Architecture best practices for Azure Virtual WAN

Review service limits and known problems: Review Virtual WAN limits and known problems before you plan your architecture. Virtual WAN enforces limits on connected resources per hub and per subscription. Known problems include available workarounds.

Choose the Virtual WAN Standard SKU for production deployments to get zone redundancy and advanced routing capabilities.

Anticipate potential failures through failure mode analysis (FMA): FMA helps you anticipate failure scenarios and develop mitigation strategies.

Understand service-level agreement (SLA) and composite reliability targets: Virtual WAN hub routing infrastructure has a 99.95% SLA. During downtime, you can't establish or maintain connections. See SLA terms for service credits.

End-to-end connectivity requires a composite SLA calculation. Hubs, gateways, and firewalls each have independent SLAs. Calculate the combined SLA for critical connectivity paths.

The SLA excludes customer responsibilities, like on-premises equipment failures, internet connectivity problems outside Azure control, and configuration errors.

Plan multiregion redundancy for hub deployment: Distribute virtual hubs across multiple Azure regions to achieve region-level redundancy.

When you select regions, prioritize the following factors:

• Proximity to users and workloads
• Paired regions for disaster recovery
• Cross-region connectivity requirements
• Regulatory and data residency constraints

Establish routing to support automatic or manual region failover. Plan for asymmetric routing patterns during failures and document expected outage behavior. Regulatory and data residency requirements might constrain multiregion deployment strategies.

Plan for layered redundancy: Virtual WAN supports three redundancy layers. Each layer addresses distinct failure scenarios.

Balance redundancy decisions against availability needs, implementation complexity, and cost. Evaluate each failure domain's effect on workload operations. Choose symmetric or asymmetric routing patterns that match operational capabilities.

Plan for reliable hub and gateway scaling: Size infrastructure for expected growth rather than current traffic. Hub routers automatically scale but require up to 25 minutes. Gateways require manual sizing and scheduled maintenance for changes. Overprovision capacity to maintain reliability during demand spikes.

Design resilience for point-to-site VPN: Use the global VPN profile for automatic hub selection and failover. Size point-to-site address pools to handle at least double the expected concurrent users to prevent exhaustion during gateway redistribution.

Set up VPN backup for failover: Deploy a VPN gateway alongside an ExpressRoute gateway. Set the Border Gateway Protocol (BGP) preference to favor ExpressRoute over VPN for automatic failover.

Validate failover behavior: Test routing and network virtual appliance (NVA) behavior during failover scenarios. Document expected traffic flows and client impact for each failover pattern.

Incorporate business continuity testing: Test your failover configuration to avoid surprises during actual outages.

Simulate the following scenarios during testing:

• Region failures to verify multiregion failover behavior
• ExpressRoute circuit failures to confirm VPN backup activation
• Parallel path scenarios to identify asymmetric routing patterns
• BGP route advertisement during failover events

Turn on monitoring and alerting for service health: Set up monitoring for hub routers, gateways, and routing infrastructure to detect problems before users report outages. Create alerts for performance degradation for early response.

Turn on diagnostic logs across all Virtual WAN components to support troubleshooting through event correlation. Azure Resource Health distinguishes Azure service problems from customer-side connectivity problems.

Establish a security baseline: Apply the Azure security baseline for Virtual WAN as your foundational security baseline. The baseline covers Virtual WAN-specific controls for hub security, gateway configuration, routing security, and connection encryption.

This standardized approach addresses Virtual WAN service endpoints, like virtual hubs, VPN gateways, ExpressRoute gateways, and Azure Firewall integration. It provides compliance mapping for network infrastructure requirements.

Implement network segmentation through routing controls: Control network segmentation in Virtual WAN through routing tables. Create custom route tables to isolate routing domains and prevent unauthorized traffic between zones. Apply route maps when standard route table isolation doesn't meet connection requirements.

Deploy a secured virtual hub to inspect traffic centrally. Use Azure Firewall for threat intelligence and Azure service integration, or deploy partner NVAs for deep packet inspection and advanced threat prevention.

Establish private connectivity and protect public endpoints: Deploy private endpoints in spoke networks to access Azure platform as a service (PaaS) solutions without internet exposure. On-premises users reach these services through ExpressRoute or VPN connections. Routing through secured hubs provides inspection but adds latency and cost.

Protect public-facing spoke workloads by using Azure DDoS Protection at the virtual network or IP address level. Hub public IP addresses don't support DDoS Protection.

Implement identity and access management: Select your point-to-site VPN authentication method based on requirements.

• Microsoft Entra ID authentication provides Microsoft Entra Conditional Access policies, multifactor authentication (MFA), device compliance checks, and risk-based authentication.
• Certificate-based authentication requires public key infrastructure (PKI) and certificate life cycle management.
• Remote Authentication Dial-In User Service (RADIUS) authentication integrates with existing RADIUS infrastructure.

Control Virtual WAN configuration access by using role-based access control (RBAC):

• Apply RBAC assignments to control who can modify Virtual WAN configuration.
• Use built-in Network Contributor and Reader roles for most scenarios.
• Create custom roles for more granular permission boundaries when built-in roles are too permissive.

Control and filter network traffic by using defense in depth: Deploy security controls at multiple network layers. Use the Virtual WAN Standard SKU to deploy Azure Firewall or partner security solutions in the hub for centralized application-aware filtering and threat protection. Deploy network security groups (NSGs) in spoke networks for subnet-level filtering based on IP addresses, ports, and protocols.

Each layer addresses different security requirements. Hub security controls enforce organization-wide policies and detect threats across all connected networks. Spoke NSGs provide workload-specific controls that teams define based on application requirements.

Ensure encrypted connectivity: Select strong encryption algorithms like AES-256-GCM or AES-256-CBC to protect data confidentiality. Use strong integrity algorithms like SHA-256 or SHA-384 to prevent tampering. To prevent tunnel establishment failures, align Internet Protocol Security (IPsec) and Internet Key Exchange (IKE) encryption policies for site-to-site VPN between Azure and on-premises VPN devices.

Manage encryption for ExpressRoute and point-to-site VPN: Evaluate ExpressRoute encryption requirements separately from VPN requirements because each connection type requires different configurations. Manage point-to-site VPN encryption based on client requirements and security policies.

Harden architecture by following Zero Trust principles: Assume breach and limit the blast radius. Implement deny-by-default network access controls with explicit permit rules for required traffic only.

Turn off unused features to reduce attack surface:

• Avoid legacy or weak VPN cipher suites like DES, 3DES, and MD5.
• Remove unnecessary point-to-site authentication modes.
• Eliminate unneeded public IP address assignments.

Turn on diagnostic logging, metric alerts, and Microsoft Sentinel threat detection to monitor for breaches.

Implement security monitoring and threat detection: Turn on diagnostic logging for Virtual WAN components, like hubs, gateways, and Azure Firewall, for security event visibility. Use a Log Analytics workspace to provide centralized log collection, long-term retention, and query-based analysis.

Create Azure Monitor alerts for reactive notification of specific metric thresholds or log patterns. Deploy Microsoft Sentinel to add proactive threat detection through machine learning and correlation with broader organizational signals.

Understand pricing structures to create accurate cost models: Virtual WAN pricing has fixed and variable components. Fixed costs include SKU selection and allocated scale and connection units. Variable costs include data transfer charges and active features.

Data transfer costs represent significant variable expenses. Hub-to-hub transfers across regions incur cross-region charges, while hub router processing contributes to hub data processing costs. Estimate both fixed and variable costs before deployment to avoid budget surprises.

Monitor costs and hub utilization for ongoing optimization: Implement daily cost tracking for Virtual WAN spending. Focus on hub data processing charges, gateway connection usage, and cross-region data transfer costs.

Organize resources by business unit or application by using tags for cost allocation. Implement chargeback or showback reporting. Monitor spending against budgets to detect unexpected increases early.

