```html Azure Virtual WAN – Service Chaining | Microsoft Docs

Service Chaining in Azure Virtual WAN

Service chaining lets you direct traffic through an ordered set of network virtual appliances (NVAs) or security services before it reaches its final destination. This capability enables you to apply layered security, inspection, and transformation policies across your Azure Virtual WAN hub.

Architecture

The diagram below illustrates a typical service chaining topology:

Service Chaining Architecture
Traffic flows from a branch VPN, through a series of NVAs, and out to the internet or on-premises network.

Configuration Steps

  1. Create or select an existing Virtual WAN hub.
  2. Deploy the desired NVAs in the hub's virtual network (e.g., Azure Firewall, Palo Alto, Fortinet).
  3. Configure Virtual Hub Route Tables to define the sequence of services.
  4. Associate the route table with the hub’s Secure Virtual Hub setting.
  5. Validate traffic flow using Packet Capture or Azure Network Watcher.

Example Policy (Azure CLI)

az network vhub route-table create \
    --resource-group MyResourceGroup \
    --vhub-name MyVHub \
    --name ServiceChainTable \
    --labels "service-chain"

az network vhub route-table rule create \
    --resource-group MyResourceGroup \
    --vhub-name MyVHub \
    --route-table-name ServiceChainTable \
    --name ToFW \
    --next-hop-type VirtualAppliance \
    --next-hop-ip-address 10.0.0.4 \
    --destination-type CIDR \
    --destinations 0.0.0.0/0

az network vhub route-table rule create \
    --resource-group MyResourceGroup \
    --vhub-name MyVHub \
    --route-table-name ServiceChainTable \
    --name ToIDS \
    --next-hop-type VirtualAppliance \
    --next-hop-ip-address 10.0.0.5 \
    --destination-type CIDR \
    --destinations 0.0.0.0/0

Best Practices

  • Use separate subnets for each NVA to simplify IP management.
  • Leverage Azure Firewall Manager for centralized policy orchestration.
  • Monitor hop latency with Network Watcher.
  • Implement health probes on each NVA and configure failover routes.

FAQ

QuestionAnswer
Can I mix Azure‑native and third‑party NVAs? Yes. Service chaining supports any virtual appliance accessible via a private IP in the hub VNet.
Is there a limit to the number of hops? Currently up to 10 hops per route table are supported.
How does scaling work? Scale each NVA independently; the hub route table directs traffic to the scaled instances automatically.
```