Customer Portal
NL /EN
Home Insights

Azure Virtual WAN

The pros and cons of Azure Virtual WAN | Arxus
blog

The pros and cons of Azure Virtual WAN

When it comes to connectivity, scalability, and security, organizations often face an important decision: opt for a traditional network architecture or for Microsoft Azure's Virtual WAN. But which one is the best fit for your company? We are happy to help you make the right choice. Let's take a look together at the advantages and potential issues of the Virtual WAN model.

Wed, 17 April 2024

Michiel Quintelier | Arxus

Michiel Quintelier

Network & Security Consultant, Arxus

What is Azure Virtual WAN?

Virtual WAN is an Azure network service, managed by Microsoft, that offers you optimal and automated connectivity on a global scale. However, when this hub-and-spoke architecture first hit the market in 2019, it was still missing many important network features. And it had quite a few limitations, which meant it couldn't meet the needs of the general public: "to provide a unified framework for networking, cybersecurity, and routing".

But in the past 5 years, Microsoft has worked very hard to improve this service. They have added a whole range of new features. And lifted some of the existing limitations, which also brings many advantages. Now we have even reached a point where Azure Virtual WAN has become our favorite hub-and-spoke network architecture.

But why exactly? Let's go over the main advantages together. And look at how we can tackle potential challenges.

Key functions and features

Before we delve into the pros and cons, it might be useful to first examine the various services and components of Azure Virtual WAN. And to discover how they provide high-speed connections with the Azure backbone:

The Virtual WAN hub

Complete mesh hubs through which all traffic flows. Upon creation, you get an address space and various routing tables.

Hub-to-Hub connections

These connections ensure interregional connectivity between all on-prem and Azure network endpoints.

Virtual hub router

This component supports custom routing tables for virtual networks. And functions as a default table for branches (P2S, S2S, ER). Additionally, it also connects to routing tables. And distributes routes from connections to tables.

Connection between sites

There are different types of connections:

  • Any-to-any branch to Azure
  • Branch to branch
  • Users to branch
  • Virtual network (vNet) to virtual network transit
  • VPN to ExpressRoute transit connectivity

Secure virtual hub

This provides additional security, thanks to the integration of the Azure Firewall Manager. With it, you can:

  • Create a policy and apply it to multiple firewalls
  • Working across regions, subscriptions, deployments, ...
  • Secure your internet traffic (virtual network to internet and branch to internet)
  • Secure your private traffic (virtual network to and from a branch)

When you combine these services and features, you can expand your network architecture. You ensure secure transit connectivity paths between multiple spokes, branches, and regions.

Azure Virtual WAN Structure | Arxus

Important to know
There are 2 variants of Azure Virtual WAN: basic and standard. At Arxus, we only implement the standard version because the basic variant only supports S2S VPN connections.

What are the benefits?

An Azure Virtual WAN architecture has quite a few advantages:

  1. Routing configuration is much easier because it automatically learns and creates the necessary routes for connectivity. In addition, features such as routing intent ensure that you can easily direct all private and/or internet traffic through a security solution in the hub.
  2. By leveraging Microsoft's global network infrastructure, you improve the performance of your network. This increases the reliability and user experience of your network. And it also reduces latency.
  3. Thanks to the integration with Azure Firewall (or a supported third-party solution), you give your network security a significant boost.
  4. Azure Virtual WAN scales dynamically as your business needs change. You can add or remove branches, scale bandwidth, and adjust network configurations exactly to your liking. Without interruptions or large upfront investments.
  5. With the help of Global Reach as a global network extension, your users can access resources in different geographical locations in no time.
  6. The Azure Virtual WAN API and Portal tab ensure that you can manage your network routes, configurations, and monitoring centrally.
  7. Virtual WAN is often much more cost-effective than traditional hub-and-spoke models. Especially when you consider the costs for maintenance, operation, and management of your network.

What are the potential challenges?

Although Azure Virtual WAN offers many advantages, there are also some potential disadvantages to consider:

  1. The setup and configuration can be quite complex, especially if your organization has little or no experience with cloud networking. To ensure proper configuration and optimization, you actually need specialized expertise in the area of network design and Azure services. At Arxus, we can support you in this.
  2. Although Azure Virtual WAN now offers all essential networking options, it still lacks a number of advanced features or customization options. So, if your organization has specific network requirements, the capabilities of Azure Virtual WAN might still fall short.

    However, with each update, the limitations are becoming smaller and smaller. Currently, you can only integrate Checkpoint (NVA), Fortinet NGFW (NVA) or Palo Alto NGFW (SaaS) directly into the Virtual WAN hub.
  3. When you use Virtual WAN inefficiently, it can lead to high costs. Therefore, it is very important to thoroughly analyze your network requirements and implement your Virtual WAN structure in a cost-effective manner.
  4. Azure Virtual WAN supports few third-party firewalls for direct integration. And due to capacity limitations, Microsoft is also not going to onboard any new vendors at the moment.

    So, if Microsoft does not support your preferred solution, unfortunately, you will have to make your network architecture unnecessarily complex. Of course, you can always see it as an opportunity to reconsider your firewall options.
  5. It is impossible to integrate other Azure network services, such as Azure Bastion or a central Azure Application Gateway, into the Virtual WAN architecture successfully.

Current capacity issues

Our engineers have recently encountered a problem: the West European Azure region, located in Amsterdam, is currently facing capacity limitations. And Virtual WAN is one of the services that is suffering the most from this. The latest Azure network projects have indeed experienced initial deployment failures. As a result, Microsoft was forced to allocate additional capacity to ensure the implementation could proceed successfully.

But as soon as the new data centers in the Netherlands are ready, this issue will have a much smaller impact. And certainly when the Azure Belgium Central region comes online.

Need help with your Azure network?

At Arxus, we're eager to help you maximize your cloud solutions. In our opinion, Azure Virtual WAN offers more advantages than a traditional hub-and-spoke architecture. We're happy to think along with you!

Our experts assist you with Azure Virtual WAN | Arxus

Want to read more? Check these out!

case
The National Lottery | Arxus
Tue 7 Jan 25

National Lottery relies on our Azure Arc solution for their hybrid cloud

Managing your IT environment? That takes quite a bit of work. Especially if you're running virtual machines both in the cloud and on-premises, like the National Lottery. Luckily, Azure Arc offers a much simpler solution. With it, businesses can now easily manage all of their virtual machines in their entire infrastructure. Wondering how that works? We're more than happy to tell you all about it!

 Read more blog
Resiliency in the cloud | Arxus
Thu 27 Feb 25

How do you build a flexible and robust cloud strategy in Microsoft Azure?

The digital landscape is changing faster than ever before. Creating a resilient and reliable cloud infrastructure is therefore essential to stay ahead of your competitors. But how do you start? With the Azure Resiliency Strategy, based on the Well-Architected framework, you lay a solid foundation for high availability and disaster recovery. Curious about how it works exactly? Let's dive right in.

 Read more blog
With FinOps you get the most out of Azure | Arxus
Tue 27 Sept 22

Azure FinOps makes cost optimization in the cloud easier

With the best practices of the FinOps Framework, your organization will truly get the most out of Azure. Because to fully benefit from the cloud, a structured approach to cost optimization is extremely important. But what exactly is FinOps? And how does it help to keep your cloud costs under control? Ken Kenis, our expert in Cloud Financial Management, will tell you all about it.

 Read more