Azure Back to School 2024 – Building a Cloud Centric Network with Azure Virtual WAN

This September, Azure Back to School 2024 is taking place, with loads of awesome sessions and great community content. My session, “Building a Cloud Centric Network with Azure Virtual WAN” is available to watch below:

Check out all of the other awesome sessions and content here: https://azurebacktoschool.com/

In this post I will provide a summary overview of Azure Virtual WAN, use cases, expansion options, and more! Please note, the below is a summary – for the full content please watch the above video! 😊


What is Azure Virtual WAN?

Azure Virtual WAN is a Networking Service that brings various Azure Networking elements together in a single operational and management interface.

  • Key Features Include:
    • Software-defined connectivity
    • Centralised network control and management
    • Optimised security and agility thanks to the Microsoft Global Network
    • Firewalling, Gateway, and Remote User Services

Speaking practically, what are the key impacts of using Virtual WAN?

  • Hub / Spoke – replaced with Virtual WAN Hub and VNET Peering to Spokes, providing a similar architecture but with increased control around routing and topology.
  • Routing and Route Tables – Automated, with manual override and changes as required.
  • VPNs/ExpressRoute – Centralised management and control of these gateways and services.
  • Firewalling – Azure native options and 3rd Party NVAs.

You can read more about Azure Virtual WAN here: https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about


Use Cases:

Whilst the key aspect of Azure Virtual WAN is bringing networking aspects together, and providing communication over the Microsoft Global Network, there is a huge range of use cases for Virtual WAN:

  • Branch connectivity – route your branch to branch traffic via Microsoft’s Network.
  • Site-to-site VPN connectivity.
  • Remote user VPN connectivity (point-to-site).
  • Private connectivity (ExpressRoute).
  • Intra-cloud connectivity (transitive connectivity for virtual networks, with the option of Firewalling too).
  • VPN ExpressRoute inter-connectivity (remote sites connecting into Virtual WAN to then traverse an ExpressRoute back to central sites/offices/data centres for example).
  • Routing Configuration – Route Tables, Custom Routing etc.
  • Azure Firewall & Firewall Manager integration
  • Transit & Internal Connectivity – Hub/Hub/Spoke/Spoke etc.

To see more about Connectivity Use Cases – visit MS Docs here: https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about#connectivity


Easy Expansion – really?

This is probably one of the areas that I hear most from customers I work with – does Azure Virtual WAN actually make expansion across Azure and the globe easier?

Yes! Azure Virtual WAN really helps for these types of scenarios, and in particular where future scaling is required – both in network traffic/services, and geographically.

So what can we do around expansion with Virtual WAN?

  • Regional Expansion
  • Firewalling options – Scale up to Premium as needed, and deploy rulesets across our estate.
  • Hub Routing Intent – Cross Region & Internet traffic all via NVAs/AzFWs
  • Centralised Firewall Rulesets and Management
  • ExpressRoute and VPN Gateway Support (S2S and P2S)
  • Full Mesh Topology – enabling communication via the MS Global Network
  • Spokes can communicate (via Firewall if required).
  • Automated Route Table Management & Provisioning
  • Single Control of Virtual Networks via Virtual WAN
  • Scale in routing units up to 50Gbps and 50,000 VMs per Hub

I often use these diagrams to illustrate the expansion – starting with a simple single region design:

We can then add another hub to this, to create a dual region design (this diagram expands things out a little to give an idea of what could connect into each Hub):

Whilst doing this – we’ve benefitted from a few things:

  • The routing units have been provisioned for us in the secondary region.
  • Automated routing configuration will allow VNets to communicate between regions (via the Firewalls if required).
  • Our firewall rules can be applied to an easily deployed Azure Firewall in the secondary region – this uses Azure Firewall Manager to control rules across the estate. (So these are all centralised).
  • Gateways can be added as required in the secondary region easily, providing Site to Site, Point to Site, and ExpressRoute capability.
  • Branch offices connected to the Virtual WAN hubs can also communicate via this Network too – replacing Site to Site VPNs between sites, or private circuits.
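As a sketch of what that secondary-region expansion can look like as code (an added example, not taken from the session), the Bicep below adds a second hub to an existing Virtual WAN, secures it with an Azure Firewall bound to the same central Firewall Policy, and sets Routing Intent so that Internet and private traffic both go through that firewall. Resource names, the region, the address prefix, the firewall tier and the API version are assumptions to adjust for your own estate.

```bicep
// Added example. Names, region, address prefix, tier and API version are assumptions.
param secondaryLocation string = 'northeurope' // assumed secondary region
param virtualWanId string                      // resource ID of the existing Virtual WAN
param firewallPolicyId string                  // central policy managed via Firewall Manager
param firewallTier string = 'Standard'         // set to 'Premium' if the policy is Premium

// The new hub: Virtual WAN provisions the hub router and inter-hub routing for it.
resource hub2 'Microsoft.Network/virtualHubs@2023-09-01' = {
  name: 'vhub-secondary'
  location: secondaryLocation
  properties: {
    virtualWan: {
      id: virtualWanId
    }
    addressPrefix: '10.20.0.0/23' // must not overlap with other hubs or spokes
    sku: 'Standard'
  }
}

// Firewall deployed inside the hub, reusing the same policy as the primary region.
resource fw2 'Microsoft.Network/azureFirewalls@2023-09-01' = {
  name: 'azfw-secondary'
  location: secondaryLocation
  properties: {
    sku: {
      name: 'AZFW_Hub'
      tier: firewallTier
    }
    virtualHub: {
      id: hub2.id
    }
    hubIPAddresses: {
      publicIPs: {
        count: 1
      }
    }
    firewallPolicy: {
      id: firewallPolicyId
    }
  }
}

// Routing Intent: send both Internet-bound and private (VNet/branch) traffic via the firewall.
resource intent 'Microsoft.Network/virtualHubs/routingIntent@2023-09-01' = {
  parent: hub2
  name: 'hubRoutingIntent'
  properties: {
    routingPolicies: [
      { name: 'InternetTraffic', destinations: [ 'Internet' ], nextHop: fw2.id }
      { name: 'PrivateTrafficPolicy', destinations: [ 'PrivateTraffic' ], nextHop: fw2.id }
    ]
  }
}
```

Because the firewall references the shared policy rather than carrying its own rules, a rule change made centrally applies to both regions, and omitting the private traffic policy would leave spoke-to-spoke and branch traffic uninspected in this hub.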

The same process and methodology applies for a third region too – with the expansion being simple and managed by Virtual WAN:


Where to get started, a summary:


Resources

Below are a few great resources I’d recommend looking at if you are keen to learn more about Virtual WAN:

Until next time, thanks for reading!
