first draft

wtnlee · wtnlee · commit 301d2bfdb45d · 2024-08-22T14:55:13.000-07:00
diff --git a/articles/virtual-wan/how-to-routing-policies.md b/articles/virtual-wan/how-to-routing-policies.md
@@ -96,6 +96,57 @@ Consider the following configuration where Hub 1 (Normal) and Hub 2 (Secured) ar
   * Network Virtual Appliances (NVAs) can only be specified as the next hop resource for routing intent if they're Next-Generation Firewall or dual-role Next-Generation Firewall and SD-WAN NVAs. Currently, **checkpoint**, **fortinet-ngfw** and **fortinet-ngfw-and-sdwan** are the only NVAs eligible to be configured to be the next hop for routing intent. If you attempt to specify another NVA, Routing Intent creation fails. You can check the type of the NVA by navigating to your Virtual Hub -> Network Virtual Appliances and then looking at the **Vendor** field. [**Palo Alto Networks Cloud NGFW**](how-to-palo-alto-cloud-ngfw.md) is also supported as the next hop for Routing Intent, but is considered a next hop of type **SaaS solution**. 
   * Routing Intent users who want to connect multiple ExpressRoute circuits to Virtual WAN and want to send traffic between them via a security solution deployed in the hub can enable open up a support case to enable this use case. Reference [enabling connectivity across ExpressRoute circuits](#expressroute) for more information.
 
+### Virtual Network Limitations
+
+> [!NOTE]
+> The maximum number of Virtual Network address spaces that you can connect to a single Virtual WAN hub is adjustable. Please open an Azure support case request a limit increase. The limits are applicable at the Virtual WAN hub level. If you have multiple Virtual WAN hubs that require a limit increase, request a limit increase for all Virtual WAN hubs in your Virtual WAN hub.
+
+
+For customers using routing intent, the maximum number of address spaces across all Virtual Networks **directly connected** to a single Virtual WAN hub is 400. This limit is applied to each Virtual WAN hub in a Virtual WAN hub. Virtual Network address spaces connected to Virtual WAN other Virtual WAN hubs do not contribute to this limit.
+
+If the number of directly connected Virtual Network address spaces connected to a hub exceeds the limit, enabling routing intent on the Virtual Hub will fail. For hubs already configured with routing intent where Virtual Network address spaces exceeds the limit as a result of an operation such as a Virtual Network address space update, the newly connected address space may not be routable.
+
+Request a limit increase if your network has Virtual Network address spaces greater than 90% of the limit or if you have any planned network expansion or deployment operations that will increase the number of Virtual Network address spaces past this limit.
+ 
+The following table provides a few example  Virtual Network address space calculation.
+
+|Virtual Hub| Virtual Network Count| Address spaces per Virtual Network | Total number of Virtual Network address spaces connected to Virtual Hub| Suggested Action|
+|--|--|--|--|--|
+| Hub #1| 200| 1 | 200|  No action required, request limit increase once there are ~350 address spaces.| 
+| Hub #2| 150 | 3 | 450| Request limit increase to enable routing intent.|
+| Hub #3 |370 | 1| 370| Request limit increase.|
+
+You can use the following Powershell script to approximate the number of address spaces in Virtual Networks connected to a single Virtual WAN hub. Run this script for all Virtual WAN hubs in your Virtual WAN. An Azure Monitor metric to allow you to track and configure alerts on connected Virtual Network address spaces is on the roadmap.
+
+```powershell-interactive
+$hubVNETconnections = Get-AzVirtualHubVnetConnection -ParentResourceId "/subscriptions/<subscription id>/resourceGroups/<resource group name>/providers/Microsoft.Network/virtualHubs/<virtual hub name>"
+
+$addressSpaceCount = 0
+
+foreach($connection in $hubVNETconnections) {
+
+try{
+
+$resourceURI = $connection.RemoteVirtualNetwork.Id
+$RG = ($resourceURI -split "/")[4]
+$name = ($resourceURI -split "/")[8]
+$VNET = Get-AzVirtualNetwork -Name $name -ResourceGroupName $RG -ErrorAction "Stop"
+$addressSpaceCount += $VNET.AddressSpace.AddressPrefixes.Count
+}
+catch{
+Write-Host "An error ocurred  while processing VNET connected to Virtual WAN hub with resource URI:  " -NoNewline
+Write-Host $resourceURI 
+Write-Host "Error Message: " -ForegroundColor Red
+Write-Host $_.Exception.Message -ForegroundColor Red 
+}
+finally{
+}
+}
+Write-Host "Total Address Spaces in VNETs connected to this Virtual WAN Hub: " -ForegroundColor Green -NoNewline
+Write-Host $addressSpaceCount -ForegroundColor Green
+```
+
+
 ## Considerations
 
 Customers who are currently using Azure Firewall in the Virtual WAN hub without Routing Intent may enable routing intent using Azure Firewall Manager, Virtual WAN hub routing portal or through other Azure management tools (PowerShell, CLI, REST API).
