Microsoft Azure Virtual WAN
Microsoft Azure Virtual WAN and Citrix SD-WAN provide simplified network connectivity and centralized management across hybrid cloud workloads. You can automate configuration of branch appliances to connect to the Azure WAN and configure branch traffic management policies according to your business requirements. The built-in dashboard interface provides instant troubleshooting insights that can save time and provides visibility for large-scale site-to-site connectivity.
Microsoft Azure Virtual WAN allows you to enable simplified connectivity to Azure Cloud workloads and to route traffic across the Azure backbone network and beyond. Azure provides 54+ regions and multiple points of presence across the globe Azure regions serve as hubs that you can choose to connect to the branches. After the branches are connected, use the Azure cloud service through hub-to-hub connectivity. You can simplify connectivity by applying multiple Azure services including hub peering with Azure VNETs. Hubs serve as traffic gateways for the branches.
Microsoft Azure Virtual WAN offers the following advantages:
-
Integrated connectivity solutions in hub and spoke - Automate site-to-site connectivity and configuration between on-premises and the Azure hub from various sources including connected partner solutions.
-
Automated setup and configuration – Connect your virtual networks to the Azure hub seamlessly.
-
Intuitive troubleshooting – You can see the end-to-end flow within Azure and use this information to take required actions.
Hub-to-Hub Communication
From 11.1.0 release onwards, Azure virtual WAN is supported hub-to-hub communication using Standard type method.
Azure Virtual WAN customers can now leverage Microsoft’s global backbone network for inter-region hub-to-hub communication (Global transit network architecture). This enables branch to Azure, branch-to-branch over the Azure backbone, and branch to hub (in all Azure regions) communication.
You can leverage Azure’s backbone for inter-region communication only when you purchase the Standard SKU for Azure virtual WAN. For pricing details, see Virtual WAN pricing. With the Basic SKU, you cannot use Azure’s backbone for inter-region hub-to-hub communication. For more details, see Global transit network architecture and Virtual WAN.
Hubs are all connected to each other in a virtual WAN. This implies that a branch, user, or VNet connected to a local hub can communicate with another branch or VNet using the full mesh architecture of the connected hubs.
You can also connect VNets within a hub transiting through the virtual hub, and VNets across hub, using the hub-to-hub connected framework.
There are two types of virtual WAN:
-
Basic: Using the Basic method, the hub-to-hub communications happen within one region. The Basic WAN type helps to create a basic hub (SKU = Basic). Basic hubs are limited to site-to-site VPN functionality.
-
Standard: Using Standard method, hub-to-hub communications happen among different regions. A Standard WAN helps to create standard hub (SKU = Standard). Standard hubs contain ExpressRoute, User VPN (P2S), full mesh hub, and VNet-to-VNet transit through the hubs.
Create Azure Virtual WAN service in Microsoft Azure
To create the Azure Virtual WAN resource, perform the following steps:
-
Log into the Azure portal and click Create a resource.
-
Search for Virtual WAN and click Create.
-
Under Basic, provide the values for the following fields:
-
Subscription: select and provide the subscription detail from the drop-down list.
-
Resource group: Select an existing resource group or create a new one.
Note
When creating the service principal to allow Azure API communication, ensure to use the same resource group that contains the Virtual WAN. Otherwise, SD-WAN Orchestrator will not have sufficient permissions to authenticate to Azure Virtual WAN APIs that enable automated connectivity.
-
Resource group location: Select the Azure region from the drop-down list.
- Name: Provide the name for the new Virtual WAN.
- Type: select Standard type if you want to use hub-to-hub communication between different regions, otherwise select Basic.
-
- Click Review + create.
- Review the details that you entered to create the Virtual Wan and click Create to finish the Virtual WAN creation.
The deployment of the resource takes less than a minute.
Note
You can upgrade from Basic to Standard, but cannot revert from Standard back to Basic. For steps to upgrade a virtual WAN, see Upgrade a virtual WAN from Basic to Standard.
Create a Hub in the Azure Virtual WAN
Perform the following steps to create a hub to enable connectivity from various different endpoints (for example, on-premises VPN devices, or SD-WAN devices):
- Select the previously created Azure Virtual WAN.
-
Select Hubs under Connectivity section and click + New Hub.
-
Under Basic, provide the values for the following fields:
- Region – Select the Azure region from the drop-down list.
- Name – Enter the name for the new Hub.
- Hub private address space – Enter the address range in CIDR. Select a unique network that is dedicated for the hub only.
-
Click Next: Site to Site > and provide the values for the following fields:
- Do you want to create a Site to site (VPN gateway)? – Select Yes.
-
Gateway scale units – Select the scale units from the drop-down list as needed.
- Click Review + create.
- Review the settings and click Create to start the virtual hub creation.
The deployment of the resource can take up to 30 minutes.
Create a service principal for Azure Virtual WAN, and identify IDs
For SD-WAN Orchestrator to authenticate through Azure Virtual WAN APIs and enable automated connectivity, a registered application must be created and identified with the following authentication credentials:
- Subscription ID
- Client ID
- Client Secret
- Tenant ID
Note
When creating the service principal to allow Azure API communication, ensure to use the same resource group that contains the Virtual WAN. Otherwise, SD-WAN Orchestrator will not have sufficient permissions to authenticate to Azure Virtual WAN APIs that enable automated connectivity.
Perform the following steps to create a new application registration:
- In the Azure portal, navigate to Azure Active Directory.
- Under Manage, select App registration.
-
Click + New registration.
-
Provide values for the following fields to register an application:
- Name – Provide the name for the application registration.
- Supported account types – select Accounts in this organizational directory only (* - Single tenant) option.
- Redirect URI (optional) – select Web from the drop-down list and enter a random, unique URL (for example, https:// localhost:4980)
- Click Register.
You can copy and store the Application (client) ID and the Directory (tenant) ID that can be used in SD-WAN Orchestrator for authentication to the Azure subscription for usage of API.
The next step for the application registration, create a service principal key for authentication purposes.
To create the service principal key, perform the following steps:
- In the Azure portal, navigate to Azure Active Directory.
- Under Manage, navigate to App registration.
- Select the registered application (created previously).
- Under Manage, select Certificates & secrets.
-
Under Client secrets, click + New client secret.
- To add a client secret, provide values for the following fields:
- Description: Provide a name for the service principal key.
- Expires: Select the duration for expiration as needed.
- Click Add.
-
The client secrete is disabled in the Value column. Copy the key to your clipboard. This is the Client Secret that you must enter into SD-WAN Orchestrator.
Note
You must copy and store the secret key value before reloading the page because, it will no longer be displayed afterwards.
Perform the following steps to assign the appropriate roles for authentication purpose:
- In the Azure portal, navigate to the Resource Group where the Virtual WAN was created.
- Navigate to Access control (IAM).
-
Click + Add and select Add role assignment.
-
To add role assignment, provide values for the following fields:
- Role – Select Owner from the drop-down list. This role allows management of everything including access to resources.
- Assign access to – select Azure AD user, group, or service principal.
- Select – Provide the name of the registered application created earlier and select the corresponding entry when it appears.
-
Click Save.
Lastly, you need to obtain the Subscription ID for the Azure account. You can identify your Subscription ID by searching for Subscriptions in the Azure portal.
Once you created the virtual WAN, log in to SD-WAN Center UI > Configuration > Azure > Virtual WAN.
Select two different sites and start the deployment. Once the sites are deployed, you can associate both the sites to two different hubs.
NOTE By default branch-to-branch and BGP is disabled. You can create a static route or enable BGP (under Settings) and branch-to-branch connectivity.
Enable BGP and branch-to-branch check box and deploy the tunnels. After the tunnels are deployed successfully, you can verify the status in Microsoft Azure > Resource groups > select the resource group that you created and click VPN sites.