Recommended prerequisites: familiarity with Azure networking concepts (VNet, subnet, Network Security Groups), Site-to-Site and Point-to-Site VPN basics, and an Azure subscription with contributor access to networking resources.
Learning objectives
By the end of this article you will be able to:- Describe Azure Virtual WAN and its hub-and-spoke transit model.
- Choose between the Basic and Standard WAN SKUs based on features and scale.
- Design IP address allocation for Virtual WAN hubs and hub services.
- Connect VNets from different Azure tenants to the same Virtual WAN hub for cross-organization or cross-team transit.
- Configure and control routing: route tables, associations, propagation, and custom labels to manage traffic flows.
What is Azure Virtual WAN?
Azure Virtual WAN provides an operationally simple, scalable way to connect distributed resources to a central transit hub that is managed by Microsoft. Key characteristics:- Managed hub: Microsoft handles the underlying infrastructure for the hub.
- Global transit: Hubs in different regions can be used for global connectivity patterns.
- Multi-protocol termination: Supports Site-to-Site VPN, ExpressRoute, and Point-to-Site VPN from the hub.
- VNet connectivity: Connect multiple VNets to the hub for centralized routing.
WAN SKUs — Basic vs Standard
Choosing a WAN SKU affects scale, performance, and features. Below is a simplified comparison to help with selection.Before choosing a SKU, verify throughput and feature requirements for your expected traffic patterns (VPN tunnels, ExpressRoute, and Point-to-Site connections) and confirm SKU availability in your regions.
IP address allocation for Virtual WAN hubs
Proper IP planning avoids overlap and enables hub services to function correctly. Best practices:- Allocate a private, non-overlapping address range to each hub (e.g., /24 or larger) that does not conflict with connected VNets or on-premises networks.
- Reserve subnets for hub services if required by specific integrations.
- Document and enforce addressing policies across subscriptions and tenants to prevent collisions during cross-tenant VNet attachments.
Connecting VNets across tenants
Virtual WAN supports connecting VNets from different Azure AD tenants to the same hub, which is useful for intercompany networks, multi-team boundaries, or separation of billing/subscription ownership. Key considerations:- Permission model: subscriptions and resource groups that own the VNets must grant appropriate permissions for hub attachment.
- Peering alternatives: consider whether hub-based transit is required or if VNet peering across tenants (with proper authorization) could be simpler for your scenario.
- Security and governance: ensure RBAC, network policies, and logging are configured to meet compliance requirements.
Routing in Azure Virtual WAN
Routing is a central function of the Virtual WAN hub. Understand these concepts:- Route tables: Define how traffic is routed through the hub to connected resources or on-premises networks.
- Association: Route tables can be associated with specific connections or spokes to apply routing behavior.
- Propagation: Routes can be learned from on-premises or ExpressRoute and propagated to route tables.
- Labels: Custom route labels allow you to organize and prioritize routes for different traffic flows, enabling fine-grained control across multiple VNets and connections.
- Use separate route tables for different traffic zones (for example, north-south external vs east-west VNet transit).
- Test route propagation and use network watcher or packet capture tools to validate expected forwarding paths.
- Document how labels and associations are applied to avoid unintended transit behavior.