virtual-hubs
This Bicep AVM module deploys a Virtual Hub.
ipm add --package avm-bicep/virtual-hubs --version 0.4.3 Virtual Hubs [Microsoft.Network/virtualHubs]
This module deploys a Virtual Hub. If you are planning to deploy a Secure Virtual Hub (with an Azure Firewall integrated), please refer to the Azure Firewall module.
You can reference the module as follows:
module virtualHub './packages/virtual-hubs/main.bicep' = {
params: { (...) }
}
For examples, please refer to the Usage Examples section.
Navigation
Resource Types
| Resource Type | API Version | References |
|---|---|---|
Microsoft.Authorization/locks |
2020-05-01 | |
Microsoft.Network/virtualHubs |
2025-01-01 | |
Microsoft.Network/virtualHubs/hubRouteTables |
2025-01-01 | |
Microsoft.Network/virtualHubs/hubVirtualNetworkConnections |
2025-01-01 | |
Microsoft.Network/virtualHubs/routingIntent |
2025-01-01 |
Usage examples
The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository.
Note: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
Note: To reference the module, please use the following syntax
./packages/virtual-hubs/main.bicep.
Example 1: Using only defaults
This instance deploys the module with the minimum set of required parameters.
You can find the full example and the setup of its dependencies in the deployment test folder path [/tests/e2e/defaults]
via Bicep module
module virtualHub './packages/virtual-hubs/main.bicep' = {
params: {
// Required parameters
addressPrefix: '10.0.0.0/16'
name: 'nvhmin'
virtualWanResourceId: '<virtualWanResourceId>'
}
}
via JSON parameters file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"addressPrefix": {
"value": "10.0.0.0/16"
},
"name": {
"value": "nvhmin"
},
"virtualWanResourceId": {
"value": "<virtualWanResourceId>"
}
}
}
via Bicep parameters file
using './packages/virtual-hubs/main.bicep'
// Required parameters
param addressPrefix = '10.0.0.0/16'
param name = 'nvhmin'
param virtualWanResourceId = '<virtualWanResourceId>'
Example 2: Using large parameter set
This instance deploys the module with most of its features enabled.
You can find the full example and the setup of its dependencies in the deployment test folder path [/tests/e2e/max]
via Bicep module
module virtualHub './packages/virtual-hubs/main.bicep' = {
params: {
// Required parameters
addressPrefix: '10.1.0.0/16'
name: 'nvhmax'
virtualWanResourceId: '<virtualWanResourceId>'
// Non-required parameters
hubRouteTables: [
{
name: 'routeTable1'
routes: []
}
]
hubRoutingPreference: 'ASPath'
hubVirtualNetworkConnections: [
{
name: 'connection1'
remoteVirtualNetworkResourceId: '<remoteVirtualNetworkResourceId>'
routingConfiguration: {
associatedRouteTable: {
id: '<id>'
}
propagatedRouteTables: {
ids: [
{
id: '<id>'
}
]
labels: []
}
vnetRoutes: {
staticRoutes: [
{
addressPrefixes: [
'10.150.0.0/24'
]
name: 'route1'
nextHopIpAddress: '10.150.0.5'
}
]
staticRoutesConfig: {
vnetLocalRouteOverrideCriteria: 'Contains'
}
}
}
}
]
location: '<location>'
lock: {
kind: 'CanNotDelete'
name: 'myCustomLockName'
}
preferredRoutingGateway: 'ExpressRoute'
routingIntent: {}
sku: 'Standard'
tags: {
Environment: 'Non-Prod'
'hidden-title': 'This is visible in the resource name'
Role: 'DeploymentValidation'
}
virtualRouterAsn: 65515
virtualRouterAutoScaleConfiguration: {
minCount: 2
}
}
}
via JSON parameters file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"addressPrefix": {
"value": "10.1.0.0/16"
},
"name": {
"value": "nvhmax"
},
"virtualWanResourceId": {
"value": "<virtualWanResourceId>"
},
// Non-required parameters
"hubRouteTables": {
"value": [
{
"name": "routeTable1",
"routes": []
}
]
},
"hubRoutingPreference": {
"value": "ASPath"
},
"hubVirtualNetworkConnections": {
"value": [
{
"name": "connection1",
"remoteVirtualNetworkResourceId": "<remoteVirtualNetworkResourceId>",
"routingConfiguration": {
"associatedRouteTable": {
"id": "<id>"
},
"propagatedRouteTables": {
"ids": [
{
"id": "<id>"
}
],
"labels": []
