
Commit 5cdf181

Merge pull request #292091 from wtnlee/nvasneakypaw
Nvasneakypaw
2 parents bbe7bac + d3f360d commit 5cdf181

4 files changed

+72
-40
lines changed


articles/virtual-wan/how-to-nva-hub.md

Lines changed: 72 additions & 40 deletions
@@ -10,74 +10,106 @@ ms.author: cherylmc
1010
---
1111
# How to create a Network Virtual Appliance in an Azure Virtual WAN hub
1212

13-
This article shows you how to use Virtual WAN to connect to your resources in Azure through a **Network Virtual Appliance (NVA)** in Azure. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. For more information about Virtual WAN, see [What is Virtual WAN?](virtual-wan-about.md)
13+
This article shows you how to deploy an **Integrated Network Virtual Appliance (NVA)** in an Azure Virtual WAN hub.
1414

15-
The steps in this article help you create a **Barracuda CloudGen WAN** Network Virtual Appliance in the Virtual WAN hub. To complete this exercise, you must have a Barracuda Cloud Premise Device (CPE) and a license for the Barracuda CloudGen WAN appliance that you deploy into the hub before you begin.
15+
## Background
1616

17-
For deployment documentation of **Cisco SD-WAN** within Azure Virtual WAN, see [Cisco Cloud OnRamp for Multi-Cloud](https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/cloudonramp/ios-xe-17/cloud-onramp-book-xe/cloud-onramp-multi-cloud.html#Cisco_Concept.dita_c61e0e7a-fff8-4080-afee-47b81e8df701).
17+
NVAs deployed in the Virtual WAN hub are typically split into three categories:
1818

19-
For deployment documentation of **VMware SD-WAN** within Azure Virtual WAN, see [Deployment Guide for VMware SD-WAN in Virtual WAN Hub](https://docs.vmware.com/en/VMware-SD-WAN/index.html)
19+
* **Connectivity appliances**: Used to terminate VPN and SD-WAN connections from on-premises. Connectivity appliances use Border Gateway Protocol (BGP) to exchange routes with the Virtual WAN hub.
20+
* **Next-Generation Firewall (NGFW) appliances**: Used with [Routing Intent](how-to-routing-policies.md) to provide bump-in-the-wire inspection for traffic traversing the Virtual WAN hub.
21+
* **Dual-role connectivity and Firewall appliances**: Single device that both connects on-premises devices to Azure and inspects traffic traversing the Virtual WAN hub with [Routing Intent](how-to-routing-policies.md).
22+
23+
For the list of NVAs that can be deployed in the Virtual WAN hub and their respective capabilities, see [Virtual WAN NVA partners](about-nva-hub.md#partners).
24+
25+
## Deployment Mechanisms
26+
27+
Network Virtual Appliances can be deployed through a couple of different workflows. Different Network Virtual Appliance partners support different deployment mechanisms. Every Virtual WAN integrated NVA partner supports the **Azure Marketplace Managed Application** workflow. For information about other deployment methods, reference your NVA provider's documentation.
28+
29+
* **Azure Marketplace Managed Application**: All Virtual WAN NVA partners use Azure Managed Applications to deploy Integrated NVAs in the Virtual WAN hub. Azure Managed Applications offer you an easy way to deploy NVAs into the Virtual WAN hub via an Azure portal experience that is created by the NVA provider. The Azure portal experience collects critical deployment and configuration parameters needed to deploy and boot-strap the NVA. For more information on Azure Managed Applications, see [Managed Application documentation](../azure-resource-manager/managed-applications/overview.md). Reference your provider's documentation on the full deployment workflow via Azure Managed Application.
30+
* **NVA orchestrator deployments**: Certain NVA partners allow you to deploy NVAs into the Hub directly from the NVA orchestration or management software. NVA deployments from NVA orchestration software typically require you to provide an Azure service principal to the NVA orchestration software. The Azure service principal is used by the NVA orchestration software to interact with Azure APIs to deploy and manage NVAs in the hub. This workflow is specific to the NVA provider's implementation. Reference your provider's documentation for more information.
31+
* **Other deployment mechanisms**: NVA partners may also offer other mechanisms to deploy NVAs in the hub such as ARM templates and Terraform. Reference your provider's documentation for more information on other supported deployment mechanisms.
2032

2133
## Prerequisites
2234

23-
Verify that you've met the following criteria before beginning your configuration:
35+
The following tutorial assumes that you have deployed a Virtual WAN resource with at least one Virtual WAN hub. The tutorial also assumes that you are deploying NVAs via Azure Marketplace Managed Application.
36+
37+
### <a name="requiredpermissions"></a> Required Permissions
38+
39+
To deploy a Network Virtual Appliance in a Virtual WAN Hub, the user or service principal that creates and manages the NVA must have at minimum the following permissions:
40+
41+
* Microsoft.Network/virtualHubs/read over the Virtual WAN hub in which the NVA is deployed into.
42+
* Microsoft.Network/networkVirtualAppliances/write over the resource group where the NVA is deployed into.
43+
* Microsoft.Network/publicIpAddresses/join over the public IP address resources that are deployed with the Network Virtual Appliance for [Internet Inbound](how-to-network-virtual-appliance-inbound.md) use cases.
2444

25-
* Obtain a license for your Barracuda CloudGen WAN gateway. To learn more about how to do this, see the [Barracuda CloudGen WAN Documentation](https://www.barracuda.com/products/cloudgenwan)
45+
These permissions need to be granted to the Azure Marketplace Managed Application to ensure deployments succeed. Other permissions may be required based on the implementation of the deployment workflow developed by your NVA partner.
2646

27-
* You have a virtual network that you want to connect to. Verify that none of the subnets of your on-premises networks overlap with the virtual networks that you want to connect to. To create a virtual network in the Azure portal, see the [Quickstart](../virtual-network/quick-create-portal.md).
47+
## Assigning Permissions to Azure Managed Application
2848

29-
* Your virtual network doesn't have any virtual network gateways. If your virtual network has a gateway (either VPN or ExpressRoute), you must remove all gateways. This configuration requires that virtual networks are connected instead, to the Virtual WAN hub gateway.
49+
Network Virtual Appliances that are deployed via Azure Marketplace Managed Application are deployed in a special resource group in your Azure tenant called the **managed resource group**. When you create a Managed Application in your subscription, a corresponding and separate **managed resource group** is created in your subscription. All Azure resources created by the Managed Application (including the Network Virtual Appliance) are deployed into the **managed resource group**.
3050

31-
* Obtain an IP address range for your hub region. The hub is a virtual network that is created and used by Virtual WAN. The address range that you specify for the hub can't overlap with any of your existing virtual networks that you connect to. It also can't overlap with your address ranges that you connect to your on-premises sites. If you're unfamiliar with the IP address ranges located in your on-premises network configuration, coordinate with someone who can provide those details for you.
51+
Azure Marketplace owns a first-party service principal that performs the deployment of resources into the **managed resource group**. This first-party principal has permissions to create resources in the **managed resource group**, but doesn't have permissions to read, update or create Azure resources outside of the **managed resource group**.
3252

33-
* If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
53+
To ensure that your NVA deployment is performed with the sufficient level of permissions, grant additional permissions to the Azure Marketplace deployment service principal by deploying your Managed Application with a user-assigned managed identity that has permissions over the Virtual WAN hub and public IP address that you want to use with your Network Virtual Appliance. This user-assigned Managed Identity is used only for initial deployment of resources in the managed resource group and is used solely in the context of that Managed Application deployment.
3454

35-
## <a name="openvwan"></a>Create a virtual WAN
55+
>[!NOTE]
56+
> Only user-assigned system identities can be assigned to Azure Managed Applications to deploy Network Virtual Appliances in the Virtual WAN Hub. System-assigned identities are not supported.
3657
37-
[!INCLUDE [Create virtual WAN](../../includes/virtual-wan-create-vwan-include.md)]
58+
1. Create a new user-assigned identity. For steps on creating new user-assigned identities, see [managed identity documentation](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). You can also use an existing user-assigned identity.
59+
2. Assign permissions to your user-assigned identity to have at minimum the permissions described in the [Required Permissions](#requiredpermissions) section alongside any permissions your NVA provider requires. You can also give the user-assigned identity a built-in Azure role like [Network Contributor](../role-based-access-control/built-in-roles/networking.md#network-contributor) that contains a superset of the needed permissions.
3860

39-
## <a name="hub"></a>Create a hub
61+
Alternatively, you can also create a [custom role](../role-based-access-control/custom-roles.md) with the following sample definition and assign the custom role to your user-assigned managed identity.
4062

41-
Create a virtual hub by filling out the **Basics** tab to create an empty virtual hub (a virtual hub that doesn't contain any gateways).
63+
```
64+
{
65+
"Name": "Virtual WAN NVA Operator",
66+
"IsCustom": true,
67+
"Description": "Can perform deploy and manage NVAs in the Virtual WAN hub.",
68+
"Actions": [
69+
"Microsoft.Network/virtualHubs/read",
70+
"Microsoft.Network/publicIPAddresses/join",
71+
"Microsoft.Network/networkVirtualAppliances/*",
72+
"Microsoft.Network/networkVirtualAppliances/inboundSecurityRules/*"
73+
],
74+
"NotActions": [],
75+
"DataActions": [],
76+
"NotDataActions": [],
77+
"AssignableScopes": [
78+
"/subscriptions/{subscription where Virtual Hub and NVA is deployed}",
79+
"/subscriptions/{subscription where Public IP used for NVA is deployed}",
80+
]
81+
}
82+
```
83+
## Deploying the NVA
4284

43-
[!INCLUDE [Create a virtual hub](../../includes/virtual-wan-hub-basics.md)]
85+
The following section describes the steps needed to deploy a Network Virtual Appliance into the Virtual WAN hub using Azure Marketplace Managed Application.
4486

45-
## Create the Network Virtual Appliance in the hub
87+
1. Navigate to your Virtual WAN hub and select **Network Virtual Appliance** under **Third party providers**.
4688

47-
In this step, you'll create a Network Virtual Appliance in the hub. The procedure for each NVA will be different for each NVA partner's product. For this example, we're creating a Barracuda CloudGen WAN gateway.
89+
:::image type="content" source="./media/network-virtual-appliance-creation/network-virtual-appliance-menu.png"alt-text="Screenshot showing how to navigate to NVA menu under Virtual WAN hub."lightbox="./media/network-virtual-appliance-creation/network-virtual-appliance-menu.png":::
4890

49-
1. Locate the Virtual WAN hub you created in the previous step and open it.
91+
2. Select **Create network virtual appliance**.
5092

51-
:::image type="content" source="./media/how-to-nva-hub/nva-hub.png" alt-text="Screenshot of the Network Virtual Appliance tile." lightbox="./media/how-to-nva-hub/nva-hub.png":::
93+
:::image type="content" source="./media/network-virtual-appliance-creation/network-virtual-appliance-create.png"alt-text="Screenshot showing how to create NVA."lightbox="./media/network-virtual-appliance-creation/network-virtual-appliance-create.png":::
5294

53-
1. Find the **Network Virtual Appliance** tile and select the **Create** link.
54-
1. On the **Network Virtual Appliance** page, from the dropdown, select **Barracuda CloudGen WAN**, then select the **Create** button and **Leave**. This takes you to the Azure Marketplace offer for the Barracuda CloudGen WAN gateway.
55-
1. Read the terms, select **Get it now**, then click **Continue** when you're ready. The page will automatically change to the page for the **Barracuda CloudGen WAN Gateway**. Select **Create** to open the **Basics** page for gateway settings.
95+
3. Choose the NVA vendor. In this example, "fortinet-ngfw" is selected and select **Create**. At this point, you're redirected to the NVA partner's Azure Marketplace managed application.
5696

57-
:::image type="content" source="./media/how-to-nva-hub/barracuda-create-basics.png" alt-text="Screenshot of the Basics page."lightbox="./media/how-to-nva-hub/barracuda-create-basics.png":::
58-
1. On the Create Barracuda CloudGen WAN Gateway **Basics** page, provide the following information:
97+
:::image type="content" source="./media/network-virtual-appliance-creation/network-virtual-appliance-vendor.png"alt-text="Screenshot showing how to select NVA vendor."lightbox="./media/network-virtual-appliance-creation/network-virtual-appliance-vendor.png":::
5998

60-
* **Subscription** - Choose the subscription you used to deploy the Virtual WAN and hub.
61-
* **Resource Group** - Choose the same Resource Group you used to deploy the Virtual WAN and hub.
62-
* **Region** - Choose the same Region in which your Virtual hub resource is located.
63-
* **Application Name** - The Barracuda NextGen WAN is a Managed Application. Choose a name that makes it easy to identify this resource, as this is what it will be called when it appears in your subscription.
64-
* **Managed Resource Group** - This is the name of the Managed Resource Group in which Barracuda will deploy resources that are managed by them. The name should be pre-populated for this.
65-
1. Select **Next: CloudGen WAN gateway** to open the **Create Barracuda CloudGen WAN Gateway** page.
99+
4. Follow the managed application creation experience to deploy your NVA and reference your provider's documentation. Ensure that the user-assigned system identity created in the previous section is selected as part of the managed application creation workflow.
66100

67-
:::image type="content" source="./media/how-to-nva-hub/barracuda-cloudgen-wan.png" alt-text="Screenshot of the Create Barracuda CloudGen WAN Gateway page."lightbox="./media/how-to-nva-hub/barracuda-cloudgen-wan.png":::
68-
1. On the **Create Barracuda CloudGen WAN Gateway** page, provide the following information:
101+
## Common Deployment Errors
69102

70-
* **Virtual WAN Hub** - The Virtual WAN hub you want to deploy this NVA into.
71-
* **NVA Infrastructure Units** - Indicate the number of NVA Infrastructure Units you want to deploy this NVA with. Choose the amount of aggregate bandwidth capacity you want to provide across all of the branch sites that will be connecting to this hub through this NVA.
72-
* **Token** - Barracuda requires that you provide an authentication token here in order to identify yourself as a registered user of this product. You'll need to obtain this from Barracuda.
73-
1. Select the **Review and Create** button to proceed.
74-
1. On this page, you'll be asked to accept the terms of the Co-Admin Access agreement. This is standard with Managed Applications where the Publisher will have access to some resources in this deployment. Check the **I agree to the terms and conditions above** box, and then select **Create**.
103+
### Permission errors
75104

76-
## <a name="vnet"></a>Connect the VNet to the hub
105+
>[!NOTE]
106+
> The error message associated with a **LinkedAuthorizationFailed** only displays one missing permission. As a result, you may see a different missing permission after you update the permissions assigned to your service principal, managed identity or user.
77107
78-
In this section, you create a connection between your hub and VNet.
108+
* If you see an error message with error code **LinkedAuthorizationFailed**, the user-assigned identity supplied as part of the Managed Application deployment didn't have the proper permissions assigned. The exact permissions that are missing are described in the error message. In the following example, double-check that the user-assigned managed identity has READ permissions over the Virtual WAN hub you're trying to deploy the NVA into.
79109

80-
[!INCLUDE [Connect](../../includes/virtual-wan-connect-vnet-hub-include.md)]
110+
```
111+
The client with object id '<>' does not have authorization to perform action 'Microsoft.Network/virtualHubs/read' over scope '/subscriptions/<>/resourceGroups/<>/providers/Microsoft.Network/virtualHubs/<>' or the scope is invalid. If access was recently granted, please refresh your credentials
112+
```
81113

82114
## Next steps
83115
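Review bot: The custom role definition in the "Assigning Permissions to Azure Managed Application" section is not valid JSON: the last "AssignableScopes" entry ("/subscriptions/{subscription where Public IP used for NVA is deployed}",) ends with a trailing comma before the closing "]", so pasting it into `az role definition create` or `New-AzRoleDefinition` fails; drop that comma and tag the fence as ```json so it renders and validates. The permission strings also disagree between the prerequisites bullet ("Microsoft.Network/publicIpAddresses/join") and the role ("Microsoft.Network/publicIPAddresses/join"); pick one spelling, and confirm the operation is written as the full RBAC action name, since Microsoft.Network join operations are published with an "/action" suffix ("Microsoft.Network/publicIPAddresses/join/action"), which is what a reader will see in the LinkedAuthorizationFailed message and needs to match. "Microsoft.Network/networkVirtualAppliances/inboundSecurityRules/*" is already covered by "Microsoft.Network/networkVirtualAppliances/*" and can be removed. Terminology: the NOTE says "Only user-assigned system identities can be assigned" and step 4 of "Deploying the NVA" says "user-assigned system identity", which contradicts the following sentence "System-assigned identities are not supported"; both should read "user-assigned managed identity". The three :::image directives are missing spaces between the `source="…"`, `alt-text="…"` and `lightbox="…"` attributes, which can break rendering. Minor wording: "Can perform deploy and manage NVAs" should be "Can deploy and manage NVAs", and 'In this example, "fortinet-ngfw" is selected and select **Create**' should be 'select the vendor (in this example, "fortinet-ngfw") and then select **Create**'.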

