Follow the steps below to configure a Non SD-WAN Destination of type Microsoft Azure Virtual Hub in the SASE Orchestrator.

Prerequisites

Procedure

  1. In the SD-WAN service of the Enterprise portal, go to Configure > Network Services, and then under Non SD-WAN Destinations, expand Non SD-WAN Destinations via Gateway.
  2. Click New, and then enter the Name and Type of the Non SD-WAN Destination. Once you enter the Type as Microsoft Azure Virtual Hub, the Virtual Hub Configuration section is displayed in the dialog.
  3. You can configure the following settings:
    Option: Description
    Name: You can edit the previously entered name for the Non SD-WAN Destination.
    Type: Displays the type as Microsoft Azure Virtual Hub. You cannot edit this option.
    Tunnel Mode:
      • Active/Hot-Standby mode supports setting up a maximum of 2 tunnel endpoints or Gateways.
      • Active/Active mode supports setting up a maximum of 4 tunnel endpoints or Gateways. All Active tunnels can send and receive traffic through ECMP.
    ECMP Load Sharing Method:
      • Flow Load Based (Default): The flow load based algorithm maps a new flow to the path with the least number of flows mapped among the available paths to the destination.
      • Hash Load Based: This algorithm takes its input parameters from the 5-tuple (SrcIP, DestIP, SrcPort, DestPort, Protocol). The inputs can be all of the tuple or any subset of it, based on user configuration. The flow is mapped to a path based on the hash value of the selected inputs.
    Subscription: Select a subscription from the drop-down menu.
    Virtual WAN: The application fetches all the available Virtual WANs dynamically from Azure. Select a virtual WAN from the drop-down menu.
    Resource Group: The application auto-populates the resource group with which the selected Virtual WAN is associated.
    Virtual Hub: Select a Virtual Hub from the drop-down menu.
    Azure Region: The application auto-populates the Azure region corresponding to the selected Virtual Hub.
    Enable Tunnel(s): Select the Enable Tunnel(s) check box to allow VMware VPN Gateways to initiate VPN connections to the target Virtual Hub as soon as the site is successfully provisioned.
      Note:
      • VMware VPN Gateways initiate the IKE negotiation only when the Non SD-WAN Destination is configured on at least one profile.
      • For a Microsoft Azure Non SD-WAN Destination, the default local authentication ID value used is the SD-WAN Gateway Interface Public IP.
  4. Click Create.
    The SASE Orchestrator automatically initiates deployment, provisions Azure VPN Sites, and downloads the VPN Site Configuration for the newly configured sites. It stores the configuration in the SASE Orchestrator’s Non SD-WAN Destination configuration database.

    Once the Azure VPN sites are provisioned at the SASE Orchestrator side, you can view the VPN sites (Primary and Redundant) in the Azure portal by navigating to Virtual WAN > Virtual WAN architecture > VPN sites.
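
The two ECMP Load Sharing Method options in step 3 can be compared with the following added sketch, which is not VMware code and does not reproduce the Gateway's implementation. The SHA-256 hash, the lowest-index tie-break, the function names and the sample flows are all assumptions made for illustration.

```python
import hashlib

FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "protocol")  # the 5-tuple

def flow_load_path(flows_per_path):
    """Flow Load Based: pick the path with the fewest flows currently mapped."""
    # Ties go to the lowest path index (an assumption of this sketch).
    return min(range(len(flows_per_path)), key=lambda i: (flows_per_path[i], i))

def hash_load_path(flow, selected, n_paths):
    """Hash Load Based: hash the selected 5-tuple fields, reduce modulo path count."""
    unknown = set(selected) - set(FIELDS)
    if not selected or unknown:
        raise ValueError(f"select a non-empty subset of {FIELDS}")
    # Canonical field order so the same selection always hashes identically.
    material = "|".join(f"{f}={flow[f]}" for f in FIELDS if f in selected)
    digest = hashlib.sha256(material.encode()).digest()  # hash choice is an assumption
    return int.from_bytes(digest[:8], "big") % n_paths

def distribute(flows, n_paths, method, selected=FIELDS):
    """Map each flow to a path index and return the list of assignments."""
    load = [0] * n_paths  # flows never end in this sketch, so counts only grow
    assignments = []
    for flow in flows:
        if method == "flow":
            path = flow_load_path(load)
        else:
            path = hash_load_path(flow, selected, n_paths)
        load[path] += 1
        assignments.append(path)
    return assignments

# Constructed sample: 8 TCP flows between the same two hosts, differing only in source port.
SAMPLE_FLOWS = [
    {"src_ip": "10.0.1.10", "dst_ip": "172.16.5.20", "src_port": 40000 + i,
     "dst_port": 443, "protocol": 6}
    for i in range(8)
]

if __name__ == "__main__":
    n = 4  # Active/Active mode allows up to 4 tunnel endpoints
    print("flow load based :", distribute(SAMPLE_FLOWS, n, "flow"))
    print("hash, 5-tuple   :", distribute(SAMPLE_FLOWS, n, "hash"))
    print("hash, IPs only  :", distribute(SAMPLE_FLOWS, n, "hash", ("src_ip", "dst_ip")))
```

With only SrcIP and DestIP selected, every flow between the two hosts maps to the same tunnel, so the subset chosen decides whether a host pair stays on one path or is spread per flow.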

What to do next

  • Associate the Microsoft Azure Non SD-WAN Destination to a Profile to establish a tunnel between a branch and Azure Virtual Hub. For more information, see Associate a Microsoft Azure Non SD-WAN Destination to an SD-WAN Profile.
  • You must add SD-WAN routes to the Azure network manually. For more information, see Edit a VPN Site.
  • After associating a Profile to the Microsoft Azure Non SD-WAN Destination, you can return to the Non SD-WAN Destinations via Gateway section by navigating to Configure > Network Services, and then configure the BGP settings for the Non SD-WAN Destination. Scroll to the name of your Non SD-WAN Destination, and then click the Edit link in the BGP column. For more information, see Configure BGP Over IPsec from Gateways.
  • In the Non SD-WAN Destinations via Gateway area, click the Edit link in the BFD column for a Non SD-WAN Destination, to configure the BFD settings. For more information, see Configure BFD for Gateways.

For information about Azure Virtual WAN Gateway Automation, see Configure SASE Orchestrator for Azure Virtual WAN IPsec Automation from SD-WAN Gateway.