
Azure VMware Solution Design

This chapter covers Azure VMware Solution (AVS), a first-party Microsoft service that runs VMware vSphere, vCenter, NSX-T, and HCX on dedicated Azure bare-metal infrastructure. For the AZ-305 exam, understanding AVS is critical for designing hybrid cloud solutions that require seamless migration of existing VMware workloads without refactoring. Approximately 5-8% of exam questions touch on AVS, focusing on use cases, networking integration, and migration strategies. Mastering AVS will help you answer scenario-based questions about lift-and-shift migrations, disaster recovery, and extending on-premises data centers to Azure.

Updated May 31, 2026

VMware Cloud as a Packed Suitcase in Azure

Imagine you have a fully packed suitcase (your on-premises VMware environment) with clothes, toiletries, and electronics all arranged in a specific way. You need to move to a new house (Azure) but you don't want to unpack and repack everything—you want to move the suitcase as-is. Azure VMware Solution (AVS) is like a special luggage compartment on the moving truck that accepts your exact suitcase without any repacking. The truck (Azure infrastructure) provides the compartment (dedicated bare-metal hosts) that runs VMware ESXi, vCenter, and NSX-T exactly as you have them. The truck driver (Microsoft) maintains the compartment, but you still have full control over the contents—you can add or remove items, rearrange them, and even connect to other compartments (on-premises or other Azure services) via secure tunnels (ExpressRoute). The key is that the suitcase retains its original structure, so you don't need to learn a new packing system—your existing tools, processes, and even the suitcase locks (VMware features like vMotion and HA) work the same way. In contrast, moving to Azure natively would mean unpacking everything and using Azure's built-in storage (Azure VMs with custom images) which requires reconfiguring each item.

How It Actually Works

What is Azure VMware Solution (AVS)?

Azure VMware Solution is a Microsoft-managed service that provides VMware vSphere, vCenter, NSX-T, and HCX running on dedicated Azure bare-metal infrastructure. It allows organizations to migrate their on-premises VMware workloads to Azure without refactoring applications, rearchitecting networking, or changing management tools. AVS is an Azure first-party service, meaning it is fully integrated with Azure Resource Manager, Azure Active Directory, and Azure networking services like ExpressRoute and VPN Gateway.

Why AVS exists

Many enterprises have significant investments in VMware-based virtualization. Migrating those workloads to Azure natively would require converting VMDK files to VHD, reconfiguring networking, and retraining staff. AVS eliminates these barriers by providing a VMware environment that is fully compatible with existing tools (vCenter, NSX-T, PowerCLI) and processes (vMotion, HA, DRS). It enables a true hybrid cloud where workloads can move between on-premises and Azure without modification.

How AVS works internally

AVS is deployed in an Azure region within a customer's subscription, but it runs on dedicated bare-metal servers that are not shared with other customers. These servers are ESXi hosts managed by a vCenter Server that is accessible via the Azure portal. The service includes:

vCenter Server: Central management for ESXi hosts, VMs, storage, and networking.

NSX-T Data Center: Software-defined networking (SDN) and security. It provides virtual switches, routers, firewalls, and VPN capabilities.

HCX (Hybrid Cloud Extension): A service that enables workload mobility, disaster recovery, and network extension between on-premises and AVS.

Azure NetApp Files: Optional high-performance file storage that can be mounted to AVS clusters.

Key components, values, defaults, and timers

Node types: AVS nodes are available in three SKUs: AV36 (36 cores, 576 GB RAM, 15.36 TB NVMe cache, 3.84 TB capacity), AV36P (36 cores, 768 GB RAM, 15.36 TB NVMe cache, 7.68 TB capacity), and AV52 (52 cores, 1.5 TB RAM, 38.4 TB NVMe cache, 15.36 TB capacity).

Minimum cluster size: 3 nodes (for vSphere HA quorum). Maximum cluster size is 16 nodes per cluster. A private cloud can have multiple clusters.

vCenter Server: Provided as a PaaS component; Microsoft manages its availability and patching. Customers have full administrative access via vSphere Client.

NSX-T: Pre-deployed with a default Tier-0 gateway (for north-south traffic to Azure) and a Tier-1 gateway (for east-west traffic within AVS). Customers can create additional segments, firewalls, and NAT rules.

HCX: Deployed as a virtual appliance in both on-premises and AVS. It uses a site-to-site VPN or ExpressRoute for connectivity.

ExpressRoute: Required for connectivity from on-premises to AVS. Bandwidth can be 1 Gbps or 10 Gbps. AVS uses Global Reach to connect multiple ExpressRoute circuits.

Azure NetApp Files: Can be used as a datastore for AVS clusters with a maximum capacity of 100 TB per account.

Configuration and verification commands

While AVS is managed through the Azure portal and VMware tools, some operations use Azure CLI or PowerShell:

Create a private cloud (Azure CLI):

az vmware private-cloud create \
  --resource-group rg-avs \
  --name my-private-cloud \
  --location eastus \
  --sku av36 \
  --cluster-size 3 \
  --network-block 10.0.0.0/22

List private clouds:

az vmware private-cloud list -o table

Add a cluster:

az vmware cluster create \
  --resource-group rg-avs \
  --private-cloud my-private-cloud \
  --cluster-name cluster-2 \
  --sku av36 \
  --size 4

Get vCenter credentials:

az vmware private-cloud list-admin-credentials \
  --resource-group rg-avs \
  --private-cloud my-private-cloud

Enable HCX:

az vmware hcx-enterprise-site create \
  --resource-group rg-avs \
  --private-cloud my-private-cloud \
  --name hcx-site

How AVS interacts with related technologies

Azure VNet: AVS private cloud is connected to an Azure VNet via an ExpressRoute circuit. This allows VMs in AVS to communicate with Azure VMs and PaaS services like Azure SQL Database or Azure Storage. The VNet must be in the same region as the AVS private cloud.

ExpressRoute Global Reach: Used to connect on-premises networks to AVS and also to connect multiple AVS private clouds across regions.

VPN Gateway: Can be used as a backup or for smaller deployments, but ExpressRoute is preferred for performance and reliability.

Azure Active Directory: vCenter can be integrated with Azure AD for authentication, allowing users to log in with their Azure AD credentials.

Azure Backup: Can back up VMs running in AVS using Azure Backup Server or third-party tools. Native Azure Backup support for AVS VMs is available via Azure Backup for AVS (preview).

Azure Site Recovery: Can be used for disaster recovery of AVS workloads to another AVS private cloud or to Azure VMs.

Azure Monitor: Provides metrics and logs for AVS infrastructure (host CPU, memory, disk usage) via Azure Monitor for AVS.

Networking deep dive

AVS private cloud is allocated a /22 network block (e.g., 10.0.0.0/22) that is used for management and provisioning. This block is divided into subnets:

Management subnet: Used by vCenter, NSX-T managers, and ESXi hosts. This subnet is managed by Microsoft and customers cannot use it for workloads.

Provisioning subnet: Used for HCX and other services.

Customer workload subnets: Customers can create NSX-T segments that use IP addresses from a different address space. These segments are connected to the Tier-1 gateway.

Traffic flows from AVS to on-premises or Azure VNet via the ExpressRoute circuit. The Tier-0 gateway handles north-south traffic. For east-west traffic between AVS VMs, the Tier-1 gateway and NSX-T distributed firewall provide micro-segmentation.
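
A preflight check for the /22 management block and cluster sizing described above, as an added example (not from the original page and not Microsoft tooling). The `check_plan` function, the range labels and all address ranges are constructed for illustration; the limits are the ones this chapter states.

```python
"""Preflight check for an AVS private-cloud plan (added example, constructed data)."""
import ipaddress

# Limits as stated in this chapter.
MGMT_PREFIX_LEN = 22
MIN_NODES, MAX_NODES = 3, 16
NODE_SKUS = {"av36", "av36p", "av52"}  # SKUs named in this chapter


def check_plan(network_block, sku, cluster_size, existing, segments):
    """Return a list of findings; an empty list means the plan passes.

    existing: {label: CIDR} for Azure VNet and on-premises ranges.
    segments: {label: CIDR} for planned NSX-T workload segments.
    """
    findings = []
    if sku.lower() not in NODE_SKUS:
        findings.append(f"unknown node SKU {sku!r}")
    if not MIN_NODES <= cluster_size <= MAX_NODES:
        findings.append(
            f"cluster size {cluster_size} outside {MIN_NODES}-{MAX_NODES}")

    try:
        # strict=True rejects a block with host bits set, e.g. 10.20.1.0/22,
        # which would silently describe a different range than intended.
        block = ipaddress.ip_network(network_block, strict=True)
    except ValueError as exc:
        return findings + [f"invalid network block: {exc}"]

    if block.prefixlen != MGMT_PREFIX_LEN:
        findings.append(
            f"{block} is a /{block.prefixlen}, expected /{MGMT_PREFIX_LEN}")

    # The management block must not overlap the VNet, on-premises ranges,
    # or the workload segments, which use a different address space.
    for label, cidr in {**existing, **segments}.items():
        other = ipaddress.ip_network(cidr, strict=False)
        if block.overlaps(other):
            findings.append(f"{block} overlaps {label} ({other})")
    return findings


# Constructed sample ranges (hypothetical environment).
EXISTING = {
    "hub-vnet": "10.10.0.0/16",
    "onprem-dc1": "10.0.0.0/16",
    "onprem-dc2": "172.16.0.0/20",
}
SEGMENTS = {"seg-web": "192.168.10.0/24", "seg-db": "192.168.20.0/24"}

if __name__ == "__main__":
    for candidate in ("10.0.0.0/22", "10.20.0.0/22",
                      "10.20.1.0/22", "192.168.8.0/22"):
        result = check_plan(candidate, "av36", 3, EXISTING, SEGMENTS)
        print(candidate, "->", result or "OK")
```

Running the check before `az vmware private-cloud create` matters because the management block is chosen at creation time, and an overlap only shows up later as broken routing over ExpressRoute.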

Migration with HCX

HCX supports multiple migration methods:

- vMotion: Live migration of running VMs with zero downtime. Requires low latency (< 10 ms RTT) and high bandwidth.
- Cold migration: Power off VM and migrate. Suitable for non-critical workloads.
- Bulk migration: Uses replication to migrate many VMs at once. Can be scheduled.
- Disaster recovery: Replicates VMs to AVS for failover. Can be tested without impact.

HCX also provides network extension (L2 stretch) so that VMs retain their IP addresses after migration. This is achieved by extending VLANs from on-premises to AVS using the HCX Network Extension appliance.

Storage options

AVS provides local NVMe storage from the bare-metal nodes (vSAN). Additionally, customers can attach:

- Azure NetApp Files: NFS datastores that can be used for high-performance workloads.
- Azure Disk Storage: Not directly attachable to AVS hosts; instead, use a file server VM inside AVS that mounts Azure disks.
- Azure Files: Can be accessed via SMB from VMs in AVS.

Limitations and considerations

No nested virtualization: ESXi hosts cannot run nested hypervisors.

No direct internet access: By default, AVS VMs cannot reach the internet unless you configure an Azure Firewall or an NVA in the connected VNet.

No DRS automation: VMware DRS (vSphere Distributed Resource Scheduler) is available, but it cannot move VMs across clusters automatically without manual setup.

VMware versions: Microsoft keeps the VMware software up to date, but customers cannot choose specific versions. Usually, it is the latest stable version.

Maximum VMs per cluster: Approximately 1,000 VMs per cluster, but this depends on resource usage.

Exam relevance

For AZ-305, you need to know:

When to recommend AVS over native Azure (lift-and-shift, existing VMware investment, need for vMotion, HCX).

How to design networking: ExpressRoute, Global Reach, NSX-T segments, Azure VNet peering.

How to integrate with Azure services: Azure AD, Azure Backup, Azure Site Recovery, Azure Monitor.

The migration process using HCX.

Cost considerations: AVS is more expensive than native Azure VMs due to dedicated hardware and VMware licensing.

Walk-Through

1. Provision AVS Private Cloud

In the Azure portal, navigate to Azure VMware Solution and create a private cloud. You must specify the region, node type (AV36, AV36P, or AV52), initial cluster size (minimum 3), and a /22 network block for management. This block must not overlap with any existing network in your Azure VNet or on-premises. Once created, Microsoft deploys the bare-metal hosts, installs ESXi, vCenter, and NSX-T. The process takes about 2-4 hours. After completion, you receive a vCenter URL and credentials. You can then access vCenter via the internet (by enabling public IP on the vCenter) or via ExpressRoute from your on-premises network.

2. Connect AVS to Azure VNet

AVS private cloud automatically creates an ExpressRoute circuit. You must authorize this circuit to connect to an ExpressRoute gateway in your Azure VNet. In the Azure portal, under the private cloud, click 'Connectivity' then 'ExpressRoute'. Copy the authorization key and circuit ID. In your VNet, create an ExpressRoute gateway (either Standard or High Performance) and use the key to link it to the AVS circuit. This establishes Layer 3 connectivity between AVS and your Azure VNet. Once connected, VMs in AVS can communicate with Azure VMs using private IP addresses. You can also peer the VNet with other VNets using VNet peering.

3. Connect On-Premises to AVS

For on-premises connectivity, you need an ExpressRoute circuit from your on-premises location to Azure. Then use ExpressRoute Global Reach to connect that circuit to the AVS ExpressRoute circuit. This creates a direct Layer 3 connection between on-premises and AVS without going through the internet. Alternatively, you can use a VPN gateway (S2S VPN) for lower bandwidth or as a backup. The recommended approach is ExpressRoute for production workloads. After connectivity, you must configure routing in NSX-T to advertise on-premises routes and to accept routes from on-premises. This is done via the NSX-T Tier-0 gateway BGP configuration.

4. Deploy HCX and Migrate Workloads

In the AVS portal, enable HCX by creating an HCX enterprise site. This deploys the HCX manager appliance in AVS. Then, download the HCX connector appliance from the AVS portal and deploy it on-premises in your VMware environment. Pair the on-premises HCX connector with the AVS HCX manager. Once paired, you can create a service mesh that defines the network connectivity (e.g., VPN or ExpressRoute) and the migration methods allowed. For live migration, use HCX vMotion. For bulk migration, use HCX bulk migration with replication. The HCX network extension appliance allows you to extend L2 networks from on-premises to AVS, so VMs keep their IP addresses. After migration, you can decommission the on-premises VMs.

5. Configure NSX-T Networking

By default, AVS provides a Tier-0 gateway (for external connectivity) and a Tier-1 gateway (for internal segmentation). You create NSX-T segments (logical switches) for your workload VMs. Each segment can have its own subnet. You can also configure the NSX-T distributed firewall for micro-segmentation between VMs. For north-south traffic, you may need to create NAT rules (for outbound internet access) or configure the Tier-0 gateway to advertise routes to on-premises. If you need internet access for AVS VMs, you must deploy an Azure Firewall or a third-party NVA in the connected VNet and route traffic through it. You can also enable public IP on the vCenter for management access.

What This Looks Like on the Job

Enterprise Scenario 1: Large Financial Institution Migrating Legacy VMware Environment

A global bank has over 2,000 VMs running on VMware vSphere in multiple data centers. Many of these VMs run legacy applications that cannot be containerized or refactored due to compliance and stability requirements. The bank needs to migrate to Azure to reduce data center footprint and gain cloud agility. They choose AVS because it allows them to vMotion live VMs with zero downtime using HCX. They deploy AVS in the East US region with three clusters of AV36 nodes (9 nodes total). They connect on-premises to AVS via ExpressRoute with Global Reach. The migration takes six months, moving 200 VMs per week. During the process, they use HCX network extension to keep IP addresses unchanged. After migration, they integrate vCenter with Azure AD for single sign-on and use Azure Backup for VM backups. The key challenge is managing the large number of NSX-T segments (over 100) and ensuring that firewall rules are correctly migrated. They use the NSX-T migration tool to convert on-premises distributed firewall rules. Performance-wise, they monitor host utilization and add nodes as needed. A common misconfiguration is not reserving enough IP space for HCX network extension appliances, causing IP conflicts.

Enterprise Scenario 2: Healthcare Provider Using AVS for Disaster Recovery

A healthcare provider has a primary data center in Dallas and a secondary site in Phoenix. They want to use Azure as a disaster recovery target for their VMware workloads without changing their existing VMware tools. They deploy AVS in the West US region (closest to Phoenix) with a 3-node cluster. They use HCX disaster recovery to replicate critical VMs (about 500) from on-premises to AVS. Replication is set to every 15 minutes. In the event of a disaster, they can fail over to AVS and access applications via a VPN connection from their secondary site. They use Azure Site Recovery as an alternative, but HCX is preferred because it integrates directly with vSphere. The challenge is ensuring that the ExpressRoute bandwidth is sufficient for replication traffic (they use 1 Gbps). They also need to test failover quarterly without impacting production. A common mistake is not sizing the AVS cluster correctly for failover capacity—they initially underestimated CPU requirements and had to add nodes during a test.

Enterprise Scenario 3: Retail Company Extending Data Center to Azure

A retail company with seasonal peaks (Black Friday) needs to burst capacity to Azure during high demand. They have a VMware environment with 500 VMs that handle e-commerce transactions. They deploy AVS with a 4-node cluster in the same Azure region as their web tier (Azure VMs). They use HCX vMotion to move VMs between on-premises and AVS during peak times. This requires low latency (< 10 ms) between on-premises and Azure, which they achieve with ExpressRoute Direct. They also use NSX-T to create a DMZ segment for web servers and a backend segment for databases. The critical integration is with Azure Load Balancer to distribute traffic to AVS VMs. They configure the Tier-0 gateway to advertise the DMZ subnet to Azure, so Azure Load Balancer can forward traffic. The biggest challenge is managing the dynamic routing updates when VMs are vMotioned—they use BGP with route maps to ensure traffic is optimally routed. A misconfiguration they encountered was not enabling 'send ARP' on the HCX network extension, causing network loops.

How AZ-305 Actually Tests This

What AZ-305 Tests on Azure VMware Solution

AZ-305 objective 4.3 focuses on designing an infrastructure strategy that includes Azure VMware Solution. Exam questions typically present a scenario where a company has existing VMware investments and needs to migrate to Azure. The correct answer often involves AVS when the requirement is to avoid refactoring, maintain existing management tools, or use vMotion for zero-downtime migration. Key objective codes: 4.3.1 (Identify when to use AVS), 4.3.2 (Design networking for AVS), 4.3.3 (Design migration strategy with HCX).

Common Wrong Answers and Why

1. Choosing native Azure VMs with Azure Migrate: Candidates often select this because it is the default migration approach. However, if the scenario explicitly states that the VMs use VMware-specific features (e.g., vMotion, DRS, or custom VM templates), AVS is the right choice because native Azure does not support those features.

2. Selecting Azure Stack HCI: Azure Stack HCI is a hyper-converged infrastructure solution for on-premises, not a cloud migration target. Candidates confuse it with AVS because both run VMware. But AVS runs in Azure, while Azure Stack HCI runs on-premises.

3. Using Azure Site Recovery without HCX: Azure Site Recovery can replicate VMware VMs to Azure, but it does not provide live migration (vMotion) or network extension. If the scenario requires zero downtime or IP preservation, HCX is needed. Candidates often miss that HCX is part of AVS.

4. Assuming AVS provides native internet access: AVS VMs do not have default internet connectivity. Candidates may think they do because AVS is in Azure. The correct design requires an Azure Firewall or NVA in the connected VNet.

Specific Numbers and Terms on the Exam

Minimum cluster size: 3 nodes

Node SKUs: AV36, AV36P, AV52

Network block: /22

HCX migration methods: vMotion, cold migration, bulk migration, disaster recovery

ExpressRoute Global Reach is required for on-premises to AVS connectivity.

vCenter integration with Azure AD for authentication.

Azure Backup for AVS is in preview.

Edge Cases and Exceptions

Cross-region AVS: You cannot connect two AVS private clouds in different regions directly without ExpressRoute Global Reach or a VPN.

vCenter public IP: By default, vCenter is not accessible over the internet. You must explicitly enable a public IP for vCenter in the Azure portal.

NSX-T license: AVS includes NSX-T licensing; you do not need to bring your own.

VMware version: You cannot upgrade or downgrade VMware software; Microsoft manages it.

How to Eliminate Wrong Answers

If the scenario mentions 'no application changes', 'keep existing management tools', or 'live migration', AVS is the answer.

If the scenario mentions 'need to use existing VMware licenses', note that AVS includes VMware licensing, so you don't need to bring your own.

If the scenario mentions 'need to extend L2 network', HCX network extension is required.

If the scenario mentions 'disaster recovery with minimal RTO', HCX disaster recovery is preferred over Azure Site Recovery for VMware workloads.

Key Takeaways

AVS is for lift-and-shift migrations of VMware workloads without refactoring.

Minimum cluster size is 3 nodes; maximum is 16 nodes per cluster.

AVS uses a /22 network block for management; do not overlap with on-premises or Azure VNet.

HCX enables live migration (vMotion), bulk migration, and disaster recovery with L2 network extension.

ExpressRoute Global Reach is required for on-premises to AVS connectivity.

AVS VMs do not have internet access by default; use Azure Firewall or NVA.

vCenter can integrate with Azure AD for authentication.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Azure VMware Solution (AVS)

Runs VMware vSphere, vCenter, NSX-T, HCX

Supports live migration (vMotion) with zero downtime

Can extend L2 networks via HCX

Requires dedicated bare-metal nodes (3-node minimum)

Includes VMware licensing in node cost

Native Azure VMs

Runs on Hyper-V hypervisor (Azure host)

No vMotion; requires conversion to VHD

No native L2 extension; IP changes required

Shared infrastructure; pay per VM

No VMware licensing; use Azure Hybrid Benefit for Windows

Watch Out for These

Mistake

AVS is just Azure running VMware on top of Hyper-V.

Correct

AVS runs on bare-metal servers with ESXi directly installed, not on Hyper-V. It is a Type 1 hypervisor environment, not nested virtualization.

Mistake

You can use your existing VMware licenses with AVS.

Correct

AVS includes VMware licensing costs in the node price. You cannot bring your own VMware licenses. However, you can use Microsoft Azure Hybrid Benefit for Windows Server licenses.

Mistake

AVS VMs have direct outbound internet access by default.

Correct

AVS VMs do not have internet access unless you configure an Azure Firewall or NVA in the connected VNet and route traffic through it. The Tier-0 gateway does not provide NAT for internet.

Mistake

HCX can migrate VMs from any hypervisor to AVS.

Correct

HCX only supports VMware vSphere sources. It cannot migrate from Hyper-V, KVM, or other hypervisors. For non-VMware sources, use Azure Migrate.

Mistake

AVS clusters can be scaled down to 1 node.

Correct

Minimum cluster size is 3 nodes for vSphere HA quorum. You cannot reduce a cluster below 3 nodes. To scale down, you must remove the entire cluster and create a new one.


Frequently Asked Questions

Can I use my existing VMware licenses with Azure VMware Solution?

No, AVS includes VMware licensing in the node price. You cannot bring your own VMware licenses. However, you can use Microsoft Azure Hybrid Benefit for Windows Server licenses to save on Windows VM costs. For VMware, the cost is bundled into the per-node pricing.

What is the minimum cluster size for Azure VMware Solution?

The minimum cluster size is 3 nodes. This is required for vSphere High Availability (HA) quorum. You can start with 3 nodes and scale up to 16 nodes per cluster. To scale down, you must remove the entire cluster and create a new one.

How do I connect my on-premises network to Azure VMware Solution?

You connect via ExpressRoute. AVS automatically creates an ExpressRoute circuit. You need to authorize it and link it to an ExpressRoute gateway in your Azure VNet. Then, use ExpressRoute Global Reach to connect your on-premises ExpressRoute circuit to the AVS circuit. Alternatively, you can use a site-to-site VPN as a backup.

Can I migrate VMs from VMware to Azure VMware Solution with zero downtime?

Yes, using HCX vMotion. HCX supports live migration of running VMs with zero downtime, provided the network latency between on-premises and Azure is low (typically < 10 ms RTT) and bandwidth is sufficient. For bulk migrations, use HCX bulk migration with replication.

Does Azure VMware Solution support internet access for VMs?

By default, no. AVS VMs can only communicate within the private cloud and connected Azure VNet. To enable internet access, you must deploy an Azure Firewall or a third-party NVA in the connected VNet and configure route tables to direct traffic through it. You can also configure NAT on the NVA.

Can I use Azure Backup for VMs in Azure VMware Solution?

Yes, Azure Backup for AVS is available in preview. You can back up VMs to a Recovery Services vault. Alternatively, you can use third-party backup solutions or deploy a backup server inside AVS. Azure Site Recovery can also be used for disaster recovery.

What happens if I need to upgrade VMware software in AVS?

Microsoft manages the VMware software stack, including ESXi, vCenter, and NSX-T. They apply updates and upgrades automatically. You cannot manually upgrade or downgrade versions. Microsoft ensures the software is kept up to date with the latest stable releases.
