Technology Blog


Tag Archives: SD-WAN

Microsoft Azure Virtual WAN – How it’s getting closer to Business!


This article continues my previous article ‘Co-existence between Azure Virtual WAN and SD-WAN is shifting a gear in the digital transformation’.

Today let’s discuss how Azure Virtual WAN is getting closer to business, and how effectively a business can plan and transform its enterprise landscape into a hybrid cloud (public and private), which is another remarkable step in its digital transformation journey. Along the way we will also touch on various use cases and the real benefits a business gets overall when adopting the Azure Virtual WAN solution.

This kind of transformation journey has changed the way in which a business creates value, and extends to other customer-facing activities such as value monetization and value communication.

Below are the major points I will cover throughout this article:

  • Traditional way of using Azure Virtual WAN and global transit network
  • Using Azure Virtual WAN with multiple Azure regions through Azure Global Network
  • Using Azure Virtual WAN with third party SD-WAN or vCPE NVA devices
  • Real benefits to Business while adopting the Azure Virtual WAN

Traditional way of using Azure Virtual WAN and global transit network:

You might have observed that AWS has released Transit Gateway, which simplifies network routing between VPCs and the customer’s on-premises network. With it, a customer can connect multiple VPCs to each other and to on-premises seamlessly, using optimal routing.

Microsoft has a similar approach in the Azure hub-spoke VNet model, where the hub VNet acts as the interface between on-premises and the spoke VNets in which production and non-production applications are hosted. The hub VNet also offers common services such as the security infrastructure (firewall, proxy, WAF etc.), AD/DNS and foundation tools, so the hub VNet also acts as the internet gateway and provides perimeter security for the applications hosted in the spoke VNets.

Azure Virtual WAN is an even more simplified version of the Azure hub-spoke VNet model. It is more centralized, secure and well connected through the Azure backbone, using a global transit network architecture. The Azure Virtual WAN design below shows how a business can connect seamlessly from its branch offices/remote sites to the enterprise applications hosted in spoke VNets (five spoke VNets are shown in the figure).

Azure Virtual WAN acts as a central hub and offers optimized routing between on-premises headquarters/DCs, branch offices and spoke VNets, with appropriate security. The headquarters/DC can still connect to the Azure backbone through ExpressRoute, and branch offices through Site-to-Site VPN, but now a branch office can reach the on-premises DC via Azure Virtual WAN without traversing the MPLS corporate network, and all branch offices can communicate with each other via the Virtual WAN hub. This use case covers a single Azure region and the communication between the business’s branch offices and data centers.

Figure-1: Azure Virtual WAN (Traditional)
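The security-relevant question in the hub design above is which flows actually traverse the firewall in the hub and which are routed directly between a branch, a spoke and the DC. The script below is an added example (not code from the original article or from Microsoft) that audits a hub’s effective route table for private prefixes that bypass the firewall. It models the route entries in the shape returned by `az network vhub get-effective-routes` (the `addressPrefixes`, `nextHopType` and `nextHops` fields); both route tables are constructed samples and the resource IDs in them are placeholders.

```python
"""Audit a Virtual WAN hub's effective routes for flows that bypass the firewall.

Added example, not code from the original article. The route dicts mimic the
fields Azure returns for hub effective routes (addressPrefixes, nextHopType,
nextHops); both tables below are constructed samples with placeholder IDs.
"""
import ipaddress

FIREWALL = "Azure Firewall"

# Constructed sample: hub where only Internet-bound traffic is sent to the
# firewall. Spoke and branch prefixes point straight at their VNet connection
# or the VPN gateway, so branch-to-spoke and spoke-to-spoke bypass the firewall.
ROUTES_OPEN_HUB = [
    {"addressPrefixes": ["10.1.0.0/16"], "nextHopType": "Virtual Network Connection",
     "nextHops": [".../hubVirtualNetworkConnections/spoke-vnet1"]},
    {"addressPrefixes": ["10.2.0.0/16"], "nextHopType": "Virtual Network Connection",
     "nextHops": [".../hubVirtualNetworkConnections/spoke-vnet2"]},
    {"addressPrefixes": ["192.168.10.0/24"], "nextHopType": "VPN_S2S_Gateway",
     "nextHops": [".../vpnGateways/hub1-vpngw"]},
    {"addressPrefixes": ["0.0.0.0/0"], "nextHopType": FIREWALL,
     "nextHops": [".../azureFirewalls/hub1-fw"]},
]

# Constructed sample: the same hub after private traffic is also steered
# through the firewall (a secured virtual hub). Every prefix now hands off to
# the firewall, which then forwards to the spoke or branch.
ROUTES_SECURED_HUB = [
    {"addressPrefixes": ["10.1.0.0/16", "10.2.0.0/16"], "nextHopType": FIREWALL,
     "nextHops": [".../azureFirewalls/hub1-fw"]},
    {"addressPrefixes": ["192.168.10.0/24"], "nextHopType": FIREWALL,
     "nextHops": [".../azureFirewalls/hub1-fw"]},
    {"addressPrefixes": ["0.0.0.0/0"], "nextHopType": FIREWALL,
     "nextHops": [".../azureFirewalls/hub1-fw"]},
]

# Prefixes the business considers private (spokes plus the branch site).
PRIVATE_PREFIXES = ["10.1.0.0/16", "10.2.0.0/16", "192.168.10.0/24"]


def lookup(routes, dst):
    """Longest-prefix match: return (network, route) for dst, or (None, None)."""
    ip = ipaddress.ip_address(dst)
    best_net, best_route = None, None
    for route in routes:
        for prefix in route["addressPrefixes"]:
            net = ipaddress.ip_network(prefix)
            if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_route = net, route
    return best_net, best_route


def next_hop_for(routes, dst):
    """Next-hop type the hub would use for a packet to dst (None if unroutable)."""
    _, route = lookup(routes, dst)
    return None if route is None else route["nextHopType"]


def firewall_bypasses(routes, private_prefixes):
    """Return (prefix, nextHopType) for every route that can carry traffic
    towards a private prefix without handing it to the firewall.

    Overlap is checked rather than equality so that an aggregate or a default
    route pointing at a VPN gateway is also reported.
    """
    private = [ipaddress.ip_network(p) for p in private_prefixes]
    findings = []
    for route in routes:
        if route["nextHopType"] == FIREWALL:
            continue
        for prefix in route["addressPrefixes"]:
            net = ipaddress.ip_network(prefix)
            if any(net.overlaps(p) for p in private):
                findings.append((prefix, route["nextHopType"]))
    return findings


if __name__ == "__main__":
    for name, table in (("open hub", ROUTES_OPEN_HUB), ("secured hub", ROUTES_SECURED_HUB)):
        print(f"{name}: branch->spoke2 next hop = {next_hop_for(table, '10.2.4.10')}")
        for prefix, hop in firewall_bypasses(table, PRIVATE_PREFIXES):
            print(f"  bypass: {prefix} via {hop}")
```

Run it against the real output of `az network vhub get-effective-routes` (saved as JSON and loaded into the same list shape) rather than the constructed tables: any prefix reported by `firewall_bypasses` is a branch-to-spoke or spoke-to-spoke path that never sees the firewall in the hub, which is exactly the perimeter gap the hub design is meant to close.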

Using Azure Virtual WAN with multiple Azure regions through Azure Global Network:

Business is not restricted to any region or country and has no boundaries, and that is where Azure Virtual WAN plays an important role, by utilizing Microsoft’s Azure global network, one of the largest in the world, and its PoP/edge presence. A business can now connect to its closest available PoP/edge with appropriate bandwidth and low latency. Approximately 130 PoP locations are available across the globe in various geographies. The Microsoft documentation below lists the currently available PoPs/edges:

The Azure Virtual WAN design below shows how a business connects to its closest PoP, and the PoP then communicates onwards over the Azure backbone with higher bandwidth and low latency. In this use case, if the business needs to access an application hosted in an Azure spoke VNet (say VNet1) from a branch office, the communication flow is:

Branch Office -> Site-to-Site VPN -> Closest PoP/Edge -> Secured Virtual Hub 1 (Azure Region West US) -> Spoke VNet1

If the same enterprise application is accessed from the headquarters/DC (for any reason), the communication flow is:

Headquarters/DC -> ExpressRoute -> Closest PoP/Edge -> Secured Virtual Hub 1 (Azure Region West US) -> Spoke VNet1

Another major improvement is for the Office 365 service, which can also be accessed through the closest available PoP/edge, but over a different, direct communication path:

Branch Office -> Site-to-Site VPN -> Closest PoP/Edge -> Office 365 service. The branch reaches Office 365 at the closest PoP/edge instead of backhauling through the corporate DC, so a local breakout for Office 365 is now also available to the business.

Figure-2: Azure Virtual WAN using Global Network (Evolving)

Using Azure Virtual WAN with third party SD-WAN or vCPE NVA devices:

The evolution of Azure Virtual WAN does not end here. Microsoft offers SD-WAN services from a large number of SD-WAN vendors, including Citrix, Cisco Meraki, Fortinet, Barracuda Networks, Check Point and others (the list is growing day by day), as part of the overall Virtual WAN offering.

As per Microsoft, “Although Azure Virtual WAN itself is a Software Defined WAN (SD-WAN), it is also designed to enable seamless interconnection with the on-premises-based SD-WAN technologies and services. Many such services are offered by Microsoft Virtual WAN ecosystem and Azure Networking Managed Services partners (MSPs)”.

Businesses that are transforming their private MPLS WAN to SD-WAN now have options to interconnect their private SD-WAN with Azure Virtual WAN. Businesses can choose from these options:

Direct Interconnect Model: In this model, the SD-WAN branch customer-premises equipment (CPE) device is connected directly to Virtual WAN hubs via an IPsec connection. The branch CPE may also be connected to other branches via the private SD-WAN, or leverage Azure Virtual WAN for branch-to-branch connectivity.

Indirect Interconnect Model: In this model, SD-WAN branch CPEs are connected indirectly (via a v-CPE NVA) to Virtual WAN hubs. An SD-WAN virtual CPE (v-CPE NVA) is deployed in one of the business’s VNets and is, in turn, connected to the Virtual WAN hub using IPsec. The virtual CPE acts as the SD-WAN gateway into Azure; branches that need to access their applications/workloads in Azure reach them via the v-CPE gateway.

Managed Hybrid WAN Model: In this model, enterprises leverage a managed SD-WAN service offered by a Managed Service Provider (MSP) partner. It is similar to the direct or indirect models described above, but the SD-WAN design, orchestration and operations are delivered by the SD-WAN provider. The architecture diagram below covers the managed hybrid Virtual WAN model.

Figure-3: Azure Virtual WAN with SD-WAN (Managed Hybrid Model)
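In both the direct and the indirect interconnect models above, the trust boundary between the SD-WAN and Azure is an IPsec tunnel whose strength depends entirely on the IKE/IPsec proposal negotiated by the CPE or v-CPE and the Virtual WAN VPN gateway. The script below is an added example (not code from the original article, Microsoft or any SD-WAN vendor) that audits such a proposal. It assumes the field names and algorithm identifiers Azure uses for a custom IPsec policy on a VPN connection (`ikeEncryption`, `ikeIntegrity`, `dhGroup`, `ipsecEncryption`, `ipsecIntegrity`, `pfsGroup`, `saLifeTimeSeconds`); the two policy dicts are constructed samples, and what counts as “weak” (DES/3DES, MD5/SHA-1, 768/1024-bit DH, no PFS) is the script’s own baseline.

```python
"""Audit the IKE/IPsec proposal of a Virtual WAN site-to-site connection.

Added example, not code from the original article. Field names and algorithm
identifiers follow Azure's custom IPsec policy for VPN connections; the two
policies below are constructed samples, not exported from a real connection.
"""

# Algorithms and groups the audit treats as unacceptable (script's own baseline).
WEAK_ENCRYPTION = {"None", "DES", "DES3"}
WEAK_INTEGRITY = {"MD5", "SHA1"}
WEAK_DH = {"None", "DHGroup1", "DHGroup2"}          # 768- and 1024-bit MODP
WEAK_PFS = {"None", "PFS1", "PFS2"}                  # no PFS, or 768/1024-bit PFS
MAX_SA_LIFETIME = 27000                              # Azure's default IPsec SA lifetime

# Constructed sample: the kind of legacy proposal many branch CPEs still ship with.
WEAK_POLICY = {
    "ikeEncryption": "DES3", "ikeIntegrity": "SHA1", "dhGroup": "DHGroup2",
    "ipsecEncryption": "AES128", "ipsecIntegrity": "SHA1", "pfsGroup": "None",
    "saLifeTimeSeconds": 86400,
}

# Constructed sample: a hardened proposal (AEAD for ESP, ECDH P-384, PFS on).
HARDENED_POLICY = {
    "ikeEncryption": "GCMAES256", "ikeIntegrity": "SHA384", "dhGroup": "ECP384",
    "ipsecEncryption": "GCMAES256", "ipsecIntegrity": "GCMAES256", "pfsGroup": "ECP384",
    "saLifeTimeSeconds": 27000,
}


def audit_ipsec_policy(policy):
    """Return a list of human-readable findings; an empty list means the
    proposal meets the baseline above."""
    findings = []

    def check(field, weak, advice):
        value = policy.get(field, "missing")
        if value == "missing" or value in weak:
            findings.append(f"{field}={value}: {advice}")

    check("ikeEncryption", WEAK_ENCRYPTION, "use AES256 or GCMAES256 for IKE")
    check("ikeIntegrity", WEAK_INTEGRITY, "use SHA256 or SHA384 for IKE")
    check("dhGroup", WEAK_DH, "use DHGroup14/DHGroup24 or ECP256/ECP384")
    check("ipsecEncryption", WEAK_ENCRYPTION, "use GCMAES256 (or AES256) for ESP")
    check("ipsecIntegrity", WEAK_INTEGRITY, "use GCMAES256 or SHA256 for ESP")
    check("pfsGroup", WEAK_PFS, "enable PFS with PFS14/PFS24 or ECP256/ECP384")

    # Azure requires the same GCM algorithm for ESP encryption and integrity
    # when an AEAD cipher is chosen; a mismatch is rejected at deployment time.
    enc, integ = policy.get("ipsecEncryption", ""), policy.get("ipsecIntegrity", "")
    if enc.startswith("GCMAES") and enc != integ:
        findings.append(f"ipsecIntegrity={integ}: must equal ipsecEncryption ({enc}) for GCM")

    lifetime = policy.get("saLifeTimeSeconds", MAX_SA_LIFETIME)
    if lifetime > MAX_SA_LIFETIME:
        findings.append(f"saLifeTimeSeconds={lifetime}: rekey at least every {MAX_SA_LIFETIME}s")
    return findings


def is_compliant(policy):
    return not audit_ipsec_policy(policy)


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        findings = audit_ipsec_policy(policy)
        print(f"{name}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for line in findings:
            print("  -", line)
```

The same seven fields are what you set when you attach a custom policy to a Virtual WAN VPN connection (in the CLI, `az network vpn-gateway connection ipsec-policy add`), so the audit can be run on the JSON of an existing connection before the SD-WAN vendor’s CPE template is approved. The GCM consistency check matters in practice: a CPE configured for `GCMAES256` encryption with `SHA256` integrity looks strong on paper but will not negotiate with the Azure side at all.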

Real benefits to Business while adopting the Azure Virtual WAN:

As I explained in my previous article, the MPLS corporate WAN has its own challenges and limitations. Azure Virtual WAN together with SD-WAN addresses these and provides a large number of benefits to business, including but not limited to:

  • Optimized and seamless integrated connectivity solutions for branch to branch, branch to hubs/spokes, branch to DC, hub to hub and hub to spokes
  • Automate site-to-site configuration and connectivity between on-premises sites and an Azure hub
  • A global reach through the Azure global transit network and its associated PoPs/edges
  • Automated spoke setup and configuration with optimal routing through VNet connections
  • Centralized secured policy enforcement and firewall protection
  • Provides on-demand high bandwidth with low latency
  • Cost optimizations
  • Ready for quick deployment
  • Offers the capability to use partner SD-WAN devices
  • Enables seamless and secured connectivity to Office 365
  • Intuitive way of operational troubleshooting

For further insight, refer to my previous article, “Co-existence between Azure Virtual WAN and SD-WAN is shifting a gear in the digital transformation”:

Co-existence between Azure Virtual WAN and SD-WAN is shifting a gear in the digital transformation

Rajeev Ujjwal has more than 18 years of transformation delivery experience in cloud computing, infrastructure, directory services and cyber security with large global customers. He is a senior cloud consultant and has successfully delivered various kinds of global projects such as greenfield, consolidation, separation and migration.

Co-existence between Azure Virtual WAN and SD-WAN is shifting a gear in the digital transformation


Last year in November, Microsoft released a new networking service named Azure Virtual WAN as generally available. It is an additional service over existing services such as ExpressRoute, Site-to-Site VPN, Point-to-Site VPN and a few more; these earlier services are responsible for connecting or extending the customer’s on-premises data centres or branch office network into the Azure public cloud.

It’s not only Microsoft: its major competitors Amazon and Google are bringing similar services (though not exactly the same) to market. AWS recently launched its Transit Gateway, which greatly simplifies routing between VPCs and the customer’s on-premises network, and Google Cloud Platform also allows private connectivity directly into its backbone.

Before we deep-dive further into Azure Virtual WAN, let’s go back a decade and discuss network connectivity.

Traditional MPLS and IPsec used as a corporate WAN:

Let’s shed some light on how widely MPLS together with IPsec VPN networks are/were deployed, particularly in large global enterprises. This was the standard approach for building an on-premises corporate WAN, where all customer data centres and branch offices are connected and access the business and infrastructure applications needed to operate the business; IPsec VPN was sometimes used as a backup service, and also to connect remote sites where MPLS was either too expensive or not feasible.

Not only that: given the physical constraints imposed by propagation time over large distances and the need to integrate multiple service providers (including multiple clouds) to cover global geographies, MPLS faces important operational challenges, including network congestion, packet delay variation, packet loss and even service outages.

The current huge demand for digital transformation and its modern applications such as IoT, machine learning, data science, analytics, VoIP calling, videoconferencing, streaming media and virtualized applications requires low latency. Bandwidth requirements are also increasing, especially for applications featuring high-definition video, and with the sudden spike in data growth. It can be expensive and difficult to expand the capacity of an MPLS corporate WAN, with corresponding difficulties in network management and troubleshooting.

The role and importance of cloud exchange providers:

When connecting to public clouds, a customer has to depend on a cloud exchange provider to establish connectivity between the on-premises MPLS network and the public cloud VNet/VPC; in this scenario, latency becomes a challenge for branch offices/remote sites that need to reach applications in the public cloud. At the same time, data centre connectivity was seamless (via ExpressRoute/Direct Connect) and allowed the business to migrate its applications into the cloud and access them there.

In the meantime, many players emerged offering on-demand global interconnectivity, becoming network hubs that reach/connect most public and private clouds along with on-premises data centres, and even terminate these connections into the corporate MPLS network. A business could now migrate/host its applications according to its own choice, flexibility and needs. It was the time when a customer could host/migrate enterprise applications across multiple cloud service providers and create a seamless hybrid cloud platform, but the real business challenges of latency, cost and more for accessing cloud applications from remote sites/branch offices were still present.

Another evolution and revolution in the network landscape:

On the other side, as cloud computing and mobile devices have transformed the modern digital workplace, digital transformation is now driving a major shift in the networking landscape. Cloud computing established the “as a service” terminology several years back, and that has become mature and a reality in today’s business.

In the current digital transformation era, dynamic (on-demand) provisioning and scaling of network capacity and slicing of network resources are now more aligned with, and satisfy, current enterprise needs. Just as automation has gained presence in the cloud, Network-as-a-Service (NaaS) has evolved into a new phase and become a potent technology in a very short period of time.

Virtualized network functions (VNFs) as software-based services, software-defined networking, network-as-a-service and 5G/edge computing are the emerging trends in network services, and they are adding another revolutionary mark to the digital transformation industry. Along the same line as the software-defined networking revolution, SD-WAN has emerged and become a new digital transformation pillar that addresses the limitations and challenges of traditional MPLS.

SD-WAN simplifies the management and operation of a traditional corporate WAN by decoupling the networking hardware from its control mechanism. This concept is similar to how software-defined networking uses virtualization technology to improve data centre management and operation.

A key application of SD-WAN is to allow organizations to build higher-performance WANs using lower-cost, commercially available Internet access, enabling businesses to partially or wholly replace more expensive corporate WAN connection technologies such as MPLS.

As per research firm Gartner’s prediction in 2018, by 2023 more than 90 percent of WAN edge infrastructure refresh initiatives will be based on virtualized customer premises equipment (vCPE) platforms or SD-WAN software/appliances.

Azure Virtual WAN goes hand in hand with partners’ SD-WAN/vCPE NVAs:

We are now entering a new, emerging model that takes cloud connectivity to the next level, where the cloud is moving closer to the business and, on the other side, the business is moving closer to the cloud. So we foresee a gear shift where the existing MPLS WAN is transformed into an SD-WAN based network. In parallel, as you might have observed, all major cloud service providers are building their own global network presence.

Microsoft, Google and Amazon are rapidly increasing their global network reach and have created their own global network backbones with a large number of PoP/edge locations across the globe, very close to business enterprises. In other words, we will eventually see a compelling alternative to traditional MPLS providers, where the connectivity is served directly to the business by the cloud service provider. This kind of transition has already been witnessed with AWS, which now allows companies to run AWS infrastructure in their own private data centers.

Microsoft brought Azure Virtual WAN, a WAN-centric service, to market last year. It brings many networking (utilizing existing services such as ExpressRoute/Site-to-Site VPN), security and routing functionalities together to provide a single operational interface. These functionalities include branch connectivity (via connectivity automation from Virtual WAN partner devices such as SD-WAN or VPN CPEs), Site-to-Site VPN connectivity, remote user VPN (Point-to-Site) connectivity, private (ExpressRoute) connectivity, intra-cloud connectivity (transitive connectivity for virtual networks), VPN-to-ExpressRoute inter-connectivity, routing, Azure Firewall, and encryption for private connectivity.


Initially you might not need all of these functionalities to start using Virtual WAN. You can simply get started with one or two, and then adjust your network further as it evolves. The Virtual WAN architecture is a hub-and-spoke architecture with scale and performance built in for branches (VPN/SD-WAN devices), users (Azure VPN/OpenVPN/IKEv2 clients), ExpressRoute circuits and virtual networks. It enables a global transit network architecture, where the cloud-hosted network ‘hub’ enables transitive connectivity between endpoints that may be distributed across different types of ‘spokes’.

The key promise of Virtual WAN is the potential for API-based integration with various SD-WAN solutions (from third parties such as Cisco Meraki, Citrix, Fortinet, Barracuda Networks, Check Point etc.), which allows the encrypted tunnel creation process to be automated. A branch office would connect to its nearest PoP, and this would automatically allow the branch to communicate with the rest of the global WAN.

For further technical details on Azure Virtual WAN design and architecture, refer to the article below:

Microsoft Azure Virtual WAN – How it’s getting closer to Business!

