Tutorial: Create an ExpressRoute association using Azure Virtual WAN (Preview)

This tutorial shows you how to use Virtual WAN to connect to your resources in Azure over using an ExpressRoute circuit and association. For more information about Virtual WAN, see the Virtual WAN Overview

In this tutorial, you learn how to:

  • Create a vWAN
  • Create a hub
  • Find and associate a circuit to the hub
  • Associate the circuit to a hub(s)
  • Connect a VNet to a hub
  • View your virtual WAN
  • View resource health
  • Monitor a connection


This public preview is provided without a service level agreement and should not be used for production workloads. Certain features may not be supported, may have constrained capabilities, or may not be available in all Azure locations. See the Supplemental Terms of Use for Microsoft Azure Previews for details.

Before you begin


This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Verify that you have met the following criteria before beginning your configuration:

  • If you already have a virtual network that you want to connect to, verify that none of the subnets of your on-premises network overlap with the virtual networks that you want to connect to. Your virtual network does not require a gateway subnet and cannot have any virtual network gateways. If you do not have a virtual network, you can create one using the steps in this article.
  • Obtain an IP address range for your hub region. The hub is a virtual network and the address range that you specify for the hub region cannot overlap with any of your existing virtual networks that you connect to. It also cannot overlap with your address ranges that you connect to on premises. If you are unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you.
  • If you don't have an Azure subscription, create a free account before you begin.

Register this feature

Before you can configure Virtual WAN, you must first enroll your subscription in the Preview. Otherwise, you will not be able to work with Virtual WAN in the portal. To enroll, send an email to azurevirtualwan@microsoft.com with your subscription ID. You will receive an email back once your subscription has been enrolled.

Preview Considerations:

  • The ExpressRoute circuit must be enabled in a country/region that supports ExpressRoute Global Reach.
  • The ExpressRoute circuit must be a Premium circuit in order to connect to Virtual WAN hub.

1. Create a virtual network

To quickly create a VNet, you can click "Try It" in this article to open a PowerShell console in Azure Cloud Shell. Adjust the values, then copy and paste the commands into the console window.

Be sure to verify that the address space for the VNet that you create does not overlap with any of the address ranges for other VNets that you want to connect to, or with your on-premises network address spaces.

Create a resource group

If you don't already have a resource group that you want to use, create a new one. Adjust the PowerShell commands to reflect the resource group name you want to use, then run the following cmdlet:

New-AzResourceGroup -ResourceGroupName WANTestRG -Location WestUS

Create a VNet

Adjust the PowerShell commands to create a VNet that is compatible for your environment.

$fesub1 = New-AzVirtualNetworkSubnetConfig -Name FrontEnd -AddressPrefix ""
$vnet   = New-AzVirtualNetwork `
            -Name WANVNet1 `
            -ResourceGroupName WANTestRG `
            -Location WestUS `
            -AddressPrefix "" `
            -Subnet $fesub1

2. Create a virtual WAN

From a browser, navigate to the Azure portal (preview) and sign in with your Azure account.

  1. Navigate to the Virtual WAN page. One way to navigate to the page is to go to All services, and then search for Virtual WAN.

  2. Click +Add to open the Create WAN page.

  3. On the Create WAN page, fill in the following fields:

    • Name - Select the Name that you want to call your WAN.
    • Subscription - Select the subscription that you want to use.
    • Resource Group - Create new or use existing.
    • Resource Location - Choose a resource location from the dropdown. A WAN is a global resource and does not live in a particular region. However, you must select a region in order to more easily manage and locate the WAN resource that you create.
  4. After you finish filling out the fields, click Create.

Getting started page

On the Wide area networks (WANs) page, select the WAN that you created. From the left menu, select the Getting started page. This page shows you the order in which you should create your virtual WAN resources. You need to complete steps 1-4 in order to create a functional WAN. You can create sites and hubs in either order, as they do not depend on each other. However, you must have both sites and hubs created prior to associating them.

The steps are:

  1. Create sites
  2. Create hubs
  3. Associate sites with hubs
  4. Download file
  5. Connect hubs with virtual network (optional for some configurations)

3. Create a hub

A hub contains the gateway. Once the hub is created, you'll be charged for the hub, even if you don't attach any sites. It takes 30 minutes to create the hub and gateway.

  1. Locate the Virtual WAN that you created. On the Virtual WAN page, under the Virtual WAN architecture section, click Hubs.

  2. On the Hubs page, click +New Hub to open the Create virtual hub page.

  3. On the Create virtual hub page, complete the following fields:

    • Location
    • Name
    • Hub private address space

Click Confirm to create the hub. Click Refresh to view the hub on the Hubs page.

4. Find and associate a circuit to the hub

  1. Select your vWAN and under Virtual WAN Architecture, select ExpressRoute Circuits.
  2. If the ExpressRoute circuit is in the same subscription as your vWAN, click Select ExpressRoute circuit from your subscription(s).
  3. Using the pull-down, select your ExpressRoute you would like to associate to the hub.
  4. If the ExpressRoute circuit is not in the same subscription or you have been provided an authorization key and peer ID, select Find a circuit redeeming an authorization key
  5. Enter the following details:
  6. Authorization key - Generated by the circuit owner as described above
  7. Peer circuit URI - Circuit URI that is provided by the circuit owner and is the unique identifier for the circuit
  8. Routing weight - Routing Weight allows you to prefer certain paths when multiple circuits from different peering locations are connected to the same hub
  9. Click Find circuit and select the circuit, if found.
  10. Select 1 or more hubs from the drop down and click Save.

5. Connect your VNet to a hub

In this step, you create the peering connection between your hub and a VNet. Repeat these steps for each VNet that you want to connect.

  1. On the page for your virtual WAN, click Virtual network connection.

  2. On the virtual network connection page, click +Add connection.

  3. On the Add connection page, fill in the following fields:

    • Connection name - Name your connection.
    • Hubs - Select the hub you want to associate with this connection.
    • Subscription - Verify the subscription.
    • Virtual network - Select the virtual network you want to connect to this hub. The virtual network cannot have an already existing virtual network gateway.

6. View your virtual WAN

  1. Navigate to the virtual WAN.
  2. On the Overview page, each point on the map represents a hub. Hover over any point to view the hub health summary.
  3. In the Hubs and connections section, you can view hub status, site, region, VPN connection status, and bytes in and out.

7. View your resource health

  1. Navigate to your WAN.
  2. On your WAN page, in the SUPPORT + Troubleshooting section, click Health and view your resource.

8. Monitor a connection

Create a connection to monitor communication between an Azure VM and a remote site. For information about how to set up a connection monitor, see Monitor network communication. The source field is the VM IP in Azure, and the destination IP is the Site IP.

9. Clean up resources

When you no longer need these resources, you can use Remove-AzResourceGroup to remove the resource group and all of the resources it contains. Replace "myResourceGroup" with the name of your resource group and run the following PowerShell command:

Remove-AzResourceGroup -Name myResourceGroup -Force

Next steps

In this tutorial, you learned how to:

  • Create a vWAN
  • Create a hub
  • Find and associate a circuit to the hub
  • Associate the circuit to a hub(s)
  • Connect a VNet to a hub
  • View your virtual WAN
  • View resource health
  • Monitor a connection

To learn more about Virtual WAN, see the Virtual WAN Overview page.