
VeloCloud SD-WAN in Azure Virtual WAN Hub Deployment

About VeloCloud in Azure Virtual WAN Hub Deployment

The VeloCloud SD-WAN in Azure Virtual WAN (vWAN) Hub deployment describes the configurations required to manually deploy a Virtual Edge as a Network Virtual Appliance (NVA) in Azure vWAN Hub network.

Overview

During cloud migration, users encountered a lot of challenges with connecting remote locations to Azure vNets in a simple, optimized, and secure way across myriad connectivity options. VeloCloud SD-WAN addresses these problems by leveraging Dynamic Multipath Optimization ™ (DMPO) technologies and distributed cloud gateway coverage across the globe. VeloCloud SD-WAN transforms the unpredictable broadband transport to Enterprise-class quality connections, ensuring the application performance from remote locations to Azure Cloud.

To meet different deployment scenarios for customers deploying Azure Virtual WAN, VeloCloud SD-WAN has progressively added more capabilities to the solution. With this new integration, customers can now manually deploy VeloCloud Edges directly inside Azure Virtual WAN hubs resulting in an offering that natively integrates Azure Virtual WAN customizable routing intelligence with VeloCloud SD-WAN optimized last-mile connectivity.

Figure 1. Architecture of a VeloCloud SD-WAN and Azure vWAN NVA Manual Deployment

Deploy VeloCloud SD-WAN in Azure Virtual WAN Hub

To deploy VeloCloud Edges in a Virtual Hub manually, you must already have a Resource Group, virtual WAN (vWAN), and virtual Hub (vHUB) on the Azure side.

Once the vWAN Hub is up and running and routing status is complete, you must meet the following prerequisites before proceeding with the Manual deployment of an Azure vWAN Network Virtual Appliance (NVA) via VeloCloud Edge Cloud Orchestrator:
  • Obtain Enterprise account access to Arista Edge Cloud Orchestrator.
  • Obtain access to the Microsoft Azure portal with the appropriate IAM roles.
  • Software image requirements for this deployment are as follows:
    • VeloCloud Edge Cloud Orchestrator- 4.5.0 and later.
    • VeloCloud Gateway- 4.5.0 and later.
    • VeloCloud Edges- 4.2.1 and later.
  • Create an Azure Managed Identity. For steps, see Create Managed Identity.
  1. In the Orchestrator, create a Virtual Edge by navigating to Configure > Edges > New Edge .
  2. In the Orchestrator, once you create the Edges, change the interface settings for all Edges:
    • Change GE1 interface to Route with Auto detect WAN overlay.
    • Change GE2 to Route with WAN overlay deactivated.
    • The GE3 to GE8 interfaces are not used in this deployment.
    Note: You can configure Profiles with Virtual Edge interface settings as required by this integration so that you do not have to change interface settings after creating Virtual Edges on the Orchestrator.
    Note: If you attempt to downgrade an Edge from Release 4.2.1 to an earlier release, the Edge becomes stuck in an activating loop.
  3. The Azure Support team manages SSH access to VeloCloud SD-WAN Azure NVAs. Azure enforces security policies that only allow the source IP address 168.63.129.16 to SSH to Azure Virtual Edges. To allow a Virtual Edge to accept SSH from this source IP, navigate to Configure > Edges > Firewall > Edge Access > Support Access , and add the IP address 168.63.129.16 under the Allow the following IPs field.
    Figure 2. Configuring Edge Security
    Note: You can perform the Step 3 configuration on a Profile used by many or all of the Virtual Edges so you do not need to do it for each individual Virtual Edge.

    For more details regarding this IP configuration, see Microsoft Azure.

  4. Copy the Orchestrator URL and the Activation Key of each Virtual Edge.
    For example, copy the following information:
    • vcoxx-usvi1.velocloud.net
    • Activation Key1: XXXX:ZE8F:YYYY:67YT
    • Activation Key2: XXXX:ZE8F:ZZZZ:67YT
  5. Log in to the Azure portal and search for the VeloCloud SD-WAN in vWAN application in the Azure Marketplace. The VeloCloud SD-WAN in vWAN managed application page appears. You can use this application to automate the deployment of Virtual Edges in the Virtual WAN Hub.
    Figure 3. Displaying the VeloCloud SD-WAN in vWAN Application
  6. Select Create on the managed application and enter the following details:
    Figure 4. Creating VeloCloud SD-WAN in a vWAN
    • Subscription- The subscription that created the vWAN hub.
    • Resource Group- Create a new resource group or select the existing one.
    • Region- Select the region where you created the vWAN Hub. Virtual Edges deploy in that vWAN Hub.
    • Application Name- Enter a name for your managed application.
    • Managed Resource Group- Provide the application managed resource group. The managed resource group contains all the resources required by the managed application with limited access for the consumer.
  7. On the VeloCloud SD-WAN in Virtual WAN tab, select Virtual WAN Hub in the selected region. The Virtual Edges deploy in this Hub.
    Figure 5. Selecting the Virtual WAN Hub

    Once you select a Virtual WAN Hub, the BGP neighbor IP addresses and the ASN of the Virtual WAN Hub appear. Make a note of this information, as you need it to configure BGP neighborships on the Orchestrator.

    To deploy the NVA via the Managed Application, enter the following required details, and add the already created user assigned managed identity and grant the Managed Application access to other existing resources. For steps on how to create an Azure Managed Identity, see Create Managed Identity.
    • Scale unit- Select the appropriate scale:
      Scale Unit   Instance Type
      2            D2v2
      4            D3v2
      10           D4v2
    • VeloCloud SD-WAN Orchestrator- Copy and paste the Orchestrator URL from Step 3.
    • IgnoreCertErrors- Set this flag to False. Change it to True only if the Orchestrator URL cannot be used and the Orchestrator IP address must be provided instead.
    • ActivationKey for Edge1- Copy and paste the Activation Key from Step 3.
    • ActivationKey for Edge2- Copy and paste the second Activation Key from Step 3.
    • BGP ASN- The ASN to configure on the Virtual Edges on the VeloCloud Edge Cloud Orchestrator. Azure or IANA reserves the following ASNs:
      • Azure reserved ASNs:
        • Public ASNs- 8074, 8075, and 12076.
        • Private ASNs- 65515, 65517, 65518, 65519, and 65520.
      • IANA reserved ASNs:
        • 23456, 64496-64511, 65535-65551, and 429496729.
    • ClusterName- Enter a unique name for the deployment that does not include special characters such as #, @, _,-, etc.
    • User assigned managed identity- Select the identity to deploy the NVA by selecting +Add . In the Add user assigned managed identity section, select the previously created user assigned managed identity and select Add.
      Figure 6. Adding the User Assigned Managed Identity
      Once added, the user assigned managed identity appears in the User assigned managed identity table.
      Figure 7. The User Managed Identity Added
  8. After entering all the required fields, select Review + create.
  9. The deployment process begins and takes approximately 10 to 15 minutes to complete. Once the deployment completes, the Virtual Edges connect to and activate with the Orchestrator.
  10. Once all of the Virtual Edges are connected to the Orchestrator, you need to configure static routes and BGP neighbors so that the Virtual Edges can connect to the Azure Virtual WAN Hub.
    1. Configure Static Routes: Add /32 static routes so that there is a unique route to each BGP neighbor pointing to the GE2 interface of each Virtual Edge. To add a static route, the Orchestrator requires a next hop IP address. Acquire the next hop IP address by running the Remote Diagnostic Interface Status test on the Remote Diagnostics page of the Orchestrator. Select the first IP address of the subnet assigned to GE2 and configure it as the next hop.

      The following example displays the output from Test & Troubleshoot > Remote Diagnostics > Interface Status diagnostic test and provides an IP address assigned to GE2 as 10.101.112.6/25 and the first IP address of this subnet as 10.101.112.1, used to configure the static route on the Orchestrator.

      Figure 8. Displaying the Output of the Interface Status Test

      The output also displays two static routes configured on the Edge to reach BGP neighbors.

      Figure 9. Displaying the Static Route Information
    2. Configure BGP neighbors for each Virtual Edge by using the BGP neighbor IPs and the ASN number as displayed in the information message in Step 7.
      Figure 10. Displaying the BGP Neighbors Configuration

      Once you configure the static routes and BGP neighbors, the Virtual Edges begin learning routes from the Azure Virtual WAN Hub. BGP neighbor status can be verified under Monitor > Network Services .

  11. (Optional) Add the Virtual Edges into a cluster. Go to Configure > Network Services > Edge Cluster to create a new cluster Hub and add the Virtual Edges into the cluster.
  12. (Optional) To add a Virtual Network Connection with the Virtual Networks (vNETs) to the vHub, go to Azure vWAN > Connectivity > Virtual network connections .
    Figure 11. Adding a vNET

    Select Add Connection and provide a Connection Name. Select the Hub, Subscription, and Resource Group. Select the vNET and the associated Route table to connect to the Hub. For example, the vNET uses the default route table.

    Figure 12. Adding a Connection

    For the vWAN NVA Edge, the example uses a 2 NIC Deployment, and does not use the GE1 interface as the Management interface. This is unique to the vWAN NVA image.

    On all other cloud Edges, the GE1 interface is allocated as the Management interface and cannot be used for data traffic.

    Note: For Customers with Azure vWAN Hub Routers created with the Cloud Services infrastructure, see Hub Upgrade Instructions for Deployed as Azure vWAN NVA.
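As an added pre-deployment check (example code written for this page, not VeloCloud or Azure tooling), the following Python validates the managed-application inputs from Step 7 against the reserved-ASN, ClusterName and IgnoreCertErrors rules above, and derives the GE2 next hop and the per-neighbor /32 static routes from Step 10. The parameter dictionary keys are assumptions; the sample values are taken from this page's examples.

```python
import ipaddress
import re

# ASNs the document lists as reserved by Azure (public and private) and IANA.
# 4294967295 is the last 4-byte ASN, reserved by RFC 7300 (the page prints it as 429496729).
RESERVED_ASNS = frozenset(
    {8074, 8075, 12076, 65515, 65517, 65518, 65519, 65520, 23456, 4294967295}
    | set(range(64496, 64512))
    | set(range(65535, 65552))
)

def asn_is_usable(asn: int) -> bool:
    """True for a valid 2- or 4-byte ASN that is not in a reserved set."""
    return 0 < asn <= 4294967295 and asn not in RESERVED_ASNS

def cluster_name_is_valid(name: str) -> bool:
    """ClusterName must be non-empty and contain no special characters (#, @, _, -, ...)."""
    return re.fullmatch(r"[A-Za-z0-9]+", name) is not None

def orchestrator_is_ip(orchestrator: str) -> bool:
    """True when the Orchestrator field holds an IP address rather than a hostname or URL."""
    host = orchestrator.split("://")[-1].split("/")[0].split(":")[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def ge2_next_hop(ge2_interface: str) -> str:
    """First address of the GE2 subnet, e.g. '10.101.112.6/25' -> '10.101.112.1'."""
    return str(ipaddress.ip_interface(ge2_interface).network.network_address + 1)

def static_routes(bgp_neighbors, ge2_interface: str):
    """One /32 route per hub BGP neighbor; next hop is the first address of the GE2 subnet."""
    hop = ge2_next_hop(ge2_interface)
    return [(f"{ipaddress.ip_address(n)}/32", hop) for n in bgp_neighbors]

def check_parameters(params: dict) -> list:
    """Findings for the managed-application inputs (assumed keys); empty list means deploy."""
    findings = []
    if not asn_is_usable(params["bgp_asn"]):
        findings.append(f"BGP ASN {params['bgp_asn']} is reserved by Azure or IANA")
    if not cluster_name_is_valid(params["cluster_name"]):
        findings.append("ClusterName contains special characters")
    is_ip = orchestrator_is_ip(params["orchestrator"])
    if params["ignore_cert_errors"] and not is_ip:
        findings.append("IgnoreCertErrors is True but a hostname was given; keep certificate checks on")
    if is_ip and not params["ignore_cert_errors"]:
        findings.append("Orchestrator given as an IP address; set IgnoreCertErrors to True only when the URL cannot be used")
    return findings
```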

Accessing the Command Line of Virtual Edges Deployed into an Azure vWAN vHub

Azure vWAN operates as a managed service. Unlike other virtual machines deployed into Azure, vWAN does not offer the ability to associate a public key with the configured virtual machine (VM). Since Azure also does not allow password-based SSH authentication, the CLI of the vEdge is unreachable by default.

To overcome these restrictions and access the vEdge CLI for troubleshooting and operational purposes, use VeloCloud SD-WAN Secure Edge Access. This uses the Orchestrator to create key-based, per-user SSH access to the vEdge CLI. Refer to Access SD-WAN Edges Using Key-based Authentication to enable Secure Edge Access.

Create Managed Identity

This section describes the steps to create an Azure Managed Identity.

To create a Managed Identity, perform the following steps:
  1. Under Subscription, create a Custom Role, for example ‘vWANNVACustomRole’, with the following permissions:
    "permissions": [
      {
        "actions": [
          "Microsoft.Network/publicIPAddresses/join/action",
          "Microsoft.Network/publicIPAddresses/read",
          "Microsoft.Network/networkVirtualAppliances/delete",
          "Microsoft.Network/networkVirtualAppliances/read",
          "Microsoft.Network/networkVirtualAppliances/write",
          "Microsoft.Network/networkVirtualAppliances/restart/action",
          "Microsoft.Network/networkVirtualAppliances/getDelegatedSubnets/action",
          "Microsoft.Network/virtualHubs/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  2. Create a new user-assigned managed identity such as NVAmgdIdentity in the desired Managed Group and Region.
    Figure 13. Creating a New Managed Identity
  3. Under the resource group where the vWAN Hub is deployed, assign the Managed Identity by navigating to Resource Group (where the Azure vWAN Network Virtual Appliance (NVA) will be provisioned) > IAM > Add Role Assignment .

    In the Add role assignment screen, under the Role tab search for the custom role that you created, vWANNVACustomRole.

    Figure 14. Adding Role Assignment
  4. In the Members tab, select Managed Identity. In the Select managed identities section that appears on the right side of the page, select the user assigned managed identity 'NVAmgdIdentity' that you previously created and select Select. The selected managed identity appears under the Selected Members area.

  5. Select Review+Assign to assign the selected Managed Identity the custom role with scope as the resource group with the deployed vWAN hub.
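Added example, not Arista or Microsoft code: the Python below builds the custom role from step 1 in the JSON shape accepted by az role definition create, scoped to the single resource group from step 5, and audits any role body for wildcard actions, missing or unneeded actions, and assignable scopes broader than that resource group. The subscription ID and resource group name are placeholders.

```python
from fnmatch import fnmatchcase

ROLE_NAME = "vWANNVACustomRole"

# The exact actions the procedure grants; nothing broader is needed to provision the NVA.
REQUIRED_ACTIONS = frozenset({
    "Microsoft.Network/publicIPAddresses/join/action",
    "Microsoft.Network/publicIPAddresses/read",
    "Microsoft.Network/networkVirtualAppliances/delete",
    "Microsoft.Network/networkVirtualAppliances/read",
    "Microsoft.Network/networkVirtualAppliances/write",
    "Microsoft.Network/networkVirtualAppliances/restart/action",
    "Microsoft.Network/networkVirtualAppliances/getDelegatedSubnets/action",
    "Microsoft.Network/virtualHubs/read",
})

def build_role_definition(subscription_id: str, resource_group: str) -> dict:
    """Role body in the format accepted by 'az role definition create --role-definition'."""
    scope = f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
    return {
        "Name": ROLE_NAME,
        "IsCustom": True,
        "Description": "Provision the VeloCloud NVA in the Azure vWAN hub",
        "Actions": sorted(REQUIRED_ACTIONS),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [scope],  # only the resource group that holds the vWAN hub
    }

def audit_role(role: dict) -> list:
    """Least-privilege findings for a role body; an empty list means it matches the procedure."""
    findings = []
    actions = set(role.get("Actions", []))
    for act in sorted(actions):
        if "*" in act:
            findings.append(f"wildcard action {act} grants more than the NVA deployment needs")
    # Azure wildcards match like globs, so check coverage with fnmatch instead of equality.
    missing = [r for r in sorted(REQUIRED_ACTIONS) if not any(fnmatchcase(r, a) for a in actions)]
    for r in missing:
        findings.append(f"required action {r} is not granted")
    for act in sorted(actions - REQUIRED_ACTIONS):
        if "*" not in act:
            findings.append(f"action {act} is not needed by the procedure")
    for scope in role.get("AssignableScopes", []):
        if "/resourceGroups/" not in scope:
            findings.append(f"assignable scope {scope} is broader than the hub resource group")
    return findings
```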

Hub Upgrade Instructions for Deployed as Azure vWAN NVA

This document is intended for customers who use VeloCloud Edges in Azure and deploy them as Network Virtual Appliances (NVAs) in the Azure Virtual WAN (vWAN) Hub.

For more information, see Azure Upgrade Information.

Upgrade Instructions

Azure deprecated the Cloud Services-based infrastructure, and the Virtual WAN team upgraded the virtual routers from the current Cloud Services infrastructure to Virtual Machine Scale Sets deployments. If you navigate to your Virtual WAN hub resource and see a message to upgrade your router to the latest version, click Update router to latest software version to initiate router upgrade.

Note: All newly created Virtual Hubs automatically deploy on the latest Virtual Machine Scale Sets-based infrastructure and do not require this upgrade.
Figure 15. Displaying Upgrade Status

After clicking Upgrade Router to the latest software version, a message displays that this operation must be performed during a maintenance window.

Figure 16. Performing the Upgrade During a Maintenance Window
The Hub Status displays Updating and the Routing State as Provisioning. This process takes approximately 30 to 60 minutes to complete.
Figure 17. Displaying the Hub and Router Status

After successful completion of the router update, the Hub Status displays Succeeded and the Routing State displays Provisioned.

Figure 18. After Provisioning Completes

IP addresses display in the Virtual Hub resource JSON as the virtualRouterIps field. Alternatively, you can find them in the Virtual Hub > BGP Peers menu.

Figure 19. Displaying IP Addresses

Copy the IP addresses. In this case, the IP addresses display as 172.16.32.8 and 172.16.32.9. Use these IP addresses on the Virtual Hub with the BGP Peers (VeloCloud SD-WAN NVA) that require configuration.

On the Orchestrator, the Virtual Edge BGP connections to the Virtual Hub show a state of Active or Connect, which means the neighbors are Down.

Before configuring BGP neighbors on the Virtual Edge, static routes must be configured to allow the Virtual Edges to connect to the Azure Virtual WAN Hub.

Configuring Static Routes

Add X.X.X.X/32 static routes so that there is a unique route to each BGP neighbor that points to the GE2 interface of each Virtual Edge. To add a static route, the Orchestrator requires a next-hop IP address. The next hop IP address can be obtained by running the Remote Diagnostic Interface Status test in the Remote Diagnostics page of the Orchestrator. Select the first IP address of the subnet assigned to GE2 and configure it as the next hop.

The example displays an IP address assigned to GE2 as 172.16.112.5/25, with the first IP address of this subnet as 172.16.112.1. Use this IP address to configure the static route on Orchestrator.

Figure 20. Displaying Output from Interface Status

The output displays two configured static routes on the Edge to reach BGP neighbors.

Figure 21. Displaying Two Static Routes on the Edge

Configuring BGP Neighbors

Configure BGP neighbors for each Virtual Edge. Use the BGP neighbor IPs and the ASN number as displayed in the virtual Hub BGP Peers output. Also, configure the BGP Max-Hop to 2.

Figure 22. Configuring BGP Neighbors

Once you configure static routes and BGP neighbors, the Virtual Edges begin learning routes from the Azure Virtual WAN Hub. Verify the status of the BGP neighbors under Monitor > Network Services .

Figure 23. Verifying the Status of BGP Neighbors