How does Virtual WAN differ from a traditional hub-and-spoke VNet architecture?

In a traditional hub-and-spoke, you deploy and manage your own hub VNet, NVAs, VPN gateways, and route tables. Virtual WAN provides a Microsoft-managed hub with built-in gateway redundancy, automated spoke-to-spoke routing, and integration with SD-WAN partners. Virtual WAN hubs support transitive routing by default (any spoke can reach any other spoke), whereas traditional hub-and-spoke requires NVAs or route tables for transitive connectivity. Virtual WAN also supports inter-hub routing across regions automatically.

What are the Virtual WAN SKU differences?

The Basic SKU supports only site-to-site VPN connections and is intended for simple branch connectivity. The Standard SKU supports site-to-site VPN, point-to-site VPN, ExpressRoute, inter-hub transit, VNet-to-VNet transit, Azure Firewall integration, and NVA hosting. Most enterprise deployments require the Standard SKU. You can upgrade from Basic to Standard but cannot downgrade. Per-hub costs include the hub fee plus data processing charges for traffic flowing through the hub.

Virtual WAN Config Builder

NetworkingAzure

Build Azure Virtual WAN hub, VPN site, and VNet connection configurations.

Virtual WAN Configuration

Build Virtual WAN hub, VPN site, and VNet connection configurations.

Required Fields

nameresourceGrouptypevirtualHubsvirtualHubs[0].namevirtualHubs[0].addressPrefix

{
  "name": "vwan-contoso-global",
  "resourceGroup": "rg-networking",
  "location": "eastus2",
  "type": "Standard",
  "disableVpnEncryption": false,
  "allowBranchToBranchTraffic": true,
  "allowVnetToVnetTraffic": true,
  "virtualHubs": [
    {
      "name": "vhub-eastus2",
      "location": "eastus2",
      "addressPrefix": "10.100.0.0/23",
      "sku": "Standard",
      "routingPreference": "ExpressRoute",
      "hubRoutingPreference": "ASPath"
    },
    {
      "name": "vhub-westeurope",
      "location": "westeurope",
      "addressPrefix": "10.101.0.0/23",
      "sku": "Standard",
      "routingPreference": "VpnGateway",
      "hubRoutingPreference": "ExpressRoute"
    }
  ],
  "vpnSites": [
    {
      "name": "vpn-branch-nyc",
      "location": "eastus2",
      "addressPrefixes": ["192.168.1.0/24", "192.168.2.0/24"],
      "ipAddress": "203.0.113.10",
      "bgpProperties": {
        "asn": 65010,
        "bgpPeeringAddress": "192.168.1.1"
      },
      "deviceVendor": "Cisco",
      "deviceModel": "ISR 4331",
      "linkSpeedInMbps": 200
    }
  ],
  "vnetConnections": [
    {
      "name": "conn-spoke-app",
      "hubName": "vhub-eastus2",
      "remoteVnetId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/Microsoft.Network/virtualNetworks/vnet-spoke-app",
      "enableInternetSecurity": true,
      "routingConfiguration": {
        "associatedRouteTable": "defaultRouteTable",
        "propagatedRouteTables": ["defaultRouteTable"]
      }
    }
  ]
}

Generated Output

Output will appear here...

About This Tool

Azure Virtual WAN is a networking service that provides optimized and automated branch-to-branch, branch-to-Azure, and Azure-to-Azure connectivity through a Microsoft-managed hub-and-spoke architecture. A Virtual WAN can contain multiple hubs across regions, each supporting VPN gateways (site-to-site and point-to-site), ExpressRoute gateways, and VNet connections. The Virtual WAN Config Builder helps you design hub configurations with gateway settings, VPN site definitions, VNet connections, and routing preferences for enterprise-scale network architectures.

When to Use This Tool

•Designing a multi-hub Virtual WAN topology connecting branch offices via VPN and Azure VNets via VNet connections
•Configuring hub VPN gateway settings with BGP, custom IPsec policies, and active-active configurations
•Building VNet connection configurations with routing tables that isolate production and development traffic

Frequently Asked Questions

How does Virtual WAN differ from a traditional hub-and-spoke VNet architecture?: In a traditional hub-and-spoke, you deploy and manage your own hub VNet, NVAs, VPN gateways, and route tables. Virtual WAN provides a Microsoft-managed hub with built-in gateway redundancy, automated spoke-to-spoke routing, and integration with SD-WAN partners. Virtual WAN hubs support transitive routing by default (any spoke can reach any other spoke), whereas traditional hub-and-spoke requires NVAs or route tables for transitive connectivity. Virtual WAN also supports inter-hub routing across regions automatically.
What are the Virtual WAN SKU differences?: The Basic SKU supports only site-to-site VPN connections and is intended for simple branch connectivity. The Standard SKU supports site-to-site VPN, point-to-site VPN, ExpressRoute, inter-hub transit, VNet-to-VNet transit, Azure Firewall integration, and NVA hosting. Most enterprise deployments require the Standard SKU. You can upgrade from Basic to Standard but cannot downgrade. Per-hub costs include the hub fee plus data processing charges for traffic flowing through the hub.

Related Learning Guides

Virtual Network Architecture28 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.