Connect clients to Azure Virtual WAN
Overview
Azure Virtual WAN provides a unified networking experience that connects branch offices, remote users, and Azure resources. This article explains how to connect client devices (users) to a Virtual WAN hub using Azure Firewall, VPN, and Azure AD authentication.
Prerequisites
- An Azure subscription with Virtual WAN and a configured VPN hub.
- Azure AD tenant with conditional access policies (optional).
- Azure Firewall (if you plan to enforce policies).
- Supported client OS: Windows 10/11, macOS, iOS, Android.
Step‑by‑step guide
1. Create a VPN Site for remote clients
az network vwan vpn-site create \
  --resource-group MyResourceGroup \
  --name RemoteClientVPNSite \
  --virtual-wan MyVirtualWAN \
  --address-prefixes 10.10.0.0/24 \
  --vpn-type RouteBased \
  --gateway-foo ...
2. Configure a Point‑to‑Site (P2S) connection
Use the Azure portal or the CLI to enable P2S on the hub.
az network vwan hub connection create \
  --resource-group MyResourceGroup \
  --hub-name MyHub \
  --name P2SConnection \
  --remote-vpn-site RemoteClientVPNSite \
  --protocol IkeV2 \
  --vpn-client-address-pool 172.16.0.0/24
3. Download the VPN client profile
After the connection is created, download the configuration package for the target OS.
4. Install and connect
Follow the platform‑specific guide to install the VPN client, import the profile, and connect.
| Platform | Installation steps |
|---|---|
| Windows | Run the installer, import the .xml profile, and connect via the Azure VPN Client. |
| macOS | Open the .mobileconfig file, approve the profile, and connect via the built‑in VPN client. |
| Android | Import the .ovpn file into the Azure VPN Client app from the Play Store. |
| iOS | Install the Azure VPN Client from the App Store, import the profile, and connect. |
Verification
After connecting, verify the client IP address, routing, and access to Azure resources.
On Windows:
ipconfig /all
On macOS/Linux:
ifconfig
Check connectivity to a resource in the hub (10.0.0.4 is an example VM IP in the hub):
ping 10.0.0.4
Troubleshooting
- Authentication failure: Verify Azure AD Conditional Access policies and certificate enrollment.
- Unable to connect: Ensure the client’s public IP is allowed in the hub’s Allowed IPs list.
- Routing issues: Confirm the VPN client address pool does not overlap with on‑premises subnets.
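The address pool overlap check from the last troubleshooting item, as an added example (not part of the original article and not Azure tooling). It uses the article's client pool 172.16.0.0/24 and VPN site prefix 10.10.0.0/24; the branch-lan and datacenter prefixes, the sample client address, and both function names are constructed for illustration.

```python
import ipaddress

CLIENT_POOL = "172.16.0.0/24"               # P2S client address pool from the article
KNOWN_PREFIXES = {
    "RemoteClientVPNSite": "10.10.0.0/24",  # VPN site prefix from the article
    "branch-lan": "172.16.0.0/16",          # constructed: overlaps the pool on purpose
    "datacenter": "192.168.10.0/24",        # constructed: no overlap
}


def find_overlaps(client_pool, prefixes):
    """Return (name, cidr, relation) for each prefix that shares addresses with the pool."""
    # strict=True rejects CIDRs with host bits set (e.g. 172.16.0.5/24), a common typo.
    pool = ipaddress.ip_network(client_pool, strict=True)
    hits = []
    for name, cidr in prefixes.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if not pool.overlaps(net):  # also False when one is IPv4 and the other IPv6
            continue
        # Two overlapping CIDR blocks are either identical or one contains the other.
        if pool == net:
            relation = "identical"
        elif pool.subnet_of(net):
            relation = "pool inside prefix"
        else:
            relation = "prefix inside pool"
        hits.append((name, str(net), relation))
    return hits


def client_ip_in_pool(address, client_pool):
    """True if the address reported by ipconfig/ifconfig was assigned from the pool."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(client_pool, strict=True)


if __name__ == "__main__":
    for name, cidr, relation in find_overlaps(CLIENT_POOL, KNOWN_PREFIXES):
        print(f"OVERLAP {CLIENT_POOL} vs {name} ({cidr}): {relation}")
    # Constructed tunnel adapter address, as it would appear after connecting.
    print("172.16.0.7 in pool:", client_ip_in_pool("172.16.0.7", CLIENT_POOL))
```

Run it against the full list of on-premises and hub prefixes before choosing a client pool; any reported overlap means traffic for those addresses can be routed to the wrong side of the tunnel.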