Deployment Solutions Azure Virtual Edge Guide - …...Step 1.4 Create Route Tables, Associate...

Azure Virtual EdgeDeployment SolutionsGuide

VMware SD-WAN by VeloCloud 3.3

You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

If you have comments about this documentation, submit your feedback to

[email protected]

VMware, Inc.3401 Hillview Ave.Palo Alto, CA 94304www.vmware.com

Copyright © 2019 VMware, Inc. All rights reserved. Copyright and trademark information.

Azure Virtual Edge Deployment Solutions Guide

VMware, Inc. 2

https://docs.vmware.com/

mailto:[email protected]

http://pubs.vmware.com/copyright-trademark.html

Contents

1 Azure Virtual Edge Deployment Solutions Guide 4Overview of Virtual Edge on Azure 4

Deploy a Virtual Edge 5

Topology for Virtual Edge on Azure VNets (Single) 5

Deployment High-level Workflow 5

Step 1: Create Azure VNets 6

Step 2: Add the Virtual Edge (vVCE) to the VCO 14

Step 3: Deploy the Virtual Edge (vVCE) 17

Step 4: Verify that vVCE is Running In the VCO 19

VMware, Inc. 3

Azure Virtual Edge DeploymentSolutions Guide 1This document provides instructions for Azure Virtual Edge deployment.

This chapter includes the following topics:

n Overview of Virtual Edge on Azure

n Deploy a Virtual Edge

Overview of Virtual Edge on AzureThis document describes how to deploy a Virtual Edge on Azure.

More customers are moving their workload to the Public Cloud infrastructure and are expecting to extendSD-WAN from remote sites to the public cloud to guarantee SLA. VeloCloud offers multiple options thatleverage distributed VCGs to establish IPSec towards public cloud private network or to deploy the VirtualEdge directly in Azure.

n For a small branch deployment that demands throughput less than 1G, a single Virtual Edge can bedeployed in the private network (Azure VNets).

n For larger data center deployments that demand a multi-gig throughput, hub clustering can bedeployed.

VeloCloud Hub Clustering DesignIn the VeloCloud hub clustering design, we leverage the Layer 3 switch on the LAN side and run a routingprotocol between hubs in the cluster and the Layer 3 switch for route distribution in LAN. Because theAzure router doesn’t support dynamic routing protocol, a third party virtual router is required in the Azureinfrastructure. In this solution, we verified with a redundant Cisco Service Router (CSR) 1000v, but othervirtual routers that support HA and BGP are expected to work as well.

PrerequisitesBefore you can deploy the Virtual Edge in the Azure environment, you need the following items:

n Azure account and login information

n VCO host name and admin account to login

VMware, Inc. 4

Deploy a Virtual EdgeThis section describes how to deploy a Virtual Edge on Azure VNets.

Topology for Virtual Edge on Azure VNets (Single)The following figure show the Virtual Edge on Azure VNets Topology (Single).

Deployment High-level WorkflowDeploying Virtual Edge in Azure involves the following high-level workflow:

1 In the Azure Console, create Azure VNets (Resource & Security Groups, Subnets & Routing Tables).

2 In VeloCloud, create and configure vVCE in the VCO.

3 In the Azure Console, launch VeloCloud Instance from the Marketplace.

4 In the Azure CLI, create eth1(GE2) and eth2(GE3) interfaces and attach to the vVCE.

5 In the Azure CLI, assign Public IP to eth1.

6 Activate vVCE.

a CLOUD-INIT

b Jump Host

7 Verify that vVCE activates in VCO.


VMware, Inc. 5

Step 1: Create Azure VNetsThis section describes how to create Azure VNets.

Step 1.1 Create Resource GroupResource Group: VELO_vVCE_RG


VMware, Inc. 6

Step 1.2 Create Network Security GroupsCreate a Security Group to allow Inbound connectivity to vVCE.

n VCMP: UDP port 2426

n Other ports as needed, examples below:

n SSH: TCP port 22

n SNMP UDP port 161

n ICMP Request/Reply

Network Security Group: VELO_vVCE_SG


VMware, Inc. 7

Step 1.3 Create Virtual Networks/Subnetsn VELO_vVCE_SN_Public_WAN - 172.16.1.0/24

n VELO_vVCE_SN_Public_JH - 172.16.2.0/24

n VELO_vVCE_SN_Private_LAN - 172.16.132.0/24


VMware, Inc. 8

Step 1.4 Create Route Tables, Associate Subnets and add RoutesIn this example, two route tables are used:

1 one for VCE WAN

2 one for VCE LAN

The packet flow needs to traverse the Virtual Edge to reach the LAN-side services via the WAN-sideinterface and vice versa. Depending on deployment needs and/or already existing infrastructure, this stepmay vary. A Default Route (0.0.0.0/0) must be associated to the Public Routing Table pointing to theInternet Gateway to ensure WAN connectivity for Virtual Edge activation. Second, a Private Routing Tablewill utilize a Default Route point to the LAN Interface (GE3) on the VCE.

Routing Table Setting

Public Routing Table VELO_vVCE_RT

Private Routing Table VELO_vVCE_RT_PRIVATE


VMware, Inc. 9

Step 1.5 Launch vVCE from the MarketplaceSearch for VeloCloud in the Azure Marketplace, and then launch vVCE from the Azure Markeplace.


VMware, Inc. 10


VMware, Inc. 11

Note There is no need to assign a Public IP to the initial interface (eth0). Activation will be performedover (eth1).


