Azure Virtual WAN design: hubs, secured hubs and global transit

Azure Virtual WAN turns hub-and-spoke from a manual UDR puzzle into a managed global service.

Hubs

• Standard or secured (Azure Firewall integrated).
• One hub per region; auto-mesh between hubs.

Connectivity

• VNet connections, branch (S2S VPN/SD-WAN partner), P2S, ExpressRoute.

Routing

• Custom route tables for transit control.
• Static routes for chained NVAs.

Secured hub

• Azure Firewall manages east-west and north-south.

Pitfalls

• Pricing scales with hubs and traffic; model before deploy.
• Some legacy patterns (forced tunneling) need extra design.

Train Azure routing in a TechLeague tournament.