The purpose of this article is to help understand the different options available when connecting your network to Azure’s Cloud Computing Services via SD WAN. Enterprise favourite, Microsoft’s Azure offers a plethora of services on four different cloud computing models; infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS) and their serverless model.
On these models services such as networking, storage and Office 365 can be utilised but there are many more capabilities including Azure DevOps for seamless building, testing and deploying of applications and Azure Cosmos DB for a fully managed NoSQL database. With Microsoft investing more than 1 Billion USD annually on cybersecurity and development, it’s apparent why Azure is the corporate favourite. Azure Virtual WAN (VWAN) service lets customers easily create a large-scale branch connected network using the Microsoft global infrastructure. They provide this with a seamless operational interface that connects all their cloud services together.
By 2025, 80% of enterprises will have shut down their traditional data center, versus 10% today.
I don’t completely agree with this as the cost to move and upgrade your entire system is high - we all know there's smaller companies out there still running Windows Server 2008. In my opinion, a hybrid network is the best bet for most organisations, but as more and more vendors pop up with newer solutions, the price is only guaranteed to decline. The importance of selecting the correct SD WAN vendor will help you to simplify your WAN operations and increase performance, reliability and security.
Azure offers two types of VWANs; Basic and Standard. To fully utilise the capabilities of the virtual WAN I would only suggest the standard offering. Where basic only offers site-to-site VPN, standard has the following; ExpressRoute, User VPN (p2s), VPN (s2s), Inter-hub and VNet-to-VNet transiting through the virtual hub, Azure Firewall and NVA in a virtual WAN. Using these you can ensure any user, anywhere, can connect directly to the VWAN, and if configured correctly you should have an any-to-any capability.
For example, a remote user would require a point to site/user VPN connection. Here the user would connect to their nearest point of presence within Azure over the internet. Point to site is needed more than ever with the increase in employees working remotely due to Covid-19.
Next, ExpressRoute is another service provided by Azure that lets you have private, encrypted connections between their data centers and your own infrastructure. This provides advanced security and reliability, plus superior speeds to a typical connection over the internet. Ideally you would have an ExpressRoute connection going from your datacenter/head branch/major location to a point within the Azure network.
Brands such as Barracuda offer network virtual appliances (NVA) in Azure. These provide a range of different features including optimisation of your WANs and added security through firewalls and encryption. Again, all under one seamless user interface which is easily deployable via VM images.
Which SD WAN Azure architecture is best for your business?
Before we dive into the large list of partners you first need to decide how you’re going to connect. Each model ensures seamless connection with the Azure VWAN and there is a choice of four different connectivity architectures to choose from.1. Direct Interconnect Model - SD WAN branch customer-premises equipment has a direct connection to the VWAN via IPsec connections. As long as there is a CPE in each location, any-to-any connections can be made via the SD WAN. This process can be automated, saving companies hours upon hours of troubleshooting tedious IPsec tunnels.
2. Direct Interconnect Model with NVA-in-VWAN-hub - Same as above, but with the capability of connecting a partner’s Network Virtual Appliance (NVA) in your virtual hub. Choosing this allows you to take advantage of each brand's proprietary end-to-end SD WAN capabilities. This is a solid choice if you’re already using the same brand CPEs in your locations. There’s more on NVA and vendors that offer them below.
3. Indirect Interconnect Model - Here the SD WAN branch CPEs are connected indirectly to the VWAN. As the image below shows, there is a virtual CPE deployed in the VNet. With this model the client is responsible for managing the SD WAN NVA.
4. Managed Hybrid WAN Model - Similar to the models above, but this SD WAN architecture and deployment is managed and delivered by the SD WAN provider, for example ANS Group or BT.
Although some of the top industry equipment manufacturers like Juniper and Arista currently aren’t listed, you won't struggle to find a suitable, respected partner.
Which SD WAN vendors are available in Azure?
The following are your options for branch IPsec connectivity:
- Barracuda - Offering their CloudGen Firewall and Secure SD WAN as a single combined solution, their easily deployable systems allows for seamless expansion and protection against threats like malware. Their automatic branch-to-branch, branch-to-Microsoft Azure and active-active IPsec VPNs offerings allow you to replace your MPLS line with a high-performing branch-to-branch network via Azure VWAN. They also offer a nice savings calculator which can be found here. How does Barrcauda connect to Azure? Connection is provided by their GloudGen firewall for automated connectivity to the Azure VWAN in only a few clicks via the marketplace. This allows rapid and secure connections for peace of mind.
