Virtual Network Peering in Azure Virtual WAN

Connect your virtual networks seamlessly within Azure Virtual WAN.

Azure Virtual WAN provides a networking optimization and scale solution that brings together various Microsoft cloud networking capabilities. One of the fundamental features is the ability to connect your virtual networks (VNets) to your Virtual WAN hub, enabling simplified connectivity and management across your Azure resources and on-premises environments.

What is Virtual Network Peering in Virtual WAN?

In the context of Azure Virtual WAN, "Virtual Network Peering" refers to the process of connecting an Azure Virtual Network to a Virtual WAN hub. Unlike traditional VNet peering, which peers two VNets directly, Virtual WAN peering connects a VNet to the central hub. This hub then acts as a transit point, allowing resources in peered VNets to communicate with each other, as well as with other connected networks (e.g., on-premises sites).

Key Benefits:

  • Centralized Connectivity: All VNet connections are managed through the Virtual WAN hub.
  • Scalability: Supports a large number of VNet connections.
  • Simplified Management: Reduces the complexity of managing multiple direct VNet peerings.
  • Transit Routing: Enables inter-VNet communication and connectivity to on-premises via the hub.
  • Integrated Services: Leverages Virtual WAN's built-in features like routing, security, and monitoring.

How it Works

When you peer a VNet to a Virtual WAN hub, the hub's routing infrastructure is updated to include the address space of the peered VNet. This allows traffic originating from the VNet to be routed through the hub to other connected networks, and vice-versa. The Virtual WAN hub supports multiple types of connections, including VNet connections, Site-to-Site VPN, ExpressRoute, and Point-to-Site VPN, all of which can communicate through the hub.

Types of Connections to the Hub:

  • Virtual Network Connections: The primary method for connecting VNets to the hub.
  • Site-to-Site VPN: Connects on-premises networks to the hub.
  • ExpressRoute: Provides dedicated private connections from on-premises to the hub.
  • Point-to-Site VPN: Allows remote users to connect to the hub.

Creating a Virtual Network Connection

You can create a Virtual Network Connection to a Virtual WAN hub using the Azure portal, Azure CLI, or Azure PowerShell.

Using the Azure Portal:

  1. Navigate to your Virtual WAN resource.
  2. Under "Connectivity", select "Virtual network connections".
  3. Click "+ Add connection".
  4. Fill in the connection details:
    • Connection name: A descriptive name for your connection.
    • Hubs: Select the Virtual WAN hub to connect to.
    • Resource group: The resource group of the VNet.
    • Virtual network: The VNet you want to connect.
    • Propagate to none: (Optional) Used for specific routing scenarios.
    • Route traffic: (Optional) Enables routing between connected networks.
  5. Click "Create".
Important: Ensure that the address space of the VNet you are connecting does not overlap with the address space of any other VNets or on-premises networks connected to the same Virtual WAN hub.

Managing Connections and Routing

The Virtual WAN hub manages the routing of traffic between all connected resources. You can view and manage your VNet connections, as well as configure routing settings, within the Virtual WAN hub's "Routing intent" and "Routing policies" sections.

Routing Intent:

Routing intent allows you to specify the desired traffic flow. For example, you can set the routing intent to route traffic through a Network Virtual Appliance (NVA) deployed in the hub for advanced security inspection.

Routing Policies:

Routing policies provide granular control over how routes are advertised and learned between different connection types.


# Example: Azure CLI command to list VNet connections
az network vpn-gateway list --resource-group MyResourceGroup --gateway-type Vpn --name MyVpnGateway --query "[].VnetConnections"

Considerations

  • IP Address Spaces: Non-overlapping IP address spaces are crucial for proper routing.
  • Hub Capacity: Ensure your Virtual WAN hub is provisioned with sufficient capacity for the expected traffic load.
  • Routing Propagation: Understand how routes are advertised and learned to avoid connectivity issues.
  • Security: Implement appropriate security measures, such as Network Security Groups (NSGs) and firewalls, to protect your resources.
Best Practice: For optimal performance and management, it's recommended to use Virtual WAN peering for connecting VNets that need to communicate with each other or with on-premises networks, rather than relying solely on direct VNet-to-VNet peering for complex hub-and-spoke architectures.

By effectively leveraging Virtual Network Peering within Azure Virtual WAN, you can build a robust, scalable, and well-managed network infrastructure in the cloud.