Optimizing Your Azure VMware Solution Network: 8 Best Practices

Migrating your workloads to Azure VMware Solution unlocks the benefits of cloud agility and scalability while maintaining the familiarity and control of a VMware environment. However, establishing a secure and performant network foundation is crucial for maximizing the value of your Azure VMware Solution deployment. This article explores eight essential best practices to optimize network design and ensure seamless communication within your cloud environment.

Optimizing Your Azure VMware Solution Network: 8 Best Practices

To optimize your Azure VMware Solution network, follow these eight best practices.

Best Practice 1: Virtual WAN is recommended 

Here are key considerations for selecting the optimal connectivity approach for your Azure VMware Solution private cloud, focusing on two primary scenarios: 

1. Environments with S2S VPN

2. Traditional hub-spoke topologies.

Scenario 1: S2S VPN and Virtual WAN

If your on-premises environment doesn't utilize ExpressRoute for direct private connectivity to Azure, you likely rely on a Site-to-Site VPN (S2S VPN) connection. However, S2S VPN doesn't natively support transit routing, meaning traffic destined for Azure VMware Solution ExpressRoute is routed back on-premises and then out to Azure again. This can be inefficient and introduce additional latency.

Microsoft Virtual WAN is the recommended solution for this scenario. Virtual WAN offers a central hub that acts as a central point for managing and controlling network connectivity across your Azure environment. It facilitates transit routing, enabling traffic from your on-premises S2S VPN to seamlessly flow through the Virtual WAN hub and reach your Azure VMware Solution ExpressRoute connection. This eliminates the need for unnecessary traffic backhaul and improves overall performance.

Benefits of Virtual WAN with S2S VPN:

• Seamless Transit Routing: Virtual WAN eliminates the need for complex routing configurations and ensures efficient traffic flow between your on-premises environment and Azure VMware Solution.

• Centralized Management: Virtual WAN provides a central platform for managing and monitoring all your network connections, simplifying administration, and offering a holistic view of your network health.

• Security Enhancements: Virtual WAN offers additional security features like policy-based routing and branch firewall integration, potentially enhancing the overall security posture of your network.

Scenario 2: Traditional Hub-Spoke Topology and Azure Route Server

If you already have a traditional hub-spoke network topology established within your Azure environment, you might use an Azure Virtual Network as the central hub for connectivity. However, Azure Virtual Networks cannot natively perform transit routing for traffic outside the Azure environment (like your on-premises S2S VPN).

Microsoft Azure Route Server offers a solution for this scenario. Azure Route Server is a managed global routing service that can be deployed within your Azure Virtual Network hub. It provides advanced routing capabilities, including transit routing, allowing traffic from your on-premises S2S VPN to be routed through your Azure Virtual Network and onward to your Azure VMware Solution ExpressRoute connection.

Benefits of Azure Route Server with Hub-Spoke:

• Transit Routing Capabilities: Azure Route Server addresses the transit routing limitation of Azure Virtual Networks, enabling efficient traffic flow between your on-premises environment and Azure VMware Solution.

• Integration with Existing Infrastructure: If you already have a well-established hub-spoke network architecture within Azure, Azure Route Server can be integrated seamlessly without requiring significant changes to your existing infrastructure.

• Scalability and Flexibility: Azure Route Server offers scalability to handle large routing tables and complex network configurations, making it suitable for growing environments.

Choosing the Right Approach:

The optimal connectivity solution depends on your existing network infrastructure and desired functionalities:

• Virtual WAN: If you don't have ExpressRoute on-premises and rely on S2S VPN, Virtual WAN offers a centralized and secure solution with transit routing capabilities.

• Azure Route Server: If you already have a hub-spoke architecture with an Azure Virtual Network hub and require transit routing functionalities, Azure Route Server can be integrated into your existing infrastructure.

Best Practice 2: Plan and design private clouds and clusters in Advance

All clusters within a single Azure VMware Solution private cloud share a common /22 address space. This facilitates seamless communication between VMs across different clusters without requiring complex routing configurations.

Connectivity settings, including internet access, ExpressRoute configuration, HCX (Hybrid Cloud Extension) for disaster recovery, public IP allocation, and ExpressRoute Global Reach for private peering across regions, are applied consistently across all clusters within a private cloud. This ensures consistent network behavior for your workloads regardless of their cluster placement.

Application workloads can potentially share essential network settings like network segments, DHCP services, and DNS configuration. This simplifies management by allowing you to define these settings once and apply them to multiple workloads within the same private cloud.

