
Commit 90a256f

nvasneakypawdraft1
1 parent 7d8ab7b commit 90a256f

File tree

4 files changed

+72
-41
lines changed


articles/virtual-wan/how-to-nva-hub.md

Lines changed: 72 additions & 41 deletions
@@ -10,74 +10,105 @@ ms.author: cherylmc
1010
---
1111
# How to create a Network Virtual Appliance in an Azure Virtual WAN hub
1212

13-
This article shows you how to use Virtual WAN to connect to your resources in Azure through a **Network Virtual Appliance (NVA)** in Azure. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. For more information about Virtual WAN, see [What is Virtual WAN?](virtual-wan-about.md)
13+
This article shows you how to deploy an **Integrated Network Virtual Appliance (NVA)** in an Azure Virtual WAN hub.
1414

15-
The steps in this article help you create a **Barracuda CloudGen WAN** Network Virtual Appliance in the Virtual WAN hub. To complete this exercise, you must have a Barracuda Cloud Premise Device (CPE) and a license for the Barracuda CloudGen WAN appliance that you deploy into the hub before you begin.
15+
## Background
1616

17-
For deployment documentation of **Cisco SD-WAN** within Azure Virtual WAN, see [Cisco Cloud OnRamp for Multi-Cloud](https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/cloudonramp/ios-xe-17/cloud-onramp-book-xe/cloud-onramp-multi-cloud.html#Cisco_Concept.dita_c61e0e7a-fff8-4080-afee-47b81e8df701).
17+
You can deploy select NVAs directly into your Virtual WAN hub. NVAs deployed in the Virtual WAN hub are typically split into three categories:
1818

19-
For deployment documentation of **VMware SD-WAN** within Azure Virtual WAN, see [Deployment Guide for VMware SD-WAN in Virtual WAN Hub](https://docs.vmware.com/en/VMware-SD-WAN/index.html)
19+
* **Connectivity appliances**: Used to terminate VPN and SD-WAN connections from on-premises. Connectivity appliances use Border Gateway Protocol (BGP) to exchange routes with the Virtual WAN hub.
20+
* **Next-Generation Firewall (NGFW) appliances**: Used in conjunction with [Routing Intent](how-to-routing-policies.md) to provide bump-in-the-wire inspection for traffic traversing the Virtual WAN hub.
21+
* **Dual-role connectivity and Firewall appliances**: Single device that both connects on-premises to Azure connectivtion and security inspection for traffic traversing the Virtual WAN hub.
2022

21-
## Prerequisites
23+
For the list of NVAs that can be deployed in the Virtual WAN hub and their respective capabiltiies, see [Virtual WAN NVA partners](about-nva-hub.md#partners).
2224

23-
Verify that you've met the following criteria before beginning your configuration:
25+
## Deployment Mechanisms
2426

25-
* Obtain a license for your Barracuda CloudGen WAN gateway. To learn more about how to do this, see the [Barracuda CloudGen WAN Documentation](https://www.barracuda.com/products/cloudgenwan)
27+
Network Virtual Appliances can be deployed through a couple of different workflows. Different Network Virtual Appliancce partners support different deployment mechanisms. Every Virtual WAN integrated NVA partner supports the **Azure Marketplace Managed Application** workflow. For information about other deployment methods, reference your NVA provider's documentation.
2628

27-
* You have a virtual network that you want to connect to. Verify that none of the subnets of your on-premises networks overlap with the virtual networks that you want to connect to. To create a virtual network in the Azure portal, see the [Quickstart](../virtual-network/quick-create-portal.md).
29+
* **Azure Marketplace Managed Application**: All Virtual WAN NVA partners leverage Azure Managed Applications to deploy Integrated NVAs in the Virtual WAN hub. Azure Managed Applications offer you an easy way to deploy NVAs into the Virtual WAN hub via an Azure Portal experience that is built by the NVA provider. The Azure Portal experience collects critical deployment and configuration parameters needed to deployu and boot-strap the NVA. For more information on Azure Managed Applications, see [Managed Application documentation](../azure-resource-manager/managed-applications/overview.md). Reference your provider's documentation on the full deployment workflow via Azure Managed Application.
30+
* **NVA orchestrator deployments**: Certain NVA partners allow you to deploy NVAs into the Hub directly from the NVA orchestration or management software. NVA deployments from NVA orchestration software typically requires you to provide an Azure service principal to the NVA orchestration software. The Azure service principal is used by the NVA orchestration software to interact with Azure API's to deploy and manage NVAs in the hub. This workflow is very specific to the NVA provider's implementation. Reference your provider's documentation for more information.
31+
* **Other deployment mechanisms**: NVA partners may also offer other mechanisms to deploy NVAs in the hub such as ARM templates and Terraform. Reference your provider's documentation for more information on leveraging other supported deployment mecahnisms.
2832

29-
* Your virtual network doesn't have any virtual network gateways. If your virtual network has a gateway (either VPN or ExpressRoute), you must remove all gateways. This configuration requires that virtual networks are connected instead, to the Virtual WAN hub gateway.
33+
## Pre-requisites
3034

31-
* Obtain an IP address range for your hub region. The hub is a virtual network that is created and used by Virtual WAN. The address range that you specify for the hub can't overlap with any of your existing virtual networks that you connect to. It also can't overlap with your address ranges that you connect to your on-premises sites. If you're unfamiliar with the IP address ranges located in your on-premises network configuration, coordinate with someone who can provide those details for you.
35+
The following tutorial assumes that you have already created a Virtual WAN resource with at least one Virtual WAN hub. The tutorial also assumes that you are deploying NVAs via Azure Marketplace Managed Application.
3236

33-
* If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
37+
### <a name="requiredpermissions"></a> Required Permissions
3438

35-
## <a name="openvwan"></a>Create a virtual WAN
39+
To deploy a Network Virtual Appliance in a Virtual WAN Hub, the user or service principal that creates and manages the NVA must have at minimum the following permissions:
3640

37-
[!INCLUDE [Create virtual WAN](../../includes/virtual-wan-create-vwan-include.md)]
41+
* Microsoft.Network/virtualHubs/read over the Virtual WAN hub in which the NVA is deployed into.
42+
* Microsoft.Network/networkVirtualAppliances/write over the resource group where the NVA is deployed into.
43+
* Microsoft.Network/publicIpAddresses/join over the public IP address resources that are deployed with the Network Virtual Appliance for [Internet Inbound or DNAT](how-to-network-virtual-appliance-inbound.md) use cases.
3844

39-
## <a name="hub"></a>Create a hub
45+
These permissions need to be granted to the Azure Marketplace Managed Application to ensure deployments succeed. Additional permissions may be required based on the implementation of the deployment workflow developed by your NVA partner.
4046

41-
Create a virtual hub by filling out the **Basics** tab to create an empty virtual hub (a virtual hub that doesn't contain any gateways).
47+
## Assigning Permissions to Managed Application
4248

43-
[!INCLUDE [Create a virtual hub](../../includes/virtual-wan-hub-basics.md)]
49+
Network Virtual Appliances that are deployed via Azure Marketplace Managed Application are deployed in a special resource group in your Azure tenant called the **managed resource group**. When you create a Managed Application in your subscription, a corresponding and separate **managed resource group** is created in your subscription. All Azure resources created by the Managed Application (including the Network Virtual Appliance) are deployed into the **managed resource group**.
4450

45-
## Create the Network Virtual Appliance in the hub
51+
Azure Marketplace owns a first-party service principal that performs the deployment of resources into the **managed resource group**. This first-party principal has permissions to create resources in the **managed resource group**, but does not have permissions to read, update or create Azure resources outside of the **managed resource group**.
4652

47-
In this step, you'll create a Network Virtual Appliance in the hub. The procedure for each NVA will be different for each NVA partner's product. For this example, we're creating a Barracuda CloudGen WAN gateway.
53+
To ensure that your NVA deployment is performed with the sufficient level of permissions, grant additional permissions to Azure Marketplace. You can do this by deploying your Managed Application with a user-assigned managed identity that has permissions over the Virtual WAN hub and public IP address(es) with which you want to use the Network Virtual Appliance. This user-assigned Managed Identity is used only for initial deployment of resources in the Managed Resource Group and is only used in the context of that Managed Application deployment.
4854

49-
1. Locate the Virtual WAN hub you created in the previous step and open it.
55+
>[!NOTE]
56+
> Only user-assigned system identities can be assigned to Azure Managed Applications to deploy Network Virtual Appliances in the Virtual WAN Hub. System-assigned identities are not supported.
5057
51-
:::image type="content" source="./media/how-to-nva-hub/nva-hub.png" alt-text="Screenshot of the Network Virtual Appliance tile." lightbox="./media/how-to-nva-hub/nva-hub.png":::
58+
1. Create a new user-assigned identity. For steps on creating new user-assigned identities, see [managed identity documentation](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp#create-a-user-assigned-managed-identity). You can also use an existing user-assigned identity.
59+
2. Assign permissions to your user-assigned identity to have at minimum the permissions described in the [Required Permissions]($requirespermissions) section alongside any permissions your NVA provider requires. You can also give the user-assigned identity a built-in Azure role like [Network Contributor](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles/networking#network-contributor) that contains a superset of the needed permisisons.
5260

53-
1. Find the **Network Virtual Appliance** tile and select the **Create** link.
54-
1. On the **Network Virtual Appliance** page, from the dropdown, select **Barracuda CloudGen WAN**, then select the **Create** button and **Leave**. This takes you to the Azure Marketplace offer for the Barracuda CloudGen WAN gateway.
55-
1. Read the terms, select **Get it now**, then click **Continue** when you're ready. The page will automatically change to the page for the **Barracuda CloudGen WAN Gateway**. Select **Create** to open the **Basics** page for gateway settings.
61+
Alternatively, you can also create a [custom role](../role-based-access-control/custom-roles.md) with the following sample definition and assign the custom role to your user-assigned managed identity.
5662

57-
:::image type="content" source="./media/how-to-nva-hub/barracuda-create-basics.png" alt-text="Screenshot of the Basics page."lightbox="./media/how-to-nva-hub/barracuda-create-basics.png":::
58-
1. On the Create Barracuda CloudGen WAN Gateway **Basics** page, provide the following information:
63+
```
64+
{
65+
"Name": "Virtual WAN NVA Operator",
66+
"IsCustom": true,
67+
"Description": "Can perform deploy and manage NVAs in the Virtual WAN hub.",
68+
"Actions": [
69+
"Microsoft.Network/virtualHubs/read",
70+
"Microsoft.Network/publicIPAddresses/join",
71+
"Microsoft.Network/networkVirtualAppliances/*",
72+
"Microsoft.Network/networkVirtualAppliances/inboundSecurityRules/*"
73+
],
74+
"NotActions": [],
75+
"DataActions": [],
76+
"NotDataActions": [],
77+
"AssignableScopes": [
78+
"/subscriptions/{subscription where Virtual Hub and NVA is deployed}",
79+
"/subscriptions/{subscription where Public IP used for NVA is deployed}",
80+
]
81+
}
82+
```
5983

60-
* **Subscription** - Choose the subscription you used to deploy the Virtual WAN and hub.
61-
* **Resource Group** - Choose the same Resource Group you used to deploy the Virtual WAN and hub.
62-
* **Region** - Choose the same Region in which your Virtual hub resource is located.
63-
* **Application Name** - The Barracuda NextGen WAN is a Managed Application. Choose a name that makes it easy to identify this resource, as this is what it will be called when it appears in your subscription.
64-
* **Managed Resource Group** - This is the name of the Managed Resource Group in which Barracuda will deploy resources that are managed by them. The name should be pre-populated for this.
65-
1. Select **Next: CloudGen WAN gateway** to open the **Create Barracuda CloudGen WAN Gateway** page.
84+
## Deploying the NVA
6685

67-
:::image type="content" source="./media/how-to-nva-hub/barracuda-cloudgen-wan.png" alt-text="Screenshot of the Create Barracuda CloudGen WAN Gateway page."lightbox="./media/how-to-nva-hub/barracuda-cloudgen-wan.png":::
68-
1. On the **Create Barracuda CloudGen WAN Gateway** page, provide the following information:
86+
The following section describes the steps needed to deploy a Network Virtual Appliance into the Virtual WAN hub using Azure MarketplaceManaged Appliation.
6987

70-
* **Virtual WAN Hub** - The Virtual WAN hub you want to deploy this NVA into.
71-
* **NVA Infrastructure Units** - Indicate the number of NVA Infrastructure Units you want to deploy this NVA with. Choose the amount of aggregate bandwidth capacity you want to provide across all of the branch sites that will be connecting to this hub through this NVA.
72-
* **Token** - Barracuda requires that you provide an authentication token here in order to identify yourself as a registered user of this product. You'll need to obtain this from Barracuda.
73-
1. Select the **Review and Create** button to proceed.
74-
1. On this page, you'll be asked to accept the terms of the Co-Admin Access agreement. This is standard with Managed Applications where the Publisher will have access to some resources in this deployment. Check the **I agree to the terms and conditions above** box, and then select **Create**.
88+
1. Navigate to your Virtual WAN hub and select **Network Virtual Appliance** under **Third party providers**.
7589

76-
## <a name="vnet"></a>Connect the VNet to the hub
90+
:::image type="content" source="./media/network-virtual-appliance-creation/network-virtual-appliance-menu.png"alt-text="Screenshot showing how to navigate to NVA menu under Virtual WAN hub."lightbox="./media/network-virtual-appliance-creation/network-virtual-appliance-menu.png":::
7791

78-
In this section, you create a connection between your hub and VNet.
92+
2. Select **Create network virtual appliance**.
93+
94+
:::image type="content" source="./media/network-virtual-appliance-creation/network-virtual-appliance-create.png"alt-text="Screenshot showing how to create NVA."lightbox="./media/network-virtual-appliance-creation/network-virtual-appliance-create.png":::
95+
96+
3. Choose the NVA vendor. In this example, "fortinet-ngfw" is selected and select **Create**. At this point you will be re-directed to the NVA partner's Azure Marketplace managed application.
97+
98+
:::image type="content" source="./media/network-virtual-appliance-creation/network-virtual-appliance-vendor.png"alt-text="Screenshot showing how to select NVA vendor."lightbox="./media/network-virtual-appliance-creation/network-virtual-appliance-vendor.png":::
99+
100+
4. Follow the managed application creation experience to deploy your NVA and reference any provider documentation. Ensure that the user-assigned system identity created in the previous section is selected as part of the managed application creation workflow.
101+
102+
## Common Deployment Errors
103+
104+
### Permission errors
105+
106+
* If you see an error message with error code **LinkeAuthorizationFailed**, this means that the user-assigned identity supplied as part of the Managed Application deployment did not have the proper permissions assigned. The exact permission(s) that are missing are described in the error message. In the example below, double-check that the user-assigned managed identity has READ permissions over the Virtual WAN hub you are trying to deploy the NVA into.
107+
108+
```
109+
The client <> with object id <> has permission to perform action 'Microsoft.Network/networkVirtualAppliances/write' on scope '/subscriptions/<>/resourceGroups/mrg-<>; however, it does not have permission to perform action(s) 'Microsoft.Network/virtualHubs/read on the linked scope(s) '/subscriptions/<>/resourceGroups/<>/providers/Microsoft.Network/virtualHubs/<> (respectively) or the linked scope(s) are invalid."
110+
```
79111

80-
[!INCLUDE [Connect](../../includes/virtual-wan-connect-vnet-hub-include.md)]
81112

82113
## Next steps
83114
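Review bot: The custom role definition added in this hunk (the fenced JSON block under "Alternatively, you can also create a custom role") is not valid JSON because of the trailing comma after the last AssignableScopes entry, `"/subscriptions/{subscription where Public IP used for NVA is deployed}",`; anyone pasting it into `az role definition create` will get a parse error, so drop that comma. In the same block the public IP action is written `Microsoft.Network/publicIPAddresses/join`, while the Required Permissions bullet above spells it `Microsoft.Network/publicIpAddresses/join`; use one spelling, and note that the RBAC operation Azure actually checks is `Microsoft.Network/publicIPAddresses/join/action`, so the role as written would not grant the join the text says is needed. The cross-reference `[Required Permissions]($requirespermissions)` should be `(#requiredpermissions)` to match the anchor defined on the heading. The NOTE and step 4 say "user-assigned system identities" / "user-assigned system identity", which conflates the two identity types; the intent (only user-assigned managed identities are supported, not system-assigned) reads correctly as "user-assigned managed identity". The three new `:::image` directives lack the space before `alt-text=` and `lightbox=`, which breaks the attribute parsing, and the error code in Common Deployment Errors is spelled `LinkeAuthorizationFailed` where the Azure Resource Manager code is `LinkedAuthorizationFailed`; the quoted error message also ends with a stray `"`. Remaining typos to fix before merge: connectivtion, capabiltiies, Appliancce, deployu, boot-strap, mecahnisms, permisisons, and "Azure MarketplaceManaged Appliation".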

