What Is Microsoft's Virtual WAN?


By: Mary Jander

Enterprises are increasingly leveraging cloud services from top public cloud providers in the form of software-as-a-service (SaaS) and infrastructure-as-a-service (IaaS).

This means that the convergence of SaaS and IaaS is driving more traffic into the public cloud networks. Just as importantly, the advent of 5G networking is driving interest in linking public cloud services to mobile applications in a mobile edge cloud. Higher bandwidth, along with the lowest possible latency for applications, is paramount to meeting demands for these trends.

Microsoft has been hitting this trend head-on with Microsoft Azure Virtual WAN. Announced in 2018 and generally released last year, this network option for the vendor’s Azure cloud service is designed to improve throughput, manageability, and security for companies with far-flung global networks.

As its name implies, Microsoft Virtual WAN amalgamates several connectivity options, including ones based on software-defined WAN (SD-WAN) technology. It offers a single operational interface for Azure-based connectivity services such as Azure Virtual Networks (VNets), Azure Point-to-Site and Site-to-Site virtual private networks (VPNs), and Azure’s native ExpressRoute.

Putting in the PoPs

Microsoft’s network consists of PoPs (points of presence), edge sites, and peering locations worldwide. The connections between these many nodes provide very high bandwidth and lower latency than the public Internet.

At this point, there are 160+ Microsoft PoP locations globally, and Microsoft is partnering with over 2,700 Internet service providers (ISPs) to get Microsoft-specific traffic to its PoPs.

With Microsoft Virtual WAN, Microsoft aims to replace customer data center facilities with its own global edge network services. The vendor says customers can obtain faster throughput between thousands of offices connected to the Microsoft Virtual WAN than is possible over the Internet.

Many SD-WAN players are taking advantage of these PoPs by providing a direct connection into the Microsoft Azure cloud, speeding up access to applications.

Virtual WAN Architecture

The architecture of Microsoft Virtual WAN is based on the vendor’s global transit network architecture, comprising a hub-and-spoke connectivity model. In this model, a hub (or PoP) is the central point of the Azure network in a specific region. (As of this writing, there are 58 Azure regions worldwide.)

Virtual hubs (PoPs) are connected over the global Microsoft virtual WAN network, linking various regions in order to facilitate connectivity for subscribers to Microsoft Virtual WAN. Branches can connect to hubs using different connectivity options like ExpressRoute.

This architecture enables connectivity from an end device to any node in a virtual WAN powered by Microsoft. As shown in the figure below, VNets, physical branch sites, remote users, and the Internet are spokes in the Microsoft Virtual WAN model.

Basic Microsoft Virtual WAN Architecture. Source: Microsoft

Devices at customer branch locations can be hooked into Azure Virtual WAN either manually or through gear offered by Microsoft Virtual WAN partners. Partner devices feature configuration management, streamlined operations, and simplified connectivity. You can get a list of virtual WAN partners and locations here.

To enable security and policy control, a Microsoft Virtual WAN hub needs to be equipped with an Azure Firewall. Once this is deployed inside the virtual hub, security and policy control are orchestrated by Azure Firewall Manager. Azure Firewall Manager is the central point for managing routing, global firewall policy, and the governance of third-party Internet security services.

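As an added example (not from the article and not Microsoft's own code), the Bicep template below declares the pattern just described: a Standard Virtual WAN, a virtual hub, and an Azure Firewall deployed into that hub whose rules come from a firewall policy, which is the object Firewall Manager manages. Resource names, address prefixes, the allowed branch-to-application flow and the API version are assumptions.

```bicep
// Added example, not Microsoft's code. Names, prefixes and API version are assumptions.
param location string = resourceGroup().location
resource vwan 'Microsoft.Network/virtualWans@2023-05-01' = {
  name: 'example-vwan'
  location: location
  properties: { type: 'Standard', allowBranchToBranchTraffic: true } // Standard is required for a hub firewall
}
resource hub 'Microsoft.Network/virtualHubs@2023-05-01' = {
  name: 'example-hub'
  location: location
  properties: { addressPrefix: '10.100.0.0/23', virtualWan: { id: vwan.id }, sku: 'Standard' } // prefix assumed
}
// Firewall Manager edits this policy; the firewall in the hub only enforces it.
resource policy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'example-hub-policy'
  location: location
  properties: { sku: { tier: 'Standard' }, threatIntelMode: 'Deny' } // drop known-malicious addresses
}
// Explicit allow list; traffic that matches no rule is dropped by the firewall.
resource rules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: policy
  name: 'DefaultNetworkRuleCollectionGroup'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-branch-to-app-https'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'branch-to-app-443'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '192.168.0.0/16' ]   // branch site ranges (assumed)
            destinationAddresses: [ '10.1.0.0/24' ] // application VNet subnet (assumed)
            destinationPorts: [ '443' ]
          }
        ]
      }
    ]
  }
}
resource firewall 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'example-hub-firewall'
  location: location
  // AZFW_Hub is the hub-integrated SKU (not AZFW_VNet); the policy above supplies its rules.
  properties: { sku: { name: 'AZFW_Hub', tier: 'Standard' }, virtualHub: { id: hub.id }, hubIPAddresses: { publicIPs: { count: 1 } }, firewallPolicy: { id: policy.id } }
}
```

Spoke VNets and branch connections still have to be attached to the hub, and hub route tables pointed at the firewall, for this allow list to actually sit in the traffic path.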
In summary, the core advantages offered by Microsoft Virtual WAN include the following:

  • Automated configuration of interconnected sites, incorporating on-premises devices linked into Azure hubs.
  • Streamlined connection of virtual networks and workloads to Azure hubs.
  • Visibility of end-to-end traffic flows within Azure, allowing for pre-emptive and proactive orchestration.