Forum Discussion
Help! - How is VNet traffic reaching vWAN/on‑prem when the VNet isn’t connected to the vWAN hub
Hello,
I needed some clarity on how the following is working:
Attached is a network diagram of our current setup. The function apps (in VNet-1) initiate connections to a specific IP:Port or FQDN:Port in the on-premises network(s). A Private DNS zone ensures that any FQDN is resolved to the correct internal IP address of the on-prem endpoint. In our setup, both the function app and the external firewall reside in the same VNet. This firewall is described as “Unattached” because it is not the built-in firewall of a secured vWAN hub, but rather an independent Azure Firewall deployed in that VNet. The VNet has a user-defined default route (0.0.0.0/0) directing all outbound traffic to the firewall’s IP. The firewall then filters the traffic, allowing only traffic destined to whitelisted on-premises IP:Port or FQDN:Port combinations (using IP Groups), and blocking everything else.
The critical question and the part that I am unable to figure out is: Once the firewall permits a packet, how does Azure know to route it to the vWAN hub and on to the site-to-site VPN?
Because VNet-1 truly has no connection at all to the vWAN hub (no direct attachment, no peering, no VPN from the NVA). But the traffic is still reaching the on-prem sites. I am unable to figure out how this is happening. Am I missing something obvious?
Any help on this would be appreciated.
Thank you!
1 Reply
Azure is able to route traffic to the Virtual WAN hub because the firewall’s subnet contains the appropriate route entries. In this configuration, the firewall effectively serves as the gateway for VNet‑1, ensuring that outbound traffic from the function apps can reach the hub without requiring a direct VNet‑to‑hub connection.
Why It Works Without a Direct VNet‑Hub Connection
The “missing link” is that the firewall itself has connectivity into the vWAN hub. Azure networking doesn’t require every subnet to be directly attached; if you force traffic through a firewall that has the right routes, Azure will honor that path. In effect:
- Function app → Firewall (via UDR)
- Firewall → vWAN hub (via system routes / effective routes)
- vWAN hub → On‑prem (via S2S VPN)
So although VNet‑1 isn’t directly connected to the hub, the firewall is acting as the bridge.
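One way to check the two-hop path the reply describes is to evaluate effective routes the way Azure does (longest prefix match, then User > BGP > System on a tie) for the function-app subnet and for the firewall subnet separately. This is an added example, not code from the thread or from Azure; the route entries, prefixes and next-hop IPs are constructed, and the entry shape follows the JSON printed by `az network nic show-effective-route-table`.

```python
"""Evaluate Azure effective routes for a destination (added example).

Assumptions: entries mirror `az network nic show-effective-route-table` output
(addressPrefix list, nextHopType, nextHopIpAddress list, source); all IPs and
prefixes below are constructed. Azure picks the longest matching prefix and, on
a tie, prefers User over VirtualNetworkGateway (BGP) over Default (system).
"""
import ipaddress

SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}

# Constructed effective routes of a NIC in the function-app subnet of VNet-1:
# the UDR (source User) overrides the system 0.0.0.0/0 Internet route.
FUNCTION_APP_SUBNET_ROUTES = [
    {"addressPrefix": ["10.1.0.0/16"], "nextHopType": "VnetLocal", "nextHopIpAddress": [], "source": "Default"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet", "nextHopIpAddress": [], "source": "Default"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "VirtualAppliance", "nextHopIpAddress": ["10.1.1.4"], "source": "User"},
]

# Constructed effective routes as seen from the firewall subnet: a learned route
# for the on-prem prefix points at the hub gateway rather than the Internet.
FIREWALL_SUBNET_ROUTES = [
    {"addressPrefix": ["10.1.0.0/16"], "nextHopType": "VnetLocal", "nextHopIpAddress": [], "source": "Default"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet", "nextHopIpAddress": [], "source": "Default"},
    {"addressPrefix": ["192.168.0.0/16"], "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": ["10.200.0.5"], "source": "VirtualNetworkGateway"},
]


def effective_next_hop(routes, dst_ip):
    """Return (prefix, nextHopType, nextHopIp) Azure would use for dst_ip, or None."""
    dst = ipaddress.ip_address(dst_ip)
    best = None  # (sort key, result); higher key wins
    for route in routes:
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix, strict=False)
            if dst not in net:
                continue
            key = (net.prefixlen, -SOURCE_RANK[route["source"]])
            if best is None or key > best[0]:
                hop_ip = route["nextHopIpAddress"][0] if route["nextHopIpAddress"] else None
                best = (key, (prefix, route["nextHopType"], hop_ip))
    return best[1] if best else None


def trace_path(dst_ip):
    """Hop 1: what the function-app subnet does; hop 2: what the firewall subnet does."""
    return [effective_next_hop(FUNCTION_APP_SUBNET_ROUTES, dst_ip),
            effective_next_hop(FIREWALL_SUBNET_ROUTES, dst_ip)]
```

Running `trace_path("192.168.10.25")` against these constructed tables shows the first hop to the firewall (VirtualAppliance) and the second hop to the gateway route, which is the same reasoning to apply to the real effective-route output of each subnet.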