WEBVTT 0:00:02.800000 --> 0:00:06.700000 If you have workloads in Azure, particularly if you're running workloads 0:00:06.700000 --> 0:00:10.240000 on virtual machines, there is a very good chance that you're going to 0:00:10.240000 --> 0:00:11.780000 need to connect networks. 0:00:11.780000 --> 0:00:15.800000 Whether those networks are on-premises networks that you're connecting 0:00:15.800000 --> 0:00:19.520000 to virtual networks in Azure, or even connecting virtual networks in Azure 0:00:19.520000 --> 0:00:24.260000 together directly or as part of a larger architecture that is combining 0:00:24.260000 --> 0:00:27.780000 both, which is really typically the case where I've got on-prem, I've 0:00:27.780000 --> 0:00:31.820000 got Azure virtual networks, I've got on-prem in different locations, maybe 0:00:31.820000 --> 0:00:35.740000 different regions, and I need to make the whole thing work. 0:00:35.740000 --> 0:00:40.380000 That is what the Azure Virtual WAN is here to do, is to help you make 0:00:40.380000 --> 0:00:43.200000 that work, and that's what we're going to talk about. 0:00:43.200000 --> 0:00:46.340000 First, we're going to take a look and think about the different Azure 0:00:46.340000 --> 0:00:53.980000 WAN topologies, typical topologies that you'll see in Azure, and what 0:00:53.980000 --> 0:00:56.260000 you would do to set those up. 0:00:56.260000 --> 0:01:01.620000 Then we've got the Azure Virtual WAN, we'll talk about what that is, and 0:01:01.620000 --> 0:01:05.440000 then I'm going to demonstrate a little bit of the Azure Virtual WAN, and 0:01:05.440000 --> 0:01:09.940000 what you would do to configure this component, this resource. 0:01:09.940000 --> 0:01:16.060000 Let's actually start out with thinking about different WAN topologies, 0:01:16.060000 --> 0:01:19.180000 and we're going to just whiteboard this out. 
0:01:19.180000 --> 0:01:23.560000 If we think about what we have, let's say at the very beginning, we've 0:01:23.560000 --> 0:01:31.260000 got an on-prem network, and I'll just label this O-P, and the simplest 0:01:31.260000 --> 0:01:39.480000 thing here, I've got a single virtual network, and we'll just say vNet, 0:01:39.480000 --> 0:01:44.000000 and this is hub. 0:01:44.000000 --> 0:01:49.120000 I've got some virtual machines over here, and then the on-premises running, 0:01:49.120000 --> 0:01:51.500000 it could be client, it could be server, it doesn't really matter, I've 0:01:51.500000 --> 0:01:55.080000 got some virtual machines running here in vNet hub, and I need to connect 0:01:55.080000 --> 0:01:58.260000 these up. Well, there's two fundamental ways that I can connect these 0:01:58.260000 --> 0:02:06.140000 up. One is I can set up a VPN gateway, and establish a VPN tunnel between 0:02:06.140000 --> 0:02:15.720000 these two systems, being a site-to-site. 0:02:15.720000 --> 0:02:23.360000 Also, I could set this up over a private circuit using ExpressRoute, and 0:02:23.360000 --> 0:02:28.420000 go and configure that. 0:02:28.420000 --> 0:02:38.700000 Then I can also set up a typical networking scenario, where I've got a 0:02:38.700000 --> 0:02:49.600000 hub, and I've got multiple spokes, say s1, s2, and s3. 0:02:49.600000 --> 0:02:57.760000 I've got multiple spokes that have their own virtual machines, and now 0:02:57.760000 --> 0:03:02.540000 by default, I've got it set up so that the on-prem can communicate all 0:03:02.540000 --> 0:03:05.900000 the way through to those spokes, and the spokes can communicate to on 0:03:05.900000 --> 0:03:10.080000 -prem, the spokes can communicate to the hub, vice versa, but by default, 0:03:10.080000 --> 0:03:13.460000 the spokes cannot communicate with each other, unless I add some routing 0:03:13.460000 --> 0:03:16.720000 in at the hub. That's great. 
0:03:16.720000 --> 0:03:21.000000 Now, also what often happens is that you'll have probably more than one 0:03:21.000000 --> 0:03:28.460000 virtual network hub and spoke system, probably in potentially different 0:03:28.460000 --> 0:03:41.640000 locations. That is maybe my VNet hub in East US, and then I've got another 0:03:41.640000 --> 0:03:58.460000 hub that's sitting out here in, we'll say North Europe, and the same kind 0:03:58.460000 --> 0:04:04.520000 of thing, and I can set up connectivity between the on-prem and that hub, 0:04:04.520000 --> 0:04:12.320000 but then I also maybe have another on-prem, which is in, I'm just going 0:04:12.320000 --> 0:04:19.600000 to say EU, EU, and I need to hook that up, and maybe I don't actually 0:04:19.600000 --> 0:04:23.380000 really even want to connect those two, instead I want to connect these, 0:04:23.380000 --> 0:04:27.940000 and that is starting to get a little bit complicated. 0:04:27.940000 --> 0:04:29.240000 Now, I can do this. 0:04:29.240000 --> 0:04:33.340000 I don't need a virtual to do this, but what a virtual WAN does is going 0:04:33.340000 --> 0:04:37.780000 to make this whole process easier, and that's kind of the idea. 0:04:37.780000 --> 0:04:43.900000 So this is drawn out fairly quickly, and it's not the only one, but it's 0:04:43.900000 --> 0:04:49.900000 a really common topology, where I've got hub networks in different regions, 0:04:49.900000 --> 0:04:53.880000 I've got my on-premises, often referred to as branch offices that are 0:04:53.880000 --> 0:04:59.540000 connected directly to hub networks over either ExpressRoute or a VPN tunnel, 0:04:59.540000 --> 0:05:04.220000 and then I'm setting up peering relationships and possibly setting up 0:05:04.220000 --> 0:05:09.980000 routing systems, routing tables and network virtual appliances for routing 0:05:09.980000 --> 0:05:12.680000 to kind of make this whole thing work. 
0:05:12.680000 --> 0:05:18.960000 But what I have now, the capability I have now, is to actually use the 0:05:18.960000 --> 0:05:23.560000 Azure Virtual WAN, and that of course is what we're going to talk about 0:05:23.560000 --> 0:05:27.320000 right now, and then we'll take a quick look at it. 0:05:27.320000 --> 0:05:30.540000 So what is the Azure Virtual WAN? 0:05:30.540000 --> 0:05:35.800000 First of all, the Azure Virtual WAN is designed to provide this hub and 0:05:35.800000 --> 0:05:43.520000 spoke topology, but it's going to do it automatically, and in fact, they've 0:05:43.520000 --> 0:05:50.160000 dramatically simplified the process of configuring it with your on-prem 0:05:50.160000 --> 0:06:00.220000 or often referred to as your branch offices, so that WAN component, that 0:06:00.220000 --> 0:06:04.540000 local component that's not in Azure, the manufacturers are working with 0:06:04.540000 --> 0:06:09.280000 Microsoft, so you can completely automate the process of connecting up, 0:06:09.280000 --> 0:06:10.780000 which is fantastic. 0:06:10.780000 --> 0:06:18.520000 Now, with a virtual WAN, you have resources for the virtual WAN that are 0:06:18.520000 --> 0:06:21.920000 similar to the resources that you would have without it, right? 0:06:21.920000 --> 0:06:25.240000 So if I don't have a virtual WAN, I'll have a hub network, and maybe I'll 0:06:25.240000 --> 0:06:27.000000 put things in it, maybe I won't. 0:06:27.000000 --> 0:06:31.340000 I'll have a VPN gateway set up, maybe I won't, I'll have ExpressRoute, 0:06:31.340000 --> 0:06:35.420000 I have the same kinds of things in the Virtual WAN, except these resources 0:06:35.420000 --> 0:06:38.380000 are specific to the Virtual WAN, right? 0:06:38.380000 --> 0:06:41.840000 So in terms of the types of resources, of course, if I have a virtual 0:06:41.840000 --> 0:06:45.440000 WAN, well, I have a virtual WAN, so we have that, okay? 0:06:45.440000 --> 0:06:47.340000 There's also this concept of a hub. 
