Hello @RBS
Apologies for the delay in response.
- So the setup is basically multi-site VPN connectivity with an NVA, i.e. a VPN VM (pfSense / Palo Alto, etc.).
- It should work like any other multi-site VPN transit connectivity works, as it's site-to-site connectivity to the third-party virtual appliance and its transit configuration. Configuration should be in place on the NVA for Client to DCs and vice versa for transit routing, based on the vendor you choose.
- From the Azure VM, for traffic to your Client/DC1/DC2, you should have user-defined routes associated with the subnet stating that if traffic is destined for Client/DC1/DC2, then take the next hop as Virtual appliance and provide the interface IP.
- For incoming traffic to the Azure VMs from Client/DC1/DC2, once it reaches the virtual appliance, as it's in the same virtual network, with Azure default system routes you should be able to reach the VM.
Hope this was helpful. Please let us know in case of any additional questions or concerns.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
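
The routing described in the answer above, as an added example that is not part of the original answer: a simplified Python model of Azure route selection (longest prefix first, then user-defined over system routes) that shows the UDR sending outbound traffic to the NVA, the VNet system route covering the return leg, and a check for remote sites that have no UDR. All prefixes, the NVA IP and the function names are constructed assumptions.

```python
import ipaddress

# Constructed sample addressing (assumptions, not from the original answer).
VNET = "10.0.0.0/16"
NVA_IP = "10.0.1.4"  # interface IP of the VPN appliance (NVA)
REMOTE_SITES = {"Client": "192.168.10.0/24", "DC1": "172.16.1.0/24", "DC2": "172.16.2.0/24"}

# Tie-break when two routes share a prefix: user-defined beats system default.
SOURCE_RANK = {"User": 0, "Default": 1}

def system_routes():
    """Simplified Azure default system routes for a subnet in VNET."""
    routes = [{"prefix": VNET, "next_hop": "VnetLocal", "source": "Default"},
              {"prefix": "0.0.0.0/0", "next_hop": "Internet", "source": "Default"}]
    # Private ranges outside the VNet address space are dropped by default.
    for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"):
        routes.append({"prefix": p, "next_hop": "None", "source": "Default"})
    return routes

def udrs_for(sites):
    """One user-defined route per remote site, next hop = NVA interface IP."""
    return [{"prefix": p, "next_hop": f"VirtualAppliance:{NVA_IP}", "source": "User"}
            for p in sites.values()]

def effective_next_hop(routes, dest):
    """Route chosen for dest: longest matching prefix, then source rank."""
    ip = ipaddress.ip_address(dest)
    matches = [r for r in routes if ip in ipaddress.ip_network(r["prefix"])]
    best = min(matches, key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen,
                                       SOURCE_RANK[r["source"]]))
    return best["next_hop"]

def uncovered_sites(routes, sites):
    """Names of remote sites whose traffic would not be sent to the NVA."""
    missing = []
    for name, prefix in sites.items():
        host = str(next(ipaddress.ip_network(prefix).hosts()))
        if not effective_next_hop(routes, host).startswith("VirtualAppliance"):
            missing.append(name)
    return missing

if __name__ == "__main__":
    full = system_routes() + udrs_for(REMOTE_SITES)
    print("VM -> DC1:", effective_next_hop(full, "172.16.1.20"))
    print("NVA -> VM:", effective_next_hop(full, "10.0.2.5"))
    partial = system_routes() + udrs_for({"Client": REMOTE_SITES["Client"]})
    print("Sites missing a UDR:", uncovered_sites(partial, REMOTE_SITES))
```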