Network and connectivity topologies
For both cloud-native and hybrid scenarios, implementing a VMware Software-Defined Data Center (SDDC) within the Azure cloud ecosystem raises some unique design challenges to think about when planning your deployment. Some of these challenges are outlined as follows:
- Hybrid connectivity: This is the connectivity between your on-premises environment and your AVS private cloud. If you already have a presence in Azure, look at the connectivity method you currently use to connect your on-premises data center to Azure. If there is no existing connectivity, make sure you understand the available options (ExpressRoute, S2S VPN, or SD-WAN). We will dive deeper into these areas in a later chapter.
- Reliability and performance: This is very important, as your workloads will need consistent, low-latency connectivity. You will also need to design for scalability to accommodate future growth.
- A zero-trust network security model: Security should be at the heart of every solution that you implement in Azure, and AVS is no exception. You will need to plan security for your network perimeter, and traffic inspection for both ingress and egress flows.
- Extensibility: Your network footprint should be easy to extend without a redesign. This is very important as your AVS needs grow.
We will now review the various network traffic flows within the AVS architecture between AVS, Azure-native services, and the customer’s on-premises environment:
- AVS without any connectivity:
Figure 1.4 – An overview of AVS deployment without any connectivity
The preceding diagram shows an AVS deployment without any connectivity to Azure or to the customer’s on-premises data center.
- AVS with Global Reach enabled:
Figure 1.5 – An overview of a BGP traffic flow to on-premises
The preceding diagram shows a BGP traffic flow (blue dotted arrows) from AVS to the customer’s on-premises data center. BGP traffic will flow between the two environments once ExpressRoute Global Reach is enabled.
- AVS with Global Reach enabled – BGP traffic flowing to Azure from AVS:
Figure 1.6 – The BGP traffic flow from AVS to Azure-native services through the customer MSEE
The preceding diagram shows the BGP traffic flow from AVS to Azure-native services through the customer’s Microsoft Enterprise Edge (MSEE) routers. BGP traffic will flow between the two environments once ExpressRoute Global Reach is enabled.
- Connection between AVS and Azure-native services:
Figure 1.7 – The BGP traffic flow from AVS to Azure-native services through the customer’s ExpressRoute gateway
The preceding diagram shows the BGP traffic flow from AVS to Azure-native services through the customer’s ExpressRoute gateway. This connection is only to Azure services and not to the customer’s on-premises environment.
- Internet traffic flow from AVS via a vWAN:
Figure 1.8 – Internet traffic flow from AVS via a secure Azure Virtual WAN
The preceding diagram shows internet traffic flow from AVS via a secure Azure Virtual WAN.
- Internet traffic flow from AVS via an Azure Route Server and a Network Virtual Appliance (NVA):
Figure 1.9 – Internet traffic flow from AVS via an NVA
The preceding diagram shows internet traffic flow from AVS via an NVA.
- Internet traffic flow from AVS via the customer on-premises firewall:
Figure 1.10 – Internet traffic flow from AVS via the customer’s on-premises infrastructure
The preceding diagram depicts internet traffic flow between AVS and the customer’s on-premises infrastructure, passing through the customer’s on-premises firewall.