},
"vnetRoutes": {
"staticRoutes": [
{
"addressPrefixes": [
"10.150.0.0/24"
],
"name": "route1",
"nextHopIpAddress": "10.150.0.5"
}
],
"staticRoutesConfig": {
"vnetLocalRouteOverrideCriteria": "Contains"
}
}
}
}
]
},
"location": {
"value": "<location>"
},
"lock": {
"value": {
"kind": "CanNotDelete",
"name": "myCustomLockName"
}
},
"preferredRoutingGateway": {
"value": "ExpressRoute"
},
"routingIntent": {
"value": {}
},
"sku": {
"value": "Standard"
},
"tags": {
"value": {
"Environment": "Non-Prod",
"hidden-title": "This is visible in the resource name",
"Role": "DeploymentValidation"
}
},
"virtualRouterAsn": {
"value": 65515
},
"virtualRouterAutoScaleConfiguration": {
"value": {
"minCount": 2
}
}
}
}
via Bicep parameters file
using './packages/virtual-hubs/main.bicep'
// Required parameters
param addressPrefix = '10.1.0.0/16'
param name = 'nvhmax'
param virtualWanResourceId = '<virtualWanResourceId>'
// Non-required parameters
param hubRouteTables = [
{
name: 'routeTable1'
routes: []
}
]
param hubRoutingPreference = 'ASPath'
param hubVirtualNetworkConnections = [
{
name: 'connection1'
remoteVirtualNetworkResourceId: '<remoteVirtualNetworkResourceId>'
routingConfiguration: {
associatedRouteTable: {
id: '<id>'
}
propagatedRouteTables: {
ids: [
{
id: '<id>'
}
]
labels: []
}
vnetRoutes: {
staticRoutes: [
{
addressPrefixes: [
'10.150.0.0/24'
]
name: 'route1'
nextHopIpAddress: '10.150.0.5'
}
]
staticRoutesConfig: {
vnetLocalRouteOverrideCriteria: 'Contains'
}
}
}
}
]
param location = '<location>'
param lock = {
kind: 'CanNotDelete'
name: 'myCustomLockName'
}
param preferredRoutingGateway = 'ExpressRoute'
param routingIntent = {}
param sku = 'Standard'
param tags = {
Environment: 'Non-Prod'
'hidden-title': 'This is visible in the resource name'
Role: 'DeploymentValidation'
}
param virtualRouterAsn = 65515
param virtualRouterAutoScaleConfiguration = {
minCount: 2
}
Example 3: Using Routing Intent
This instance deploys the module the Virtual WAN hub with Routing Intent enabled; requires an existing Virtual Hub, as well the firewall Resource ID.
You can find the full example and the setup of its dependencies in the deployment test folder path [/tests/e2e/routing-intent]
via Bicep module
module virtualHub './packages/virtual-hubs/main.bicep' = {
params: {
// Required parameters
addressPrefix: '10.10.0.0/23'
name: 'nvhrtint'
virtualWanResourceId: '<virtualWanResourceId>'
// Non-required parameters
azureFirewallResourceId: '<azureFirewallResourceId>'
hubRoutingPreference: 'ASPath'
hubVirtualNetworkConnections: [
{
name: 'connection1'
remoteVirtualNetworkResourceId: '<remoteVirtualNetworkResourceId>'
}
]
routingIntent: {
internetToFirewall: false
privateToFirewall: true
}
}
}
via JSON parameters file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"addressPrefix": {
"value": "10.10.0.0/23"
},
"name": {
"value": "nvhrtint"
},
"virtualWanResourceId": {
"value": "<virtualWanResourceId>"
},
// Non-required parameters
"azureFirewallResourceId": {
"value": "<azureFirewallResourceId>"
},
"hubRoutingPreference": {
"value": "ASPath"
},
"hubVirtualNetworkConnections": {
"value": [
{
"name": "connection1",
"remoteVirtualNetworkResourceId": "<remoteVirtualNetworkResourceId>"
}
]
},
"routingIntent": {
"value": {
"internetToFirewall": false,
"privateToFirewall": true
}
}
}
}
via Bicep parameters file
using './packages/virtual-hubs/main.bicep'
// Required parameters
param addressPrefix = '10.10.0.0/23'
param name = 'nvhrtint'
param virtualWanResourceId = '<virtualWanResourceId>'
// Non-required parameters
param azureFirewallResourceId = '<azureFirewallResourceId>'
param hubRoutingPreference = 'ASPath'
param hubVirtualNetworkConnections = [
{
name: 'connection1'
remoteVirtualNetworkResourceId: '<remoteVirtualNetworkResourceId>'
}
]
param routingIntent = {
internetToFirewall: false
privateToFirewall: true
}
Example 4: WAF-aligned
This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.
