How to interconnect Azure Virtual WAN hubs

This article provides detailed steps and considerations for interconnecting multiple Azure Virtual WAN hubs. Interconnecting hubs allows for seamless communication between spokes attached to different hubs, enabling a more distributed and resilient network architecture.

Prerequisites

  • An Azure subscription.
  • At least two Azure Virtual WAN hubs deployed in different regions.
  • Existing VNet connections to these hubs (optional, but common).

Understanding Hub-to-Hub Connectivity

Azure Virtual WAN facilitates hub-to-hub connectivity through its inherent routing capabilities. When you enable transit routing between hubs, traffic can flow between spokes connected to different hubs, provided they are part of the same Virtual WAN resource.

Steps to Interconnect Hubs

  1. Navigate to your Virtual WAN resource in the Azure portal.

  2. In the Virtual WAN portal, go to the Hubs section.

  3. Select the first hub you want to configure for interconnection.

  4. Under the hub's settings, find the Hub-to-hub configuration.

    You will see a list of all other hubs within the same Virtual WAN. For each hub you wish to connect to, ensure that the checkbox under the "Connect" column is selected.

    Note: Hub-to-hub connectivity is enabled by default when you create multiple hubs within the same Virtual WAN resource. This section allows you to explicitly enable or disable these connections and manage routing preferences.

  5. Repeat steps 3 and 4 for all other hubs that you want to be interconnected.

  6. Review Routing Intent (Optional)

    For more advanced routing scenarios, you can configure Routing Intent. This allows you to specify how traffic should be routed between hubs and to/from branches and remote users.

    • In the hub's settings, navigate to Routing intent.
    • Add or edit routing configurations as needed. For example, you can route branch traffic through an NVGRE appliance.

  7. Save Changes

    Ensure any changes are saved. The Virtual WAN service will automatically provision the necessary routing updates.

Verifying Connectivity

After configuring hub-to-hub connectivity, you can verify that spokes connected to different hubs can communicate:

  • Deploy virtual machines (VMs) in spokes attached to different hubs.
  • Attempt to ping or establish network connections between these VMs.
  • Use Azure Network Watcher's connection troubleshoot feature for more in-depth analysis.

Considerations

  • VNet Peering: Hub-to-hub connections are managed by Virtual WAN and do not rely on VNet peering between hub VNets.
  • Global Reach: Hub-to-hub connectivity within a single Virtual WAN is enabled by default and works across Azure regions.
  • Scalability: Virtual WAN is designed to scale to meet the demands of large enterprise networks.
  • Routing: Understand the effective routing tables within your hubs to diagnose any connectivity issues. You can view effective routes for VNet connections and VPN/ExpressRoute connections in the Azure portal.

Tip: For complex routing requirements, consider using Azure Firewall or Network Virtual Appliances (NVAs) deployed in a hub to enforce security policies and perform advanced traffic inspection.

Next Steps

Explore how to connect your on-premises sites and remote users to your Virtual WAN hubs: