Operational excellence and Network Virtual Appliances (NVA)
Network Virtual Appliances (NVA) are typically used to control the flow of traffic between network segments classified with different security levels, for example between a perimeter network (also known as a DMZ, demilitarized zone, or screened subnet) and the public internet.
Examples of NVAs include:
- Network firewalls
- Layer-4 reverse-proxies
- Internet Protocol Security (IPsec) Virtual Private Network (VPN) endpoints
- Web-based reverse-proxies
- Internet proxies
- Layer-7 load balancers
For more information about Network Virtual Appliances, see Deploy highly available NVAs.
To understand how NVAs promote operational excellence, see the following topics:
- Scenario: Route traffic through an NVA
- Scenario: Route traffic through NVAs by using custom settings
- Gateway Load Balancer
Checklist
Have you configured your Network Virtual Appliances (NVA) with operational excellence in mind?
- NVAs should be deployed within a Landing Zone or solution-level Virtual Network.
- For Virtual Wide Area Network (VWAN) topologies, deploy the NVAs to a separate Virtual Network (such as an NVA VNet). Connect the NVA to the regional Virtual WAN Hub and to the Landing Zones that require access to NVAs.
- For non-Virtual Wide Area Network (WAN) topologies, deploy the third-party NVAs in the central Hub Virtual Network (VNet).
Configuration recommendations
Consider the following recommendations to optimize reliability when configuring your Network Virtual Appliances (NVA):
Recommendation | Description |
---|---|
NVAs should be deployed within a Landing Zone or solution-level Virtual Network. | If third-party NVAs are required for inbound HTTP/S connections, deploy NVAs together with the applications that they're protecting and exposing to the internet. |
For Virtual Wide Area Network (VWAN) topologies, deploy the NVAs to a separate Virtual Network (such as an NVA VNet). Connect the NVA to the regional Virtual WAN Hub and to the Landing Zones that require access to NVAs. | If third-party NVAs are required for east-west or south-north traffic protection and filtering, see Scenario: Route traffic through an NVA. |
For non-Virtual Wide Area Network (WAN) topologies, deploy the third-party NVAs in the central Hub Virtual Network (VNet). | If third-party NVAs are required for east-west or south-north traffic protection and filtering, deploy the third-party NVAs in the central Hub Virtual Network. |