In the past few months we’ve added several new features to Azure Virtual WAN that customers can use to greatly simplify routing design and management in Azure, and to secure traffic. Before we introduce these new features, let’s take another look at what Azure Virtual WAN is.

Azure Virtual WAN is a unified hub-and-spoke architecture that provides Network-as-a-Service (NaaS) for connectivity, security and routing over the Microsoft global backbone. Customers transforming their networks by migrating to Azure, or running hybrid deployments split between Azure and their traditional data centers or on-premises networks, use Azure Virtual WAN for scalability, ease of deployment, reduced IT cost, low latency, transit capabilities, high performance and advanced routing.

Customers design networks for their services by defining their requirements along three design aspects, connectivity, security and routing, and then composing the key functions that Azure Virtual WAN brings together, as shown in the figure below.

Customers build a network for their services by defining requirements based on 3 design aspects - connectivity, security and routing

Today we’re announcing new features that customers can leverage when applicable to their scenarios.

New partner solutions integrated in Azure Virtual WAN

We are pleased to announce that two new partners have been integrated into Azure Virtual WAN.


  • Fortinet FortiGate is the first dual-role SD-WAN and security-enabled Network Virtual Appliance (NVA) natively integrated with the Azure Virtual WAN hub. The end-to-end experience and the lifecycle management of FortiGate NVAs in Azure are vastly improved by this integration.

    Customers can choose from a carefully compiled menu of configurations and throughputs and deploy and configure FortiGate in Azure with a few clicks. You no longer have to set up load balancers and custom routing yourself, or pick the right virtual machine sizes and network settings. With a few clicks in a managed application, and a few settings in the Azure Virtual WAN portal for our new routing model (routing intent and routing policies), you can direct traffic from your on-premises and virtual networks to a FortiGate Next-Generation Firewall (NGFW) hosted in the Azure Virtual WAN hub for inspection.

    Customers can also rest assured that Azure Virtual WAN and FortiGate are built for high availability and resilience so you can focus on running your business. Read more about the Fortinet FortiGate integration.

  • Versa SASE: by integrating with the Azure Virtual WAN hub, customers can combine best-in-class SD-WAN capabilities with the any-to-any routing of Azure Virtual WAN, all in one place for easy configuration and deployment. With this integration, customers can deploy Versa in the virtual hub as a central point of connectivity in Azure and use Microsoft's backbone while combining Versa's network, security and application awareness. Read more about the Versa SASE integration.

Branch Connectivity (Site-to-Site VPN)

The following features are now available for configuring connectivity from on-premises sites (branch offices) to the site-to-site VPN gateway in a virtual hub.

Custom traffic selectors

Customers using a policy-based VPN can now set custom traffic selectors on the VPN gateway in the virtual hub, so that the address ranges negotiated for each site-to-site connection are predefined and consistent. Custom traffic selectors let you specify exact, wide or narrow traffic selectors that the VPN gateway proposes or accepts during Internet Key Exchange (IKE) negotiation. Because a policy-based peer only brings up an IPsec security association for the traffic selector pairs both sides agree on, the selectors configured here must match, or be narrower than, the ones configured on the on-premises device; a mismatch shows up as a failed Phase 2 (CHILD_SA) negotiation rather than as a routing problem.

Diagram: custom traffic selectors make it possible to specify exact, wide or narrow traffic selectors that the VPN gateway proposes or accepts

Packet capture

Connectivity and performance issues are often complex, and isolating the cause alone can take a lot of time and effort. Packet capture on the Azure Virtual WAN VPN gateway records packets across all connections of the gateway for a holistic view, so you can tell whether the problem lies in the on-premises network, in Azure, or somewhere in between. The filter function lets you narrow the capture to specific behaviors, packet types, protocols, and source and destination subnets, so the problem can be resolved efficiently. The capture is written to a storage container you provide, so treat that container and its access URL as you would any network evidence.

The New Packet Capture button is highlighted on the site-to-site (VPN) blade in a virtual WAN hub

The options with which a user can filter their packets within a packet capture operation are displayed
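As an added example (not from the original post or the Azure documentation), the capture described above driven from Azure PowerShell: only TCP SYNs from one branch prefix to one spoke prefix are recorded, which is enough to see whether connection attempts reach the gateway over the tunnel at all. Resource names, prefixes and the SAS URL are placeholders; the cmdlets are Start-AzVpnGatewayPacketCapture and Stop-AzVpnGatewayPacketCapture from Az.Network, and the filter follows the JSON schema those cmdlets accept.

```powershell
# Added example, not code from the original post. Names and prefixes are assumed.
$rgName      = 'rg-vwan-prod'       # assumed resource group
$gatewayName = 'vpngw-hub-weu'      # assumed Virtual WAN site-to-site VPN gateway

# Capture filter in the JSON schema the gateway expects.
# TracingFlags is a bitmask of ESP (1), IKE (2) and OVPN (8); 11 keeps all three.
# Protocol is the IP protocol number; TcpFlags 2 matches SYN only.
$filter = @{
    TracingFlags        = 11
    MaxPacketBufferSize = 120   # bytes kept per packet; headers are enough here
    MaxFileSize         = 200   # MB; the capture stops by itself at this size
    Filters             = @(
        @{
            SourceSubnets      = @('10.20.0.0/16')   # assumed branch prefix
            DestinationSubnets = @('10.1.0.0/16')    # assumed spoke prefix
            DestinationPort    = @(443)
            Protocol           = 6
            TcpFlags           = 2
            CaptureSingleDirectionTrafficOnly = $true
        }
    )
} | ConvertTo-Json -Depth 5

Start-AzVpnGatewayPacketCapture -ResourceGroupName $rgName -Name $gatewayName -FilterData $filter

# Reproduce the failing connection from the branch, then stop the capture.
# Stop writes the .pcap to the blob container behind the SAS URL, which needs
# write permission; scope that SAS to the one container and give it a short expiry.
$sasUrl = 'https://<storageaccount>.blob.core.windows.net/<container>?<sas-token>'
Stop-AzVpnGatewayPacketCapture -ResourceGroupName $rgName -Name $gatewayName -SasUrl $sasUrl
```

If the SYNs appear in the capture but no SYN-ACKs come back, the problem is on the Azure side of the tunnel (spoke NSG, firewall or route); if they never appear, look at the branch device and its traffic selectors first.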

Remote user connectivity (point-to-site VPN)

The resources that customers host in Azure or on-premises are made available to their remote users over Azure Virtual WAN using IPsec/IKEv2 or OpenVPN-based connectivity to the point-to-site VPN gateway in the virtual hub. The design for user authentication is now more flexible with the new feature below.

Remote or local RADIUS servers

Users connecting to the virtual hub can now be authenticated during VPN connection setup by RADIUS servers located on-premises or in a remote spoke virtual network (one reachable through Virtual WAN rather than connected directly to that hub). Until now, only RADIUS servers deployed in a virtual network directly connected to the virtual hub could authenticate users of that hub.

This feature simplifies RADIUS deployments, reduces administrative overhead, and opens up high-availability designs that spread RADIUS servers across Azure regions, or across Azure and on-premises. Whatever the placement, the path from the point-to-site gateway to the RADIUS server (UDP 1812 for authentication) must be routable and allowed by any firewall in between. This feature will be available in early 2022.

This shows how this simplifies RADIUS deployments and reduces administrative overhead

Advanced routing

The following are the new routing features of a virtual hub.

Hub-to-hub preference over ExpressRoute (gated preview)

In some Azure Virtual WAN scenarios, customers connect their on-premises environment to Azure over an ExpressRoute circuit that is linked to multiple hubs. When VNet-to-VNet traffic flows between virtual networks connected to different hubs, it traverses the multi-tenant Microsoft Enterprise Edge (MSEE) routers in the Microsoft points of presence (PoPs) where the ExpressRoute circuit terminates.

If customers enable the new feature for their Virtual WAN, the same traffic takes the optimal path directly between the hubs over the Microsoft backbone and sees lower latency. The new path is shown in the diagram with blue arrows. This will become the default behavior once the feature is generally available.

Diagram: VNet-to-VNet traffic between hubs over the ExpressRoute MSEE path versus the new direct hub-to-hub path (blue arrows)

To access the preview, contact previewpreferh2h@microsoft.com with your Virtual WAN ID, Subscription ID, and Azure Region.

BGP peering with Azure Virtual WAN Hub (gated preview)

Companies using Azure in a hybrid model often have SD-WAN appliances on-premises that connect to compatible Network Virtual Appliances (NVAs) in spoke virtual networks of a Virtual WAN. In such scenarios the NVAs act as the gateways into Azure for the on-premises networks, and routing information between the two sides is exchanged using the Border Gateway Protocol (BGP). Until now, customers connected the NVA to the virtual hub with static routes in order to reach services in virtual networks connected to the hub and to reach their on-premises locations connected to the hub via ExpressRoute.

With the BGP endpoint in the virtual hub, routing information can now be exchanged between the NVA and the virtual hub via BGP. This removes the need for complex static route configuration between the NVA and the hub. Changes in the on-premises networks, which previously required manual updates of those static routes, are now advertised dynamically from the NVA to the hub over BGP, which further simplifies maintenance. Because the hub now installs whatever the NVA advertises, the NVA's outbound route policy (prefix filtering and limits) becomes part of the hub's routing security and deserves the same review as the static routes it replaces.

BGP peering with Virtual WAN Hub
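As an added example (not from the original post), the peering described above set up from Azure PowerShell. The hub side always speaks eBGP from ASN 65515, so the NVA needs its own, different private ASN, and since the hub router addresses are not on-link from the spoke the NVA side must be configured for multihop. Names and addresses are placeholders; the cmdlets are Get-AzVirtualHubVnetConnection, New-AzVHubBgpConnection and Get-AzVirtualHub from Az.Network, with the parameter names used at the time of writing (check Get-Help if your module version differs).

```powershell
# Added example, not code from the original post. Names and addresses are assumed.
$rgName        = 'rg-vwan-prod'
$hubName       = 'hub-weu'
$spokeConnName = 'conn-spoke-nva'   # existing hub virtual network connection to the NVA's spoke
$nvaPeerIp     = '10.10.1.4'        # NVA NIC address inside that spoke
$nvaAsn        = 65510              # must differ from 65515 (hub) and other Azure-reserved ASNs such as 65520 and 12076

# The BGP connection hangs off the hub-to-VNet connection in which the NVA lives.
$spokeConn = Get-AzVirtualHubVnetConnection -ResourceGroupName $rgName `
    -VirtualHubName $hubName -Name $spokeConnName

New-AzVHubBgpConnection -ResourceGroupName $rgName -VirtualHubName $hubName `
    -Name 'bgp-nva-1' -PeerIp $nvaPeerIp -PeerAsn $nvaAsn -VirtualNetworkConnection $spokeConn

# The hub router answers from two addresses; both must be configured as
# neighbours (remote ASN 65515, eBGP multihop) on the NVA.
$hub = Get-AzVirtualHub -ResourceGroupName $rgName -Name $hubName
$hub.VirtualRouterIps
```

On the NVA side, advertise only the on-premises prefixes that should be reachable through it and set a prefix limit on the session to the hub; the hub will otherwise install anything the appliance sends.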

Routing intent and routing policies for securing traffic between hubs (gated preview)

Until now, customers securing traffic with Azure Firewall Manager had to configure routing manually to identify the flows to inspect. This applied to all internet-bound and private traffic, i.e. traffic between on-premises and virtual networks over point-to-site, site-to-site and ExpressRoute connections and a virtual hub. With routing intent, customers can do this without complex manual configuration by simply stating whether the virtual hub should route internet-bound, private, or inter-hub traffic through Azure Firewall. Customers can also configure their deployments so that all flows (east-west, north-south, and Azure as the internet edge) are inspected by an Azure Firewall or by a Network Virtual Appliance (such as Fortinet) deployed in the Azure Virtual WAN hub. Note that once private traffic is routed through the firewall, every flow between branches and virtual networks attached to the hub is subject to the firewall's policy, so the rules allowing legitimate east-west traffic have to exist before the intent is enabled.

View of the routing intent with BGP
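As an added example (not from the original post), the routing intent described above created from Azure PowerShell for a hub whose firewall is Azure Firewall: one policy sends internet-bound traffic to the firewall, one sends private traffic there. Names are placeholders; the cmdlets are Get-AzVirtualHub, New-AzRoutingPolicy, New-AzVHubRoutingIntent and Get-AzVHubRoutingIntent from Az.Network.

```powershell
# Added example, not code from the original post. Names are assumed.
$rgName  = 'rg-vwan-prod'
$hubName = 'hub-weu'

# The next hop must be the Azure Firewall (or integrated NVA) deployed inside this hub;
# a secured hub exposes its firewall on the hub object.
$hub  = Get-AzVirtualHub -ResourceGroupName $rgName -Name $hubName
$fwId = $hub.AzureFirewall.Id

# 'Internet' covers north-south flows leaving Azure; 'PrivateTraffic' covers
# east-west flows between VNets, branches and ExpressRoute sites on this hub.
$internet = New-AzRoutingPolicy -Name 'InternetTraffic' -Destination @('Internet')       -NextHop $fwId
$private  = New-AzRoutingPolicy -Name 'PrivateTraffic'  -Destination @('PrivateTraffic') -NextHop $fwId

# One routing intent per hub; it replaces the static routes and route-table
# propagation you would otherwise maintain by hand.
New-AzVHubRoutingIntent -ResourceGroupName $rgName -HubName $hubName `
    -Name 'hubRoutingIntent' -RoutingPolicy @($internet, $private)

# Verify what the hub will enforce.
Get-AzVHubRoutingIntent -ResourceGroupName $rgName -HubName $hubName
```

Create the firewall network rules for the east-west flows you rely on before running this: Azure Firewall denies traffic that matches no rule, so enabling the private-traffic policy against an empty policy cuts branch-to-VNet connectivity rather than inspecting it.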

To sum up, each company's needs are unique, and as networks move from traditional data centers or on-premises to a cloud-only or hybrid model, the journey requires complex design decisions. Azure Virtual WAN aims to make this journey smooth with NaaS services that are easy to use and efficient. Every new feature discussed here makes Azure Virtual WAN more useful to our customers.

Learn more

To learn how to get started with Azure Virtual WAN or try out the new features, see the resources below. For information about features in the gated preview, please refer to the relevant documentation to learn more about activating the preview for your subscription.