0:06:47.340000 --> 0:06:50.760000 Now, the hub is a virtual network, but this hub is completely managed 0:06:50.760000 --> 0:06:56.280000 by Microsoft, and really the point of the hub is to facilitate the communication, 0:06:56.280000 --> 0:07:03.680000 and you've got a hub, virtual network connection, so I can connect to 0:07:03.680000 --> 0:07:05.740000 between virtual networks. 0:07:05.740000 --> 0:07:10.740000 I've got a hub to hub connection, as well as, not listed here, but VPN 0:07:10.740000 --> 0:07:14.240000 connection and an ExpressRoute connection, okay? 0:07:14.240000 --> 0:07:17.360000 All of those are set up within the virtual WAN, okay? 0:07:17.360000 --> 0:07:22.440000 You can also, well, it's kind of embedded in-site, you can also set up 0:07:22.440000 --> 0:07:24.100000 a hub route table. 0:07:24.100000 --> 0:07:27.000000 So, you know, you're going to get automatic routing, but if you need additional 0:07:27.000000 --> 0:07:30.600000 routing, maybe, for example, you're using forced tunneling, you can go 0:07:30.600000 --> 0:07:35.540000 ahead and set that up and set up a route table with custom routes in the 0:07:35.540000 --> 0:07:39.740000 hub network. Again, you're not managing the hub network, but there are 0:07:39.740000 --> 0:07:41.200000 some interactions, okay? 0:07:41.200000 --> 0:07:46.040000 The site is what's going to allow you to connect up via either a VPN gateway 0:07:46.040000 --> 0:07:49.800000 or via ExpressRoute, okay? 0:07:49.800000 --> 0:07:52.200000 And what I'm going to do is, and I'm not going to show you absolutely 0:07:52.200000 --> 0:07:56.960000 everything that's in the virtual WAN, but I'm going to touch on the points. 
0:07:56.960000 --> 0:08:01.440000 I don't currently, right at the moment, have a gateway set up to connect 0:08:01.440000 --> 0:08:04.580000 to, but that's not really critical because the process would be the same 0:08:04.580000 --> 0:08:08.600000 as the process of connecting up to an on-prem VPN gateway. 0:08:08.600000 --> 0:08:14.180000 A little actually simplified because you do get some, at least a script, 0:08:14.180000 --> 0:08:18.060000 if not full automation from different manufacturers. 0:08:18.060000 --> 0:08:21.540000 All right, let's go ahead, though, and let's go ahead and just take a 0:08:21.540000 --> 0:08:26.880000 look at provisioning and configuring a virtual WAN. 0:08:26.880000 --> 0:08:30.700000 Now, the process takes a little while, so this is going to be a bit of 0:08:30.700000 --> 0:08:32.600000 what I like to call cooking show demo. 0:08:32.600000 --> 0:08:35.080000 I'll show you the process that you go through to provision it. 0:08:35.080000 --> 0:08:36.440000 I've already provisioned one. 0:08:36.440000 --> 0:08:41.360000 I'll show you the process that you would go through to add a hub, but 0:08:41.360000 --> 0:08:44.780000 already have a hub because that takes a pretty good long time to provision. 0:08:44.780000 --> 0:08:50.480000 And I'll explain why during the demo, but let's go ahead and march into 0:08:50.480000 --> 0:08:58.840000 this. Okay, I am in my Azure portal, and if I wanted to provision a virtual 0:08:58.840000 --> 0:09:06.120000 WAN, go in here and virtual WAN, which happened to be the last thing I 0:09:06.120000 --> 0:09:09.440000 provisioned and create. 0:09:09.440000 --> 0:09:13.620000 This process, really pretty simple. 0:09:13.620000 --> 0:09:18.000000 I've got a subscription, a resource group, where it's going, the name, 0:09:18.000000 --> 0:09:21.100000 and the type. There's two types, standard and basic. 0:09:21.100000 --> 0:09:33.640000 Since I'm here, do a quick look at pricing. 
