Thank you for reaching out.
I understand you are facing a connectivity issue routing traffic from your spoke Vnet to on-prem via Azure Firewall in the Hub Vnet.
Based on a similar implementation here: To route the spoke subnet traffic through the hub firewall, you can use a user-defined route (UDR) that points to the firewall with the Virtual network gateway route propagation option disabled. Disabling this option prevents route distribution to the spoke subnets, so learned routes can't conflict with your UDR. If you want to keep Virtual network gateway route propagation enabled, make sure that you define specific routes to the firewall to override routes that are published from on-premises over Border Gateway Protocol (BGP).
You can also go through the documentation above to validate that no configuration or prerequisite has been missed.
If the above does not help, you can follow the troubleshooting steps below to help pinpoint the issue.
- First validate whether the Hub Azure Firewall is receiving the traffic from the Spoke Vnet. You can validate this connectivity using Structured firewall logs, where you can query the AZFWNetworkRule table to see if the traffic reached Azure Firewall and was allowed.
- Then you can perform a packet capture at your VPN Gateway to validate that the traffic is reaching the VPN Gateway and being forwarded to on-prem, and also validate that the return traffic from on-prem is present.
Hope this helps! Please let me know if the issue still persists and what were your findings from the troubleshooting steps above. Thank you!
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
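The route-selection behaviour behind the answer above (longest prefix match first; on an equal prefix a UDR beats a BGP-learned route, which beats a system route) is what makes a lone 0.0.0.0/0 UDR insufficient when gateway route propagation is left enabled: an on-prem prefix such as 192.168.0.0/16 learned over BGP is more specific than the default route, so it wins and the traffic goes straight to the VPN gateway, bypassing the firewall. The following script is an added example, not part of the original answer, that audits a spoke route table against a list of on-prem prefixes. The route-table dictionaries are constructed here and only mimic the `disableBgpRoutePropagation` / `routes[].addressPrefix` / `nextHopType` / `nextHopIpAddress` fields of `az network route-table show`; the firewall IP, prefixes and the KQL column names are assumptions for illustration.

```python
"""Audit a spoke route table for the hub-firewall UDR scenario.

Azure route selection modelled here (added example, not Azure code):
  1. longest matching prefix wins;
  2. on an equal prefix: UDR ("User") > BGP-learned ("VirtualNetworkGateway") > system.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop_type: str          # "VirtualAppliance", "VirtualNetworkGateway", ...
    next_hop_ip: Optional[str]  # only set for VirtualAppliance next hops
    origin: str                 # "User" (UDR) or "VirtualNetworkGateway" (BGP)

ORIGIN_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}

def effective_routes(route_table: dict, bgp_prefixes: list[str]) -> list[Route]:
    """UDRs from the table plus, if propagation is enabled, the BGP-learned prefixes."""
    routes = [Route(ipaddress.ip_network(r["addressPrefix"]), r["nextHopType"],
                    r.get("nextHopIpAddress"), "User") for r in route_table["routes"]]
    if not route_table.get("disableBgpRoutePropagation", False):
        routes += [Route(ipaddress.ip_network(p), "VirtualNetworkGateway", None,
                         "VirtualNetworkGateway") for p in bgp_prefixes]
    return routes

def select_route(dst: str, routes: list[Route]) -> Optional[Route]:
    """Longest prefix match, ties broken by origin rank (UDR first)."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, ORIGIN_RANK[r.origin]))

def audit_onprem_path(route_table: dict, bgp_prefixes: list[str], firewall_ip: str) -> dict[str, str]:
    """For each on-prem prefix, report whether a probe host inside it is routed via the firewall."""
    findings = {}
    routes = effective_routes(route_table, bgp_prefixes)
    for p in bgp_prefixes:
        probe = str(next(ipaddress.ip_network(p).hosts()))
        chosen = select_route(probe, routes)
        if chosen is None:
            findings[p] = "no route"
        elif chosen.next_hop_type == "VirtualAppliance" and chosen.next_hop_ip == firewall_ip:
            findings[p] = f"ok: via firewall {firewall_ip} (UDR {chosen.prefix})"
        else:
            findings[p] = (f"bypass: {chosen.prefix} ({chosen.origin}) -> "
                           f"{chosen.next_hop_type} {chosen.next_hop_ip or ''}".rstrip())
    return findings

def all_via_firewall(findings: dict[str, str]) -> bool:
    return all(v.startswith("ok") for v in findings.values())

# Constructed sample data (assumed values, not from the original post).
FIREWALL_IP = "10.0.1.4"                      # hub Azure Firewall private IP
ONPREM_BGP_PREFIXES = ["192.168.0.0/16", "172.16.10.0/24"]
DEFAULT_TO_FW = {"name": "default-to-fw", "addressPrefix": "0.0.0.0/0",
                 "nextHopType": "VirtualAppliance", "nextHopIpAddress": FIREWALL_IP}

# Broken: propagation left enabled, only a default route -> BGP prefixes win.
SPOKE_RT_BROKEN = {"disableBgpRoutePropagation": False, "routes": [DEFAULT_TO_FW]}
# Fix A: disable propagation; the default route then covers on-prem.
SPOKE_RT_FIX_A = {"disableBgpRoutePropagation": True, "routes": [DEFAULT_TO_FW]}
# Fix B: keep propagation but add an equal-length UDR per on-prem prefix (UDR beats BGP on a tie).
SPOKE_RT_FIX_B = {"disableBgpRoutePropagation": False, "routes": [DEFAULT_TO_FW] + [
    {"name": f"onprem-{i}", "addressPrefix": p, "nextHopType": "VirtualAppliance",
     "nextHopIpAddress": FIREWALL_IP} for i, p in enumerate(ONPREM_BGP_PREFIXES)]}

# Assumed column names for the structured-log check mentioned in the answer.
KQL_SPOKE_TO_ONPREM = """AZFWNetworkRule
| where SourceIp startswith "10.1." and DestinationIp startswith "192.168."
| project TimeGenerated, SourceIp, DestinationIp, DestinationPort, Protocol, Action"""

if __name__ == "__main__":
    for name, rt in [("broken", SPOKE_RT_BROKEN), ("fix A", SPOKE_RT_FIX_A), ("fix B", SPOKE_RT_FIX_B)]:
        print(name, audit_onprem_path(rt, ONPREM_BGP_PREFIXES, FIREWALL_IP))
```

Run it against the JSON you export from the real route table (`az network route-table show`) and the prefixes your gateway learns (`az network vnet-gateway list-learned-routes`); a "bypass" finding means the spoke sends that prefix to the gateway without ever hitting the firewall, so the AZFWNetworkRule query will show nothing for it.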