CloudHub Automated Deployment of NVA in Azure vWAN Hub

The VeloCloud SD-WAN and Azure virtual WAN (vWAN) NVA Automated Deployment guide describes the configurations that are required to automatically deploy a Virtual Edge as a Network Virtual Appliance (NVA) in Azure vWAN Hub network.

About CloudHub Automated Deployment of NVA in Azure Virtual WAN Hub

Note: Automated Deployment of NVA in Azure Virtual WAN Hub is supported only for Hosted Orchestrator.

Overview

During cloud migration, there were lot of challenges on how to connect remote locations to Azure VNets in a simple, optimized, and secure way across myriad connectivity options. VeloCloud SD-WAN addresses these problems by leveraging Dynamic Multipath Optimization ™ (DMPO) technologies and distributed cloud gateway coverage across the globe. VeloCloud SD-WAN transforms the unpredictable broadband transport to Enterprise-class quality connections, ensuring the application performance from remote locations to Azure Cloud.

To meet different deployment scenarios for customers who deploy Azure Virtual WAN, VeloCloud SD-WAN have been progressively adding more capabilities to the solution via automation. With this new integration, customers can now deploy VeloCloud Edges directly inside Azure Virtual WAN hubs automatically, resulting in an offering that natively integrates Azure Virtual WAN’s customizable routing intelligence with VeloCloud SD-WAN’s optimized last-mile connectivity.

The following diagram illustrates the VeloCloud SD-WAN and Azure vWAN NVA Automated Deployment scenario.

Figure 1. VeloCloud SD-WAN and Azure vWAN NVA Automated Deployment Scenario

CloudHub Deployment Prerequisites

To use automatic deployment of VeloCloud Edges as a Network Virtual Appliance (NVA) in Azure virtual WAN (vWAN) Hub, you must have already created Resource Group, vWAN, and virtual Hub (vHUB) on the Azure side. Once vWAN Hub is up and running and routing status is completed, you must ensure the following prerequisites are met before proceeding with the Automated deployment of Azure vWAN NVA via VeloCloud Orchestrator:

Obtain Enterprise account access to VeloCloud Orchestrator.
Obtain access to the Microsoft Azure portal with the appropriate IAM roles.
Ensure you have already created Resource Group, vWAN and vHUB on the Azure side. For steps, see Virtual WAN Documentation.
Software image requirements for this deployment are as follows:
- VeloCloud Orchestrator: 5.1.0.
- VeloCloud Gateway: 4.2.1 and above.
- VeloCloud Edges: 4.2.1 and above.

Note: For additional information about the supported regions of NVA in Virtual Hub, see https://docs.microsoft.com/en-us/azure/virtual-wan/about-nva-hub#regions.

CloudHub Automated Deployment of Azure vWAN NVA via Arista Edge Cloud Orchestrator

To use Automated deployment of Azure vWAN NVA via Arista Edge Cloud Orchestrator, perform the following steps:

In the Orchestrator, ensure the Multi-Cloud Service (MCS) account is activated. You can verify that by checking the following system properties:
- session.options.enableMcsServiceAccount
- vco.system.configuration.data.mcsNginxRedirection
Note: Contact the EdgeOps team to activate the MCS account for your Orchestrator.

Figure 2. Verify System Property Settings
For an Enterprise user, once the MCS account is activated, you can access the MCS service by selecting Configure > Cloud Hub in the Orchestrator UI. The Cloud Hub page appears.

Figure 3. Configure Cloud Hub Screen
To deploy a NVA Edge in vWAN HUB network, perform the following two steps:
1. Create a new credential
2. Create a new Cloud Hub

To create new credential, select Configure > Credential > New Credential . Provide all the required details and select Create.

Table 1. Add Credentials Field Descriptions
Field	Description
Name	Enter a unique name for your Azure credential.
Cloud Provider	Select Azure as the Cloud Provider.
Client ID	Enter the Client ID of your Azure subscription.
Tenant ID	The ID for an Azure Active Directory (AD) tenant in the Azure portal. Enter the tenant ID to which your subscription belongs.
Client Secret	Enter the Client Secret of your Azure subscription.
Subscription ID	The ID for a subscription in the Azure portal. Enter the Azure Subscription ID which has the created Virtual WAN Hub to deploy Virtual Edges.

For additional information on how to retrieve IDs for a subscription in Azure portal, see How to create a new Azure Active Directory (Azure AD) application and service principal.

It is recommended for customers to create a custom role with the below permissions (JSON) to provide access to only the necessary resources for the CloudHub function.

