Contributing author:
Piyush Raj, Product Manager, Cisco SD-WAN

We are living in a hybrid cloud world in which users are accessing applications from anywhere. The cloud migration question has evolved from whether ‘applications should move to the cloud’ to ‘when applications should move to the cloud’. Every IT organization today is looking to meet the demands of agility, scalability, and faster time to market all while lowering costs by moving towards the cloud. But with cloud migration, comes a new connectivity challenge – how do you extend connectivity from branch sites to the cloud?

In the past, we introduced the Cloud Services Router 1000V (CSR 1000V) to help enterprises connect to cloud workloads through their branches and hub sites. While this approach worked well for hundreds of customers, this transitive connectivity approach was completely manual with each step: from configuration to instantiation of CSR routers in the cloud, setting up IPsec connectivity between transit Microsoft Azure Virtual Networks (VNets) and host VNets, and then setting up BGP peering over those tunnels. This process seemed error-prone, required several hours to complete, and was complex to manage over time as organizational needs changed.

Contributing author:
Sunil Kishen, Principal Program Manager, Azure Networking

To overcome the manual configuration of CSRs, we introduced Cloud OnRamp for IaaS with Microsoft Azure which allowed you to leverage automation to set up CSR 1000V routers in Azure transit VNet. The transit VNet in turn became part of the SD-WAN fabric, providing direct VPN connectivity to branch and data center sites within the private network. This automation addressed the orchestration complexity of IPsec tunnels and VNet connections as well as route automation via BGP peering and route exchange. However, this design required you to build an IPsec overlay network in Azure which limited the number of branches and VNets that could be interconnected. Also, the design didn’t support branch-to-branch connectivity using Microsoft’s global backbone and it didn’t offer flexible options for service chaining. This became more of an intermediate step than the final destination which you were looking for.

A Modern Transit Architecture for Microsoft Azure

Cisco SD-WAN with Microsoft Azure
Cisco SD-WAN with Microsoft Azure

Cisco SD-WAN establishes an overlay fabric that connects campus locations, data centers, branches, and other sites as well as empowers network IT to manage connectivity across their WAN and to cloud platforms from a single dashboard with greater speed, reliability, and efficiency.

Similarly, Azure Virtual WAN is a unified network-as-a-service construct that brings together hybrid connectivity gateways, routing, and security services under a single pane of orchestration and management to build a secure, global scale, any-to-any connectivity fabric between cloud workloads, branches, and end-users. Virtual WAN is comprised of fully mesh connected Virtual WAN hubs interconnected by Microsoft Azure global network

We strongly believe that the best way to build compelling cloud connectivity architectures is through close partnerships with cloud providers. To create this new paradigm, we integrated Cisco’s SD-WAN and Microsoft’s Azure Virtual WAN to create a hybrid WAN architecture that is truly a modern transit architecture for cloud connectivity.

“The partnership between Cisco and Microsoft Azure provides a best-in-class solution between the companies to build a modern WAN transit architecture. Cisco SD-WAN Cloud OnRamp for Azure Virtual WAN delivers a fully integrated and automated solution that extends Cisco SD-WAN fabric between branch sites and on-premises data centers to Microsoft Azure cloud allowing customers to seamlessly connect to applications and workloads in the cloud.”
—Reshmi Yandapalli, Principal Product Manager, Azure Core-Networking

This integration enables you to seamlessly extend your SD-WAN overlay into Azure and improves cloud connectivity from branch offices. You can also use Microsoft Azure’s global network for branch-to-branch connectivity as the SD-WAN transport network. This is also the most optimal and secure way to connect branch sites to Microsoft Azure, taking advantage of Azure Firewall in Virtual WAN hubs to secure branch to VNet traffic.

With the new paradigm, the integrated architecture uses Cisco SD-WAN Network Virtual Appliances (NVAs) deployed in the virtual hubs and extends SD-WAN fabric to Azure cloud. This unique approach also enables native peering with Microsoft Virtual WAN Routing and Security Services and this entire network fabric can be managed from a single pane of glass with automatic high availability, scalability, and security. It provides you with a myriad of benefits from native BGP peering for better throughput and performance, to global connectivity between Virtual WAN hubs through Microsoft’s global backbone network.

This modern transit architecture has already been adopted by several enterprise customers and is poised to become the de-facto cloud connectivity solution between Cisco SD-WAN and Azure Cloud.

For details about the evolution to a modern transit architecture and key benefits, check out the latest joint white paper from Cisco and Microsoft:

Modern Transit Architecture with Cisco Cloud OnRamp for Azure Virtual WAN


Additional resources:

Cisco SD-WAN for Azure Virtual WAN

Cisco SD-WAN Cloud OnRamp

Cisco SD-WAN Cloud OnRamp Configuration guideCisco SD-WAN with Azure Virtual WAN demo video

Cisco SD-WAN

Cisco SD-WAN Ordering Guide



Jeevan Sharma

Senior Manager, Product Management

Cisco SD-WAN and Cloud Networking