Creating a Network Virtual Appliance (NVA) in a Virtual Hub Demo
Start course

Organizations use site-to-site VPNs and ExpressRoute to connect on-premises networks to Azure. As an organization grows, so does the complexity of implementing and managing connectivity between the cloud and on-premises locations.

In this course, we review Azure Virtual Wide Area Network (WAN). Azure Virtual WAN creates a hub-and-spoke topology that provides a single interface for managing branch connectivity, user access, and connectivity between VNets. We also cover how Azure Virtual WAN hubs connect with other network resources to create a full mesh topology that serves as a backbone of a hybrid network.

Learning Objectives

  • Design an Azure Virtual WAN architecture
  • Understand the SKUs and related features of a Virtual WAN
  • Create a Virtual WAN hub
  • Create a network virtual appliance (NVA) in a virtual hub
  • Configure virtual hub routing
  • Understand connection units and scale units

Intended Audience

  • System or network administrators with responsibilities for connecting an on-premises network to Azure
  • Anyone preparing for the Azure AZ-700: Designing and Implementing Microsoft Azure Networking Solutions exam


  • A basic understanding of networking, routing, and VPN concepts
  • An Azure subscription (sign up for a free trial at if you don’t have a subscription)

Here we are in the Azure Virtual WAN portal. There's a new virtual WAN called Virtual NVA WAN, used for this example. Let's open that up. There's also a new hub used for the network virtual appliance. Remember using an NVA such as what we're doing in this example, will connect non Azure resources to the virtual WAN. So we need a virtual WAN without any express route or VPN gateways, such as what we set up previously. Go to search in the Azure portal and search for the NVA provider, Barracuda, for this example. Select Barracuda CloudGen WAN Gateway, and create. Make sure your subscription is selected and select the resource group, or add it to a new resource group. Select the region and give the application a name, Barracuda GW, for this example. The managed resource group is already set and can't be changed. Go to next CloudGen WAN gateway. Select the hub that the gateway will attach to. Leave the NVA infrastructure scale unit set to two. We review scale units in an upcoming lecture. Each NVA will have a different process for onboarding their product. For Barracuda, we need a token that's available from the CloudGen WAN portal.

Once that information is entered, we can go to review and create to finish the deployment. Scroll down to co admin permissions. This will give the template provider, Barracuda in this case, admin level access to the managed resource group. Read and if you agree, indicate so, and once done, click create. The deployment started. This will take a couple minutes to finish. We'll pause here and come back once it's finished. The deployment finished. Let's go to the resource and view what was created. This is the new gateway. From here, we can view the configuration, modify settings, such as the scale units and open a support case. Notice also that we have the resource group for the gateway, what we're looking at now, and a managed resource group. If we go into the managed resource group, we can see all the managed objects.

Next, let's go to the virtual WAN. And from there, we'll open the hub we added the gateway to. The network virtual appliance indicates there is one added. It did take over an hour for the NVA information to show up in the hub. If we go to the network virtual appliance, under third party providers, we have the Barracuda NVA listed. For all NVAs, there's other configuration settings required within the SD WAN infrastructure. The configuration options will be dependent on the provider. That is how we create a direct connected NVA in a virtual hub.

About the Author

Travis Roberts is a Cloud Infrastructure Architect at a Minneapolis consulting firm, a Microsoft MVP, MCT, and author. Travis has 20 years of IT experience in the legal, pharmaceutical, and marketing industries and has worked with IT hardware manufacturers and managed service providers. In addition, Travis has held numerous technical certifications throughout his career from Microsoft, VMware, Citrix, and Cisco.