Hey, we had a similar issue with getting connections to work from vWAN hub to Azure ER and vNETs. The way we got it to work with HA functions is as follows:

- Deploy 2x vMXs with auto-VPN from sites as per normal.
- Use the guide: https://docs.microsoft.com/en-us/azure/virtual-wan/scenario-route-through-nva
- Create an Azure standard internal load-balancer with a health check to port 80 to both of the vMXs.
- Point the static route to the internal IP of the load-balancer.

We've got full HA working to the vMXs, with ping from a site laptop to local peered vNETs to the vWAN hub, plus connectivity to private express-route hosts directly from sites over the auto-VPN to the vMX. I make no comment if this is the most efficient approach but it works for us - but you won't get BGP routes.