"permissions": [ { "actions": [ "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Resources/subscriptions/resourcegroups/deployments/read", "Microsoft.Resources/subscriptions/resourcegroups/resources/read", "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read", "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read", "Microsoft.Network/virtualWans/read", "Microsoft.Network/virtualWans/join/action", "Microsoft.Network/virtualWans/virtualHubs/read", "Microsoft.Network/virtualHubs/read", "Microsoft.AzureStack/linkedSubscriptions/linkedResourceGroups/linkedProviders/virtualNetworks/read", "Microsoft.Network/networkVirtualAppliances/delete", "Microsoft.Network/networkVirtualAppliances/read", "Microsoft.Network/networkVirtualAppliances/write", "Microsoft.Network/networkVirtualAppliances/getDelegatedSubnets/action", "Microsoft.Network/virtualNetworks/read", "Microsoft.Network/virtualNetworks/join/action", "Microsoft.Network/virtualNetworks/peer/action", "Microsoft.Network/virtualNetworks/write", "Microsoft.Network/virtualNetworks/subnets/join/action", "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action", "Microsoft.Network/virtualNetworks/subnets/read", "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action", "Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action" ], "notActions": [], "dataActions": [], "notDataActions": [] } ]

To create a New Cloud Hub, perform the following steps:

Note: The Cloud Hub Workflow is tested only for the new Profile. So, it is recommended to create a new Profile before proceeding with the deployment of NVA Edge in vWAN HUB network.

Navigate to Configure > Workflow and select New Cloud Hub.

The Cloud Credentials page appears.

Figure 5. New Cloud Hub Screen

Provide all the required Cloud Credentials details and select Next.

The vWAN and vHUB Options page appears.

Table 2. vWAN and vHUB Configuration Options
Field	Description
Cloud Provider	Choose Azure as the Cloud Provider.
Azure Connectivity Options	Choose Deploy Virtual Edge as an NVA in Azure vWAN as the connectivity option between you Hub and vNet.
Cloud Subscription	You can use the existing cloud subscription or create a new subscription by selecting the Create New option.

Choose vWAN, vHUB, and provision Virtual Azure NVA Edge (with unique name) by providing all the required details.

Table 3. vWAN and vHUB Field Descriptions
Field	Description
Resource Group	Select a resource group that you created on the Azure side.
vWAN	Select a Virtual WAN that you created on the Azure side.
Choose vHUB
Region	Select the region in which you want to deploy the Virtual WAN Hub. Virtual Edges will be deployed in that Virtual WAN Hub.
vHub	Select a Virtual WAN Hub to deploy the virtual Edges.
Address Space	The hub's address range in CIDR notation. The minimum address space is `/24` to create a hub.
Workflow Name	Enter the workflow name for the Virtual WAN Hub.
Create Edge Networking
NVA Name	Enter a unique name for the Network Virtual Appliance (NVA) Edge device.
Select NVA Version	Select the NVA version.
Edge Cluster Name	Enter a unique name for the Edge Cluster.
Scale Units	A pair of Edges will be spun up. Scale Units can be 2, 4, or 10 which map to a Azure instance type.
Select Profile	Select a Profile to associate the Virtual Edge. Note: You can use the existing Profile or create a new Profile before deploying the Azure vWAN NVA Edges in Azure vWAN Hub.
Edge License	Select the Edge license associated with the Virtual Edges.
Contact Name	Enter a contact name.
Contact Email	Enter a contact email ID.
BGP ASN	Enter the ASN value that will be configured on the Virtual Edges in the Arista Edge Cloud Orchestrator. Note: The ASNs reserved by Azure: Public ASNs: 8074, 8075, and 12076. Private ASNs: 65515, 65517, 65518, 65519, and 65520.

Select Finish. The newly created Cloud Hub appears in the Workflow page.
Under Detail column, select View to view the Event Details of the selected Cloud Hub.

Note: Currently there is no separate Monitor page for Cloud Hub service. You can use the Monitor page of the SD-WAN service for verifying the Edge actions and states.

In the SD-WAN service portal, select Monitor > Edges to verify the Virtual Azure NVA Edge that you have provisioned/deployed with the Cloud Hub automation service are connected.

Figure 7. Monitor Edge Status
To verify if the BGP sessions are established for the deployed Virtual Azure NVA Edge, select Monitor > Routing .

Figure 8. Monitor Routing- BGP Edge Neighbor States

Important: Once the Virtual Edges are created, configure IP address for each of the Virtual Edges by navigating to Configure > Edges > Firewall > Edge Access and by adding the IP address "168.63.129.16" under the Allow the following IPs field.

Figure 9. Configure Edge Security

Note: You can perform this configuration on a Profile used by many or all of the Virtual Edges so you do not need to do it for each individual Virtual Edge.

For additional details regarding this IP configuration, see Azure IP address Overview.