Azure Landing Zone Accelerator for AVS – Using a Central Hub in Azure

Options for network connectivity with AVS

There are many options for connectivity when it comes to Azure VMware Solution.  This post reviews utilizing a central hub in Azure.

Network Architecture


  • Use ExpressRoute for maximum bandwidth from on-premises. is also available when not limited by bandwidth constraints.
  • Use ExpressRoute to enable Global Reach for route exchange between on-premises and AVS.
  • Create an Azure Route Server and peer it to BGP-capable (s).
  • Enable ExpressRoute FastPath to bypass the gateway port speed for improved data path performance.

In the Hub VNet, create a User-Defined Route (UDR) to workloads in the Spoke VNet(s) with a next-hop of the NVA in the gateway subnet. Next, the destination traffic needs to get securely back to the source. The native behavior with Azure VNet peering will bypass the Disabling BGP route propagation will prevent routes from being learned dynamically via BGP from the gateway, ensuring that traffic doesn't go directly to the gateway of the peered . From there, creating a default UDR with a next-hop of the NVA will send the return traffic back through the .

When to use Secured Hub vWAN with Traditional Hub & Spoke

Azure VWAN can be used instead of a Traditional Hub VNET or alongside it to provide transit from AVS to Azure and back to on-premises. Azure VWAN is a solid option for using Azure Firewall or large-scale, multisite/multi-regional deployments with several or more ExpressRoute and connections. In a separate Hub Virtual Network, other operations can take place, such as using a 3rd party network appliance to route or filter traffic securely. The Hub VNet can also facilitate Layer-7 operations through Traffic Manager, Application Gateway, or enabling DDOS protection with WAF.


  • Azure VWAN is a managed service meaning transitivity for ExpressRoute, , and WAN to AVS is built in, so there is no need for Azure Route Server.
  • Natively, a user can use Azure Firewall for a Secured vWAN hub.

*Note: If you are in a location where Global Reach is unavailable, VWAN with route intent may be used as an alternative for secure transit over the ExpressRoutes between two secured hubs using Azure Firewall. For more information, please see  How to configure Virtual WAN Hub routing policies – Azure Virtual WAN 

In this video, Sabine Blair – Sr Cloud Solution Architect at Microsoft, will cover these scenarios and more.

What you will learn from this video:

  • Connecting to AVS from on-premises when using a WAN, VPN, or ExpressRoute circuit.
  • exchange routes between a VPN and an ExpressRoute Gateway.
  • Centralizing routes and inspecting traffic using a network appliance.
  • Reducing the number of User Defined Static Routes with Azure Route Server.

Stay tuned for more Azure VMware Solution network scenarios.

Special thanks to Sabine Blair for taking the time to explain the scenario.

As always, please leave feedback so we can continue to improve and help you!

Amy Colyer



This article was originally published by Microsoft's Entra (Azure AD) Blog. You can find the original article here.