Can vNET spoke to vNET spoke traffic be routed through an Azure Firewall deployed into a dedicated security spoke?

Question

I am working on a virtual wan deployment for a client and came across this scenario. The client would like to use vWAN with two hubs in separate Azure regions. There would be various application and identity spokes connected to the virtual hubs. There is also a requirement to have all vNET to vNET traffic pass through a firewall.

Secure hubs were considered but inter-hub traffic is not supported currently. The proposed design is to place Azure Firewalls in dedicated security spokes that are peered to each virtual hub and route vNET to vNET traffic through them.

Something like this:

I have looked at both of these Microsoft routing scenarios and can't find support for this design. They both peer the protected vNETs directly to the security spoke instead of the virtual hubs.
https://learn.microsoft.com/en-us/azure/virtual-wan/scenario-route-through-nva
https://learn.microsoft.com/en-us/azure/virtual-wan/scenario-route-through-nvas-custom

Does anyone know if this is possible in vWAN? Any documentation either way would be appreciated.

Answer 1

Hi,

For clarity, if I am in Spoke 6 and want to reach Spoke 3, you would like traffic to do the following

Spoke6->SecurityWest->HubWest->HubEast->SecurityEast->Spoke3

If so, I don't see this being an issue. You are simply manipulating routes at spoke level, leaving your hub-hub-spoke routing as a supported scenario.

Joe