Planning for Network Efficiency:

• Pre-define Address Spaces: Plan and define the number of private clouds you require upfront. Each private cloud necessitates a unique /22 address space for management traffic and a separate IP address segment for VM workloads. Defining these address spaces before deployment ensures efficient allocation and avoids potential conflicts later.

• Collaboration is Key: Effective communication and collaboration between your VMware and network teams are crucial for optimal network design. Work together to strategize the segmentation of your private cloud network. This involves dividing the network into logical subnets based on workload type, security requirements, and traffic flow. Plan the clusters and network segments across your private clouds to optimize performance and resource utilization.

Benefits of Proactive Planning:

• Simplified Management: Pre-defining address spaces and collaborating on network segmentation streamline network configuration and ongoing management within your Azure VMware Solution environment.

• Scalability: Proactive planning allows you to cater to future growth by reserving sufficient address space and designing your network with scalability.

• Security Optimization: Strategic network segmentation enhances security by isolating workloads and minimizing the attack surface within your private clouds.

• Performance Optimization: Optimized network design with appropriate placement of clusters and network segments can improve overall application performance by minimizing network latency.

Best Practice 3: Configure DNS and DHCP

There are two primary approaches for managing DHCP within your Azure VMware Solution private cloud:

• NSX-T Data Center DHCP: Leverage the built-in DHCP service offered by NSX-T Data Center. This is an option as it requires minimal configuration and integrates seamlessly with your existing NSX-T environment.

• Local DHCP Server: Deploy a dedicated DHCP server within your private cloud. This approach might be preferable if you have specific requirements beyond the capabilities of NSX-T's DHCP service or desire greater granular control over DHCP configuration.

Avoid routing broadcast DHCP traffic over the Wide Area Network (WAN). This can lead to unnecessary network overhead and potential performance bottlenecks. Configure your DHCP service to provide IP addresses within the private cloud's designated address range.

DNS Configuration Strategies:

The optimal approach for DNS configuration depends on your specific deployment scenario:

• Azure VMware Solution-only Environment: If your environment solely consists of Azure VMware Solution, you can deploy a new, dedicated DNS infrastructure within your private cloud. This controls your DNS configuration but requires additional setup and management overhead.

• Connecting to On-premises Environment: When integrating Azure VMware Solution with an existing on-premises environment, leverage well-established DNS infrastructure. This avoids duplicate functionality and ensures consistent DNS resolution across your combined environment. If necessary, deploy DNS forwarders within your Azure VMware Solution private cloud to extend the reach of your on-premises DNS servers. Configure these forwarders to point to internal DNS servers within Azure VMware Solution rather than routing traffic to your on-premises network.

• Combined On-premises, Azure, and Azure VMware Solution: For complex environments encompassing on-premises infrastructure, Azure resources, and Azure VMware Solution, consider utilizing existing DNS servers or forwarders in the Azure hub virtual network (if available). This approach leverages existing infrastructure for centralized DNS management. Alternatively, you can extend your on-premises DNS infrastructure to the Azure hub virtual network, providing a familiar DNS solution for all your resources.

Choosing the Right DNS Strategy:

The most suitable DNS configuration depends on your existing infrastructure, desired level of control, and the complexity of your overall environment:

• Centralized Management: Utilizing existing DNS infrastructure within your on-premises or Azure hub virtual network offers centralized management and a consistent DNS experience.

• Minimal Overhead: Leveraging the built-in NSX-T Data Center DHCP service and existing DNS infrastructure minimizes additional configuration and management overhead.

• Complete Control: Deploying a dedicated DHCP server and separate DNS infrastructure within your private cloud provides the highest degree of control over your network configuration.

Best Practice 4: Strategizing Internet Access and Security for Azure VMware Solution

Various options are available for providing internet access and implementing security measures for your Azure VMware Solution private cloud. It explores both outbound and inbound traffic considerations.

Outbound Traffic: Accessing the Internet

There are several approaches to configure internet access for outbound traffic originating from your Azure VMware Solution workloads:

• Azure Virtual Network, NVA, and Azure Route Server: This approach involves connecting your Azure VMware Solution private cloud to an Azure Virtual Network. A Network Virtual Appliance (NVA) deployed within the Virtual Network acts as a secure gateway, inspecting and filtering outbound traffic before it reaches the internet via Azure internet access. Azure Route Server can be used for additional routing control within the Virtual Network.

• On-premises Default Route: If your on-premises environment has existing internet access, you can leverage the on-premises default route for outbound traffic from your Azure VMware Solution workloads. This approach assumes a direct connection between your on-premises network and Azure VMware Solution, potentially bypassing security controls within your Azure environment.

