You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
*[Create a virtual network](../virtual-network/quick-create-portal.md) without any virtual network gateways. This virtual network will be configured with an active/active virtual network gateway in later steps. Verify that none of the subnets of your on-premises networks overlap with the virtual networks that you want to connect to.
In this section you create a VPN Gateway virtual network gateway in active-active mode for your virtual network. When you create the gateway, you can either use existing public IP addresses for the two instances of the gateway, or you can create new public IPs. You'll use these public IPs when setting up the Virtual WAN sites.
Copy file name to clipboardExpand all lines: articles/virtual-wan/routing-deep-dive.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@ services: virtual-wan
6
6
author: erjosito
7
7
ms.service: azure-virtual-wan
8
8
ms.topic: concept-article
9
-
ms.date: 08/24/2023
9
+
ms.date: 03/26/2025
10
10
ms.author: jomore
11
11
---
12
12
@@ -27,7 +27,7 @@ All VNet and branch connections are associated and propagating to the default ro
27
27
:::image type="content" source="./media/routing-deep-dive/virtual-wan-routing-deep-dive-scenario-1.png" alt-text="Diagram that shows a Virtual WAN design with two ExpressRoute circuits and two V P N branches." :::
28
28
29
29
> [!IMPORTANT]
30
-
> The previous diagram shows two secured virtual hubs, this topology is supported with Routing Intent. For more information see [How to configure Virtual WAN Hub routing intent and routing policies][virtual-wan-intent].
30
+
> The previous diagram shows two secured virtual hubs. This topology is supported with Routing Intent. For more information, see [How to configure Virtual WAN Hub routing intent and routing policies][virtual-wan-intent].
31
31
32
32
Out of the box, the Virtual WAN hubs exchange information between each other so that communication across regions is enabled. You can inspect the effective routes in Virtual WAN route tables: for example, the following picture shows the effective routes in hub 1:
Copy file name to clipboardExpand all lines: articles/virtual-wan/virtual-wan-faq.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@ author: cherylmc
5
5
ms.service: azure-virtual-wan
6
6
ms.custom: devx-track-azurepowershell
7
7
ms.topic: faq
8
-
ms.date: 03/27/2024
8
+
ms.date: 03/26/2025
9
9
ms.author: cherylmc
10
10
# Customer intent: As someone with a networking background, I want to read more details about Virtual WAN in a FAQ format.
11
11
---
@@ -219,7 +219,7 @@ A connection from a branch or VPN device into Azure Virtual WAN is a VPN connect
219
219
220
220
### What happens if the on-premises VPN device only has 1 tunnel to an Azure Virtual WAN VPN gateway?
221
221
222
-
An Azure Virtual WAN connection is composed of 2 tunnels. A Virtual WAN VPN gateway is deployed in a virtual hub in active-active mode, which implies that there are separate tunnels from on-premises devices terminating on separate instances. This is the recommendation for all users. However, if the user chooses to only have 1 tunnel to one of the Virtual WAN VPN gateway instances, if for any reason (maintenance, patches etc.) the gateway instance is taken offline, the tunnel will be moved to the secondary active instance and the user might experience a reconnect. BGP sessions won't move across instances.
222
+
An Azure Virtual WAN connection is composed of 2 tunnels. A Virtual WAN VPN gateway is deployed in a virtual hub in active-active mode, which implies that there are separate tunnels from on-premises devices terminating on separate instances. This is the recommendation for all users. However, if the user chooses to only have 1 tunnel to one of the Virtual WAN VPN gateway instances, if for any reason (maintenance, patches, etc.) the gateway instance is taken offline, the tunnel will be moved to the secondary active instance and the user might experience a reconnect. BGP sessions won't move across instances.
223
223
224
224
### What happens during a gateway reset in a Virtual WAN VPN gateway?
Copy file name to clipboardExpand all lines: articles/virtual-wan/virtual-wan-global-transit-network-architecture.md
+12-12Lines changed: 12 additions & 12 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@ author: cherylmc
6
6
7
7
ms.service: azure-virtual-wan
8
8
ms.topic: conceptual
9
-
ms.date: 09/25/2023
9
+
ms.date: 03/26/2025
10
10
ms.author: cherylmc
11
11
12
12
---
@@ -51,7 +51,7 @@ An Enterprise cloud footprint can span multiple cloud regions and it's optimal (
51
51
52
52
**Figure 3: Virtual WAN cross-region connectivity**
53
53
54
-
When multiple hubs are enabled in a single virtual WAN, the hubs are automatically interconnected via hub-to-hub links, thus enabling global connectivity between branches and Vnets that are distributed across multiple regions.
