2.4 Azure Virtual WAN
📘Microsoft Azure Networking Solutions (AZ-700)
1. What is Azure Virtual WAN?
Azure Virtual WAN is a networking service in Microsoft Azure that helps you connect:
- Branch offices
- Remote users
- Virtual Networks (VNets)
- ExpressRoute circuits
It provides centralized connectivity using Microsoft’s global backbone network.
Instead of configuring many separate VPN gateways and connections, Virtual WAN allows centralized and automated network management.
2. What is a Virtual WAN SKU?
A SKU (Stock Keeping Unit) defines:
- Feature availability
- Performance limits
- Supported connectivity types
- Advanced capabilities
When you create a Virtual WAN, you must choose a SKU.
There are two SKUs:
- Basic
- Standard
Choosing the correct SKU is important for the AZ-700 exam because many features are only available in the Standard SKU.
3. Virtual WAN Basic SKU
The Basic SKU is designed for simple connectivity requirements.
Features of Basic SKU
- Supports Site-to-Site (S2S) VPN
- Does NOT support:
  - ExpressRoute
  - Point-to-Site (P2S) VPN
  - User VPN
  - Hub-to-hub connectivity
  - Virtual network-to-virtual network (VNet-to-VNet) transit
  - Routing intent
  - Secured Virtual Hub (Azure Firewall integration)
When to Use Basic SKU
In an IT environment:
- A small organization with only branch office VPN connections
- No need for ExpressRoute
- No remote user VPN requirement
- No advanced routing or security requirements
Basic SKU is cost-effective but very limited.
4. Virtual WAN Standard SKU
The Standard SKU is the full-featured version.
It is required for almost all enterprise deployments.
Features of Standard SKU
1. Site-to-Site (S2S) VPN
Connect on-premises networks to Azure.
2. Point-to-Site (P2S) VPN
Remote users can securely connect from laptops or mobile devices.
3. ExpressRoute Integration
You can connect ExpressRoute circuits to the Virtual Hub.
4. VNet-to-VNet Connectivity
Allows communication between VNets connected to the Virtual WAN hub.
5. Hub-to-Hub Connectivity
Connect multiple Virtual WAN hubs across different Azure regions.
6. Global Transit
Allows:
- Branch-to-branch communication
- Branch-to-VNet communication
- VNet-to-VNet communication
7. Routing Intent and Policies
You can control traffic flow:
- Send internet traffic to a firewall
- Send private traffic via ExpressRoute
8. Secured Virtual Hub
Integrates with:
- Azure Firewall
- Third-party Network Virtual Appliances (NVA)
9. BGP Support
Supports dynamic routing using Border Gateway Protocol.
5. Basic vs Standard – Comparison Table
| Feature | Basic | Standard |
|---|---|---|
| Site-to-Site VPN | Yes | Yes |
| Point-to-Site VPN | No | Yes |
| ExpressRoute | No | Yes |
| VNet-to-VNet | No | Yes |
| Hub-to-Hub | No | Yes |
| Branch-to-Branch | No | Yes |
| Azure Firewall Integration | No | Yes |
| Routing Intent | No | Yes |
| Global Transit | No | Yes |
6. Important Exam Concepts
For AZ-700, remember:
1. ExpressRoute Requires Standard SKU
If the question includes:
- ExpressRoute
- High-performance private connectivity
→ Choose Standard
2. Remote User VPN Requires Standard
If users connect using:
- P2S VPN
- Azure AD authentication
→ Must use Standard
3. Multiple Regions = Standard
If you need:
- Hub-to-hub connectivity
- Global branch connectivity
→ Standard SKU is required.
4. Basic SKU is Very Limited
If the scenario only mentions:
- Simple Site-to-Site VPN
- No advanced routing
- No ExpressRoute
- No remote users
→ Basic may be sufficient.
However, in real enterprise environments, Standard is usually required.
7. Real IT Environment Examples
Scenario 1: Small Branch Connectivity
An organization has:
- 3 branch offices
- Each connects to Azure via Site-to-Site VPN
- No ExpressRoute
- No remote user VPN
→ Basic SKU is enough.
Scenario 2: Enterprise Hybrid Network
An organization has:
- ExpressRoute for private connectivity
- Multiple Azure regions
- Remote employees connecting using VPN
- Centralized Azure Firewall inspection
- Need for branch-to-branch communication
→ Must use Standard SKU.
8. Relationship Between Virtual WAN and Virtual Hub
When you create a Virtual WAN:
- You select the SKU.
- You create one or more Virtual Hubs.
- You connect:
  - VNets
  - VPN sites
  - ExpressRoute circuits
Important:
You cannot use advanced hub features unless the WAN is Standard.
9. Cost Considerations
Basic SKU:
- Lower cost
- Limited features
- Suitable for simple deployments
Standard SKU:
- Higher cost
- Full enterprise capabilities
- Required for most production environments
Exam Tip:
If the scenario mentions cost optimization and only simple S2S VPN → Basic may be correct.
10. Migration from Basic to Standard
You can upgrade from Basic to Standard.
However:
- Downgrading from Standard to Basic is not supported.
Exam Tip:
If the scenario mentions future growth or expansion, choose Standard.
11. Key Design Decision Points (Exam-Oriented)
When selecting a SKU, ask:
- Is ExpressRoute required?
- Are remote users connecting?
- Is Azure Firewall integration needed?
- Are multiple hubs or regions required?
- Is branch-to-branch communication required?
- Is dynamic routing required?
If the answer to any of these is YES → Choose Standard.
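Added example (not part of the original guide and not Microsoft tooling): a pre-deployment check that applies the questions above to the resources in an ARM template and reports every Standard-only feature declared under a Basic Virtual WAN. The mapping from ARM resource types to features, the function names and the sample template are assumptions constructed for this illustration.

```python
# Standard-only features (per the comparison table) keyed by ARM resource type; mapping is assumed.
STANDARD_ONLY = {
    "microsoft.network/p2svpngateways": "Point-to-Site VPN",
    "microsoft.network/expressroutegateways": "ExpressRoute",
    "microsoft.network/virtualhubs/routingintent": "Routing intent",
}

def standard_only_features(resources):
    """List the Standard-only features a set of template resources relies on."""
    found, hubs = set(), 0
    for res in resources:
        rtype = res.get("type", "").lower()
        if rtype == "microsoft.network/virtualhubs":
            hubs += 1
        elif rtype == "microsoft.network/azurefirewalls":
            # Only a firewall attached to a hub makes it a secured virtual hub.
            if "virtualHub" in res.get("properties", {}):
                found.add("Azure Firewall integration")
        elif rtype in STANDARD_ONLY:
            found.add(STANDARD_ONLY[rtype])
    if hubs > 1:
        found.add("Hub-to-hub connectivity")
    return sorted(found)

def lint_template(template):
    """Return one finding per Standard-only feature used under a Basic WAN."""
    resources = template.get("resources", [])
    findings = []
    for wan in resources:
        if wan.get("type", "").lower() != "microsoft.network/virtualwans":
            continue
        sku = wan.get("properties", {}).get("type")
        if sku == "Basic":
            findings += [f"{wan['name']}: {f} requires Standard SKU"
                         for f in standard_only_features(resources)]
        elif sku != "Standard":
            findings.append(f"{wan['name']}: SKU not declared explicitly")
    return findings

# Constructed sample template (not from a real deployment).
SAMPLE = {"resources": [
    {"type": "Microsoft.Network/virtualWans", "name": "corp-wan", "properties": {"type": "Basic"}},
    {"type": "Microsoft.Network/virtualHubs", "name": "hub-weu", "properties": {}},
    {"type": "Microsoft.Network/virtualHubs", "name": "hub-eus", "properties": {}},
    {"type": "Microsoft.Network/vpnGateways", "name": "s2s-weu", "properties": {}},
    {"type": "Microsoft.Network/p2sVpnGateways", "name": "p2s-weu", "properties": {}},
    {"type": "Microsoft.Network/azureFirewalls", "name": "fw-hub", "properties": {"virtualHub": {"id": "hub-weu"}}},
    {"type": "Microsoft.Network/azureFirewalls", "name": "fw-vnet", "properties": {}},
]}
```

Calling lint_template(SAMPLE) returns three findings for corp-wan (hub firewall, second hub, P2S gateway); the S2S gateway and the VNet-attached firewall pass because neither is a Standard-only hub feature.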
12. Common AZ-700 Exam Traps
Trap 1:
Question says:
Need centralized connectivity with ExpressRoute and VPN.
Correct Answer → Standard
Trap 2:
Question says:
Only need Site-to-Site VPN for two branches.
Correct Answer → Basic
Trap 3:
Question says:
Must inspect traffic using Azure Firewall in Virtual WAN.
Correct Answer → Standard
13. Final Summary (Must Remember for Exam)
- Virtual WAN has two SKUs: Basic and Standard.
- Basic supports only Site-to-Site VPN.
- Standard supports:
  - ExpressRoute
  - Point-to-Site VPN
  - Hub-to-hub
  - Global connectivity
  - Azure Firewall integration
  - Routing intent
  - Advanced routing
For most enterprise scenarios in AZ-700 questions, Standard SKU is the correct answer.
