Forum Discussion
Help! - How is VNet traffic reaching vWAN/on‑prem when the VNet isn’t connected to the vWAN hub
Azure Firewall will not by itself create a route to vWAN or on-premises. If traffic is reaching on-prem, there is a route or indirect path somewhere.
I would check the effective routes on:
1. The source subnet/NIC.
2. The Azure Firewall subnet.
3. Any peered hub/spoke VNets.
4. Any route tables with propagated BGP routes.
5. Any peering settings such as gateway transit or use remote gateway.
Also confirm whether the Function/App path is using a private endpoint, DNS override, proxy, or another integration path that sends traffic through a connected hub.
The quickest proof is to inspect effective routes for the source NIC/subnet and identify the next hop for the on-prem prefix. If the next hop points to a virtual network gateway, virtual appliance, or peering path, that is the explanation.