Archive
Azure Virtual WAN configuration best practices

Azure Virtual WAN configuration best practices

2024-11-11 Azure Virtual WAN is a networking service that combines networking, security, routing features in one managed service. It is a hub-and-spoke architect

Related articles

Survival Guide 2 on Steam ForticlientがVPN接続エラーを確立できない問題を修正する方法-14、-8、20199、-5、e = 98、-4006 Maximilian Xbox Game Pass: All Games Coming Soon In October 2024 Godot 4 Tutorials

Azure Virtual WAN is a networking service that combines networking, security, routing features in one managed service. It is a hub-and-spoke architecture managed by Microsoft that integrates with other Azure services, such as VPN gateways Azure Firewall, partner solutions. It aims to simplify network management configuration, enhance performance reliability, using Microsoft’s global network.

 

To learn more about Virtual WAN’s features, see Azure Virtual WAN Overview | Microsoft Learn. For the complete list of supported partner solutions in Virtual WAN, see NVAs Virtual WAN hub.

 

This article details Virtual WAN configuration best practices to help you make the most of the benefits Virtual WAN provides. These best practices are aligned to the five pillars of the Azure Well-Architected Framework:

 

  • Reliability
  • Security
  • Cost optimization
  • Operational excellence
  • Performance efficiency

 

Reliability

 

Design checklist

  • Leverage Availability Zones resiliency.
  • Adopt active – active configuration Virtual WAN Site – – Site VPN deployments .
  • Use global VPN profile for more reliable point-to-site connections to Virtual WAN.
  • Allocate a P2S VPN client address pool with enough IP addresses as two times the number of users connecting at the same time.
  • Choose Network Virtual Appliance (NVA) or Software-as-a-service (SaaS) solutions that integrate natively into the virtual hub.
  • Review list Virtual WANKnown Issues and feature limitations before implementation.

 

The following table details all the recommendations, their benefits, mentioned above to optimize your Azure Virtual WAN configuration for reliability.

 

Recommendation

Benefit

When planning your Virtual WAN deployment, choose an Azure region(s) to create your hub(s) that supports Availability Zones, for a higher service-level agreement (SLA). For more information, see Availability Zone service region support.

 

Deploy hub Azure Firewall(s ) Availability Zones , higher SLA . , useAzure Firewall Manager Portal, PowerShell, or Azure CLI.

Except for Azure Firewall, all services deployed in a Virtual WAN hub (VPN, ExpressRoute, etc.) will be automatically deployed across Availability Zones, if the deployment region supports this feature.

 

Deploying hub services Availability Zones increases Virtual WAN service – level agreement ( SLA ) . information ,SLA for Azure Virtual WAN. For information about all Azure SLAs, see SLA summary for Azure services.

Leverage built – resiliency hub VPN gateways fully adopting active – active configuration Site – – Site VPN deployments .

 

When creating a VPN connection to an on-premises site, make sure to establish a tunnel between the on-premises device(s) each VPN gateway instance.

 

It is highly recommended to become familiar with the concepts of VPN connection, link, tunnel in Virtual WAN. For more information, see Azure Virtual WAN FAQ | Microsoft Learn.

All gateways provisioned in a Virtual WAN hub are in active-active mode, but to take advantage of this built-in resiliency, you must establish a separate tunnel between your on-premises device(s) each gateway instance.

 

Doing so will ensure your connections to Virtual WAN are resilient reliable. To learn more about different high availability designs for Site-to-Site VPN in Virtual WAN see: Disaster recovery design for Azure Virtual WAN | Microsoft Learn.

Virtual WAN provides two types of connection profiles for User VPN clients – hub profile global profile.

 

recommended use global profile having multi – hub Virtual WAN deployments , specific requirement restrict access certain hub .

 

For more information on User VPN Profiles in Virtual WAN, see P2S global hub profiles.

