Hub-spoke network that uses Azure Virtual WAN.

  • It's a hub-spoke network that's implemented with Azure Virtual WAN.
  • There are two regions, each with a regional Azure Firewall secured virtual hub.
  • Each secured regional virtual hub has the following security settings for Azure Virtual Network connections:
    ◦ Internet traffic: Secured by Azure Firewall. All traffic out to the internet flows through the regional hub firewall.
    ◦ Private traffic: Secured by Azure Firewall. All traffic that transits from spoke to spoke flows through the regional hub firewall.
  • Each regional virtual hub is secured with Azure Firewall. The regional hub firewalls have the following DNS settings:
    ◦ Servers: Default (Azure provided). The regional hub firewall explicitly uses Azure DNS for FQDN resolution in rule collections.
    ◦ Proxy: Enabled. The regional hub firewall responds to DNS queries on port 53 and forwards queries that aren't in its cache to Azure DNS.
    The firewall logs rule evaluations and DNS proxy requests to a Log Analytics workspace in the same region. Logging these events is a common network security logging requirement.
  • Each connected virtual network spoke has its default DNS server configured as the private IP address of the regional hub firewall. Otherwise the addresses that clients resolve and the addresses that the firewall resolves for its FQDN rules can be out of sync, and FQDN rule evaluation becomes unreliable.

Multi-region routing

Secured Virtual WAN hubs have limited support for inter-hub connectivity when there are multiple secured virtual hubs. This limitation affects multi-hub intra-region and cross-region scenarios, so the network topology doesn't directly filter private cross-region traffic through Azure Firewall. Support for that capability is delivered through Virtual WAN hub routing intent and routing policies, which are in preview at the time of writing.

For this series of articles, the assumption is that internal secured traffic doesn't traverse multiple hubs. Traffic that must traverse multiple hubs must do so on a parallel topology that doesn't filter private traffic through a secured virtual hub, but lets it pass through instead.

Adding spoke networks

When you add spoke networks, they follow the constraints that are defined in the starting network topology. Specifically, each spoke network is associated with the default route table that's in its regional hub, and the firewall is configured to secure both internet and private traffic.
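A practical way to keep the starting topology honest as spokes are added is to audit the exported configuration against the constraints listed above: every hub firewall uses Azure-provided DNS with the proxy enabled, the hub's routing policies send both Internet and PrivateTraffic to that firewall, and every spoke's only DNS server is its regional hub firewall's private IP. The script below is an added example written for this page, not code from the original article or from Azure. Its input shape is an assumption that loosely mirrors Azure Resource Manager properties (`dhcpOptions.dnsServers` on a virtual network, `dnsSettings` on a firewall policy, `routingPolicies` on a hub routing intent); the sample topology, resource IDs and addresses are constructed placeholders.

```python
"""Audit a Virtual WAN secured-hub topology for the DNS and routing settings
that the starting topology on this page requires.

Added example for this page, not code from the original article or from Azure.
The input shape is an assumption loosely mirroring Azure Resource Manager
properties; the sample topology, IDs and addresses below are constructed.
"""
from __future__ import annotations

import copy

# The two traffic classes the secured hub must send to Azure Firewall.
REQUIRED_DESTINATIONS = {"Internet", "PrivateTraffic"}


def audit_hub(name: str, hub: dict) -> list[str]:
    """Check one secured hub: Azure-provided DNS, proxy on, both classes secured."""
    findings: list[str] = []
    dns = hub["firewall_policy"].get("dnsSettings", {})
    if not dns.get("enableProxy", False):
        findings.append(f"{name}: DNS proxy is disabled, spokes cannot use the firewall as DNS server")
    if dns.get("servers"):
        findings.append(f"{name}: custom DNS servers {dns['servers']} set, topology expects Azure-provided DNS")
    secured: set[str] = set()
    for policy in hub.get("routingPolicies", []):
        if policy.get("nextHop") != hub["firewall_id"]:
            findings.append(f"{name}: routing policy {policy.get('name')!r} does not point at the hub firewall")
            continue
        secured.update(policy.get("destinations", []))
    for dest in sorted(REQUIRED_DESTINATIONS - secured):
        findings.append(f"{name}: {dest} is not secured by the hub firewall")
    return findings


def audit_spoke(spoke: dict, hubs: dict) -> list[str]:
    """Check one spoke: its only DNS server must be the regional hub firewall."""
    name = spoke["name"]
    hub = hubs.get(spoke["hub"])
    if hub is None:
        return [f"{name}: connected to unknown hub {spoke['hub']!r}"]
    expected = [hub["firewall_private_ip"]]
    servers = spoke.get("dhcpOptions", {}).get("dnsServers", [])
    # An empty list means the VNet falls back to Azure default DNS, so clients
    # and the firewall can resolve the same FQDN to different addresses.
    if not servers:
        return [f"{name}: uses Azure default DNS, FQDN rules on {spoke['hub']} can evaluate out of sync"]
    if servers != expected:
        return [f"{name}: DNS servers {servers} differ from hub firewall {expected}"]
    return []


def audit_topology(topology: dict) -> list[str]:
    """Return every finding, hubs first (in declaration order), then spokes."""
    hubs = topology["hubs"]
    findings: list[str] = []
    for name, hub in hubs.items():
        findings.extend(audit_hub(name, hub))
    for spoke in topology["spokes"]:
        findings.extend(audit_spoke(spoke, hubs))
    return findings


def _hub(region: str, fw_ip: str, destinations: list[list[str]]) -> dict:
    """Build a constructed hub record whose routing intent secures `destinations`."""
    fw_id = f"/placeholder/azureFirewalls/hub-{region}-fw"  # placeholder resource ID
    return {
        "firewall_id": fw_id,
        "firewall_private_ip": fw_ip,
        "firewall_policy": {"dnsSettings": {"enableProxy": True, "servers": []}},
        "routingPolicies": [
            {"name": "-".join(d).lower(), "destinations": d, "nextHop": fw_id} for d in destinations
        ],
    }


# Constructed sample: hub-westeurope lacks the PrivateTraffic policy and
# spoke-c still resolves through Azure DNS (168.63.129.16) directly.
TOPOLOGY = {
    "hubs": {
        "hub-eastus": _hub("eastus", "10.0.0.4", [["Internet"], ["PrivateTraffic"]]),
        "hub-westeurope": _hub("westeurope", "10.1.0.4", [["Internet"]]),
    },
    "spokes": [
        {"name": "spoke-a", "hub": "hub-eastus", "dhcpOptions": {"dnsServers": ["10.0.0.4"]}},
        {"name": "spoke-b", "hub": "hub-westeurope", "dhcpOptions": {"dnsServers": ["10.1.0.4"]}},
        {"name": "spoke-c", "hub": "hub-westeurope", "dhcpOptions": {"dnsServers": ["168.63.129.16"]}},
    ],
}


def remediated_topology() -> dict:
    """Return a copy of TOPOLOGY with both constructed defects corrected."""
    fixed = copy.deepcopy(TOPOLOGY)
    west = fixed["hubs"]["hub-westeurope"]
    west["routingPolicies"].append(
        {"name": "privatetraffic", "destinations": ["PrivateTraffic"], "nextHop": west["firewall_id"]}
    )
    fixed["spokes"][2]["dhcpOptions"]["dnsServers"] = [west["firewall_private_ip"]]
    return fixed


if __name__ == "__main__":
    for finding in audit_topology(TOPOLOGY):
        print(finding)
```

Run against the constructed sample, the audit reports the missing PrivateTraffic policy on hub-westeurope and the spoke that bypasses the firewall's DNS proxy; `remediated_topology()` shows the same checks passing once both are corrected. Feeding it real data means exporting the VNet, firewall policy and routing intent resources and mapping them into this shape, which is an exercise for the reader.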

More articles by Deepanshu Katara