What is Azure Virtual WAN

Azure Virtual WAN is a managed cloud networking service that centralizes and simplifies connectivity across your organization. It provides a global, cloud-native transit fabric that links branch offices, data centers, remote users, VNets, and ExpressRoute circuits across regions — effectively acting as the central nervous system for your network. Compared with a classic hub-and-spoke design, Azure Virtual WAN replaces individual hubs with Virtual WAN hubs that can interconnect across regions. This enables global transit, centralized management, and consistent security and routing policies. Key connectivity types unified by Azure Virtual WAN:

Connection type	Typical use case
Site-to-site VPN	Branch office or data center ↔ Azure
Point-to-site VPN	Individual remote users (road warriors)
ExpressRoute	Private, dedicated connectivity for high-throughput/low-latency links
VNet-to-VNet / Inter-hub transit	VNet connectivity across regions and hubs

A network diagram titled "Virtual WAN SKUs – Standard SKU (Advanced Scenario)" showing two regions with Virtual WAN hubs connecting multiple VNets and a hub-to-hub link. It also shows connections to HQ/branches via ExpressRoute and site-to-site VPN, plus point-to-site (user) VPN for remote users.

Benefits and features

Centralized management: A single control plane for site-to-site, point-to-site, ExpressRoute, and VNet connectivity.
Global transit and scalability: Add hubs, VNets, branches, or users without redesigning the fabric.
Automation: Automated VNet attachments and route distribution reduce the need for manual peering and bespoke routing.
Observability: Built‑in topology and traffic insights simplify troubleshooting and capacity planning.
Managed service: Azure operates the underlying infrastructure (gateways, route distribution, managed subnets), reducing operational overhead.

Automated VNet integration Virtual WAN automates VNet attachments and routing. You provide the hub CIDR and attach VNets; Virtual WAN handles subnet allocation for gateways and routing components. This removes the need to manually create peering and craft per‑VNet routes in many scenarios, speeding deployments and reducing configuration drift. End-to-end visibility Virtual WAN provides topology and routing views to help you identify bottlenecks, trace traffic paths, and validate routing policies across your distributed network. Use Virtual WAN diagnostics and Network Insights for operational telemetry and alerts. SKUs: Basic vs Standard Azure Virtual WAN is available in two primary SKUs with different capabilities and use cases.

SKU	Best for	Supported connectivity/features
Basic	Simple, low-cost site-to-site deployments	Site-to-site VPN
Standard	Enterprise deployments with remote users and global transit	Site-to-site, Point-to-site (user) VPN, ExpressRoute, VNet-to-VNet, hub-to-hub transit, centralized user VPN configuration

Choose Basic for straightforward, low-cost site‑to‑site scenarios. Choose Standard when you require point‑to‑site (remote user) VPNs, ExpressRoute integration, or inter‑hub transit across regions.

Hub types and SKU matching Important operational rule: the Virtual WAN SKU determines the required hub type. If your Virtual WAN is created with the Standard SKU, you must deploy Standard virtual hubs to use Standard features (hub-to-hub transit, point-to-site, ExpressRoute connectivity). A Basic Virtual WAN requires Basic hubs.

Mixing hub types with a different Virtual WAN SKU is not supported. Plan your SKU selection up front to avoid redeployments or architectural changes later.

Hub IP addressing and planning When creating a virtual hub you must select a hub address space. Azure requires a minimum hub prefix of /24 (256 addresses). Azure reserves a small set of addresses inside each subnet (first 4 and the last one), so plan your address design accordingly. Key points:

Minimum hub address space: /24.
Azure manages internal subnets for gateways, route distribution, and managed services — you only supply the overall CIDR block.
Hub address space is consumed by services such as VPN gateways, routing services, and optional managed firewalls.
Avoid overlapping CIDR ranges with on-premises networks or other cloud VNets to prevent routing conflicts.

A presentation slide titled "Hub IP Addressing" showing four blue rounded feature boxes (minimum address space requirement; no manual subnet planning needed; managed Virtual WAN service; used by key services) on the left and a screenshot of the Azure "Create WAN" form on the right.

Best practices

Centralize IP addressing: Maintain a global IP plan so hub CIDRs, VNet CIDRs, and on-premises ranges do not overlap.
Choose SKU based on required features: Use Standard for any deployment requiring user VPNs, ExpressRoute, or multi-hub transit.
Let Virtual WAN manage hub subnets: Provide a CIDR that fits into your IP plan and allow Azure to provision subnets for managed services.
Monitor and scale: Use Virtual WAN diagnostics, logs, and Network Insights to monitor traffic patterns and scale hubs or gateways as needed.
Document hub-to-hub topology: For multi-region transit, maintain a clear diagram and route policy documentation to simplify troubleshooting and change control.

Resources and references

Azure Virtual WAN overview: https://learn.microsoft.com/azure/virtual-wan/
Azure ExpressRoute: https://learn.microsoft.com/azure/expressroute/
Azure VPN Gateway: https://learn.microsoft.com/azure/vpn-gateway/
Network Insights & diagnostics: https://learn.microsoft.com/azure/network-watcher/

Summary Azure Virtual WAN simplifies and centralizes global connectivity for branches, remote users, and cloud resources. By selecting the appropriate SKU, planning hub CIDRs up front, and leveraging Azure’s managed hub functionality, you can build a scalable, secure, and maintainable network fabric that reduces operational complexity and improves observability.

Watch Video

Introduction

Working with Virtual WAN

Introduction

Configure Internet Access with Azure Virtual NAT

Configure Peering for an Express Route Deployment

Configure Public IP Addresses

Connect Devices to Networks with Point to Site VPN Connections

Connect Networks with Site to Site VPN Connections

Connect Remote Resources by using Azure Virtual WA Ns

Create a Network Virtual Appliance NVA in a Virtual Hub

Deploy Azure D Do S Protection

Deploy and configure Network Security Groups

Design Azure Application Gateway

Design Azure Front Door

Design Name Resolution for Azure Virtual Network

Design an Express Route deployment

Design and Implement Azure Firewall

Design and Implement Azure Load Balancer

Design and Implement Azure VPN Gateway

Design and implement Azure Bastion

Enable Cross V Net Connectivity

Explain Virtual Network Service Endpoints

Explore Azure Express Route

Explore Azure Traffic Manager

Explore Azure Virtual Networks

Explore Load Balancing Options in the Azure

Express Route Advanced Features

Get Network Security Recommendations with Microsoft Defender for Cloud

Implement Virtual Network Traffic Routing

Implement a Web Application Firewall

Monitor your networks using Azure Monitor

Monitor your networks using Azure Network Watcher

Private Link Services and Private Endpoints

Troubleshooting Express Route Connections

Working with Azure Firewall Manager

What is Azure Virtual WAN

Watch Video