• Virtual WAN Secured Hub:  Microsoft's Virtual WAN service allows for centralized management and control of network connectivity. You can configure a secure hub within your Virtual WAN environment, utilizing Azure Firewall or a third-party NVA for traffic inspection and filtering. This outbound traffic then utilizes Azure internet access.

Choosing the Right Outbound Option:

The optimal approach depends on your existing network infrastructure, security requirements, and desired level of control. Here are some factors to consider:

• Security: If robust security controls are paramount, consider using an NVA or Azure Firewall within your Azure Virtual Network or Virtual WAN secured hub for comprehensive traffic inspection and filtering.

• Centralized Management: Virtual WAN offers centralized management for network connectivity across your Azure environment, including internet access for your Azure VMware Solution workloads.

• Existing Infrastructure: If you have a well-established on-premises internet access solution, leveraging the on-premises default route might be a simpler option. However, be mindful of potential security implications by bypassing Azure security controls.

Inbound Traffic: Delivering Content and Applications

For inbound traffic originating from the internet and reaching your Azure VMware Solution workloads, several options exist:

• Azure Application Gateway: This Azure service provides advanced capabilities for delivering content and applications. It offers features like Layer 7 (L7) traffic inspection, SSL termination, and Web Application Firewall (WAF) protection, enhancing the security and performance of inbound traffic.

• DNAT and Load Balancer from On-premises: This approach utilizes a DNAT (Destination Network Address Translation) service and a load balancer deployed within your on-premises environment. DNAT redirects incoming internet traffic to the appropriate VM within your Azure VMware Solution private cloud, while the load balancer distributes traffic across available VMs for optimal performance.

• Azure Virtual Network, NVA, and Azure Route Server: Similar to the outbound scenario, you can leverage a combination of Azure Virtual Network, NVA, and Azure Route Server for inbound traffic. The NVA inspects and filters inbound traffic before it reaches your Azure VMware Solution workloads.

• Virtual WAN Secured Hub:  Similar to outbound traffic, you can configure a Virtual WAN secured hub with Azure Firewall or an NVA for inbound traffic inspection and filtering. This approach allows for centralized management and control within your Azure environment.

Selecting the Best Inbound Option:

The most suitable option depends on your specific application requirements and security considerations:

• Advanced Security: Azure Application Gateway offers comprehensive security features like L7 inspection, SSL termination, and WAF, making it ideal for protecting sensitive applications exposed to the internet.

• On-premises Integration: If your existing infrastructure leverages DNAT and load-balancing services, you can extend those functionalities to manage inbound traffic for your Azure VMware Solution workloads.

• Centralized Management: Virtual WAN offers a centralized platform for managing inbound traffic security alongside your outbound internet access configuration.

You can establish a secure and reliable internet access strategy for your Azure VMware Solution environment by carefully evaluating these outbound and inbound options. Remember to prioritize security best practices and choose a configuration that aligns with your needs and existing infrastructure.

Best Practice 5: Use ExpressRoute for Optimal Connectivity in Azure VMware Solution

A significant advantage of deploying Azure VMware Solution is the inclusion of a free 10 Gbps ExpressRoute circuit by default. This pre-provisioned circuit automatically connects your private cloud to the Azure D-MSEE (Direct Microsoft Service Endpoint). This dedicated connection bypasses the public internet, offering several benefits:

• Enhanced Security: By eliminating the public internet as a transit point, you minimize the risk of unauthorized access to your sensitive workloads running within the Azure VMware Solution private cloud.

• Improved Performance: ExpressRoute provides a dedicated connection with predictable latency and high bandwidth, leading to faster and more reliable communication between your on-premises environment and Azure VMware Solution resources.

• Reduced Costs: ExpressRoute can lower data transfer costs, especially for high-bandwidth workloads than relying solely on internet connectivity.

Consider deploying your Azure VMware Solution private cloud in Azure-paired regions for optimal performance and disaster recovery capabilities. Paired regions are geographically separated locations within Azure that offer high availability and fault tolerance. Here's how this strategy benefits your ExpressRoute connectivity:

• Reduced Latency: You minimize network latency by deploying your Azure VMware Solution private cloud closer to your on-premises data centers (ideally within the same paired region). This translates to faster data transfer speeds and improved application responsiveness.

• Enhanced Disaster Recovery: Utilizing paired regions for Azure VMware Solution and your on-premises data center facilitates a robust disaster recovery strategy. In an outage region, you can seamlessly failover your workloads to the paired region, minimizing downtime and data loss.

