Converting VWAN hub to secure hub (Azure Firewall)


How can get Terraform to “Convert to secure hub”?

I’m trying to deploy a virtual WAN in Azure, and I’ve got the vWAN created with hubs, and VNETs connected.

I’m using

I’m confused why there’s no syntax in the *_virtual_hub module that would allow me to create the hub as secured with a block inside.

I see that there is *_virtual_hub_security_partner_provider, which happens at least similarly, or perhaps only similar through the GUI? Is there an analogous “*_virutal_hub_secure_hub” or something with a better name?

I don’t find any settings elsewhere that indicate converting a hub to a secured hub.

I’ve also gone after the idea of creating an azurerm_firewall and attaching it to the hub, but I get blocked at trying to define the subnet ID for the hub, or why the subnet isn’t named “AzureFirewallSubnet”.

I’m hoping that I’ve missed something simple.

Thanks for any assistance.


  1. You create the hub’s virtual network with a subnet named “AzureFirewallSubnet”. It can only have that name.
  2. Create the wan and virtual hub.
  3. Create the firewall with a virtual_hub section, sku_name = “AZFW_Hub” and threat_intel_mode = “”
    (Yes, an empty string is what we want. Apparently anything else will result in error including Off)
  4. Create the azurerm_virtual_hub_connection and azurerm_virtual_hub_route_table. Failure to setup routing will result in something like “provisioning route: failed to provision routing on Virtual Hub”.