54
+
When multiple hubs are enabled in a single virtual WAN, the hubs are automatically interconnected via hub-to-hub links, thus enabling global connectivity between branches and VNets that are distributed across multiple regions.
55
55
56
56
Additionally, hubs that are all part of the same virtual WAN, can be associated with different regional access and security policies. For more information, see [Security and policy control](#security) later in this article.
57
57
@@ -87,7 +87,7 @@ ExpressRoute is a private and resilient way to connect your on-premises networks
87
87
88
88
There are two options to enable ExpressRoute to ExpressRoute transit connectivity when using Azure Virtual WAN:
89
89
90
-
* You can enable ExpressRoute to ExpressRoute transit connectivity by enabling ExpressRoute Global Reach on your ExpressRoute circuits. [Global Reach](../expressroute/expressroute-global-reach.md) is an ExpressRoute add-on feature that allows you to link ExpressRoute circuits in different peering locations together to make a private network. ExpressRoute to ExpressRoute transit connectivity between circuits with the Global Reach add-on will not transit the Virtual WAN hub because Global Reach enables a more optimal path over the global backbone.
90
+
* You can enable ExpressRoute to ExpressRoute transit connectivity by enabling ExpressRoute Global Reach on your ExpressRoute circuits. [Global Reach](../expressroute/expressroute-global-reach.md) is an ExpressRoute add-on feature that allows you to link ExpressRoute circuits in different peering locations together to make a private network. ExpressRoute to ExpressRoute transit connectivity between circuits with the Global Reach add-on won't transit the Virtual WAN hub because Global Reach enables a more optimal path over the global backbone.
91
91
92
92
* You can use the Routing Intent feature with private traffic routing policies to enable ExpressRoute transit connectivity via a security appliance deployed in the Virtual WAN Hub. This option doesn't require Global Reach. For more information, see the [ExpressRoute section](how-to-routing-policies.md#expressroute) in routing intent documentation.
93
93
@@ -99,7 +99,7 @@ This option lets enterprises leverage the Azure backbone to connect branches. Ho
99
99
100
100
> [!NOTE]
101
101
> Disabling Branch-to-Branch Connectivity in Virtual WAN -
102
-
> Virtual WAN can be configured to disable Branch-to-Branch connectivity. This configuration will block route propagation between VPN (S2S and P2S) and Express Route connected sites. This configuration will not affect branch-to-Vnet and Vnet-to-Vnet route propagation and connectivity. To configure this setting using Azure Portal: Under Virtual WAN Configuration menu, Choose Setting: Branch-to-Branch - Disabled.
102
+
> Virtual WAN can be configured to disable Branch-to-Branch connectivity. This configuration will block route propagation between VPN (S2S and P2S) and Express Route connected sites. This configuration won't affect branch-to-VNet and VNet-to-VNet route propagation and connectivity. To configure this setting using the Azure portal: Under the Virtual WAN Configuration menu, choose setting: Branch-to-Branch - Disabled.
103
103
104
104
### Remote User-to-VNet (c)
105
105
@@ -111,7 +111,7 @@ The Remote User-to-branch path lets remote users who are using a point-to-site c
111
111
112
112
### VNet-to-VNet transit (e) and VNet-to-VNet cross-region (h)
113
113
114
-
The VNet-to-VNet transit enables VNets to connect to each other in order to interconnect multi-tier applications that are implemented across multiple VNets. Optionally, you can connect VNets to each other through VNet Peering and this may be suitable for some scenarios where transit via the VWAN hub isn't necessary.
114
+
The VNet-to-VNet transit enables VNets to connect to each other in order to interconnect multi-tier applications that are implemented across multiple VNets. Optionally, you can connect VNets to each other through VNet Peering and this might be suitable for some scenarios where transit via the VWAN hub isn't necessary.
