MSDN / Documentation / Azure / Networking / Virtual WAN / How‑to / Configure routing

Configure routing in Azure Virtual WAN

This guide walks you through configuring routing for a Virtual WAN hub, including creating the hub, defining a routing intent, and connecting spokes, VPN sites, and ExpressRoute circuits.

Prerequisites

  • An Azure subscription with Owner or Contributor rights.
  • A resource group for the Virtual WAN resources.
  • Existing Virtual WAN instance or create a new one.
  • Network resources (spokes, VPN sites, ExpressRoute) you plan to attach.

1. Create a virtual hub

  1. Navigate to Virtual WAN in the Azure portal.
  2. Select your Virtual WAN and click + Hub.
  3. Provide a name, region, and address prefix (e.g., 10.0.0.0/24).
  4. Click Create and wait for deployment.
az network vwan hub create \
  --resource-group MyRg \
  --name MyHub \
  --vwan MyVwan \
  --address-prefix 10.0.0.0/24 \
  --location eastus

2. Configure routing intent

Routing intent defines the type of traffic the hub will handle (branch, internet, virtual appliance, etc.).

  1. In the hub blade, select Routing intent.
  2. Click Add and choose the desired routing type(s).
  3. Provide a name and, if needed, associate a virtual appliance for NAT or firewall.
  4. Save the configuration.
az network vwan hub-routing-intent create \
  --resource-group MyRg \
  --name MyIntent \
  --hub-name MyHub \
  --vwan MyVwan \
  --routing-type BranchToBranchTraffic

3. Add connections

Connect a virtual hub to a spoke

az network vhub connection create \
  --resource-group MyRg \
  --vhub-name MyHub \
  --name SpokeConnection \
  --remote-vnet MySpokeVnet \
  --remote-vnet-id $(az network vnet show -g MyRg -n MySpokeVnet --query id -o tsv)

Connect a VPN site

az network vpn-connection create \
  --resource-group MyRg \
  --name VpnToHub \
  --vwan MyVwan \
  --hub MyHub \
  --site MyVpnSite \
  --vpn-type RouteBased

Connect an ExpressRoute circuit

az network vhub connection create \
  --resource-group MyRg \
  --vhub-name MyHub \
  --name ErConnection \
  --remote-virtual-network $(az network express-route show -g MyRg -n MyEr --query id -o tsv) \
  --connection-type ExpressRoute

Validate routing

  1. Open Network Watcher → IP flow verify.
  2. Enter source and destination IPs that should be routed through the hub.
  3. Confirm the path matches the expected routing intent.

Alternatively, use Azure CLI:

az network watcher test-ip-flow \
  --resource-group MyRg \
  --direction Outbound \
  --protocol Tcp \
  --local 10.1.0.4 \
  --remote 8.8.8.8 \
  --port 443 \
  --type VirtualHub \
  --vhub MyHub

FAQ

Can I have multiple routing intents on the same hub?
Yes. You can add multiple intents (Branch, Virtual Appliance, Internet, etc.) and associate each with different virtual appliances.
Do I need a separate hub per region?
Best practice is to deploy one hub per region to minimize latency and reduce inter‑region traffic costs.
How do I enable forced tunneling?
Configure a virtual appliance and set forcedTunnelRouting in the routing intent.