- Check Point - Automatically establishing VPN connections into the Azure cloud in a simple and secure way. Offer lower operation costs compared to other vendors, without compromise to support. Good choice if you are an existing Check Point customer as they offer a zero touch, automated service for connecting. How does Check Point connect to Azure? Check Point’s solution for connectivity is using automatically established VPN tunnels (IPsec site-to-site).
- Cisco Meraki - Meraki is usually played as “networking for dummies” because of their heavily GUI based platform. Cisco’s Meraki offers an extremely simple solution. They take pride in their “SD WAN in three clicks” system, which runs on the MX appliances. Meraki are known for their cloud managed systems and powerful dashboards. Using the dashboard you can automatically create VPN routes and manage authentication and encryption protocols. A good, secure, respected system ideal for those smaller organisations looking for a “set it and forget it” solution. How does Cisco Meraki connect to Azure? Branch tunnels directly into the Azure VWAN via IKEv2 IPsec VPN, this is done automatically using the toolkit that Meraki provide.
- Citrix - Citrix and Microsoft have a long-standing partnership and efficiently route traffic to their nearest Office 365 point of entry. Existing customers benefit from multi-cloud integration and WAN optimisation, and enable a more flexible cloud transition. A solid choice if you’re a heavy Office 365/Teams user. These usually put a traditional network under pressure and can slow down aaS applications. Although, no migration tool is offered. How does Citrix connect to Azure? Site-to-site connections with two active IPsec tunnels needed to establish the connection to Azure WAN. Offer automated on-ramp for Azure with a one-click approach using the SD WAN virtual appliance (VPX).
- CloudGenix (Prisma SD WAN) - Arguably the industry’s most complete solution. Allow the combination of MPLS private WANs to create a hybrid network. Reduce manual labour with their automated, lightweight virtual appliances. Already claiming to be the “Industry’s first next-gen SD WAN” they’re all about the numbers. Their Prisma SD WAN is providing an average ROI of 243%, with a 10x increase in bandwidth and 99% reduction in network trouble tickets. Great customer support, pre and post sale. How does Prisma SD WAN connect to Azure? Their CloudBlades platform enables API based branch integration via the CPE.
- Fortinet - Offering advanced SASE security alongside cost effective SD WAN, their FortiGate system offers a secure yet simple global connection to the Azure network. Also have native support for 4G/5G which is superior for future proofing. Powerful SD WAN rules capability that allow you to cater for bespoke systems and monitor the quality and availability of the connections. Their solution provides advanced routing, IPsec and security all in one box. How does Fortinet SD WAN connect to Azure? Utilising dynamic path selection, Fortinet offers branch-to-azure and secure branch-to-branch connectivity.
- HPE Aruba - Upon first look they seem to be a bit more basic compared to other vendors. But their goal is simplifying and automating the process. They still offer the same services as others, including branch-to-branch and branch-to-azure IPsec connections. Best suited for distributed enterprises that are looking for a better understanding of their traffic. Easily enforce policies for WAN, WLAN and LAN on their network management system. How does Aruba SD WAN connect to Azure? With Aruba Cloud Connect, branch gateways establish secure connections with the Azure VWAN using orchestrated IPsec tunnels.
- NetFoundry - Easy to deploy, capability to spin up a WAN in a couple of minutes and without requiring any additional hardware. They provide a software-only connection to Azure VWAN, running off your existing network. Simply add the NetFoundry virtual containerised gateways on the sites that you want to connect. Good for companies familiar with the microservice style deployment. Reliable tool that provides secure and cost efficient integration. How does NetFoundry SD WAN connect to Azure? Software only approach. Using the NetFoundry management console, software-only endpoints are established at each branch which instantly form a connection to the Azure VWAN hub.
- Nuage/Nokia - Provides optimised routing through on premises equipment/users, virtual appliances and the Azure network. API integration allows management of the Azure VWAN environment from the Nuage console. An overly intricate SD WAN solution and is relatively complex to deploy but consequently makes it one of the most capable systems on the market. How does Nuage SD WAN connect to Azure? Nuage Networks Virtualized Network Services (NVS) is their SD WAN 2.0 platform which allows connections to physical branches, data centers and private and/or public clouds.
