What is this Azure Virtual WAN Terraform page?
This page is a provider-specific Terraform implementation guide for Azure Virtual WAN. Instead of giving only a tiny snippet, it explains the actual Azure concepts you work with in production: virtual WAN, virtual hub, hub connection, routing, and the optional gateway services that make the platform useful at enterprise scale.
What you will deploy
- One Azure resource group
- One Virtual WAN instance
- One Virtual Hub
- One spoke VNet
- One hub-to-VNet connection
- Optional foundation for adding VPN or ExpressRoute later
Why this is useful
- Good starting pattern for enterprise hub-and-spoke
- Repeatable across regions with Terraform modules
- Cleaner than manually building large connectivity estates
- Easy to extend with security and branch connectivity
Why use Terraform for Azure Virtual WAN?
Azure Virtual WAN usually appears in larger environments where consistency matters. Teams may need multiple hubs, repeated connection patterns, secure routing, and predictable deployment workflows. Terraform helps you declare the topology once and reuse it across regions, environments, or business units.
Consistency
Repeat the same vWAN pattern across dev, test, production, or across countries and regions with fewer manual errors.
Scalability
As more VNets, branches, and routing policies are added, Infrastructure as Code becomes much easier to manage than portal-only operations.
Governance
Terraform supports reviews, pull requests, version history, tagging, and policy integration, which is valuable for enterprise networking teams.
Azure Virtual WAN explained with the 5 Ws
What
Azure Virtual WAN is a Microsoft-managed wide area networking service that centralizes connectivity between VNets, remote users, branches, VPN sites, and ExpressRoute circuits using virtual hubs.
Why
It reduces the operational complexity of building many individual gateways and ad hoc transitive routing designs. It gives teams a more structured transit model.
When
Use it when a standard VNet peering setup becomes hard to scale, when branch connectivity is growing, or when centralized routing and security are needed across multiple regions.
Where
Virtual WAN lives as an Azure networking construct, while its virtual hubs are deployed in selected Azure regions and act as your managed transit points.
Who
Cloud network engineers, platform teams, enterprise architects, and Terraform practitioners building shared connectivity services for applications and branches.
How
You create a Virtual WAN, place one or more Virtual Hubs inside it, connect VNets or branch connections into those hubs, and let Azure manage much of the transit and routing behavior.
Core Azure Virtual WAN components in Terraform
A strong Azure page should explain provider-specific terms, not generic cloud language. These are the core pieces you should understand before using the code.
| Component | Azure Meaning | Terraform Relevance |
|---|---|---|
| Virtual WAN | The top-level managed WAN resource that organizes hubs and connectivity services. | Created with azurerm_virtual_wan. |
| Virtual Hub | A regional transit hub inside the Virtual WAN. | Created with azurerm_virtual_hub. |
| Hub Connection | Connects a VNet to the Virtual Hub for transit and routing. | Created with azurerm_virtual_hub_connection. |
| VPN Gateway | Provides branch connectivity over site-to-site VPN inside the vWAN model. | Often added later with azurerm_vpn_gateway. |
| ExpressRoute Gateway | Brings ExpressRoute into the managed hub architecture. | Useful for hybrid enterprise designs. |
| Secured Hub | A Virtual Hub integrated with Azure Firewall Manager and security policy flows. | Common in production-grade enterprise environments. |
| Routing | Controls how connected networks reach one another through the hub. | Needs careful design when security or custom route intent is involved. |
How Azure Virtual WAN works in practice
At a high level, Azure Virtual WAN acts like a managed transit backbone. Instead of creating separate independent gateways for many networks, you centralize connectivity into one or more virtual hubs.
- Create a resource group to contain the networking resources.
- Create a Virtual WAN as the top-level WAN container.
- Create a Virtual Hub in a chosen Azure region with its own hub address prefix.
- Create a spoke VNet for workloads.
- Connect the spoke VNet to the hub using Virtual Hub Connection.
- Optionally add VPN Gateway, ExpressRoute Gateway, or Azure Firewall secured hub.
- Control routing behavior so workloads, branches, and security services communicate correctly.
Simple Azure Virtual WAN architecture diagram
This diagram reflects the Terraform example on this page. It starts with the most practical base pattern and can later be extended with a VPN gateway, ExpressRoute gateway, or secured hub design.
