You're reading from  Designing and Implementing Microsoft Azure Networking Solutions

Product typeBook
Published inAug 2023
PublisherPackt
ISBN-139781803242033
Edition1st Edition
Author (1)
David Okeyode

David is the EMEA Azure CTO at Palo Alto Networks. Before that, he was an independent consultant helping companies secure their Azure environments through private expert-level trainings and assessments. He has authored two books on Azure security: "Penetration Testing Azure for Ethical Hackers" and "Microsoft Azure Security Technologies Certification and Beyond". He has also authored multiple cloud computing courses for popular platforms like LinkedIn Learning. He holds over 15 cloud certifications and has over a decade of experience in cybersecurity (consultancy, design, implementation). David is married to a lovely girl who makes the best banana cake in the world. They love travelling the world together!

Design and Implement Hybrid Network Connectivity with Virtual WAN

The Azure Well-Architected Framework is a set of guidelines for designing efficient and effective systems in the cloud. One important aspect of this framework is designing for scalability, or the ability to handle increasing amounts of work or traffic. To make sure network connectivity and security continue to work well as we add more users or data, it is recommended to use the hub-and-spoke design. This can be achieved with the virtual WAN (vWAN) service in Azure. In this chapter, we will learn about the different ways we can use the vWAN service and how to set it up. By the end, you will have a good understanding of the following:

  • Designing a scalable network topology in Azure
  • Understanding the design considerations of a virtual hub
  • Understanding the routing and SD-WAN configuration in a virtual hub
  • Configuring site-to-site connectivity using vWAN
  • Implementing a global transit network architecture...

Technical requirements

To follow along with the instructions in this chapter, you will need the following:

  • A PC with an internet connection
  • An Azure subscription

Before we proceed to cover the security best practices, let us prepare our Azure subscription for the hands-on exercises that we will be completing later in the chapter.

Designing a scalable network topology in Azure

If a company wants to grow in its use of Azure, it needs to make it easier for VNet resources to communicate with other VNets, on-premises networks (networks not in the cloud), and the internet. The recommended approach is to use a hub-and-spoke topology. In this design, we have a hub virtual network acting as a central point for connecting spoke networks, on-premises networks, and the internet (Figure 7.1).

The spoke virtual networks connect to the hub to access the internet and other networks. This design is helpful because it centralizes connectivity and security rules, rather than having each spoke VNet handle these things separately. Imagine having to maintain routing and security rules for 100 VNets separately! It also allows for the isolation of network communication if needed, such as creating separate VNets for production and development for traffic isolation at the network level.

Figure 7.1 – Hub and spoke architecture

Figure 7.1 –...

Understanding the design considerations of a vWAN hub

When implementing a vWAN hub, there are certain design decisions that we need to make. Let us review some of these.

Selecting the regions for the VWAN hub

The first design decision that we need to make is the region where we want to deploy our hub, as shown in Figure 7.6. An Azure VWAN hub can be deployed into almost all available Azure regions except for a small number of newer regions.

Figure 7.6 – Selecting a region for the VWAN hub

For an updated list of supported regions, please refer to this documentation: https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-locations-partners#locations

It is a good practice to only create virtual hubs in regions where you have a cluster of virtual networks present or regions that are close to your branch offices/remote networks. Following this principle helps to ensure reduced latency between the connecting network and the VWAN hub...

Understanding the routing and SD-WAN configuration in a virtual hub

A virtual hub is a place where different networks can connect and communicate with each other. A router that lives in the routing infrastructure units that we discussed earlier is responsible for managing the routing between these networks, using BGP.

Each virtual hub has two default route tables, called Default and None, and we can also create additional route tables. By default, all connections to the virtual hub are associated with the Default route table, but we can change this to a custom route table. We can also add static routes to both default and custom route tables; static routes take precedence over routes that are learned automatically.

When we connect a network (virtual network, ExpressRoute, S2S VPN, or user VPN) to a virtual hub, we can choose which route table to use for that connection (association – marked 1 in Figure 7.14), and we can also propagate learned routes (marked 2 in Figure 7.14).

...

Hands-on exercise 1 – provision resources for chapter exercises

To follow along with the exercises in this chapter, we will provision some Azure resources to work with. We have prepared an Azure ARM template in the GitHub repository of this book for this purpose. The template will deploy two virtual networks in two Azure regions, as shown in Figure 7.21.

Figure 7.21 – Resources deployed via the provided ARM template

The first VNet (CoreServicesVNet) will have two subnets with a virtual machine in each subnet. The second VNet (EngineeringVNet) will have two subnets with a virtual machine in one subnet. One of the virtual machines (WebVM) will be assigned a public IP address so you can connect to it from your PC over the internet. Here is the task that we will complete in this exercise:

  • Task 1 – initialize template deployment in GitHub

Let’s get into this!

Task 1 – initialize template deployment in GitHub...

Configuring Site-to-Site connectivity using VWAN

Another key design decision is how we are going to connect remote/on-premises networks to our VWAN hub. We can either do this via ExpressRoute or Site-to-Site VPN (S2S VPN) connections.

To implement S2S VPN connections, we need to deploy S2S VPN gateway instances into our VWAN hub by specifying the number of gateway scale units that we want. This can be done during the creation of the hub or added after. The number that we specify for Gateway scale units defines the aggregate maximum throughput that will be available for S2S VPN connections (Figure 7.25).

Figure 7.25 – VWAN hub gateway scale units

S2S VPN gateway instances in a VWAN hub are always deployed in an active-active setup (Figure 7.26). The maximum supported number of gateway scale units is 20 scale units (Figure 7.25), which deploys two active instances, with each instance supporting 10 Gbps (Figure 7.25). This requires an implementation...

Hands-on exercise 2 – implement site-to-site VPN connectivity using VWAN

Here are the tasks that we will complete in this exercise:

  • Task 1 – add a site-to-site gateway to VWAN
  • Task 2 – create a VPN site in VWAN
  • Task 3 – connect the VPN site to a VWAN hub
  • Task 4 – obtain VPN configuration information
  • Task 5 – configure the “on-premises” VPN device
  • Task 6 – verify routes and connectivity to the “on-premises” site through VWAN

By the end of this exercise, our implementation will be like what is shown in Figure 7.30. Let’s get into this!

Figure 7.30 – End result of exercise 2

Task 1 – add a site-to-site gateway to VWAN

The first thing that we will do is to add a site-to-site gateway to one of our existing VWAN hubs. To do this, we need to edit its configuration:

  1. In the CharisTechVirtualWAN window, in the Connectivity...

Implementing a global transit network architecture using VWAN

One of the advantages of implementing Azure VWAN for connectivity is its support for an “out-of-the-box” global transit network architecture. This is because it allows any-to-any connectivity between all connections to VWAN (branches, VNets, and users)! This removes or reduces the need for full mesh or partial mesh connectivity between multiple networks.

Figure 7.49 – Azure VWAN supports any-to-any connectivity

For example, in the scenario highlighted in Figure 7.49, VWAN supports the following global transit connectivity paths without the need for any additional routing configuration:

  • Branch to VNet
  • Branch to branch
  • Remote user to VNet
  • Remote user to branch
  • VNet to VNet
  • Branch-to-hub-to-hub-to-branch
  • Branch-to-hub-to-hub-to-VNet
  • VNet-to-hub-to-hub-to-VNet
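The route-table semantics described in the routing section (one associated table per connection, propagation into zero or more tables, static routes beating learned ones) are what produce the any-to-any paths listed above. The following Python model is an added example, not code from the book or from Microsoft: it is a deliberately simplified simulation of a two-hub vWAN in which every hub has a Default and a None table, a connection's lookups use its associated table, its prefixes are propagated into the named tables of every hub, and a static route overrides a learned route for the same prefix. It ignores route-table labels and the BGP exchange that Azure actually uses between hubs, and all hub, connection and prefix names are constructed sample data.

```python
"""Toy simulation of Virtual WAN hub route tables (association/propagation).

Added example, not the book's or Microsoft's code. Hub names, connection
names and address prefixes are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str   # name of the connection the hub forwards to
    origin: str     # "static" (added by an operator) or "learned" (propagated)


@dataclass
class Connection:
    name: str
    hub: str                              # hub this connection terminates on
    prefixes: list                        # address space behind the connection
    associated: str = "Default"           # table consulted for this connection's traffic (marker 1)
    propagates_to: tuple = ("Default",)   # tables that learn this connection's prefixes (marker 2)
    all_hubs: bool = True                 # propagate into the named table of every hub in the vWAN


class VirtualWan:
    def __init__(self, hubs):
        self.hubs = list(hubs)
        # (hub, table name) -> list of Route; every hub starts with Default and None
        self.tables = {(h, t): [] for h in self.hubs for t in ("Default", "None")}
        self.connections = {}

    def add_route_table(self, hub, name):
        self.tables[(hub, name)] = []

    def connect(self, conn):
        self.connections[conn.name] = conn
        self._propagate(conn)

    def add_static_route(self, hub, table, prefix, next_hop):
        self.tables[(hub, table)].append(Route(ipaddress.ip_network(prefix), next_hop, "static"))

    def _propagate(self, conn):
        targets = self.hubs if conn.all_hubs else [conn.hub]
        for table in conn.propagates_to:
            if table == "None":
                continue  # the None table never learns routes
            for hub in targets:
                if (hub, table) not in self.tables:
                    continue
                for p in conn.prefixes:
                    self.tables[(hub, table)].append(Route(ipaddress.ip_network(p), conn.name, "learned"))

    def lookup(self, src_name, dst_ip):
        src = self.connections[src_name]
        addr = ipaddress.ip_address(dst_ip)
        table = self.tables[(src.hub, src.associated)]
        candidates = [r for r in table if addr in r.prefix]
        if not candidates:
            return None
        # longest prefix wins; on a tie a static route beats a learned one
        return max(candidates, key=lambda r: (r.prefix.prefixlen, r.origin == "static"))

    def path(self, src_name, dst_ip):
        """Hops from the source connection to the destination connection, or None."""
        route = self.lookup(src_name, dst_ip)
        if route is None:
            return None
        src_hub = self.connections[src_name].hub
        dst_hub = self.connections[route.next_hop].hub
        hops = [src_name, src_hub]
        if dst_hub != src_hub:
            hops.append(dst_hub)  # hub-to-hub transit inside the same vWAN
        hops.append(route.next_hop)
        return hops


def build_sample_wan():
    """Constructed two-hub topology: a branch, two VNets, an NVA VNet and an isolated VNet."""
    wan = VirtualWan(["hub-westeurope", "hub-eastus"])
    wan.connect(Connection("branch-london", "hub-westeurope", ["192.168.10.0/24"]))
    wan.connect(Connection("CoreServicesVNet", "hub-westeurope", ["10.1.0.0/16"]))
    wan.connect(Connection("EngineeringVNet", "hub-eastus", ["10.2.0.0/16"]))
    # VNet hosting an NVA: propagates nothing, so only a static route can steer traffic to it
    wan.connect(Connection("nva-vnet", "hub-westeurope", ["10.9.0.0/24"], propagates_to=()))
    # isolated dev VNet: associated with None and propagating nowhere, so it is unreachable both ways
    wan.connect(Connection("isolated-dev", "hub-eastus", ["10.3.0.0/16"], associated="None", propagates_to=()))
    return wan


if __name__ == "__main__":
    wan = build_sample_wan()
    print(wan.path("branch-london", "10.2.0.5"))       # branch-to-hub-to-hub-to-VNet
    print(wan.path("isolated-dev", "10.1.0.5"))        # None: associated with the None table
    wan.add_static_route("hub-westeurope", "Default", "10.1.0.0/16", "nva-vnet")
    print(wan.path("branch-london", "10.1.0.5"))       # static route now wins over the learned one
```

Two behaviours are worth noticing when running it: the static route only affects lookups in the table it was added to (hub-westeurope's Default), so the same destination reached from the other hub still uses the learned route; and associating a connection with None isolates it in both directions, because nothing is consulted for its traffic and it propagates nothing for others to learn.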

Understanding the security considerations of a virtual hub

So far, we have talked about how the virtual WAN makes connecting networks and routing easier. But what if we need to control and inspect the traffic between connected networks? Can we do this? The answer is yes, there are different ways we can do this, depending on what we need it for. In the next sections, we will quickly look at three common ways of doing this.

Approach 1 – deploy Azure Firewall in the virtual hub

The virtual hub (Standard tier only) supports the deployment of Azure Firewall within the hub. This creates a secured hub that can filter and inspect network traffic between virtual networks, branch offices or remote users, and the internet (Figure 7.50).

Figure 7.50 – Secured hub using Azure Firewall

Traffic inspection is supported for the following scenarios:

  • Between connected virtual networks
  • Between virtual networks and branch offices (ExpressRoute...

Summary

This chapter discussed the process of designing and implementing a scalable network topology in Azure, including understanding the design considerations of a virtual hub and configuring Site-to-Site connectivity using VWAN. It also covered routing and SD-WAN configuration in a virtual hub and the implementation of a global transit network architecture using VWAN. Finally, the chapter covered important security considerations when working with a virtual hub.

In the next chapter, we will learn more about how to keep our networks secure in Azure. This topic is important for the exam.
