This chapter covers Azure Virtual WAN, a networking service that provides optimized and automated branch-to-branch and branch-to-VNet connectivity through a hub-and-spoke architecture. For the AZ-305 exam, Azure Virtual WAN is a key topic under objective 4.2 'Design a networking solution' and appears in approximately 10-15% of exam questions related to hybrid networking and routing. Understanding Virtual WAN's components, routing mechanics, and integration with VPN, ExpressRoute, and Azure Firewall is critical for designing scalable global networks.
Jump to a section
Think of Azure Virtual WAN as a global airline hub-and-spoke system. In this analogy, Azure regions are airports, and your branch offices, data centers, and VNets are cities with their own local airports (local gateways). Without a hub, if a city wants to send a package to another city, it must fly directly—a point-to-point connection requiring a dedicated plane (VPN tunnel or ExpressRoute circuit) between every pair of cities. This becomes unmanageable as the number of cities grows. With a hub-and-spoke model, each city flies its packages to a central hub airport (the Virtual Hub in a region). The hub sorts packages and routes them to the destination city's airport, possibly via another hub in a different region. The hub handles all the complex routing, security screening (firewall policies), and customs (routing policies). Airlines (Microsoft) manage the hub infrastructure, so cities don't need to maintain their own intercity routes. This scales efficiently: adding a new city only requires one connection to the nearest hub, not connections to all other cities. If a city wants to send packages to multiple destinations, the hub does the distribution. This is exactly how Azure Virtual WAN works: spokes (VNets, branch offices, data centers) connect to regional hubs, and hubs interconnect via Microsoft's global backbone, enabling any-to-any connectivity with centralized management and security.
What is Azure Virtual WAN?
Azure Virtual WAN is a networking service that brings together multiple networking, security, and routing functionalities into a single operational interface. It is built on a hub-and-spoke architecture where each hub (called a Virtual Hub) resides in an Azure region and acts as a central point of connectivity. Spokes can be virtual networks (VNets), branch offices connected via Site-to-Site VPN, remote users via Point-to-Site VPN, or on-premises data centers via ExpressRoute. The Virtual WAN itself is a container that manages multiple hubs across regions, providing global connectivity and routing.
Why Azure Virtual WAN Exists
Traditional hub-and-spoke networking in Azure required manual configuration of VNet peering, VPN gateways, and ExpressRoute gateways in each hub VNet. As organizations expanded globally, managing point-to-point connections between dozens of branches and VNets became complex and error-prone. Azure Virtual WAN automates much of this: it creates and manages the hub infrastructure, including gateways, and provides a centralized routing engine that uses the Border Gateway Protocol (BGP) to propagate routes between all connected entities. It also integrates with Azure Firewall and third-party Network Virtual Appliances (NVAs) for centralized security inspection.
How Azure Virtual WAN Works Internally
When you create a Virtual WAN, you define a container that spans one or more regions. Within each region, you create a Virtual Hub. The hub contains various gateways: - Site-to-Site VPN gateway: For branch offices using IPsec tunnels. - Point-to-Site VPN gateway: For remote users. - ExpressRoute gateway: For dedicated private connections. - Azure Firewall: Optional, for inspecting traffic between spokes and branches. - Routing infrastructure: A built-in router that uses BGP to exchange routes between all connections.
Each spoke VNet is attached to the hub via VNet connection, which is similar to VNet peering but managed by the Virtual WAN. The hub router learns routes from all attached spokes and gateways. For example, a branch office connected via VPN advertises its on-premises prefixes over BGP. The hub router propagates these routes to all other spokes and gateways, enabling direct connectivity between branches and VNets without traversing the hub unnecessarily (unless forced by routing policies).
Key Components, Values, Defaults, and Timers
Virtual WAN: Resource type Microsoft.Network/virtualWans. Default SKU is Standard (required for ExpressRoute and full routing). Basic SKU limited to Site-to-Site VPN only.
Virtual Hub: Resource type Microsoft.Network/virtualHubs. Hub address space must be a /24 or larger (e.g., 10.0.0.0/24). This space is used for internal hub components and cannot overlap with spoke or on-premises addresses.
