{"id":6540,"date":"2026-05-15T23:48:03","date_gmt":"2026-05-15T23:48:03","guid":{"rendered":"https:\/\/www.tsls.co.uk\/?p=6540"},"modified":"2026-05-16T00:09:00","modified_gmt":"2026-05-16T00:09:00","slug":"azure-virtual-wan-whats-actually-supported-a-practical-guide-to-routing-intent-azure-firewall-and-nva-integration","status":"publish","type":"post","link":"https:\/\/www.tsls.co.uk\/index.php\/2026\/05\/15\/azure-virtual-wan-whats-actually-supported-a-practical-guide-to-routing-intent-azure-firewall-and-nva-integration\/","title":{"rendered":"Azure Virtual WAN: What’s Actually Supported \u2014 A Practical Guide to Routing Intent, Azure Firewall, and NVA Integration"},"content":{"rendered":"\n
\n\n\n\n

Introduction<\/h2>\n\n\n\n

If you’ve ever tried to configure Azure Firewall or third-party Network Virtual Appliance (NVA) like Palo Alto VM-Series in an Azure Virtual WAN (vWAN) topology, you’ll know the documentation can be confusing, contradictory, and spread across dozens of pages and videos with snips of information. After weeks of hands-on lab testing and production deployments, I’ve compiled this guide to give you the definitive answer to one question:<\/p>\n\n\n\n

What routing and security combinations actually work in Azure vWAN \u2014 and which ones don’t?<\/strong><\/p>\n\n\n\n

This post covers six common design scenarios, explains exactly why each one does or doesn’t work, and finishes with a master comparison table so you can make an informed architectural decision.<\/p>\n\n\n\n

\n\n\n\n

Key Concepts You Need to Understand First<\/h2>\n\n\n\n

Before diving into the scenarios, let’s establish some fundamentals.<\/p>\n\n\n\n

What Is Routing Intent?<\/h3>\n\n\n\n

Routing Intent is a declarative feature in Azure vWAN that allows you to configure Internet Traffic<\/strong> and Private Traffic<\/strong> routing policies on a virtual hub. When enabled, it automatically:<\/p>\n\n\n\n

    \n
  • Takes over management of the defaultRouteTable<\/code> and all connection associations\/propagations<\/li>\n\n\n\n
  • Injects RFC1918 aggregate routes (10.0.0.0\/8, 172.16.0.0\/12, 192.168.0.0\/16) for private traffic<\/li>\n\n\n\n
  • Injects a 0.0.0.0\/0 default route for internet traffic<\/li>\n\n\n\n
  • Forces all connections to associate with and propagate to the defaultRouteTable<\/code><\/li>\n<\/ul>\n\n\n\n

    You lose the ability to use custom route tables or manually control association\/propagation. The platform manages everything.<\/p>\n\n\n\n

    What Is a Secured Virtual Hub?<\/h3>\n\n\n\n

    A secured virtual hub is a vWAN hub with a security solution deployed inside<\/strong> it. Valid security solutions are:<\/p>\n\n\n\n

      \n
    • Azure Firewall<\/strong> (deployed in the hub)<\/li>\n\n\n\n
    • Integrated NVA partner<\/strong> (e.g., Fortinet, Barracuda \u2014 deployed in the hub via Firewall Manager)<\/li>\n\n\n\n
    • Palo Alto Cloud NGFW<\/strong> (SaaS resource deployed in the hub)<\/li>\n<\/ul>\n\n\n\n

      A Palo Alto VM-Series deployed as IaaS in a spoke VNet<\/strong> is NOT<\/strong> a hub-integrated security solution and cannot<\/strong> be used as a Routing Intent next hop.<\/p>\n\n\n\n

      Direct Spokes vs Indirect Spokes<\/h3>\n\n\n\n
        \n
      • Direct spoke<\/strong>: A VNet connected directly to the vHub via a hub virtual network connection<\/li>\n\n\n\n
      • Indirect spoke<\/strong>: A VNet peered to another spoke (typically an NVA transit VNet) that is connected to the vHub. The indirect spoke has no direct connection to the hub.<\/li>\n<\/ul>\n\n\n\n

        The Golden Rule of vWAN Static Routes<\/h3>\n\n\n\n

        There are two mutually exclusive ways to steer traffic to Azure Firewall in a vHub:<\/p>\n\n\n\n

          \n
        1. Routing Intent<\/strong> (declarative, platform-managed)<\/li>\n\n\n\n
        2. Static routes in hub route tables<\/strong> (manual, operator-managed)<\/li>\n<\/ol>\n\n\n\n

          You cannot mix these two approaches.<\/strong> Enabling Routing Intent on a hub that has manually configured static routes will cause conflicts, and the platform will not reconcile them automatically.<\/p>\n\n\n\n

          \n\n\n\n

          Scenario 1: Full Routing Intent (Both Policies)<\/h2>\n\n\n\n

          The Design<\/h3>\n\n\n\n

          Azure Firewall deployed in a secured vHub with Routing Intent enabled for both<\/strong> Internet and Private traffic. All spokes connected directly to the hub. No third-party NVA.<\/p>\n\n\n\n

