Designlet: Using Azure ExpressRoute with Azure VMware Solution for On-premises Connectivity

Introduction

When an Azure VMware Solution private cloud is deployed, it initially has no external connectivity. Additional native Azure services are required to establish a connection to an on-premises environment. Azure ExpressRoute provides private and secure connectivity from an on-premises environment into Azure VMware Solution through a high bandwidth, low latency connection. The use of Azure ExpressRoute Global Reach is recommended to establish full interconnectivity (bi-directionally) between an Azure VMware Solution private cloud and an on-premises environment.

Diagram</p> <p>Description automatically generated

Summary and Considerations

Use Case

Azure ExpressRoute is an Azure service that provides a secure private connection (does not go over the public internet) and dedicated speeds with high bandwidth and low latency connecting between Azure VMware Solution and a customer's data center. This connectivity provides access to Azure native services across all regions in a particular geography. An Azure ExpressRoute premium add-on is required to access Azure native services globally. Each ExpressRoute has built-in layer 3 redundancy and uses Border Gateway Protocol (BGP) to exchange routes between your Azure VMware Solution and a customer's on-premises data center. An Azure ExpressRoute circuit is comprised of two connections to two Microsoft Enterprise edge routers (MSEEs) from the peering provider location to the customer's edge network, each one going to a MSEE providing a highly available and resilient connection to Azure VMware Solution.

Note: Azure ExpressRoute Global Reach establishes a connection between ExpressRoute circuits between Azure VMware Solution to a customer’s on-premises environment.

Pre-requisites
  • A valid and active Azure account is required for Microsoft Azure ExpressRoute. To deploy Azure VMware Solution a subscription under an Azure Enterprise Agreement (EA) or a Cloud Solution Provider (CSP) is required
  • Connectivity can be established from one of the following methods:
  • An any-to-any (IP VPN) network,
  • A point-to-point Ethernet network
  • Cross-Connection through a connectivity provider
  • Redundant BGP sessions must be set up between Microsoft’s MSEE routers and the peering routers on each ExpressRoute circuit
  • If Network Address Translation (NAT) is in use in a customer’s on-premises environment, it will require implementing a Source Network Address Translation (SNAT) by the customer or provider. Azure ExpressRoute only accepts a public IP address via peering. For more information see using NAT

General Considerations/Recommendations
  • It is recommended to configure two Azure ExpressRoute circuits for redundancy in different peering location
  • A Virtual Network Gateway or Azure Virtual WAN Hub must be created to connect your Azure VMware Solution network and an on-premises network using Azure ExpressRoute
  • Virtual Network Gateway are non-transitive. Transitive networking can be done using Network Virtual Appliance to control DMZ traffic or gateways in an Azure virtual hub

Additional information and best practices are available in the Azure VMware Solution FAQ Networking and Interconnectivity

Performance Considerations
  • Azure ExpressRoute guarantees a minimum availability of 99.95%
  • An ExpressRoute circuit provides a range of supported bandwidths, from 50 Mbps – 10Gbps

More information can be found at these links:

SLA for Azure ExpressRoute

Bandwidth Options

Note: for migrations using VMware HCX, see the following minimum underlay requirements

Cost Implications

Azure ExpressRoute provides the following flexible billing models:

ExpressRoute – Metered Data

All ingress (inbound) data transfers are free of charge. Egress (outbound) data transfers are charged based on a pre-determined rate. Incudes a fixed monthly port fee charge.

ExpressRoute – Unlimited Data

All ingress (inbound) and egress (outbound) data transfers are free of charge. Incudes a fixed monthly port fee charge.

Global Reach Add-On

Creates a private network between an on-premises environment and Azure VMware Solution by linking Azure ExpressRoute circuits

Additional information and pricing including Azure ExpressRoute Premium add-on available at the Azure ExpressRoute pricing site

Note: ExpressRoute circuit is billed from the moment a service key is issued

Document Reference

Azure VMware Solution Documentation

Azure VMware Solution FAQ

Networking planning checklist for Azure VMware Solution

Azure VMware Solution Networking and Interconnectivity Concepts

ExpressRoute Prerequisites & Checklist

ExpressRoute Documentation

Last Updated

August 2021

 

Planning and Implementation

Implementation

An Azure ExpressRoute can be created from the Azure portal or using alternative methods such as Azure PowerShell, CLI, or ARM template. Follow the steps below are when using the Azure portal.

