Azure NVA Solutions for Highly Available Networks

Azure NVA Solutions offer a flexible and scalable way to extend the security and networking capabilities of your Azure infrastructure. They provide a centralized management plane for network functions.

Azure NVA Solutions can be deployed in a highly available configuration, ensuring that your network remains up and running even in the event of a failure. This is achieved through the use of Azure Load Balancer and Availability Zones.

Azure NVA Solutions support a wide range of network functions, including firewalls, intrusion detection and prevention systems, and VPN gateways. This allows you to choose the specific functions that meet your needs and deploy them in a highly available configuration.

In Azure NVA design, two Load Balancers are used to expose a cluster of NVAs to the rest of the network. An internal Load Balancer redirects internal traffic from Azure and on-premises to the NVAs, while a public Load Balancer exposes the NVAs to the Internet.

The internal Load Balancer is configured with HA Ports rules, which redirect every TCP/UDP port to the NVA instances. This setup supports both active/active and active/standby configurations, but for active/standby configurations, the NVA instances need to offer a TCP/UDP port or HTTP endpoint that doesn't respond to the Load Balancer health probes unless the instance is in the active role.

Traffic symmetry is guaranteed by the internal Azure Load Balancer when both directions of a traffic flow traverse the same Azure Load Balancer. This usually takes 10-15 seconds for the Azure Load Balancer to converge traffic to a different NVA instance in case of individual NVA outages.

High availability is crucial for any network architecture, and Azure offers several options to achieve this. Azure Load Balancer supports active/active, active/standby, and scale-out NVAs with very good convergence time.

Azure Route Server is another option that supports active/active and active/standby NVAs, but requires SNAT for traffic symmetry. Gateway Load Balancer offers guaranteed traffic symmetry without SNAT, and supports active/active, active/standby, and scale-out NVAs.

Here are the key differences between these options:

Each of these options has its own strengths and weaknesses, and the right choice will depend on the specific requirements of your network architecture.

In a Hub&Spoke network topology, traffic flow between Virtual Machines deployed in different workload segments connected to the same Tier-1 Gateway will not be impacted by the NVA insertion.

The traffic will only pass through the Tier-1 gateway, making it a straightforward and efficient setup.

To filter this kind of network traffic, you can rely on the NSX-T Distributed Firewall or Gateway Firewall capabilities.

However, if the workload segments are connected to different Tier-1 Gateways, the traffic flow will be impacted by the NVA insertion, routing via the NVA and the Tier-1 Gateways.

In this case, deploying a Tier-1 Gateway per workload segment is necessary to achieve the desired traffic flow configuration.

Here's a summary of the two possible scenarios:

To ensure the security of your Azure NVA, it's essential to configure it properly. This includes blocking ICMP redirects at the distributed firewall level and configuring the NVA to ignore and not send ICMP redirects.

To maintain a strong security posture, enforce the principle of least privilege for access controls, which means granting users only the minimum permissions necessary to perform their tasks. Regular security audits should also be conducted to identify and address vulnerabilities in your NVA configuration.

Here are some key security best practices to keep in mind:

Choosing the right Network Virtual Appliance (NVA) is crucial for ensuring your network's security and performance.

NVAs can be easily scaled up or down depending on demand, making them suitable for businesses of all sizes. This scalability is one of the key benefits of using NVAs in Azure.

To select the most suitable NVA, you need to evaluate several factors. Here are some key aspects to consider:

By considering these factors, you can choose an NVA that meets your specific needs and provides enhanced security, improved network performance, and easy network management.

To ensure your Network Virtual Appliance (NVA) isn't bypassed by traffic, it's recommended to block ICMP redirects at the distributed firewall level. This can be done by configuring the NVA to ignore ICMP redirects and not send them.

To prevent traffic from routing around your NVA, introduce new static routes with caution. Ensure a proper configuration of the static routes in your Tier-1 Gateways, as improper configuration can lead to traffic bypassing the NVA.

To keep your NVA secure, it's essential to update the software periodically to avoid vulnerabilities. This can be done using ARM templates to deploy in a consistent fashion.

Monitoring and alerts should be configured to monitor the performance and security of your NVA. This includes monitoring resource utilization and configuring alerts to notify you of potential security issues.

Here are some key security recommendations for your NVA:

When working with complex systems, it's essential to be aware of the known limitations that can impact their performance. A well-known limitation of this design topology is about HCX and the Mobility Optimized Network (MON) where the behavior can be hard to predict.

This unpredictability can lead to difficulties in troubleshooting and resolving issues. Mobility Optimized Network is not supported by Microsoft in AVS with a third party NVA setup.

To deploy an NVA in Azure, you'll need to select the right NVA from the Azure Marketplace that suits your requirements. This will be the foundation of your security solution, so take your time to evaluate the available options.

You'll also need to create a Virtual Network to host your NVA, which involves specifying a name, address space (IP address range), and any additional configuration settings.

Here are the basic steps to deploy an NVA in Azure:

To ensure a seamless deployment, test and verify that the VPN taps into the NVA and works as expected for connectivity and performance.

Static routes are a crucial part of routing traffic between different segments. They need to be configured in the Tier-1 Gateways to ensure seamless communication.

In a typical setup, you'll need to configure static routes in the Tier-1 Gateways, as shown in the table below.

The example shows that the Root Tier-1 Gateway needs to be configured to route traffic to workload segments via the NVA.

Changing PIP-UDR is a design that modifies the setup required without NVA redundancy in case the NVA suffers from downtime.

The active NVA's IP address is associated to an Azure Public IP address, and the User-Defined Routes in the spokes have the active NVA's IP address as next hop.

This design offers the worst convergence time of all the options, as the API calls to remap the public IP address and the spoke User-Defined Routes can take several minutes to be effective.

Only active/standby configurations are supported, which can lead to scalability problems if you need to increase the bandwidth supported by your NVAs.

To guarantee traffic symmetry, no Source Network Address Translation (SNAT) is required in this design, since there's only one NVA active at any given point in time.

When deploying Network Virtual Appliances (NVAs), it's essential to consider the topology that best suits your organization's needs. A well-designed topology can provide the necessary security, performance, and manageability for your network.

There are several common deployment topologies to choose from, each with its own advantages. One of the most straightforward topologies is Centralized Security Policies, which allows for easier management and centralized inspection.

A Mesh topology enables fast high availability and performance by establishing direct connections between multiple NVAs. This is particularly useful in environments where high availability is critical.

Another popular topology is the DMZ, which places NVAs in a demilitarized zone (DMZ) for external-facing applications. This adds an additional layer of security for sensitive data and applications.

Here are the common deployment topologies mentioned earlier:

Regular monitoring of your NVA's performance and health is crucial to identify potential issues before they impact your network. This can be achieved by leveraging Azure Monitor.

Automate maintenance scripts with Azure Automation to keep your NVAs up-to-date and secure. This proactive approach will save you time and effort in the long run.

To troubleshoot issues with your NVA, start by checking the basic configuration, NVA performance, and then move on to advanced network troubleshooting if needed.

Here are some key areas to focus on when troubleshooting with your NVA vendor:

Troubleshooting and Management is a crucial part of ensuring your network is running smoothly. To start, check the basic configuration, as it's often the first step in identifying the root of the issue.

Check the configuration of your Network Virtual Appliance (NVA) to ensure it's set up correctly. This includes checking the software updates for NVA VM software and service account setup and functionality.

When troubleshooting, it's essential to check NVA performance. This can be done using Azure Monitor to regularly monitor your NVA's performance and health.

Advanced network troubleshooting may be necessary if the issue persists. This involves checking whether the NVA and VMs are listening for expected traffic, as well as tracing on NVA NICs to verify receiving and sending network traffic.

If you're experiencing issues with packet forwarding, check the routing tables and rules within the NVA. Additionally, verify that there are no NSGs or UDRs interfering with the traffic flow.

Here are some key areas to focus on:

Analyzing traces can also be helpful in identifying the issue. If you don't see packets incoming to the backend VM trace, there may be an NSG or UDR interfering, or the NVA routing tables are incorrect.

To troubleshoot and manage network connections, understanding how to set up a Linux bridge is crucial. This involves creating a Linux bridge and attaching the eth0 interface to it.

You'll also need to set the bridge IP address to 10.0.0.1/24 and configure a DHCP server on the bridge. This allows devices on the network to obtain IP addresses automatically.

On each spoke device, you'll need to set the next hop for the target network to 10.0.0.1. This ensures that traffic is routed correctly through the network.

To complete the setup, you'll need to add a router entry on the Linux machine to 10.1.0.0/24 and 10.2.0.0/24 through the 10.0.0.1 IP address.

Here are the key steps to follow: