Create a secure hub using Azure Firewall in Virtual WAN

5.4 Azure Firewall and Firewall Manager

📘Microsoft Azure Networking Solutions (AZ-700)


1. What is a Secure Hub in Azure Virtual WAN?

A secure hub in Azure Virtual WAN (VWAN) is a hub that integrates Azure Firewall to manage and secure traffic coming into and leaving your network. Essentially, it’s a centralized location where all your traffic is inspected, filtered, and controlled.

Key points:

  • A hub is a network gateway in Azure Virtual WAN.
  • When you integrate Azure Firewall, it becomes a secure hub.
  • It allows organizations to enforce network and security policies consistently across multiple branches, VPNs, or connections.

2. Why use a Secure Hub?

  • Centralized security: All traffic flows through the hub, so policies are easier to enforce.
  • Traffic inspection: Azure Firewall can block malicious traffic, allow approved traffic, and log traffic.
  • Support for hybrid networks: You can connect on-premises sites via VPN or ExpressRoute and secure them.
  • Scalability: Virtual WAN hubs automatically scale to handle increasing traffic.

IT Example:
If your company has multiple branch offices, all their VPN traffic can be routed through the secure hub. Azure Firewall inspects traffic to prevent malware or unauthorized access to your corporate network.


3. Components Needed to Create a Secure Hub

To create a secure hub using Azure Firewall in Virtual WAN, you need:

  1. Azure Virtual WAN (VWAN):
    • Acts as the backbone network that connects multiple regions, offices, and remote users.
    • Provides hubs to connect branches, VPNs, or ExpressRoute circuits.
  2. Virtual Hub:
    • The hub is the “network center” where connections terminate.
    • Supports routing and can integrate with Azure Firewall for security.
  3. Azure Firewall:
    • A stateful firewall that provides:
      • Network rules (allow/block traffic by IP, port, protocol)
      • Application rules (allow/block traffic by URL or domain)
      • Threat intelligence-based filtering (blocks known malicious IPs or domains)
    • Can inspect traffic from branches, users, and external connections.
  4. Connections to the Hub:
    • Site-to-Site VPNs: For branch office connectivity.
    • Point-to-Site VPNs: For remote users.
    • ExpressRoute: For private, high-speed connections from on-premises data centers.

4. Steps to Create a Secure Hub with Azure Firewall

Here’s a simplified step-by-step process for exam purposes:

Step 1: Create a Virtual WAN

  • Go to the Azure portal → Create a Virtual WAN.
  • Choose Standard or Basic (for secure hub, Standard is recommended).
  • Enable VPN and/or ExpressRoute connectivity.

Step 2: Create a Virtual Hub

  • Inside Virtual WAN, create a Virtual Hub in your region.
  • Assign an address space (subnet range) for the hub.
  • Optionally, enable Azure Firewall integration while creating.

Step 3: Deploy Azure Firewall in the Hub

  • If not enabled during hub creation, deploy Azure Firewall separately and associate it with the hub.
  • Assign a public IP for external traffic inspection.
  • Configure Azure Firewall rules:
    • Network rules for IP/port traffic control.
    • Application rules for URL/domain filtering.
    • Enable Threat Intelligence to block malicious traffic.

Step 4: Configure Routing

  • Ensure hub routes traffic from branch offices or P2S VPNs through Azure Firewall.
  • Virtual WAN automatically creates User Defined Routes (UDRs) to send traffic through the firewall.
  • Verify that the firewall sits inline in the traffic path.

Step 5: Connect Branches or Users

  • Add VPN sites (branch offices) to the hub.
  • Enable Point-to-Site VPN for remote users.
  • Optional: connect ExpressRoute circuits to the hub for private network traffic.

Step 6: Test and Monitor

  • Use Azure Firewall logs and Network Watcher to verify traffic flow.
  • Check that rules are applied correctly, and malicious or unauthorized traffic is blocked.
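As an added example that is not part of these notes, Steps 1 to 4 expressed as one Bicep template: a Standard Virtual WAN, a hub, a firewall policy with threat intelligence set to Deny, Azure Firewall deployed into the hub, and routing that puts the firewall inline. Resource names, region and the hub address space are assumed sample values, network/application rule collections are left out (they attach to the policy as rule collection groups), and Step 4 is done here with Virtual WAN routing intent rather than the portal's automatic routing.

```bicep
// Added example, not from the page: Bicep for Steps 1-4 of a secure hub.
// Names, region and address ranges are assumed sample values.
param location string = resourceGroup().location
param hubPrefix string = '10.100.0.0/23'   // assumed hub address space

// Step 1: Standard Virtual WAN (a Basic WAN cannot host a secure hub)
resource vwan 'Microsoft.Network/virtualWans@2023-05-01' = {
  name: 'vwan-demo'
  location: location
  properties: { type: 'Standard', allowBranchToBranchTraffic: true }
}

// Step 2: virtual hub with its own address space, attached to the WAN
resource hub 'Microsoft.Network/virtualHubs@2023-05-01' = {
  name: 'hub-demo'
  location: location
  properties: { virtualWan: { id: vwan.id }, addressPrefix: hubPrefix, sku: 'Standard' }
}

// Step 3a: firewall policy with threat intelligence in Deny mode
// (rule collection groups for network/application rules attach to this)
resource policy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'fwpol-demo'
  location: location
  properties: { threatIntelMode: 'Deny', sku: { tier: 'Standard' } }
}

// Step 3b: Azure Firewall in the hub: AZFW_Hub SKU, one public IP, linked policy
resource fw 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'fw-hub-demo'
  location: location
  properties: {
    sku: { name: 'AZFW_Hub', tier: 'Standard' }
    virtualHub: { id: hub.id }
    hubIPAddresses: { publicIPs: { count: 1 } }
    firewallPolicy: { id: policy.id }
  }
}

// Step 4: routing intent forces private (branch/VNet) and Internet-bound
// traffic through the firewall, so it is inline for every hub connection
resource intent 'Microsoft.Network/virtualHubs/routingIntent@2023-05-01' = {
  parent: hub
  name: 'hubRoutingIntent'
  properties: {
    routingPolicies: [
      { name: 'PrivateTraffic', destinations: [ 'PrivateTraffic' ], nextHop: fw.id }
      { name: 'PublicTraffic', destinations: [ 'Internet' ], nextHop: fw.id }
    ]
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file <file>`; VPN sites, Point-to-Site and ExpressRoute connections (Step 5) are then attached to the hub and inherit the routing intent.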

5. Key Features to Know for the Exam

Feature | Purpose
Azure Firewall integration | Converts a hub into a secure hub to filter traffic
Hub routing | Routes branch traffic through the firewall automatically
Application rules | Allow/block traffic by FQDN or URL
Network rules | Allow/block traffic by IP, port, protocol
Threat intelligence | Blocks known malicious IPs and domains
VPN/ExpressRoute support | Securely connects branches and on-premises environments
Scalability | Virtual WAN hubs automatically scale for high throughput

6. Tips for Exam Questions

  • Always remember: a secure hub = Virtual Hub + Azure Firewall.
  • Traffic from VPN or ExpressRoute connections goes through Azure Firewall once hub routing is configured to send it there.
  • You may be asked to enable threat intelligence, configure hub routing, or deploy Azure Firewall in a hub.
  • Know the difference between standard hub (can integrate firewall) and basic hub (cannot integrate firewall).

Summary:
A secure hub in Virtual WAN is a central network hub with Azure Firewall deployed to inspect and control traffic. It supports branch connections, remote users, and on-premises networks. The firewall enforces rules, blocks threats, and logs traffic, making your network safe and manageable.