What is Azure Virtual WAN?

Azure Virtual WAN is a networking service that provides optimized and automated branch-to-branch connectivity through Azure. Virtual WAN lets you connect and configure branch devices to communicate with Azure. This can be done either manually, or by using preferred partner devices through a Virtual WAN partner. See the Preferred partners article for details. Using preferred partner devices allows you ease of use, simplification of connectivity, and configuration management. The Azure WAN built-in dashboard provides instant troubleshooting insights that can help save you time, and gives you an easy way to view large-scale connectivity.

Virtual WAN diagram

This article provides a quick view into the network connectivity of your Azure and non-Azure workloads. Virtual WAN offers the following advantages:

  • Integrated connectivity solutions in hub and spoke: Automate Site-to-Site configuration and connectivity between on-premises sites and an Azure hub.
  • Automated spoke setup and configuration: Connect your virtual networks and workloads to the Azure hub seamlessly.
  • Intuitive troubleshooting: You can see the end-to-end flow within Azure and use this information to take required actions.

Site-to-site connections

To create a Site-to-Site connection using Virtual WAN, you can either go through a Virtual WAN partner, or create the connection manually.

Working with a Virtual WAN partner

When you work with a Virtual WAN partner, the process is:

  1. The branch device (VPN/SDWAN) controller is authenticated to export site-centric information into Azure by using an Azure Service Principal.
  2. The branch device (VPN/SDWAN) controller obtains the Azure connectivity configuration and updates the local device. This automates the configuration download, editing, and updating of the on-premises VPN device.
  3. Once the device has the right Azure configuration, a site-to-site connection (two active tunnels) is established to the Azure WAN. Azure supports both IKEv1 and IKEv2. BGP is optional.

If you don't want to use a preferred partner, you can configure the connection manually, see Create a Site-to-Site connection using Virtual WAN.

Point-to-site connections (Preview)

A Point-to-Site (P2S) connection lets you create a secure connection to your virtual hub from an individual client computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have only a few clients that need to connect.

To create the connection manually, see Create a point-to-site connection using Virtual WAN.

ExpressRoute connections (Preview)

To create the connection manually, see Create an ExpressRoute connection using Virtual WAN.

Virtual WAN resources

To configure an end-to-end virtual WAN, you create the following resources:

  • virtualWAN: The virtualWAN resource represents a virtual overlay of your Azure network and is a collection of multiple resources. It contains links to all your virtual hubs that you would like to have within the virtual WAN. Virtual WAN resources are isolated from each other and cannot contain a common hub. Virtual Hubs across Virtual WAN do not communicate with each other. The ‘Allow branch to branch traffic’ property enables traffic between VPN sites as well as VPN to ExpressRoute enabled Sites. Be aware that ExpressRoute in Azure Virtual WAN is currently in Preview.

  • Site: The site resource known as vpnsite represents your on-premises VPN device and its settings. By working with a Virtual WAN partner, you have a built-in solution to automatically export this information to Azure.

  • Hub: A virtual hub is a Microsoft-managed virtual network. The hub contains various service endpoints to enable connectivity from your on-premises network (vpnsite). The hub is the core of your network in a region. There can only be one hub per Azure region. When you create a hub using Azure portal, it creates a virtual hub VNet and a virtual hub vpngateway.

    A hub gateway is not the same as a virtual network gateway that you use for ExpressRoute and VPN Gateway. For example, when using Virtual WAN, you don't create a Site-to-Site connection from your on-premises site directly to your VNet. Instead, you create a Site-to-Site connection to the hub. The traffic always goes through the hub gateway. This means that your VNets do not need their own virtual network gateway. Virtual WAN lets your VNets take advantage of scaling easily through the virtual hub and the virtual hub gateway.

  • Hub virtual network connection: The Hub virtual network connection resource is used to connect the hub seamlessly to your virtual network. At this time, you can only connect to virtual networks that are within the same hub region.

  • Hub route table: You can create a virtual hub route and apply the route to the virtual hub route table. You can apply multiple routes to the virtual hub route table.

FAQ

What is the difference between an Azure virtual network gateway (VPN Gateway) and an Azure Virtual WAN vpngateway?

Virtual WAN provides large-scale site-to-site connectivity and is built for throughput, scalability, and ease of use. ExpressRoute and point-to-site connectivity functionality is currently under Preview. CPE branch devices auto-provision and connect into Azure Virtual WAN. These devices are available from a growing ecosystem of SD-WAN and VPN partners. See the Preferred Parner List.

Which device providers (Virtual WAN partners) are supported at launch time?

At this time, many partners support the fully automated Virtual WAN experience. For more information, see Virtual WAN partners.

What are the Virtual WAN partner automation steps?

For partner automation steps, see Virtual WAN partner automation.

Am I required to use a preferred partner device?

No. You can use any VPN-capable device that adheres to the Azure requirements for IKEv2/IKEv1 IPsec support.

How do Virtual WAN partners automate connectivity with Azure Virtual WAN?

