Azure VMware Solution (AVS) is a VMware validated private cloud solution managed and maintained by Azure. It runs on dedicated bare-metal Azure infrastructure. AVS allows customers to manage and secure applications across VMware environments and Microsoft Azure with a consistent operating framework. It supports workload migration, VM deployment, and Azure service consumption.
As AVS private cloud runs on an isolated Azure environment, it is not accessible from Azure or the Internet by default. Users can use either ExpressRoute Global Reach (i.e., from on-prem) or a jump box (i.e., on an Azure VNet) to access AVS private cloud. This means AVS workload VMs are confined within AVS private cloud and not accessible from the Internet.
But what if customers want to make AVS private cloud resources, such as web servers, accessible from the Internet? In that case, a Public IP needs to be deployed. There are a couple of ways to do this: (1) Azure Application Gateway, and (2) Destination NAT (DNAT) using Azure Virtual WAN Hub and Azure Firewall. Azure Application Gateway is the recommended way to publish AVS private cloud resources (e.g., web servers). This article outlines how to publish AVS private cloud resources on the Internet via Azure Application Gateway.
Azure Application Gateway is a Layer 7 load balancer that enables traffic management for web applications. Application Gateway offers advanced capabilities such as cookie-based session affinity, URL-based routing, and Web Application Firewall (WAF). To learn more about Application Gateway features and capabilities, see the Azure Application Gateway documentation.
What are some of the benefits of Application Gateway for AVS Private Cloud? Application Gateway:
- is a managed service with built-in scale and redundancy.
- offers an on-demand/pay-as-you-go consumption model.
- ensures maximum throughput and minimum response time, and can cope with sudden traffic bursts.
- offers numerous advanced features for AVS private cloud workloads, such as Web Application Firewall (WAF) with DDoS protection, autoscaling, zone redundancy, multi-site hosting support, URL-based routing, session affinity, connection draining, and SSL/TLS termination.
The following diagram demonstrates how Azure Application Gateway is used to protect and publish AVS private cloud resources as well as Azure VM scale sets and on-premises servers.
The following architecture diagram illustrates an Application Gateway deployed on a secure Azure Virtual WAN hub and a web server farm hosted in the Azure VMware Solution environment and configured with RFC 1918 private IP addresses. The web servers are accessible from the Internet via Azure Application Gateway, which is configured with a public IP as its frontend. The web servers running on the AVS private cloud are configured as the backend pool.
When a user from the Internet accesses the public IP of the Application Gateway on port 443, the Application Gateway forwards this request to one of the web servers. The web server processes the request and replies to the Application Gateway. Finally, the Application Gateway responds to the user. As a result, web servers running on the AVS private cloud are now accessible from the Internet. Additionally, customers can enable Azure DDoS Protection Standard for added security.
Note: Typically, multiple backend pools are configured with multiple web servers in a single pool.
The following sections provide details on deploying and configuring the Azure Application Gateway to make AVS private cloud resources accessible from the Internet.
Application Gateway is deployed on an Azure Virtual Network (VNet). The VNet can be directly connected to the AVS private cloud via ExpressRoute, or it can be connected to the Azure Virtual WAN Hub. A secure Virtual WAN Hub is deployed automatically once Public IP is enabled on the Azure VMware Private Cloud, and connectivity between the AVS private cloud and the Secure WAN Hub is also provided by ExpressRoute. This document uses the Secure Virtual WAN Hub.
Prerequisites
- An Azure account with an active subscription
- An Azure VMware Private Cloud deployed and running
- Public IP enabled on the Azure VMware Private Cloud
- An Azure VNet deployed and peered with Azure VMware Private Cloud Secure WAN Hub
Deployment and Configuration of Azure Application Gateway
Sign into the Azure portal and search for “Application gateway” to bring up the Application gateways menu. Then, click Add.
- Provide basic details as shown below and then select Next: Frontends>.
- Choose Public as the frontend IP address type. Select an existing public IP or create a new one and then select Next: Backends>.
- Click Add a backend pool to bring up the Add a backend pool menu.
- Type the backend pool name, add the Azure VMware Solution Private Cloud VM (i.e., the web server) as the backend target, and click Add.
- Click Next: Configuration and then select Add a routing rule.
- Provide the rule name, listener name, frontend IP, protocol, and port. Then select Backend targets.
- Select an existing backend pool or create a new one. To add a new HTTP setting, select Add new.
- Provide a name for the HTTP settings and then click Add.
- Click Add on the “Add a routing rule” window.
- Click Next: Tags> and then Next: Review + create>, and check that validation passed.
- Click Create after validation is complete to deploy the Application Gateway.
- It takes some time to deploy the Application Gateway. “Your deployment is complete” appears on the screen once the Application Gateway has been deployed successfully.
- The final step is to test and verify: locate the frontend public IP address of the Application Gateway and browse to it.
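The portal steps above expressed as a Bicep template, added here as an example and not taken from the article. It assumes that the VNet, a dedicated gateway subnet and a Standard public IP already exist (the VNet peered with the AVS secure hub, as in the prerequisites), that the web server listens on plain HTTP port 80 behind the gateway, and that the TLS certificate for the 443 listener is supplied as a base64-encoded PFX; the WAF_v2 SKU and OWASP Prevention mode are choices made here, not settings the article specifies.

```bicep
// Added example, not the article's code: Bicep equivalent of the portal deployment above.
// Assumed: VNet/subnet and a Standard public IP already exist; backend speaks HTTP on port 80.
param location string = resourceGroup().location
param vnetName string                        // assumed existing VNet
param subnetName string = 'appgw-subnet'     // assumed dedicated gateway subnet
param publicIpId string                      // resource id of an existing Standard public IP
param avsWebServerIp string = '172.16.1.201' // web server in the AVS private cloud
@secure() param pfxBase64 string             // base64 PFX for the HTTPS listener
@secure() param pfxPassword string
var gwName = 'avs-appgw'
var gw = 'Microsoft.Network/applicationGateways' // prefix for self-referencing sub-resource ids
resource appGw 'Microsoft.Network/applicationGateways@2023-05-01' = {
  name: gwName
  location: location
  properties: {
    sku: { name: 'WAF_v2', tier: 'WAF_v2' }
    autoscaleConfiguration: { minCapacity: 2, maxCapacity: 10 }
    gatewayIPConfigurations: [ { name: 'gwip', properties: { subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, subnetName) } } } ]
    frontendIPConfigurations: [ { name: 'publicFrontend', properties: { publicIPAddress: { id: publicIpId } } } ]
    frontendPorts: [ { name: 'port443', properties: { port: 443 } } ]
    sslCertificates: [ { name: 'tlsCert', properties: { data: pfxBase64, password: pfxPassword } } ]
    backendAddressPools: [ { name: 'avsWebServers', properties: { backendAddresses: [ { ipAddress: avsWebServerIp } ] } } ]
    backendHttpSettingsCollection: [ { name: 'httpSetting', properties: { port: 80, protocol: 'Http', cookieBasedAffinity: 'Disabled', requestTimeout: 20 } } ]
    httpListeners: [
      {
        name: 'httpsListener'
        properties: {
          frontendIPConfiguration: { id: resourceId('${gw}/frontendIPConfigurations', gwName, 'publicFrontend') }
          frontendPort: { id: resourceId('${gw}/frontendPorts', gwName, 'port443') }
          protocol: 'Https' // TLS terminates at the gateway, as the article describes
          sslCertificate: { id: resourceId('${gw}/sslCertificates', gwName, 'tlsCert') }
        }
      }
    ]
    requestRoutingRules: [
      {
        name: 'webRule'
        properties: {
          ruleType: 'Basic'
          priority: 100 // required on v2 SKUs
          httpListener: { id: resourceId('${gw}/httpListeners', gwName, 'httpsListener') }
          backendAddressPool: { id: resourceId('${gw}/backendAddressPools', gwName, 'avsWebServers') }
          backendHttpSettings: { id: resourceId('${gw}/backendHttpSettingsCollection', gwName, 'httpSetting') }
        }
      }
    ]
    // WAF in Prevention mode blocks OWASP-matching requests before they reach the AVS backend
    webApplicationFirewallConfiguration: { enabled: true, firewallMode: 'Prevention', ruleSetType: 'OWASP', ruleSetVersion: '3.2' }
  }
}
```

Deploy with `az deployment group create` against the resource group that holds the VNet, then browse to the public IP over HTTPS to verify the AVS web server answers.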
The AVS private cloud resource (i.e., the web server with an IP address of 172.16.1.201) is now accessible from the Internet via the public IP (i.e., 126.96.36.199), which is the frontend IP address of the Application Gateway, as demonstrated in the following diagram.
Azure Application Gateway is a highly scalable Layer 7 load balancer that offers advanced capabilities such as cookie-based session affinity, URL-based routing, and Web Application Firewall (WAF). Azure Application Gateway is the recommended way to publish and protect AVS private cloud resources on the Internet. This article demonstrated how AVS private cloud resources can be made accessible from the Internet by using Azure Application Gateway.