Deploying Azure Virtual WAN

A comprehensive guide to setting up and configuring Azure Virtual WAN.

Introduction to Azure Virtual WAN

Azure Virtual WAN is a networking service that brings together networking, security, and routing capabilities into a single operational interface. It simplifies the management of global WANs by providing a scalable hub-and-spoke architecture. Virtual WAN allows you to connect your on-premises sites, remote users, and other cloud environments to Azure.

This document will guide you through the process of deploying and configuring Azure Virtual WAN to establish a robust and secure global network.

Prerequisites

Important Consideration

Ensure that your on-premises network devices are compatible with Azure VPN gateways. Refer to the official Azure documentation for a list of tested and recommended devices.

Deployment Steps

Follow these steps to deploy and configure your Azure Virtual WAN environment.

Step 1: Create Virtual WAN Resource

The Virtual WAN resource acts as the central management point for your global network. You can create this resource through the Azure portal, Azure CLI, or Azure PowerShell.

Azure Portal:

  1. Navigate to the Azure portal.
  2. Search for "Virtual WAN" and select it.
  3. Click "Create".
  4. Select your subscription and resource group.
  5. Provide a region and a name for your Virtual WAN.
  6. Choose the type: "Standard" is recommended for most scenarios.
  7. Click "Review + create" and then "Create".

Azure CLI Example:

az network vwan create \
  --name MyVirtualWAN \
  --resource-group MyResourceGroup \
  --location eastus \
  --type Standard

Step 2: Create a Virtual Hub

A Virtual Hub is a managed Virtual Network (VNet) that acts as the central point of your Virtual WAN. It hosts various network services like VPN gateways, ExpressRoute gateways, and Azure Firewall. You can have multiple hubs in a Virtual WAN.

Azure Portal:

  1. Navigate to your Virtual WAN resource.
  2. In the left-hand menu, select "Hubs".
  3. Click "+ Create hub".
  4. Select the region for the hub (must match a region in your Virtual WAN).
  5. Provide a hub name.
  6. Define an address space for the hub (e.g., 10.0.0.0/24).
  7. Configure the hub's route tables and security policies as needed.
  8. Click "Review + create" and then "Create".

Azure CLI Example:


az network vhub create \
  --name MyVirtualHub \
  --resource-group MyResourceGroup \
  --vwan MyVirtualWAN \
  --location eastus \
  --address-prefix 10.0.1.0/24

Note on Hub Address Space

The hub address space is private to the hub VNet and should not overlap with any connected VNets or on-premises networks.

Step 3: Configure Connections

Connections establish the links between your Virtual Hub and your remote sites or networks.

Site-to-Site VPN

Connect your on-premises networks to your Virtual Hub using IPsec VPN tunnels.

  1. In your Virtual WAN, navigate to "Virtual network connections".
  2. Click "+ Add connection".
  3. Select the Virtual Hub.
  4. Provide a connection name.
  5. Choose "IPsec" as the connection type.
  6. Select the "Site-to-site (IPsec)" VPN gateway type.
  7. Configure the hub's IPsec parameters (e.g., IKE protocol, encryption, integrity algorithms).
  8. Provide the shared key.
  9. Enter the IP address of your on-premises VPN device and its BGP ASN if using BGP.
  10. Associate this connection with a specific route table.
  11. Click "Create".

On your on-premises VPN device, configure a matching VPN tunnel using the same parameters and shared key. Ensure your device's public IP address is correctly configured.
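Because a site-to-site tunnel only comes up when both ends agree on every IKE and IPsec parameter, it pays to compare the two configurations mechanically before troubleshooting a tunnel that will not establish. The script below is an added example, not part of this guide or of any Azure tool: it takes the hub-side policy and the on-premises device policy as plain dictionaries (the field names and values here are constructed for illustration; transcribe the real ones from your hub connection and device), reports every parameter that differs, flags deprecated algorithms even when both ends agree on them, and checks the shared key against Azure's documented printable-ASCII rule plus an assumed local minimum length.

```python
import string

# Constructed hub-side and device-side policies (not taken from any real deployment).
# Field names mirror the Azure IPsec/IKE policy settings for a hub connection; the
# device values are what an operator would transcribe from the on-premises config.
HUB_POLICY = {
    "ike_encryption": "AES256",
    "ike_integrity": "SHA256",
    "dh_group": "DHGroup14",
    "ipsec_encryption": "GCMAES256",
    "ipsec_integrity": "GCMAES256",
    "pfs_group": "PFS2048",
    "sa_lifetime_seconds": 27000,
}

DEVICE_POLICY = {
    "ike_encryption": "AES256",
    "ike_integrity": "SHA1",          # differs from the hub and is a weak choice
    "dh_group": "DHGroup14",
    "ipsec_encryption": "GCMAES256",
    "ipsec_integrity": "GCMAES256",
    "pfs_group": "None",              # differs: PFS disabled on the device
    "sa_lifetime_seconds": 28800,     # differs: lifetime mismatch causes rekey problems
}

# Values a reviewer would flag as deprecated or weak even when both ends agree on them.
WEAK_VALUES = {"DES", "DES3", "MD5", "SHA1", "DHGroup1", "DHGroup2", "PFS1", "PFS2", "None"}


def compare_policies(hub, device):
    """Return (parameter, hub_value, device_value) for every field that differs or is missing."""
    mismatches = []
    for key, hub_value in hub.items():
        device_value = device.get(key)
        if device_value != hub_value:
            mismatches.append((key, hub_value, device_value))
    return mismatches


def weak_parameters(policy):
    """Return (parameter, value) for every algorithm choice that is in WEAK_VALUES."""
    return [(key, value) for key, value in policy.items() if value in WEAK_VALUES]


def shared_key_issues(psk, min_length=32):
    """Check a pre-shared key.

    Azure documents the shared key as 1 to 128 printable ASCII characters; the
    32-character floor is an assumed local policy, not an Azure requirement.
    """
    issues = []
    if not 1 <= len(psk) <= 128:
        issues.append("length must be between 1 and 128 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in psk):
        issues.append("only printable ASCII characters are allowed")
    if len(psk) < min_length:
        issues.append(f"shorter than the local minimum of {min_length} characters")
    return issues


if __name__ == "__main__":
    for key, hub_value, device_value in compare_policies(HUB_POLICY, DEVICE_POLICY):
        print(f"MISMATCH {key}: hub={hub_value} device={device_value}")
    for key, value in weak_parameters(DEVICE_POLICY):
        print(f"WEAK     {key}={value} on device")
    for issue in shared_key_issues("example-psk-too-short"):
        print(f"PSK      {issue}")
```

Run it after transcribing both configurations; an empty mismatch list and an empty weak-parameter list are what you want to see before you start looking at firewall rules or BGP.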

ExpressRoute

Connect your on-premises network via an Azure ExpressRoute circuit.

  1. Ensure you have a provisioned ExpressRoute circuit.
  2. In your Virtual WAN, navigate to "Virtual network connections".
  3. Click "+ Add connection".
  4. Select the Virtual Hub.
  5. Provide a connection name.
  6. Choose "ExpressRoute" as the connection type.
  7. Select your existing ExpressRoute circuit.
  8. Configure routing parameters, including BGP.
  9. Click "Create".

Point-to-Site VPN

Allow remote users to connect to your Virtual WAN securely.

  1. In your Virtual Hub, navigate to "VPN (site to site) gateway".
  2. Configure the gateway type as "VPN".
  3. Ensure the gateway is provisioned with the desired scale units.
  4. Under the hub's settings, navigate to "Point-to-site configuration".
  5. Define the address pool for clients (a private IP address range).
  6. Configure authentication settings (e.g., Azure AD, RADIUS, or certificates).
  7. Generate and distribute the client VPN configuration packages to your users.

Tip for VPN Gateways

For high availability, consider provisioning VPN gateways in multiple regions and using Azure's active-active configuration where supported.

Step 4: Configure Routing

Virtual WAN uses route tables to control traffic flow between your connected networks. Every hub has a default route table; you can create custom route tables for more granular control.

Key Routing Concepts:

  • Default Route Table: Routes learned from connections are propagated to this table.
  • Connections to Route Tables: Each connection can be associated with a specific route table.
  • Route Propagation: You can control which connections propagate routes to which route tables.
  • Static Routes: You can define static routes within a route table to direct traffic to specific next hops.

Azure Portal:

  1. Navigate to your Virtual Hub.
  2. Under "Routing", select "Route tables".
  3. Click "+ Create route table" to create custom tables if needed.
  4. Select a route table, then go to "Routes" to add static routes or "Connections" to manage associations and propagations.
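The association and propagation model above is easier to reason about when you can see which next hop a given source would actually get. The script below is an added example, not part of this guide or of any Azure tool: it models a constructed hub (connection names, prefixes and table names are illustrative) in which each connection is associated with one route table and propagates its prefixes to zero or more tables, adds static default routes towards a firewall appliance, and resolves a destination by longest-prefix match the way the hub router would. An isolated spoke that propagates nowhere and is associated with its own table shows how association and propagation together force all of its traffic through the firewall.

```python
import ipaddress

# Constructed hub topology (illustrative names and prefixes). Each connection is
# associated with exactly one route table and propagates its prefixes to zero or more.
CONNECTIONS = {
    "spoke-a":   {"prefixes": ["10.1.0.0/16"],     "associated": "defaultRouteTable",
                  "propagates_to": ["defaultRouteTable"]},
    "spoke-b":   {"prefixes": ["10.2.0.0/16"],     "associated": "defaultRouteTable",
                  "propagates_to": ["defaultRouteTable"]},
    "branch-1":  {"prefixes": ["192.168.10.0/24"], "associated": "defaultRouteTable",
                  "propagates_to": ["defaultRouteTable"]},
    # Isolated workload: propagates nothing, so no other connection learns its prefix,
    # and is associated with its own table so it only ever sees the default route.
    "spoke-pci": {"prefixes": ["10.9.0.0/16"],     "associated": "RT_Isolated",
                  "propagates_to": []},
}

# Static routes per table as (destination prefix, next hop). A default route towards a
# firewall appliance is the usual way to force unknown and internet-bound traffic
# through inspection. "nva-firewall" is an illustrative next-hop name.
STATIC_ROUTES = {
    "defaultRouteTable": [("0.0.0.0/0", "nva-firewall")],
    "RT_Isolated":       [("0.0.0.0/0", "nva-firewall")],
}


def build_route_table(table_name, connections=CONNECTIONS, static_routes=STATIC_ROUTES):
    """Materialise one route table: propagated prefixes from connections plus static routes."""
    routes = []
    for conn_name, conn in connections.items():
        if table_name in conn["propagates_to"]:
            for prefix in conn["prefixes"]:
                routes.append((ipaddress.ip_network(prefix), conn_name))
    for prefix, next_hop in static_routes.get(table_name, []):
        routes.append((ipaddress.ip_network(prefix), next_hop))
    return routes


def lookup(routes, destination):
    """Longest-prefix match: the most specific matching route wins; None if nothing matches."""
    addr = ipaddress.ip_address(destination)
    best = None
    for network, next_hop in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, next_hop)
    return None if best is None else best[1]


def next_hop_from(source_conn, destination, connections=CONNECTIONS, static_routes=STATIC_ROUTES):
    """Resolve where the hub sends traffic arriving from source_conn for destination."""
    table = connections[source_conn]["associated"]
    return lookup(build_route_table(table, connections, static_routes), destination)


if __name__ == "__main__":
    for src, dst in [("spoke-a", "10.2.0.5"), ("spoke-a", "10.9.1.1"),
                     ("spoke-pci", "10.1.0.4"), ("branch-1", "8.8.8.8")]:
        print(f"{src:10} -> {dst:12} via {next_hop_from(src, dst)}")
```

Traffic from spoke-a to spoke-b resolves directly to the spoke-b connection because both propagate into the default table, while anything to or from spoke-pci falls through to the firewall default route because its prefix is never propagated and its own table holds no spoke routes.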

Warning: Route Overlap

Ensure that your connected network address spaces do not overlap with each other or with the Virtual Hub's address space. Route conflicts can lead to connectivity issues.
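Overlap between the hub prefix, connected VNets, on-premises sites and the point-to-site client pool is the single most common cause of routing conflicts in a hub-and-spoke design, and it is cheap to catch before anything is deployed. The script below is an added example, not part of this guide or of any Azure tool: it takes every address space that will touch the hub (the topology here is constructed for illustration), parses each prefix strictly so that a prefix with host bits set is reported as a mistake rather than silently normalised, reports every overlapping pair across different spaces, and checks that the hub prefix is no smaller than the /24 minimum Azure documents for a virtual hub.

```python
import ipaddress
from itertools import combinations

# Constructed sample topology (not from any real deployment): the hub prefix plus every
# address space that will be connected to or routed through the hub. The branch deliberately
# reuses part of spoke-a's range to show what a conflict report looks like.
ADDRESS_SPACES = {
    "hub-eastus":  ["10.0.1.0/24"],
    "spoke-a":     ["10.1.0.0/16"],
    "spoke-b":     ["10.2.0.0/16"],
    "branch-1":    ["10.1.128.0/20", "192.168.10.0/24"],
    "p2s-clients": ["172.16.0.0/24"],
}


def parse_spaces(spaces):
    """Parse every prefix strictly; a prefix with host bits set is a config error, not a network."""
    parsed, errors = [], []
    for name, prefixes in spaces.items():
        for prefix in prefixes:
            try:
                parsed.append((name, ipaddress.ip_network(prefix, strict=True)))
            except ValueError as exc:
                errors.append((name, prefix, str(exc)))
    return parsed, errors


def find_overlaps(spaces):
    """Return (name_a, prefix_a, name_b, prefix_b) for every overlapping pair from different spaces."""
    parsed, _ = parse_spaces(spaces)
    overlaps = []
    for (name_a, net_a), (name_b, net_b) in combinations(parsed, 2):
        if name_a != name_b and net_a.overlaps(net_b):
            overlaps.append((name_a, str(net_a), name_b, str(net_b)))
    return overlaps


def hub_prefix_issues(spaces, hub_name, min_prefixlen=24):
    """Flag hub prefixes smaller than the minimum size; Azure documents /24 as the hub minimum."""
    issues = []
    for prefix in spaces.get(hub_name, []):
        net = ipaddress.ip_network(prefix, strict=False)
        if net.prefixlen > min_prefixlen:
            issues.append(f"{hub_name} prefix {net} is smaller than /{min_prefixlen}")
    return issues


if __name__ == "__main__":
    _, errors = parse_spaces(ADDRESS_SPACES)
    for name, prefix, reason in errors:
        print(f"INVALID  {name}: {prefix} ({reason})")
    for name_a, net_a, name_b, net_b in find_overlaps(ADDRESS_SPACES):
        print(f"OVERLAP  {name_a} {net_a} <-> {name_b} {net_b}")
    for issue in hub_prefix_issues(ADDRESS_SPACES, "hub-eastus"):
        print(f"HUB      {issue}")
```

Keep the address-space file next to your deployment scripts and run the check whenever a site or spoke is added; a clean run is a precondition for the "No Connectivity" checklist later in this guide to mean anything.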

Verification and Monitoring

After deployment, it's crucial to verify that your connections are established and traffic is flowing as expected.

Monitoring Tools

Azure Network Watcher provides tools like Connection Monitor and IP Flow Verify to help diagnose connectivity problems.

Best Practices

Troubleshooting Common Issues

No Connectivity

  • Verify IPsec tunnel status (for VPN).
  • Check route table configurations for correct route propagation and associations.
  • Ensure no IP address space overlaps.
  • Confirm on-premises firewall rules allow VPN traffic.

Slow Performance

  • Check VPN gateway SKU and scale units.
  • Monitor bandwidth utilization on both Azure and on-premises links.
  • Review BGP metrics for any path issues.

Configuration Errors

  • Double-check shared keys and encryption parameters for VPNs.
  • Verify BGP ASN and peer IP addresses.
  • Ensure compatible firmware on on-premises VPN devices.