Learning objectives
By the end of this lesson you will be able to:- Explain what Azure Virtual WAN is and how it streamlines connectivity between branch offices, remote users, and virtual networks.
- Compare Virtual WAN SKUs and choose between Basic and Standard for your requirements.
- Plan and allocate private IP address space for the Virtual WAN hub (for example, reserving a /24) to host hub services without address overlap.
- Connect VNets from different Azure tenants to a shared Virtual WAN hub for cross-tenant or intercompany connectivity.
- Understand routing in Virtual WAN: route tables, associations and propagation, and how to apply custom route labels to organize traffic flows.
Tip: Before you plan hub addressing, capture existing on-prem and VNet address spaces to avoid overlap. Reserving a contiguous private range (for example, a /24) for the hub simplifies routing and service placement.
What is Azure Virtual WAN?
Azure Virtual WAN provides a global, managed hub-and-spoke architecture where each hub is a managed Virtual WAN resource. Hubs connect to on-premises networks (VPN/ExpressRoute), remote users (Point-to-Site), and VNets. Azure manages the underlying networking fabric and scale, so you focus on topology, address planning, and routing policies. Key capabilities:- Centralized hub for connectivity across regions and tenants
- Built‑in transit routing between connections attached to the same hub
- Managed VPN and ExpressRoute integration
- Support for point-to-site (remote users) and branch connectivity
- Route tables with association and propagation controls to manage traffic flow
Choosing the right Virtual WAN SKU
Azure Virtual WAN is available in multiple SKUs to address different scale and feature needs. Use the table below to compare the common options and pick the one that fits your scenario.| SKU | Best for | Key differences |
|---|---|---|
| Basic | Small or simple deployments that need hub connectivity without advanced transit or partner integrations | Lower cost, essential connectivity features for hub-to-VNet and basic VPN/ExpressRoute attachments |
| Standard | Medium-to-large enterprise deployments requiring transit routing, higher scale, and partner integrations | Full feature set: managed transit routing, security and routing integrations, higher throughput and scale |
Warning: SKU capabilities and limits change over time. Confirm the current feature set and regional availability before design and procurement.
Planning IP address allocation for the Virtual WAN hub
When you create a Virtual WAN hub, plan a dedicated private address block for hub services to avoid address overlap with connected VNets and on-premises ranges. Common guidance:- Reserve a contiguous CIDR block (for example, /24) per hub to host hub services (firewalls, NVA endpoints, etc.).
- Ensure no overlapping addresses between the hub and any VNets or on-prem networks you plan to connect.
- Account for future growth: reserve additional blocks or design a consistent addressing scheme across regions and tenants.
- Maintain an IP address inventory for all VNets and hubs.
- Use network planning tools or spreadsheets to visualize allocations before creation.
- Consider using Azure IPAM tools or tagging to track assigned ranges.
Connecting VNets from different tenants to the same Virtual WAN hub
Virtual WAN supports cross-tenant connectivity scenarios where VNets from different Azure tenants connect to a single Virtual WAN hub. This is useful for:- Intercompany or subsidiary network connectivity
- Centralized shared services hosted in a hub (e.g., security appliances, DNS)
- Cross-team or cross-project transit without duplicating hub resources
- Ensure RBAC and subscription permissions are in place so the hub tenant can accept VNet connections from other tenants.
- Configure virtual network connections (hub-to-spoke) from the spoke VNet to the hub using the Virtual WAN connection model.
- Validate route table associations and propagation so expected traffic flows traverse the hub.
Routing in Virtual WAN
Virtual WAN routing relies on route tables, associations, and propagation to control traffic flows between hub connections (VNets, VPN, ExpressRoute, and P2S). Key concepts:- Route tables: define static/custom routes that influence packet forwarding for associated connections.
- Associations: attach route tables to specific connections (for example, a VNet or VPN site) so the routes apply to that connection.
- Propagation: allow route sources (such as VPN/ExpressRoute) to inject learned routes into a hub route table.
- Custom route labels: use labels/tags to group routes and enforce organized policies for multi-tenant or multi-application environments.
- Hub learns routes from attached VPN/ExpressRoute and can propagate those routes to associated VNets via route tables.
- You can use custom route tables to implement asymmetric routing, security inspection, or traffic steering through NVAs.
Summary
This lesson covers the essential planning and design decisions for Azure Virtual WAN:- What Virtual WAN is and how it centralizes global connectivity
- How to choose between Basic and Standard SKUs
- How to reserve and allocate private IP space for hubs
- How to connect VNets across tenants to a shared hub
- How routing, route tables, associations, propagation, and custom route labels control traffic flows