+--------------------------------------+
| Azure Virtual WAN |
| (global construct) |
+-------------------+------------------+
|
|
+-----------------v-----------------+
| Azure Virtual Hub |
| Region: South Africa North |
| Hub Prefix: 10.250.0.0/24 |
+-----------------+-----------------+
|
+------------------------+------------------------+
| |
| |
+-----------v-----------+ +-----------v-----------+
| Spoke VNet | | Optional Services |
| 10.10.0.0/16 | | - VPN Gateway |
| App subnets | | - ExpressRoute GW |
| Workloads | | - Azure Firewall |
+-----------------------+ +-----------------------+
Azure Virtual WAN Terraform example
This example creates a resource group, Virtual WAN, Virtual Hub, spoke VNet, and hub connection. It is intentionally clean and production-friendly so you can extend it into modules later.
terraform {
required_version = ">= 1.5.0"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = ">= 3.100.0"
}
}
}
provider "azurerm" {
features {}
}
locals {
project = "cn-vwan"
location = "South Africa North"
resource_group_name = "rg-cn-vwan-san-1"
tags = {
environment = "lab"
workload = "networking"
owner = "cloudnetworking-io"
managed_by = "terraform"
}
}
resource "azurerm_resource_group" "this" {
name = local.resource_group_name
location = local.location
tags = local.tags
}
resource "azurerm_virtual_wan" "this" {
name = "vwan-cn-san-1"
resource_group_name = azurerm_resource_group.this.name
location = azurerm_resource_group.this.location
type = "Standard"
tags = local.tags
}
resource "azurerm_virtual_hub" "this" {
name = "vhub-cn-san-1"
resource_group_name = azurerm_resource_group.this.name
location = azurerm_resource_group.this.location
virtual_wan_id = azurerm_virtual_wan.this.id
address_prefix = "10.250.0.0/24"
tags = local.tags
}
resource "azurerm_virtual_network" "spoke" {
name = "vnet-cn-spoke-san-1"
location = azurerm_resource_group.this.location
resource_group_name = azurerm_resource_group.this.name
address_space = ["10.10.0.0/16"]
subnet {
name = "apps"
address_prefix = "10.10.1.0/24"
}
subnet {
name = "data"
address_prefix = "10.10.2.0/24"
}
tags = local.tags
}
resource "azurerm_virtual_hub_connection" "spoke_connection" {
name = "conn-vhub-to-spoke-san-1"
virtual_hub_id = azurerm_virtual_hub.this.id
remote_virtual_network_id = azurerm_virtual_network.spoke.id
internet_security_enabled = false
routing {
associated_route_table_id = azurerm_virtual_hub.this.default_route_table_id
propagated_route_table {
labels = ["default"]
}
}
}
output "resource_group_name" {
value = azurerm_resource_group.this.name
}
output "virtual_wan_name" {
value = azurerm_virtual_wan.this.name
}
output "virtual_hub_name" {
value = azurerm_virtual_hub.this.name
}
output "spoke_vnet_name" {
value = azurerm_virtual_network.spoke.name
}
output "hub_connection_name" {
value = azurerm_virtual_hub_connection.spoke_connection.name
}
# Optional if you later refactor into variables location = "South Africa North" resource_group_name = "rg-cn-vwan-san-1" virtual_wan_name = "vwan-cn-san-1" virtual_hub_name = "vhub-cn-san-1" spoke_vnet_name = "vnet-cn-spoke-san-1" hub_address_prefix = "10.250.0.0/24" spoke_address_space = ["10.10.0.0/16"]
terraform init terraform fmt terraform validate terraform plan -out tfplan terraform apply tfplan
What the Terraform code is doing
azurerm_virtual_wan
This creates the top-level Virtual WAN resource. The page uses the Standard type because enterprise features and scale typically align with Standard deployments.
azurerm_virtual_hub
The Virtual Hub is your regional transit anchor. It is associated with the Virtual WAN and gets a dedicated hub prefix that should not overlap with connected VNets.
azurerm_virtual_network
This example uses one spoke VNet to represent workload connectivity. Real environments usually add several spokes, often across multiple subscriptions.
azurerm_virtual_hub_connection
This links the spoke VNet into the hub. The routing block shows the VNet associating with the hub's default route table and propagating into default routing.
