Simplify your WAN with Azure Virtual WAN - Nov 2021

Captions
Hi, I'm Reshmi Yandapalli, very happy to be here today. I'm going to cover how to simplify your wide area network using the Microsoft product Azure Virtual WAN. Like always, we have a ton of content, so I apologize in advance for going very fast. First we'll cover the overview, then we'll cover two partner announcements, followed by Microsoft product announcements. Then we'll touch on some customer use cases and some key takeaways, followed by a bit on pricing, and then we'll wrap it up. So let's get started.

Azure Virtual WAN provides a unified hub-and-spoke architecture for connectivity, security and routing using the Microsoft global backbone. This is network as a service, which provides you these simplified options for connectivity, security and routing. So let's get started here. First you deploy a Virtual WAN, then in it you deploy multiple hubs. You can have various hubs, which are nothing but Microsoft VNets that you deploy in different regions. As you start connecting the different users, we start looking at what kind of users: you can have a remote user connecting, a branch user connecting, a private connectivity or an ExpressRoute user connected, or an SD-WAN user connected. As you start connecting in, these connectivity endpoints in Virtual WAN are the gateways.

Now these gateways have different kinds of features. You can be a small customer and get going, or you could be a huge enterprise customer that could be using Azure Virtual WAN with this hub-and-spoke topology, wherein on the branch side you get scale, and not only on the branch: on the point-to-site or the remote user connectivity, and on the ExpressRoute side, you also get scale. On the branch side you also get the ability to connect SD-WAN connections in, and let's say if you had overlapping branch IPs, then you also can enjoy the NAT functionality on the Azure VPN gateway. On the remote user connectivity, or the point-to-site VPN gateways, you get scale as well as global traffic manager. What that means is, if your user is, let's say, moving around in the globe, they can just download a global WAN profile and they can connect to any region automatically and access your Azure resources. We also support the Microsoft Azure Windows and macOS clients, so these clients can connect in to those point-to-site gateways. On the private connectivity side, ExpressRoute provides private connectivity into the ExpressRoute gateways. Now if you are looking for encryption, you can do IPsec over ER, where the IPsec endpoint is the Azure VPN gateway.

So now that you know about connectivity, what if you wanted to protect your traffic? In Azure Virtual WAN you have the ability to add an Azure Firewall, and in that Azure Firewall you can have multiple security policies. We allow both standard and premium capabilities, and by the way, these Azure Firewalls conceptually are known as the secure hub capabilities. Now let's say you didn't want the Azure Firewall, you just wanted internet breakout policies for third-party systems like iboss, Check Point, Zscaler and so on; you can also do that. And let's say you didn't want the Azure Firewall or the policies, but you wanted your favorite network virtual appliance; you could also deploy that.

Last but not the least, let's say you wanted to have multiple VNets connected and you wanted different kinds of routing. Routing is where Virtual WAN shines. When you deploy a hub, you actually get a router which is 3 Gbps in capacity out of the box. That router is provisioned inside each and every hub. You can have multiple hubs, and every hub comes with its own router. This router enables you the ability to do transit. You can have transit connectivity between VNets, you can have transit connectivity between branches and remote users, you can have transit connectivity between ExpressRoute and SD-WAN users, you can have transit connectivity across any of these spokes, which are VNets, branches, point-to-site users, or ExpressRoute or SD-WAN users. Additionally, we also support advanced routing, so you have the ability to propagate and associate route tables. You also have the ability to do routing intent and BGP peering, which I'm going to talk to you about shortly after. Last, we also have the managed NVA solutions in Virtual WAN. These solutions are third-party or non-Microsoft solutions that are available in the Virtual WAN hub.

Speaking of managed NVA, let's look at the partner ecosystem. First, when Virtual WAN started, we started with the IPsec connectivity. You had all these IPsec CPEs that were out there that would terminate their IPsec connection into the Azure VPN gateway. Then we extended the Virtual WAN to include firewall policies for internet breakout through Check Point, iboss and Zscaler. And then, as we heard our customers, they wanted solutions inside the Virtual WAN hub, and that's how we started this managed NVA program. First we introduced Barracuda, Cisco and VeloCloud VMware SD-WAN, and there are a few other solutions that are coming up soon, but we are super happy to announce today the first NG firewall security solution from Fortinet, as well as the Versa SD-WAN, now available in Azure Virtual WAN. So with that, let's hear from the Fortinet folks.

Hi, I'm Martin Twombly, Principal Cloud Solutions Architect at Fortinet. I'm excited to announce a new solution for IT and security professionals to effortlessly configure networking and security in Azure. You can now deploy Fortinet's market-leading Secure SD-WAN solution into Azure Virtual WAN hubs, and for the first time in the industry this also incorporates all the security capabilities of a next-gen firewall, extending the Fortinet Security Fabric to Azure Virtual WAN and allowing customers to manage security and SD-WAN policies under a single pane of glass. With a few clicks in a managed app, FortiGates are deployed into a Virtual WAN hub. BGP peering dynamically extends Secure SD-WAN capabilities into your VNets. Routing is configured through one-touch configuration from the Azure Virtual WAN portal.

As an example, you might start with a Virtual WAN hub and FortiGate in a single Azure region and connect a few branch offices via SD-WAN to business-critical applications in peered VNets. Now the FortiGate can serve as the zero trust security provider for all VNet-to-VNet, branch-to-VNet and VNet-to-internet communication, scanning all traffic for security concerns. You can further expand to other Azure regions and connect global branch offices. This can be done seamlessly, with all routing and policy configuration managed by FortiManager and Azure Virtual WAN.

Let's zoom in on a primary use case: connecting branches via SD-WAN with NGFW. Here on my branch FortiGate you can see four tunnels going to the FortiGates hosted in Azure Virtual WAN. These are configured via SD-WAN policy, as you see here. Similarly, looking at the view from one of the Azure FortiGates, there are two tunnels going to my branch. Since the FortiGates are load balancing via four active tunnels across two NVAs, scale and high availability are built in, as are all the benefits of FortiGate: application steering, deep packet inspection, malware detection and more. Here you see a custom IPS signature triggering on traffic leaving an Azure VNet for my branch office. For more information on the first combined Secure SD-WAN and next-gen firewall in Azure Virtual WAN, please contact us. Thanks for your time and enjoy the rest of the conference.

Okay, so now we heard from the Fortinet team how they support all the flows. Now let's look at what actually this is like: how does this differ if you were to do it yourself? If you were to go set up your virtual appliance in any cloud, in Azure today, you would have to think about how to configure it, how to provision it, how to manage routing, how to manage the entire life cycle of upgrade, patching, HA, resiliency, support. There's so many things to consider. In Virtual WAN we make it easy. You just need to know what your appliance is and it is just done for you. You have all these options where you can go into the portal and pick the appliance of choice. A managed application is deployed behind the scenes. The router in the Virtual WAN hub speaks BGP with the virtual appliance, so you don't need to worry about any routing, as well as any HA or resiliencies in the setup. You also now no longer need to worry about any kind of support or upgrade or patching, because that all comes with the service. With that said, let's go to the second partner announcement here, from Versa.

Hi everyone, I'm Rohan Ravindranath, Principal Solutions Architect at Versa, and I'm excited to present Versa's offering on Azure Virtual WAN today. Versa delivers SD-WAN, full-stack security and carrier-class routing as a fully integrated solution, and the entire network and security stack of Versa can be actioned in a single pass to optimize TCO. This solution is also natively multi-tenant, application aware and platform agnostic. We are very excited today to announce that Versa SASE is now available within Azure Virtual WAN natively, in private preview. Leveraging this, branch offices now get application-aware smart connectivity to your cloud workloads in Azure. This also guarantees adaptive cloud workload protection for your assets in Azure.

Now let's take a look at this in action. From the Azure Virtual WAN marketplace, select the Versa SASE and vWAN offer and fill out the required parameters. My hub happens to be in West Central US. Notice here that the router IPs are automatically fetched; these will need to be populated in the Versa orchestrator. Now let's log into the Versa orchestrator. Using our workflows, we can go ahead and configure the cluster name, the interfaces, and the routing config that we saw from the Azure portal, and I will also go ahead and select next-generation firewall right out of the box. With this, all the required configuration will be automatically downloaded to the Versa instances in Virtual WAN as part of our zero-touch provisioning process. So in a nutshell, this offer gives you the most optimal way to utilize the Microsoft backbone while blending in network security and application awareness from Versa. For a test drive of Versa in Virtual WAN, please reach out to us through the link on the screen.

Okay, so those were two partner announcements, from Fortinet and Versa, and now let's switch gears to Microsoft product announcements. On the branch VPN side, we now have the ability to do packet capture, so you can set up different filters and you can enjoy packet capture on the Azure VPN gateway in the Virtual WAN hubs. The second feature on the site-to-site VPN is the custom traffic selector. Often we hear from our customers the need to support either a narrow or a wide traffic selector, so now you can enjoy that feature using the custom traffic selectors.

On the remote user connectivity, or the point-to-site VPN, we now have the ability to support remote or on-prem RADIUS servers. Today, if you were to set up a RADIUS server, you would need to do it locally on the hub where your users are coming in. Today, if you had to support remote users, you would have to do it on the hubs where your users are connecting into. Now, with this remote and on-prem RADIUS server, you can enable multiple solutions where you no longer need the RADIUS server to be present in the local hubs.

The next feature is in the routing area. In Azure Virtual WAN you have Azure Firewalls, and with each firewall you have the ability to apply policies, but something that happens magically behind the scenes is all the routing. In the Firewall Manager of Azure Firewall you can set up policies for private traffic and for internet traffic, and what happens behind the scenes is the routing engine kicks in. So now we are super happy to extend this functionality front and center in the Virtual WAN portal as well. You have the ability to set up routing intent and routing policies for any kind of traffic flows, whether it's north-south, east-west, Azure as internet edge, inter-hub, inter-region, whatsoever. Also, we now support branch-to-branch connectivity through the Azure Firewall, in the sense that it will secure your traffic when it's coming from VPN or ExpressRoute branches. Earlier we couldn't do that: if you wanted ExpressRoute-to-ExpressRoute security through Azure Firewall, that was impossible. Now it is. We also, through this routing intent, support a next hop of Azure Firewall or a managed NVA, or a network virtual appliance that's available inside the Virtual WAN hub.

The next routing feature is the ability to BGP peer with the Virtual WAN hub. This is a long-awaited feature that customers have asked us for. With this you can simplify routing. You no longer need to have manual updates to different route tables; you can just simply BGP peer with the Virtual WAN hub, which has the router inside, if your virtual appliance is sitting in a spoke VNet, and enjoy all the routing capabilities.

Last but not the least on the routing side, we have enabled the ability to prefer the hub-to-hub path over an ExpressRoute circuit that's connected to two different hubs. Traditionally you would have an ExpressRoute circuit connected to two different hubs and then have VNet-to-VNet traffic flowing through those MSEEs, or the edge routers. Now those edge routers don't have capacity built in for you. In Virtual WAN hubs we have the router that starts off with 3 Gbps and then scales out and scales in according to the traffic that's moving through it. So with this feature the hub-to-hub path is the default pathway now enabled, and it's soon going to be the default behavior when we GA this feature next year.

Okay, now that we went over our partner and our feature announcements, it's time to look at some customer scenarios and some key takeaways. This is a common question we get, so we thought we'll cover this in this session.

The first customer is a financial customer. They have hundreds of remote users and they're all using on-prem VDI. They had different business applications hosted on-prem. As they started looking at their challenges, they learned that they had challenges with infrastructure management, they had some business continuity issues, and they also needed to look into data security. So when they considered Azure, they moved into a hub-and-spoke topology where, with Virtual WAN, they got any-to-any routing with all their workload in Azure, some of it also on-prem. They were able to set up end-to-end encryption through ER encryption, and they also dramatically improved their reliability and performance. So the takeaway here is: if you are considering a hub-and-spoke topology in Azure, then think about ER encryption if you're using ExpressRoute, and think about custom routing when you're looking at routing or traffic policies for your workloads in Azure.

The second customer base that we touch upon here is the retail customer. We have a retail customer A with hundreds of sites, with about 1500-plus VPN tunnels coming into the Azure VPN gateway. The second customer here had a topology of a primary and a DR region in Europe, and they were primarily using ExpressRoute connectivity coming into Azure. The challenges seemed similar: they had latency issues, they had high costs with dedicated lines, they had a complex design, and they required a lot of manual configuration. When we start looking at the topology, it starts to look like this: multiple VNets or networks, and then you start stitching up the networks, you have hybrid connectivity, on-prem connectivity coming in, trying to access all these resources, and soon it becomes very complicated. So this customer A basically did the same. They set up multiple regions, they set up a bunch of hubs, they set up a bunch of spokes, and they improved their latency, they got ease of use, they got cost efficiency through Virtual WAN site-to-site VPN, and they also improved the efficiency in configuration and management. So the takeaway for this customer was that if you are looking for scale, cost efficiency, cross-region configuration and just ease of management, consider Virtual WAN with regional hubs.

The second customer here basically had a security requirement. They wanted a first-party firewall, so Azure Firewall met all their required security guidelines. They got that, and along with it they also got branch-to-branch connectivity by default. This also helped them simplify the routing and scalability challenges that they had, because as soon as you add another VNet, the automatic routing and the security kicks in, and this just simplified their entire setup. So the takeaway here is: if you're looking for security, think about Azure Firewall, or now you can also think about these network virtual appliances that could be provisioned inside the Virtual WAN hubs. And let's say if you have ExpressRoute connectivity coming in, you could consider different providers to the same hub or the region.

All right, the last customer here is from the services sector. This customer basically provides services to their end users or end customers. They were deployed in six Azure regions; now they have expanded to more. Basically they had a bunch of spoke VNets with a lot of virtual appliances, some for SD-WAN, some for firewall, and the users were all coming to those virtual appliances. The problem they had was there was this route limit with routing, and in order to overcome that we were able to enable the BGP peering capability. So with that, the takeaway here is that if you have a hub and spoke, and if you have a virtual appliance in any spoke that's attached to a Virtual WAN hub, consider BGP peering with the Virtual WAN hub. This way you can not only enjoy all the functionality, you can also simplify the global routing challenges that you may have.

With that, we switch gears to pricing. This is a common question we get from our customers: how do you price it, why do you not have a single price? Well, the answer to that is, if you had a single price then it would be a big number, and because cloud is all about choices, we wanted to provide you some flexible pricing. So let me walk you through how to calculate the pricing.

There are basically two concepts: one is fixed and the other is variable. On the fixed side, let's say you deploy a hub. The hub basically comes with a 3 Gbps router. As soon as you deploy a hub, the 25 cents an hour kicks in. And let's say you have multiple VMs in different spokes that are attached to a Virtual WAN hub; those VMs are routes, and those routes need to be processed by the router. We support up to 2000 VMs across all VNets connected to one single hub, and again, this is one single hub. If you were to extend it, for every thousand VMs we charge an additional 10 cents.

Now you may be thinking, okay, when does the hub data processing kick in? Well, the hub data processing charges kick in when there is traffic flowing through the router, and this is usually the case when you have VNet-to-VNet transit, or maybe you're going to access a VNet in a remote region. That's where the data processing charges kick in. But let's say you had an Azure Firewall in the path; then the firewall charges and the firewall data processing kick in. There is no concept of router data processing. So it's all about flexibility. And let's say you did not want the Azure Firewall, you did not want the router, but you basically wanted to apply some third-party policies through the Azure Firewall Manager; the charge for the hub then is 40 cents an hour. So the whole concept of different use cases comes in, which is where the cost comes in as a fixed or a variable cost.

Now when you're going between the hubs, let's say you're going from US to Australia, or let's say you're going between US to Europe, the inter-region charges come in. There is no concept of in and out charges. It's basically region to region, which is based on source and destination. So if the traffic's going from US to Europe, the charge is different than, let's say, going from US to Australia.

Now let's say you have some connectivity or connections coming in. Basically we don't have a bunch of SKUs; it's just two SKUs: scale unit and connection unit. Scale unit basically implies the capacity of the gateway. Whether it's a VPN gateway or an ExpressRoute gateway, they have some capacity, and for example 500 Mbps is one scale unit, so you pay per hour. And let's say you have multiple connections coming in; depending on the number of connections, you have a connection-per-hour charge. So to keep it simple, it's just scale unit and connection unit. Of course, when you leave Azure, the egress charges kick in, which has got nothing to do with Virtual WAN, and also if you're going between the regions hub to hub, the US-Australia, the US-Europe example, the inter-region charges kick in.

Now let's say you add VNets. When you add multiple VNets to a hub, and you can have multiple hubs in a region, there are connections, right? But we don't charge for the connection unit. The connection unit is free when you are attaching VNets within Azure, because it's all within Azure. But if there is traffic going in and out of a spoke VNet, the VNet peering charges for that spoke VNet kick in. There is no charge for VNet peering on the Azure hub side. But of course, if you're leaving Azure, the Azure egress charges kick in; if the traffic is flowing to a firewall, the firewall data processing kicks in; and if you're going between the regions, the inter-region data transfer charges kick in. These charges are all documented in the Azure bandwidth charge page.

The last one is the virtual appliance. We just learned about the different virtual appliance solutions. Whenever a virtual appliance is deployed, it comes with its own set of compute and storage etc., so for every 500 Mbps we charge for one scale unit, about 25 cents an hour. And for the virtual appliance charge that is specific to the vendor or the ISV or the partner, the marketplace charges apply. Of course, the Azure egress charges and the inter-region charges don't change. This is just to kind of give you an idea of how to compute the charges. So in general you have the fixed charges and you have the variable charges, and depending on your use case you can do the calculation.

So let's summarize. Today we learned about a bunch of announcements. On the connectivity side, we learned about branch or site-to-site VPN's packet capture and custom traffic selectors. On the remote user, or the point-to-site connectivity, we learned about remote RADIUS servers. On the security side, we also learned about routing intent; it enables you to do branch-to-branch traffic inspection through the Azure Firewall. And then on the routing side, we learned about preview features of BGP peering, the inter-hub over ExpressRoute path, and also new solutions from Fortinet and Versa. So Virtual WAN provides you a ubiquitous connectivity, security and routing network as a service using the Microsoft global backbone. If you are looking to simplify your wide area network, consider Virtual WAN. I hope this was useful. Thank you for watching.
Info
Channel: Azure Virtual WAN (vWAN)
Views: 466
Id: UbDt4nL4ze8
Length: 23min 20sec (1400 seconds)
Published: Wed Nov 17 2021