AZ-500 Microsoft Azure Security Technologies Exam

Design and deploy secured virtual hubs with policy-based routing and firewall integration

Azure Virtual WAN is a global transit network service built on a hub-and-spoke architecture. A secured virtual hub places a firewall instance—such as Azure Firewall or a partner NVA—directly inside the hub. This design centralizes security controls to inspect and filter all inter-spoke, branch, and Internet traffic. By default, it enforces a Zero Trust stance where only explicitly allowed traffic flows are permitted. The hub network fabric delivers any-to-any connectivity across branches, VNets, and users.

To set up security across multiple hubs, you use Azure Firewall Manager. This tool lets you create or import a Firewall Policy and link it to one or more secured virtual hubs. You can start from a blank policy, base it on an existing one, or import rules you already manage. Underlines traffic steering by advertising a default route (0.0.0.0/0) through trusted security providers, ensuring all private and Internet traffic is processed by the right security stack.

Policy-based routing relies on custom route tables and hub-level routing settings. Each route table contains entries with an address prefix and a next hop, such as the private IP address of Azure Firewall or an NVA. You apply these tables to the virtual hub and decide whether spokes or sites should use forced tunneling. You can also group routes with labels for easier management and scale hubs by adjusting hub infrastructure units, handling thousands of VMs without manual user-defined routes.

You can deploy secured virtual hubs through the Azure portal or via Azure PowerShell for automation. In the portal, navigate to Firewall Manager → Secured Hubs, choose a hub, and configure Internet and private traffic settings with Private Traffic Prefixes. With PowerShell, use cmdlets like New-AzVirtualWan, New-AzVirtualHub, New-AzFirewallPolicy, New-AzFirewall, New-AzVirtualHubRouteTable, and Update-AzVirtualHub. Automation ensures repeatable deployments and supports zone redundancy for high availability.

Key benefits of secured virtual hubs include:

• Centralized security with consistent policies across global regions
• Scalability through automated spoke onboarding and hub infrastructure units
• Optimized routing by leveraging Azure’s backbone for full mesh connectivity
• Compliance via deep traffic inspection and unified logging

These features help enforce Zero Trust, minimize the attack surface, and maintain high availability and performance in your Azure network.

Conclusion

In this section, we explored how Azure Virtual WAN uses a hub-and-spoke model to offer a global transit network. We saw how a secured virtual hub integrates Azure Firewall or partner NVAs for centralized traffic inspection and a Zero Trust stance. We reviewed the role of Azure Firewall Manager in provisioning firewall policies and linking them to multiple hubs. We examined policy-based routing with custom route tables, forced tunneling, and scaling with hub infrastructure units. Finally, we covered deployment methods—both the Azure portal and PowerShell—and the key benefits of centralized security, scalability, optimized routing, and compliance. These practices equip you to plan and implement a secure, high-performance Virtual WAN in Azure.