Site-to-Site VPN gateway: Scale units from 1 to 40, each providing 500 Mbps aggregate throughput. Default BGP timer is 30 seconds for keepalive and 120 seconds for hold.
ExpressRoute gateway: Scale units from 1 to 10, each providing 10 Gbps aggregate throughput. Supports both Standard and Premium add-on for global reach.
Point-to-Site VPN gateway: Scale units from 1 to 40, each supporting 500 concurrent connections. Protocols: OpenVPN, IKEv2, SSTP.
VNet connection: Each spoke VNet must be connected to a hub. Max 500 VNets per hub. Hub-to-spoke traffic is free; inter-spoke traffic goes through the hub router (or directly if same region and configured).
Route tables: Virtual hubs have a default route table. Custom route tables can be created to isolate traffic. Routes can be propagated from connections and advertised to connections.
BGP: Every VPN and ExpressRoute connection can use BGP. Virtual hub supports BGP peering with NVAs via the hub's routing infrastructure.
Configuration and Verification Commands
Azure Virtual WAN is primarily managed through the Azure portal, CLI, or PowerShell. Example CLI commands:
# Create a Virtual WAN
az network vwan create --name MyVwan --resource-group MyRG --location westus --type Standard
# Create a Virtual Hub
az network vhub create --name MyHub --resource-group MyRG --vwan MyVwan --address-prefix 10.0.0.0/24 --location westus
# Create a Site-to-Site VPN gateway in the hub
az network vpn-gateway create --name MyVpnGateway --resource-group MyRG --location westus --hub-name MyHub --scale-unit 2
# Create a VPN site (branch)
az network vpn-site create --name Branch1 --resource-group MyRG --location westus --virtual-wan MyVwan --ip-address 203.0.113.1 --bgp-peering-address 169.254.21.1
# Connect the VPN site to the hub
az network vpn-connection create --name Branch1Conn --resource-group MyRG --vpn-gateway-name MyVpnGateway --vpn-site Branch1
# Connect a VNet to the hub
az network vhub-connection create --name VNet1Conn --resource-group MyRG --vhub MyHub --remote-vnet VNet1
# View effective routes on a hub
az network vhub get-effective-routes --resource-group MyRG --name MyHub --resource-type VNetConnection --resource-id /subscriptions/.../virtualNetworks/VNet1How Virtual WAN Interacts with Related Technologies
Azure Firewall: Can be deployed inside a Virtual Hub (Secured Virtual Hub). All traffic between spokes, branches, and internet can be forced through the firewall for inspection. Routing is automatically configured to send traffic to the firewall.
Network Virtual Appliances (NVAs): Can be deployed in a spoke VNet and attached to the hub. BGP peering between the NVA and the hub allows the NVA to advertise routes and inspect traffic.
Azure Private Link: Can be used with Virtual WAN to access PaaS services privately. The private endpoints can be in spoke VNets or in the hub.
Azure Route Server: Can be deployed in a spoke VNet to exchange routes with NVAs, but in Virtual WAN, the hub router already provides similar functionality.
ExpressRoute Global Reach: Enables direct connectivity between on-premises sites connected via different ExpressRoute circuits. Virtual WAN automatically supports this when ExpressRoute gateways are present.
Routing in Virtual WAN
The hub router maintains a routing table that is populated via BGP from connected gateways and via static routes from VNet connections. By default, the hub router advertises the hub address space and any learned routes to all connected spokes and branches. Traffic between two spokes in the same region can be routed directly through the hub (or via the hub's firewall if configured). Traffic between spokes in different regions always goes through the hub in each region, using the Microsoft backbone. The hub router uses the concept of route tables and labels to control propagation. For example, you can create a custom route table that isolates a set of spokes from others.
