Third Party Firewalls in AVS

There have been quite a few blog posts about third party firewalls or in Azure speak NVA (Network Virtual Appliance) in AVS. Why Azure calls these NVAs and not VNFs (Virtual Network Function) like the rest of the world is a question I’d like to have answered. While the DFW (Distributed Firewall) should be used for anything Layer 2-4 most customers don’t know how to use it and want to continue to use the firewall vendor they are used to. Since service insertion isn’t support in AVS most of posts provide an architecture similar to this:

T0 -> T1 -> NVA -> Segments

This architecture will work. There are some inherent limitations with it.

  • Limited Interfaces on NVA.
    • VMware VMs only support 10 interfaces. 1 for management, 1 for the uplink, 8 for segments
  • All inter segment traffic must traverse the NVA.
    • Hairpinning, limited throughput, and additional latency, no distributed routing

If these limitations are inline with the requirements then use this one. It’s simple and works. Another way to accomplish this type of network is like this:

T0 -> T1 -> NVA -> T1 -> Segments

With this architecture many more networks are allowed off of a single NVA. NSX-T 3.1 supports up to 1000 interfaces on a T1. Up to 8 T1s can be linked to the NVA before needing another NVA. All north south traffic must still traverse the NVA; however, east west traffic within each zone can utilize distributed routing. If further segmentation is required within each zone the gateway firewall on the T1 or the DFW can be used (yes you should just use the DFW for all of this).

To configure this architecture:

  • Create a transit segment connected to the Provider T1
  • Connect an NVA to the transit segment
  • Create a 0/0 route on the NVA with the next hop the Provider T1 transit interface
  • Create static routes on the Provider T1 for all planned segments with the next hop of the NVA transit interface
  • Create transit segments for each T1 to be connected to the NVA
  • Attach NVA interfaces to these segments
  • Create new T1s
  • Connect an interface on T1s connected to the transit segment connected to the NVA
  • Create 0/0 static routes on the T1s with the next hop of the NVA interface

By using this architecture far fewer NVAs are required. This reduces licensing costs and management overhead. While this may have some drawbacks it is far more scalable than creating an NVA for every 8 segments.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: