Security in Virtual WAN is comprehensive and multi-layered, as shown on this slide. Let's start with the Azure Firewall deployment command at the top. Notice we're creating a firewall with the --vhub parameter, which deploys it directly into the Virtual WAN hub. The --sku "AZFW_Hub" is specifically optimized for Virtual WAN, and the Premium tier enables advanced features like TLS inspection and intrusion detection. The --public-ip-count 2 provides redundancy for outbound connections.
The firewall policy creation shows how to implement hierarchical security policies. The --threat-intel-mode "Alert" enables Microsoft's threat intelligence feeds, --dns-proxy-enabled allows the firewall to act as a DNS proxy for better security visibility, and --intrusion-detection-mode "Alert" provides signature-based threat detection. These aren't just checkboxes - they fundamentally enhance your security posture.
Looking at the rule collection group creation, you can see how granular control is implemented. The priority system (100 in this example) determines rule evaluation order. The application rule shown allows HTTPS traffic to Microsoft and Azure domains, but notice it also includes web categories like "ComputersAndTechnology". This categorical filtering is powerful for controlling access without maintaining massive URL lists.
The Security Architecture Layers diagram illustrates defense in depth. At the perimeter, you have DDoS Protection and Web Application Firewall. The network layer includes Azure Firewall, NSGs, and Application Security Groups. Identity security leverages Azure AD with Conditional Access and MFA. Finally, data security uses Private Endpoints, TLS encryption, and Key Vault. Each layer protects against different threat vectors.
The Security Integration Components table breaks down where each component operates. Azure Firewall works at L4-L7 per hub with features like TLS inspection and IDPS. DDoS Protection operates at the VNet level with automatic mitigation. NSGs provide microsegmentation at subnet or NIC level using stateful rules. Private Endpoints secure PaaS services with private IP access and DNS integration.
The Zero Trust Implementation principles shown are crucial: Never trust, always verify means all traffic is inspected regardless of source. Least privilege access is implemented through granular routing and firewall rules. Assume breach mentality drives multiple security layers and comprehensive monitoring. Verify explicitly requires strong authentication and conditional access. This isn't just theory - it's how modern secure networks are built.
The Point-to-Site VPN configuration shown on this slide represents enterprise-scale remote access. The first command creates a P2S gateway with 10 scale units, supporting up to 5,000 concurrent users (each unit supports 500 users). The address prefixes "172.16.0.0/20" and "172.16.16.0/20" provide 8,192 addresses, allowing for growth and multiple address pools for different user groups.
The Azure AD authentication configuration is particularly important. The --aadTenant parameter points to your Azure AD tenant, --aadAudience uses the Azure VPN application ID (41b23e61-6c1e-4545-b367-cd054e0ed4b4), and --aadIssuer identifies the token issuer. This integration enables modern authentication with conditional access policies, eliminating the need for certificate management.
The split tunneling configuration using --custom-routes is crucial for performance and user experience. By specifying "10.0.0.0/8", "172.16.0.0/12", and "192.168.0.0/16", only corporate traffic goes through the VPN tunnel. Internet traffic goes directly from the user's location, reducing latency and VPN gateway load. The --associated-route-table parameter ensures P2S users inherit the correct routing policies.
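As an added illustration (not one of the slide's commands), this Python snippet models the split-tunnel decision a client makes from these --custom-routes prefixes and sizes the two address pools against the user ceiling implied by the scale units; the destination addresses are constructed samples.

```python
from ipaddress import ip_address, ip_network

# Prefixes and sizing values quoted from the slide narration.
CUSTOM_ROUTES = [ip_network(p) for p in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADDRESS_POOLS = [ip_network(p) for p in ("172.16.0.0/20", "172.16.16.0/20")]
SCALE_UNITS = 10            # from the P2S gateway command on the slide
USERS_PER_SCALE_UNIT = 500  # each scale unit supports 500 users


def via_tunnel(destination: str) -> bool:
    """True when the destination matches a custom route and is sent through
    the VPN tunnel; False when it goes directly to the internet."""
    dst = ip_address(destination)
    return any(dst in route for route in CUSTOM_ROUTES)


def classify(destinations):
    """Split a list of destinations into tunnelled and direct, for reporting."""
    tunnelled = [d for d in destinations if via_tunnel(d)]
    direct = [d for d in destinations if not via_tunnel(d)]
    return tunnelled, direct


def pool_capacity() -> dict:
    """Compare the total pool addresses with the concurrent-user ceiling."""
    addresses = sum(pool.num_addresses for pool in ADDRESS_POOLS)
    max_users = SCALE_UNITS * USERS_PER_SCALE_UNIT
    return {"addresses": addresses, "max_users": max_users,
            "headroom": addresses - max_users}


if __name__ == "__main__":
    # Constructed sample destinations: two corporate, two public.
    sample = ["10.20.30.40", "172.31.255.254", "172.32.0.1", "203.0.113.10"]
    print(classify(sample))  # (['10.20.30.40', '172.31.255.254'], ['172.32.0.1', '203.0.113.10'])
    print(pool_capacity())   # {'addresses': 8192, 'max_users': 5000, 'headroom': 3192}
```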
The diagram shows the complete flow from remote users through authentication to resource access. Users on Windows, Mac, and mobile devices connect to Azure AD for authentication. Conditional Access policies can enforce requirements like device compliance or location restrictions. After successful authentication and any required MFA challenges, users connect to the P2S Gateway, which provides access to the Virtual Hub and its routing infrastructure.
The P2S Configuration Options table outlines key decisions. Azure AD authentication enables Conditional Access for enterprise scenarios. OpenVPN protocol provides cross-platform support essential for BYOD. Split tunneling with custom routes optimizes performance for hybrid workers. The scale units from 1-20 support 500-10,000 users with elastic scaling for global workforces.
This configuration transforms remote access from a point solution to an integrated part of your global network. Users anywhere in the world can connect to their nearest P2S gateway and access resources globally through Virtual WAN's routing fabric, all while maintaining security through Azure AD integration and conditional access policies.
This slide illustrates architecting for true global high availability. The diagram shows a primary region (East US) with active VPN and ExpressRoute gateways connected to production VNets, and a secondary region (West US) with a standby VPN gateway but an active ExpressRoute gateway connected to DR VNets. Notice how branches have connections to both regions - solid lines to the primary and dotted lines to the secondary, indicating the failover paths.
The configuration commands demonstrate how to implement this architecture. The primary hub connection has a --routing-weight of 100, making it preferred, while the secondary has a weight of 50. This ensures traffic flows through the primary under normal conditions. Both connections have --enable-bgp true for dynamic routing and automatic failover. The BGP configuration with redundancyMode="ActiveActive" ensures both paths are maintained and monitored continuously.
The ExpressRoute geographic redundancy shown uses Premium SKU circuits in different peering locations (Washington DC in this example). This provides path diversity at the physical layer - crucial for true high availability. The --sku-tier "Premium" is required for global routing and accessing resources across regions.
The High Availability Design Patterns comparison shows two approaches. Active-Passive has the primary region handling all traffic with secondary on standby, resulting in lower cost but RPO of 15-30 minutes and RTO of 5-10 minutes. Active-Active has both regions handling traffic with load balancing, higher cost, but RPO under 1 minute and instant RTO. Choose based on your business requirements and budget.
The component failover times table is critical for setting expectations. Virtual Hubs are always active-active with instant failover. VPN connections fail over in under 30 seconds as BGP detects the failure and reconverges. ExpressRoute fails over in under 5 seconds due to BFD (Bidirectional Forwarding Detection). VNet connections take 2-5 minutes as they need to be recreated in the secondary region.
This architecture provides resilience against multiple failure scenarios: individual component failures are handled automatically, regional failures trigger rapid failover to the secondary region, and even global service issues can be mitigated by having diverse connectivity paths. The investment in redundancy pays off when you need it most.
Comprehensive monitoring and diagnostics are essential for managing Virtual WAN at scale. The diagnostic settings command shown enables all critical log categories with appropriate retention periods. Route tables and gateway logs get 90-day retention for operational troubleshooting, while IKE diagnostic logs get 365-day retention for security and compliance. The metrics are retained for 30 days with full granularity.
The metric alert configuration demonstrates proactive monitoring. Setting alerts for CPU usage above 85% with a 5-minute window and 1-minute evaluation frequency provides early warning before performance impacts occur. The severity 1 classification ensures immediate notification to your action group. Similar alerts should be configured for bandwidth utilization, tunnel counts, and BGP session status.
Connection Monitor setup for end-to-end testing is crucial. The configuration shown tests from a branch router simulator to an Azure application over HTTPS (port 443). The --threshold-failed-percent 5 and --threshold-round-trip-time 100 define acceptable performance parameters. This synthetic monitoring catches issues before users report them.
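As an added example (not from the slide deck), the following Python evaluates both thresholds just described: the metric alert (CPU above 85% over a 5-minute window, evaluated every minute) and the Connection Monitor test (5% failed, 100 ms round trip). The CPU samples and probe results are constructed; the window is aggregated as an average, which is an assumption about the alert's aggregation type.

```python
from statistics import mean

CPU_THRESHOLD = 85.0        # percent, from the slide
WINDOW_MINUTES = 5          # aggregation window
EVAL_EVERY_MINUTES = 1      # evaluation frequency
FAILED_PCT_THRESHOLD = 5.0  # --threshold-failed-percent 5
RTT_MS_THRESHOLD = 100.0    # --threshold-round-trip-time 100

# Constructed per-minute CPU samples (percent) for one gateway, 12 minutes.
CPU_SAMPLES = [40, 45, 50, 95, 60, 70, 88, 90, 92, 94, 91, 89]

# Constructed probe results: (succeeded, round_trip_ms) per test interval.
PROBES = [(True, 42), (True, 48), (False, None), (True, 51), (True, 120),
          (True, 45), (True, 47), (True, 49), (True, 44), (True, 46)]


def evaluate_cpu_alert(samples, threshold=CPU_THRESHOLD,
                       window=WINDOW_MINUTES, every=EVAL_EVERY_MINUTES):
    """Return the minute indexes at which the alert fires.

    At each evaluation the average of the last `window` samples is compared
    with the threshold, so the single spike at minute 3 is averaged away and
    the alert only fires once the high load is sustained."""
    fired = []
    for end in range(window, len(samples) + 1, every):
        if mean(samples[end - window:end]) > threshold:
            fired.append(end - 1)
    return fired


def evaluate_connection_monitor(probes, failed_pct=FAILED_PCT_THRESHOLD,
                                rtt_ms=RTT_MS_THRESHOLD):
    """Return (failed_percent, average_rtt_ms, breached) for one test group.
    Failed probes carry no RTT and are excluded from the RTT average."""
    failed = sum(1 for ok, _ in probes if not ok)
    failed_percent = 100.0 * failed / len(probes)
    rtts = [rtt for ok, rtt in probes if ok]
    avg_rtt = mean(rtts) if rtts else float("inf")
    breached = failed_percent > failed_pct or avg_rtt > rtt_ms
    return failed_percent, avg_rtt, breached


if __name__ == "__main__":
    print(evaluate_cpu_alert(CPU_SAMPLES))          # [9, 10, 11]
    print(evaluate_connection_monitor(PROBES))      # (10.0, 54.666..., True)
```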
The monitoring architecture diagram shows the complete observability stack. Metrics, logs, traces, and flow logs feed into Log Analytics, which serves as the central repository. Application Insights provides application-level telemetry, while Sentinel adds security intelligence. This data drives dashboards, workbooks, and Power BI reports for visualization, and triggers alerts that invoke runbooks and Logic Apps for automated remediation.
The Key Monitoring Metrics table provides actionable thresholds. Gateway health metrics (CPU and memory) above 80% indicate a need for scaling. Connectivity metrics below expected values require investigation. Performance metrics exceeding their baseline by 50% suggest optimization opportunities. Route counts above 10,000 require summarization to prevent routing table exhaustion.
The Troubleshooting Toolkit listed combines native Azure tools for comprehensive diagnostics. Network Watcher provides packet capture and flow verification. Connection Monitor enables continuous testing. Traffic Analytics reveals patterns and anomalies. Azure Monitor centralizes metrics and logs. Resource Health indicates service-level issues. Together, these tools provide visibility into every aspect of your Virtual WAN deployment.
Cost optimization in Virtual WAN can deliver 40-60% savings without compromising functionality. The metric cards show the potential: 40-60% savings through optimization, 30% typical waste from over-provisioning, and 3-6 month ROI timeline. These aren't theoretical - they're based on real customer implementations.
The utilization analysis command queries actual bandwidth usage over a month, returning hourly averages. This data drives rightsizing decisions. The auto-scaling configuration shown implements dynamic scaling between 2 and 10 scale units. The scale-out rule adds 2 units when bandwidth exceeds 1500 Mbps for 15 minutes, while the scale-in rule removes 1 unit when below 500 Mbps for 30 minutes. The asymmetric timing prevents flapping.
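As an added example (not the slide's auto-scaling configuration itself), this Python simulation applies the two rules just described to a constructed per-minute bandwidth series, showing why the asymmetric hold times and step sizes keep the unit count from flapping; the counter-reset behaviour after each action is an assumption of the model.

```python
MIN_UNITS, MAX_UNITS = 2, 10                           # scale-unit bounds
SCALE_OUT_MBPS, SCALE_OUT_MINUTES, SCALE_OUT_STEP = 1500, 15, 2
SCALE_IN_MBPS, SCALE_IN_MINUTES, SCALE_IN_STEP = 500, 30, 1


def simulate(bandwidth_mbps, units=MIN_UNITS):
    """Walk per-minute bandwidth samples and return the unit count after
    each minute.

    A rule fires only when its condition has held for its whole duration;
    any interruption resets that rule's counter, and a scaling action
    resets both counters, so a short burst or dip never changes capacity."""
    above = below = 0
    history = []
    for mbps in bandwidth_mbps:
        above = above + 1 if mbps > SCALE_OUT_MBPS else 0
        below = below + 1 if mbps < SCALE_IN_MBPS else 0
        if above >= SCALE_OUT_MINUTES and units < MAX_UNITS:
            units = min(units + SCALE_OUT_STEP, MAX_UNITS)
            above = below = 0
        elif below >= SCALE_IN_MINUTES and units > MIN_UNITS:
            units = max(units - SCALE_IN_STEP, MIN_UNITS)
            above = below = 0
        history.append(units)
    return history


# Constructed series: a 10-minute burst (too short to fire), a 5-minute
# lull, 15 sustained minutes above 1500 Mbps, then 60 quiet minutes.
SERIES = [1800] * 10 + [800] * 5 + [1800] * 15 + [300] * 60

if __name__ == "__main__":
    history = simulate(SERIES)
    # Scales out 2 -> 4 at minute 29, then in one unit at a time at
    # minutes 59 and 89: [2, ..., 4, ..., 3, ..., 2]
    print(history[28], history[29], history[59], history[89])  # 2 4 3 2
```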
The Cost Breakdown Analysis table reveals where money goes and where to save. Virtual Hubs at $912.50/month for 5 hubs can be reduced to 3 hubs by consolidating low-traffic regions, saving $365/month. VPN Gateways with 20 units costing $5,270.60 can be right-sized to 12 units, saving $2,108.24. ExpressRoute Gateway downsizing from 10 Gbps to 2 Gbps saves $2,920. Local breakout for internet traffic cuts data processing costs in half. Total potential savings: 54% or $6,268.24 monthly.
The cost optimization strategies go beyond simple rightsizing. Gateway monitoring ensures you're not paying for unused capacity. Hub consolidation requires balancing latency requirements with cost. Local breakout for internet traffic is often the quickest win - why pay to backhaul YouTube traffic through Azure? Reserved instances for connected VMs provide predictable discounts. Automated scaling prevents both over-provisioning and under-provisioning. Regular monthly reviews catch configuration drift and orphaned resources.
The key is treating cost optimization as an ongoing process, not a one-time exercise. Set up automated reports showing Virtual WAN costs by component, region, and cost center. Review utilization metrics monthly and adjust scale units accordingly. Implement showback or chargeback to make teams aware of their network costs. Use tags extensively to track resource ownership and purpose.
Remember that the goal isn't minimum cost but maximum value. Sometimes paying for extra capacity provides business value through improved performance or redundancy. The optimization strategies shown help you make informed decisions about where to invest and where to save, ultimately delivering a network that meets business needs at optimal cost.