Network Security in Azure Virtual WAN
Azure Virtual WAN provides a Microsoft-managed hub-and-spoke architecture that simplifies large-scale branch connectivity, security, and routing. Because the hub's virtual network is managed by Microsoft, the controls below are configured either through Azure Firewall Manager (for the hub itself) or on the spoke VNets you connect to it. This page covers the core security features you can enable for a Virtual WAN hub and its spokes.
Key Security Capabilities
- Azure Firewall Manager – Centralized firewall policy management across hubs; deploying Azure Firewall into a hub through Firewall Manager turns it into a secured virtual hub.
- Network Security Groups (NSGs) – Fine-grained traffic filtering on subnets and NICs in the spoke VNets connected to the hub (the hub exposes no customer-managed subnets).
- Azure DDoS Protection – Mitigation of volumetric attacks against public IPs in the VNets you link to a DDoS protection plan.
- Hub VPN and routing configuration – IPsec policies for the hub's site-to-site VPN gateway, BGP peering with branches, and hub route tables that decide which traffic is steered through the firewall.
Configure a Hub Firewall
Azure Firewall is the data plane that Firewall Manager policies are applied to. The az network firewall commands come from the azure-firewall CLI extension (az extension add --name azure-firewall). Note that the command below deploys a firewall into a VNet you own, using the default AZFW_VNet SKU; a firewall inside a Virtual WAN hub uses the AZFW_Hub SKU and is bound to the hub with --vhub instead of --vnet-name, with a Firewall Manager policy attached through --firewall-policy.
az network firewall create \
--resource-group MyRG \
--name MyFirewall \
--vnet-name MyVNet \
--location eastus
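Deploying the firewall into the hub itself, as an added example that is not code from this page or from Microsoft. It assumes an existing Virtual WAN hub named MyHub, uses placeholder names, region and address ranges, and relies on the azure-firewall CLI extension; check the flag set against az network firewall create --help for your CLI version. Every command is printed rather than executed unless AZ_DEPLOY=1, so the sequence can be reviewed before anything is created:

```shell
#!/bin/sh
# Added example, not code from the page or from Microsoft: deploy Azure Firewall
# into an existing Virtual WAN hub with a Firewall Manager policy.
# All names, the region and the address ranges are placeholders (assumptions).
# Dry-run by default: each az command is printed; set AZ_DEPLOY=1 to execute it.
set -eu

RG="${RG:-MyRG}"
LOCATION="${LOCATION:-eastus}"
HUB="${HUB:-MyHub}"                              # existing hub in a Virtual WAN (assumed)
POLICY="${POLICY:-MyFirewallPolicy}"
FIREWALL="${FIREWALL:-MyFirewall}"
RCG="DefaultNetworkRuleCollectionGroup"
BRANCH_PREFIX="${BRANCH_PREFIX:-10.100.0.0/16}"  # constructed branch (on-prem) range
SPOKE_PREFIX="${SPOKE_PREFIX:-10.1.0.0/16}"      # constructed spoke VNet range

# Print each command before (optionally) running it, so the deployment can be
# reviewed or diffed against the previous run before anything is created.
run() {
  echo "$*"
  if [ "${AZ_DEPLOY:-0}" = "1" ]; then "$@"; fi
}

# The az network firewall command group lives in the azure-firewall extension.
ensure_extension() { run az extension add --name azure-firewall --upgrade; }

# 1. Policy: Standard tier, threat-intelligence filtering in Deny mode.
create_policy() {
  run az network firewall policy create -g "$RG" -n "$POLICY" -l "$LOCATION" \
    --sku Standard --threat-intel-mode Deny
}

# 2. One network rule: branch -> spoke on TCP/443 only. Any other flow that
#    crosses the hub firewall is dropped by the implicit deny at the end.
create_branch_rule() {
  run az network firewall policy rule-collection-group create -g "$RG" \
    --policy-name "$POLICY" -n "$RCG" --priority 200
  run az network firewall policy rule-collection-group collection add-filter-collection \
    -g "$RG" --policy-name "$POLICY" --rule-collection-group-name "$RCG" \
    -n Branch-To-Spoke --collection-priority 100 --action Allow \
    --rule-name Allow-Branch-HTTPS --rule-type NetworkRule \
    --source-addresses "$BRANCH_PREFIX" --destination-addresses "$SPOKE_PREFIX" \
    --destination-ports 443 --ip-protocols TCP
}

# 3. The firewall itself: AZFW_Hub SKU bound to the hub (not --vnet-name), which
#    makes the hub a secured virtual hub managed through Firewall Manager.
create_hub_firewall() {
  run az network firewall create -g "$RG" -n "$FIREWALL" -l "$LOCATION" \
    --sku AZFW_Hub --vhub "$HUB" --count 1 --firewall-policy "$POLICY"
}

ensure_extension
create_policy
create_branch_rule
create_hub_firewall
```

Run it once without AZ_DEPLOY to inspect the five commands, then with AZ_DEPLOY=1 to apply them. Routing intent or hub route tables still have to send spoke and branch traffic to the firewall; creating it does not by itself change the hub's routing.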
Apply NSG Rules to Spoke Subnets
NSGs cannot be attached to the hub: its subnets are Microsoft-managed, and AzureFirewallSubnet does not accept an NSG in any VNet. Attach NSGs to the subnets or NICs of the spoke VNets connected to the hub, as a second layer behind the hub firewall. Two points matter when writing the rules. First, the default AllowVnetInBound rule (priority 65000) admits any traffic matching the VirtualNetwork service tag, which includes connected on-premises ranges, so an Allow rule on its own restricts nothing unless an explicit Deny with a smaller priority number than 65000 follows it. Second, a rule named for a branch should carry the branch's actual prefix rather than the VirtualNetwork tag, or it allows far more than its name suggests.
Sample NSG Rule (10.100.0.0/16 stands in for your branch range)
{
"name": "Allow-HTTPS-From-Branch",
"properties": {
"priority": 100,
"direction": "Inbound",
"access": "Allow",
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRange": "443",
"sourceAddressPrefix": "10.100.0.0/16",
"destinationAddressPrefix": "*"
}
}
Enable Azure DDoS Protection
DDoS Network Protection is enabled per virtual network by linking it to a DDoS protection plan. The hub's VNet is Microsoft-managed, so apply this to the spoke VNets you own that expose public IP addresses (MyVNet below is such a spoke). The plan is created once with az network ddos-protection create and can be shared by many VNets.
az network vnet update \
--resource-group MyRG \
--name MyVNet \
--ddos-protection true \
--ddos-protection-plan MyDdosPlan
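The NSG and DDoS steps above, applied to a spoke VNet rather than to the hub, as one added example that is not code from this page or from Microsoft. It assumes a spoke VNet MyVNet with a subnet named app that is already connected to the hub; names, region and address ranges are placeholders. The source of every inbound Allow rule is validated before the command is built, and an explicit Deny is added below the Allow so that the default AllowVnetInBound rule cannot silently widen it. Commands are printed rather than executed unless AZ_DEPLOY=1:

```shell
#!/bin/sh
# Added example, not code from the page or from Microsoft: put the NSG and the
# DDoS plan where they belong in Virtual WAN, on a spoke VNet you own (the hub's
# VNet is Microsoft-managed and AzureFirewallSubnet accepts no NSG).
# Names, region and address ranges are placeholders (assumptions).
# Dry-run by default: commands are printed; set AZ_DEPLOY=1 to execute them.
set -eu

RG="${RG:-MyRG}"
LOCATION="${LOCATION:-eastus}"
SPOKE_VNET="${SPOKE_VNET:-MyVNet}"                         # spoke connected to the hub
SPOKE_SUBNET="${SPOKE_SUBNET:-app}"
SPOKE_SUBNET_PREFIX="${SPOKE_SUBNET_PREFIX:-10.1.1.0/24}"  # constructed
BRANCH_PREFIX="${BRANCH_PREFIX:-10.100.0.0/16}"            # constructed
NSG="${NSG:-spoke-app-nsg}"
DDOS_PLAN="${DDOS_PLAN:-MyDdosPlan}"

run() {
  echo "$*"
  if [ "${AZ_DEPLOY:-0}" = "1" ]; then "$@"; fi
}

# Accept only a single IPv4 CIDR narrower than /0. Wildcards ("*", "Internet")
# and broad service tags ("VirtualNetwork") are rejected: an inbound Allow from
# those on a spoke subnet opens a path the hub firewall never sees.
is_specific_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip="${1%/*}"; len="${1#*/}"
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
  oldifs="$IFS"; IFS=.; set -f; set -- $ip; set +f; IFS="$oldifs"
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Rule 1: the page's Allow-HTTPS-From-Branch rule with a validated, explicit
# branch range instead of the VirtualNetwork tag. Args: name priority cidr port
add_allow_rule() {
  if ! is_specific_cidr "$3"; then
    echo "refusing rule $1: source '$3' is not a specific IPv4 CIDR" >&2
    return 1
  fi
  run az network nsg rule create -g "$RG" --nsg-name "$NSG" -n "$1" \
    --priority "$2" --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$3" --source-port-ranges '*' \
    --destination-address-prefixes "$SPOKE_SUBNET_PREFIX" \
    --destination-port-ranges "$4"
}

# Rule 2: without this, the default AllowVnetInBound rule (priority 65000)
# still admits every other port from the branch, so Rule 1 would restrict
# nothing. Deny the rest of the branch traffic at a smaller priority number.
add_deny_rest() {
  run az network nsg rule create -g "$RG" --nsg-name "$NSG" -n Deny-Branch-Rest \
    --priority 4000 --direction Inbound --access Deny --protocol '*' \
    --source-address-prefixes "$BRANCH_PREFIX" --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges '*'
}

attach_nsg() {
  run az network vnet subnet update -g "$RG" --vnet-name "$SPOKE_VNET" \
    -n "$SPOKE_SUBNET" --network-security-group "$NSG"
}

# DDoS Network Protection: the plan is a standalone resource; each spoke VNet
# that exposes public IPs is then linked to it.
enable_ddos() {
  run az network ddos-protection create -g "$RG" -n "$DDOS_PLAN" -l "$LOCATION"
  run az network vnet update -g "$RG" -n "$SPOKE_VNET" \
    --ddos-protection true --ddos-protection-plan "$DDOS_PLAN"
}

run az network nsg create -g "$RG" -n "$NSG" -l "$LOCATION"
add_allow_rule Allow-HTTPS-From-Branch 100 "$BRANCH_PREFIX" 443
add_deny_rest
attach_nsg
enable_ddos
```

Setting BRANCH_PREFIX='*' or BRANCH_PREFIX=Internet makes the script refuse the Allow rule and exit before anything is created, which is the check you want in a pipeline that applies NSG changes automatically.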
Best Practices
- Use Azure Firewall Manager to maintain consistent policies across all hubs: keep organization-wide rules in a parent policy that hub policies inherit, and leave the implicit deny at the end of every policy in place.
- Keep NSGs on spoke subnets as a second layer behind the hub firewall. Branch traffic passes the firewall before it reaches a spoke, so the NSG should carry a narrow allow list plus an explicit deny rather than a copy of the firewall policy.
- Enable DDoS Protection on the spoke VNets that expose public IPs; the hub's VNet is Microsoft-managed and is not yours to configure.
- Monitor hub security via Azure Monitor: send Azure Firewall logs and NSG flow logs to a Log Analytics workspace through diagnostic settings, and alert on denied flows and threat-intelligence hits.