Real-world Azure Virtual WAN Terraform use cases
The strongest resource pages connect concepts to actual engineering scenarios. These are the kinds of situations where Virtual WAN becomes more appropriate than plain peering.
Multi-region application estate
A company runs workloads in several Azure regions and wants a repeatable way to connect regional VNets into a managed transit architecture without manually chaining peerings.
Hybrid enterprise connectivity
Branch offices, data centers, or partner sites connect into Azure using VPN or ExpressRoute, while cloud workloads sit in spoke VNets attached to Virtual Hubs.
Centralized security insertion
A security team wants traffic inspection and central policy control using secured hubs and Azure Firewall, rather than distributing many network appliances across spokes.
Azure Virtual WAN vs VNet peering vs traditional gateway design
This section helps avoid one of the biggest mistakes: choosing Virtual WAN when a simpler pattern would do, or choosing a simpler pattern when operations will later become painful.
| Option | Best For | Strengths | Trade-Offs |
|---|---|---|---|
| Azure Virtual WAN | Enterprise-scale transit, branch connectivity, centralized routing | Managed hubs, large-scale connectivity, easier expansion, security integration | More architectural planning, may be unnecessary for very small environments |
| VNet Peering | Simple direct connectivity between a smaller number of VNets | Fast, straightforward, often enough for simpler Azure estates | Becomes harder to manage at scale, not a full managed WAN model |
| Traditional per-VNet gateways | Older hybrid patterns or isolated gateway designs | Works for narrow use cases | Can become operationally complex, fragmented, and less elegant at scale |
Azure Virtual WAN Terraform best practices
- Plan address space early. Hub prefixes, spoke prefixes, branch CIDRs, and future region expansion must not overlap.
- Use Standard where appropriate. Enterprise WAN designs usually depend on Standard-level capability rather than entry-level assumptions.
- Keep naming consistent. Use region and purpose in names such as
vhub-san-prodorconn-vhub-app1. - Tag everything. Cost ownership, environment, workload, compliance, and operations tags help later.
- Modularize after the first clean deployment. Build a working reference first, then convert to reusable modules.
- Be intentional with routing. Do not leave route behavior vague when multiple spokes, branch sites, or security services exist.
- Document security posture. If using secured hubs, document which traffic should be inspected and where exceptions apply.
- Validate Azure provider support. Some Virtual WAN features evolve over time, so pin tested provider versions in production repositories.
Common mistakes engineers make with Azure Virtual WAN
1. Treating Virtual WAN like a normal VNet resource
Virtual WAN is a managed transit framework, not just another network object. Teams sometimes deploy it without understanding the routing model, which causes confusion later.
2. Overlapping address space
Overlaps between hub prefixes, spoke VNets, and on-premises networks can break connectivity and create painful redesign work.
3. Choosing vWAN when the environment is still very small
Not every Azure network needs Virtual WAN. For a small environment with a few VNets, standard peering may be simpler and easier to operate.
4. Ignoring routing tables and propagation design
The first deployment may look fine, but routing complexity grows quickly when many spokes, VPN sites, or security controls are added.
5. Skipping module structure for larger estates
Once multiple hubs and regions are involved, keeping everything in one flat Terraform file becomes difficult to maintain.
Frequently asked questions about Azure Virtual WAN Terraform
What is Azure Virtual WAN in simple terms?
It is a managed Azure networking service for building centralized WAN connectivity using regional virtual hubs.
When should I use Azure Virtual WAN instead of VNet peering?
Use Virtual WAN when your environment needs managed transit, branch connectivity, multiple regions, centralized routing, or secured hub patterns at scale.
Can I connect spoke VNets with Terraform?
Yes. The usual pattern is to create a azurerm_virtual_hub_connection resource that links the VNet to the hub.
Can this design be expanded later with VPN or ExpressRoute?
Yes. That is one of the biggest strengths of Virtual WAN. You can start with hub and spoke connectivity, then extend into hybrid and branch scenarios.
Should I use modules for Azure Virtual WAN?
For learning, a single file is fine. For production, modules are strongly recommended, especially when regions, hubs, or many spokes are involved.