
Azure Networking Blog

Combining firewall protection and SD-WAN connectivity in Azure virtual WAN

cynthiatreger
Mar 20, 2025

Virtual WAN (vWAN) introduces new security and connectivity features in Azure, including the ability to operate managed third-party firewalls and SD-WAN virtual appliances, integrated natively within a virtual WAN hub (vhub).

This article will discuss updated network designs resulting from these integrations and examine how to combine firewall protection and SD-WAN connectivity when using vWAN.

The objective is not to delve into the specifics of the security or SD-WAN connectivity solutions, but to provide an overview of the possibilities.


Firewall protection in vWAN

In a vWAN environment, the firewall solution is deployed either automatically inside the vhub (Routing Intent) or manually in a transit VNet (VM-series deployment).

Routing Intent (managed firewall)

Routing Intent refers to the concept of implementing a managed firewall solution within the vhub for internet protection or private traffic protection (VNet-to-VNet, Branch-to-VNet, Branch-to-Branch), or both.

The firewall could be either an Azure Firewall or a third-party firewall, deployed within the vhub as Network Virtual Appliances or a SaaS solution. A vhub containing a managed firewall is called a secured hub.
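As an added example (not code from the original post), the secured-hub configuration in Bicep: an Azure Firewall deployed inside the vhub and a Routing Intent that sends both private and internet traffic through it. The hub name, resource names and API version are assumptions.

```bicep
// Assumed: an existing Standard vhub named 'vhub-demo' in this resource group.
param location string = resourceGroup().location

resource vhub 'Microsoft.Network/virtualHubs@2023-05-01' existing = {
  name: 'vhub-demo'
}

// Firewall policy that holds the inspection rules (left empty here).
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'fwpol-demo'
  location: location
  properties: { threatIntelMode: 'Alert' }
}

// Azure Firewall deployed inside the vhub (AZFW_Hub SKU) makes it a secured hub.
resource azfw 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'azfw-demo'
  location: location
  properties: {
    sku: { name: 'AZFW_Hub', tier: 'Standard' }
    virtualHub: { id: vhub.id }
    hubIPAddresses: { publicIPs: { count: 1 } }
    firewallPolicy: { id: fwPolicy.id }
  }
}

// Routing Intent: the PrivateTraffic policy is what sends all East-West flows
// (VNet-to-VNet, Branch-to-VNet, Branch-to-Branch) through the firewall;
// the Internet policy adds internet protection for spokes and branches.
resource routingIntent 'Microsoft.Network/virtualHubs/routingIntent@2023-05-01' = {
  parent: vhub
  name: 'hubRoutingIntent'
  properties: {
    routingPolicies: [
      {
        name: 'PrivateTraffic'
        destinations: [ 'PrivateTraffic' ]
        nextHop: azfw.id
      }
      {
        name: 'PublicTraffic'
        destinations: [ 'Internet' ]
        nextHop: azfw.id
      }
    ]
  }
}
```

Omitting the PrivateTraffic policy leaves only internet protection, so East-West flows would bypass the firewall.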

For an updated list of Routing Intent supported third-party solutions please refer to the following links:

Transit VNet (unmanaged firewall)

Another way to provide inspection in vWAN is to manually deploy the firewall solution in a spoke of the vhub and to cascade the actual spokes behind that transit firewall VNet (aka indirect spoke model or tiered-VNet design).

In this discussion, the primary reasons for choosing unmanaged deployments are: either the firewall solution lacks an integrated vWAN offer, or it has an integrated offer but falls short in horizontal scalability or specific features compared to the VM-based version.

For a detailed analysis on the pros and cons of each design please refer to this article.

SD-WAN connectivity in vWAN

Similar to the firewall deployment options, there are two main methods for extending an SD-WAN overlay into an Azure vWAN environment: a managed deployment within the vhub, or a standard VM-series deployment in a spoke of the vhub. More options here.

SD-WAN in vWAN deployment (managed)

In this scenario, a pair of virtual SD-WAN appliances are automatically deployed and integrated in the vhub using dynamic routing (BGP) with the vhub router. Deployment and management processes are streamlined as these appliances are seamlessly provisioned in Azure and set up for a simple import into the partner portal (SD-WAN orchestrator).

For an updated list of supported SD-WAN partners please refer to this link.

For more information on SD-WAN in vWAN deployments please refer to this article.

VM-series deployment (unmanaged)

This solution requires manual deployment of the virtual SD-WAN appliances in a spoke of the vhub. The underlying VMs and the horizontal scaling are managed by the customer.

Dynamic route exchange with the vWAN environment is achieved leveraging BGP peering with the vhub. Alternatively, and depending on the complexity of your addressing plan, static routing may also be possible.
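As an added example (not code from the original post), the BGP peering described above expressed in Bicep: the spoke VNet hosting the SD-WAN appliance is connected to the vhub, and the vhub router peers with the appliance so branch prefixes are learned dynamically. The hub name, spoke VNet, ASN and appliance IP are assumptions.

```bicep
param spokeVnetId string               // resource ID of the SD-WAN spoke VNet (assumed)
param sdwanAsn int = 65010             // appliance ASN; must differ from the vhub router ASN 65515
param sdwanNvaIp string = '10.1.0.4'   // private IP of the SD-WAN appliance (assumed)

// Assumed: an existing vhub named 'vhub-demo' in this resource group.
resource vhub 'Microsoft.Network/virtualHubs@2023-05-01' existing = {
  name: 'vhub-demo'
}

// Connect the spoke that hosts the SD-WAN appliance to the vhub.
resource sdwanSpokeConn 'Microsoft.Network/virtualHubs/hubVirtualNetworkConnections@2023-05-01' = {
  parent: vhub
  name: 'conn-sdwan-spoke'
  properties: {
    remoteVirtualNetwork: { id: spokeVnetId }
    enableInternetSecurity: true
  }
}

// BGP peering between the vhub router and the appliance in that spoke:
// branch prefixes advertised by the appliance are injected into the vhub route table.
resource sdwanBgp 'Microsoft.Network/virtualHubs/bgpConnections@2023-05-01' = {
  parent: vhub
  name: 'bgp-sdwan-nva'
  properties: {
    peerAsn: sdwanAsn
    peerIp: sdwanNvaIp
    hubVirtualNetworkConnection: { id: sdwanSpokeConn.id }
  }
}
```

When Routing Intent with private traffic protection is enabled on the same vhub, the branch prefixes learned this way are reached through the firewall, which is what gives Solution 3 its Branch-to-Branch inspection.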

Firewall protection and SD-WAN in vWAN


THE CHALLENGE!

Currently, it is only possible to chain managed third-party SD-WAN connectivity with Azure Firewall in the same vhub, or to use dual-role SD-WAN connectivity and security appliances.

Routing Intent provided by third-party firewalls combined with another managed SD-WAN solution inside the same vhub is not yet supported.

But how can firewall protection and SD-WAN connectivity be integrated together within vWAN?

Solution 1: Routing Intent with Azure Firewall and managed SD-WAN (same vhub)

Firewall solution: managed.

SD-WAN solution: managed.

This design is only compatible with Routing Intent using Azure Firewall, as it is the sole firewall solution that can be combined with a managed SD-WAN in vWAN deployment in that same vhub.

With the private traffic protection policy enabled in Routing Intent, all East-West flows (VNet-to-VNet, Branch-to-VNet, Branch-to-Branch) are inspected.

Solution 2: Routing Intent with a third-party firewall and managed SD-WAN (2 vhubs)

Firewall solution: managed.

SD-WAN solution: managed.

To have both a third-party firewall managed solution in vWAN and an SD-WAN managed solution in vWAN in the same region, the only option is to have a vhub dedicated to the security solution deployment and another vhub dedicated to the SD-WAN solution deployment.

In each region, spoke VNets are connected to the secured vhub, while SD-WAN branches are connected to the vhub containing the SD-WAN deployment.

In this design, Routing Intent private traffic protection provides VNet-to-VNet and Branch-to-VNet inspection. However, Branch-to-Branch traffic will not be inspected.

Solution 3: Routing Intent and SD-WAN spoke VNet (same vhub)

Firewall solution: managed.

SD-WAN solution: unmanaged.

This design is compatible with any Routing Intent supported firewall solution (Azure Firewall or third-party) and with any SD-WAN solution.

With Routing Intent private traffic protection enabled, all East-West flows (VNet-to-VNet, Branch-to-VNet, Branch-to-Branch) are inspected.

Solution 4: Transit firewall VNet and managed SD-WAN (same vhub)

Firewall solution: unmanaged.

SD-WAN solution: managed.

This design uses the indirect spoke model for the firewall, which leaves the vhub free to host the managed SD-WAN in vWAN appliances.

This design provides VNet-to-VNet and Branch-to-VNet inspection. But because the firewall solution is not hosted in the hub, Branch-to-Branch traffic will not be inspected.

Solution 5: Transit firewall VNet and SD-WAN spoke VNet (same vhub)

Firewall solution: unmanaged.

SD-WAN solution: unmanaged.

This design integrates both the security and the SD-WAN connectivity as unmanaged solutions, placing the responsibility for deploying and managing the firewall and the SD-WAN hub on the customer.

Just like in solution #4, only VNet-to-VNet and Branch-to-VNet traffic is inspected.

Conclusion

Although it is currently not possible to combine a managed third-party firewall solution with a managed SD-WAN deployment within the same vhub, numerous design options are still available to meet various needs, whether managed or unmanaged approaches are preferred.

Updated Mar 20, 2025
Version 5.0

1 Comment

  • yjchoi

    Thank you for sharing this amazing article.
    This article has been a great help in designing my Virtual WAN network architecture.