My customer is planning to implement two sets of firewalls, 4 VMs of Palo Alto NVAs in total.
These 2 sets of Palo Alto NVAs would be present in the Hub VNet in two different subnets.
There are 2 spoke VNets that have VNet peering with the Hub, and traffic is routed via the Hub, meaning transitive peering is enabled via the Hub to on-prem via ExpressRoute.
They will also use a few PaaS services like Web Apps, SQL PaaS, etc.
So my question is: is it mandatory to enable outbound Internet access from Azure for these PaaS services to work properly?
What if UDRs are created for the NVA and no egress Internet traffic is allowed directly from Azure, for example, and everything has to be inspected by the Palo Alto NVA, then by the on-prem firewall, and only then go outbound to the Internet? Will that break Azure PaaS services and create a problem for their effective functioning?
The security team doesn't want any outbound Internet traffic directly from Azure without it being inspected by the Azure Palo Alto NVA and the on-prem firewall.
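One way to verify the "no direct egress" part of the design described in this post is to audit each spoke subnet's route table for routes that bypass the NVA. The check below is an added example and is not part of the original post or of any Azure or Palo Alto tooling. It assumes the route list has the shape Azure Resource Manager and `az network route-table show` return (a `routes` list whose entries carry `addressPrefix`, `nextHopType` and, for VirtualAppliance hops, `nextHopIpAddress`); the NVA address 10.0.1.4 and the three sample route tables are constructed for the demo.

```python
"""Audit Azure route tables for routes that let egress bypass an inspecting NVA.

Added example, not code from the original post. Assumes the ARM / az CLI
route shape (addressPrefix, nextHopType, nextHopIpAddress); NVA IP and
sample tables below are constructed.
"""

DEFAULT_ROUTE = "0.0.0.0/0"
# Next-hop types that hand traffic to Azure's Internet edge directly,
# i.e. never reach the NVA for inspection.
BYPASS_HOPS = {"Internet"}


def audit_route_table(routes, nva_ip):
    """Return a list of finding strings; an empty list means every route in
    the table sends traffic through the NVA at nva_ip (or keeps it on the
    VNet / ExpressRoute side)."""
    findings = []

    default = [r for r in routes if r["addressPrefix"] == DEFAULT_ROUTE]
    if not default:
        # Without a UDR default route, Azure's system route for 0.0.0.0/0
        # delivers egress straight to the Internet.
        findings.append(
            "no 0.0.0.0/0 route: system route sends egress straight to Internet")
    else:
        r = default[0]
        if (r["nextHopType"] != "VirtualAppliance"
                or r.get("nextHopIpAddress") != nva_ip):
            findings.append(
                f"0.0.0.0/0 next hop is {r['nextHopType']} "
                f"{r.get('nextHopIpAddress', '')}, not the NVA {nva_ip}")

    # Azure selects the longest matching prefix, so any more specific route
    # (a CIDR or a service tag) whose next hop is Internet silently wins
    # over the default route to the NVA.
    for r in routes:
        if r["addressPrefix"] != DEFAULT_ROUTE and r["nextHopType"] in BYPASS_HOPS:
            findings.append(
                f"{r['addressPrefix']} -> {r['nextHopType']} bypasses the NVA")
    return findings


NVA_IP = "10.0.1.4"  # assumed private IP of the Palo Alto NVA (or its ILB front end)

# Constructed: a spoke subnet route table as the security team intends it.
STRICT_ROUTES = [
    {"name": "default-to-nva", "addressPrefix": "0.0.0.0/0",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": NVA_IP},
    {"name": "onprem-via-nva", "addressPrefix": "10.200.0.0/16",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": NVA_IP},
]

# Constructed: the same table after someone "fixed" PaaS connectivity by
# routing the Sql service tag directly to the Internet, the kind of
# exception the security team wants to catch.
LEAKY_ROUTES = STRICT_ROUTES + [
    {"name": "sql-direct", "addressPrefix": "Sql", "nextHopType": "Internet"},
]

# Constructed: subnet with no UDR at all.
EMPTY_ROUTES = []


if __name__ == "__main__":
    for label, table in (("strict", STRICT_ROUTES),
                         ("leaky", LEAKY_ROUTES),
                         ("empty", EMPTY_ROUTES)):
        print(label, audit_route_table(table, NVA_IP) or "OK")
```

The check only covers the route table side of the question: it tells you whether anything in a spoke subnet can leave Azure without passing the NVA, not whether a given PaaS service will keep working once all of its traffic is forced through the NVA and the on-prem firewall. Run it against the live tables by feeding it the `routes` array from `az network route-table show` for each spoke subnet.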