Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
To summarize your environment:
- MGT VNET 10.0.0.0/16 is the Hub VNET.
- This has a VPN Gateway, with the GatewaySubnet being 10.0.1.0/24.
- This also has a FirewallSubnet, 10.0.0.0/24.
- This is peered with DEV VNET 10.10.0.0/16 (which becomes the Spoke VNET).
- The DEV VNET has a DatabaseSubnet 10.10.30.0/24 where you have a private endpoint at 10.10.30.4.
Now, to route all traffic from OnPrem to Azure and from Azure to OnPrem via the Firewall:
- First, get the Firewall's private IP; let's call it the NVA IP.
- In the peering from MGT VNET to DEV VNET, enable "Use this virtual network's gateway or Route Server".
- In the peering from DEV VNET to MGT VNET, enable "Use the remote virtual network's gateway or Route Server".
- Now create two Route Tables, one to attach to the GatewaySubnet and the other to attach to the DatabaseSubnet (GatewayRouteTable and DatabaseRouteTable respectively).
- In the GatewayRouteTable, add a route with the address of the DatabaseSubnet and next hop as NVA with the NVA IP (Firewall's private IP).
- In the DatabaseRouteTable, add a route with the address of OnPrem and next hop as NVA with the NVA IP (Firewall's private IP).
- Make sure you create an AllowAll Network Rule in Azure Firewall so that the traffic is allowed to and fro.
In case this does not work, please check the Azure Firewall logs to see whether the traffic reached the FW or not.
Cheers,
Kapil
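The steps in the answer above expressed as a Bicep template, added here as an example (it is not Kapil's code or a Microsoft template). It assumes both VNETs and a Firewall Policy sit in one resource group, the VNET names MGT-VNET and DEV-VNET, placeholder values for the on-premises prefix and the firewall's private IP, and it scopes the network rule to the two ranges from the question rather than allowing everything.

```bicep
// Added example, not from the original answer. Assumes both VNETs and the firewall policy live in this
// resource group; names marked "assumed" and the placeholder parameters are not from the question.
param onPremPrefix string          // placeholder: your on-premises range, e.g. '192.168.0.0/16'
param firewallPrivateIp string     // the "NVA IP": private IP of the Azure Firewall (placeholder)
param firewallPolicyName string    // assumed: Firewall Policy attached to the hub firewall
var mgtVnetName = 'MGT-VNET'               // assumed name of the hub VNET (10.0.0.0/16)
var devVnetName = 'DEV-VNET'               // assumed name of the spoke VNET (10.10.0.0/16)
var databaseSubnetPrefix = '10.10.30.0/24' // DatabaseSubnet from the question
resource mgtVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: mgtVnetName }
resource devVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: devVnetName }
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = { name: firewallPolicyName }
// Hub -> spoke peering: "Use this virtual network's gateway" (gateway transit); forwarded traffic must be allowed
// or packets the firewall forwards across the peering are dropped.
resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: mgtVnet
  name: 'MGT-to-DEV'
  properties: { remoteVirtualNetwork: { id: devVnet.id }, allowVirtualNetworkAccess: true, allowForwardedTraffic: true, allowGatewayTransit: true, useRemoteGateways: false }
}
// Spoke -> hub peering: "Use the remote virtual network's gateway"; the hub side must exist first.
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: devVnet
  name: 'DEV-to-MGT'
  dependsOn: [ hubToSpoke ]
  properties: { remoteVirtualNetwork: { id: mgtVnet.id }, allowVirtualNetworkAccess: true, allowForwardedTraffic: true, allowGatewayTransit: false, useRemoteGateways: true }
}
// GatewayRouteTable (attach to GatewaySubnet): on-prem -> DatabaseSubnet is sent to the firewall.
resource gatewayRt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'GatewayRouteTable'
  location: resourceGroup().location
  properties: { routes: [ { name: 'DatabaseSubnet-via-FW', properties: { addressPrefix: databaseSubnetPrefix, nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp } } ] }
}
// DatabaseRouteTable (attach to DatabaseSubnet): DatabaseSubnet -> on-prem returns through the firewall.
resource databaseRt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'DatabaseRouteTable'
  location: resourceGroup().location
  properties: { routes: [ { name: 'OnPrem-via-FW', properties: { addressPrefix: onPremPrefix, nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp } } ] }
}
// Network rule limited to the two ranges in both directions, rather than a blanket AllowAll.
var dbRule = {
  ruleType: 'NetworkRule'
  name: 'onprem-db-any'
  ipProtocols: [ 'Any' ]
  destinationPorts: [ '*' ]
  sourceAddresses: [ onPremPrefix, databaseSubnetPrefix ]
  destinationAddresses: [ onPremPrefix, databaseSubnetPrefix ]
}
resource dbRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: fwPolicy
  name: 'OnPrem-DatabaseSubnet'
  properties: { priority: 200, ruleCollections: [ { ruleCollectionType: 'FirewallPolicyFilterRuleCollection', name: 'allow-onprem-db', priority: 100, action: { type: 'Allow' }, rules: [ dbRule ] } ] }
}
```

The template does not touch the existing subnets; after deploying it, attach each table with `az network vnet subnet update -g <rg> --vnet-name <vnet> -n <subnet> --route-table <table>` for GatewaySubnet and DatabaseSubnet.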