                    Spoke 4              Spoke 5\n        (direct conn)        (direct conn)\n              \\                  \/\n               \\                \/\n         \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n         \u2502   Secured vHub           \u2502\n         \u2502   Azure Firewall         \u2502\n         \u2502   Routing Intent:        \u2502\n         \u2502   Internet \u2192 AzFW        \u2502\n         \u2502   Private  \u2192 AzFW        \u2502\n         \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n                    \u2502\n               ExpressRoute \/ VPN\n                    \u2502\n                On-Premises\n<\/code><\/pre>\n\n\n\n
          Traffic Flows<\/h3>\n\n\n\n
          Source \u2192 Destination<\/th>Path<\/th>Inspected?<\/th><\/tr><\/thead>
          Spoke \u2194 Spoke<\/td>Via Azure Firewall<\/td>\u2705 Azure Firewall<\/td><\/tr>
          Spoke \u2194 Branch<\/td>Via Azure Firewall<\/td>\u2705 Azure Firewall<\/td><\/tr>
          Spoke \u2192 Internet<\/td>Via Azure Firewall<\/td>\u2705 Azure Firewall<\/td><\/tr>
          Branch \u2192 Internet<\/td>Via Azure Firewall<\/td>\u2705 Azure Firewall<\/td><\/tr>
          Inter-hub (if multi-hub)<\/td>Via Azure Firewall (both hubs)<\/td>\u2705 Azure Firewall<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
          Configuration<\/h3>\n\n\n\n
          Routing Intent:<\/strong><\/p>\n\n\n\n
          Policy<\/th>Destination<\/th>Next Hop<\/th><\/tr><\/thead>
          InternetTraffic<\/td>Internet<\/td>Azure Firewall<\/td><\/tr>
          PrivateTraffic<\/td>PrivateTraffic<\/td>Azure Firewall<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
          VNet Connections (managed by platform):<\/strong><\/p>\n\n\n\n
          Setting<\/th>Value<\/th><\/tr><\/thead>
          Associated route table<\/td>defaultRouteTable<\/code> (auto)<\/td><\/tr>
          Propagated route tables<\/td>defaultRouteTable<\/code> + noneRouteTable<\/code> (auto)<\/td><\/tr>
          enableInternetSecurity<\/code><\/td>true<\/code> (auto)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
          Prerequisites<\/h3>\n\n\n\n
            \n
          • Only defaultRouteTable<\/code> and noneRouteTable<\/code> can exist \u2014 delete all custom route tables<\/li>\n\n\n\n
          • No static routes with next hop type = VNet connection<\/li>\n\n\n\n
          • Azure Firewall must be deployed in<\/strong> the hub (not in a spoke VNet)<\/li>\n\n\n\n
          • If non-RFC1918 private address space is used, add it as “Private Traffic Prefixes”<\/li>\n<\/ul>\n\n\n\n
            Critical Lesson Learnt<\/h3>\n\n\n\n
            If the hub previously had static routes, custom next hops, or custom route tables before<\/strong> Routing Intent was enabled, simply deleting those routes while intent is active is not sufficient<\/strong>. The correct procedure is:<\/p>\n\n\n\n
              \n
            1. Fully remove<\/strong> Routing Intent<\/li>\n\n\n\n
            2. Delete<\/strong> all static routes, custom next hops, and custom route tables<\/li>\n\n\n\n
            3. Verify<\/strong> only defaultRouteTable<\/code> and noneRouteTable<\/code> remain<\/li>\n\n\n\n
            4. Re-enable<\/strong> Routing Intent<\/li>\n<\/ol>\n\n\n\n
              This forces the platform to rebuild the routing state from scratch.<\/p>\n\n\n\n
              Verdict: \u2705 Fully Supported<\/h3>\n\n\n\n
              \n\n\n\n
              Scenario 2: PA Cloud NGFW (Internet) + Azure Firewall (Private) with Routing Intent<\/h2>\n\n\n\n
              The Design<\/h3>\n\n\n\n
              Split the security duties using Routing Intent with two different in-hub security solutions<\/strong>: Palo Alto Cloud NGFW (a SaaS offering deployed inside the vHub) for internet traffic, and Azure Firewall for private\/east-west traffic.<\/p>\n\n\n\n
                        Spoke 4              Spoke 5\n        (direct conn)        (direct conn)\n              \\                  \/\n               \\                \/\n         \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n         \u2502   Secured vHub           \u2502\n         \u2502                          \u2502\n         \u2502   Azure Firewall         \u2502\n         \u2502   (private traffic)      \u2502\n         \u2502                          \u2502\n         \u2502   PA Cloud NGFW (SaaS)   \u2502\n         \u2502   (internet traffic)     \u2502\n         \u2502                          \u2502\n         \u2502   Routing Intent:        \u2502\n         \u2502   Internet \u2192 PA NGFW     \u2502\n         \u2502   Private  \u2192 AzFW        \u2502\n         \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n<\/code><\/pre>\n\n\n\n
              Traffic Flows<\/h3>\n\n\n\n
              Source \u2192 Destination<\/th>Path<\/th>Inspected by<\/th><\/tr><\/thead>
              Spoke \u2194 Spoke<\/td>Via Azure Firewall<\/td>\u2705 Azure Firewall<\/td><\/tr>
              Spoke \u2194 Branch<\/td>Via Azure Firewall<\/td>\u2705 Azure Firewall<\/td><\/tr>
              Spoke \u2192 Internet<\/td>Via PA Cloud NGFW<\/td>\u2705 Palo Alto<\/td><\/tr>
              Branch \u2192 Internet<\/td>Via PA Cloud NGFW<\/td>\u2705 Palo Alto<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
              Why This Works<\/h3>\n\n\n\n
              PA Cloud NGFW is a SaaS resource deployed inside the vHub<\/strong> \u2014 it’s a first-class Routing Intent next hop, just like Azure Firewall. You can point each routing policy at a different in-hub resource.<\/p>\n\n\n\n
              Trade-offs<\/h3>\n\n\n\n
