Forum Discussion

YuktiVerma2025's avatar
YuktiVerma2025
Copper Contributor
Feb 17, 2026

Help! - How is VNet traffic reaching vWAN/on‑prem when the VNet isn’t connected to the vWAN hub

Hello, I needed some clarity on how the following is working: Attached is a network diagram of our current setup. The function apps (in VNet-1) initiate a connection(s) to a specific IP:Port or...
azure dns
azure firewall
virtual network
virtual wan
vpn gateway
Kidd_Ip's avatar
Kidd_Ip
MVP
Feb 19, 2026

Azure is able to route traffic to the Virtual WAN hub because the firewall’s subnet contains the appropriate route entries. In this configuration, the firewall effectively serves as the gateway for VNet‑1, ensuring that outbound traffic from the function apps can reach the hub without requiring a direct VNet‑to‑hub connection.

 

Why It Works Without Direct VNet‑Hub Connection

The “missing link” is that the firewall itself has connectivity into the vWAN hub. Azure networking doesn’t require every subnet to be directly attached; if you force traffic through a firewall that has the right routes, Azure will honor that path. In effect:

  • Function app → Firewall (via UDR)
  • Firewall → vWAN hub (via system routes / effective routes)
  • vWAN hub → On‑prem (via S2S VPN)

So although VNet‑1 isn’t directly connected to the hub, the firewall is acting as the bridge.

YuktiVerma2025's avatar
YuktiVerma2025
Copper Contributor
Feb 25, 2026

Kidd_Ip​ Can you please help on where can I look for the system routes/effective routes for the firewall? I am not able to see any visible routes to the VWAN. Thank you for the detailed response :)