vWAN for SDWAN and Firewall - critical design

Many thanks @ChaitanyaNaykodi-MSFT
however still the idea not very clear for me.
i will go through your response one by one:
1-thanks for confirming the pricing statment
2-As per my understanding from the architectures shared above I think OPTION 2: using same vHUB for the SDWAN NVA and standalone firewall will not be possible due to the limitation below
Zein: clear and understood.
3-Before I answer any questions related to Option1. Have you considered deploying the architecture as described here with BGP peering feature of VWAN.
Zein: this is not helping in my case, as it use SDWAN NVA in service vnet (or transient vnet), however the SDWAN NVA in the vHub can be automated from the SDWAN controllers , which deploy the vHub automatically.
so the need for SDWAN vHub is mandatory,
the Firewall NVA can be installed in service vNet (not recommended but still OK)

so the solution you shared is not option.

4-now the remaining option 1 is either
Option1.1: using another vHub for the Firewall NVA

same questions:
Opt1 Q1-East west traffic vnet1< -- > vnet2 is not passing via Firewall (vFG), yes/no?

Opt1 Q2-East west traffic vnet1< -- > vnet3 is not passing via Firewall (vFG) , Yes/no?

Opt1 Q3-What can be done to make East west traffic vnet1< -- > vnet2 pass via the Firewall (vFG)?

Opt1 Q4-North South traffic vnet1 < -- > on-premises (SDWAN):



Case1: no public IP for the Firewalls WAN - Firewall at vHubX1 no need to access internet.

How traffic from vNet1 can access SDWAN and pass via Firewall?
in this topology, the traffic will go to the vHubX1 routing units and will use the full mesh to the vHubX2 routing units (BGP , AS path 65520 65520) and reach the SDWAN NVA, without passing via the Firewalls?



Case2:public IP for the Firewalls WAN – Firewalls at vHubX1 will access internet.
same question as case1

How traffic from vNet1 can access SDWAN and pass via Firewall?
in this topology, the traffic will go to the vHubX1 routing units and will use the full mesh to the vHubX2 routing units (BGP , AS path 65520 65520) and reach the SDWAN NVA, without passing via the Firewalls?



Opt1 Q5- intent routing can help or not? the main issue with intent routing it enforce all 
private IPs (RFC1982) to go through the firewall, however the target is selective:
e.g. vnet1 to vnet3 no firewalling, but vnet1 to sdwan use firewall




Opt1 Q6-for the North south traffic mentioned in question 4, the traffic will pass via vHubX1 and then vHubx2(both in same region), but i understand that Azure billing for vHub is consider the processing data, so this will make double pricing, e.g. data of 10TB per month processed in vHubX1 and vHubX2 is double price the 10TB per month processed in vHubX1 only (if no vHubX2 at all)?

Option1.2: using Transient vnet for the Firewall NVA:
does it help ? and how it can be better than dedicated vHub for the Forewall NVA?

@ZEIN Ahmed OBS/S EUR

Thank you for getting back and sharing additional details.

Regarding Option 1.1

Based on your questions above.

Opt1 Q1-East west traffic vnet1< -- > vnet2 is not passing via Firewall (vFG), yes/no?

Yes, the traffic will go through the Firewall (vFG). From your question above you had mentioned about using Checkpoint or FortiGate firewalls. As mentioned here these Virtual Appliances can be used to inspect all North-South, East-West, and Internet-bound traffic.

Opt1 Q2-East west traffic vnet1< -- > vnet3 is not passing via Firewall (vFG) , Yes/no?

Yes, similar to the point above. If you wish to not send the traffic via NVA for this East west communication. You can configure VNET peering between these VNETS.

Opt1 Q3-What can be done to make East west traffic vnet1< -- > vnet2 pass via the Firewall (vFG)?


As documented here All routing scenarios supported by Virtual WAN are supported with NVAs in the hub. If you have configured Hub routing intent and policies. When a Private Traffic Routing Policy is configured on a Virtual WAN hub, all branch and Virtual Network traffic in and out of the Virtual WAN Hub including inter-hub traffic will be forwarded to the Next Hop Azure Firewall resource that was specified in the Private Traffic Routing Policy.