Scale and Performance
Each Virtual Hub can support up to 500 VNet connections, 1000 Site-to-Site VPN connections, 10 ExpressRoute circuits, and 10,000 concurrent Point-to-Site VPN users. Aggregate throughput for a VPN gateway can reach 40 Gbps (with 40 scale units). ExpressRoute gateways can reach 100 Gbps. Latency is minimal because traffic stays within the Microsoft backbone. For global connectivity, hubs in different regions are interconnected via the Microsoft global network, providing low-latency any-to-any connectivity.
Security and Compliance
Virtual WAN supports Azure Firewall for centralized traffic inspection. For compliance, you can enforce routing so that all traffic between spokes and branches passes through the firewall. Additionally, you can use Private Link to ensure traffic to PaaS services never leaves the Microsoft network. Network security groups (NSGs) can be applied at the subnet level in spoke VNets, but not directly on the hub. Application security groups (ASGs) are also supported in spokes.
Monitoring and Troubleshooting
Azure Monitor provides metrics for gateways (throughput, packet count, BGP peer status). Diagnostic logs can be enabled for VPN and ExpressRoute gateways. The get-effective-routes command is invaluable for troubleshooting routing issues. Common problems include BGP misconfiguration, overlapping address spaces, and route propagation not working due to route table labels. Always verify that the hub's address space does not overlap with any connected network.
Create Virtual WAN resource
Navigate to the Azure portal, search for 'Virtual WAN', and click 'Create'. Provide a name, subscription, resource group, and location. Choose the Standard SKU (required for ExpressRoute and full routing). The Basic SKU only supports Site-to-Site VPN and has limited routing capabilities. The Virtual WAN resource is a container that will hold all hubs and connections. It does not have its own address space.
Create Virtual Hub in a region
Inside the Virtual WAN, create a Virtual Hub by specifying a region and a hub address space (e.g., 10.0.0.0/24). This address space must not overlap with any connected VNets or on-premises networks. The hub will host gateways and the routing infrastructure. You can create multiple hubs in different regions for global connectivity.
Create and configure gateways
Within the hub, add the required gateways: Site-to-Site VPN, Point-to-Site VPN, or ExpressRoute. Specify scale units (1-40 for VPN, 1-10 for ExpressRoute). For VPN, generate a pre-shared key (PSK) or use certificates for IKEv2. For ExpressRoute, provide the authorization key from the ExpressRoute circuit. Gateways are automatically provisioned and take 20-30 minutes.
Connect branch offices via VPN sites
Create VPN sites representing branch offices. Each site requires a public IP address and optional BGP settings. Then create a connection from the site to the hub's VPN gateway. The hub automatically generates two tunnels for high availability. On the branch device, configure IPsec tunnel endpoints using the hub's VPN gateway public IPs and PSK.
Connect VNets to the hub
For each spoke VNet, create a VNet connection in the Virtual Hub. Specify the VNet and optionally associate a route table. The VNet must not have overlapping address spaces with the hub or other connections. After connection, the hub router learns the VNet's prefixes and propagates them to other spokes and branches. Traffic between VNets in the same region flows through the hub.
Configure routing and security
By default, all connected entities can communicate. For isolation, create custom route tables in the hub. For example, create a route table for 'Production' spokes and another for 'Development' spokes. Assign connections to these tables. Traffic between different tables can be blocked or forced through a firewall. To inspect traffic, deploy Azure Firewall in the hub (Secured Virtual Hub) and configure routing policies to send inter-spoke and branch-to-spoke traffic to the firewall.
Enterprise Scenario 1: Global Retail Chain with 500 Stores
A multinational retailer has 500 stores worldwide, each with a local internet connection. They also have three data centers (US, Europe, Asia) and multiple Azure VNets hosting e-commerce and inventory applications. Without Virtual WAN, they would need to configure hundreds of VPN tunnels and manage complex routing. With Azure Virtual WAN, they deploy a hub in each region (US West, US East, West Europe, Southeast Asia). Each store connects to the nearest hub via Site-to-Site VPN using a simple router. The data centers connect via ExpressRoute to their regional hubs. All VNets are attached to the hubs. The hub routers automatically exchange routes via BGP, enabling any store to reach any application or data center. The retail IT team can manage all connections from a single pane in the Azure portal. They also enable Azure Firewall in each hub to inspect traffic between stores and the internet, enforcing security policies. Scale: each hub handles up to 500 VPN connections, easily covering the stores. Performance: each VPN gateway at scale unit 10 provides 5 Gbps, sufficient for store traffic.
