End-to-End Connection through Azure Virtual WAN (1) ExpressRoute


    1. What is Azure Virtual WAN?

    [Figure 1] Azure Virtual WAN Architecture

    • A networking service that brings many networking, security, and routing functions together behind a single operational interface
    • Lets you connect to Azure through SD-WAN equipment from a variety of partners
    • Hub-and-spoke architecture with scale and performance built in for branches (VPN/SD-WAN devices), users (Azure VPN/OpenVPN/IKEv2 clients), ExpressRoute circuits, and virtual networks
    • The cloud-hosted network "hub" enables transitive connectivity between endpoints that may be distributed across different types of "spokes"
    • In a Standard Virtual WAN, all hubs are connected in a full mesh

     

    • Secured Virtual Hub
      • An Azure Virtual WAN hub whose security and routing policies are configured through Azure Firewall Manager
      • Provides automated routing, so you do not need to configure your own UDRs (User Defined Routes) to send traffic through the firewall
      • Security partner providers in Azure Firewall Manager let you use a third-party security-as-a-service (SECaaS) offering to protect Internet-bound traffic
      • The supported security partners are Zscaler, Check Point, and iboss

     

    • Virtual WAN types (SKU)
      • Basic : Site-to-Site VPN only
      • Standard : ExpressRoute, P2S VPN, S2S VPN, VNet-to-VNet transit through the virtual hub, Azure Firewall, and so on

     

     

    Reference: Azure Virtual WAN Overview (learn.microsoft.com) - Virtual WAN automated scalable branch-to-branch connectivity, available regions, and partners.

     

    2. Overall architecture of the Lab

    Here is the overall architecture of today's lab

    • Create three virtual hubs in total, one each in the Korea Central, East US, and Japan East regions
    • Connect the ExpressRoute gateway to the virtual hub in the Korea Central region
      • The ExpressRoute circuit lives in a different subscription from the one in which the Virtual WAN is configured
    • Connect the P2S VPN gateway to the virtual hub in the East US region
    • Connect the virtual network to the virtual hub in the Japan East region
    • After completing the configuration, run connectivity and throughput tests between the spoke virtual machines in each region

     

    3. Create Azure Virtual WAN and Configure ExpressRoute connection

    3.1 Create Azure Virtual WAN 

     

     

    • Click the [+ Create] button to create Virtual WAN

     

     

    • Basics Tab 

    Subscription : # Select the subscription to use
    Resource group : rg-vwan-test  # Enter the desired name
    Region : Korea Central # A Virtual WAN is a global resource, but a region is still required for resource management
    Name : vwan-test # Enter the desired name
    Type : Standard # Basic or Standard, see the SKU details above
    • After validation passes in [Review + create], click [Create] to create the Virtual WAN

     

    3.2 Create a virtual hub (Korea Central)

    A virtual hub is a Microsoft-managed virtual network that can contain gateways for S2S VPN, P2S VPN, ExpressRoute, or hub-to-VNet connectivity

    ※ You must have an activated ExpressRoute circuit to perform this step

    • Click the Virtual WAN you created and select [Hubs] in the [Connectivity] blade. Then click the [+ New Hub] button to create a hub

     

    • Basics Tab 

    Region: Korea Central # Select the region to deploy the virtual hub in
    Name: vhub-kr-01 # Enter the desired name
    Hub private address space : 100.0.0.0/24 # Enter the address range of the hub (minimum /24; it must not overlap with any connected VNet or on-premises prefix)
    Virtual hub capacity : 2 Routing Infrastructure Units, 3 Gbps Router, Supports 2000 VMs
    # Sets the minimum throughput of the virtual hub router and the number of virtual machines that can be deployed in virtual networks connected to the hub
    Hub routing preference : ExpressRoute # Selects the route-selection algorithm of the virtual hub router (ExpressRoute, VPN, or AS Path)

     

    • For the Korea Central region we will only connect the ExpressRoute gateway, so move to the [ExpressRoute] tab by clicking the "Next" button

    Do you want to create an ExpressRoute gateway? : Yes
    Gateway scale units : 1 scale unit - 2Gbps
                                        # Defined units of aggregate gateway throughput (select the smallest unit for this lab)

     

    • After validation passes in [Review + create], click [Create] to create the virtual hub
    • Creating a hub with a gateway takes about 30 minutes

     

    3.3 Connect an ExpressRoute Circuit to a Virtual Hub 

    ※ This step requires an active ExpressRoute circuit. (If not, go to step 4)

    • Search for ExpressRoute circuits in the search bar at the top

     

    3.3.1 Create Azure Private Peering

    • In the [Overview] tab, select "Azure private" in the Peerings section

     

    • After entering the required information, click [Save] at the bottom to finish configuring private peering

    Peer ASN : 65001 # Your (customer-side) ASN; a private ASN is fine, but 65515-65520 are reserved by Azure and cannot be used
    IPv4 Primary subnet && Secondary subnet : 10.10.10.0/30 && 20.20.20.0/30 # One /30 each for the primary and secondary links; they must not overlap with your VNet or hub address space
    VLAN ID : 100 # Enter the VLAN ID to use for this peering on the circuit
    Shared Key : # Optional MD5 key for authenticating the BGP session with the Microsoft edge; this is not the authorization key used in 3.3.4 to connect the circuit from another subscription

     

    3.3.2 Create the Virtual Network Gateway 

    After configuring private peering for ExpressRoute, create an ExpressRoute gateway (virtual network gateway) to connect the virtual network to the circuit

     

    • Search for Virtual network gateways in the search bar at the top

     

     

    • Basics Tab

    Name : vgw-er-01 # Enter the desired name
    Gateway type : ExpressRoute
    SKU : Standard # Select the lowest GA SKU for this lab
    Virtual network : vnet-kr-er-01 # Click the [Create virtual network] button and create a new virtual network
    Public IP address : # Select [Create new]
    Public IP address name : pip-ergw-01 # Enter the desired name
    Public IP address SKU : Standard

     

    • Create virtual network 

    Name : vnet-kr-er-01 # Enter the desired name
    Address range : 10.0.0.0/16 # Enter the virtual network address range
    Subnets : snet-vm-01(10.0.0.0/24) # Subnet for the VM that will be reached through the ERGW
                    GatewaySubnet(10.0.1.0/24) # Subnet where the ERGW will be created (the name must be exactly GatewaySubnet; /27 or larger)

     

    • Click the [OK] button to create the new virtual network
    • Once the above configuration is complete, click the [Review + create] button to create the virtual network gateway
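Before clicking [Review + create], it is worth checking the address plan used so far against the constraints Azure enforces, because an overlap or an undersized subnet only surfaces as a failed deployment or a missing route much later. The script below is an added example, not part of the original post and not Azure tooling; it encodes the rules stated in 3.2, 3.3.1 and 3.3.2 (hub space of /24 or larger, one /30 per peering link, no overlap between hub, peering subnets and VNets, a subnet named exactly GatewaySubnet of /27 or larger wherever a virtual network gateway is deployed, and a peer ASN outside the Azure-reserved range 65515-65520) and runs them over the lab's own values. It is written to take any number of VNets, so it also covers the hubs added in later parts of this series. The dataclass names and the `hosts_er_gateway` flag are my own.

```python
import ipaddress
from dataclasses import dataclass, field

# Constraints from Azure documentation for this lab (see the notes in 3.2 and 3.3.1).
AZURE_RESERVED_ASNS = range(65515, 65521)  # 65515-65520 are reserved by Azure
MIN_HUB_PREFIXLEN = 24                     # virtual hub address space must be /24 or larger
MIN_GATEWAY_SUBNET_PREFIXLEN = 27          # GatewaySubnet must be /27 or larger
PEERING_SUBNET_PREFIXLEN = 30              # one /30 per ExpressRoute private-peering link


@dataclass
class VNetPlan:
    name: str
    address_space: str
    subnets: dict = field(default_factory=dict)  # subnet name -> prefix
    hosts_er_gateway: bool = False               # True when a VNG will live in this VNet


@dataclass
class LabPlan:
    hub_prefix: str
    peer_asn: int
    primary_peer_subnet: str
    secondary_peer_subnet: str
    vnets: list = field(default_factory=list)


def validate_lab_plan(plan: LabPlan) -> list:
    """Return a list of human-readable findings; an empty list means the plan passes."""
    findings = []
    net = ipaddress.ip_network

    hub = net(plan.hub_prefix)
    if hub.prefixlen > MIN_HUB_PREFIXLEN:
        findings.append(f"hub {hub} is smaller than the /{MIN_HUB_PREFIXLEN} minimum")

    if not 1 <= plan.peer_asn <= 4294967295:
        findings.append(f"peer ASN {plan.peer_asn} is not a valid 32-bit ASN")
    elif plan.peer_asn in AZURE_RESERVED_ASNS:
        findings.append(f"peer ASN {plan.peer_asn} is in the Azure-reserved range 65515-65520")

    primary, secondary = net(plan.primary_peer_subnet), net(plan.secondary_peer_subnet)
    for label, link in (("primary", primary), ("secondary", secondary)):
        if link.prefixlen != PEERING_SUBNET_PREFIXLEN:
            findings.append(f"{label} peering subnet {link} must be a /{PEERING_SUBNET_PREFIXLEN}")

    # Every block Azure routes between must be disjoint from every other block.
    blocks = [("hub", hub), ("primary peering", primary), ("secondary peering", secondary)]
    for vnet in plan.vnets:
        space = net(vnet.address_space)
        blocks.append((f"vnet {vnet.name}", space))
        if vnet.hosts_er_gateway and "GatewaySubnet" not in vnet.subnets:
            findings.append(f"vnet {vnet.name} needs a subnet named exactly GatewaySubnet")
        subnets = [(name, net(prefix)) for name, prefix in vnet.subnets.items()]
        for name, snet in subnets:
            if not snet.subnet_of(space):
                findings.append(f"subnet {name} {snet} is outside vnet {vnet.name} {space}")
            if name == "GatewaySubnet" and snet.prefixlen > MIN_GATEWAY_SUBNET_PREFIXLEN:
                findings.append(f"GatewaySubnet {snet} is smaller than /{MIN_GATEWAY_SUBNET_PREFIXLEN}")
        for i, (a_name, a) in enumerate(subnets):
            for b_name, b in subnets[i + 1:]:
                if a.overlaps(b):
                    findings.append(f"subnet {a_name} {a} overlaps subnet {b_name} {b}")
    for i, (a_name, a) in enumerate(blocks):
        for b_name, b in blocks[i + 1:]:
            if a.overlaps(b):
                findings.append(f"{a_name} {a} overlaps {b_name} {b}")
    return findings


# The values used in this lab (sections 3.2, 3.3.1 and 3.3.2).
LAB_PLAN = LabPlan(
    hub_prefix="100.0.0.0/24",
    peer_asn=65001,
    primary_peer_subnet="10.10.10.0/30",
    secondary_peer_subnet="20.20.20.0/30",
    vnets=[VNetPlan("vnet-kr-er-01", "10.0.0.0/16",
                    {"snet-vm-01": "10.0.0.0/24", "GatewaySubnet": "10.0.1.0/24"},
                    hosts_er_gateway=True)],
)

if __name__ == "__main__":
    for line in validate_lab_plan(LAB_PLAN) or ["address plan OK"]:
        print(line)
```

Run it once with the lab values (it should report nothing) and again each time a hub or VNet is added; a finding such as "hub ... overlaps vnet ..." means the hub connection will be rejected or traffic will be black-holed, and "peer ASN ... reserved" means the private peering will not be accepted.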

     

    3.3.3 Virtual Network - Create a connection

    • Click the [Connections] tab in the [Settings] blade. Then click the [+ Add] button to create a connection

     

    • After entering the required information, click [OK] at the bottom to create the connection

    Name : conn-er-01 # Enter the desired name
    Connection type : ExpressRoute
    ExpressRoute circuit : er-seoul # Select the ExpressRoute circuit to use

     

    • If the connection is created successfully, its status changes to [Succeeded] as shown below

     

    • With this, the ExpressRoute circuit and the virtual network are connected to each other

     

    3.3.4 Connect a virtual hub to ExpressRoute Circuit

    ① Create the authorization

    To connect the ExpressRoute circuit to a virtual hub in another subscription, the circuit's Resource ID and an authorization key are required

    • Click the [Authorizations] tab in the [Settings] blade, enter a name for the authorization, and click [Save] to generate the authorization key

     

    • Copy the Resource ID and the authorization key for the next step. Each authorization key can be redeemed by exactly one connection, and anyone holding the key together with the Resource ID can attach their own gateway to your circuit, so handle it like a credential rather than leaving it in a shared notepad or ticket

     

    ② Connect the virtual hub to the ExpressRoute circuit using the authorization key

    • Select the virtual hub (vhub-kr-01) and click the [ExpressRoute] tab in the [Connections] blade

     

    • Click [+ Use Authentication Key], enter the copied authorization key and the circuit's Resource ID as the [Peer Circuit URI], and click the [Add] button to proceed with the connection

     

    • When the task completes, the ExpressRoute circuit named er-seoul is shown as connected to the virtual hub, as below

     

    3.4 Verify connectivity to the virtual hub via the route table of the ExpressRoute circuit

    • In the [Overview] tab, click the [•••] button on the right of [Azure private peering], then click [View route table]

     

    • You can see that the virtual hub's address range (100.0.0.0/24) appears in the route table, which confirms that the hub's ExpressRoute gateway is advertising it over the circuit's private peering. Check both the primary and the secondary link; a prefix missing from one of them will disappear, rather than fail over, when the other link goes down
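Reading the route table by eye works for a lab with two prefixes, but the same view is also the place where an unexpected route leaked toward on-premises first shows up. The following Python script is an added example, not part of the original post or of any Azure tooling. It takes rows in the shape the circuit's route table is presented in (the `network`, `nextHop`, `locPrf`, `weight`, `path` fields, as returned per link by `az network express-route list-route-tables`), and checks three things: every expected Azure prefix is learned on both the primary and the secondary link, every learned prefix falls inside an expected block, and every route carries 65515, the ASN of the Azure ExpressRoute gateway and Virtual WAN hub router, in its AS path. The sample table is constructed, not captured from the lab; the next-hop addresses are placeholders, and the last secondary row stands in for a prefix nobody planned for.

```python
import ipaddress

# Prefixes Azure should be advertising over this circuit's private peering in the lab:
# the virtual hub (3.2) and the VNet behind the ExpressRoute gateway (3.3.2).
EXPECTED_AZURE_PREFIXES = ["100.0.0.0/24", "10.0.0.0/16"]
# ASN of the Azure ExpressRoute gateway / Virtual WAN hub router; every route learned
# from the Azure side should carry it in the AS path.
AZURE_GATEWAY_ASN = "65515"

# Constructed sample (not a capture) in the row shape of
#   az network express-route list-route-tables ... --path primary|secondary
# Next-hop addresses are placeholders. The last secondary row models a prefix that
# was never planned for, e.g. a branch advertised through the hub.
SAMPLE_ROUTE_TABLE = {
    "primary": [
        {"network": "100.0.0.0/24", "nextHop": "10.10.10.2", "locPrf": "", "weight": "0", "path": "65515"},
        {"network": "10.0.0.0/16", "nextHop": "10.10.10.2", "locPrf": "", "weight": "0", "path": "65515"},
    ],
    "secondary": [
        {"network": "100.0.0.0/24", "nextHop": "20.20.20.2", "locPrf": "", "weight": "0", "path": "65515"},
        {"network": "10.0.0.0/16", "nextHop": "20.20.20.2", "locPrf": "", "weight": "0", "path": "65515"},
        {"network": "192.168.50.0/24", "nextHop": "20.20.20.2", "locPrf": "", "weight": "0", "path": "65515 65010"},
    ],
}


def check_route_table(route_table: dict, expected_prefixes=EXPECTED_AZURE_PREFIXES) -> list:
    """Return findings for both links; an empty list means every expectation held."""
    findings = []
    expected = [ipaddress.ip_network(p) for p in expected_prefixes]
    for link in ("primary", "secondary"):
        rows = route_table.get(link, [])
        learned = {ipaddress.ip_network(r["network"]) for r in rows}
        # 1. Each expected prefix must be learned on BOTH links; otherwise a link
        #    failure removes reachability instead of failing over.
        for prefix in expected:
            if prefix not in learned:
                findings.append(f"{link}: expected prefix {prefix} not learned")
        for r in rows:
            prefix = ipaddress.ip_network(r["network"])
            # 2. Anything outside the expected blocks is a candidate route leak; keep
            #    it filtered on the on-premises router until it has been explained.
            if not any(prefix.subnet_of(e) for e in expected):
                findings.append(f"{link}: unexpected prefix {prefix} (AS path {r['path']!r}) - "
                                "filter on-premises until explained")
            # 3. A route without the Azure gateway ASN did not arrive via the gateway.
            if AZURE_GATEWAY_ASN not in r["path"].split():
                findings.append(f"{link}: {prefix} has AS path {r['path']!r} without {AZURE_GATEWAY_ASN}")
    return findings


if __name__ == "__main__":
    for line in check_route_table(SAMPLE_ROUTE_TABLE) or ["route table matches expectations"]:
        print(line)
```

With the sample table the only finding is the 192.168.50.0/24 route on the secondary link. In a real run, extend EXPECTED_AZURE_PREFIXES as the other hubs and VNets of this series are connected, since every spoke behind the Virtual WAN will eventually be advertised over this circuit.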

     

     

    Next post: End-to-End Connection through Azure Virtual WAN (2) Point-to-Site VPN - https://sundlscha.tistory.com/5

    (This post: https://sundlscha.tistory.com/4)