VMware, Inc. 12

Step 1.6 Create Additional Interfaces for Virtual EdgeCreate additional interfaces for the Virtual Edge.

# Create Public IP to be attached to eth1/GE2

az network public-ip create --name vvce-mp-ge2-wan-ip --resource-group VELO_vVCE_RG

# Create interfaces for WAN [GE2(eth1)] and LAN [GE3(eth2)]

# Enable IP Forwarding on the interfaces (--ip-forwarding)

az network nic create --resource-group VELO_vVCE_RG --name vvce-mp-ge2 --location "West US" --subnet

VELO_vVCE_SN_Public_WAN --private-ip-address 172.16.1.41 --ip-forwarding --vnet-name VELO_vVCE_AZURE

--public-ip-address vvce-mp-ge2-wan-ip

az network nic create --resource-group VELO_vVCE_RG --name vvce-mp-ge3 --location "West US" --subnet

VELO_vVCE_SN_Private_LAN --private-ip-address 172.16.132.41 --ip-forwarding --vnet-name

VELO_vVCE_AZURE


VMware, Inc. 13

# Add NICs to vVCE (NOTE: vVCE VM must be stopped to complete this step)

az vm nic add --nics vvce-mp-ge2 vvce-mp-ge3 --resource-group VELO_vVCE_RG --vm-name vVCE-MP-01

Step 2: Add the Virtual Edge (vVCE) to the VCOComplete the following steps to add the Virtual Edge (vVCE) to the VCO.

Steps for 3.x Virtual Edges (Segmentation)For 3.x Virtual Edges (Segmentation), complete the following steps:

1 Enable segmentation for the Customer.

2 Create a Segmentation Profile.

3 Add the Management IP.


VMware, Inc. 14

4 Configure Virtual Edge Interfaces.

5 Change the interface settings of the newly created Virtual Edge profile as follows:

a Change the GE2 interface capability from Switched to Routed and enable DHCP Addressingand WAN Overlay.

b In the GE3 interface, disable WAN Overlay because this interface will be used LAN-side. Also,disable NAT Direct Traffic.

Note If you are using a Jump Host, make sure you enable the Support Access for the JumpHost server’s IP to allow SSH access to the Edge from the jump server in the Firewall page.


VMware, Inc. 15

Steps for 2.x Virtual Edges (Non-Segmentation)For 2.x Virtual Edges (Non-Segmentation), complete the following steps:

1 Select Edges.

2 Configure Virtual Edge Interfaces.

3 Change the interface settings of the newly created Virtual Edge profile as follows:

a Change the GE2 interface capability from Switched to Routed and enable DHCP Addressingand WAN Overlay.

b In the GE3 interface, disable WAN Overlay because this interface will be used LAN-side. Also,disable NAT Direct Traffic.


VMware, Inc. 16

Note If using a Jump Host, make sure you enable the Support Access for the Jump Hostserver’s IP to allow SSH access to the Edge from the Jump Server in the Firewall page.

Step 3: Deploy the Virtual Edge (vVCE)This section describes the steps to deploy the Virtual Edge (vVCE).

Step 3.1: Virtual Edge on Azure Interfaces Explained

Interface Description

GE1 (eth0) For Management Only, cannot be used activate vVCE (L2 Switched Port).

GE2 (eth1) Routed Interface for WAN connectivity, Overlay and Activation.

GE3 (eth2) Routed Interface for LAN connectivity to reach backend services.

Step 3.2: Jump Host ActivationComplete the following steps for Jump Host activation.

Step 3.2.1 Jump Host Interfaces

Interface Description

eth0 Used for SSH / WAN connectivity and Public IP

eth1 Local interface on the same subnet as the vVCE Management Interface (GE1)

Step 3.2.2 From Jump Host SSH to Virtual Edge (vVCE)Run the following command:

ssh -i private.key root@<eth0_ip_address>


VMware, Inc. 17

Step 3.2.3 Verify Internet accessibility.Run the following command:

velocloud root:~# ping 8.8.8.8

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

64 bytes from 8.8.8.8: icmp_req=1 ttl=60 time=2.91 ms

64 bytes from 8.8.8.8: icmp_req=2 ttl=60 time=2.29 ms

64 bytes from 8.8.8.8: icmp_req=3 ttl=60 time=2.56 m

Step 3.2.4 Activate Edge from ShellRun the following command.

VCE:~# /opt/vc/bin/activate.py -s <VCO> -i <Activation String>


VMware, Inc. 18

Step 3.3: CLOUD-INIT Activation (Future Release)The following is a sample CLOUD-INIT file. Replace "vco" and activation_code according to your VCOset up.

#cloud-config

velocloud:

vce:

vco: demo.velocloud.net

activation_code: 2Y2S-WSK2-TMKT-2SV6

vco_ignore_cert_errors: false

CLOUD-INIT CLI Example with Staged Image:

az vm create --admin-username "vcadmin" --admin-password "Velocloud123" --resource-group VELO_vVCE_RG

--name VELO_vVCE_31 --size Standard_DS3_v2 --image VELO_vVCE_31_IMG --nics velo-vvce31-ge1 velo-

vvce31-ge2 velo-vvce31-ge3 --custom-data cloud-init.txt

Step 4: Verify that vVCE is Running In the VCOVerify that the vVCE is up and running in the VCO.


VMware, Inc. 19


VMware, Inc. 20

Deployment Solutions Azure Virtual Edge Guide - …...Step 1.4 Create Route Tables, Associate...

Documents

Transcript of Deployment Solutions Azure Virtual Edge Guide - …...Step 1.4 Create Route Tables, Associate...