0:09:33.640000 --> 0:09:41.040000 And that distinction between the standard and basic. 0:09:41.040000 --> 0:09:46.560000 So now, if you've got a standard virtual WAN hub, it's 25 cents per hour, 0:09:46.560000 --> 0:09:53.740000 per hub. You're going to scale for site-to-site connections, and you've 0:09:53.740000 --> 0:10:01.720000 got 36 cents per 500 megabits per second scale unit, plus 36 cents per 0:10:01.720000 --> 0:10:04.560000 hour, that would be per second, would be a bit much. 0:10:04.560000 --> 0:10:07.920000 5 cents per hour per connection. 0:10:07.920000 --> 0:10:11.920000 If you go up point-to-site, you see that, and ExpressRoute, you see those 0:10:11.920000 --> 0:10:15.360000 numbers as well. 0:10:15.360000 --> 0:10:20.740000 Okay? And that is all with the standard now. 0:10:20.740000 --> 0:10:26.840000 The standard, there is a basic, and the difference with the basic, you 0:10:26.840000 --> 0:10:28.620000 can actually find out here. 0:10:28.620000 --> 0:10:34.480000 Standard gives you site-to-site, VNet connection, ExpressRoute, and 0:10:34.480000 --> 0:10:39.500000 point-to-site users, as well as cross-hub connectivity in the same virtual 0:10:39.500000 --> 0:10:42.700000 WAN. So I can have hubs in different locations. 0:10:42.700000 --> 0:10:45.500000 ExpressRoute to ExpressRoute is only supported through ExpressRoute 0:10:45.500000 --> 0:10:50.360000 Global Reach. Basic virtual WAN supports fewer connectivity options, basically 0:10:50.360000 --> 0:10:56.980000 just VPN. But we go with standard, and then I would review and create, 0:10:56.980000 --> 0:10:58.600000 I don't think I gave it a name. 0:10:58.600000 --> 0:11:00.680000 Yeah, I didn't give it a bunch of stuff. 0:11:00.680000 --> 0:11:06.840000 So DM, because I'm not going to create it, and then it would check that, 0:11:06.840000 --> 0:11:09.160000 and then it's going to let me create, but again, I'm not going to click 0:11:09.160000 --> 0:11:14.980000 that button. 
Because I already have one, so let's take a look at this. 0:11:14.980000 --> 0:11:20.120000 Here is my existing virtual WAN. 0:11:20.120000 --> 0:11:26.280000 Now at the top, there's really not that much, go to configuration, and 0:11:26.280000 --> 0:11:32.740000 because this is standard, and once it's standard, you can't shift it back, 0:11:32.740000 --> 0:11:35.080000 you can go from basic to standard. 0:11:35.080000 --> 0:11:41.420000 Hub to hub is enabled, and branch to branch is enabled, and VNet to VNet 0:11:41.420000 --> 0:11:43.520000 through the hub is also enabled. 0:11:43.520000 --> 0:11:47.620000 So it's basically supporting all of these options. 0:11:47.620000 --> 0:11:53.620000 Now if I go to my hubs, I have one hub, quick hub, which if we're being 0:11:53.620000 --> 0:11:56.660000 honest, was not actually an accurate description of that, because it took 0:11:56.660000 --> 0:11:58.700000 a while for that to provision. 0:11:58.700000 --> 0:12:02.800000 Now if I was going to create another hub, I could create another hub, 0:12:02.800000 --> 0:12:10.280000 possibly put this in a different location, maybe say North Europe, give 0:12:10.280000 --> 0:12:21.440000 this a name of hub North Europe, so not particularly creative, and we'll 0:12:21.440000 --> 0:12:25.300000 give this 10.20.0.0 0:12:25.300000 --> 0:12:32.440000 /16. So that's a private address space for the hub itself, and then when 0:12:32.440000 --> 0:12:35.460000 I'm setting up the hub, the next thing I'm going to do is say, okay, what 0:12:35.460000 --> 0:12:36.900000 are we going to allow? 0:12:36.900000 --> 0:12:39.720000 Are you going to allow this hub to have site to site? 0:12:39.720000 --> 0:12:45.460000 Yes. Now if you do allow it site to site, you have to then specify what 0:12:45.460000 --> 0:12:47.900000 your gateway scale units are. 0:12:47.900000 --> 0:12:50.320000 So I could scale one scale unit. 0:12:50.320000 --> 0:12:54.180000 Next would be point to site. 
