
Azure vWAN is a highly scalable and secure virtual wide area network solution that provides a single, unified network fabric for your entire organization.
It's designed to simplify network management and reduce costs by eliminating the need for physical WAN connections.
To set up Azure vWAN, you'll need to create a virtual hub, which is the central location for your network.
Azure vWAN supports multiple network protocols, including IPsec, SSL/TLS, and IKEv2.
With Azure vWAN, you can connect multiple sites and branches to a single, unified network, making it easier to manage and secure your network.
This allows for better network visibility and control, as well as improved security and compliance.
Availability Zones and Resiliency
Availability Zones and Resiliency are handled in Virtual WAN by automatically deploying services like VPN and ExpressRoute across Availability Zones, if the region supports them.
This means that if one Availability Zone goes down, the other zones can still handle traffic, providing built-in resiliency.
Users can also connect to multiple hubs for additional resiliency across regions.
Azure Firewall, however, requires a different approach to support Availability Zones and needs to be deleted and redeployed using Azure Firewall Manager Portal, PowerShell, or CLI.
Virtual WAN resources are deployed regionally, but if the virtual WAN region itself experiences an issue, existing hubs will continue to function, but new hubs cannot be created until the region is available again.
Firewall and Networking
In Azure Virtual WAN, each Virtual Hub must have its own Firewall.
You can't share a Firewall between hubs, and trying to do so will result in deployment failure.
Each hub needs its own Firewall for security and routing reasons.
Custom routes that point to another hub's Firewall will not complete successfully.
This means you'll need to convert hubs to secured hubs with their own Firewalls if you're currently sharing a Firewall.
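As an added example (not from this page or from Microsoft), a small pre-deployment check over constructed hub and route definitions that flags both failure cases described above: a firewall referenced by more than one hub, and a custom route whose next hop is another hub's firewall. The hub names and firewall IDs are constructed placeholders.

```python
# Constructed sample (not from the page): firewall resource IDs are placeholders.
SAMPLE_HUBS = {
    "hub-eastus": "fw-eastus",
    "hub-westeu": "fw-westeu",
    "hub-uksouth": "fw-westeu",   # wrongly reuses hub-westeu's firewall
    "hub-japaneast": None,        # hub with no firewall at all
}
SAMPLE_ROUTES = [
    {"hub": "hub-eastus", "name": "to-internet", "next_hop": "fw-eastus"},
    {"hub": "hub-westeu", "name": "to-spokes", "next_hop": "fw-eastus"},  # cross-hub
]


def lint_hub_firewalls(hubs: dict, routes: list) -> list:
    """Return one finding per violation of the one-firewall-per-hub rule."""
    findings = []
    owner = {}  # firewall id -> first hub that claimed it
    for hub, fw in hubs.items():
        if fw is None:
            findings.append(f"{hub}: no firewall; each hub needs its own")
        elif fw in owner:
            findings.append(f"{hub}: shares firewall {fw} with {owner[fw]}; "
                            "deployment will fail")
        else:
            owner[fw] = hub
    for route in routes:
        fw = hubs.get(route["hub"])
        # A custom route must point at the firewall of the hub it belongs to.
        if fw is None or route["next_hop"] != fw:
            findings.append(f"{route['hub']}/{route['name']}: next hop "
                            f"{route['next_hop']} is not this hub's own firewall")
    return findings


if __name__ == "__main__":
    for line in lint_hub_firewalls(SAMPLE_HUBS, SAMPLE_ROUTES):
        print(line)
```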
Client and User Support
Azure Virtual WAN User VPN (point-to-site) supports Azure VPN client, OpenVPN Client, or any IKEv2 client.
You'll need a minimum of Windows 10 client OS version 17763.0 or higher to use Azure VPN Client, and OpenVPN client(s) can support certificate-based authentication.
Microsoft-registered apps are supported on Virtual WAN, and you can migrate your User VPN from a manually registered app to a Microsoft-registered app for more secure connectivity.
You can connect to your resources in Azure over an IPsec/IKE (IKEv2) or OpenVPN connection, which requires a VPN client to be configured on the client computer.
User Support
The Azure Virtual WAN User VPN supports a variety of clients, including Azure VPN client, OpenVPN Client, and any IKEv2 client.
For Azure VPN client, Microsoft Entra authentication is supported, but you'll need a minimum of Windows 10 client OS version 17763.0 or higher.
If you choose to use the OpenVPN client, you can use certificate-based authentication, which gives you an .ovpn file to download to your device.
IKEv2 clients support both certificate and RADIUS authentication, making it a versatile option for users.
Client Support Capacity

When choosing a scale unit for your User VPN, it's essential to consider the client support capacity. With 1 scale unit, each gateway instance supports up to 500 concurrent connections.
To give you a better idea, here are the supported concurrent connections for different scale units:
For scale units greater than 20, each pair of highly available gateway instances supports up to 10,000 additional users.
Client Support
Azure Virtual WAN User VPN supports Azure VPN client, OpenVPN Client, or any IKEv2 client, making it a versatile option for users.
Microsoft Entra authentication is supported with Azure VPN Client, which is a convenient feature for users who already use Azure services.
A minimum of Windows 10 client OS version 17763.0 or higher is required to use Azure VPN Client, so be sure to update your client OS if necessary.
OpenVPN client(s) can support certificate-based authentication, which adds an extra layer of security for users.

IKEv2 supports both certificate and RADIUS authentication, giving users more options for secure connections.
Here's a summary of the supported clients:
- Azure VPN Client: Microsoft Entra authentication; requires Windows 10 client OS version 17763.0 or higher.
- OpenVPN Client: certificate-based authentication; an .ovpn file is downloaded to the device.
- Any IKEv2 client: certificate or RADIUS authentication.
By choosing the right client and authentication method, users can enjoy a secure and reliable connection to their Azure resources.
What Is a Branch
A branch is a separate section within a company's organizational structure, often responsible for a specific product or service. This can help companies adapt to changing market conditions and customer needs.
Think of a branch like a specialized team, focused on a particular area of expertise. For instance, a company might have a branch dedicated to supporting customers with technical issues.
In a client and user support context, a branch can be thought of as a subset of the overall support team, dealing with unique customer segments or product lines. This can be seen in the example of a company with multiple product lines, each with its own dedicated support branch.

A well-organized branch can provide more personalized support to customers, increasing satisfaction and loyalty. By being focused on a specific area, the support team can develop deeper knowledge and expertise.
In some cases, a branch might be a separate entity within the company, with its own management and resources. This can be seen in the example of a company that has spun off a separate branch for a new product line.
Effective communication between branches is crucial for seamless support experiences. This can be achieved through regular meetings and collaboration between teams.
By understanding what a branch is and how it functions, companies can better organize their support teams and provide more effective support to their customers.
Authentication and Authorization
Authentication and Authorization is a crucial aspect of Azure Virtual WAN. Microsoft-registered apps are supported on Virtual WAN.
For point-to-site connections, you can use Microsoft-registered apps with Microsoft Entra ID authentication for a more secure connectivity experience. This is a good option when migrating from manually registered apps.
Virtual WAN supports Microsoft-registered apps, making it easier to manage your connections. This feature allows for a more streamlined and secure experience.
You can migrate your User VPN from manually registered apps to Microsoft-registered apps for improved security. This is a recommended best practice for Virtual WAN users.
Gateway and Scale
Azure Virtual WAN's gateway and scale capabilities are impressive. A scale unit is a unit that defines an aggregate throughput of a gateway in Virtual hub.
Each scale unit of VPN is equivalent to 500 Mbps, while each scale unit of ExpressRoute is equivalent to 2 Gbps. This means that 10 scale units of VPN would imply 5 Gbps.
Virtual WAN supports up to 20-Gbps aggregate throughput for both VPN and ExpressRoute, making it suitable for large-scale deployments.
Gateway Scale Units
Gateway Scale Units are defined to pick an aggregate throughput of a gateway in Virtual hub. Each scale unit has a specific throughput value, with 1 scale unit of VPN equal to 500 Mbps and 1 scale unit of ExpressRoute equal to 2 Gbps.
For example, 10 scale units of VPN would imply 5 Gbps of aggregate throughput. Virtual WAN supports up to 20-Gbps aggregate throughput for both VPN and ExpressRoute.
A scale unit is a unit of measurement that helps determine the total throughput of a gateway. This is important for understanding how much data can be transferred through the gateway at any given time.
Recommended Address Space During Creation
When creating a Virtual WAN hub, it's essential to choose the right address space. The recommended Virtual WAN hub address space is /23.
A /23 address space is the minimum recommended size during hub creation. This allows for future flexibility and scalability.
Virtual WAN hubs can assign subnets to various gateways, including ExpressRoute, site-to-site VPN, point-to-site VPN, Azure Firewall, and Virtual hub Router.
The hub address space can be carved out for NVA instances, with a /28 typically assigned for single NVA deployments. For multiple NVA deployments, a /27 subnet might be assigned.
Considering these scenarios, it's best to plan ahead and choose a hub address space that can accommodate future needs.
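An added planning helper (not the page's or Microsoft's code) that applies the sizing rules from the two sections above: the per-scale-unit throughput with its 20 Gbps cap, the /23 minimum hub prefix, and the /28 or /27 NVA subnet. The overlap check against prefixes already in use and the sample address ranges are my assumptions, not something the page states.

```python
import ipaddress

# Scale-unit throughput and aggregate cap as stated above.
SCALE_UNIT_MBPS = {"vpn": 500, "expressroute": 2000}
MAX_AGGREGATE_MBPS = 20_000
RECOMMENDED_HUB_PREFIXLEN = 23  # /23 is the recommended minimum hub size


def aggregate_throughput_mbps(gateway_kind: str, scale_units: int) -> int:
    """Aggregate gateway throughput in Mbps; rejects sizes over the 20 Gbps cap."""
    if scale_units < 1:
        raise ValueError("scale units must be at least 1")
    mbps = SCALE_UNIT_MBPS[gateway_kind] * scale_units
    if mbps > MAX_AGGREGATE_MBPS:
        raise ValueError(f"{scale_units} {gateway_kind} scale units = {mbps} Mbps, "
                         f"over the {MAX_AGGREGATE_MBPS} Mbps aggregate limit")
    return mbps


def plan_hub_address_space(hub_cidr: str, nva_instances: int,
                           existing_prefixes: list) -> dict:
    """Validate a hub prefix and carve the NVA subnet out of it.

    Rules from the text: the hub should be /23 or larger; one NVA gets a /28,
    several NVA instances get a /27. Checking the hub against prefixes already
    in use (spokes, branches) is an added assumption, not stated on the page.
    """
    hub = ipaddress.ip_network(hub_cidr, strict=True)
    if hub.prefixlen > RECOMMENDED_HUB_PREFIXLEN:
        raise ValueError(f"{hub} is smaller than the recommended /23 hub space")
    for prefix in existing_prefixes:
        other = ipaddress.ip_network(prefix, strict=True)
        if hub.overlaps(other):
            raise ValueError(f"hub {hub} overlaps existing prefix {other}")
    plan = {"hub": str(hub), "nva_subnet": None, "free_addresses": hub.num_addresses}
    if nva_instances > 0:
        nva_prefixlen = 28 if nva_instances == 1 else 27
        # Take the first block of that size; the remainder stays available for
        # the gateway subnets (ExpressRoute, S2S, P2S, Firewall, hub router).
        nva_subnet = next(hub.subnets(new_prefix=nva_prefixlen))
        free = sum(n.num_addresses for n in hub.address_exclude(nva_subnet))
        plan.update(nva_subnet=str(nva_subnet), free_addresses=free)
    return plan


if __name__ == "__main__":
    # Constructed sample: a /23 hub checked against one existing spoke range.
    print(aggregate_throughput_mbps("vpn", 10))  # 5000
    print(plan_hub_address_space("10.100.0.0/23", 2, ["10.0.0.0/16"]))
```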
Direct Spokes
Direct Spokes are a key component of vWAN architecture, allowing remote locations and users to connect directly to a central hub in Azure.
This connection is facilitated by Azure vWAN, which enables automated VPN and ExpressRoute connections.
Direct Spokes offer enhanced network performance and security, making them suitable for greenfield environments and small brownfield deployments in the Azure cloud.
In these environments, Direct Spokes can be migrated to the "vHubs and direct vNET spokes" reference model, consolidating routing and security functionalities in vHubs.
This consolidation provides centralized monitoring and management through the Azure portal, streamlining network operations and management.
One Gateway
In a vNET, there can only be one Virtual Network Gateway (VGW), and it must be either a local or remote gateway in the peered virtual network.
A key consideration when designing a vNET is the need to minimize risk and comply with security policies, as was the case in a specific use scenario where Partners needed access to very specific resources in certain vNETs.
The solution to this problem involved deploying the VGW in the indirect Spoke to support Partner connectivity and comply with the security policy.
NVA vNETs (direct Spokes) cannot have their own VGW when connected to vWAN through a vNET connection, which makes deploying the VGW in the indirect Spoke the best option.
This approach ensures that Partners can access the resources they need while minimizing the risk of unauthorized access to the rest of the environment.
Partner and Automation
If you're looking to automate connectivity with Azure Virtual WAN, you're in luck because Virtual WAN partners can make this process a breeze. They can automate connectivity using software-defined connectivity solutions that manage branch devices with a controller or device provisioning center.
To automate connectivity, Virtual WAN partners use Azure APIs to upload branch information, download Azure configuration, set up IPsec tunnels into Azure Virtual hubs, and establish connectivity from the branch device to Azure Virtual WAN. This process is especially useful for large-scale deployments with hundreds of branches.
As long as your device supports IPsec IKEv1 or IKEv2, Virtual WAN partners can automate connectivity from the device to Azure VPN end points. This includes automating steps like branch information upload, IPsec configuration, and connectivity setup.
Unfortunately, if your device isn't from a Virtual WAN partner ecosystem, you'll need to manually take the Azure configuration and update your device to set up IPsec connectivity, which can be a more labor-intensive process.
SD-Devices and Connectivity
Virtual WAN partners automate IPsec connectivity to Azure VPN end points, making it easier to connect your SD-WAN devices.
If your SD-WAN provider is a Virtual WAN partner, the SD-WAN controller manages automation and IPsec connectivity to Azure VPN end points. This means you can focus on other tasks while the automation takes care of the setup.
To connect your SD-WAN device, you can deploy the SD-WAN end point in an Azure virtual network and coexist with Azure Virtual WAN. This allows you to use Azure Virtual WAN while still utilizing your SD-WAN device's proprietary functionality.
Virtual WAN supports BGP Peering, which enables you to connect your SD-WAN device to Azure Virtual WAN. Additionally, you can deploy NVAs into a virtual WAN hub for more advanced networking capabilities.
If your VPN/SD-WAN device provider isn't listed as a Virtual WAN partner, you can still set up a site-to-site connection using the step-by-step instructions in the Create a site-to-site connection using Virtual WAN article. This will allow you to connect your SD-WAN device to Azure Virtual WAN, albeit without the automation benefits of a partner device.
Gateway Reset and Maintenance
If your on-premises devices are working fine but the site-to-site VPN connection in Azure is disconnected, use the Gateway Reset button to reboot the instances in the VPN gateway in a sequential manner without disrupting your connections.
There will be a brief gap of less than a minute as connections move from one instance to the other, but it won't affect your Public IPs.
You'll need to configure a daily maintenance window for Virtual WAN customer-controlled gateway maintenance.
This maintenance window is required for site-to-site VPN gateways and ExpressRoute gateways in the Maintenance Configuration scope of Network Gateways.
For Virtual WAN, you can configure maintenance windows for these gateways.
Frequently Asked Questions
What is a VWAN in Azure?
A Virtual WAN (VWAN) in Azure is a cloud networking service that connects multiple locations and clouds, simplifying network management and reducing costs. It optimizes routing and traffic flow for improved reliability and efficiency.
What is the difference between Azure VWAN and peering?
Azure VNet peering connects two VNets for virtual machine communication, while Azure Virtual WAN provides large-scale site-to-site connectivity for high-throughput and scalability. In short, peering is for VNet-to-VNet connections, while Virtual WAN is for site-to-site connections.
What does Azure VM mean?
Azure Virtual Machines (VM) is a cloud computing service that allows you to deploy and manage virtual machines in the cloud. It provides a scalable and secure platform for running applications and services.
What is the difference between Azure Virtual WAN and VPN gateway?
Azure Virtual WAN is a more scalable solution than VPN gateway, supporting up to 1,000 branch connections and 20 Gbps throughput per hub. If you need large-scale VPN connections, Virtual WAN is the better choice.
How to create an Azure virtual WAN?
To create an Azure virtual WAN, navigate to the left menu, click "Create a resource" and search for Virtual WAN. Clicking on it will lead you to the creation process.
Sources
- https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-faq
- https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
- https://www.checkpoint.com/cyber-hub/cloud-security/what-is-azure-virtual-wan/
- https://docs.vmware.com/en/VMware-SD-WAN/6.0/VMware-SD-WAN-Administration-Guide/GUID-490E91CC-D180-4FA7-BAA0-BAD8EAB71957.html
- https://joanamanzano.com/azure-virtual-wan-vwan-lessons-learned/