Azure Virtual WAN – Configuration


Overview

Azure Virtual WAN provides a unified networking and security architecture for connecting branches, remote users, and virtual networks. This guide walks you through the essential steps to configure a Virtual WAN, create hubs, and establish site‑to‑site connections.

Prerequisites

  • Azure subscription with Owner/Contributor rights.
  • Resource group created for networking resources.
  • Existing virtual networks or on‑premises VPN devices.
  • Azure CLI (2.x) or Azure PowerShell installed.

Step 1 – Create a Virtual WAN

Run the following Azure CLI command to create a Virtual WAN:

az network vwan create \
  --name MyVirtualWAN \
  --resource-group MyNetworkRG \
  --location eastus \
  --type Standard

Step 2 – Add Virtual Hubs

Virtual Hubs act as regional points for routing. Create a hub in each region you need.

az network vhub create \
  --name HubEastUS \
  --resource-group MyNetworkRG \
  --address-prefix 10.0.0.0/24 \
  --vwan MyVirtualWAN \
  --location eastus

Step 3 – Configure Site‑to‑Site Connections

Define a connection between your on‑premises VPN device and the hub.

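# Site-to-site connections are created on the hub's VPN gateway;
# az network vhub connection create attaches virtual networks, not VPN sites.
# MyHubVpnGateway is a placeholder for an existing VPN gateway in HubEastUS.
az network vpn-gateway connection create \
  --name OnPremConnection \
  --gateway-name MyHubVpnGateway \
  --resource-group MyNetworkRG \
  --remote-vpn-site MyOnPremSite \
  --shared-key MySecretKey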

Step 4 – Apply Routing Policies

Use Azure Firewall or a third‑party NVA to enforce security policies. Associate the firewall with the hub:

az network firewall create \
  --name MyFW \
  --resource-group MyNetworkRG \
  --location eastus

az network firewall policy create \
  --name MyFWPolicy \
  --resource-group MyNetworkRG

az network firewall policy rule-collection-group create \
  --policy-name MyFWPolicy \
  --resource-group MyNetworkRG \
  --name RCGroup1 \
  --priority 100

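# NetworkRules and the collection priority 100 are placeholder values.
# '*' is quoted so the shell does not expand it. This rule allows TCP/80 from any
# source to any destination; narrow the address ranges to what you need.
az network firewall policy rule-collection-group collection add-filter-collection \
  --policy-name MyFWPolicy \
  --resource-group MyNetworkRG \
  --rule-collection-group-name RCGroup1 \
  --name NetworkRules \
  --collection-priority 100 \
  --action Allow \
  --rule-name AllowHTTP \
  --rule-type NetworkRule \
  --ip-protocols TCP \
  --source-addresses '*' \
  --destination-addresses '*' \
  --destination-ports 80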

ARM Template Sample

The following ARM template deploys a Virtual WAN with one hub. The site‑to‑site connection is not part of the template as shown.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vwanName": { "type": "string", "defaultValue": "MyVirtualWAN" },
    "hubName": { "type": "string", "defaultValue": "HubEastUS" },
    "location": { "type": "string", "defaultValue": "eastus" }
  },
  "resources": [
    {
      "type": "Microsoft.Network/virtualWans",
      "apiVersion": "2023-09-01",
      "name": "[parameters('vwanName')]",
      "location": "[parameters('location')]",
      "properties": { "disableVpnEncryption": false, "type": "Standard" }
    },
    {
      "type": "Microsoft.Network/virtualHubs",
      "apiVersion": "2023-09-01",
      "name": "[parameters('hubName')]",
      "location": "[parameters('location')]",
      "dependsOn": [ "[resourceId('Microsoft.Network/virtualWans', parameters('vwanName'))]" ],
      "properties": {
        "addressPrefix": "10.0.0.0/24",
        "virtualWan": { "id": "[resourceId('Microsoft.Network/virtualWans', parameters('vwanName'))]" }
      }
    }
  ]
}
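
A pre-deployment check for a template like the one above, as an added example that is not part of the original page or of Microsoft's tooling: it flags unused parameters, a Virtual WAN with disableVpnEncryption set to true, and a hub address prefix that is smaller than /24 or overlaps a connected network. The function name, the sample template and the prefix list are constructed for illustration, and address prefixes are assumed to be literal CIDR strings rather than template expressions.

```python
import ipaddress
import json

# Constructed sample (not the page's template): same resource types, with an
# unused parameter, VPN encryption disabled, and a hub prefix that overlaps a spoke.
SAMPLE_TEMPLATE = json.loads("""{
  "parameters": {
    "vwanName": {"type": "string", "defaultValue": "MyVirtualWAN"},
    "resourceGroup": {"type": "string"}
  },
  "resources": [
    {"type": "Microsoft.Network/virtualWans", "name": "[parameters('vwanName')]",
     "properties": {"disableVpnEncryption": true, "type": "Standard"}},
    {"type": "Microsoft.Network/virtualHubs", "name": "HubEastUS",
     "properties": {"addressPrefix": "10.0.0.0/24"}}
  ]
}""")


def audit_template(template, connected_prefixes):
    """Return sorted findings; connected_prefixes are spoke/on-prem CIDRs (assumed input)."""
    findings = []
    # Everything except the parameter declarations, as text, for a reference search.
    body = json.dumps({k: v for k, v in template.items() if k != "parameters"})
    for name in template.get("parameters", {}):
        if f"parameters('{name}')" not in body:
            findings.append(f"unused parameter: {name}")
    peers = [ipaddress.ip_network(p) for p in connected_prefixes]
    for res in template.get("resources", []):
        props = res.get("properties", {})
        if res.get("type") == "Microsoft.Network/virtualWans":
            if props.get("disableVpnEncryption", False):
                findings.append(f"VPN encryption disabled on {res.get('name')}")
        elif res.get("type") == "Microsoft.Network/virtualHubs":
            hub = ipaddress.ip_network(props["addressPrefix"])
            if hub.prefixlen > 24:  # hubs need at least a /24
                findings.append(f"hub prefix {hub} is smaller than /24")
            # The hub range must not overlap any network it will route to.
            findings += [f"hub prefix {hub} overlaps {p}" for p in peers if hub.overlaps(p)]
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_template(SAMPLE_TEMPLATE, ["10.0.0.0/16", "192.168.10.0/24"]):
        print(finding)
```

The unused-parameter check is a plain text search for `parameters('name')`, so it does not account for different casing or extra whitespace inside template expressions.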

Next Steps

  • Enable Azure Monitor for Virtual WAN diagnostics.
  • Integrate Azure Bastion for secure RDP/SSH access.
  • Explore Virtual WAN hub routing preferences (P2S, ExpressRoute).