Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to filter P2S traffic via Azure Firewall deployed in the Hub VNET connecting to "Company Resources".
Depending on what this "Company Resources" is, the case varies.
NOTE: You cannot route Internet traffic (0.0.0.0/0) to Azure VPN Gateway via P2S.
Now that we have established the above,
1. "Company Resources" is a VNET connected to this HubVNET via VNET Peering.
- The case is here
- Access is allowed if HubVNET has “Allow gateway transit” and VNET has “Use remote gateways” enabled.
2. "Company Resources" is a VNET connected to this HubVNET via S2S with BGP enabled.
- The case is here
- This won't work without BGP
3. "Company Resources" is an Azure Service that is integrated into the HubVNET or a VNET connected to the HubVNET via Peering or BGP S2S.
- The same as case 1 and 2
- This won't work if the Service is not integrated into the VNET.
- See: Integrate Azure services with virtual networks
4. "Company Resources" is a third-party service on the Internet.
- In that case, traditional VPN Gateway cannot be used.
- You must consider using a vWAN with a secured Hub, a P2S Gateway and configure Internet Routing.
Routing Intent:
Make sure you enable "Internet Traffic Routing Policy".
P2S Gateway:
- Refer: Configure forced tunneling
- P2S Gateway ARM template : https://learn.microsoft.com/en-us/azure/templates/microsoft.network/p2svpngateways?pivots=deployment-language-arm-template
- Make sure the "enableInternetSecurity" flag is set.
Hope this helps
Thanks,
Kapil
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
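As an added illustration of case 4 (this is my own example, not part of Kapil's answer and not a Microsoft template), the Bicep below wires the two settings the answer calls out: a routing intent on the secured hub with the "Internet" policy pointing at Azure Firewall, and a vWAN P2S gateway connection configuration with `enableInternetSecurity` set. It assumes the virtual hub, the Azure Firewall in that hub, and a VPN server configuration already exist; the resource names, the `2023-05-01` API version and the client address pool `172.16.0.0/24` are placeholders I chose for the example.

```bicep
// Added example: vWAN secured hub routing intent + P2S gateway with Internet security.
// Assumes an existing virtual hub, Azure Firewall and VPN server configuration.
// Names, API version and the client address pool are placeholders for this example.

@description('Name of the existing virtual hub (secured hub) in this resource group.')
param virtualHubName string

@description('Resource ID of the Azure Firewall deployed in that hub.')
param azureFirewallId string

@description('Resource ID of an existing VPN server configuration (client auth settings).')
param vpnServerConfigurationId string

@description('Name for the P2S gateway to create (placeholder).')
param p2sGatewayName string = 'p2s-gw-example'

@description('Address pool handed out to P2S clients (constructed sample value).')
param clientAddressPool string = '172.16.0.0/24'

param location string = resourceGroup().location

// Reference the secured hub that already exists.
resource hub 'Microsoft.Network/virtualHubs@2023-05-01' existing = {
  name: virtualHubName
}

// Routing intent: the "Internet Traffic Routing Policy" from the answer.
// With this in place, 0.0.0.0/0 in the hub route table points at the firewall,
// so Internet-bound traffic from P2S clients is inspected before it leaves.
resource routingIntent 'Microsoft.Network/virtualHubs/routingIntent@2023-05-01' = {
  parent: hub
  name: 'hubRoutingIntent'
  properties: {
    routingPolicies: [
      {
        name: 'InternetTraffic'
        destinations: ['Internet']
        nextHop: azureFirewallId
      }
    ]
  }
}

// P2S gateway attached to the same hub.
resource p2sGateway 'Microsoft.Network/p2sVpnGateways@2023-05-01' = {
  name: p2sGatewayName
  location: location
  properties: {
    virtualHub: {
      id: hub.id
    }
    vpnServerConfiguration: {
      id: vpnServerConfigurationId
    }
    vpnGatewayScaleUnit: 1
    p2SConnectionConfigurations: [
      {
        name: 'P2SConnectionConfigDefault'
        properties: {
          vpnClientAddressPool: {
            addressPrefixes: [clientAddressPool]
          }
          // The flag the answer calls out. When true, the default route is advertised
          // to P2S clients so their Internet traffic is forced into the hub and hits the
          // firewall via the routing intent above. When false, clients split-tunnel and
          // the firewall never sees their Internet-bound traffic.
          enableInternetSecurity: true
        }
      }
    ]
  }
}

output p2sGatewayId string = p2sGateway.id
output routingIntentId string = routingIntent.id
```

Deploy it into the hub's resource group with `az deployment group create --resource-group <rg> --template-file <file>.bicep --parameters virtualHubName=<hub> azureFirewallId=<firewall-id> vpnServerConfigurationId=<config-id>`. The check after deployment is the one the answer implies: the hub's effective routes should show 0.0.0.0/0 with the firewall as next hop, and a connected P2S client should receive that default route rather than split-tunnelling.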