microsoftdocs/azure-virtual-wan
skills/azure-virtual-wan/SKILL.md
Expert knowledge for Azure Virtual WAN development including troubleshooting, decision making, architecture & design patterns, limits & quotas, security, configuration, integrations & coding patterns, and deployment. Use when designing VWAN hubs, P2S VPN, hub routing with NVAs/Firewall, ExpressRoute/SD-WAN, or Entra ID-secured access, and other Azure Virtual WAN related development tasks. Not for Azure Virtual Network (use azure-virtual-network), Azure VPN Gateway (use azure-vpn-gateway), Azure ExpressRoute (use azure-expressroute), Azure Traffic Manager (use azure-traffic-manager).
$ install --global
skillsauthnpx skillsauth add microsoftdocs/agent-skills azure-virtual-wanInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 3, 2026, 3:10 AM85.4s1 file scanned
SKILL.md
- name:
- azure-virtual-wan
- description:
- Expert knowledge for Azure Virtual WAN development including troubleshooting, decision making, architecture & design patterns, limits & quotas, security, configuration, integrations & coding patterns, and deployment. Use when designing VWAN hubs, P2S VPN, hub routing with NVAs/Firewall, ExpressRoute/SD-WAN, or Entra ID-secured access, and other Azure Virtual WAN related development tasks. Not for Azure Virtual Network (use azure-virtual-network), Azure VPN Gateway (use azure-vpn-gateway), Azure ExpressRoute (use azure-expressroute), Azure Traffic Manager (use azure-traffic-manager).
- compatibility:
- Requires network access. Uses mcp_microsoftdocs:microsoft_docs_fetch or fetch_webpage to retrieve documentation.
- generated_at:
- 2026-05-31
- generator:
- docs2skills/1.0.0
Azure Virtual WAN Skill
This skill provides expert guidance for Azure Virtual WAN. Covers troubleshooting, decision making, architecture & design patterns, limits & quotas, security, configuration, integrations & coding patterns, and deployment. It combines local quick-reference content with remote documentation fetching capabilities.
How to Use This Skill
IMPORTANT for Agent: Use the Category Index below to locate relevant sections. For categories with line ranges (e.g.,
L35-L120), useread_filewith the specified lines. For categories with file links (e.g.,[security.md](security.md)), useread_fileon the linked reference file
IMPORTANT for Agent: If
metadata.generated_atis more than 3 months old, suggest the user pull the latest version from the repository. Ifmcp_microsoftdocstools are not available, suggest the user install it: Installation Guide
This skill requires network access to fetch documentation content:
- Preferred: Use
mcp_microsoftdocs:microsoft_docs_fetchwith query stringfrom=learn-agent-skill. Returns Markdown. - Fallback: Use
fetch_webpagewith query stringfrom=learn-agent-skill&accept=text/markdown. Returns Markdown.
Category Index
| Category | Lines | Description | |----------|-------|-------------| | Troubleshooting | L36-L41 | Diagnosing and fixing Virtual WAN issues, including P2S VPN client prerequisite checks, connectivity problems, and using built-in tools and diagnostics for troubleshooting. | | Decision Making | L42-L49 | Guidance on planning Virtual WAN deployments: using NVAs in hubs, migrating Linux VPN clients, upgrading from Basic to Standard, and choosing partners and hub locations. | | Architecture & Design Patterns | L50-L78 | Designing and troubleshooting Azure Virtual WAN architectures: routing patterns, hub-and-spoke and global transit designs, security/firewall integration, SD-WAN, isolation, DR, and Microsoft 365 connectivity. | | Limits & Quotas | L79-L84 | P2S VPN client IP pool sizing, scale limits, and Virtual WAN hub routing capabilities, throughput caps, and performance constraints | | Security | L85-L96 | Configuring secure P2S VPN access in Virtual WAN using Microsoft Entra ID (MFA, OpenVPN, custom app IDs), Azure VPN Client setup/migration, and hub roles/permissions. | | Configuration | L97-L148 | Configuring Azure Virtual WAN hubs, routing, VPN (P2S/Always On), IPsec, NAT, BGP, NVAs, Azure Firewall, Entra ID auth, certificates, and monitoring/metrics for Virtual WAN. | | Integrations & Coding Patterns | L149-L156 | PowerShell and automation patterns for integrating Virtual WAN with ExpressRoute, SD-WAN/VPN CPEs, RADIUS user groups, and sharing services via Azure Private Link | | Deployment | L157-L161 | PowerShell-based deployment of cross-tenant VNet connections to Virtual WAN hubs and step-by-step setup of integrated NVAs inside Virtual WAN hubs. |