Opt1 Q4-North South traffic vnet1 < -- > on-premises (SDWAN):


As documented here When multiple hubs exist, hub-to-hub routing (also known as inter-hub) is enabled by default in Standard Virtual WAN. As per the any-any connectivity model described here this connectivity should be possible.

Although I could not find a documentation for this particular architecture. I am reaching out to the team regarding this and will confirm the scenario above and will also confirm the VNET1-SDWAN via firewall with the team (Case 1 and Case 2)

Opt1 Q5- intent routing can help or not? the main issue with intent routing it enforce all 
private IPs (RFC1982) to go through the firewall, however the target is selective:
e.g. vnet1 to vnet3 no firewalling, but vnet1 to sdwan use firewall




If you wish to not send the traffic via NVA for this East west communication. You can configure VNET peering between these Vnet1 and Vnet3.

I am reaching out to the team regarding Opt1 Q6 and Option1.2

I will share an update as soon as I hear back from them. Thank you!

@ChaitanyaNaykodi-MSFT is there any hope to get an answer for my questions ?

@ZEIN Ahmed OBS/S EUR
First of all, Apologies for the delayed response here and thank you for your patience.

I got a response back from the team.

Based on your questions above

Option1.2: using Transient vnet for the Firewall NVA:
does it help ? and how it can be better than dedicated vHub for the Forewall NVA?

Currently this not possible to implement in Virtual WAN today.

So only Option 1.1 will be possible to implement.

For Option 1.1

Opt1 Q4-North South traffic vnet1 < -- > on-premises (SDWAN):

Case1: no public IP for the Firewalls WAN - Firewall at vHubX1 no need to access internet.

How traffic from vNet1 can access SDWAN and pass via Firewall?
in this topology, the traffic will go to the vHubX1 routing units and will use the full mesh to the vHubX2 routing units (BGP , AS path 65520 65520) and reach the SDWAN NVA, without passing via the Firewalls?

Case2:public IP for the Firewalls WAN – Firewalls at vHubX1 will access internet.
same question as case1

How traffic from vNet1 can access SDWAN and pass via Firewall?
in this topology, the traffic will go to the vHubX1 routing units and will use the full mesh to the vHubX2 routing units (BGP , AS path 65520 65520) and reach the SDWAN NVA, without passing via the Firewalls?



The routing scenario above will be very similar to the use case documented here.

The North South traffic vnet1 < -- > on-premises (SDWAN)

With the hubs configured with Private Traffic Policy with Next Hop Hub 1 Azure Firewall, NVA or SaaS solution the traffic above will pass through the Firewall And SDWAN NVA.

Also, just a note Internet Traffic must egress through the local security solution in the hub as the default route (0.0.0.0/0) does not propagate across hubs.

Opt1 Q6-for the North south traffic mentioned in question 4, the traffic will pass via vHubX1 and then vHubx2(both in same region), but i understand that Azure billing for vHub is consider the processing data, so this will make double pricing, e.g. data of 10TB per month processed in vHubX1 and vHubX2 is double price the 10TB per month processed in vHubX1 only (if no vHubX2 at all)?

In your scenario, there shouldn't be any hub router processing charges billed. The only piece is Firewall NVA data processing $0.05/GB for every packet going through the FGT/CKPT as well as inter-hub data processing charge. For more information on when packets go through the router and when inter-hub data processing charge comes into play please see About Virtual WAN pricing - Azure Virtual WAN | Microsoft Learn. 

Once again apologies for the delayed response here. Please let me know if you have any additional questions. Thank you!

many thanks @ChaitanyaNaykodi-MSFT
answers are clear, but i have another problem
the topology i am talking about is realy huge in Azure (more than 20 regions) and i think routing will be very complex,
example,
vnet1-->SDWAN , will go to X1 and then it will load balance over X2 and Y2 (as both X2 and Y2 in full mesh with X1)
so now assume that X2/X1 are in EU and Y1/Y2 in LATAM
so traffic from vnet1 (EU) will pass via X1 FW (in EU) --good
but then traffic will load balance to X2 (EU) and Y2(LATAM)

imagine how this case will be !!

the SDWAN sites are in full mesh with all vHubs, so both X2 and Y2 are receviing the routes of SDWAN and both adv to X1 (full mesh between all vHubs)

issue is clear for you?

can we have a quick call?