Azure Virtual WAN Architecture

A unified, global network architecture that connects branches, remote users, and datacenters to Azure and each other.

Overview

Azure Virtual WAN provides a central hub that aggregates multiple connectivity options—site‑to‑site VPN, ExpressRoute, point‑to‑site (P2S) VPN, and Azure Firewall—as well as routing, security, and monitoring capabilities.

Figure: Virtual WAN Architecture Diagram

Core Components

  • Virtual WAN Hub – Central routing and security point per Azure region.
  • VPN Gateways – Site‑to‑site and point‑to‑site gateways attached to the hub.
  • ExpressRoute Circuits – Private, dedicated connections to Azure datacenters.
  • Azure Firewall (optional) – Centralized network threat protection.
  • Branch Connectivity – Branches attach to the hub through VPN devices or SD‑WAN appliances.
  • Policy & Routing – Automated routing tables, BGP, and security policies.

Hub‑and‑Spoke Topology

The hub acts as a transit hub for traffic between spokes (virtual networks, on‑premises sites, and remote users). This model simplifies management and reduces the number of required peering relationships.

# Create the spoke virtual network.
az network vnet create \
    --resource-group MyResourceGroup \
    --name SpokeVNet \
    --address-prefixes 10.1.0.0/16

# Attach the spoke to the Virtual WAN hub. A Virtual WAN hub is a managed
# resource, so spokes are attached with a hub virtual network connection
# rather than classic VNet peering (requires the virtual-wan CLI extension).
az network vhub connection create \
    --resource-group MyResourceGroup \
    --vhub-name MyVwanHub \
    --name SpokeToHub \
    --remote-vnet SpokeVNet

Branch Connectivity

Branches can connect via IPsec/IKE VPN or supported SD‑WAN appliances. Azure Virtual WAN automatically provisions the VPN gateway and distributes configuration to the devices.

Device Type                          | Supported Protocols | Typical Use‑Case
-------------------------------------|---------------------|-----------------------------------------------------
Cisco ISR                            | IPsec, IKEv2        | Enterprise branch with existing Cisco infrastructure
Palo Alto Panorama                   | IPsec, SSL VPN      | Secure branch with firewall integration
Azure VPN Appliance (Linux/Windows)  | OpenVPN, SSTP       | Lightweight remote‑office setup

Security & Governance

Azure Virtual WAN integrates with Azure Firewall, Azure DDoS Protection, and Azure Policy to enforce security and compliance across the network.

  • Centralized threat detection with Azure Firewall Manager.
  • Route filtering using Azure Firewall policy and network security groups.
  • Compliance reporting via Azure Monitor and Log Analytics.

Best Practices

  1. Use a single hub per Azure region, and hub‑to‑hub connectivity for global reach.
  2. Enable Azure Firewall with a default deny‑all policy for inbound traffic.
  3. Leverage Azure Policy to enforce naming conventions and security standards.
  4. Monitor bandwidth and latency with Azure Monitor metrics dashboards.
  5. Use BGP to exchange prefixes dynamically with ExpressRoute rather than maintaining static routes.
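The route‑filtering bullet above and best practice 2 both assume that every spoke actually sends its traffic through the hub firewall. The following is an added example (not Microsoft tooling or part of the original page) that audits a simplified, constructed view of hub route tables for spokes whose default or private‑address routes bypass the firewall; the Route fields and next‑hop labels are assumptions, not the exact schema of `az network vhub route-table show`.

```python
"""Audit Virtual WAN hub route tables for spokes that bypass Azure Firewall.

Added example, not Microsoft tooling. The Route fields and next-hop labels
are an assumption, not the exact schema returned by the Azure CLI.
"""
from dataclasses import dataclass

FIREWALL_HOP = "AzureFirewall"  # assumed label for a next hop on the hub firewall
PRIVATE_PREFIXES = {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str  # assumed values: "AzureFirewall", "Internet", "VirtualNetwork"


def audit_route_table(name: str, routes: list[Route]) -> list[str]:
    """Return findings for one route table; an empty list means it is clean.

    Mirrors an inspect-everything posture: Internet-bound traffic (0.0.0.0/0)
    and private RFC 1918 traffic must both be forwarded to the hub firewall.
    """
    findings: list[str] = []
    if not any(r.prefix == "0.0.0.0/0" for r in routes):
        findings.append(f"{name}: no 0.0.0.0/0 route, egress falls back to the system route")
    for r in routes:
        inspected = r.prefix == "0.0.0.0/0" or r.prefix in PRIVATE_PREFIXES
        if inspected and r.next_hop_type != FIREWALL_HOP:
            findings.append(f"{name}: {r.prefix} -> {r.next_hop_type} bypasses the firewall")
    return findings


def audit_hub(route_tables: dict[str, list[Route]]) -> dict[str, list[str]]:
    """Audit every route table in a hub; return only the tables with findings."""
    results = {name: audit_route_table(name, rts) for name, rts in route_tables.items()}
    return {name: f for name, f in results.items() if f}


# Constructed sample hub: one table routes through the firewall, two do not.
SAMPLE_HUB = {
    "defaultRouteTable": [Route("0.0.0.0/0", FIREWALL_HOP), Route("10.0.0.0/8", FIREWALL_HOP)],
    "rt-legacy-spoke": [Route("0.0.0.0/0", "Internet"), Route("10.0.0.0/8", "VirtualNetwork")],
    "rt-no-default": [Route("192.168.0.0/16", FIREWALL_HOP)],
}

if __name__ == "__main__":
    for findings in audit_hub(SAMPLE_HUB).values():
        print("\n".join(findings))
```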

FAQs

How many hubs can I deploy in a region?

Azure currently allows up to 10 hubs per subscription per region. This limit can be increased by contacting Azure support.

Is Azure Firewall required?

No. Azure Firewall is optional, but recommended for centralized threat protection. You can attach a single firewall to multiple hubs using Firewall Manager.