Enterprise Scenario 2: Financial Services with Strict Compliance
A bank requires that all traffic between branches and Azure VNets be inspected by a certified NVA. They deploy a third-party firewall (e.g., Palo Alto) in a spoke VNet in each region. They use Virtual WAN with BGP peering between the hub and the NVA. The NVA advertises a default route (0.0.0.0/0) to the hub, causing all outbound traffic from spokes and branches to be sent to the NVA for inspection. Additionally, they create custom route tables to isolate different business units (retail, investment, corporate). The hub router ensures that traffic between units is forced through the NVA. They also use ExpressRoute with Global Reach for low-latency connectivity between data centers. Common misconfiguration: overlapping BGP AS numbers between the NVA and the hub, which causes route flapping. They solved this by using unique private AS numbers for each NVA.
Enterprise Scenario 3: Remote Work Solution for 10,000 Employees
A technology company transitions to remote work and needs secure connectivity for 10,000 employees globally. They use Point-to-Site VPN on Azure Virtual WAN. They deploy hubs in three regions (North America, Europe, Asia). Each hub's Point-to-Site gateway is configured with 20 scale units, supporting 10,000 concurrent connections. Employees use the Azure VPN Client with Azure Active Directory authentication. Traffic from remote users is routed through the hub and then to corporate VNets or to the internet (with Azure Firewall inspection). The company also integrates with Azure Private DNS so that employees can resolve on-premises resources. Common issue: users in one region connecting to a hub far away, causing high latency. They solved this by using Azure Traffic Manager to redirect users to the nearest hub based on geo-location.
What AZ-305 Tests on Azure Virtual WAN
The AZ-305 exam covers Virtual WAN under objective 4.2 'Design a networking solution', specifically 'Design a hybrid networking solution' and 'Design a hub-and-spoke topology'. Expect questions that require you to choose between Virtual WAN and traditional hub-and-spoke, to identify correct components, and to understand routing behavior. Key areas: - Virtual WAN vs. traditional hub-and-spoke: Know that Virtual WAN is recommended for global, multi-region, or multi-site scenarios; traditional hub-and-spoke with VNet peering is simpler for single-region, few spokes. - SKU selection: Standard SKU is required for ExpressRoute, Azure Firewall, and full routing. Basic SKU only supports Site-to-Site VPN. - Secured Virtual Hub: Azure Firewall deployed inside the hub. Know that it provides centralized security and routing. - Route tables and labels: Understand how to isolate traffic using custom route tables. Exam may ask how to prevent two spokes from communicating. - BGP propagation: Virtual WAN uses BGP to exchange routes. Know that BGP is enabled by default for VPN and ExpressRoute connections. - Limits: Hub address space /24 minimum; max 500 VNet connections per hub; max 1000 VPN connections per hub.
Common Wrong Answers and Why Candidates Choose Them
Choosing Basic SKU for ExpressRoute: Candidates see 'Basic' and think it's sufficient. Reality: Basic SKU does not support ExpressRoute gateways. The exam will present a scenario requiring ExpressRoute; the correct answer must be Standard SKU.
Assuming VNet peering is always better for cost: In a single-region, few-spoke scenario, VNet peering is cheaper. But for global connectivity with many branches, Virtual WAN is more cost-effective due to reduced management overhead. The exam may test cost vs. complexity trade-offs.
Thinking Virtual WAN creates a single hub for all regions: Virtual WAN is a container; you create separate hubs per region. A common wrong answer is 'deploy one Virtual WAN hub globally' — that's not possible; hubs are regional.
Confusing Virtual WAN with Azure Route Server: Route Server is for exchanging routes with NVAs in a traditional hub VNet. Virtual WAN has built-in routing and does not require Route Server. The exam may present a scenario with NVAs; know that Virtual WAN can peer directly with NVAs via BGP.
