architecture-center
Cost optimization section not clear
Cost optimization

A customer-managed hub infrastructure introduces management cost to underlying Azure resources. To achieve a transitive connectivity with a predictable latency, you must have a Network Virtual Appliance (NVA) or Azure Firewall deployed in each hub. Using Azure Firewall with either choice will lower the cost compared to an NVA. Azure Firewall costs are the same for both options. There is an extra cost for Azure Virtual WAN; however, it is much less costly than managing your own hub infrastructure.
The highlighted section refers to connectivity and latency; how are these related to cost? Implementing secure VWAN hubs breaks cross-regional routing, particularly in Az Gov where Routing Intent is not available; this creates significant issues. It would be helpful if this language was clarified. It is my current understanding that to support cross-regional communication, you must implement Az Firewall in a spoke, not on the hub itself.
The language here implies that integrating a security appliance with the hubs is the only way to achieve reliable connectivity and latency. If that is the case, this article should clearly explain why and what the result would be if the Firewall is configured in a spoke rather than on the hub.
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: 44ba53f7-4773-946c-fffc-cf51122973f8
- Version Independent ID: 802d7f2e-ee23-c3e1-0294-f3941d0c30c2
- Content: Hub-spoke network topology with Azure Virtual WAN - Azure Architecture Center
- Content Source: docs/networking/hub-spoke-vwan-architecture.yml
- Service: architecture-center
- Sub-service: example-scenario
- GitHub Login: @martinekuan
- Microsoft Alias: yemrea
@dmaranya-afs Thank you for bringing this to our attention. I've delegated this to content author @martinekuan, who will review it and offer their insightful opinions.
https://github.com/MicrosoftDocs/architecture-center-pr/pull/11661
@yemrea - Here's the issue raised about VWAN hub-spoke cost optimization. There's probably some room to provide additional clarity on this topic when you have time. Here's some input from one of our engineers on the topic: https://github.com/MicrosoftDocs/architecture-center-pr/pull/11661#discussion_r1503081871
@yemrea - Any chance you could provide some updated text to clarify the cost optimization section?
I would rewrite as follows, if you all agree.
from this: A customer-managed hub infrastructure introduces management cost to underlying Azure resources. To achieve a transitive connectivity with a predictable latency, you must have a Network Virtual Appliance (NVA) or Azure Firewall deployed in each hub. Using Azure Firewall with either choice will lower the cost compared to an NVA. Azure Firewall costs are the same for both options. There is an extra cost for Azure Virtual WAN; however, it is much less costly than managing your own hub infrastructure.
to this: A customer-managed hub infrastructure introduces management cost to underlying Azure resources. To achieve a transitive connectivity with a predictable latency, you must have a Network Virtual Appliance (NVA) or Azure Firewall deployed in each hub. Using Azure Firewall with either choice will lower the cost compared to an NVA. Azure Firewall costs are the same for both options. There is an extra cost for Azure Virtual WAN; however, it is much less costly than managing your own hub infrastructure. **If the latency and connectivity constraints are not prioritised for your organization/workload, you can always choose to implement hub and spoke architecture using a network virtual appliance or Azure Firewall as suggested here: Hub-spoke network topology in Azure**
If we want to compare apples to apples we should target the same level of latency and capabilities.