SDN Architecture for Azure Local – Deeper Dive

Introduction

Software Defined Networking (SDN) is no longer exclusive to hyperscale public clouds. With the public preview of SDN on Azure Local enabled by Azure Arc, Microsoft is bringing its powerful SDN fabric to edge and on-premises deployments. This evolution enables centralized policy, microsegmentation, and hybrid control over distributed environments, without sacrificing locality or sovereignty.

This blog dives deep into the architecture powering this capability, breaking down each component from the SDN controller to the Virtual Filtering Platform (VFP). Whether you are designing for a factory edge, financial data center, or branch deployment, understanding the SDN control plane and data path interaction is essential.


Architectural Layers: High-Level Overview

Here’s a quick glance at how Azure Local SDN components stack up across control and data planes:

Let’s now break down each major component in technical detail.


Azure Arc + SDN Controller

Azure Arc provides the control-plane glue between Azure and your Azure Local cluster. The SDN controller is deployed locally and acts as the policy and topology brain.

Key SDN Controller Services:

  • Network Controller (NC): Manages virtual networks, subnets, access control lists (ACLs), and routes.
  • SLB Manager: Software Load Balancer orchestrator for east-west and north-south traffic.
  • Gateway Manager: Manages site-to-site VPN, NAT, and egress paths.
  • Policy Synchronizer: There is no dedicated “Policy Synchronizer” component; SDN state is managed declaratively. Instead, Azure Arc projects SDN resources into Azure, where policies can be applied using Azure Policy.

Note: Unlike NSX-T or Cisco ACI, Azure Local uses RESTful endpoints and is Azure Arc-aware, making governance part of your centralized control strategy.


Software Load Balancer (SLB)

The Azure Local SLB mimics Azure’s public SLB and operates in distributed mode using host-level agents.

Capabilities:

  • L4 TCP/UDP load balancing
  • North-south VIP provisioning (floating IPs)
  • Dynamic reprogramming of flow tables

SLB rules are automatically programmed via the controller’s northbound APIs or Bicep templates.


Gateway Pool

Gateways are the bridge to the outside world, supporting:

  • NAT: Static and dynamic translation for egress
  • SNAT pools: Per-tenant NAT mapping
  • VPN: Site-to-site or point-to-site tunnels
  • Route-based and Policy-based tunnels

Each SDN gateway is part of a Gateway Pool, with HA and multiple path options.

Real-World Tip: Azure Virtual WAN supports third-party NVAs via Network Function Manager, but Azure Arc-enabled SDN for Azure Local does not currently support NVA insertion. This may be possible in the future or via custom routing, but it’s not part of the current preview.


VFP: Virtual Filtering Platform

VFP is the programmable forwarding plane on each Hyper-V host. This is where ACLs, SLB decisions, NAT, and VXLAN encapsulation all happen at line rate.

VFP Layers:

Layer          Role
-------------  ------------------------------------------
Ingress ACL    Filters traffic entering the VM NIC
QoS            Applies traffic shaping policies
Encap/Decap    Handles VXLAN tagging, SLB VIPs
Egress ACL     Filters before exiting to virtual switch

Debug Insight: Use Get-VfpPort and Get-VfpFlowEntry for packet traceability during troubleshooting.
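The ACLs the Network Controller manages (see the SDN Controller section above) are what the VFP ingress and egress ACL layers enforce on each vNIC. The following is an added example, not code from this post, of programming a microsegmentation ACL through the NetworkController PowerShell module and attaching it to a tenant VM NIC; the REST URI, resource IDs, address prefixes, NIC name and the helper function name New-SdnAclRule are assumed placeholders.

```powershell
# Added example: program a microsegmentation ACL on the SDN Network Controller.
# Placeholders (assumed, not from the post): $ncUri, resource IDs, prefixes, NIC name.
$ncUri = "https://nc.contoso.local"   # Network Controller northbound REST endpoint (assumed)

function New-SdnAclRule {
    # Hypothetical helper that builds one Microsoft.Windows.NetworkController.AclRule object.
    param($Id, $Type, $Action, $Protocol, $Src, $Dst, $DstPorts, $Priority, $Logging = "Enabled")
    $p = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $p.Type                     = $Type       # Inbound | Outbound (ingress / egress VFP layer)
    $p.Action                   = $Action     # Allow | Deny
    $p.Protocol                 = $Protocol   # TCP | UDP | All
    $p.SourceAddressPrefix      = $Src
    $p.DestinationAddressPrefix = $Dst
    $p.SourcePortRange          = "0-65535"
    $p.DestinationPortRange     = $DstPorts
    $p.Priority                 = $Priority   # lower number is evaluated first
    $p.Logging                  = $Logging    # keep logging on for deny rules: SOC visibility
    $r = New-Object Microsoft.Windows.NetworkController.AclRule
    $r.ResourceId = $Id
    $r.Properties = $p
    return $r
}

# Web tier accepts only HTTPS from the app tier; all other inbound traffic is dropped and logged.
$rules = @(
    (New-SdnAclRule -Id "AllowHttpsFromApp" -Type "Inbound"  -Action "Allow" -Protocol "TCP" `
        -Src "10.20.0.0/24" -Dst "10.10.0.0/24" -DstPorts "443" -Priority "100"),
    (New-SdnAclRule -Id "DenyAllInbound"    -Type "Inbound"  -Action "Deny"  -Protocol "All" `
        -Src "*" -Dst "*" -DstPorts "0-65535" -Priority "64000"),
    (New-SdnAclRule -Id "AllowAllOutbound"  -Type "Outbound" -Action "Allow" -Protocol "All" `
        -Src "*" -Dst "*" -DstPorts "0-65535" -Priority "64000" -Logging "Disabled")
)

$aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProps.AclRules = $rules
New-NetworkControllerAccessControlList -ConnectionUri $ncUri -ResourceId "WebTier-Microseg" `
    -Properties $aclProps -Force
$acl = Get-NetworkControllerAccessControlList -ConnectionUri $ncUri -ResourceId "WebTier-Microseg"

# Attach the ACL to a tenant VM NIC so VFP enforces it at the vNIC (assumed NIC resource ID).
$nic = Get-NetworkControllerNetworkInterface -ConnectionUri $ncUri -ResourceId "web01_nic0"
$nic.Properties.IpConfigurations[0].Properties.AccessControlList = $acl
New-NetworkControllerNetworkInterface -ConnectionUri $ncUri -ResourceId $nic.ResourceId `
    -Properties $nic.Properties -Force

# Verify what the controller holds: three rules, with the deny rule's Logging set to Enabled.
$acl.Properties.AclRules | Select-Object ResourceId,
    @{n = "Type"; e = { $_.Properties.Type } }, @{n = "Action"; e = { $_.Properties.Action } },
    @{n = "Priority"; e = { $_.Properties.Priority } }, @{n = "Logging"; e = { $_.Properties.Logging } }
```

Pair the controller-side view with the host-side VFP tools from the Debug Insight above to confirm the rule actually landed on the port.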


Data Flow Diagram

Below is a simplified flow of a packet from client to tenant VM via SLB and VFP:

This architecture allows east-west microsegmentation and north-south policy control without external firewalls or L3 switches.


Management & Automation Tooling

  • Azure Arc: Policy config via Azure Policy
    • Azure Arc supports GitOps for Kubernetes clusters and VM configurations, but not yet for SDN policies. SDN configurations are currently managed via Azure Policy, PowerShell, or Bicep/ARM templates.
  • Windows Admin Center: GUI interface to manage SLB, Gateway, and ACLs
  • PowerShell: Get-SdnProviderAddress, New-SdnGatewayConnection
  • Bicep/ARM: Declarative VNet, SLB, and NSG deployment
  • REST APIs: Native SDN controller endpoints for automation pipelines

Real-World Lab Scenario

In our lab, we provisioned:

  • 2 SDN Gateways (active/standby)
  • 1 SLB with 3 backends
  • 2 tenant VNets with ACLs
  • All orchestrated via PowerShell and Arc GitOps

Outcome:

  • Seamless failover
  • Consistent policy enforcement
  • 1.2 Gbps throughput across tunnels (intra-site)
  • Instant route updates via Arc policy sync

Conclusion

Azure Local with SDN is no longer a lightweight imitation of the cloud. It is an enterprise-grade network fabric extended to the edge. With Arc-enabled policy control, distributed SLBs, gateway pools, and programmable forwarding via VFP, you now have a unified stack that mirrors Azure’s scale-out networking in your own data center.

As this preview matures, expect tighter integrations, faster telemetry, and support for next-gen NVA insertions and BGP routing policies.

Disclaimer: The views expressed in this article are those of the author and do not represent the opinions of Microsoft, my employer or any affiliated organization. Always refer to the official Microsoft documentation before production deployment.
