It'd be great to see some patterns and considerations for how to serve services, UDP and TCP IaaS services, publicly using vWAN and intent-based routing. Not necessarily HTTPS. I'm struggling to find anything in the Architecture Center; I saw a few things around App Service but that's about it.
Hey Adam - Great video as usual. I have a question for you that is not specific to routing intent, but I was hoping you could provide some guidance. Say I have a total of (10) IPsec VPN tunnels terminating in various Azure regions around the globe. Each tunnel will terminate via an NVA in a spoke VNet in each region. Each NVA will be configured with BGP, and its BGP peer will be the vHub within each Azure region as part of our larger vWAN. The same BGP prefixes will be advertised across all (10) IPsec tunnels. If each tunnel is advertising the same prefixes (with different AS-PATH lengths), how does Azure vWAN handle this? Would the effective routes within the vHub show multiple paths to the same prefix, but with the various AS-PATH lengths as appropriate?
Yes, if you adjust the hub routing preference to AS-Path, I would expect the AS path to propagate across hubs and be used for traffic forwarding.
Adam, this is great. My org is looking to do something similar. We are an org with central IT managing hub and spoke for all BUs. Central IT manages the hub, and the spokes are managed by the BUs. However, some of the larger BUs in the org want to have their own hub and manage their own firewall. We are looking at two hubs in the same region on the vWAN. The vWAN will be managed by central IT. Red will be central IT, and in this case Blue will be my BU. This is similar to your design; however, both Blue and Red will have firewalls. The purpose of the firewall for Blue will be to manage inbound and outbound internet traffic. Therefore it would be two secured hubs. ExpressRoute would still live in Red. Does it make sense to have two secured hubs in the same region with one hub providing ExpressRoute for both?
Thanks for the video. I can see a use case for inspecting traffic on the on-prem firewall for a restricted workflow and keeping all remaining traffic inspected by Azure Firewall. I have a wide range of /16s in RFC 1918 space on the existing vHub. If I create a new vHub now, I will have to define a specific range from on-prem to Azure for the new ExpressRoute to the new hub in the same region for traffic isolation. Would it be an issue if the specific traffic to the new vHub has some overlap?
Hey Adam, great video. I have a question for you: We have a couple of branches with VeloCloud and one vEdge in Azure. We are looking at how to create HA on the Azure side, and so far we've seen creating a hub in Azure and then adding the existing vEdge and the additional one to it. Does that make sense? Then on the orchestrator side we would have to make the appropriate changes to tell each branch to connect to the hub. Does that make sense? Thank you.
I would be asking VeloCloud for their recommended design. Some customers connect HA tunnels to multiple NVAs in one region/hub; some customers connect to multiple regions. It depends on your requirements and global design.
@AdamStuart1 yes, that's exactly what we've seen. My question lies more in whether creating hubs is the way to go, either in the same region or spread across regions. Thank you so much!