Create a Virtual Hub route table to steer traffic to a Network Virtual Appliance

This article shows you how to steer traffic from a Virtual Hub to a Network Virtual Appliance.

Virtual WAN diagram

In this article you learn how to:

  • Create a WAN
  • Create a hub
  • Create hub virtual network connections
  • Create a hub route
  • Create a route table
  • Apply the route table

Before you begin

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Verify that you have met the following criteria:

  1. You have a Network Virtual Appliance (NVA). This is a third-party software of your choice that is typically provisioned from Azure Marketplace in a virtual network.
  2. You have a private IP assigned to the NVA network interface.
  3. The NVA cannot be deployed in the virtual hub. It must be deployed in a separate VNet. For this article, the NVA VNet is referred to as the 'DMZ VNet'.
  4. The ‘DMZ VNet’ may have one or many virtual networks connected to it. In this article, this VNet is referred to as ‘Indirect spoke VNet’. These VNets can be connected to the DMZ VNet using VNet peering.
  5. Verify that you have 2 VNets already created. These will be used as spoke VNets. For this article, the VNet spoke address spaces are 10.0.2.0/24 and 10.0.3.0/24. If you need information on how to create a VNet, see Create a virtual network using PowerShell.
  6. Ensure there are no virtual network gateways in any VNets.

1. Sign in

Make sure you install the latest version of the Resource Manager PowerShell cmdlets. For more information about installing PowerShell cmdlets, see How to install and configure Azure PowerShell. This is important because earlier versions of the cmdlets do not contain the current values that you need for this exercise.

  1. Open your PowerShell console with elevated privileges, and sign in to your Azure account. This cmdlet prompts you for the sign-in credentials. After signing in, it downloads your account settings so that they are available to Azure PowerShell.

    Connect-AzAccount
    
  2. Get a list of your Azure subscriptions.

    Get-AzSubscription
    
  3. Specify the subscription that you want to use.

    Select-AzSubscription -SubscriptionName "Name of subscription"
    

2. Create resources

  1. Create a resource group.

    New-AzResourceGroup -Location "West US" -Name "testRG"
    
  2. Create a virtual WAN.

    $virtualWan = New-AzVirtualWan -ResourceGroupName "testRG" -Name "myVirtualWAN" -Location "West US"
    
  3. Create a virtual hub.

    New-AzVirtualHub -VirtualWan $virtualWan -ResourceGroupName "testRG" -Name "westushub" -AddressPrefix "10.0.1.0/24"
    

3. Create connections

Create hub virtual network connections from Indirect Spoke VNet and the DMZ VNet to the virtual hub.

$remoteVirtualNetwork1= Get-AzVirtualNetwork -Name "indirectspoke1" -ResourceGroupName "testRG"
$remoteVirtualNetwork2= Get-AzVirtualNetwork -Name "indirectspoke2" -ResourceGroupName "testRG"
$remoteVirtualNetwork3= Get-AzVirtualNetwork -Name "dmzvnet" -ResourceGroupName "testRG"

New-AzVirtualHubVnetConnection -ResourceGroupName "testRG" -VirtualHubName "westushub" -Name  "testvnetconnection1" -RemoteVirtualNetwork $remoteVirtualNetwork1
New-AzVirtualHubVnetConnection -ResourceGroupName "testRG" -VirtualHubName "westushub" -Name  "testvnetconnection2" -RemoteVirtualNetwork $remoteVirtualNetwork2
New-AzVirtualHubVnetConnection -ResourceGroupName "testRG" -VirtualHubName "westushub" -Name  "testvnetconnection3" -RemoteVirtualNetwork $remoteVirtualNetwork3

4. Create a virtual hub route

For this article, the Indirect Spoke VNet address spaces are 10.0.2.0/24 and 10.0.3.0/24, and the DMZ NVA network interface private IP address is 10.0.4.5.

$route1 = New-AzVirtualHubRoute -AddressPrefix @("10.0.2.0/24", "10.0.3.0/24") -NextHopIpAddress "10.0.4.5"

5. Create a virtual hub route table

Create a virtual hub route table, then apply the created route to it.

$routeTable = New-AzVirtualHubRouteTable -Route @($route1)

6. Commit the changes

Commit the changes into the virtual hub.

Update-AzVirtualHub -VirtualWanId $virtualWan.Id -ResourceGroupName "testRG" -Name "westushub" -RouteTable $routeTable

Next steps

To learn more about Virtual WAN, see the Virtual WAN Overview page.