I am looking at an existing Azure environment that has a hub-spoke model. So we have a shared subscription with an NVA and another subnet with a hybrid (ExpressRoute) connection back to the on-prem environment. There are multiple subscriptions with mainly Azure VMs, and all traffic is routed to the NVA in the shared subscription. There is now a requirement to introduce some PaaS services, such as Azure SQL, and my understanding is that service endpoints will not work from a new VNet, as the UDR routes set up will route the traffic to the NVA. I was wondering if anyone has had similar experiences.

