Forum Discussion
Spoke-Hub-Hub Traffic with VPN Gateway BGP and Firewall Issue
Hello,
I’m facing a situation where I’m trying to have Azure Firewall inspection on the VPN Gateway VNET-VNET connectivity. It seems to work if I go from SpokeA-HubAFirewall-HubAVPN-HubBVPN-SpokeB, but if I try to go from SpokeA-HubAFirewall-HubAVPN-HubBVM or the Inbound Resolver it fails to route correctly. According to Connectivity Troubleshooter it stops at HubAVPN with Local Error: RouteMissing, but then reaches destination health, so it makes me believe it’s getting there but not following the route I want it to take, which might be causing routing issues. What am I missing here? This connectivity was working before introducing the Azure Firewall for inspection with the UDR. Is what I’m trying to accomplish not possible? I’ve tried different types of UDR rules on the Gateway Subnet, and this is my most recent configuration. The reason I’m trying to accomplish this is because I’m seeing a similar error in our Hub-Spoke hybrid environment and I’m trying to replicate the issue.
Current Configuration
2x Hubs with Spoke networks attached so example
Hub-Spoke-A Configuration:
Hub-A contains the following subnets and resources
VPN Gateway - GateWaySubnet
Azure Firewall - AzureFirewallSubnet
Inbound Private Resolver - PrivateResolverSubnet
Virtual Machine – VM Subnet
Gateway Subnet has an attached UDR with the following routes
Propagation - True
Prefix Destination – Hub-B
Next Hop Type – Virtual Appliance
Next Hop IP – Hub-A Firewall
Prefix Destination – Spoke-B
Next Hop Type – Virtual Appliance
Next Hop IP – Hub-A Firewall
Hub-Spoke-B Configuration:
Hub-B contains the following subnets and resources
VPN Gateway - GateWaySubnet
Azure Firewall - AzureFirewallSubnet
Inbound Private Resolver - PrivateResolverSubnet
Virtual Machine – VM Subnet
Gateway Subnet has an attached UDR with the following Routes
Propagation - True
Prefix Destination – Hub-A
Next Hop Type – Virtual Appliance
Next Hop IP – Hub-B Firewall
Prefix Destination – Spoke-A
Next Hop Type – Virtual Appliance
Next Hop IP – Hub-B Firewall
Spoke Subnets have an attached UDR with the following routes
Propagation - True
Prefix Destination – 0.0.0.0/0
Next Hop Type – Virtual Appliance
Next Hop IP – Hub-A/Hub-B Firewall (depending on which hub it’s peered to)
VPN Gateways are HA VNET-VNET with BGP enabled. I can see that it knows the routes and, like I said, this was working prior to introducing the UDRs to force traffic through the Azure Firewall.
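A way to reason about a layout like the one above before changing route tables is to model Azure's route selection and walk a flow in both directions. The script below is an added example written for this thread, not code from the poster or from Microsoft. It applies the rule Azure documents for effective routes (longest prefix match first; on equal prefix length a user-defined route beats a BGP route, which beats a system route) and then traces one packet subnet by subnet. All addresses (10.1.0.0/16 for Hub-A, 10.11.0.0/16 for Spoke-A, 10.2.0.0/16 for Hub-B, 10.22.0.0/16 for Spoke-B, firewall IPs 10.1.1.4 and 10.2.1.4) are constructed, the route tables follow the description in the post, and one modelling assumption is stated in the code: a UDR on a GatewaySubnet is applied when the receiving gateway forwards a decapsulated packet into its VNet, not when the sending gateway encapsulates into the tunnel.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Azure's documented tie-break for routes of equal prefix length:
# user-defined beats BGP-learned beats system.
SOURCE_RANK = {"User": 0, "BGP": 1, "System": 2}

@dataclass(frozen=True)
class Route:
    prefix: str                 # destination CIDR
    next_hop_type: str          # VirtualAppliance | VirtualNetworkGateway | VnetLocal | VNetPeering | None
    source: str                 # User | BGP | System
    next_hop_ip: Optional[str] = None

@dataclass
class Subnet:
    name: str
    cidr: str
    gateway: str                # GatewaySubnet that serves this VNet (the hub's, for a spoke)
    routes: list = field(default_factory=list)

def effective_route(routes, dst_ip):
    """Longest prefix match first; on a tie, UDR > BGP > System."""
    dst = ipaddress.ip_address(dst_ip)
    hits = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not hits:
        return None
    return min(hits, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, SOURCE_RANK[r.source]))

def trace(subnets, tunnels, start, dst_ip, max_hops=10):
    """Follow one packet subnet by subnet. Returns (path, status)."""
    by_name = {s.name: s for s in subnets}
    def subnet_of(ip):
        return next((s for s in subnets if ipaddress.ip_address(ip) in ipaddress.ip_network(s.cidr)), None)
    cur, path = by_name[start], [start]
    for _ in range(max_hops):
        r = effective_route(cur.routes, dst_ip)
        if r is None:
            return path, "RouteMissing"
        if r.next_hop_type == "None":
            return path, "Blackhole"
        if r.next_hop_type in ("VnetLocal", "VNetPeering"):
            target = subnet_of(dst_ip)
            return (path + [target.name], "Delivered") if target else (path, "RouteMissing")
        if r.next_hop_type == "VirtualAppliance":
            cur = subnet_of(r.next_hop_ip)       # the firewall re-evaluates from its own subnet
        else:                                    # VirtualNetworkGateway
            # Assumption: the GatewaySubnet UDR is applied by the receiving gateway when it
            # forwards into its VNet, not by the sending gateway when it encapsulates.
            gw = by_name[cur.gateway]
            if gw.name != cur.name:
                path.append(gw.name)
            cur = by_name[tunnels[gw.name]]
        if cur.name in path:
            return path + [cur.name], "Loop"
        path.append(cur.name)
    return path, "Loop"

def build_topology(spoke_propagation=True):
    """Constructed addressing (not from the post) laid out like its two-hub design."""
    vnet = {"HubA": "10.1.0.0/16", "SpokeA": "10.11.0.0/16", "HubB": "10.2.0.0/16", "SpokeB": "10.22.0.0/16"}
    fw = {"HubA": "10.1.1.4", "HubB": "10.2.1.4"}
    def hub(h, s, rh, rs, octet):
        gw_name = f"{h}-GatewaySubnet"
        system = [Route(vnet[h], "VnetLocal", "System"), Route(vnet[s], "VNetPeering", "System")]
        bgp = [Route(vnet[rh], "VirtualNetworkGateway", "BGP"), Route(vnet[rs], "VirtualNetworkGateway", "BGP")]
        # GatewaySubnet UDR as described in the post: remote hub and remote spoke -> local firewall
        udr = [Route(vnet[rh], "VirtualAppliance", "User", fw[h]), Route(vnet[rs], "VirtualAppliance", "User", fw[h])]
        return [Subnet(gw_name, f"10.{octet}.0.0/24", gw_name, system + bgp + udr),
                Subnet(f"{h}-AzureFirewallSubnet", f"10.{octet}.1.0/24", gw_name, system + bgp),
                Subnet(f"{h}-VMSubnet", f"10.{octet}.2.0/24", gw_name, system + bgp)]
    def spoke(s, h, rh, rs):
        routes = [Route(vnet[s], "VnetLocal", "System"), Route(vnet[h], "VNetPeering", "System"),
                  Route("0.0.0.0/0", "VirtualAppliance", "User", fw[h])]   # spoke UDR as in the post
        if spoke_propagation:  # "Propagation - True": the hub gateway's BGP routes reach the spoke
            routes += [Route(vnet[rh], "VirtualNetworkGateway", "BGP"), Route(vnet[rs], "VirtualNetworkGateway", "BGP")]
        return Subnet(f"{s}-Subnet", vnet[s], f"{h}-GatewaySubnet", routes)
    subnets = (hub("HubA", "SpokeA", "HubB", "SpokeB", 1) + hub("HubB", "SpokeB", "HubA", "SpokeA", 2)
               + [spoke("SpokeA", "HubA", "HubB", "SpokeB"), spoke("SpokeB", "HubB", "HubA", "SpokeA")])
    tunnels = {"HubA-GatewaySubnet": "HubB-GatewaySubnet", "HubB-GatewaySubnet": "HubA-GatewaySubnet"}
    return subnets, tunnels

FIREWALL_SUBNETS = {"HubA-AzureFirewallSubnet", "HubB-AzureFirewallSubnet"}

def symmetric_inspection(subnets, tunnels, a_subnet, a_ip, b_subnet, b_ip):
    """Both legs must be delivered and both must cross a firewall subnet."""
    fwd = trace(subnets, tunnels, a_subnet, b_ip)
    rev = trace(subnets, tunnels, b_subnet, a_ip)
    crosses = lambda p: any(h in FIREWALL_SUBNETS for h in p)
    ok = fwd[1] == rev[1] == "Delivered" and crosses(fwd[0]) and crosses(rev[0])
    return fwd, rev, ok

if __name__ == "__main__":
    for prop in (True, False):
        subnets, tunnels = build_topology(spoke_propagation=prop)
        fwd, rev, ok = symmetric_inspection(subnets, tunnels, "SpokeA-Subnet", "10.11.0.10", "HubB-VMSubnet", "10.2.2.10")
        print(f"spoke gateway route propagation={prop}")
        print("  SpokeA -> HubB VM:", " -> ".join(fwd[0]), fwd[1])
        print("  HubB VM -> SpokeA:", " -> ".join(rev[0]), rev[1])
        print("  inspected on both legs:", ok)
```

Two things the model makes visible under these assumptions: on a spoke subnet with gateway route propagation left on, a BGP-learned /16 for the remote hub outranks the 0.0.0.0/0 UDR purely on prefix length, so the flow never reaches the local firewall; and a GatewaySubnet UDR that only lists remote prefixes does nothing for the return leg arriving from the tunnel, whose destination is the local spoke. Whether either matches the real deployment is something to confirm against the effective routes Azure reports for the actual NICs (for example with az network nic show-effective-route-table), since that output is the ground truth this model only approximates.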