Site to Site VPNs

Hi all

How do you handle your site to site VPNs when having a 3rd party NVA or Azure Firewall?

Azure VPN Gateway or NVA.

What do you mean by “handle”? You handle it like anything else. Configure, monitor, manage. I manage about 60 S2S’s some VNG based and a few ER’s sprinkled in.

When having an NVA I route to those. Azure Firewall has no site to site configuration.

NVA will be cheaper for S2S

Or use Azure VNG/LNG if you want

Virtual Gateway in Azure. I just made two of them yesterday in my FortiGates.

Traditional Hub and Spoke Model. Everything else is a spoke that connects to the HUB that contains the NVA. Then in the HUB network you have an Azure VPN Gateway that connects to wherever, which can be the S2S or ExpressRoute VPN. We use 3rd party NVA not the Azure Firewall.

It gets really fun when you introduce SDWAN then the routing is challenging to sort out. GL!

We gave up. We tried to make it work with our existing VPN and our consultant couldn't get it working. We then looked at Azure VPN Gateway but our users would have rebelled.

Azure VPN Gateway in a Hub network which includes Azure Firewall deployed to another subnet is the recommended option for easy uptime SLA and no management needed.

If you have a 3rd party NVA deployed in Azure already then just use that, assuming it’s in your hub network. Bear in mind you’ll need to design for resiliency, it’ll deploy 2 VMs. Just create your IKEv2 tunnels in there. Probably end up needing Azure Route Server too to make your life easier with dynamic routing and BGP. Plus you’ll need load balancers.

Take a read of this article: Deploy highly available NVAs - Azure Architecture Center | Microsoft Learn

We have Fortigate firewalls on prem and so we went with Fortigate in Azure. We have a site-to-site setup through those and use FortiClient for P2S.

How do you have your VPNs configured? On the NVA or do you have an Azure VPN Gateway for that?

NVA is cheaper compared to VNG?

Do you use the Fortigates and an Azure VPN Gateway?

So you have both the 3rd party and Azure VPN Gateway?

VNG. I’d love to use an NVA instead if I could find an affordable option. Free options like frrouter aren’t really there for me either.

[edit] I should add. The configuration is just a very standard IKEv2 policy in route based mode. We connect with PAN, Checkpoint, Fortigate, Cisco ASA, Firepower, and more depending on what the customer has on their end. The Azure VNG’s IPsec feature is very reliable. Rarely have I run into an issue that wasn’t related to a customer misconfiguration.

Having said that, there are downsides which make NVAs so attractive. For starters the VNG is a lousy router. No GRE support, buggy BGP behavior, especially with the new APIPA feature, no BGP community support, additional back-end Azure BGP limitations forcing wildly and unnecessarily complicated “virtual wan” topologies to solve use cases that BGP and IGPs solved decades ago in far more simplified formats.
Really bad troubleshooting tools. Garbage packet capture tool. No ability to run direct network testing off the VNG, like pings, traceroutes, etc.

NVAs are basically network appliances that let you do everything you might want. It just comes with a significant cost over a basic VNG.

Ya, not deploying a new NVA obv. but if you have an existing nva, just add a new connection to it

3rd party and ExpressRoute VPN. ExpressRoute VPN can be swapped for S2S VPN instead. You can have both in your gateway subnet but ExpressRoute VPN always takes priority over S2S Azure VPN; at least that’s the way it was a while back when we tried to set it up and got shut down by MS.

Was there a reason why not to just terminate VPNs on the NVA?

Because I’m studying AZ-104 and was labbing it out? :grimacing:

That’s what I’m wondering because I’ve mostly seen NVAs handle both if it’s a Palo or Fortigate. When using Azure Firewall instead you need a VNG because it doesn’t do VPNs itself. Unless the VNG is being used for ExR and VPN.
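The hub layout the two Azure Firewall posts above describe (a VPN Gateway in GatewaySubnet next to Azure Firewall, with a route table on GatewaySubnet so traffic arriving over the tunnel for the spokes is inspected by the firewall instead of bypassing it), as an added Bicep example that is not from this thread or from Microsoft's templates. It assumes an existing hub VNet named vnet-hub and an existing route-based gateway named vng-hub; every other name, prefix and the on-prem peer address is a placeholder.

```bicep
param location string = resourceGroup().location
param onPremPeerIp string = '203.0.113.10'       // assumed on-prem public IP (TEST-NET-3 range)
param onPremPrefixes array = ['192.168.0.0/16']  // assumed on-prem address ranges
param spokePrefix string = '10.1.0.0/16'         // assumed spoke address range
param firewallPrivateIp string = '10.0.1.4'      // assumed Azure Firewall private IP
@secure()
param sharedKey string                           // IKEv2 pre-shared key, supplied at deploy time

// Existing hub VNet and route-based VPN Gateway (assumed names).
resource hub 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: 'vnet-hub' }
resource vng 'Microsoft.Network/virtualNetworkGateways@2023-05-01' existing = { name: 'vng-hub' }

// UDR on GatewaySubnet: only the spoke prefix is steered to the firewall, so traffic
// arriving over the tunnel is inspected. Never add a 0.0.0.0/0 route here; it breaks
// the gateway's own control-plane traffic.
resource gwRoutes 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-gatewaysubnet'
  location: location
  properties: {
    routes: [{
      name: 'spokes-via-firewall'
      properties: { addressPrefix: spokePrefix, nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp }
    }]
  }
}
resource gatewaySubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: hub
  name: 'GatewaySubnet'
  properties: { addressPrefix: '10.0.0.0/27', routeTable: { id: gwRoutes.id } }  // prefix assumed to match the existing subnet
}

// The on-prem peer: its public address and the prefixes reachable behind it.
resource lng 'Microsoft.Network/localNetworkGateways@2023-05-01' = {
  name: 'lng-onprem'
  location: location
  properties: {
    gatewayIpAddress: onPremPeerIp
    localNetworkAddressSpace: { addressPrefixes: onPremPrefixes }
  }
}

// Route-based IKEv2 S2S connection from the VNG to the on-prem peer.
resource s2s 'Microsoft.Network/connections@2023-05-01' = {
  name: 'cn-onprem'
  location: location
  properties: {
    connectionType: 'IPsec'
    connectionProtocol: 'IKEv2'
    virtualNetworkGateway1: { id: vng.id }
    localNetworkGateway2: { id: lng.id }
    sharedKey: sharedKey
  }
}
```

Spoke VNets still need their own route table sending on-prem prefixes to firewallPrivateIp, otherwise only the inbound direction is inspected; Azure Firewall rules then decide what crosses the tunnel in either direction.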