
CloudHub Automated Deployment of NVA in Azure vWAN Hub

The VeloCloud SD-WAN and Azure virtual WAN (vWAN) NVA Automated Deployment guide describes the configurations that are required to automatically deploy a Virtual Edge as a Network Virtual Appliance (NVA) in an Azure vWAN Hub network.
Note: Automated Deployment of NVA in Azure Virtual WAN Hub is supported only for VeloCloud Hosted Orchestrator.

Overview

Cloud migration has created many challenges around connecting remote locations to Azure vNets in a simple, optimized, and secure way across myriad connectivity options. VeloCloud SD-WAN addresses these problems by leveraging Dynamic Multipath Optimization™ (DMPO) technologies and distributed cloud gateway coverage across the globe. VeloCloud SD-WAN transforms unpredictable broadband transport into Enterprise-class quality connections, ensuring application performance from remote locations to Azure Cloud.

To meet different deployment scenarios for customers who deploy Azure Virtual WAN, VeloCloud SD-WAN has been progressively adding more capabilities to the solution via automation. With this new integration, customers can now deploy VeloCloud Edges directly inside Azure Virtual WAN hubs automatically, resulting in an offering that natively integrates Azure Virtual WAN customizable routing intelligence with VeloCloud SD-WAN optimized last-mile connectivity.

The example topology illustrates the VeloCloud SD-WAN and Azure vWAN NVA Automated Deployment scenario.

Figure 1. Example Topology with Automated Deployment of NVA in Azure vWAN Hub

CloudHub Deployment Prerequisites

To use automatic deployment of VeloCloud Edges as a Network Virtual Appliance (NVA) in Azure virtual WAN (vWAN) Hub, you must have already created Resource Group, vWAN, and virtual Hub (vHUB) on the Azure side. Once vWAN Hub is up and running and routing status is completed, you must ensure the following prerequisites are met before proceeding with the Automated deployment of Azure vWAN NVA via Arista Edge Cloud Orchestrator:
  • Obtain Enterprise account access to Arista Edge Cloud Orchestrator.
  • Obtain access to the Microsoft Azure portal with the appropriate IAM roles.
  • Ensure you have already created Resource Group, vWAN and vHUB on the Azure side. For steps, see Virtual WAN Documentation.
  • Software image requirements for this deployment are as follows: 
    • VeloCloud Edge Cloud Orchestrator: 5.1.0.
    • VeloCloud Gateway: 4.2.1 and above.
    • VeloCloud Edges: 4.2.1 and above.
Note: For additional information about the supported regions of NVA in Virtual Hub, see About NVA Hubs for Microsoft Azure.

CloudHub Automated Deployment of Azure vWAN NVA via Arista Edge Cloud Orchestrator

To use Automated deployment of Azure vWAN NVA via Arista Edge Cloud Orchestrator, perform the following steps:

  1. In the Orchestrator, ensure the Multi-Cloud Service (MCS) account is activated. You can verify that by checking the following system properties:
    • session.options.enableMcsServiceAccount
    • vco.system.configuration.data.mcsNginxRedirection
    Note: Contact the Edge Ops team to activate the MCS account for your Orchestrator.
    Figure 2. Displaying System Properties
  2. For an Enterprise user, once the MCS account activates, you can access the MCS service by selecting Configure > Cloud Hub to display the Cloud Hub page.
    Figure 3. Displaying Cloud Hub
  3. To deploy an NVA Edge in a vWAN Hub network, perform the following two steps:
    1. Create a new credential.
    2. Create a new Cloud Hub.
  4. To create a new credential, select Configure > Credential > New Credential. Provide all the required details and select Create.
    Figure 4. Adding New Credentials
    Table 1. Credential Fields
    Field | Description
    Name | Enter a unique name for your Azure credential.
    Cloud Provider | Select Azure as the Cloud Provider.
    Client ID | Enter the Client ID of your Azure subscription.
    Tenant ID | The ID for an Azure Active Directory (AD) tenant in the Azure portal. Enter the tenant ID to which your subscription belongs.
    Client Secret | Enter the Client Secret of your Azure subscription.
    Subscription ID | The ID for a subscription in the Azure portal. Enter the Azure Subscription ID which has the created Virtual WAN Hub to deploy Virtual Edges.

    For additional information on how to retrieve IDs for a subscription in Azure portal, see How to create a new Azure Active Directory (Azure AD) application and service principal.

    It is recommended that customers create a custom role with the following permissions (JSON), so that access is limited to the resources the Cloud Hub function needs.

    "permissions": [
      {
        "actions": [
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
          "Microsoft.Resources/subscriptions/resourcegroups/resources/read",
          "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
          "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
          "Microsoft.Network/virtualWans/read",
          "Microsoft.Network/virtualWans/join/action",
          "Microsoft.Network/virtualWans/virtualHubs/read",
          "Microsoft.Network/virtualHubs/read",
          "Microsoft.AzureStack/linkedSubscriptions/linkedResourceGroups/linkedProviders/virtualNetworks/read",
          "Microsoft.Network/networkVirtualAppliances/delete",
          "Microsoft.Network/networkVirtualAppliances/read",
          "Microsoft.Network/networkVirtualAppliances/write",
          "Microsoft.Network/networkVirtualAppliances/getDelegatedSubnets/action",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/virtualNetworks/join/action",
          "Microsoft.Network/virtualNetworks/peer/action",
          "Microsoft.Network/virtualNetworks/write",
          "Microsoft.Network/virtualNetworks/subnets/join/action",
          "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
          "Microsoft.Network/virtualNetworks/subnets/read",
          "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",
          "Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  5. To create a New Cloud Hub, perform the following steps:
    The Cloud Hub Workflow is tested only for the new Profile, so it is recommended to create a new Profile before proceeding with the deployment of the NVA Edge in the vWAN Hub network.
    1. Navigate to Configure > Workflow and select New Cloud Hub. The Cloud Credentials page appears.
      Figure 5. Configuring a New Cloud Hub Credentials
    2. Provide all the required Cloud Credentials details and select Next.
      Table 2. Cloud Credential Details
      Field | Description
      Cloud Provider | Choose Azure as the Cloud Provider.
      Azure Connectivity Options | Choose Deploy Virtual Edge as an NVA in Azure vWAN as the connectivity option between your Hub and vNET.
      Cloud Subscription | You can use the existing cloud subscription or create a new subscription by selecting the Create New option.
      The vWAN and vHUB Options page appears.
      Figure 6. Displaying vWAN and vHub Options
    3. Select vWAN, vHUB, and provision Virtual Azure NVA Edge (with unique name) by providing all the required details.
      Table 3. vWAN and vHUB Options
      Field | Description
      Resource Group | Select a resource group that you created on the Azure side.
      vWAN | Select a Virtual WAN that you created on the Azure side.
      Choose vHUB
      Region | Select the region in which you want to deploy the Virtual WAN Hub. Virtual Edges will be deployed in that Virtual WAN Hub.
      vHub | Select a Virtual WAN Hub to deploy the virtual Edges.
      Address Space | The hub's address range in CIDR notation. The minimum address space is /24 to create a hub.
      Workflow Name | Enter the workflow name for the Virtual WAN Hub.
      Create Edge Networking
      NVA Name | Enter a unique name for the Network Virtual Appliance (NVA) Edge device.
      Select NVA Version | Select the NVA version.
      Edge Cluster Name | Enter a unique name for the Edge Cluster.
      Scale Units | A pair of Edges will be spun up. Scale Units can be 2, 4, or 10, which map to an Azure instance type.
      Select Profile | Select a Profile to associate the Virtual Edge. You can use the existing Profile or create a new Profile before deploying the Azure vWAN NVA Edges in Azure vWAN Hub.
      Edge License | Select the Edge license associated with the Virtual Edges.
      Contact Name | Enter a contact name.
      Contact Email | Enter a contact email ID.
      BGP ASN | Enter the ASN value that will be configured on the Virtual Edges in the Arista Edge Cloud Orchestrator. The ASNs reserved by Azure:
      • Public ASNs: 8074, 8075, and 12076.
      • Private ASNs: 65515, 65517, 65518, 65519, and 65520.
    4. Select Finish. The newly created Cloud Hub appears in the Workflow page.
    5. Under the Detail column, select View to view the Event Details of the selected Cloud Hub.
      Currently there is no separate Monitor page for Cloud Hub service. You can use the Monitor page of the SD-WAN service for verifying the Edge actions and states.
  6. In the SD-WAN service portal, select Monitor > Edges to verify that the Virtual Azure NVA Edges that you provisioned or deployed with the Cloud Hub automation service are connected.
    Figure 7. Displaying the Virtual Azure NVA Edge
  7. To verify that the BGP sessions are established for the deployed Virtual Azure NVA Edge, select Monitor > Routing.
    Figure 8. Display BGP Sessions

    Once the Virtual Edges are created, configure the IP address for each of the Virtual Edges by navigating to Configure > Edges > Firewall > Edge Access and adding the IP address 168.63.129.16 under the Allow the following IPs field.

    Figure 9. Configuring Edge Security

    You can perform this configuration on a Profile used by many or all of the Virtual Edges so you do not need to do it for each individual Virtual Edge. For more details regarding this IP configuration, see Microsoft IP Reference.
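
The custom role in step 4 is only least-privilege while it stays equal to the listed permissions. The following check is an added example, not part of the VeloCloud or Arista documentation: it compares a role definition against the page's 23 actions and reports wildcards, extra actions and data-plane grants. The names `audit_role` and `SAMPLE_ROLE` and the sample role itself are constructed for illustration; the input is assumed to use the same "permissions" shape as the JSON above.

```python
import json

# Actions from the page's recommended custom role, grouped by resource prefix.
PAGE_ACTIONS = {
    "Microsoft.Resources/subscriptions/resourceGroups":
        "read deployments/read resources/read "
        "deployments/operationstatuses/read deployments/operations/read",
    "Microsoft.Network/virtualWans": "read join/action virtualHubs/read",
    "Microsoft.Network/virtualHubs": "read",
    "Microsoft.AzureStack/linkedSubscriptions/linkedResourceGroups/"
    "linkedProviders/virtualNetworks": "read",
    "Microsoft.Network/networkVirtualAppliances":
        "delete read write getDelegatedSubnets/action",
    "Microsoft.Network/virtualNetworks":
        "read join/action peer/action write subnets/join/action "
        "subnets/joinViaServiceEndpoint/action subnets/read "
        "subnets/prepareNetworkPolicies/action "
        "subnets/unprepareNetworkPolicies/action",
}
# Azure RBAC action strings are case-insensitive, so compare in lower case.
BASELINE = {f"{prefix}/{suffix}".lower()
            for prefix, suffixes in PAGE_ACTIONS.items()
            for suffix in suffixes.split()}


def audit_role(role):
    """Compare a role's permissions with the page's list and report drift."""
    findings = {"wildcards": [], "outside_baseline": [], "data_plane": []}
    for perm in role.get("permissions", []):
        for action in perm.get("actions", []):
            if "*" in action:
                # A wildcard grants every operation under the prefix.
                findings["wildcards"].append(action)
            elif action.lower() not in BASELINE:
                findings["outside_baseline"].append(action)
        # The page's role grants no data-plane actions at all.
        findings["data_plane"].extend(perm.get("dataActions", []))
    return findings


# Constructed sample: a role that has drifted from the recommended list.
SAMPLE_ROLE = json.loads("""{"permissions": [{
  "actions": ["microsoft.network/virtualwans/read",
              "Microsoft.Network/virtualNetworks/subnets/read",
              "Microsoft.Network/*",
              "Microsoft.Compute/virtualMachines/write"],
  "notActions": [], "dataActions": [], "notDataActions": []}]}""")

if __name__ == "__main__":
    print(json.dumps(audit_role(SAMPLE_ROLE), indent=2))
```

Any non-empty list in the result means the credential stored in the Orchestrator can do more in the subscription than the Cloud Hub function requires.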
