topic If you're using a Network in Network Security

Microsoft Azure ASAv network design consideration

vadim.vedmedenko — Tue, 12 Mar 2019 07:27:27 GMT

Hi! Since recent availability of ASAv for Microsoft Azure I have question about network design. Currently it is possible to have 4 network interfaces in ASAv, so we limited to 3 subnets in Azure VNET. We have more than 3 subnets and Azure Gateway for S2S connectivity.
Is it possible to place ASAv inside interface in gateway subnet to substitute azure gateway and provide connectivity to all VNET subnets.

Buy two ASAv's?

Philip D'Ath — Thu, 10 Mar 2016 00:01:32 GMT

Buy two ASAv's?

Change to Amazon AWS to get rid of restriction?

Sounds like an awkward problem.

Philip, thanks for proposals

vadim.vedmedenko — Thu, 10 Mar 2016 11:03:53 GMT

Philip, thanks for proposals I believe that also there are great places outside of our solar system )

To be close to subject, I asked this to Azure Support and got answer:

unfortunately the gateway subnet is only destined to Azure gateway.
We often due some maintenance and upgrades or downgrades to the gateways, and if some more appliances or vm’s were inside that subnet, they could suffer with this operations.
This is why that type of implementation is not supported.

If you're using a Network

jonor0001 — Fri, 01 Jul 2016 22:38:49 GMT

If you're using a Network Virtual Appliance (the ASAv) you don't need to use the Gateway subnet at all. Just assign a Public IP address to one of the ASAv NICs and set up your site-to-site VPN to that Public IP and don't use the Gateway subnet at all. You only need the Gateway subnet when you're using an Azure native gateway for either Azure provided VPN or ExpressRoute gateways.

Jonor003 you are right but in

vadim.vedmedenko — Sat, 24 Sep 2016 10:00:52 GMT

Jonor003 you are right but in details it's not so simple. Currently you can attach only 3 subnets to ASAv, but we have more than 7.

You can't attach anything to gateway subnet only Azure gateway can reside there. It's because of redundancy which Azure apply to the their gateway.

I am not aware of the subnet

Avery Spates — Mon, 24 Jul 2017 22:14:53 GMT

I am not aware of the subnet limitation described above in the Azure Virtual Network. This has never been the limitation. Make sure that you have properly assigned your IP Address Space and Subnet Layout to accommodate that Address Space.

Re: Jonor003 you are right but in

a_mohammed@hotmail.com — Wed, 13 Feb 2019 16:21:20 GMT

Hello:

I am really struggling with the ASAv Platform Implementation on Azure. Per the Azure - ASAv Install document, only NIC 0 / Management can be assigned a Public IP Address. Even when I try to assign the same external IP Address via the ssh session, I automatically lose connection to the device and have to try to recover via the Serial Console.

Is the expectation to use NIC0 / Management as the Interface launching the IPSec Tunnel? Would you also be able to provide any specific links on establishing a VPN Tunnel? In addition, would I use Static Routing to route between the Management / NIC1 / NIC2 / NIC3 Interfaces?

Thank you