Overview
This guide provides systematic steps to diagnose and resolve routing issues in Azure Virtual WAN. It covers verification of hub configurations, connection health, route tables, and diagnostics tools.
Prerequisites
- Azure subscription with appropriate permissions (Network Contributor or higher)
- Access to Azure portal or Azure CLI
- Knowledge of your Virtual WAN topology (hubs, spokes, VPN/ExpressRoute connections)
Common Issues
- Hub route table not propagating to spokes
- ExpressRoute connection status “Disconnected”
- VPN site-to-site traffic not reaching the hub
- Incorrect BGP advertisements
Step‑by‑step troubleshooting
1. Verify hub and spoke configuration
In the Azure portal, navigate to Virtual WAN > Hubs and confirm that the hub is attached to the correct virtual network and that spokes are listed.
az network vwan hub show --resource-group MyResourceGroup --name MyHub
Check that the hub’s Route Table includes the expected routes.
2. Check connection health
Use the Connection health blade to view status of VPN and ExpressRoute connections.
az network vwan connection show --resource-group MyResourceGroup --vwan-name MyWAN --connection-name MyConnection
Look for "provisioningState": "Succeeded" and "connectionState": "Connected".
3. Validate BGP advertisements
Run a BGP route lookup from a virtual machine in a spoke to see which routes are learned.
az network vwan hub route-table summary list --resource-group MyResourceGroup --hub-name MyHub
Confirm that the expected prefixes appear with the correct next hop type.
4. Use Network Watcher diagnostics
Enable Network Watcher and run a Connection Monitor between a VM in a spoke and a destination in another spoke or on‑prem.
az network watcher connection-monitor create --name vm-to-vnet --resource-group MyResourceGroup --location eastus --src-resource MySpokeVM --dest-address 10.1.0.0 --dest-port 0
Review the output for packet loss or latency.
5. Review NSG and firewall rules
Ensure Network Security Groups (NSGs) attached to subnets do not block required traffic.
az network nsg rule list --resource-group MyResourceGroup --nsg-name MySpokeNSG
Also verify Azure Firewall policies if a firewall is deployed.