Azure Virtual WAN Connectivity Options
This document provides a comprehensive overview of connectivity options available with Azure Virtual WAN. Virtual WAN simplifies network management and provides a unified global transit network to connect your on-premises sites, remote users, and virtual networks.
Core Connectivity Principles
Azure Virtual WAN leverages a hub-and-spoke architecture. The Virtual WAN hub acts as a central point of connectivity for all your resources. Different connectivity methods can be established to connect your various locations to this central hub.
Branch Site Connectivity
Connecting your on-premises branch offices to Azure Virtual WAN is a fundamental use case. We support several methods:
- Site-to-Site VPN: Establish secure VPN tunnels from your on-premises VPN devices to the Virtual WAN hub. This is a widely adopted and reliable method.
- Azure ExpressRoute: For high-bandwidth, low-latency connections, you can leverage ExpressRoute circuits to connect your on-premises network to the Virtual WAN hub. This offers a dedicated, private connection.
Site-to-Site VPN Configuration
To configure a Site-to-Site VPN connection:
- Navigate to your Virtual WAN resource in the Azure portal.
- Go to the "Site-to-site VPN" section.
- Click "Create VPN site".
- Provide details for your on-premises VPN device, including IP address, BGP peer IP, and ASN.
- Associate the VPN site with your Virtual WAN hub.
- The Azure portal will generate the necessary configuration parameters for your on-premises VPN device.
Note: Ensure your on-premises VPN device is compatible with Azure VPN Gateway. Refer to the VPN device compatibility list for more information.
Remote User Connectivity
Allowing your remote workforce to securely access Azure resources is crucial. Virtual WAN supports the following for remote users:
- Point-to-Site VPN (P2S VPN): Users can establish VPN connections from their devices directly to the Virtual WAN hub using VPN client software. We support both OpenVPN and IKEv2 protocols.
Point-to-Site VPN Configuration
To set up P2S VPN:
- In your Virtual WAN hub, navigate to "Point-to-site configuration".
- Configure the address pool for clients and select the authentication method (e.g., Azure AD, RADIUS).
- Download the VPN client configuration package. This package contains the necessary scripts and certificates for users to install the VPN client on their machines.
Tip: For enhanced security, consider integrating with Azure Active Directory for user authentication.
Virtual Network Connectivity
Connecting your Azure virtual networks (VNets) to the Virtual WAN hub is essential for enabling transit routing between them and for connecting them to your on-premises sites.
- VNet Connections: You can directly connect your VNets to a Virtual WAN hub. This connection allows traffic to flow between the VNet and other connected VNets, as well as on-premises sites, via the hub.
VNet Connection Management
To connect a VNet:
- Select your Virtual WAN resource and go to "Virtual network connections".
- Click "Add connection".
- Choose the Virtual hub you want to connect to, the VNet you wish to connect, and provide a connection name.
- Configure routing options, such as propagating to the gateway and static routing, as needed.
Warning: Ensure that your virtual networks are not already peered with each other directly if you intend to use Virtual WAN for transit routing. Direct VNet peering can interfere with Virtual WAN routing.
Transit Routing
One of the key benefits of Azure Virtual WAN is its ability to provide transit routing. This means that a branch site connected to a Virtual WAN hub can communicate with another branch site connected to the same hub, or with a virtual network connected to the hub, without requiring complex network configurations or dedicated connections between them.
How Transit Routing Works
When you connect multiple sites and VNets to a Virtual WAN hub, the hub automatically learns the routes from all connected endpoints. The hub then advertises these routes to other connected endpoints, enabling seamless communication. This is managed through the Virtual WAN gateway, which acts as a route reflector.
Key Concepts
- Virtual WAN Hub: A managed Azure resource that acts as a global transit network entry point.
- VPN Site: Represents your on-premises branch office VPN device.
- VNet Connection: A resource that establishes a connection between a virtual network and a Virtual WAN hub.
- Transit Routing: The ability of the Virtual WAN hub to route traffic between different connected endpoints (e.g., branch-to-branch, branch-to-VNet).
For detailed configuration steps and advanced scenarios, please refer to the specific documentation links provided within the sidebar navigation.