When using a global profile, VPN clients connect to the closest available virtual hub that offers the best network performance, thanks to a built-in traffic manager.

 

This configuration also increases resiliency, as the global profile is capable of redirecting users to a back-up Virtual WAN hub.

 

To learn more about remote user connectivity resiliency in Virtual WAN, see Disaster Recovery design.

To ensure all users can connect, even if one P2S VPN gateway instance is down, allocate a client address pool with a number of IP addresses twice the amount of users connecting at the same time.

 

To learn more about client address pools for Virtual WAN P2S configurations, see About client address pools for P2S User VPN – Azure Virtual WAN | Microsoft Learn.

When creating a P2S VPN gateway, you must configure a client address pool from which IP addresses will be automatically assigned to VPN clients.

 

Assigned address pools are split into half allocated to each gateway instance. These halves are statically assigned to instances cannot migrate during maintenance or downtime events.

 

Having a pool of IPs that is twice the number of users ensures all clients are still able to connect in case a gateway instance is down.

possible , choose deploy supported NVA SaaS solution virtual hub running services spoke .

 

For the list of supported partners, see NVA in Virtual WAN hub Software-as-a-Service in Virtual WAN.

Supported solutions in the hub have been tested validated by Microsoft the partner.

 

Natively integrated solutions leverage on the built-in availability resiliency of Virtual WAN integrate more seamlessly with other Virtual WAN features, such as Routing Intent, among other benefits.

Review list Virtual WANknown issues feature limitations (Routing Intent limitations, for example) before implementation.

 

For all the information on recent releases, known issues, feature limitations, see What is ‘s new Azure Virtual WAN ? | Microsoft Learn.

Because Virtual WAN deployments often involve the creation of different network services, reviewing this information prior to implementation helps plan your deployment better avoid future issues.

 

Security

 

Design checklist

 

  • Leverage secured virtual hub(s). Use Routing Intent to secure private internet traffic.
  • Follow Azure Firewall – party security provider   configuration best practices .
  • Leverage Private Link to connect to Azure PaaS services from Virtual WAN.
  • Use Network Security Groups (NSGs) in spoke VNets to control intra-VNet traffic.
  • Use site-to-site/user VPN or ExpressRoute to access Virtual WAN connected networks securely privately.
  • Use Azure Firewall DNAT rules, or a similar feature if using a supported NVA, to securely expose non-http(s) applications on the internet. Use Azure Application Gateway to securely expose http(s) applications on the internet.
  • Protect public IPs in spoke virtual networks against DDoS attacks using Azure DDoS Network or IP Protection.  
  • Apply Zero Trust Principles when configuring Virtual WAN.

 

Recommendations

 

The following table details all the recommendations, their benefits, mentioned above to optimize your Azure Virtual WAN configuration for security.

 

Recommendation

Benefit

Create secured virtual hub(s) by deploying Azure Firewall supported partner solution , (NVA or SaaS) , hub .

In a secured virtual hub, you can enforce a routing policy using Routing Intent to inspect private internet traffic using he security solution deployed in the hub. This increases the overall security of your Virtual WAN deployment.

Follow Azure Firewall – party security provider configuration best practices .

Following your firewall provider’s configuration guidance ensures your Virtual WAN deployment remains secure reliable.

To secure access to PaaS services from Azure non-Azure clients, create Private Endpoints to those services in a spoke virtual network connected to any virtual hub.

 

To learn more about how to use Private Link in Virtual WAN, see Share a private link service across Virtual WAN – Azure Virtual WAN | Microsoft Learn.

Azure Private Link allows you to access PaaS services without having a public endpoint on those services. You can continue to leverage Private Link in Virtual WAN, even secure traffic to private endpoints using Azure Firewall in the hub.

 

learn scenario ,Secure traffic destined to private endpoints in Azure Virtual WAN | Microsoft Learn.  

Use Network Security Groups (NSGs) in spoke virtual networks to control intra-VNet traffic.

