Smarter Routing in Azure: Route-Maps for Virtual WAN
If you are managing routing at scale in Azure, you know how painful it can be to make Azure do what you need it to do—especially when it comes to BGP. Until now, the options for controlling what gets advertised into or out of a Virtual WAN hub have been limited. That just changed.
Route-maps for Azure Virtual WAN are now generally available, bringing much-needed control over route advertisements and path selection.
What Are Route-Maps?
Think of route-maps as a way to define rules about routing logic. You can match and manipulate BGP route attributes, and decide what gets advertised in or out of your virtual hub. It’s a feature networking teams have had on-premises for years, and now you can do the same in Azure’s managed WAN service.
You can use route-maps on:
- Site-to-Site (S2S) VPN connections
- Point-to-Site (P2S) User VPN connections
- ExpressRoute connections
- Virtual Network (VNet) connections
This gives you the ability to control:
- What prefixes are advertised into the hub
- What prefixes are propagated out to remote connections
- How BGP route attributes are handled for influencing path selection
Why It Matters
BGP is powerful, but without control, it’s also a mess. The default behaviour in Virtual WAN is fine for simple topologies, but if you need to do anything non-trivial, you hit walls quickly.
With route-maps, you can:
- Filter routes based on prefix length or match conditions
- Tag routes to control propagation and preference
- Prepend AS paths to steer traffic away from less-preferred paths
- Stop advertising sensitive or internal routes to the wrong peers
This kind of control is critical when connecting hybrid environments, especially if you’re dealing with overlapping address spaces, selective connectivity, or complex routing domains.
Real-World Use Case
Say you have multiple branches connecting to Azure over VPN, and you want to advertise only a specific set of internal routes from each branch to Azure—not the entire on-prem network. With route-maps, you can define exactly what prefixes to allow or deny and apply those maps per connection.
Or maybe you’re using ExpressRoute and want to make sure certain VNets don’t advertise their routes back over that circuit. Again, apply a route-map on the VNet connection, and you’re in full control.
How to Set Up Route-Maps in Azure Virtual WAN
Setting up route-maps in Azure Virtual WAN is done through the portal or using IaC. Here’s a quick guide using the Azure Portal:
Navigate to your Virtual WAN hub
Go to the Azure Portal and open your existing Virtual WAN hub.Open the Routing section
Under the Virtual Hub settings, select Routing > Route maps.Create a new Route Map
Click + Add and give your route-map a name. Choose the direction (Inbound or Outbound) depending on whether you’re filtering incoming or outgoing routes.Define your match conditions
You can match based on:- Prefix (CIDR blocks)
- AS Path
- Communities
Add actions
Choose what to do with matched routes:- Allow or deny
- Prepend AS paths
- Modify route attributes like communities or next hop
Assign the route-map to a connection
Go to the connection (e.g. VPN, VNet, ExpressRoute) where you want the map applied, and select your new route-map under the appropriate direction.Save and validate
Review the effective routes and confirm that the route-map is being applied as expected.
Tip: Test your configuration in a non-production environment before rolling it out widely.
Final Thoughts
Routing in the cloud doesn’t have to be guesswork. With route-maps in Azure Virtual WAN, we finally get the tools to manage BGP like we would in any enterprise network.
This feature gives teams the flexibility they need without abandoning the benefits of a managed WAN platform. If you’ve been holding off on Virtual WAN because of routing limitations, this might be the feature that makes it worth another look.