Wide area networks (WANs) allow far-flung coworkers to share files and other resources, reduce the complexity of connecting people, and centralize IT infrastructure. On the downside, existing WANs can be challenging and even intrusive to set up, are prone to security breaches, and are difficult to manage.
Now, a team in Microsoft Digital—the organization that powers, transforms, and protects Microsoft—has devised a way to build a virtual wide area network with Microsoft Azure.
They did so using the Microsoft Azure global network, a digital backbone that links Microsoft Azure datacenters in more than 60 countries and regions and gives users the benefit of easy setup, adaptive security, and high performance. It also shields sensitive data from the public internet and uses thousands of miles of fiber optic cable to deliver data at the speed of light.
WANs built on Microsoft Azure can manage the needs of global enterprises while also flexing down and being affordable enough that even a business based in just a few states can benefit from them.
Less intrusive for customers
Most people who are on a WAN may not even know it; to them, the network seems invisible. But managing a traditional WAN is a nuisance. Take universities, says Pete Apple, a principal service engineer with Microsoft Digital. They often deploy WANs but aren’t always happy about it.
“We might be on campus for six months digging trenches and the like,” Apple says. “And maybe the people doing the work will have to get access badges so they can enter secure buildings. And then they’re forced to use the system, and some people get grumpy about that—especially people in the open-source community.”
Then, after a WAN is enabled, its users may pay prohibitive costs through a traditional cable provider or telco. The odds are good that their data will be exposed to the wider internet, with all the hazards that can entail.
With a virtual wide area network built on Microsoft Azure, users need only establish a connection to the nearest Azure hub.
“You can just go on the web and find a list of 90 or so datacenters that you can connect to,” Apple says. “We can have a customer up and running in two days. We built a WAN for the Xbox game studio in like three days. It blew their minds.”
And it’s all simply software-defined—no hardware. The customer defines the Virtual WAN, the virtual firewall, the virtual connections, and they’re all set.
Serious engineering work results in ease of use
Easy for the customer, yes. But under the hood, Microsoft Digital engineers had their work cut out to build a virtual wide area network.
“This took a lot of different teams working together,” says Reshmi Yandapalli, principal product manager for Microsoft Azure Virtual WAN. “The challenge is that a lot of the networking pieces like Remote User VPN, firewall, routing, third-party appliances, and ExpressRoute are not easily combined into a single offering that works under a single pane of glass. The challenge was working through what the customers would want, and then integrating different things to form one easy-to-use platform that meets customer needs.”
The team had to figure out things such as providing custom access to certain workloads and managing perhaps thousands of remote workers at home.
To solve this problem, the Virtual WAN team built a remote user VPN solution that uses Microsoft’s own identity management system (Microsoft Azure Active Directory). This solution uses a built-in global traffic manager that gives users the ability to connect from anywhere.
“This was just one of the cool innovations we came up with in Virtual WAN,” Yandapalli says.
Microsoft’s Azure-powered WAN delivers advantages to four use cases, says Raghavendran Venkatraman, a principal service engineer for Microsoft Digital.
“I think of it as having four swim lanes,” he says. “One is for enterprise device management. A second is for product development where collaboration and security are important. The same goes for research—a third lane. And finally, it’s great for a remote user, which we’re seeing a lot in the recent days due to COVID-19.”
Microsoft Mac Lab connects with Azure WAN
Within Microsoft, one of the early adopters of the virtual wide area network built with Microsoft Azure was the Mac Lab, a team dedicated to connecting Microsoft apps to the Apple OS. That’s a more complicated process than when working with Android or Linux. So the Mac Lab purchased 250 Mac Minis and deployed them in a Microsoft datacenter.
Still, the team wanted the advantage of working on the Microsoft Azure platform. So, while some functions are hosted in the Mac Lab, many others are connected via an Azure WAN to Azure datacenters.
“On our previous design, we had five virtual private network (VPN) tunnels coming into the Mac Lab,” says DJ Seeds, a site reliability engineer with Microsoft. “And every time we’d add a new scenario, we’d have to add another tunnel. But Raghavendran suggested this might be a great application for the Azure Virtual WAN. The experience of having something in Azure is just far superior to being in a datacenter. You can scale so much more easily, and you can build in redundancy and manageability.”
It was easy to set up—just a few clicks and Seeds’s team could communicate via the Azure WAN. It’s also easier to manage security and work with a geographically distributed team, Seeds says.
Secure data access for a sensitive site
Another internal use of the Microsoft Azure-based WAN is a team using Microsoft’s Analytics Platform System (APS), an on-premises data warehouse product shipped as an appliance to customers. APS offers deep data integration, high-speed query processing, highly scalable storage, and simple maintenance for end-to-end business intelligence solutions. Within Microsoft, APS environments are used to test the products and work on new features.
Using a WAN built on the Microsoft Azure global backbone also makes it much easier to securely operate across national borders and geographic regions.
“Deploying APS in the lab, we can simulate customers’ environments,” says Mario Barba Garcia, a senior software engineer with Microsoft. “But due to new security policies, we can’t have any of that connected to the corporate network. With Azure Virtual WAN, we can access the lab in a secure way and control who has that access. We were able to isolate it completely from the corporate network without affecting functionality.”
That sort of security is becoming more important. Various parts of the world—such as the European Union and its recently deployed General Data Protection Regulation (GDPR)—are creating their own regional standards for data sharing and privacy. Using a WAN built on Microsoft Azure makes it easy to tailor data transmission to local requirements.
Now available to all Microsoft Azure subscribers, Azure Virtual WAN is evolving rapidly to accommodate customer suggestions and team ideas. It’s another way Microsoft is using digital transformation to securely connect people and organizations around the world.