Azure Virtual WAN Documentation

Diagnose Routing Issues in Azure Virtual WAN

This guide helps you identify and resolve common routing problems in Azure Virtual WAN. Follow the steps below to use built‑in diagnostics, Azure Monitor, and Network Watcher.

Table of Contents

Prerequisites

  • Azure subscription with Owner/Contributor rights.
  • Virtual WAN and at least one Hub configured.
  • Network Watcher enabled in the region of the Virtual WAN.
  • Azure CLI 2.0 or PowerShell 7 installed.

Diagnostic Tools Overview

Azure CLI provides quick command‑line access to routing diagnostics.

az network vwan hub route-table list \
  --resource-group MyResourceGroup \
  --hub-name MyHub

PowerShell offers rich object manipulation.

Get-AzVirtualWanHubRouteTable `
  -ResourceGroupName "MyResourceGroup" `
  -HubName "MyHub"

Navigate to Virtual WAN → Hub → Route tables** in the Azure portal to view routing entries and status.

Step 1 – Verify Connectivity

Use az network watcher test-connectivity to ensure that spokes can reach the hub.

az network watcher test-connectivity \
  --source-resource-id $(az network vnet show -g MyRG -n SpokeVNet --query id -o tsv) \
  --dest-resource-id $(az network vnet show -g MyRG -n HubVNet --query id -o tsv)

Step 2 – Review Route Tables

Check the effective routes on a subnet within the spoke.

az network vnet subnet show-effective-route-table \
  --resource-group MyRG \
  --vnet-name SpokeVNet \
  --name SubnetA

Step 3 – Use Network Watcher – IP Flow Verify

Validate traffic flow against Network Security Groups and routing rules.

az network watcher ip-flow-verify \
  --resource-group MyRG \
  --direction "Outbound" \
  --protocol "Tcp" \
  --local-port 443 \
  --remote-ip 10.0.0.4 \
  --remote-port 443 \
  --target-resource-id $(az network nic show -g MyRG -n SpokeNIC --query id -o tsv)

Step 4 – Analyze Logs with Azure Monitor

Enable Diagnostic Settings for the Virtual WAN hub and stream logs to Log Analytics.

az monitor diagnostic-settings create \
  --name "VwanHubDiagnostics" \
  --resource $(az network vwan hub show -g MyRG -n MyHub --query id -o tsv) \
  --workspace $(az monitor log-analytics workspace show -g MyRG -n MyWorkspace --query id -o tsv) \
  --logs '[{"category":"VirtualWanGateway","enabled":true}]'

Run a Kusto query to find routing errors:

AzureDiagnostics
| where ResourceType == "VIRTUALWANHUBS"
| where Category == "VirtualWanGateway"
| where OperationName == "RouteConfiguration"
| summarize count() by ResultDescription, bin(TimeGenerated, 5m)
| order by TimeGenerated desc

Common Issues & Fixes

  • Missing routes in effective route table: Verify that the Hub’s Route Table includes a default route to the appropriate VPN or ExpressRoute.
  • Traffic blocked by NSG: Use az network watcher ip-flow-verify to pinpoint the rule and adjust the NSG priority.
  • Route propagation disabled on the Hub: Enable Propagate to VNet connections in the hub configuration.
  • Incorrect BGP advertisement: Check BGP settings on the Virtual WAN Branch Router and ensure ASN and community values match on both ends.

FAQ

Can I automate routing diagnostics?
Yes. Use Azure CLI or PowerShell scripts within Azure DevOps pipelines or GitHub Actions.
Do I need a separate Log Analytics workspace for each hub?
No. A single workspace can collect diagnostics from multiple hubs, using distinct tables for each hub.
Is there a cost associated with Network Watcher?
Network Watcher traffic inspection (IP flow verify, connectivity check) is billed per test. Diagnostic logs incur standard Log Analytics charges.