Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Azure Virtual WAN is updated regularly. Stay up to date with the latest announcements. This article provides you with information about:
- Recent releases
- Previews underway with known limitations (if applicable)
- Known issues
- Deprecated functionality (if applicable)
You can also find the latest Azure Virtual WAN updates and subscribe to the RSS feed here.
Recent releases
| Type | Area | Name | Description | Date added | Limitations |
|---|---|---|---|---|---|
| Feature | ExpressRoute | ExpressRoute metrics can be exported as diagnostic logs | April 2023 | ||
| Feature | ExpressRoute | ExpressRoute circuit page now shows vWAN connection | August 2022 | ||
| Feature | Branch connectivity/Site-to-site VPN | Multi-APIPA BGP | Ability to specify multiple custom BGP IPs for VPN gateway instances in vWAN. | June 2022 | Currently only available via portal. (Not available yet in PowerShell) |
| Feature | Branch connectivity/Site-to-site VPN | Custom traffic selectors | Ability to specify what traffic selector pairs site-to-site VPN gateway negotiates | May 2022 | Azure negotiates traffic selectors for all pairs of remote and local prefixes. You can't specify individual pairs of Traffic selectors to negotiate. |
| Feature | Branch connectivity/Site-to-site VPN | Site-to-site connection mode choices | Ability to configure if customer or vWAN gateway should initiate the site-to-site connection while creating a new S2S connection. | February 2022 | |
| Feature | Branch connectivity/Site-to-site VPN | Packet capture | Ability for customer to perform packet captures on site-to-site VPN gateway. | November 2021 | |
| Feature | Remote User connectivity/Point-to-site VPN | Global profile include/exclude | Ability to mark a point-to-site gateway as "excluded", meaning users who connect to global profile won't be load-balanced to that gateway. | February 2022 | |
| Feature | Remote User connectivity/Point-to-site VPN | Forced tunneling for P2S VPN | Ability to force all traffic to Azure Virtual WAN for egress. | October 2021 | Only available for Azure VPN Client version 2:1900:39.0 or newer. |
| Feature | Remote User connectivity/Point-to-site VPN | macOS Azure VPN client | General Availability of Azure VPN Client for macOS. | August 2021 | |
| Feature | Remote User connectivity/Point-to-site VPN | Remote RADIUS server | Ability for a P2S VPN gateway to forward authentication traffic to a RADIUS server in a virtual network connected to a different hub, or a RADIUS server hosted on-premises. | April 2021 | |
| Feature | Remote User connectivity/Point-to-site VPN | Dual-RADIUS server | Ability to specify primary and backup RADIUS servers to service authentication traffic. | March 2021 | |
| Feature | Remote User connectivity/Point-to-site VPN | Custom IPsec policies | Ability to specify connection/encryption parameters for IKEv2 point-to-site connections. | March 2021 | Only supported for IKEv2- based connections. View the list of available parameters. |
| SKU | Remote User connectivity/Point-to-site VPN | Support up to 100K users connected to a single hub | Increased maximum number of concurrent users connected to a single gateway to 100,000. | March 2021 | |
| Feature | Remote User connectivity/Point-to-site VPN | Multiple-authentication methods | Ability for a single gateway to use multiple authentication mechanisms. | June 2023 | Supported for gateways running all protocol combinations. Azure AD authentication still requires the use of OpenVPN |
Known issues
| # | Issue | Description | Date first reported | Mitigation |
|---|---|---|---|---|
| 1.2 | Traffic from a Virtual Network connected to Virtual WAN destined to Azure Storage accounts deployed in the same region as your Virtual WAN hub bypasses Virtual WAN routing configuration. | Traffic from a Virtual Network connected to Virtual WAN destined for same region storage account public IP addresses bypasses Virtual WAN routing configurations to send traffic to a security appliance deployed in another Virtual WAN spoke Virtual Network. | September 2023 | This issue applies to storage account access over public IP. Utilize Private Link to deploy private endpoints in spoke Virtual Networks connected to Virtual WAN hub to access storage accounts over private IP. If Private Link is not a technically feasible solution, deploy and configure routing to a security appliance in the hub as instead of another Virtual WAN spoke. This mitigation only applies to traffic from Virtual Networks and does not apply to traffic from on-premises. Reference Known Issue #1.1 for guidance related to on-premises connections. |
| 2 | Default routes (0/0) won't propagate inter-hub | 0/0 routes won't propagate between two virtual WAN hubs. | June 2020 | None. Note: While the Virtual WAN team has fixed the issue, wherein static routes defined in the static route section of the VNet peering page propagate to route tables listed in "propagate to route tables" or the labels listed in "propagate to route tables" on the VNet connection page, default routes (0/0) won't propagate inter-hub. |
| 3 | Two ExpressRoute circuits in the same peering location connected to multiple hubs | If you have two ExpressRoute circuits in the same peering location, and both of these circuits are connected to multiple virtual hubs in the same Virtual WAN, then connectivity to your Azure resources might be impacted. | July 2023 | Make sure each virtual hub has at least 1 virtual network connected to it. This ensures connectivity to your Azure resources. The Virtual WAN team is also working on a fix for this issue. |
| 11 | Unable to update route tables and routing configuration (propagated route table and label) for on-premises (VPN, ExpressRoute, NVA) connections. | When a Virtual WAN hub and its gateway(s) are in different Azure resource groups, updating routing configuration results in a "resource not found" error. | March 2025 | This issue is caused by a code defect in Azure portal. Use Terraform, PowerShell, CLI or REST API to manage your Virtual WAN deployment. |
| 12 | Hub won't advertise routes to VPN sites | When a customer uses Route-Maps for the first time it triggers an upgrade. After the upgrade is complete, If VPN sites aren't advertising routes to the hub, the hub won't advertise routes to the VPN sites. | December 2024 | If the VPN sites start adverting any routes to the hub, the hub will start adverting routes again. |
Next steps
For more information about Azure Virtual WAN, see What is Azure Virtual WAN and frequently asked questions- FAQ.