Quickstart: Route to shared services VNets using an ARM template

This quickstart describes how to use an Azure Resource Manager template (ARM template) to set up routes to access a shared service VNet with workloads that you want every VNet and Branch (VPN/ER/P2S) to access. Examples of these shared workloads might include virtual machines with services like domain controllers or file shares, or Azure services exposed internally through Azure Private Endpoint.

An ARM template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax. In declarative syntax, you describe your intended deployment without writing the sequence of programming commands to create the deployment.

If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button. The template will open in the Azure portal.


  • If you don't have an Azure subscription, create a free account before you begin.
  • Public key certificate data is required for this configuration. Sample data is provided in the article. However, the sample data is provided only to satisfy the template requirements in order to create a P2S gateway. After the template completes and the resources are deployed, you must update this field with your own certificate data in order for the configuration to work. See User VPN certificates.

Review the template

The template used in this quickstart is from Azure Quickstart Templates. The template for this article is too long to show here. To view the template, see azuredeploy.json.

In this quickstart, you'll create an Azure Virtual WAN multi-hub deployment, including all gateways and VNet connections. The list of input parameters has been purposely kept at a minimum. The IP addressing scheme can be changed by modifying the variables inside of the template. The scenario is explained further in the Scenario: Shared services VNet article.

Deployment architecture

This template creates a fully functional Azure Virtual WAN environment with the following resources:

  • 2 distinct hubs in different regions.
  • 4 Azure Virtual Networks (VNet).
  • 2 VNet connections for each VWan hub.
  • 1 Point-to-Site (P2S) VPN gateway in each hub.
  • 1 Site-to-Site (S2S) VPN gateway in each hub.
  • 1 ExpressRoute gateway in each hub.
  • Custom Route Tables RT_SHARED in each hub.
  • A label LBL_RT_SHARED to group RT_SHARED route tables.

Multiple Azure resources are defined in the template:


This ARM template doesn't create the customer-side resources required for hybrid connectivity. After you deploy the template, you still need to create and configure the P2S VPN clients, VPN branches (Local Sites), and connect ExpressRoute circuits.

To find more templates, see Azure Quickstart Templates.

Deploy the template

To deploy this template properly, you must use the Deploy to Azure button and the Azure portal, rather than other methods, for the following reasons:

  • In order to create the P2S configuration, you need to upload the root certificate data. The data field does not accept the certificate data when using PowerShell or CLI.
  • This template does not work properly using Cloud Shell due to the certificate data upload.
  • Additionally, you can easily modify the template and parameters in the portal to accommodate IP address ranges and other values.

  1. Click Deploy to Azure.

  2. To view the template, click Edit template. On this page, you can adjust some of the values such as address space or the name of certain resources. Select Save to save your changes, or Discard.

  3. On the template page, enter the values. For this template, the P2S public certificate data is required. If you are using this article as an exercise, you can use the following data from this .cer file as sample data for both hubs. Once the template runs and deployment is complete, in order to use the P2S configuration, you must replace this information with the public key certificate data for your own deployment.

  4. When you have finished entering values, select Review + create.

  5. On the Review + create page, after validation passes, select Create.

  6. It takes about 75 minutes for the deployment to complete. You can view the progress on the template Overview page. If you close the portal, deployment will continue.
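
As an added example (not part of the original quickstart or its template): a Python check for the certificate replacement that step 3 requires. It assumes the P2S field takes the Base64 body of the .cer file as one line without the BEGIN/END lines, and that you have read back the value configured on each hub; the hub names, helper names and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import re
import textwrap

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def cert_field_value(cer_text: str) -> str:
    """Single-line Base64 body of a Base-64 encoded .cer (PEM armor optional)."""
    blocks = PEM_BLOCK.findall(cer_text)
    if len(blocks) > 1:
        raise ValueError("expected one certificate, found %d" % len(blocks))
    body = "".join((blocks[0] if blocks else cer_text).split())
    der = base64.b64decode(body, validate=True)  # rejects stray characters
    if not der.startswith(b"\x30"):
        raise ValueError("decoded data is not a DER SEQUENCE")
    return base64.b64encode(der).decode("ascii")

def fingerprint(field_value: str) -> str:
    """SHA-256 over the DER bytes, so line wrapping does not affect the result."""
    return hashlib.sha256(base64.b64decode(field_value)).hexdigest()

def hubs_still_on_sample(hub_values: dict, sample_cer: str) -> list:
    """Hubs whose configured root certificate is still the quickstart sample."""
    sample_fp = fingerprint(cert_field_value(sample_cer))
    return sorted(hub for hub, value in hub_values.items()
                  if fingerprint(cert_field_value(value)) == sample_fp)

def pem_wrap(der: bytes) -> str:
    """Wrap DER bytes in PEM armor (helper for the constructed inputs below)."""
    b64 = "\r\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 8))
    return "-----BEGIN CERTIFICATE-----\r\n%s\r\n-----END CERTIFICATE-----\r\n" % b64

# Constructed placeholder bytes, NOT real certificates: only the leading DER
# SEQUENCE tag (0x30) is realistic. Hub names are hypothetical.
SAMPLE_CER = pem_wrap(b"\x30\x0a" + b"SAMPLEROOT")
OWN_CER = pem_wrap(b"\x30\x07" + b"OWNROOT")
HUB_VALUES = {"hub1": cert_field_value(SAMPLE_CER),  # left on the sample
              "hub2": cert_field_value(OWN_CER)}     # replaced after deployment

if __name__ == "__main__":
    print(cert_field_value(OWN_CER))                     # value for the portal field
    print(hubs_still_on_sample(HUB_VALUES, SAMPLE_CER))  # hubs needing an update
```

Any hub the last call returns is still configured with the sample data and needs its root certificate replaced before the P2S configuration is used.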


Validate the deployment

  1. Sign in to the Azure portal.

  2. Select Resource groups from the left pane.

  3. Select the resource group that you created in the previous section. On the Overview page, you will see something similar to this example:

  4. Click the virtual WAN to view the hubs. On the virtual WAN page, click each hub to view connections and other hub information.

Complete the hybrid configuration

The template does not configure all of the settings necessary for a hybrid network. You need to complete the following configurations and settings, depending on your requirements.

Clean up resources

When you no longer need the resources that you created, delete them. Some of the Virtual WAN resources must be deleted in a certain order due to dependencies. Deleting can take about 30 minutes to complete.

  1. Open the virtual WAN that you created.
  2. Select a virtual hub associated to the virtual WAN to open the hub page.
  3. Click Delete. Delete all entities (connections, gateways, etc.) in the hub. This can take 30 minutes to complete.
  4. You can either delete the hub at this point, or delete it later when you delete the resource group.
  5. Repeat for all hubs associated to the virtual WAN.
  6. Navigate to the resource group in the Azure portal.
  7. Select Delete resource group. This deletes everything in the resource group, including the hubs and the virtual WAN.