Following is the Architecture - Azure Virtual WAN which has Cisco SD-WAN virtual appliances integrated with vWAN Hub (partner solution) and it also consist of Hub & Spoke topology. Hub Vnet consist of common services such as NVA, AD etc and Spoke vnet consist of actual App workloads. Hub Vnet consist of Cisco Firewall in sandwich topology (load balanced between Azure Internal & External LB) to route Internet bound traffic. FW outside interfaces does not have public IPs and all Internet bound traffic is going through Azure Ext LB with help of Outbound rules and public frontend IP Hub Vnet & Spoke Vnet peered to vWAN Hub using "Vnet connection" and all Vnet connections and SD-WAN virtual appliances associated & propagated to 'Default Route Table' of vWAN Hub VM in spoke Vnet has UDR with default route pointing to Azure Int LB 'private frontend IP' to route Internet traffic to Cisco FW However traffic from VM in spoke Vnet does not reach to Cisco FW itself in Hub Vnet As per my understanding, Azure vWAN integrated with partner SDWAN virtual appliances can propagate learned route only to 'Default Route Table' of vWAN Hub As per following diagram and article " https://video2.skills-academy.com/en-us/azure/virtual-wan/scenario-route-through-nvas-custom " , it suggest to create two custom route table. One for Hub Vnet (which has NVA) and another for Spoke Vnet When followed the steps given in this article for "Alternate Workflow", it does not seem to be work Added default route in "Default Route Table" of vWAN Hub with next hop as Hub Vnet connection and added static default route in "Hub Vnet Connection(which has NVA) with next hop IP address as "Private Frontend IP of Azure Int LB" However when we added default route in Default Route Table and Vnet connection, connectivity from Onprem to Azure using SDWAN breaks Would like to know whether it is feasible to route outbound traffic to Internet using NVA in Hub Vnet by leveraging Azure vWAN Vnet Connections

Issue with outbound Internet Traffic through Load Balanced NVA in Azure Virtual WAN

Raviraj Velankar 86

Following is the Architecture -

Azure Virtual WAN which has Cisco SD-WAN virtual appliances integrated with vWAN Hub (partner solution) and it also consist of Hub & Spoke topology. Hub Vnet consist of common services such as NVA, AD etc and Spoke vnet consist of actual App workloads.
Hub Vnet consist of Cisco Firewall in sandwich topology (load balanced between Azure Internal & External LB) to route Internet bound traffic.
FW outside interfaces does not have public IPs and all Internet bound traffic is going through Azure Ext LB with help of Outbound rules and public frontend IP
Hub Vnet & Spoke Vnet peered to vWAN Hub using "Vnet connection" and all Vnet connections and SD-WAN virtual appliances associated & propagated to 'Default Route Table' of vWAN Hub
VM in spoke Vnet has UDR with default route pointing to Azure Int LB 'private frontend IP' to route Internet traffic to Cisco FW
However traffic from VM in spoke Vnet does not reach to Cisco FW itself in Hub Vnet

As per my understanding, Azure vWAN integrated with partner SDWAN virtual appliances can propagate learned route only to 'Default Route Table' of vWAN Hub

As per following diagram and article "https://video2.skills-academy.com/en-us/azure/virtual-wan/scenario-route-through-nvas-custom" ,

it suggest to create two custom route table. One for Hub Vnet (which has NVA) and another for Spoke Vnet

When followed the steps given in this article for "Alternate Workflow", it does not seem to be work

Added default route in "Default Route Table" of vWAN Hub with next hop as Hub Vnet connection and added static default route in "Hub Vnet Connection(which has NVA) with next hop IP address as "Private Frontend IP of Azure Int LB"

However when we added default route in Default Route Table and Vnet connection, connectivity from Onprem to Azure using SDWAN breaks

Would like to know whether it is feasible to route outbound traffic to Internet using NVA in Hub Vnet by leveraging Azure vWAN Vnet Connections

User's image

Konstantinos Passadis 17,381 MVP

Hello @Raviraj Velankar !

it is feasible to route outbound traffic to the internet using NVA in Hub Vnet by leveraging Azure vWAN Vnet Connections. Here are some steps you can follow to troubleshoot the issue:

Verify the routing table: Make sure the correct routing tables are being used in each VNet, and that they are being propagated to the virtual WAN hub. Also, ensure that the NVA is configured correctly to route traffic to the internet.

Check the NSG rules: Verify that the network security group (NSG) rules allow outbound traffic from the spoke VNet to the NVA in the hub VNet, and from the NVA to the internet.

Verify the load balancer: Ensure that the Azure Load Balancer is configured correctly, with the appropriate frontend IP addresses and backend pool targets.

Check the firewall rules: Verify that the Cisco Firewall rules are configured correctly to allow outbound traffic from the NVA to the internet.

Check the UDR: Make sure that the User-Defined Routes (UDRs) are configured correctly in each VNet to route traffic to the appropriate NVA or load balancer.

Verify the SD-WAN configuration: Double-check the SD-WAN configuration to ensure that it is correctly integrated with Azure vWAN and that the routes are being propagated correctly.

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards

Konstantinos Passadis 17,381 Reputation points MVP

2023-05-07T20:22:04.0033333+00:00

Hello @Raviraj Velankar !

Do you have any feedback or your issue is resolved?

In case any answer helped kindly mark it as Accepted and upvote so others can benefit as well!

Regards
Konstantinos Passadis 17,381 Reputation points MVP

2023-05-09T15:28:19.44+00:00

Hello @Raviraj Velankar !

Do you have any feedback or your issue is resolved?

In case any answer helped kindly mark it as Accepted and upvote so others can benefit as well!

Regards

Share via

Issue with outbound Internet Traffic through Load Balanced NVA in Azure Virtual WAN