Software-defined connectivity solutions typically manage their branch devices using a controller, or a device provisioning center. The controller can use Azure APIs to automate connectivity to the Azure Virtual WAN. For more information, see Virtual WAN partner automation.

Does Virtual WAN change any existing connectivity features?

There are no changes to existing Azure connectivity features.

Are there new Resource Manager resources available for Virtual WAN?

Yes, Virtual WAN introduces new Resource Manager resources. For more information, please see the Overview.

How many VPN devices can connect to a single Hub?

Up to 1000 connections are supported per virtual hub. Each connection consists of two tunnels that are in an active-active configuration. The tunnels terminate in an Azure Virtual Hub vpngateway.

Can the on-premises VPN device connect to multiple Hubs?

Yes. Traffic flow when commencing would be from the on-premises device to the closest Microsoft edge and then to the Virtual Hub.

Is Global VNet peering supported with Azure Virtual WAN?

No.

Can spoke VNets connected to a virtual hub communicate with each other?

Yes. You can directly do VNet peering between spokes that are connected to a virtual hub. For more information, see Virtual Network Peering.

Can I deploy and use my favorite network virtual appliance (in an NVA VNet) with Azure Virtual WAN?

Yes, you can connect your favorite network virtual appliance (NVA) VNet to the Azure Virtual WAN. First, connect the network virtual appliance VNet to the hub with a Hub Virtual Network connection. Then, create a Virtual Hub route with a next hop pointing to the Virtual Appliance. You can apply multiple routes to the Virtual Hub Route Table. Any spokes connected to the NVA VNet must additionally be connected to the virtual hub to ensure that the spoke VNet routes are propagated to on-premises systems.

Can an NVA VNet have a virtual network gateway?

No. The NVA VNet cannot have a virtual network gateway if it is connected to the virtual hub.

Is there support for BGP?

Yes, BGP is supported. To ensure that routes from an NVA VNet are advertised appropriately, spokes must disable BGP if they are connected to an NVA VNet, which in turn, is connected to a virtual hub. Additionally, connect the spoke VNets to the virtual hub to ensure spoke VNet routes are propagated to on-premises systems.

Can I direct traffic using UDR in the virtual hub?

Yes, you can direct traffic to a VNet using Virtual Hub Route Table.

Is there any licensing or pricing information for Virtual WAN?

Yes. See the Pricing page.

How do new partners that are not listed in your launch partner list get onboarded?

Send an email to azurevirtualwan@microsoft.com. An ideal partner is one that has a device that can be provisioned for IKEv1 or IKEv2 IPsec connectivity.

Is it possible to construct Azure Virtual WAN with a Resource Manager template?

A simple configuration of one Virtual WAN with one hub and one vpnsite can be created using an Azure Quick Start Template. Virtual WAN is primarily a REST or Portal driven service.

Is branch-to-branch connectivity allowed in Virtual WAN?

Yes, branch-to-branch connectivity is available in Virtual WAN for VPN and VPN to ExpressRoute. While VPN site-to-site is GA, ExpressRoute and point-to-site are currently in Preview.

Does Branch to Branch traffic traverse through the Azure Virtual WAN?

Yes.

How is Virtual WAN different from the existing Azure Virtual Network Gateway?

Virtual Network Gateway VPN is limited to 30 tunnels. For connections, you should use Virtual WAN for large-scale VPN. You can connect up to 1000 branch connections with 2 Gbps in the hub for all regions except the West Central region. For the West Central region, 20 Gbps is available. We will be rolling out 20 Gbps to additional regions in the future. A connection is an active-active tunnel from the on-premises VPN device to the virtual hub. You can have one hub per region, which means you can connect more than 1000 branches across hubs.

Does this Virtual WAN require ExpressRoute from each site?

No, the Virtual WAN does not require ExpressRoute from each site. It uses standard IPsec site-to-site connectivity via Internet links from the device to an Azure Virtual WAN hub. Your sites may be connected to a provider network using an ExpressRoute circuit. For Sites that are connected using ExpressRoute in Virtual Hub (Under Preview), sites can have branch to branch traffic flow between VPN and ExpressRoute.

Is there a network throughput limit when using Azure Virtual WAN?

Number of branches is limited to 1000 connections per hub/region and a total of 2 G in the hub. The exception is West Central US, which has a total of 20 Gbps. We will be rolling 20 Gbps out to other regions in the future.

Does Virtual WAN allow the on-premises device to utilize multiple ISPs in parallel or is it always a single VPN tunnel?

Yes, you can have active-active tunnels (2 tunnels = 1 Azure Virtual WAN connection) from a single branch depending on the branch device.

How is traffic routed on the Azure backbone?

The traffic follows the pattern: branch device ->ISP->Microsoft Edge->Microsoft DC->Microsoft edge->ISP->branch device

In this model, what do you need at each site? Just an internet connection?

Yes. An Internet connection and physical device, preferably from our integrated partners. You can optionally, manually manage the configuration and connectivity to Azure from your preferred device.

Next steps

View the Virtual WAN partners and locations page.