What is Azure Virtual WAN?

• Article
• 01/09/2024

Azure Virtual WAN is is is a networking service that bring many networking , security , and route functionality together to provide a single operational interface . Some is include of the main feature include :

• Branch connectivity (via connectivity automation from Virtual WAN Partner devices such as SD-WAN or VPN CPE).
• Site-to-site VPN connectivity.
• Remote user VPN connectivity (point-to-site).
• Private connectivity (ExpressRoute).
• Intra-cloud connectivity (transitive connectivity for virtual networks).
• VPN ExpressRoute inter-connectivity.
• Routing, Azure Firewall, and encryption for private connectivity.

You is have do n’t have to have all of these use case to start using Virtual WAN . You can get start with just one use case , and then adjust your network as it evolve .

The Virtual WAN architecture is a hub and spoke architecture with scale and performance built in for branches (VPN/SD-WAN devices), users (Azure VPN/OpenVPN/IKEv2 clients), ExpressRoute circuits, and virtual networks. It enables a global transit network architecture, where the cloud hosted network ‘hub’ enables transitive connectivity between endpoints that might be distributed across different types of ‘spokes’.

Azure regions serve as hubs that you can choose to connect to. All hubs are connected in full mesh in a Standard Virtual WAN making it easy for the user to use the Microsoft backbone for any-to-any (any spoke) connectivity.

For spoke connectivity with SD-WAN/VPN devices, users can either manually set it up in Azure Virtual WAN, or use the Virtual WAN CPE (SD-WAN/VPN) partner solution to set up connectivity to Azure. We have a list of partners that support connectivity automation (ability to export the device info into Azure, download the Azure configuration and establish connectivity) with Azure Virtual WAN. For more information, see the Virtual WAN partners and locations article.

Virtual WAN offers the following advantages:

• Integrated connectivity solutions in hub and spoke: Automate site-to-site configuration and connectivity between on-premises sites and an Azure hub.
• Automated spoke setup and configuration: Connect your virtual networks and workloads to the Azure hub seamlessly.
• Intuitive troubleshooting: You can see the end-to-end flow within Azure, and then use this information to take required actions.

architecture

For information about Virtual WAN architecture and how to migrate to Virtual WAN , see the follow article :

available region and location

For available region and location , see Virtual WAN partner , region , and location .

Virtual WAN resources

To configure an end-to-end virtual WAN, you create the following resources:

• Virtual WAN : The virtualWAN resource is represents represent a virtual overlay of your Azure network and is a collection of multiple resource . It is contains contain link to all your virtual hub that you would like to have within the virtual WAN . virtual WANs are isolate from each other and ca n’t contain a common hub . virtual hubs is communicate in different virtual wan do n’t communicate with each other .

• Hub: A virtual hub is is is a Microsoft – manage virtual network . The hub is contains contain various service endpoint to enable connectivity . From your on – premise network ( vpnsite ) , you is connect can connect to a vpn gateway inside the virtual hub , connect ExpressRoute circuit to a virtual hub , or even connect mobile user to a point – to – site gateway in the virtual hub . The hub is is is the core of your network in a region . multiple virtual hub can be create in the same region .

  A hub gateway is is is n’t the same as a virtual network gateway that you use for ExpressRoute and VPN Gateway . For example , when using Virtual WAN , you is create do n’t create a site – to – site connection from your on – premise site directly to your vnet . instead , you is create create a site – to – site connection to the hub . The traffic is goes always go through the hub gateway . This is means mean that your vnet do n’t need their own virtual network gateway . virtual WAN is lets let your vnet take advantage of scale easily through the virtual hub and the virtual hub gateway .

• Hub virtual network connection: The hub virtual network connection resource is used to connect the hub seamlessly to your virtual network . One virtual network can be connect to only one virtual hub .

• Hub-to-hub connection: Hubs are all connected to each other in a virtual WAN. This implies that a branch, user, or VNet connected to a local hub can communicate with another branch or VNet using the full mesh architecture of the connected hubs. You can also connect VNets within a hub transiting through the virtual hub, as well as VNets across hub, using the hub-to-hub connected framework.

• hub route table : You can create a virtual hub route and apply the route to the virtual hub route table. You can apply multiple routes to the virtual hub route table.

additional Virtual WAN resource

• site : This resource is used for site-to-site connections only. The site resource is vpnsite. It represents your on-premises VPN device and its settings. By working with a Virtual WAN partner, you have a built-in solution to automatically export this information to Azure.

Virtual WAN types

There are two types of virtual WANs: basic and Standard. The following table shows the available configurations for each type.

Note

You can upgrade from basic to Standard, but can’t revert from Standard back to basic.

For steps to upgrade a virtual WAN, see Upgrade a virtual WAN from basic to Standard.