Specific Numbers and Terms on the Exam
Hub address space must be /24 or larger.
Maximum 500 VNet connections per hub.
Maximum 1000 Site-to-Site VPN connections per hub.
VPN gateway scale units: 1-40, each 500 Mbps.
ExpressRoute gateway scale units: 1-10, each 10 Gbps.
Point-to-Site gateway scale units: 1-40, each 500 concurrent users.
BGP keepalive timer: 30 seconds (default).
Secured Virtual Hub: Azure Firewall deployed in the hub.
Edge Cases and Exceptions
Overlapping address spaces: If a spoke VNet or on-premises network has an overlapping address with the hub, the connection will fail. The exam may test that you must redesign addressing.
Global connectivity: For hubs in different regions, traffic between them uses the Microsoft backbone. No need for additional peering.
ExpressRoute with Global Reach: Virtual WAN automatically enables Global Reach when ExpressRoute gateways are present in multiple hubs.
NVAs in spoke: Can be used but require BGP peering with the hub. The hub does not support transitive routing through NVAs unless explicitly configured.
How to Eliminate Wrong Answers
If the scenario involves multiple regions and branches, eliminate options that only use a single hub or VNet peering.
If the scenario requires centralized internet breakout or firewall inspection, look for 'Secured Virtual Hub' or 'Azure Firewall in the hub'.
If the scenario mentions cost optimization for a small deployment, traditional hub-and-spoke might be correct.
Always check if ExpressRoute is involved — that forces Standard SKU.
Azure Virtual WAN is a managed hub-and-spoke service for global connectivity across branches, VNets, and data centers.
Standard SKU is required for ExpressRoute, Point-to-Site VPN, and Azure Firewall; Basic SKU only supports Site-to-Site VPN.
Each Virtual Hub requires a unique /24 or larger address space that does not overlap with any connected network.
Virtual WAN supports up to 500 VNet connections, 1000 Site-to-Site VPN connections, and 10 ExpressRoute circuits per hub.
BGP is used for dynamic route exchange between the hub and connected VPN sites, ExpressRoute circuits, and NVAs.
Secured Virtual Hub integrates Azure Firewall directly into the hub for centralized traffic inspection.
Traffic between spokes in different regions flows through the Microsoft backbone automatically via hub-to-hub connectivity.
Virtual WAN is recommended for multi-region, multi-site scenarios; traditional VNet peering is simpler for single-region small deployments.
Common exam trap: choosing Basic SKU when ExpressRoute or Azure Firewall is required.
Use 'az network vhub get-effective-routes' to troubleshoot routing issues.
These come up on the exam all the time. Here's how to tell them apart.
Azure Virtual WAN
Managed service: Microsoft creates and maintains gateways and routing.
Global scale: Multiple regional hubs automatically interconnected.
Integrated with Azure Firewall, ExpressRoute, VPN, and NVAs.
BGP-based routing automatically propagates routes.
Higher management overhead for simple single-region deployments.
Traditional Hub-and-Spoke with VNet Peering
Manual configuration: Create VNet, deploy gateways, set up peering.
Limited to a single region without additional complex peering.
Requires separate Azure Firewall deployment in the hub VNet.
Routing must be configured manually via UDRs or BGP on gateways.
Lower cost for small deployments with few spokes.
Virtual WAN with Secured Hub (Azure Firewall)
Azure Firewall is deployed inside the Virtual Hub (managed).
Automatic routing: all traffic can be forced through firewall via routing policies.
No need to manage firewall VMs or scaling.
Limited to Azure Firewall features (no third-party advanced features).
Simpler deployment and maintenance.
Virtual WAN with NVA in Spoke
NVA is deployed in a spoke VNet and peered with the hub.
Requires BGP peering between NVA and hub for route exchange.
Full control over NVA software and advanced security features.
More complex to configure and scale.
Supports third-party firewalls (Palo Alto, Check Point, etc.).
Mistake
Azure Virtual WAN creates a single global hub that spans all regions.
