Azure Virtual WAN Reference

Introduction

Azure Virtual WAN is a networking service that brings together a number of networking, security, and routing functionalities to provide a single operational interface. This service provides optimized and automated branch-to-branch and branch-to-internet connectivity through Azure. Virtual WAN is a distributed, scalable, and highly available cloud networking platform.

It is designed to simplify the management and operation of large-scale, multi-site cloud networks. With Virtual WAN, you can connect your on-premises networks, remote offices, and users to Azure, and also connect them to each other, all through a unified hub-and-spoke architecture.

Key Concepts

Virtual WAN Hub: A managed Virtual WAN resource that acts as a transit point for your network traffic. It hosts various network services like VPN gateways, ExpressRoute gateways, and firewall services.
Virtual Hub Connections: Resources that connect your spoke Virtual Networks or on-premises sites to a Virtual WAN Hub.
Site-to-Site VPN: Connects your on-premises network to a Virtual WAN Hub over a secure VPN tunnel.
Point-to-Site VPN: Enables remote users to connect to your Virtual WAN securely.
ExpressRoute: Provides a private, high-bandwidth connection between your on-premises network and Azure.
VNet Peering: Connects Virtual Networks within Azure. In a Virtual WAN context, spoke VNets are peered to the Virtual WAN Hub.
Transit Routing: The Virtual WAN Hub acts as a transit point, allowing traffic to flow between different connected sites and VNets.

Architecture

Virtual WAN follows a hub-and-spoke architecture:

Azure Virtual WAN Architecture

In this model:

Hubs are deployed in Azure regions. They host the connectivity and security services.
Spokes (Virtual Networks) are connected to the hubs.
Branches/On-premises sites are connected to the hubs via VPN or ExpressRoute.
The hub provides transit routing for all connected spokes and branches, simplifying network management and improving connectivity.

Features

Global Reach: Connects your dispersed sites and users globally.
Scalability: Handles large-scale network deployments with ease.
High Availability: Designed for resilience and continuous operation.
Simplified Management: A single pane of glass for managing all your network connections.
Security: Integrates with Azure Firewall for advanced security policies.
Optimized Routing: Provides efficient routing for traffic between sites and to Azure services.
Hybrid Connectivity: Seamlessly integrates on-premises networks with Azure.

Components

Virtual WAN Hub

The Virtual WAN Hub is the core component. It's a managed Azure resource that can be deployed in an Azure region. It aggregates all your site-to-site VPN connections, ExpressRoute circuits, and VNet connections.

Key features of a Virtual WAN Hub:

Virtual Hub Gateway: Can be a VPN gateway (for Site-to-Site and Point-to-Site VPN) or an ExpressRoute gateway.
Azure Firewall: Optionally deploy Azure Firewall in the hub for centralized security inspection.
Route Server: Enables dynamic routing with network virtual appliances (NVAs).

Virtual Hub Connections

Connections link your Virtual Networks (spokes) or remote sites to the Virtual WAN Hub. There are several types of connections:

VNet Connection: Connects an Azure Virtual Network to the Virtual WAN Hub. This enables transit routing for resources within the VNet to reach other sites and VNets.
Site-to-Site VPN Connection: Connects your on-premises VPN devices to the Virtual WAN Hub.
ExpressRoute Connection: Connects your ExpressRoute circuits to the Virtual WAN Hub.
Remote User VPN Connection (P2S): Allows individual users to connect remotely.

Connectivity Options

Virtual WAN supports various connectivity methods:

Site-to-Site VPN: Securely connect your branch offices to Azure.
ExpressRoute: For high-bandwidth, private connections between your datacenter and Azure.
Point-to-Site VPN: Enables remote users to access Azure resources securely.
VNet Peering: Connects spokes to the hub, allowing for transit routing.

Common Scenarios

Scenario: Global Branch Connectivity

Connect multiple branch offices across different regions to Azure and to each other. Virtual WAN hubs in each region provide transit routing, ensuring seamless communication between all branches and Azure resources.

Scenario: Hybrid Cloud Integration

Integrate your on-premises datacenter with Azure. Use ExpressRoute or Site-to-Site VPN to connect to the Virtual WAN hub, providing a unified network for both cloud and on-premises resources.

Scenario: Secure Remote Access

Provide secure access for remote employees to corporate resources in Azure and on-premises. Virtual WAN's Point-to-Site VPN functionality, often coupled with Azure AD authentication, offers a robust solution.

Best Practices

Plan your Hub Placement: Deploy hubs in regions that are geographically close to your most critical resources and user bases.
Leverage Azure Firewall: For centralized security and traffic inspection, integrate Azure Firewall into your Virtual WAN hubs.
Use Adequate Gateway SKUs: Choose gateway SKUs that meet your throughput and connection requirements.
Implement Redundancy: Use multiple VPN devices or ExpressRoute circuits for high availability.
Monitor Performance: Regularly monitor gateway utilization, latency, and packet loss.
Naming Conventions: Adopt clear and consistent naming conventions for your Virtual WAN resources.

Limitations

While Virtual WAN is powerful, it's important to be aware of its limitations:

SKU Limitations: Gateway SKUs have specific limits on connections, throughput, and tunnels.
VNet Peering Behavior: Ensure you understand how VNet peering works with Virtual WAN hubs to avoid routing conflicts.
Global VNet Peering: Virtual WAN primarily uses a hub-and-spoke model; direct VNet-to-VNet peering between spokes in different regions is not the standard pattern.
IPv6 Support: IPv6 support can vary by component and configuration.

Always refer to the latest Azure documentation for the most up-to-date information on limitations and capabilities.