Virtual Geek

Tales from real IT system administrators world and non-production environment

Microsoft Azure Virtual WAN Part 3 - Create and convert to secured virtual hub inside VWAN

A virtual hub is a Microsoft-managed virtual network. The hub includes different service endpoints to enable connectivity from your on-premises network (vpnsite). It is aa Microsoft-managed virtual network that allows and enables connectivity from other resource services. When a virtual hub is created from a Virtual WAN in the Azure portal, a virtual hub VNet and gateways (optional) are created as its components. In the below diagram green marked resources are created on Azure cloud, I am going to create Red marked resource services on the portal in this article.

Microsoft Azure Virtual WAN Part 1 - Create Virtual Network and subnets
Part 2 Create a Virtual WAN (VWAN) on Azure Portal
Microsoft Azure Virtual WAN Part 3 - Create secured virtual hub inside VWAN
Microsoft Azure Virtual WAN Part 3.1 - Create secured virtual hub inside Azure Firewall Manager
Microsoft Azure Virtual WAN Part 4 - Add Virtual Network connection | Hub vNet Peering
Microsoft Azure Virtual WAN Part 5 - Create Azure Virtual Machine (VM)
Microsoft Azure Virtual WAN Part 6 - Creating and configuring Azure Firewall Policies
Microsoft Azure Virtual WAN Part 7 - Configure security configuration | Route traffic to your secured hub | Test connectivity

Microsoft vWAN Firewall Virtual Hub secured virtual network virtual machine vm vnet azure firewall microsoft azure networking routing branch subnet nsg subnet address space ip address pool public ip firewall manager.png

I have already deployed a Virtual WAN in my environment in my earlier blog, as you can see in the below screenshot. The next virtual hub resources in the table, I am going to create.

Virtual HubLocationAddress SpaceVirtual WAN
hub-westusWest US10.3.0.0/16common-vwan
hub-westeuropeWest Europe10.4.0.0/16common-vwan

Microsoft Virtual network azure portal vnet vwan virtual wan cost management cost analysis cost alerts budges region location visualizer access control resource group.png

Inside the Virtual WAN, click Hubs under connectivity from left hand side navigation pane. Click + New Hub.

Microsoft Azure portal virtua wan vwan New hub connectivity vpn sites user vpn configurations expressroute circuits virtual network connections tags access control(IAM).png

On the Basics tab, the hub will be created under the same subscription and resource group as per the vWAN details inside Project details. Under Virtual Hub details choose Region, Name and Hub private address space (The hub's address range in CIDR notation). Creating a hub with gateway takes 30 minutes to deploy. For this deployment I am not creating gateway, Click Next: Site to site > to proceed.

In the Site to site tab, you can enable Site to site (VPN gateway) before connecting to VPN sites. You can do this after hub creation but doing it now will save time and reduce the risk of service interruptions later. I have kept toggle button to No under, Do you want to create a Site to site (VPN gateway)?

Click Next: Point to site >.

Create virtual hub microsoft virtual wan azure portal basics region name hub private address space gateway site to site vpn gateway vnet virtual network connectivity firewall.png

In the Point to site and ExpressRoute tab, if you are planning to use this hub with Point-to-site connections or ExpressRoutes, you will need to enable Point-to-site gateway or ExpressRoute gateway before connecting end-user devices or ExpressRoute circuits respectively. You can do this after hub creation as well, but doing now will save time and reduce the risk of service interruptions later.

Click Next: Tags > button.

Microsoft Azure windows Create virtual hub virtual wan deployment vwan point to site vpn gateway expressroute gateway vwan hub secured firewall tags.png

On the Tags tab, configure and define tags for better management of resources on Azure. Proceed with Review + create button. Validation must be passed then click Create button.

Microsoft Azure portal create virtual hub tags site to site vpn point to site express route tags vwan virtual wan secured hub firewall vpn gateway expressroute connectivity bgp networking azure.png

Once hub deployment is completed (Actual Deployment takes around 30 minutes) click go to resource and verify the hub resource settings.

Microsoft Azure portal Virtual hub deployment free trial virtual wan poc secured hub firewall manager virtualhubdeployment inputs outputs template redeploy correlation id operation details azfw fw.png

This is Inside Virtual WAN > New Hub looks like below, it is not secured yet.

Microsoft azure portal virtual wan vwan secured hub firewall manager hub status succeeded address space vpn sites expressroute circuits point-to-site secured hub firewall policy.png

On the overview page of Hub status is succeeded as deployed but Routing status is in Provisioning which takes approx 30 minutes to get succeeded.

Microsoft Azure portal virtual wan convert to securre hub vpn site to site gateway expressroute user vpn point to site routing network virtual appliance routing status provisioning private address space location firewall.png

Next under Security choose Convert to secure hub. The hubs you select in the list of hubs will be converted into secured virtual hubs (It will deploy Azure firewall and associate it with hub). Depending on the provider you select in the next step, there might be an immediate billing impact.

Security status of the hub is Unsecured. and observe the icon of Hub. Click Next: Azure Firewall > button.

Microsoft Azure portal convert to secure hub unsecured vwan virtual wan hub poc location resource gateway vpn gateway routing microsoft resources deployment azure firewall vpn gateway user sitesecurity partner provider.png

Secured virtual hubs must have at least one, and can have at most two security providers. You may use two security providers to secure different types of connections. you can choose to enable Azure Firewall for this virtual hub and associate a policy. you can also select "None" and associate a policy later.

Azure Firewall is selected Enabled, in the Azure Firewall tier I have kept standard selected as tier. With premium tier you can use features like IDPS and TLS inspection. Availability zone is none for this demo firewall. Specify number of Public Ip Addresses, In my case it is only one which I will use to connect to Virtual Machines using DNAT rule in later part of this series. The use of Public IP address is required If you have any public downstream filtering on your network, you need to make available all public IP addresses connected with your firewall. Think using a public IP address prefix to simplify this design. Default policy name is Default Deny Policy. Click Next: Security Partner Provider > button to proceed.

Microsoft Azure Portal Convert to secure hub Enabled azure firewall disable standard premium public ip Address default deny policy security.png

You can choose to enable a Security Partner Provider as a security provider for this virtual hub for filtering internet traffic. For this POC I am keeping it Disabled, I see there are Zscaler, Check point and iboss 3rd party entities are available as Security Partner Provider. Just note VPN gateway is required for Security Partner Provider incorporation. Click Next: Review + Confirm.

Microsoft Azure portal convert to secure hub virtual wan azure firewall zscaler check point iboss filtering internet traffice routing networking vpn gateway point to site to site expressroute network virtual appliance.png

Validation is passed and Hub is ready to convert to Secure Hub and click Confirm button.

Microsoft Azure virtual wan hub convert to secure hub vpn expressroute routing azure firewall tier standard basic firewall policy none location networking peering.png

Once conversion is successful check the new icon of the Virtual HUB. Also Routing Status is changed provisioned. Hub is secured with Azure Firewall, to manage security provider and route settings for secured virtual hub use Azure Firewall Manager.

Microsoft Azure portal Virtual hub secured setting routing user vpn expressroute site-to-site s2s vpn virtual gateway point p2s.png

This is the view inside my Resource Group, The automatically deployed Azure Firewall name is a combination of AzureFirwall_ + Virtual Hub name, and the location region is same as Virtual Hub.

Microsoft firewall manager resource groups virtual wan virtual hub Azure firewall manager csv access control iam deployments security policies vnet virtual network query budget azure.png

Useful Articles
Powershell Azure Az module Install-Package cannot convert value 2.0.0-preview to type system.version

Azure web apps, app service plan, paas platform as a service, domain name ssl website hosting microsoft iis nginx windows apache httpd.PNG

Part 1: Create and deploy a website with Microsoft Azure web app service plan
Part 3: Uploading to Azure Web Apps Using FTP
<span "="" open="" background-color="background-color">Part 4: Add and manage TLS SSL certificates on Azure Web App

AzCopy copy transfer fails with 403 This request is not authorized to perform this operation using this permission
Azure azcopy login error Selected user account does not exist in tenant 'Microsoft Services' and cannot access the application '579a7132-0e58-4d80-b1e1-7a1e2d337859'

Go Back


Blog Search

Page Views


Follow me on Blogarama