Hello @Abdullah Alattar ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to route all your S2S VPN incoming traffic from on-premises via Azure Firewall.
In order to set up a Hub and Spoke architecture with an Azure Firewall and route the S2S VPN traffic via the Firewall, you will have to:
1# Deploy the Azure Firewall in the Hub Vnet (Hub Vnet is the Vnet where your VPN gateway is deployed).
2# Peer the Hub and Spoke Vnets with the options below so that your spokes use the hub VPN gateway to communicate with remote (on-premises) networks:
- Configure the peering connection in the hub to allow gateway transit.
- Configure the peering connection in each spoke to use remote gateways.
- Configure all peering connections to allow forwarded traffic.
3# For on-premises to Azure traffic:
Create User Defined Routes (UDRs) on the hub VPN gateway subnet with the address spaces of your hub and spoke Vnets pointing to the Azure Firewall IP address as the next hop.
4# For Azure to on-premises traffic:
Create User Defined Routes (UDRs) on the spoke subnets with the destination address space of your on-premises network pointing to the Azure Firewall IP address as the next hop.
Below are a couple of Hub and Spoke architectures for your reference:
https://learn.microsoft.com/en-us/azure/firewall/tutorial-hybrid-ps
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" below if the information helped you. This will help us and others in the community as well.
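The four steps above, carried out end to end with the Az PowerShell module, as an added example that is not part of the original answer or of the linked Microsoft tutorial. Every name, address range and port in it is a constructed assumption: a hub Vnet `vnet-hub` (10.0.0.0/16, workload subnet 10.0.1.0/24, VPN gateway in `GatewaySubnet`, firewall `afw-hub` in `AzureFirewallSubnet`), one spoke `vnet-spoke` (10.1.0.0/16, subnet `snet-workload` 10.1.1.0/24) and an on-premises range of 192.168.1.0/24. It goes slightly beyond the answer in two places that a practitioner hits immediately: the spoke route table disables BGP route propagation so that routes learned from the VPN gateway do not bypass the firewall, and a firewall network rule is added, because once traffic is steered through Azure Firewall it is dropped unless a rule allows it.

```powershell
# Assumptions (constructed for this example): resource group, region and resource names.
$rg  = 'rg-hybrid'
$loc = 'eastus'
$hubWorkloadPrefix   = '10.0.1.0/24'   # hub workload subnet
$spokePrefix         = '10.1.0.0/16'   # whole spoke Vnet
$spokeWorkloadPrefix = '10.1.1.0/24'   # spoke workload subnet
$onPremPrefix        = '192.168.1.0/24' # on-premises network behind the S2S VPN

# Step 1 assumed done: Azure Firewall already deployed in the hub Vnet.
# Read its private IP; this is the next hop for every UDR below.
$azFw = Get-AzFirewall -Name 'afw-hub' -ResourceGroupName $rg
$fwIp = $azFw.IpConfigurations[0].PrivateIPAddress

$hubVnet   = Get-AzVirtualNetwork -Name 'vnet-hub'   -ResourceGroupName $rg
$spokeVnet = Get-AzVirtualNetwork -Name 'vnet-spoke' -ResourceGroupName $rg

# Step 2: peer hub and spoke.
#   hub side  -> AllowGatewayTransit (spoke may use the hub VPN gateway)
#   spoke side -> UseRemoteGateways  (spoke uses the hub VPN gateway)
#   both sides -> AllowForwardedTraffic (packets forwarded by the firewall are accepted)
Add-AzVirtualNetworkPeering -Name 'hub-to-spoke' -VirtualNetwork $hubVnet `
    -RemoteVirtualNetworkId $spokeVnet.Id -AllowGatewayTransit -AllowForwardedTraffic | Out-Null
Add-AzVirtualNetworkPeering -Name 'spoke-to-hub' -VirtualNetwork $spokeVnet `
    -RemoteVirtualNetworkId $hubVnet.Id -UseRemoteGateways -AllowForwardedTraffic | Out-Null

# Step 3: on-premises -> Azure. UDRs on GatewaySubnet send traffic for the hub
# workload subnet and the spoke Vnet to the firewall instead of directly to the VMs.
$gwRt = New-AzRouteTable -Name 'rt-gatewaysubnet' -ResourceGroupName $rg -Location $loc
Add-AzRouteConfig -RouteTable $gwRt -Name 'to-hub-workload' -AddressPrefix $hubWorkloadPrefix `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwIp | Out-Null
Add-AzRouteConfig -RouteTable $gwRt -Name 'to-spoke' -AddressPrefix $spokePrefix `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwIp | Out-Null
Set-AzRouteTable -RouteTable $gwRt | Out-Null

$hubVnet = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg   # refresh after peering
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $hubVnet -Name 'GatewaySubnet'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $hubVnet -Name 'GatewaySubnet' `
    -AddressPrefix $gwSubnet.AddressPrefix -RouteTable $gwRt | Out-Null
$hubVnet | Set-AzVirtualNetwork | Out-Null

# Step 4: Azure -> on-premises. UDR on the spoke workload subnet sends traffic for the
# on-premises range to the firewall. DisableBgpRoutePropagation keeps the gateway-learned
# route for 192.168.1.0/24 out of this subnet, otherwise the more specific learned route
# could win and traffic would go straight to the VPN gateway, bypassing inspection.
$spokeRt = New-AzRouteTable -Name 'rt-spoke-workload' -ResourceGroupName $rg -Location $loc `
    -DisableBgpRoutePropagation
Add-AzRouteConfig -RouteTable $spokeRt -Name 'to-onprem' -AddressPrefix $onPremPrefix `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwIp | Out-Null
Set-AzRouteTable -RouteTable $spokeRt | Out-Null

$spokeVnet = Get-AzVirtualNetwork -Name 'vnet-spoke' -ResourceGroupName $rg   # refresh after peering
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $spokeVnet -Name 'snet-workload' `
    -AddressPrefix $spokeWorkloadPrefix -RouteTable $spokeRt | Out-Null
$spokeVnet | Set-AzVirtualNetwork | Out-Null

# Beyond the answer's four steps: Azure Firewall denies everything by default, so the
# routed flows need an explicit network rule. This one allows only HTTPS from the
# on-premises range to the spoke workload subnet (assumed policy; widen deliberately).
$rule = New-AzFirewallNetworkRule -Name 'allow-onprem-https-to-spoke' -Protocol TCP `
    -SourceAddress $onPremPrefix -DestinationAddress $spokeWorkloadPrefix -DestinationPort 443
$coll = New-AzFirewallNetworkRuleCollection -Name 'rc-hybrid' -Priority 100 -Rule $rule -ActionType Allow
$azFw.NetworkRuleCollections = $coll
Set-AzFirewall -AzureFirewall $azFw | Out-Null

# Verification: the effective route for the spoke VM NIC should list 192.168.1.0/24 with
# next hop VirtualAppliance = $fwIp. Replace 'nic-spoke-vm' with the real NIC name.
Get-AzEffectiveRouteTable -NetworkInterfaceName 'nic-spoke-vm' -ResourceGroupName $rg |
    Where-Object { $_.AddressPrefix -contains $onPremPrefix } |
    Select-Object AddressPrefix, NextHopType, NextHopIpAddress
```

The last command is the check to run after every change: if the on-premises prefix still shows `NextHopType = VirtualNetworkGateway` on the spoke NIC, the UDR is not associated or BGP propagation is still enabled and the firewall is being bypassed in that direction. The same check on a hub VM NIC shows whether the GatewaySubnet route table is steering return traffic through the firewall.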