Azure vWAN (hybrid connectivity enabled with OnPrem DC) data packet flow - inbound and outbound

Below the End-to-End Packet Flow in Azure vWAN (Hybrid Setup)

Ingress Traffic (On-Prem → Azure VMs)

1. On-Premises Gateway: Traffic originates from your on-prem DC or branch.
2. ExpressRoute Gateway (EC GW): Connects to Azure via ExpressRoute circuit.
3. vWAN Hub Router: EC terminates at the vWAN Hub, which routes traffic.
4. Azure Firewall (Secured Hub): Traffic is inspected and filtered.
5. NSG (Network Security Group): Applies subnet-level access control.
6. Destination VMs: Traffic reaches the target VM in connected VNET.

Egress Traffic (Azure VMs → On-Prem)

1. Source VMs: Initiate outbound traffic.
2. NSG: Applies outbound rules.
3. Azure Firewall: Traffic is inspected and routed.
4. vWAN Hub Router: Routes traffic to EC GW.
5. ExpressRoute Gateway (EC GW): Sends traffic to on-premises.
6. On-Prem Gateway: Receives traffic.