The Microsoft Azure Network Partner Ecosystem Explained

Save to My DOJO

The Microsoft Azure Network Partner Ecosystem Explained

The purpose of this blog post is to help build some clarification around Microsoft Network Virtual Appliances and other Network Security Partners.

If you are working with the Partner Ecosystem of Microsoft, especially around Network Virtual Appliances and Security Partners, you will often see the same names for different solutions.

That can be very confusing. Today, I want to help you understand the different solutions and partners.

We will speak about the following Partner Solutions:

    • Customer Managed Network Virtual Appliances in Virtual Networks
    • Network Virtual Appliances with Azure Virtual WAN
    • Azure Firewall Network Security Providers
    • Other Partner Solutions

Customer Managed Network Virtual Appliances

A customer-managed Network Virtual Appliance is traditionally deployed into a classic hub and spoke environment. They are available and deployed from the Azure Marketplace, as shown in the example below.

Azure Marketplace


These appliances are deployed in different deployment models like active standby, active active, or single Virtual Machine. They are mostly deployed through templates or deployment guides from the vendors.

Therefore, Microsoft provides different deployment options like linked below.

Deploy highly available NVAs – Azure Architecture Center | Microsoft Docs

Not every Vendor supports every deployment and high availability model. So, you need to check the provided template or have a discussion with your Network Virtual Appliance Vendor.

Most customers are using Network Virtual Appliances for the following use cases:

    • As routers between Virtual Networks in a Hub and Spoke environment
    • As an Internal and/or Internet Facing Firewall, Web Application Firewall, Load Balancer or Reverse Proxy
    • SDWAN or VPN Device

As with every Infrastructure Virtual Machine Service, these Appliances have their upsides and downsides.

Upsides are:

    • A large offering of Network Virtual Appliances and Partners within the Azure Marketplace
    • Relatively easy onboarding for Partners into the Marketplace
    • No special support agreements needed with Microsoft


    • Totally customer-managed, and the customer needs to configure routing and high availability on his own
    • A lot of room for configuration mistakes on the customer’s side
    • Hard to support when having any issue, as there are always three parties, Microsoft Support, Vendor Support, and the Customer and often an additional configuration or managed service partner

Network Virtual Appliances are a very common and proven solution but not cloud-native. Most of these appliances are also only migrated into a Virtual Machine Image without additional changes to integrate with cloud services backends.

For example, most appliances in Azure are not able to leverage Accelerated Network, which can boost Virtual Machine Network performance up to 20 GBE per NIC.

Create an Azure VM with Accelerated Networking using Azure CLI | Microsoft Docs

Some of them are not even able to provide you with proper high availability, as they need either Layer 2 Link available to their cluster peer or broadcast available. Both options are not possible within the Azure Software Defined Network.

They are still very flexible, but you should choose wisely which Vendor you use and mostly the traditional Network Vendors were not able to pass the BRIDGE to reach the cloud age. Some of them even hit the cloud solution WALL harder than Sonic the hedgehog with the robots of Dr Eggman.

Network Virtual Appliances with Azure Virtual WAN

Within Virtual WAN Network Virtual Appliances and Partners can become a bit more confusing. With Virtual WAN you have two kinds of Partners, Managed CPE Partners and Azure Virtual WAN integrated Network Virtual Appliances.

I will explain both within the next part of the post.

Azure Virtual WAN managed CPE Partners

Together with these Partners Azure Virtual WAN provides optimized and automated branch-to-branch connectivity through the Microsoft Global Network. With Azure Virtual WAN Managed CPEs, also called Customer-premises equipment, can be configured to automatically connect, and build a network to and through Azure Virtual WAN. A configuration can either be done manually or automated through the appliances or Vendor out of band management like Palo Alto Panorama or FortiNet FortiManager. As soon as these devices are connected and automated, customers no longer need to update, add, or delete routes manually. These routes will be updated for all branch devices and Network Virtual Appliances through the out of band management and Azure Virtual WAN.

Let me visualize the relationship in the schematic drawing below.

Azure Virtual WAN

As you can see in the schema, a managed CPE is not directly running on Azure but the Vendor of the CPE build a solution together with Microsoft to build a hybrid Network as a Service solution based on on-premises hardware or virtual appliances combined with Azure Services.

