Navigating the End of Azure VM Direct Internet Access: Part 3 - Implementing Network Virtual Appliance (NVA)

Azure VM Internet - Third-Party Appliances

As we continue our journey to adapt to the deprecation of direct internet access for Azure Virtual Machines (VMs), we’ve explored the implementation of NAT Gateway in Part 1 and Azure Firewall in Part 2. In this third installment, we’ll delve deep into Network Virtual Appliances (NVAs): powerful, flexible solutions that offer advanced networking capabilities to meet complex enterprise requirements.

Understanding Network Virtual Appliances (NVAs)

A Network Virtual Appliance is a software image, often provided by third-party vendors, that performs network functions traditionally done by physical hardware appliances. NVAs can provide services such as:

  • Firewalling and Security Filtering
  • Traffic Shaping and Load Balancing
  • Routing and VPN Termination
  • Intrusion Detection and Prevention
  • WAN Optimization

Metaphorically speaking, think of an NVA as a custom-built security checkpoint in your network highway, where you can enforce detailed inspections, rules, and controls that aren’t possible with standard toll booths.

Why Choose an NVA?

  • Advanced Features: When you require sophisticated network services beyond Azure’s native offerings.
  • Vendor Consistency: To maintain uniformity with on-premises systems using the same vendor solutions.
  • Customizability: For environments needing highly customized network configurations and policies.
  • Regulatory Compliance: When specific compliance requirements mandate certain security controls or logging mechanisms.

Implementing NVAs for Outbound Connectivity

Deploying an NVA involves several critical steps:

  1. Selecting the Appropriate NVA Solution
  2. Architecting the Network Topology
  3. Deploying the NVA
  4. Configuring User-Defined Routes (UDRs)
  5. Setting Up Security Rules with NSGs
  6. Ensuring High Availability (Optional)
  7. Configuring the NVA
  8. Validating the Deployment

Let’s explore these steps in detail, considering both Azure Portal and Bicep implementation methods.

1. Selecting the Appropriate NVA Solution

Considerations:

  • Functionality: Does the NVA offer the network services you need?
  • Performance: Can it handle your expected traffic volume?
  • Vendor Support: Is there adequate documentation and support?
  • Cost: Assess both licensing and operational expenses.
  • Compatibility: Ensure the NVA is certified for Azure and supports your required features.

Popular NVA Vendors:

  • Palo Alto Networks
  • Cisco
  • Fortinet
  • F5 Networks
  • Check Point

Tip: Evaluate vendors based on existing expertise within your team to minimize the learning curve.

2. Architecting the Network Topology

Designing an effective network layout is crucial. Here’s an illustrative topology:

VM Subnet (User VMs without PIP) --[UDR points to NVA]--> NVA Subnet --[NVA with PIP]--> Internet

Key Components:

  • VM Subnet: Contains VMs that require outbound internet access.
  • NVA Subnet: Dedicated subnet hosting the NVA.
  • User-Defined Route (UDR): Routes traffic from the VM Subnet to the NVA.
  • Public IP (PIP): Assigned to the NVA for outbound internet access.

Design Considerations:

  • Security: Isolate the NVA in its own subnet to enforce strict access controls.
  • Scalability: Plan for scaling NVAs vertically or horizontally based on traffic demands.
  • Redundancy: Use availability sets or zones to ensure high availability.

3. Deploying the NVA

Option A: Using the Azure Portal

Step-by-Step Guide:

  1. Deploy the NVA from Azure Marketplace:
    • Navigate to Azure Marketplace.
    • Search for your chosen NVA (e.g., “FortiGate Next-Generation Firewall”).
    • Click “Create” and follow the deployment wizard.
  2. Configure Basic Settings:
    • Subscription & Resource Group: Select appropriately.
    • Instance Details:
      • Region: Same as your Virtual Network.
      • VM Name: Assign a logical name.
      • VM Size: Select based on performance needs.
    • Authentication: Set strong admin credentials.
  3. Configure Networking:
    • Virtual Network: Select your existing VNet.
    • Subnets: Assign the NVA to the NVA-Subnet.
    • Public IP: Create or select a Public IP for the NVA.
  4. Firewall Settings (Vendor-Specific):
    • Configure settings as required by the vendor.
  5. Review and Create:
    • Validate your configurations.
    • Click “Create” to deploy the NVA.

Option B: Using Bicep Template

Advantages of Using Bicep:

  • Infrastructure as Code (IaC): Enables version control and repeatable deployments.
  • Automation: Integrate with CI/CD pipelines for streamlined provisioning.
  • Consistency: Ensures environments are consistently configured.

Sample Bicep Template Snippet:

@description('Name of the NVA VM')
param nvaName string

@description('Admin username for the NVA')
param adminUsername string

@description('Admin password for the NVA')
@secure()
param adminPassword string

@description('NVA VM size')
param vmSize string = 'Standard_D3_v2'

@description('Virtual Network name')
param vnetName string

@description('NVA Subnet name')
param subnetName string = 'NVA-Subnet'

@description('Address prefix for the NVA Subnet')
param subnetAddress string = '10.0.1.0/24'

@description('Static private IP for the NVA NIC (first usable address of the subnet); the UDR next hop points here, so it must not change')
param nvaPrivateIP string = '10.0.1.4'

// Reference the existing VNet
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

// Create the NVA subnet inside the existing VNet
resource nvaSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  name: subnetName
  parent: vnet
  properties: {
    addressPrefix: subnetAddress
  }
}

// Create Public IP (Standard SKU, static; the NVA uses it for outbound SNAT)
resource nvaPublicIP 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: '${nvaName}-publicIP'
  location: resourceGroup().location
  sku: {
    name: 'Standard'
  }
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

// Create Network Interface
// IP forwarding is mandatory on an NVA NIC: without it Azure drops packets whose
// destination is not the NIC's own address, which is every packet the UDR sends here.
resource nvaNic 'Microsoft.Network/networkInterfaces@2023-05-01' = {
  name: '${nvaName}-nic'
  location: resourceGroup().location
  properties: {
    enableIPForwarding: true
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: {
            id: nvaSubnet.id
          }
          privateIPAllocationMethod: 'Static'
          privateIPAddress: nvaPrivateIP
          publicIPAddress: {
            id: nvaPublicIP.id
          }
        }
      }
    ]
  }
}

// Deploy the NVA VM
// Marketplace NVA images usually also require a `plan` block (publisher, product, name)
// matching the imageReference, and the image terms must be accepted beforehand.
resource nvaVM 'Microsoft.Compute/virtualMachines@2023-03-01' = {
  name: nvaName
  location: resourceGroup().location
  properties: {
    hardwareProfile: {
      vmSize: vmSize
    }
    storageProfile: {
      imageReference: {
        publisher: 'vendor'
        offer: 'nva-offer'
        sku: 'nva-sku'
        version: 'latest'
      }
      // An OS disk definition is required; the deployment fails without it
      osDisk: {
        createOption: 'FromImage'
        managedDisk: {
          storageAccountType: 'StandardSSD_LRS'
        }
      }
    }
    osProfile: {
      computerName: nvaName
      adminUsername: adminUsername
      adminPassword: adminPassword
    }
    networkProfile: {
      networkInterfaces: [
        {
          id: nvaNic.id
        }
      ]
    }
  }
}

Note: Replace 'vendor', 'nva-offer', and 'nva-sku' with values specific to your chosen NVA. Most marketplace NVA images also need a matching plan block and prior acceptance of the image terms (az vm image terms accept).

Deploy the Template:

az deployment group create \
  --resource-group 'YourResourceGroup' \
  --template-file nvaDeployment.bicep \
  --parameters nvaName='myNVA' \
              adminUsername='azureuser' \
              adminPassword='YourStrongPassword!' \
              vnetName='myVNet'

Passing the password inline leaves it in shell history and process listings; in practice, supply it through a parameters file or let the CLI prompt for the secure parameter.

4. Configuring User-Defined Routes (UDRs)

Purpose: Direct traffic from your VM Subnet to the NVA.

Steps:

  1. Create a Route Table:
    • Navigate to Route tables in the Azure Portal.
    • Click "+ Create".
    • Configure basic settings (name, region, resource group).
  2. Add a Route:
    • In the route table, select “Routes” > "+ Add".
    • Route Name: DefaultRoute.
    • Address Prefix: 0.0.0.0/0 (all traffic).
    • Next Hop Type: Virtual Appliance.
    • Next Hop Address: Private IP of the NVA’s NIC.
  3. Associate Route Table with VM Subnet:
    • In the route table, select “Subnets” > "+ Associate".
    • Choose the VM Subnet where your VMs reside.

Result: All outbound traffic from the VM Subnet is directed to the NVA.

5. Setting Up Security Rules with NSGs

Network Security Groups (NSGs) control inbound and outbound traffic.

For VM Subnet:

  • Outbound Rules: Allow traffic to the NVA subnet (e.g., allow all traffic to 10.0.2.0/24). Note that NSG rules are evaluated against the packet’s actual destination address, not the UDR next hop, so internet-bound traffic from the VM Subnet also needs an outbound rule permitting its real destination (e.g., the Internet service tag); it is the UDR, not the NSG, that forces that traffic through the NVA.

For NVA Subnet:

  • Inbound Rules: Allow traffic from the VM Subnet.
  • Outbound Rules: Allow traffic to the internet (e.g., HTTP, HTTPS).

Best Practices:

  • Least Privilege Principle: Only permit necessary traffic.
  • Log and Monitor NSG Flows: Use NSG flow logs for auditing and troubleshooting.
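The route table from step 4 and the NSG rules from step 5, written as an added Bicep example (not code from the original post), including the subnet association that the portal’s “Associate” click performs. It assumes the NVA NIC holds the static address 10.0.1.4 in the NVA subnet 10.0.1.0/24 (the template default), that the VM Subnet is 10.0.2.0/24 and named VM-Subnet, and that the VNet is named myVNet.

```bicep
// Assumed addressing: NVA NIC at 10.0.1.4 inside 10.0.1.0/24, VMs in 10.0.2.0/24
param nvaPrivateIP string = '10.0.1.4'
param nvaSubnetPrefix string = '10.0.1.0/24'
param vmSubnetPrefix string = '10.0.2.0/24'
param location string = resourceGroup().location
// Step 4: route table that sends all VM-subnet traffic to the NVA's private IP
resource vmRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-vm-subnet'
  location: location
  properties: {
    disableBgpRoutePropagation: true // keep gateway-learned routes from bypassing the NVA
    routes: [
      { name: 'DefaultRoute', properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: nvaPrivateIP } }
    ]
  }
}

// Step 5: NSG for the VM subnet. NSG rules match the packet's real destination, not the UDR
// next hop, so internet-bound flows still need an outbound allow to Internet even though the
// route table steers them through the NVA; the trailing deny blocks any other direct egress.
resource vmNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-vm-subnet'
  location: location
  properties: {
    securityRules: [
      { name: 'AllowToNvaSubnet', properties: { priority: 100, direction: 'Outbound', access: 'Allow', protocol: '*', sourceAddressPrefix: vmSubnetPrefix, sourcePortRange: '*', destinationAddressPrefix: nvaSubnetPrefix, destinationPortRange: '*' } }
      { name: 'AllowWebOutViaNva', properties: { priority: 110, direction: 'Outbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: vmSubnetPrefix, sourcePortRange: '*', destinationAddressPrefix: 'Internet', destinationPortRanges: [ '80', '443' ] } }
      { name: 'DenyOtherInternet', properties: { priority: 4000, direction: 'Outbound', access: 'Deny', protocol: '*', sourceAddressPrefix: '*', sourcePortRange: '*', destinationAddressPrefix: 'Internet', destinationPortRange: '*' } }
    ]
  }
}

// Step 5: NSG for the NVA subnet: accept forwarded flows from the VM subnet, allow web egress
resource nvaNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-nva-subnet'
  location: location
  properties: {
    securityRules: [
      { name: 'AllowFromVmSubnet', properties: { priority: 100, direction: 'Inbound', access: 'Allow', protocol: '*', sourceAddressPrefix: vmSubnetPrefix, sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '*' } }
      { name: 'AllowWebOut', properties: { priority: 100, direction: 'Outbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: '*', sourcePortRange: '*', destinationAddressPrefix: 'Internet', destinationPortRanges: [ '80', '443' ] } }
    ]
  }
}
// Associate route table and NSG with the VM subnet (the portal's "Associate" step); attach nvaNsg to the NVA subnet the same way
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: 'myVNet' }
resource vmSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: 'VM-Subnet'
  properties: { addressPrefix: vmSubnetPrefix, routeTable: { id: vmRouteTable.id }, networkSecurityGroup: { id: vmNsg.id } }
}
```

After deployment, `az network nic show-effective-route-table` on a VM’s NIC should list 0.0.0.0/0 with next hop type VirtualAppliance and the NVA’s private IP; if it still shows Internet, the route table is not associated with the right subnet.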

6. Ensuring High Availability (Optional)

Options:

  • Availability Sets:
    • Deploy multiple NVA instances within an availability set.
    • Distributes VMs across fault and update domains.
  • Load Balancing NVAs:
    • Place an Azure Load Balancer in front of NVAs.
    • Enable session persistence if required by the NVA.

Implementation Considerations:

  • Check if the NVA supports clustering or HA configurations.
  • Ensure consistent configurations across NVA instances.
  • Check how failover behaves, especially in active/passive configurations that rely on moving an IP from one device to another, as this can cause delays and outages in the solution.

7. Configuring the NVA

Access the NVA to apply your network policies.

Steps:

  1. Secure Access:
    • Limit management access via NSGs (e.g., allow only your IP).
    • Enable multi-factor authentication if supported.
  2. Apply Network Policies:
    • Configure firewall rules to permit or deny traffic.
    • Set up NAT rules for outbound internet access.
  3. Logging and Monitoring:
    • Enable syslog or other logging mechanisms.
    • Integrate with Azure Monitor or SIEM systems.

Vendor Documentation: Refer to the NVA vendor’s documentation for specific configuration steps.

8. Validating the Deployment

Testing Connectivity:

  • From a VM in the VM Subnet:
    • Ping External Addresses: Ensure ICMP is allowed.
    • Access External Websites: Test HTTP/HTTPS connectivity.
    • Verify Outbound IP: Open a web browser and navigate to ifconfig.me or ident.me; the address shown should be the NVA’s public IP, confirming that traffic egresses through the NVA.

Monitoring Traffic:

  • NVA Logs: Check for expected traffic patterns and any anomalies.
  • Azure Monitor Metrics: Monitor NVA’s CPU, memory, and network utilization.

Additional Insights

Balancing Complexity and Control

While NVAs offer granular control, they introduce complexity.

  • Operational Overhead: Requires expertise to manage and maintain.
  • Updates and Patches: Keep the NVA software updated to mitigate vulnerabilities.
  • Cost Implications: Consider the total cost of ownership, including licensing and VM costs.

Conclusion

Implementing an NVA provides advanced networking capabilities, enabling you to:

  • Customize Network Policies: Tailor security rules to specific needs.
  • Maintain Vendor Consistency: Use familiar tools across environments.
  • Enhance Security Posture: Leverage advanced features like intrusion prevention.

Key Takeaways:

  • Strategic Choice: NVAs are powerful but require thoughtful planning.
  • Vendor Expertise: Leverage vendor support and training.
  • Ongoing Management: Factor in operational efforts for maintenance and monitoring.
