@aparnabhatms

Clarified Azure Bastion support for Virtual WAN, including details on subnet requirements and routing configurations.

@prmerger-automator
Contributor

@aparnabhatms : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change. @abell

@learn-build-service-prod
Contributor

Learn Build status updates of commit bc3d1a9:

⚠️ Validation status: warnings

| File | Status | Preview URL | Details |
| --- | --- | --- | --- |
| articles/bastion/bastion-faq.md | ⚠️ Warning | | Details |

articles/bastion/bastion-faq.md

  • Line 39, Column 227: [Warning: hard-coded-locale - See documentation] Link 'https://learn.microsoft.com/en-us/azure/architecture/networking/guide/private-link-virtual-wan-dns-virtual-hub-extension-pattern' contains locale code 'en-us'. For localizability, remove 'en-us' from links to most Microsoft sites.
  • Line 39, Column 877: [Warning: hard-coded-locale - See documentation] Link 'https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-routing-policies#azurefirewall' contains locale code 'en-us'. For localizability, remove 'en-us' from links to most Microsoft sites.
  • Line 39, Column 227: [Suggestion: docs-link-absolute - See documentation] Absolute link 'https://learn.microsoft.com/en-us/azure/architecture/networking/guide/private-link-virtual-wan-dns-virtual-hub-extension-pattern' will be broken in isolated environments. Replace with a relative link.
  • Line 39, Column 877: [Suggestion: docs-link-absolute - See documentation] Absolute link 'https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-routing-policies#azurefirewall' will be broken in isolated environments. Replace with a relative link.

For more details, please refer to the build report.

Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.

### <a name="vwan"></a>Does Azure Bastion support Virtual WAN?

Yes, you can use Azure Bastion for Virtual WAN deployments. However, deploying Azure Bastion within a Virtual WAN hub isn't supported. You can deploy Azure Bastion in a spoke virtual network and use the [IP-based connection](connect-ip-address.md) feature to connect to virtual machines deployed across a different virtual network via the Virtual WAN hub. If the Azure Virtual WAN hub will be integrated with Azure Firewall as a [Secured Virtual Hub](../firewall-manager/secured-virtual-hub.md), the AzureBastionSubnet must reside within a Virtual Network where the default 0.0.0.0/0 route propagation is disabled at the virtual network connection level.
Yes, you can use Azure Bastion for Virtual WAN deployments. However, deploying Azure Bastion within a Virtual WAN hub isn't supported. You can deploy Azure Bastion in a spoke virtual network with only AzureBastionSubnet using [virtual hub extention pattern](https://learn.microsoft.com/en-us/azure/architecture/networking/guide/private-link-virtual-wan-dns-virtual-hub-extension-pattern) and use the [IP-based connection](connect-ip-address.md) feature to connect to virtual machines deployed across a different virtual network via the Virtual WAN hub. If the Azure Virtual WAN hub will be integrated with Azure Firewall as a [Secured Virtual Hub](../firewall-manager/secured-virtual-hub.md), the AzureBastionSubnet must reside within a Virtual Network where the default 0.0.0.0/0 route propagation is disabled at the virtual network connection level. Additionally, under the [Secured hub routing configuration](https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-routing-policies#azurefirewall), INTERNET TRAFFIC for the Bastion spoke should be set to Unsecured. This ensures that Internet traffic to the Bastion Host does not pass through the Azure Firewall.
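Review bot: The two added closing sentences ("INTERNET TRAFFIC for the Bastion spoke should be set to Unsecured ...") don't say how this setting relates to the preceding requirement that 0.0.0.0/0 route propagation be disabled at the virtual network connection level, so a reader can't tell whether these are two separate steps or one setting described twice. Suggest stating the relationship explicitly, and stating that Unsecured applies only to the Bastion spoke's connection, which is why that spoke should hold nothing else: any other workload placed there would also have its Internet traffic bypass Azure Firewall. The added phrase "with only AzureBastionSubnet" is ambiguous for the same reason; "a dedicated spoke virtual network that contains only the AzureBastionSubnet" reads more clearly.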
Contributor

Suggested change
Yes, you can use Azure Bastion for Virtual WAN deployments. However, deploying Azure Bastion within a Virtual WAN hub isn't supported. You can deploy Azure Bastion in a spoke virtual network with only AzureBastionSubnet using [virtual hub extention pattern](https://learn.microsoft.com/en-us/azure/architecture/networking/guide/private-link-virtual-wan-dns-virtual-hub-extension-pattern) and use the [IP-based connection](connect-ip-address.md) feature to connect to virtual machines deployed across a different virtual network via the Virtual WAN hub. If the Azure Virtual WAN hub will be integrated with Azure Firewall as a [Secured Virtual Hub](../firewall-manager/secured-virtual-hub.md), the AzureBastionSubnet must reside within a Virtual Network where the default 0.0.0.0/0 route propagation is disabled at the virtual network connection level. Additionally, under the [Secured hub routing configuration](https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-routing-policies#azurefirewall), INTERNET TRAFFIC for the Bastion spoke should be set to Unsecured. This ensures that Internet traffic to the Bastion Host does not pass through the Azure Firewall.
Yes, you can use Azure Bastion for Virtual WAN deployments. However, deploying Azure Bastion within a Virtual WAN hub isn't supported. You can deploy Azure Bastion in a spoke virtual network with only AzureBastionSubnet using [virtual hub extension pattern](/azure/architecture/networking/guide/private-link-virtual-wan-dns-virtual-hub-extension-pattern) and use the [IP-based connection](connect-ip-address.md) feature to connect to virtual machines deployed across a different virtual network via the Virtual WAN hub. If the Azure Virtual WAN hub will be integrated with Azure Firewall as a [Secured Virtual Hub](../firewall-manager/secured-virtual-hub.md), the AzureBastionSubnet must reside within a Virtual Network where the default 0.0.0.0/0 route propagation is disabled at the virtual network connection level. Additionally, under the [Secured hub routing configuration](/azure/virtual-wan/how-to-routing-policies#azurefirewall), INTERNET TRAFFIC for the Bastion spoke should be set to Unsecured. This ensures that Internet traffic to the Bastion Host does not pass through the Azure Firewall.
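Review bot: The replacement line still writes the setting name as "INTERNET TRAFFIC" in all caps and capitalizes "Bastion Host" near its end; suggest formatting the portal label consistently with the value beside it (for example, Internet traffic set to Unsecured) and lowercasing "host". The last sentence also uses "does not" where the same paragraph uses the contraction "isn't"; pick one form.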

Suggestion to fix links and typo

Contributor

Copilot AI left a comment

Pull request overview

This PR updates the Azure Bastion FAQ to provide more detailed guidance on Virtual WAN support. The changes clarify deployment patterns and routing configurations when using Azure Bastion with Virtual WAN and Azure Firewall.



### <a name="vwan"></a>Does Azure Bastion support Virtual WAN?

Yes, you can use Azure Bastion for Virtual WAN deployments. However, deploying Azure Bastion within a Virtual WAN hub isn't supported. You can deploy Azure Bastion in a spoke virtual network and use the [IP-based connection](connect-ip-address.md) feature to connect to virtual machines deployed across a different virtual network via the Virtual WAN hub. If the Azure Virtual WAN hub will be integrated with Azure Firewall as a [Secured Virtual Hub](../firewall-manager/secured-virtual-hub.md), the AzureBastionSubnet must reside within a Virtual Network where the default 0.0.0.0/0 route propagation is disabled at the virtual network connection level.
Yes, you can use Azure Bastion for Virtual WAN deployments. However, deploying Azure Bastion within a Virtual WAN hub isn't supported. You can deploy Azure Bastion in a spoke virtual network with only AzureBastionSubnet using [virtual hub extention pattern](https://learn.microsoft.com/en-us/azure/architecture/networking/guide/private-link-virtual-wan-dns-virtual-hub-extension-pattern) and use the [IP-based connection](connect-ip-address.md) feature to connect to virtual machines deployed across a different virtual network via the Virtual WAN hub. If the Azure Virtual WAN hub will be integrated with Azure Firewall as a [Secured Virtual Hub](../firewall-manager/secured-virtual-hub.md), the AzureBastionSubnet must reside within a Virtual Network where the default 0.0.0.0/0 route propagation is disabled at the virtual network connection level. Additionally, under the [Secured hub routing configuration](https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-routing-policies#azurefirewall), INTERNET TRAFFIC for the Bastion spoke should be set to Unsecured. This ensures that Internet traffic to the Bastion Host does not pass through the Azure Firewall.

Copilot AI Dec 23, 2025

This sentence is very long and covers multiple distinct topics (deployment pattern, IP-based connections, secured virtual hub configuration, and routing settings). Consider breaking it into separate sentences or a bulleted list for better readability.

@ShannonLeavitt
Contributor

@AbdullahBell - Could you review the proposed changes?

IMPORTANT: When the changes are ready for publication, adding a #sign-off comment is the best way to signal that the PR is ready for the review team to merge.

#label:"aq-pr-triaged"
@MicrosoftDocs/public-repo-pr-review-team

@prmerger-automator (bot) added the aq-pr-triaged label (tracking label for the PR review team) on Dec 23, 2025