Hi everyone - I searched around the various documents and even googled this without any clear answers. If I missed it then apologies :) Long story short I am trying to understand if what I am trying to do is technically possible. I might be trying to do something the services aren't intended for.
I have a VNET with several security appliances (proxy/firewall) per Region with an Azure standard LB.
I have numerous workload VNETs with overlapping CIDRs, so I cannot peer them to the security VNET. I found the Azure Private Link Service with Private Endpoints to be very similar to the AWS Gateway Load Balancer with VPC Endpoints. However, with AWS I can configure my workload VPCs to route (0.0.0.0/0) to the VPC Endpoint, which then goes to my security appliances in the security VPC.
I have Azure Private Link Service connected to my Azure Load Balancer that has a backend pool of my appliances. So far so good.
I then create/connect a Private Endpoint in my workload VNETs to the Private Link Service. Those all show up as connected; so far so good. For example, the private endpoint IP is 10.0.0.5.
In the effective routes I see that the private endpoint 10.0.0.5/32 shows up. My security appliances have a "health check" running on a web port, and if I try to curl it from a workload in the workload VNET it's successful. So far so good.
Now, like in AWS, I want to use the endpoint as the next hop for my default route 0.0.0.0/0. I create this UDR with next hop 10.0.0.5. I then try to curl some internet resource like ipinfo.io or google.com and it doesn't work. I verify in the private resolver metrics that there is no data in/out. I also enabled the private endpoint network policy options for routing in the workload subnets that have the endpoints, and there is no change. <-- this is my problem. Is this supposed to work and I'm doing something wrong, or does Azure NOT support using an endpoint as a next hop in routes by design?
High-level diagram below: