Different egress points for prod and non-prod using virtual wan

Shane Corgatelli 40 Reputation points


I'm looking to use Virtual WAN for centralized internet egress and vnet-to-vnet connectivity.

However, I need to be able to differentiate between non-prod and prod egress traffic while allowing access from a common management network to both non-prod and prod resources.

My original plan was to create separate non-prod and prod secure virtual hubs in the same Virtual WAN. In theory, this would allow me to have all non-prod traffic egress through the non-prod hub and prod traffic through the prod one, while allowing the management network to access both environments.

However, I discovered that only one secured virtual hub is allowed per-region which means I cannot use this setup.

I also cannot use different virtual wans because of the requirement for a shared management network (since virtual wans in the same tenant cannot be connected).

Any recommendations on how to best approach this?

Thank you!

Azure Virtual WAN
Azure Virtual WAN
An Azure virtual networking service that provides optimized and automated branch-to-branch connectivity.
190 questions
{count} votes

Accepted answer
  1. AlineDutra-MSFT 250 Reputation points Microsoft Employee

    Hello @Shane Corgatelli .

    I understand that you would like to use Virtual WAN for centralized internet egress and vnet-to-vnet connectivity, while being able to differentiate the non-prod and prod egress traffic.

    In case you are trying to use Virtual Hub, to isolate two VNets on Virtual WAN and have them use the same egress point, you can create a custom route table in each hub and associate the VNets to the route table. You can then configure the route tables to propagate to each other and to the default route table. This will allow the VNets to reach all branches (VPN, ER, and User VPN) while remaining isolated from each other, also you can check here for Custom Vnet Isolation, if you prefer: Scenario: https://learn.microsoft.com/en-us/azure/virtual-wan/scenario-isolate-vnets-custom

    You can also use Multiple Hubs with an Any-to-Any scenario:



    This could, as well, be applied using Multiple Secure Hubs with Routing Intent. It is no longer the case that we cannot have more than one secured virtual hub per-region.



    I created a lab similar to your requirement and I was able to deploy a single vWAN with 2 Secure vHUB (same region, in my case I have used West Europe).

    User's image

    User's image

    There are few requirements/prerequisites to be followed.

    How to configure Virtual WAN Hub routing policies - Azure Virtual WAN | Microsoft Learn

    Advised you to give it a try and you tried it again via portal but it was giving you an error stating "You can't have more than one hub per virtual wan per region".

    Then you tried to deploy it via Terraform and it worked and you were able to achieve your requirement successfully. Glad to hear that the issue is now resolved.

    Regarding the portal error, it looks like a cosmetic bug on the portal for a few users. I've reported this to the Virtual WAN Product Group team and they will investigate and fix it accordingly.

    Kindly let us know if you need further assistance on this issue.

    Please don’t forget to close the thread by clicking "Accept the answer", as this can be beneficial to other community members.

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Shane Corgatelli 40 Reputation points

    I was initially attempting to create the new secure hub via Firewall Manager in the portal. This was throwing me off because it was giving me the error shown below. However, when I created via Terraform it works fine.

    User's image

    Thank you!