You can find the full example and the setup of its dependencies in the deployment test folder path [/tests/e2e/waf-aligned]
via Bicep module
module virtualHub './packages/virtual-hubs/main.bicep' = {
params: {
// Required parameters
addressPrefix: '10.1.0.0/16'
name: 'nvhwaf'
virtualWanResourceId: '<virtualWanResourceId>'
// Non-required parameters
hubRouteTables: [
{
name: 'routeTable1'
}
]
hubVirtualNetworkConnections: [
{
name: 'connection1'
remoteVirtualNetworkResourceId: '<remoteVirtualNetworkResourceId>'
routingConfiguration: {
associatedRouteTable: {
id: '<id>'
}
propagatedRouteTables: {
ids: [
{
id: '<id>'
}
]
labels: [
'none'
]
}
}
}
]
tags: {
Environment: 'Non-Prod'
'hidden-title': 'This is visible in the resource name'
Role: 'DeploymentValidation'
}
}
}
via JSON parameters file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"addressPrefix": {
"value": "10.1.0.0/16"
},
"name": {
"value": "nvhwaf"
},
"virtualWanResourceId": {
"value": "<virtualWanResourceId>"
},
// Non-required parameters
"hubRouteTables": {
"value": [
{
"name": "routeTable1"
}
]
},
"hubVirtualNetworkConnections": {
"value": [
{
"name": "connection1",
"remoteVirtualNetworkResourceId": "<remoteVirtualNetworkResourceId>",
"routingConfiguration": {
"associatedRouteTable": {
"id": "<id>"
},
"propagatedRouteTables": {
"ids": [
{
"id": "<id>"
}
],
"labels": [
"none"
]
}
}
}
]
},
"tags": {
"value": {
"Environment": "Non-Prod",
"hidden-title": "This is visible in the resource name",
"Role": "DeploymentValidation"
}
}
}
}
via Bicep parameters file
using './packages/virtual-hubs/main.bicep'
// Required parameters
param addressPrefix = '10.1.0.0/16'
param name = 'nvhwaf'
param virtualWanResourceId = '<virtualWanResourceId>'
// Non-required parameters
param hubRouteTables = [
{
name: 'routeTable1'
}
]
param hubVirtualNetworkConnections = [
{
name: 'connection1'
remoteVirtualNetworkResourceId: '<remoteVirtualNetworkResourceId>'
routingConfiguration: {
associatedRouteTable: {
id: '<id>'
}
propagatedRouteTables: {
ids: [
{
id: '<id>'
}
]
labels: [
'none'
]
}
}
}
]
param tags = {
Environment: 'Non-Prod'
'hidden-title': 'This is visible in the resource name'
Role: 'DeploymentValidation'
}
Parameters
Required parameters
| Parameter | Type | Description |
|---|---|---|
addressPrefix |
string | Address-prefix for this VirtualHub. |
name |
string | The virtual hub name. |
virtualWanResourceId |
string | Resource ID of the virtual WAN to link to. |
Optional parameters
| Parameter | Type | Description |
|---|---|---|
allowBranchToBranchTraffic |
bool | Flag to control transit for VirtualRouter hub. |
azureFirewallResourceId |
string | Resource ID of the Azure Firewall to link to. |
enableTelemetry |
bool | Enable/Disable usage telemetry for module. |
expressRouteGatewayResourceId |
string | Resource ID of the Express Route Gateway to link to. |
hubRouteTables |
array | Route tables to create for the virtual hub. |
hubRoutingPreference |
string | The preferred routing preference for this virtual hub. |
hubVirtualNetworkConnections |
array | Virtual network connections to create for the virtual hub. |
location |
string | Location for all resources. |
lock |
object | The lock settings of the service. |
p2SVpnGatewayResourceId |
string | Resource ID of the Point-to-Site VPN Gateway to link to. |
preferredRoutingGateway |
string | The preferred routing gateway types. |
routeTableRoutes |
array | The VirtualHub route tables. |
routingIntent |
object | The routing intent configuration to create for the virtual hub. |
securityPartnerProviderResourceId |
string | ID of the Security Partner Provider to link to. |
securityProviderName |
string | The Security Provider name. |
sku |
string | The sku of this VirtualHub. |
tags |
object | Tags of the resource. |
virtualHubRouteTableV2s |
array | List of all virtual hub route table v2s associated with this VirtualHub. |
virtualRouterAsn |
int | VirtualRouter ASN. |
virtualRouterAutoScaleConfiguration |
object | The auto scale configuration for the virtual router. |
virtualRouterIps |
array | VirtualRouter IPs. |
vpnGatewayResourceId |
string | Resource ID of the VPN Gateway to link to. |
Parameter: addressPrefix
Address-prefix for this VirtualHub.
