Inside the SDN Architecture for Azure Local

Table of Contents

1. Introduction: Why SDN for Azure Local?
2. SDN Architecture Overview
3. Key SDN Components
   • SDN Controller
   • Software Load Balancer (SLB)
   • Gateway Pool
   • Virtual Filtering Platform (VFP)
4. Component Interactions & Data Flow
5. Real-World Architecture Example (Diagrams)
6. Step-by-Step Traffic Flows
7. Operational Best Practices
8. Troubleshooting Tips
9. Conclusion & Next Steps

1. Introduction: Why SDN for Azure Local?

The rise of hybrid and edge deployments has accelerated the need for cloud-like network programmability and security, on-premises. Microsoft’s Azure Local SDN brings Azure-grade networking to your datacenter, unifying virtual and physical networks with automation, centralized policy, and deep visibility.

By decoupling control from hardware, Azure Local SDN enables rapid provisioning, seamless scaling, and robust multi-tenant isolation—all essential for modern enterprise, service provider, and edge environments.

2. SDN Architecture Overview

Azure Local SDN is a layered system. Each layer abstracts and orchestrates core networking services, allowing admins to declaratively define networks, policies, and services.

High-Level SDN Architecture:

3. Key SDN Components

SDN Controller

• Role: The “brain” of the SDN stack.
• Functions:
  • Centralizes management of logical networks, policies, and resources.
  • Orchestrates and monitors network state across all hosts.
  • Communicates with Windows Admin Center, PowerShell, and Azure Arc for configuration.
  • Pushes network intent to distributed agents and hosts.
• High Availability: Deployed in a highly available cluster for resilience.

Software Load Balancer (SLB)

• Role: L4-L7 load balancing for services, VMs, and applications.
• Functions:
  • Distributes traffic to backend pools based on rules.
  • Supports NAT, VIPs, health probes.
  • Integrates with SDN Controller for policy-driven provisioning.

Gateway Pool

• Role: Manages external connectivity (north-south traffic).
• Functions:
  • Provides NAT, SNAT, and VPN services.
  • Scales out for bandwidth and redundancy.
  • Connects logical SDN networks to external/physical networks.

Virtual Filtering Platform (VFP)

• Role: Kernel-mode switch extension present on every Hyper-V host.
• Functions:
  • Processes data path traffic.
  • Applies security policies, ACLs, and Quality of Service (QoS).
  • Enforces microsegmentation and network virtualization.
  • Receives configuration from SDN Controller.

4. Component Interactions & Data Flow

The components interact in a tightly orchestrated manner:

Component Interaction Diagram:

How it works:

1. Admins define networks, subnets, SLB rules, and policies via WAC, PowerShell, or ARM/Bicep templates.
2. SDN Controller translates intent into distributed policies.
3. SLB and Gateway Pool receive configuration and update state/flow tables.
4. VFP enforces the rules on each host at line rate—ensuring traffic is steered, filtered, and logged as defined.

5. Real-World Architecture Example

a) Basic Multi-Tier SDN Topology

b) Detailed Flow: East-West and North-South

• North-South: External client -> Gateway Pool -> SLB -> Host VFP -> VM
• East-West: VM1 (Host 1) -> VFP (Host 1) -> SDN Policy Routing -> VFP (Host 2) -> VM2

6. Step-by-Step Traffic Flows

North-South Traffic (Internet to VM)

1. Inbound packet hits the Gateway Pool (public VIP or NAT).
2. Gateway Pool checks NAT/SNAT rules and routes to the SLB.
3. SLB selects a backend VM based on load balancing rules.
4. VFP on the host applies ACL, QoS, and forwards packet to VM.
5. Outbound traffic is SNAT’ed (source NAT) as it returns.

East-West Traffic (VM to VM)

1. VM1 sends traffic intercepted by Host 1’s VFP.
2. VFP applies SDN policies (microsegmentation, QoS, etc.).
3. VFP forwards traffic across overlay (VXLAN/GRE) to Host 2.
4. Host 2’s VFP applies policies, then delivers to VM2.

7. Operational Best Practices

• Deploy SDN Controller in HA: Minimum three-node cluster for resilience.
• Automate Provisioning: Use PowerShell or Bicep to create/modify SDN resources.
• Monitor Health: Regularly check VFP agent status, Gateway Pool throughput, and SLB logs.
• Policy as Code: Store network configs as code for versioning, compliance, and rollback.

Sample PowerShell: Create a Logical Network

# Example: Provision a logical network in Azure Local SDN
Import-Module NetworkController
New-NetworkControllerLogicalNetwork -ConnectionUri "https://sdncontroller.local" `
    -Name "CorpNet" `
    -Subnets @("10.1.0.0/16", "10.2.0.0/16")

8. Troubleshooting Tips

• VFP Troubleshooting:
  Use Get-VfpFlow to inspect current flows, dropped packets, and applied ACLs.
• Gateway Pool Health:
  Check for missed heartbeats or high latency. Review SLB logs for backend health probe failures.
• Common Issues:
  • Misconfigured policies: Validate with Get-NetworkController* cmdlets.
  • Outdated host agents: Ensure all Hyper-V hosts run compatible VFP agent versions.

9. Conclusion & Next Steps

Azure Local SDN transforms on-premises networking with programmable control, enterprise-grade security, and automated service delivery—mirroring public cloud experience inside your datacenter.
By understanding each component and their orchestration, architects and engineers can deliver robust, scalable, and secure network services with full operational confidence.

For more detail on automation and integration, see the official Azure SDN documentation.

Disclaimer: The views expressed in this article are those of the author and do not represent the opinions of Microsoft, my employer or any affiliated organization. Always refer to the official Microsoft documentation before production deployment.