user-guides

Context: Azure Virtual WAN Integration

Answer:

To connect your customer’s on-premises network to Azure Virtual WAN using an existing ExpressRoute circuit when they provide an activation code:

Receive and Validate the Service Key
- The customer will provide you with an ExpressRoute circuit service key (authorization key) for an existing ExpressRoute circuit.
Create ExpressRoute Gateway in Virtual WAN Hub
- Navigate to your Virtual WAN in the Azure Portal.
- Select the virtual hub where you want to enable ExpressRoute connectivity.
- Create an ExpressRoute gateway (if not already present).
Add ExpressRoute Connection
- In the Virtual WAN hub, go to “ExpressRoute” connections.
- Click “+ Add connection”, enter the authorization key (service key) provided by the customer, configure routing settings.
Validate Connection
- Check that the circuit status shows “Enabled” and “Provisioned”.
- Validate BGP peering is established.

Points to note:

Ensure no overlapping address spaces between on-premises and Azure VNets.
ExpressRoute circuits must be in the same geopolitical region (for standard SKU) or can be global (for premium SKU).
Virtual WAN handles routing automatically between connected networks.

Answer:

To connect your Azure Virtual WAN hub to an existing traditional hub-and-spoke topology using VPN, there are 2 options:

ER Style Diagram

Option 1 (Direct VNet Connection)

Option 2 (Existing VPN Gateway)

Azure Virtual WAN connects via VPN to the existing VPN/ER Gateway in the hub VNet.
On-prem uses ASN (custom, avoid 65515).
This option supports gradual migration without downtime.

Prerequisites:

The existing hub VNet must not have a VPN Gateway or ExpressRoute Gateway.
If a gateway exists, you’ll need to remove it first (this will break existing connections temporarily).

Steps:

If you have an existing VPN Gateway in your hub VNet and want to maintain connectivity during migration:

Set Up VPN Gateway in Active-Active Mode
- Ensure your existing VPN Gateway is configured in active-active mode.
- Note both public IP addresses of the gateway.
Create VPN Sites in Virtual WAN
- In Virtual WAN, go to “VPN sites”.
- Create a new VPN site for each public IP of your gateway.
- Configure the site with:
  - Device vendor information
  - Public IP addresses
  - Private address space (your hub VNet CIDR)
  - BGP settings (avoid using ASN 65515 – reserved for Virtual WAN)
Create Site-to-Site VPN Gateway in Virtual WAN Hub
- Navigate to your Virtual WAN hub.
- Create a VPN Gateway (Site-to-Site) if not already present.
- Specify scale units based on throughput requirements.
Connect VPN Sites to Hub
- Select “VPN (Site to site)” in your Virtual WAN hub.
- Click “Connect VPN sites”.
- Select the VPN sites you created.
- Configure connection settings:
  - Pre-shared key (PSK)
  - BGP settings
  - IPsec/IKE policy if needed
Download VPN Configuration
- Download the VPN device configuration from Virtual WAN.
- Apply this configuration to your existing VPN Gateway.
Verify Connection
- Check connection status in Virtual WAN portal.
- Validate routing propagation.
- Test connectivity between resources.

Points to note:

Address Space: Ensure no overlapping IP ranges between Virtual WAN hub, connected VNets, and on-premises networks.
Routing: Virtual WAN provides automatic route propagation between all connected resources.
Transition Strategy: Using VPN allows you to gradually migrate from traditional hub-and-spoke to Virtual WAN without downtime.
Cost: Consider the cost implications of running both VPN Gateway and Virtual WAN during transition.