Azure Virtual WAN Architecture
This document provides a comprehensive overview of the architecture behind Azure Virtual WAN, a networking service that brings together networking, security, and routing capabilities into a single operational interface.
What is Azure Virtual WAN?
Azure Virtual WAN is a networking service that enables you to connect your on-premises networks, remote offices, and geographically distributed applications to Microsoft Azure. It simplifies network management and provides a scalable, secure, and highly available connectivity solution.
Key Components of Virtual WAN Architecture
The Virtual WAN architecture is built around several core components:
- Virtual WAN Hub: A Microsoft-managed transit hub in a chosen Azure region. It acts as the central point of connectivity for your entire network.
- Virtual Hub Router: A managed router within the Virtual WAN hub that handles routing between connected sites and spokes.
- Connectivity Partners: Devices or services that connect to the Virtual WAN hub, such as VPN devices, ExpressRoute circuits, or third-party network virtual appliances (NVAs).
- Spoke VNets: Azure Virtual Networks that are peered with the Virtual WAN hub, allowing them to communicate with other spokes and on-premises sites.
- Site-to-Site VPN: Connects your on-premises networks to the Virtual WAN hub over the public internet using IPsec tunnels.
- ExpressRoute: Provides a private, dedicated connection between your on-premises infrastructure and Azure, offering higher bandwidth and lower latency.
- User VPN: Enables remote users to connect to your Azure network securely.
Architectural Patterns
Virtual WAN supports several common architectural patterns:
Hub-and-Spoke Topology
This is the most common pattern, where the Virtual WAN hub acts as the central point of connectivity. Spoke VNets are connected to the hub, enabling traffic to flow between them via the hub. This pattern simplifies management and provides a consistent network infrastructure across your Azure deployment.
Figure 1: Illustrative Hub-and-Spoke Topology with Virtual WAN
Transit Connectivity
Virtual WAN facilitates transit connectivity, allowing traffic to flow between different spoke VNets and between on-premises sites and spoke VNets. This eliminates the need for complex and expensive mesh VPNs or virtual appliances in each VNet.
Branch Connectivity
Connect your remote branches and offices to Azure using Site-to-Site VPN or ExpressRoute. The Virtual WAN hub acts as the gateway, providing seamless connectivity.
Benefits of Virtual WAN Architecture
- Simplified Management: A single pane of glass for managing global network connectivity.
- Scalability: Designed to scale from small deployments to enterprise-wide networks.
- High Availability: Built with redundancy to ensure continuous connectivity.
- Global Reach: Connect your distributed sites and users across the globe.
- Enhanced Security: Integrate with Azure Firewall Manager and Network Security Groups for robust security.
Key Considerations
When designing your Virtual WAN architecture, consider:
- The number and geographical distribution of your sites.
- Your bandwidth requirements for VPN and ExpressRoute connections.
- Your security and compliance needs.
- The need for transit routing between spoke VNets.
Next Steps
Explore the following resources to learn more about implementing Azure Virtual WAN: