Global Transit Network For Azure Virtual WAN

The Journey started with the concept of VNets, with work loads, and have evolved in the direction of Subnets, and quickly became a very complex list of islands which were disconnected

  • Security
  • Public Cloud
  • SaaS, Internet
  • Users
  • Branch Offices

Virtual WAN is a managed service

  • Managed by Microsoft with global scale, and multplie endpoints.
  • Each Hub can support 60Gb of connectivity;
    • Including 20Gb of ExpressRoute.
    • 20Gb of User VPN
    • 20Gb Site to Site
  • Supports 10K users per hub, 1000 sites per hub
  • Transit Routing
  • Cloud Network orchestration
    • Automation large scale branch, SDWAN CPE connectivity

Overview

Simplified networking, ease of user operations, and cost savings:

Conference
Author: Damian
Published:
Updated:

The Journey started with the concept of VNets, with work loads, and have evolved in the direction of Subnets, and quickly became a very complex list of islands which were disconnected

  • Security
  • Public Cloud
  • SaaS, Internet
  • Users
  • Branch Offices

Virtual WAN is a managed service

  • Managed by Microsoft with global scale, and multplie endpoints.
  • Each Hub can support 60Gb of connectivity;
    • Including 20Gb of ExpressRoute.
    • 20Gb of User VPN
    • 20Gb Site to Site
  • Supports 10K users per hub, 1000 sites per hub
  • Transit Routing
  • Cloud Network orchestration
    • Automation large scale branch, SDWAN CPE connectivity

Overview

Simplified networking, ease of user operations, and cost savings:

  • Any-to-Any Connectivity
  • Full mesh hubs
  • Branch to Azure
  • Branch to Branch
  • VPN <-> ExpressRoute
  • User VPN <-> Site
  • vNet to vNet

Whats New

  • Any-to-Any connectivity (Preview)
  • Express Route , User VPN (Point to Site) GA
  • ExpressRoute Encryption
  • Multi Link Azure Path Selection
  • Custom IPSec
  • Connect VNG VPN to Virtual WAN
  • Available in Gove Cloud and China
  • Azure Firewall integration (preview)
  • Pricing

Virtual WAN Types

Basic

  • VPN Only
  • Branch to Azure
  • Branch to Branch
  • Connect VNET
  • DIY VNet Peering (VNet to VNet - no transitive)

Standard = Basic +

Multi Link Support in VPN Sites

Dynamic traffic distribution across ISP at the branch site

Express Route (Standard VWan)

20Gb aggregate throughput

Private Connectivity

  • Requires Premium Circuit
  • In Global Reach LocationExpressRoute VPN Interconnect
  • ExpressRoute and Site-to-Site/Point-to-Site User VPNExpressRoute to ExpressRoute (Premium)

Express Route Encryption

IPSec over Express Route (Azure Azure Private IP)

User VPN

IPSec and OpenVPN support for up to 10K users

Azure Firewall

Firewall in Virtual Hub Centralised Policy and route managmenet

  • VNET to Inernet via Firewall
  • Branhc to ingtern via the firewall

MSP Partner Program

Announced in July 2019 - in the Azure Marketplace

Pricing

Connections, Traffic, Aggregate via the Hubs

Connection Unit

  • Site to Site VPN 0.05/hour
  • User VPN 0.03/hour

Scale Unit 1 Unit = .361/h 500Mb 1 ER Scale Unit = 0.42/hr 2Gbos

Virtual Hub

  • Basic Hub - Free
  • Standard - 0.25/hour

Zero Thrust Networking

Microsegmention

  • Segment Prevent Lateral Movement and data exfilration
  • Protect
  • Connect

Cloud Native Services, all software defined resources implement the Defence in Depth offer, the resources included are:

  • Azure Firewall
  • Azure Web Application Firewall
  • Azure Private Link
  • Azure DDoS Protection
  • Virtual Network
  • Network Security Groups
  • User Defined Routes
  • Load Balancer

Network Segmentation Host Based - With agent Installed HyperVistor Baed - VMWare NSX Network Based - Softwaew Defined Networking

  1. Subscription Logic isolation of environemtn and all resoruces
  2. Virtual Network Isoared and highly secure enviroonment to run virtual machines and applications
  3. Network Security Group Enforce and control network traffic securitly rules to allow or deny traiffc fro a vnet or vm
  4. Web Application Firewall Application specific network security
  5. Azure Firewall

More articles

Thoughts, topics or just solutions I would like to make available to you, colleagues and fellow enthusiasts.

Managed Applications and Custom Resource Providers

Magnify the power of extending Azure platform by enabling customers and partners to easily bring in custom solutions to azure. These can be scoped for offering to our own enterprise, or just some selected customers; or even all customers.

Ignite Session BRK3227
Presenters Gaurav Bhatnagar
Evan Hissey

Challenges with extending azure include many of the typical thoughts we face

  • As part of my deployment i need to do extra works
  • Need to interface with external APIs, create users, storage tables, calling APIs external to Azure, while deploying ARM templates
  • 200 Services, which service should i be selected, What is the correct VM SKU? what would be more cost efficient
  • How do I integrate my service into Azure; What is the correct option to expose my service to my enterprise, or all azure users

How do we deploy and offer?

Deployment Script

New resource type - Microsoft.Resources/DeploymentScripts

Web Application Gateway

Delivering PaaS Services Privately on Azure VNets with Private Link

Ignite Session: BRK3169
Presenter Amit Srivastava

Mission Critical HTTP Applications, there are many things to consider

Personalised, Micro-Services, Rich Context…. To support this MS have a number of services i the Suite - Azure Frontdoor, Application Gateway, Azure CDN, Web Application Firewall, Azure Load Balancer, and Azure Traffic Manager

Azure Application Gateway

Regional Gateway as a service