Speakers:
- Reshmi Yandapalli (main speaker), Principal Program Manager
- Ben Peeri, KPMG customer story
Lots more content in the hidden slides in the download.
Scale
Usual stats. Interesting note: a new POP is being built almost every day.
Azure WAN: Global Transit Architecture
The Beginning
- HQ/Bigger Office
- Branch office(s)
- Users
- Private WAN
- Shared services
Start with HQ. Users multiply. VLANs multiply. Locations multiply. WAN grows. You grow:
- Need to simplify network
- Need ease of use
- Need operational savings.
Azure Virtual WAN
- Managed hub & spoke architecture, with hub being Azure and spokes being offices.
- Public (VPN) and private (ExpressRoute) connectivity.
- Global Scale:
- 20 Gbps site-to-site VPN, 20 Gbps ExpressRoute, and 20 Gbps User VPN (aggregate, per hub)
- 10K users per hub
- 1000 sites per hub
- 1 hub per region
- Transit routing
- Cloud Network Orchestration
- Automated large-scale branch/SD-WAN CPE connectivity
Connectivity
What if you had many regions – many hubs. And what if you wanted any branch to access any Azure VNet, regardless of local vWAN hub? In other words, connect to a hub, and use the Azure WAN to seamlessly reach the destination. So you build hub/spoke in different Azure regions, each with a vWAN hub. And a branch connects to the closest vWAN hub, and can get to any Azure VNet via transitive routing between vWAN hubs across the Azure WAN.
- Simplified network
- Ease of use
- Operational savings
This is called Global Transit Architecture over Azure Virtual WAN.
Azure Virtual WAN – What’s New
- Any-to-Any connectivity (Preview, soon GA)
- ExpressRoute and User VPN GA
- ExpressRoute encryption
- Multi-link Azure Path Selection
- Custom IPsec
- Connect VNG VPN to Virtual WAN
- Available in Gov Cloud & China
- Azure Firewall integration (Preview) – this is the big announcement IMO
- Pricing – reduced
- New partnerships coming soon
- Arista,
- Aruba
- Cisco
- F5
- OpenSystems
- VeloCloud
Global Transit Architecture – A Customer Example
- 4 regions, 70 countries with hundreds of sites. 34 VNets, 2 ExpressRoute Premium circuits.
- Challenges: scale issues, routing complexity, ER VNet limits
The before and after architecture diagrams are totally different – after is much more simple.
Azure Virtual WAN Types
Basic:
- VPN only
- Branch to Azure
- Branch to Branch
- Connect VNet
- VNets connect to the hub, but VNet-to-VNet traffic is not transitive via the hub (you peer VNets yourself)
- Hubs are not connected to each other
Standard = Basic + Following
- Stuff
Multi-Link Support in VPN Site
Supports dual links of different types/ISPs at a site. Azure sees the link information, and the branch partner's CPE can do path selection across these links.
Barracuda CloudGen Firewall is the first to support this. The result is always-on connectivity to Azure from the branch.
ExpressRoute
- GA in Standard Virtual WAN.
- Up to 20 Gbps aggregate per hub.
- Private connectivity – requires premium circuit.
- Available in ExpressRoute Global Reach locations
- ExpressRoute VPN Interconnect
- Integrated with Azure Monitor
EXPRESSROUTE + VPN Path Selection
Path selection between ER and VPN. Fortinet can do this.
Customer Story – Ben Peeri, KPMG
No notes here – sales story.
User VPN
- Available in Standard Virtual WAN
- Up to 20 Gbps aggregate and 10K users per hub
- Cloud based secure remote access
- Works with OpenVPN and IKEv2 clients
- Certificate-based and RADIUS authentication
- Any-to-Any
- User to branch, user to Azure VNet
- More
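As an added example (not from the session, and not a Microsoft template), here is a Bicep template for the User VPN pieces listed above: a VPN server configuration that accepts OpenVPN and IKEv2 clients with certificate authentication, and a point-to-site gateway attached to an existing Standard hub. Every name, the client address pool and the hub name are assumed placeholders; the root CA's public certificate data is supplied as a parameter.

```bicep
// Added example, not from the session. The Standard hub is assumed to already
// exist; all names and prefixes below are placeholders.
param location string = resourceGroup().location
param hubName string = 'hub-westeurope'          // assumed existing Standard hub
param clientPool string = '172.16.200.0/22'      // assumed client address pool
param rootCertPublicData string                  // base64 DER of the root CA cert, no PEM headers

resource hub 'Microsoft.Network/virtualHubs@2021-02-01' existing = {
  name: hubName
}

resource vpnServerConfig 'Microsoft.Network/vpnServerConfigurations@2021-02-01' = {
  name: 'uservpn-config'
  location: location
  properties: {
    vpnProtocols: [ 'OpenVPN', 'IkeV2' ]
    // For RADIUS instead: vpnAuthenticationTypes: [ 'Radius' ] plus
    // radiusServerAddress / radiusServerSecret.
    vpnAuthenticationTypes: [ 'Certificate' ]
    vpnClientRootCertificates: [
      { name: 'corp-root-ca', publicCertData: rootCertPublicData }
    ]
    // Pin the IKEv2 client suite rather than accepting the default proposal list.
    vpnClientIpsecPolicies: [
      { saLifeTimeSeconds: 3600, saDataSizeKilobytes: 102400000, ipsecEncryption: 'AES256', ipsecIntegrity: 'SHA256', ikeEncryption: 'AES256', ikeIntegrity: 'SHA256', dhGroup: 'DHGroup14', pfsGroup: 'PFS2048' }
    ]
  }
}

resource p2sGw 'Microsoft.Network/p2sVpnGateways@2021-02-01' = {
  name: 'p2sgw-${hubName}'
  location: location
  properties: {
    virtualHub: { id: hub.id }
    vpnServerConfiguration: { id: vpnServerConfig.id }
    vpnGatewayScaleUnit: 1          // scale units set aggregate throughput (billed per unit)
    p2SConnectionConfigurations: [
      {
        name: 'default'
        properties: {
          vpnClientAddressPool: { addressPrefixes: [ clientPool ] }
          enableInternetSecurity: true   // clients learn the hub's default route
        }
      }
    ]
  }
}
```

With `enableInternetSecurity` set, connected clients receive the hub's default route, so their Internet-bound traffic follows whatever the hub's default route table points at; on a secured hub that is Azure Firewall, which is how "user to Internet" gets the same policy as branch and VNet traffic.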
Azure Firewall
- Firewall in virtual hub
- Centralized policy and route management
- VNet to Internet through Azure Firewall
- Branch to Internet through Azure Firewall
- Managed through Azure Firewall Manager
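The Connectivity section and the Azure Firewall bullets above describe one design: a Standard virtual WAN, a hub per region, branches on site-to-site VPN, spoke VNets connected to the hub, and a firewall in the hub that all Internet-bound traffic passes through. As an added example (not from the session, and not a Microsoft template), here is the minimum set of resources for one region in Bicep. Every name, address prefix, the TEST-NET branch address and the API version are assumed placeholders; the spoke VNet ID and the IPsec pre-shared key are supplied as parameters. A second hub in another region on the same `virtualWans` resource gets hub-to-hub transit automatically because the WAN is of type Standard.

```bicep
// Added example, not from the session. All names, prefixes and the branch
// address are placeholders; adjust before deploying.
param location string = resourceGroup().location
param hubPrefix string = '10.100.0.0/24'       // assumed hub address space (a /24 is the minimum)
param branchPublicIp string = '203.0.113.10'   // assumed branch CPE public address
param branchPrefix string = '192.168.10.0/24'  // assumed branch LAN behind the CPE
param spokeVnetId string                       // resource ID of an existing spoke VNet
@secure()
param vpnPsk string                            // IPsec pre-shared key, supplied at deploy time

// Standard type enables hub-to-hub transit, ExpressRoute, User VPN and Azure Firewall.
resource vwan 'Microsoft.Network/virtualWans@2021-02-01' = {
  name: 'vwan-global'
  location: location
  properties: { type: 'Standard', allowBranchToBranchTraffic: true }
}

resource hub 'Microsoft.Network/virtualHubs@2021-02-01' = {
  name: 'hub-westeurope'
  location: location
  properties: { virtualWan: { id: vwan.id }, addressPrefix: hubPrefix, sku: 'Standard' }
}

resource site 'Microsoft.Network/vpnSites@2021-02-01' = {
  name: 'site-branch01'
  location: location
  properties: {
    virtualWan: { id: vwan.id }
    ipAddress: branchPublicIp
    addressSpace: { addressPrefixes: [ branchPrefix ] }
    deviceProperties: { deviceVendor: 'Generic', linkSpeedInMbps: 100 }
  }
}

resource vpnGw 'Microsoft.Network/vpnGateways@2021-02-01' = {
  name: 'vpngw-hub-westeurope'
  location: location
  properties: {
    virtualHub: { id: hub.id }
    vpnGatewayScaleUnit: 1   // scale units set aggregate throughput (billed per unit)
    connections: [
      {
        name: 'conn-branch01'
        properties: {
          remoteVpnSite: { id: site.id }
          sharedKey: vpnPsk
          // Custom IPsec: pin the suite instead of accepting the default proposal list.
          ipsecPolicies: [
            { saLifeTimeSeconds: 3600, saDataSizeKilobytes: 102400000, ipsecEncryption: 'AES256', ipsecIntegrity: 'SHA256', ikeEncryption: 'AES256', ikeIntegrity: 'SHA256', dhGroup: 'DHGroup14', pfsGroup: 'PFS2048' }
          ]
        }
      }
    ]
  }
}

// A policy with no rule collections denies everything; add allow rules per workload.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2021-02-01' = {
  name: 'fwpol-hub-westeurope'
  location: location
  properties: { threatIntelMode: 'Deny' }
}

// AZFW_Hub is the SKU for a firewall that lives inside the virtual hub.
resource fw 'Microsoft.Network/azureFirewalls@2021-02-01' = {
  name: 'azfw-hub-westeurope'
  location: location
  properties: {
    sku: { name: 'AZFW_Hub', tier: 'Standard' }
    virtualHub: { id: hub.id }
    hubIPAddresses: { publicIPs: { count: 1 } }
    firewallPolicy: { id: fwPolicy.id }
  }
}

// Point the hub's default route at the firewall so Internet-bound traffic is inspected.
resource defaultRoutes 'Microsoft.Network/virtualHubs/hubRouteTables@2021-02-01' = {
  parent: hub
  name: 'defaultRouteTable'
  properties: {
    labels: [ 'default' ]
    routes: [
      { name: 'internet-via-firewall', destinationType: 'CIDR', destinations: [ '0.0.0.0/0' ], nextHopType: 'ResourceId', nextHop: fw.id }
    ]
  }
}

resource spokeConn 'Microsoft.Network/virtualHubs/hubVirtualNetworkConnections@2021-02-01' = {
  parent: hub
  name: 'conn-spoke01'
  properties: {
    remoteVirtualNetwork: { id: spokeVnetId }
    enableInternetSecurity: true   // propagate the 0.0.0.0/0 route above into the spoke
  }
}
```

Two things to check after deploying: the spoke's effective routes should show `0.0.0.0/0` with the firewall as next hop (if not, `enableInternetSecurity` or the default route table is wrong), and the firewall policy starts with no rules, so outbound from the spoke and the branch is blocked until you add application or network rules. The same `enableInternetSecurity` flag on the VPN site connection sends branch Internet traffic through the firewall as well.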
Azure MSP Program
Announced in July. Focused on networking. Offerings in Azure Marketplace.
Pricing
- Connection Unit
- Site-to-site VPN / ExpressRoute: now reduced
- User VPN
- Scale Unit – aggregate throughput
- 1 VPN scale unit
- 1 ER scale unit
- Virtual Hub (Effective CYQ1 2020)
- Basic vWAN hub: no charge
- Standard hub
- Data processing intra region
- Data processing inter region