Reference Architecture
This guide presents a proven reference architecture for implementing Azure Virtual WAN at scale. It covers core components, connectivity models, sample topologies, and deployment best practices.
Architecture Overview
The Virtual WAN architecture connects branch offices, remote users, and workloads across multiple Azure regions through a highly available, fully managed hub-and-spoke model.
- Virtual WAN Hub – Centralized routing and security point with integrated firewall, VPN, and ExpressRoute.
- Spoke VNet Integration – Connects Azure resources using VNet peering or VPN.
- Branch Connectivity – Site‑to‑site VPN, SD‑WAN, or ExpressRoute circuits.
- User Connectivity – Point‑to‑site VPN or Azure AD‑based Secure Remote Access.
Core Components
The Terraform snippet below defines the Virtual WAN and its first hub. It assumes a resource group has already been declared as azurerm_resource_group.rg.

# Virtual WAN: the top-level container for all hubs (Standard SKU is required
# for hub-to-hub transit, ExpressRoute and Azure Firewall integration)
resource "azurerm_virtual_wan" "example" {
  name                = "example-vwan"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  type                = "Standard"
}

# First regional hub; the hub needs a dedicated prefix of at least /24 that
# does not overlap any spoke VNet or branch address space
resource "azurerm_virtual_hub" "hub1" {
  name                = "hub-eastus"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  virtual_wan_id      = azurerm_virtual_wan.example.id
  address_prefix      = "10.0.0.0/24"
}

Connectivity Models
Choose the best connectivity model based on latency, bandwidth, and security requirements:
- VPN (IPSec) – Low‑cost, internet‑based connections for branch sites.
- ExpressRoute – Private, high‑throughput connectivity for large data centers.
- SD‑WAN Integration – Leverage third‑party virtual WAN appliances.
Sample Topology
The diagram below illustrates a multi‑region deployment with two Virtual Hubs, each serving several branch sites and remote users.
Deployment Guide
Follow these steps to deploy the reference architecture using Azure CLI:
# Create a resource group
az group create -n rg-vwan -l eastus

# Deploy Virtual WAN
az network vwan create \
  --name MyVwan \
  --resource-group rg-vwan \
  --location eastus \
  --type Standard

# Deploy two hubs (East US & West US). Each hub needs its own /24, so the
# prefix is derived from a counter rather than from the region name
# (the original 10.${hub:0:1}.0.0/24 expanded to the invalid 10.e.0.0/24)
i=0
for hub in eastus westus; do
  az network vhub create \
    --name hub-${hub} \
    --resource-group rg-vwan \
    --location ${hub} \
    --address-prefix 10.0.${i}.0/24 \
    --sku Standard \
    --vwan MyVwan
  i=$((i + 1))
done

# A VPN gateway must exist in the hub before any branch site can be connected
az network vpn-gateway create \
  --name vpngw-eastus \
  --resource-group rg-vwan \
  --vhub hub-eastus

# Create the VPN site (203.0.113.10 is a documentation address; replace it
# with the branch device's public IP). The site must be bound to the Virtual WAN
az network vpn-site create \
  --name BranchA \
  --resource-group rg-vwan \
  --location eastus \
  --virtual-wan MyVwan \
  --address-prefixes 10.1.0.0/16 \
  --asn 65001 \
  --vpn-site-link \
    name=link1 ip-address=203.0.113.10

# Connect the site to the hub's VPN gateway (a hub connection is for VNets,
# so the site-to-site link is created on the gateway). The pre-shared key is
# read from the environment rather than stored in the script
az network vpn-gateway connection create \
  --name conn-branchA \
  --resource-group rg-vwan \
  --gateway-name vpngw-eastus \
  --remote-vpn-site BranchA \
  --shared-key "${VPN_SHARED_KEY:?set VPN_SHARED_KEY before running}"

Best Practices
- Enable Azure Firewall Manager on each hub for centralized security policies.
- Use Route Tables to control traffic flow between spoke VNets.
- Implement Azure Monitor diagnostics for bandwidth and latency insights.
- Leverage Azure Policy to enforce hub naming conventions and SKU usage.
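Before running the deployment steps above, and again when auditing the hubs against the best practices in this list, it is worth validating the address plan and hub inventory mechanically. The following Python script is an added example, not part of this guide or of Azure's tooling. It checks that each hub follows the hub-<region> naming convention, uses the Standard SKU, has a prefix no smaller than /24, has an Azure Firewall attached, and that no hub prefix overlaps another hub or a branch site. The hub records are constructed for the example and mirror the field names (name, location, sku, addressPrefix, azureFirewall) that `az network vhub list` returns; the naming pattern and the expectation that every hub is secured are assumptions drawn from the guide.

```python
"""Pre-flight and audit checks for a Virtual WAN hub plan (added example)."""
import ipaddress
import re

# Naming convention assumed from the guide's hub-eastus / hub-westus examples
HUB_NAME_PATTERN = re.compile(r"^hub-[a-z0-9]+$")
# Azure requires at least a /24 for a virtual hub address space
MIN_HUB_PREFIX_LEN = 24

# Constructed sample inventory: the two hubs and branch site from the
# deployment guide plus one deliberately non-compliant hub.
HUBS = [
    {"name": "hub-eastus", "location": "eastus", "sku": "Standard",
     "addressPrefix": "10.0.0.0/24",
     "azureFirewall": {"id": "placeholder-firewall-resource-id"}},
    {"name": "hub-westus", "location": "westus", "sku": "Standard",
     "addressPrefix": "10.0.1.0/24", "azureFirewall": None},
    {"name": "HubWest2", "location": "westus2", "sku": "Basic",
     "addressPrefix": "10.1.0.0/25", "azureFirewall": None},
]
# Branch site address prefixes, keyed by site name (constructed)
BRANCHES = {"BranchA": ["10.1.0.0/16"]}


def check_hub(hub):
    """Return a list of findings for one hub record; an empty list means compliant."""
    findings = []
    if not HUB_NAME_PATTERN.match(hub["name"]):
        findings.append(f"{hub['name']}: name does not follow the hub-<region> convention")
    if hub.get("sku") != "Standard":
        findings.append(f"{hub['name']}: SKU is {hub.get('sku')}, expected Standard")
    net = ipaddress.ip_network(hub["addressPrefix"], strict=True)
    if net.prefixlen > MIN_HUB_PREFIX_LEN:
        findings.append(f"{hub['name']}: prefix {net} is smaller than /{MIN_HUB_PREFIX_LEN}")
    if not hub.get("azureFirewall"):
        findings.append(f"{hub['name']}: no Azure Firewall attached (secured hub expected)")
    return findings


def check_overlaps(hubs, branches):
    """Flag any hub prefix that overlaps another hub or a branch site prefix."""
    findings = []
    named = [(h["name"], ipaddress.ip_network(h["addressPrefix"])) for h in hubs]
    for site, prefixes in branches.items():
        named.extend((site, ipaddress.ip_network(p)) for p in prefixes)
    # Pairwise comparison; the inventory is small so O(n^2) is fine
    for i, (a_name, a_net) in enumerate(named):
        for b_name, b_net in named[i + 1:]:
            if a_net.overlaps(b_net):
                findings.append(f"{a_name} {a_net} overlaps {b_name} {b_net}")
    return findings


def run_checks(hubs=HUBS, branches=BRANCHES):
    """Run all per-hub checks and the overlap check; return every finding."""
    findings = []
    for hub in hubs:
        findings.extend(check_hub(hub))
    findings.extend(check_overlaps(hubs, branches))
    return findings


if __name__ == "__main__":
    for finding in run_checks():
        print("FINDING:", finding)
```

To audit a live environment, replace the constructed HUBS list with the parsed JSON output of `az network vhub list` and BRANCHES with the address prefixes of your VPN sites; a non-empty result from run_checks() is the list of hubs to remediate.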