Azure Virtual WAN Hub Concepts

This document provides a detailed explanation of the concepts related to Azure Virtual WAN hubs. A Virtual WAN hub is a networking construct that acts as a central transit point for your global network.

What is a Virtual WAN Hub?

An Azure Virtual WAN hub is a managed, scalable, and highly available resource that serves as the central point of connectivity in your Virtual WAN topology. It aggregates various network connections, such as VPNs, ExpressRoute circuits, and branches, enabling seamless communication between them and your Azure virtual networks.

Key characteristics of a Virtual WAN hub include:

Centralized Transit: It acts as a transit router, allowing traffic to flow between different connected networks without requiring complex mesh configurations.
Managed Service: Microsoft manages the underlying infrastructure, ensuring high availability and scalability.
Integrated Services: It integrates with Azure Firewall, Azure Load Balancer, and other networking services for enhanced security and traffic management.
Scalability: Virtual WAN hubs are designed to scale automatically to meet your connectivity demands.

Components of a Virtual WAN Hub

A Virtual WAN hub comprises several key components that enable its functionality:

Virtual Hub Router

The Virtual Hub Router is the core component responsible for routing traffic within and between connected networks. It dynamically learns routes and applies routing policies to ensure efficient and secure data flow.

VPN Gateway

A VPN gateway within the hub provides secure site-to-site VPN connectivity to your on-premises networks and other remote locations.

ExpressRoute Gateway

An ExpressRoute gateway enables you to connect your Virtual WAN hub to your on-premises networks via Azure ExpressRoute, providing high-bandwidth, low-latency private connections.

Azure Firewall (Optional)

You can deploy an Azure Firewall instance within the hub to centralize and enforce network security policies across your Virtual WAN environment. This provides advanced threat protection, application filtering, and intrusion detection.

Virtual Network Connections

Virtual networks (spokes) are connected to the hub, allowing them to leverage the hub's routing capabilities and access resources in other connected networks.

Hub Routing and Connectivity

The Virtual WAN hub manages the routing of traffic between different network endpoints. It supports various routing scenarios:

Intra-Hub Routing

Traffic between virtual networks connected to the same hub is routed efficiently through the hub's router.

Inter-Hub Routing

For multi-region deployments, Virtual WAN hubs can be interconnected, allowing seamless communication between spokes in different regions.

Branch Connectivity

Branches connected via VPN or ExpressRoute can communicate with resources in connected virtual networks through the hub.

Hub Deployment and Configuration

Deploying a Virtual WAN hub involves several steps:

Create a Virtual WAN resource.
Create a Virtual Hub within the Virtual WAN.
Configure VPN Gateways, ExpressRoute Gateways, and optionally Azure Firewall as needed.
Connect your virtual networks (spokes) to the Virtual Hub.
Establish connections for your branches.

The hub's configuration can be managed through the Azure portal, Azure CLI, or Azure PowerShell.

Important: A Virtual WAN hub is a regional resource. You can create multiple hubs in different regions for a global network.

Use Cases

Virtual WAN hubs are ideal for various scenarios:

Global Network Backbone: Building a scalable and resilient global network for distributed organizations.
Branch Connectivity: Simplifying and centralizing the management of branch office connections.
Hybrid Cloud Connectivity: Seamlessly integrating on-premises networks with Azure resources.
Secure Cloud Networking: Implementing centralized security policies with Azure Firewall.

Next Steps

To learn more about connecting resources to a Virtual WAN hub, see: