How to enable inter hub communication between two hubs in single Azure Virtual WAN?

Suman Bikram Singh 20 Reputation points
2025-08-06T17:25:14.4033333+00:00

I have one Azure Virtual WAN and two hubs in this VWAN.

Each hub is connected to its respective virtual networks. By default, without any settings, VMs in both regions communicate without any problem.

The moment I introduce two Azure Firewalls in each hub and configure custom routes and select Azure Firewalls as next hop, communication breaks.

Both firewalls are able to manage internet traffic and the log says inter-hub communication is allowed, but I am still not able to communicate when I route the traffic through custom routes.

At the same time, if I attach the default route and bypass the firewalls, then communication happens. Any idea what I'm missing?

Azure Virtual WAN
An Azure virtual networking service that provides optimized and automated branch-to-branch connectivity.

1 answer

  1. Ravi Varma Mudduluru 3,625 Reputation points Microsoft External Staff Moderator
    2025-08-07T12:34:25.5933333+00:00

    Hello @Suman Bikram Singh,

    Thank you for confirming your setup and routes. Based on your current network design, the issue seems to be caused by asymmetric routing.

    Here’s what’s happening:

    • You have two Azure Virtual WAN hubs, each with its own firewall: one in the UK (Firewall 1) and one in the UAE (Firewall 2).
    • Traffic from the UK to the UAE goes through the UK firewall (FW1).
    • Traffic from the UAE to the UK goes through the UAE firewall (FW2).
    • However, the networks connected to each hub are set to send returning traffic back through their local firewall, causing the return path to be different from the original path. This mismatch is what we call asymmetric routing.

    Why is it a problem? Because traffic that goes out one firewall and returns via another can get dropped or not logged properly.

    How to fix this step-by-step:

    1. Confirm Asymmetric Routing: Make sure traffic flows in and out through the same firewall between the regions. Right now, it enters one firewall but returns through the other, which causes issues.
    2. Adjust Routing: Update the custom routes on both UK and UAE networks so that traffic between these regions and to the Internet goes through the same firewall. For example, if you pick the UK firewall (FW1) as the central point:
      1. UAE networks send traffic through FW1 instead of FW2
      2. UK networks also use FW1

      This keeps all traffic consistent and maintains connection tracking.
    3. Use Routing Intent in Azure Virtual WAN: This feature lets you direct all internet and private traffic through a specific firewall clearly, avoiding routing confusion. (You can find more about this in Azure’s documentation on routing policies.)
    4. Enable Logging and Monitoring: Use Azure Firewall diagnostics and Network Watcher tools to watch traffic and ensure packets flow properly through the firewall.

    Alternative if you can’t enforce symmetric routing: Set up Source NAT (SNAT) on each firewall so return traffic goes back to the same firewall that handled the outgoing traffic. Keep in mind this might hide the original source IP unless extra headers like X-Forwarded-For are used.

    In short, your current setup looks like this:

    • Outbound UK to UAE traffic passes FW1 but return traffic routes back through FW2 (and vice versa), causing problems.

    The preferred setup is:

    • Both outbound and return traffic between UK and UAE go through the same firewall (for example, FW1 in both directions), ensuring smooth and consistent routing.

    Supporting documents:

    https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

    https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-routing-policies

    Please let us know if this helps or if you need further assistance fixing this issue.

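Added example (not part of the original answer, and not Azure Firewall's own logic): a small Python model of two stateful firewalls that follows the paths the answer describes, showing why the reply is dropped with asymmetric routes and why a single firewall or SNAT restores the flow. The IP addresses, the `Firewall` class and the `handshake` helper are constructed for illustration.

```python
from dataclasses import dataclass, field

UK_VM, UAE_VM = "10.1.0.4", "10.2.0.4"           # constructed spoke VM addresses
FW_IPS = {"FW1": "10.1.1.4", "FW2": "10.2.1.4"}  # constructed firewall IPs

@dataclass
class Firewall:
    name: str
    ip: str
    snat: bool = False
    flows: set = field(default_factory=set)  # connection-tracking table
    nat: dict = field(default_factory=dict)  # (fw_ip, dst) -> original source

    def process(self, src, dst, syn):
        """Return (src, dst) as the packet leaves, or None if dropped."""
        if syn:                              # allowed by rule: start tracking
            if self.snat:
                self.nat[(self.ip, dst)] = src
                src = self.ip
            self.flows.add((src, dst))
            return src, dst
        if (dst, src) not in self.flows:     # reply to a flow never seen here
            return None
        return src, self.nat.get((dst, src), dst)  # undo SNAT if applied

def handshake(routes, snat=False):
    """routes: sender region -> firewall used as next hop by that region.
    Simulates SYN (UK VM -> UAE VM) and the SYN-ACK; returns (ok, log)."""
    fws = {n: Firewall(n, ip, snat) for n, ip in FW_IPS.items()}
    by_ip = {f.ip: f for f in fws.values()}
    fw = fws[routes["uk"]]
    seen_src, _ = fw.process(UK_VM, UAE_VM, syn=True)
    log = [("SYN", fw.name, "allow")]
    # A reply addressed to a firewall IP lands on that firewall; otherwise
    # the UAE route table chooses the next hop.
    fw = by_ip.get(seen_src) or fws[routes["uae"]]
    out = fw.process(UAE_VM, seen_src, syn=False)
    log.append(("SYN-ACK", fw.name, "allow" if out else "drop"))
    return out is not None and out[1] == UK_VM, log

if __name__ == "__main__":
    cases = {"asymmetric": ({"uk": "FW1", "uae": "FW2"}, False),
             "symmetric via FW1": ({"uk": "FW1", "uae": "FW1"}, False),
             "asymmetric + SNAT": ({"uk": "FW1", "uae": "FW2"}, True)}
    for label, (routes, snat) in cases.items():
        print(label, handshake(routes, snat))
```

In the asymmetric case the SYN is allowed and logged on FW1 while the SYN-ACK is dropped on FW2, which matches the symptom in the question: the firewall log shows the inter-hub traffic as allowed, yet the connection never completes.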
