Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to route traffic from one OnPrem site to another OnPrem site via VPN Gateway while also inspecting the traffic at Azure using Azure Firewall or a NVA.
I am afraid this won't be feasible with a normal VPN Gateway, but instead doable with vWAN Routing Intent with "Private Traffic Routing Policy" enabled.
However, with traditional VPN Gateway, I could not find any Azure documents supporting this.
- I believe you will be using BGP set up to route OnPrem to OnPrem traffic
- See: Support transit routing between your on-premises networks
- More precisely, like the below,
- This makes sense as there will be a routing loop
- Let's say you want to route traffic to Site2 from Site1 via VPN Gw and Azure Firewall (NVA)
- You create a UDR on GatewaySubnet and point 10.2.0.0/16, 10.3.0.0/16 to route towards NVA
- Now traffic reaches NVA, NVA processes the traffic and forwards it to the GatewaySubnet
- However, from the UDR in GatewaySubnet, traffic will once again forward to the NVA
- Thus, there will be a routing loop between GatewaySubnet and NVA and traffic would never reach the Site2
P.S.: The same logic applies for a VPN Gateway built over an ExpressRoute Connection
Hope this adds some clarity.
Kindly let us know if this helps or you need further assistance on this issue.
Thanks,
Kapil
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
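The loop described in the answer above can be reproduced with a small route-table model. This is an added example, not code from the answer or from Microsoft; the subnet names, prefixes, hosts and the "Site2-tunnel" terminal are constructed, and the only Azure behaviour it assumes is route selection by longest prefix with user-defined routes preferred over BGP routes of the same prefix length. The `trace` function follows a packet arriving from Site1 at the GatewaySubnet hop by hop until it is delivered, drops for lack of a route, or revisits a hop, which is the loop condition:

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route is (destination prefix, next hop name, source). Source breaks ties
# between equal-length prefixes the way Azure does: UDR beats BGP beats System.
Route = Tuple[str, str, str]
SOURCE_RANK = {"UDR": 0, "BGP": 1, "System": 2}


def effective_next_hop(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match, then route-source precedence for equal lengths."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, source in routes:
        net = ipaddress.ip_network(prefix)
        if ip not in net:
            continue
        key = (-net.prefixlen, SOURCE_RANK[source])
        if best is None or key < best[0]:
            best = (key, next_hop)
    return best[1] if best else None


def trace(tables: Dict[str, List[Route]], start: str, dst: str,
          max_hops: int = 8) -> Tuple[List[str], str]:
    """Walk the packet from hop to hop; a hop seen twice is a routing loop.
    A next hop with no table of its own (a tunnel to a site) is terminal."""
    path = [start]
    hop = start
    while len(path) <= max_hops:
        nh = effective_next_hop(tables.get(hop, []), dst)
        if nh is None:
            return path, "no route"
        if nh in path:
            path.append(nh)
            return path, "loop"
        path.append(nh)
        if nh not in tables:
            return path, "delivered"
        hop = nh
    return path, "too many hops"


# Constructed sample topology (hypothetical addresses, not a real deployment):
# Site1 is 10.1.0.0/16, Site2 is 10.2.0.0/16, both learned over BGP by the gateway.
SITE2_HOST = "10.2.1.10"

# The configuration from the answer: a UDR on GatewaySubnet sends Site2 traffic to the NVA.
WITH_GATEWAY_UDR: Dict[str, List[Route]] = {
    "GatewaySubnet": [
        ("10.2.0.0/16", "Site2-tunnel", "BGP"),  # learned from Site2 over BGP
        ("10.2.0.0/16", "NVA", "UDR"),           # UDR overrides the BGP route of equal length
        ("10.3.0.0/16", "NVA", "UDR"),
    ],
    "NVA": [
        ("10.2.0.0/16", "GatewaySubnet", "BGP"),  # gateway-propagated route on the NVA subnet
    ],
}

# Same topology without the UDR: the gateway forwards Site2 traffic straight into the tunnel.
WITHOUT_GATEWAY_UDR: Dict[str, List[Route]] = {
    "GatewaySubnet": [("10.2.0.0/16", "Site2-tunnel", "BGP")],
    "NVA": [("10.2.0.0/16", "GatewaySubnet", "BGP")],
}


if __name__ == "__main__":
    for name, tables in (("with UDR", WITH_GATEWAY_UDR), ("without UDR", WITHOUT_GATEWAY_UDR)):
        path, outcome = trace(tables, "GatewaySubnet", SITE2_HOST)
        print(f"{name:12s} {' -> '.join(path)}  => {outcome}")
```

Running it prints the bounce between GatewaySubnet and the NVA for the UDR case and a direct delivery into the tunnel without it, which is the trade-off the answer describes: the gateway either sends site-to-site traffic straight back out uninspected, or the UDR that forces inspection also catches the NVA's return hop.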