                \n
              • \u2705 Cleanest split architecture \u2014 fully declarative, single-hop<\/li>\n\n\n\n
              • \u2705 Fully supported by Microsoft and Palo Alto<\/li>\n\n\n\n
              • \u2705 PA Cloud NGFW integrates with Panorama \/ Strata Cloud Manager<\/li>\n\n\n\n
              • \u274c Requires PA Cloud NGFW licensing (consumption-based SaaS) \u2014 not<\/strong> existing VM-Series licensing<\/li>\n\n\n\n
              • \u274c Feature set differ from VM-Series<\/li>\n<\/ul>\n\n\n\n
                Verdict: \u2705 Fully Supported<\/h3>\n\n\n\n
                \n\n\n\n
                Scenario 3: Routing Intent with Private-Only Policy + PA VM-Series (Spoke) for Internet<\/h2>\n\n\n\n
                The Design<\/h3>\n\n\n\n
                Enable Routing Intent for only Private Traffic<\/strong> (pointing at Azure Firewall), then use a static route on the PA transit VNet connection to steer internet traffic (0.0.0.0\/0) to the Palo Alto VM-Series in a spoke VNet.<\/p>\n\n\n\n
                          Spoke 4              Spoke 5       PA Transit VNet\n        (direct conn)        (direct conn)   (direct conn +\n              \\                  \/            static 0\/0 \u2192 PA)\n               \\                \/                 \u2502\n         \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510             \u2502\n         \u2502   Secured vHub           \u2502\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n         \u2502   Azure Firewall         \u2502\n         \u2502   Routing Intent:        \u2502\n         \u2502   Private  \u2192 AzFW        \u2502\n         \u2502   Internet \u2192 ???         \u2502\n         \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n<\/code><\/pre>\n\n\n\n
                Why This DOESN’T Work<\/h3>\n\n\n\n
                When Routing Intent is enabled \u2014 even with only the Private Traffic policy \u2014 the platform takes over management of the defaultRouteTable<\/code><\/strong> and all connection associations\/propagations. You cannot layer a static route (0.0.0.0\/0 \u2192 PA ILB) on a VNet connection on top of an active Routing Intent configuration.<\/p>\n\n\n\n
                The static route pattern documented by Microsoft for Routing Intent is specifically for reaching indirect spokes behind an NVA<\/strong> \u2014 not for routing internet traffic to an NVA in a spoke bypassing the hub security solution.<\/p>\n\n\n\n
                Routing Intent next hops must be a resource deployed in or integrated with the vHub<\/strong>:<\/p>\n\n\n\n
                Valid Next Hop<\/th>Type<\/th><\/tr><\/thead>
                \u2705 Azure Firewall<\/td>Deployed in hub<\/td><\/tr>
                \u2705 Integrated NVA partner<\/td>Deployed in hub<\/td><\/tr>
                \u2705 PA Cloud NGFW<\/td>SaaS in hub<\/td><\/tr>
                \u274c PA VM-Series in a spoke VNet<\/td>Not valid<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                Verdict: \u274c Not Supported \u2014 Tested and Confirmed<\/h3>\n\n\n\n
                \n\n\n\n
                Scenario 4: Service Chaining Azure Firewall (Hub) \u2192 PA VM-Series (Spoke) for Internet<\/h2>\n\n\n\n
                The Design<\/h3>\n\n\n\n
                Use Routing Intent for both policies pointing at Azure Firewall, then have Azure Firewall “forward” internet-bound traffic to the PA VM-Series in a spoke VNet for deep inspection before egress.<\/p>\n\n\n\n
                          Spoke 4\n        (direct conn)\n              \u2502\n              \u25bc\n         Azure Firewall (hub)\n              \u2502\n              \u25bc  \u2190 \"forward internet to PA\"\n         PA Transit VNet (spoke)\n              \u2502\n              \u25bc\n           Internet\n<\/code><\/pre>\n\n\n\n
                Why This DOESN’T Work<\/h3>\n\n\n\n
                There is no mechanism<\/strong> to get traffic from Azure Firewall inside the hub to an NVA in a spoke:<\/p>\n\n\n\n
                What you’d need<\/th>Why it’s impossible<\/th><\/tr><\/thead>
                UDR on Azure Firewall’s subnet<\/td>It’s managed infrastructure \u2014 no subnet access<\/td><\/tr>
                VNet peering into the firewall<\/td>Hub infrastructure isn’t peerable<\/td><\/tr>
                Azure FW “forward to next hop” rule<\/td>Azure FW rules allow\/deny\/DNAT \u2014 no “forward to NVA” action<\/td><\/tr>
                BGP from PA in spoke to vHub router<\/td>PA VM-Series IaaS can’t BGP peer with the vHub router<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                Azure Firewall in a vHub is a walled garden<\/strong>. There is no data-plane path from Azure Firewall to say “after inspection, send this to the PA ILB in a spoke VNet.”<\/p>\n\n\n\n
                Microsoft does document a “Forced Tunnel” mode, but the valid sources of a 0.0.0.0\/0 for forced tunnel are limited to: on-premises (via BGP), an NVA deployed in<\/strong> the hub, or a SaaS solution in the hub \u2014 not an NVA in a spoke VNet.<\/p>\n\n\n\n
                Verdict: \u274c Not Supported \u2014 No Mechanism Exists<\/h3>\n\n\n\n
                \n\n\n\n
                Scenario 5: Static Routes Only \u2014 PA VM-Series (Internet), east\\west not supported<\/h2>\n\n\n\n
                The Design<\/h3>\n\n\n\n
                Manually configure static routes in the defaultRouteTable<\/code> to steer 0.0.0.0\/0 to the PA VM-Series<\/strong> transit VNet connection for internet access. RFC1918 traffic to PA VM-Series NOT supported<\/p>\n\n\n\n
