Azure Virtual WAN is a robust network service that combines networking, security, and routing functionalities into a single operational interface. This innovative approach simplifies the complexity of managing multiple connectivity types such as VNet, VPN, remote user, and ExpressRoute connectivity. To gain the benefits of Azure Virtual WAN you can begin with 2 VNets —and add others as your networks and business needs evolve.
The key takeaway here is that Azure Virtual WAN is a “network-as-a-service” model that uses a familiar hub-and-spoke architecture and leverages the Microsoft global backbone for seamless transit connectivity.
Challenges of Hub-and-Spoke Architectures
The traditional hub-and-spoke network architecture has limitations, particularly when scaling. Key challenges include:
- Scale constraints: As the network grows, new ExpressRoute gateways must be deployed in each region, adding complexity.
- Management overhead: Managing multiple VPN gateways and connections becomes cumbersome.
- Limited utilization of the Microsoft backbone: Traffic flows through VPN or ExpressRoute gateways, preventing full leverage of the Microsoft global network.
Benefits of Migrating to Azure Virtual WAN
Azure Virtual WAN supports comprehensive East-West and North-South traffic inspection. Anything connected to the Virtual WAN hub—such as VPN clients, branch offices, and VNet connections—is subject to inspection. By integrating Check Point’s CloudGuard Network Security NVAs (Network Virtual Appliances) into Azure Virtual WAN, organizations can seamlessly enforce robust security protocols across all their on-premises and Azure networks from one management console.
The integration simply involves deploying Check Point as a third-party service within the Azure Virtual WAN hub. Routing between NVAs and other services is automated, offering seamless East-West and North-South traffic protection. This integration secures the entire perimeter, covering traffic flows to and from any spoke or hub. Moreover, the setup ensures high availability of hubs and simplifies scenarios like ExpressRoute-to-ExpressRoute traffic inspection without needing additional security gateways.
Migrating to Azure Virtual WAN eliminates the limitations of the traditional hub-and-spoke model. Key benefits include:
- Scalability: Simplified scaling without deploying additional gateways.
- Streamlined management: Unified management of all network components in one interface.
- Enhanced security: Comprehensive traffic inspection and protection across all traffic flows.
- Global backbone utilization: Leverage Microsoft’s high-performance global network for optimized connectivity.
Use Cases for Azure Virtual WAN
Azure Virtual WAN supports a wide range of traffic flows, such as:
- East-West traffic: Branch-to-branch and VNet-to-VNet communication.
- North-South traffic: Branch-to-VNet, VNet-to-branch, branch-to-internet, and VNet-to-internet.
- Hybrid connectivity: Azure ExpressRoute-to-VNet and integration with SD-WAN.
Steps to Migrate from Hub-and-Spoke to Azure Virtual WAN
Here is a step-by-step guide to transitioning from a hub-and-spoke architecture to Azure Virtual WAN:
Step 1: Deploy the Virtual WAN Hub and Security Appliances
- Deploy Virtual WAN Hub: Set up a Virtual WAN hub in Azure.
- Integrate security appliances: Deploy Check Point’s CloudGuard Network Security for virtual WAN and connect it to Check Point’s security management system. Then configure the security policies for your environment.
- Enable routing intent: Configure routing intent for either internet-bound or private traffic.
Step 2: Test connectivity
- Connect VNets: Link two test VNets to the virtual WAN hub.
- Validate security logs: Test traffic between 2 VNets and validate traffic flow in Check Point CloudGuard security logs.
Step 3: Integrate virtual WAN with existing security infrastructure
- Optional expansion: Connect the Virtual WAN hub with an existing security VNet or another Check Point security setup to test hybrid connectivity.
- Validate connectivity: Test traffic flows between the integrated hubs and ensure security policies are enforced.
Step 4: Transition production traffic
- Add gateways: Deploy a VPN gateway for network traffic and an ExpressRoute gateway and validate networks flows.
- Connect core networks: Link production and development VNets to the Virtual WAN hub.
- Integrate on-premises infrastructure: Connect data centers and headquarters using ExpressRoute and branch offices via site-to-site VPN.
- Decommission legacy infrastructure: After validating all traffic flows, decommission the existing security VNets.
Step 5: Configure remote access VPN
- Support roaming users: Set up CloudGuard Network Security remote access VPN for users accessing the cloud over the public internet. Ensure secure and efficient connectivity for remote employees. See this document for VPN setup.
By following these migration steps, organizations can optimize their network architecture, simplify management, and enhance security.
To learn more, check out this informative video or request a live demo.