I am summarizing my comments as well, and I would highly appreciate it if you could accept the answer.
A hub and spoke design deploys shared network components in the hub virtual network and application-specific components in the spokes. In most systems, Azure Firewall Premium is a shared resource. But Web Application Firewall can be a shared network device or an application-specific component. It's usually best to treat Application Gateway as an application component and deploy it in a spoke virtual network:
- It can be difficult to troubleshoot Web Application Firewall alerts. You generally need in-depth knowledge of the application to decide whether the messages that trigger those alarms are legitimate.
- If you treat Application Gateway as a shared resource, you might exceed Azure Application Gateway limits.
- You might face role-based access control problems if you deploy Application Gateway in the hub. This situation can come up when teams manage different applications but use the same instance of Application Gateway. Each team then has access to the entire Application Gateway configuration.
Regarding your queries:
- It is limited to only one certificate per HTTP listener; however, you can generate a SAN certificate and have a single certificate for multiple domains.
- If the inbound traffic to all your applications can be handled with the same WAF rules and SSL termination requirements.
- Only one place you need to go to make changes, reducing the administrative overhead.
- If you have different domains with unique SSL certificates, you will need separate listeners.
- If different applications or services have varying WAF rules or routing requirements.
- If you want to isolate the impact of changes or incidents to one of your services, using multiple listeners can be beneficial.
With per-site WAF policies, you will be able to protect multiple sites with differing security needs behind a single WAF. For example, if there are five sites behind your WAF, you can have five separate WAF policies (one for each listener) to customize the exclusions, custom rules, managed rule sets, and all other WAF settings for each site.
- End-to-end TLS with the v2 SKU
Authentication Certificates have been deprecated and replaced by Trusted Root Certificates in the Application Gateway v2 SKU.
- Certificates signed by well-known CAs whose CN matches the host name in the HTTP backend settings don't require any additional step for end-to-end TLS to work.
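As an added illustration (not part of the original answer or Microsoft's own samples), the following Az PowerShell script builds a WAF_v2 gateway in a spoke: one SAN certificate is shared by two HTTPS listeners, each listener gets its own WAF policy, and the backend settings validate the backend certificate against an uploaded trusted root for end-to-end TLS. Resource group, VNet, subnet, public IP, hostnames and file paths are hypothetical placeholders.

```powershell
# Hypothetical names; the resource group, VNet/subnet and public IP are assumed to exist.
$rg  = 'rg-spoke-app'
$loc = 'westeurope'
$vnet   = Get-AzVirtualNetwork -Name 'vnet-spoke' -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'snet-appgw' -VirtualNetwork $vnet
$pip    = Get-AzPublicIpAddress -Name 'pip-appgw' -ResourceGroupName $rg

# One WAF policy per site: each team tunes exclusions/custom rules for its own listener only.
$owasp    = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType OWASP -RuleSetVersion 3.2
$managed  = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $owasp
$settings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled
$wafDefault = New-AzApplicationGatewayFirewallPolicy -Name 'waf-default' -ResourceGroupName $rg -Location $loc -ManagedRule $managed -PolicySetting $settings
$wafA = New-AzApplicationGatewayFirewallPolicy -Name 'waf-site-a' -ResourceGroupName $rg -Location $loc -ManagedRule $managed -PolicySetting $settings
$wafB = New-AzApplicationGatewayFirewallPolicy -Name 'waf-site-b' -ResourceGroupName $rg -Location $loc -ManagedRule $managed -PolicySetting $settings

$gwIp   = New-AzApplicationGatewayIPConfiguration -Name 'gw-ip' -Subnet $subnet
$feIp   = New-AzApplicationGatewayFrontendIPConfig -Name 'fe-public' -PublicIPAddress $pip
$fePort = New-AzApplicationGatewayFrontendPort -Name 'port-443' -Port 443

# A single SAN certificate (a.example.test + b.example.test) serves both listeners;
# the per-listener limit of one certificate is met without duplicating uploads.
$pfxPwd  = Read-Host -AsSecureString -Prompt 'PFX password'
$sanCert = New-AzApplicationGatewaySslCertificate -Name 'san-cert' -CertificateFile './san.pfx' -Password $pfxPwd

# Multi-site listeners: routing by host name, each bound to its own WAF policy
# (a listener policy overrides the gateway-level $wafDefault for that listener).
$lisA = New-AzApplicationGatewayHttpListener -Name 'lis-a' -Protocol Https -FrontendIPConfiguration $feIp -FrontendPort $fePort -SslCertificate $sanCert -HostName 'a.example.test' -FirewallPolicy $wafA
$lisB = New-AzApplicationGatewayHttpListener -Name 'lis-b' -Protocol Https -FrontendIPConfiguration $feIp -FrontendPort $fePort -SslCertificate $sanCert -HostName 'b.example.test' -FirewallPolicy $wafB

# End-to-end TLS on v2: trusted root (not the deprecated authentication certificate) is
# uploaded once and referenced from the backend settings; -HostName must match the backend cert CN.
$root  = New-AzApplicationGatewayTrustedRootCertificate -Name 'internal-root' -CertificateFile './internal-root.cer'
$poolA = New-AzApplicationGatewayBackendAddressPool -Name 'pool-a' -BackendFqdns 'a.internal.example.test'
$poolB = New-AzApplicationGatewayBackendAddressPool -Name 'pool-b' -BackendFqdns 'b.internal.example.test'
$beA = New-AzApplicationGatewayBackendHttpSetting -Name 'be-a' -Port 443 -Protocol Https -CookieBasedAffinity Disabled -TrustedRootCertificate $root -HostName 'a.internal.example.test'
$beB = New-AzApplicationGatewayBackendHttpSetting -Name 'be-b' -Port 443 -Protocol Https -CookieBasedAffinity Disabled -TrustedRootCertificate $root -HostName 'b.internal.example.test'

$ruleA = New-AzApplicationGatewayRequestRoutingRule -Name 'rule-a' -RuleType Basic -Priority 100 -HttpListener $lisA -BackendAddressPool $poolA -BackendHttpSettings $beA
$ruleB = New-AzApplicationGatewayRequestRoutingRule -Name 'rule-b' -RuleType Basic -Priority 110 -HttpListener $lisB -BackendAddressPool $poolB -BackendHttpSettings $beB

$sku = New-AzApplicationGatewaySku -Name WAF_v2 -Tier WAF_v2 -Capacity 2
New-AzApplicationGateway -Name 'appgw-spoke' -ResourceGroupName $rg -Location $loc -Sku $sku `
    -GatewayIPConfigurations $gwIp -FrontendIPConfigurations $feIp -FrontendPorts $fePort `
    -SslCertificates $sanCert -TrustedRootCertificate $root -FirewallPolicy $wafDefault `
    -HttpListeners $lisA, $lisB -BackendAddressPools $poolA, $poolB `
    -BackendHttpSettingsCollection $beA, $beB -RequestRoutingRules $ruleA, $ruleB
```

Splitting the policies this way keeps a rule exclusion added for site A from silently weakening site B, and the separate listener names make WAF log entries attributable to one application.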