- Open Systems - One of the only vendors to have a heavy focus on SASE. Ensuring secure branch connections with the capability of thousands of locations that can easily be managed. Top rated support, paired with the robustness of the solution, Open Systems is a good call for those whose main focus is security. But this does come at a premium. How does Open Systems SD WAN connect to Azure? Effortlessly connect to Azure VWAN using Open Systems Security Delivery Platforms (SDPs). Their portal allows engineers to automate and manage IPsec connections.
- Palo Alto Networks - The global cybersecurity leader. Back in April of 2020 they purchased CloudGenix for approximately $420 million. Incorporating the two into the Prisma SD WAN. A great choice. How does Palo Alto SD WAN connect to Azure? Using their Azure Virtual WAN toolkit you can configure the VWAN resources (WANs, Hubs and branch connections via IPsec tunnels.) Once the connection to Azure is established, you are able to automatically spin up new connections and manage the flow of traffic.
- Riverbed Technology - Offering a simple yet powerful approach, Riverbed is enabling fast and secure connectivity between the user and Azure VWAN. They offer a simplified roll out and guarantee reduced equipment and maintenance cost savings. Good use-case example for Riverbed is when GHD merged with North American Conestoga-Rovers and Associates - they needed a quick, cost-effective solution to merge the 3,000 employees and 100 offices. Their SteelConnect solution helped achieve this saving the company nearly $1 million per annum. How does Riverbed SD WAN connect to Azure? SteelConnect allows for fast, secure and reliable connections to the Azure VWAN with automated IPsec tunnels.
- Silver Peak - (Now HPE) Automate connectivity to the Azure VWAN with the highest quality. Offering full integration into Azure provisioning of their EdgeConnect product with the capability to support complex network requirements. A stand out feature they offer is the ability to see both real time and historical charts for packet loss, latency, inbound and outbound throughput and many more. This is normally a paid extra feature, especially with vendors like Cisco. They have real focus on monitoring, quality of service (QoS) and fault avoidance. Great for mass deployment of equipment as they provide templates, ensuring everything is configured correctly. How does Silver Peak SD WAN connect to Azure? Their EdgeConnect system and Silver Peak Unity Orchestrator allow you to build, maintain and troubleshoot connectivity between branches/appliances.
- VMware SD WAN - Gartner leader, VMware continues to set the pace for SD WAN networks and security. Compact in size, flexible, scalable and easy to set up, it's not hard to see why they are one of the top choices. They continue to help customers shift their legacy networks into the cloud. Catering for all organisations and able to scale from small to very large is an excellent service. An extremely powerful monitoring platform with built in detection capabilities, makes management uninterrupted. How does VMWare SD WAN connect to Azure? VMware and Azure have a joint solution called Velocloud. It allows you to simplify the process with their GUI and automate connections between your endpoints and the Azure cloud.
- Versa - Delivering a fully automated and software-based experience connecting into the Azure VWAN. Great features including intelligent traffic steering across the Microsoft backbone. One of the most comprehensive SD WAN vendors with capabilities of delivering both simple and complex solutions, that allow non-expert engineers to create, operate and manage the SD WAN. How does Versa SD WAN connect to Azure? Their Versa Secure SD WAN platform sits on the CPE which allows for branch-to-branch and branch-to-Azure connectivity with features like application-aware traffic routing.
Looking for SD WAN NVA (Network Virtual Appliance)?
Barracuda Networks, Cisco Cloud Service Router (CSR) VWAN and VMware SD WAN in Virtual WAN Hub all offer managed applications that are available to deploy on the VWAN hub. All three offer similar benefits including; added security with next-gen virtual firewalls, optimisation for cloud access (ideal for latency-sensitive applications) and automation of last-mile internet connections. Where Barracuda and Cisco’s offerings are both pay as you go, VMware is a monthly/annual plan which obviously varies on your location and requirements. Azure has plans to incorporate Aviatrix, Citrix and Versa Networks in the near future. If you’re an existing customer of any of these partners it's worthwhile to reach out to them and enquire. These offerings will allow you to best utilise SD WAN and add a layer of future proofing to your organisation.