Microsoft AZ-700: Create a Network Virtual Appliance (NVA) in a Virtual Hub

Notes from MS Learn AZ-700 Module 2: Design and Implement Hybrid Networking – Unit 8: Create a Network Virtual Appliance (NVA) in a Virtual Hub

A benefit of Azure Virtual WAN is support for reliable connections from many different technologies, for example:

  • ExpressRoute
  • VPN Gateway
  • Barracuda CloudGen WAN
  • Cisco Cloud OnRamp for multicloud
  • VMware SD-WAN

These are known as Network Virtual Appliances (NVAs) and are deployed directly into a Virtual WAN Hub with an externally facing public IP. This enables customers to connect branch Customer Premises Equipment (CPE) to the same brand of NVA in the hub and so take advantage of SD-WAN capabilities. Once VNets are connected to the hub, the NVA allows transitive connectivity throughout the Virtual WAN.

  • Manage an NVA in a Virtual Hub
    • NVA available in Azure Marketplace can be directly deployed into virtual hub only
    • Each is a Managed Application allowing Azure Virtual WAN to manage its configuration
    • Cannot be deployed within arbitrary VNets
    • Process for deployment
      • Choose NVA Offer
      • Azure Marketplace Managed App
        • Choose Deployment Settings
        • Choose Agg Capacity
      • NVA VM deployed in Virtual Hub
      • Subscription Resources
        • Managed Resource Group – Net Virtual Appliance ARM resource
        • Customer Resource Group – App Resource
  • Deploy an NVA in your Virtual Hub
    • To deploy an NVA in your virtual hub, access Azure Marketplace through the portal and select the Managed Application for the desired NVA partner
    • Two Resource Groups are created in subscription when NVA created in Virtual WAN Hub
      • Customer Resource Group
        • Contains app placeholder for Managed Application. Partners can use RG to expose customer chosen properties
      • Managed Resource Group
        • Customers cannot configure/modify resources in this RG directly
    • NVA configured automatically during deployment. Once provisioned cannot access directly
    • Unlike Azure VPN Gateway, no need to create the following for branch site to NVA connectivity (in Virtual WAN Hub)
      • Site resources
      • Site-to-Site connection resources
      • Point-to-Site connection resources
    • Hub-to-VNet connections still required for Virtual WAN Hub to VNet connectivity
  • Create Network Virtual Appliance in Hub
    • Example based on Barracuda CloudGen WAN Gateway (other vendor products will vary)
      • Locate Virtual WAN Hub created in Azure Portal
      • Find NVA tile and click Create Link
      • Open NVA and choose Barracuda CloudGen WAN
      • Click Create
      • Read terms and click Create
      • On Basics Page
        • Choose Subscription from dropdown
        • Choose Resource group from dropdown (one used to deploy Virtual WAN and Hub)
        • Choose Region from dropdown (same as hub)
        • Provide App Name
        • Enter Managed Resource Group
      • Select the Next: CloudGen WAN gateway > button
        • Select Virtual WAN Hub from dropdown
        • Select NVA Infrastructure Units from dropdown
        • Provide Token (required by Barracuda for auth/identification as valid registered user)
  • NVA Infrastructure Units
    • When NVA created in Virtual WAN Hub this must be chosen
    • Is an aggregate bandwidth capacity for the NVA in the Virtual WAN Hub
    • Similar to VPN Scale Unit when thinking about capacity and sizing
      • One NVA Infra Unit represents 500 Mbps of agg bandwidth for all connecting sites
      • Azure supports 1-80 NVA Infra Units for a given NVA virtual hub deployment
      • Partners may offer different NVA Infra Unit bundles as a subset of all supported NVA Infra Unit configs
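
A sizing check for the infrastructure-unit figures above, as an added example that is not part of the original notes or of Microsoft's tooling: it picks the smallest partner bundle that covers the aggregate bandwidth of all connecting sites. The site bandwidths, the bundle list and the `headroom` parameter are assumptions for illustration.

```python
import math

MBPS_PER_UNIT = 500           # from the notes: 1 NVA Infra Unit = 500 Mbps aggregate
MIN_UNITS, MAX_UNITS = 1, 80  # from the notes: 1-80 units per NVA hub deployment


def size_nva(site_mbps, partner_bundles, headroom=0.0):
    """Return (units, capacity_mbps) for the smallest partner bundle that
    carries the aggregate bandwidth of all connecting sites.

    site_mbps       -- expected peak Mbps per branch site (constructed input)
    partner_bundles -- unit counts the partner's offer exposes (hypothetical)
    headroom        -- fractional growth margin, e.g. 0.2 for 20 percent
    """
    if not site_mbps or any(m <= 0 for m in site_mbps):
        raise ValueError("every site needs a positive bandwidth figure")
    # Partners offer a subset of the Azure range; ignore anything outside it.
    valid = sorted(b for b in set(partner_bundles) if MIN_UNITS <= b <= MAX_UNITS)
    if not valid:
        raise ValueError("no partner bundle inside the 1-80 unit range")
    # Capacity is aggregate across sites, so size on the sum, not the largest site.
    demand = sum(site_mbps) * (1 + headroom)
    needed = max(MIN_UNITS, math.ceil(demand / MBPS_PER_UNIT))
    for units in valid:
        if units >= needed:
            return units, units * MBPS_PER_UNIT
    raise ValueError(
        f"demand of {demand:.0f} Mbps needs {needed} units; "
        f"largest bundle offered is {valid[-1]}"
    )


if __name__ == "__main__":
    sites = [200, 350, 100, 900]      # constructed branch bandwidths in Mbps
    bundles = [2, 4, 10, 20, 40, 80]  # hypothetical partner bundle list
    print(size_nva(sites, bundles, headroom=0.2))
```
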
Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-create-a-network-virtual-appliance-nva-in-a-virtual-hub/