- Required: Yes
- Type: string
Parameter: name
The virtual hub name.
- Required: Yes
- Type: string
Parameter: virtualWanResourceId
Resource ID of the virtual WAN to link to.
- Required: Yes
- Type: string
Parameter: allowBranchToBranchTraffic
Flag to control transit for VirtualRouter hub.
- Required: No
- Type: bool
- Default:
True
Parameter: azureFirewallResourceId
Resource ID of the Azure Firewall to link to.
- Required: No
- Type: string
Parameter: enableTelemetry
Enable/Disable usage telemetry for module.
- Required: No
- Type: bool
- Default:
True
Parameter: expressRouteGatewayResourceId
Resource ID of the Express Route Gateway to link to.
- Required: No
- Type: string
Parameter: hubRouteTables
Route tables to create for the virtual hub.
- Required: No
- Type: array
Required parameters
| Parameter | Type | Description |
|---|---|---|
name |
string | The route table name. |
Optional parameters
| Parameter | Type | Description |
|---|---|---|
labels |
array | List of labels associated with this route table. |
routes |
array | List of all routes. |
Parameter: hubRouteTables.name
The route table name.
- Required: Yes
- Type: string
Parameter: hubRouteTables.labels
List of labels associated with this route table.
- Required: No
- Type: array
Parameter: hubRouteTables.routes
List of all routes.
- Required: No
- Type: array
Required parameters
| Parameter | Type | Description |
|---|---|---|
destinations |
array | The address prefix for the route. |
destinationType |
string | The destination type for the route. |
name |
string | The name of the route. |
nextHop |
string | The next hop IP address for the route. |
nextHopType |
string | The next hop type for the route. |
Parameter: hubRouteTables.routes.destinations
The address prefix for the route.
- Required: Yes
- Type: array
Parameter: hubRouteTables.routes.destinationType
The destination type for the route.
- Required: Yes
- Type: string
- Allowed:
[ 'CIDR' ]
Parameter: hubRouteTables.routes.name
The name of the route.
- Required: Yes
- Type: string
Parameter: hubRouteTables.routes.nextHop
The next hop IP address for the route.
- Required: Yes
- Type: string
Parameter: hubRouteTables.routes.nextHopType
The next hop type for the route.
- Required: Yes
- Type: string
- Allowed:
[ 'ResourceId' ]
Parameter: hubRoutingPreference
The preferred routing preference for this virtual hub.
- Required: No
- Type: string
Parameter: hubVirtualNetworkConnections
Virtual network connections to create for the virtual hub.
- Required: No
- Type: array
Required parameters
| Parameter | Type | Description |
|---|---|---|
name |
string | The connection name. |
remoteVirtualNetworkResourceId |
string | Resource ID of the virtual network to link to. |
Optional parameters
| Parameter | Type | Description |
|---|---|---|
enableInternetSecurity |
bool | Enable internet security. |
routingConfiguration |
object | Routing Configuration indicating the associated and propagated route tables for this connection. |
Parameter: hubVirtualNetworkConnections.name
The connection name.
- Required: Yes
- Type: string
Parameter: hubVirtualNetworkConnections.remoteVirtualNetworkResourceId
Resource ID of the virtual network to link to.
- Required: Yes
- Type: string
Parameter: hubVirtualNetworkConnections.enableInternetSecurity
Enable internet security.
- Required: No
- Type: bool
Parameter: hubVirtualNetworkConnections.routingConfiguration
Routing Configuration indicating the associated and propagated route tables for this connection.
- Required: No
- Type: object
Parameter: location
Location for all resources.
- Required: No
- Type: string
- Default:
[resourceGroup().location]
Parameter: lock
The lock settings of the service.
- Required: No
- Type: object
Optional parameters
| Parameter | Type | Description |
|---|---|---|
kind |
string | Specify the type of lock. |
name |
string | Specify the name of lock. |
notes |
string | Specify the notes of the lock. |
Parameter: lock.kind
Specify the type of lock.
- Required: No
- Type: string
- Allowed:
[ 'CanNotDelete' 'None' 'ReadOnly' ]
Parameter: lock.name
Specify the name of lock.
