Microsoft Azure ASAv network design consideration

Hi! Since the recent availability of ASAv for Microsoft Azure, I have a question about network design. Currently it is possible to have 4 network interfaces in ASAv, so we are limited to 3 subnets in Azure VNET. We have more than 3 subnets and an Azure Gateway for S2S connectivity.
Is it possible to place the ASAv inside interface in the gateway subnet to substitute for the Azure gateway and provide connectivity to all VNET subnets?


Philip D'Ath
VIP Alumni

Buy two ASAv's?

Change to Amazon AWS to get rid of restriction?

Sounds like an awkward problem.

Philip, thanks for the proposals. I believe that there are also great places outside of our solar system )

To stay close to the subject, I asked Azure Support about this and got this answer:

Unfortunately the gateway subnet is only destined for the Azure gateway.
We often do some maintenance and upgrades or downgrades to the gateways, and if some more appliances or VMs were inside that subnet, they could suffer from these operations.
This is why that type of implementation is not supported.

I am not aware of the subnet limitation described above in the Azure Virtual Network. This has never been the limitation. Make sure that you have properly assigned your IP Address Space and Subnet Layout to accommodate that Address Space. 

jonor0001
Level 1

If you're using a Network Virtual Appliance (the ASAv) you don't need to use the Gateway subnet at all. Just assign a Public IP address to one of the ASAv NICs and set up your site-to-site VPN to that Public IP and don't use the Gateway subnet at all. You only need the Gateway subnet when you're using an Azure native gateway for either Azure provided VPN or ExpressRoute gateways.

Jonor003, you are right, but in detail it's not so simple. Currently you can attach only 3 subnets to ASAv, but we have more than 7.

You can't attach anything to the gateway subnet; only the Azure gateway can reside there. It's because of the redundancy which Azure applies to their gateway.

Hello:

I am really struggling with the ASAv Platform Implementation on Azure. Per the Azure - ASAv Install document, only NIC 0 / Management can be assigned a Public IP Address. Even when I try to assign the same external IP Address via the ssh session, I automatically lose connection to the device and have to try to recover via the Serial Console.

Is the expectation to use NIC0 / Management as the Interface launching the IPSec Tunnel? Would you also be able to provide any specific links on establishing a VPN Tunnel? In addition, would I use Static Routing to route between the Management / NIC1 / NIC2 / NIC3 Interfaces?

Thank you

 
