Hello @Sibba Sailor ,
I understand that you are facing issues with VirtualNetwork service tag in NSG, when using UDR for routing via Azure Firewall. When you add a UDR on your Spoke Subnets to use Azure Firewall for default outbound (0.0.0.0/0 -> Azure Firewall IP), the VirtualNetwork service tag on the NSG attached to the Spoke Subnets gets 0.0.0.0/0 prefix value.
I discussed this behavior with the Azure Virtual Network Product Group team, and they confirmed that this is expected behavior.
The Virtual Network tag includes VNet address prefixes, peered prefixes and on-prem prefixes propagated via a VPN or ExpressRoute gateway.
To avoid this, either stop propagating 0.0.0.0/0 and use a more specific prefix OR use prefixes in the NSG instead of that tag.
We have a plan to introduce customer service tags aka IP groups, but this is still in design so no timelines to share yet.
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
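To check whether an NSG is affected by the behavior described in the answer above, the following added example (not part of the original answer or any Microsoft tooling) scans effective security rules for Allow rules whose VirtualNetwork tag has expanded to 0.0.0.0/0 and lists the explicit prefixes that could replace the tag. The JSON field names are assumed to match the output of `az network nic list-effective-nsg`, and the sample data and rule names are constructed.

```python
import ipaddress
import json

# Constructed sample shaped like the output of `az network nic list-effective-nsg`
# (assumed field names: effectiveSecurityRules, expandedSourceAddressPrefix, ...).
SAMPLE = json.loads("""
{"value": [{"effectiveSecurityRules": [
  {"name": "defaultSecurityRules/AllowVnetInBound", "access": "Allow",
   "direction": "Inbound", "priority": 65000,
   "sourceAddressPrefix": "VirtualNetwork",
   "expandedSourceAddressPrefix": ["10.1.0.0/16", "10.0.0.0/16", "0.0.0.0/0"],
   "destinationAddressPrefix": "VirtualNetwork",
   "expandedDestinationAddressPrefix": ["10.1.0.0/16", "10.0.0.0/16", "0.0.0.0/0"]},
  {"name": "securityRules/AllowHubSsh", "access": "Allow",
   "direction": "Inbound", "priority": 200,
   "sourceAddressPrefix": "10.0.0.0/16", "destinationAddressPrefix": "10.1.0.0/24"},
  {"name": "defaultSecurityRules/DenyAllInBound", "access": "Deny",
   "direction": "Inbound", "priority": 65500,
   "sourceAddressPrefix": "*", "destinationAddressPrefix": "*"}
]}]}
""")

def is_any(prefix):
    """True when a prefix covers the whole IPv4 or IPv6 address space."""
    try:
        return ipaddress.ip_network(prefix, strict=False).prefixlen == 0
    except ValueError:
        return False  # tag names, "*" and similar are not CIDR prefixes

def widened_tag_rules(effective, tag="VirtualNetwork"):
    """Return (rule, side, specific prefixes) for Allow rules where `tag` expands to any."""
    findings = []
    for nsg in effective.get("value", []):
        for rule in nsg.get("effectiveSecurityRules", []):
            if rule.get("access") != "Allow":
                continue
            for side in ("Source", "Destination"):
                if rule.get(side.lower() + "AddressPrefix") != tag:
                    continue
                expanded = rule.get("expanded" + side + "AddressPrefix") or []
                if any(is_any(p) for p in expanded):
                    specific = sorted(p for p in expanded if not is_any(p))
                    findings.append((rule["name"], side.lower(), specific))
    return findings

if __name__ == "__main__":
    for name, side, prefixes in widened_tag_rules(SAMPLE):
        print(f"{name}: {side} tag includes 0.0.0.0/0; explicit prefixes: {prefixes}")
```

Rules it reports are candidates for the second workaround in the answer: replacing the tag with the listed prefixes in the NSG.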