                                    \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n                    \u2502  vHub (Secured - NO Routing   \u2502\n                    \u2502  Intent enabled)              \u2502\n                    \u2502  Azure Firewall deployed      \u2502\n                    \u2502                               \u2502\n                    \u2502  defaultRouteTable:           \u2502\n                    \u2502  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510 \u2502\n                    \u2502  \u2502 10.0.0.0\/8    \u2192 NA       \u2502 \u2502\n                    \u2502  \u2502 172.16.0.0\/12 \u2192 NA       \u2502 \u2502\n                    \u2502  \u2502 192.168.0.0\/16\u2192 NA       \u2502 \u2502\n                    \u2502  \u2502 0.0.0.0\/0     \u2192 PA conn  \u2502 \u2502\n                    \u2502  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518 \u2502\n                    \u2514\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n                       \u2502        \u2502        \u2502\n                  Spoke 4   Spoke 5   PA Transit VNet\n<\/code><\/pre>\n\n\n\n
                Traffic Flows<\/h3>\n\n\n\n
                Source \u2192 Destination<\/th>Path<\/th>Inspected by<\/th><\/tr><\/thead>
                Spoke \u2194 Spoke<\/td>Via Azure Firewall<\/td>\u2705 Palo Alto<\/td><\/tr>
                Spoke \u2194 Branch<\/td>Via Azure Firewall<\/td>\u2705 Palo Alto<\/td><\/tr>
                Spoke \u2192 Internet<\/td>Via PA transit VNet \u2192 PA<\/td>\u2705 Palo Alto<\/td><\/tr>
                Branch \u2192 Internet<\/td>Via PA transit VNet \u2192 PA<\/td>\u2705 Palo Alto<\/td><\/tr>
                Inter-hub<\/td>\u274c Not inspected<\/strong><\/td>Direct via vWAN backbone<\/td><\/tr>
                Branch \u2194 Branch<\/td>\u274c Not inspected<\/strong><\/td>Direct via vHub<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                Configuration<\/h3>\n\n\n\n
                defaultRouteTable<\/code> Static Routes:<\/strong><\/p>\n\n\n\n
                Route Name<\/th>Destination Prefix<\/th>Next Hop Type<\/th>Next Hop<\/th><\/tr><\/thead>
                private_traffic<\/code><\/td>10.0.0.0\/8, 172.16.0.0\/12, 192.168.0.0\/16<\/code><\/td>Azure Firewall<\/td>Azure Firewall resource ID<\/td><\/tr>
                internet_traffic<\/code><\/td>0.0.0.0\/0<\/code><\/td>Virtual Network Connection<\/td>PA transit VNet connection<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                Spoke VNet Connections (Spoke 4, Spoke 5, etc.):<\/strong><\/p>\n\n\n\n
                Setting<\/th>Value<\/th><\/tr><\/thead>
                Associated route table<\/td>defaultRouteTable<\/code><\/td><\/tr>
                Propagated route tables<\/td>noneRouteTable<\/code><\/td><\/tr>
                Propagated labels<\/td>none<\/code><\/td><\/tr>
                Static routes<\/td>None<\/td><\/tr>
                enableInternetSecurity<\/code><\/td>true<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                \n
                Critical<\/strong>: Spokes must propagate to noneRouteTable<\/code>, not defaultRouteTable<\/code>. If spokes propagated their specific prefixes (e.g., 10.20.20.0\/24), these would be more specific than the RFC1918 aggregates (10.0.0.0\/8) and traffic would bypass Azure Firewall via longest-prefix match.<\/p>\n<\/blockquote>\n\n\n\n
                PA Transit VNet Connection:<\/strong><\/p>\n\n\n\n
                Setting<\/th>Value<\/th><\/tr><\/thead>
                Associated route table<\/td>defaultRouteTable<\/code><\/td><\/tr>
                Propagated route tables<\/td>noneRouteTable<\/code><\/td><\/tr>
                Static route<\/td>0.0.0.0\/0<\/code> \u2192 PA ILB VIP<\/td><\/tr>
                enableInternetSecurity<\/code><\/td>false<\/code><\/strong> \u26a0\ufe0f<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                \n
                Critical<\/strong>: If enableInternetSecurity<\/code> is true<\/code> on the PA connection, the 0.0.0.0\/0 route gets advertised back to the PA VNet, creating a routing loop<\/strong>. The PA must use its own external interface for internet egress.<\/p>\n<\/blockquote>\n\n\n\n
                Limitations<\/h3>\n\n\n\n
                  \n
                • Inter-hub traffic is not inspected<\/strong> \u2014 traffic between hubs bypasses Palo Alto (inter-hub inspection requires Routing Intent)<\/li>\n\n\n\n
                • Branch-to-branch traffic is not inspected<\/strong> \u2014 ExpressRoute \u2194 VPN bypasses not inspected<\/li>\n\n\n\n
                • Cannot enable Routing Intent<\/strong> \u2014 the two approaches are mutually exclusive<\/li>\n\n\n\n
                • Manual route management<\/strong> \u2014 static routes must be maintained across all hubs<\/li>\n<\/ul>\n\n\n\n
                  Verdict: \u2705 Fully Supported for Internet Access only<\/h3>\n\n\n\n
                  \n\n\n\n
                  Scenario 6: Transit NVA vNet – PA VM-Series for Everything \u2014 Indirect Spoke Pattern (No Azure Firewall)<\/h2>\n\n\n\n
                  The Design<\/h3>\n\n\n\n
                  No Azure Firewall, no Routing Intent. Standard vHub with all spokes peered to a regional PA transit VNet. The PA handles all inspection \u2014 internet and east-west. UDRs on every spoke subnet point 0.0.0.0\/0 at the PA internal load balancer VIP.<\/p>\n\n\n\n
                       Spoke 4              Spoke 5\n   (VNet peer)          (VNet peer)\n        \\                  \/\n         \\                \/\n      PA Transit VNet (NVA)\n      (PA VM-Series Active\/Active\n       behind Standard ILB)\n              \u2502\n         Hub VNet Connection\n         (static routes for spoke\n          prefixes \u2192 PA ILB VIP)\n              \u2502\n         \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n         \u2502  vHub (Standard)     \u2502\n         \u2502  No Azure Firewall   \u2502\n         \u2502  No Routing Intent   \u2502\n         \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n                  \u2502\n             ExpressRoute \/ VPN\n                  \u2502\n              On-Premises\n<\/code><\/pre>\n\n\n\n
                  Traffic Flows<\/h3>\n\n\n\n
                  Source \u2192 Destination<\/th>Path<\/th>Inspected by<\/th><\/tr><\/thead>
                  Spoke \u2194 Spoke<\/td>Via PA (UDR \u2192 PA ILB)<\/td>\u2705 Palo Alto<\/td><\/tr>
                  Spoke \u2194 Branch<\/td>Via PA \u2192 vHub \u2192 Branch<\/td>\u2705 Palo Alto<\/td><\/tr>
                  Spoke \u2192 Internet<\/td>Via PA (SNAT) \u2192 Internet<\/td>\u2705 Palo Alto<\/td><\/tr>
                  Branch \u2192 Spoke<\/td>Via vHub \u2192 PA transit \u2192 PA \u2192 Spoke<\/td>\u2705 Palo Alto<\/td><\/tr>
                  Inter-hub (remote spokes)<\/td>Via vHub \u2192 remote hub \u2192 PA \u2192 Spoke<\/td>\u2705 Palo Alto (at source)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                  Configuration<\/h3>\n\n\n\n
                  Spoke Subnets \u2014 UDR:<\/strong><\/p>\n\n\n\n
                  Route<\/th>Next Hop<\/th>Gateway Route Propagation<\/th><\/tr><\/thead>
                  0.0.0.0\/0<\/code><\/td>PA internal LB VIP<\/td>Disabled<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                  \n
                  UDRs must be applied to every<\/strong> subnet in every spoke VNet.<\/p>\n<\/blockquote>\n\n\n\n
                  PA Transit VNet Connection to vHub:<\/strong><\/p>\n\n\n\n
                  Setting<\/th>Value<\/th><\/tr><\/thead>
                  Associated route table<\/td>defaultRouteTable<\/code><\/td><\/tr>
                  Propagated route tables<\/td>defaultRouteTable<\/code> (label: default<\/code>)<\/td><\/tr>
                  Static route<\/td>Spoke summary prefix \u2192 PA ILB VIP<\/td><\/tr>
                  enableInternetSecurity<\/code><\/td>false<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                  defaultRouteTable<\/code>:<\/strong><\/p>\n\n\n\n
                  Route<\/th>Destination<\/th>Next Hop<\/th><\/tr><\/thead>
                  Regional spoke summary<\/td>e.g., 10.20.0.0\/16<\/code><\/td>PA transit VNet connection<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                  Advantages<\/h3>\n\n\n\n
                    \n
                  • \u2705 Single inspection point \u2014 PA handles everything<\/li>\n\n\n\n
                  • \u2705 Uses existing PA VM-Series licensing and Panorama<\/li>\n\n\n\n
                  • \u2705 No Azure Firewall cost<\/li>\n\n\n\n
                  • \u2705 Full PA feature set (App-ID, Threat Prevention, URL Filtering, SSL Decryption, WildFire)<\/li>\n\n\n\n
                  • \u2705 Proven pattern for enterprises with existing Palo Alto investment<\/li>\n<\/ul>\n\n\n\n
                    Limitations<\/h3>\n\n\n\n
                      \n
                    • \u274c More complex operational management (UDRs on every subnet, static routes per spoke)<\/li>\n\n\n\n
                    • \u274c No Routing Intent simplicity<\/li>\n\n\n\n
                    • \u274c Spoke onboarding requires UDR creation and VNet peering<\/li>\n\n\n\n
                    • \u274c PA becomes a single point of inspection (capacity planning critical)<\/li>\n<\/ul>\n\n\n\n
                      Verdict: \u2705 Fully Supported \u2014 Production Proven<\/h3>\n\n\n\n
                      \n\n\n\n
                      Master Comparison Table<\/h2>\n\n\n\n
                      <\/th>Scenario 1<\/th>Scenario 2<\/th>Scenario 3<\/th>Scenario 4<\/th>Scenario 5<\/th>Scenario 6<\/th><\/tr><\/thead>
                      Name<\/strong><\/td>Full Routing Intent<\/td>Cloud NGFW + AzFW Routing Intent<\/td>Private Intent + PA Spoke<\/td>Service Chain AzFW \u2192 PA<\/td>Static Routes<\/td>Transit NVA Network<\/td><\/tr>
                      Supported?<\/strong><\/td>\u2705 Yes<\/td>\u2705 Yes<\/td>\u274c No<\/td>\u274c No<\/td>\u2705 Yes<\/td>\u2705 Yes<\/td><\/tr>
                      Routing Intent<\/strong><\/td>Both policies<\/td>Both policies<\/td>Partial<\/td>Both policies<\/td>None<\/td>None<\/td><\/tr>
                      Internet inspection<\/strong><\/td>Azure Firewall<\/td>PA Cloud NGFW<\/td>\u2014<\/td>\u2014<\/td>Palo Alto VM-Series<\/td>Palo Alto VM-Series<\/td><\/tr>
                      East-west inspection<\/strong><\/td>Azure Firewall<\/td>Azure Firewall<\/td>\u2014<\/td>\u2014<\/td>\u274c No, Direct vHub<\/td>Palo Alto VM-Series<\/td><\/tr>
                      Inter-hub inspection<\/strong><\/td>\u2705 Yes<\/td>\u2705 Yes<\/td>\u2014<\/td>\u2014<\/td>\u274c No<\/td>\u2705 Via PA at source<\/td><\/tr>
                      Branch-to-branch inspection<\/strong><\/td>\u2705 Yes<\/td>\u2705 Yes<\/td>\u2014<\/td>\u2014<\/td>\u274c No<\/td>\u2705 Via PA<\/td><\/tr>
                      Uses PA VM-Series IaaS<\/strong><\/td>\u274c<\/td>\u274c<\/td>\u2014<\/td>\u2014<\/td>\u2705<\/td>\u2705<\/td><\/tr>
                      Uses PA Cloud NGFW<\/strong><\/td>\u274c<\/td>\u2705<\/td>\u2014<\/td>\u2014<\/td>\u274c<\/td>\u274c<\/td><\/tr>
                      Uses Azure Firewall<\/strong><\/td>\u2705<\/td>\u2705<\/td>\u2014<\/td>\u2014<\/td>yes, instead of Palo Alto<\/td>\u274c<\/td><\/tr>
                      Custom route tables<\/strong><\/td>\u274c Not allowed<\/td>\u274c Not allowed<\/td>\u2014<\/td>\u2014<\/td>\u2705 Supported<\/td>\u2705 Supported<\/td><\/tr>
                      UDRs on spoke subnets<\/strong><\/td>Not required<\/td>Not required<\/td>\u2014<\/td>\u2014<\/td>Not required<\/td>Required (every subnet)<\/td><\/tr>
                      Operational complexity<\/strong><\/td>Low<\/td>Low<\/td>\u2014<\/td>\u2014<\/td>Medium<\/td>Medium-High<\/td><\/tr>
                      Routing management<\/strong><\/td>Platform-managed<\/td>Platform-managed<\/td>\u2014<\/td>\u2014<\/td>Manual static routes or BGP<\/td>Manual UDRs + static routes or BGP<\/td><\/tr>
                      Spoke onboarding effort<\/strong><\/td>Low (connect to hub)<\/td>Low (connect to hub)<\/td>\u2014<\/td>\u2014<\/td>Low (connect to hub)<\/td>High (peer + UDR per subnet)<\/td><\/tr>
                      Azure Firewall cost<\/strong><\/td>\u2705 Yes<\/td>\u2705 Yes<\/td>\u2014<\/td>\u2014<\/td>\u274c None<\/td>\u274c None<\/td><\/tr>
                      PA licensing model<\/strong><\/td>N\/A<\/td>Cloud NGFW SaaS<\/td>\u2014<\/td>\u2014<\/td>VM-Series IaaS<\/td>VM-Series IaaS<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                      \n\n\n\n
                      Decision Flowchart<\/h2>\n\n\n\n
                      Do you need a third-party NVA (e.g., Palo Alto) for ANY traffic?\n\u2502\n\u251c\u2500 NO \u2192 Scenario 1 (Azure Firewall + Full Routing Intent)\n\u2502\n\u2514\u2500 YES \u2192 Is it PA Cloud NGFW (SaaS) or PA VM-Series (IaaS)?\n         \u2502\n         \u251c\u2500 Cloud NGFW \u2192 Scenario 2 (Cloud NGFW Internet + AzFW Private)\n         \u2502\n         \u2514\u2500 VM-Series IaaS \u2192 Do you need Azure Firewall for east-west?\n                              \u2502\n                              \u251c\u2500 YES \u2192 Scenario 5 (Static Routes Split)\n                              \u2502        \u26a0\ufe0f No inter-hub or branch-to-branch inspection, traffic is direct via vWAN\\vHubs\n                              \u2502\n                              \u2514\u2500 NO \u2192 Scenario 6 (Transit NVA vNet)\n                                       \u2705 Full inspection coverage\n<\/code><\/pre>\n\n\n\n
                      \n\n\n\n
                      Conclusion<\/h2>\n\n\n\n
                      The Azure vWAN routing landscape is powerful but opinionated. The platform gives you clean, declarative routing through Routing Intent \u2014 but only if your security solutions are deployed inside<\/strong> the hub. The moment you introduce an IaaS NVA in a spoke VNet, you’re working outside the Routing Intent model and must use manual static routes and UDRs.<\/p>\n\n\n\n
                      The two approaches \u2014 Routing Intent and static routes \u2014 are mutually exclusive<\/strong>. Understanding this single constraint will save you hours of troubleshooting.<\/p>\n\n\n\n
                      Key takeaways:<\/strong><\/p>\n\n\n\n
                        \n
                      1. Routing Intent next hops must be in-hub resources<\/strong> \u2014 Azure Firewall, integrated NVA, or Cloud NGFW SaaS<\/li>\n\n\n\n
                      2. PA VM-Series IaaS in a spoke is NOT a valid Routing Intent next hop<\/strong> \u2014 no matter how you configure it<\/li>\n\n\n\n
                      3. You cannot service-chain from Azure Firewall in a hub to an NVA in a spoke<\/strong> \u2014 there’s no mechanism<\/li>\n\n\n\n
                      4. You CAN split Azure Firewall (east-west) and PA VM-Series (internet) using static routes<\/strong> \u2014 but you must NOT enable Routing Intent<\/li>\n\n\n\n
                      5. If the hub had pre-existing static routes before Routing Intent was enabled<\/strong>, you must fully remove intent, clean up all routes, and re-enable \u2014 the platform doesn’t auto-reconcile<\/li>\n<\/ol>\n\n\n\n
                        Choose the scenario that matches your security requirements, licensing investment, and operational maturity. There’s no single “right” answer \u2014 but there are several combinations that simply don’t work, and now you know which ones they are.<\/p>\n\n\n\n
                        \n\n\n\n
                        Tested and validated in lab and production environments, May 2026. Based on Microsoft Learn documentation and hands-on deployment experience.<\/em><\/p>\n\n\n\n
                        \n\n\n\n
                        That’s the full blog post ready to copy. Want me to also generate a featured image \/ header graphic for it, or export it as a Word document?<\/p>\n","protected":false},"excerpt":{"rendered":"
                        If you’ve ever tried to combine Azure Firewall with Palo Alto VM-Series in an Azure Virtual WAN topology and wondered why nothing works the way you’d expect \u2014 you’re not alone. After weeks of hands-on lab testing and production troubleshooting, I’ve documented exactly what’s supported and what isn’t. This post covers six real-world routing scenarios, including Routing Intent, static route splits, service chaining, and indirect spoke patterns \u2014 with a master comparison table so you can stop guessing and start building.