Using BGP peering with Azure route server for hub and spoke model vs Azure VWAN

Suwarna S Kale 301 Reputation points
2023-11-17T13:34:57.64+00:00

Our scenario - We have two separate environments setup on Azure as below:

1. Hub and spoke model with a third-party NVA, connected to on-prem with an ExpressRoute connection

2. Azure Virtual WAN integrated with Azure Firewall, connected to on-premises with an ExpressRoute connection

Both of the above environments are fairly separated and do not have any connection between them, and we wish to keep them separated.

Now for the first environment (hub & spoke) we are required to have an automated BGP peering configuration so that we are not required to manage it manually. We ended up using Azure Route Server because it supports not only third-party network virtual appliances (NVA) running on Azure but also seamlessly integrates with ExpressRoute and Azure VPN gateways.

The question is: if we would like to have automated BGP peering managed by an Azure Virtual WAN secured hub with integrated Azure Firewall, does it require any Route Server setup as well, or does it have an in-built Route Server to handle the BGP configuration automatically, since Azure VWAN supports integrated connectivity solutions?

What are the best practices if we want to have an automated BGP peering configuration set up on Azure Virtual WAN? Is there any additional cost associated with this setup?

Any links pointing to related documentation would also be helpful for both environments (hub & spoke vs VWAN) described above.

1 answer

  1. ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee
    2023-11-18T03:07:07.73+00:00

    @Suwarna S Kale

    Thank you for reaching out.

    I understand you have a hub and spoke model with a third-party NVA and an Azure Virtual WAN integrated with Azure Firewall; both environments are fairly separated and connected via ExpressRoute to on-prem. For the hub and spoke model you have set up an Azure Route Server to configure BGP peering and to provide seamless integration with the NVA, ExpressRoute and VPN.

    Based on your question above:

    > The question is: if we would like to have automated BGP peering managed by an Azure Virtual WAN secured hub with integrated Azure Firewall, does it require any Route Server setup as well, or does it have an in-built Route Server to handle the BGP configuration automatically, since Azure VWAN supports integrated connectivity solutions?

    Yes. The Azure Virtual WAN hub router, also called the virtual hub router, acts as a route manager and simplifies routing operation within and across virtual hubs. In other words, a virtual hub router does the following:

    • Simplifies routing management by being the central routing engine talking to gateways such as VPN, ExpressRoute, P2S, and Network Virtual Appliances (NVA).
    • Enables advanced routing scenarios of custom route tables, association, and propagation of routes.
    • Acts as the router for traffic transiting between/to virtual networks connected to a virtual hub.

    The virtual hub router now also exposes the ability to peer with it, thereby exchanging routing information directly through the Border Gateway Protocol (BGP). An NVA or a BGP endpoint provisioned in a virtual network connected to a virtual hub can directly peer with the virtual hub router if it supports the BGP routing protocol and ensures that the ASN on the NVA is set up to be different from the virtual hub ASN.

    You can find more information here regarding how Virtual WAN hub routing differs from Azure Route Server in a VNet.

    Key benefits and considerations of Azure Virtual WAN hub router are described here.

    • You no longer need to manually update the routing table on your NVA whenever your virtual network addresses are updated.
    • You no longer need to update user-defined routes manually whenever your NVA announces new routes or withdraws old ones.

    Just highlighting a few considerations based on your setup:

    • You can't peer a virtual hub router with Azure Route Server provisioned in a virtual network.
    • The BGP peering feature isn't supported for secured virtual hubs where routing intent is not configured. Routing intent is the mechanism through which you can configure Virtual WAN to send private or internet traffic via a security solution deployed in the hub. You can find more information regarding routing intent here.

    > What are the best practices if we want to have an automated BGP peering configuration set up on Azure Virtual WAN? Is there any additional cost associated with this setup?

    Apart from the considerations shared above, you can refer to the following articles for best practices.

    As per the pricing for Virtual WAN, you can consider the following additional charge for the virtual hub router.

    And as documented here. All of the virtual hub routing is provided by a router that enables multiple services in a virtual hub. There's a base fee for the hub, which is priced at $0.25/hr. There's also a charge for data processing in the virtual hub router for VNet-to-VNet transit connectivity. The data processing charge in the virtual hub router isn't applicable for branch-to-branch transfers (Scenario 2, 2', 3), or VNet-to-branch transfers via the same vWAN hub (Scenario 1, 1') as shown in the Pricing Components.

    > Any links pointing to related documentation would also be helpful for both environments (hub & spoke vs VWAN) described above.

    VWAN reference architecture

    Hub and spoke reference architecture:

    Hope this helps! Please let me know if you have any additional questions. Thank you!

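An added example, not part of the answer above or of Microsoft's own tooling: a pre-flight check that encodes the considerations listed in the answer (NVA ASN must differ from the hub ASN, a secured hub needs routing intent first, Route Server is not a valid peer) and, if they pass, emits the ARM body for the hub BGP connection. The hub ASN 65515 is the fixed Virtual WAN hub router value; the API version and the resource ids used in the usage call are assumptions.

```python
"""Pre-flight check before creating a Virtual WAN hub BGP connection for an NVA."""
import ipaddress

VHUB_ASN = 65515          # ASN the Virtual WAN hub router always uses
API_VERSION = "2023-05-01"  # assumed; use the API version your tenant supports


def plan_hub_bgp_peering(peer_name, peer_asn, peer_ip, hub_vnet_connection_id,
                         secured_hub=False, routing_intent=False,
                         peer_is_route_server=False):
    """Validate the peering against the documented constraints.

    Returns the ARM resource body (Microsoft.Network/virtualHubs/bgpConnections)
    on success and raises ValueError with the failed consideration otherwise.
    """
    if peer_is_route_server:
        raise ValueError("a virtual hub router cannot peer with Azure Route Server")
    if not 1 <= peer_asn <= 4294967295:
        raise ValueError(f"ASN {peer_asn} is outside the 32-bit ASN range")
    if peer_asn == VHUB_ASN:
        raise ValueError(f"NVA ASN must differ from the hub ASN {VHUB_ASN}")
    if secured_hub and not routing_intent:
        raise ValueError("secured hub: configure routing intent before BGP peering")
    ipaddress.IPv4Address(peer_ip)  # raises on a malformed peer address
    return {
        "name": peer_name,
        "type": "Microsoft.Network/virtualHubs/bgpConnections",
        "apiVersion": API_VERSION,
        "properties": {
            "peerAsn": peer_asn,
            "peerIp": peer_ip,
            # the hub-to-VNet connection in which the NVA lives
            "hubVirtualNetworkConnection": {"id": hub_vnet_connection_id},
        },
    }


if __name__ == "__main__":
    # Constructed ids for illustration; not real resources.
    conn = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-vwan"
            "/providers/Microsoft.Network/virtualHubs/hub-eastus"
            "/hubVirtualNetworkConnections/spoke-nva")
    body = plan_hub_bgp_peering("nva-peer", 65010, "10.20.0.4", conn,
                                secured_hub=True, routing_intent=True)
    print(body["properties"]["peerAsn"], body["properties"]["peerIp"])
```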