Virtual WAN Connections
Azure Virtual WAN provides optimized and automated branch-to-branch and branch-to-internet connectivity through Azure. This document details the various connection types available within Virtual WAN and how to configure them.
Connection Types
Virtual WAN supports several types of connections to your virtual hub:
- Site-to-Site VPN: Connect your on-premises network to your Azure Virtual WAN hub using IPsec/IKE VPN tunnels. This is a common choice for connecting branch offices.
- ExpressRoute: Establish dedicated, private connections between your on-premises infrastructure and Azure Virtual WAN. This offers higher bandwidth and lower latency than VPN.
- Point-to-Site VPN: Allow individual users to connect to your Virtual WAN hub from their devices (laptops, desktops) over the internet. Ideal for remote users.
- Azure Firewall: Integrate Azure Firewall into your Virtual WAN hub for centralized security policy enforcement and threat protection.
- Network Virtual Appliances (NVAs): Deploy third-party network appliances (like firewalls or routers) within your Virtual WAN hub to extend network services.
Configuring Site-to-Site VPN Connections
To establish a Site-to-Site VPN connection, you'll need to configure both the Virtual WAN hub and your on-premises VPN device.
Steps:
- Create a Virtual Hub: If you haven't already, create a Virtual Hub in your desired Azure region.
- Create a Site-to-Site VPN Gateway: Within the Virtual Hub, create a VPN gateway. Configure its SKU and scale settings.
- Create a VPN Site: Define your on-premises network as a "VPN Site" in Virtual WAN. Provide the public IP address of your VPN device, its address space, and the connection type (e.g., IPsec).
- Create a Connection: From the Virtual Hub, create a new connection. Select the VPN Site you created, the VPN gateway, and configure the shared key (PSK) for authentication.
- Configure On-Premises Device: Configure your physical or virtual VPN device on-premises to match the parameters set in Azure, including the public IP of the Virtual WAN gateway, the shared key, and encryption/hashing algorithms.
Refer to the Azure documentation for specific device configuration examples.
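# Example CLI commands (illustrative; these commands come from the Azure CLI virtual-wan extension)
# List the VPN gateways in the resource group
az network vpn-gateway list --resource-group MyResourceGroup --output table
# Create a VPN Site that represents the on-premises network
az network vpn-site create --name MyVPNSite \
  --resource-group MyResourceGroup \
  --virtual-wan <virtual-wan-name> \
  --location westus \
  --address-prefixes 10.1.0.0/24 \
  --ip-address <on-premises-vpn-device-public-ip>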
Integrating ExpressRoute
ExpressRoute connections offer a reliable and high-speed link to your Virtual WAN.
Steps:
- Provision ExpressRoute Circuit: Work with a connectivity provider to provision an ExpressRoute circuit.
- Create an ExpressRoute Gateway: In your Virtual WAN hub, create an ExpressRoute gateway.
- Connect Circuit to Hub: Create a connection from the Virtual Hub to your ExpressRoute circuit.
Note: ExpressRoute connections require a peering location and often involve coordination with your network provider.
Best Practices for Connections
- Redundancy: For critical connections, configure multiple VPN tunnels or use redundant ExpressRoute circuits.
- Bandwidth Planning: Choose gateway SKUs and ExpressRoute bandwidth appropriate for your traffic needs.
- IP Addressing: Ensure non-overlapping IP address spaces between your on-premises networks and Azure VNets.
- Monitoring: Utilize Azure Monitor to track connection health, bandwidth utilization, and troubleshoot issues.
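The IP Addressing practice above can be checked before a VPN Site or VNet connection is created. The following Python check is an added example, not part of the Azure documentation or tooling; only 10.1.0.0/24 and the names MyVPNSite and MyVWANHub come from this page, while the hub and spoke prefixes and the function name are constructed for illustration.

```python
import ipaddress
from itertools import combinations


def find_overlaps(address_spaces):
    """Return (name_a, prefix_a, name_b, prefix_b) for every pair of prefixes
    that overlap and belong to different networks."""
    parsed = []
    for name, prefixes in address_spaces.items():
        for prefix in prefixes:
            # strict=True raises ValueError on host bits (e.g. 10.1.0.5/24),
            # which usually means a typo in the planned address space.
            parsed.append((name, ipaddress.ip_network(prefix, strict=True)))

    conflicts = []
    for (name_a, net_a), (name_b, net_b) in combinations(parsed, 2):
        if name_a == name_b or net_a.version != net_b.version:
            continue
        # overlaps() also catches containment, e.g. a /24 inside a /16.
        if net_a.overlaps(net_b):
            conflicts.append((name_a, str(net_a), name_b, str(net_b)))
    return conflicts


# Constructed sample plan; only the VPN Site prefix is taken from the page.
SAMPLE_PLAN = {
    "vpn-site:MyVPNSite": ["10.1.0.0/24"],
    "hub:MyVWANHub": ["10.100.0.0/23"],   # assumed hub address space
    "vnet:spoke-app": ["10.1.0.0/16"],    # assumed; contains the site prefix
    "vnet:spoke-data": ["10.2.0.0/16"],   # assumed
}

if __name__ == "__main__":
    for a, pa, b, pb in find_overlaps(SAMPLE_PLAN):
        print(f"OVERLAP: {a} {pa} <-> {b} {pb}")
```

An overlap between an on-premises prefix and a VNet prefix leaves routing between them ambiguous, so resolve every reported pair before creating the connection.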
For detailed configuration guides, examples, and troubleshooting tips, please refer to the official Azure documentation.