While the free 10 Gbps ExpressRoute circuit is a valuable starting point, it's crucial to consider your future bandwidth requirements. As your workloads grow and data transfer demands increase, you might need to upgrade to a higher bandwidth ExpressRoute tier. Carefully assess your workload needs and plan for potential scaling to ensure sufficient bandwidth allocation in the future.

Additional Resources:

The provided article on dual-region network topologies for Azure VMware Solution can offer further insights on optimizing your network design for high availability and performance. Refer to this resource for detailed recommendations on leveraging paired regions for disaster recovery scenarios.

Best Practice 6: Azure VMware Solution Connectivity with Global Reach

Global Reach is critical for establishing secure and private connectivity between your Azure VMware Solution private cloud and various network destinations.

Global Reach is an add-on service for Azure ExpressRoute that facilitates private peering between ExpressRoute circuits across different Azure regions or geographical locations. It essentially extends the capabilities of a single ExpressRoute circuit, enabling communication with:

• On-premises Data Centers: Connect your Azure VMware Solution private cloud directly to your on-premises data centers using existing ExpressRoute circuits.

• Azure Virtual Network: Establish private connectivity between your Azure VMware Solution workloads and resources within your Azure Virtual Network.

• Virtual WAN: Integrate your Azure VMware Solution private cloud into a Virtual WAN environment for centralized connectivity management and policy enforcement.

While Global Reach simplifies connectivity, it's not always mandatory. Here's a breakdown of scenarios:

• Mandatory Use Case: If you already leverage ExpressRoute for on-premises connectivity and want to connect your Azure VMware Solution private cloud to those same on-premises data centers or Azure Virtual Networks, then Global Reach becomes essential.

• Alternative Approach: If you don't currently use ExpressRoute, you can design your network connectivity with Azure Route Server. This alternative routing service can achieve similar communication paths.

Benefits of Using Global Reach:

1. Cost-Effective Peering: Peering ExpressRoute circuits with Global Reach incurs no additional charges. This makes it a cost-efficient solution for establishing private connections across regions.

2. Supported Peering Options: Global Reach offers flexibility by supporting peering with various ExpressRoute configurations:

• ExpressRoute Private Peering through ISP: Connect your Azure VMware Solution private cloud to on-premises data centers or other Azure resources through your existing ISP network.

• ExpressRoute Direct: Utilize dedicated Microsoft connections for ExpressRoute peering, offering potentially higher performance and reliability than ISP peering.

Limitations of Global Reach:

1. ExpressRoute Local Incompatibility: Global Reach is not currently supported for ExpressRoute Local circuits. These circuits are designed for private peering within the same Azure region. If using ExpressRoute Local, you'll need to leverage transit routing via third-party Network Virtual Appliances (NVAs) deployed in an Azure virtual network to connect your Azure VMware Solution private cloud to on-premises data centers.

2. Regional Availability: While Global Reach is a valuable tool, it's essential to note that it has limited regional availability. Not all Azure regions might support Global Reach peering. Always refer to Microsoft's documentation for up-to-date information on supported regions.

Best Practice 7: Optimize Bandwidth for Azure VMware Solution with Azure Virtual Network

The virtual network gateway is the connection between your Azure VMware Solution private cloud and the Azure Virtual Network. Its SKU (Standard or Basic) directly impacts the maximum bandwidth available for data transfer.

Choosing the Right SKU: To ensure optimal bandwidth for your workloads, select an appropriate virtual network gateway SKU. Here's a general guideline:

• Standard SKU: Ideal for scenarios requiring high-bandwidth communication between Azure VMware Solution and Azure Virtual Network. Standard SKUs offer significantly higher bandwidth compared to Basic SKUs.

• Basic SKU: Suitable for low-bandwidth workloads or testing purposes. Basic SKUs offer lower bandwidth but come at a lower cost.

Factors Affecting Bandwidth:

• Workload Types: Different workloads have varying bandwidth requirements. Network-intensive applications like video streaming or large file transfers will demand more bandwidth compared to applications with smaller data exchanges.

• Number of VMs: The overall number of virtual machines (VMs) communicating between Azure VMware Solution and Azure Virtual Network can impact bandwidth consumption. More VMs translate to potentially more concurrent data transfers.

• Data Transfer Size: The size of individual data packets being transferred also plays a role. Large data files will require more bandwidth compared to smaller ones.

• Network Protocols: The network protocols used for communication can influence bandwidth usage. Some protocols, like TCP, have overhead associated with them, which can slightly increase bandwidth consumption.

Bandwidth Limitations:

• ExpressRoute Circuits: While the document mentions a maximum of four ExpressRoute circuits to an ExpressRoute gateway in a single region, it's important to note that this doesn't directly translate to bandwidth limitations. Each ExpressRoute circuit can have its bandwidth configuration, and the combined bandwidth of all connected circuits determines the overall capacity.

• Virtual Network Gateway Throughput: The virtual network gateway SKU you choose dictates the maximum throughput it can handle, regardless of the combined bandwidth of your ExpressRoute circuits.

Recommendations:

• Analyze Bandwidth Requirements: Carefully assess the bandwidth needs of your workloads that will be transferred between Azure VMware Solution and Azure Virtual Network. This will help you determine the appropriate virtual network gateway SKU.

• Consider Future Growth: When selecting a SKU, factor in potential growth in your bandwidth requirements. Opting for a higher tier SKU initially can provide flexibility for future scaling.

• Monitor Bandwidth Usage: Once deployed, monitor your virtual network gateway's bandwidth usage to ensure it's meeting your needs. If you consistently reach close to capacity, it might be time to consider upgrading to a higher-tier SKU.

Best Practice 8: Network Security

Network security involves implementing mechanisms to inspect and potentially filter network traffic flowing within your Azure VMware Solution environment. This helps to identify and mitigate potential security threats. Common techniques include:

• Traffic Inspection: Examining the content of network traffic packets to identify malicious activity or unauthorized communication attempts.

• Port Mirroring: Duplicating network traffic on a specific port and sending it to a designated monitoring device for analysis. This allows for comprehensive observation of network activity without directly interfering with the original traffic flow.

East-West Traffic Inspection:

Traffic flowing within your Azure VMware Solution private cloud, also known as east-west traffic, can be inspected using the following solutions:

• NSX-T Data Center:  Leverage the built-in security capabilities of NSX-T Data Center, a network virtualization platform included with Azure VMware Solution. NSX-T offers features like firewalls and micro-segmentation, enabling you to define granular security policies for east-west traffic within your Software Defined Data Center (SDDC).

• Network Virtual Appliances (NVAs): Deploy third-party security appliances as NVAs within your Azure Virtual Network. These NVAs can perform advanced traffic inspection and filtering functions within your east-west traffic flow.

North-South Traffic Inspection:

Traffic flowing between your Azure VMware Solution private cloud and external environments (typically your on-premises data center or the internet), known as north-south traffic, requires separate inspection considerations. Here are your options:

• Third-party Firewall NVA and Azure Route Server: Deploy a third-party NVA firewall within your Azure Virtual Network to inspect north-south traffic. Additionally, utilize Azure Route Server for advanced routing capabilities. This combination allows centralized management and granular control over your north-south traffic security. Traffic inspection is performed within the Azure environment before routing to the internet via Azure internet access.

• On-premises Default Route: If your on-premises environment has a well-established internet access solution, you can leverage the on-premises default route for north-south traffic. However, this approach bypasses security controls within your Azure environment, potentially introducing security risks.

• Azure Firewall and Virtual WAN: Utilize Microsoft's Azure Firewall service deployed within a Virtual WAN environment. This offers a cloud-native solution for inspecting and filtering north-south traffic. Virtual WAN provides centralized management for all your network connectivity, including internet access. Traffic inspection occurs within the Azure environment before routing to the internet via Azure internet access.

• NSX-T Data Center within SDDC over Azure VMware Solution Internet: This option involves leveraging NSX-T Data Center's security functionalities within your SDDC to inspect north-south traffic. However, this approach routes traffic through the Azure VMware Solution internet access, which might not offer the same control and security features other than Azure Firewall or a third-party NVA deployed within your Azure Virtual Network.

Choosing the Right Security Approach:

The selection of your north-south traffic inspection solution depends on several factors:

• Desired Security Control:  Azure Firewall and third-party NVA firewalls offer advanced security features like deep packet inspection and threat intelligence, potentially providing a more robust security posture.

• Centralized Management: Virtual WAN with Azure Firewall provides centralized management for your network connectivity and north-south traffic security.

• Existing Infrastructure: If you have a strong on-premises internet security solution, utilizing the on-premises default route might be a simpler option (but be mindful of potential security risks).

Conclusion

By following the eight best practices outlined in this guide, you can establish a secure, performant, and scalable network foundation for your Azure VMware Solution deployment. These practices encompass strategic use of ExpressRoute for private connectivity, effective internet access and security measures, optimized DNS and DHCP configuration, well-planned private cloud and cluster design, and robust network security with traffic inspection techniques.