Link Search Menu Expand Document

Microsoft Azure Virtual WAN

Configuration > Cloud Services > Microsoft Azure Virtual WAN

Microsoft Azure optimizes routing, automates large scale connectivity from various branches to Azure workloads, and provides unified network and policy management within Orchestrator. Use Azure to deploy to a single WAN circuit or for branch to branch connectivity by configuring virtual WANs to associated hubs.

Before you begin Microsoft Azure Virtual WAN configuration in Orchestrator, you need to use the Azure Virtual WAN portal to authenticate and authorize Orchestrator in Azure. You need to create the service principal, which focuses on single-tenant application to run within only one organization. Click here to get started.

Microsoft Azure Prerequisites

  1. Create an application in Azure and note the following Subscription details from the Azure Active Directory:

    • Subscription ID

    • Tenant (Directory) ID

    • Application (Client) ID

    • Client Secret Key

  2. Create a storage account in Azure and get the following:

    • Storage Account Name

    • Storage Access Key

  3. Create a resource group.

  4. Create Azure Virtual WANs with hubs from your resource groups.

Orchestrator Prerequisites

Complete the following tasks in Orchestrator:

  1. Configure a VTI IP Pool.

    • Enter a valid IPv4 Subnet.

      NOTE: This is a unique address across the network. VTI interfaces created for Azure integration will be selected from this pool.

      *INFO* Azure VTI interface zone is set to WAN interface zone. Any change in deployment for the WAN interface zone is applied to Azure VTI as well.

      WARNING: Any change in the VTI pool after it is configured is networking affecting. This operation should be performed during a maintenance window as it can take several hours for some Cloud services to complete.

  2. Configure BGP ASN Global Pool.

    • Enter the start and end ranges for ASNs.

    • Add any reserved ASNs to exclude from being applied to appliances.

      NOTE: If not previously enabled, Orchestrator enables BGP.

Orchestrator Configuration

When are you finished with the Azure and Orchestrator prerequisites, navigate to the Microsoft Azure Virtual WAN tab in Orchestrator. There are five buttons at the top of the table that are used to complete the Azure and Orchestrator integration: Subscription, Interface Labels, Virtual Wan Association, Tunnel Settings, and Zone.

To begin, click the Subscription icon.


  1. Enter the information in the Subscription fields that reflect your Azure portal account.

  2. Click Save after you have finished entering the information in the table below. The Azure field should reflect Connected.

The following table represents the values in the Subscription window from the Azure portal.

Field Description
Azure Reachability Connection status of your account with Azure.
Subscription ID ID of your subscription.
Tenant ID Name of your Azure AD tenant.
Client ID Client ID of your Azure portal.
Client Secret Key Secret key of your Azure application.
Storage Account Name Name of your storage account.
Storage Account Key Storage account key.
Storage URL Storage account URL.*
Configuration Polling Interval Indicates hows often Orchestrator should check for configuration changes in Azure. The default polling interval is ten minutes.

*Storage URL

The Storage URL is present on the Storage Accounts tab in your Azure portal. Complete the following steps to obtain your storage account URL.

  1. After your storage account is created in Azure, create a blob container.

  2. Get the blob container URL.

  3. Suffix the URL with a slash and add a file name in the Storage URL field.

    NOTE: Append the URL with a slash for the file name. Do not end the URL with a slash.

Interface Labels

Select the order in which you want your interface labels to be used.

  1. Click the Interface Labels button. The Build Tunnels Using These Interfaces displays.

  2. Drag the Interface labels you want to use into the Preferred Interface Label Order column.

  3. Click Save.

Virtual WAN Association

Each appliance is associated with one virtual WAN. Use the Virtual Wan Association button to add or remove specific sites to your virtual WANs.

  1. Click the Virtual Wan Association button.

  2. Select an appliance from the tree in the left menu.

  3. Select the check box to Add or Remove the appliance to your virtual WAN in Azure.

Tunnel Settings

The Tunnel Settings button opens the Tunnel Settings dialog box, which enables you to define the tunnels associated with Azure and Orchestrator. It is recommended that you use the default tunnel settings for General, IKE, and IPSec; however, you can modify any field. The tunnel settings are set using the default VPN configuration parameters received from virtual WAN APIs located in your Azure portal account.

In your Azure Portal Account, navigate to the Azure Configuration table. This table displays the VPN site created for Orchestrator appliances associated to Azure virtual WANs. Additionally, manually associate sites to your hubs in Azure.

  1. Navigate to Azure Virtual WAN.

  2. Select Azure VPN site.

  3. Select New Hub Association.


You can apply configured segments to your VTI interfaces associated for Azure. Click the Zone button and select the zone from the drop-down you want to apply.


The Tunnel page displays that Azure and Orchestrator have an established connection with Azure by displaying a tunnel status of up - active.

For more information about Azure configuration, visit the following link:

Back to top

© Copyright 2024 Hewlett Packard Enterprise Development LP.

To view the end-user software agreement, go to HPE Aruba Networking EULA.

Open Source Code:

This product includes code licensed under certain open source licenses which require source compliance. The corresponding source for these components is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source code, please check if the code is available in the HPE Software Center at but, if not, send a written request for specific software version and product for which you want the open source code. Along with the request, please send a check or money order in the amount of US $10.00 to:

Hewlett Packard Enterprise Company
Attn: General Counsel
WW Corporate Headquarters
1701 E Mossy Oaks Rd Spring, TX 77389
United States of America