Thank you for reaching out.
Based on your questions above:
traffic between Azure regions is using Azure inter-regional connection between the vHubs not via egress internet using SDWAN (this is cheaper option based on Azure billing, correct?)
Yes, these are the pricing for Data transfer in Azure.
Reference: https://learn.microsoft.com/en-us/azure/virtual-wan/pricing-concepts#data-transfer
Regarding the options you mentioned above:
As per my understanding from the architectures shared above, I think OPTION 2 (using the same vHUB for the SDWAN NVA and standalone firewall) will not be possible due to the limitation below.
The ability to deploy both an SD-WAN connectivity NVA and a separate Firewall NVA or SaaS solution in the same Virtual WAN hub is currently on the roadmap. Once routing intent is configured with next hop SaaS solution or Firewall NVA, connectivity between the SD-WAN NVA and Azure is impacted. Instead, deploy the SD-WAN NVA and Firewall NVA or SaaS solution in different Virtual Hubs. Alternatively, you can also deploy the SD-WAN NVA in a spoke Virtual Network connected to the hub and leverage the virtual hub BGP peering capability. This limitation is currently documented here.
You can also explore dual-role SD-WAN connectivity and security (Next-Generation Firewall) Network Virtual Appliances.
Before I answer any questions related to Option 1, have you considered deploying the architecture as described here with the BGP peering feature of VWAN?
- As described in the architecture above, you can establish connectivity (North-South) between the NVA branch and the virtual network with the Firewall NVA deployed in the hub. Additional reference: https://learn.microsoft.com/en-us/azure/virtual-wan/scenario-route-through-nvas-custom#alternate
- For the communication between the virtual networks (vnet1 to vnet3, no firewalling), you can directly peer these VNETs and not send the traffic via the Firewall NVA deployed in the hub.
Hope this helps! Please let me know if you have any additional questions and we will gladly continue with our discussion. Thank you!
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.