SD-WAN Azure Virtual Edge Deployment Guide 2020 VMware SD-WAN by VeloCloud 3.4



You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

If you have comments about this documentation, submit your feedback to

[email protected]

VMware, Inc., 3401 Hillview Ave., Palo Alto, CA 94304, www.vmware.com

Copyright © 2020 VMware, Inc. All rights reserved. Copyright and trademark information.


Contents

1 VMware SD-WAN™ by VeloCloud® Azure Virtual Edge Deployment Guide

Azure Virtual Edge Deployment Overview

Azure Instance Types

Azure Resource Manager Template Overview

Deploying Virtual Edge with ARM Template


1 VMware SD-WAN™ by VeloCloud® Azure Virtual Edge Deployment Guide

This document provides step-by-step instructions for deploying a VMware SD-WAN™ by VeloCloud® Virtual Edge in Azure.

This chapter includes the following topics:

• Azure Virtual Edge Deployment Overview
• Azure Instance Types
• Azure Resource Manager Template Overview
• Deploying Virtual Edge with ARM Template

Azure Virtual Edge Deployment Overview

The Azure Virtual Edge Deployment Guide focuses on how to deploy a Virtual Edge in Azure using an Azure Resource Manager (ARM) Template.

More customers are moving workloads to public cloud infrastructure and expect to extend SD-WAN from remote sites to the public cloud to guarantee SLAs. VeloCloud offers multiple options: leveraging distributed VCGs to establish IPsec toward the public cloud private network, or deploying a Virtual Edge directly in Azure.

For small branch deployments that demand throughput of less than 1G, a single Virtual Edge can be deployed in the private network (Azure vNets). For larger data center deployments that demand multi-gig throughput, hub clustering can be deployed.

Note: In the VeloCloud hub clustering design, we leverage a Layer 3 Instance on the LAN side to run BGP between the hubs in the cluster and the Layer 3 Instance for route distribution in the LAN. Since Azure UDRs do not support dynamic routing protocols, a third-party virtual router is required in the Azure infrastructure.

Prerequisites

The following prerequisites are required before you begin:

• An Azure account and login information.
• Familiarity with Azure Virtual Network concepts. (For more information, go to: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview)
• RSA Public Key (For more information, go to: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/mac-create-ssh-keys)
• VeloCloud ARM Template (download the template here: https://code.vmware.com/samples?id=6437)
• SD-WAN Orchestrator target and admin account to log in.

Azure Instance Types

This section describes the Azure Instance Types.

The bandwidth throughput and the number of network interfaces must be considered when sizing the VMware SD-WAN™ by VeloCloud® Virtual Edge. The minimum number of network interfaces required is three (GE1, GE2, GE3).

Throughput   30 Mbps   50 Mbps   100 Mbps   200 Mbps   400 Mbps   1 Gbps
vCPU         2         2         2          2          4          4
Memory       4 GB      4 GB      4 GB       8 GB       8 GB       8 GB

Table 1-1. General Purpose

Instance Type      vCPUs   Memory (GB)   Max NICs
Standard_DS3_v2    4       14            4
Standard_DS4_v2    8       28            8

Azure Resource Manager Template Overview

This section provides an important overview of the Azure Resource Manager (ARM) template and a link where you can download the template.

CAUTION: Make sure to review and understand the template before deploying. This is intended as a reference and may need to be altered to accommodate specific environments.

Download the ARM template here: VMware SD-WAN By VeloCloud Azure Resource Manager Template

The default template is built to achieve a common deployment within Azure, representative of the basic topology illustrated in the next section. The ARM template creates the necessary resources and collects the VCO target and activation key to push via CLOUD-INIT. The default values represented in the template are listed below.

• Instance Type: Standard_DS3_v2
• Attach Interfaces to VeloCloud Instance (GE1 – eth0 / GE2 – eth1 / GE3 – eth2)
• Allocate Public IP and attach to GE2
• Security Groups – Allowed Ports:
    • UDP 2426 – VeloCloud Multipath Protocol
    • TCP 22 – SSH Access (for Support Access)
    • UDP 161 – SNMP
• Public Route Table (UDR): 0.0.0.0/0 to Internet Gateway
• Private Route Table (UDR): 0.0.0.0/0 to Virtual Appliance (VeloCloud Edge GE3)
• Enable IP Forwarding on all interfaces

The template is built to accommodate either a “NEW” Virtual Network or an “EXISTING” Virtual Network. If using “EXISTING”, the vNET, subnets, and route tables are not created. Ensure the vNET name, subnet name, and IP scheme accurately reflect the existing environment.

While this template will activate a Virtual Edge, the simplicity of the topology will not accommodate all environments. It is up to the individual user to edit it for their environment accordingly. For a better understanding of ARM Template structure and syntax, see: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authoring-templates
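A check a reviewer might run on the template before deploying it, as an added example that is not part of VMware's guide or template: it flags inbound Allow rules that expose the SSH or SNMP ports listed above to any source address. The sample NSG, its rule names and its source prefixes are constructed, and unresolved template expressions such as [parameters(...)] are not evaluated.

```python
# Constructed sample NSG in ARM-template form (names and sources are made up;
# the ports are the three this guide lists). For a real file use json.load().
def _rule(name, proto, src, port):
    return {"name": name, "properties": {"protocol": proto, "direction": "Inbound",
            "access": "Allow", "sourceAddressPrefix": src, "destinationPortRange": port}}

SAMPLE_TEMPLATE = {"resources": [{
    "type": "Microsoft.Network/networkSecurityGroups", "name": "example-vce-nsg",
    "properties": {"securityRules": [
        _rule("VCMP", "Udp", "*", "2426"),
        _rule("SSH", "Tcp", "*", "22"),
        _rule("SNMP", "Udp", "203.0.113.0/24", "161"),
    ]}}]}

ANY_SOURCE = {"*", "0.0.0.0/0", "internet"}
MGMT_PORTS = {("tcp", 22): "SSH", ("udp", 161): "SNMP"}

def port_in_range(port, spec):
    """True if port falls in an ARM port spec: '*', '22' or '1000-2000'."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    try:
        return int(lo) <= port <= int(hi or lo)
    except ValueError:  # empty value or unresolved template expression
        return False

def open_management_rules(template):
    """Return (nsg, rule, service) for inbound Allow rules exposing SSH/SNMP to any source."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Network/networkSecurityGroups":
            continue
        for rule in res.get("properties", {}).get("securityRules", []):
            p = rule.get("properties", {})
            sources = p.get("sourceAddressPrefixes") or [p.get("sourceAddressPrefix") or ""]
            specs = p.get("destinationPortRanges") or [p.get("destinationPortRange") or ""]
            if (p.get("direction"), p.get("access")) != ("Inbound", "Allow"):
                continue
            if not any(s.lower() in ANY_SOURCE for s in sources):
                continue
            for (proto, port), service in MGMT_PORTS.items():
                if p.get("protocol", "").lower() in (proto, "*") and any(
                        port_in_range(port, s) for s in specs):
                    findings.append((res["name"], rule["name"], service))
    return findings
```

The UDP 2426 rule is not reported, since the multipath protocol port is expected to be reachable; only the management ports are checked.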

Deploying Virtual Edge with ARM Template

This section describes how to deploy a Virtual Edge with an Azure Resource Manager (ARM) template.

Basic Topology

In this example, the Azure Virtual Network (vNET 172.16.0.0/16) is divided into a Public subnet (172.16.0.x/24) and a Private subnet (172.16.1.x/24). The Virtual Edge routes between the two subnets. The Public User-Defined Routes (UDR) will forward all offnet traffic to the Internet Gateway. The UDR in the Private subnet will forward all traffic to the LAN-facing interface on the Virtual Edge (type Virtual Appliance). In this example, a default route is used to forward “ALL” traffic from the workloads, but this is not necessary. RFC1918 summarization or specific branch/hub prefixes can be used to narrow what is sent to the Virtual Edge. For example, if the workloads in the Private Subnet still need to be accessible via SSH from publicly sourced IPs, then the UDR could be configured to point the default route (0.0.0.0/0) to the Internet Gateway and the RFC1918 summarization to the Virtual Edge.

[Figure: Basic topology in Azure. VNET 172.16.0.0/16. Public Subnet 172.16.0.x/24 (WAN): VCE GE2 (eth1) at .0.4, WAN Overlay, reaching the Internet through a Public IP; Public Route Table: 0.0.0.0/0 to Internet. Private Subnet 172.16.1.x/24 (LAN): VCE GE3 (eth2) at .1.4, LAN Interface, with workload VMs at .1.200, .1.201 and .1.202; Private Route Table: 0.0.0.0/0 to Virtual Appliance (VCE [GE3] 172.16.1.4).]
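The two private route table variants described above can be compared with a small route-selection model, added here as an example that is not part of the original guide. It assumes a simplified effective route table with only two system routes (vNet-local and default Internet); Azure's other default routes are left out, and the tuple layout and names are this example's own.

```python
import ipaddress

# Azure selects the route with the longest matching prefix; when prefixes tie,
# a user-defined route (UDR) wins over a system route.
SYSTEM_ROUTES = [("172.16.0.0/16", "VnetLocal", "system"),
                 ("0.0.0.0/0", "Internet", "system")]

# The guide's default private route table: everything to the Edge's GE3.
DEFAULT_UDR = [("0.0.0.0/0", "VirtualAppliance 172.16.1.4", "udr")]

# The narrower variant from the text: default route to Internet,
# RFC 1918 summaries to the Edge.
RFC1918_UDR = [("0.0.0.0/0", "Internet", "udr")] + [
    (prefix, "VirtualAppliance 172.16.1.4", "udr")
    for prefix in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def next_hop(destination, udr):
    """Return the next hop selected for destination in this simplified model."""
    dest = ipaddress.ip_address(destination)
    candidates = [(ipaddress.ip_network(prefix), hop, source)
                  for prefix, hop, source in SYSTEM_ROUTES + udr
                  if dest in ipaddress.ip_network(prefix)]
    # Longest prefix first; on a tie prefer the UDR over the system route.
    best = max(candidates, key=lambda c: (c[0].prefixlen, c[2] == "udr"))
    return best[1]
```

In both variants traffic between workloads inside 172.16.0.0/16 stays on the vNet-local route, because the /16 system route is more specific than either the default route or the 172.16.0.0/12 summary.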

Procedure:

1 Add the Virtual Edge to SD-WAN Orchestrator.

The first step is to add the Virtual Edge to the Enterprise. This requires login credentials for the SD-WAN Orchestrator.

a From the SD-WAN Orchestrator, go to Configure > Edges and click the New Edge button, as shown in the image below.

The Provision New Edge dialog box displays.

b In the Provision New Edge dialog:

1 Enter a name in the Name text box.

2 In the Model drop-down menu, choose Virtual Edge.


3 Choose a Profile in the Profile drop-down menu.

The Edge will be provisioned with an activation key, as shown in the image below. Make a note of this activation key.

2 Add VLAN IP.

The VLAN configuration must have an IP address assigned to it in order to save the Device Settings, but the IP address will not be used.

a For the Virtual Edge that was just created, click the Device tab on the VCO.

b Scroll down to the Configure VLAN section, and click the Add VLAN button.

The VLAN dialog box displays.


c In the VLAN dialog, make sure to adhere to the following:

1 Check the Enable Edge Override checkbox in the top-right corner of the dialog.

2 For the Edge LAN IP Address, use: 169.254.0.1

3 For the Cidr Prefix, use: 24

4 Leave the Advertise checkbox unchecked.

5 In the DHCP area, check the Enable Edge Override checkbox.

6 In the DHCP area, click Disabled.

3 Configure Virtual Edge Interfaces

CAUTION The SD-WAN Orchestrator needs the Device Settings configured first before activation. If this step is missed, the Virtual Edge activates but then goes offline a few minutes later.

a Navigate to the Virtual Edge’s Device Settings, as shown in the image below.


b Change the interface settings as follows:

1 Change the GE2 interface capability from “Switched” to “Routed” and enable DHCP addressing and WAN overlay.

2 In the GE3 interface, disable WAN overlay as this interface will be used for the LAN-side gateway. Also, disable NAT Direct Traffic.

4 Launch Virtual Edge via ARM Template

Note: If this is the first deployment of a Virtual Edge, you may need to “Subscribe” to the Edge version in the Azure Marketplace before deploying from the ARM Template.

a Navigate to Azure Templates as shown in the image below.

b Enter the Name and Description of the Template or Deployment. (See image below).


c Cut and paste the template in the ARM Template area.

d When ready, click Deploy, as shown in the image below.

e Complete the template form.


f Agree to Terms and click the Purchase button.


At this point, Azure will begin the deployment, which can take a few minutes to complete. To follow the progress, click “Deployment in Progress…” and refresh.

Once the Virtual Edge deployment is complete, the Virtual Edge will boot up and reach out to the SD-WAN Orchestrator with its activation key to complete Virtual Edge activation.

5 Verify that the Virtual Edge is Activated in the SD-WAN Orchestrator.

Once the instance is running in Azure, and provided all the information supplied was correct, the Virtual Edge will reach out to the SD-WAN Orchestrator with the activation key, activate, and perform a software update if needed (and reboot if upgraded). Typical deployment time is between three and four minutes.
