The HUB VNET contains the Firewall Subnet, the Gateway VPN Subnet (which has a SITE TO SITE VPN) and the workload Subnet A. The Spoke VNET contains other workloads in Subnet B.

Once it is set up this way (Gateway Subnet, Firewall Subnet, and Hub Subnet A), all traffic over the site-to-site VPN already passes through the Gateway VPN Subnet.

How do you set up ROUTING so that ALL TRAFFIC goes through the Firewall?

  1. All you have to do is attach a ROUTE (ROUTE-FW) to the Gateway Subnet with the NEXT HOP set to the Firewall Subnet.
  2. Add another Route for Subnet B, one whose next hop is also the Gateway Subnet AND which disables BGP route propagation.
  3. This ensures that traffic from Subnet B (a spoke PEERED with the HUB) goes through the Firewall, and traffic from Subnet A also goes through the Firewall.
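Added example (not from the original post) modelling why step 2 has to disable BGP route propagation: Azure picks the longest-prefix match and, on equal prefix length, prefers a user-defined route over a BGP route over a system route, so a /24 learned over the VPN would otherwise beat the 0.0.0.0/0 route and bypass the firewall. The model points Subnet B's route at the firewall's private IP (next hop type VirtualAppliance), which is how a user-defined route sends traffic through the firewall; all addresses and prefixes are constructed.

```python
# Added example: a small model of Azure's effective-route selection for a subnet,
# used to show why Subnet B's route table must disable BGP route propagation.
# Constructed values: firewall private IP 10.0.1.4, on-prem prefix 192.168.10.0/24.
# Not Azure code; it reproduces the documented order: longest prefix wins, then UDR > BGP > System.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PRIORITY = {"UDR": 0, "BGP": 1, "System": 2}

@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str          # VirtualAppliance, VirtualNetworkGateway, VnetLocal, VNetPeering, Internet
    next_hop_ip: str = ""
    source: str = "System"      # UDR, BGP or System

FIREWALL_IP = "10.0.1.4"        # constructed: firewall's private IP in the Firewall Subnet
ONPREM = "192.168.10.0/24"      # constructed: prefix learned over the site-to-site VPN via BGP

SYSTEM_ROUTES = [                                   # what Azure installs on Subnet B by itself
    Route("10.0.0.0/16", "VNetPeering"),            # hub VNET, reachable via peering
    Route("10.1.0.0/16", "VnetLocal"),              # spoke VNET that contains Subnet B
    Route("0.0.0.0/0", "Internet"),
]
BGP_ROUTES = [Route(ONPREM, "VirtualNetworkGateway", source="BGP")]   # propagated from the VPN gateway
ROUTE_FW = Route("0.0.0.0/0", "VirtualAppliance", FIREWALL_IP, source="UDR")  # the user-defined route

def effective_routes(udrs, disable_bgp_propagation):
    routes = list(SYSTEM_ROUTES) + list(udrs)
    if not disable_bgp_propagation:                 # propagation on: BGP routes land on the subnet too
        routes += BGP_ROUTES
    return routes

def select_route(routes, dst):
    """Longest prefix match; ties go to UDR, then BGP, then System (Azure's order)."""
    addr = ip_address(dst)
    candidates = [r for r in routes if addr in ip_network(r.prefix)]
    return max(candidates, key=lambda r: (ip_network(r.prefix).prefixlen, -PRIORITY[r.source]))

def next_hop_from_subnet_b(dst, disable_bgp_propagation):
    r = select_route(effective_routes([ROUTE_FW], disable_bgp_propagation), dst)
    return (r.next_hop_type, r.next_hop_ip)

if __name__ == "__main__":
    # Propagation left on: the /24 learned from the VPN beats the /0 UDR, so on-prem traffic skips the firewall.
    print(next_hop_from_subnet_b("192.168.10.5", disable_bgp_propagation=False))
    # Propagation disabled: only the UDR matches, so on-prem traffic goes via the firewall.
    print(next_hop_from_subnet_b("192.168.10.5", disable_bgp_propagation=True))
```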
azure hub spoke firewall