VM secure access using Virtual WAN & Hub (P2S VPN access)

PR 130 Reputation points
2023-08-10T19:18:52.4166667+00:00

Hello Team,

We have created a Virtual WAN and added a connectivity Hub, and the Hub has been configured with Point-to-Site VPN. Now we have multiple VNETs that need to be added into the Hub.

While adding the VNET connections, what are the recommended settings for "Associate Route Tables", "Propagate to Route Tables" and "Static Routes" in order to avoid overlapping IP addresses and other conflicts while accessing the VMs by private IP address over the VPN?

Azure Virtual WAN
An Azure virtual networking service that provides optimized and automated branch-to-branch connectivity.

Accepted answer
GitaraniSharma-MSFT 47,686 Reputation points Microsoft Employee
    2023-08-11T07:29:11.2+00:00

    Hello @PR ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you've created a Virtual WAN and added a Hub with a Point-to-Site VPN configuration, and now you need to add multiple VNETs to this Hub. So, you would like to know the recommended settings for "Associate Route Tables", "Propagate to Route Tables" and "Static Routes" while adding the VNET connections, in order to avoid overlapping IP addresses and other conflicts while accessing the VMs by private IP address over the VPN.

    As per the Virtual Hub Routing doc, below are the recommended settings:

    • All branch connections (Point-to-site, Site-to-site, and ExpressRoute) need to be associated to the Default route table. That way, all branches will learn the same prefixes.
    • All branch connections need to propagate their routes to the same set of route tables. For example, if you decide that branches should propagate to the Default route table, this configuration should be consistent across all branches. As a result, all connections associated to the Default route table will be able to reach all of the branches.

    Each virtual hub has its own Default route table, which can be edited to add static routes. Routes added statically take precedence over dynamically learned routes for the same prefixes. Configuring static routes provides a mechanism to steer traffic from the hub through a next hop IP, which could be that of a Network Virtual Appliance (NVA) provisioned in a spoke VNet attached to the virtual hub. A static route is composed of a route name, a list of destination prefixes, and a next hop IP. So, if you need to route traffic from the hub through a next hop, you can configure static routes accordingly.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-wan/about-virtual-hub-routing#static

    Another important thing to remember here is:

    Connecting 2 virtual networks with overlapping address spaces to the virtual hub is currently not supported.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-faq#can-you-resize-or-change-the-address-prefixes-of-a-spoke-virtual-network-connected-to-the-virtual-wan-hub

    However, the routing scenario and setup could change per your requirements. Below are a few scenarios for your reference:

    If your requirement is to have the same connectivity on all connections from VNets and branches (VPN, ExpressRoute, and User VPN), a single route table is required. As a result, all connections will be associated and propagate to the same route table, the Default route table.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-wan/scenario-any-to-any

    If your requirement is to prevent a specific set of VNets from reaching another set of VNets, and branches (VPN/ER/User VPN) are only allowed to reach certain sets of VNets, then you need to create and add custom route tables per your desired routing.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-wan/scenario-isolate-virtual-networks-branches

    If your requirement is to set up routes to access a Shared Service VNet with workloads that you want every VNet and Branch (VPN/ER/P2S) to access, then again you need to create and add custom route tables per your desired routing.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-wan/scenario-shared-services-vnet

    Conclusion: The recommended settings depend entirely on what you are trying to achieve. So, refer to the above configurations, decide what suits your requirement, and configure accordingly.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

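The answer above makes two points a practitioner should check before adding VNet connections: the hub rejects spoke VNets with overlapping address spaces, and a static route in the hub's route table overrides the dynamically learned route for the same prefix and must point at a next hop (such as an NVA) inside an attached spoke. The following pre-flight check is an added example, not code from the post or from Azure; the VNet inventory, P2S client pool and static route are constructed sample values.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory (assumption, not from the post): spoke VNets planned
# for the hub, the P2S client address pool, and a static route steering traffic via an NVA.
VNETS = {
    "vnet-app":    ["10.1.0.0/16"],
    "vnet-data":   ["10.2.0.0/16"],
    "vnet-shared": ["10.2.128.0/20"],  # overlaps vnet-data: the hub will reject this pair
}
P2S_CLIENT_POOL = "172.16.0.0/24"
STATIC_ROUTE = {"name": "to-nva", "prefixes": ["10.1.0.0/16"], "next_hop": "10.2.0.4"}


def find_overlaps(vnets, extra_prefixes=()):
    """Pairs of address spaces that overlap across different VNets, and against extra
    prefixes such as the P2S client pool. Any hit must be resolved before connecting."""
    spaces = [(name, ipaddress.ip_network(p)) for name, ps in vnets.items() for p in ps]
    spaces += [("p2s-pool", ipaddress.ip_network(p)) for p in extra_prefixes]
    return [(a, str(na), b, str(nb))
            for (a, na), (b, nb) in combinations(spaces, 2)
            if a != b and na.overlaps(nb)]


def check_static_route(route, vnets):
    """Findings for a hub static route: the next hop should sit inside an attached spoke
    VNet (where the NVA lives), and a destination matching a spoke prefix will shadow the
    dynamically learned route for that spoke, which is only intended when steering via the NVA."""
    findings = []
    hop = ipaddress.ip_address(route["next_hop"])
    hop_vnet = next((name for name, ps in vnets.items()
                     if any(hop in ipaddress.ip_network(p) for p in ps)), None)
    if hop_vnet is None:
        findings.append(f"next hop {hop} is not inside any attached spoke VNet")
    for dest in route["prefixes"]:
        d = ipaddress.ip_network(dest)
        for name, ps in vnets.items():
            if any(d.overlaps(ipaddress.ip_network(p)) for p in ps):
                findings.append(f"static {dest} overrides learned route for {name} "
                                f"(next hop in {hop_vnet})")
    return findings


if __name__ == "__main__":
    for a, pa, b, pb in find_overlaps(VNETS, [P2S_CLIENT_POOL]):
        print(f"OVERLAP: {a} {pa} <-> {b} {pb}")
    for finding in check_static_route(STATIC_ROUTE, VNETS):
        print("STATIC ROUTE:", finding)
```

Run it against the real address spaces of every spoke and branch before each `Associate`/`Propagate` change; an empty overlap list is the precondition the hub enforces, and the static-route findings tell you which learned routes the hub will stop using.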
