A virtual hub is a Microsoft-managed virtual network. The hub includes different service endpoints to enable connectivity from your on-premises network (vpnsite) and from other Azure resource services. When a virtual hub is created from a Virtual WAN in the Azure portal, a virtual hub VNet and (optionally) gateways are created as its components. In the diagram below, the resources marked green are already created on Azure; in this article I am going to create the resources marked red in the portal.
Microsoft Azure Virtual WAN Part 1 - Create Virtual Network and subnets
Part 2 Create a Virtual WAN (VWAN) on Azure Portal
Microsoft Azure Virtual WAN Part 3 - Create secured virtual hub inside VWAN
Microsoft Azure Virtual WAN Part 3.1 - Create secured virtual hub inside Azure Firewall Manager
Microsoft Azure Virtual WAN Part 4 - Add Virtual Network connection | Hub vNet Peering
Microsoft Azure Virtual WAN Part 5 - Create Azure Virtual Machine (VM)
Microsoft Azure Virtual WAN Part 6 - Creating and configuring Azure Firewall Policies
Microsoft Azure Virtual WAN Part 7 - Configure security configuration | Route traffic to your secured hub | Test connectivity
I have already deployed a Virtual WAN in my environment in my earlier blog, as you can see in the screenshot below. Next, I am going to create the virtual hub resources listed in the table below.
| Virtual Hub | Location | Address Space | Virtual WAN |
| --- | --- | --- | --- |
| hub-westus | West US | 10.3.0.0/16 | common-vwan |
| hub-westeurope | West Europe | 10.4.0.0/16 | common-vwan |
Inside the Virtual WAN, click Hubs under Connectivity in the left-hand navigation pane, then click + New Hub.
On the Basics tab, the hub is created under the same subscription and resource group as the Virtual WAN, as shown under Project details. Under Virtual Hub details choose the Region, Name and Hub private address space (the hub's address range in CIDR notation). Creating a hub with a gateway takes about 30 minutes to deploy. For this deployment I am not creating a gateway. Click Next: Site to site > to proceed.
In the Site to site tab, you can enable a Site to site (VPN gateway) before connecting VPN sites. You can do this after hub creation, but doing it now saves time and reduces the risk of service interruptions later. I have kept the toggle button under "Do you want to create a Site to site (VPN gateway)?" set to No.
Click Next: Point to site >.
In the Point to site and ExpressRoute tab, if you are planning to use this hub with Point-to-site connections or ExpressRoute circuits, you will need to enable the Point-to-site gateway or the ExpressRoute gateway before connecting end-user devices or ExpressRoute circuits respectively. You can do this after hub creation as well, but doing it now saves time and reduces the risk of service interruptions later.
Click Next: Tags > button.
On the Tags tab, configure and define tags for better management of resources on Azure. Proceed with the Review + create button. Validation must pass; then click the Create button.
Once the hub deployment is completed (the actual deployment takes around 30 minutes), click Go to resource and verify the hub resource settings.
This is how the new hub looks inside Virtual WAN > Hubs; it is not secured yet.
On the overview page of the hub, the Hub status is Succeeded as deployed, but the Routing status is Provisioning, which takes approximately 30 minutes to reach Succeeded.
Next, under Security choose Convert to secure hub. The hubs you select in the list of hubs will be converted into secured virtual hubs (this deploys an Azure Firewall and associates it with the hub). Depending on the provider you select in the next step, there might be an immediate billing impact.
The Security status of the hub is Unsecured; also observe the icon of the hub. Click the Next: Azure Firewall > button.
Secured virtual hubs must have at least one, and can have at most two, security providers. You may use two security providers to secure different types of connections. You can choose to enable Azure Firewall for this virtual hub and associate a policy, or you can select "None" and associate a policy later.
Azure Firewall is set to Enabled; for the Azure Firewall tier I have kept Standard selected. With the Premium tier you can use features like IDPS and TLS inspection. Availability zone is None for this demo firewall. Specify the number of public IP addresses; in my case it is only one, which I will use to connect to virtual machines using a DNAT rule later in this series. If you have any public downstream filtering on your network, you need to make all public IP addresses associated with your firewall available to it; consider using a public IP address prefix to simplify this design. The default policy name is Default Deny Policy. Click the Next: Security Partner Provider > button to proceed.
You can choose to enable a Security Partner Provider as a security provider for this virtual hub for filtering internet traffic. For this POC I am keeping it Disabled; I see that Zscaler, Check Point and iboss are available as third-party Security Partner Providers. Note that a VPN gateway is required to integrate a Security Partner Provider. Click Next: Review + Confirm.
Validation passes and the hub is ready to convert to a secured hub; click the Confirm button.
Once the conversion is successful, check the new icon of the virtual hub. The Routing status has also changed to Provisioned. The hub is now secured with Azure Firewall; to manage the security provider and route settings for the secured virtual hub, use Azure Firewall Manager.
This is the view inside my resource group. The name of the automatically deployed Azure Firewall is AzureFirewall_ followed by the virtual hub name, and its region is the same as the virtual hub's.
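The same hub creation and conversion to a secured hub, expressed as infrastructure as code, as an added Bicep example that is not part of the original post and not Microsoft's own template. The hub name, address space and Virtual WAN name come from the table above; the policy resource name Default-Deny-Policy, the API version and the assumption that the template is deployed into the resource group already holding common-vwan are mine.

```bicep
// Added example: creates hub-westus inside the existing common-vwan and converts it into a
// secured hub by attaching a hub-mode Azure Firewall with a deny-by-default firewall policy.
// Assumed: deployed into the resource group that holds common-vwan; API version 2023-05-01.
targetScope = 'resourceGroup'

param location string = 'westus'
param hubName string = 'hub-westus'
param hubAddressPrefix string = '10.3.0.0/16'
param vwanName string = 'common-vwan'
@allowed(['Standard', 'Premium'])
param firewallTier string = 'Standard'   // Premium adds IDPS and TLS inspection
param publicIpCount int = 1              // one public IP, reused later for the DNAT rule

resource vwan 'Microsoft.Network/virtualWans@2023-05-01' existing = {
  name: vwanName
}

// Hub only: no site-to-site, point-to-site or ExpressRoute gateway, as in the portal walkthrough
resource hub 'Microsoft.Network/virtualHubs@2023-05-01' = {
  name: hubName
  location: location
  properties: {
    virtualWan: { id: vwan.id }
    addressPrefix: hubAddressPrefix
    sku: 'Standard'
  }
}

// A policy with no rule collections denies everything not explicitly allowed,
// which is the behaviour of the portal's "Default Deny Policy" (resource name assumed)
resource policy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'Default-Deny-Policy'
  location: location
  properties: {
    sku: { tier: firewallTier }
    threatIntelMode: 'Alert'
  }
}

// Hub-mode firewall (AZFW_Hub) associated with the hub; no availability zones, as in the demo.
// The name follows the AzureFirewall_<hub name> convention the portal uses.
resource firewall 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'AzureFirewall_${hubName}'
  location: location
  properties: {
    sku: { name: 'AZFW_Hub', tier: firewallTier }
    virtualHub: { id: hub.id }
    hubIPAddresses: { publicIPs: { count: publicIpCount } }
    firewallPolicy: { id: policy.id }
  }
}

// Private IP of the firewall: the next hop when traffic is routed through the secured hub
output firewallPrivateIp string = firewall.properties.hubIPAddresses.privateIPAddress
```

Deploy with `az deployment group create -g <resource-group> -f securedhub.bicep`; hub creation and firewall association still take roughly the 30 minutes noted above, so the Routing status should be checked afterwards.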