Establish spending guardrails by using budgets and alerts: Implement budgets and alerts to prevent unexpected spending. Set graduated alert thresholds for early warnings before budget exhaustion.

Track metrics that directly affect variable costs. Monitor hub router traffic volume for hub data processing charges and connection unit usage for capacity costs.

Apply governance policies to prevent unauthorized cost increases. Use Azure Policy to require approvals for high-cost changes and mandate reviews before you add capacity.

Rightsize infrastructure capacity based on actual workload requirements: Size routing infrastructure units based on actual workload needs rather than maximum theoretical capacity. Each unit increases virtual machine (VM) capacity and costs.

Each hub incurs fixed monthly costs regardless of traffic volume. Add hubs only where connectivity requirements justify the cost. Size gateway scale units based on actual throughput requirements. Track usage patterns and adjust capacity when monitoring shows sustained changes in demand.

Choose cost-effective connection types and integrated service SKUs: Site-to-site VPN provides cost-effective connectivity for lower bandwidth and noncritical connections. ExpressRoute delivers higher performance at substantially higher cost. Point-to-site VPN supports remote users that have different cost characteristics.

Use VPN for development and test environments where lower cost justifies variable performance. Use ExpressRoute for production workloads that require consistent bandwidth and reliability. Implement hybrid approaches that route routine traffic through a VPN and direct business-critical applications through ExpressRoute.

Optimize routing to minimize data transfer costs: Traffic flow patterns directly affect variable costs. Hub-to-hub communication across regions generates cross-region charges. Hub router processing contributes to hub data processing costs.

Optimize the routing topology to reduce costs without sacrificing connectivity. Use direct virtual network peering for spoke-to-spoke communication to bypass hub processing charges. Evaluate the hub location based on dominant traffic patterns to minimize cross-region transfer charges. Balance cost optimization against security and routing policy requirements.

Develop a cost-effective scaling strategy for growth: Plan hub placement to balance latency requirements with costs. Position hubs near user populations to reduce latency and avoid excessive hub count. Consolidate regions where acceptable latency thresholds permit.

Optimize connection unit allocation based on actual bandwidth requirements rather than theoretical capacity. Monitor utilization to identify optimization opportunities as demand fluctuates.

Implement infrastructure as code (IaC) for consistent deployments: Use Azure Resource Manager templates (ARM templates), Bicep, or Terraform for repeatable Virtual WAN deployments across environments. ARM templates and Bicep provide native Azure integration. Terraform supports multicloud scenarios.

Design modular IaC templates: Separate core hub infrastructure from connection policies and routing rules. Core infrastructure changes infrequently, and routing rules change more often. Parameterize environment-specific values like scale units and address spaces.

Orchestrate resource dependencies: Sequence operations correctly because gateways require hubs, connections require gateways, and routing policies require connections. Include wait conditions in your automation to verify route propagation before you mark the deployment complete.

Establish build and deployment pipelines for automation: Design deployment pipelines with stage separation for validation, approval, and deployment. Implement quality gates between stages to block problematic changes.

Include static validation for syntax checking, policy compliance, and security rule verification. Implement predeployment testing for configuration validation against organizational standards.

Implement monitoring for topology, services, and dependencies: Establish complete visibility across topology, service health, and operational telemetry. Monitor global hub distribution, spoke connectivity, and gateway operational status.

Collect gateway performance metrics for throughput utilization and connection counts. Track connection reliability metrics for tunnel availability. Monitor routing health metrics for route propagation status.

Design role-based operational views. Create real-time health dashboards for operations teams and capacity trend views for architects. Set data retention periods that balance the need for historical investigation with storage costs.

Create alerting for connectivity and performance problems: Design alerting around failure scenarios that affect operations. Target connectivity failures that disrupt user access, performance degradation that slows applications, and configuration anomalies that indicate errors.

Define specific measurable conditions like tunnel disconnections, gateway CPU saturation above safe thresholds, and unexpected routing changes. Balance alert thresholds between early detection and alert fatigue. Establish notification routing that matches alert severity with appropriate urgency.

