Optimize Your SD-WAN Solution with Microsoft's Network Using Azure Virtual WAN


One of the hottest topics among cloud adopters is how to seamlessly integrate on-premises hub locations with an ever-expanding cloud presence that carries seemingly unending complexity. How do we connect every branch location with each other, while also connecting to each branch’s local virtual network? A user in Ohio should be able to access US Central and US East cloud networks, as well as Ohio and New York on-premises sites, easily.

Before there was a built-in software-defined networking solution, a jerry-rigged design would have to do. Consider a customer that has firewall endpoints at branch sites, with the money to spend on ExpressRoute for one location. One could imagine a scenario where the customer establishes ExpressRoute or VPN gateway connectivity from the HQ, and then creates IPsec tunnels from each branch firewall back to the HQ to take advantage of the ExpressRoute (or, in the case of just VPN, the advantage of multiple ISP links) to the cloud.


This solution has an obvious shortcoming, and that is resiliency. In a scenario where a natural disaster takes the HQ offline, it would cripple all of the branch locations, neutralizing the usefulness of even having region-based cloud networks to begin with.

Enter Azure Virtual WAN. Having partnered with Microsoft, Vandis can employ the technologies of all the major firewall vendors to offer Azure vWAN. Azure vWAN allows you to leverage Microsoft’s low-latency global backbone to connect branch offices into cloud hubs. This gives organizations the ability to easily connect their on-premises locations into an encrypted network with Microsoft, creating a singular global transit network.

Another advantage of this offering is moving away from ISP-based solutions, which depend solely on the fabric of a single carrier. This is the same resiliency issue present in the previous scenario; if the ISP has outages, the consequences are felt across the whole business. In Azure vWAN, each branch location would be able to leverage its own local carrier, with the option of backup ISP links at each location.

“Our customers are looking for hybrid solutions to affordably connect their branch offices. Whether it is to support POS systems, VDI environments, remote offices, or even different data centers. People are trying to have a low touch solution with superior performance,” said Ryan Young, Vandis’ CTO. “Azure vWAN allows us to deliver a truly global network solution as a cheaper and more effective alternative to current MPLS solutions.”

In effect, the previous example can now robustly route to Azure vWAN instead of relying on a single location, or a single ISP, allowing each branch to act as an autonomous connection site. All of the subnets can also be imported into Azure via BGP, so Azure would have no issue allowing traffic from one subnet at a branch, as well as a seemingly disconnected subnet at the HQ site. This also has the effect of barring certain subnets (let's say a VPN user subnet for contractors) from traversing into the public cloud.
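The subnet-barring point above can be checked before any route is announced. The following is an added example, not Vandis or Microsoft code: it plans which prefixes a branch edge should advertise over BGP when a restricted subnet must stay out of the cloud, including the case where a summary route would silently cover that subnet. All prefixes and names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: prefixes a branch edge might announce, and one
# subnet (a contractor VPN pool) that must not become reachable from Azure.
CANDIDATES = ["10.10.0.0/24", "10.20.0.0/16", "10.20.99.0/24"]
RESTRICTED = ["10.20.99.0/24"]


def plan_advertisements(candidates, restricted):
    """Return (prefixes safe to advertise, findings) as lists of strings."""
    blocked = [ipaddress.ip_network(r) for r in restricted]
    safe, findings = [], []
    for cand in candidates:
        pieces = [ipaddress.ip_network(cand)]
        for r in blocked:
            kept = []
            for p in pieces:
                if p.version != r.version or not p.overlaps(r):
                    kept.append(p)  # unrelated to this restriction
                elif p.subnet_of(r):
                    # Entirely inside the restricted range: never advertise.
                    findings.append(f"{p}: dropped, inside restricted {r}")
                else:
                    # A summary route that covers the restricted subnet would
                    # leak it. Carve the subnet out and keep the remainder as
                    # more specific routes.
                    kept.extend(p.address_exclude(r))
                    findings.append(f"{p}: summary covers restricted {r}, split")
            pieces = kept
        safe.extend(pieces)
    ordered = sorted(set(safe), key=lambda n: (n.version, n))
    return [str(n) for n in ordered], findings


if __name__ == "__main__":
    advertise, notes = plan_advertisements(CANDIDATES, RESTRICTED)
    print("Advertise:", *advertise, sep="\n  ")
    print("Findings:", *notes, sep="\n  ")
```

The branch summary `10.20.0.0/16` is the case to watch: announcing it unchanged would make the contractor pool reachable even though that subnet was never listed for advertisement on its own.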


The Vandis Digital Transformation and Secure Edge teams are already delivering Azure vWAN solutions. With the help of our partners, Vandis has developed a NetDevOps solution with zero-touch provisioning, which allows our teams to handle branch offices around the globe.

When an organization enables Azure Virtual WAN, they can look to Vandis to deliver a managed solution, or they can choose to manage it themselves. In either case, Vandis can provide networking teams with a full-service global SD-WAN solution. For more information on Azure Virtual WAN, and to discuss how Vandis can assist your organization in standardizing your global network, please email cloud@vandis.com or call (516) 281-2200.