In my earlier article I showed how to create a virtual hub under a Virtual WAN (vWAN) and convert it to a secured hub. There is another way to create a secured hub, with different steps, using Azure Firewall Manager. Azure Firewall Manager is a security management and administration service that offers central security policy and route management for cloud-based security boundaries. Firewall Manager can deliver security management for two network architecture types: secured virtual hub and hub virtual network.
Microsoft Azure Virtual WAN Part 1 - Create Virtual Network and subnets
Part 2 Create a Virtual WAN (VWAN) on Azure Portal
Microsoft Azure Virtual WAN Part 3 - Create and convert to secured virtual hub inside VWAN
Microsoft Azure Virtual WAN Part 3.1 - Create secured virtual hub inside Azure Firewall Manager
Microsoft Azure Virtual WAN Part 4 - Add Virtual Network connection | Hub vNet Peering
Microsoft Azure Virtual WAN Part 5 - Create Azure Virtual Machine (VM)
Microsoft Azure Virtual WAN Part 6 - Creating and configuring Azure Firewall Policies
Microsoft Azure Virtual WAN Part 7 - Configure security configuration | Route traffic to your secured hub | Test connectivity
To start creating and configuring a virtual hub using Firewall Manager, search for Firewall Manager in the search bar and click on it.
In Firewall Manager, I am on the Getting Started page. You can view the overall security coverage of firewalls across your networking resources here.
From the Deployments section in the left pane, click Virtual Hubs and hit + Create new secured virtual hub. The hub I created in the earlier part is already listed.
Next, on the Create new secured virtual hub wizard under Firewall Manager, provide the Project details, Subscription and Resource Group, and choose the Region under Secured virtual hub details (you can't have more than one hub per virtual WAN per region, but you can add multiple virtual WANs in the same region to achieve this). Provide the Secured virtual hub name and Hub address space (hubs in a vWAN can't have overlapping IP spaces). Choose an existing vWAN and select its name. I am keeping Include VPN gateway to enable Security Partner Providers unchecked (a VPN gateway is required for Security Partner Provider integration). Click the Next: Firewall > button.
On the Azure Firewall tab: secured virtual hubs must have at least one and can have at most two security providers. You may use two security providers to secure different types of connections. You can choose to enable Azure Firewall for this virtual hub and associate a policy, or select "None" and associate a policy later.
Keep the Azure Firewall toggle set to Enabled. For the Azure Firewall tier I am keeping Standard; I don't need the Premium features (discussed in the earlier article) for this lab. For Availability zone I am keeping None. Enabling Azure Firewall creates an Azure Firewall resource as part of this hub creation process, and this action has an immediate billing impact. Leave the number of Public IP addresses at the default of 1. A Default Deny Policy is selected. Click Next: Security Partner Provider.
I am not using any Security Partner Provider; this is another way to use third-party firewall tools to filter internet traffic. Note: a VPN gateway is required for Security Partner Provider integration. Click Next: Review + Create.
On the Review + create tab of Firewall Manager (secured virtual hub creation), validation will pass; verify the settings and click the Create button.
Deployment takes some time, approximately 30 minutes.
Once deployment is complete, verify that the new Azure Firewall resource is created inside the Resource Group.
Next, verify that the hub is created successfully inside the Virtual WAN.
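The wizard above rejects a plan only after you have filled in every tab, so it helps to check the constraints it enforces (one hub per vWAN per region, no overlapping hub address spaces, VPN gateway required for a Security Partner Provider) before opening the portal. The script below is an added example and not part of the original article or any Azure tooling; the hub inventory, names and address ranges are constructed, and the /24 minimum is the documented lower bound for a virtual hub address space.

```python
import ipaddress

# Constructed inventory of hubs already present in a vWAN (not real deployments):
# one hub per (vWAN, region) and non-overlapping address spaces, as the portal requires.
EXISTING_HUBS = [
    {"vwan": "vwan-lab", "region": "eastus", "name": "hub-eastus", "address_space": "10.10.0.0/24"},
    {"vwan": "vwan-lab", "region": "westus", "name": "hub-westus", "address_space": "10.11.0.0/24"},
]

MIN_HUB_PREFIX = 24  # a virtual hub needs at least a /24 address space


def preflight_secured_hub(new_hub, existing_hubs=EXISTING_HUBS):
    """Return the problems that would make the secured virtual hub wizard fail.

    new_hub keys: vwan, region, address_space, and optionally
    security_partner_provider (bool) and include_vpn_gateway (bool).
    An empty list means the plan passes every check the article mentions.
    """
    problems = []
    try:
        # strict=True rejects a prefix with host bits set, e.g. 10.10.0.5/24
        space = ipaddress.ip_network(new_hub["address_space"], strict=True)
    except ValueError as exc:
        return [f"invalid hub address space: {exc}"]

    if space.prefixlen > MIN_HUB_PREFIX:
        problems.append(f"address space /{space.prefixlen} is smaller than the required /{MIN_HUB_PREFIX}")

    for hub in existing_hubs:
        if hub["vwan"] != new_hub["vwan"]:
            continue  # both limits are scoped to a single virtual WAN
        if hub["region"] == new_hub["region"]:
            problems.append(f"region {new_hub['region']} already has hub {hub['name']} in vWAN {hub['vwan']}")
        if space.overlaps(ipaddress.ip_network(hub["address_space"])):
            problems.append(f"address space {space} overlaps hub {hub['name']} ({hub['address_space']})")

    # Security Partner Provider integration is only possible with a VPN gateway in the hub
    if new_hub.get("security_partner_provider") and not new_hub.get("include_vpn_gateway"):
        problems.append("Security Partner Provider requires 'Include VPN gateway' to be checked")
    return problems


if __name__ == "__main__":
    plan = {"vwan": "vwan-lab", "region": "eastus", "address_space": "10.10.0.128/25"}
    for problem in preflight_secured_hub(plan):
        print("BLOCKED:", problem)
```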