Forum Discussion
John Wildes
Sep 09, 2020Copper Contributor
Azure Firewall in force tunnel configuration dropping port 53 traffic?
Hello All I have a hub and spoke architecture where an azure firewall is in the hub and is our chosen NVA for traffic management. With appropriate routing tables in place all traffic passes through...
John Wildes
Jan 26, 2021Copper Contributor
So what ended up being the issue in my environment is that the setting for "Propagate Gateway Routes" was set to NO for the UDR on my GatewaySubnet and on my AzureFirewallSubnet. My AzureFirewallSubnet (the private side) default route was 0.0.0.0/0 to Virtual Network Gateway. The UDR used on the subnets in my peered VNETs would route all traffic 0.0.0.0/0 to AzureFirewall-privateIP.
We use one primary VNET as the hub or transit VNET. Everything was peered to this. In short, ensure that there is a UDR on the gateway subnet, that route propagation is turned on for that UDR, and that route propagation is turned on for the AzureFirewallSubnet. It took Microsoft 4 months to close this ticket on my Azure subscription with essentially "unsupported configuration" after reviewing with the product group at least 4 times. Their only statement of "supported configuration" is found here.
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#border-gateway-protocol
"Connectivity with VPN connections is achieved using custom routes with a next hop type of Virtual network gateway. Route propagation should not be disabled on the GatewaySubnet. The gateway will not function with this setting disabled."
Routes tell interfaces where to send packets. Packets need an IP address; route tables deal with IP addresses. When I attempt to reach 10.1.1.1 with a browser, it sends that traffic on port 80 to 10.1.1.1; when I use MSTSC it sends that traffic on 3389. It doesn't change the route based on the port? AND this configuration works when there's no Azure Firewall between the source and the destination. Only when there is an Azure Firewall between the source and destination will the traffic disappear (and report in the logs that it has been accepted and forwarded), if that traffic is travelling over port 53.
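The configuration the post above lands on (UDR on GatewaySubnet and AzureFirewallSubnet with gateway route propagation left on, spoke subnets defaulting to the firewall's private IP) is easy to drift from. The script below is an added example, not from the post or from Microsoft: it audits the JSON you get from `az network route-table list -o json` for exactly those three conditions. The sample JSON is constructed inline so the script runs offline; the field names it reads (`disableBgpRoutePropagation`, `routes[].addressPrefix`, `nextHopType`, `nextHopIpAddress`, `subnets[].id`, `resourceGroup`) are assumed from that CLI output, and the firewall private IP 10.0.1.4 is a made-up value.

```python
"""Audit Azure route tables for the hub-and-spoke misconfiguration described above.

Added example, not code from the forum post. The JSON below is constructed to
mimic `az network route-table list -o json`; field names are assumed from that
output. Replace SAMPLE_JSON with real CLI output to audit a subscription.
"""
import json

# Constructed sample: two hub route tables with propagation turned off (the
# broken state from the post), one correct spoke, one spoke pointing at the
# wrong next hop. Subscription/IP values are placeholders.
SAMPLE_JSON = """
[
  {"name": "rt-gatewaysubnet", "resourceGroup": "rg-hub",
   "disableBgpRoutePropagation": true, "routes": [],
   "subnets": [{"id": "/subscriptions/0000/resourceGroups/rg-hub/providers/Microsoft.Network/virtualNetworks/vnet-hub/subnets/GatewaySubnet"}]},
  {"name": "rt-azurefirewallsubnet", "resourceGroup": "rg-hub",
   "disableBgpRoutePropagation": true,
   "routes": [{"name": "to-vpn", "addressPrefix": "0.0.0.0/0",
               "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": null}],
   "subnets": [{"id": "/subscriptions/0000/resourceGroups/rg-hub/providers/Microsoft.Network/virtualNetworks/vnet-hub/subnets/AzureFirewallSubnet"}]},
  {"name": "rt-spoke1", "resourceGroup": "rg-spoke1",
   "disableBgpRoutePropagation": false,
   "routes": [{"name": "to-fw", "addressPrefix": "0.0.0.0/0",
               "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"}],
   "subnets": [{"id": "/subscriptions/0000/resourceGroups/rg-spoke1/providers/Microsoft.Network/virtualNetworks/vnet-spoke1/subnets/workload"}]},
  {"name": "rt-spoke2", "resourceGroup": "rg-spoke2",
   "disableBgpRoutePropagation": false,
   "routes": [{"name": "to-fw", "addressPrefix": "0.0.0.0/0",
               "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.5"}],
   "subnets": [{"id": "/subscriptions/0000/resourceGroups/rg-spoke2/providers/Microsoft.Network/virtualNetworks/vnet-spoke2/subnets/workload"}]}
]
"""

# Hub subnets that must keep gateway route propagation enabled.
HUB_SUBNETS = {"GatewaySubnet", "AzureFirewallSubnet"}
PROPAGATION_ISSUE = "gateway route propagation disabled"


def load_route_tables(text):
    """Parse `az network route-table list -o json` output."""
    return json.loads(text)


def subnet_name(subnet_id):
    """Azure subnet resource IDs end in .../subnets/<name>."""
    return subnet_id.rstrip("/").rsplit("/", 1)[-1]


def default_route(rt):
    """Return the 0.0.0.0/0 route of a route table, or None."""
    for r in rt.get("routes", []):
        if r.get("addressPrefix") == "0.0.0.0/0":
            return r
    return None


def audit_route_tables(tables, firewall_private_ip):
    """Return a list of findings (dicts) for the three conditions in the post."""
    findings = []
    for rt in tables:
        subnets = [subnet_name(s["id"]) for s in rt.get("subnets", [])]
        propagation_off = bool(rt.get("disableBgpRoutePropagation", False))
        # 1 and 2: propagation must stay on for GatewaySubnet and AzureFirewallSubnet.
        for sn in subnets:
            if sn in HUB_SUBNETS and propagation_off:
                findings.append({"routeTable": rt["name"], "resourceGroup": rt.get("resourceGroup"),
                                 "subnet": sn, "issue": PROPAGATION_ISSUE})
        if any(sn in HUB_SUBNETS for sn in subnets):
            continue  # hub subnets keep their own default route (e.g. to the VPN gateway)
        # 3: spoke subnets must default-route to the firewall's private IP.
        dr = default_route(rt)
        if dr is None:
            issue = "no 0.0.0.0/0 route to the firewall"
        elif dr.get("nextHopType") != "VirtualAppliance" or dr.get("nextHopIpAddress") != firewall_private_ip:
            issue = (f"default route next hop is {dr.get('nextHopType')}/{dr.get('nextHopIpAddress')}, "
                     f"expected VirtualAppliance/{firewall_private_ip}")
        else:
            continue
        findings.append({"routeTable": rt["name"], "resourceGroup": rt.get("resourceGroup"),
                         "subnet": ",".join(subnets), "issue": issue})
    return findings


def fix_commands(findings):
    """Emit the az CLI command that re-enables propagation for each affected table."""
    return [f"az network route-table update -g {f['resourceGroup']} -n {f['routeTable']} "
            f"--disable-bgp-route-propagation false"
            for f in findings if f["issue"] == PROPAGATION_ISSUE]


if __name__ == "__main__":
    found = audit_route_tables(load_route_tables(SAMPLE_JSON), "10.0.1.4")
    for f in found:
        print(f"{f['routeTable']} ({f['subnet']}): {f['issue']}")
    for cmd in fix_commands(found):
        print(cmd)
```

One caveat when running this against real output: a GatewaySubnet that has no route table at all never appears in `az network route-table list`, so that case (the post's "ensure that there is a UDR on the gateway subnet") has to be checked separately, for example with `az network vnet subnet show` and looking at whether a route table is associated.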
Daniel_Gurgel
Jan 13, 2023Copper Contributor
When enabling route propagation on UDR (GatewaySubnet), would you know if Microsoft changes any parameters related to MTU (Path MTU Discovery)?
I understand that this option should be enabled for use with BGP.