Deploying global remote VWAN connectivity with Azure VWAN and Azure VPN

|

Recently, we deployed a global remote and VWAN connectivity solution for our employees using Azure VWAN and Azure VPN.

Microsoft Digital storiesEditor’s note: This is the fifth in an ongoing series on moving our network to the cloud internally at Microsoft. Tap here to read the full series.

In the modern workplace, Microsoft employees access their work from diverse locations. To ensure secure and efficient connectivity to cloud and on-premises resources for our global workforce, we’re adopting Azure Virtual WAN (VWAN) in conjunction with enterprise-scale security solutions.

Our enterprise-scale security solutions are vital in authenticating remote users across Azure and on-premises resources, enabling seamless service-to-service authentication. Our approach creates a more robust and reliable environment by removing interdependencies between network services and physical locations. Through strong authentication enforcement and role-based access control, our security solutions are tailored to support deployments at an enterprise scale.

We’re evolving remote access for our employees by migrating our remote and VPN access infrastructure to a modern, cloud-based solution using Azure VPN and Azure VWAN. Our new solution accommodates evolving security requirements and scales to support the changing demands of our remote workforce. This transition improves our security posture and enhances the overall efficiency of our remote access infrastructure, aligning seamlessly with our commitment to scalable and secure solutions for our global workforce.

Moving to the Azure-based solution allows us to support all remote access users with the Azure VPN client. This unified approach creates a simplified user experience and performs better for remote employees than our previous solution.

Our solution’s core is Azure Virtual WAN, a networking service that combines many networking, security, and routing functionalities to unify Azure and on-premises networking capability into a single operational interface.

Azure VWAN supports site-to-site, point-to-site, and private connections between Azure and on-premises users and resources using ExpressRoute, Azure VPN, Azure Firewall, and advanced routing configuration. The hub and spoke architecture of Azure VWAN provides enterprise scale and performance from cloud-hosted Azure VWAN hubs in Azure regions across the globe. Using the globally distributed Azure public cloud infrastructure, we can quickly deploy a global transit network architecture for our entire enterprise, supporting instant connectivity from the closest Azure VWAN Hub to any on-premises network endpoints.

Using the Azure VPN client and integrated VPN support built into Azure VWAN, our employees connect to the closest regional hub, securely and efficiently integrating them with Azure VWAN and our global corporate network. Currently, Azure VPN is selectively deployed for specific use case scenarios. It doesn’t serve as the default network access now, but its versatility allows for such a role, and we plan to use Azure VPN as the default remote access solution soon.

User traffic flow on Azure VWAN.
Here’s an architecture diagram that shows user traffic flow on Azure VWAN in our hybrid network environment.

Using Azure VWAN and Azure VPN to manage our global network and remote access has resulted in many improvements to our wide area network architecture and the employee experience when using the network.

We’re using infrastructure as code (IaC) to deploy and scale our VPN capacity, enabling us to quickly accommodate and host over 100,000 users. Our ongoing efforts include onboarding all Microsoft employees to Azure VPN.

Protecting intellectual property is paramount for Microsoft. Our solution provides a highly secure environment through Azure VPN, using industry-standard encryption protocols and advanced security features. This ensures that all data transmitted between employees and resources in Azure or on-premises remains confidential and protected from unauthorized access.

Our architecture is designed to scale seamlessly as the user base grows. With the inherent scalability of Azure Virtual WAN, we can accommodate additional users and network resources without compromising performance. This flexibility ensures that Microsoft can support its expanding workforce without sacrificing connectivity or user experience.

Our network build process uses IaC principles to create a highly adaptable, robust, and reliable network environment. Our deployment templates and resource modules—created using the Bicep language—define the desired state of our VWAN infrastructure in a declarative manner. Following Microsoft best practices, we maintain a central Bicep template that invokes distinct modules—also defined in Bicep—to instantiate the necessary resources for deployment. This modular framework allows us to be flexible and accommodate new changes or requirements by applying various deployment patterns. For more information, visit Deploying a VWAN using infrastructure as code and CI/CD.

Our solution offers centralized management and monitoring capabilities, enabling our support ecosystem to manage our VPN infrastructure efficiently. Our security team can easily configure VPN settings and management using Azure Dashboard, allowing them to monitor usage patterns in a smart way. This centralized control ensures streamlined administration and effective troubleshooting.

We design the user experience to maximize productivity. Our solution optimizes network connectivity, relying on a global profile to minimize latency and allow employees to access hosted resources seamlessly from anywhere in the world. This eliminates barriers to productivity and empowers users to collaborate efficiently, irrespective of their geographic location.

Intellectual property protection often involves compliance requirements. Our solution adheres to industry best practices and relevant regulations to ensure that we meet necessary compliance standards. This includes data privacy, access controls, and auditability, providing peace of mind that intellectual property is handled in a secure and compliant manner.

We’re excited about the successful enterprise-scale deployment of our Azure Virtual WAN and Azure VPN-based solution. This deployment increases our ability to safeguard intellectual property while seamlessly supporting the connectivity needs of Microsoft employees. We remain committed to supporting the internal networking needs of Microsoft and ensuring secure and seamless connectivity as our organization grows.

Contact us today to explore how our solutions can help protect your intellectual property, enable remote access at scale, and provide a robust and secure network infrastructure tailored to your organization’s unique requirements.

Key Takeaways

  • Migrate to a cloud-based VPN solution. Transition your VPN and remote access infrastructure to Azure VPN and Azure VWAN for a more scalable and secure remote access solution.
  • Leverage Infrastructure as Code for network management. Adopt infrastructure as code (IaC) using the Bicep language to efficiently manage and scale your network infrastructure, allowing for flexible and rapid deployment.
  • Plan for scalability and user growth. Ensure your network architecture is designed to scale seamlessly with Azure Virtual WAN, accommodating additional users and resources without sacrificing performance.
  • Centralize management and monitoring. Use centralized management and monitoring tools, such as the Azure Dashboard, to efficiently administer VPN settings and manage network usage.

Try it out

Get started with Azure VWAN with routing intent and routing policies at your company.

Related links

We'd like to hear from you!
Want more information? Email us and include a link to this story and we’ll get back to you.

Please share your feedback with us—take our survey and let us know what kind of content is most useful to you.

Recent