In this article, I’m going to share my insights about Azure VMware Solution (AVS).
Currently, I’m collaborating with a European client who is planning to exit their data center. Their existing setup runs on VMware infrastructure, prompting them to transition their workloads to the Azure Cloud using AVS services. Given the complexity of their environment and the stringent compliance regulations that must be met, we at Capgemini have proposed several strategies to establish the AVS environment effectively.
Solution 1: On-Premises Traffic to AVS is Inspected at the Check Point Firewall Configured in AVS
In this approach, we have deployed a third-party Network Virtual Appliance (NVA) within the AVS environment. The following considerations were taken into account while designing the solution:
- IDS/IPS inspections are handled at the Check Point Firewall level.
- On-premises traffic is inspected by the Check Point Firewall configured in the AVS environment.
- All East-West traffic is steered to, and inspected by, the Check Point Firewall in AVS using User-Defined Routes (UDRs).
- Route summarization is implemented to reduce the size of routing tables and simplify the routing process.
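The two routing considerations above (steering East-West traffic to the NVA with UDRs, and summarizing routes to keep the route table small) are easy to get wrong in one specific way: a summary route that is too coarse silently captures a range that must bypass the firewall, such as the AVS management block or the NVA's own subnet, and produces a routing loop or a black hole. The following script is an added example, not code from the original article or from the Capgemini design; every prefix, the NVA address, and the `EXCLUDED_RANGES` list are constructed values. It collapses a set of workload segments into the smallest summary, checks that no summary overlaps a range that must not be steered to the NVA, and emits the resulting UDR entries using Azure's route property names (`addressPrefix`, `nextHopType` of `VirtualAppliance`, `nextHopIpAddress`).

```python
"""Route summarization and UDR generation for steering traffic to an NVA.

Added example; not part of the original article or of any customer design.
All prefixes and the NVA address below are constructed sample values.
"""
import ipaddress
from typing import Iterable, Union

Prefix = Union[str, ipaddress.IPv4Network]

# Constructed AVS workload segments whose East-West traffic must pass the NVA.
WORKLOAD_SEGMENTS = [
    "10.20.0.0/24", "10.20.1.0/24", "10.20.2.0/24", "10.20.3.0/24",
    "10.20.4.0/24", "10.20.5.0/24", "10.20.6.0/24", "10.20.7.0/24",
]

# Constructed ranges that a summary route must never capture, e.g. the AVS
# management block and the subnet holding the NVA's own interface.
EXCLUDED_RANGES = ["10.20.8.0/22", "10.20.255.0/24"]

# Assumed internal interface address of the Check Point NVA (constructed).
NVA_IP = "10.20.255.10"


def summarize(prefixes: Iterable[Prefix]) -> list:
    """Collapse contiguous/overlapping prefixes into the fewest summary routes."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def overlaps(summaries: Iterable[Prefix], excluded: Iterable[Prefix]) -> list:
    """Return (summary, excluded) pairs where a summary would swallow a range
    that must not be routed to the NVA. An empty list means the plan is safe."""
    conflicts = []
    excluded_nets = [ipaddress.ip_network(e) for e in excluded]
    for s in summaries:
        s_net = ipaddress.ip_network(s)
        for e_net in excluded_nets:
            if s_net.overlaps(e_net):
                conflicts.append((str(s_net), str(e_net)))
    return conflicts


def build_udr(summaries: Iterable[Prefix], nva_ip: str) -> list:
    """Emit one Azure UDR entry per summary route with the NVA as next hop."""
    routes = []
    for s in summaries:
        s_net = ipaddress.ip_network(s)
        routes.append({
            "name": "to-" + str(s_net).replace("/", "_").replace(".", "-"),
            "addressPrefix": str(s_net),
            "nextHopType": "VirtualAppliance",
            "nextHopIpAddress": nva_ip,
        })
    return routes


def plan_routes(segments: Iterable[Prefix], excluded: Iterable[Prefix],
                nva_ip: str) -> list:
    """Summarize, validate against excluded ranges, then build the UDR.
    Raises ValueError instead of producing a route table that would
    misroute management or NVA traffic."""
    summaries = summarize(segments)
    conflicts = overlaps(summaries, excluded)
    if conflicts:
        raise ValueError(f"summary routes capture protected ranges: {conflicts}")
    return build_udr(summaries, nva_ip)


if __name__ == "__main__":
    # Eight /24s collapse to a single /21, one UDR entry instead of eight.
    for route in plan_routes(WORKLOAD_SEGMENTS, EXCLUDED_RANGES, NVA_IP):
        print(route)
    # Over-summarizing to a /20 would capture the management block; show it.
    print("bad summary conflicts:", overlaps(["10.20.0.0/20"], EXCLUDED_RANGES))
```

Run the script to see the eight constructed /24 segments collapse into one `10.20.0.0/21` entry, and the overlap check flag a hand-written `/20` that would have pulled the management range behind the firewall. The same check is worth running whenever segments are added later, since a new segment can make a previously safe summary coarser.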

Solution 2: Traffic Between Virtual Machines in the Same Segment is Inspected by the NSX-T Distributed Firewall and Gateway Firewall
In this approach, we have utilized the NSX-T Distributed Firewall and Gateway Firewall. Below are the key considerations taken into account while designing the solution:
- On-premises and other cloud service provider traffic is inspected by the NSX-T Gateway Firewall.
- The NSX-T Gateway Firewall can perform IDS/IPS inspection and inspects inter-VLAN (inter-segment) traffic.
- Traffic between Virtual Machines within the same segment is inspected by the NSX-T Distributed Firewall.

Conclusion:
Azure VMware Solution (AVS) is one of Microsoft’s top offerings for clients operating on VMware infrastructure. While AVS is straightforward to deploy and configure, optimizing security, application performance, and latency requires a strategic approach. By implementing the right firewall configurations and traffic inspection mechanisms, organizations can ensure a secure and efficient AVS environment.