115
115
116
116
117
117
## <aname="DefaultRoute"></a>Forced tunneling and default route
@@ -152,7 +152,7 @@ The VNet-to-VNet secured transit enables VNets to connect to each other via secu
152
152
153
153
### VNet-to-Internet or third-party Security Service (i)
154
154
155
-
The VNet-to-Internet enables VNets to connect to the internet via the security appliances (Azure Firewall, select NVA and SaaS) in the virtual WAN hub. Traffic to internet via supported third-party security services doesn't flow through a security appliance and is routed straight to the third-party security service. You can configure Vnet-to-Internet path via supported third-party security service using Azure Firewall Manager.
155
+
The VNet-to-Internet enables VNets to connect to the internet via the security appliances (Azure Firewall, select NVA and SaaS) in the virtual WAN hub. Traffic to internet via supported third-party security services doesn't flow through a security appliance and is routed straight to the third-party security service. You can configure VNet-to-Internet path via supported third-party security service using Azure Firewall Manager.
156
156
157
157
### Branch-to-Internet or third-party Security Service (j)
158
158
@@ -172,21 +172,21 @@ The Branch-to-VNet secured transit enables branches to communicate with virtual
172
172
173
173
### How do I enable default route (0.0.0.0/0) in a Secured Virtual Hub
174
174
175
-
Azure Firewall deployed in a Virtual WAN hub (Secure Virtual Hub) can be configured as default router to the Internet or Trusted Security Provider for all branches (connected by VPN or Express Route), spoke Vnets and Users (connected via P2S VPN).
176
-
This configuration must be done using Azure Firewall Manager. See Route Traffic to your hub to configure all traffic from branches (including Users) as well as Vnets to Internet via the Azure Firewall.
175
+
Azure Firewall deployed in a Virtual WAN hub (Secure Virtual Hub) can be configured as default router to the Internet or Trusted Security Provider for all branches (connected by VPN or Express Route), spoke VNets and Users (connected via P2S VPN).
176
+
This configuration must be done using Azure Firewall Manager. See Route Traffic to your hub to configure all traffic from branches (including Users) as well as VNets to Internet via the Azure Firewall.
177
177
178
178
This is a two step configuration:
179
179
180
-
1. Configure Internet traffic routing using Secure Virtual Hub Route Setting menu. Configure Vnets and Branches that can send traffic to the internet via the Firewall.
180
+
1. Configure Internet traffic routing using Secure Virtual Hub Route Setting menu. Configure VNets and Branches that can send traffic to the internet via the Firewall.
181
181
182
-
2. Configure which Connections (Vnet and Branch) can route traffic to the internet (0.0.0.0/0) via the Azure FW in the hub or Trusted Security Provider. This step ensures that the default route is propagated to selected branches and Vnets that are attached to the Virtual WAN hub via the Connections.
182
+
2. Configure which Connections (VNet and Branch) can route traffic to the internet (0.0.0.0/0) via the Azure FW in the hub or Trusted Security Provider. This step ensures that the default route is propagated to selected branches and VNets that are attached to the Virtual WAN hub via the Connections.
183
183
184
184
### Force tunneling traffic to on-premises firewall in a Secured Virtual Hub
185
185
186
-
If there is already a default route learned (via BGP) by the Virtual Hub from one of the Branches (VPN or ER sites), this default route is overridden by the default route learned from Azure Firewall Manager setting. In this case, all traffic that is entering the hub from Vnets and branches destined to internet, will be routed to the Azure Firewall or Trusted Security Provider.
186
+
If there is already a default route learned (via BGP) by the Virtual Hub from one of the Branches (VPN or ER sites), this default route is overridden by the default route learned from Azure Firewall Manager setting. In this case, all traffic that is entering the hub from VNets and branches destined to internet, will be routed to the Azure Firewall or Trusted Security Provider.
187
187
188
188
> [!NOTE]
189
-
> Currently there is no option to select on-premises firewall or Azure Firewall (and Trusted Security Provider) for internet bound traffic originating from Vnets, Branches or Users. The default route learned from the Azure Firewall Manager setting is always preferred over the default route learned from one of the branches.
189
+
> Currently there is no option to select on-premises firewall or Azure Firewall (and Trusted Security Provider) for internet bound traffic originating from VNets, Branches or Users. The default route learned from the Azure Firewall Manager setting is always preferred over the default route learned from one of the branches.
![prmerger-automator[bot]](https://avatars.githubusercontent.com/u/22479449?v=4&size=40){kind=avatar}
0 commit comments