How to Migration Onprem VMware to Azure VMware Solution using Site to Site VPN

Question

How to Migration Onprem VMware to Azure VMware Solution using Site to Site VPN

Paul 0

Could you please advise on the best approach to migrating on-premises VMware workloads to Azure VMware Solution (AVS) using a Site-to-Site VPN connection via HCX? Is an Azure Firewall necessary for this process? Furthermore, I've found limited Visio diagrams on AVS illustrating this architecture in the Azure Architecture Center.

Vamsi Ram Annepu 915 Reputation points Microsoft External Staff Moderator

2025-06-25T19:52:17.93+00:00

Hi Paul,
Just checking in to see if you had a chance to review my comment on your question. Please let us know if it was helpful and feel free to reach out if you have any further queries.

If you found the information useful, please click "Upvote" on the post to let us know.

Thank You.

1 answer

Your answer

Vamsi Ram Annepu 915 Reputation points Microsoft External Staff Moderator

2025-06-25T19:52:17.93+00:00

Hi Paul,
Just checking in to see if you had a chance to review my comment on your question. Please let us know if it was helpful and feel free to reach out if you have any further queries.

If you found the information useful, please click "Upvote" on the post to let us know.

Thank You.

Answer 1

Vamsi Ram Annepu 915 Microsoft External Staff Moderator

Hi Paul,
As you're looking to migrate your on-premises VMware workloads to Azure VMware Solution using a Site-to-Site VPN connection through HCX. Here are some steps and considerations.

Deployment Preparation:
- Ensure you have your Azure subscription and a resource group ready.
- Plan your network setup: You need a dedicated Azure Virtual Network with a virtual network gateway for the Site-to-Site connection.
Site-to-Site VPN Setup:
- Establish a Site-to-Site VPN connection between your on-premises environment and Azure using a Virtual Network Gateway. Ensure that the necessary ports are open:
- TCP/443 for HCX
- UDP ports 500 and 4500 for the IPsec VPN.
HCX Deployment:
- Deploy VMware HCX in your Azure VMware Solution environment. You will create a site pairing between your on-premises HCX Connector and the HCX Cloud Manager running in Azure.
Network Segments:
- Use NSX-T Data Center to define network segments for various tasks like vMotion and ensure your CIDR range doesn’t overlap with the IP addresses in your on-premises environment.
Migration Tools:
- You can choose from different migration methodologies, such as live migration, cold migration, or bulk migration, based on your performance needs and downtime tolerance.

For the Visio diagrams on Azure VMware Solution architecture, you might find limited resources directly in the Azure Architecture Center. However, refer to the documentation provided to design your architecture effectively during migration.

For more information you can refer the below document
https://free.blessedness.top/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
https://free.blessedness.top/en-us/azure/migrate/?view=migrate-classic
https://free.blessedness.top/en-us/azure/expressroute/expressroute-introduction
https://free.blessedness.top/en-us/azure/migrate/tutorial-migrate-vmware?view=migrate-classic

Feel free to reach out if you have any further queries.

If you found the information useful, please click "Upvote" on the post to let us know.

Thank You.

Paul 0 Reputation points

2025-06-23T20:00:23.09+00:00

Thank you for your prompt response. My understanding is that the on-premises vSphere environment will connect to an Azure Virtual Network Gateway in a Hub network within the Connectivity subscription via a Site-to-Site VPN connection. This same gateway will also utilize an ExpressRoute connection to AVS, located in the Application landing zone subscription. Please confirm if this understanding is accurate. Is the use of Azure Virtual WAN mandatory, or is a traditional Hub and Spoke architecture acceptable? Finally, is there a mechanism to inspect network traffic entering and exiting the Azure Firewall?
Vamsi Ram Annepu 915 Reputation points Microsoft External Staff Moderator

2025-06-23T20:17:59.0666667+00:00
Hi Paul,
Your understanding is correct, here is a detailed explanation of your query

Your on-premises vSphere environment can indeed connect to an Azure Virtual Network Gateway in a Hub network via a Site-to-Site VPN connection. This allows secure communication between your on-premises infrastructure and Azure.
https://free.blessedness.top/en-us/azure/vpn-gateway/tutorial-site-to-site-portal

Yes, the same gateway can also utilize an ExpressRoute connection to Azure VMware Solution (AVS) located in the Application landing zone subscription. This setup provides a private and reliable connection to Azure services.

The use of Azure Virtual WAN is not mandatory. A traditional Hub and Spoke architecture is perfectly acceptable for many scenarios. Azure Virtual WAN is beneficial for large-scale deployments or when you need to connect multiple branches or locations efficiently, but it is not a requirement for all architectures.

https://free.blessedness.top/en-us/azure/virtual-wan/virtual-wan-about

Yes, there are mechanisms to inspect network traffic entering and exiting the Azure Firewall. Azure Firewall provides built-in logging and analytics capabilities. You can enable diagnostic settings to send logs to Azure Monitor, Log Analytics, or a storage account. Additionally, you can use Azure Network Watcher to monitor and analyze network traffic, including flow logs and packet captures.
https://free.blessedness.top/en-us/azure/private-link/inspect-traffic-with-azure-firewall
https://free.blessedness.top/en-us/azure/network-watcher/network-watcher-overview
https://techcommunity.microsoft.com/blog/azurenetworksecurityblog/deploy-azure-firewall-to-inspect-traffic-to-a-private-endpoint/3714575

Feel free to reach out if you have any further queries.

