Networking Articles - Altaro DOJO | Microsoft Hyper-V blog
https://www.altaro.com/hyper-v
Hyper-V guides, how-tos, tips, and expert advice for system admins and IT professionals

Using Wireshark to Analyze and Troubleshoot Hyper-V Networking
https://www.altaro.com/hyper-v/wireshark-hyper-v-networking/
Fri, 27 Jan 2023 10:59:53 +0000

Networking problems frequently challenge administrators. We can use the popular Wireshark tool to analyze traffic and uncover problems.

The post Using Wireshark to Analyze and Troubleshoot Hyper-V Networking appeared first on Altaro DOJO | Hyper-V.


Networking problems frequently challenge administrators. Introducing a virtualized switch to the mix adds another layer of complexity and multiple failure points. We can use the popular Wireshark tool to analyze traffic and uncover problems.

Requirements for Success with Wireshark

First, you need the software. You can download Wireshark from Wireshark.org. The site includes substantial information and links to more. Due to the extensive depth of the tool, the value that you get from Wireshark depends directly on how well you’ve learned it. Ideally, you’d go through a guided course and practice on training captures. I understand that you might have more immediate needs. This article illustrates enough to get you started but expect to invest time in training and practice.

Second, you need a working knowledge of Ethernet frame structure. You do not need anything near expert level, but you won’t get far if you can’t make sense of what Wireshark reveals. We have an article series on basic networking that can get you started.

Remote Captures in Wireshark

Wireshark can capture from remote systems, but its documentation offers more hints than details. I could not find any directions that I felt comfortable sharing. Fortunately, you have alternatives.

Wireshark will run on Windows Server. Because it relies on the Qt library for its graphical interface, you can run the entire program on a Core mode installation by manually starting “C:\Program Files\Wireshark\Wireshark.exe”. I have no objection to running Wireshark on a server. However, I do not like RDP or similar remote connections to servers. These technologies present a significant attack surface for malware and intruders. Use at your own risk.

During the Wireshark install, you can also select the TShark program, which gives you command-line access to captures. TShark works inside a PowerShell Remote session. That means that you can install TShark on a system that you want to capture “remotely”, output its capture to disk, and then import it into a management system. I will not spend much time on TShark in this article, but I will get you started.

TShark Fundamentals

First, install at least the TShark portion of Wireshark on the target server. That might require a remote desktop connection as Wireshark has no official support for remote or scripted installation. However, running “Wireshark-Win64-<VER>.exe /s” at a command prompt, (or via a script, or possibly even a remote session), should install the software with default options.

Second, open a remote PowerShell session to the server using credentials with administrative privileges on the target:

Enter-PSSession -ComputerName <SERVERNAME>

Alternatively, you can supply credentials at the point of entry:

Enter-PSSession -ComputerName <SERVERNAME> -Credential (Get-Credential)

Once you have your remote session, run Get-NetAdapter to retrieve a list of adapters on the remote server:


Locate the adapter(s) that host the Hyper-V virtual switch on the server and note the value(s) for ifIndex. In my case, I want interfaces 4 and 10. With that knowledge, initiate TShark. Tell it which interfaces to include in the capture and where to write an output file with the -i and -w switches, respectively. That looks something like this:

& 'C:\Program Files\Wireshark\tshark.exe' -i 4 -i 10 -w C:\Users\esadmin\Documents\cap.pcapng

You do need the leading ampersand. If you use tab completion for assistance in entering the path to TShark, PowerShell will insert it automatically.

Upon pressing [Enter], the capture starts and writes to the file. Most importantly, you need to know that pressing [CTRL]+[C] stops the capture. Because we did not specify a capture limit, it will run until we either cancel it or the remote system runs out of disk space. Less importantly, the TShark program does not generate all its console output in a way that PowerShell remote sessions can process. You will see some things that look like error messages and other things will not appear at all. Just remember how to start and stop the capture and you will get the expected capture file.


TShark allows you to restrict captures with limits and filters. I will leave learning about that to you. Start with tshark.exe --help. The instructions above will generate a capture file that, at worst, has more data than you want. Once you have that file, you can transfer it to your management workstation and use Wireshark to operate on it.
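The steps above as one added PowerShell script (not code from the original article): it resolves the switch's physical adapters to the ifIndex values TShark expects, runs TShark with autostop limits so the remote disk cannot fill up and nothing has to be interrupted with Ctrl+C, and copies the file back to the management workstation. The host name, switch name and destination folder are assumed inputs; the default Wireshark install path and tshark's -i, -w and -a options are real.

```powershell
# Added example, not from the original article: capture the physical adapters
# behind a Hyper-V virtual switch on a remote host and retrieve the file.
param(
    [Parameter(Mandatory)] [string] $HostName,     # Hyper-V host to capture on (assumed)
    [Parameter(Mandatory)] [string] $SwitchName,   # external virtual switch to watch (assumed)
    [int]    $Seconds     = 60,                     # -a duration: stop after this many seconds
    [int]    $MaxKB       = 512000,                 # -a filesize: stop at ~500 MB (tshark takes KB)
    [string] $LocalFolder = "$env:USERPROFILE\Documents"
)

# Administrative credentials on the target, as the article requires.
$session = New-PSSession -ComputerName $HostName -Credential (Get-Credential)

$remoteFile = Invoke-Command -Session $session -ArgumentList $SwitchName, $Seconds, $MaxKB -ScriptBlock {
    param($SwitchName, $Seconds, $MaxKB)

    # A switch-embedded team exposes NetAdapterInterfaceDescriptions (plural);
    # a single-NIC external switch exposes the singular property.
    $switch = Get-VMSwitch -Name $SwitchName -ErrorAction Stop
    $descriptions = @($switch.NetAdapterInterfaceDescriptions | Where-Object { $_ })
    if ($descriptions.Count -eq 0) {
        $descriptions = @($switch.NetAdapterInterfaceDescription | Where-Object { $_ })
    }

    # Map the adapter descriptions to the ifIndex values used with -i.
    $ifIndexes = @(Get-NetAdapter -InterfaceDescription $descriptions |
                   Select-Object -ExpandProperty ifIndex)
    if ($ifIndexes.Count -eq 0) { throw "No physical adapter found behind switch '$SwitchName'" }

    $out = Join-Path $env:TEMP ("vswitch-{0:yyyyMMdd-HHmmss}.pcapng" -f (Get-Date))
    $tsharkArgs = @()
    foreach ($i in $ifIndexes) { $tsharkArgs += '-i', $i }   # one -i per adapter, as in the article
    $tsharkArgs += '-w', $out                                 # write to disk instead of memory
    $tsharkArgs += '-a', "duration:$Seconds"                  # autostop: time limit
    $tsharkArgs += '-a', "filesize:$MaxKB"                    # autostop: size limit in KB

    # Console output over remoting is unreliable (see above), so discard it; the file is what matters.
    & 'C:\Program Files\Wireshark\tshark.exe' @tsharkArgs 2>$null | Out-Null
    $out
}

# Pull the capture back for analysis in Wireshark on the management workstation.
Copy-Item -FromSession $session -Path $remoteFile -Destination $LocalFolder
Remove-PSSession $session
Join-Path $LocalFolder (Split-Path $remoteFile -Leaf)
```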

A Warning about Wireshark and Resources

Wireshark will write to capture files, but it defaults to keeping captured packets in memory unless told otherwise. When possible, only run captures for the time needed to gather the data relevant to the problem you want to solve. Take care to set limits on long-running captures to ensure that you do not consume all host memory or disk space. Remember that a full disk will cause any VMs on that disk to pause. Also, remember that Hyper-V prioritizes processes in the management operating system, so it will squeeze virtual machines as needed to provide CPU and memory resources to Wireshark.

Set capture limits from Wireshark’s main interface by clicking the Capture menu item on the menu bar and then clicking Options.


The Input tab allows you to select the adapters to watch and to define capture filters. The Output tab gives you options for writing to files. You can set finite capture limits on the Options tab that apply whether writing to memory or disk, along with some handy quality-of-life settings.

While we frequently want to capture all data so that we don’t miss environmental problems, you can greatly reduce capture size with capture filters. Unlike display filters, capture filters tell Wireshark to discard information without storing it. Use these cautiously; if you inadvertently throw out interesting frames, you’ll have to perform additional captures.

Finally, remember that 10GB and faster interfaces can already generate heavy CPU loads. Using Wireshark to capture and decipher frames costs that much more. Few systems drive their networking capabilities anywhere near their maximums but remain mindful.

Traffic Must Pass a Physical Adapter for Wireshark to Capture It

With the current way that the Hyper-V virtual switch projects into the management operating system, Wireshark cannot bind directly to it. Instead, we attach it to one or more physical adapters. This means that, at the management operating system level, Wireshark cannot intercept any traffic that never leaves the VMBus.

The VMBus limitation primarily impacts internal and private virtual switches. Without a physical adapter, you have few options. If you have an unused physical adapter, you could temporarily bind the virtual switch to it with Set-VMSwitch. If your host uses the older LBFO technology, you can add a team NIC in another VLAN and bind your virtual switch to that. Even with these alternatives, you will still miss anything that does not cross the bound adapter.

However, this should only present a problem in edge cases. Wireshark and TShark can operate just as well inside a virtual machine as they can in the management operating system. Wireshark does not distinguish between virtual and physical adapters. Set it to watch the virtual adapters involved in your communications chain, and you’ll see the traffic. If you can’t install either product inside a given virtual machine, you still have Hyper-V’s port mirroring feature.

Capturing All Virtual Switch Traffic

When you don’t know exactly what you’re looking for, which applies well when you don’t have much experience with network captures, just get everything. When you first open Wireshark, it will present all network adapters that it can operate with. Find the physical adapters that host your virtual switch and highlight them:


Remember that choosing anything that says “vEthernet” in its name binds to that virtual adapter, not the virtual switch. For switch monitoring, you must choose the physical adapter(s).

You can either right-click your selection and click Start Capture or you can click the blue shark icon at the left of Wireshark’s icon menu. If you made a mistake in adapter selection or just want to change it after the capture has started, select Options from the Capture menu:


Once the capture starts, you should see a rapidly scrolling screen like the one below. If you’re working on a problem, reproduce it while the trace runs.


Once the trace has captured enough information, click the red square button on the toolbar to end it. Regardless of your intentions, I recommend saving the file. It’s better to have a capture file that you don’t need than the opposite.

You can scan through the capture to look for anything that seems out of place or just to acclimate yourself to a network capture. If you’ve never used Wireshark before, the topmost pane shows a list of captured frames with some basic information about each. The middle pane tries to break the selected frame down into its individual components. Click on the triangle icon to the left of any item to drill down further. Wireshark uses “dissectors” to interpret frame components. Anything that it doesn’t recognize goes into the generic “Data” portion. The third pane shows a binary dump of the frame. If you click any part of that, the dissector pane will shift focus to that location.

Listings such as this allow you to peruse the activity crossing your virtual switch. You can investigate whatever interests you.

Exercise 1: Capturing Virtual Switch Traffic by Port

Tracing traffic by port can help you locate breaks in communication. It helps you to discover if messages that you expect to arrive on a virtual machine ever make it to the virtual switch at all. You can ensure that servers on virtual machines respond to clients as expected. You can watch for traffic coming from unexpected (potentially malicious) sources.

In my example exercise, I want to verify that my “primary” domain controller properly receives and responds to authentication traffic. For the most basic trace, I can set a display filter on a previously captured file or on an active trace with this format: tcp.port == 389:


For thoroughness, I want to look at all traffic that a domain controller would utilize for authentication traffic. I can filter to multiple ports like this: tcp.port == 88 or tcp.port == 389 or tcp.port == 636 or tcp.port == 3268 or tcp.port == 3269


Pressing [Enter] or the white arrow with the blue background at the end of the filter field will update the display to show only frames that match the filter:


Scanning the filtered view, I see frames that it clearly identifies as LDAP and others that it marks only as TCP. When Wireshark cannot identify a frame, look to the Info column. In the third row of the screenshot, we see that it has marked the frame as [ACK]. That tells us that the frame contains an acknowledgement of a previously received frame.

If I want to find out what the frame acknowledged, I can right-click on the line item, hover over Conversation Filter, and choose one of the offered items. In this case, I don’t want to miss anything, so I choose Ethernet as the least specific filter:


In response, Wireshark pares down the display to only the items that belong to that particular “conversation”. Also, notice that it updated the display filter:


I know that 192.168.5.1 belongs to the domain controller of interest. I also know that 192.168.5.2 belongs to my “secondary” domain controller. Therefore, before I even performed any of these tasks, I could have guessed that these frames carry requests or updates that keep domain information synchronized. To confirm, I select the first frame in the conversation in the top pane. In the middle pane, I find the Lightweight Directory Access Protocol section, which indicates that a dissector has come into play. In the bottom pane, I locate the highlighted bytes (remember that this matches whatever I selected in the middle pane):


The frame appears to have something to do with DNS settings. I look at the same portion of the second frame:


We already know that the third and final frame in the conversation is an ACK. So, we can surmise that 192.168.5.2 asked 192.168.5.1 about SVDC02 as a DNS server, got a NO_OBJECT result, and acknowledged receipt of the result. It appears that I may have some DNS troubleshooting to do.

However, I was interested in authentication traffic. We learned that the tracked conversation dealt with DNS servers. I can return to my previous filtered view by clicking the drop-down arrow at the end of the filter line and choosing the filter that I want to see again:


Exercise 2: Including or Excluding Virtual Switch Traffic by IP Address

To continue with the scenario set up in exercise 1, I still want to see all the authentication traffic to my “primary” domain controller, but I want to exclude anything between it and my “secondary” domain controller. The simplest display filter looks like this: ip.addr != 192.168.5.2. If I wanted to see only traffic involving that IP, I could use double equals (==) or eq instead of !=.

Of course, I don’t want non-authentication traffic either. So, let’s modify the filter to ip.addr != 192.168.5.2 and (tcp.port == 88 or tcp.port == 389 or tcp.port == 636 or tcp.port == 3268 or tcp.port == 3269). Pay attention to the parentheses. This grouping tells Wireshark that we want frames that do not involve IP address 192.168.5.2 and that do use one of the TCP ports inside the parentheses:


The remaining list tells us multiple things:

  • No non-domain controller except 192.168.10.1 talked to the domain controller during the capture (were we expecting traffic from someone else?)
  • We see the beginning of a conversation between the domain controller and 192.168.10.1 (indicated by the SYN packets)
  • 192.168.10.1 performed a bind and SASL operation
  • All traffic was on port 389
  • We see the end of a conversation (indicated by the RST, ACK packet followed by a FIN, ACK packet)

While not captured in the screenshot, the Info contents provide enough preview information for me to understand what the SASL conversation was about. However, I can click on the individual frames and use the other two panes to get a deeper look at the traffic.

Exercise 3: Determine the Physical Adapter(s) Used by a Virtual Machine

The Hyper-V virtual switch makes its own decisions when placing traffic on the members of a switch-embedded team. If you use the Hyper-V Port load balancing algorithm, it will affinitize each virtual adapter’s incoming traffic to a physical adapter. While it can dynamically change affinities in response to events, each virtual adapter will always receive on exactly one physical adapter. If you use the Dynamic load balancing algorithm instead, then Hyper-V can exploit Ethernet and TCP/IP characteristics to distribute physical adapter use down at the conversation level.

If you want to view its decisions in action, Wireshark can help. Get a capture of traffic on your switch’s physical adapters. Select any frame in the top pane. In the middle pane, expand the Frame group at the top, then the Interface item. Look at the Interface description field:


Skip around in a generic capture and look at the ways that it uses physical adapters. Notice how it freely distributes multicast and broadcast traffic as it sees fit. Notice how it picks an adapter for any given individual unicast conversation and keeps it there.

We will expand on this subject in the next two exercises.

Exercise 4: Determine the MAC Addresses Used by a Virtual Machine

This exercise may seem pointless because you can use PowerShell or the various graphical tools to find the MAC assigned to a Hyper-V virtual network adapter. Bear with me though, as you may see things that you don’t expect.

This exercise begins similarly to exercise 3. Pick a frame from the top pane and look in the center pane. The second section, after Frame, is Ethernet. It shows the MAC addresses involved in the frame, which probably aligns with what you see in your tools:


Then again, it might not:


In fact, even though it includes the IP address of a virtual machine (192.168.127.3, visible in the third row), neither the source nor the destination MAC belongs to a Microsoft virtual adapter. For this reason, I counsel against filtering Hyper-V virtual switch traffic by any MAC owned by a virtual adapter unless you’re doing something like validating MAC address spoofing.

How did this happen? Short answer: Hyper-V silently utilizes the MAC addresses of physical adapters when load balancing traffic from a single virtual adapter. If that seems strange, understand that physical switches do the same thing. Knowing the MAC address that Hyper-V assigned to a virtual adapter does not guarantee that the virtual switch will only use that MAC in conversations involving that adapter. The only Ethernet segment that absolutely must have the correct MAC for an adapter is its direct switch connection. In Hyper-V’s case, that connection only exists on VMBus which, as we discussed earlier, cannot be seen in Wireshark. If you want a longer explanation, I wrote an article that talks about how this very thing can cause problems when using a dynamic-mode Hyper-V virtual switch in conjunction with load balancers.

You can see the MAC-to-adapter matching by comparing the MAC to the interface ID or description (as shown in exercise 3). You can use this information to filter a virtual machine’s traffic by adapter as shown in the next exercise.

Exercise 5: Find Traffic for a Virtual Machine that Uses a Specific Virtual Adapter

We’ll combine what we learned in the previous two exercises to answer a specific question: how do I filter the traffic from a specific virtual adapter that crosses a specific physical adapter? In case you skipped the previous sections, this question only makes sense when your Hyper-V virtual switch involves a physical adapter team.

The part of the virtual machine that does not change is its IP address, so I will filter by that first. Next, I will have Wireshark look at the frame object. As you type the filter, it will make suggestions. I begin my filter with ip.addr == 192.168.127.3 and frame. (note that this is an incomplete query and that the period after frame is part of it):


You can see that Wireshark makes suggestions to help us out. The subcomponent of frame that interests us is the interface, so start typing that to shorten the suggestion list:


If you recall the Wireshark-assigned interface ID from previous exercises, then you can select the interface_id subcomponent and that number. I like repeatable, memorable things, so I will use the interface_description with the name that I gave the adapter in Windows: ip.addr == 192.168.127.3 and frame.interface_description == PTL. You do not need quotes around the name:


My display now contains traffic for that virtual machine that uses the designated physical adapter, even though none of it includes the virtual machine’s “correct” MAC address:


Expect to see many frames marked “TCP Spurious Retransmission” on the physical adapter(s) that substitute their own MAC in place of the virtual adapter’s. Network load balancing does not come free.
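To run the display filters from exercises 1 and 2 against a saved capture and check the adapter and MAC observations from exercises 3 to 5 without the GUI, here is an added PowerShell example (not code from the original article). It assumes the default Wireshark install path, the capture file location from the TShark section, and the addresses used in the exercises; tshark's -r, -Y, -T fields, -E and -e options are real.

```powershell
# Added example, not from the original article: apply the article's display
# filters to a saved capture with tshark and summarise adapter and MAC usage.
$tshark = 'C:\Program Files\Wireshark\tshark.exe'

function Get-AuthTrafficFilter {
    param([string] $ExcludeAddress)
    # Exercise 1: every TCP port a domain controller uses for authentication traffic.
    $ports = 88, 389, 636, 3268, 3269
    $portFilter = ($ports | ForEach-Object { "tcp.port == $_" }) -join ' or '
    if ($ExcludeAddress) {
        # Exercise 2. ip.addr occurs twice per frame (source and destination). Wireshark
        # older than 3.6 read "ip.addr != X" as "either address differs from X", which
        # excluded almost nothing; "!(ip.addr == X)" means the same thing in every version.
        return "!(ip.addr == $ExcludeAddress) and ($portFilter)"
    }
    return $portFilter
}

function Get-CaptureFields {
    param([string] $Path, [string] $DisplayFilter)
    # -T fields with -E header=y produces CSV; occurrence=f keeps the first value when a
    # field appears more than once in a frame (for example tunnelled traffic).
    & $tshark -r $Path -Y $DisplayFilter -T fields `
        -E header=y -E separator=, -E occurrence=f `
        -e frame.interface_description -e eth.src -e ip.src -e ip.dst -e tcp.dstport |
        ConvertFrom-Csv
}

$capture = "$env:USERPROFILE\Documents\cap.pcapng"   # file written in "TShark Fundamentals"
$filter  = Get-AuthTrafficFilter -ExcludeAddress '192.168.5.2'
$frames  = Get-CaptureFields -Path $capture -DisplayFilter $filter

# Exercises 3 to 5: for each source IP, which physical adapter(s) carried it and which
# source MAC(s) appeared. Several MACs for one VM IP is the switch substituting a team
# member's MAC (exercise 4), not a second adapter.
$frames | Group-Object 'ip.src' | ForEach-Object {
    [pscustomobject]@{
        SourceIP   = $_.Name
        Adapters   = ($_.Group.'frame.interface_description' | Sort-Object -Unique) -join '; '
        SourceMACs = ($_.Group.'eth.src' | Sort-Object -Unique) -join '; '
        Frames     = $_.Count
    }
} | Format-Table -AutoSize
```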

Expand on these Lessons

This article only scratched the surface of Wireshark’s capabilities. Most importantly, it empowers you to see below the layer 3 and higher pieces that the virtual adapters deliver into the guest operating systems. You can now see the data that enters and leaves your virtual switch and use that knowledge to find the truth behind those vague “it must be something wrong with the network” excuses.

Improvements for SDN in Windows Server 2019 with WAC 1808
https://www.altaro.com/hyper-v/sdn-windows-server-wac-1808/
Fri, 25 Mar 2022 11:26:04 +0000

This article explains the basics of Software-Defined Networking and the SDN improvements in Windows Server 2019 and 2022.

The post Improvements for SDN in Windows Server 2019 with WAC 1808 appeared first on Altaro DOJO | Hyper-V.


In Windows Server 2012, Microsoft released the first version of SDN (Software Defined Networking) to address the challenges with non-centralized infrastructure management. This was based on their own interpretation of a standard protocol, NVGRE. Later, in Windows Server 2016, they introduced SDNv2, which was inspired by Azure and based on VMware’s VXLAN protocol.

This article will walk you through SDN and improvements in Windows Server 2019 and 2022, as it’s still part of Windows Server.

What is Software-Defined Networking (SDN)?

The goal of SDN, in general, is to provide you with a method and UI to centrally configure and manage physical and virtual devices in your data center, including compute, routers, switches, gateways, etc. That helps to reduce overall infrastructure costs. Isn’t that what we all are looking for?

If you’re an old hand at networking, you might bring up VLANs; after all, that’s how we’ve been dividing up networks on-premises for 20+ years. VLANs don’t work well in today’s software-defined world: each physical switch needs to be configured whenever you add or change one. The benefit of SDN is that it’s all handled in software, making reconfiguration quick and easy.

When it comes to Microsoft SDN, you can control the following networking components: virtual switching and routing, firewalling with micro-segmentation, third-party appliances, and load balancing. One common question is whether Microsoft SDN works on top of the existing network infrastructure. It does. Every application has a different set of resource requirements and intertwined network dependencies. With SDN, we can reduce the complexity by creating a virtualization layer on top of the physical network. This makes your applications run more reliably and more securely.

The release of SDNv2 in Windows Server 2016 was a huge step, but it wasn’t easy to configure and manage. You could deploy and manage SDN using PowerShell (the SDN Express PowerShell module) or System Center Virtual Machine Manager (SCVMM). If you ever installed and configured Microsoft SDN, you know it provides value to your data center, but it is challenging to work with. And Microsoft was aware of that.

Figure: Windows Server 2016 SDN Stack

What’s New in Windows Server 2019 and 2022 SDN

Things got better in Windows Server 2019. Microsoft improved SDN by releasing a new UI and supporting Windows Admin Center. Windows Admin Center is one of the most important and powerful tools in a system administrator’s toolbox. We at Altaro Software published an eBook about Windows Admin Center; you can download your free copy: How to Get the Most Out of Windows Admin Center.

Besides the Windows Admin Center support, Microsoft implemented a few other features into Windows Server 2019 and 2022. That includes the following:

Encrypted networks provide network traffic encryption between virtual machines that communicate within the same subnets. Furthermore, it utilizes DTLS (Datagram Transport Layer Security) to protect against malicious access.

Virtual network peering supports peering two virtual networks together. In other words, two connected virtual networks appear as one network.

Firewall auditing allows recording processed flows within the SDN infrastructure. You need to enable it.

Egress metering lets you keep an eye on usage meters for outbound data transfers.

High-performance gateways. In Windows Server 2016 the single-connection throughput for IPsec was about 300 Mbps and for GRE about 2.5 Gbps. In Windows Server 2019 and 2022 these increase to 1.8 Gbps and 15 Gbps respectively. See Microsoft’s documentation for details on how to enable it.

How to Deploy Microsoft SDN

To deploy Microsoft SDN, you need Windows Server 2016, 2019, or 2022 Datacenter edition. Windows Server Standard is not supported.

You don’t install it using standard procedure via Server Manager (installing roles or features). You execute the script and then configure it using Windows Admin Center or System Center Virtual Machine Manager (VMM). The procedure is equally applicable to Windows Server 2016, Windows Server 2019, Windows Server 2022, and Azure Stack HCI, versions 21H2 and 20H2.

There are two steps involved, planning and deploying. Let’s see what’s involved in each of them.

Step 1: Plan a Microsoft SDN infrastructure

In the first part, you need to plan SDN infrastructure properly. That includes preparing your data center, your compute resources, planning for physical and logical network configuration, network hardware, routing, gateways, etc. There is a huge list of preparation tasks you need to do. We’ll give just a brief overview and guide you through the Microsoft documentation.

Firstly you must perform some prerequisite configuration steps in your network. That includes the following:

    • Allocate a block of static IP addresses from your management subnet for each Network Controller, Mux, and Gateway VM to be created.
    • Allocate a subnet and VLAN for Hyper-V Network Virtualization Provider Addresses (HNV PA).
    • Allocate a set of subnets for private, public, and GRE VIPs. Do not configure these on a VLAN; instead, let SDN advertise them through BGP.
    • Configure the HNV PA network’s routers for BGP, with a 16-bit ASN for the router and one for SDN. SDN should peer with the loopback address of each router.

Physical switch configuration examples are available on Github.

You also need to provide the following:

    • A set of Hyper-V hosts configured with a virtual switch.
    • A virtual hard disk containing Windows Server 2016, 2019, or 2022 Datacenter edition.
    • An Active Directory domain to join and credentials with Domain join permission.
    • Domain credentials with DNS update and host administrator privileges.

The Hyper-V hosts should have at least a 4-core 2.66 GHz CPU, 32 GB of RAM, 300 GB of disk space, and a 1 Gb/s (or faster) physical network adapter. They need to run an appropriate operating system with a virtual switch and at least one physical network card connected to the management network. You can use any storage type (local or shared).
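An added PowerShell check (not from the original article or from Microsoft’s SDN Express scripts) that tests one Hyper-V host against the requirements just listed. The thresholds are the article’s; the host is assumed to have the Hyper-V, NetAdapter and Storage modules available, and CPU clock speed is not checked.

```powershell
# Added example, not from the original article: report PASS/FAIL for each SDN
# host prerequisite named in the text. Run locally on the host or via Invoke-Command.
function Test-SdnHostPrerequisites {
    $os   = Get-CimInstance Win32_OperatingSystem
    $cs   = Get-CimInstance Win32_ComputerSystem
    $cpus = Get-CimInstance Win32_Processor

    $cores = ($cpus | Measure-Object NumberOfCores -Sum).Sum
    $ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB)

    # Largest fixed volume with a drive letter; the article gives one 300 GB figure,
    # not a per-volume layout, so the biggest volume is the reasonable comparison.
    $diskGB = (Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } |
               Measure-Object Size -Maximum).Maximum / 1GB

    # Fastest connected physical adapter. Speed is in bits per second (LinkSpeed is the
    # human-readable string such as "10 Gbps").
    $nicBps = (Get-NetAdapter -Physical | Where-Object Status -eq 'Up' |
               Measure-Object Speed -Maximum).Maximum

    # Any existing virtual switch satisfies "configured with a virtual switch".
    $switches = @(Get-VMSwitch -ErrorAction SilentlyContinue)

    $checks = [ordered]@{
        'Datacenter edition'             = $os.Caption -match 'Datacenter'
        'At least 4 CPU cores'           = $cores -ge 4
        'At least 32 GB RAM'             = $ramGB -ge 32
        'At least 300 GB disk'           = $diskGB -ge 300
        'Physical NIC 1 Gb/s or faster'  = $nicBps -ge 1e9
        'Hyper-V virtual switch present' = $switches.Count -gt 0
        'Domain joined'                  = $cs.PartOfDomain
    }

    foreach ($name in $checks.Keys) {
        $result = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{ Check = $name; Result = $result }
    }
}

Test-SdnHostPrerequisites | Format-Table -AutoSize
```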

SDN consists of a few components: network controller, Software Load Balancer (SLB)/multiplexer (MUX), RAS gateway, and BGP. Each of them runs as a VM and needs the following resources.

 

Role | vCPU requirements | Memory requirements | Disk requirements
Network Controller (three nodes) | 4 vCPUs | 4 GB minimum (8 GB recommended) | 75 GB for operating system drive
SLB/MUX (three nodes) | 8 vCPUs | 8 GB recommended | 75 GB for operating system drive
RAS Gateway (single pool of three gateway nodes, two active, one passive) | 8 vCPUs | 8 GB recommended | 75 GB for operating system drive
RAS Gateway BGP router for SLB/MUX peering (alternatively use ToR switch as BGP router) | 2 vCPUs | 2 GB | 75 GB for operating system drive

 

If you want to use System Center Virtual Machine Manager (VMM), you need to create and assign resources to that dedicated VM. You can read the details in Microsoft’s documentation.

As already mentioned, there is a huge list of preparation tasks you need to consider. I would recommend you check the details in official Microsoft documentation.

Step 2: Deploy an SDN Infrastructure

Once you are ready, you can proceed with the second step and deploy an SDN. The initial method presented in Windows Server 2016, which still works in the newer versions, is to use scripts. You can download the scripts from Microsoft’s GitHub. You don’t have to deploy all SDN components. The script supports phased deployment, which means you can deploy a single component (e.g., Network Controller). Once you run SDNExpress.ps1, it will guide you the rest of the way.

Figure: SDN Express deployment wizard

The actual deployment takes 30 to 60 minutes depending on the performance of your system and network. Once your SDN is ready, you can configure and manage it using Windows Admin Center or System Center Virtual Machine Manager (VMM). Please note that a hyper-converged cluster is required to use the SDN extension for Windows Admin Center.

Figure: Windows Admin Center

Microsoft documented the complete procedure of configuring and managing SDN using Windows Admin Center.


I hope you enjoyed reading this article. I welcome you to visit my own blog TechwithJasmin.com, and I’m looking forward to connecting with you via LinkedIn.

Note: To be able to create this article, I ran my workloads on a powerful mini PC, an Intel NUC with a latest-generation i7 CPU, 64 GB DDR4 RAM and a 256 M.2 SSD. Intel® NUC Mini PCs are fully complete and ready to work out of the box. You can learn more here: Intel® NUC Products.

How to Use Virtual Private Networks (VPNs) on Azure
https://www.altaro.com/hyper-v/virtual-private-networks-azure/
Fri, 14 Jan 2022 11:02:13 +0000

Everything you need to know about VPNs on Azure - Virtual WAN, Virtual Network Gateway, Network Virtual Appliance, deployment, configuration, and more!

The post How to Use Virtual Private Networks (VPNs) on Azure appeared first on Altaro DOJO | Hyper-V.


In this article, we’re going to look at Virtual Private Networks in Azure and how you can use them. As you may know, a Virtual Private Network or VPN is an encrypted tunnel over the Internet or other shared networks, for example, a telco provider network.

VPNs use different technologies to encrypt the traffic, the most common ones are IPSec and OpenVPN SSL.

VPNs can connect branches (“sites”) and/or client devices to a corporate network. Branch and site VPN connections are usually called Site-to-Site or S2S VPNs and are generally permanently connected. User and device VPN tunnels are called Point-to-Site or P2S VPNs; they are normally initiated by the user or automatically by an application and are disconnected once they are no longer in use.

In Azure, you can use both types of VPN, but the setup differs depending on the solution you choose.

Let us first explore the VPN Service and Device Options you have in Azure.

VPN Services and Devices

In Azure there are three different options to build VPNs:

    • Using Virtual Network Gateways
    • Using Azure Virtual WAN
    • Using Network Virtual Appliances

All of them are capable of both Point-to-Site and Site-to-Site connections but they have different infrastructures underneath each of them.

Virtual Network Gateway

Virtual Network Gateways are a classic approach, that many network architects are familiar with. You deploy one VPN Virtual Network Gateway Service within a Virtual Network. That service combines Point-to-Site and Site-to-Site Gateways and can be deployed in different sizes.

Here’s a list of different VPN Gateway SKUs:

| VPN Gateway Generation | SKU | S2S/VNet-to-VNet Tunnels | P2S SSTP Connections | P2S IKEv2/OpenVPN Connections | Aggregate Throughput Benchmark | BGP | Zone-redundant |
|---|---|---|---|---|---|---|---|
| Generation1 | Basic | Max. 10 | Max. 128 | Not Supported | 100 Mbps | Not Supported | No |
| Generation1 | VpnGw1 | Max. 30* | Max. 128 | Max. 250 | 650 Mbps | Supported | No |
| Generation1 | VpnGw2 | Max. 30* | Max. 128 | Max. 500 | 1 Gbps | Supported | No |
| Generation1 | VpnGw3 | Max. 30* | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | No |
| Generation1 | VpnGw1AZ | Max. 30* | Max. 128 | Max. 250 | 650 Mbps | Supported | Yes |
| Generation1 | VpnGw2AZ | Max. 30* | Max. 128 | Max. 500 | 1 Gbps | Supported | Yes |
| Generation1 | VpnGw3AZ | Max. 30* | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | Yes |
| Generation2 | VpnGw2 | Max. 30* | Max. 128 | Max. 500 | 1.25 Gbps | Supported | No |
| Generation2 | VpnGw3 | Max. 30* | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | No |
| Generation2 | VpnGw4 | Max. 30* | Max. 128 | Max. 5000 | 5 Gbps | Supported | No |
| Generation2 | VpnGw5 | Max. 30* | Max. 128 | Max. 10000 | 10 Gbps | Supported | No |
| Generation2 | VpnGw2AZ | Max. 30* | Max. 128 | Max. 500 | 1.25 Gbps | Supported | Yes |
| Generation2 | VpnGw3AZ | Max. 30* | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | Yes |
| Generation2 | VpnGw4AZ | Max. 30* | Max. 128 | Max. 5000 | 5 Gbps | Supported | Yes |
| Generation2 | VpnGw5AZ | Max. 30* | Max. 128 | Max. 10000 | 10 Gbps | Supported | Yes |

As you can see, picking the right size depends on several factors, including the expected number of connected users/sites and the aggregate bandwidth of your internet connections.

Depending on the SKU, gateways are deployed with different sets of features. Normally Virtual Network Gateways are deployed in a pair, in an active/standby configuration without using Availability Zones in Azure. To use Availability Zones, you need to use a SKU with AZ at the end. If you want to switch from one SKU to another, that will require a 45-minute downtime. A switch from non-Availability Zone to Availability Zone will require a complete redeployment of the Virtual Network Gateway, which can take up to 2 hours.

Azure Virtual Network Gateway supports the following encryption standards for Site-to-Site tunnels.

IPsec/IKE policy for S2S VPN & VNet-to-VNet connections: PowerShell – Azure VPN Gateway | Microsoft Docs

If you want to use Point-to-Site, the gateway supports OpenVPN (SSL/TLS-based), Secure Socket Tunneling Protocol (SSTP) or IKEv2 VPN; more information is available here:

About Azure Point-to-Site VPN connections – Azure VPN Gateway | Microsoft Docs

Azure Virtual Network Gateways are a traditional and proven way to deploy VPN solutions in Azure, but they are not as flexible as the other options.

Virtual WAN

In comparison to Azure Virtual Network Gateways, Virtual WAN Gateways work differently. The first major difference is that Virtual WAN makes a distinction between Point-to-Site Gateways and Site-to-Site Gateways. While in Azure Virtual Network Gateways both Gateways are one service, in Virtual WAN you have different Gateways for each use case.

Virtual WAN

Another major difference is that Azure Virtual WAN Gateways are deployed in scale units. These units can be scaled up and down on-demand, without any service interruption.

Edit VPN Gateway

Another great feature is that Virtual WAN Network Gateways are always deployed as highly available as possible. These Gateways are deployed in Virtual Machine Scale Sets and, by default, in Availability Zones if the Azure Region supports them. If an Azure Region does not yet support Availability Zones, the gateways are deployed in Availability Sets, and as soon as the region supports Availability Zones, the backend is updated automatically.

Azure Virtual WAN Site-to-Site Gateways support the following IPsec encryption standards.

Virtual WAN Site-to-site IPsec policies – Azure Virtual WAN | Microsoft Docs

Virtual WAN Site-to-Site Gateway can scale up to 20 Gbps throughput and 1.25 Gbps encryption capacity per VPN tunnel.

Point-to-Site Virtual WAN Gateways support IPSec and OpenVPN as listed below.

Virtual WAN Point-to-site IPsec policies – Azure Virtual WAN | Microsoft Docs

You can have up to 200 scale units supporting 100,000 clients. The payment model for Virtual WAN Point-to-Site clients is by connected users per minute, so it is completely pay-as-you-go per connected user, plus the number of Gateway Scale Units.

With Virtual WAN, there is another very important point: routing between Site-to-Site VPN, Point-to-Site VPN and ExpressRoute Gateways is enabled by default, without any additional effort by the customer. You can get more details via the link below.

Architecture: Global transit network architecture – Azure Virtual WAN | Microsoft Docs

Network Virtual Appliances

Network Virtual Appliances are Virtual Machines running in a classical Virtual Network or Azure Virtual WAN. Those Appliances are third party and are available via the Microsoft Azure Marketplace.

Azure Virtual WAN: About Network Virtual Appliance in the hub | Microsoft Docs

Deploy highly available NVAs – Azure Architecture Center | Microsoft Docs

Those appliances are harder to integrate and make highly available. The configuration is completely the responsibility of the customer, but for certain scenarios, they can offer major benefits for customers. One major selling point is if your organization has already standardized on a particular vendor/appliance, using the same one in Azure will ensure consistency and lower the learning curve for your network engineers.

Those appliances mostly support additional features like Quality of Service, special encryption protocols or VPN client tunnel optimization. For example, Barracuda Networks uses its own VPN tunnel and encryption protocol, TINA, between its appliances and devices.

TINA VPN Tunnels | Barracuda Campus

Then there are appliance partners who offer great VPN clients with additional features like filtering, split tunnelling by service or traffic optimization. Examples are Palo Alto Global Protect or FortiGate FortiClient.

GlobalProtect App for Windows (paloaltonetworks.com)

Product Downloads | Fortinet Product Downloads | Support

Those appliances are much harder to integrate into a classic hub and spoke environment; with Virtual WAN, the deployment process is more automated. If you use those NVAs, you also have additional license costs for the appliances, which must be paid to the OEM.

As already mentioned, feature sets of those Network Virtual Appliances are often much richer than with bare Azure Virtual Network Gateways and Virtual WAN Gateways.

How to Deploy a VPN

Let me guide you on how to deploy a VPN Tunnel with the different service offerings. As the nature of the three solutions is completely different, I will split them up into three separate parts.

Virtual Network Gateway

As there is already a lot of deployment documentation out there, I will not create a new one. Let me just point you to the right resources, so that you can start and deploy according to Microsoft best practices.

Tutorial – Create and manage a VPN gateway: Azure portal – Azure VPN Gateway | Microsoft Docs

Tutorial – Connect on-premises network to virtual network: Azure portal – Azure VPN Gateway | Microsoft Docs

Configure an Always-On VPN user tunnel – Azure VPN Gateway | Microsoft Docs

Configure an Always-On VPN tunnel – Azure VPN Gateway | Microsoft Docs

Additional documentation is available here.

VPN Gateway documentation | Microsoft Docs
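As an added example (not from the article and not Microsoft's own documentation), the following Az PowerShell script deploys a zone-redundant VpnGw1AZ gateway with a Site-to-Site connection that pins an explicit IPsec/IKE policy rather than accepting whatever the peer negotiates from the default set. The resource group, region, hub VNet, peer IP, address ranges and resource names are assumptions.

```powershell
# Added example, not from the article or Microsoft docs. Requires the Az.Network
# module and an authenticated session (Connect-AzAccount). Every name, range and
# IP below is an assumption; replace them with your own values.

$rg             = "rg-hub-vpn"       # assumed resource group
$location       = "westeurope"       # assumed region with Availability Zones
$vnetName       = "vnet-hub"         # assumed hub VNet that already has a GatewaySubnet
$peerIp         = "203.0.113.10"     # assumed on-premises VPN device IP (TEST-NET-3 range)
$onPremPrefixes = @("10.10.0.0/16")  # assumed on-premises address space

# 1. AZ SKUs require a Standard SKU, static, zone-redundant public IP.
$pip = New-AzPublicIpAddress -Name "pip-vpngw-hub" -ResourceGroupName $rg `
    -Location $location -AllocationMethod Static -Sku Standard -Zone 1,2,3

# 2. Gateway IP configuration bound to the hub VNet's GatewaySubnet.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconfig" `
    -SubnetId $subnet.Id -PublicIpAddressId $pip.Id

# 3. The gateway: VpnGw1AZ is 650 Mbps, BGP capable and zone-redundant per the SKU
#    table. Creation alone can take 30-45 minutes.
$gw = New-AzVirtualNetworkGateway -Name "vpngw-hub" -ResourceGroupName $rg `
    -Location $location -IpConfigurations $ipconf -GatewayType Vpn `
    -VpnType RouteBased -GatewaySku VpnGw1AZ -VpnGatewayGeneration Generation1

# 4. Local network gateway = the on-premises side (peer IP plus its prefixes).
$lng = New-AzLocalNetworkGateway -Name "lng-branch01" -ResourceGroupName $rg `
    -Location $location -GatewayIpAddress $peerIp -AddressPrefix $onPremPrefixes

# 5. Explicit IPsec/IKE policy. The branch device must be configured identically;
#    pinning AES-256-GCM with SHA-384 and DH group 24 prevents silently landing on
#    the weakest suite both ends happen to share.
$ipsecPolicy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 `
    -DhGroup DHGroup24 -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 `
    -PfsGroup PFS24 -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# 6. Pre-shared key from a cryptographic RNG (64 hex characters). Never hard-code
#    it in scripts; pass it to the branch device out of band and rotate it by
#    re-running this step on both sides.
$keyBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)
$psk = ($keyBytes | ForEach-Object { $_.ToString("x2") }) -join ""

# 7. The Site-to-Site connection using IKEv2 and the pinned policy.
$conn = New-AzVirtualNetworkGatewayConnection -Name "cn-branch01" -ResourceGroupName $rg `
    -Location $location -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -ConnectionProtocol IKEv2 -SharedKey $psk `
    -IpsecPolicies $ipsecPolicy -UsePolicyBasedTrafficSelectors $false

# 8. Check: the tunnel should show Connected once the branch side is configured.
#    NotConnected with zero bytes in both directions usually means a policy or
#    key mismatch, which is the first thing to verify before deeper troubleshooting.
Get-AzVirtualNetworkGatewayConnection -Name "cn-branch01" -ResourceGroupName $rg |
    Select-Object Name, ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred
```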

Virtual WAN

With Virtual WAN, you also have a bunch of great documentation which goes into more detail. You can find the necessary documentation linked below.

Tutorial: Use Azure Virtual WAN to Create Site-to-Site connections | Microsoft Docs

Tutorial: Use Azure Virtual WAN to create a Point-to-Site connection to Azure | Microsoft Docs

Additional configurations for Point-to-Site in Virtual WAN can be found here.

Configure a P2S User VPN connection using Azure Active Directory authentication – Azure Virtual WAN | Microsoft Docs

Azure AD tenant for User VPN connections: Azure AD authentication – Azure Virtual WAN | Microsoft Docs

Configure an Always-On VPN user tunnel – Azure Virtual WAN | Microsoft Docs

Configure an Always-On VPN tunnel – Azure Virtual WAN | Microsoft Docs

I would also encourage you to take an additional look at the guides already available here on the DOJO.

What is Azure Virtual WAN? (altaro.com)

Azure Virtual WAN vs. Azure Route Server (altaro.com)

Deploy Azure virtual WAN in 2,5 Hours (altaro.com)

How to configure Azure virtual WAN VPN Site-2-Site with unmanaged VPN device (altaro.com)

As an additional option, you can pick a Network Virtual Appliance, if the appliance of your choice is available in Virtual WAN. I would encourage you to make use of the more PaaS-like approach of Azure Virtual WAN.

Azure Virtual WAN: Create a Network Virtual Appliance (NVA) in the hub | Microsoft Docs


Network Virtual Appliance

The deployment of VPN connections with Network Virtual Appliances is pretty diverse and depends on the vendor itself. Before I point you to some example documentation, start with the documentation on how to deploy NVAs.

This documentation describes how to deploy an NVA in Azure.

Deploy highly available NVAs – Azure Architecture Center | Microsoft Docs

You should follow that guide to ensure that the NVA is deployed according to supported standards. As there are a lot of partners out there, please contact the vendor of your choice to get additional guidance.

Palo Alto

The first vendor with very good documentation on the deployment is Palo Alto. You can find their guides below.

Site-to-Site VPN – Set Up Site-to-Site VPN (paloaltonetworks.com)

Point-to-Site VPN – GlobalProtect (paloaltonetworks.com)

FortiNet

Another good NVA partner is FortiNet. You can find their docs below.

Site-to-Site VPN – Administration Guide | FortiGate / FortiOS 7.0.1 | Fortinet Documentation Library

Point-to-Site VPN – Administration Guide | FortiGate / FortiOS 7.0.1 | Fortinet Documentation Library

Barracuda Networks

Barracuda is not that common among enterprise customers in Europe but offers a great portfolio of features including their own tunnelling protocol. Please find their docs below.

Site-to-Site VPN – Site-to-Site VPN | Barracuda Campus

Point-to-Site VPN – Client-to-Site VPN | Barracuda Campus

Troubleshooting Azure VPN

Within the Troubleshooting part, I will only concentrate on the troubleshooting guides for Azure Services, as the troubleshooting on NVA is extremely specific to the vendor.

For Azure Virtual Network Gateways, there are two good troubleshooting guides available in Microsoft’s Documentation.

One focuses on connections to Azure Virtual Network Gateways dropping or being unable to connect.

Troubleshoot an Azure site-to-site VPN connection that cannot connect – Azure VPN Gateway | Microsoft Docs

The other guide looks into the stability issues of a VPN tunnel.

Troubleshoot Azure Site-to-Site VPN disconnects intermittently – Azure VPN Gateway | Microsoft Docs

Troubleshooting Azure Virtual WAN is more difficult, as you may not have access to the monitoring and troubleshooting logs. So, if you need deeper troubleshooting, it makes sense to engage with Microsoft Support. In any case, you should have good monitoring in place according to the documentation.

Monitoring Azure Virtual WAN | Microsoft Docs

Monitoring Virtual WAN using Azure Monitor Insights | Microsoft Docs

VPN Compared to other Microsoft Solutions

Sometimes Customers can confuse Azure VPN with other services available. Most commonly customers confuse Virtual Network Peering and Azure ExpressRoute with VPN Solutions.

Virtual Network Peering

Azure Virtual Network Peering is “only” a peering connection via the Microsoft Global Network between two Virtual Networks in Azure. It uses Software Defined Network technologies to connect the two networks and there is no Virtual Gateway necessary to do so. Virtual Network Peering is only used for interconnecting Virtual Networks within Azure and there is no option to use Virtual Network Peering to connect to the world outside of Microsoft Azure.

To learn more about peering, please visit the documentation below.

Azure Virtual Network peering | Microsoft Docs

Azure ExpressRoute

Microsoft Azure ExpressRoute is, like VPN, a connection to networks outside of the Microsoft Global Network. It is built to connect customer networks with the Microsoft PaaS network via peering, or with the customer's private IaaS infrastructure using peering and private gateways.

The difference between Azure ExpressRoute and VPN is that ExpressRoute does not use internet connections or shared networks. With ExpressRoute you get a private end-to-end connection from your on-premises location to the Microsoft Global Network.

Those connections are more expensive but can offer more bandwidth or better Service Level Agreements, depending on your location and network service provider. ExpressRoute is not always better than VPN, always check your use case and your needs.

To be honest, Network Providers like to sell ExpressRoute due to better margins than with premium Internet connections. If you are interested in more information about that topic, you can visit some other articles here on the DOJO.

Microsoft Azure Peering Services Explained (altaro.com)

How to Use Azure ExpressRoute Global Reach to Interconnect Datacenters (altaro.com)

How to use Microsoft Global Network with Oracle, Google or AWS (altaro.com)

To learn more about Microsoft Azure ExpressRoute, you should also consult Microsoft Documentation on ExpressRoute.

ExpressRoute documentation | Microsoft Docs

Decision Tree

As is often the case with Microsoft’s service offerings, there are several ways to achieve the same goal; here’s a flowchart I use when talking to customers about this.

Microsoft customer flowchart

That chart should help, at least for the initial discussion and understanding, which solution is best for your situation.

Conclusion

The “right” solution depends on what you want to achieve with your architecture. Often, it’s a decision driven by costs and features. Please also take complexity and maybe newer security requirements and approaches into account.

For example, if you’re searching for RADIUS integration, and the only solution might be costly, maybe it’s better to reconsider the requirement and check if you can achieve the same security requirements with Azure Active Directory Authentication instead.

Enable MFA for VPN users: Azure AD authentication – Azure VPN Gateway | Microsoft Docs
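As an added example that is not part of the original article, this Az PowerShell snippet moves an existing gateway's Point-to-Site configuration to OpenVPN with Azure AD authentication, so that MFA is enforced by a Conditional Access policy on the Azure VPN enterprise application rather than by a RADIUS deployment. The gateway name, resource group, tenant ID and client address pool are placeholders and assumptions.

```powershell
# Added example, not from the article or Microsoft docs. Requires Az.Network and
# Connect-AzAccount. Names, the tenant ID and the client pool are assumptions.

$rg         = "rg-hub-vpn"                            # assumed resource group
$gwName     = "vpngw-hub"                             # assumed existing VPN gateway
$tenantId   = "00000000-0000-0000-0000-000000000000"  # placeholder: your Azure AD tenant ID
$clientPool = "172.16.201.0/24"                       # assumed pool; must not overlap any VNet or on-premises range

# Application (client) ID of Microsoft's "Azure VPN" enterprise application in the
# public cloud. An admin must consent to it in the tenant before the gateway can
# validate the tokens the VPN client presents.
$azureVpnAppId = "41b23e61-6c1e-4545-b367-cd054e0ed4b4"

$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg

# Guard: the Basic SKU has no OpenVPN support (see the SKU table), so Azure AD
# authentication cannot be enabled on it without resizing first.
if ($gw.Sku.Name -eq "Basic") {
    throw "Basic SKU does not support OpenVPN/Azure AD Point-to-Site; resize the gateway first."
}

# Switch P2S to OpenVPN + Azure AD. The tenant, audience and issuer triple is what
# the gateway checks in every client token; MFA itself is enforced by a Conditional
# Access policy that targets the Azure VPN application, not by this script.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool $clientPool `
    -VpnClientProtocol OpenVPN `
    -VpnAuthenticationType AAD `
    -AadTenantUri  "https://login.microsoftonline.com/$tenantId" `
    -AadAudienceId $azureVpnAppId `
    -AadIssuerUri  "https://sts.windows.net/$tenantId/"

# Verify what the gateway now advertises before distributing the client profile.
$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
$gw.VpnClientConfiguration |
    Select-Object VpnClientProtocols, VpnAuthenticationTypes, AadTenant, AadAudience, AadIssuer

# The profile package (a short-lived SAS URL) for the Azure VPN Client.
$profile = Get-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gwName
$profile.VpnProfileSASUrl
```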

Try to stay open-minded and don’t do things just because that’s how they’ve been done for years. Always re-examine requirements against our changing IT world.

The Microsoft Azure Network Partner Ecosystem Explained https://www.altaro.com/hyper-v/network-virtual-appliance/ https://www.altaro.com/hyper-v/network-virtual-appliance/#respond Fri, 03 Dec 2021 12:28:57 +0000 https://www.altaro.com/hyper-v/?p=23408 Learn the differences between Network Virtual Appliances in Virtual Networks, Azure Virtual WAN and Azure Firewall Network Security Providers

The post The Microsoft Azure Network Partner Ecosystem Explained appeared first on Altaro DOJO | Hyper-V.


The purpose of this blog post is to help build some clarification around Microsoft Network Virtual Appliances and other Network Security Partners.

If you are working with the Partner Ecosystem of Microsoft, especially around Network Virtual Appliances and Security Partners, you will often see the same names for different solutions.

That can be very confusing. Today, I want to help you understand the different solutions and partners.

We will speak about the following Partner Solutions:

    • Customer Managed Network Virtual Appliances in Virtual Networks
    • Network Virtual Appliances with Azure Virtual WAN
    • Azure Firewall Network Security Providers
    • Other Partner Solutions

Customer Managed Network Virtual Appliances

A customer-managed Network Virtual Appliance is traditionally deployed into a classic hub and spoke environment. They are available and deployed from the Azure Marketplace, as shown in the example below.

Azure Marketplace

 

These appliances are deployed in different deployment models like active/standby, active/active, or a single Virtual Machine. They are mostly deployed through templates or deployment guides from the vendors.

Microsoft therefore documents the different deployment options, linked below.

Deploy highly available NVAs – Azure Architecture Center | Microsoft Docs

Not every Vendor supports every deployment and high availability model. So, you need to check the provided template or have a discussion with your Network Virtual Appliance Vendor.

Most customers are using Network Virtual Appliances for the following use cases:

    • As routers between Virtual Networks in a Hub and Spoke environment
    • As an Internal and/or Internet Facing Firewall, Web Application Firewall, Load Balancer or Reverse Proxy
    • SDWAN or VPN Device

As with every Infrastructure Virtual Machine Service, these Appliances have their upsides and downsides.

Upsides are:

    • A large offering of Network Virtual Appliances and Partners within the Azure Marketplace
    • Relatively easy onboarding for Partners into the Marketplace
    • No special support agreements needed with Microsoft

Downsides:

    • Totally customer-managed: the customer needs to configure routing and high availability on their own
    • A lot of room for configuration mistakes on the customer’s side
    • Hard to support when having any issue, as there are always three parties involved (Microsoft Support, Vendor Support and the customer), and often an additional configuration or managed service partner

Network Virtual Appliances are a very common and proven solution but not cloud-native. Most of these appliances are also only migrated into a Virtual Machine Image without additional changes to integrate with cloud services backends.

For example, most appliances in Azure are not able to leverage Accelerated Networking, which can boost Virtual Machine network performance up to 20 GbE per NIC.

Create an Azure VM with Accelerated Networking using Azure CLI | Microsoft Docs

Some of them are not even able to provide proper high availability, as they need either a Layer 2 link to their cluster peer or broadcast traffic. Neither option is possible within the Azure Software Defined Network.

They are still very flexible, but you should choose wisely which vendor you use, as most of the traditional network vendors were not able to cross the BRIDGE to the cloud age. Some of them even hit the cloud solution WALL harder than Sonic the Hedgehog hits Dr Eggman’s robots.

Network Virtual Appliances with Azure Virtual WAN

Within Virtual WAN, Network Virtual Appliances and Partners can become a bit more confusing. With Virtual WAN you have two kinds of partners: Managed CPE Partners and Azure Virtual WAN integrated Network Virtual Appliances.

I will explain both within the next part of the post.

Azure Virtual WAN managed CPE Partners

Together with these partners, Azure Virtual WAN provides optimized and automated branch-to-branch connectivity through the Microsoft Global Network. With Azure Virtual WAN, managed CPEs (customer-premises equipment) can be configured to automatically connect and build a network to and through Azure Virtual WAN. Configuration can be done either manually or automatically through the appliances or the vendor’s out-of-band management, like Palo Alto Panorama or FortiNet FortiManager. As soon as these devices are connected and automated, customers no longer need to update, add, or delete routes manually. These routes are updated for all branch devices and Network Virtual Appliances through the out-of-band management and Azure Virtual WAN.

Let me visualize the relationship in the schematic drawing below.

Azure Virtual WAN

As you can see in the schema, a managed CPE is not running directly on Azure; instead, the vendor of the CPE has built a solution together with Microsoft to provide a hybrid Network as a Service, based on on-premises hardware or virtual appliances combined with Azure Services.

To see a full list of partners, please see the documentation below.

Azure Virtual WAN partners and locations | Microsoft Docs

Virtual WAN Managed Network Virtual Appliance

Now to make it even more confusing, Microsoft is working with several Partners to provide their appliances as a managed infrastructure in Virtual WAN.

With these managed Network Virtual Appliances, Azure Virtual WAN can deploy them like its own managed services. This means they are deployed highly available as a Virtual Machine Scale Set and within Availability Zones, if available within the Azure Region.

These appliances are also integrated and peered with the Azure Virtual WAN Route Service, which makes static routing for branches obsolete and resolves the struggles around support and deployment you would have with classic Network Virtual Appliance deployments in Azure.

Azure Virtual WAN: About Network Virtual Appliance in the hub | Microsoft Docs

Depending on the partner, these appliances are deployed through a managed application from the Azure Marketplace or via a different image. Afterwards, the Network Virtual Appliances need to connect to an out of band management because customers cannot access the appliances themselves. Those appliances are deployed within a Microsoft managed subscription and secure environment. This environment is only made accessible for Microsoft Support during support cases.

Let me again try to visualize the deployment for you.

Azure Virtual WAN Deployment

In comparison to self-managed Network Virtual Appliances, where customers handle the conversation between Microsoft and the Network Virtual Appliance partner, with Virtual WAN integrated appliances Microsoft and the appliance partner join forces during the support case. They will fix the issue together, so the customer does not need to act as a proxy.

With that kind of deployment and the integrated support between Microsoft and the partner, these appliances become more or less a Platform Service, or Network Device as a Service.

Currently, Microsoft has agreements with three partners and more partners in the pipeline for the next twelve months. Keep an eye on the Ignite Announcements. 😊

Azure Virtual WAN partners and locations | Microsoft Docs

Azure Firewall Network Security Providers

Another confusion comes up if you want to use Azure Firewall together with a partner solution. In addition to Network Virtual Appliances, there are a few partners who offer extensions to Azure Firewall for additional security and cloud proxy capabilities.

These partners are called security partner providers. The three partners who are currently working with the Azure Firewall Team and providing their solutions are:

    • zScaler
    • CheckPoint
    • iBoss

What are Azure Firewall Manager security partner providers? | Microsoft Docs

If you deploy these Partner Solutions, they are deployed as managed services in the responsible Azure Region and will be managed by Azure. You can see that when adding these sites to zScaler management.

After the partner provider environment has been deployed in a secure Microsoft managed environment, Azure Firewall builds a tunnel to the managed service and changes the internal routing from Azure Firewall.

Those partner solutions are deployed as full software service solutions. They may also have a limited feature set compared to what you know from the non-integrated solution.

You can find some examples of how to deploy such a solution here.

Secure Azure virtual hubs using Check Point Cloudguard Connect | Microsoft Docs

Other Partner Solutions

In addition to Network Virtual Appliances and the Network Partner Solutions, you also have a lot of other Solutions from Partners available via the Microsoft Azure Marketplace.

As an example, I posted the offering in the screenshot below.

Network Virtual Appliances

There are also other offerings of Microsoft Partners, which are not directly visible with the Azure Marketplace but still are Partner Solutions for Azure Services or Hybrid Services like Azure Stack HCI. I linked the example for Altaro Backup below.

Utility applications for Azure Stack HCI – Azure Stack HCI | Microsoft Docs

As you can see Altaro is one of the preferred partners of Microsoft when it comes to backup and replication of Azure Stack HCI and Windows Server Hyper-V.

Closing Words

This article should give some clarification on the different Microsoft Appliance and Services Partner Solutions. To be honest, even within Microsoft, the different partners are often confused. If you would like me to clarify anything, drop me a message in the comments below!

Azure Virtual Network Manager: Next-Gen vNet Management https://www.altaro.com/hyper-v/azure-virtual-network-manager/ https://www.altaro.com/hyper-v/azure-virtual-network-manager/#respond Wed, 03 Nov 2021 09:59:13 +0000 https://www.altaro.com/hyper-v/?p=23587 Azure Virtual Network Manager (AVNM) is now in public preview. Learn what it is, how to use it, and what the future holds for vNets management

The post Azure Virtual Network Manager: Next-Gen vNet Management appeared first on Altaro DOJO | Hyper-V.


Something that Microsoft has always tried to do, and sometimes succeeded spectacularly well in (looking at you – Small Business Server 2011) and sometimes not so much (looking at you – Control Panel / Settings in Windows) is simplifying complex configuration and deployment steps to make it more approachable for a non-expert.

This is particularly evident in Azure networking. The basic building block is a virtual network (vNet) and larger deployments often opt for a hub-and-spoke model where the hub contains shared services, network connectivity to on-premises (Site to Site VPN or ExpressRoute), and firewall services. Add branch offices and their connectivity and you can see how this gets complex very quickly. A few years ago, you had to build such a deployment piece by piece, and then came Azure Virtual WAN (Azure VWAN) which lets you deploy a managed version of the above where Microsoft manages connectivity and security based on your configuration.

If you have a large number of vNets you still have to manage their connectivity and likely filter traffic using Network Security Groups (NSGs) manually, again configuring each piece as you go.

This changes with the recent release of Azure Virtual Network Manager (AVNM) to public preview. In this article, I’ll explain what AVNM is, what you can use it for today, how to configure it, and speculate about what features might be added as it matures during the public preview.

Network Manager UI

What is Azure Virtual Network Manager

Azure Virtual Network Manager (AVNM) lets you centrally manage routing, security policy, and connectivity globally across regions and subscriptions. It lets you define a scope for each AVNM which can be based on subscriptions or management groups and then you add vNets to an AVNM, either statically by assigning them or dynamically by defining conditions that will automatically include vNets in a network group. The conditions are name, ID, tags, subscription name/ID/tags, or Resource Group name/ID/tags with several operators to include exactly the vNets you want to add.

It’s also scalable: rather than having to establish peering between each of the vNets, you simply group them together and define the type of connectivity you want (mesh or hub-and-spoke) and AVNM takes care of it behind the scenes. Your network security team will also rejoice, because for the first time they can define global security rules that apply to all the resources in the AVNM scope, for instance a rule to block high-risk protocol ports from the internet, which is added to all the NSGs in scope and which resource owners can’t remove.

AVNM is a platform service, highly available and scalable with redundancy and replication across the globe. It enables centralized control across an entire enterprise Azure network deployment with monitoring (today you can view your topology end to end, flow logging between any source and destination is coming) and you can roll out changes to the configuration in a staged manner with the ability to “un-deploy” configuration changes if rollback is required.

Setting up Azure Virtual Network Manager

To test this out I searched for Network Managers in the Azure Portal and clicked +Create to make one.

Creating a new Network Manager

I scoped this one to a subscription but picking a management group instead is easy. You also need to choose which features the AVNM is going to support, Connectivity, SecurityAdmin rules, or both. That’s really all there is to creating one, the next step is defining a network group to include the vNets that you want to manage.

vNets

In my testing I included two vNets statically, but as mentioned the dynamic membership rules are going to be very useful in large environments. Remember, at this point the AVNM isn’t doing anything; it’s not until you define configurations and deploy them that anything changes, so including/excluding vNets is harmless.

Each AVNM can have multiple groups of vNets and you can have different configurations apply to different groups, furthermore, each vNet can be part of several AVNMs.

Adding vnets to a network group

Next comes creating configurations. Let’s start with a connectivity configuration, here you define the topology: Mesh where every vNet is connected to every other vNet, or Hub and Spoke where each vNet is connected to a central hub. Optionally you can pick for this mesh connectivity to extend across regions but as always be aware of potential egress network charges, depending on the amount of data that flows between resources in your vNets.

In the hub and spoke topology you can also optionally configure transitive connectivity so that each vNet is connected to every other one as well as to the hub. AVNM uses Azure vNet peering for the hub connectivity but connected group connectivity for the vNet-to-vNet connectivity. This is a new connectivity construct which, like peering, adds no extra hops in the traffic path; in fact, if you look in the effective routes section, ConnectedGroup is listed as the Next Hop Type.

Note that none of this gets around the basic premise of routing, none of the connected vNets in any connectivity type can have overlapping IP Subnets.

As a practical example, say you’ve got five Production vNets and five Test vNets connected to a hub, you could group the Production vNets together with Hub-And-Spoke and enable transitivity, while the group that contains the five Test vNets (for example dynamically based on a tag so that any new Test networks are automatically included in the group) doesn’t have transitivity enabled.

If you have existing vNets that you're importing into AVNM and they already have peering configured, you can optionally have AVNM override or delete the existing relationships to bring them under centralized management.

Connectivity Configurations

Adding a connectivity configuration


Next, you can create what's called a security admin configuration: a collection of rules that apply to the network groups in the AVNM. Each rule has a name and a priority between 0 and 99, where a lower number wins over a higher one. You also define the direction of the traffic (inbound/outbound), the protocol (TCP, UDP, ICMP, ESP, AH or Any), source/destination IPv4/IPv6 addresses (a single address, a list, or CIDR ranges), source/destination ports (single, lists, ranges) and source/destination type (IP address or service tag). The action for each rule can be Allow, Deny (block), or Always Allow, which lets the traffic through even if a local NSG or a less important (higher-numbered) security admin rule would block it. A plain Allow only passes the traffic on to the NSG, which can still deny it.
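To make that precedence concrete, here is an added PowerShell model of how one flow is checked first against the security admin rules and then against an NSG, following the semantics described above. It is example code, not part of the original post and not Azure's implementation; the rule sets, ports and the flow are constructed.

```powershell
# Added example, not from the original post: a model of the precedence described above.
# It is not Azure's implementation; rule sets and flows below are constructed.
function Test-RuleMatch {
    param($Rule, $Flow)
    return ($Rule.Direction -eq $Flow.Direction) -and
           ($Rule.Protocol -eq 'Any' -or $Rule.Protocol -eq $Flow.Protocol) -and
           ("$($Rule.Port)" -eq '*' -or [int]$Rule.Port -eq $Flow.Port)
}

function Get-TrafficDecision {
    param([object[]]$AdminRules, [object[]]$NsgRules, $Flow)
    # 1. Security admin rules, lowest priority number first; the first match decides
    foreach ($r in ($AdminRules | Sort-Object Priority)) {
        if (-not (Test-RuleMatch $r $Flow)) { continue }
        switch ($r.Action) {
            'Deny'        { return "Deny by admin rule '$($r.Name)'" }
            'AlwaysAllow' { return "Allow by admin rule '$($r.Name)' (NSG bypassed)" }
        }
        break   # 'Allow': leaves the admin layer but is still subject to the NSG
    }
    # 2. The NSG, again lowest priority number first
    foreach ($n in ($NsgRules | Sort-Object Priority)) {
        if (Test-RuleMatch $n $Flow) { return "$($n.Access) by NSG rule '$($n.Name)'" }
    }
    return 'Deny by NSG default rule'
}

$admin = @(   # constructed security admin rules
    [pscustomobject]@{ Name = 'BlockRDP';   Priority = 10; Direction = 'Inbound'; Protocol = 'TCP'; Port = 3389; Action = 'Deny' }
    [pscustomobject]@{ Name = 'AllowSOC';   Priority = 20; Direction = 'Inbound'; Protocol = 'TCP'; Port = 514;  Action = 'AlwaysAllow' }
    [pscustomobject]@{ Name = 'AllowHTTPS'; Priority = 30; Direction = 'Inbound'; Protocol = 'TCP'; Port = 443;  Action = 'Allow' }
)
$nsg = @(   # an application team's NSG that opens RDP and otherwise denies everything
    [pscustomobject]@{ Name = 'TeamRDP'; Priority = 100;  Direction = 'Inbound'; Protocol = 'TCP'; Port = 3389; Access = 'Allow' }
    [pscustomobject]@{ Name = 'DenyAll'; Priority = 4096; Direction = 'Inbound'; Protocol = 'Any'; Port = '*';  Access = 'Deny' }
)
foreach ($port in 3389, 514, 443) {
    $flow = [pscustomobject]@{ Direction = 'Inbound'; Protocol = 'TCP'; Port = $port }
    '{0,5}: {1}' -f $port, (Get-TrafficDecision -AdminRules $admin -NsgRules $nsg -Flow $flow)
}
```

Running it shows the three outcomes that matter in practice: 3389 is denied although the team's NSG allows it, 514 is allowed although the NSG would deny it (Always Allow bypasses the NSG), and 443 passes the admin layer only to be denied by the NSG's catch-all rule.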

Creating a security admin rule


Once you have created a connectivity or security admin configuration you need to deploy it, picking the configuration type and the target region(s).

Deploy a configuration


It can take 15-20 minutes to roll out a configuration to all the vNets in scope. Note that each deployment replaces the previous one: if you deployed configuration 1 yesterday and today you deploy configuration 2 without also selecting 1, configuration 1 is removed and replaced by 2. The same mechanism un-deploys or rolls back a configuration: select None as the configuration to deploy.

What Azure Virtual Network Manager Means for System Admins

AVNM is a crucial (and one might argue, well overdue) addition to Azure. It's fine to do most things manually in small test deployments and to scale up using ARM templates and automation as the number of networks and resources grows, but a centralized view and policy management has been lacking for large infrastructures. There are definitely some limitations in the preview, such as the lack of PowerShell/CLI support and cross-tenant support, the maximum number of security admin rules (100 per AVNM), the maximum number of IP prefixes (1000) across all security admin rules, 500 peering connections per vNet and 500 spokes for a single hub. I would assume most of these will be addressed during the preview or shortly thereafter. Regardless, I think AVNM is going to be the best way to build new enterprise Azure deployments going forward. It'll also be interesting to see how easy it'll be to "upgrade" existing deployments into AVNM.

The post Azure Virtual Network Manager: Next-Gen vNet Management appeared first on Altaro DOJO | Hyper-V.

Migrating to Azure Virtual WAN – The Optimal Process Explained https://www.altaro.com/hyper-v/migrating-azure-virtual-wan/ https://www.altaro.com/hyper-v/migrating-azure-virtual-wan/#respond Fri, 01 Oct 2021 07:24:30 +0000 https://www.altaro.com/hyper-v/?p=23357 Real-world Azure Virtual WAN migrations and advice, dos and don’ts, mitigating downtimes, and useful interim solutions for IT admins

The post Migrating to Azure Virtual WAN – The Optimal Process Explained appeared first on Altaro DOJO | Hyper-V.


Microsoft already provides a good guide on how to migrate to Azure Virtual WAN. However, there are several frequently asked questions it doesn't cover whose answers streamline the migration process and save you a few headaches along the way. This article focuses on real-world migrations and advice covering:

    • Dos and don’ts
    • Mitigating downtimes
    • Interim solutions

Getting Started with Azure Virtual WAN

Normally you are coming from a hub and spoke architecture with a shared services hub. Microsoft describes that architecture in the Azure Architecture Center.

Hub-spoke network topology in Azure – Azure Reference Architectures | Microsoft Docs

Your target architecture would be a plain and simple Azure Virtual WAN, as shown here:

Hub-spoke network topology with Azure Virtual WAN – Azure Architecture Center | Microsoft Docs

Or you could deploy a Virtual WAN with shared services:

Scenario: Route to shared services VNets – Azure Virtual WAN | Microsoft Docs

Step 1 – Deploy your Virtual WAN Hub

In the first step, create your Virtual WAN with VPN and/or ExpressRoute gateways and connect it to your on-premises infrastructure.

Tutorial: Use Azure Virtual WAN to Create Site-to-Site connections | Microsoft Docs

Very important side note: the requirement for the IP range of a Virtual WAN hub has changed. The Virtual WAN product group now advises customers to use a /23 CIDR address range for every hub. That's a necessary change due to the enhanced capabilities of the Azure Virtual WAN hub, so plan the hub prefixes before you deploy.

The next step is testing. Connect your on-premises location to Azure and deploy a Virtual Network with a virtual machine in it.

Quickstart – Create a Windows VM in the Azure portal – Azure Virtual Machines | Microsoft Docs

Then connect the Virtual Network to your virtual WAN hub. Afterwards, test if you can reach the virtual Machine using its private IP.

If you can connect to the Virtual Machine, you know connectivity is working correctly.

Step 2 – Setting up Network Security

Before you migrate to Virtual WAN, you need to decide how to implement network security. Currently, you have three options.

    1. Using Network Security Groups in a Virtual Network for basic security.
    2. Use Azure Virtual WAN Secured Hub with Azure Firewall.
    3. Use a Network Virtual Appliance in a Spoke Virtual Network as a security device.

Network Security Groups

Network Security Groups (NSGs) give you basic network security and control and offer all the configuration options you need, but they are hard to manage at scale: the sheer number of NSGs, each with individual rules per subnet or server, can become a tough challenge.

Many Microsoft customers are asking for a Network Security Group management tool or interface. Currently, there is no Microsoft announcement of a solution. An example of such a tool by a third party is Aviatrix.

To be honest, most smaller customers should be fine using NSGs instead of large appliances or Azure Firewall.

Below you can find a guide to create Network Security Groups.

https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group

With Network Security Groups, you have no restrictions on routing scenarios. With the other two Network Security solutions, you might face some restrictions.

We can dive deeper within another blog post, please leave a comment if you would like to learn more about Network Security Groups and their use.

Azure Virtual WAN Secure Hub

Azure Virtual WAN Secured Hub is an addition to a regular Azure Virtual WAN hub: when you secure a hub, you introduce a managed Azure Firewall into the Virtual WAN hub.

In contrast to a traditional hub and spoke architecture with custom routing, where customers need to manage the route integration themselves, a secured hub integrates Azure Firewall directly into the routing of your Azure Virtual WAN hub.

Customers can easily change routing behaviour and force traffic from Site-to-Site VPN, Point-to-Site VPN, ExpressRoute or Virtual Network connections through the Azure Firewall, using only the Azure Firewall Manager interface.

Azure Firewall Manager deployment overview | Microsoft Docs

Currently, all routing flows are supported with Azure Virtual WAN Secured Hub except routing between two secured hubs. At the time of writing, the Secured Hub to Secured Hub route flow is in a limited private preview, and has been for three weeks.

It may already be a supported flow by the time you read this.

If it’s still in private preview, please contact me via LinkedIn and I will help you onboard to the private preview.

Florian Fox | LinkedIn

You can find more documentation about the routing via the links below.

Scenario: Azure Firewall custom routing for Virtual WAN – Azure Virtual WAN | Microsoft Docs

Network Security Appliance in a spoke

The third option you can choose is to put a Network Virtual Appliance into a spoke Virtual Network which is connected to an Azure Virtual WAN Hub.

Here you would either use static routes or the new BGP Peering integration with virtual WAN.

Both configurations are described below.

Scenario: Route traffic through a Network Virtual Appliance (NVA) – Azure Virtual WAN | Microsoft Docs

Route traffic through NVAs by using custom settings – Azure Virtual WAN | Microsoft Docs

About BGP peering with a virtual hub – Azure Virtual WAN | Microsoft Docs

Currently there is only one limitation in the NVA scenario: the route flow from Virtual Network to Virtual Network via the Virtual WAN hub and a Network Virtual Appliance is not supported.

If you want to secure Virtual Network to Virtual Network Traffic through a Network Virtual Appliance, you need to use a so-called Hub – Hub – Spoke architecture.

Scenario: Route traffic through a Network Virtual Appliance (NVA) – Azure Virtual WAN | Microsoft Docs

Conclusion

Depending on your current architecture, you should always choose the simplest method; don't overcomplicate the migration itself. If you are already using Network Virtual Appliances in your current hub and spoke architecture, the easiest way to migrate is the "Network Security Appliance in a Spoke" scenario.

If you are using Azure Firewall in a spoke, the secure hub would be the solution of your choice because you can just migrate the rules and policies to the hub.

If you didn’t use Network Virtual Appliances and Azure Firewall, you can go with plain Network Security Groups.

Now that you know the network security options currently available, you should also be aware of other scenarios with Virtual WAN on the horizon where you can use Network Virtual Appliances within the Virtual WAN Hub, so stay tuned and follow the Virtual WAN updates.

Azure Virtual WAN: About Network Virtual Appliance in the hub | Microsoft Docs

Now let’s discuss what happens to a classic hub after the Migration to virtual WAN.

Step 3 – What happens to my old hub after the Migration?

When you migrate away from a classic hub and spoke, fragments of the old environment normally remain. Your central hub Virtual Network typically hosted the Virtual Network Gateways, Network Virtual Appliances and shared services like Domain Controllers, DNS or others.

With Virtual WAN, at least the gateways become obsolete and move into Virtual WAN. You will still need some of the shared services like the Domain Controllers and DNS.

In the end, the old hub will be transformed into a connected Virtual Network.

How to Prepare and Test your Migration

Before you start a migration, you should always set up a test or at least a pre-staging environment. It helps you learn the procedures and will optimize your migration steps.

Step 1 – Prepare your Test Environment and test all route flows

You should have already prepared a virtual WAN Hub and a spoke with at least one Virtual Machine in it.

Spoke Vnet

If you are migrating to Hub – Hub – Spoke with a Network Virtual Appliance, you should have a second hub with at least a router Virtual Machine in it. For testing that can be a Linux VM acting as a router; later it would be your Network Virtual Appliance.

VWan NVA VNet Hub

Don’t build or test scenarios and architectures which are too far away from your planned target architecture. Always stay as near as possible, otherwise, you could find yourself in trouble while migrating.

Step 2 – Prepare your classic Hub and Virtual WAN interconnect

As your old hub is the last thing you touch in the migration, you need to prepare it beforehand. Otherwise, you will encounter longer downtimes or issues during the migration.

If you are migrating to the Hub – Hub Spoke, you can skip the following part and move directly to the migration chapter of this article.

Old environment to the new virtual WAN Hub environment

To establish complete communication between both environments during the whole migration process, I suggest establishing a connection directly between both the old hub and the new virtual WAN hub.

If you are using Azure ExpressRoute, you can simply create the ExpressRoute gateway in Virtual WAN. Then connect both the old Virtual Network Gateway in the old hub and the new ExpressRoute gateway in the Virtual WAN hub to the ExpressRoute circuit. That routes the traffic between the two hubs via the Microsoft Enterprise Edge and the Microsoft backbone.

Important note: remove any default routes (0.0.0.0/0) or forced-tunneling configurations towards on-premises before you connect the ExpressRoute circuit to Azure Virtual WAN, as they could break the hub routing. If your provider is advertising such a route, have the provider remove it.

Tutorial: Create ExpressRoute connections using Azure Virtual WAN | Microsoft Docs

If you are using an IPSec VPN Connection, create a VPN tunnel between the Classic Virtual Network Gateway and the Azure Virtual WAN VPN Gateway.

Connect a virtual network gateway to an Azure Virtual WAN | Microsoft Docs

The connection, whether via ExpressRoute or VPN, ensures that every spoke stays reachable throughout the migration: when you remove a spoke's peering to the old hub and connect it to the new hub, its prefix is then advertised over the temporary VPN or ExpressRoute link.

There is a third option to stay connected during the whole migration, but it carries some risk. You can keep the old peering from the spoke to the hub, but you must first clear the "Use remote gateways or Route Server" option on that peering, because a vNet can use only one remote gateway source and the Azure Virtual WAN Virtual Network connection will take over that role.
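If you go that route, the following added PowerShell (example code, not from the original post; all resource names are assumed) clears the option on the spoke side of the peering, creates the Virtual WAN connection that takes over the gateway role, and then checks the spoke VM's effective routes to confirm the on-premises prefix is still being learned.

```powershell
# Added example, not from the original post. Assumed names: rg-spoke-app1 / vnet-app1,
# peering app1-to-hub, Virtual WAN hub hub-we in rg-vwan, VM NIC vm-app1-nic.
$peer = Get-AzVirtualNetworkPeering -ResourceGroupName 'rg-spoke-app1' -VirtualNetworkName 'vnet-app1' -Name 'app1-to-hub'
$peer.UseRemoteGateways = $false          # a spoke may use only one remote gateway source
Set-AzVirtualNetworkPeering -VirtualNetworkPeering $peer | Out-Null

# The Virtual WAN connection now supplies the on-premises (gateway) routes to the spoke
$spoke = Get-AzVirtualNetwork -ResourceGroupName 'rg-spoke-app1' -Name 'vnet-app1'
New-AzVirtualHubVnetConnection -ResourceGroupName 'rg-vwan' -VirtualHubName 'hub-we' `
    -Name 'app1-conn' -RemoteVirtualNetwork $spoke | Out-Null

# Check: is the on-premises prefix (assumed 192.168.0.0/16) present in the VM's effective routes?
Get-AzEffectiveRouteTable -ResourceGroupName 'rg-spoke-app1' -NetworkInterfaceName 'vm-app1-nic' |
    Where-Object { $_.AddressPrefix -contains '192.168.0.0/16' } |
    Format-Table Source, State, AddressPrefix, NextHopType, NextHopIpAddress -AutoSize
```

Between clearing the flag and the hub connection becoming active the spoke has no path to on-premises, which is the risk mentioned above; run the two steps back to back and only for one spoke at a time.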

Remote VNet to Hub Peering

I personally would recommend the VPN or ExpressRoute connection, it carries with it some costs but reduces the downtime, time to clean up and the chance of mistakes.

Step 3 – Test the connectivity

As you now have the connection established it is important to test it and ensure you stay connected during the whole migration.

Test old to new interconnect

Connect to your test Virtual Machine in the new Virtual WAN hub and check that you can reach the following in the old hub environment:

    • Another Virtual Machine in the old hub environment
    • Check if you can reach DNS and Domain Controllers

From the old hub, make sure that you can reach the test Virtual Machine in the new Virtual WAN environment.

If you can reach both ends, the connection is fine and established.

Please also ensure that both environments can still reach your on-premises environment.
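As an added example (not part of the original post), this PowerShell runs that checklist from the test VM on the Virtual WAN side; the addresses, ports and the DNS name are constructed placeholders. Run the same list from a VM in the old hub, pointing at the new test VM, to cover the other direction, and add your on-premises targets to both runs.

```powershell
# Added example, not from the original post. All targets are assumed placeholders.
function Invoke-ConnectivityMatrix {
    param([Parameter(Mandatory)][hashtable[]]$Checks)
    foreach ($c in $Checks) {
        # TCP test: ICMP is often blocked by NSGs or the guest firewall, so never rely on ping alone
        $r = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Check   = $c.Name
            Target  = "$($c.Target):$($c.Port)"
            TcpOpen = $r.TcpTestSucceeded
            Ping    = $r.PingSucceeded
        }
    }
}

$checks = @(
    @{ Name = 'VM in old hub';            Target = '10.0.1.4';     Port = 3389 }
    @{ Name = 'Domain Controller (LDAP)'; Target = '10.0.1.10';    Port = 389 }
    @{ Name = 'DNS server (TCP 53)';      Target = '10.0.1.11';    Port = 53 }
    @{ Name = 'On-premises file server';  Target = '192.168.1.20'; Port = 445 }
)
Invoke-ConnectivityMatrix -Checks $checks | Format-Table -AutoSize

# Name resolution itself (UDP) against the old-hub DNS server, assumed record name
Resolve-DnsName -Name 'dc01.corp.example' -Server '10.0.1.11' -Type A -ErrorAction SilentlyContinue |
    Format-Table Name, IPAddress
```

Keep the output of both runs: it is your baseline for the same checks after each spoke moves, and a failed row immediately tells you which direction or service broke.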

Test Migration of a spoke

If you want to be sure that you can migrate a spoke, create a new Virtual Network peered to the old hub, deploy a Virtual Machine into it, and then perform one of the migration paths described below on that test spoke.

Connect your Branches

One necessary step before you start the migration is to connect your VPN branches to Virtual WAN. Otherwise, your branches will no longer be able to connect to your Azure environment once the old gateway is gone.

Tutorial: Use Azure Virtual WAN to Create Site-to-Site connections | Microsoft Docs

I would highly recommend using a managed CPE provider to simplify the whole configuration and integration, or even a partner Network Virtual Appliance deployed in the Virtual WAN hub as a managed appliance.

Azure Virtual WAN: Create a Network Virtual Appliance (NVA) in the hub | Microsoft Docs

Azure Virtual WAN: About Network Virtual Appliance in the hub | Microsoft Docs

Create a BGP peering with virtual hub(Preview) – Azure portal – Azure Virtual WAN | Microsoft Docs

Prepare your Point to Site VPN

If you use Point to Site VPN with the old environment, you need to prepare your user VPN and clients as well.

Configure an Always-On VPN tunnel – Azure Virtual WAN | Microsoft Docs

Configure an Always-On VPN user tunnel – Azure Virtual WAN | Microsoft Docs

VPN Gateway: VPN client for OpenVPN protocol P2S connections: Azure AD authentication | Microsoft Docs

Create an Intune profile for User VPN clients – Azure Virtual WAN | Microsoft Docs

Download Azure Virtual WAN global or hub-based VPN profiles | Microsoft Docs

For the profiles, I would highly recommend the global profile. In addition, you can put Azure Traffic Manager in front of the Virtual WAN Point-to-Site gateways to optimize global load balancing and customize it to your needs, for example if you want a custom DNS name for the VPN dial-in.

Azure Traffic Manager | Microsoft Docs

How to Perform Your Migration

Now that your hub is ready, connected and tested, we can start the actual migration. Depending on the migration scenario, plan a maintenance window accordingly.

Step 1 – Migrate your Spokes to virtual WAN

As we have three different target scenarios, I will split the next part of the guide into three parts. One per scenario.

Step 1a – Migrate to Network Virtual Appliance in the Spoke Scenario

When you are targeting that architecture, the migration is rather simple. Follow the steps below:

    1. Remove the connection between the Local Network Gateway and the Virtual Network Gateway of the old hub. Note: never delete the Local Network Gateway configuration; you need it for a rollback.
    2. Remove the classic Virtual Network Gateway from the old hub. Delete a virtual network gateway: portal – Azure VPN Gateway | Microsoft Docs.
    3. Connect your old hub to the new Azure Virtual WAN hub. Tutorial: Use Azure Virtual WAN to Create Site-to-Site connections | Microsoft Docs.
    4. If you are not using BGP on your on-premises VPN and routing devices, now is the point where you switch your on-premises routes for your Azure Virtual Networks to the new Virtual WAN.
    5. Configure the Virtual WAN hub routing so that the default route, or the routes for specific IP ranges, point to the Network Virtual Appliance.

How to configure virtual hub routing – Azure Virtual WAN | Microsoft Docs

Scenario: Route traffic through a Network Virtual Appliance (NVA) – Azure Virtual WAN | Microsoft Docs.

6. Test if you can reach all Virtual Machines and your route flows work as expected.
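As an added example (not part of the original post), here are steps 1, 2, 3, 5 and 6 in Az PowerShell; step 4 happens on your on-premises routers. Resource names, the NVA spoke connection name and the spoke VM NIC are assumed placeholders; defaultRouteTable is the route table Virtual WAN creates in every hub.

```powershell
# Added example, not from the original post. Assumed names: old hub vnet-hub in rg-hub with
# gateway gw-hub and connection gw-hub-to-onprem; Virtual WAN hub hub-we in rg-vwan; the NVA
# spoke is already connected to the hub as nva-spoke-conn.
$hubRg = 'rg-hub'; $vwanRg = 'rg-vwan'; $vhub = 'hub-we'

# Step 1: drop the S2S connection, but keep the Local Network Gateway object for rollback
Remove-AzVirtualNetworkGatewayConnection -ResourceGroupName $hubRg -Name 'gw-hub-to-onprem' -Force

# Step 2: remove the classic VPN gateway (this is the slow part, 30 to 55 minutes)
Remove-AzVirtualNetworkGateway -ResourceGroupName $hubRg -Name 'gw-hub' -Force

# Step 3: connect the old hub to the Virtual WAN hub as an ordinary vNet connection
$oldHub = Get-AzVirtualNetwork -ResourceGroupName $hubRg -Name 'vnet-hub'
New-AzVirtualHubVnetConnection -ResourceGroupName $vwanRg -VirtualHubName $vhub `
    -Name 'oldhub-conn' -RemoteVirtualNetwork $oldHub | Out-Null

# Step 4 (not scriptable here): unless BGP does it for you, switch the on-premises static
# routes for the Azure prefixes to the Virtual WAN VPN/ExpressRoute gateway.

# Step 5: point the hub's default route table at the NVA spoke connection. 0.0.0.0/0 sends
# everything (including internet-bound traffic) through the NVA; use narrower prefixes if that
# is not what you want.
$nvaConn = Get-AzVirtualHubVnetConnection -ResourceGroupName $vwanRg -VirtualHubName $vhub -Name 'nva-spoke-conn'
$toNva = New-AzVHubRoute -Name 'default-via-nva' -Destination @('0.0.0.0/0') -DestinationType 'CIDR' `
                         -NextHop $nvaConn.Id -NextHopType 'ResourceId'
$rt = Get-AzVHubRouteTable -ResourceGroupName $vwanRg -VirtualHubName $vhub -Name 'defaultRouteTable'
Update-AzVHubRouteTable -ResourceGroupName $vwanRg -VirtualHubName $vhub -Name 'defaultRouteTable' `
                        -Route (@($rt.Routes) + @($toNva)) | Out-Null

# Step 6: on a spoke VM's NIC (assumed vm-app1-nic in rg-spoke-app1) confirm that 0.0.0.0/0
# now resolves to the NVA before you start any cleanup on the old hub.
Get-AzEffectiveRouteTable -ResourceGroupName 'rg-spoke-app1' -NetworkInterfaceName 'vm-app1-nic' |
    Where-Object { $_.AddressPrefix -contains '0.0.0.0/0' } |
    Format-Table Source, AddressPrefix, NextHopType, NextHopIpAddress -AutoSize
```

Run the last command against a VM in each connected vNet, not just one: a spoke that still shows the Azure default internet route instead of the NVA is a spoke whose connection is not associated with the route table you just changed.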

If everything works as expected, you can start the cleanup, which is quick. Delete the User Defined Route associated with the Gateway Subnet, if you had one, and afterwards delete the Gateway Subnet itself. Never delete the Gateway Subnet or its User Defined Route before you are sure everything works as expected. After that is done, you can delete the Local Network Gateway configuration.

The cleanup process should take no longer than 25 minutes.

Please don’t forget to delete the out-of-date configurations from your on-premises VPN and Router Devices, but like with the Local Network Gateway, please leave it untouched until you can confirm that everything works smoothly.

Normally you can expect the following durations during the migration:

    • Removing the Virtual Network Gateway: 30 to 55 minutes
    • Connecting a Virtual Network to the Virtual WAN hub: 15 to 20 minutes per Virtual Network
    • Changing on-premises routing: 20 to 40 minutes
    • Routing configuration in Virtual WAN to the NVA: 20 to 30 minutes

Normally you would plan a maintenance window of about four hours with a point of no return after three hours. If you encounter issues that you cannot fix by the end of the third hour, start the rollback, which includes the following steps:

    1. Delete the Peering to the Virtual WAN Hub
    2. Recreate the Virtual Network Gateway
    3. Reconnect the Virtual Network Gateway to the Local Network Gateway
    4. Change back your on-premises routing

If everything goes according to plan, your environment now runs on Azure Virtual WAN. In this scenario there is no additional cleanup to do, as your old hub has become a shared services hub.

Step 1b – Migrate to Secured Hub Scenario

The migration to a secured hub scenario is the most complex and time-consuming one. Before you can start the actual migration, you need to upgrade your Virtual WAN hub and transform it into a Secured Virtual Hub.

What is a secured virtual hub? | Microsoft Docs

Important note: please be aware, at the time of writing, the feature of securing routing between two or more Secured Virtual WAN Hubs is still in preview.

During the migration itself I would not recommend enforcing any firewall rules, but you should test your rules and the security options before the migration. Analyze your current firewall ruleset and translate it into Azure Firewall rules.

Azure Firewall Manager policy overview | Microsoft Docs

After upgrading your Virtual WAN Hub and implementing your ruleset, you can start with the migration.

In that configuration, you will have a router within your hub environment. That router is no longer needed for Virtual WAN. To migrate to Virtual WAN you need to perform the following steps.

    1. If you are not using BGP on your on-premises VPN and routing devices, now is the point where you switch your on-premises routes for your Azure Virtual Networks to the new Virtual WAN.
    2. Remove all User Defined Routes from the spoke you want to migrate to Virtual WAN.
    3. Remove the peering to the current hub and instead connect the spoke to the new Virtual WAN hub. Tutorial: Use Azure Virtual WAN to Create Site-to-Site connections | Microsoft Docs.
    4. Repeat the step for all your spokes.
    5. After you've migrated all your spokes, remove the User Defined Routes from the old hub.
    6. Remove the connection between the Local Network Gateway and the Virtual Network Gateway of the old hub. Note: never delete the Local Network Gateway configuration.
    7. Remove the classic Virtual Network Gateway from the old hub. Delete a virtual network gateway: portal – Azure VPN Gateway | Microsoft Docs.
    8. Connect your old hub to the new Azure Virtual WAN hub. Tutorial: Use Azure Virtual WAN to Create Site-to-Site connections | Microsoft Docs.
    9. Now start securing the Virtual Network connections with Azure Firewall. Do that one connection at a time, so that you can revert a change that breaks service availability. How to configure Virtual WAN Hub routing policies – Azure Virtual WAN | Microsoft Docs.

If everything works as expected, you can start the cleanup, which is quick. Delete the User Defined Routes associated with the Gateway Subnet, if you had any, and afterwards delete the Gateway Subnet itself. Never delete the Gateway Subnet or its User Defined Routes before you are sure everything works as expected. After that, you can delete the Local Network Gateway configuration. Delete your router Virtual Machine but keep its backup for another few days, to be on the safe side.

Expected durations:

    • Removing the Virtual Network Gateway: 30 to 55 minutes
    • Connecting a Virtual Network to the Virtual WAN hub: 15 to 20 minutes per Virtual Network
    • Changing on-premises routing: 20 to 40 minutes
    • Removing the User Defined Routes from the old hub: 10 to 15 minutes
    • Securing Virtual Network and other connections: 10 to 15 minutes per connection

For a Secured Hub migration, you should plan for at least an 8-hour migration window: 6 hours of migration and 2 hours to reverse if anything goes wrong. Your point of no return is around hour 6; after that you no longer have time to reverse all changes. The rollback includes the following steps:

    1. Delete the connection to the Virtual WAN hub for every Virtual Network, including the old hub, and peer all spokes back to the old hub.
    2. Re-associate the User Defined Routes on the spokes and the hub.
    3. Recreate the Virtual Network Gateway.
    4. Reconnect the Virtual Network Gateway to the Local Network Gateway.
    5. Change back your on-premises routing.

The cleanup described above will again take about 40 minutes.

Please don't forget to delete the outdated configurations from your on-premises VPN and router devices, but as with the Local Network Gateway, leave them untouched until you can confirm that everything works smoothly.

After all the steps are done, you will operate on the shared services VNet architecture. Scenario: Route to shared services VNets – Azure Virtual WAN | Microsoft Docs

Step 1c – Migrate to Network Security Group Scenario

Migration to the Network Security Group based scenario is very simple but implies some cleanup afterwards.

In that configuration, you will have a Router within your hub environment. That Router is no longer needed for Virtual WAN. To migrate to Virtual WAN you need to perform the following steps.

    1. If you are not using BGP on your on-premises VPN and routing devices, now is the point where you switch your on-premises routes for your Azure Virtual Networks to the new Virtual WAN.
    2. Remove all User Defined Routes from the spoke you want to migrate to Virtual WAN.
    3. Remove the peering to the current hub and instead connect the spoke to the new Virtual WAN hub. Tutorial: Use Azure Virtual WAN to Create Site-to-Site connections | Microsoft Docs.
    4. Repeat the step for all your spokes.
    5. After you've migrated all your spokes, remove the User Defined Routes from the old hub.
    6. Remove the connection between the Local Network Gateway and the Virtual Network Gateway of the old hub. Never delete the Local Network Gateway configuration.
    7. Remove the classic Virtual Network Gateway from the old hub. Delete a virtual network gateway: portal – Azure VPN Gateway | Microsoft Docs.
    8. Connect your old hub to the new Azure Virtual WAN hub. Tutorial: Use Azure Virtual WAN to Create Site-to-Site connections | Microsoft Docs.
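The per-spoke part of this procedure (steps 2 to 5) is identical for the Secured Hub scenario above and the NSG scenario here, so the following added PowerShell example serves both. It is not code from the original post, and every resource and peering name is an assumption. It detaches route tables instead of deleting them so that a rollback can simply re-associate them, removes both halves of each peering, and skips the GatewaySubnet on the old hub because its route table is only removed during cleanup, after the gateway is gone.

```powershell
# Added example, not from the original post. Assumed names throughout.
function Clear-SubnetRouteTables {
    # Detach (do not delete) the UDRs of a vNet's subnets; returns the updated vNet
    param([Parameter(Mandatory)]$VirtualNetwork, [string[]]$ExcludeSubnet = @())
    $changed = $false
    foreach ($subnet in $VirtualNetwork.Subnets) {
        if ($subnet.RouteTable -and $ExcludeSubnet -notcontains $subnet.Name) {
            Write-Host "Detaching route table from $($VirtualNetwork.Name)/$($subnet.Name)"
            $subnet.RouteTable = $null
            $changed = $true
        }
    }
    if ($changed) { return Set-AzVirtualNetwork -VirtualNetwork $VirtualNetwork }
    return $VirtualNetwork
}

function Move-SpokeToVirtualWan {
    param(
        [Parameter(Mandatory)][string]$SpokeResourceGroup,
        [Parameter(Mandatory)][string]$SpokeVnetName,
        [Parameter(Mandatory)][string]$PeeringToOldHub,    # peering name inside the spoke vNet
        [Parameter(Mandatory)][string]$PeeringFromOldHub,  # matching peering name inside the hub vNet
        [Parameter(Mandatory)][string]$OldHubResourceGroup,
        [Parameter(Mandatory)][string]$OldHubVnetName,
        [Parameter(Mandatory)][string]$VwanResourceGroup,
        [Parameter(Mandatory)][string]$VirtualHubName
    )
    # Step 2: remove the spoke's UDRs
    $spoke = Get-AzVirtualNetwork -ResourceGroupName $SpokeResourceGroup -Name $SpokeVnetName
    $spoke = Clear-SubnetRouteTables -VirtualNetwork $spoke

    # Step 3: remove both halves of the peering, then connect the spoke to the Virtual WAN hub
    Remove-AzVirtualNetworkPeering -ResourceGroupName $SpokeResourceGroup -VirtualNetworkName $SpokeVnetName -Name $PeeringToOldHub -Force
    Remove-AzVirtualNetworkPeering -ResourceGroupName $OldHubResourceGroup -VirtualNetworkName $OldHubVnetName -Name $PeeringFromOldHub -Force
    New-AzVirtualHubVnetConnection -ResourceGroupName $VwanResourceGroup -VirtualHubName $VirtualHubName `
        -Name "$SpokeVnetName-conn" -RemoteVirtualNetwork $spoke | Out-Null
}

$common = @{ OldHubResourceGroup = 'rg-hub'; OldHubVnetName = 'vnet-hub'; VwanResourceGroup = 'rg-vwan'; VirtualHubName = 'hub-we' }
$spokes = @(   # constructed inventory; looping over it is step 4
    @{ SpokeResourceGroup = 'rg-spoke-app1'; SpokeVnetName = 'vnet-app1'; PeeringToOldHub = 'app1-to-hub'; PeeringFromOldHub = 'hub-to-app1' }
    @{ SpokeResourceGroup = 'rg-spoke-app2'; SpokeVnetName = 'vnet-app2'; PeeringToOldHub = 'app2-to-hub'; PeeringFromOldHub = 'hub-to-app2' }
)
foreach ($s in $spokes) { Move-SpokeToVirtualWan @s @common }

# Step 5: only after all spokes are moved, detach the old hub's UDRs, leaving the GatewaySubnet
# one in place until the gateway itself is removed during cleanup
$hub = Get-AzVirtualNetwork -ResourceGroupName 'rg-hub' -Name 'vnet-hub'
Clear-SubnetRouteTables -VirtualNetwork $hub -ExcludeSubnet 'GatewaySubnet' | Out-Null
```

Because the route tables survive, the rollback for a single spoke is the mirror image: delete its hub connection, recreate the two peerings, and re-associate the detached tables with Set-AzVirtualNetworkSubnetConfig.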

If everything works as expected, you can start the cleanup, which is quick. Delete the User Defined Route associated with the Gateway Subnet, if you had one, and afterwards delete the Gateway Subnet itself. Never delete the Gateway Subnet or its User Defined Route before you are sure everything works as expected. After that, you can delete the Local Network Gateway configuration. Delete your router Virtual Machine but keep its backup for another few days, to be on the safe side.

The Clean-Up Process will again take about 40 minutes.

Please don’t forget to delete the outdated configurations from your on-premises VPN and Router Devices but like with the Local Network Gateway, please leave it untouched until you can confirm that everything works smoothly.

Normally you can expect the following durations:

    • Removing the Virtual Network Gateway: 30 to 55 minutes
    • Connecting a Virtual Network to the Virtual WAN hub: 15 to 20 minutes per Virtual Network
    • Changing on-premises routing: 20 to 40 minutes
    • Removing the User Defined Routes from the old hub: 10 to 15 minutes

Normally you should plan a maintenance window of about 3 hours with a point of no return after 2 hours, depending on the number of spokes you need to migrate. If you encounter issues that you cannot fix by the end of hour 2, start the rollback, which includes the following steps:

    1. Delete the connection to the Virtual WAN hub for every Virtual Network, including the old hub, and peer all spokes back to the old hub
    2. Re-associate the User Defined Routes on the spokes and the hub
    3. Recreate the Virtual Network Gateway
    4. Reconnect the Virtual Network Gateway to the Local Network Gateway
    5. Change back your on-premises routing

If everything went according to plan, you should now run your environment based on Azure Virtual WAN. As we already removed the Gateways and other components during migration and cleanup, your old hub is now a shared services spoke according to the architecture below.

Scenario: Route to shared services VNets – Azure Virtual WAN | Microsoft Docs

Useful Resources

Before we finish this blog post, I would like to recommend a few articles to read while preparing your migration.

Deployment

New Features

Additional Configurations

Troubleshooting and Monitoring

Closing Thoughts

First, thank you for reading this guide! My job is to help people troubleshoot their Microsoft problems, so I hope this guide helps you avoid the most common complications encountered when migrating to Azure Virtual WAN. If there’s anything I’ve missed, please contact me via LinkedIn or leave a comment below and I’ll get straight back to you!

Deploy Azure virtual WAN in 2,5 Hours https://www.altaro.com/hyper-v/deploy-azure-virtual-wan/ https://www.altaro.com/hyper-v/deploy-azure-virtual-wan/#respond Fri, 13 Aug 2021 07:49:48 +0000 https://www.altaro.com/hyper-v/?p=23011 This blogpost contains a detailed and easy to follow guide on how to deploy Azure Virtual WAN in the shortest time possible.

The post Deploy Azure virtual WAN in 2,5 Hours appeared first on Altaro DOJO | Hyper-V.


With Azure Virtual WAN at its current level of maturity, I'm seeing more and more landing zone deployments based on Virtual WAN, both greenfield and for migrations.

Currently, I do around one to two landing zone deployments, which has made me efficient enough to deploy a landing zone in around 2.5 hours. 😊 Let's go through the process together and see how you can do it too.

Target landing zone

First, let’s discuss the landing zone I deployed with my customers. It is a very simple one for PoC and testing purposes, but it can scale out for more productional use cases.

The landing zone consists of:

    • One resource group for the Virtual WAN components
    • Two resource groups for the virtual machines and their connected resources, including the spoke Virtual Network, one per region
    • One Virtual WAN resource
    • Two Virtual WAN hubs in two regions
    • One Site-to-Site VPN gateway and one Point-to-Site gateway per hub
    • A Point-to-Site VPN profile with Azure Active Directory authentication
    • Two Virtual Networks, one per region
    • One VM per region in the spoke VNet

From an architectural perspective, it would look like shown below.

WAN Target landing zone


After the deployment, you can enhance the architecture in the following ways:

    • You can now add DNS and Active Directory Services to the VMs
    • You can enhance the Network Security Groups in the Spoke to improve network security

For testing purposes, you can then test the following scenarios:

    • Connect from a User / Point to Site VPN tunnel to:
      • On-Premises via VPN
      • Access the Azure VM in Spoke Region one and Region two
    • From Site to Site VPN
      • Access the Azure VM in Spoke Region one and Region two
    • From Azure VMs
      • Access to the VM in the other Spoke
      • Reach Resources and Services On-Premises via VPN

Creating the same environment with classic hub and spoke takes around one week, and I would need at least one Network Virtual Appliance or router VM in the hub network.

Deployment of the landing zone

The next steps are exactly what you need to do to deploy the landing zone:

    • Create the resource groups
    • Deploy the Virtual WAN resource
    • Integrate the Azure VPN Client with Azure Active Directory
    • Create the Point-to-Site VPN profile
    • Create the Virtual WAN hubs
    • Create the Site-to-Site configuration
    • Create the spoke virtual networks
    • Create the test VMs in both spokes
    • Connect the spokes to the hubs
    • Connect the VPN site to the hub

I would suggest opening at least three tabs with Azure Portal to switch back and forth during the deployment, for a smooth experience. 

Azure Portal Deployment

Create the Resource Groups and deploy the Virtual WAN Resource

As already mentioned, the first step is to deploy the resource groups for our Virtual WAN landing zone. I personally prefer a dedicated resource group for Virtual WAN, because the service adds many hidden resources to that resource group and I don't like to mix Virtual WAN infrastructure with other services and components.

I will also add two resource groups for my landing zone virtual networks and the connected VMs: one resource group per region holding the virtual machine, the virtual network and the network security group.

Microsoft Docs has a guide on how to deploy a resource group in Azure.

After you deployed the resource groups, it should look like the screenshot below.

Microsoft Azure Resource Groups

After the resource groups are deployed, we deploy the Virtual WAN resource into our Virtual WAN resource group. Microsoft's tutorial on using Azure Virtual WAN to create site-to-site connections covers this step.

When you deploy the Virtual WAN resource there are a few things to know.

Create Wan

Aside from using the right Subscription and Resource Group, you need to select the Resource Location.

In Virtual WAN you can deploy hubs in any Azure region, but the Virtual WAN resource itself, which holds the configuration, lives in a single region at the time of writing. If that region goes down, your hubs keep forwarding traffic, but you cannot change their configuration until the region is back.

As a result, deploy the Virtual WAN resource in a large region like West Europe, North Europe, Southeast Asia or West US. Avoid small local regions like France Central or Korea.

Then you have the type of Virtual WAN, where you decide between Basic and Standard. Basic gives you a highly available and highly scalable Site-to-Site VPN gateway in a hub and spoke architecture, but it does not provide an ExpressRoute gateway, hub-to-hub transit, a Point-to-Site gateway, VNet-to-VNet transit, Azure Firewall or an NVA in the hub. For the landing zone in this guide you need Standard.

Virtual WAN type   Hub type   Available configurations
Basic              Basic      Site-to-site VPN only
Standard           Standard   ExpressRoute; User VPN (P2S); VPN (site-to-site); inter-hub and
                              VNet-to-VNet transit through the virtual hub; Azure Firewall;
                              Network Virtual Appliances

The Virtual WAN resource deployment can take up to 10 minutes. We can switch to another browser tab or window and move on with the next step of our deployment in the meantime.

Integrate the Azure VPN Client with Azure Active Directory and create the Point-to-Site profile in Virtual WAN

The next step is to integrate the Azure VPN Client with Azure Active Directory to prepare the Point-to-Site profile. We will use Azure AD authentication for the User VPN, which lets users log on with their Azure single sign-on credentials. Have a read through the Microsoft documentation about VPN Gateway: Azure AD tenant for P2S VPN connections: Azure AD authentication, and Configuring Azure AD authentication for User VPN connection: Virtual WAN.

First, we need to register the Azure VPN enterprise application in our Azure AD tenant. Use the registration link for your cloud from that documentation (Azure Public has its own link); the consent it grants is tenant-wide, so it has to be given by a Global Administrator. After you have registered the Azure VPN Client, you should find it under Enterprise applications in Azure AD.

Integrate the Azure VPN Client to Azure Active Directory

Now we need to copy two things for the next step. First is the application ID of the Azure VPN Enterprise App. Copy it to an editor of your choice. You will need it later.

Azure VPN Overview

Add a group or users to the Azure VPN app so that they can use the Point-to-Site VPN later. Also check that the app's "User assignment required?" property is set to Yes; otherwise every account in the tenant can authenticate to the VPN, not only the ones you assigned. In production environments you should use groups and Conditional Access to improve remote access security.

With Azure Active Directory Free you have to assign individual users to the VPN enterprise app. With a higher Azure Active Directory SKU like P1 or P2, you should create a group for VPN users, assign that group and manage membership only through the group. Check out Microsoft's guides to create or edit a dynamic group and get status in Azure AD, and to create a basic group and add members in Azure Active Directory.

Azure VPN users and groups

The second thing you need is the Tenant ID of your Azure AD. You can find it on the overview page of Azure AD. Copy it to the editor too.

Tenant ID Azure AD

Now go back to your virtual WAN Resource. It should be deployed.

Create the Virtual WAN Hubs

Now we create our hubs. Here I normally suggest a /23 address space, or slightly larger, for the hub. A /23 lets you deploy all current hub resources at all scale units and leaves room for what comes in the next releases. Check out the tutorial: Use Azure Virtual WAN to Create Site-to-Site connections.

Within the Virtual WAN hub we will deploy the following components:

    • VPN gateway for Site-to-Site
    • VPN gateway for Point-to-Site

I will only deploy the minimum available scale units. In your case, please deploy whatever bandwidth or user VPN amount is necessary.

Create the Virtual WAN Hubs

First the basic settings. Select the Azure region where the hub should be deployed. Always try to choose the region nearest to your offices. If you have a wide footprint, I personally recommend deploying several smaller hubs instead of a single large hub.

Create Virtual Hub

Select the appropriate Site-to-Site VPN scale units for your workload in that region.

Site-to-Site VPN scale units

Now move on to the Point-to-Site blade. Select the number of scale units based on the number of concurrently connected users. Add an address pool for the clients and the DNS server the clients should use. The client pool must not overlap with any hub, spoke or on-premises range. You can use a DNS server located in Azure or on-premises; a DNS server in Azure is recommended. Those DNS servers must be reachable from the Virtual WAN hub.

Virtual Hub IP

Next, we need to create a Point to Site Configuration. Please click create new like shown in the picture.

Create a Point to Site Configuration.

If you already have one, you can select it from the drop-down menu. Otherwise the "Create new User VPN configuration" blade opens. You can have only one configuration per hub. I personally prefer Azure AD authentication; for Azure AD authentication you must select the tunnel type "OpenVPN", because it is the only tunnel type that supports it.

New User VPN Configuration

Switch to Azure Active Directory blade. Here we need to add a few things.

New User VPN Configuration

In the Audience field, add the application ID of the Azure VPN enterprise app you copied earlier. For Issuer and AAD Tenant we build two URLs from the tenant ID.

The Issuer must look like https://sts.windows.net/<AAD-Tenant-ID>/ and the AAD Tenant must look like https://login.microsoftonline.com/<AAD-Tenant-ID>

Never add a "/" at the end of the AAD Tenant URL, never drop the "/" at the end of the Issuer, and don't enter the bare tenant ID without the URL around it. Any of these results in a deployment failure.

You can add ExpressRoute Gateways, if necessary, too.

Add ExpressRoute Gateways

You can also add tags if needed. After you completed all the steps, please click “review and create”.

Review and Create virtual Hub

The deployment takes around 45 minutes per hub. We will use the time to deploy our spoke networks and VMs.

The hub deployment is complete when you see the following in the hub blade:

Hub status = Succeeded (the underlying VNet is deployed)

Routing status = Provisioned (the virtual router was deployed in the hub)

Gateway provisioning status = Succeeded (the gateway scale units were deployed and peered with the hub router)

Gateway provisioning status

Create the spoke network and virtual machines

Creating a spoke virtual network and a virtual machine is routine, so I will not repeat those steps here; the guides linked below cover them. Again, decide on an address size; I would suggest a /25 or larger. Plan a /26 per service if you want to add services like Azure Bastion, Azure service endpoints or Azure Private Link, and keep the spoke prefixes disjoint from the hub prefixes, the Point-to-Site client pool and the on-premises ranges.
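Hub prefixes, spoke prefixes, the Point-to-Site client pool and the on-premises ranges all end up in one routing domain, and an overlap between any two of them is a classic cause of "the tunnel is up but nothing is reachable". The following address-plan check is an added example and not part of the original post; the two sample plans are constructed, and the overlaps in PLAN_BAD are deliberate.

```sh
#!/bin/sh
# Added example, not from the original post: checks that every prefix in a
# Virtual WAN landing zone address plan is disjoint. Sample plans are constructed.
set -eu

# IPv4 dotted quad -> integer
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# "a.b.c.d/n" -> "<first address> <last address>" as integers, host bits masked off
cidr_net() {
  addr=${1%/*}; bits=${1#*/}
  base=$(ip2int "$addr")
  size=$(( 1 << (32 - bits) ))
  start=$(( base / size * size ))
  echo "$start $(( start + size - 1 ))"
}

# returns 0 when the two prefixes overlap, 1 when they are disjoint
cidr_overlap() {
  set -- $(cidr_net "$1") $(cidr_net "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# plan: one "<name> <cidr>" per line; prints one line per overlapping pair
plan_conflicts() {
  printf '%s\n' "$1" | awk '{print NR, $0}' | while read -r i n1 c1; do
    printf '%s\n' "$1" | awk '{print NR, $0}' | while read -r j n2 c2; do
      [ "$i" -lt "$j" ] || continue           # each unordered pair once
      if cidr_overlap "$c1" "$c2"; then
        echo "$n1 $c1 overlaps $n2 $c2"
      fi
    done
  done
}

# returns 0 when the plan has no overlapping prefixes
plan_ok() { [ -z "$(plan_conflicts "$1")" ]; }

# Constructed sample plan: two /23 hubs, two spokes, the P2S client pool, on-prem.
PLAN_GOOD="hub-weu 10.0.0.0/23
hub-neu 10.0.2.0/23
spoke-weu 10.1.0.0/24
spoke-neu 10.2.0.0/24
p2s-pool 192.168.100.0/24
onprem 172.16.0.0/12"

# Deliberately broken: the spoke was carved out of the hub range, and the
# P2S client pool collides with the on-premises range.
PLAN_BAD="hub-weu 10.0.0.0/23
spoke-weu 10.0.1.0/24
p2s-pool 192.168.100.0/24
onprem 192.168.0.0/16"

plan_conflicts "$PLAN_BAD"
```

Run it before you fill in the hub prefix, the client pool and the VPN site address spaces in the portal; every range you later configure on the hub or receive from on-premises should be in the plan.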

As for my VMs, I will choose B-Series VM to save some budget. If you want to deploy applications, domain controller etc. on to the VMs, please follow the recommendations for these applications.

Here you can find an example for Microsoft Windows Server Active Directory Domain Services. You can find video guides on how to create a virtual network – Azure portal – Azure Virtual Network and how to create a Windows VM in the Azure portal.

The virtual machines take up to around 30 minutes to deploy, depending on size and operating system.

Create the Site to Site VPN configuration

The next step is to deploy the first VPN site configuration. Microsoft Docs has a guide on that.

Virtual WAN has a nice feature: a VPN site can be defined by FQDN instead of a static IP, so your on-premises device does not need a static public address. You can use a dynamic DNS service or build your own on Azure; I found a great guide from Cirrius Tech for that.

Creating the VPN site takes around 15 minutes, time enough to refill your coffee or get a snack.

Connect the Spokes to the Hubs and connect the VPN Site

In the meantime our hubs and VMs should have been deployed. To make sure, check the hub status. As shown in the screenshot below, your hub components should have the following status:

    • Hub Status: Succeeded
    • Routing Status: Provisioned
    • VPN (Site to Site) Gateway: Succeeded
    • VPN (Point to Site) Gateway: Succeeded


As soon as your hub deployment has succeeded, you can start connecting your spokes. Microsoft's tutorial on using Azure Virtual WAN to create site-to-site connections covers the virtual network connection.

If you want to connect a spoke in another tenant, you have to do that with PowerShell; the portal cannot do it yet. Microsoft has a guide on how to connect cross-tenant VNets to a hub: PowerShell - Azure Virtual WAN.

After about 5 minutes, check the effective routes of the virtual machine's NIC in Azure. You should see all routes and networks connected to the hub.

virtual NIC of the Virtual Machines in Azure

After you connect the spokes, you can connect your VPN Site to the Hub. Here you can find an MS tutorial on it. 

When configuring a remote site you have different options. You can use a managed device, for example from Fortinet or Palo Alto, whose management tools can automate the tunnel deployment. I will link some of the guides below.

If you have a vWAN unmanaged device, like a Ubiquiti Dream Machine or Security Gateway please refer to my older blog post.

Now you should have a landing zone in place and proceed with testing.
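The whole procedure above, scripted with the Azure CLI, as an added example that is not part of the original post. It needs the virtual-wan CLI extension; the flag names are the ones I know from that extension and should be checked against `az network vhub --help`, `az network vpn-server-config --help` and friends before running. Resource names, regions, prefixes and the placeholder tenant and application IDs are assumptions. The `vwan_aad_*` helpers encode the Issuer and AAD Tenant URL rule from the Point-to-Site section and are checked before anything is created. The VPN site and its connection are left out because they depend on your on-premises device. The script only calls `az` when started with `--deploy`; otherwise it just defines the helpers.

```sh
#!/bin/sh
# Added example, not from the original post: the landing zone above, scripted
# with the Azure CLI. Requires the virtual-wan extension (az extension add
# --name virtual-wan) and a logged-in az session when run with --deploy.
# Names, regions, prefixes and the placeholder tenant/app IDs are assumptions.
set -eu

RG_WAN="rg-vwan"                     # dedicated RG: vWAN adds hidden resources here
VWAN="vwan-lz"
VWAN_LOCATION="westeurope"           # large region: the vWAN config lives only here
P2S_POOL="192.168.100.0/24"          # client pool; must not overlap hubs, spokes, on-prem
TENANT_ID="${TENANT_ID:-00000000-0000-0000-0000-000000000000}"   # placeholder Azure AD tenant ID
VPN_APP_ID="${VPN_APP_ID:-11111111-1111-1111-1111-111111111111}" # placeholder Azure VPN app ID
# hub name : hub region : hub prefix (/23) : spoke RG : spoke VNet prefix
HUBS="hub-weu:westeurope:10.0.0.0/23:rg-spoke-weu:10.1.0.0/24
hub-neu:northeurope:10.0.2.0/23:rg-spoke-neu:10.2.0.0/24"

# Azure AD values for the User VPN configuration, following the post's rule:
# audience = bare app ID, issuer ends with "/", tenant URL has no trailing "/".
vwan_aad_audience() { printf '%s' "$1"; }
vwan_aad_issuer()   { printf 'https://sts.windows.net/%s/' "$1"; }
vwan_aad_tenant()   { printf 'https://login.microsoftonline.com/%s' "$1"; }

# Returns 0 when audience, issuer and tenant follow that rule, 1 otherwise,
# so the mistake is caught here instead of as a failed hub deployment.
vwan_aad_check() {
  guid='[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'
  printf '%s\n' "$1" | grep -Eq "^${guid}\$" || return 1
  printf '%s\n' "$2" | grep -Eq "^https://sts\\.windows\\.net/${guid}/\$" || return 1
  printf '%s\n' "$3" | grep -Eq "^https://login\\.microsoftonline\\.com/${guid}\$" || return 1
}

deploy_landing_zone() {
  aud=$(vwan_aad_audience "$VPN_APP_ID")
  iss=$(vwan_aad_issuer "$TENANT_ID")
  ten=$(vwan_aad_tenant "$TENANT_ID")
  vwan_aad_check "$aud" "$iss" "$ten" || { echo "invalid Azure AD VPN settings" >&2; return 1; }

  az group create --name "$RG_WAN" --location "$VWAN_LOCATION" --output none
  # Standard: Basic has no P2S gateway and no hub-to-hub or VNet-to-VNet transit
  az network vwan create --name "$VWAN" --resource-group "$RG_WAN" \
    --location "$VWAN_LOCATION" --type Standard --output none
  # one User VPN configuration (OpenVPN + Azure AD), reused by every hub
  az network vpn-server-config create --name cfg-aad --resource-group "$RG_WAN" \
    --vpn-auth-types AAD --protocols OpenVPN \
    --aad-audience "$aud" --aad-issuer "$iss" --aad-tenant "$ten" --output none

  printf '%s\n' "$HUBS" | while IFS=: read -r hub region prefix spoke_rg spoke_prefix; do
    az network vhub create --name "$hub" --resource-group "$RG_WAN" --vwan "$VWAN" \
      --location "$region" --address-prefix "$prefix" --sku Standard --output none
    # minimum scale units; size for your bandwidth and concurrent users
    az network vpn-gateway create --name "vpngw-$hub" --resource-group "$RG_WAN" \
      --vhub "$hub" --location "$region" --scale-unit 1 --output none
    az network p2s-vpn-gateway create --name "p2sgw-$hub" --resource-group "$RG_WAN" \
      --vhub "$hub" --location "$region" --scale-unit 1 \
      --vpn-server-config cfg-aad --address-space "$P2S_POOL" --output none
    # spoke: RG, NSG and VNet with the NSG attached to the VM subnet
    az group create --name "$spoke_rg" --location "$region" --output none
    az network nsg create --name "nsg-$hub" --resource-group "$spoke_rg" \
      --location "$region" --output none
    az network vnet create --name "vnet-$hub" --resource-group "$spoke_rg" \
      --location "$region" --address-prefixes "$spoke_prefix" \
      --subnet-name snet-vm --subnet-prefixes "$spoke_prefix" \
      --network-security-group "nsg-$hub" --output none
    vnet_id=$(az network vnet show --name "vnet-$hub" --resource-group "$spoke_rg" \
      --query id --output tsv)
    # connect the spoke; its routes show up on the VM NICs a few minutes later
    az network vhub connection create --name "conn-$hub" --resource-group "$RG_WAN" \
      --vhub-name "$hub" --remote-vnet "$vnet_id" --output none
  done
}

# Only touch Azure when asked; otherwise this file just defines the helpers.
if [ "${1:-}" = "--deploy" ]; then
  deploy_landing_zone
fi
```

Source the file to get the helpers, or run it with `--deploy` after setting TENANT_ID and VPN_APP_ID to your real values. Hub creation is where the 45 minutes per hub go, so expect the loop to block there.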

How to test?

After you deployed the landing zone, you should run a set of tests to ensure your deployment works as expected.

The first test is to connect from a client to your Virtual WAN hub using the Point-to-Site VPN. From that client, connect to both virtual machines in Azure and to a system on-premises to test the connectivity.

After a successful Point to Site test, you log on to a virtual machine on-prem and try to reach both virtual machines in Azure.

With that test done, you log into both Azure virtual machines and try to reach several on-premises systems.

When all tests are successful, you have a well connected and working basic landing zone to build on top.

Do you prefer scripting?

To be honest, I'm not a good scripter, and Virtual WAN itself is primarily UI and portal focused, but luckily my colleagues from FastTrack for Azure, Igor Pagliai and Ben Hummerstone, created a basic Bicep script to deploy a similar landing zone.

There are also different Azure Resource Manager Templates for the deployment of Virtual WAN.

Any to any routing ARM template can be found here Quickstart: Create an Any-to-any configuration using an ARM template – Azure Virtual WAN.

An ARM template for a shared service hub infrastructure can be found here Quickstart: Route to shared services using an ARM template – Azure Virtual WAN.

On GitHub:

azure-quickstart-templates/201-virtual-wan-with-all-gateways at master · Azure/azure-quickstart-templates (github.com)

azure-quickstart-templates/301-virtual-wan-with-route-tables at master · Azure/azure-quickstart-templates (github.com)

Some good practices before you leave

After a successful deployment, you should do some cleaning and you should enhance your configuration.

Configure basic network security

You should not run without proper network security. The most basic measure is a Network Security Group on every subnet, with rules that only allow the traffic the VMs actually need. See: Create, change, or delete an Azure network security group.

Deploy DNS and Directory Services

To establish proper DNS and directory services, you should now use or deploy virtual machines to host DNS (for example BIND) and LDAP or Active Directory.

After you have deployed the DNS service, configure those DNS servers in the virtual network configuration, as shown below.

Deploy DNS and Directory Services

Deploy DNS and Directory Services

You would also need to add the DNS Servers to the Point to Site client configuration.

DNS Servers to the Point to Site client configuration

Establish Azure Monitor and Security

To avoid being blind to what is going on in your environment, you should onboard yourself and your environment to Azure Monitor and Azure Security Center.

That would enable you to establish proper monitoring and be aware of security risks and optimizations.

Monitoring Virtual WAN – Logs and metrics – Azure Virtual WAN | Microsoft Docs

Monitoring Azure Networks – Azure Monitor Network Insights – Azure Monitor | Microsoft Docs

Monitoring Azure in general – Azure Monitor documentation – Azure Monitor | Microsoft Docs

Azure Security Center – What is Azure Security Center? | Microsoft Docs

With these small additions you have a proper landing zone for your migration.

Securing Point to Site connection

To secure Point-to-Site VPN connections, you should not rely on username and password alone. Define a Conditional Access policy for the Azure VPN app as soon as you can. Good practice is to require multi-factor authentication and to check that the client device is compliant with your Mobile Device Management policy or, for example, has a corporate certificate installed. That locks out users and devices that do not meet your minimum security standards.

You can learn more about access following this link What is Conditional Access in Azure Active Directory? | Microsoft Docs

Conclusion

As I wrote in the introduction, I wanted to give you a guide to deploying a Virtual WAN landing zone within 2.5 hours. I hope that worked out and you can use the landing zone for your Azure migrations.

If I missed something, you have questions or if you want to have more of those guides, please leave me a comment.

The post Deploy Azure virtual WAN in 2,5 Hours appeared first on Altaro DOJO | Hyper-V.

Azure Virtual WAN vs. Azure Route Server
https://www.altaro.com/hyper-v/azure-vwan-route-server/ (Fri, 21 May 2021)
Let's have a look at Azure vWAN and Azure Route Server, understand the differences between them, and when to use each.


During the spring Microsoft Ignite 2021, as you might have seen, Microsoft announced a new service called Azure Route Server in public preview.

When looking at the new service, you may see some similarities. Route Server is a lightweight version of the Virtual WAN routing function, offering only BGP, brought to virtual networks. Virtual WAN additionally provides custom routing, route table association and propagation, transit connectivity between VNets through the virtual hub router, and any-to-any routing that gives you a zero-touch full mesh.

Within this blog post I don't want to discuss the service itself; there is enough great documentation already in Microsoft Docs. There is also a comprehensive blog post about Azure Virtual WAN, if you'd like to give it a read before continuing.

In this article, I want to focus on a comparison to make clear the difference between Azure Route Server and Azure Virtual WAN.

Managed Virtual WAN vs. unmanaged Virtual Network with Azure Route Server

Looking at the approach of Virtual WAN, you see a Microsoft-managed network service built to interconnect, secure, automate, route and transport traffic. Virtual WAN comes with built-in high availability for all components within the hub. That means all gateways, every Network Virtual Appliance, Azure Firewall and the virtual hub router are already built redundant. It also lets you manage connectivity to partner CPEs automatically instead of configuring VPN tunnels by hand.

Virtual WAN allows a customer to scale gateways up and down on demand without downtime, where a classic virtual network environment needs a redeployment of the gateway. That reduces the downtime during such changes to zero.

From a management perspective it looks more like a PaaS or SaaS service. You enter your configuration in one of the management GUIs or via CLI, and the Virtual WAN service applies these changes to all required and involved components.

Looking at the management interfaces, there are three places to manage the Microsoft components in the hub and the additional components when you use a Network Virtual Appliance.

  • Virtual WAN: managed through the Azure Portal Experience and/or CLI
  • Azure Firewall in Virtual WAN: managed through Azure Firewall Manager and/or CLI
  • NVA in Virtual WAN: managed through the NVA Vendor provided management interface and CLI

Virtual WAN Boundaries

To keep myself honest here, managed services like Virtual WAN come with boundaries. My list below will show the main limitations for Virtual WAN.

  • You cannot deploy virtual machines, e.g. domain controllers, in a vWAN hub. That requires a shared services VNet. However, this is by design, so that support cases for shared services which Virtual WAN doesn't control stay separate from Virtual WAN-managed resources, for which the service is accountable in all regards. So this may not be a limitation.
  • You can think of Virtual WAN as a Microsoft-managed transit gateway to which you attach resources like Network Virtual Appliances and gateways. That overcomes the issues of classic NVA deployments, which are mainly challenging in provisioning, configuration, UDR configuration, patching/upgrades and supportability. It makes Virtual WAN a grey box where you don't own or manage every piece, but it increases supportability and mid- to long-term resiliency.
  • You need to migrate from a classic hub and spoke to Virtual WAN; there is no easy switch at the push of a button.

Route Server Boundaries

Now looking at Azure Route Server. Azure Route Server is another component of an Azure virtual network that you can add on demand when you need a BGP endpoint, and you can add it to any new or existing virtual network as long as you have an empty subnet left to deploy the service into. For a virtual network, it removes common issues and inconveniences like:

  • Manually updating route tables for Network Virtual Appliances in the virtual network
  • The need for UDRs in the virtual network to steer traffic to Network Virtual Appliances or gateways
  • The complexity of, and the need for, load balancers in front of Network Virtual Appliances, which also reduces management overhead
  • The need to inject IP networks that are, for example, connected via VPN to a Network Virtual Appliance through an unsupported shadow virtual network

To use these advantages, your Network Virtual Appliance MUST support BGP. To compare apples with apples we now need to discuss the downsides.

Azure Route Server is just another service in a virtual network, which means it has its own management interface, user experience and integration. When you set up a hub virtual network comparable to Virtual WAN, you need to add the following additional components.

  • Virtual Network with Virtual Network Peering
  • Azure Firewall
  • Network Security Groups
  • Azure Route Server
  • NAT Gateway
  • Virtual Network Gateway for VPN
  • Virtual Network Gateway for ExpressRoute
  • Network Virtual Appliance

Each of these components comes with its own configuration interface, which you need to know, understand, configure and master. Changes you make on one may not be reflected in the others.

Components in an unmanaged virtual network have additional downsides that you do not have in Virtual WAN. One major downside is the scalability of virtual network gateways: changing the SKU of a virtual network gateway requires a redeployment of the gateway and comes with around 30 minutes of downtime. It is also very complex to build coexistence between Azure ExpressRoute and VPN in an unmanaged virtual network. Redundancy for non-Microsoft components like Network Virtual Appliances has to be managed by the customer, which requires deep knowledge of both the Network Virtual Appliance and Azure.

But there are benefits too. A virtual network can host virtual machines and does not require the shared services spoke architecture of Virtual WAN, so if you prefer a single virtual network over hub and spoke, that would still be the way to go. You also have the option to build out use cases which are not yet supported or implemented in Virtual WAN.

General Architecture and Integration

Let me try to explain it with a drawing too. I will focus on a traditional landing zone with a pair of NVAs, gateways and routing services, i.e. Azure Route Server and the Virtual WAN hub router. The blue boxed parts represent the managed services and the red box represents the unmanaged part.

Looking at Virtual WAN, currently every aspect is managed except the NVA in the Virtual WAN hub. We currently have only three partners offering an NVA in Virtual WAN, so that is not representative for our comparison.

In virtual WAN Microsoft handles following components and aspects:

  • CPE Partner Device:
    • virtual WAN Manages VPN Tunnel and routing configuration
    • Deployment and changes after managed device is connected
  • Virtual WAN Gateways:
    • High Availability of the Gateways
    • Routing integration
    • Scaling
    • Monitoring
  • Routing configuration:
    • Virtual WAN manages the routing configuration and monitors the route flow
    • Virtual WAN ensures that every connected device receives the new routing config
    • Virtual WAN integrates and checks routing configuration done by the customer
  • Hub router:
    • Virtual WAN manages high availability and performance of the hub router
    • Virtual WAN monitors the hub router
    • Virtual WAN fixes issues with the hub router, e.g. a VM failure
  • Transitive peering between spokes:
    • Virtual WAN manages and configures transit routing between spokes
    • Virtual WAN manages the peering config between hub and spokes and guarantees functionality

One aspect of Virtual WAN that is still unmanaged, leaving NVA-in-the-hub solutions aside, is an NVA deployed in a spoke, e.g. as a network security device. The customer still has to configure and manage high availability and routing for these NVAs.

With the unmanaged virtual network hub and spoke architecture you can more or less achieve a semi-automated configuration. As shown in the drawing, there are some more aspects that need to be configured and known by the customer.

In a classic hub and spoke, Microsoft Azure services can offer the following managed aspects.

  • Gateways: 
    • High Availability and Monitoring of Gateways is done by the Azure Platform
    • Gateways can be scaled up and down but need to be redeployed with a 45 minute downtime
  • Routing integration with Route Server:
    • Route Integration with Route Server is done by the VNet as a Service
  • Route Server:
    • High Availability and Monitoring is provided as a part of the service
    • Route Integration to the VNet is part of the service

As already discussed there are also some unmanaged aspects as well.

  • CPE device:
    • Classic hub and spoke gateways cannot manage or update the CPE
    • CPEs can be managed through the NVA management tool, e.g. FortiManager or Palo Alto Panorama
  • VPN config:
    • Because the CPEs are not managed, the VPN config cannot be managed by the gateway either. That needs to be done through 3rd-party tooling too
  • Peer integration with NVA for Route Server:
    • Peer Integration must be done manually
  • Network Virtual Appliance: 
    • High Availability and Monitoring must be done by customer
    • Route Server Integration must be done by customer
    • Backup must be done by customer
  • Transitive Routing:
    • Transit Routing between spokes must be configured manually and needs a Route Server or NVA to act as central routing device
  • VNet Peering configuration:
    • The configuration between the hub and the spokes must be done by customer
    • Config must be validated and tested by customer depending on the use case

Compared and combined in one sentence: Virtual WAN may only cover ninety percent of all use cases at its current state, but it removes a large amount of management overhead and simplifies hub management. A DIY hub with Route Server gives you more flexibility to cover the remaining ten percent of network scenarios, but it is much harder to manage and more complex. It needs many more components to be comparable to Virtual WAN, and the classic hub components lack scalability and built-in high availability. With Virtual WAN evolving as a service, it is the better bet in the long run.

Conclusion

If a customer asked me when to use which service, I would answer as follows. If I start from a greenfield, or want to ease and simplify my network management, I decide for Azure Virtual WAN. If my setup requires a classic hub and spoke architecture, e.g. I have a configuration Virtual WAN does not support, or I want to use Network Virtual Appliances which do not support active/active and easy scaling, I use Route Server.

As Azure networking is already rather complex, my customers and I enjoy the managed approach of Virtual WAN. In most scenarios it keeps things simple even at larger global scale, which is normally only manageable with 3rd-party tools. Managing every single service separately, as you would with a classic hub and spoke, adds a lot of overhead and opens opportunities for mistakes and misconfiguration.
What is Azure Virtual WAN?
https://www.altaro.com/hyper-v/azure-virtual-wan/ (Thu, 13 May 2021)
Azure Virtual WAN is a managed networking service which brings together networking, connectivity, security, monitoring and routing features. Read more to find out about this umbrella of services.


As you might have seen from other posts, I'm currently writing more articles around Azure Virtual WAN, and today I want to have an in-depth look at what Azure vWAN is.

To start off, I'd like to mention that I'm a huge fan of Virtual WAN and I do a lot of projects with customers on it. But to be honest, there is no straightforward yes or no answer when it comes to choosing Azure vWAN over other designs, such as a classic Azure network landing zone.

Within today’s post, I will share some of my knowledge and opinions around Virtual WAN and discuss the most often mentioned questions by customers:

  • What is Azure Virtual WAN?
  • What is the difference between Virtual WAN and SDWAN?
  • When should I swap from Classic Hub and Spoke to Virtual WAN?
  • What are the benefits and downsides of Virtual WAN?

I work with Virtual WAN customers on a daily basis, so I will keep the explanations as short as possible and try to give you some real-life examples and opinions.

What is Azure Virtual WAN?

Many people think Virtual WAN is just another connectivity method from Azure, like Azure ExpressRoute (Direct) or VPN, but you should think of Virtual WAN as an umbrella that includes lots of services, including connections to Azure ExpressRoute and VPN. Azure Virtual WAN is a managed networking service which brings together networking, connectivity, security, monitoring and routing features, and it gives you a single point of management for all of them.

Virtual WAN includes connectivity solutions like ExpressRoute, VPN for Site-to-Site and Point-to-Site connections, as well as the integration of SD-WAN and VPN CPE partners. I will give you some more background on partner CPE solutions later in the post. Virtual WAN can also make use of Azure Firewall; with that you can secure private connections or establish a centralized internet breakout from the Azure backbone and leverage the Microsoft edge and peering environment to other providers.

Many people think of Virtual WAN as an "I need to take all" solution, but Virtual WAN scales on demand. That means you can start small, only use Virtual WAN as a single VPN hub, and add the other features later on demand. You can also scale down if you no longer need features or hubs.

When deploying virtual WAN it always consists of the following resources.

-> The virtual WAN Management resource

The virtual WAN Management resource

Currently, the Virtual WAN management resource is bound to one region and is not replicated to another. That resource only holds the configuration and represents the Virtual WAN infrastructure; the active components get separate resources deployed.

Virtual WAN Management Essentials

If the region where you deployed the Virtual WAN resource becomes unavailable for some reason, the Virtual WAN goes into read-only mode, which means you still have a working backbone and connectivity but cannot make changes. So my suggestion: always deploy your Virtual WAN resource in a larger region like North or West Europe.

–> The Virtual WAN Hub

The Virtual WAN Hub

Beneath the Virtual WAN Management resource, you deploy the virtual WAN hubs. These hubs are region-bound and are deployed to the Azure Region which you choose for the deployment. It will also leverage the local resources like IPs or VM capacity. Normally you can deploy Azure virtual WAN in every Azure Region globally but there are two small limitation with sovereign regions like Azure China or satellite regions like Azure Germany North (Berlin) or Azure France South (Marseille).

  • Azure Sovereign Regions
    • As you may know, sovereign regions are completely disconnected from the Microsoft Global Network and from the global Azure Active Directory. For virtual WAN they are handled like any other VPN or ExpressRoute site, such as a datacenter or a branch. To connect a sovereign region to a global virtual WAN hub, you would need to deploy a virtual WAN in the sovereign region and one in global Azure and connect the two like any other remote site.
  • Azure Satellite Regions
    • A satellite region is part of the Microsoft Global Network and Azure Active Directory but is by default not open for customer deployments. Satellite regions are built only to provide in-country redundancy for customers who require it. To deploy into such a region, you need to have your subscription allowlisted via an Azure support ticket. After that, you can deploy to the region.

Create Microsoft Virtual Hub

—> Virtual WAN Gateways, Firewalls and Appliances 

Virtual WAN Gateways, Firewalls and Appliances

Within the hub you then deploy the resources you need, such as your gateways, firewall and appliances.

Virtual WAN is always a hub-and-spoke architecture: virtual WAN is the interconnect and security hub, with built-in branch and user connectivity and automated performance and scalability, and the spokes are the connected virtual networks and branches. Virtual network spokes can be regular application spokes or special shared-services spokes. The shared-services spoke in particular is a necessary compromise in virtual WAN, because there is no option to deploy, for example, domain controllers or management servers inside a virtual WAN hub; such services must live in a spoke. You can find more details on the shared-services spoke architecture here: Scenario: Route to Shared Services VNets – Azure Virtual WAN | Microsoft Docs

Talking about architecture, a very important point of the virtual WAN architecture is the global transit capability. It allows customers to transit traffic through the Microsoft backbone globally without a third-party backbone provider such as AT&T, British Telecom, Tata or others. In my opinion, that is an awesome opportunity to reduce costs and improve performance, because you can always choose the best local provider at each site and do not need to take care of peerings between providers or sign high-priced contracts with a central connectivity provider.

Such an architecture could look like below.

Virtual WAN architecture

If you want to learn more about the global transit network architecture and the Microsoft Global Network, please follow the links below.

What is the difference between Virtual WAN and SDWAN?

Virtual WAN itself is a software-defined WAN (SD-WAN). It is designed to provide a seamless, scalable and highly resilient backbone network that interconnects with on-premises SD-WAN devices, services and technologies.

There are many services in the field provided by Solution Partners and Azure Networking Managed Services Partners in the Microsoft Azure Virtual WAN ecosystem.

So, to answer the question briefly: virtual WAN is based on SD-WAN principles but is not a full last-mile SD-WAN solution. It acts more as an SD-WAN aggregation point and backbone extension, which makes it a great addition to a software-defined WAN ecosystem.

To learn more about Azure virtual WAN and Software-Defined WAN, you can read a great article by Dr. Reshmi Yandapalli, Principal PM at Microsoft Azure Networking.

Virtual WAN managed CPE Partner

First, let's clarify what a CPE is. CPE stands for customer premises equipment: basically a firewall, router or SD-WAN edge device that connects the customer's on-premises network to the Internet or to a private network.

Azure Virtual WAN works with a list of CPE partners. The list below shows the partners available at the time of writing, with their configuration, how-to or deployment guides.

Partner | Configuration / How-to / Deployment Guide
Barracuda Networks | Barracuda CloudGen Firewall: Azure Virtual WAN
Check Point | Check Point for the Microsoft Azure Virtual WAN Quick Start Guide
Cisco Meraki | Azure Virtual WAN Cisco Meraki Deployment Guide
Citrix | Using Citrix SD-WAN to connect to Microsoft Azure Virtual WAN
CloudGenix | CloudGenix Azure Virtual WAN CloudBlade Deployment Guide
Fortinet | FortiGate and Microsoft Azure Virtual WAN Integration deployment guide; Routing Scenario Blog
HPE Aruba | Aruba SD-WAN and Microsoft Azure Virtual WAN Deployment Guide
NetFoundry | NetFoundry Support Hub: Azure Virtual WAN
Nuage/Nokia | Nuage and Azure Virtual WAN Deployment Guide
Open Systems | Open Systems and Azure Virtual WAN Deployment Guide
Palo Alto Networks | Palo Alto Networks Azure Virtual WAN Deployment Guide
Riverbed Technology | *
Silver Peak | EdgeConnect and Microsoft Azure Virtual WAN Integration Guide
VeloCloud (VMware) | Azure Virtual WAN VeloCloud Deployment Guide
Versa | Configuring Versa SD-WAN and Microsoft Azure vWAN (available for registered customers)

Source: Microsoft Docs

With supported devices from those partners, you have the option of zero-touch CPE deployment. That means you can preconfigure an environment that a brand-new CPE (straight out of the box) can connect to. Such devices connect directly to a management service from their vendor and receive the details they need to connect to the customer's virtual WAN.

Once connected to virtual WAN, virtual WAN manages the connections to other branches, other virtual WAN hubs and any other connected services.

Such a workflow could look like:

  1. An employee on-premises unboxes the CPE and connects it to the Internet
  2. The employee gives the serial number and access code from the box to a service engineer
  3. The service engineer logs into the CPE partner's service portal, authorizes the CPE and pushes the configuration to the device
  4. The CPE connects to virtual WAN and registers itself as a branch (VPN site)
  5. The CPE receives its configuration and routes to other branches, Azure and other connected infrastructure
  6. Virtual WAN receives network changes and distributes them automatically to all connected CPEs

You can also use unmanaged CPEs as shown in one of my previous articles.

In that case, you need to manage every single device and its routing yourself. You can make it a bit simpler by using BGP for route exchange, but you would still need to add the VPN sites and the on-premises device configuration manually. Depending on your infrastructure, that can be very complicated and time-consuming.

I personally use the unmanaged option at the moment, because I only have three sites in my test environment, but even that is already annoying to manage.

Virtual WAN Upgrades

Virtual WAN as a managed service has two SKUs plus a number of additional upgrades and integrations with other products.

The lowest SKU available is Basic. In Basic mode, you can only connect Site-to-Site VPN connections and virtual networks. It roughly replaces a traditional Azure VPN Gateway and prepares your environment to grow into a global backbone solution.

With a simple “click” like shown in this documentation, you can upgrade a basic virtual WAN hub to a standard one.

With a Standard virtual WAN hub you get the option to add Azure ExpressRoute and Point-to-Site VPN gateways. In addition, you can connect other virtual WAN hubs around the globe and enable inter-hub routing, as well as VNet-to-VNet transit, without using a Network Virtual Appliance or Azure Firewall as a router.

With that, virtual WAN already is a great solution for building a massive global backbone on top of the Microsoft global network.

Based on the virtual WAN you can now add additional solutions.

Azure Secure Hub with Azure Firewall

By introducing Azure Firewall into an Azure virtual WAN hub, a regular (unsecured) virtual WAN hub becomes a secured hub.

When upgrading to a secured hub, security and routing policies are handled and configured through Azure Firewall and Azure Firewall Manager. A secured hub makes it easier for a customer to build a hub-and-spoke network with native, integrated security services, which makes it easier to govern and protect network traffic transiting the customer's network in Azure.

Currently, you can use a secured hub to filter traffic between virtual networks, between virtual networks and branch offices or on-premises locations, and from branches and virtual networks to the Internet. What is not yet possible, and according to Microsoft will be addressed during the next release cycle (January to July 2021), is securing traffic from one secured hub to another secured hub.

In Microsoft's terms: you can use a secured virtual hub to filter traffic between virtual networks (V2V), between virtual networks and branch offices (B2V), and to the Internet (B2I/V2I). A secured virtual hub provides automated routing; there is no need to configure your own user-defined routes (UDRs) to send traffic through the firewall.

You can choose the security providers that protect and govern your network traffic: Azure Firewall, third-party security-as-a-service (SECaaS) providers, or both. Currently, a secured hub doesn't support branch-to-branch (B2B) filtering or filtering across multiple hubs.

To learn more about Azure Secured Hub, please visit the Microsoft documentation.

Network Virtual Appliance Partners

In 2020 Microsoft introduced the first Network Virtual Appliance (NVA) partnership, with the first appliances natively integrated into virtual WAN. The first partner at that time was Barracuda Networks with its CloudGen WAN appliance. Currently Cisco Viptela and Barracuda are the only partners available, but by the end of 2021 many other tier-one SD-WAN and security vendors are expected to join the virtual WAN NVA portfolio.

These appliances are deployed inside the virtual WAN hub, in their own subnet behind an Azure Load Balancer. They run as a Virtual Machine Scale Set (VMSS), which means they are highly available and you can easily add appliance instances to the NVA cluster to add capacity. The NVAs then speak External Border Gateway Protocol (eBGP) to the Azure virtual WAN route service, which orchestrates all routes from all gateways, peerings and integrated services such as Azure Firewall.

With the following image, I want to try to illustrate the routing flow. It is not perfectly accurate, but it explains the concept.

Azure Virtual Wan Routing Flow

Microsoft is working hard to improve the NVA experience, routing and partnerships in virtual WAN. In the end, NVA integration should become easy and scalable, without the redundancy and scaling struggles you have with a classic VNet deployment.

When should I swap from Classic Hub and Spoke to Virtual WAN?

First things first: even if you hear it from your consultants or even from a Microsoft Cloud Solution Architect, Azure Virtual WAN is not the solution for every network architecture. It is a managed network service that should make roughly seventy per cent of networking scenarios easier for customers. There are still thirty per cent of scenarios where virtual WAN cannot solve the problem and may even make things more complex.

The following table may help during daily business decisions in regards to virtual WAN.

Virtual WAN | Classic Hub / Spoke
Customer requires a managed service | Customer can manage complex routing and failover himself
Customer wants to build a global backbone with managed points of presence around the globe | Customer has no need for a backbone and only wants to connect single sites
Customer requires more than 120 P2S VPN tunnels | 120 P2S VPN tunnels are enough
Customer wants to use managed CPE solutions | Customer will manage VPN and MPLS connections himself
Customer requires automated routing between branches, Azure and other solutions across different connectivity technologies | Customer has complex custom routing that requires Network Address Translation

There are many more things to consider when choosing a solution. As you may know, every project and infrastructure is different. The benefits of virtual WAN can sometimes become disadvantages, but one thing I always plan for is keeping the architecture open so that you can switch back and forth.

What are the benefits and downsides of Virtual WAN?

When looking at virtual WAN there are some great benefits but also some downsides you maybe need to know.

Benefits: 

  • Highly available gateway and backbone infrastructure
  • Easy up and downscaling of the hub environment without any downtime
  • Rich feature set and automation
  • One of Microsoft's networking focus services
  • Large Partner ecosystem
  • Managed Service for network connectivity, routing and security

Downsides: 

  • Complex services to understand in the first place
  • Flexibility and solutions limited to the available feature set compared to a classic hub and spoke

There are always reasons to use a classic hub and spoke instead of virtual WAN. Please do me one favour: always check the virtual WAN feature set and supportability against your scenario. Sometimes Microsoft and partners want to sell you virtual WAN as the unicorn that solves every network requirement. From my personal experience, virtual WAN is an awesome product and I really love working on projects with it, but it cannot cover all scenarios yet.

When should I use Azure Virtual WAN?

Within the last part of my post, I would like to give you some scenarios I tend to cover with virtual WAN when I work with my customers.

Building a global unified Network Backbone

As described above, a perfect use case for virtual WAN is a global, unified, full-mesh network backbone. In that scenario, a customer builds entry points and virtual WAN hubs near every office location and near its mobile workers around the globe.

Virtual WAN Global Unified Network Backbone

With such a solution you get a hub-to-hub backbone capacity of about 40 Gbps between virtual WAN hubs and an entry capacity of 20 Gbps per gateway type. That means you have 20 Gbps of ExpressRoute capacity per region, 20 Gbps or 10,000 users (a limit that will be raised soon) per Point-to-Site VPN gateway, and 20 Gbps (2 Gbps per tunnel) per Site-to-Site VPN gateway. With Network Virtual Appliances such as Barracuda CloudGen WAN in virtual WAN, even more capacity is possible. Combined with price-efficient internet or private network connections from a local network provider, that gives the customer a very cost-efficient and extremely scalable global backbone that no other solution on the market offers.

Build your own Cloud Exchange platform

One thing I really like, and described in one of my older posts, is the option to use virtual WAN as a cloud exchange platform with routing automation. How to build such an exchange with ExpressRoute, virtual WAN and partners like Megaport or DE-CIX is described here: How to use Microsoft Global Network with Oracle, Google or AWS (altaro.com)

But there is a hidden secret in virtual WAN. Did you know that you can use virtual WAN VPN gateways to connect to other clouds and route between them? Normally that would not be possible, because another cloud provider's VPN gateway and a regular Azure VPN Gateway are both just IPsec VPN responders, so you would need a third-party device to establish the tunnel. A virtual WAN VPN gateway, by contrast, can be configured as the IPsec VPN initiator.

Source: Azure Virtual WAN default IPsec policies | Microsoft Docs

With that option and the right configuration, you can easily establish IPsec VPN tunnels between all the big cloud platforms, such as AWS and GCP. On another note, using public IP connections and the Internet to connect to the other clouds is not such a bad idea: all three big providers maintain good peering relationships with each other. As we say in the peering community, “in peering we trust”, even when we are in (un)friendly competition.
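Both the unmanaged-CPE case described earlier (adding VPN sites and the on-premises device configuration by hand) and the cloud-to-cloud tunnel described here come down to the same steps: describe the remote gateway as a VPN site, create the connection on the hub's VPN gateway, and decide which IPsec/IKE parameters the gateway initiates with. The following Azure PowerShell script is an added example, not from the original post or from Microsoft's documentation. It assumes the Az.Network module and an authenticated session (Connect-AzAccount); the resource names, address ranges, the remote endpoint 203.0.113.10 and the ASNs are placeholders. Instead of accepting the default IPsec policy set, it pins an explicit AES-256-GCM / SHA-256 / DH group 14 policy on the connection and generates a fresh pre-shared key, which is the part a security engineer should not leave to defaults.

```powershell
# Added example (not from the original post): register a remote cloud VPN gateway or an
# unmanaged CPE as a virtual WAN VPN site and pin an explicit IPsec/IKE policy.
# Assumes the Az.Network module and an authenticated session. All names/IPs are placeholders.

$rg       = 'rg-vwan-demo'        # assumed resource group
$location = 'westeurope'
$vwanName = 'vwan-global'
$hubName  = 'hub-weu'
$gwName   = 'vpngw-weu'
$siteName = 'site-othercloud'     # the remote cloud or branch, modelled as a VPN site

# 1. Virtual WAN (Standard SKU, needed later for hub-to-hub and ExpressRoute) and one hub.
$vwan = New-AzVirtualWan -ResourceGroupName $rg -Name $vwanName -Location $location `
    -VirtualWANType 'Standard' -AllowBranchToBranchTraffic
$hub = New-AzVirtualHub -ResourceGroupName $rg -Name $hubName -Location $location `
    -VirtualWan $vwan -AddressPrefix '10.100.0.0/24'

# 2. Site-to-site VPN gateway in the hub (one scale unit is 500 Mbps aggregate; size as needed).
$null = New-AzVpnGateway -ResourceGroupName $rg -Name $gwName -VirtualHubName $hubName `
    -VpnGatewayScaleUnit 1

# 3. Describe the remote gateway as a VPN site with one link. BGP over the tunnel means you
#    do not maintain static prefix lists per site; ASN and peering IP must match the remote device.
$link = New-AzVpnSiteLink -Name 'link1' -IpAddress '203.0.113.10' `
    -LinkProviderName 'Internet' -LinkSpeedInMbps 200 `
    -BgpAsn 64601 -BgpPeeringAddress '169.254.21.1'
$site = New-AzVpnSite -ResourceGroupName $rg -Name $siteName -Location $location `
    -VirtualWan $vwan -VpnSiteLink @($link) -AddressSpace @('10.200.0.0/16') `
    -DeviceVendor 'OtherCloud' -DeviceModel 'VpnGateway'

# 4. Explicit IPsec/IKE policy instead of the default policy set: AES-256-GCM for ESP,
#    AES-256 + SHA-256 for IKE, DH group 14 with PFS (2048-bit MODP), one-hour SA lifetime.
$ipsec = New-AzIpsecPolicy -SALifeTimeSeconds 3600 -SADataSizeKilobytes 102400000 `
    -IpsecEncryption 'GCMAES256' -IpsecIntegrity 'GCMAES256' `
    -IkeEncryption 'AES256' -IkeIntegrity 'SHA256' -DhGroup 'DHGroup14' -PfsGroup 'PFS2048'

# 5. Random 256-bit pre-shared key generated locally; one per site, stored in a vault afterwards.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = [Convert]::ToBase64String($bytes)
$securePsk = ConvertTo-SecureString -String $psk -AsPlainText -Force

# 6. The connection: the hub gateway initiates the tunnel to the site link with the pinned policy.
$linkConn = New-AzVpnSiteLinkConnection -Name 'link1-conn' -VpnSiteLink $site.VpnSiteLinks[0] `
    -ConnectionBandwidth 200 -EnableBgp -SharedKey $securePsk -IpSecPolicy $ipsec
$null = New-AzVpnConnection -ResourceGroupName $rg -ParentResourceName $gwName `
    -Name "$siteName-conn" -VpnSite $site -VpnSiteLinkConnection @($linkConn)

# What the remote side needs: the hub gateway's public tunnel IPs and BGP addresses, plus the PSK.
$gw = Get-AzVpnGateway -ResourceGroupName $rg -Name $gwName
$gw.BgpSettings.BgpPeeringAddresses |
    Select-Object IpconfigurationId, TunnelIpAddresses, DefaultBgpIpAddresses
Write-Host "Configure the remote gateway with PSK: $psk"
```

The PSK is shown once so you can configure the remote side; treat it as a secret from that point on and do not reuse it across sites. If the remote gateway supports only a subset of the pinned algorithms, the tunnel will not come up at all, which is the intended failure mode: fix the remote side rather than loosening the policy.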

Build a highly secured private internet break out via Azure Backbone

When configuring Azure virtual WAN with, for example, a secured hub, you can announce a default route to your clients and branch offices. With that, you can use the Microsoft global backbone to provide a highly redundant, secured and well-peered Internet breakout.

Microsoft is heavily investing in its peering relationship to network providers and in its backbone security. You can read more about it here.

For customers who want to use ExpressRoute, there is another benefit. With Azure Virtual WAN and a secured hub, you are allowed to transit Office 365 traffic via ExpressRoute private peering to the Azure Firewall in virtual WAN. It is the only recommended way to use ExpressRoute for Microsoft 365; as you might know, Microsoft does not recommend ExpressRoute for Microsoft 365 traffic in any other case.

You can also use virtual WAN to double-encrypt traffic to other PaaS and SaaS services. The first layer of encryption comes from the service itself, which is protected with TLS, and the second layer can be established with IPsec over the Internet or over ExpressRoute using the gateway's private IP.

To learn more about Internet Security with virtual WAN, please visit the virtual WAN security Baseline.

Integrate unmanaged Networks after acquisitions

A good example of virtual WAN's flexibility is a scenario I have faced several times in the last two years: a customer acquires another company that uses a completely different WAN strategy. In most cases, my customers were already using SD-WAN appliances and acquired a company with a very traditional MPLS network.

The usual solution for interconnecting the two networks would be an additional MPLS connection in a customer datacenter or main office, or an additional internet connection and SD-WAN appliance in the acquired company's datacenter or office. Those locations would then serve as a hub site. Depending on the size of the company, you might need such a hub on every major continent.

To be honest, that is a good, very common and proven strategy, but it has one downside. A customer usually needs such an interconnect hub for only a few months to at most two years, until the acquired network is fully integrated into the corporate network. Those hub solutions mostly come with high costs and long-term commitments such as MPLS contracts.

With virtual WAN you can just spin up a virtual WAN hub in a region near the corporate and acquired offices and connect ExpressRoute or VPN connections to it. As soon as the acquired network is integrated and you no longer need the hub for interconnect, you can simply tear it down or scale it down.

There is currently only one small show-stopper. If you have overlapping IP ranges between the two networks and you do not have the option to NAT at the branch location, virtual WAN in its native setup cannot be used. But that is a small gap that Microsoft will close sooner or later, because it is one of the most requested improvements from customers.

Currently, you can build a workaround by deploying the Barracuda NVA, or a Network Virtual Appliance from any other partner, in the hub and terminating the VPN tunnels on that appliance. You can then use the routing features of virtual WAN together with the NAT feature of the appliance to establish connectivity and routing via the Microsoft global network and virtual WAN. I will not describe that design in this post; it would be a topic on its own. If you would like to read about it, please leave me a comment.

In the meantime, I would like you to check out the listed Microsoft docs below.

Closing Thoughts

Ok, that was a very long post, one of the longest I have ever written for Altaro. Thanks for reading through it; I hope I was able to give you some more clarity and insight into virtual WAN, its possibilities and where it applies. If you have any questions, feel free to leave a comment, email me, or send me a tweet.

The post What is Azure Virtual WAN? appeared first on Altaro DOJO | Hyper-V.

The Best Virtual Machine for Windows 10 https://www.altaro.com/hyper-v/best-vm-windows-10/ https://www.altaro.com/hyper-v/best-vm-windows-10/#respond Fri, 09 Apr 2021 09:11:33 +0000 https://www.altaro.com/hyper-v/?p=19720 Which hypervisor provides the best virtual machine for Windows 10 and other operating systems? Let's compare and find the answer.


Undoubtedly, one of the most significant advancements in computing in the past two decades or so has been server and client virtualization, which naturally leads to the question: what is the best virtual machine for Windows 10? Virtualization has unlocked the true potential of modern hardware platforms. It has allowed a paradigm shift in the data center for organizations, which can now run much denser, more efficient environments than ever before.

Many different hypervisors and solutions are available, from paid enterprise datacenter hypervisors to freely available desktop and server virtualization products, all of which let you take advantage of the efficiencies and capabilities of virtualization. Microsoft's Windows 10 is arguably one of the most frequently virtualized operating systems. In this guide, we will look at the best virtual machine solutions for Windows 10 and see which platforms are available to run Microsoft's most popular OS inside a virtual machine.

What is Virtualization?

As mentioned, virtualization has been a revolutionary technology that allows organizations to use physical server hardware in ways that were not possible before. With traditional servers and workstations, you have one operating system bound to one set of physical hardware. In traditional data centers, this means you have one copy of the Windows Server operating system or Linux operating system installed on the underlying physical hardware.

The traditional way of installing an operating system directly on physical hardware is very limiting and brings many challenges. For one, your operating system, and any services, resources and critical data residing on it, are exposed to any hardware failure or other issue with the underlying physical hardware.

Virtualization abstracts this traditional 1-to-1 relationship so that many operating system “instances” can run on top of the same set of physical hardware simultaneously. The operating system instances run in what are known as virtual machines. This layer of abstraction means that multiple virtualization hosts can run as a cluster, so that an operating system instance is resilient to the failure of a particular host: if a virtualization host fails, the instance can be moved to a different host. What makes these capabilities possible?

Hypervisor

The many capabilities and abstractions provided by virtualization are made possible by a hypervisor. A hypervisor, also called a virtual machine monitor, is the software that creates and runs virtual machines. It isolates the guest operating systems from each other and from the physical resources, serving as an abstraction layer between each operating system and the underlying physical hardware.

The hypervisor aggregates physical hardware resources, such as CPU, memory, and storage, into resource pools. It allows effectively providing resources for many different virtual machines on the same set of physical hardware. Hypervisors include the following components:

  • Process scheduler
  • Memory manager
  • I/O stack for input/output operations
  • Device drivers
  • Security layer
  • Network stack

The hypervisor uses the above components, and others not listed, to provide resources to virtual machines. You may wonder how a hypervisor can provide a resource such as CPU time to many different virtual machines on the same hardware. It does so by scheduling the physical resources: think of the hypervisor as the manager of the CPU's time, scheduling the processing of requests from the various virtual machines so that all of them are handled efficiently.

Type 1 vs. Type 2 hypervisor

When choosing the best virtual machine solution for Windows 10, or for any other guest, you will be selecting either a Type 1 or a Type 2 hypervisor. What is the difference? Each has different characteristics. Let's first look at the Type 1 hypervisor.

A Type 1 hypervisor is also known as a bare-metal hypervisor, because the hypervisor software is installed directly on the physical server hardware. Since there is no other software or operating system between a Type 1 hypervisor and the hardware, it can achieve excellent performance; the hypervisor itself becomes the operating system. Because of that, it is not intended for any purpose other than running virtual machines. The Type 1 hypervisor is the primary type used to run virtual machine workloads in the enterprise data center.

Type 2 hypervisors run on top of the operating system of the physical host machine, which is why they are known as hosted hypervisors. A Type 2 hypervisor therefore has a layer of software between it and the physical hardware: the host operating system, such as Windows 10, Windows Server or Linux.

Type 2 hypervisors do not perform as well as Type 1 hypervisors, since there is a software layer between them and the physical hardware. However, a Type 2 hypervisor is simply an application installed on the host operating system, so it does not monopolize the physical host and you can use the host for other purposes besides running virtual machines.

The best virtual machine for Windows 10

As we have already covered, the hypervisor plays a crucial role in virtualization's capabilities and functionality. There are many hypervisor solutions on the market today, some paid and others free. In this guide we compare the features of the different hypervisors available, considering the best solution for Windows 10 virtual machines and for other VM workloads you may have. Let's look at the following hypervisors:

  1. VirtualBox
  2. VMware Workstation Pro and Workstation Player
  3. VMware ESXi
  4. Microsoft Hyper-V
  5. VMware Fusion Pro and Fusion Player

How do these hypervisors compare in terms of price, features, compatibility and other aspects? Wondering how to set up a Windows 10 virtual machine? Let's look at each solution and answer the question: what is the best virtual machine for Windows 10?

VirtualBox

VirtualBox is an extremely well-known x86 and AMD64/Intel64 virtualization solution, widely used from the enterprise data center to the home user and enthusiast for running Windows 10 virtual machines. It is a Type 2 hypervisor that runs on a wide range of host platforms, including:

  • Windows
  • Linux
  • macOS
  • Solaris

It also supports many guest operating systems, from legacy OSes to the latest versions of Windows, Linux, Solaris, OpenSolaris, OS/2 and OpenBSD. That makes it an excellent platform for experimenting, testing, learning and running workloads for various use cases, including Windows 10 guests. For those interested specifically in Windows virtualization, VirtualBox supports one of the widest ranges of Windows guest versions available, including legacy Windows operating systems back to Windows 3.1.

Virtualizing Windows 10 with Oracle VirtualBox

In particular, VirtualBox runs Windows 10 VMs very well and provides many settings and features for a seamless and pleasant experience with the various flavors of Windows 10. One of VirtualBox's standout “features” is that it is open source and free: you pay no license fees to run Windows 10 virtual machines. (The base package is GPL-licensed; the optional Extension Pack, which adds features such as USB 2.0/3.0 device support and disk encryption, is under a separate license that is free only for personal and evaluation use.) Some may be concerned about support and the issues that may arise with an open-source product. However, VirtualBox has a healthy following and is a community-supported product, with help from VirtualBox gurus on the forums for troubleshooting Windows 10 VMs and other environments.

VirtualBox is easy to run and requires little to no previous hypervisor experience to get a Windows 10 VM up and running. The interface is intuitive and very “point and click” oriented. While you can certainly accept the defaults, it also offers many extra “nerd knobs” you can tweak to your liking.

One feature that may especially appeal to Windows 10 users is seamless mode. With seamless mode, VirtualBox displays windows from the virtual machine side by side with the windows on your host. Once enabled, VirtualBox suppresses the display of the guest's desktop background, so the guest's windows appear next to host windows as if they were native applications on the host. This greatly improves the Windows 10 virtual machine experience.

VirtualBox provides a robust set of network management features that let you customize networking and connectivity as needed. With the VirtualBox Host Network Manager, you can create new host-only networks configured manually or automatically, and you can enable a DHCP server on a host network to hand out IP configuration to the guests on that segment.

VirtualBox Host Network Manager

Below, we enable the DHCP server on a new host-only network segment configured using the Host Network Manager in VirtualBox. You can configure the DHCP server's IP address range that is assigned to Windows 10 guests.

Configuring the Host Network Manager DHCP server

The flexibility VirtualBox offers lets you configure your Windows 10 VMs and others for various connectivity use cases, test scenarios, lab environments and so on. A host-only network is also the right choice for an isolated lab: the guest can talk to the host and to other guests on that segment, but has no path to the physical LAN or the Internet unless you add a second adapter. It is nice to see that VirtualBox provides a robust networking feature set; networking support is arguably one of the most important functional capabilities to look for in a hypervisor.

What about nested virtualization? Nested virtualization lets you run a hypervisor inside another hypervisor. Why does that matter? Suppose you want to use Hyper-V inside a Windows 10 test VM running in VirtualBox. Nested virtualization means you can install and use Hyper-V in that Windows 10 VM. VirtualBox supports this by enabling nested virtualization at the VM level.

Nested virtualization allows exposing the physical processor’s virtualization settings on your virtualization host to an underlying virtual machine. With VirtualBox, you can enable nested virtualization using either the GUI or the command-line.

Enabling nested virtualization on a Windows 10 VM running in VirtualBox

From the command-line in VirtualBox, you can enable nested virtualization using the following commands:

  • VBoxManage.exe list vms
  • VBoxManage.exe modifyvm "<your VM>" --nested-hw-virt on

Using the VirtualBox command-line to enable nested virtualization
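As an added example (not code from the original article or from Oracle), the following PowerShell script wraps the two commands above into a check-then-enable routine: it reads the VM’s current nested virtualization state, refuses to modify a VM that is not powered off (modifyvm only works on a powered-off VM), enables the setting, and re-reads it to confirm. It assumes the default VBoxManage.exe install path on Windows and that the `nested-hw-virt` and `VMState` keys appear as `name="value"` lines in the `showvminfo --machinereadable` output.

```powershell
# Added example (not from the original article): check a VirtualBox VM's
# nested-virtualization state and enable it if needed, using VBoxManage.
# Assumptions: VBoxManage.exe lives at the default VirtualBox install path
# (override with -VBoxManage), and 'showvminfo --machinereadable' emits the
# "nested-hw-virt" and "VMState" keys as name="value" lines.
param(
    [Parameter(Mandatory = $true)]
    [string]$VMName,
    [string]$VBoxManage = 'C:\Program Files\Oracle\VirtualBox\VBoxManage.exe'
)

if (-not (Test-Path $VBoxManage)) {
    throw "VBoxManage.exe not found at '$VBoxManage'"
}

# Parse the machine-readable key="value" output into a hashtable.
function Get-VBoxVMInfo {
    param([string]$Name)
    $info = @{}
    & $VBoxManage showvminfo $Name --machinereadable | ForEach-Object {
        if ($_ -match '^([^=]+)="?(.*?)"?$') {
            $info[$Matches[1]] = $Matches[2]
        }
    }
    if ($LASTEXITCODE -ne 0) { throw "showvminfo failed for '$Name'" }
    return $info
}

$vm = Get-VBoxVMInfo -Name $VMName
Write-Host ("{0}: state={1}, nested-hw-virt={2}" -f $VMName, $vm['VMState'], $vm['nested-hw-virt'])

if ($vm['nested-hw-virt'] -eq 'on') {
    Write-Host 'Nested virtualization is already enabled.'
    return
}

# modifyvm only works on a powered-off VM, so refuse to touch a running one.
if ($vm['VMState'] -ne 'poweroff') {
    throw "VM '$VMName' is in state '$($vm['VMState'])'; power it off before enabling nested virtualization."
}

& $VBoxManage modifyvm $VMName --nested-hw-virt on
if ($LASTEXITCODE -ne 0) { throw 'modifyvm failed' }

# Re-read the VM settings and confirm the change took effect.
$after = Get-VBoxVMInfo -Name $VMName
if ($after['nested-hw-virt'] -ne 'on') { throw 'nested-hw-virt is still off after modifyvm' }
Write-Host "Nested virtualization enabled on '$VMName'."
```

Run it as `.\Enable-NestedVirt.ps1 -VMName "<your VM>"`; the VM names to pass are the ones printed by `VBoxManage.exe list vms`. Reading the state back after the change, rather than trusting the exit code alone, is the habit to keep for any setting that the VM’s security posture depends on.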

Another point to mention with VirtualBox is Oracle has provided several pre-built VirtualBox VMs readily available for download. For the most part, the VMs cater to developers who want quick access to developer VMs running Oracle. These are Linux boxes that come preinstalled with developer tools to interact with Oracle and other solutions.

VMware Workstation Pro and Workstation Player

VMware Workstation has long been a standard in desktop virtualization in the enterprise and for power users. It is a Type 2 hypervisor that provides the “Cadillac” of features, giving users robust capabilities to run virtual machine Windows 10 VMs and many other types of workloads, including containers. What features does VMware Workstation provide for virtual machine Windows 10 environments and to create a virtual machine Windows 10 guest?

VMware Workstation Pro provides an excellent desktop virtualization platform

  • Ability to run VMs, containers, and Kubernetes clusters on a single workstation
  • Work with a wide range of operating systems and technologies
  • Robust set of nested virtualization features
  • Interact with and even manage VMware vSphere environments
  • Provide secure, isolated environments for development, testing, and other use cases

VMs, Containers, and Kubernetes

With VMware Workstation, you can run multiple virtual machine Windows 10 instances, OCI containers, and Kubernetes clusters on the same Windows or Linux host running VMware Workstation. You can create fully segmented and isolated networks with network condition simulation. The platform provides a “Swiss Army knife” solution that is an excellent choice for developers, solutions architects, application testing, and demonstrating product functionality.

Work with a wide range of operating systems and technologies

VMware Workstation provides the ability to work with a wide range of operating systems, including the latest versions of the Windows 10 operating system for virtual machine Windows 10 guests. You can also work with OCI containers and Kubernetes clusters using kind and Minikube.

Robust set of nested virtualization features

VMware Workstation is known for its abilities in the realm of nested virtualization. You can easily configure and provision an entire lab containing virtual machine Windows 10 workstations, Hyper-V, and nested virtual machines running virtual machine Windows 10 VMs with the Hyper-V role installed.

Interact with and manage VMware vSphere environments

One of the great features you get with VMware Workstation is interacting with and managing VMware vSphere environments. If you have an existing enterprise VMware vSphere environment, you can use your VMware Workstation GUI dashboard to add and manage vSphere. This includes configuring and powering virtual machines on and off in vSphere, as well as creating and managing locally housed Windows 10 and other VMs in VMware Workstation.

Secure, isolated environments

Many choose to use VMware Workstation running on their Windows 10 host to run a Windows 10 VM for another purpose, such as a browsing VM, development, cybersecurity forensics, network management, etc. With the snapshot and other features provided by VMware Workstation, you can quickly roll your Windows 10 VM back to a known good state at any point.

VMware Workstation provides a robust feature set that connects your virtual machines to fit your environment needs from a networking perspective. By default, VMware Workstation creates the following networks in the Virtual Network Editor: a Bridged network, a Host-only network, and a NAT network. As with VirtualBox, you can tweak the DHCP Settings.

Virtual Network Editor with VMware Workstation

After clicking the DHCP Settings button, you can configure the DHCP Settings with all the expected settings, including starting and ending address and lease time settings.

Customizing the virtual network DHCP settings in VMware Workstation

A really interesting ability that VMware Workstation provides is network condition simulation, which allows simulating network conditions including latency, packet loss, and even the bandwidth of your connection. Network condition simulation is a convenient tool to have access to for troubleshooting, development, and other purposes.

Having the ability in your Windows 10 development workstation or other VM to simulate network conditions is a great tool for developing applications or testing processes and services over very slow links or other adverse network conditions. Network condition simulation is a feature not found in VirtualBox. However, VMware Workstation is a pay-for product. You can install and use VMware Workstation for a 30-day trial period.

As mentioned earlier, nested virtualization is something that VMware Workstation does exceptionally well. Many in the community run their entire virtualization home lab on VMware Workstation running on either a workstation-class machine or a powerful laptop. It means you can set up your entire virtualization lab featuring nested hypervisors such as ESXi running child VMs with Windows client operating systems like virtual machine Windows 10 VMs.

Configuring hardware virtualization in VMware Workstation for nested virtualization

VMware Workstation Player is a free version of VMware’s desktop virtualization platform that provides the ability to have both a graphical and command-line interface for running a single VM. It is meant for use cases where a single VM is needed to create a secure, isolated sandbox on a PC. It is commonly used in education environments as a free and easy way to learn more about IT and computer systems in general.

VMware ESXi

VMware’s enterprise hypervisor is arguably the most well-known hypervisor in the enterprise environment today. VMware has a long history in the world of virtualization. They pioneered the virtualization movement back in the early 2000s and have revolutionized the virtualization industry ever since. In its current form, the ESXi hypervisor represents many years in development and touts some of the most cutting-edge features compared to any other hypervisor available on the market.

VMware ESXi is a Type 1, bare-metal hypervisor that provides a complete set of features and capabilities needed in enterprise data centers. It is both a free product from VMware and a licensed software solution purchased with support and additional licensed features we will cover below.

Specifically, VMware markets the VMware ESXi free edition as vSphere Hypervisor. You can easily download the vSphere Hypervisor by signing up for a VMware account (free) and requesting the ESXi free hypervisor. If you have a dedicated physical host that you plan on using for virtualization learning and practice, and to create virtual machine Windows 10 and other guest VMs in a dedicated fashion, this is a great option.

Downloading VMware vSphere Hypervisor 7.0

VMware touts the vSphere ESXi hypervisor as the “world’s smallest and most robust architecture.” There are a few limitations to note with VMware ESXi free. The restrictions for the free vSphere Hypervisor include the following:

  • Virtual Machine vCPUs are limited to 8 vCPUs
  • No VMware Support
  • No vSphere Storage APIs are exposed
  • No management using vCenter Server

The free version of ESXi will function essentially as a dedicated workstation or laptop that would run your virtual machine Windows 10 or other virtual machines. Keep in mind that even though this is a Type 1 bare-metal hypervisor, you will not be able to do any fancy high-availability or resource scheduling between multiple nodes. These enterprise features require a vCenter Server in the mix. However, if you are looking at the list of hypervisors to use for the best virtual machine for Windows 10, VMware ESXi is arguably the “cream of the crop” among hypervisors out there.

Now, as mentioned, there are limitations with the free version of the ESXi hypervisor. However, if you want to have all of the enterprise features and capabilities for your Windows 10 and other workloads, you can step up to the paid version of VMware ESXi. With the latest licensed version of VMware vSphere ESXi 7.0 Update 1, you can now create virtual machines with a whopping 24 TB of memory and 768 vCPUs. What other enterprise features do you get with the paid version of vSphere ESXi?

  • VMware High Availability (HA)
  • VMware Distributed Resource Scheduler (DRS)

VMware High Availability (HA)

Let’s say you have to create a virtual machine Windows 10 guest that is production critical, and you want to ensure it can withstand the failure of a hypervisor host. With the paid version of VMware ESXi and vCenter Server in the mix, you can configure a vSphere cluster. The vSphere cluster ensures that you have multiple hosts sharing a pool of resources. If a single host fails, VMware High Availability (HA) kicks in, and the virtual machine relocates to a healthy host remaining in the cluster.

Distributed Resource Scheduler (DRS)

DRS is a tremendously powerful feature found in the enterprise version of vSphere. With DRS, the resources in the vSphere cluster are automatically normalized across the available cluster resources. With DRS’s capabilities, virtual machines can be vMotioned across different hosts in the cluster depending on which host better satisfies the equation of a “happy VM” over the others.

In terms of networking capabilities, in both the free and paid version of ESXi, you get access to the vSphere Standard Switch (VSS), which provides robust networking capabilities out of the box. VSS features include VLAN trunking, the ability to create isolated switches, failover behavior, some light security features, etc. Those who have the Enterprise Plus license of vSphere or a vSAN license have access to the vSphere Distributed Switch (vDS). The vDS switch provides the most powerful and fully-featured virtual switch capabilities. With the vDS, you can automate and streamline your virtual networking configuration and centralize the management with the vCenter Server.

Viewing virtual networks configured for an ESXi host

VMware ESXi also provides the ability to run virtual machines using nested virtualization. This allows running virtual machines that are themselves hypervisors, with their own child VMs running inside the environment. Nested virtualization in ESXi is configured using the Hardware Virtualization – Expose hardware-assisted virtualization to the guest OS flag, set on a per-VM basis on VMs running on top of ESXi. As a note, this setting is also available and configurable with the free version of ESXi.

Configuring the hardware virtualization setting for nested virtualization

Any way you slice it, VMware ESXi is an excellent hypervisor with world-class features used to host millions of workloads across myriad data centers, both public and private. In its free form, it is still powerful but has limits to note. Licensing for vSphere ESXi and vCenter Server is not cheap, so ESXi free may provide all the functionality and features you need.

Microsoft Hyper-V

Microsoft has been playing catchup with VMware over the past several years in enterprise virtualization. During that time, they have been working hard to advance the Hyper-V solution to incorporate the features and functionality that enterprise customers have long asked for. With the introduction of Windows Server 2019, Microsoft Hyper-V has become a fully-featured enterprise-class hypervisor that is genuinely ready for enterprise workloads.

Like VMware vSphere, Microsoft Hyper-V comes in a free and paid version. Hyper-V Server is the free version of Microsoft Hyper-V. Hyper-V Server, a Type 1 hypervisor, is a special-purpose operating system from Microsoft that is essentially Windows Server Core with the Hyper-V Role installed by default. When you install Hyper-V Server, you can customize and configure the server through the sconfig utility, which provides a pseudo-GUI interface in text format that is menu-driven for configuration. Afterward, you can use Hyper-V Manager on a management workstation or Windows Admin Center to manage the Hyper-V host.

With Hyper-V Server, there are limitations compared to a full-blown Windows Server installation with the Hyper-V Role added. For one, there are no guest licenses included with Hyper-V Server, whereas Windows Server Standard includes 2 VM instances and Windows Server Datacenter includes unlimited VMs. Microsoft Hyper-V Server is a great platform, especially for running Linux virtual machines. There are no limits on running Windows guest VMs other than licensing; note, however, that guest licensing is a consideration with any hypervisor platform unless you are running Windows Server 2019 with the Hyper-V Role installed.

Create a virtual machine in Windows 10

There is yet another Hyper-V hypervisor to consider when you want to run Windows 10 or other virtual machines. It is the Hyper-V Windows feature for Windows 10, used to create a virtual machine Windows 10 guest on your desktop.

Hyper-V Windows feature for Windows 10

When you install the Hyper-V Windows feature, this installs the Hyper-V feature in Windows and instantiates the Hyper-V hypervisor before the Windows 10 operating system. This process is how the Hyper-V Role is still considered a Type 1 hypervisor despite the appearance that it is running on top of the host operating system.

Microsoft makes a few things easier with Hyper-V on Windows 10, such as creating a default virtual switch for network connectivity, which is not the case with Windows Server Hyper-V. With Windows 10 Hyper-V, you get the “Quick Create” wizard that easily creates virtual machines. Think of Windows 10 Hyper-V as functionally the same as VMware Workstation and VirtualBox.

With the quick installation of the Hyper-V role in Windows 10, you can create a virtual machine in Windows 10 easily. It is worth noting that to create a virtual machine in Windows 10 by installing the Hyper-V role, you must be running Windows 10 Pro, Enterprise, or Education edition.
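As an added example (not code from the original article or from Microsoft), the following PowerShell script checks the edition requirement just described, enables the Hyper-V feature if it is not already on, and, after the reboot, reports whether the hypervisor is present beneath Windows and lists the virtual switches, including the Default Switch that Windows 10 Hyper-V creates for you. The edition check assumes the OS caption contains “Pro”, “Enterprise” or “Education”; the feature names and CIM properties used are standard Windows ones.

```powershell
# Added example (not from the original article): check whether this Windows 10
# machine can host Hyper-V, enable the feature, and verify the hypervisor and
# the Default Switch afterwards. Run from an elevated PowerShell prompt.
# Assumption: the edition check relies on the OS caption containing
# "Pro", "Enterprise" or "Education" (e.g. "Microsoft Windows 10 Pro").

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$edition = $os.Caption
if ($edition -notmatch 'Pro|Enterprise|Education') {
    throw "Hyper-V requires Windows 10 Pro, Enterprise or Education; found '$edition'."
}

$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
if ($feature.State -ne 'Enabled') {
    # Hyper-V needs hardware virtualization (VT-x/AMD-V) turned on in firmware.
    # Check this only before enabling: once the hypervisor is running it masks
    # the flag and Win32_Processor reports it as False.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    if (-not $cpu.VirtualizationFirmwareEnabled) {
        Write-Warning 'Virtualization is not enabled in firmware (VT-x/AMD-V); enable it before continuing.'
    }

    # -NoRestart lets you schedule the required reboot yourself.
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart
    Write-Host 'Hyper-V feature enabled; reboot to start the hypervisor.'
    return
}

# After the reboot the hypervisor loads before Windows itself; this reports
# whether the running Windows instance sits on top of a hypervisor.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
Write-Host ("Hypervisor present: {0}" -f $cs.HypervisorPresent)

# Windows 10 Hyper-V creates a "Default Switch" automatically; list all switches
# so you can see it alongside any External/Internal/Private switches you added.
Get-VMSwitch | Select-Object Name, SwitchType | Format-Table -AutoSize
```

Running the script twice (once before and once after the reboot) shows the two halves: the first run enables the feature and stops, the second confirms `HypervisorPresent` is `True` and shows the Default Switch, which is the point at which Quick Create VMs get network connectivity without any further switch configuration.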

VMware Fusion Pro and Fusion Player

The VMware Fusion Pro and Fusion Player products from VMware are the macOS equivalent of the VMware Workstation Pro and Workstation Player products for Windows and Linux and share the same basic features as mentioned above. They include support for running VMs, containers, and Kubernetes clusters, and for interacting with VMware vSphere. With VMware Fusion Pro and Fusion Player, you can run Windows 10 on top of macOS and even run additional copies of macOS in your Mac environment. Here is more information about VMware Fusion Pro and Fusion Player.

To properly protect your Hyper-V virtual machines, use Altaro VM Backup to securely backup and replicate your virtual machines. We work hard perpetually to give our customers confidence in their Hyper-V backup strategy.


To keep up to date with the latest Hyper-V best practices, become a member of the Altaro DOJO | Hyper-V now (it’s free).

Concluding Thoughts

Choosing the best virtual machine for virtual machine Windows 10 environments depends on your needs and use case. It also relies on which operating system you want to use for the host. If you are looking to use virtualized Windows 10 instances from time to time but do not need VMs constantly running, the Type 2 hypervisors mentioned, such as VirtualBox, VMware Workstation, and VMware Fusion, may be excellent choices. Windows 10 Hyper-V, which is a Type 1 hypervisor, can also function in this way. However, if you are looking to run virtual machine Windows 10 VMs continuously, you will want to consider VMware vSphere ESXi or Microsoft Hyper-V for this purpose.

The post The Best Virtual Machine for Windows 10 appeared first on Altaro DOJO | Hyper-V.
