Virtual WAN Hub not advertising other Hub IP Space over VPN

Bryan Bartik 40 Reputation points
2024-06-20T14:48:04.5666667+00:00

I have the following Azure VWAN with Palo Alto Cloud NGFWs set up:

Azure VWAN:

  • hub-west: 10.100.0.0/16
  • hub-east: 10.200.0.0/16

Cloud NGFWs are deployed as follows

  • hub-west-cngfw: 10.100.112.0/24
  • hub-east-cngfw: 10.200.112.0/24

I then have 2 "spoke" VNETs connected the hubs respectively:

  • spoke-west: 10.101.0.0/16
  • spoke-east: 10.201.0.0/16

From hub-west I have a VPN to a site that contains the Panorama management platform for the Palo CGNFWs. However, over this VPN only the following IP ranges are advertised, hub-east is missing:

  • hub-west: 10.100.0.0/16
  • spoke-west: 10.101.0.0/16
  • spoke-east: 10.201.0.0/16

Why is the hub-east range not advertised? This prevents Panorama from reaching them. Is this by design? What would be a possible workaround?

Azure Virtual WAN
Azure Virtual WAN
An Azure virtual networking service that provides optimized and automated branch-to-branch connectivity.
225 questions
{count} votes

Accepted answer
  1. GitaraniSharma-MSFT 49,581 Reputation points Microsoft Employee
    2024-06-24T12:35:24.0366667+00:00

    Hello @Bryan Bartik ,

    I understand that you have an Azure VWAN with 2 virtual hubs and Palo Alto Cloud NGFWs set up but the Virtual WAN is not advertising Hub2 address range or route over VPN.

    This is a known limitation documented in the Azure Virtual WAN doc as below:

    https://learn.microsoft.com/en-us/azure/virtual-wan/whats-new

    User's image

    As mentioned above, if your NVA or SaaS orchestrator is deployed on-premises, connect that on-premises site to all Virtual WAN hubs with NVAs or SaaS solutions deployed in them. If your orchestrator is in an Azure VNET, manage NVAs or SaaS solutions using public IP. Support for Azure VNET orchestrators is on the roadmap.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.