Automate operational tasks and connectivity validation: Automate repetitive Virtual WAN tasks like connection status validation and multihub configuration updates. Automate time-sensitive operations to reduce manual effort.

Implement scheduled automation for routine health checks. Use event-driven automation for configuration drift remediation. Create validation scripts and troubleshooting tools that operators can run on demand.

Use Virtual WAN native automation capabilities, including automatic route advertisement, route propagation across hub infrastructure, and gateway autoscaling that responds to load patterns.

Implement progressive deployment practices: Deploy to development first and then to staging, and validate at each step. Run static configuration validation and policy compliance checks before deployment. Follow deployment with smoke tests to verify gateway reachability and connection establishment.

Establish rollback capability: Maintain configuration versioning in an IaC repository. Document rollback procedures for reverting gateway settings and routing policies. Separate routine deployments from emergencies. Route routine changes through full validation with approvals. Allow emergencies to skip extended approvals while still validating syntax.

Conduct capacity planning for components: Plan Virtual WAN capacity by assessing VPN and ExpressRoute gateways, hub routers, and routing infrastructure. Start by estimating VPN gateway throughput per tunnel because all active tunnels share the total gateway capacity.

Monitor current utilization across gateways and hub routers to establish performance baselines. Use these baselines to project future capacity needs accurately. Include peak traffic scenarios, expected business growth, and planned site connections in your capacity plans.

Implement performance monitoring: Implement performance monitoring for every Virtual WAN component to maintain optimal operation. Establish a performance baseline during normal operations to identify typical behavior and detect deviations.

Monitoring data supports capacity planning initiatives and identifies optimization opportunities before performance degradation occurs. Tracking performance trends over time helps you predict future requirements and plan infrastructure changes proactively.

Design for scalable architecture: Plan for horizontal scaling by adding hubs within regions when requirements exceed per-hub limits. Design routing infrastructure to support anticipated inter-hub and spoke-to-spoke traffic volumes while balancing performance requirements with cost considerations.

Validate scaling effectiveness through performance monitoring and capacity utilization analysis to ensure that the architecture meets business needs as requirements evolve.

Establish performance testing practices: Performance testing practices require deploying nonproduction Virtual WAN environments that match production configuration for validation. Test routing configurations, connectivity scenarios, and feature activation before production deployment to ensure optimal performance.

Use testing to validate performance for branch-to-Azure, branch-to-branch, and virtual network-to-virtual network traffic patterns. Evaluate gateway performance under peak traffic and concurrent connection loads. Compare test results against performance targets and baselines before you implement changes to prevent performance problems in production environments.

Optimize hub placement for minimal latency: Optimize hub placement by positioning hubs in regions close to user populations and branch office locations to minimize network latency. Optimize hub placement for dominant traffic patterns like branch-to-Azure, branch-to-branch, or virtual network-to-virtual network connectivity. Consider cross-region traffic requirements and inter-hub connectivity performance.

Optimize configurations for performance: Evaluate gateway sizing strategies by assessing VPN and ExpressRoute gateway capacity against bandwidth requirements and traffic projections. Account for peak traffic scenarios and expected business growth when you choose appropriate gateway SKUs.

Select IPsec encryption algorithms that balance security requirements with gateway CPU efficiency. Design routing path preferences to optimize business-critical traffic patterns. Consider the performance characteristics of different routing options, like hub-to-hub paths versus ExpressRoute paths for virtual network-to-virtual network scenarios.

Validate routing for performance troubleshooting: Design operational procedures to verify route learning and propagation across hybrid network components. Document troubleshooting workflows for routing-related performance problems. Apply findings from routing incidents to improve monitoring and preventive measures.

Monitor and optimize capacity continuously: Establish proactive practices that maintain performance as requirements evolve. Design a proactive capacity management approach that includes regular performance reviews. Plan capacity adjustments before utilization reaches limits to avoid negative performance impact. This approach aligns capacity optimization with business growth and changing connectivity patterns.