Choose an appropriate scale unit for each gateway type

2.4 Azure Virtual WAN

📘Microsoft Azure Networking Solutions (AZ-700)


Overview

Before we dive into scale units, it’s important to understand what Azure Virtual WAN (VWAN) is:

  • Azure Virtual WAN is a networking service that allows you to connect multiple sites, branches, and users to Azure through a unified hub.
  • A Virtual WAN hub contains gateways that provide connectivity for different types of traffic: site-to-site VPN, point-to-site VPN, and ExpressRoute.

Each gateway type in VWAN has a scale unit, which is essentially the performance and throughput capacity that the gateway can handle. Choosing the right scale unit ensures your network is reliable and performs well.


Azure Virtual WAN Gateway Types

Azure Virtual WAN has 3 main gateway types:

  1. VPN Gateway (Site-to-Site or Point-to-Site)
  2. ExpressRoute Gateway
  3. Firewall Gateway

Each of these gateways has different scale units that impact throughput and supported connections.


1. VPN Gateway Scale Units

Purpose: Connect branch offices, on-premises networks, or remote users to Azure using IPsec/IKE VPN tunnels.

Scale Units:

  • Basic – small workloads, test environments, or a few connections.
    • Max 500 Mbps throughput
    • Max 10 site-to-site VPN connections
  • Standard – moderate workloads or multiple branches.
    • Max 1 Gbps throughput
    • Max 30 site-to-site VPN connections
  • HighPerformance – heavy workloads, many branches.
    • Max 5 Gbps throughput
    • Max 100+ site-to-site VPN connections

Exam Tip: For exam scenarios, match the scale unit with the number of connections and throughput requirement.

Example: If you have 50 branches connecting via site-to-site VPN, Standard is sufficient. For 200 branches or heavy traffic, choose HighPerformance.


2. ExpressRoute Gateway Scale Units

Purpose: Connect your on-premises networks to Azure via a private connection using ExpressRoute circuits.

Scale Units:

  • ExpressRoute gateways are measured in SKU sizes, which determine throughput capacity:
    • Small – up to 1 Gbps
    • Medium – up to 2 Gbps
    • Large – up to 5 Gbps
    • Extra Large – up to 10 Gbps

Important: Each scale unit increases throughput, but also increases cost.

  • Choose Small or Medium for test or dev environments.
  • Choose Large or Extra Large for production workloads with high traffic.

Exam Tip: Always match the gateway SKU to the ExpressRoute circuit speed.

Example: If your ExpressRoute circuit is 2 Gbps, you need at least the Medium scale unit.


3. Firewall Gateway Scale Units

Purpose: Provides security services for Virtual WAN hub traffic using Azure Firewall.

Scale Units:
Firewall gateways have scale units measured in throughput (Mbps/Gbps) and number of rules supported:

  • Small: ~500 Mbps
  • Medium: ~1 Gbps
  • Large: ~2 Gbps
  • Extra Large: ~10 Gbps

Exam Tip:

  • The more traffic and the more rules you have, the higher the scale unit you should choose.
  • Firewall gateways scale automatically, but initial scale unit selection affects performance and cost.

Example: If your hub needs to inspect traffic from 1000+ users and multiple VPN branches, choose Large or Extra Large.


Guidelines to Choose Appropriate Scale Units

  1. Estimate your traffic volume: How many branches, users, or data throughput?
  2. Map to gateway type: VPN, ExpressRoute, or Firewall.
  3. Check the max supported connections/throughput for each scale unit.
  4. Consider cost: Higher scale units cost more. Only choose high scale units if required.
  5. For redundancy: You can deploy multiple gateways if needed, instead of oversizing one gateway.

Exam Tip: The AZ-700 exam often gives scenarios like:

“You need to connect 50 branch offices with 2 Gbps combined traffic to Azure using Virtual WAN.”

  • Step 1: Recognize this as a VPN Gateway or ExpressRoute Gateway scenario.
  • Step 2: Check the scale unit table:
    • VPN Gateway Standard supports 30 S2S connections, 1 Gbps – not enough.
    • VPN Gateway HighPerformance supports 100+ S2S connections, 5 Gbps – suitable.
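
The selection steps above, carried through in Python as an added example (not part of the original guide and not Azure tooling). The tier figures are the ones this page lists for VPN and ExpressRoute gateways; TIERS and choose_tier are names assumed for illustration.

```python
from typing import NamedTuple, Optional


class Tier(NamedTuple):
    name: str
    max_mbps: int
    max_s2s: Optional[int]  # None: the page states no fixed connection ceiling


# Figures copied from this page's lists, ordered smallest (cheapest) first.
TIERS = {
    "vpn": [
        Tier("Basic", 500, 10),
        Tier("Standard", 1000, 30),
        Tier("HighPerformance", 5000, None),  # page lists "100+"
    ],
    "expressroute": [
        Tier("Small", 1000, None),
        Tier("Medium", 2000, None),
        Tier("Large", 5000, None),
        Tier("Extra Large", 10000, None),
    ],
}


def choose_tier(gateway, need_mbps, need_s2s=0):
    """Return (tier name or None, [(rejected tier, reasons), ...])."""
    rejected = []
    for tier in TIERS[gateway]:
        reasons = []
        if need_mbps > tier.max_mbps:
            reasons.append(f"throughput {need_mbps} > {tier.max_mbps} Mbps")
        if tier.max_s2s is not None and need_s2s > tier.max_s2s:
            reasons.append(f"connections {need_s2s} > {tier.max_s2s}")
        if not reasons:
            return tier.name, rejected  # first fit is the cheapest fit
        rejected.append((tier.name, reasons))
    # Nothing fits one gateway: guideline 5, split the load across gateways.
    return None, rejected


if __name__ == "__main__":
    # The exam scenario above: 50 branches, 2 Gbps combined, over VPN.
    name, rejected = choose_tier("vpn", need_mbps=2000, need_s2s=50)
    for tier, reasons in rejected:
        print(f"{tier}: not enough ({'; '.join(reasons)})")
    print("choose:", name)
```
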

Summary Table for Exam

| Gateway Type | Scale Units/Options | Max Throughput | Max Connections / Users | Use Case for Exam Scenarios |
|---|---|---|---|---|
| VPN Gateway | Basic, Standard, HighPerformance | 500 Mbps → 5 Gbps | 10 → 100+ site-to-site VPN | Branch-to-Azure or P2S connections |
| ExpressRoute Gateway | Small, Medium, Large, Extra Large | 1 → 10 Gbps | Circuit-dependent | Private connection to on-prem |
| Firewall Gateway | Small, Medium, Large, Extra Large | 500 Mbps → 10 Gbps | Rule/connection dependent | Hub traffic inspection, security |

Key Exam Strategy: Focus on throughput, connections, and number of users or branches to select the correct scale unit.
