
Azure Virtual WAN Guide

Build enterprise networking with Azure Virtual WAN: hubs, site-to-site VPN, ExpressRoute, Secured Hubs, and routing intent.

CloudToolStack Team · 24 min read · Published Mar 14, 2026

Prerequisites

  • Understanding of Azure networking (VNets, subnets, NSGs)
  • Familiarity with VPN and ExpressRoute concepts

Introduction to Azure Virtual WAN

Azure Virtual WAN is a networking service that provides optimized and automated branch-to-branch, branch-to-Azure, and Azure-to-Azure connectivity through a hub-and-spoke architecture. It consolidates multiple Azure networking services (VPN Gateway, ExpressRoute Gateway, Azure Firewall, routing, and SD-WAN integration) into a single operational interface, dramatically simplifying the management of complex wide-area networks.

Without Virtual WAN, connecting multiple offices, data centers, and Azure virtual networks requires manually creating and managing VPN gateways, peering connections, route tables, and firewall rules across each spoke. Virtual WAN automates this by providing managed hubs that act as central connection points. Spokes (VNets, branches, remote users) connect to the hub, and the hub automatically handles routing between all connected resources.

This guide covers the complete Virtual WAN architecture: creating WANs and hubs, configuring site-to-site VPN connections, setting up ExpressRoute circuits, implementing Secured Virtual Hubs with Azure Firewall, configuring routing intent and policies, connecting VNets, enabling point-to-site VPN for remote users, and designing multi-hub global transit networks.

Virtual WAN SKUs

Azure Virtual WAN comes in two SKUs. Basic supports site-to-site VPN only, with up to 500 Mbps aggregate throughput. Standard supports site-to-site VPN, ExpressRoute, User VPN (point-to-site), VNet-to-VNet transit, Azure Firewall, NVA hosting, and routing intent, with throughput up to 20 Gbps per hub. For production environments, always use Standard. The Basic SKU cannot be upgraded to Standard after creation.

Creating a Virtual WAN and Hub

A Virtual WAN is the top-level resource that contains one or more virtual hubs. Each hub is deployed in a specific Azure region and provides connectivity for resources in that region. For global organizations, deploy hubs in multiple regions and they automatically form a full-mesh network over the Microsoft global backbone.

```bash
# Create a resource group for Virtual WAN
az group create \
  --name rg-virtualwan \
  --location eastus

# Create the Virtual WAN
az network vwan create \
  --name production-vwan \
  --resource-group rg-virtualwan \
  --type Standard \
  --branch-to-branch-traffic true \
  --vnet-to-vnet-traffic true

# Create a virtual hub in East US
az network vhub create \
  --name hub-eastus \
  --resource-group rg-virtualwan \
  --vwan production-vwan \
  --address-prefix 10.100.0.0/24 \
  --location eastus \
  --sku Standard

# Create a second hub in West Europe for global connectivity
az network vhub create \
  --name hub-westeurope \
  --resource-group rg-virtualwan \
  --vwan production-vwan \
  --address-prefix 10.101.0.0/24 \
  --location westeurope \
  --sku Standard

# Verify hub creation and get routing status
az network vhub show \
  --name hub-eastus \
  --resource-group rg-virtualwan \
  --query '{Name: name, Location: location, Status: provisioningState, RoutingState: routingState, AddressPrefix: addressPrefix}' \
  --output table
```

Connecting Virtual Networks

VNet connections link your Azure virtual networks to the Virtual WAN hub. Once connected, VNets can communicate with each other (VNet-to-VNet transit), with on-premises branches (through VPN or ExpressRoute), and with remote users. Each VNet connection can optionally propagate routes to and associate with specific route tables for traffic segmentation.

```bash
# Connect a VNet to the hub
az network vhub connection create \
  --name conn-app-vnet \
  --resource-group rg-virtualwan \
  --vhub-name hub-eastus \
  --remote-vnet /subscriptions/<sub-id>/resourceGroups/rg-app/providers/Microsoft.Network/virtualNetworks/app-vnet \
  --internet-security true

# Connect a shared services VNet
az network vhub connection create \
  --name conn-shared-services \
  --resource-group rg-virtualwan \
  --vhub-name hub-eastus \
  --remote-vnet /subscriptions/<sub-id>/resourceGroups/rg-shared/providers/Microsoft.Network/virtualNetworks/shared-vnet \
  --internet-security true

# List VNet connections
az network vhub connection list \
  --resource-group rg-virtualwan \
  --vhub-name hub-eastus \
  --query '[].{Name: name, RemoteVNet: remoteVirtualNetwork.id, Status: provisioningState, InternetSecurity: enableInternetSecurity}' \
  --output table

# View effective routes for a connection
az network vhub get-effective-routes \
  --name hub-eastus \
  --resource-group rg-virtualwan \
  --resource-type HubVirtualNetworkConnection \
  --resource-id /subscriptions/<sub-id>/resourceGroups/rg-virtualwan/providers/Microsoft.Network/virtualHubs/hub-eastus/hubVirtualNetworkConnections/conn-app-vnet
```
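Before running the hub and VNet connection commands, it pays to validate the address plan offline: a hub's prefix must not overlap any connected VNet, branch prefix or User VPN pool, and Azure requires at least a /24 for the hub address space. The following script is an added example, not code from this guide or from CloudToolStack. The prefixes are constructed from the commands in this guide plus one deliberately conflicting VNet; the /24 hub minimum comes from the Virtual WAN hub requirements.

```python
# Added example: offline validation of a Virtual WAN address plan.
# Not code from the original guide; the prefixes below are constructed sample values.
import ipaddress
from typing import Dict, List, Tuple

HUB_MAX_PREFIXLEN = 24  # Azure requires a /24 or larger address space per hub

# Constructed plan mirroring the guide's commands, plus one conflicting VNet.
SAMPLE_PLAN: Dict[str, List[str]] = {
    "hub-eastus": ["10.100.0.0/24"],
    "hub-westeurope": ["10.101.0.0/24"],
    "app-vnet": ["10.1.0.0/16"],
    "shared-vnet": ["10.2.0.0/16"],
    "branch-office-nyc": ["192.168.0.0/16"],
    "p2s-pool-eastus": ["172.16.0.0/24"],
    "proposed-data-vnet": ["10.100.0.0/22"],  # constructed: collides with hub-eastus
}
HUBS = {"hub-eastus": "10.100.0.0/24", "hub-westeurope": "10.101.0.0/24"}


def parse_prefix(prefix: str):
    # strict=True rejects prefixes with host bits set (e.g. "10.1.0.5/16"),
    # which a CLI would otherwise silently normalise.
    return ipaddress.ip_network(prefix, strict=True)


def find_overlaps(plan: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Return every pair of prefixes in the plan that overlap, across all owners."""
    entries = [(owner, parse_prefix(p)) for owner, prefixes in plan.items() for p in prefixes]
    overlaps = []
    for i, (owner_a, net_a) in enumerate(entries):
        for owner_b, net_b in entries[i + 1:]:
            if net_a.overlaps(net_b):
                overlaps.append((owner_a, str(net_a), owner_b, str(net_b)))
    return overlaps


def check_hub_prefixes(hubs: Dict[str, str]) -> List[str]:
    """Flag hub prefixes smaller than the /24 minimum."""
    findings = []
    for name, prefix in hubs.items():
        net = parse_prefix(prefix)
        if net.prefixlen > HUB_MAX_PREFIXLEN:
            findings.append(f"{name}: {prefix} is smaller than the /{HUB_MAX_PREFIXLEN} hub minimum")
    return findings


def validate_plan(plan: Dict[str, List[str]], hubs: Dict[str, str]) -> List[str]:
    """Combine both checks into human-readable findings (empty list = plan is clean)."""
    findings = check_hub_prefixes(hubs)
    for owner_a, net_a, owner_b, net_b in find_overlaps(plan):
        findings.append(f"overlap: {owner_a} {net_a} <-> {owner_b} {net_b}")
    return findings


if __name__ == "__main__":
    for line in validate_plan(SAMPLE_PLAN, HUBS) or ["address plan is clean"]:
        print(line)
```

Run it on the real plan before the first `az network vhub create`; an overlap reported here is far cheaper than a hub or connection that has to be deleted and rebuilt because its prefix cannot be changed in place.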

Site-to-Site VPN Configuration

Site-to-site VPN connects your on-premises networks or branch offices to the Virtual WAN hub over encrypted IPsec/IKE tunnels across the public internet. Virtual WAN supports both policy-based and route-based VPN configurations, BGP for dynamic routing, and active-active gateway deployments for high availability.

```bash
# Create a VPN gateway in the hub
az network vpn-gateway create \
  --name vpn-gw-eastus \
  --resource-group rg-virtualwan \
  --vhub hub-eastus \
  --scale-unit 2

# Create a VPN site (represents your on-premises device)
az network vpn-site create \
  --name branch-office-nyc \
  --resource-group rg-virtualwan \
  --virtual-wan production-vwan \
  --location eastus \
  --ip-address 203.0.113.10 \
  --address-prefixes 192.168.0.0/16 \
  --device-vendor "Cisco" \
  --device-model "ISR4451" \
  --link-speed 200 \
  --bgp-peering-address 192.168.1.1 \
  --asn 65001

# Create a VPN connection from hub to site.
# Supply the pre-shared key from the environment (or a Key Vault lookup)
# rather than as a literal, so it does not end up in shell history.
az network vpn-gateway connection create \
  --name conn-branch-nyc \
  --resource-group rg-virtualwan \
  --gateway-name vpn-gw-eastus \
  --remote-vpn-site branch-office-nyc \
  --shared-key "$VPN_PSK" \
  --enable-bgp true \
  --internet-security true \
  --vpn-site-link "/subscriptions/<sub-id>/resourceGroups/rg-virtualwan/providers/Microsoft.Network/vpnSites/branch-office-nyc/vpnSiteLinks/branch-office-nyc"

# Download the VPN configuration for your on-premises device
az network vpn-site download \
  --resource-group rg-virtualwan \
  --vwan-name production-vwan \
  --vpn-sites branch-office-nyc \
  --output-blob-sas-url "<sas-url-for-blob>"

# Check VPN connection status
az network vpn-gateway connection show \
  --name conn-branch-nyc \
  --resource-group rg-virtualwan \
  --gateway-name vpn-gw-eastus \
  --query '{Status: connectionStatus, IngressBytes: ingressBytesTransferred, EgressBytes: egressBytesTransferred}' \
  --output table
```

VPN Gateway Scale Units

Each VPN gateway scale unit provides 500 Mbps aggregate throughput and supports 500 site-to-site connections. A scale unit of 2 provides 1 Gbps. The maximum is 20 scale units (20 Gbps, 1000 connections). Choose your scale unit based on the aggregate throughput needed from all connected sites. You can scale up later without downtime, but scaling down requires gateway recreation.

ExpressRoute Integration

ExpressRoute provides dedicated private connectivity between your on-premises network and Azure through a connectivity provider, bypassing the public internet. Virtual WAN can terminate ExpressRoute circuits in hub ExpressRoute gateways, enabling private, low-latency connectivity from your data centers to all resources connected to the hub.

```bash
# Create an ExpressRoute gateway in the hub
az network express-route gateway create \
  --name er-gw-eastus \
  --resource-group rg-virtualwan \
  --virtual-hub hub-eastus \
  --min-val 2

# Connect an ExpressRoute circuit to the hub
az network express-route gateway connection create \
  --name conn-datacenter-er \
  --resource-group rg-virtualwan \
  --gateway-name er-gw-eastus \
  --peering /subscriptions/<sub-id>/resourceGroups/rg-network/providers/Microsoft.Network/expressRouteCircuits/datacenter-circuit/peerings/AzurePrivatePeering \
  --associated-route-table /subscriptions/<sub-id>/resourceGroups/rg-virtualwan/providers/Microsoft.Network/virtualHubs/hub-eastus/hubRouteTables/defaultRouteTable

# Enable ExpressRoute-to-VPN transit (hybrid scenarios)
# This allows traffic from ExpressRoute sites to reach VPN-connected sites
# (the hub-level flag is --allow-b2b-traffic)
az network vhub update \
  --name hub-eastus \
  --resource-group rg-virtualwan \
  --allow-b2b-traffic true

# List ExpressRoute connections
az network express-route gateway connection list \
  --resource-group rg-virtualwan \
  --gateway-name er-gw-eastus \
  --query '[].{Name: name, Status: provisioningState, RoutingWeight: routingWeight}' \
  --output table
```

Secured Virtual Hub with Azure Firewall

A Secured Virtual Hub is a Virtual WAN hub with Azure Firewall deployed inside it. When you secure a hub, all traffic flowing through the hub (branch-to-VNet, VNet-to-internet, branch-to-internet) is inspected by Azure Firewall according to your firewall policies. This provides centralized network security without deploying separate firewall instances in each spoke VNet.

```bash
# Create a firewall policy (Premium tier; IDPS is a Premium-only feature,
# enabled with --idps-mode rather than a JSON blob)
az network firewall policy create \
  --name hub-firewall-policy \
  --resource-group rg-virtualwan \
  --sku Premium \
  --threat-intel-mode Deny \
  --idps-mode Deny

# Create a rule collection group with network rules
az network firewall policy rule-collection-group create \
  --name DefaultNetworkRuleGroup \
  --policy-name hub-firewall-policy \
  --resource-group rg-virtualwan \
  --priority 200

# Add a network rule collection
az network firewall policy rule-collection-group collection add-filter-collection \
  --name AllowInternalTraffic \
  --resource-group rg-virtualwan \
  --policy-name hub-firewall-policy \
  --rule-collection-group-name DefaultNetworkRuleGroup \
  --collection-priority 100 \
  --action Allow \
  --rule-type NetworkRule \
  --rule-name allow-spoke-to-spoke \
  --source-addresses "10.0.0.0/8" \
  --destination-addresses "10.0.0.0/8" \
  --destination-ports "*" \
  --ip-protocols TCP UDP ICMP

# Deploy Azure Firewall in the hub
az network firewall create \
  --name fw-hub-eastus \
  --resource-group rg-virtualwan \
  --vhub hub-eastus \
  --sku AZFW_Hub \
  --tier Premium \
  --firewall-policy hub-firewall-policy \
  --public-ip-count 1
```
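The AllowInternalTraffic collection above permits every port and protocol between any two 10.0.0.0/8 addresses. That is a common first rule, and a common one to forget to tighten once workloads are known. The script below is an added example, not code from this guide or from Azure: it audits rule collections in the FirewallPolicyFilterRuleCollection shape (action.type, rules[].ruleType, sourceAddresses, destinationAddresses, destinationPorts, ipProtocols) and flags Allow network rules that use a wildcard, or whose source and destination are both broader than a configurable prefix length. The rule set is constructed: the guide's spoke-to-spoke rule plus three made-up rules; the /16 threshold is an assumption to tune per environment.

```python
# Added example: audit Azure Firewall policy network rules for over-broad allows.
# Not code from the original guide; the rule collection group below is constructed.
import ipaddress
from typing import Dict, List, Tuple

BROAD_PREFIXLEN = 16  # constructed threshold: prefixes shorter than /16 count as "broad"

SAMPLE_RCG = {
    "name": "DefaultNetworkRuleGroup",
    "priority": 200,
    "ruleCollections": [
        {"name": "AllowInternalTraffic", "priority": 100, "action": {"type": "Allow"},
         "rules": [
             {"ruleType": "NetworkRule", "name": "allow-spoke-to-spoke",  # the guide's rule
              "sourceAddresses": ["10.0.0.0/8"], "destinationAddresses": ["10.0.0.0/8"],
              "destinationPorts": ["*"], "ipProtocols": ["TCP", "UDP", "ICMP"]},
             {"ruleType": "NetworkRule", "name": "allow-app-to-shared-https",  # constructed
              "sourceAddresses": ["10.1.0.0/16"], "destinationAddresses": ["10.2.0.0/16"],
              "destinationPorts": ["443"], "ipProtocols": ["TCP"]},
         ]},
        {"name": "TempAccess", "priority": 110, "action": {"type": "Allow"},
         "rules": [
             {"ruleType": "NetworkRule", "name": "allow-anything-to-jump",  # constructed
              "sourceAddresses": ["*"], "destinationAddresses": ["10.2.0.10"],
              "destinationPorts": ["22", "3389"], "ipProtocols": ["TCP"]},
         ]},
        {"name": "DenyLegacy", "priority": 120, "action": {"type": "Deny"},
         "rules": [
             {"ruleType": "NetworkRule", "name": "deny-telnet",  # constructed
              "sourceAddresses": ["*"], "destinationAddresses": ["*"],
              "destinationPorts": ["23"], "ipProtocols": ["TCP"]},
         ]},
    ],
}


def is_broad(addresses: List[str]) -> bool:
    """True for '*', 0.0.0.0/0, or any prefix shorter than BROAD_PREFIXLEN."""
    for entry in addresses:
        if entry == "*":
            return True
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # IP groups and service tags are not resolved here (assumption)
        if net.prefixlen < BROAD_PREFIXLEN:
            return True
    return False


def audit_rule_collections(rcg: Dict) -> List[Tuple[str, str, str]]:
    """Return (collection, rule, reasons) for each over-broad Allow network rule."""
    findings = []
    for coll in rcg["ruleCollections"]:
        if coll["action"]["type"] != "Allow":
            continue  # a broad Deny is fine; only broad Allows widen exposure
        for rule in coll["rules"]:
            if rule["ruleType"] != "NetworkRule":
                continue
            reasons = []
            if is_broad(rule["sourceAddresses"]):
                reasons.append("broad source")
            if is_broad(rule["destinationAddresses"]):
                reasons.append("broad destination")
            if "*" in rule["destinationPorts"]:
                reasons.append("any port")
            wildcard = ("*" in rule["sourceAddresses"]
                        or "*" in rule["destinationAddresses"]
                        or "*" in rule["destinationPorts"])
            # A wildcard anywhere is always worth a look; two broad prefixes
            # together make an any-to-any style rule even without a literal '*'.
            if wildcard or len(reasons) >= 2:
                findings.append((coll["name"], rule["name"], ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for coll, rule, why in audit_rule_collections(SAMPLE_RCG):
        print(f"{coll}/{rule}: {why}")
```

To run this against a live policy, feed it the JSON from `az network firewall policy rule-collection-group show` (with `--output json`); the rule collection group object has the same `ruleCollections[].rules[]` layout the sample uses.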

Routing Intent and Policies

Routing Intent is the recommended way to configure traffic routing through Azure Firewall in a Secured Virtual Hub. When you configure routing intent, the hub automatically creates the necessary routes to direct internet-bound traffic and private traffic (VNet-to-VNet, branch-to-VNet) through the firewall. This replaces the manual route table configuration that was previously required.

```bash
# Configure routing intent to send both internet and private traffic
# through Azure Firewall
az network vhub routing-intent create \
  --name routing-intent-eastus \
  --resource-group rg-virtualwan \
  --vhub hub-eastus \
  --routing-policies '[
    {
      "name": "InternetTraffic",
      "destinations": ["Internet"],
      "nextHop": "/subscriptions/<sub-id>/resourceGroups/rg-virtualwan/providers/Microsoft.Network/azureFirewalls/fw-hub-eastus"
    },
    {
      "name": "PrivateTraffic",
      "destinations": ["PrivateTraffic"],
      "nextHop": "/subscriptions/<sub-id>/resourceGroups/rg-virtualwan/providers/Microsoft.Network/azureFirewalls/fw-hub-eastus"
    }
  ]'

# Verify routing intent configuration
az network vhub routing-intent show \
  --name routing-intent-eastus \
  --resource-group rg-virtualwan \
  --vhub hub-eastus \
  --query '{Name: name, Status: provisioningState, Policies: routingPolicies[].{Name: name, Destinations: destinations}}' \
  --output json

# View effective routes after routing intent
az network vhub route-table show \
  --name defaultRouteTable \
  --resource-group rg-virtualwan \
  --vhub-name hub-eastus \
  --query '{Name: name, Routes: routes[].{Destination: destinationPrefix, NextHop: nextHopType}}' \
  --output json
```
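Once routing intent is in place, the check a defender actually wants is that no destination still reaches the internet or another private range without passing the firewall. The script below is an added example, not code from this guide or from Azure: it takes a snapshot in the HubRoute shape (destinationType, destinations, nextHopType, nextHop), resolves a set of probe addresses by longest-prefix match against that snapshot, and reports any probe whose next hop is not the firewall resource. The route entries, the probe addresses and the stray `legacy-direct` route are constructed; a real hub also carries routes learned from connections and BGP, so for a full picture feed it the output of `az network vhub get-effective-routes` after mapping its field names.

```python
# Added example: verify that routing intent leaves no firewall bypass.
# Not code from the original guide; the route snapshot below is constructed.
import ipaddress
from typing import Dict, List, Optional, Tuple

FIREWALL_ID = ("/subscriptions/<sub-id>/resourceGroups/rg-virtualwan/providers/"
               "Microsoft.Network/azureFirewalls/fw-hub-eastus")

# Constructed snapshot in the HubRoute shape. The first two entries are the kind of
# routes routing intent installs; the third stands in for any route that does not
# point at the firewall.
SAMPLE_ROUTE_TABLE = {
    "name": "defaultRouteTable",
    "routes": [
        {"name": "_policy_PublicTraffic", "destinationType": "CIDR",
         "destinations": ["0.0.0.0/0"], "nextHopType": "ResourceId", "nextHop": FIREWALL_ID},
        {"name": "_policy_PrivateTraffic", "destinationType": "CIDR",
         "destinations": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
         "nextHopType": "ResourceId", "nextHop": FIREWALL_ID},
        {"name": "legacy-direct", "destinationType": "CIDR",
         "destinations": ["10.50.0.0/16"], "nextHopType": "ResourceId",
         "nextHop": "/subscriptions/<sub-id>/resourceGroups/rg-virtualwan/providers/"
                    "Microsoft.Network/virtualHubs/hub-eastus/hubVirtualNetworkConnections/conn-legacy"},
    ],
}

# Constructed probes: a public address, a host in each private range, and one in the bypassed VNet.
PROBES = ["203.0.113.5", "10.1.4.20", "172.16.0.9", "192.168.7.7", "10.50.1.4"]


def flatten_routes(route_table: Dict) -> List[Tuple[ipaddress.IPv4Network, str, str]]:
    """Expand each HubRoute into (network, next_hop, route_name) tuples."""
    flat = []
    for route in route_table["routes"]:
        if route.get("destinationType") != "CIDR":
            continue  # service-tag destinations are not evaluated here (assumption)
        for dest in route["destinations"]:
            flat.append((ipaddress.ip_network(dest, strict=False), route["nextHop"], route["name"]))
    return flat


def resolve_next_hop(route_table: Dict, address: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match: return (next_hop, route_name) for the address, or None."""
    ip = ipaddress.ip_address(address)
    best = None
    for net, next_hop, name in flatten_routes(route_table):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, name)
    return (best[1], best[2]) if best else None


def find_bypasses(route_table: Dict, probes: List[str], firewall_id: str) -> List[Tuple[str, str]]:
    """Return (probe, route_name) for every probe that is not forwarded to the firewall."""
    bypasses = []
    for probe in probes:
        hit = resolve_next_hop(route_table, probe)
        if hit is None:
            bypasses.append((probe, "<no route>"))
        elif hit[0] != firewall_id:
            bypasses.append((probe, hit[1]))
    return bypasses


if __name__ == "__main__":
    for probe, route in find_bypasses(SAMPLE_ROUTE_TABLE, PROBES, FIREWALL_ID):
        print(f"BYPASS: {probe} is routed by '{route}', not the hub firewall")
```

The longest-prefix rule is what makes the check meaningful: a 10.0.0.0/8 policy route pointing at the firewall proves nothing if a more specific /16 for the same space points somewhere else, which is exactly what the constructed `legacy-direct` entry demonstrates.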

Routing Intent vs. Custom Route Tables

Use Routing Intent for straightforward scenarios where all traffic should flow through Azure Firewall. It is simpler to configure and less error-prone than custom route tables. Use custom route tables when you need granular control, such as routing only specific VNets through the firewall while allowing others to communicate directly, or when implementing network segmentation with isolated route domains. Routing Intent and custom route tables cannot be used simultaneously on the same hub.

Point-to-Site VPN for Remote Users

Virtual WAN User VPN (Point-to-Site) enables remote users to connect to Azure and on-premises resources securely from anywhere. It supports OpenVPN, IKEv2, and the Azure VPN client with Azure AD authentication, certificate authentication, or RADIUS authentication. This replaces the need for traditional VPN concentrators.

```bash
# Create the VPN server configuration first (Azure AD auth); the gateway
# below references it by name, so it must already exist
az network vpn-server-config create \
  --name p2s-config \
  --resource-group rg-virtualwan \
  --vpn-protocols OpenVPN \
  --vpn-auth-types AAD \
  --aad-audience "41b23e61-6c1e-4545-b367-cd054e0ed4b4" \
  --aad-issuer "https://sts.windows.net/<tenant-id>/" \
  --aad-tenant "https://login.microsoftonline.com/<tenant-id>"

# Create the P2S VPN gateway in the hub using that configuration
az network p2s-vpn-gateway create \
  --name p2s-gw-eastus \
  --resource-group rg-virtualwan \
  --vhub hub-eastus \
  --scale-unit 2 \
  --vpn-server-config p2s-config \
  --address-space 172.16.0.0/24

# Download the VPN client configuration
az network p2s-vpn-gateway vpn-client generate \
  --name p2s-gw-eastus \
  --resource-group rg-virtualwan \
  --authentication-method EAPTLS
```

Monitoring and Troubleshooting

Monitor Virtual WAN health using Azure Monitor metrics and diagnostic logs. Key metrics include tunnel bandwidth, packet counts, BGP route counts, and gateway health status. Enable diagnostic logging for detailed VPN connection events, routing changes, and firewall activity.

```bash
# Enable diagnostic logs for the VPN gateway
az monitor diagnostic-settings create \
  --name vpn-diagnostics \
  --resource /subscriptions/<sub-id>/resourceGroups/rg-virtualwan/providers/Microsoft.Network/vpnGateways/vpn-gw-eastus \
  --workspace /subscriptions/<sub-id>/resourceGroups/rg-monitoring/providers/Microsoft.OperationalInsights/workspaces/log-analytics \
  --logs '[{"category": "GatewayDiagnosticLog", "enabled": true}, {"category": "TunnelDiagnosticLog", "enabled": true}, {"category": "RouteDiagnosticLog", "enabled": true}]' \
  --metrics '[{"category": "AllMetrics", "enabled": true}]'

# Check VPN tunnel status
az network vpn-gateway connection show \
  --name conn-branch-nyc \
  --resource-group rg-virtualwan \
  --gateway-name vpn-gw-eastus \
  --query 'vpnLinkConnections[].{Link: name, Status: connectionStatus, Bandwidth: connectionBandwidth, IngressBytes: ingressBytesTransferred}' \
  --output table

# View hub routing table
az network vhub route-table show \
  --name defaultRouteTable \
  --resource-group rg-virtualwan \
  --vhub-name hub-eastus
```
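Shipping TunnelDiagnosticLog to a workspace only helps if something reads it. The script below is an added example, not code from this guide or from Azure: it replays log lines constructed in the general shape of TunnelDiagnosticLog records (time, category, properties.remoteIP, properties.instance, properties.status, properties.stateChangeReason; the exact column names are an assumption to check against your workspace schema) and raises a flapping alert when one tunnel records three or more disconnects inside a ten-minute window. A tunnel that reconnects within seconds never shows as "down" in a status query, which is why a sliding-window count over the event stream is needed to catch it.

```python
# Added example: detect flapping site-to-site tunnels from TunnelDiagnosticLog records.
# Not code from the original guide; the log lines are constructed and the field
# names are assumptions to be checked against the workspace schema.
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: one tunnel that drops three times in six minutes, one that drops once,
# and one unrelated GatewayDiagnosticLog record that must be ignored.
SAMPLE_LOG = """\
{"time":"2026-03-14T08:00:00Z","category":"TunnelDiagnosticLog","properties":{"remoteIP":"203.0.113.10","instance":"GatewayTenantWorker_IN_0","status":"Connected","stateChangeReason":"Tunnel established"}}
{"time":"2026-03-14T08:01:30Z","category":"TunnelDiagnosticLog","properties":{"remoteIP":"203.0.113.10","instance":"GatewayTenantWorker_IN_0","status":"Disconnected","stateChangeReason":"DPD timeout"}}
{"time":"2026-03-14T08:02:00Z","category":"TunnelDiagnosticLog","properties":{"remoteIP":"203.0.113.10","instance":"GatewayTenantWorker_IN_0","status":"Connected","stateChangeReason":"Tunnel established"}}
{"time":"2026-03-14T08:04:10Z","category":"TunnelDiagnosticLog","properties":{"remoteIP":"203.0.113.10","instance":"GatewayTenantWorker_IN_0","status":"Disconnected","stateChangeReason":"DPD timeout"}}
{"time":"2026-03-14T08:04:40Z","category":"TunnelDiagnosticLog","properties":{"remoteIP":"203.0.113.10","instance":"GatewayTenantWorker_IN_0","status":"Connected","stateChangeReason":"Tunnel established"}}
{"time":"2026-03-14T08:07:00Z","category":"TunnelDiagnosticLog","properties":{"remoteIP":"203.0.113.10","instance":"GatewayTenantWorker_IN_0","status":"Disconnected","stateChangeReason":"DPD timeout"}}
{"time":"2026-03-14T08:07:30Z","category":"TunnelDiagnosticLog","properties":{"remoteIP":"203.0.113.10","instance":"GatewayTenantWorker_IN_0","status":"Connected","stateChangeReason":"Tunnel established"}}
{"time":"2026-03-14T09:30:00Z","category":"TunnelDiagnosticLog","properties":{"remoteIP":"198.51.100.7","instance":"GatewayTenantWorker_IN_1","status":"Disconnected","stateChangeReason":"Peer initiated"}}
{"time":"2026-03-14T09:31:00Z","category":"GatewayDiagnosticLog","properties":{"message":"configuration applied"}}
"""

WINDOW = timedelta(minutes=10)
THRESHOLD = 3


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_flapping(lines: List[str], window: timedelta = WINDOW,
                    threshold: int = THRESHOLD) -> List[Dict]:
    """Sliding-window count of Disconnected events per (remoteIP, instance).

    One alert is emitted the moment a tunnel reaches `threshold` disconnects inside
    `window`; further disconnects in the same episode do not repeat the alert."""
    recent = defaultdict(deque)  # (remoteIP, instance) -> timestamps of recent disconnects
    alerts = []
    for raw in lines:
        if not raw.strip():
            continue
        rec = json.loads(raw)
        if rec.get("category") != "TunnelDiagnosticLog":
            continue
        props = rec["properties"]
        if props.get("status") != "Disconnected":
            continue
        key = (props["remoteIP"], props["instance"])
        ts = parse_time(rec["time"])
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop disconnects that fell out of the window
        if len(q) == threshold:
            alerts.append({"remote_ip": key[0], "instance": key[1],
                           "disconnects": len(q), "first": q[0].isoformat(),
                           "last": ts.isoformat(), "reason": props.get("stateChangeReason")})
    return alerts


if __name__ == "__main__":
    for a in detect_flapping(SAMPLE_LOG.splitlines()):
        print(f"FLAPPING {a['remote_ip']} ({a['instance']}): {a['disconnects']} disconnects "
              f"between {a['first']} and {a['last']} (last reason: {a['reason']})")
```

The `stateChangeReason` carried in the alert is the first thing to look at: repeated DPD timeouts point at packet loss or an idle-timeout mismatch on the branch device, whereas peer-initiated drops usually mean the on-premises side is rekeying or rebooting.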

Multi-Hub Design Considerations

When deploying multiple hubs, all hubs within the same Virtual WAN automatically form a full-mesh network. Traffic between hubs flows over the Microsoft global backbone with optimized routing. However, cross-hub traffic incurs hub-to-hub data transfer charges in addition to standard VNet peering charges. For latency-sensitive applications, deploy resources and their dependencies in the same hub region. Use Azure Monitor Network Insights to visualize the entire Virtual WAN topology and identify performance bottlenecks.

Azure Virtual WAN simplifies complex enterprise networking by providing a unified hub-and-spoke architecture with automated routing, integrated security, and global reach over the Microsoft backbone. Start with a single hub for your primary region, connect your VNets and branches, and expand to additional regions as needed. Use Secured Virtual Hubs with Routing Intent for centralized security policy enforcement across your entire network.


Key Takeaways

  1. Virtual WAN automates hub-and-spoke networking with full-mesh connectivity between hubs.
  2. Secured Virtual Hubs integrate Azure Firewall for centralized traffic inspection.
  3. Routing Intent simplifies traffic routing through Azure Firewall without manual route tables.
  4. Multi-hub deployments use the Microsoft global backbone for optimized inter-region connectivity.

Frequently Asked Questions

When should I use Virtual WAN vs. traditional hub-and-spoke?
Use Virtual WAN when connecting multiple branches, regions, or VPCs with automated routing and you want a managed networking service. Use traditional hub-and-spoke when you need full control over routing, have a simple topology (< 5 VNets), or need specific NVA configurations not supported by Virtual WAN. Virtual WAN scales better for large, complex networks.
What is the difference between Basic and Standard SKU?
Basic supports only site-to-site VPN with 500 Mbps throughput. Standard supports VPN, ExpressRoute, User VPN, VNet transit, Azure Firewall, NVAs, and routing intent with up to 20 Gbps per hub. Always use Standard for production. Basic cannot be upgraded to Standard after creation.

Written by CloudToolStack Team

Cloud engineers and architects with hands-on experience across AWS, Azure, and GCP. We write guides based on real-world production patterns, not just documentation rewrites.

Disclaimer: This guide is for educational purposes. Cloud services change frequently; always refer to official documentation for the latest information. AWS, Azure, and GCP are trademarks of their respective owners.