Integrate a Virtual WAN hub with third-party NVAs

2.4 Azure Virtual WAN

📘Microsoft Azure Networking Solutions (AZ-700)

Overview

Before we dive into integrating NVAs, let’s quickly recap what a Virtual WAN (vWAN) is:

  • Azure Virtual WAN is a networking service that simplifies connectivity between multiple branch offices, virtual networks, and on-premises networks.
  • It uses Virtual WAN hubs, which are central points in an Azure region that manage network traffic and routing.
  • Hubs can connect to VPNs, ExpressRoute circuits, and other virtual networks, making traffic management easier at scale.

What are NVAs?

  • NVA (Network Virtual Appliance) is a virtualized network device that runs in Azure.
  • Examples: firewalls, routers, or WAN optimizers.
  • Third-party NVAs are built by vendors like Cisco, Palo Alto Networks, Fortinet, etc.
  • NVAs handle advanced traffic processing that Azure’s built-in routing/firewall cannot do, such as:
    • Deep packet inspection
    • Advanced security filtering
    • Custom routing policies
    • VPN termination for specialized protocols

Why integrate NVAs with Virtual WAN?

  • Enhanced security: NVAs can inspect or filter traffic before it reaches Azure workloads.
  • Custom routing: NVAs allow complex traffic routing between branches, on-prem, and cloud.
  • Compliance: Some organizations require traffic to pass through a firewall or inspection appliance.

Integration Approaches

There are two main ways to integrate third-party NVAs with a Virtual WAN hub:

1. Hub Route Table + NVA

  • Each Virtual WAN hub has a route table that determines where network traffic goes.
  • Steps:
    1. Deploy a third-party NVA in a virtual network connected to the Virtual WAN hub.
    2. Update the Virtual WAN hub route table to send specific traffic to the NVA.
      • Example: send all internet-bound traffic through the firewall NVA.
    3. The NVA processes traffic and sends it to the next hop (another network, internet, or back to Azure).
  • Key points for exam:
    • Hub route tables are region-specific.
    • You can have multiple route tables for different types of traffic.
    • Use propagated routes from NVAs carefully to avoid routing loops.

2. NVA in Hub Virtual Network (Hub-Spoke Model)

  • You can place the NVA directly in a hub virtual network, making it a central inspection point.
  • Steps:
    1. Deploy an NVA in a subnet of the hub VN.
    2. Configure the hub to forward all or selected traffic to the NVA subnet.
    3. Connect spoke VN traffic to the hub as usual.
  • Advantages:
    • Centralized management of network traffic.
    • Easy scaling with multiple NVAs in active-active mode.
  • Exam tip: Microsoft recommends using NVA in a hub VN for predictable routing and easier monitoring.

Routing and Traffic Flow Considerations

  • Propagated vs. Static Routes:
    • Propagated: Automatically learned from connected networks or NVAs.
    • Static: Manually defined to control specific paths.
  • Forced Tunneling:
    • Use NVAs to enforce forced tunneling for internet traffic.
    • All internet traffic can be sent through the NVA for inspection before leaving Azure.
  • Next hop configuration:
    • In route tables, the next hop for certain prefixes can point to the NVA.
    • Example: 0.0.0.0/0 → NVA IP for all outbound internet traffic.

High Availability & Scalability

  • NVAs should be highly available: deploy active-active pairs in separate subnets or availability zones.
  • Virtual WAN hubs are automatically scalable, but NVA traffic must be load-balanced if you have multiple NVAs.
  • Use Azure Load Balancer or vendor-specific solutions for distributing traffic.

Monitoring and Management

  • Azure provides tools to monitor NVA integration:
    • Azure Network Watcher: checks routing paths and packet flow.
    • NVA vendor tools: firewall logs, VPN session monitoring.
  • Alerting: Set up alerts for dropped traffic or NVA failures to avoid downtime.

Exam Tips

  1. Know the two integration methods: Hub route table + NVA and NVA in Hub VN.
  2. Remember traffic flow: traffic from spokes → hub → NVA → destination.
  3. Understand route table propagation: misconfigured routes can break connectivity.
  4. High availability: NVAs must be redundant; hubs are automatically redundant.
  5. Third-party NVA scenarios: firewalls, VPN termination, WAN optimization.

Summary Diagram (conceptual)

[On-Prem VPN/ExpressRoute]
           |
           v
     [Virtual WAN Hub] ----> Route Table ----> [NVA] ----> Internet/Spoke VN
           |
           v
       [Spoke VN]
  • All traffic can be sent to the NVA using hub route tables.
  • NVAs process traffic according to security and routing policies.
  • Virtual WAN hub manages the rest automatically.

In short: Integrating a third-party NVA with Azure Virtual WAN allows organizations to inspect, secure, and route traffic with advanced features. It is done via hub route tables or placing NVAs in the hub virtual network. Always plan routes carefully and ensure HA for the NVAs.

Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by