- Required: No
- Type: string
Parameter: lock.notes
Specify the notes of the lock.
- Required: No
- Type: string
Parameter: p2SVpnGatewayResourceId
Resource ID of the Point-to-Site VPN Gateway to link to.
- Required: No
- Type: string
Parameter: preferredRoutingGateway
The preferred routing gateway types.
- Required: No
- Type: string
Parameter: routeTableRoutes
The VirtualHub route tables.
- Required: No
- Type: array
Parameter: routingIntent
The routing intent configuration to create for the virtual hub.
- Required: No
- Type: object
Optional parameters
| Parameter | Type | Description |
|---|---|---|
internetToFirewall |
bool | Configures Routing Intent to Forward Internet traffic to the firewall (0.0.0.0/0). |
privateToFirewall |
bool | Configures Routing Intent to forward Private traffic to the firewall (RFC1918). |
Parameter: routingIntent.internetToFirewall
Configures Routing Intent to Forward Internet traffic to the firewall (0.0.0.0/0).
- Required: No
- Type: bool
Parameter: routingIntent.privateToFirewall
Configures Routing Intent to forward Private traffic to the firewall (RFC1918).
- Required: No
- Type: bool
Parameter: securityPartnerProviderResourceId
ID of the Security Partner Provider to link to.
- Required: No
- Type: string
- Default:
''
Parameter: securityProviderName
The Security Provider name.
- Required: No
- Type: string
- Default:
''
Parameter: sku
The sku of this VirtualHub.
- Required: No
- Type: string
- Default:
'Standard' - Allowed:
[ 'Basic' 'Standard' ]
Parameter: tags
Tags of the resource.
- Required: No
- Type: object
Parameter: virtualHubRouteTableV2s
List of all virtual hub route table v2s associated with this VirtualHub.
- Required: No
- Type: array
- Default:
[]
Parameter: virtualRouterAsn
VirtualRouter ASN.
- Required: No
- Type: int
Parameter: virtualRouterAutoScaleConfiguration
The auto scale configuration for the virtual router.
- Required: No
- Type: object
Required parameters
| Parameter | Type | Description |
|---|---|---|
minCount |
int | The minimum number of virtual routers in the scale set. |
Parameter: virtualRouterAutoScaleConfiguration.minCount
The minimum number of virtual routers in the scale set.
- Required: Yes
- Type: int
Parameter: virtualRouterIps
VirtualRouter IPs.
- Required: No
- Type: array
Parameter: vpnGatewayResourceId
Resource ID of the VPN Gateway to link to.
- Required: No
- Type: string
Outputs
| Output | Type | Description |
|---|---|---|
location |
string | The location the resource was deployed into. |
name |
string | The name of the virtual hub. |
resourceGroupName |
string | The resource group the virtual hub was deployed into. |
resourceId |
string | The resource ID of the virtual hub. |
Cross-referenced modules
This section gives you an overview of all local-referenced module files (i.e., other modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
| Reference | Type |
|---|---|
./packages/utl-common-types/main.bicep |
Local Reference |
Data Collection
The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft's privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.
Changelog
The latest version of the changelog can be found here.
0.4.3
Changes
- Updated child module deployment names to use stable identifiers instead of
deployment().nameto prevent deployment history accumulation when using Azure Deployment Stacks. - Update API versions to 2025-01-01
- Added additional resource derived types
Breaking Changes
- None
0.4.2
Changes
- Updated all resource API versions to where available to address lint warnings.
Breaking Changes
- None
0.4.1
Changes
- Added type for
tagsparameter - Updated LockType to 'avm-common-types version'
0.6.0, enabling custom notes for locks.
Breaking Changes
- None
0.4.0
Changes
- Initial version
- Updated ReadMe with AzAdvertizer reference
Breaking Changes
- None
{
"workingFolder": "packages",
"packages": [
// packages defined earlier
{
"name": "avm-bicep/virtual-hubs",
"version": "0.4.3"
}
]
}
Stats
Selected version:
0.4.3
Downloads this version:
0
Downloads all versions:
1
Latest version:
0.4.3
Latest update:
14-01-2026
avm-bicep
Other packages
from avm-bicep
Ready to End Infrastructure Code Chaos?
Join infrastructure teams who've moved from scattered repositories to unified package management
Built by infrastructure experts
Who understand your challengesComplete solutions
No scattered filesSee what's deployed where
When it needs updatesZero vendor lock-in
Packages work without usDirect founder access Zero security incidents in 2+ years Works with any cloud, any CI/CD platform