This article is a continuation of my previous article ‘Co-existence between Azure Virtual WAN and SD-WAN is shifting a gear in the digital transformation’.
Today let’s discuss how Azure Virtual WAN is getting closer to business, and how effectively a business can plan and transform its enterprise landscape into public and private cloud (hybrid cloud), which is another remarkable step in its digital transformation journey. Along the way we will also touch upon various use cases and the real benefits a business gets overall by adopting the Azure Virtual WAN solution.
This kind of transformation journey has somewhat changed the way in which value is created by a business, and extends to other customer-facing activities such as value monetization and value communication.
Below are the major outlines I will cover throughout this article:
- Traditional way of using Azure Virtual WAN and global transit network
- Using Azure Virtual WAN with multiple Azure regions through Azure Global Network
- Using Azure Virtual WAN with third party SDWAN or vCPE NVA devices
- Real benefits to Business while adopting the Azure Virtual WAN
Traditional way of using Azure Virtual WAN and global transit network:
You might have observed that AWS has released Transit Gateway, which simplifies network routing between VPCs and the customer’s on-premises network. Customers can use Transit Gateway to connect various VPCs with each other and with on-premises seamlessly, using optimal routing.
Microsoft has a similar approach with the Azure Hub-Spoke VNet model, where the hub VNet acts as the interface between on-premises and the spoke VNets in which the Prod and Non-Prod apps are hosted. The hub VNet also offers common services such as the security infrastructure (firewall, proxy, WAF, etc.), AD/DNS and foundation tools, so the hub VNet even acts as the internet gateway and provides perimeter security protection for the applications hosted in the spoke VNets.
Azure Virtual WAN is an even more simplified version of the Azure Hub-Spoke VNet model. It is more centralized, secure and well connected through the Azure backbone using the global transit network. The Azure Virtual WAN design architecture below describes how a business can connect seamlessly from its branch offices/remote sites to the enterprise applications hosted in spoke VNets (five spoke VNets are shown in the figure below).
Azure Virtual WAN acts as a central hub and offers optimized routing between on-premises headquarters/DCs, branch offices and spoke VNets, seamlessly and with appropriate security. Headquarters/DCs can still connect to the Azure backbone through ExpressRoute, whereas branch offices connect through site-to-site VPN; but now a branch office can reach the on-premises DC via Azure Virtual WAN without traversing the MPLS corporate network, and all branch offices can communicate with each other via Azure Virtual WAN. This use case covers only a single Azure region and the communication between the various business branch offices and data centers.
Using Azure Virtual WAN with multiple Azure regions through Azure Global Network:
A business is not restricted to any region or country and in fact has no boundary, and that is where Azure Virtual WAN plays an important role by utilizing Microsoft’s large Azure Global Network and its presence of PoPs/Edges. Now a business can connect to its closest available PoP/Edge with appropriate bandwidth and low latency. Approximately 130 PoP locations are available across the globe in various geographies. The KB below covers the current list of PoP/Edge availability:
The Azure Virtual WAN design architecture below describes how a business can connect to its closest PoP location; the PoP then communicates further through the Azure backbone with higher bandwidth and low latency. In this use case, if the business needs to access its hosted application in an Azure spoke VNet (let’s say VNet1) from a branch office, the communication flow will be as below:
Branch Office -> Site-to-Site VPN -> Closer PoPs/Edges -> Secure Virtual Hub 1 (Azure Region West US) -> Spoke VNet1
If the same enterprise application is accessed through the headquarters DC (for any reason), the communication flow will be as below:
Headquarters/DC -> ExpressRoute -> Closer PoPs/Edges -> Secure Virtual Hub 1 (Azure Region West US) -> Spoke VNet1
Another major improvement is for the Office 365 service, which can also be accessed through a closer available PoP/Edge but has a different and direct communication path, as below:
Branch Office -> Site-to-Site VPN -> Closer PoPs/Edges -> Office 365 service. Now, local break-out for the Office 365 service will also be available to the business.
Using Azure Virtual WAN with third party SDWAN or vCPE NVA devices:
The evolution of Azure Virtual WAN does not stop here. Microsoft offers SD-WAN services from a large number of SD-WAN vendors including Citrix, Cisco Meraki, Fortinet, Barracuda Networks, Check Point and others (the list is increasing day by day) as part of the overall Virtual WAN offering.
As per Microsoft, “Although Azure Virtual WAN itself is a Software Defined WAN (SD-WAN), it is also designed to enable seamless interconnection with the on-premises-based SD-WAN technologies and services. Many such services are offered by Microsoft Virtual WAN ecosystem and Azure Networking Managed Services partners (MSPs)”.
Businesses that are transforming their private MPLS WAN to SD-WAN now have options to interconnect their private SD-WAN with Azure Virtual WAN. Businesses can choose from these options:
Direct Interconnect Model: In this architecture model, the SD-WAN branch customer-premises equipment (CPE) device is connected directly to Virtual WAN hubs via an IPsec connection. The branch CPE device may also be connected to other branches via the private SD-WAN, or leverage Azure Virtual WAN for branch-to-branch connectivity.
Indirect Interconnect Model: In this architecture model, SD-WAN branch CPEs are connected indirectly (via a v-CPE NVA) to Virtual WAN hubs. An SD-WAN virtual CPE (v-CPE NVA) is deployed in one of the business’s VNets, and this v-CPE NVA is in turn connected to the Virtual WAN hub using IPsec. The virtual CPE acts as an SD-WAN gateway into Azure. Branches that need to access their applications/workloads in Azure will be able to access them via the v-CPE gateway.
Managed Hybrid WAN Model: In this architecture model, enterprises can leverage a managed SD-WAN service offered by a Managed Service Provider (MSP) partner. This model is similar to the direct or indirect models described earlier; however, the SD-WAN design, orchestration and operations are delivered by the SD-WAN provider. The architecture diagram below covers the managed hybrid virtual WAN model.
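The direct interconnect model above (branch CPE -> IPsec -> virtual hub -> spoke VNet1, the same path as the West US flow earlier), carried through as an added Az PowerShell example; this is not code from the article or from Microsoft, and the resource group, region, resource names, address spaces, Key Vault name and the branch public IP are assumed, constructed values.

```powershell
# Added example (not from the article): direct interconnect model with Az PowerShell.
# All names, prefixes and the branch IP (203.0.113.5, documentation range) are assumed.
$rg  = 'rg-vwan-demo'   # assumed resource group, already created
$loc = 'westus'         # matches "Secure Virtual Hub 1 (Azure Region West US)"

# 1. Virtual WAN. Standard SKU is what gives any-to-any (branch/VNet/hub) transit.
$vwan = New-AzVirtualWan -ResourceGroupName $rg -Name 'vwan-demo' `
          -Location $loc -VirtualWANType 'Standard'

# 2. Virtual hub in West US; a /24 is the smallest usable hub address space.
$hub = New-AzVirtualHub -ResourceGroupName $rg -Name 'hub-westus' `
         -VirtualWan $vwan -AddressPrefix '10.100.0.0/24' -Location $loc

# 3. Site-to-site VPN gateway inside the hub (one scale unit; size to branch bandwidth).
$gw = New-AzVpnGateway -ResourceGroupName $rg -Name 'vpngw-hub-westus' `
        -VirtualHubName $hub.Name -VpnGatewayScaleUnit 1

# 4. The branch office as a VPN site: the SD-WAN CPE public IP and its LAN prefix.
$site = New-AzVpnSite -ResourceGroupName $rg -Name 'branch-01' -Location $loc `
          -VirtualWan $vwan -IpAddress '203.0.113.5' `
          -AddressSpace @('192.168.10.0/24') `
          -DeviceVendor 'ExampleSdwanVendor' -DeviceModel 'vCPE' -LinkSpeedInMbps 100

# 5. IPsec connection hub <- branch. The pre-shared key is read from Key Vault
#    (assumed vault/secret names) so it never sits in the script; the CPE gets the same key.
$psk = Get-AzKeyVaultSecret -VaultName 'kv-vwan-demo' -Name 'branch-01-psk' -AsPlainText
$conn = New-AzVpnConnection -ResourceGroupName $rg -ParentResourceName $gw.Name `
          -Name 'conn-branch-01' -VpnSite $site `
          -SharedKey (ConvertTo-SecureString $psk -AsPlainText -Force)

# 6. Attach spoke VNet1 (workloads) to the hub. Branch prefixes and VNet prefixes are
#    exchanged by the hub automatically, so the branch reaches VNet1 via the hub.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet1-spoke'
New-AzVirtualHubVnetConnection -ResourceGroupName $rg -VirtualHubName $hub.Name `
          -Name 'hub-to-vnet1' -RemoteVirtualNetworkId $vnet.Id

# 7. Check the tunnel is Connected before moving the branch's traffic off MPLS.
#    For a secured hub, Azure Firewall is then placed in the hub and branch/VNet
#    traffic routed through it for central policy enforcement.
(Get-AzVpnConnection -ResourceGroupName $rg -ParentResourceName $gw.Name `
    -Name 'conn-branch-01').ConnectionStatus
```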
Real benefits to Business while adopting the Azure Virtual WAN:
As I explained in my previous article, the MPLS corporate WAN has its own challenges and limitations, but Azure Virtual WAN along with SD-WAN is on its way to addressing all of these and provides a large number of benefits to the business, including but not limited to:
- Optimized and seamlessly integrated connectivity solutions for branch-to-branch, branch-to-hub/spoke, branch-to-DC, hub-to-hub and hub-to-spoke
- Automated site-to-site configuration and connectivity between on-premises sites and an Azure hub
- Global reach through the Azure global transit network and its associated PoPs/Edges
- Automated spoke setup and configuration with optimal routing through VNet connections
- Centralized, secured policy enforcement and firewall protection
- On-demand high bandwidth with low latency
- Cost optimization
- Ready for quick deployment
- The capability to use partner SD-WAN devices
- Seamless and secured connectivity to Office 365
- An intuitive way of operational troubleshooting
For further insight, refer to my previous article “Co-existence between Azure Virtual WAN and SD-WAN is shifting a gear in the digital transformation” below:
Rajeev Ujjwal has more than 18 years of transformation delivery experience in cloud computing, infrastructure, directory services and cyber security with large global customers. He is a senior cloud consultant and has successfully delivered various kinds of global projects such as greenfield, consolidation, separation and migration.