0:12:54.180000 --> 0:12:59.880000 If you allow point to site, of gateway scale units plus, you set up a 0:12:59.880000 --> 0:13:06.860000 point to site configuration, where for example, you would specify a certificate, 0:13:06.860000 --> 0:13:11.060000 or RADIUS, or if you're using Azure Active Directory, you can set that 0:13:11.060000 --> 0:13:14.560000 up, but I'm not using any of those, so I'm not going to actually enable 0:13:14.560000 --> 0:13:19.380000 this. ExpressRoute, if you've got ExpressRoute, I can turn that on, 0:13:19.380000 --> 0:13:22.500000 set the gateway scale units for ExpressRoute. 0:13:22.500000 --> 0:13:25.240000 But I'm not going to do that. 0:13:25.240000 --> 0:13:31.100000 If I want custom routing, I can put that in as well, and then I could 0:13:31.100000 --> 0:13:39.040000 go to tags, and I can review and create, and then simply click create, 0:13:39.040000 --> 0:13:43.500000 and it's going to tell you, creating a hub with a gateway will take 30 0:13:43.500000 --> 0:13:47.360000 minutes, which that would be a really boring demo, so we're not going 0:13:47.360000 --> 0:13:51.920000 to do that. Instead, I'm going to go back, so I've already got a hub. 0:13:51.920000 --> 0:13:55.340000 The next thing I can do is set up VPN sites. 0:13:55.340000 --> 0:14:00.700000 So I could go in and I could create a site. 0:14:00.700000 --> 0:14:06.140000 This would be connection to some VPN somewhere. 0:14:06.140000 --> 0:14:08.680000 All right, I'm going to put this in the East US. 0:14:08.680000 --> 0:14:15.260000 The name of this would be to branch. 0:14:15.260000 --> 0:14:24.380000 Now, the device vendor, that could be, for example, Cisco, if I'm using 0:14:24.380000 --> 0:14:28.580000 BGP, which I probably would be, I could enable BGP. 0:14:28.580000 --> 0:14:35.160000 I'm going to connect this to a hub, and then links. 0:14:35.160000 --> 0:14:37.200000 I have to give the link detail. 
