Forum Discussion

Amolamolrev
Copper Contributor
Feb 06, 2026
Solved

Help ! - Hub Spoke Architecture and Routing via NVA

I have a classic example of routing. I want to force all traffic via Fortigate firewalls. EastWest and NorthSouth. However when large Supernet of Azure Vnet is used to route and force the traffic via...
  • Kidd_Ip
    Feb 07, 2026

    This behavior is not a defect but a design limitation of Azure’s routing model. System routes from VNet peering are always injected, and the only sustainable method to guarantee firewall inspection for future spokes without manual intervention is to adopt Azure Virtual WAN with a secured hub. Otherwise, ongoing maintenance of UDRs for each new spoke remains necessary.

    https://learn.microsoft.com/en-us/azure/virtual-wan/scenario-route-through-nva

    https://docs.fortinet.com/document/fortigate-public-cloud/7.4.0/azure-vwan-sd-wan-ngfw-deployment-guide/372408/microsoft-azure-vwan-and-nva-overview
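The following is an added example, not part of the thread or of any Microsoft or Fortinet tooling. It models Azure's route selection (longest prefix match, then UDR over BGP over system route on an exact tie) to show why a supernet UDR loses to an injected peering route, and lists the peered prefixes that still bypass the NVA. The route table, address ranges and function names are constructed for illustration.

```python
import ipaddress

# Constructed effective routes for one hub subnet (sample data, not from the thread).
# "source" and "next_hop" use the names Azure shows in an effective-routes listing.
ROUTES = [
    {"prefix": "10.0.0.0/8",  "source": "User",    "next_hop": "VirtualAppliance"},  # supernet UDR
    {"prefix": "0.0.0.0/0",   "source": "User",    "next_hop": "VirtualAppliance"},
    {"prefix": "10.0.0.0/16", "source": "Default", "next_hop": "VnetLocal"},         # hub VNet
    {"prefix": "10.1.0.0/16", "source": "Default", "next_hop": "VNetPeering"},       # spoke 1
    {"prefix": "10.1.0.0/16", "source": "User",    "next_hop": "VirtualAppliance"},  # spoke 1 UDR
    {"prefix": "10.2.0.0/16", "source": "Default", "next_hop": "VNetPeering"},       # new spoke 2
]

# On an exact prefix tie Azure prefers UDR, then BGP, then system routes.
PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


def select_route(dest_ip, routes=ROUTES):
    """Return the route Azure would use: longest prefix first, source priority on ties."""
    ip = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r["prefix"])]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen, PRIORITY[r["source"]]),
    )


def uninspected_peerings(routes=ROUTES):
    """Peering prefixes that have no UDR with the identical prefix pointing at the NVA.

    Simplification: a set of more-specific UDRs that fully covers a spoke is not
    recognised as an override; only an exact-prefix UDR counts here.
    """
    overridden = {
        r["prefix"] for r in routes
        if r["source"] == "User" and r["next_hop"] == "VirtualAppliance"
    }
    return sorted(
        r["prefix"] for r in routes
        if r["next_hop"] == "VNetPeering" and r["prefix"] not in overridden
    )


if __name__ == "__main__":
    for ip in ("10.1.0.4", "10.2.0.4", "10.3.0.4"):
        r = select_route(ip)
        print(f"{ip:10} -> {r['prefix']:13} {r['source']:8} {r['next_hop']}")
    print("Peered prefixes bypassing the NVA:", uninspected_peerings())
```

Run against a real export of a subnet's effective routes, the second function gives the list of spokes that still need their own UDR entry.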