Welcome — this lesson covers how to deploy a Network Virtual Appliance (NVA) into an Azure Virtual WAN hub. An NVA is a virtual machine that provides network functions (firewalling, SD‑WAN, WAN optimization, IDS/IPS) from third‑party vendors. Azure Virtual WAN simplifies integrating NVAs into a hub so you can centralize routing, inspection, and traffic steering without manual network plumbing. Key terms: Azure Virtual WAN, Virtual Hub, Network Virtual Appliance (NVA), Azure Marketplace, vendor licensing, scale units.

Quick overview

High-level deployment flow:
  1. Open your Virtual WAN resource in the Azure portal.
  2. Select the hub to host the NVA.
  3. Create a Network Virtual Appliance entry and choose a Marketplace vendor image.
  4. Configure vendor- and deployment-specific options (scale units, licensing/token, credentials, image version).
  5. Review and create — Azure provisions the NVA and integrates it with the hub routing fabric.
When evaluating vendors (Barracuda, Cisco, Check Point, Fortinet, VMware, etc.), consider required features (next‑gen firewall, SD‑WAN, IPS/IDS), existing contracts, and licensing models (BYOL vs pay‑as‑you‑go). This helps ensure consistent management and predictable cost.
Common configuration items you’ll see when creating an NVA:
  • Virtual WAN hub selection — selects region and the hub attachment.
  • Infrastructure scale units — capacity units used to size the appliance for expected throughput (refer to vendor docs for exact per‑unit throughput).
  • Licensing and authentication token — vendor tokens, BYOL, or Marketplace billing options.
A slide titled "Deploying NVA in a Virtual Hub" with three teal buttons listing steps: "Select Virtual WAN hub", "Define NVA infrastructure units", and "Authentication token." To the right is a screenshot of an Azure CloudGen WAN gateway configuration panel.
Many vendor images are delivered through the Azure Marketplace. For example, Barracuda appliances commonly require an authentication token obtained from the vendor after subscribing in Marketplace; Fortinet offers both BYOL and pay‑as‑you‑go plans. Azure will provision the VM(s) and attach them into the hub’s routing fabric so traffic can be steered through the NVA.
Check vendor documentation for exact scale unit throughput and licensing requirements. Bandwidth per scale unit varies by vendor and SKU.

Portal walkthrough — step by step (high level)

Open your Virtual WAN resource in the Azure portal and navigate to Hubs. Then:
  • Select the hub you want to extend.
  • In the hub management blades, choose Network Virtual Appliances.
  • Click Create network virtual appliance. This opens the Marketplace and lists supported vendor images.
  • Select a vendor listing and click Create to start the deployment workflow.
  • Complete the vendor-specific configuration pages (subscription, resource group, region, license model, credentials, image version, scale units).
  • Review and create. Azure provisions and integrates the appliance into the hub.
A screenshot of the Microsoft Azure portal showing the Virtual WAN hub management page for "vwan-az700-eus-hub," with essentials (name, resource group, address space, location) and tiles for VPN, virtual network connections, ExpressRoute, and other networking options. The left navigation pane lists connectivity, routing, security, and monitoring sections.
Example: Fortinet FortiGate for Virtual WAN
  • Choose the Fortinet Marketplace listing, select the plan (BYOL or pay‑as‑you‑go), and click Create.
  • Provide FortiGate credentials, license details (or BYOL token), region, and image version.
  • Specify scale units and any vendor-specific deployment options, then deploy.
A screenshot of the Microsoft Azure portal showing the "Create Azure Virtual WAN Secured by FortiGate" setup form with fields for subscription, resource group, region, FortiGate credentials, license type and image version. Tabs across the top and navigation buttons ("Previous", "Next", "Review + create") are also visible.
Because vendor forms, licensing, and token flows differ, the portal pages will vary by vendor and image. The important point: once the Marketplace deployment completes, Azure integrates the NVA into the Virtual WAN hub automatically.
Vendor-specific settings (licensing, tokens, image versions) are managed by the vendor’s Marketplace offering. Ensure you have the correct license or subscription before deploying.

Common configuration checklist

| Configuration item | Purpose | Notes |
| --- | --- | --- |
| Virtual WAN hub | Attach NVA to the correct hub/region | Must match hub where traffic will be steered |
| Scale units | Capacity sizing for expected throughput | Verify vendor documentation for per-unit throughput |
| Licensing/token | License the appliance (BYOL, token, PAYG) | Some vendors require tokens obtained after Marketplace subscription |
| Credentials | Admin account and SSH/RDP options | Use secure credential handling and Key Vault when possible |
| Image version | Select vendor image and patch level | Keep images updated to address security fixes |
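
A pre-deployment check for the checklist above, written as an added example; it is not part of the original lesson or of any vendor's Marketplace template. It assumes the deployment is driven from an ARM parameters file rather than the portal forms, and the parameter names (`virtualHubId`, `scaleUnit`, `imageVersion`, `adminPassword`, `licenseToken`) are hypothetical; the Key Vault `reference` shape is the standard ARM parameters-file syntax.

```python
import re

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
# Constructed "parameters" object of an ARM parameters file. The parameter
# names are assumptions; each vendor's Marketplace template defines its own.
SAMPLE_PARAMS = {
    "virtualHubId": {"value": SUB + "/resourceGroups/rg-net/providers"
                              "/Microsoft.Network/virtualHubs/vwan-az700-eus-hub"},
    "scaleUnit": {"value": 2},
    "imageVersion": {"value": "latest"},
    "adminPassword": {"value": "inline-example-password"},  # secret in the file
    "licenseToken": {"reference": {                         # Key Vault reference
        "keyVault": {"id": SUB + "/resourceGroups/rg-sec/providers"
                                 "/Microsoft.KeyVault/vaults/kv-example"},
        "secretName": "nva-license-token"}},
}
SECRET_PARAMS = ("adminPassword", "licenseToken")  # hypothetical names
HUB_ID = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers"
                    r"/Microsoft\.Network/virtualHubs/[^/]+$", re.IGNORECASE)

def is_keyvault_ref(param):
    """True if the parameter is an ARM Key Vault reference with no inline value."""
    ref = param.get("reference") or {}
    vault_id = (ref.get("keyVault") or {}).get("id")
    return "value" not in param and bool(vault_id) and bool(ref.get("secretName"))

def lint_nva_params(params):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    hub = params.get("virtualHubId", {}).get("value", "")
    if not HUB_ID.match(str(hub)):
        findings.append("virtualHubId: not a virtualHubs resource ID")
    units = params.get("scaleUnit", {}).get("value")
    if isinstance(units, bool) or not isinstance(units, int) or units < 1:
        findings.append("scaleUnit: must be a positive integer")
    # Policy choice of this example: an explicit version keeps the deployed
    # patch level auditable; "latest" or empty does not.
    if params.get("imageVersion", {}).get("value", "") in ("", "latest"):
        findings.append("imageVersion: patch level not stated explicitly")
    for name in SECRET_PARAMS:
        if name not in params:
            findings.append(f"{name}: missing")
        elif not is_keyvault_ref(params[name]):
            findings.append(f"{name}: inline secret, use a Key Vault reference")
    return findings

if __name__ == "__main__":
    for finding in lint_nva_params(SAMPLE_PARAMS):
        print("FINDING", finding)
```

Run against the constructed sample, it reports the unpinned image version and the inline admin password, and accepts the license token because it is a Key Vault reference.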

Vendor selection — quick comparison

| Vendor examples | Typical use cases |
| --- | --- |
| Fortinet (FortiGate) | Next‑gen firewall, NGFW features in Virtual WAN |
| Cisco | Enterprise firewall and SD‑WAN integration |
| Check Point | Advanced firewalling and threat prevention |
| Barracuda | Cloud firewalling and security services |
| VMware | SD‑WAN and virtualization-centric network services |

Summary

  • NVAs are third‑party VMs that provide network functions and can be attached to Azure Virtual WAN hubs.
  • Navigate to Virtual WAN > Hubs > Network virtual appliances in the portal to create an NVA.
  • Select a Marketplace vendor image, configure hub, scale units, licensing/token, and credentials, then review and create.
  • Azure provisions the VM(s) and connects them into the hub routing fabric — always consult vendor documentation for sizing and licensing details.
This completes the lesson on deploying NVAs into an Azure Virtual WAN hub.