Azure VMware Solution (AVS) is a VMware–validated private cloud solution, managed and maintained by Azure. It runs on dedicated, bare-metal Azure infrastructure. AVS allows customers to manage and secure applications across both VMware environments and Microsoft Azure resources with a consistent operating framework. It supports workload migration, VM deployment, and Azure service consumption.
As AVS private cloud runs on an isolated Azure environment, by default it is not accessible from Azure or the Internet. Users can use either ExpressRoute Global Reach (i.e., from on-prem) or a jump box (i.e., on an Azure VNet) to access AVS private cloud. This means AVS workload VMs are confined within AVS private cloud and not accessible from the Internet. If customers want to make AVS Private Cloud resources, such as web servers, accessible from the Internet, Public IP needs to be deployed. There are a couple of ways to do this: (1) Destination NAT or DNAT via Azure Virtual WAN/Azure Firewall; and (2) Azure Application Gateway. This article focuses on DNAT with Azure Virtual WAN/Azure Firewall.
Azure Firewall is required to configure DNAT. Azure Firewall with public IP as well as Virtual WAN, Virtual WAN Hub, and Public IPs are automatically deployed once public IP functionality is enabled in AVS private cloud. Enabling Public IP functionality also enables connectivity between Virtual WAN Hub AVS private cloud via ExpressRoute.
The following picture shows a reference architecture of DNAT with Azure Virtual WAN.
The architecture diagram illustrates a web server hosted in the Azure VMware Solution environment and configured with RFC1918 private IP addresses. The web server is accessible from the internet via Virtual WAN public IP functionality by using DNAT in Azure Firewall. DNAT is a firewall rule which translates public IP address requests to a private address. When the firewall receives user requests on public IP, it translates those requests to private IP using DNAT rules. The firewall looks up the NAT table, and if the request matches an entry, it forwards the traffic to the translated address and port in the AVS private cloud. The web server receives the request, processes it, and then replies to the firewall. Finally, the firewall forwards the information to the user on the public IP address.
How to Deploy Azure Virtual WAN in AVS Private Cloud
- Sign into the Azure portal and select Azure VMware Solution.
- Select Azure VMware Solution private cloud.
- Under Manage, select Connectivity.
- Select the Public IP tab and then click Configure.
- Accept default values or change them if necessary. Then provide a virtual hub address block, the number of the public IP, and then select Create.
Note: It can take about an hour to complete the deployment. Once deployment is done, we can verify the Public IP, Virtual WAN, WAN Hub, Azure Firewall, and then create firewall police and DNAT on the Azure Firewall.
How to Configure DNAT in Azure Firewall
- In the Azure portal, search for Firewall.
- Select the deployed firewall and then select Visit Azure Firewall Manager to configure and manage this firewall.
Note: Document the Public IP address of the firewall which is required to configure DNAT.
- Select Azure Firewall Policies and then Create Azure Firewall Policy.
- Under the Basic tab, provide the necessary details and select Next: DNS Settings.
- Under DNS Settings tab, accept default and then select the Rules
- Click Add a rule collection
- Provide the required info in the Add a rule collection pane and click Add.
- Click Review + create
- Click Create once Validation has been passed. It may take some time to complete the process.
Note: Final step is to associate firewall policy to the Azure Hub.
- From the Firewall manager, select Azure Firewall Policies.
- Select the appropriate firewall policy, click Manage associations, and then select Associate hubs.
- Select the appropriate Hub and then click Add.
The DNAT policy is now associated with the Azure Virtual Hub and is ready to use.
- Go to the Firewall Manager and check the DNAT Rules to verify DNAT configuration.
With this DNAT policy, the AVS workload VM (i.e., the webserver with an IP address of 172.16.1.201) is now accessible from the Internet via 184.108.40.206.
Public IPs are limited to a maximum of 100 for an AVS Private cloud.