Azure Firewall Concepts - Azure Networking

Azure Virtual WAN Concepts

This document provides an overview of the core concepts that underpin Azure Virtual WAN. Understanding these concepts is essential for designing, implementing, and managing your global network connectivity on Azure.

What is Azure Virtual WAN?

Azure Virtual WAN is a networking service that brings together networking, security, and routing functionalities into a single operational interface. It is designed to provide optimized and automated branch-to-branch and branch-to-internet connectivity on Azure. It simplifies the management of large-scale network infrastructures, offering a scalable and resilient solution for connecting your on-premises sites and remote users to Azure resources.

Key Components of Virtual WAN

Virtual WAN Hub: A Microsoft-managed virtual network that acts as a central transit hub for your network. It contains network services such as VPN gateways, Azure Firewall, and Azure Application Gateway. The hub is deployed in an Azure region and provides connectivity to resources in that region.
Virtual Hub Router: A component within the Virtual WAN hub that handles the routing of traffic between different network endpoints connected to the hub.
Site-to-Site VPN Connection: Establishes a secure, encrypted connection between your on-premises VPN devices and the Virtual WAN hub.
ExpressRoute Connection: Connects your on-premises network to the Virtual WAN hub via Azure ExpressRoute for private, high-throughput connectivity.
User VPN (Point-to-Site): Allows remote users to connect to the Virtual WAN hub securely over the internet using native VPN clients.
Azure Firewall Integration: Virtual WAN can integrate with Azure Firewall to provide advanced threat protection and centralized security policy management for traffic transiting through the hub.
Azure Firewall Manager: A service that allows you to centrally manage and deploy Azure Firewall policies across your Virtual WAN hubs and other virtual networks.

Connectivity Models

Virtual WAN supports several connectivity models:

Branch-to-Azure: Connect your on-premises branch offices to Azure VNets via a Virtual WAN hub.
Branch-to-Branch: Enable seamless communication between different branch offices connected to the same or different Virtual WAN hubs.
Branch-to-Internet: Securely route internet-bound traffic from your branch offices through Azure Firewall deployed in the Virtual WAN hub.
Remote User-to-Azure/Internet: Allow remote users to connect to Azure resources and the internet securely through a Virtual WAN hub.

Routing and Propagation

Virtual WAN utilizes a sophisticated routing system. Routes are advertised from connected sites and VNets to the Virtual WAN hub and then propagated to other connected sites and VNets based on your configuration. This ensures optimal path selection for traffic flow.

Scalability and Resilience

Virtual WAN is built for scale and resilience. Virtual WAN hubs are deployed across multiple availability zones in a region, ensuring high availability. The service automatically scales the capacity of its gateways to accommodate changing network demands.

Important: Virtual WAN is designed for large-scale branch connectivity. For smaller, simpler network topologies, a hub-and-spoke model using Azure VPN Gateway or ExpressRoute Gateway in a hub VNet might be more suitable.

Use Cases

Global transit network for enterprises with multiple branches.
Connecting branch offices to Azure IaaS and PaaS resources.
Centralized security enforcement for branch traffic using Azure Firewall.
Simplifying management of complex network architectures.

By leveraging these concepts, you can build a robust, scalable, and secure global network infrastructure on Azure with Virtual WAN.