To see a full list of partners, please see the documentation below.

Azure Virtual WAN partners and locations | Microsoft Docs

Virtual WAN Managed Network Virtual Appliance

Now to make it even more confusing, Microsoft is working with several Partners to provide their appliances as a managed infrastructure in Virtual WAN.

With these managed Network Virtual Appliances, Azure Virtual WAN can deploy them like its own managed services. This means they are deployed highly available as a Virtual Machine Scale Set and within Availability Zones, if available within the Azure Region.

These appliances are also integrated and peered with the Azure Virtual WAN Route Service, which makes static routing for branches obsolete and resolves the struggles around support and deployment you would have with classic Network Virtual Appliance deployments in Azure.

Azure Virtual WAN: About Network Virtual Appliance in the hub | Microsoft Docs

Depending on the partner, these appliances are deployed through a managed application from the Azure Marketplace or via a different image. Afterwards, the Network Virtual Appliances need to connect to an out of band management because customers cannot access the appliances themselves. Those appliances are deployed within a Microsoft managed subscription and secure environment. This environment is only made accessible for Microsoft Support during support cases.

Let me again try to visualize the deployment for you.

Azure Virtual WAN Deployment

In comparison to a self-managed Network Virtual Appliances, where customers are handling conversation between Microsoft and the Network Virtual Appliances Partners, with a Virtual WAN integrated appliances Microsoft and the Appliance Partner join forces during the support case. They will fix the issue together. So, the customer does not need a proxy.

With that kind of deployment and the integrated support between Microsoft and the Partner, these appliances become more or less a Platform Services or Network Device as a Service.

Currently, Microsoft has agreements with three partners and more partners in the pipeline for the next twelve months. Keep an eye on the Ignite Announcements. 😊

Azure Virtual WAN partners and locations | Microsoft Docs

Azure Firewall Network Security Providers

Another confusion comes up if you want to Azure Firewall together with a partner solution. In addition to Network Virtual Appliances, there are a few Partners who offer extensions to Azure Firewall for additional security and cloud proxy capabilities.

These partners are called security partner providers. The three partners who are currently working with the Azure Firewall Team and providing their solutions are:

    • zScaler
    • CheckPoint
    • iBoss

What are Azure Firewall Manager security partner providers? | Microsoft Docs

If you deploy these Partner Solutions, they are deployed as managed services in the responsible Azure Region and will be managed by Azure. You can see that when adding these sites to zScaler management.

After the partner provider environment was deployed in a secure Microsoft managed environment, the Azure Firewall builds a tunnel for the managed service and changes the internal routing from the Azure Firewall.

Those partner solutions are deployed as full software service solutions. They may also have a limited feature set compared to what you know from the non-integrated solution.

You can find some examples of how to deploy such a solution here.

Secure Azure virtual hubs using Check Point Cloudguard Connect | Microsoft Docs

Other Partner Solutions

In addition to Network Virtual Appliances and the Network Partner Solutions, you also have a lot of other Solutions from Partners available via the Microsoft Azure Marketplace.

As an example, I posted the offering in the screenshot below.

Network Virtual Appliances

There are also other offerings of Microsoft Partners, which are not directly visible with the Azure Marketplace but still are Partner Solutions for Azure Services or Hybrid Services like Azure Stack HCI. I linked the example for Altaro Backup below.

Utility applications for Azure Stack HCI – Azure Stack HCI | Microsoft Docs

As you can see Altaro is one of the preferred partners of Microsoft when it comes to backup and replication of Azure Stack HCI and Windows Server Hyper-V.

Closing Words

This article should give some clarification on the different Microsoft Appliance and Services Partner Solutions. To be honest, even within Microsoft, the different partners are often confused. If you would like me to clarify anything, drop me a message in the comments below!

Altaro Hyper-V Backup
Share this post

Not a DOJO Member yet?

Join thousands of other IT pros and receive a weekly roundup email with the latest content & updates!

Leave a comment or ask a question

Your email address will not be published. Required fields are marked *

Your email address will not be published. Required fields are marked *

Notify me of follow-up replies via email

Yes, I would like to receive new blog posts by email

What is the color of grass?

Please note: If you’re not already a member on the Dojo Forums you will create a new account and receive an activation email.