Virtual WAN Routing Overview - Azure Networking

Understanding Virtual WAN Routing

Azure Virtual WAN is a networking service that brings together networking, security, and routing functionalities into a single operational interface. It offers a highly scalable and global WAN architecture to connect your cloud and on-premises environments.

A core component of Virtual WAN is its advanced routing capabilities. This section provides an overview of how traffic flows within Virtual WAN and how routing is managed.

Key Routing Concepts

Virtual Hub: The central point of connectivity in a Virtual WAN. It hosts various networking services, including the Virtual WAN router.
Connection: Virtual WAN supports multiple connection types, including Site-to-Site VPN, ExpressRoute, and Point-to-Site VPN. Each connection type has specific routing implications.
Route Tables: Virtual WAN uses route tables to control how traffic is forwarded between different branches (sites), virtual networks, and the internet.
Route Propagation: Routes learned from connected networks (e.g., on-premises routers, virtual networks) are propagated to the Virtual WAN hub and then distributed to other connected resources.
Route Distribution: Routes are distributed from the Virtual WAN hub to connected virtual networks and sites based on association and propagation rules.

Traffic Flow Scenarios

1. On-premises to Azure VNet (via VPN/ExpressRoute)

Diagram illustrating traffic flow from an on-premises site through a Virtual WAN hub to an Azure VNet.

Traffic from an on-premises site arrives at the Virtual WAN hub via a VPN or ExpressRoute connection. The hub's router then inspects the destination IP address and consults its route tables. Based on the learned routes, it forwards the traffic to the appropriate connected virtual network.

2. Azure VNet to VNet (via Virtual WAN)

Diagram illustrating traffic flow between two Azure VNets connected through a Virtual WAN hub.

When a virtual network is connected to a Virtual WAN hub, its routes are advertised to the hub. If another virtual network is also connected to the same hub, the hub's router can directly forward traffic between them, eliminating the need for VNet peering in some scenarios.

3. Internet Egress and Ingress

Diagram showing internet breakout through the Virtual WAN hub, optionally with NVA integration.

Virtual WAN allows for centralized internet breakout. Traffic destined for the internet from connected virtual networks or on-premises sites can be routed through the Virtual WAN hub. You can integrate Network Virtual Appliances (NVAs) at the hub for advanced security inspection.

Route Propagation and Association

Understanding how routes are propagated and associated is crucial for effective Virtual WAN routing:

Virtual Network Association: When you associate a virtual network with a Virtual WAN hub, the hub learns the address space of that VNet.
Connection Propagation: Routes from VPN and ExpressRoute connections are advertised to the hub.
Route Table Association: Each virtual network and connection is associated with a specific route table within the hub. This association determines which routes are learned and propagated.
Route Table Propagation: Routes are propagated to associated route tables. For example, routes from a VNet can be propagated to the 'default' route table of the hub, making them available to other connections and VNets.

Custom Routing with Route Maps and Policies

Virtual WAN offers advanced customization options for routing:

Route Maps: Used with ExpressRoute connections to filter and modify routes advertised to and received from the Virtual WAN hub.
Routing Intent and Policies: For VNet connections, you can define routing intent to steer traffic through specific NVAs or directly to the internet, overriding default VNet routing.

For detailed configuration and advanced routing scenarios, please refer to the How-to Guides and Architecture sections.