Azure ExpressRoute

The following steps assume a service provider has been selected, Azure VMware Solution private cloud and a Virtual Network Gateway are deployed

  • In the Azure Portal, select Create a resource > Networking > ExpressRoute. If not available on screen, use the search services and marketplace option.
  • Note: Alternatively use the search option at the top of the Azure portal and search for “ExpressRoute circuits”
  • From the Create ExpressRoute page, Provide the necessary information, and click Next: Configuration
  • Resource Group
  • Region
  • ExpressRoute Circuit name
  • Fill out the ExpressRoute configuration tab and click Review + Create
  • Port Type [Provider or Direct]
  • Create new or import from classic circuit
  • Provider Information [Service provider granting the connection service]
  • Peering location [physical peering location]
  • Bandwidth
  • SKU [ ExpressRoute type of Standard or Premium add-on]
  • Billing Model [metered or unlimited]
  • Review the ExpressRoute information, and click Create
  • The ExpressRoute circuit is now created, select go to resource group which will take you to the Overview page. On this page copy the service key that will be used to when configuring the connection on the service provider side.
  • Once connectivity is configured from the service provider, check the ExpressRoute overview page, provider status property should now be “provisioned” [this may take some time to complete, check periodically for status change]

In the following steps, create an authorization key and retrieve the ExpressRoute ID for the Azure VMware Solution private cloud internal ExpressRoute.  These items will be used to connect the ExpressRoute to the virtual network gateway in Azure.

  • Go to the Azure VMware Solution private cloud
  • Click on Connectivity and select the ExpressRoute tab
  • Click on the + Request an authorization key and enter a Name
  • Click the copy icon next to the authorization key which was just created. This authorization key will be used to connect internal Azure VMware Solution ExpressRoute to the virtual network gateway
  • The ExpressRoute ID will also be needed for the Peer circuit URI field in the next section

Go to the virtual network gateway blade, connect the internal Azure VMware Solution ExpressRoute to the virtual network gateway.  This establishes connectivity from the Azure VMware Solution private cloud to the Azure Virtual Network.

  • Click on Connections in the Virtual network gateway blade and click +Add
  • Enter a connection name and select “ExpressRoute” from Connection type drop down
  • Click on the Redeem authorization tick-box and paste the authorization key from the previous section
  • For the Peer circuit URI field, use the ExpressRoute ID under the Azure VMware solution private cloud > connectivity > ExpressRoute tab [from the previous section] and Click OK.

Notice the virtual network gateway successfully is created, the connection type is ExpressRoute, and the peer listed is the Azure VMware Solution internal ExpressRoute.  Connectivity between Azure and Azure VMware solution is now in place. Even though connectivity to Azure from on-premises via an ExpressRoute is in place there is not a path to the Azure VMware Solution service within Azure. ExpressRoute Global Reach will establish this connectivity.

Note: To test internal connectivity to Azure VMware Solution a jump server or bastion host can be deployed within Azure to connect to vCenter Server or NSX-T manager.

Azure ExpressRoute Global Reach

Azure ExpressRoute Global Reach establishes a connection between ExpressRoute circuits between Azure VMware Solution to a customer’s on-premises environment.

The next steps are required to generate an authorization to be used by Azure ExpressRoute Global Reach to connect the Azure VMware Solution ExpressRoute to the on-premises ExpressRoute.

  • Go to the created ExpressRoute circuit page and select “Authorizations”
  • Click into the Enter Name field under the Name column and provide the name for the Global Reach Authorization that will be created, press Enter > click Save at the top
  • Copy both the Global Reach authorization key and return to the connectivity page in the Azure VMware Solution private cloud and select on ExpressRoute Global Reach tab.
  • Click the + Add and select the ExpressRoute circuit from the dropdown
  • Provide the Global Reach authorization key from the ExpressRoute authorization page, and click Create

Notice there is a circuit now in the On-prem cloud connections list with a connected state. This indicates that there is an ExpressRoute Global Reach connection established successfully between the Azure VMware Solution ExpressRoute and the customer data center ExpressRoute.

Additional Resources

Additional Resources

Authors and Contributors

  • Emad Younis, Director, Multi-Cloud Center of Excellence, VMware

 

 

 

Filter Tags

Integrations Azure Services Networking Azure VMware Solution Document Designlet Technical Guide Intermediate Design Deploy