
Microsoft Azure Virtual WAN Part 7 - Configure security configuration | Route traffic to your secured hub | Test connectivity

This is the final article of the vWAN configuration series. In this article I configure the hub security configuration (routing) on the virtual hub and test connectivity between Azure virtual machines in different vNETs and across regions.

Microsoft Azure Virtual Wan Part 1 - Create Virtual Network and subnets
Part 2 Create a Virtual WAN (VWAN) on Azure Portal
Microsoft Azure Virtual WAN Part 3 - Create and convert to secured virtual hub inside VWAN
Microsoft Azure Virtual WAN Part 3.1 - Create secured virtual hub inside Azure Firewall Manager
Microsoft Azure Virtual WAN Part 4 - Add Virtual Network connection | Hub vNet Peering
Microsoft Azure Virtual WAN Part 5 - Create Azure Virtual Machine (VM)
Microsoft Azure Virtual WAN Part 6 - Creating and configuring Azure Firewall Policies
Microsoft Azure Virtual WAN Part 7 - Configure security configuration | Route traffic to your secured hub | Test connectivity

To start the configuration, open Azure Firewall Manager and click Virtual Hubs in the Deployments pane. Check the hub you want to configure to use Azure Firewall, then click on it.

In Security configuration, check the virtual network connections created earlier: their Internet traffic and Private traffic status is Unsecured. Virtual hub security configuration updates apply globally to all connections.

Internet Traffic: These settings apply to traffic from secured connections to the internet. Connections must be secured via the Connections page in order for these settings to apply.
Private Traffic: These settings apply to VNet to VNet and Branch to VNet traffic for all connections on this hub. During preview VNet and Branch prefixes must be defined explicitly.

Manage internet and private security configuration for hub connection. Internet security configuration can be updated selectively for individual connections. Private traffic security configuration must collectively secure all/no connections.

To change the security configuration, select the connections, change Internet traffic to Azure Firewall and Private traffic to Send via Azure Firewall, and save the settings.

While securing internet traffic you will see a warning message: Please note that securing internet traffic will cause the vWAN hub to advertise the default route to the internet with next-hop as Azure Firewall. This will disrupt internet connectivity for all Hub connections and must be done during maintenance hours to avoid impact to production workloads. Do you want to continue?

It takes a few minutes for the status of Internet and Private traffic to change to Secured by Azure Firewall.

All the rules are already in place; they were configured in the Azure Firewall Policies in the earlier article.

Once the setting is changed, it's time to test VM connectivity. I will try to connect to the vm1-vnet1-westus virtual machine from the internet. Since it doesn't have a public IP address, I will use the Azure Firewall public IP to connect to the VM, and ping connectivity is successful.

Next I will test connectivity between two VMs in the same region in different vNETs. Connectivity between those two Azure virtual machines is also successful.

Another test I did was browsing to websites. As you can see, I get a curl reply for the microsoft.com website, but when testing any other website, for example google.com, I receive the error curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.google.com:443.
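The website test above can be scripted so the allow list is re-checked after every firewall policy change. This is an added example, not part of the original article; the function names and the expectation list (the two hosts tested above) are assumptions of the example, and only exit code 35 is the symptom actually observed here.

```shell
#!/bin/sh
# Added example: compare observed egress results with the intended policy.

# Map a curl exit code to a verdict. 35 (TLS handshake failure) is what the
# article saw for a host without an allow rule; treating 7, 28 and 56 as
# "blocked" as well is an assumption of this example.
classify_curl_exit() {
  case "$1" in
    0)          echo allowed ;;
    35)         echo blocked ;;      # SSL connect error, as seen for www.google.com
    7|28|56)    echo blocked ;;      # connect failed / timed out / receive failure
    6)          echo dns-failure ;;  # name resolution problem, not a firewall verdict
    *)          echo unknown ;;
  esac
}

# Try an HTTPS connection to one FQDN and print the verdict.
probe() {
  rc=0
  curl --silent --output /dev/null --max-time 10 "https://$1" </dev/null || rc=$?
  classify_curl_exit "$rc"
}

# Print PASS/FAIL for one host; return 1 when expectation and result differ.
evaluate() {  # args: fqdn expected actual
  if [ "$2" = "$3" ]; then
    echo "PASS $1 $3"
  else
    echo "FAIL $1 expected=$2 actual=$3"
    return 1
  fi
}

# Read "fqdn expected" lines from stdin; return the number of mismatches.
run_checks() {
  failures=0
  while read -r fqdn expected; do
    [ -n "$fqdn" ] || continue
    evaluate "$fqdn" "$expected" "$(probe "$fqdn")" || failures=$((failures + 1))
  done
  return "$failures"
}

# Run on a VM behind the secured hub with: sh check-egress.sh --run
if [ "${1:-}" = "--run" ]; then
  run_checks <<EOF
www.microsoft.com allowed
www.google.com blocked
EOF
  exit $?
fi
```

A FAIL line for a host expected to be blocked means traffic is leaving without the firewall policy being applied, which is worth checking after any change to the hub security configuration.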

Lastly, I tried to check ICMP ping connectivity between virtual machines situated in different regions across the secured hub. I tried all the different configuration combinations, but it never worked and connectivity was never established. Finally, to solve this issue I raised a request with the Microsoft Azure service desk. From them I got to know that connectivity from secured hub to hub over Azure Firewall is not yet supported. To resolve the issue, the private traffic route configuration needs to be set to Bypass Azure Firewall (Unsecured). I tested the connectivity with this configuration and it was successful.

