Challenge 5: Network Virtual Appliances

< Previous Challenge - Home


In this exercise a Network Virtual Appliance (NVA) or an Azure Firewall will be deployed in a VNet connected to Virtual WAN. This is a pattern frequently used to allow customers to leverage their own NVA of choice instead of using an Azure Firewall in the hub. In this pattern the workloads are configured as indirect spokes to Virtual WAN. This means they’re VNet peered to the VNet containing the NVA and have no network connection to the Virtual WAN hub itself.


Deploy an NVA or an Azure Firewall instance in each Common Services VNet. Create two additional VNets in each region and peer them to the Common Services VNet.

Make sure that the traffic is not going through the Azure Firewall deployed in the virtual hub from the previous challenge. Traffic should only go through the NVA deployed in the Common Services VNet.

Configure routing in such a way that:

Try configuring routing in such a way that:

Sample topology:


Success Criteria

Learning Resources