<\/p>\n","protected":false},"author":11,"featured_media":6541,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_newsletter_tier_id":0,"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[2785],"tags":[],"class_list":["post-6540","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure"],"jetpack_publicize_connections":[],"yoast_head":"\r\nAzure Virtual WAN: What's Actually Supported \u2014 A Practical Guide to Routing Intent, Azure Firewall, and NVA Integration - TSLS - Luke Smith<\/title>\r\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\r\n<link rel=\"canonical\" href=\"https:\/\/www.tsls.co.uk\/index.php\/2026\/05\/15\/azure-virtual-wan-whats-actually-supported-a-practical-guide-to-routing-intent-azure-firewall-and-nva-integration\/\" \/>\r\n<meta property=\"og:locale\" content=\"en_GB\" \/>\r\n<meta property=\"og:type\" content=\"article\" \/>\r\n<meta property=\"og:title\" content=\"Azure Virtual WAN: What's Actually Supported \u2014 A Practical Guide to Routing Intent, Azure Firewall, and NVA Integration - TSLS - Luke Smith\" \/>\r\n<meta property=\"og:description\" content=\"If you've ever tried to combine Azure Firewall with Palo Alto VM-Series in an Azure Virtual WAN topology and wondered why nothing works the way you'd expect \u2014 you're not alone. After weeks of hands-on lab testing and production troubleshooting, I've documented exactly what's supported and what isn't. This post covers six real-world routing scenarios, including Routing Intent, static route splits, service chaining, and indirect spoke patterns \u2014 with a master comparison table so you can stop guessing and start building.\" \/>\r\n<meta property=\"og:url\" content=\"https:\/\/www.tsls.co.uk\/index.php\/2026\/05\/15\/azure-virtual-wan-whats-actually-supported-a-practical-guide-to-routing-intent-azure-firewall-and-nva-integration\/\" \/>\r\n<meta property=\"og:site_name\" content=\"TSLS - Luke Smith\" \/>\r\n<meta property=\"article:published_time\" content=\"2026-05-15T23:48:03+00:00\" \/>\r\n<meta property=\"article:modified_time\" content=\"2026-05-16T00:09:00+00:00\" \/>\r\n<meta property=\"og:image\" content=\"http:\/\/www.tsls.co.uk\/wp-content\/uploads\/2026\/05\/AzurevWANRouting-1024x683.png\" \/>\r\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\r\n\t<meta property=\"og:image:height\" content=\"683\" \/>\r\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\r\n<meta name=\"author\" content=\"Luke Smith\" \/>\r\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Luke Smith\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\r\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.tsls.co.uk\/index.php\/2026\/05\/15\/azure-virtual-wan-whats-actually-supported-a-practical-guide-to-routing-intent-azure-firewall-and-nva-integration\/\",\"url\":\"https:\/\/www.tsls.co.uk\/index.php\/2026\/05\/15\/azure-virtual-wan-whats-actually-supported-a-practical-guide-to-routing-intent-azure-firewall-and-nva-integration\/\",\"name\":\"Azure Virtual WAN: What's Actually Supported \u2014 A Practical Guide to Routing Intent, Azure Firewall, and NVA Integration - TSLS - Luke Smith\",\"isPartOf\":{\"@id\":\"https:\/\/www.tsls.co.uk\/#website\"},\"datePublished\":\"2026-05-15T23:48:03+00:00\",\"dateModified\":\"2026-05-16T00:09:00+00:00\",\"author\":{\"@id\":\"https:\/\/www.tsls.co.uk\/#\/schema\/person\/e4d7dac4fe1b3f8df31f3857bb3ebda7\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.tsls.co.uk\/index.php\/2026\/05\/15\/azure-virtual-wan-whats-actually-supported-a-practical-guide-to-routing-intent-azure-firewall-and-nva-integration\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.tsls.co.uk\/index.php\/2026\/05\/15\/azure-virtual-wan-whats-actually-supported-a-practical-guide-to-routing-intent-azure-firewall-and-nva-integration\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.tsls.co.uk\/index.php\/2026\/05\/15\/azure-virtual-wan-whats-actually-supported-a-practical-guide-to-routing-intent-azure-firewall-and-nva-integration\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.tsls.co.uk\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Azure Virtual WAN: What’s Actually Supported \u2014 A Practical Guide to Routing Intent, Azure Firewall, and NVA Integration\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.tsls.co.uk\/#website\",\"url\":\"https:\/\/www.tsls.co.uk\/\",\"name\":\"TSLS - Luke Smith\",\"description\":\"- Knowledge - Thoughts - Microsoft -\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.tsls.co.uk\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.tsls.co.uk\/#\/schema\/person\/e4d7dac4fe1b3f8df31f3857bb3ebda7\",\"name\":\"Luke Smith\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/www.tsls.co.uk\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/29abc50f07a4ebe68cb4f31981884f89b2157d7e4ed63b09631d40c0717faa94?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/29abc50f07a4ebe68cb4f31981884f89b2157d7e4ed63b09631d40c0717faa94?s=96&d=mm&r=g\",\"caption\":\"Luke Smith\"},\"description\":\"I\u2019ve been working with Microsoft Technologies for over 20 years, my main focus now being Microsoft Online Services. I manage the Cloud Services at ElysianIT Limited and as a P-SELLER at Microsoft. I have worked with many organisations from SMC to Enterprise. I\u2019ve been working with Microsoft Technologies since DOS 5.0, to date I have been working on Microsoft\u2019s latest cloud technology Windows Azure, Windows 10 Office 365 and Microsoft SharePoint\",\"sameAs\":[\"http:\/\/www.tsls.co.uk\"],\"url\":\"https:\/\/www.tsls.co.uk\/index.php\/author\/luke\/\"}]}<\/script>\r\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Azure Virtual WAN: What's Actually Supported \u2014 A Practical Guide to Routing Intent, Azure Firewall, and NVA Integration - TSLS - Luke Smith","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.tsls.co.uk\/index.php\/2026\/05\/15\/azure-virtual-wan-whats-actually-supported-a-practical-guide-to-routing-intent-azure-firewall-and-nva-integration\/","og_locale":"en_GB","og_type":"article","og_title":"Azure