Manage Virtual Hubs and Gateways in Azure Virtual WAN
This article provides guidance on managing virtual hubs and their associated gateways within Azure Virtual WAN. Virtual WAN simplifies network management and connectivity for your Azure and on-premises environments.
Create a Virtual Hub
A virtual hub acts as a central point of connectivity for your Virtual WAN. It contains various network resources such as VPN gateways, ExpressRoute gateways, and virtual network connections.
Prerequisites
- An Azure subscription.
- Permissions to create resources in your subscription.
Steps to Create a Virtual Hub
Navigate to the Virtual WAN service in the Azure portal.
Select Virtual hubs from the left-hand menu and click + Create.
Fill in the required fields: Subscription, Resource group, Region, Name, and Hub private address space. Select a SKU (Standard or Basic).
Click Review + create, then Create.
Manage VPN Gateway
The VPN gateway enables secure site-to-site (S2S) or point-to-site (P2S) VPN connections to your virtual hub.
Creating a VPN Gateway
Within your virtual hub, select VPN gateway from the left-hand menu.
Click + Create VPN gateway.
Configure the gateway: Name, Gateway type (VPN), SKU (e.g., VpnGw1), Generation, Connection type (Vpn), Public IP addresses, and AS Number.
Click Create.
Managing Existing VPN Gateways
You can view, edit, and delete VPN gateways from the VPN gateway blade within your virtual hub. This includes managing connections, certificates, and BGP settings.
Manage ExpressRoute Gateway
An ExpressRoute gateway provides dedicated, private connectivity from your on-premises network to Azure via ExpressRoute circuits.
Creating an ExpressRoute Gateway
Navigate to your virtual hub and select ExpressRoute gateway.
Click + Create ExpressRoute gateway.
Configure the gateway: Name, SKU (e.g., ErGw1AZ), Number of scale units, and AS Number.
Click Create.
Managing Existing ExpressRoute Gateways
Existing gateways can be scaled up or down by adjusting the number of scale units. You can also view their configuration and associated circuits.
Manage Azure Firewall
Azure Firewall can be deployed within a virtual hub to provide centralized network security policies and threat protection.
Deploying Azure Firewall in a Virtual Hub
Go to your virtual hub and select Azure Firewall.
Click + Deploy Firewall.
Choose the Firewall type (Standard or Premium), configure its name, region, and policy.
Specify the management IP address and public IP address. Click Create.
Configuring Firewall Policies
Once deployed, you can manage network rules, application rules, NAT rules, threat intelligence, and other security settings through the Azure Firewall Manager.
# Example: Allowing HTTP traffic to specific backend IPs
{
"ruleCollection": "ApplicationRuleCollection",
"rules": [
{
"name": "AllowHttpToAppServers",
"priority": 100,
"ruleType": "ApplicationRule",
"sourceAddresses": ["*"],
"protocols": [ {"protocolType": "http", "port": 80} ],
"targetFqdns": ["app.example.com"]
}
]
}Manage NVA Transit
Virtual WAN supports routing traffic through Network Virtual Appliances (NVAs) like firewalls or intrusion detection systems deployed in spoke virtual networks. This is known as NVA transit.
Configuring NVA Transit
To enable NVA transit, you typically:
- Deploy your NVA in a spoke virtual network.
- Configure static routes in your virtual hub to direct traffic through the NVA's subnet.
- Ensure the NVA is configured to inspect and forward traffic as needed.
- Associate the spoke virtual network containing the NVA with your virtual hub.
Route Tables
The virtual hub uses route tables to control traffic flow. You can associate route tables with connections to influence which routes are propagated and which next hops are used.
# Example: Route table for NVA transit
{
"routeTableName": "NvaRouteTable",
"routes": [
{
"destinationType": "CIDR",
"destination": "0.0.0.0/0",
"nextHopType": "VnetConnection",
"nextHop": "SpokeVNetWithNVA"
}
]
}