2.4 Azure Virtual WAN
📘Microsoft Azure Networking Solutions (AZ-700)
Overview
Before we dive into creating a hub, let’s quickly understand what Azure Virtual WAN is:
- Azure Virtual WAN (VWAN) is a networking service that provides a centralized hub-and-spoke architecture for connecting multiple branch offices, virtual networks (VNets), and remote users.
- It simplifies global network connectivity, routing, and security, so you can manage connections at scale.
- In a Virtual WAN, the hub acts as a central network point where all connectivity converges.
Think of it as a cloud-based networking center where VNets, VPNs, and ExpressRoute circuits can connect.
What is a Virtual WAN Hub?
A Virtual WAN hub is:
- A regional virtual network that serves as a central connection point.
- Deployed in a specific Azure region (e.g., East US, West Europe).
- Automatically configured to support VPN, ExpressRoute, and VNet connectivity.
- Includes built-in routing, security, and monitoring.
Key features of a Virtual WAN hub:
| Feature | Description |
|---|---|
| Hub type | Can be Standard or Basic. Standard supports more scale and features. |
| VPN Gateway | Allows branch-to-hub connectivity over VPN. |
| ExpressRoute Gateway | Connects on-premises networks using private circuits. |
| Firewall / Security | Optional integration with Azure Firewall for security. |
| Routing | Automatically handles routing between connected VNets and on-premises. |
Steps to Create a Hub in Azure Virtual WAN
Here’s a step-by-step guide for the exam. You can do this using the Azure portal, CLI, or PowerShell, but the exam typically expects you to understand the concepts and configuration options.
Step 1: Create a Virtual WAN
- Go to Azure portal → Virtual WAN → Create Virtual WAN.
- Provide:
  - Name: e.g., Contoso-VWAN
  - Subscription and Resource Group
  - Region: Where you want the WAN (this is just the hub deployment region)
  - Type: Usually Standard (for production)
  - VPN / ExpressRoute connections: Optional to pre-configure
Step 2: Add a Hub to the Virtual WAN
- Go to Virtual WAN → Hubs → + Hub.
- Provide the following:
| Field | Explanation |
|---|---|
| Name | e.g., EastUS-Hub |
| Region | Choose the Azure region for this hub (East US, West Europe, etc.) |
| Virtual WAN | Select the Virtual WAN you created in Step 1 |
| SKU | Standard or Basic. Standard is recommended for scale and features. |
| Address Space | The hub’s IP range in CIDR format (e.g., 10.0.0.0/24) |
| VPN Gateway / ExpressRoute Gateway | Choose if you want the hub to support site-to-site VPN or ExpressRoute. |
| Firewall (optional) | You can attach Azure Firewall later for traffic inspection |
⚠️ Important Exam Note: Each hub exists in a single region. If you need multi-region connectivity, create multiple hubs and connect them with Virtual WAN hub-to-hub connections.
Step 3: Configure Routing & Connectivity
Once the hub is deployed, you can:
- Connect VNets: Use the hub to connect multiple VNets, creating a hub-and-spoke model.
- Connect Branches: Use site-to-site VPN or point-to-site VPN through the hub.
- Connect ExpressRoute circuits: For private on-premises connectivity.
- Enable Security: Optional Azure Firewall integration for centralized inspection.
Exam Tip: Understand that Virtual WAN automatically manages routing between connected networks; you don’t need to create route tables manually.
Step 4: Verify the Hub
- Go to Virtual WAN → Hubs → Select Your Hub
- Check:
  - Connected VNets
  - VPN/ExpressRoute connections
  - Routing tables
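A pre-deployment check for the values chosen in Steps 1 and 2, as an added example that is not part of the original guide: it validates each hub's CIDR address space, flags a multi-hub plan that is not Standard, and reports overlaps between hub and spoke VNet ranges. The plan layout, the names and prefixes, and the /24 minimum hub size are assumptions made for this example.

```python
import ipaddress

MIN_HUB_PREFIXLEN = 24  # assumption: smallest hub address space accepted is a /24

# Constructed plan with deliberate mistakes; all names and prefixes are made up.
PLAN = {
    "wan_type": "Basic",
    "hubs": {"EastUS-Hub": "10.0.0.0/24", "WestEU-Hub": "10.0.0.128/25"},
    "spokes": {"app-vnet": "10.0.0.0/16", "data-vnet": "10.2.0.0/16"},
}


def check_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    hubs = {}
    for name, prefix in plan["hubs"].items():
        try:
            net = ipaddress.ip_network(prefix)  # strict mode: rejects host bits
        except ValueError as exc:
            findings.append(f"{name}: invalid CIDR: {exc}")
            continue
        hubs[name] = net
        if net.prefixlen > MIN_HUB_PREFIXLEN:
            findings.append(f"{name}: {net} is smaller than /{MIN_HUB_PREFIXLEN}")
    # From the guide: hub-to-hub connections need Standard; Basic is limited.
    if len(plan["hubs"]) > 1 and plan["wan_type"] != "Standard":
        findings.append("several hubs planned but type is not Standard")
    # Hub ranges must be distinct from each other.
    names = sorted(hubs)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if hubs[a].overlaps(hubs[b]):
                findings.append(f"hub {a} overlaps hub {b}")
    # A spoke VNet range must not overlap any hub range.
    for spoke, prefix in plan["spokes"].items():
        try:
            snet = ipaddress.ip_network(prefix)
        except ValueError as exc:
            findings.append(f"{spoke}: invalid CIDR: {exc}")
            continue
        for name, net in hubs.items():
            if snet.overlaps(net):
                findings.append(f"spoke {spoke} ({snet}) overlaps hub {name} ({net})")
    return findings


if __name__ == "__main__":
    for finding in check_plan(PLAN):
        print("FINDING:", finding)
```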
Exam-Focused Tips
- Hubs are region-specific: Multi-region designs require multiple hubs.
- Standard vs Basic SKU: Standard is scalable and supports hub-to-hub connections; Basic is limited.
- Connectivity options: Hub can connect:
  - VNets (Azure-to-Azure)
  - Branch offices (VPN)
  - On-premises (ExpressRoute)
- Routing is automatic: No manual route tables required unless using custom routing.
- Security integration: Optional Azure Firewall and security partners can be attached to hubs.
Summary for Exam
- A Virtual WAN hub is the central connection point in a region for VNets, on-premises networks, and remote users.
- Steps to create a hub:
  - Create a Virtual WAN.
  - Add a hub to the Virtual WAN (choose region, SKU, address space, and gateways).
  - Connect VNets, VPNs, or ExpressRoute.
  - Optionally integrate security (Azure Firewall).
- Hubs simplify connectivity, centralize routing, and allow scalable network architecture.
