Help! - How is VNet traffic reaching vWAN/on‑prem when the VNet isn’t connected to the vWAN hub

Azure is able to route traffic to the Virtual WAN hub because the firewall’s subnet contains the appropriate route entries. In this configuration, the firewall effectively serves as the gateway for VNet‑1, ensuring that outbound traffic from the function apps can reach the hub without requiring a direct VNet‑to‑hub connection.

Why It Works Without Direct VNet‑Hub Connection

The “missing link” is that the firewall itself has connectivity into the vWAN hub. Azure networking doesn’t require every subnet to be directly attached; if you force traffic through a firewall that has the right routes, Azure will honor that path. In effect:

• Function app → Firewall (via UDR)
• Firewall → vWAN hub (via system routes / effective routes)
• vWAN hub → On‑prem (via S2S VPN)

So although VNet‑1 isn’t directly connected to the hub, the firewall is acting as the bridge.