Route Traffic Through a Virtual WAN Hub

This guide explains how to configure routing in Azure Virtual WAN to control the flow of traffic through your Virtual WAN hub. This is essential for implementing security policies, managing connectivity between spokes, and optimizing traffic for different workloads.

Objective: To understand and implement traffic routing policies within an Azure Virtual WAN hub.

This article covers scenarios such as routing internet-bound traffic through a firewall, routing traffic between VNets, and managing connectivity to on-premises networks.

Understanding Virtual WAN Hub Routing

The Virtual WAN hub acts as a central transit point for your network. Routing is managed using route tables. Each connection (VNet, VPN, ExpressRoute) is associated with a route table. The hub propagates routes to these route tables, enabling control over traffic flow.

Key Concepts:

Hub Route Table: The default route table for the hub. Routes learned from connected resources are propagated here.
VNet Route Table: Associated with a specific VNet connection. Routes from the hub and other connected resources can be propagated to this table.
Propagating Routes: The process by which routes are shared between the hub and connected resources.
Learned Routes: Routes that a connection (like a VNet) learns from the hub.
Static Routes: Manually configured routes within the hub for specific destinations.

Scenarios and Configuration

Scenario 1: Routing Internet Traffic Through a Firewall

To inspect internet-bound traffic, you can route it through a Network Virtual Appliance (NVA) like Azure Firewall deployed in the hub or a dedicated spoke VNet. This requires specific route table configurations.

Deploy and Configure Firewall

Deploy Azure Firewall or a third-party NVA in a dedicated spoke VNet connected to your Virtual WAN hub.

Configure firewall rules to allow or deny specific traffic.

Configure Hub Routing

In the Virtual WAN hub, associate the NVA spoke with the hub's default route table (or a custom route table).

On the NVA spoke connection, configure route propagation to the hub's route table and enable association with the hub's default route table.

Create a Static Route for Internet Traffic

In the Virtual WAN hub, create a static route:

Destination Type: VirtualNetworkSite (for on-premises) or None (for Internet, if not using a specific service tag).
Destination Prefix: 0.0.0.0/0 (for internet-bound traffic).
Next Hop: The IP address of your firewall instance in the NVA spoke.

This static route overrides any other routes for 0.0.0.0/0 and directs internet traffic to your firewall.

Example Azure CLI command to add a static route (conceptual):


                az network vpn-gateway nat rule create --gateway-name  --resource-group  --name  --type Static --ip-address  --destination-prefix 0.0.0.0/0

Note: The actual command for static routes in Virtual WAN hub routing is configured via the Azure portal or PowerShell/ARM templates.

Scenario 2: Routing Between Spoke VNets

By default, Virtual WAN allows transit routing between connected VNets. This means a VNet can communicate with another VNet as long as both are connected to the same hub.

Connect VNets to the Hub

Ensure all spoke VNets are connected to the Virtual WAN hub.

Verify Route Propagation

When a VNet is connected, its address space is advertised to the hub.

The hub then propagates these routes to all other connected VNets.

To see learned routes for a VNet, navigate to its connection settings in the Virtual WAN hub and check "Effective Routes".

Default Behavior: All connected VNets can communicate with each other by default, assuming no Network Security Groups (NSGs) or Azure Firewall rules are blocking traffic.

Scenario 3: Custom Routing with Route Maps

For more granular control, you can use route maps associated with connections to influence how routes are propagated and learned.

Route maps allow you to modify attributes of routes (like AS path, community tags) or conditionally advertise/withdraw routes.

This is an advanced topic often used with BGP for on-premises or complex hub-to-hub routing.

Managing Routes in the Azure Portal

You can manage hub routing directly from the Azure portal:

Navigate to your Virtual WAN resource.
Select the specific hub you want to configure.
Under "Connectivity," choose "Route tables".
Here you can view:
- Labels: The route table names (e.g., Default, None).
- Connections: View connections associated with each route table.
- Routes: See the routes that are propagated to and learned by the hub.
To configure static routes, select the relevant route table and click "Add static route".
To configure route propagation and association for a specific connection (VNet, VPN, etc.), navigate to "Virtual network connections" or "VPN sites" / "ExpressRoute circuits", select the connection, and configure "Route Tables" settings.

Tip: Always review the "Effective Routes" for a connection to understand exactly which routes are being learned and used by that resource.