Azure Virtual Edge
Deployment Guide
2020
VMware SD-WAN 4.3
You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/
VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Copyright © 2021 VMware, Inc. All rights reserved. Copyright and trademark information.
Contents
Azure Virtual Edge Deployment Guide
    Azure Virtual Edge Deployment Overview
    Azure Resource Manager Template Overview
    Deploying Virtual Edge with ARM Template
Azure Virtual Edge Deployment Guide
This document provides step-by-step instructions for deploying a Virtual Edge in Azure. This chapter includes the following topics:
- Azure Virtual Edge Deployment Overview
- Azure Resource Manager Template Overview
- Deploying Virtual Edge with ARM Template
Azure Virtual Edge Deployment Overview
The Azure Virtual Edge Deployment Guide focuses on how to deploy a Virtual Edge in Azure leveraging the convenience of an Azure Resource Manager (ARM) Template.
More customers are moving workloads to public cloud infrastructure and expect to extend SD-WAN from remote sites to the public cloud to guarantee SLA. VMware SD-WAN offers multiple options: leveraging distributed VMware SD-WAN Gateways to establish IPsec towards the public cloud private network, or deploying the Virtual Edge directly in Azure.
For small branch deployments that demand less than 1G of throughput, a single Virtual Edge can be deployed in the private network (Azure vNets). For larger data center deployments that demand multi-gig throughput, hub clustering can be deployed.
Note: In the VMware SD-WAN Hub clustering design, we leverage a Layer 3 Instance on the LAN side to run BGP between the hubs in the cluster and the Layer 3 Instance for route distribution in the LAN. Since the Azure UDR does not support dynamic routing protocols, a third-party virtual router is required in the Azure infrastructure.
Prerequisites
The following prerequisites are required before you begin:
- An Azure account and login information.
- Familiarity with Azure Virtual Network concepts. (For more information, go to: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview)
- RSA Public Key. (For more information, go to: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/mac-create-ssh-keys)
- VMware ARM Template. (Download the template here: https://code.vmware.com/samples?id=6437)
- SD-WAN Orchestrator target and admin account to log in.
Azure Resource Manager Template Overview
This section provides an important overview of the Azure Resource Manager (ARM) template and a link where you can download the template.
CAUTION: Make sure to review and understand the template before deploying. This is intended as a reference and may need to be altered to accommodate specific environments.
Download the ARM template here: VMware SD-WAN By VeloCloud Azure Resource Manager Template
The default template is built to achieve a common deployment within Azure, representative of the basic topology illustrated in the next section. The ARM Template takes care of creating the necessary resources and collecting the SD-WAN Orchestrator target and activation key to push via CLOUD-INIT. Below are the default values represented in the template.
- Instance Type: Standard_DS3_v2
- Attach Interfaces to VMware Instance (GE1 – eth0 / GE2 – eth1 / GE3 – eth2)
- Allocate Public IP and attach to GE2
- Security Groups – Allowed Ports:
    - UDP 2426 – VMware Multipath Protocol
    - TCP 22 – SSH Access (for Support Access)
    - UDP 161 – SNMP
- Public Route Table (UDR): 0.0.0.0/0 to Internet Gateway
- Private Route Table (UDR): 0.0.0.0/0 to Virtual Appliance (SD-WAN Edge GE3)
- Enable IP Forwarding on all interfaces
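As a way to act on the caution above before deploying, the following added example (not part of the original guide or the VMware template) scans an ARM template for inbound allow rules that expose the listed management ports, TCP 22 and UDP 161, to any source. The embedded template fragment, its names and its source prefixes are constructed for illustration, and rules are assumed to be declared inline under the security group's securityRules property.

```python
import json

# Constructed NSG fragment (not the VMware template); names and source prefixes are made up.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [{"type": "Microsoft.Network/networkSecurityGroups", "name": "example-edge-nsg",
  "properties": {"securityRules": [
    {"name": "VCMP", "properties": {"protocol": "Udp", "destinationPortRange": "2426",
      "sourceAddressPrefix": "*", "access": "Allow", "direction": "Inbound"}},
    {"name": "SSH", "properties": {"protocol": "Tcp", "destinationPortRange": "22",
      "sourceAddressPrefix": "*", "access": "Allow", "direction": "Inbound"}},
    {"name": "SNMP", "properties": {"protocol": "Udp", "destinationPortRanges": ["160-162"],
      "sourceAddressPrefix": "203.0.113.0/24", "access": "Allow", "direction": "Inbound"}}
  ]}}]}
""")

# Management services from the default list above: (protocol, port, label).
MGMT = [("tcp", 22, "SSH"), ("udp", 161, "SNMP")]
ANY_SOURCE = {"*", "0.0.0.0/0", "internet"}

def covers(spec, port):
    """True if an NSG port spec ('*', '22', '160-162') includes port."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    try:
        return int(lo) <= port <= int(hi or lo)
    except ValueError:  # empty, or an unresolved "[parameters('...')]" expression
        return False

def open_management_rules(template):
    """Return (nsg, rule, label) for inbound Allow rules exposing MGMT ports to any source."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Network/networkSecurityGroups":
            continue
        for rule in res.get("properties", {}).get("securityRules", []):
            p = rule.get("properties", {})
            if (p.get("access"), p.get("direction")) != ("Allow", "Inbound"):
                continue
            if str(p.get("sourceAddressPrefix", "")).lower() not in ANY_SOURCE:
                continue
            specs = [p.get("destinationPortRange", "")] + p.get("destinationPortRanges", [])
            proto = str(p.get("protocol", "*")).lower()
            for mproto, port, label in MGMT:
                if proto in ("*", mproto) and any(covers(s, port) for s in specs):
                    findings.append((res.get("name"), rule.get("name"), label))
    return findings

if __name__ == "__main__":
    print(open_management_rules(SAMPLE_TEMPLATE))
```

Rules whose ports or sources are template parameter expressions are not resolved by this check and need to be reviewed against the values entered in the deployment form.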
The template is built to accommodate either a “NEW” Virtual Network or an “EXISTING” Virtual Network. If using “EXISTING,” the vNET, subnets, and route tables are not created. Ensure the vNET name, subnet name, and IP scheme accurately reflect the existing environment.
While this template will activate a Virtual Edge, the simplicity of the topology will not accommodate all environments. It is up to the individual user to edit it for their environment accordingly. For a better understanding of ARM Template structure and syntax, see: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authoring-templates
Deploying Virtual Edge with ARM Template
This section describes how to deploy a Virtual Edge with an Azure Resource Manager (ARM) template.
Basic Topology
In this example, the Azure Virtual Network (vNET 172.16.0.0/16) is divided into a Public subnet (172.16.0.x/24) and a Private subnet (172.16.1.x/24). The Virtual Edge routes between the two subnets. The Public User-Defined Routes (UDR) will forward all off-net traffic to the Internet Gateway. The UDR in the Private subnet will forward all traffic to the LAN-facing interface on the Virtual Edge (type Virtual Appliance). In this example, a default route is used to forward “ALL” traffic from the workloads, but this is not necessary. RFC1918 summarization or specific branch/hub prefixes can be used to narrow what is sent to the Virtual Edge. For example, if the workloads in the Private Subnet still need to be accessible via SSH from publicly sourced IPs, then the UDR could be configured to point the default route (0.0.0.0/0) to the Internet Gateway and the RFC1918 summarization to the Virtual Edge.
[Figure: Basic topology in Azure. VNET 172.16.0.0/16. Public Subnet 172.16.0.x/24 (WAN): VCE GE2 (eth1) at 0.4, WAN Overlay, Public IP towards the Internet; Public Route Table (UDR): 0.0.0.0/0 to Internet. Private Subnet 172.16.1.x/24 (LAN): VCE GE3 (eth2) at 1.4, LAN Interface; Private Route Table (UDR): 0.0.0.0/0 to Virtual Appliance (VCE [GE3] 172.16.1.4); workload VMs at 1.200, 1.201, 1.202.]
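The private route table only works if every Virtual Appliance route points at an interface that exists and has IP forwarding enabled, which is why the template enables it on all interfaces. The following added example (not part of the original guide or the VMware template) checks that in an ARM template; the fragment is constructed, its resource names are made up, and private IP addresses are assumed to be literal values rather than parameter expressions.

```python
import json

# Constructed fragment (not the VMware template): the narrowed UDR design described above
# and the Edge LAN NIC. The last route has a deliberate typo in its next hop.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.Network/routeTables", "name": "example-private-rt",
   "properties": {"routes": [
     {"name": "default", "properties": {"addressPrefix": "0.0.0.0/0", "nextHopType": "Internet"}},
     {"name": "rfc1918-10", "properties": {"addressPrefix": "10.0.0.0/8",
       "nextHopType": "VirtualAppliance", "nextHopIpAddress": "172.16.1.4"}},
     {"name": "rfc1918-192", "properties": {"addressPrefix": "192.168.0.0/16",
       "nextHopType": "VirtualAppliance", "nextHopIpAddress": "172.16.1.5"}}
   ]}},
  {"type": "Microsoft.Network/networkInterfaces", "name": "example-edge-ge3",
   "properties": {"enableIPForwarding": true, "ipConfigurations": [
     {"name": "ipconfig1", "properties": {"privateIPAddress": "172.16.1.4"}}]}}
]}
""")

def nic_forwarding_by_ip(template):
    """Map each NIC private IP in the template to its enableIPForwarding flag."""
    result = {}
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Network/networkInterfaces":
            continue
        props = res.get("properties", {})
        for cfg in props.get("ipConfigurations", []):
            ip = cfg.get("properties", {}).get("privateIPAddress")
            if ip:
                result[ip] = bool(props.get("enableIPForwarding", False))
    return result

def check_appliance_routes(template):
    """Return (route_table, route, problem) for VirtualAppliance routes that cannot forward."""
    nics, problems = nic_forwarding_by_ip(template), []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Network/routeTables":
            continue
        for route in res.get("properties", {}).get("routes", []):
            p = route.get("properties", {})
            if p.get("nextHopType") != "VirtualAppliance":
                continue
            hop = p.get("nextHopIpAddress")
            if hop not in nics:
                problems.append((res.get("name"), route.get("name"), f"no NIC with IP {hop}"))
            elif not nics[hop]:
                problems.append((res.get("name"), route.get("name"), f"IP forwarding off on {hop}"))
    return problems
```

On the constructed fragment, `check_appliance_routes(SAMPLE_TEMPLATE)` reports only the route whose next hop does not match the Edge's GE3 address.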
Procedure:
1 Add the Virtual Edge to the SD-WAN Orchestrator.
The first step is to add the Virtual Edge to the Enterprise. This requires a login credential for the SD-WAN Orchestrator.
a From the SD-WAN Orchestrator, go to Configure > Edges and click the New Edge button, as shown in the image below.
The Provision New Edge dialog box displays.
b In the Provision New Edge dialog:
The Edge will be provisioned with an activation key, as shown in the image below. Make a note of this activation key.
2 Add VLAN IP.
The VLAN configuration must have an IP address assigned to it in order to save the Device Settings, but the IP address will not be used.
a For the Virtual Edge that was just created, click the Device tab on the SD-WAN Orchestrator.
b Scroll down to the Configure VLAN section, and click the Add VLAN button. The VLAN dialog box displays.
c In the VLAN dialog, make sure to adhere to the following:
1 Check the Enable Edge Override checkbox in the top-right corner of the dialog.
2 For the Edge LAN IP Address, use: 169.254.0.1
3 For the Cidr Prefix, use: 24
4 Leave the Advertise checkbox unchecked.
5 In the DHCP area, check the Enable Edge Override checkbox.
6 In the DHCP area, click Disabled.
3 Configure Virtual Edge Interfaces.
CAUTION: The SD-WAN Orchestrator needs the Device Settings configured first before activation. If this step is missed, the Virtual Edge activates but then goes offline a few minutes later.
a Navigate to the Virtual Edge’s Device Settings, as shown in the image below.
2 In the GE3 interface, disable WAN overlay as this interface will be used for the LAN- side gateway. Also, disable NAT Direct Traffic.
4 Launch Virtual Edge via ARM Template.
Note: If this is the first deployment of a Virtual Edge, you may need to “Subscribe” to the Edge version in the Azure Marketplace before deploying from the ARM Template.
a Navigate to Azure Templates as shown in the image below.
b Enter the Name and Description of the Template or Deployment. (See image below).
c Cut and paste the template in the ARM Template area.
d When ready, click Deploy, as shown in the image below.
e Complete the template form.
f Agree to Terms and click the Purchase button.
At this point, Azure will begin the deployment, which can take a few minutes to complete. To follow the progress, click Deployment in Progress… and refresh.
Once the Virtual Edge deployment is complete, the Virtual Edge will boot up and reach out to the SD-WAN Orchestrator with its activation key to complete Virtual Edge activation.