Virtual WAN: Private Connectivity Options
Table of Contents
Introduction to Private Connectivity
Azure Virtual WAN (vWAN) provides a networking service that brings together networking, security, and routing capabilities into a single operational interface. Private connectivity is crucial for securely connecting your on-premises networks, remote branches, and other cloud environments to your Azure resources without exposing them to the public internet.
Virtual WAN simplifies the management of complex global networks by acting as a central hub for all your connections. This document outlines the primary methods for establishing private connectivity with Azure Virtual WAN.
Hub-and-Spoke Model for Private Connectivity
Virtual WAN's architecture is inherently based on a hub-and-spoke model. The Virtual WAN hub acts as the central transit point, and your VNets (spokes) and on-premises sites are connected to this hub. This design ensures that all traffic between spokes, or between spokes and on-premises, transits through the hub, allowing for centralized management, security inspection, and policy enforcement.
This model provides:
- Simplified Connectivity: No need for complex VNet peering or transitive routing configurations between spokes.
- Centralized Management: Manage all your network connections from a single pane of glass.
- Scalability: Easily add new VNets or sites to your network.
Site-to-Site VPN
Site-to-Site (S2S) VPN provides a secure, encrypted tunnel over the public internet between your on-premises VPN devices and the Azure Virtual WAN hub. This is a cost-effective solution for connecting your branch offices or data centers to Azure.
Key Features:
- IPsec/IKE VPN Tunnels: Standardized and secure VPN protocols.
- High Availability: Support for active-active connections with redundant VPN devices.
- Bandwidth Options: Choose VPN gateways that meet your throughput requirements.
To configure S2S VPN with Virtual WAN:
- Create a Virtual WAN resource.
- Create a Virtual Hub within your Virtual WAN.
- Deploy a VPN gateway in the Virtual Hub.
- Create a Site-to-Site connection from the VPN gateway to your on-premises VPN device, downloading the configuration details provided by Azure.
ExpressRoute
Azure ExpressRoute provides dedicated, private connections from your on-premises infrastructure to Azure, bypassing the public internet. This offers higher reliability, faster speeds, lower latencies, and enhanced security compared to VPN connections.
Key Features:
- Dedicated Bandwidth: Guaranteed throughput for predictable performance.
- Low Latency: Ideal for latency-sensitive applications.
- Enhanced Security: Traffic remains within a private network.
- Integration with Virtual WAN: Connect your ExpressRoute circuits to the Virtual WAN hub for seamless integration with other connectivity options.
To leverage ExpressRoute with Virtual WAN:
- Establish an ExpressRoute circuit with a supported connectivity provider.
- Configure an ExpressRoute gateway within your Virtual WAN hub.
- Create an ExpressRoute circuit connection from your ExpressRoute provider to the Virtual WAN hub.
Virtual WAN Hub Routing
The Virtual WAN hub plays a critical role in routing traffic between connected VNets and on-premises sites. It uses a route table that is automatically populated and managed, but can also be customized.
Key Routing Concepts:
- Default Route Table: Propagates routes from connected VNets and VPN/ExpressRoute sites.
- Hub Routing: The hub advertises routes to connected networks, enabling transitive routing.
- Virtual Network Connection Routes: When connecting a VNet to the hub, you can control which routes are propagated from the VNet to the hub and vice-versa.
- Route Analytics: Provides insights into route propagation and learning within the hub.
// Example of route propagation configuration for a VNet connection
{
"type": "Microsoft.Network/virtualWans/virtualHubs/virtualNetworkConnections",
"properties": {
"routingConfiguration": {
"associatedRouteTable": {
"id": "/subscriptions/{subid}/resourceGroups/{rg}/providers/Microsoft.Network/virtualWans/{vwan}/virtualHubs/{hub}/hubRouteTables/defaultRouteTable"
},
"propagatedRouteTables": {
"labels": [
"default"
],
"routeTableIds": [
"/subscriptions/{subid}/resourceGroups/{rg}/providers/Microsoft.Network/virtualWans/{vwan}/virtualHubs/{hub}/hubRouteTables/defaultRouteTable"
]
},
"staticRoutes": []
}
}
}
Connecting VNets to the Hub
Azure Virtual WAN allows you to connect your existing or new VNets to the Virtual WAN hub. This is achieved through a resource called a "Virtual Network Connection."
When you create a Virtual Network Connection, you specify:
- The Virtual WAN hub to connect to.
- The VNet to connect.
- Whether to enable traffic forwarding to the hub (for S2S VPN or ExpressRoute).
- The route table that the VNet's routes will be associated with and propagated to.
On-Premises Connectivity Summary
Virtual WAN supports connecting your on-premises environment through:
- Site-to-Site VPN: Secure and cost-effective over the internet.
- ExpressRoute: Dedicated, private, and high-performance connection.
Both methods terminate at the Virtual WAN hub, allowing for centralized management and routing of your hybrid cloud traffic.
Best Practices for Private Connectivity
- Design for Redundancy: Implement redundant VPN devices or ExpressRoute circuits for high availability.
- Use Hub-and-Spoke: Leverage the Virtual WAN hub for all inter-network routing.
- Plan IP Addressing: Carefully plan your IP address spaces to avoid overlaps.
- Monitor Performance: Utilize Azure Monitor and Virtual WAN's diagnostic tools to track connectivity and performance.
- Secure Traffic: Consider deploying Network Virtual Appliances (NVAs) in the hub for advanced security inspection.