Design 32: Enterprise Connectivity (Virtual WAN)

Summary

This design implements Azure Virtual WAN (vWAN). This is the evolution of Hub & Spoke. Instead of managing a Hub VNet yourself, Microsoft manages it for you.

Topology: vWAN Hub is the center. All Spoke VNets connect to the vWAN Hub.

1. Key Design Decisions (ADR)

ADR-01: Architecture

  • Decision: Use Virtual WAN Standard.
  • Rationale: Supports Hub-to-Hub routing (Global Transit) and terminates ExpressRoute, VPN and SD-WAN connections in a single managed hub.

ADR-02: Security

  • Decision: Secured Virtual Hub.
  • Rationale: Deploys Azure Firewall inside the vWAN Hub automatically.

2. High-Level Design (HLD)

                                  INTERNET
                                     |
                                     v
                           +--------------------+
                           |  Azure Virtual WAN |
                           |  (Global Mesh)     |
                           +---------+----------+
                                     |
                  /------------------+------------------\
                  |                                     |
                  v                                     v
        +------------------+                  +------------------+
        | vWAN HUB (East)  |                  | vWAN HUB (West)  |
        | [Azure Firewall] |<---------------->| [Azure Firewall] |
        | [VPN Gateway]    |    Global        | [VPN Gateway]    |
        +------------------+    Transit       +------------------+
                  |                                     |
        +------------------+                  +------------------+
        |  SPOKE VNet      |                  |  SPOKE VNet      |
        |  (Workload)      |                  |  (DR Workload)   |
        +------------------+                  +------------------+

3. Low-Level Design (LLD)

                               PRIMARY REGION (East US)
+-----------------------------------------------------------------------+
| Virtual WAN: vwan-global                                              |
|                                                                       |
|   +---------------------------------------------------------------+   |
|   | Virtual Hub: vhub-east                                        |   |
|   | Address: 10.0.0.0/24                                          |   |
|   | [Azure Firewall]                                              |   |
|   | [VPN Gateway]                                                 |   |
|   +-----------|---------------------------------------------------+   |
|               |                                                       |
|               v (Connection)                                          |
+---------------|-------------------------------------------------------+
                |
+---------------|-------------------------------------------------------+
| SPOKE VNet: vnet-spoke-east (10.1.0.0/16)                             |
|   +-----------------------+                                           |
|   | Subnet: Workload      |                                           |
|   | [VM]                  |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

                               SECONDARY REGION (West US)
+-----------------------------------------------------------------------+
|   +---------------------------------------------------------------+   |
|   | Virtual Hub: vhub-west                                        |   |
|   | Address: 10.2.0.0/24                                          |   |
|   | [Azure Firewall]                                              |   |
|   +-----------|---------------------------------------------------+   |
|               |                                                       |
|               v (Connection)                                          |
+---------------|-------------------------------------------------------+
| SPOKE VNet: vnet-spoke-west (10.3.0.0/16)                             |
+-----------------------------------------------------------------------+

4. Component Rationale

  • Virtual Hub: A Microsoft-managed VNet. You cannot create subnets in it. You just "turn on" services (VPN, Firewall).

5. Strategy: High Availability (HA)

  • SLA: 99.95%.
  • Redundancy: Hubs are Zone Redundant by default in supported regions.

6. Strategy: Disaster Recovery (DR)

  • Implementation: Multi-Hub.
  • Process: Deploy a Hub in East and a Hub in West. Connect them. If East Hub fails, you can route traffic via West (though latency increases).

7. Strategy: Backup

  • Config: vWAN configuration is complex. Define it in IaC (Terraform/Bicep) so the configuration is versioned and can be redeployed.

8. Strategy: Security

  • Firewall Manager: Central policy management for all Firewalls in all Hubs.
  • Encryption: VPN/ExpressRoute encryption.

9. Well-Architected Framework Analysis

  • Reliability: High.
  • Security: High.
  • Cost Optimization: Low. Expensive. Hub cost + VPN cost + Firewall cost.
  • Operational Excellence: Excellent. Simplifies routing. No UDRs needed (mostly).
  • Performance Efficiency: High. Any-to-Any connectivity.

10. Detailed Traffic Flow

1. Spoke East: VM sends packet to Spoke West.

2. Hub East: Packet enters East Hub.

3. Firewall: Inspected by East Firewall.

4. Backbone: Routed across Azure Backbone to West Hub.

5. Hub West: Packet enters West Hub.

6. Spoke West: Delivered to destination VM.

11. Runbook: Deployment Guide (Azure Portal)

Phase 1: Create Virtual WAN

1. Search: "Virtual WANs" -> + Create.

2. Resource Group: rg-vwan-global.

3. Name: vwan-corp-global.

4. Type: Standard (Required for Hub-to-Hub).

5. Create.

Phase 2: Create Virtual Hub (East US)

1. Go to vwan-corp-global -> Hubs (Left Menu) -> + New Hub.

2. Region: East US.

3. Name: vhub-east.

4. Hub private address space: 10.0.0.0/24 (Minimum /24).

5. Virtual Hub Capacity: 2 Routing Infrastructure Units.

6. Site-to-site VPN: Yes (Optional, select Gateway Scale Unit 1).

7. Azure Firewall: Enabled (This makes it a Secured Hub).

8. Create.

  • Warning: Hub deployment takes 30-45 minutes.

Phase 3: Connect Spoke VNet

1. Prerequisite: Create a VNet vnet-spoke-east (10.1.0.0/16) in East US.

2. Go to vwan-corp-global -> Virtual network connections -> + Add connection.

3. Connection name: conn-spoke-east.

4. Hubs: vhub-east.

5. Subscription: Yours.

6. Resource Group: rg-spoke-east.

7. Virtual network: vnet-spoke-east.

8. Propagate to none: No (Default).

9. Create.
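The following Bicep template is an added example and is not part of this design document or of any Microsoft sample. It renders Phases 1-3 and Phase 5 of the runbook, plus the "Inspected by East Firewall" step of section 10, as infrastructure-as-code, which is the backup approach section 7 recommends. Assumptions not taken from the design: the API version (2023-09-01), the firewall, firewall policy and routing-intent resource names, and that the two spoke VNets (vnet-spoke-east, vnet-spoke-west) already exist and are passed in by resource ID.

```bicep
// Added example, not code from the design document. Deploys vwan-corp-global,
// the two secured hubs and the spoke connections into rg-vwan-global.
// Assumed (not in the design): API version 2023-09-01, the firewall, policy and
// routing-intent names, and that the spoke VNets already exist.
targetScope = 'resourceGroup'

@description('Hubs to deploy; names, regions and prefixes follow the LLD (Phases 2 and 5).')
param hubs array = [
  { name: 'vhub-east', location: 'eastus', addressPrefix: '10.0.0.0/24' }
  { name: 'vhub-west', location: 'westus', addressPrefix: '10.2.0.0/24' }
]

@description('Resource IDs of the existing spoke VNets, in the same order as hubs (vnet-spoke-east, vnet-spoke-west).')
param spokeVnetIds array

// Phase 1: the Virtual WAN. Standard type is required for hub-to-hub (Global Transit), ADR-01.
resource vwan 'Microsoft.Network/virtualWans@2023-09-01' = {
  name: 'vwan-corp-global'
  location: hubs[0].location
  properties: {
    type: 'Standard'
    allowBranchToBranchTraffic: true
  }
}

// Section 8: one Firewall Policy, managed centrally, attached to the firewall in every hub.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-09-01' = {
  name: 'fwpol-corp-global'   // assumed name
  location: hubs[0].location
  properties: {
    sku: { tier: 'Standard' }
    threatIntelMode: 'Alert'
  }
}

// Phase 2 / Phase 5: one Virtual Hub per region (minimum /24, 2 routing infrastructure units).
// vWAN connects the hubs to each other automatically (Phase 5 step 2); no resource is needed for that.
resource hub 'Microsoft.Network/virtualHubs@2023-09-01' = [for h in hubs: {
  name: h.name
  location: h.location
  properties: {
    addressPrefix: h.addressPrefix
    virtualWan: { id: vwan.id }
    virtualRouterAutoScaleConfiguration: { minCapacity: 2 }
  }
}]

// Phase 2 step 7 / ADR-02: an Azure Firewall inside the hub makes it a Secured Hub.
resource firewall 'Microsoft.Network/azureFirewalls@2023-09-01' = [for (h, i) in hubs: {
  name: 'azfw-${h.name}'   // assumed name
  location: h.location
  properties: {
    sku: { name: 'AZFW_Hub', tier: 'Standard' }
    virtualHub: { id: hub[i].id }
    hubIPAddresses: { publicIPs: { count: 1 } }
    firewallPolicy: { id: fwPolicy.id }
  }
}]

// Routing intent steers private (spoke/branch) and Internet-bound traffic through the hub
// firewall. This is what makes step 3 of the traffic flow ("Inspected by East Firewall")
// happen without UDRs in the spokes.
resource routingIntent 'Microsoft.Network/virtualHubs/routingIntent@2023-09-01' = [for (h, i) in hubs: {
  parent: hub[i]
  name: 'hubRoutingIntent'   // assumed name
  properties: {
    routingPolicies: [
      { name: 'PrivateTraffic', destinations: [ 'PrivateTraffic' ], nextHop: firewall[i].id }
      { name: 'PublicTraffic', destinations: [ 'Internet' ], nextHop: firewall[i].id }
    ]
  }
}]

// Phase 3: connect each spoke VNet to its regional hub. Propagating to the default route
// table is the "Propagate to none: No" setting of step 8.
resource spokeConnection 'Microsoft.Network/virtualHubs/hubVirtualNetworkConnections@2023-09-01' = [for (h, i) in hubs: {
  parent: hub[i]
  name: 'conn-spoke-${replace(h.name, 'vhub-', '')}'   // conn-spoke-east, conn-spoke-west
  properties: {
    remoteVirtualNetwork: { id: spokeVnetIds[i] }
    enableInternetSecurity: true
    routingConfiguration: {
      associatedRouteTable: { id: '${hub[i].id}/hubRouteTables/defaultRouteTable' }
      propagatedRouteTables: {
        ids: [ { id: '${hub[i].id}/hubRouteTables/defaultRouteTable' } ]
        labels: [ 'default' ]
      }
    }
  }
  dependsOn: [ routingIntent[i] ]
}]
```

Deploy it with `az deployment group create --resource-group rg-vwan-global --template-file vwan.bicep --parameters spokeVnetIds='["<vnet-spoke-east id>","<vnet-spoke-west id>"]'`; expect the hub and firewall creation to take the 30-45 minutes noted in Phase 2. Phase 4 can then be checked from the CLI rather than the portal with `az network vhub get-effective-routes --resource-group rg-vwan-global --name vhub-east --resource-type RouteTable --resource-id "<defaultRouteTable id>"`, which should list 10.1.0.0/16 with next hop type Virtual Network Connection. Keeping the template in source control is what turns section 7's "backup" into a redeployable record of the design.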

Phase 4: Verify Routing

1. Go to Hubs -> vhub-east -> Routing -> Effective Routes.

2. Route Table: Default.

3. View.

4. You should see 10.1.0.0/16 (Spoke) listed with Next Hop as Virtual Network Connection.

5. If you have a VPN connected, you will see On-Prem routes too.

Phase 5: Create West Hub (Optional for DR)

1. Repeat Phase 2 for vhub-west in West US (10.2.0.0/24).

2. vWAN automatically connects the two hubs (Global Mesh).