --- | --- |
| NVAs should be deployed within a Landing Zone or solution-level Virtual Network. | If third-party NVAs are required for inbound HTTP/S connections, deploy NVAs together with the applications that they're protecting and exposing to the internet. |
| For Virtual Wide Area Network (VWAN) topologies, deploy the NVAs to a separate Virtual Network (such as an NVA VNet). Connect the NVA to the regional Virtual WAN Hub and to the Landing Zones that require access to NVAs. | If third-party NVAs are required for east-west or south-north traffic protection and filtering, reference Scenario: Route traffic through an NVA. |
| For non-Virtual Wide Area Network (WAN) topologies, deploy the third-party NVAs in the central Hub Virtual Network (VNet). | If third-party NVAs are required for east-west or south-north traffic protection and filtering, deploy the third-party NVAs in the central Hub Virtual Network. |

Next step