Virtual WAN: What's Actually Supported \u2014 A Practical Guide to Routing Intent, Azure Firewall, and NVA Integration - TSLS - Luke Smith","og_description":"If you've ever tried to combine Azure Firewall with Palo Alto VM-Series in an Azure Virtual WAN topology and wondered why nothing works the way you'd expect \u2014 you're not alone. After weeks of hands-on lab testing and production troubleshooting, I've documented exactly what's supported and what isn't. This post covers six real-world routing scenarios, including Routing Intent, static route splits, service chaining, and indirect spoke patterns \u2014 with a master comparison table so you can stop guessing and start building.","og_url":"https:\/\/www.tsls.co.uk\/index.php\/2026\/05\/15\/azure-virtual-wan-whats-actually-supported-a-practical-guide-to-routing-intent-azure-firewall-and-nva-integration\/","og_site_name":"TSLS - Luke Smith","article_published_time":"2026-05-15T23:48:03+00:00","article_modified_time":"2026-05-16T00:09:00+00:00","og_image":[{"width":1024,"height":683,"url":"http:\/\/www.tsls.co.uk\/wp-content\/uploads\/2026\/05\/AzurevWANRouting-1024x683.png","type":"image\/png"}],"author":"Luke Smith","twitter_misc":{"Written by":"Luke Smith","Estimated reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.tsls.co.uk\/index.php\/2026\/05\/15\/azure-virtual-wan-whats-actually-supported-a-practical-guide-to-routing-intent-azure-firewall-and-nva-integration\/","url":"https:\/\/www.tsls.co.uk\/index.php\/2026\/05\/15\/azure-virtual-wan-whats-actually-supported-a-practical-guide-to-routing-intent-azure-firewall-and-nva-integration\/","name":"Azure Virtual WAN: What's Actually Supported \u2014 A Practical Guide to Routing Intent, Azure Firewall, and NVA Integration - TSLS - Luke Smith","isPartOf":{"@id":"https:\/\/www.tsls.co.uk\/#website"},"datePublished":"2026-05-15T23:48:03+00:00","dateModified":"2026-05-16T00:09:00+00:00","author":{"@id":"https:\/\/www.tsls.co.uk\/#\/schema\/person\/e4d7dac4fe1b3f8df31f3857bb3ebda7"},"breadcrumb":{"@id":"https:\/\/www.tsls.co.uk\/index.php\/2026\/05\/15\/azure-virtual-wan-whats-actually-supported-a-practical-guide-to-routing-intent-azure-firewall-and-nva-integration\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.tsls.co.uk\/index.php\/2026\/05\/15\/azure-virtual-wan-whats-actually-supported-a-practical-guide-to-routing-intent-azure-firewall-and-nva-integration\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.tsls.co.uk\/index.php\/2026\/05\/15\/azure-virtual-wan-whats-actually-supported-a-practical-guide-to-routing-intent-azure-firewall-and-nva-integration\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.tsls.co.uk\/"},{"@type":"ListItem","position":2,"name":"Azure Virtual WAN: What’s Actually Supported \u2014 A Practical Guide to Routing Intent, Azure Firewall, and NVA Integration"}]},{"@type":"WebSite","@id":"https:\/\/www.tsls.co.uk\/#website","url":"https:\/\/www.tsls.co.uk\/","name":"TSLS - Luke Smith","description":"- Knowledge - Thoughts - Microsoft -","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.tsls.co.uk\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-GB"},{"@type":"Person","@id":"https:\/\/www.tsls.co.uk\/#\/schema\/person\/e4d7dac4fe1b3f8df31f3857bb3ebda7","name":"Luke Smith","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.tsls.co.uk\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/29abc50f07a4ebe68cb4f31981884f89b2157d7e4ed63b09631d40c0717faa94?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/29abc50f07a4ebe68cb4f31981884f89b2157d7e4ed63b09631d40c0717faa94?s=96&d=mm&r=g","caption":"Luke Smith"},"description":"I\u2019ve been working with Microsoft Technologies for over 20 years, my main focus now being Microsoft Online Services. I manage the Cloud Services at ElysianIT Limited and as a P-SELLER at Microsoft. I have worked with many organisations from SMC to Enterprise. I\u2019ve been working with Microsoft Technologies since DOS 5.0, to date I have been working on Microsoft\u2019s latest cloud technology Windows Azure, Windows 10 Office 365 and Microsoft SharePoint","sameAs":["http:\/\/www.tsls.co.uk"],"url":"https:\/\/www.tsls.co.uk\/index.php\/author\/luke\/"}]}},"jetpack_featured_media_url":"https:\/\/www.tsls.co.uk\/wp-content\/uploads\/2026\/05\/AzurevWANRouting.png","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2gf1k-1Hu","_links":{"self":[{"href":"https:\/\/www.tsls.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/6540","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tsls.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tsls.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tsls.co.uk\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tsls.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=6540"}],"version-history":[{"count":2,"href":"https:\/\/www.tsls.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/6540\/revisions"}],"predecessor-version":[{"id":6544,"href":"https:\/\/www.tsls.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/6540\/revisions\/6544"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.tsls.co.uk\/index.php\/wp-json\/wp\/v2\/media\/6541"}],"wp:attachment":[{"href":"https:\/\/www.tsls.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=6540"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tsls.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=6540"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tsls.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=6540"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}