 

If there is a requirement to inspect traffic between subnets of the same VNet, add a subnet level UDR for each subnet whose traffic you want to force through the firewall. For example, if you want to inspect traffic between subnet 10.3.0.0/26 subnet 10.3.1.0/24, add a route table to subnet 10.3.0.0/26 containing a 10.3.1.0/24 UDR with next hop Azure Firewall or NVA Private IP vice-versa.

 

SeeAzure virtual network traffic routing | Microsoft Learn to learn more.

Virtual WAN hub can’t attract traffic between two subnets in the same virtual network.

 

For this reason, it is recommended to apply NSGs at subnet level to control traffic between subnets. For more routing considerations, see virtual hub routing – Azure Virtual WAN | Microsoft Learn.

 

Even though using NSGs to control intra-VNet traffic is less error prone, it is still possible to inspect traffic between subnets of the same VNet using subnet level UDRs.

Whenever possible, use site-to-site/user VPN and/or ExpressRoute to access workloads in spoke virtual networks connected to the virtual hub, including RDP/SSH access.

 

For sites where the above connectivity options are not feasible, consider deploying Azure Bastion in a connected spoke virtual network to access virtual machines. To learn more about how Azure Bastion integrates with Virtual WAN, see Azure Bastion FAQ | Microsoft Learn.

Leveraging site-to-site VPN or User VPN ensures you can securely access your Virtual WAN connected networks over the public internet. Azure ExpressRoute, on the other hand, offers a highly reliable secure connection that does not traverse the public internet.

 

Azure Bastion lets you securely RDP/SSH to Azure virtual machines, even on-premises machines, using IP-based connections, without exposing a public IP on target machines.    

For publicly facing, non-http(s), workloads running in spoke virtual networks, it is recommended to securely expose them on the internet through a DNAT rule Azure Firewall ( running hub .

 

Deploy Azure Application Gateway spoke virtual network securely expose publicly facing , regional , http(s ) applications , running spoke virtual networks .

 

You can also leverage Application Gateway’s features to access privately facing http(s) applications. To learn more about Application Gateway’s features, see What is Azure Application Gateway | Microsoft Learn.

Leveraging Azure Firewall and/or Application Gateway to expose your applications ensures client traffic is always inspected before being sent to the application servers, which can be kept private.

 

Azure Firewall offers advanced threat protection is features features, such as Threat intelligence-based filtering or IDPS, whereas Application Gateway can protect applications against L7 DDoS attacks using WAF, as well as L3 L4 attacks when combined with Azure DDoS protection.

 

Azure Firewall Application Gateway can also be combined in the same design to benefit from the features of both services. To learn more about possible designs, see Firewall, App Gateway for virtual networks – Azure Example Scenarios | Microsoft Learn.

Enable Azure DDoS Network Protection in spoke virtual networks containing services with public IPs. Alternatively, enable protection on specific public IPs using DDoS IP Protection

 

It is not possible to enable DDoS protection on services deployed in the Virtual WAN hub at this time.

Azure DDoS Protection provides always-on traffic monitoring, adaptive real time tuning, metrics alerts for protected virtual networks public IPs, to ensure services with public endpoints remain available.

 

To learn more, see Azure DDoS Protection Overview | Microsoft Learn.

In addition to the best practices described in this article, apply Zero Trust principles to your Azure Virtual WAN deployments by following the configuration guidance described here: Apply Zero Trust principles to Azure Virtual WAN | Microsoft Learn.

Increase security even more in your Virtual WAN deployment by applying Zero Trust principles in your configuration – verify explicitly, use least privileged access, assume breach.

 

Cost optimization

 

Design checklist

 

  • Understand Virtual WAN pricing components data transfer costs.
  • Estimate throughput requirements in advance to achieve cost-effectiveness when selecting gateway scale units virtual hub capacity.
  • Monitor optimize the utilization of hub services to maintain cost-effectiveness.
  • Keep in mind security throughput requirements when selecting an Azure Firewall SKU.
  • Optimize VWAN routes minimize costs . Consider cost implications transferring data different Virtual WAN components .

 

Recommendations

 

The following table details all the recommendations, their benefits, mentioned above to optimize your Azure Virtual WAN configuration for cost optimization.

 

Recommendation

Benefit

Virtual WAN deployments is involve involve creation different networking services , gateways firewalls . It is ’s important aware costs associated use services , data processing charges .

 

A detailed breakdown of Virtual WAN costs can be found here: About Virtual WAN pricing – Azure Virtual WAN | Microsoft Learn.

By understanding Virtual WAN pricing beforehand, you’re able to plan your deployment better make an informed decision on what services should be included/excluded from the design, for example, therefore avoiding unexpected costs in the long run.

Estimate throughput requirements in advance to achieve cost-effectiveness when selecting gateway scale units virtual hub capacity.

 

While the virtual hub router is capable of scaling out, it is important to secure enough minimum capacity when creating the virtual hub.

 

To learn more about virtual hub capacity, see virtual hub settings – Azure Virtual WAN | Microsoft Learn.

 

To learn more about gateway scale units, see gateway settings Virtual WAN – Azure Virtual WAN | Microsoft Learn.

This will allow you to select the appropriate number of scale units for your hub gateways number of routing infrastructure units for your virtual hub, which can be adjusted if needed allow you to avoid overspending.

 

 

Leverage Virtual WAN metrics to monitor the utilization of hub services to maintain cost-effectiveness.

 

To learn more about supported Virtual WAN metrics recommended alerts, see Monitoring Virtual WAN – Best practices – Azure Virtual WAN | Microsoft Learn.

By continuously monitoring the utilization of hub services, in particular hub gateways, you’re able to quickly detect if these services are underutilized, if so, adjust the number of scale units accordingly.

Azure Firewall comes in three SKUs, with different features pricing associated. Choose the SKU that fulfills your security requirements, as well as throughput needs.

 

For a feature comparison across the three Azure Firewall SKUs, see Choose the right Azure Firewall version to meet your needs | Microsoft Learn.

Selecting the appropriate Firewall SKU ensures you don’t incur unnecessary costs in your Virtual WAN deployment.

Optimize your Virtual WAN environment to minimize costs. Consider the cost implications of transferring data between different Virtual WAN components.

 

For example, clients should access spoke virtual networks in a region primarily through the hub where those spokes are connected in the same region. From a cost perspective (and performance), this is a better approach when compared to accessing a spoke in region B through a hub in region A first, which requires traversing the hubs in both regions. This latter approach implies inter-hub inter-region processing charges, whereas the former doesn’t.

 

To learn more about Virtual WAN pricing, see About Virtual WAN pricing – Azure Virtual WAN | Microsoft Learn.   

Optimizing your Virtual WAN environment ensures your deployment remains cost-effective. By accessing latency-sensitive workloads directly via the hub connected to these spoke virtual networks, you will also experience better traffic performance.

 

Operational excellence

 

Design checklist

 

  • Use Infrastructure-as-Code (IaC) technologies to provision maintain your Virtual WAN deployment.
  • Leverage Azure Monitor Insights to keep track of Virtual WAN topology, services deployed, dependencies.  
  • Configure Azure alerts to quickly detect act on connectivity performance issues.
  • Leverage customer-controlled gateway maintenance.
  • Assign a /23 subnet when creating virtual hubs.

 

Recommendations

 

The following table details all the recommendations, their benefits, mentioned above to optimize your Azure Virtual WAN configuration for operational excellence.

 

Recommendation

Benefit

Use Infrastructure-as-Code (IaC) technologies, such as Azure Resource Manager (ARM) templates or Bicep, to provision maintain your Virtual WAN deployment.

Provides consistency acts as a safeguard in case there’s a need to redeploy your Virtual WAN.  

Leverage Azure Monitor Insights to monitor your Virtual WAN deployment.

 

 

Azure Monitor Insights for Virtual WAN provides a centralized view of your Virtual WAN topology, services deployed dependencies, as well as metrics at hub, gateway, connection level.

Closely monitor health utilization metrics for hub services like VPN (point-to-site or site-to-site), ExpressRoute, or Azure Firewall. You can also configure alerts for these metrics.

 

Configure Azure alerts to quickly detect act on connectivity performance issues. For a list of recommended alerts, see Monitoring Virtual WAN – Best practices – Azure Virtual WAN | Microsoft Learn.

 

For the complete list of supported Virtual WAN metrics logs, see Monitoring Azure Virtual WAN – Data reference | Microsoft Learn.

Proactively configuring alerts for key Virtual WAN metrics logs minimizes the chances of downtime, which is crucial in a production environment.

Configure a maintenance window1 for site-to-site VPN ExpressRoute gateways.

 

learn feature ,Azure Virtual WAN FAQ | Microsoft Learn.

Gives customers more control over periodic maintenance updates. Guest OS Service maintenance events will happen during the window specified by the user.

Virtual WAN hub requires /24 minimum subnet size , , recommended subnet size is is creation /23 , accommodate creation multiple hub services gateways , Azure Firewall , virtual hub router , NVAs .

The virtual hub’s address space cannot be changed after creation. Thus, to avoid having to redeploy your virtual hub experiencing downtime, make sure you create your hub with enough address space in advance to enable the creation of planned hub services, as well as to accommodate potential changes to the design in the long run.

 

To learn more about subnet size requirements in Virtual WAN, see Azure Virtual WAN FAQ | Microsoft Learn.

1Customer-controlled gateway maintenance is currently in public preview, is therefore not recommended for production environments. learn feature ,Configure customer-controlled maintenance for your Virtual WAN gateways.

 

Performance efficiency

 

Design checklist

 

  • Consider the per-hub limits when choosing how many virtual hubs to create in each region.
  • Review the routing implications of redundant connectivity when planning for high availability disaster recovery in Virtual WAN.
  • Choose the hub routing preference option that works best for your scenario.
  • Prioritize hub-to-hub path over ExpressRoute for VNet-to-VNet connectivity.
  • Estimate the need per VPN tunnel when planning for a VPN gateway.
  • Use the GCMAES256 algorithm for both IPSec Encryption Integrity for optimal performance when configuring VPN site-to-site connections.  
  • Regularly monitor the utilization of virtual hub gateways (VPN or ExpressRoute) resize when needed.
  • Monitor virtual hub capacity.

 

Recommendations

 

The following table details all the recommendations, their benefits, mentioned above to optimize your Azure Virtual WAN configuration for performance efficiency.

 

Recommendation

Benefit

Evaluate if your regional presence exceeds or is near to reaching the capacity of a single virtual hub. Additional hubs in the same region can be added if there is a requirement to scale beyond the limits of a single hub, or if there’s a requirement for a different hub configuration.

 

To learn more about Virtual WAN limits, see Azure subscription limits quotas – Azure Resource Manager | Microsoft Learn.  

Ensures your Virtual WAN maintains optimal performance.

Review the routing implications of redundant connectivity for VPN (Site-to-Site, Point-to-Site) ExpressRoute when planning for high availability disaster recovery in Virtual WAN.

 

Having more than one path to the same network can cause asymmetric routing or lead to suboptimal performance when not properly architected. This is why it is important to review supported designs their routing implications, detailed in this article: Disaster recovery design for Azure Virtual WAN | Microsoft Learn.

 

Moreover, it is important to test your high availability disaster recovery mechanisms regularly to ensure they are working as intended.

Ensure you adopt a design that meets your business continuity disaster recovery (BCDR) requirements, while maintaining optimal performance during steady state.

