Azure Virtual WAN
The Global Transit Hub
Simply Put...
Imagine your house is the main office (on-premises network) and you have many friends who live in different neighborhoods (spoke virtual networks). You want to be able to visit all your friends and have them visit you, but it's complicated to build a direct road to everyone's house. Instead, you decide to build a big, central roundabout (the Azure Virtual WAN hub) in the middle of the town. Now, everyone can easily get to the roundabout, and from there, they can go to any other friend's house or back to your house. The roundabout manages all the traffic, making it easy and safe for everyone to travel. You can even have a security guard (Azure Firewall) at the roundabout to make sure only friendly visitors are allowed. This way, everyone is connected, and it's much easier to manage than building and maintaining separate roads to every single house.
How it Works
The Azure Virtual WAN with Hub-Spoke Topology architecture uses a central Virtual WAN hub to connect various network components. On-premises networks connect to the hub through VPN or ExpressRoute gateways. Spoke virtual networks, which host workloads, are peered with the hub, allowing them to communicate with each other and with on-premises networks through the central hub. This creates a centralized connectivity model where the Virtual WAN hub acts as the single point of contact for all network traffic. Traffic from branch offices or remote users enters the Azure network through the Virtual WAN hub, which then routes it to the appropriate spoke virtual network or another connected site. For traffic between spokes, the Virtual WAN hub facilitates communication, eliminating the need for direct peering between spokes. This architecture simplifies network management and provides a scalable and secure way to connect distributed environments.
Scalability Superpowers
The Azure Virtual WAN and Hub-Spoke architecture offers significant scalability benefits. By using a managed service, it eliminates the operational overhead of managing a complex network infrastructure, allowing for easy scaling of network resources as the organization grows. The Standard Virtual WAN option supports higher throughputs and can be scaled to accommodate increased traffic demands. The architecture also allows for the easy addition of new spoke virtual networks, branches, and remote users without requiring a major redesign of the network. The global transit capabilities of Virtual WAN enable seamless connectivity across different regions, making it a highly scalable solution for global enterprises. This allows businesses to expand their operations to new locations while maintaining a unified and centrally managed network.
Key Parts
- Virtual WAN hub: The central point of connectivity in the hub-spoke topology, managed by Azure.
- Spoke virtual networks: Virtual networks that host workloads and are peered with the hub.
- VPN/ExpressRoute gateways: Connects the virtual network to the VPN device or ExpressRoute circuit.
- Secured virtual hub: A Virtual WAN hub with security and routing policies configured by Azure Firewall Manager.
- Virtual network peering: Used to connect the hub to each spoke.
Security Features
- 🛡️Centrally managed security: Azure Firewall can be integrated into the Virtual WAN hub to create a secured virtual hub. This allows for the central management of security policies and ensures that all traffic passing through the hub is inspected.
- 🛡️Threat protection: Azure Firewall provides threat intelligence-based filtering and can protect against common exploits and vulnerabilities.
- 🛡️Traffic filtering: You can create network and application-level filtering rules to control traffic between spokes, and between spokes and the internet.
- 🛡️DDoS Protection: Azure DDoS Protection can be enabled on the virtual networks to protect against distributed denial-of-service attacks.