vWAN Routing Intent Selective Internet bound routes

Question

vWAN Routing Intent Selective Internet bound routes

Jackson Harris 20

Hello,

I'm trying to figure out if it's possible to configure via Bicep the routing intent policy for a secured virtual hub in a vWAN to set the internet security configuration selectively for individual connections as described in the portal under the security configuration section of the Firewall Manager. I also can't seem to even do this in the portal as the option to Secure Internet traffic is greyed out with my vnet connections selected.

User's image

Sai Prasanna Sinde 4,335 Reputation points Microsoft External Staff

2025-03-11T13:05:50.3533333+00:00
Hi @Jackson Harris

Based on our understanding of the issue, we reproduced it in the Azure portal, and here are the results:

I believe you need to secure the internet traffic for your connections first; only then will the secure internet traffic option become available.

1.Please create a Firewall policy and associate it with a hub by following this document.

After associating the Firewall policy to a hub, you need to define route traffic to your hub by following this document.

After that you can select individual or all connections and apply the security configurations.

Kindly let us know if the above helps or you need further assistance on this issue.
Jackson Harris 20 Reputation points

2025-03-11T13:49:49.6+00:00

Oh that looks very promising! How can I do this with Bicep deployments? I can’t find which resource is used to define that the same way.
Sai Prasanna Sinde 4,335 Reputation points Microsoft External Staff

2025-03-12T01:11:02.1666667+00:00
Hi @Jackson Harris

Please use the below reference documents to achieve the above configurations through BICEP:

Secure your virtual hub using Azure Firewall Manager - Bicep

Azure Quickstart Samples

azure-quickstart-templates

Kindly let us know if the above helps or you need further assistance on this issue.
Jackson Harris 20 Reputation points

2025-03-12T05:49:36.5233333+00:00

Hey Sai,

I’m afraid those pages only reference templates and examples that generally show how to enable routing through the firewall for all connections, but don’t explain or clarify anywhere how to set the internet security configuration selectively for individual connections via a bicep deployment. However, I discovered the solution on my own just experimenting with a portal deployment vs bicep and comparing the parameters between the options and have posted my findings in a separate answer.
Jackson Harris 20 Reputation points

2025-03-12T05:49:50.2633333+00:00

In testing various deployments via the portal vs bicep, I’ve discovered that in bicep, the property enableInternetSecurity on the vHub connection resource is what determines the selective internet security configuration for individual connections, but it only works if the main routing intent policy is configured to route internet bound traffic through the firewall. So the routing intent policy acts as a master switch to enable the option for routing internet traffic while the enableInternetSecurity property is what determines which connection will use the routing option for internet bound traffic.

Unfortunately, I still haven’t found anything in any documentation that clarifies this distinction, so I hope this helps others.

Accepted answer

0 additional answers

Your answer

Sai Prasanna Sinde 4,335 Reputation points Microsoft External Staff

2025-03-11T13:05:50.3533333+00:00

Hi @Jackson Harris

Based on our understanding of the issue, we reproduced it in the Azure portal, and here are the results:

I believe you need to secure the internet traffic for your connections first; only then will the secure internet traffic option become available.

1.Please create a Firewall policy and associate it with a hub by following this document.

After associating the Firewall policy to a hub, you need to define route traffic to your hub by following this document.

After that you can select individual or all connections and apply the security configurations.

Kindly let us know if the above helps or you need further assistance on this issue.
Jackson Harris 20 Reputation points

2025-03-11T13:49:49.6+00:00

Oh that looks very promising! How can I do this with Bicep deployments? I can’t find which resource is used to define that the same way.
Sai Prasanna Sinde 4,335 Reputation points Microsoft External Staff

2025-03-12T01:11:02.1666667+00:00

Hi @Jackson Harris

Please use the below reference documents to achieve the above configurations through BICEP:

Secure your virtual hub using Azure Firewall Manager - Bicep

Azure Quickstart Samples

azure-quickstart-templates

Kindly let us know if the above helps or you need further assistance on this issue.
Jackson Harris 20 Reputation points

2025-03-12T05:49:36.5233333+00:00

Hey Sai,

I’m afraid those pages only reference templates and examples that generally show how to enable routing through the firewall for all connections, but don’t explain or clarify anywhere how to set the internet security configuration selectively for individual connections via a bicep deployment. However, I discovered the solution on my own just experimenting with a portal deployment vs bicep and comparing the parameters between the options and have posted my findings in a separate answer.
Jackson Harris 20 Reputation points

2025-03-12T05:49:50.2633333+00:00

In testing various deployments via the portal vs bicep, I’ve discovered that in bicep, the property enableInternetSecurity on the vHub connection resource is what determines the selective internet security configuration for individual connections, but it only works if the main routing intent policy is configured to route internet bound traffic through the firewall. So the routing intent policy acts as a master switch to enable the option for routing internet traffic while the enableInternetSecurity property is what determines which connection will use the routing option for internet bound traffic.

Unfortunately, I still haven’t found anything in any documentation that clarifies this distinction, so I hope this helps others.

Answer 1

Hi @Jackson Harris

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.

Issue: How to configure via Bicep the routing intent policy for a secured virtual hub in a vWAN to set the internet security configuration selectively for individual connections as described in the portal under the security configuration section of the Firewall Manager.

Solution: In testing various deployments via the portal vs bicep, op has discovered that in bicep, the property enableInternetSecurity on the vHub connection resource is what determines the selective internet security configuration for individual connections, but it only works if the main routing intent policy is configured to route internet bound traffic through the firewall. So, the routing intent policy acts as a master switch to enable the option for routing internet traffic while the enableInternetSecurity property is what determines which connection will use the routing option for internet bound traffic.

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Jackson Harris 20 Reputation points

2025-03-12T06:23:42.27+00:00

Ah that makes sense. Perfect

Share via

vWAN Routing Intent Selective Internet bound routes

0 additional answers

Your answer