Azure Virtual WAN Concepts

This article explains the core concepts of Azure Virtual WAN, a networking service that brings together networking, security, and routing capabilities into a single operational interface.

What is Virtual WAN?

Azure Virtual WAN is a networking service that combines several Microsoft network capabilities into a single service and security administration experience. Virtual WAN is designed to deliver:

Optimized and automatic site-to-cloud connectivity: Via an integrated Scalable VPN service.
Branch connectivity to Azure: Via a highly available and scalable multi-site hub.
Branch connectivity to Branch: Via transit hub in Azure.
Connectivity to Azure public Internet: Via an integrated and scalable Data Center firewall service.
Connectivity to Microsoft 365: Via optimized routing with Microsoft.
Branch-to-branch connectivity: Via hub spokes.
Unified management: For all your networking and security needs.

Key Components

Virtual WAN is built on a hub-and-spoke architecture. A Virtual WAN hub is a Microsoft-managed resource deployed in an Azure region. You can connect your spokes to the hub to enable transit routing between them.

Virtual WAN Hub

A Virtual WAN hub is a network transit center. It aggregates multiple connectivity types and enables transit routing. A hub contains:

VPN Gateway: For Site-to-Site VPN connectivity.
ExpressRoute Gateway: For ExpressRoute connectivity.
Azure Firewall: For security policies and inspection.
Virtual Network Gateway (VNG): For connecting Virtual Networks (spokes).
Routing infrastructure: To manage traffic flow.

Note: A Virtual WAN hub is deployed in a specific Azure region. You can have multiple hubs in different regions to optimize for latency and provide high availability.

Spoke Virtual Networks

Spoke virtual networks are standard Azure virtual networks. You connect them to a Virtual WAN hub via a connection, allowing resources in the spoke VNet to communicate with other spokes, on-premises sites, and the internet.

Connections

Connections are the links between a spoke virtual network and a Virtual WAN hub. There are two primary types of connections:

VNet Connection: Connects a standard Azure Virtual Network to a Virtual WAN hub.
Site-to-Site VPN Connection: Connects your on-premises branch offices to the Virtual WAN hub using VPN devices.

Virtual Hub Router

The Virtual Hub Router is responsible for routing traffic within the Virtual WAN hub. It supports:

Static Routing: Manual route configuration.
Dynamic Routing: Via BGP for VPN and ExpressRoute connections.
ECMP (Equal-Cost Multi-Path) routing: For load balancing.

Connectivity Models

Virtual WAN supports various connectivity models:

Site-to-Site VPN (Branch to Cloud)

Connect your on-premises branch offices to a Virtual WAN hub using Site-to-Site VPN connections. This provides a secure and reliable connection for accessing Azure resources.

Branch Office <-> VPN Device <-> Internet <-> Virtual WAN Hub (VPN Gateway) <-> Azure Resources

ExpressRoute

For private, high-throughput connectivity, you can connect your on-premises network to a Virtual WAN hub using ExpressRoute. This offers lower latency and higher reliability than VPNs.

On-Premises Data Center <-> ExpressRoute Circuit <-> Virtual WAN Hub (ExpressRoute Gateway) <-> Azure Resources

VNet Peering (Hub and Spoke)

Connect your Azure Virtual Networks (spokes) to the Virtual WAN hub. This allows seamless communication between resources in different spokes through the hub.

Spoke VNet 1 <-> VNet Connection <-> Virtual WAN Hub <-> VNet Connection <-> Spoke VNet 2

Global Transit Network

Virtual WAN enables a global transit network, allowing branches in different regions to communicate with each other directly through the Virtual WAN hubs, without requiring complex hub-to-hub VPN configurations.

Security Features

Virtual WAN integrates with Azure Firewall to provide advanced security capabilities:

Network Security: Centralized firewall policies for traffic inspection and filtering.
Threat Protection: Intrusion detection and prevention.
URL Filtering: Control access to websites.
Application Filtering: Restrict access to specific applications.

Important: Azure Firewall is an optional component deployed within the Virtual WAN hub. It can be enabled to enforce security policies across your entire WAN.

Benefits of Virtual WAN

Simplified Management: A single pane of glass for all your networking and security.
Scalability: Built to handle large-scale enterprise networks.
Performance: Optimized routing and global reach.
Cost-Effectiveness: Reduces the need for complex on-premises network hardware.
Enhanced Security: Integrated firewall and security policies.

For more detailed information and configuration steps, refer to the Virtual WAN Quickstart guide.