Introduction to Azure Virtual WAN

Azure Virtual WAN is a networking service that brings together networking, security, and routing functionalities to provide a single, unified management experience. It's designed to simplify the operation of large-scale, global networks by enabling connections across your Azure virtual networks, on-premises sites, and remote users.

Virtual WAN offers:

  • Global connectivity: Connect your on-premises data centers and branch offices to Azure in a scalable and manageable way.
  • Secure access: Integrate with Azure Firewall for advanced threat protection and unified security policies.
  • Optimized routing: Leverage Azure's global backbone for optimized traffic flow and reduced latency.
  • Simplified management: A single pane of glass to manage your entire WAN, from cloud to edge.
Azure Virtual WAN Architecture Diagram
High-level Azure Virtual WAN Architecture

Prerequisites

Before you begin deploying Azure Virtual WAN, ensure you have the following:

  1. Azure Subscription: An active Azure subscription is required.
  2. Permissions: Sufficient permissions to create and manage network resources within your subscription.
  3. On-premises Connectivity: Ensure your on-premises sites are ready for VPN connectivity. This typically involves having compatible VPN devices at your branch offices.
  4. Azure CLI or PowerShell (Optional): For automated deployments, you might want to install and configure the Azure CLI or Azure PowerShell.

Core Concepts

Understanding these core concepts will help you design and implement your Virtual WAN solution effectively:

Virtual WAN Hub

The Virtual WAN hub is a Microsoft-managed network hub deployed in an Azure region. It serves as the central point for connectivity. All your branches, VNETs, and remote users connect to this hub.

Virtual Hub Connections

Connections allow you to associate resources like Azure Virtual Networks, VPN sites (on-premises), and ExpressRoute circuits to a Virtual WAN hub. There are different types of connections:

  • VNet Connection: Connects an Azure Virtual Network to a Virtual WAN hub.
  • Site-to-Site VPN Connection: Connects your on-premises sites to the Virtual WAN hub.
  • ExpressRoute Circuit Connection: Connects your ExpressRoute circuits to the Virtual WAN hub.
  • Remote User VPN Connection: For connecting individual remote users.

Virtual Network Gateway

Within the Virtual WAN hub, Microsoft manages the underlying gateway infrastructure (VPN gateway, ExpressRoute gateway, and Firewall). You don't manage individual gateway instances.

Hub and Spoke Model

Virtual WAN is based on a hub-and-spoke topology. Your Virtual WAN hubs are the central "hubs," and your Virtual Networks or on-premises sites are the "spokes."

Deployment Steps

Here's a simplified guide to deploying Azure Virtual WAN:

1

Create a Virtual WAN Resource

Navigate to the Azure portal and search for "Virtual WAN." Create a new Virtual WAN instance, providing a name, region, and resource group.

2

Create a Virtual Hub

Within your Virtual WAN resource, create a Virtual Hub. Choose a region, a name, and specify the address space for the hub. You can also configure the hub routing settings.

Consider deploying hubs in regions closest to your users or resources for optimal performance.

3

Configure Connectivity

For Site-to-Site VPN:

  • Create a VPN site representing your on-premises location, providing its public IP address and address space.
  • Connect the VPN site to your Virtual Hub. This will provision a VPN gateway in the hub.
  • Configure your on-premises VPN device to establish a tunnel to the provisioned VPN gateway endpoint.

For VNet Connection:

  • Ensure your Azure Virtual Network has a sufficient address space that doesn't overlap with other connected networks.
  • Create a VNet connection from your Virtual Hub, selecting the Virtual Network to connect.
4

Configure Routing

Virtual WAN automatically propagates routes. You can further customize routing behavior using route tables within your Virtual Hub to control traffic flow between different connections.

For example, you can ensure all traffic from branch sites destined for other branch sites goes through the Virtual WAN hub.

5

Test Connectivity

Once configurations are complete, thoroughly test connectivity from your on-premises sites to Azure resources and vice versa. Verify routing and ensure traffic is flowing as expected.

Next Steps

Once you have your Virtual WAN deployed, consider these next steps to enhance your network:

  • Integrate Azure Firewall: Deploy Azure Firewall in your Virtual WAN hub for centralized security policies and threat protection.
  • Configure Remote User VPN: Enable remote users to connect securely to your network using P2S VPN.
  • Leverage ExpressRoute: If you require dedicated, high-bandwidth connectivity, integrate your ExpressRoute circuits with Virtual WAN.
  • Advanced Routing: Explore advanced routing features, such as custom route tables and route propagation, to fine-tune traffic flow.
  • Monitor and Optimize: Utilize Azure Monitor and network analytics to track performance, identify bottlenecks, and optimize your WAN.

Refer to the official Azure Virtual WAN documentation for detailed guides and advanced configurations.