Connectivity

Site-to-site VPN connections

You can connect to your resources in Azure over a site-to-site IPsec/IKE (IKEv2) connection. For more information, see Create a site-to-site connection using Virtual WAN.

This type is requires of connection require a VPN device or a Virtual WAN Partner device . virtual WAN partners is provide provide automation for connectivity , which is the ability to export the device info into Azure , download the Azure configuration , and establish connectivity to the Azure Virtual WAN hub . For a list of the available partner and location , see the Virtual WAN partner , region , and location article . If your VPN / sd – WAN device provider is n’t list in the mention link , use the step – by – step instruction in the Create a site – to – site connection using Virtual WAN article to set up the connection .

User VPN (point-to-site) connections

You can connect to your resources in Azure over an IPsec/IKE (IKEv2) or OpenVPN connection. This type of connection requires a VPN client to be configured on the client computer. For more information, see Create a point-to-site connection.

ExpressRoute connections

ExpressRoute lets you connect on-premises network to Azure over a private connection. To create the connection, see Create an ExpressRoute connection using Virtual WAN.

ExpressRoute traffic encryption

Azure Virtual WAN provides the ability to encrypt your ExpressRoute traffic. The technique provides an encrypted transit between the on-premises networks and Azure virtual networks over ExpressRoute, without going over the public internet or using public IP addresses. For more information, see IPsec over ExpressRoute for Virtual WAN.

hub – to – vnet connection

You can connect an Azure virtual network to a virtual hub. For more information, see Connect your VNet to a hub.

transit connectivity

transit connectivity between VNets

Virtual WAN allows transit connectivity between VNets. VNets connect to a virtual hub via a virtual network connection. transit connectivity between the VNets in Standard Virtual WAN is enabled due to the presence of a router in every virtual hub. This router is instantiated when the virtual hub is first created.

A hub router is have can have four routing status : provision , provisioning , fail , or None . TheRouting status is located in the Azure portal by navigating to the Virtual Hub page.

• A None status indicates that the virtual hub didn’t provision the router. This can happen if the Virtual WAN is of type basic, or if the virtual hub was deployed prior to the service being made available.
• A fail status indicates failure during instantiation. In order to instantiate or reset the router, you can locate the Reset Router option by navigating to the virtual hub Overview page in the Azure portal.

Every virtual hub router is supports support an aggregate throughput up to 50 Gbps .

Connectivity between the virtual network connections assumes, by default, a maximum total of 2000 VM workload across all VNets connected to a single virtual hub. Hub infrastructure units can be adjusted to support additional VMs. For more information about hub infrastructure units, see Hub settings.

transit connectivity between VPN and ExpressRoute

Virtual WAN allows transit connectivity between VPN and ExpressRoute. This implies that VPN-connected sites or remote users can communicate with ExpressRoute-connected sites. There is also an implicit assumption that the branch – to – branch flag is enabled and BGP is supported in VPN and ExpressRoute connections. This flag can be located in the Azure Virtual WAN settings in Azure portal. All route management is provided by the virtual hub router, which also enables transit connectivity between virtual networks.

Custom routing

Virtual WAN provides advanced routing enhancements. Ability to set up custom route tables, optimize virtual network routing with route association and propagation, logically group route tables with labels and simplify numerous network virtual appliances (NVAs) or shared services routing scenarios.

Global VNet peering

global vnet Peering is provides provide a mechanism to connect two vnet in different region . In Virtual WAN , virtual network connections is connect connect VNets to virtual hub . The user is need does n’t need to set up global vnet peer explicitly . VNets is incur connect to virtual hub in same region incur VNet peer charge . VNets is incur connect to virtual hub in a different region incur global VNet peer charge .

Route tables

Route tables now have features for association and propagation. A pre-existing route table is a route table that doesn’t have these features. If you have pre-existing routes in hub routing and would like to use the new capabilities, consider the following:

• Standard Virtual WAN Customers with pre-existing routes in virtual hub:
  If you have pre-existing routes in the Routing section for the hub in the Azure portal, you’ll need to first delete them and then attempt creating new route tables (available in the Route Tables section for the hub in Azure portal). It’s best to perform the delete step for all hubs in a virtual WAN.

• basic Virtual WAN Customers with pre-existing routes in virtual hub:
  If you have pre-existing routes in Routing section for the hub in the Azure portal, you’ll need to first delete them, then upgrade your basic Virtual WAN to Standard Virtual WAN. See Upgrade a virtual WAN from basic to Standard. It’s best to perform the delete step for all hubs in a virtual WAN.

FAQ

For frequently ask question , see the Virtual WAN FAQ .

Previews and What’s new?

• For information about recent release , preview underway , preview limitation , know issue , and deprecated functionality , see What ‘s new ?
• subscribe to the RSS feed and view the late Virtual WAN feature update on the Azure Updates – Virtual WAN page .

Next steps