Deployment Guide for Direct Branch-to-Azure Virtual WAN connections using VMware SD-WAN

Deployment Guide for Direct Branch-to-Azure Virtual WAN connections using VMware SD-WAN


Article ID: 312363


Updated On:


VMware SD-WAN by VeloCloud



This feature is currently in the limited preview stage. The goal is to demonstrate how Branch-to-Azure Virtual WAN connectivity via direct IPsec can be simplified using VMware SD-WAN™ automation. VMware SD-WAN may further enhance the capabilities outlined below in our General Availability launch.


During cloud migration, VMware SD-WAN has heard a common request: connecting remote locations to workloads in Azure in a simple, optimized, and secure way across a myriad of connectivity options. VMware SD-WAN simplifies the connectivity to Azure by providing a fully automated, simple, and intuitive GUI process for connecting remote locations to the Azure cloud.

To meet different deployment scenarios for those who deploy Azure Virtual WAN, VMware SD-WAN has been progressively adding more capabilities to the solution via automation. This guide provides step-by-step instructions for building direct IPsec connectivity from VMware SD-WAN branches to vWAN hubs. While this document focuses on option 1b, option 1a (which focuses on last mile optimization and link aggregation) is covered in Azure Virtual WAN automation via VMware SD-WAN hosted cloud Gateways.




Deployment Steps

The automation workflow will simplify the connectivity from VMware SD-WAN Branch Edges to Azure Virtual WAN. By using the VMware SD-WAN Orchestrator, a user can configure, manage, and troubleshoot SD-WAN branch connectivity to Virtual WAN.


To enable the automation, a few steps are needed. This is a one-time configuration per Azure subscription:
1. Generate Application credentials in Azure for the target subscription and store them on the Orchestrator. For details, see: Prerequisite Azure Configuration
2. Make sure Azure virtual WAN resources are configured. For details, see: Configure Azure Virtual WAN for Branch-to-Azure VPN Connectivity.
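The application credentials created in step 1 are stored on the Orchestrator and used by the automation, so it is worth reviewing what that application is actually allowed to do before handing the secret over. The script below is an added example, not VMware's or Microsoft's code: it takes role assignment records in the shape returned by `az role assignment list` (the `principalName`, `roleDefinitionName` and `scope` fields) and flags assignments that are subscription-wide, that land outside the resource group(s) holding the Virtual WAN, or that use a broad built-in role. The records, subscription id, principal name and resource group name are constructed for illustration; which role the Orchestrator actually requires is not stated on this page, so the findings are items to confirm against the product's requirements, not errors.

```python
"""Review the Azure role assignments held by the application whose credentials
the VMware SD-WAN Orchestrator stores for vWAN automation.

Added example (not VMware's or Microsoft's code). Assumes records shaped like
the output of `az role assignment list`; all values below are constructed.
"""
import json

# Constructed sample: assignments exported for a hypothetical automation
# principal. The subscription id and names are placeholders.
SAMPLE_ASSIGNMENTS = json.dumps([
    {
        "principalName": "sdwan-vwan-automation",
        "roleDefinitionName": "Owner",
        "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
    },
    {
        "principalName": "sdwan-vwan-automation",
        "roleDefinitionName": "Network Contributor",
        "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"
                 "/resourceGroups/rg-vwan-prod",
    },
])

# Built-in roles that grant far more than network configuration.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def scope_level(scope):
    """Classify an ARM scope string as subscription, resource_group or resource.

    /subscriptions/<id>                        -> subscription
    /subscriptions/<id>/resourceGroups/<name>  -> resource_group
    anything deeper                            -> resource
    """
    parts = [p for p in scope.split("/") if p]
    if len(parts) <= 2:
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resource_group"
    return "resource"


def resource_group_of(scope):
    """Return the resource group name embedded in a scope, or None."""
    parts = [p for p in scope.split("/") if p]
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        return parts[3]
    return None


def review_assignments(assignments_json, allowed_rgs):
    """Return human-readable findings for assignments that are broader than
    the resource group(s) holding the Virtual WAN, or that use a broad role."""
    findings = []
    for a in json.loads(assignments_json):
        who, role, scope = a["principalName"], a["roleDefinitionName"], a["scope"]
        level = scope_level(scope)
        if level == "subscription":
            findings.append(f"{who}: '{role}' is granted subscription-wide ({scope})")
        elif resource_group_of(scope) not in allowed_rgs:
            findings.append(f"{who}: '{role}' is granted outside the vWAN "
                            f"resource group(s) ({scope})")
        if role in BROAD_ROLES:
            findings.append(f"{who}: role '{role}' grants more than network "
                            f"configuration; confirm it is required")
    return findings


if __name__ == "__main__":
    for line in review_assignments(SAMPLE_ASSIGNMENTS, {"rg-vwan-prod"}):
        print(line)
```

Run it against a real export by replacing `SAMPLE_ASSIGNMENTS` with the JSON from `az role assignment list` for the automation principal and `{"rg-vwan-prod"}` with the resource group(s) that contain the Virtual WAN. An empty result means every grant is scoped to those resource groups with a non-broad role.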

Configuration Steps

1. On the Orchestrator, create a “Non SD-WAN Destination via Edge” construct under Configure→Network Service. This is configured once per Azure virtual hub.

2. There are two ways to implement direct IPsec automation for the VMware SD-WAN Edge to an Azure Virtual WAN hub.

Profile level automation: This method is for when the user wants to mass configure many branch sites at once. In this method, the automation is triggered through the profile configuration. All branch Edges in the profile inherit the vWAN configuration from the profile, which triggers the automation process to build direct IPsec tunnels to Azure vWAN hubs.

Example: 100 retail stores in a region are using VMware SD-WAN and are assigned to a single profile. Each store’s VMware SD-WAN Edge appliance using this profile inherits all Virtual WAN configuration, and connectivity to the virtual WAN hubs is fully automated.

To configure Profile level automation, please go to step 3.


Edge level automation: In this method, IPsec automation is configured per site. It is useful for customers who have different WAN interface requirements on the VMware SD-WAN Edge appliance.


Example: At branch site A, the Edge has GE1 connected to a public WAN link, while at branch site B, the Edge has GE2 connected to a public WAN link.


To configure Edge level automation, please go to step 4.

3. Configuring Profile level automation: On the Orchestrator, go to Configure→Profile→CloudVPN, enable “Branch to Non SD-WAN Destination via Edge” and select the vWAN hub site created in step 1.

Enable Checkbox: Check this option to have all the branch Edges in the profile create Azure Sites under Virtual WAN configuration in the Azure portal and build IPsec tunnels to vWAN hubs. Any new site added to the profile will automatically inherit the profile configuration and trigger the automation.

Allow All WAN Links: Check this box to have all the branch Edges build IPsec tunnels to vWAN on all available WAN links. Any new public WAN link added on a branch Edge will trigger the automation and build an IPsec tunnel to vWAN.

Note: If the user prefers to customize WAN link selection on a per site basis, "Allow All WAN Links" should remain unchecked. Instead, the user should navigate to Configure→Edge→Device for each site and, under “Branch to Non SD-WAN Destination via Edge”, select the WAN links for that Edge.

4. Configuring Edge level automation: On the Orchestrator, go to the Configure→Edge page, select the site created in step 1 in the service column and add the “Links” that are to be used for the IPsec connection to Azure. When the configuration is saved, automation kicks in to populate the IPsec parameters and initiate the IPsec connection.

These actions can be validated on the VMware SD-WAN Orchestrator:

- The Events page on the Orchestrator displays the progress of the automation.

- Tunnel status is displayed on the Monitor→Edge page by hovering over the Cloud Services icon for a branch Edge.

- The Azure portal reflects the same information.

5. Adding Static Routes: VNet routes are automatically populated on the VMware SD-WAN Edges as the IPsec tunnels come up. The VMware SD-WAN branch routes must be added on the Azure VPN sites for bi-directional communication.

Azure Portal: Go to home>VirtualWAN>VPN Sites>Edit Site
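Step 5 is the one manual routing task in the workflow, and the common way it goes wrong is entering a branch prefix that overlaps the VNet address space the Edge has already learned, which leaves Azure with competing routes for the same destination and return traffic that never reaches the branch. The script below is an added example, not VMware's or Microsoft's code: it takes the LAN prefixes behind each branch Edge and the VNet prefixes learned over the tunnel, collapses the branch prefixes into the shortest list to enter as the site's address space, and separates out any branch prefix that overlaps a VNet. The branch names and all prefixes are constructed sample values.

```python
"""Prepare the address prefixes to enter on an Azure Virtual WAN VPN site
(step 5) and check them against the VNet address space learned by the Edge.

Added example (not VMware's or Microsoft's code). Site names and prefixes
are constructed sample values.
"""
import ipaddress

# Constructed sample: LAN prefixes behind two SD-WAN branch Edges.
BRANCH_LANS = {
    "store-001": ["10.10.1.0/24", "10.10.2.0/24"],
    "store-002": ["10.10.3.0/24", "10.20.0.0/24"],
}

# Constructed sample: VNet address space automatically pushed to the Edges
# once the IPsec tunnels are up.
VNET_PREFIXES = ["10.20.0.0/16", "172.16.0.0/24"]


def site_prefixes(branch_lans, vnet_prefixes):
    """Return (prefixes_to_add, conflicts, invalid).

    prefixes_to_add: collapsed branch prefixes, as strings, to enter as the
                     VPN site's address space in the Azure portal.
    conflicts:       (site, prefix, [overlapping VNet prefixes]) tuples for
                     branch prefixes that overlap the VNet address space;
                     these are left out because Azure would then hold two
                     routes for the same destination.
    invalid:         (site, value) tuples for entries that are not a valid
                     network (for example host bits set, "10.10.1.5/24").
    """
    vnets = [ipaddress.ip_network(p) for p in vnet_prefixes]
    ok, conflicts, invalid = [], [], []
    for site, prefixes in branch_lans.items():
        for p in prefixes:
            try:
                net = ipaddress.ip_network(p, strict=True)
            except ValueError:
                invalid.append((site, p))
                continue
            overlap = [str(v) for v in vnets if net.overlaps(v)]
            if overlap:
                conflicts.append((site, str(net), overlap))
            else:
                ok.append(net)
    # collapse_addresses merges adjacent and contained prefixes and returns
    # them sorted, so the list pasted into the portal is as short as possible.
    collapsed = [str(n) for n in ipaddress.collapse_addresses(ok)]
    return collapsed, conflicts, invalid


if __name__ == "__main__":
    to_add, bad, invalid = site_prefixes(BRANCH_LANS, VNET_PREFIXES)
    print("Enter as VPN site address space:", ", ".join(to_add))
    for site, prefix, overlap in bad:
        print(f"CONFLICT {site}: {prefix} overlaps VNet {overlap}; re-address "
              f"the branch or the VNet before adding it")
    for site, value in invalid:
        print(f"INVALID {site}: {value!r} is not a network prefix")
```

Feed it the real branch LAN prefixes and the VNet prefixes shown on the Edge once the tunnels are up; the first list is what goes into Edit Site, and anything reported as a conflict needs re-addressing rather than a route entry.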

6. Deleting a Tunnel: To delete a tunnel, on the Orchestrator go to the Configure→Edge page, click the “Delete” link and Save Changes. This action triggers the Orchestrator to tear down the tunnel and remove the configuration.


The functionality added with this feature streamlines the configuration process in managing hundreds and even thousands of remote locations. VMware SD-WAN automation removes the complexity and accelerates time to deployment for your enterprise network.

Note: BGP will be added for dynamic route updates in a future release.