If you found the information useful, please click "Upvote" on the post to let us know.

Thank You.
Paul 0 Reputation points

2025-06-24T02:44:36.81+00:00

Thank you for your prompt response. To clarify, does "VpnGw2" support both on-premises-to-Azure hub Site-to-Site VPN connections and Azure hub-to-AVS ExpressRoute connections? A diagram illustrating these data flows would be greatly appreciated.
Paul 0 Reputation points

2025-06-24T02:55:38.0633333+00:00

Thank you in advance. I eagerly await your response.
Vamsi Ram Annepu 915 Reputation points Microsoft External Staff Moderator

2025-06-24T07:55:42.9933333+00:00
Hi Paul,
Yes, the "VpnGw2" SKU does support both Site-to-Site VPN connections from on-premises environments to the Azure Hub and also allows for ExpressRoute connections to AVS. This versatility makes it suitable for your hybrid architecture needs.
While I can't provide you a direct diagram, the overall architecture typically includes:

Your on-premises vSphere environment connecting to the Azure Virtual Network Gateway.

That same Gateway can connect to the AVS via ExpressRoute, ensuring a low-latency connection and better performance.

You can still go through the diagram and use Microsoft Visio from the below link
https://free.blessedness.top/en-us/azure/architecture/reference-architectures/hybrid-networking/expressroute-vpn-failover
Feel free to reach out if you have any further queries.

If you found the information useful, please click "Upvote" on the post to let us know.

Thank You.
Paul 0 Reputation points

2025-06-24T10:30:25.2266667+00:00

Thanks for details explanation. Could you please confirm the routing behavior in the following scenario?

If an on-premises system sends traffic destined for AVS (e.g., a VM segment within 10.150.0.0/22), and both Site-to-Site VPN and ExpressRoute connections are available, which path will Azure prefer to deliver the traffic to AVS?

My understanding is that ExpressRoute BGP routes would take precedence over VPN routes unless overridden by a user-defined route (UDR). However, i would appreciate your confirmation on this behavior, specifically in the context of hybrid AVS deployments.

Additionally, are there best practices for enforcing a preferred path in case I need to test or temporarily route traffic through the VPN tunnel?

Thanks in advance for your guidance.
Vamsi Ram Annepu 915 Reputation points Microsoft External Staff Moderator

2025-06-24T19:49:05.27+00:00
Hi Paul,
When both Site-to-Site VPN and ExpressRoute connections are available, Azure prefers the ExpressRoute path for routing traffic. This is because ExpressRoute BGP routes take precedence over VPN routes by default.

If you have configured BGP for your ExpressRoute connection, the routes learned via BGP will be preferred over those learned from the Site-to-Site VPN.

You can override the default routing behavior by creating User-Defined Routes (UDRs). If you want to force traffic to go through the VPN tunnel instead of ExpressRoute, you can create a UDR that specifies the next hop as the VPN gateway for the specific destination (e.g., the AVS subnet).

Best Practices for Enforcing a Preferred Path:-

Using UDRs:

To temporarily route traffic through the VPN tunnel, create a UDR that directs traffic destined for the AVS subnet (e.g., 10.150.0.0/22) to the VPN gateway. This will ensure that traffic is routed through the VPN instead of ExpressRoute.

Testing and Validation:

Before implementing UDRs in a production environment, test the changes in a staging environment to validate that the routing behaves as expected.

Use tools like Azure Network Watcher to monitor and validate the routing paths and ensure that traffic is flowing through the intended route.

Monitoring and Alerts:

Set up monitoring and alerts to track the performance and health of both the VPN and ExpressRoute connections. This will help you quickly identify any issues that may arise when changing routing paths.

Feel free to reach out if you have any further queries.

If you found the information useful, please click "Upvote" on the post to let us know.

Thank You.
Paul 0 Reputation points

2025-06-27T12:39:08.3366667+00:00

Thanks for your guidance on this.
Paul 0 Reputation points

2025-07-07T14:25:53.9966667+00:00
I understand from this Microsoft documentation that Azure Route Server is recommended to provide dynamic route exchange and transitivity between VPN Gateway and ExpressRoute Gateway.

My questions are as follows:

Why exactly is Azure Route Server required in this scenario?

If we already have BGP enabled on VPN Gateway and ExpressRoute Gateway, is it technically possible to configure manual UDRs in all Hub and Spoke subnets (and Azure Firewall) to send traffic between On-prem and AVS without deploying Route Server?

If we do not use Azure Route Server, is it possible to establish end-to-end connectivity between On-prem and AVS over S2S VPN with ExpressRoute Private Peering by relying only on UDRs and BGP separately at each gateway?

Does Microsoft officially support this architecture without Route Server?

i.e., VPN Gateway + ExpressRoute Gateway + Azure Firewall with static UDRs for all prefixes without deploying Route Server.

Share via

How to Migration Onprem VMware to Azure VMware Solution using Site to Site VPN

1 answer

Your answer