Troubleshooting
| Topic | URL | |-------|-----| | Use Azure VPN Client prerequisites check for P2S | https://learn.microsoft.com/en-us/azure/virtual-wan/azure-vpn-client-prerequisites-check | | Troubleshooting tools and diagnostics for Azure Virtual WAN | https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-troubleshooting-overview |
Decision Making
| Topic | URL | |-------|-----| | Use Network Virtual Appliances in a Virtual WAN hub | https://learn.microsoft.com/en-us/azure/virtual-wan/about-nva-hub | | Plan migration from Azure VPN Client for Linux | https://learn.microsoft.com/en-us/azure/virtual-wan/azure-vpn-client-linux-retirement | | Decide and perform upgrade from Basic to Standard Virtual WAN | https://learn.microsoft.com/en-us/azure/virtual-wan/upgrade-virtual-wan | | Select Azure Virtual WAN partners and hub locations | https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-locations-partners |
Architecture & Design Patterns
| Topic | URL | |-------|-----| | Routing intent patterns to secure internet access | https://learn.microsoft.com/en-us/azure/virtual-wan/about-internet-routing | | Choose routing preference in Azure Virtual WAN hubs | https://learn.microsoft.com/en-us/azure/virtual-wan/about-virtual-hub-routing-preference | | Design disaster recovery architecture for Azure Virtual WAN | https://learn.microsoft.com/en-us/azure/virtual-wan/disaster-recovery-design | | Design selective Azure Firewall bypass in secure hubs | https://learn.microsoft.com/en-us/azure/virtual-wan/firewall-custom-bypass | | Combine Azure Firewall and spoke NVAs with static routing | https://learn.microsoft.com/en-us/azure/virtual-wan/hybrid-firewall-spoke-static | | Route traffic to indirect spokes with Virtual WAN | https://learn.microsoft.com/en-us/azure/virtual-wan/indirect-spoke-architecture | | Architect China interconnect using Virtual WAN secured hubs | https://learn.microsoft.com/en-us/azure/virtual-wan/interconnect-china | | Migrate hub-and-spoke networks to Azure Virtual WAN | https://learn.microsoft.com/en-us/azure/virtual-wan/migrate-from-hub-spoke-topology | | Deep dive into Azure Virtual WAN routing behavior | https://learn.microsoft.com/en-us/azure/virtual-wan/routing-deep-dive | | Use routing intent with static routes in Azure Virtual WAN | https://learn.microsoft.com/en-us/azure/virtual-wan/routing-intent-static-route | | Connect Microsoft 365 via ExpressRoute private peering in Virtual WAN | https://learn.microsoft.com/en-us/azure/virtual-wan/scenario-365-expressroute-private | | Implement any-to-any routing with Virtual WAN hubs | https://learn.microsoft.com/en-us/azure/virtual-wan/scenario-any-to-any | | Configure BGP peering with Azure Virtual WAN hubs | https://learn.microsoft.com/en-us/azure/virtual-wan/scenario-bgp-peering-hub | | Design Virtual WAN routing to isolate VNets | https://learn.microsoft.com/en-us/azure/virtual-wan/scenario-isolate-vnets | | Configure custom VNet isolation with Virtual WAN routing | https://learn.microsoft.com/en-us/azure/virtual-wan/scenario-isolate-vnets-custom | | Secure Application Gateway traffic via Virtual WAN secured hub | https://learn.microsoft.com/en-us/azure/virtual-wan/scenario-secured-hub-app-gateway | | Route to shared services VNets using Virtual WAN | https://learn.microsoft.com/en-us/azure/virtual-wan/scenario-shared-services-vnet | | Integrate private SD-WAN with Azure Virtual WAN | https://learn.microsoft.com/en-us/azure/virtual-wan/sd-wan-connectivity-architecture | | Inspect north-south traffic with spoke NVAs in Virtual WAN | https://learn.microsoft.com/en-us/azure/virtual-wan/spoke-inspection-north-south | | Design static routing patterns in Azure Virtual WAN | https://learn.microsoft.com/en-us/azure/virtual-wan/static-routes | | Route Virtual WAN traffic through Azure Firewall | https://learn.microsoft.com/en-us/azure/virtual-wan/static-routes-firewall-basic | | Select third-party integrations in Virtual WAN hubs | https://learn.microsoft.com/en-us/azure/virtual-wan/third-party-integrations | | Design hub-and-spoke with Virtual WAN and Network Manager | https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-network-manager-integration | | Choose connectivity options between Azure Virtual WANs | https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-connectivity | | Design global transit network architecture with Virtual WAN | https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-global-transit-network-architecture |
Limits & Quotas
| Topic | URL | |-------|-----| | Plan P2S client address pools and scale for Virtual WAN | https://learn.microsoft.com/en-us/azure/virtual-wan/about-client-address-pools | | Virtual hub routing capabilities and throughput limits | https://learn.microsoft.com/en-us/azure/virtual-wan/about-virtual-hub-routing |
Security
| Topic | URL | |-------|-----| | Secure P2S client access to spoke VNets with Virtual WAN | https://learn.microsoft.com/en-us/azure/virtual-wan/manage-secure-access-resources-spoke-p2s | | Enable Microsoft Entra multifactor authentication for VPN users | https://learn.microsoft.com/en-us/azure/virtual-wan/openvpn-azure-ad-mfa | | Configure a Microsoft Entra tenant for Virtual WAN P2S OpenVPN | https://learn.microsoft.com/en-us/azure/virtual-wan/openvpn-azure-ad-tenant | | Configure Entra-based OpenVPN auth with multiple apps | https://learn.microsoft.com/en-us/azure/virtual-wan/openvpn-azure-ad-tenant-multi-app | | Migrate P2S VPN to Microsoft-registered Azure VPN Client app | https://learn.microsoft.com/en-us/azure/virtual-wan/point-to-site-entra-gateway-update | | Create custom Entra app IDs for P2S VPN authentication | https://learn.microsoft.com/en-us/azure/virtual-wan/point-to-site-entra-register-custom-app | | Configure Azure VPN Client for P2S with Microsoft Entra ID | https://learn.microsoft.com/en-us/azure/virtual-wan/point-to-site-entra-vpn-client-windows | | Assign roles and permissions for Azure Virtual WAN hubs | https://learn.microsoft.com/en-us/azure/virtual-wan/roles-permissions |
Configuration
| Topic | URL | |-------|-----| | Work with Azure Virtual WAN User VPN client profiles | https://learn.microsoft.com/en-us/azure/virtual-wan/about-vpn-profile-download | | Configure optional Azure VPN Client OpenVPN settings | https://learn.microsoft.com/en-us/azure/virtual-wan/azure-vpn-client-optional-configurations | | Generate P2S User VPN certificates using PowerShell | https://learn.microsoft.com/en-us/azure/virtual-wan/certificates-point-to-site | | Generate P2S User VPN certificates using MakeCert | https://learn.microsoft.com/en-us/azure/virtual-wan/certificates-point-to-site-makecert | | Configure BGP peering to NVA in Virtual WAN hub | https://learn.microsoft.com/en-us/azure/virtual-wan/create-bgp-peering-hub-portal | | Configure BGP peering from Virtual WAN hub to NVA (PowerShell) | https://learn.microsoft.com/en-us/azure/virtual-wan/create-bgp-peering-hub-powershell | | View effective routes for a Virtual WAN hub | https://learn.microsoft.com/en-us/azure/virtual-wan/effective-routes-virtual-hub | | Configure and understand Virtual WAN gateway settings | https://learn.microsoft.com/en-us/azure/virtual-wan/gateway-settings | | Configure forced tunneling for Virtual WAN P2S VPN | https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-forced-tunnel | | Manage IP configurations for NVAs in Virtual WAN hubs | https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-network-virtual-appliance-add-ip-configurations | | Configure DNAT for Virtual WAN integrated NVAs | https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-network-virtual-appliance-inbound | | Configure Palo Alto Cloud NGFW in Azure Virtual WAN hub | https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-palo-alto-cloud-ngfw | | Configure Virtual WAN hub routing policies (intent) | https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-routing-policies | | Configure Azure Virtual WAN virtual hub routing | https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-virtual-hub-routing | | Configure virtual hub routing with Azure PowerShell | https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-virtual-hub-routing-powershell | | Set virtual hub routing preference with PowerShell | https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-virtual-hub-routing-preference-powershell | | Configure Always On VPN device tunnel for Azure Virtual WAN | https://learn.microsoft.com/en-us/azure/virtual-wan/howto-always-on-device-tunnel | | Configure Always On VPN user tunnel for Azure Virtual WAN | https://learn.microsoft.com/en-us/azure/virtual-wan/howto-always-on-user-tunnel | | Configure Azure Firewall in a Virtual WAN secured hub | https://learn.microsoft.com/en-us/azure/virtual-wan/howto-firewall | | Set virtual hub routing preference in Azure portal | https://learn.microsoft.com/en-us/azure/virtual-wan/howto-virtual-hub-routing-preference | | Configure Azure Virtual WAN hub settings and scale units | https://learn.microsoft.com/en-us/azure/virtual-wan/hub-settings | | Reference monitoring metrics and logs for Azure Virtual WAN | https://learn.microsoft.com/en-us/azure/virtual-wan/monitor-virtual-wan-reference | | Configure VPN NAT rules on Azure Virtual WAN gateways | https://learn.microsoft.com/en-us/azure/virtual-wan/nat-rules-vpn-gateway | | Configure VPN NAT rules for Virtual WAN using PowerShell | https://learn.microsoft.com/en-us/azure/virtual-wan/nat-rules-vpn-gateway-powershell | | Use next hop IP and BGP peering in Virtual WAN | https://learn.microsoft.com/en-us/azure/virtual-wan/next-hop-ip | | Configure Azure path selection across multiple WAN links | https://learn.microsoft.com/en-us/azure/virtual-wan/path-selection-multiple-links | | Generate P2S User VPN certificates on Linux with OpenSSL | https://learn.microsoft.com/en-us/azure/virtual-wan/point-to-site-certificates-linux-openssl | | Generate P2S User VPN certificates on Linux with strongSwan | https://learn.microsoft.com/en-us/azure/virtual-wan/point-to-site-certificates-linux-strongswan | | Configure Virtual WAN P2S VPN with Entra ID and registered client | https://learn.microsoft.com/en-us/azure/virtual-wan/point-to-site-entra-gateway | | Configure Azure VPN Client with Entra ID on Linux | https://learn.microsoft.com/en-us/azure/virtual-wan/point-to-site-entra-vpn-client-linux | | Configure Azure VPN Client with Entra ID on macOS | https://learn.microsoft.com/en-us/azure/virtual-wan/point-to-site-entra-vpn-client-mac | | Reference IPsec policy combinations for Virtual WAN P2S | https://learn.microsoft.com/en-us/azure/virtual-wan/point-to-site-ipsec | | Understand and configure Virtual WAN Route-maps | https://learn.microsoft.com/en-us/azure/virtual-wan/route-maps-about | | Drop inbound branch routes with Virtual WAN Route-maps | https://learn.microsoft.com/en-us/azure/virtual-wan/route-maps-drop-inbound-branch-sites | | Configure Route-maps for Azure Virtual WAN hubs | https://learn.microsoft.com/en-us/azure/virtual-wan/route-maps-how-to | | Summarize routes leaving Virtual WAN using Route-maps | https://learn.microsoft.com/en-us/azure/virtual-wan/route-maps-how-to-summarize-routes-leaving-your-virtual-wan | | Prepend routes using Virtual WAN Route-maps | https://learn.microsoft.com/en-us/azure/virtual-wan/route-maps-prepend-routes | | Summarize NVA spoke routes with Virtual WAN Route-maps | https://learn.microsoft.com/en-us/azure/virtual-wan/route-maps-summarize-from-device-spoke-vnet-nva | | Tag routes using Virtual WAN Route-maps | https://learn.microsoft.com/en-us/azure/virtual-wan/route-maps-tag-routes | | Understand user groups and IP pools for P2S VPN | https://learn.microsoft.com/en-us/azure/virtual-wan/user-groups-about | | Configure P2S user groups and IP address pools | https://learn.microsoft.com/en-us/azure/virtual-wan/user-groups-create | | Configure custom IPsec policies for Virtual WAN in the portal | https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-custom-ipsec-portal | | Reference IPsec policy combinations for Azure Virtual WAN | https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-ipsec | | Configure Virtual WAN P2S with Entra ID auth | https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-point-to-site-azure-ad | | Create virtual hub route tables to NVAs via PowerShell | https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-route-table-nva | | Create virtual hub route tables to NVAs via portal | https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-route-table-nva-portal | | Configure IPsec over ExpressRoute in Azure Virtual WAN | https://learn.microsoft.com/en-us/azure/virtual-wan/vpn-over-expressroute | | Create Intune custom profiles for Azure VPN clients | https://learn.microsoft.com/en-us/azure/virtual-wan/vpn-profile-intune |