Correct
Virtual WAN is a container that holds multiple regional Virtual Hubs. Each hub is deployed in a specific Azure region and has its own address space and gateways. Hubs in different regions are interconnected via the Microsoft backbone, but they are separate entities.
Mistake
Virtual WAN Basic SKU supports ExpressRoute and Azure Firewall.
Correct
Basic SKU only supports Site-to-Site VPN (IPsec). Standard SKU is required for ExpressRoute, Point-to-Site VPN, Azure Firewall, and full routing capabilities. Always choose Standard for enterprise scenarios.
Mistake
You can attach a VNet to a Virtual Hub without ensuring no overlapping IP addresses.
Correct
Overlapping address spaces between the hub, spokes, or on-premises networks will cause routing failures. The hub address space must be unique and not overlap with any connected network. Azure will reject the connection if overlap is detected.
Mistake
Virtual WAN replaces the need for BGP configuration on branch devices.
Correct
While Virtual WAN automates many aspects, branch devices still need to be configured with IPsec tunnel parameters and BGP settings (if using dynamic routing). The hub provides the gateway IPs and PSK, but the branch device must initiate the connection.
Mistake
Traffic between two spoke VNets in the same region always goes through the hub router.
Correct
By default, traffic between spokes in the same region is routed through the hub router. However, if the spokes are directly peered (which is not recommended in a Virtual WAN design), traffic can bypass the hub. In a proper Virtual WAN deployment, all inter-spoke traffic goes through the hub for centralized routing and security.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Azure Virtual WAN is a managed service that automates the creation and management of hub-and-spoke networks, including gateways and routing. In a traditional hub-and-spoke, you manually create a hub VNet, deploy VPN/ExpressRoute gateways, configure VNet peering, and manage route tables. Virtual WAN simplifies this by providing a single interface to connect branches, VNets, and remote users globally. For the AZ-305 exam, remember that Virtual WAN is ideal for global, multi-site, multi-region scenarios, while traditional hub-and-spoke is suitable for simple, single-region deployments.
Yes, but only with the Standard SKU. You can connect an ExpressRoute circuit to a Virtual Hub by creating an ExpressRoute gateway in the hub. The hub will automatically propagate routes learned from ExpressRoute to all other connections (spokes, VPN sites, etc.). You can also use ExpressRoute Global Reach to connect on-premises sites across different circuits. On the exam, if a scenario includes ExpressRoute, the correct SKU is always Standard.
Use custom route tables in the Virtual Hub. By default, all spokes can communicate. To isolate, create separate route tables (e.g., 'Production' and 'Development') and assign each VNet connection to a specific table. Then configure the route tables to not propagate routes to each other. You can also force traffic through a firewall by adding a route to the firewall's IP. On the exam, this is a common way to enforce network segmentation.
A Secured Virtual Hub is a Virtual Hub that has Azure Firewall deployed inside it. This allows you to inspect and control traffic between spokes, branches, and the internet. The hub automatically routes traffic through the firewall based on routing policies. For the exam, remember that Secured Virtual Hub provides centralized security without deploying a separate firewall VM.
Up to 500 VNet connections per hub. This is a hard limit. If you need more, you can deploy additional hubs in the same region (each with its own address space) or in different regions. The exam may test this limit in a scenario where a company has 600 VNets in one region — you would need at least two hubs.
Yes, BGP is used extensively. Site-to-Site VPN connections can use BGP to dynamically exchange routes with branch offices. ExpressRoute circuits always use BGP. The hub router also uses BGP to exchange routes with NVAs in spoke VNets. BGP is enabled by default on VPN and ExpressRoute gateways. The default BGP keepalive timer is 30 seconds.
Yes, as long as the device supports IPsec (IKEv1 or IKEv2) and optionally BGP. You create a VPN site representing the branch, configure the hub's VPN gateway, and then configure the on-premises device with the hub's public IP addresses and pre-shared key. The hub automatically creates two tunnels for high availability. Most enterprise-grade firewalls and routers are compatible.
You've just covered Azure Virtual WAN — now see how well it sticks with free AZ-305 practice questions. Full explanations included, no account needed.
Done with this chapter?