Understanding Azure Virtual WAN Resources

Azure Virtual WAN is a networking service that brings many networking, security, and routing functionalities together to provide a single operational interface. It is a hub-and-spoke architecture that allows you to connect your branches, users, and other cloud providers to Azure.

This section details the core resources that constitute an Azure Virtual WAN deployment, enabling you to build a scalable and secure global network.

Key Virtual WAN Resources

  • Virtual WAN: The foundational resource representing your global transit network. It acts as a central point for managing connectivity and routing.
    • Properties: Includes region, associated resource group, tags, and SKU (Basic or Standard).
    • Features: Enables hub management, site-to-site VPN, ExpressRoute, P2S VPN, and more.
  • Virtual Hub: A regional resource that acts as the transit point within a specific Azure region. Multiple hubs can be deployed across different regions to create a global network.
    • Connection: Connects to various network endpoints like VPN gateways, ExpressRoute circuits, and spokes.
    • Routing: Manages route tables and propagation for efficient traffic flow.
    • Security: Integrates with Azure Firewall and Network Security Groups (NSGs).
  • Virtual Hub Connection: A resource that establishes a connection between a Virtual Hub and another Azure resource, such as a Virtual Network (VNet) or another Virtual Hub.
    • Type: Can be a VNet connection, a VPN connection, or an ExpressRoute connection.
    • Configuration: Specifies parameters for the connection, including IP address pools and routing preferences.
  • Virtual Hub Router: An integral component of the Virtual Hub responsible for managing routing and traffic forwarding between connected sites and services.
    • Route Tables: Maintains route tables for different connections and services.
    • Route Propagation: Propagates routes from connected devices and services to the appropriate route tables.
  • VPN Gateway: Deployed within a Virtual Hub, this gateway facilitates site-to-site (IPsec) VPN connections from your on-premises branches to Azure.
    • SKU: Options like VpnGw1, VpnGw2, etc., determining throughput and features.
    • Scale: Supports multiple tunnels and high availability.
  • ExpressRoute Gateway: Also deployed within a Virtual Hub, this gateway enables private, high-bandwidth connectivity between your on-premises network and Azure via ExpressRoute circuits.
    • SKU: Options like ErGw1AZ, ErGw2AZ, etc.
    • Performance: Designed for predictable performance and low latency.
  • Azure Firewall: Can be deployed within a Virtual Hub to provide centralized network security policy enforcement, threat protection, and filtering.
    • Policies: Define rules for network traffic filtering, application control, and web filtering.
    • Threat Intelligence: Integrates with Azure threat intelligence feeds for enhanced security.

Common Scenarios and Resource Usage

Here are some common scenarios where these resources are utilized:

Scenario 1: Connecting Branches to Azure

To connect your on-premises branches to Azure, you would typically:

  1. Create a Virtual WAN resource.
  2. Deploy a Virtual Hub in a chosen Azure region.
  3. Deploy a VPN Gateway within the Virtual Hub.
  4. Configure a site-to-site VPN connection from your on-premises VPN device to the VPN Gateway.
  5. Create a Virtual Hub Connection to connect your spokes (e.g., VNet) to the Virtual Hub.

Scenario 2: Extending On-Premises Network to Azure with ExpressRoute

For high-bandwidth, private connectivity:

  1. Ensure you have an ExpressRoute circuit provisioned.
  2. Create a Virtual WAN and a Virtual Hub.
  3. Deploy an ExpressRoute Gateway within the Virtual Hub.
  4. Create a Virtual Hub Connection of type ExpressRoute, linking your ExpressRoute circuit to the Virtual Hub.

Scenario 3: Hub-to-Hub Connectivity

To connect multiple Virtual Hubs for global reach:

  1. Deploy multiple Virtual Hubs in different regions.
  2. Create Virtual Hub Connections of type VPN or Global Reach between these hubs. This enables seamless routing between regions.

Managing Virtual WAN Resources

You can manage these resources through the Azure portal, Azure CLI, Azure PowerShell, or ARM templates.

Azure CLI Example: Creating a Virtual Hub


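# Create a hub in eastus inside the existing Virtual WAN.
# The vhub command group is provided by the virtual-wan CLI extension.
az network vhub create \
  --name MyVirtualHub \
  --resource-group MyResourceGroup \
  --location eastus \
  --vwan MyVirtualWAN \
  --address-prefix 10.1.0.0/24 \
  --tags Environment=Production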
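
The value given to --address-prefix has to fit the rest of the address plan: a hub needs at least a /24, and its range must not overlap the spokes and branches that connect to it. The following pre-deployment check is an added example, not part of the original page or of any Azure tooling; the sample plan, the resource names other than MyVirtualHub, and the finding codes are constructed for illustration.

```python
import ipaddress
from itertools import combinations

MIN_HUB_PREFIXLEN = 24  # Virtual WAN hubs need at least a /24

# Constructed sample address plan (not from the page). Hub prefixes are the
# values that would be passed to --address-prefix; the spoke and branch
# entries are the networks that will later connect to those hubs.
PLAN = [
    ("hub", "MyVirtualHub", "10.1.0.0/24"),
    ("hub", "MyVirtualHub2", "10.2.0.0/25"),      # too small for a hub
    ("spoke", "app-vnet", "10.1.0.128/26"),       # inside MyVirtualHub's range
    ("spoke", "data-vnet", "10.10.0.0/16"),
    ("branch", "branch-office", "192.168.10.0/24"),
]


def validate_plan(plan):
    """Return findings as tuples: (code, name) or (code, name, other_name)."""
    findings, nets = [], []
    for kind, name, cidr in plan:
        try:
            # strict=True rejects prefixes with host bits set (e.g. 10.1.0.5/24)
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            findings.append(("INVALID_PREFIX", name))
            continue
        if kind == "hub" and net.prefixlen > MIN_HUB_PREFIXLEN:
            findings.append(("HUB_TOO_SMALL", name))
        nets.append((name, net))
    # Hub, spoke and branch ranges must be disjoint: a hub's address space
    # cannot overlap a connected network, and overlapping spokes or branches
    # produce conflicting routes in the hub.
    for (n1, a), (n2, b) in combinations(nets, 2):
        if a.version == b.version and a.overlaps(b):
            findings.append(("OVERLAP", n1, n2))
    return findings


if __name__ == "__main__":
    for finding in validate_plan(PLAN):
        print(*finding)
```

An empty result means the plan passed these two checks; run it before creating hubs, because a hub's address prefix is awkward to change once gateways are deployed in it.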
                

Azure PowerShell Example: Creating a VPN Gateway


# Look up the hub that will host the gateway.
$hub = Get-AzVirtualHub -Name "MyVirtualHub" -ResourceGroupName "MyResourceGroup"

# Create the site-to-site VPN gateway in that hub.
# The gateway is placed in the hub's region; capacity is set by the scale unit.
New-AzVpnGateway -Name "MyVpnGateway" `
  -ResourceGroupName "MyResourceGroup" `
  -VirtualHubId $hub.Id `
  -VpnGatewayScaleUnit 2
                

For detailed guidance on deploying and configuring each resource, please refer to the specific documentation pages linked below.

  • View All Virtual WAN Tutorials
  • Get Started with Virtual WAN