Configure Azure Express Route as Transport with SD-WAN in a Click

Available Languages

Download Options

  • PDF     (428.9 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (484.1 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (329.7 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:May 4, 2022
Document ID:217859

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to integrate Express Route as an SD-WAN transport inside of the VHUB with the Cloud OnRamp for the Multi-Cloud Azure solution.

    Background Information

    This document allows users to use both Express Route and the Public Internet inside VHUB to provide tangible benefits.

    • It allows for redundant paths from edge locations to Azure Workload VNets
    • Can allow higher throughput and lower latency

    Problem

    With the use of default parameters, Cloud OnRamp does not allow the use of both public Internet and Express Route as SD-WAN transport inside of the VHUB. And, users want to use Internet and Express Route/MPLS as transport to terminate tunnels on our NVAs inside of the VHUB.

    Solution

    Assumptions:

    • vManage 20.4 or higher
    • Cloud OnRamp MultiCloud knowledge
    • Some Azure knowledge 

    Solution Summary:

    NVAs inside the VHUB can only have two interfaces. One is for the service VPN and the other is for transport. Currently, the default template assigns a color of default to the transport interface. This means only TLOC with public colors can form tunnels to the NVA with Public IPs. Express Route is a private link that uses a private IP address since the default template color is a public category that by nature tries to form the tunnels in public space where the express route can't reach.

    To address this challenge, you can use a private category of color on TLOCs of cloud routers which allow other private colored TLOCs to form tunnels that use the private IP and allow public colored TLOCs to form tunnels with the use of the Public IP. In this case, when you change the TLOC color of the Azure SDWAN router on the GE 1 transport interface of the NVAs to a private color you can terminate both Express Route and Internet traffic on the same interface as shown in the image.

    Data Centre Connecting to Azure SD-wan Devices via Express Route and Internet

    Solution Steps:

    1. Copy the default template to a non-default template:

    Under Template configuration, look for the default template: Default_Azure_vWAN_C8000V_Template_V01 as shown in the image.

    Copy the Default Template and Make a Custom One

    Copy the template as shown in the image.

    Interface Colour Change for Private Category to let the Same Interface Speak to Private and Public both Type of Sites

    2. Change interface TLOC color on GE1 of the non-default template that was created previously.

    In the new template, create a new feature template to replace Default_Azure_vWAN_C8000V_VPN0_INTF_GE1_V01 as shown in the image. 

    Express Route Connection to Azure

    Add a private color to the tunnel interface. 

    Show Command Outputs for BFD Sessions

    3. Create CGW with the new template.

    4. Connect ER Circuit to VHUB.

    In Azure Portal, create an Express Route connection to the vnet-gateway. Please note that the user needs appropriate permissions.

    Express Route Connection to Azure

    5. Verify connectivity.

    On the edge device, you must see your VNet workloads. You must also see multiple TLOCS as shown in the image.

    Show Command Outputs for BFD Sessions

    BFD Sessions.

    Show Command Outputs for BFD Sessions

    Summary:

    When you change the color of GE1 of the NVAs inside the VHUB from default to a private color, it allows the usage of both Express Route and Public Internet as SD-WAN transports. This provides tangible benefits.

    • It allows for redundant paths from edge locations to Azure Workload VNets
    • Can allow higher throughput and lower latency

    Revision History

    Revision Publish Date Comments
    1.0
    06-May-2022
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Cyril Wilson
      Cisco TAC Engineer
    • Prashant Tripathi
      Cisco Engineering

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products