How to use the public IP functionality in Azure VMware Solution

Public IP is a new feature in Azure VMware Solution connectivity. It makes resources, such as web servers, virtual machines (VMs), and hosts accessible through a public network.

You enable public internet access in two ways.

  • Applications can be hosted and published under the Application Gateway load balancer for HTTP/HTTPS traffic.
  • Published through public IP features in Azure Virtual WAN.

As a part of Azure VMware Solution private cloud deployment, upon enabling public IP functionality, the required components with automation get created and enabled:

  • Virtual WAN

  • Virtual WAN hub with ExpressRoute connectivity

  • Azure Firewall services with public IP

This article details how you can use the public IP functionality in Virtual WAN.

Prerequisites

  • Azure VMware Solution environment
  • A webserver running in Azure VMware Solution environment.
  • A new non-overlapping IP range for the Virtual WAN hub deployment, typically a /24.

Reference architecture

Public IP architecture diagram

The architecture diagram shows a web server hosted in the Azure VMware Solution environment and configured with RFC1918 private IP addresses. The web service is made available to the internet through Virtual WAN public IP functionality. Public IP is typically a destination NAT translated in Azure Firewall. With DNAT rules, firewall policy translates public IP address requests to a private address (webserver) with a port.

User requests hit the firewall on a public IP that, in turn, is translated to private IP using DNAT rules in the Azure Firewall. The firewall checks the NAT table, and if the request matches an entry, it forwards the traffic to the translated address and port in the Azure VMware Solution environment.

The web server receives the request and replies with the requested information or page to the firewall, and then the firewall forwards the information to the user on the public IP address.

Test case

In this scenario, you'll publish the IIS webserver to the internet. Use the public IP feature in Azure VMware Solution to publish the website on a public IP address. You'll also configure NAT rules on the firewall and access Azure VMware Solution resource (VMs with a web server) with public IP.

Deploy Virtual WAN

  1. Sign in to the Azure portal and then search for and select Azure VMware Solution.

  2. Select the Azure VMware Solution private cloud.

    Screenshot of the Azure VMware Solution private cloud.

  3. Under Manage, select Connectivity.

    Screenshot of the Connectivity section.

  4. Select the Public IP tab and then select Configure.

    Screenshot that shows where to begin to configure the public IP

  5. Accept the default values or change them, and then select Create.

    • Virtual WAN resource group

    • Virtual WAN name

    • Virtual hub address block (using new non-overlapping IP range)

    • Number of public IPs (1-100)

It takes about one hour to complete the deployment of all components. This deployment only has to occur once to support all future public IPs for this Azure VMware Solution environment.

Tip

You can monitor the status from the Notification area.

View and add public IP addresses

We can check and add more public IP addresses by following the below steps.

  1. In the Azure portal, search for and select Firewall.

  2. Select a deployed firewall and then select Visit Azure Firewall Manager to configure and manage this firewall.

    Screenshot that shows the option to configure and manage the firewall

  3. Select Secured virtual hubs and, from the list, select a virtual hub.

    Screenshot of Firewall Manager

  4. On the virtual hub page, select Public IP configuration, and to add more public IP address, then select Add.

    Screenshot of how to add a public IP configuration in Firewall Manager

  5. Provide the number of IPs required and select Add.

    Screenshot to add a specified number of public IP configurations

Create firewall policies

Once all components are deployed, you can see them in the added Resource group. The next step is to add a firewall policy.

  1. In the Azure portal, search for and select Firewall.

  2. Select a deployed firewall and then select Visit Azure Firewall Manager to configure and manage this firewall.

    Screenshot that shows the option to configure and manage the firewall

  3. Select Azure Firewall Policies and then select Create Azure Firewall Policy.

    Screenshot of how to create a firewall policy in Firewall Manager

  4. Under the Basics tab, provide the required details and select Next : DNS Settings.

  5. Under the DNS tab, select Disable, and then select Next : Rules.

  6. Select Add a rule collection, provide the below details, and select Add and then select Next : Threat intelligence.

    • Name
    • Rules collection Type - DNAT
    • Priority
    • Rule collection Action – Allow
    • Name of rule
    • Source Type- IPaddress
    • Source - *
    • Protocol – TCP
    • Destination port – 80
    • Destination Type – IP Address
    • Destination – Public IP Address
    • Translated address – Azure VMware Solution Web Server private IP Address
    • Translated port - Azure VMware Solution Web Server port
  7. Leave the default value, and then select Next : Hubs.

  8. Select Associate virtual hub.

  9. Select a hub from the list and select Add.

    Screenshot that shows the selected hubs that will be converted to Secured Virtual Hubs.

  10. Select Next : Tags.

  11. (Optional) Create name and value pairs to categorize your resources.

  12. Select Next : Review + create and then select Create.

Limitations

You can have 100 public IPs per SDDCs.

Next steps

Learn more about using public IP addresses using Azure Virtual WAN.