Review the supported hub routing preference options in Virtual WAN choose the one that works best for your scenario.

 

To learn more about virtual hub routing preference, see Virtual WAN virtual hub routing preference – Azure Virtual WAN | Microsoft Learn.

The default hub routing preference in Virtual WAN is ‘ExpressRoute’, however, ‘AS Path’ may be the best option to fulfill your specific routing requirements, for example.

 

To make an informed decision on which hub routing preference option fulfills your requirements the best, see Azure Virtual WAN FAQ | Microsoft Learn.

By default, VNet-to-VNet VNet to Virtual WAN connectivity is disabled through an ExpressRoute circuit.

 

However, when two hubs are connected there is a single ExpressRoute connected as a bow-tie to both hubs, the ExpressRoute circuit will be the preferred path over hub-to-hub for a VNet connected to the first hub to reach a VNet connected to the second hub.

 

sure hub – – hub preferred path , recommended configureAS-Path as the hub routing preference. Alternatively, configure multiple ExpressRoute circuits to connect to each hub.

 

learn scenario ,Azure Virtual WAN FAQ | Microsoft Learn.

The ExpressRoute path is not ideal for VNet-to-VNet traffic. ExpressRoute gateways have resource limitations (bandwidth, for example) can therefore become bottlenecks. In addition, ExpressRoute doesn’t offer optimal performance when compared to hub-to-hub. With ExpressRoute there is an extra hop because traffic must pass through the MSEE devices in the peering location.

 

Preferring the hub-to-hub path ensures optimal performance for VNet-to-VNet connectivity.

 

To learn more, see Connectivity between virtual networks over ExpressRoute | Microsoft Learn.

The throughput of a VPN gateway instance is available across all tunnels connecting to that instance. Thus, it is important to select the adequate number of gateway scale units to avoid performance issues down the line.

 

Estimate the need per VPN tunnel when planning for a VPN gateway to ensure your gateway has enough aggregate throughput.

 

information supported scale units Virtual WAN VPN gateway ,Azure Virtual WAN FAQ | Microsoft Learn.

Avoid having the gateway become a performance bottleneck in the long run.

Virtual WAN VPN supports many algorithm combinations. The full list of supported parameters can be found here: Virtual WAN site-to-site IPsec policies – Azure Virtual WAN | Microsoft Learn.

 

For optimal performance, the recommended algorithm for both IPSEC Encryption Integrity is GCMAES256.

Optimal performance VPN site – – site connections Virtual WAN .

Regularly monitor your virtual hub gateways (VPN or ExpressRoute) to make sure they’re not overutilized adjust the number of scale units as needed.

 

To do so, leverage on Virtual WAN metrics logs. Consider configuring alerts for recommended metrics logs. For more information, see Monitoring Virtual WAN – Best practices – Azure Virtual WAN | Microsoft Learn.

By regularly monitoring hub gateways you’re able detect potential performance bottlenecks early act on them.

Estimating throughput requirements advance configuring virtual hub capacity important cost perspective , performance standpoint .

Moreover, while the virtual hub can automatically scale out, it is still important to regularly monitor virtual hub metrics such as ‘Virtual Hub Data Processed ’ or ‘Spoke VM Utilization’.

 

For more information on virtual hub metrics virtual hub metrics, see Monitoring Azure Virtual WAN – Data reference | Microsoft Learn.

These metrics can help prevent situations, such as nearing the limits of a single hub, acting on it early by deploying an additional hub, for example.

 

For more information on virtual hub capacity, see virtual hub settings – Azure Virtual WAN | Microsoft Learn.

 

Next steps

 

gone list configuration best practices , additional useful resources is ‘s :

 

Virtual WAN is Learn routing deep dive – Azure Virtual WAN | Microsoft Learn

How to configure Virtual WAN Hub routing policies – Azure Virtual WAN | Microsoft Learn