Blog | Arxus

Azure Virtual WAN: what are the pros and cons? | Arxus

Written by Cloud Custodian | Apr 17, 2024 10:00:00 AM

When it comes to connectivity, scalability and security, organizations often face an important decision: going for a traditional network architecture or embracing Microsoft Azure’s Virtual WAN. But what should you choose? We’ll help you make the right call for your business. Let’s do a quick deep dive into the benefits and potential issues of the Virtual WAN architecture model.

 

What is Azure Virtual WAN?

Virtual WAN is an Azure-based networking service, that is managed by Microsoft. This hub-and-spoke architecture option provides you with optimized, automated and global scale connectivity. But back in 2019 when it first launched, it was still missing some key networking features. And had several limitations in place, making it hard to live up to its promise: “providing a unified framework for networking, security, and routing”.

However, in the last five years, Microsoft has been working very hard to improve the service. They’ve been adding a lot of new features and removing existing limitations, creating many benefits along the way. And now it has reached a point where we consider it our preferred hub-and-spoke network architecture.

But why is that? Let’s take a closer look at the benefits of Azure Virtual WAN and at how we counter any potential challenges.

 

Key features and functionalities

Before we dive deep into the advantages and disadvantages, let’s check out Azure Virtual WAN’s different services and components. And find out how they provide high-speed connections to the Azure backbone:

The Virtual WAN hub

Fully meshed hubs where all traffic flows through. Upon creation, you are provided with an address space and routing tables.

Hub-to-Hub connections

This enables cross-region connectivity between all on-prem and Azure network endpoints.

Virtual hub router

This supports custom route tables for virtual networks. And acts as the default route table for branches (P2S, S2S, ER). It also associates connections to route tables and propagates routes from connections to route tables.

Connection between sites

There are several types of possible connections:

  • Any-to-any branch to Azure
  • Branch to branch
  • Users to branch
  • Virtual network (vNet) to virtual network transit
  • VPN to ExpressRoute transit connectivity

Secure virtual hub

This offers added security with the integration of Azure Firewall Manager. It allows you to:

  • Create a policy and apply across multiple firewalls
  • Work across regions, subscriptions, deployments, …
  • Secure internet traffic (virtual network to internet and branch to internet)
  • Secure private traffic (virtual network to and from a branch)

 

When you combine these services and components, you’re able to create a networking architecture. Offering you secured transit connectivity paths between multiple spokes, branches and regions.

Important to note
Azure Virtual WAN comes in 2 types: basic and standard. At Arxus, we always deploy the standard variation, because the basic one only supports S2S VPN connections.

 

What are the benefits?

An Azure Virtual WAN architecture has a lot of advantages:

  1. It greatly simplifies routing configuration by automatically learning and propagating the necessary routes for connectivity. Features like routing intent allow you to send all private and/or internet traffic through a security solution in the hub, with minimal effort.
  2. It optimizes your network's performance by leveraging Microsoft's global network infrastructure. That way, it reduces latency, and improves reliability and user experience.
  3. When integrating with the Azure Firewall (or a supported third-party solution), it enhances your network’s security.
  4. It scales dynamically to accommodate changing business needs. That way, you can add or remove branch offices, scale bandwidth, and adjust network configurations as required. Without significant upfront investments or disruptions.
  5. Using Global Reach as a global network extension, it allows your users to reach resources in different geographical locations with ease.
  6. The Azure Virtual WAN API or Portal tab allow for centralized management of your networking routes, configurations and monitoring.
  7. Virtual WAN is often more cost-efficient than traditional hub-and-spoke models. Especially when the operational, management and maintenance costs are taken into account.

 

What are the potential challenges?

While Azure Virtual WAN offers many benefits, there are also some possible disadvantages to consider:

  1. The setup and configuration can be quite complex, especially for organizations without prior experience in cloud networking. To ensure proper configuration and optimization, you need specialized expertise in network design and Azure services. At Arxus, we pride ourselves in our ability to assist our customers in this matter.
  2. While Azure Virtual WAN provides essential networking capabilities, it may lack some advanced features or customization options. So, if your organization has specific networking requirements, the available features of Azure Virtual WAN might be insufficient for your needs.

    But with every update, these limitations keep fading. At the moment of writing you can only integrate Checkpoint (NVA), Fortinet NGFW (NVA) or Palo Alto NGFW (SaaS) directly into the Virtual WAN hub.
  3. When used inefficiently, Virtual WAN can generate high costs. That’s why it’s really important to analyze the networking requirements and implement Virtual WAN in a cost-efficient way.
  4. Azure Virtual WAN supports only a few third-party firewalls for direct integration. And due to capacity constraints, Microsoft is not onboarding any new vendors at the moment.

    So, if your preferred solution is not supported, you might need to overcomplicated your network architecture. However, you could also consider it as an opportunity to reexamine your firewalling options.
  5. It is impossible to integrate other Azure networking services, such as Azure Bastion or a centralized Azure Application Gateway, into the Virtual WAN architecture.


Current capacity issues

As of late, our engineers have been facing a problem: the West-Europe Azure region, located in Amsterdam, is currently experiencing capacity issues. And Virtual WAN is one of the services that is most impacted by this problem. Most of the recent Azure networking projects have suffered initial deployment failures. And forced Microsoft to assign extra capacity for successful deployment.

This problem will become less impactful, once the new datacenters in The Netherlands finish completion. And once the Azure Belgium Central region comes online.

 

Need help with your Azure network?

At Arxus, we're committed to helping your business harness the power of cloud networking solutions, like Azure Virtual WAN. We firmly believe that it offers significant advantages over a more traditional hub-and-spoke architecture. But every organization is unique. And requires its own solution.

Our team of experienced cloud architects and networking experts stand at the ready to guide you through the entire process: from initial assessment to deployment and ongoing management.