Azure Virtual WAN - Transit Routing

Overview

This guide walks you through enabling and configuring transit routing for an Azure Virtual WAN hub. Transit routing lets you centralize traffic between multiple virtual networks (VNets) and on‑premises sites, reducing the need for complex peering topologies.

Prerequisites

  • Azure subscription with Owner or Network Contributor role.
  • Existing Virtual WAN and a hub with at least one Standard SKU.
  • One or more VNets you plan to associate with the hub.
  • Azure CLI (2.30+) or Azure PowerShell (7.0+).

Step 1 – Enable Transit Routing on the Hub

Run the following Azure CLI command to enable transit routing:

az network vhub update \
  --name MyTransitHub \
  --resource-group MyResourceGroup \
  --allow-b2b-traffic true \
  --allow-vnet-traffic true \
  --allow-inbound-access true

Alternatively, use Azure PowerShell:

Update-AzVirtualHub -Name "MyTransitHub" `
  -ResourceGroupName "MyResourceGroup" `
  -AllowBranchToBranchTraffic $true `
  -AllowHubToHubTraffic $true `
  -AllowInboundTrafficFromRemoteVnet $true

Step 2 – Configure Hub Route Table

Create a custom route table to control traffic flow between attached VNets:

az network vhub route-table create \
  --resource-group MyResourceGroup \
  --vhub-name MyTransitHub \
  --name TransitRouteTable \
  --type VirtualHub

Add a default route that sends all traffic to the internet via the Azure Firewall (if you have one) or an NVA:

az network vhub route-table route add \
  --resource-group MyResourceGroup \
  --vhub-name MyTransitHub \
  --route-table-name TransitRouteTable \
  --name DefaultInternetRoute \
  --address-prefix 0.0.0.0/0 \
  --next-hop-type ResourceId \
  --next-hop-id /subscriptions/xxxx/resourceGroups/MyResourceGroup/providers/Microsoft.Network/azureFirewalls/MyFirewall

Step 3 – Associate VNets to the Hub

Associate each VNet with the hub and the newly created route table:

az network vhub connection create \
  --name VNetToHub1 \
  --resource-group MyResourceGroup \
  --vhub-name MyTransitHub \
  --remote-vnet /subscriptions/xxxx/resourceGroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworks/VNet1 \
  --route-table TransitRouteTable

Repeat the command for additional VNets.

Verification

Validate the configuration with:

az network vhub show \
  --resource-group MyResourceGroup \
  --name MyTransitHub \
  --query "properties.routingState"

Confirm that "TransitRoutingEnabled": true appears. Use trace route or ping between VMs in different VNets to ensure traffic traverses the hub.

FAQ

Do I need a hub SKU of Standard to enable transit routing?

Yes. The Standard SKU provides the necessary features for hub‑to‑hub and VNet‑to‑VNet transit.

Can I use Azure Firewall as the next hop for all outbound traffic?

Absolutely. Adding an Azure Firewall or a third‑party Network Virtual Appliance (NVA) to the route table is the recommended pattern for centralized security.