Public Connectivity with Azure Virtual WAN

Azure Virtual WAN enables you to achieve robust and scalable public connectivity for your virtual networks and on-premises sites. This article details the different methods and considerations for enabling public access through your Virtual WAN hub.

Understanding Public Connectivity

Public connectivity in the context of Virtual WAN typically refers to the ability for resources within your Azure environment, or connected on-premises sites, to access the public internet. This is often achieved through a Virtual WAN hub, which acts as a central point for traffic routing and policy enforcement.

Key scenarios include:

Providing internet access to virtual machines in Azure VNets connected to the Virtual WAN hub.
Enabling on-premises devices to securely access the internet via the Azure backbone.
Distributing internet egress traffic efficiently across multiple regions.

Methods for Public Connectivity

1. Virtual WAN Hub as an Internet Gateway

The Virtual WAN hub can be configured to act as a universal internet gateway. When you deploy a Virtual WAN hub, you can enable an option to route internet-bound traffic from connected VNets and remote sites through the hub to the public internet.

Configuration Steps:

Ensure your Virtual WAN hub is deployed.
Associate your Azure VNets with the Virtual WAN hub.
Configure a Virtual WAN connection for your on-premises VPN sites or ExpressRoute circuits.
In the Virtual WAN hub configuration, enable the "Internet routing" or similar option. This typically involves associating a Public IP address with the hub's gateway.
Route tables within the hub will direct internet-bound traffic appropriately.

Diagram:

2. Using Network Virtual Appliances (NVAs)

For advanced inspection and filtering of internet-bound traffic, you can deploy Network Virtual Appliances (NVAs) such as firewalls or Unified Threat Management (UTM) devices within your Virtual WAN hub. Traffic destined for the internet is then routed through these NVAs.

Deployment Considerations:

Deploy an NVA in a dedicated VNet connected to the Virtual WAN hub.
Configure routing to direct internet-bound traffic from your VNets and sites to the NVA.
The NVA then forwards the traffic to the public internet.

This approach offers granular control over security policies, content filtering, and intrusion detection for internet traffic.

Key Features and Benefits

Centralized Management: Manage internet connectivity for multiple VNets and sites from a single point.
Scalability: Virtual WAN is designed to scale to meet the demands of large enterprises.
Global Reach: Leverage Azure's global network backbone for efficient traffic routing.
Security: Integrate with Azure Firewall or third-party NVAs for comprehensive security.
Cost-Effectiveness: Often more cost-effective than managing multiple internet egress points.

Pricing and Licensing

Public connectivity through Virtual WAN involves costs associated with the Virtual WAN hub itself, data transfer, and potentially NVAs if used. Refer to the Azure pricing page for detailed information.

Next Steps

To implement public connectivity, consider the following resources:

Important: Ensure you understand the routing implications within your Virtual WAN hub. Proper configuration of effective routes and route propagation is crucial for correct internet traffic flow.