1 Intro
2 Documentation
3 Tips and Tidbits
4 Create a network virtual appliance (NVA) in a virtual hub
5 Tutorial: Create a Site-to-Site connection using Azure Virtual WAN

Intro

Azure Virtual WAN is a networking service that brings many networking, security, and routing functionalities together to provide a single operational interface. These functionalities include branch connectivity (via connectivity automation from Virtual WAN Partner devices such as SD-WAN or VPN CPE), Site-to-site VPN connectivity, remote user VPN (Point-to-site) connectivity, private (ExpressRoute) connectivity, intra-cloud connectivity (transitive connectivity for virtual networks), VPN ExpressRoute inter-connectivity, routing, Azure Firewall, and encryption for private connectivity.

Documentation

Tips and Tidbits

Hub: A virtual hub is a Microsoft-managed virtual network.
The hub contains various service endpoints to enable connectivity.
From your on-premises network (vpnsite), you can connect to a VPN Gateway inside the virtual hub, connect ExpressRoute circuits to a virtual hub, or even connect mobile users to a Point-to-site gateway in the virtual hub.
The hub is the core of your network in a region. Multiple virtual hubs can be created in the same region.

There are two types of virtual WANs: Basic and Standard. The following table shows the available configurations for each type.

Virtual WAN type	Hub type	Available configurations

Virtual WAN type	Hub type	Available configurations
Basic	Basic	Site-to-site VPN only
Standard	Standard	ExpressRoute User VPN (P2S) VPN (site-to-site) Inter-hub and VNet-to-VNet transiting through the virtual hub Azure Firewall NVA in a virtual WAN

A WAN is a global resource and does not live in a particular region. However, you must select a region to manage and locate the WAN resource that you create.
What are Virtual WAN gateway scale units?
A scale unit is a unit defined to pick an aggregate throughput of a gateway in Virtual hub.
- 1 scale unit of VPN = 500 Mbps.
- 1 scale unit of ExpressRoute = 2 Gbps.
- Example: 10 scale unit of VPN would imply 500 Mbps * 10 = 5 Gbps
ExpressRoute gateways are provisioned in units of 2 Gbps. 1 scale unit = 2 Gbps with support up to 10 scale units = 20 Gbps.

Connect remote resources by using Azure Virtual WANs
What is Azure Virtual WAN?
Azure Virtual WAN combines all these methods of connectivity to enable the organization to leverage the Microsoft backbone network, which connects Microsoft data centers across Azure regions and a large mesh of edge-nodes around the world.
A Virtual WAN is a security delineation; each instance of a Virtual WAN is self-contained in terms of connectivity and hence also provides security isolation.
Organizations will generally only require one instance of a Virtual WAN.
- Each Virtual WAN is implemented as a hub-and-spoke topology, and can have one or more hubs.
A secured virtual hub is an Azure Virtual WAN Hub with associated security and routing policies configured by Azure Firewall Manager.
Use secured virtual hubs to easily create hub-and-spoke and transitive architectures with native security services for traffic governance and protection.

The minimum address space is /24 to create a hub.

Connect cross-tenant VNets to a Virtual WAN hub
You can use Virtual WAN to connect a VNet to a virtual hub in a different tenant.
This architecture is useful if you have client workloads that must be connected to be the same network but are on different tenants.
- Requirement: Non-overlapping address spaces in the remote tenant and address spaces within any other VNets already connected to the parent virtual hub.

The routing capabilities in a virtual hub are provided by a router that manages all routing between gateways using Border Gateway Protocol (BGP).
- A virtual hub can contain multiple gateways such as a Site-to-site VPN gateway, ExpressRoute gateway, Point-to-site gateway, Azure Firewall.
- This router also provides transit connectivity between virtual networks that connect to a virtual hub and can support up to an aggregate throughput of 50 Gbps.
A virtual hub route table can contain one or more routes.
- A route includes its name, a label, a destination type, a list of destination prefixes, and next hop information for a packet to be routed.
Connections are Resource Manager resources that have a routing configuration. The four types of connections are:
- VPN connection: Connects a VPN site to a virtual hub VPN gateway.
- ExpressRoute connection: Connects an ExpressRoute circuit to a virtual hub ExpressRoute gateway.
- P2S configuration connection: Connects a User VPN (Point-to-site) configuration to a virtual hub User VPN (Point-to-site) gateway.
- Hub virtual network connection: Connects virtual networks to a virtual hub.
Each connection is associated to one route table.
- Associating a connection to a route table allows the traffic to be sent to the destinations indicated as routes in the route table.
Multiple connections can be associated to the same route table.
By default, all connections are associated to a Default route table in a virtual hub.

Connections dynamically propagate routes to a route table.
With a VPN connection, ExpressRoute connection, or P2S configuration connection, routes are propagated from the virtual hub to the on-premises router using BGP.

Create a network virtual appliance (NVA) in a virtual hub

Create a network virtual appliance (NVA) in a virtual hub
The NVAs available in the Azure Marketplace can be deployed directly into a virtual hub and nowhere else.
Each is deployed as a Managed Application, which allows Azure Virtual WAN to manage the configuration of the NVA.
They cannot be deployed within an arbitrary VNet.
they all offer a Managed Application experience through Azure Marketplace, NVA Infrastructure Unit-based capacity and billing, and Health Metrics surfaced through Azure Monitor.
When you create an NVA in the Virtual WAN hub, like all Managed Applications, there will be two Resource Groups created in your subscription.
- Customer Resource Group - This will contain an application placeholder for the Managed Application. Partners can use this resource group to expose whatever customer properties they choose here.
  Managed Resource Group - Customers cannot configure or change resources in this resource group directly, as this is controlled by the publisher of the Managed Application. This Resource Group will contain the NetworkVirtualAppliances resource.
Unlike Azure VPN Gateway configurations, you do not need to create Site resources, Site-to-Site connection resources, or point-to-site connection resources to connect your branch sites to your NVA in the Virtual WAN hub. This is all managed via the NVA partner.
An NVA Infrastructure Unit is a unit of aggregate bandwidth capacity for an NVA in the Virtual WAN hub.
One NVA Infrastructure Unit represents 500 Mbps of aggregate bandwidth for all branch site connections coming into this NVA.
Azure supports from 1-80 NVA Infrastructure Units for a given NVA virtual hub deployment.

Tutorial: Create a Site-to-Site connection using Azure Virtual WAN

Tutorial: Create a Site-to-Site connection using Azure Virtual WAN
Create a virtual WAN
Configure hub Basic settings
Configure site-to-site VPN gateway settings
Create a site
Connect a site to a hub
Connect a VPN site to a hub
Connect a VNet to a hub
Download a configuration file
View or edit your VPN gateway