Forum Discussion
Hub spoke design with NVA firewall
- Sep 11, 2025
Even though you've set up User Defined Routes (UDRs) to point traffic through the Watchguard NVA, Azure VNet peering by default allows direct routing between peered VNets, which means:
• Azure will prefer system routes over UDRs if the destination is reachable via peering.
• So traffic between and is taking the direct peering path, bypassing your firewall.
Please try to:
- Disable "Allow forwarded traffic" on the peering between spokes and hub:
  - This prevents Azure from automatically forwarding traffic between spokes via peering.
- Ensure UDRs are applied to the VM subnets in both spokes:
  - Set the next hop to the Trusted interface IP of the Watchguard NVA.
- Enable IP forwarding on the NVA’s NICs:
  - Required for the NVA to route packets between interfaces.
- Ensure the NVA has return routes for both spoke subnets:
  - These should point back to the respective source subnet via the Trusted interface.
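A way to verify the "ensure UDRs are applied" step from the reply above, added here as an example and not code from the original thread or from any Azure tool: it takes the effective route table of a spoke VM's NIC (the shape of `az network nic show-effective-route-table` output, but the entries here are constructed), resolves the route Azure would pick for an address in the other spoke by longest-prefix match over Active routes, and reports any remote prefix whose next hop is not the NVA. The NVA trusted IP `10.0.1.4` and the address ranges are assumptions.

```python
import ipaddress

# Assumed trusted-interface address of the hub NVA (constructed for this example).
NVA_TRUSTED_IP = "10.0.1.4"

# Constructed sample modelled on `az network nic show-effective-route-table` JSON.
# Spoke 1 has a UDR for spoke 2's range pointing at the NVA.
SPOKE1_EFFECTIVE_ROUTES = [
    {"addressPrefix": ["10.1.0.0/16"], "nextHopType": "VnetLocal",
     "nextHopIpAddress": [], "source": "Default", "state": "Active"},
    {"addressPrefix": ["10.0.0.0/16"], "nextHopType": "VNetPeering",
     "nextHopIpAddress": [], "source": "Default", "state": "Active"},
    {"addressPrefix": ["10.2.0.0/16"], "nextHopType": "VirtualAppliance",
     "nextHopIpAddress": ["10.0.1.4"], "source": "User", "state": "Active"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
     "nextHopIpAddress": [], "source": "Default", "state": "Active"},
]

# Spoke 2 has no UDR; its route to spoke 1 is a peering system route (constructed).
SPOKE2_EFFECTIVE_ROUTES = [
    {"addressPrefix": ["10.2.0.0/16"], "nextHopType": "VnetLocal",
     "nextHopIpAddress": [], "source": "Default", "state": "Active"},
    {"addressPrefix": ["10.0.0.0/16"], "nextHopType": "VNetPeering",
     "nextHopIpAddress": [], "source": "Default", "state": "Active"},
    {"addressPrefix": ["10.1.0.0/16"], "nextHopType": "VNetPeering",
     "nextHopIpAddress": [], "source": "Default", "state": "Active"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
     "nextHopIpAddress": [], "source": "Default", "state": "Active"},
]


def effective_route(routes, destination):
    """Return the Active route with the longest prefix containing `destination`,
    or None if no route matches. Routes in state Invalid are already overridden
    in Azure's effective table, so they are skipped."""
    dst = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for route in routes:
        if route["state"] != "Active":
            continue
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix)
            if dst in net and net.prefixlen > best_len:
                best, best_len = route, net.prefixlen
    return best


def audit_spoke_routes(routes, remote_prefixes, nva_ip):
    """For each remote spoke prefix, check that traffic to it is steered to the
    NVA. Returns a list of human-readable findings; empty means all good."""
    findings = []
    for prefix in remote_prefixes:
        # Probe with the first usable host of the remote range.
        probe = str(ipaddress.ip_network(prefix)[1])
        route = effective_route(routes, probe)
        if route is None:
            findings.append(f"{prefix}: no effective route")
        elif (route["nextHopType"] != "VirtualAppliance"
              or nva_ip not in route["nextHopIpAddress"]):
            findings.append(f"{prefix}: bypasses NVA via {route['nextHopType']}")
    return findings


if __name__ == "__main__":
    for name, routes, remote in (
        ("spoke1", SPOKE1_EFFECTIVE_ROUTES, ["10.2.0.0/16"]),
        ("spoke2", SPOKE2_EFFECTIVE_ROUTES, ["10.1.0.0/16"]),
    ):
        issues = audit_spoke_routes(routes, remote, NVA_TRUSTED_IP)
        print(name, "OK" if not issues else issues)
```

In practice the route list comes from the effective route table of the NIC in each spoke rather than from the route table resource, because only the effective view shows what the platform will actually use after peering and UDR precedence are applied; run the audit once per spoke, with the other spokes' prefixes as the remote list, and every finding is a subnet whose UDR is missing or points somewhere other than the NVA's trusted interface.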