Microsoft Azure VMware Solution (AVS) recently added a new feature that enables public IP addresses to be published down to the NSX-T Edge, providing a new option for internet connectivity. In this blog post, we will explore the three options available for providing internet access to AVS deployments, their advantages and disadvantages, and how to configure each option.
Option 1: Microsoft-Managed SNAT
--------------------------------
The first option is the Microsoft-managed SNAT feature, which allows for outbound connectivity only. This feature is the easiest and most cost-effective option, as the public IP addresses are fully managed by Microsoft free of charge. With this option, two public IPs are used and rotated to provide outbound connectivity to Azure VMware Solution workloads with up to 128,000 concurrent connections.
Advantages:
* Easy to set up and manage
* Cost-effective
* Fully managed by Microsoft
Disadvantages:
* Limited to outbound connectivity only
* No inbound connectivity support
Option 2: Default Route Advertisement
-------------------------------------
The second option is based on the default route advertisement from another component in the Azure infrastructure. This advertisement can be done using a variety of methods, such as routing protocols or static routes. If no default route is advertised to AVS, the VMs will not be able to access the internet. This option is also used to disable internet access on AVS deployments.
Advantages:
* Allows for inbound and outbound connectivity
* Can be used to disable internet access on AVS deployments
Disadvantages:
* Requires additional infrastructure and configuration
* Limited control over SNAT and DNAT rules
Option 3: Public IP Addresses on NSX-T Edge
-------------------------------------------
The third option is the newest feature released by Microsoft, which allows for public IP addresses to be published down to the NSX-T Edge. This feature provides the best of both previous options and enables inbound and outbound connectivity. With this option, public IP addresses are billed separately from the AVS instance itself, as they are when used for other Azure purposes.
Advantages:
* Allows for inbound and outbound connectivity
* Provides the best of both previous options
* Enables internet access with NSX-T components
Disadvantages:
* Requires additional configuration and infrastructure
* Separate billing for public IP addresses
Configuring Internet Connectivity on AVS
----------------------------------------
To enable internet connectivity on AVS, you will need to create at least one public IP block and configure a SNAT rule on the NSX-T T1 router. Depending on the firewall configuration on NSX-T, you may need to create firewall rules to allow the traffic to pass through. For inbound connectivity, a DNAT rule can be used to forward traffic from the public IP address to the internal IP address of the workload.
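
The SNAT and DNAT rules described above decide what the T1 router exposes, so they are worth auditing once created. The following added example (not code from the original post, nor from Microsoft or VMware) flags risky NAT rules; it assumes the rules are available as dicts in the NSX-T Policy API NAT rule shape, and the rule ids, addresses and sample data are constructed.

```python
# Added example: audit NAT rules on an NSX-T T1 gateway for risky exposure.
# Assumption: each rule is a dict shaped like an NSX-T Policy API NAT rule.

def audit_nat_rules(rules):
    """Return sorted (rule_id, finding) pairs for enabled NAT rules."""
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue  # a disabled rule translates no traffic
        rid = rule.get("id", "<no-id>")
        if rule.get("action") == "DNAT":
            # BYPASS skips the gateway firewall for translated traffic.
            if rule.get("firewall_match") == "BYPASS":
                findings.append((rid, "inbound DNAT bypasses the gateway firewall"))
            # No service restriction: every port on the public IP is forwarded.
            if not rule.get("service"):
                findings.append((rid, "DNAT forwards every port to the workload"))
            if not rule.get("logging", False):
                findings.append((rid, "inbound DNAT is not logged"))
        elif rule.get("action") == "SNAT" and not rule.get("source_network"):
            findings.append((rid, "SNAT applies to any source behind the T1"))
    return sorted(findings)

# Constructed sample data: documentation address ranges, hypothetical rule ids.
SAMPLE_RULES = [
    {"id": "snat-outbound", "action": "SNAT", "enabled": True,
     "source_network": "192.168.10.0/24", "translated_network": "203.0.113.10"},
    {"id": "dnat-web", "action": "DNAT", "enabled": True, "logging": True,
     "destination_network": "203.0.113.11", "translated_network": "192.168.10.20",
     "service": "/infra/services/HTTPS", "firewall_match": "MATCH_EXTERNAL_ADDRESS"},
    {"id": "dnat-legacy", "action": "DNAT", "enabled": True, "logging": False,
     "destination_network": "203.0.113.12", "translated_network": "192.168.10.30",
     "firewall_match": "BYPASS"},
    {"id": "dnat-retired", "action": "DNAT", "enabled": False,
     "destination_network": "203.0.113.13", "translated_network": "192.168.10.40",
     "firewall_match": "BYPASS"},
]

if __name__ == "__main__":
    for rule_id, finding in audit_nat_rules(SAMPLE_RULES):
        print(f"{rule_id}: {finding}")
```
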
Conclusion
----------
With the new feature that publishes public IP addresses down to the NSX-T Edge now available for AVS, there are new ways to manage the internet connectivity of AVS workloads. This setup offers a new set of possibilities and is a real asset to consider when hosting internet-facing applications or controlling outgoing internet connections.