Use Network Virtual Appliances (NVAs) in Azure Virtual WAN Hubs

Deploy and manage third-party NVAs for advanced networking and security.

Overview

Azure Virtual WAN provides a global networking infrastructure that connects your on-premises networks, branch offices, and other Azure virtual networks. For advanced routing, firewalling, and security services, you can deploy Network Virtual Appliances (NVAs) within your Virtual WAN hub. This allows you to leverage the capabilities of third-party vendors while benefiting from the scalability and manageability of Virtual WAN.

This guide walks you through the process of deploying and configuring NVAs in a Virtual WAN hub. We'll cover the architectural considerations, deployment steps, and common use cases.

When to Use NVAs in Virtual WAN Hubs

  • Advanced Firewalling: Implementing next-generation firewalls for deep packet inspection and threat prevention.
  • Intrusion Detection/Prevention Systems (IDPS): Enhancing security by detecting and blocking malicious network activity.
  • Unified Threat Management (UTM): Consolidating multiple security functions into a single appliance.
  • Custom Routing Logic: Implementing complex routing policies not natively supported by Azure.
  • VPN Concentrators: Providing advanced VPN termination and management capabilities.
  • Traffic Inspection and Logging: Gaining deeper insights into network traffic patterns and security events.

Architectural Considerations

Deploying NVAs in a Virtual WAN hub involves routing traffic through the NVA for inspection and policy enforcement before it reaches its destination. The typical architecture involves:

  • A Virtual WAN hub in Azure.
  • One or more NVA instances deployed within the hub's VNet.
  • Azure Route Server or custom routing to direct traffic to the NVA.
  • Connectivity from on-premises sites, other VNets, and the internet.

Note: It's crucial to deploy NVAs in a highly available configuration, typically using multiple instances and a load balancer, to ensure resilience and prevent single points of failure.

Deployment Steps

1. Deploy the NVA in the Virtual WAN Hub

This typically involves:

  1. Create a new VNet within the Virtual WAN hub's resource group, or use an existing VNet if preferred. This VNet will host your NVAs.
  2. Deploy the NVA instance(s) from the Azure Marketplace or using your vendor's templates. Ensure you select a suitable instance size and configuration.
  3. Configure the NVA's network interfaces (NICs) with appropriate IP addresses and subnets.

2. Configure Routing

You need to ensure that traffic destined for your connected networks (e.g., on-premises, other VNets) is routed through the NVA. This can be achieved using:

a) Azure Route Server

Azure Route Server simplifies NVA integration. It peers with your NVAs and advertises routes learned from them to your Virtual WAN hub and other connected resources.

  1. Enable Azure Route Server in your Virtual WAN hub.
  2. Configure BGP peering between your NVA instances and the Route Server.
  3. Configure the NVA to advertise routes for your connected networks and to route traffic back to the Route Server.
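The following script is an added example of the Route Server steps above; it is not Microsoft's or any NVA vendor's code. It assumes an existing resource group and an NVA VNet, places Route Server in a dedicated RouteServerSubnet of that VNet (the service is hosted in a subnet with exactly that name, /27 or larger), and peers it with two NVA instances for high availability. The subscription id, names, IP addresses and the ASN 65010 are constructed placeholders; the BGP configuration on the NVA side is vendor-specific and not shown.

```shell
#!/bin/sh
# Added example (not Microsoft's or any NVA vendor's code): deploy Azure Route Server
# and peer it with the NVA instances. All names, IPs and the ASN are placeholders.
set -eu

SUB="${SUB:-00000000-0000-0000-0000-000000000000}"   # subscription id placeholder
RG="${RG:-rg-vwan-nva}"                              # assumed to exist
LOCATION="${LOCATION:-westeurope}"
VNET="${VNET:-vnet-nva}"                             # the VNet hosting the NVAs
RS_NAME="rs-nva"
RS_PIP="pip-rs-nva"
# Route Server is hosted in a subnet that must be named RouteServerSubnet (/27 or larger).
RS_SUBNET_ID="/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.Network/virtualNetworks/$VNET/subnets/RouteServerSubnet"
NVA_ASN="65010"                             # NVA BGP ASN; must differ from Route Server's own 65515
NVA_PEERS="nva-1:10.0.1.4 nva-2:10.0.1.5"   # name:ip of each NVA instance (two for HA)

# With DRY_RUN=1 every az command is printed instead of executed, so the plan can be reviewed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only a numeric ASN from the private range (64512-65534) that is not
# Route Server's own ASN 65515; a colliding ASN makes the BGP session fail.
valid_nva_asn() {
  asn="$1"
  case "$asn" in ''|*[!0-9]*) return 1 ;; esac
  [ "$asn" -ge 64512 ] && [ "$asn" -le 65534 ] && [ "$asn" -ne 65515 ]
}

deploy_route_server() {
  valid_nva_asn "$NVA_ASN" || { echo "invalid NVA ASN: $NVA_ASN" >&2; return 1; }
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" \
      -n RouteServerSubnet --address-prefixes 10.0.3.0/27
  run az network public-ip create -g "$RG" -n "$RS_PIP" -l "$LOCATION" --sku Standard
  run az network routeserver create -g "$RG" -n "$RS_NAME" -l "$LOCATION" \
      --hosted-subnet "$RS_SUBNET_ID" --public-ip-address "$RS_PIP"
  # Let routes learned from one peer be re-advertised to the others (branch-to-branch).
  run az network routeserver update -g "$RG" -n "$RS_NAME" --allow-b2b-traffic true
  for peer in $NVA_PEERS; do
    name="${peer%%:*}"; ip="${peer#*:}"
    run az network routeserver peering create -g "$RG" --routeserver "$RS_NAME" \
        -n "bgp-$name" --peer-asn "$NVA_ASN" --peer-ip "$ip"
  done
}

# Usage: sh route-server.sh plan   (print the commands)   |   sh route-server.sh apply
case "${1:-}" in
  plan)  DRY_RUN=1; deploy_route_server ;;
  apply) deploy_route_server ;;
esac
```

Run it with `plan` first and review the printed commands; once the peerings are up, `az network routeserver peering list-learned-routes` shows whether the prefixes the NVA advertises (step 3 above) have actually been learned.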

b) User-Defined Routes (UDRs)

Alternatively, you can use UDRs to explicitly route traffic. This requires more manual configuration but offers granular control.

  1. Create UDRs on the subnets within the NVA's VNet.
  2. Configure the NVA's routing tables to direct traffic appropriately.
  3. Configure the Virtual WAN hub's routing to send traffic to the NVA subnet.

Important: Ensure that the NVA itself has routes configured to send traffic back to the source network after processing. This is critical to avoid traffic blackholes.
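The script below is an added example covering deployment step 1 and the UDR variant of step 2 in one place; it is not Microsoft's or any NVA vendor's code. It assumes an existing resource group and Virtual WAN hub, creates the NVA VNet, an NVA NIC with IP forwarding enabled (without it the NIC drops packets not addressed to itself), connects the VNet to the hub, and builds a route table that sends each protected prefix to the NVA. The `missing_nva_routes` function is the check behind the note above: it lists every prefix the UDRs steer to the NVA that the NVA's own routing table does not know, which is exactly the configuration that blackholes traffic. Resource names, prefixes and the NVA IP 10.0.1.4 are constructed placeholders; the hub-side routing of step 3 and the NVA's internal route configuration are vendor- and topology-specific and not shown.

```shell
#!/bin/sh
# Added example (not Microsoft's or any NVA vendor's code): VNet, NVA NIC and the UDRs
# that steer protected prefixes through the NVA. Names, prefixes and IPs are placeholders.
set -eu

RG="${RG:-rg-vwan-nva}"                  # assumed to exist
HUB="${HUB:-vhub-weu}"                   # existing Virtual WAN hub
LOCATION="${LOCATION:-westeurope}"
VNET="vnet-nva";            VNET_PREFIX="10.0.0.0/16"
NVA_SUBNET="snet-nva";      NVA_SUBNET_PREFIX="10.0.1.0/24"
WORKLOAD_SUBNET="snet-workload"; WORKLOAD_SUBNET_PREFIX="10.0.2.0/24"
NVA_IP="10.0.1.4"                        # static private IP of the NVA's inside NIC
RT_TO_NVA="rt-via-nva"                   # route table attached to the workload subnet
BRANCH_PREFIXES="10.1.0.0/16 10.2.0.0/16"   # branch sites whose traffic must be inspected

# With DRY_RUN=1 every az command is printed instead of executed, so the plan can be reviewed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: VNet, subnets, NVA NIC, and the connection to the hub. IP forwarding must be
# enabled on the NIC or Azure discards packets whose destination is not the NIC's own IP.
deploy_nva_network() {
  run az network vnet create -g "$RG" -n "$VNET" -l "$LOCATION" \
      --address-prefix "$VNET_PREFIX" \
      --subnet-name "$NVA_SUBNET" --subnet-prefix "$NVA_SUBNET_PREFIX"
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" \
      -n "$WORKLOAD_SUBNET" --address-prefixes "$WORKLOAD_SUBNET_PREFIX"
  run az network nic create -g "$RG" -n nic-nva-inside -l "$LOCATION" \
      --vnet-name "$VNET" --subnet "$NVA_SUBNET" \
      --private-ip-address "$NVA_IP" --ip-forwarding true
  run az network vhub connection create -g "$RG" -n "conn-$VNET" \
      --vhub-name "$HUB" --remote-vnet "$VNET"
}

# Step 2b: one UDR per protected prefix with the NVA as next hop, attached to the
# workload subnet so traffic toward the branches is inspected before it leaves.
deploy_udrs() {
  run az network route-table create -g "$RG" -n "$RT_TO_NVA" -l "$LOCATION"
  for prefix in $BRANCH_PREFIXES; do
    name="to-$(printf '%s' "$prefix" | tr '/.' '--')"
    run az network route-table route create -g "$RG" --route-table-name "$RT_TO_NVA" \
        -n "$name" --address-prefix "$prefix" \
        --next-hop-type VirtualAppliance --next-hop-ip-address "$NVA_IP"
  done
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" \
      -n "$WORKLOAD_SUBNET" --route-table "$RT_TO_NVA"
}

# Blackhole check: every prefix the UDRs send to the NVA, plus the workload prefix it
# must reach on the way back, has to be present in the NVA's routing table. $1 is the
# space-separated list of prefixes read from the NVA (vendor CLI/API); prints what is missing.
missing_nva_routes() {
  nva_routes="$1"
  missing=""
  for needed in $BRANCH_PREFIXES $WORKLOAD_SUBNET_PREFIX; do
    found=0
    for have in $nva_routes; do
      if [ "$have" = "$needed" ]; then found=1; fi
    done
    [ "$found" = 1 ] || missing="$missing $needed"
  done
  printf '%s\n' "${missing# }"
}

# Usage: sh nva-routing.sh plan   (print the commands)   |   sh nva-routing.sh apply
case "${1:-}" in
  plan)  DRY_RUN=1; deploy_nva_network; deploy_udrs ;;
  apply) deploy_nva_network; deploy_udrs ;;
esac
```

After the NVA is configured, feed the prefixes from its routing table to `missing_nva_routes`; a non-empty result means the UDRs will deliver packets the NVA cannot forward or return, which is the blackhole the note describes. The check compares exact prefixes, so an NVA that covers a branch with a broader summary route shows up as missing and needs manual confirmation.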

3. Configure NVA Policies and Features

Once deployed and routed, configure your NVA according to your security and networking requirements. This includes:

  • Defining firewall rules.
  • Setting up VPN tunnels (if applicable).
  • Configuring NAT rules.
  • Enabling intrusion detection/prevention features.
  • Setting up logging and monitoring.

4. Test Connectivity and Security

Thoroughly test connectivity from all connected environments to ensure traffic flows correctly through the NVA. Verify that security policies are being applied and that logs are being generated.

Example Scenario: Firewalling Branch Office Traffic

In this scenario, traffic from branch offices connecting via Site-to-Site VPNs to Virtual WAN should first pass through a firewall NVA deployed in the hub for inspection.

  1. Branch VPNs connect to the Virtual WAN hub.
  2. Virtual WAN hub's routing directs traffic from branch VPNs to the NVA subnet.
  3. The NVA inspects the traffic, applies firewall rules, and if permitted, forwards it to the destination (e.g., an Azure VNet or the internet).
  4. Return traffic follows the same path in reverse.

Best Practices

  • High Availability: Deploy NVAs in an Availability Set or Availability Zones, and use a load balancer for failover.
  • Performance: Choose NVA instance sizes that meet your throughput and latency requirements.
  • Monitoring: Integrate NVA logs with Azure Monitor or your SIEM solution.
  • Updates: Keep your NVA software and configurations up-to-date.
  • Vendor Documentation: Always refer to the specific documentation provided by your NVA vendor for detailed configuration instructions.

Tip: Consider using Azure Firewall Manager for centralized policy management across multiple Virtual WAN hubs and VNets, especially if you are using Azure Firewall as your NVA.