0:14:37.200000 --> 0:14:45.820000 All right, so link, demo, provider name, those speed. 0:14:45.820000 --> 0:14:48.280000 What's the lowest I can go there? 0:14:48.280000 --> 0:14:56.200000 50. IP address, since I don't actually have it, we'll put in that. 0:14:56.200000 --> 0:15:01.060000 A BGP address. Please do not use that. 0:15:01.060000 --> 0:15:05.640000 And then ASN, or many I need to put there. 0:15:05.640000 --> 0:15:06.640000 Oh, there we go. 0:15:06.640000 --> 0:15:10.440000 Too many. There we go. 0:15:10.440000 --> 0:15:13.180000 All right, and then I can review and create that. 0:15:13.180000 --> 0:15:16.680000 And so what that's going to do, it's going to give me a link that I can 0:15:16.680000 --> 0:15:18.640000 set up connectivity to. 0:15:18.640000 --> 0:15:20.620000 And I'm not going to set this link up now. 0:15:20.620000 --> 0:15:23.100000 That's how you go about doing it. 0:15:23.100000 --> 0:15:28.480000 Okay. Next down the line here, user VPN configurations. 0:15:28.480000 --> 0:15:33.500000 Okay. Now I didn't set this up initially, but I could set this up now. 0:15:33.500000 --> 0:15:39.000000 All right, configuration name, demo, tunnel type. 0:15:39.000000 --> 0:15:45.520000 All right, don't OpenVPN, IKEv2, OpenVPN and IKEv2. 0:15:45.520000 --> 0:15:47.520000 Okay, we say OpenVPN. 0:15:47.520000 --> 0:15:48.680000 How do I want to authenticate? 0:15:48.680000 --> 0:15:53.900000 If I go to IKEv2, I can only authenticate via Azure certificate 0:15:53.900000 --> 0:15:57.540000 or RADIUS. I can't use Azure AD. 0:15:57.540000 --> 0:16:04.360000 If I do both, it's still limited to that. 0:16:04.360000 --> 0:16:05.620000 All right, and then it's the same thing. 0:16:05.620000 --> 0:16:08.260000 So if I've got a certificate, I would put the certificate information 0:16:08.260000 --> 0:16:11.920000 in here. There's lots of information on how to create that. 
0:16:11.920000 --> 0:16:14.460000 It's really outside the scope of this. 0:16:14.460000 --> 0:16:20.300000 And next I would go ExpressRoute circuits. 0:16:20.300000 --> 0:16:24.560000 Okay. Now in order to do that, I would have to have an authorization key, 0:16:24.560000 --> 0:16:26.100000 which I don't have. 0:16:26.100000 --> 0:16:29.760000 I can redeem an authorization key, set up a peer circuit, all of that 0:16:29.760000 --> 0:16:34.820000 would have to be set up in advance through your ExpressRoute provider. 0:16:34.820000 --> 0:16:38.700000 The one thing I can do is virtual network connections. 0:16:38.700000 --> 0:16:42.640000 Okay. And in fact, right now I've got one virtual network connection. 0:16:42.640000 --> 0:16:45.540000 That's an internal VNet. 0:16:45.540000 --> 0:16:48.720000 Add another one. 0:16:48.720000 --> 0:16:58.620000 Public VNet hubs, quick hub. 0:16:58.620000 --> 0:17:04.700000 So there's group VWAN, virtual network, public. 0:17:04.700000 --> 0:17:10.240000 Okay. And okay. All right. 0:17:10.240000 --> 0:17:15.200000 And so now once that's created, I'm going to have two spoke virtual networks 0:17:15.200000 --> 0:17:22.000000 connected up to my virtual WAN, and then you would of course set up VPN 0:17:22.000000 --> 0:17:26.000000 sites or ExpressRoute circuits so that you're going to allow connectivity 0:17:26.000000 --> 0:17:32.640000 in from your branches or your on-prem, whatever you want to call them. 0:17:32.640000 --> 0:17:38.160000 But that's really the process of setting up and using a virtual WAN. 0:17:38.160000 --> 0:17:41.980000 Keep in mind that it does cost money, but the idea is to really simplify 0:17:41.980000 --> 0:17:46.420000 the process. 
So you're managing all this as one resource rather than provisioning 0:17:46.420000 --> 0:17:52.420000 different virtual networks and hubs and spokes and setting up the peering 0:17:52.420000 --> 0:17:57.660000 and setting up the gateway, whether it's virtual network gateway, a VPN 0:17:57.660000 --> 0:18:00.440000 gateway or an ExpressRoute gateway. 0:18:00.440000 --> 0:18:06.380000 All of that is really being combined for you kind of at the platform level. 0:18:06.380000 --> 0:18:10.280000 And it's really an infrastructure concept, but they're doing so much. 0:18:10.280000 --> 0:18:12.860000 It kind of counts platform as well. 0:18:12.860000 --> 0:18:13.760000 So there you go. 0:18:13.760000 --> 0:18:14.980000 That is the virtual WAN.