NEW AZURE REFERENCE ARCHITECTURE: Deploy highly available network virtual appliances - PIP-UDR NVAs without SNAT
How's that for a detailed title? Regardless, we have a new Reference Architecture (on the Azure Architecture Center) to announce from AzureCAT Keith Mayer. It was edited by Nanette Ray and Mike Wasson.
This architecture uses two Azure virtual machines to host the NVA firewall in an active-passive configuration that supports automated failover, but it does not require Source Network Address Translation (SNAT).
The complete solution is available on GitHub:
The GitHub repo offers a JSON template, a PowerShell script, the prerequisites, and full deployment instructions.
This new architecture is one of five related architectures available in that Docs Reference Architecture article. Select the best architecture, based on your needs for resources and configurations:
Solution | Benefits | Considerations |
---|---|---|
Ingress with layer 7 NVAs | All NVA nodes are active | Requires an NVA that can terminate connections and use SNAT; requires a separate set of NVAs for traffic coming from the Internet and from Azure; can only be used for traffic originating outside Azure |
Egress with layer 7 NVAs | All NVA nodes are active | Requires an NVA that can terminate connections and implement source network address translation (SNAT) |
Ingress-Egress with layer 7 NVAs | All nodes are active; able to handle traffic originating in Azure | Requires an NVA that can terminate connections and use SNAT; requires a separate set of NVAs for traffic coming from the Internet and from Azure |
PIP-UDR switch | Single set of NVAs for all traffic; can handle all traffic (no limit on port rules) | Active-passive; requires a failover process |
PIP-UDR without SNAT | Single set of NVAs for all traffic; can handle all traffic (no limit on port rules); does not require configuring SNAT for inbound requests | Active-passive; requires a failover process; probing and failover logic run outside the virtual network |
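The failover process named in the two PIP-UDR rows (active-passive, with the probing and failover logic running outside the virtual network) comes down to two control-plane changes: move the shared public IP (PIP) to the surviving NVA, and repoint the user-defined routes (UDR) at its internal address. The following PowerShell is an added example written for this post, not the script in the GitHub repo; it uses the Az module cmdlets and assumes placeholder names (rg-nva, rt-spoke, pip-nva-ext, nic-nva-a-ext, nic-nva-b-ext), internal IPs 10.0.1.4 and 10.0.1.5, a probe port of 443, and an already authenticated Az context.

```powershell
# Added example (not the reference architecture's own script).
# Failover logic for the PIP-UDR without SNAT design: probe the NVA pair through the
# shared public IP from outside the virtual network and, on a sustained failure, move
# the public IP and the route table's next hop to the passive node.
# Assumed placeholder names: rg-nva, rt-spoke, pip-nva-ext, nic-nva-a-ext, nic-nva-b-ext,
# and internal IPs 10.0.1.4 / 10.0.1.5. Requires the Az module and Connect-AzAccount.

param(
    [string] $ResourceGroup  = 'rg-nva',
    [string] $RouteTableName = 'rt-spoke',
    [string] $PublicIpName   = 'pip-nva-ext',
    [hashtable] $Nodes = @{
        # logical node -> external NIC name and internal (trusted-side) IP used as UDR next hop
        A = @{ Nic = 'nic-nva-a-ext'; InternalIp = '10.0.1.4' }
        B = @{ Nic = 'nic-nva-b-ext'; InternalIp = '10.0.1.5' }
    },
    [int] $ProbePort        = 443,
    [int] $FailureThreshold = 2,    # consecutive failed probes before a failover is triggered
    [int] $ProbeIntervalSec = 10,
    [int] $SettleSec        = 60    # assumed time to let PIP/UDR changes propagate after failover
)

function Get-ActiveNode {
    # The active node is whichever external NIC currently holds the public IP.
    $pip = Get-AzPublicIpAddress -ResourceGroupName $ResourceGroup -Name $PublicIpName
    foreach ($name in $Nodes.Keys) {
        $nic = Get-AzNetworkInterface -ResourceGroupName $ResourceGroup -Name $Nodes[$name].Nic
        if ($nic.IpConfigurations[0].PublicIpAddress.Id -eq $pip.Id) { return $name }
    }
    throw "Public IP $PublicIpName is not attached to either NVA NIC"
}

function Test-NvaHealth([string] $Address) {
    # The probe runs outside the vnet (for example from an Azure Function or a management
    # host), so it goes through the public IP, which always points at the active node.
    return Test-NetConnection -ComputerName $Address -Port $ProbePort `
        -InformationLevel Quiet -WarningAction SilentlyContinue
}

function Move-PublicIp([string] $From, [string] $To) {
    # A public IP can be bound to one IP configuration at a time, so detach it from the
    # failed node before attaching it to the standby node.
    $pip     = Get-AzPublicIpAddress -ResourceGroupName $ResourceGroup -Name $PublicIpName
    $oldNic  = Get-AzNetworkInterface -ResourceGroupName $ResourceGroup -Name $Nodes[$From].Nic
    $oldNic.IpConfigurations[0].PublicIpAddress = $null
    Set-AzNetworkInterface -NetworkInterface $oldNic | Out-Null
    $newNic  = Get-AzNetworkInterface -ResourceGroupName $ResourceGroup -Name $Nodes[$To].Nic
    $newNic.IpConfigurations[0].PublicIpAddress = $pip
    Set-AzNetworkInterface -NetworkInterface $newNic | Out-Null
}

function Set-UdrNextHop([string] $NewHopIp) {
    # Repoint every VirtualAppliance route in the spoke route table at the new active node.
    $rt = Get-AzRouteTable -ResourceGroupName $ResourceGroup -Name $RouteTableName
    foreach ($route in @($rt.Routes | Where-Object { $_.NextHopType -eq 'VirtualAppliance' })) {
        Set-AzRouteConfig -RouteTable $rt -Name $route.Name -AddressPrefix $route.AddressPrefix `
            -NextHopType VirtualAppliance -NextHopIpAddress $NewHopIp | Out-Null
    }
    Set-AzRouteTable -RouteTable $rt | Out-Null
}

function Invoke-Failover {
    $active  = Get-ActiveNode
    $standby = @($Nodes.Keys | Where-Object { $_ -ne $active })[0]
    Write-Warning "Failing over from NVA $active to NVA $standby"
    Move-PublicIp -From $active -To $standby
    Set-UdrNextHop -NewHopIp $Nodes[$standby].InternalIp
}

# Probe loop: only a sustained failure (not a single dropped probe) triggers a failover.
$pipAddress = (Get-AzPublicIpAddress -ResourceGroupName $ResourceGroup -Name $PublicIpName).IpAddress
$failures = 0
while ($true) {
    if (Test-NvaHealth -Address $pipAddress) {
        $failures = 0
    } else {
        $failures++
        if ($failures -ge $FailureThreshold) {
            Invoke-Failover
            $failures = 0
            Start-Sleep -Seconds $SettleSec
        }
    }
    Start-Sleep -Seconds $ProbeIntervalSec
}
```

Two design points follow from the table's "Considerations" column. First, because the probe and the failover both run outside the virtual network, the identity that executes this script needs write access to the NICs and the route table, so it should be a dedicated service principal or managed identity scoped to that resource group rather than a broad contributor role. Second, the detach-then-attach of the public IP and the route table update are not atomic, so inbound connections are briefly dropped during failover; the failure threshold keeps a single lost probe from causing that outage needlessly.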
You can find a library of 20+ Reference Architectures on the Azure Architecture Center.
Learn more
- Virtual network traffic routing: Custom routes
- Tutorial: Route network traffic with a route table using the Azure portal
- Azure Functions documentation
- Azure Virtual Network Appliances
AzureCAT Guidance
"Hands-on solutions, with our heads in the Cloud!"