3.4.3. Virtual Hub Routing

Routing Intent and Policies: Rather than configuring individual routes, you declare intent:

• "Route all internet traffic through my firewall"
• "Route all private traffic through my NVA"

Virtual WAN automatically programs the required routes across all connected spokes.

Default Route Tables:

• DefaultRouteTable: Where connections associate by default
• NoneRouteTable: Isolates connections (they can't reach each other)

Secured Virtual Hub: Integrating Azure Firewall creates a "secured hub." Traffic inspection happens automatically—you don't need to configure UDRs pointing to the firewall.

NVA (Network Virtual Appliance) in Hub: For third-party firewalls or WAN optimizers, deploy NVAs directly in the hub. Routing intent can direct traffic through these NVAs automatically.

⚠️ Exam Trap: Basic SKU Virtual WAN doesn't support VNet-to-VNet connectivity or routing features. If the scenario requires transitive routing between spokes, the answer requires Standard SKU.