Integrations & Coding Patterns
| Topic | URL | |-------|-----| | Create ExpressRoute associations to Virtual WAN via PowerShell | https://learn.microsoft.com/en-us/azure/virtual-wan/expressroute-powershell | | Share Azure Private Link services via Virtual WAN | https://learn.microsoft.com/en-us/azure/virtual-wan/howto-private-link | | Configure RADIUS VSAs for Virtual WAN user groups | https://learn.microsoft.com/en-us/azure/virtual-wan/user-groups-radius | | Automate SD-WAN and VPN CPE integration with Virtual WAN | https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-configure-automation-providers |
Deployment
| Topic | URL | |-------|-----| | Connect cross-tenant VNets to Virtual WAN hubs with PowerShell | https://learn.microsoft.com/en-us/azure/virtual-wan/cross-tenant-vnet | | Deploy an integrated NVA in an Azure Virtual WAN hub | https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-nva-hub |
Related Skills
microsoftdocs/microsoft-foundry
tools
VerifiedTrustedCommunity
Expert knowledge for Microsoft Foundry (aka Azure AI Foundry) development including troubleshooting, best practices, decision making, architecture & design patterns, limits & quotas, security, configuration, integrations & coding patterns, and deployment. Use when building Foundry agents with Azure OpenAI, model router patterns, MCP tools, private networking, or eval workflows, and other Microsoft Foundry related development tasks. Not for Microsoft Foundry Classic (use microsoft-foundry-classic), Microsoft Foundry Local (use microsoft-foundry-local), Microsoft Foundry Tools (use microsoft-foundry-tools).
568SKILL.mdUpdated Apr 17, 2026
microsoftdocs/microsoft-foundry-local
tools
VerifiedTrustedCommunity
Expert knowledge for Microsoft Foundry Local (aka Azure AI Foundry Local) development including troubleshooting, decision making, configuration, and integrations & coding patterns. Use when calling Foundry Local REST/chat APIs, tools, transcription, LangChain apps, Olive HF compilation, or CLI, and other Microsoft Foundry Local related development tasks. Not for Microsoft Foundry (use microsoft-foundry), Microsoft Foundry Classic (use microsoft-foundry-classic), Microsoft Foundry Tools (use microsoft-foundry-tools), Azure Local (use azure-local).
568SKILL.mdUpdated Apr 17, 2026
microsoftdocs/microsoft-foundry-classic
tools
VerifiedTrustedCommunity
Expert knowledge for Microsoft Foundry Classic (aka Azure AI Foundry classic) development including troubleshooting, best practices, decision making, architecture & design patterns, limits & quotas, security, configuration, integrations & coding patterns, and deployment. Use when building Foundry agents, configuring model routing, securing VNets/Private Link, integrating tools/SDKs, or deploying hubs, and other Microsoft Foundry Classic related development tasks. Not for Microsoft Foundry (use microsoft-foundry), Microsoft Foundry Local (use microsoft-foundry-local), Microsoft Foundry Tools (use microsoft-foundry-tools).
568SKILL.mdUpdated Apr 17, 2026
microsoftdocs/azure-well-architected
development
VerifiedTrustedCommunity
Expert guidance for designing, assessing, and optimizing Azure workloads using Azure Well Architected. Covers design review checklists, recommendations, design principles, tradeoffs, service guides, workload patterns, and assessment questions. Use when designing AI, HPC, SaaS, AVD, or mission-critical workloads with WAF-aligned Azure patterns and guidance, and other Azure Well Architected related development tasks.
568SKILL.mdUpdated Apr 17, 2026