Thanks for your detailed explanation of the environment.
To answer your query, it is not possible to filter Azure VPN Gateway Transit traffic via Azure Firewall.
As mentioned by Priya Kumar, you would require a vWAN to achieve this.
With vWAN:
- Make sure you use a Secured vHub and enable Branch-to-Branch
- Configure vWAN Routing Intent with a Private Traffic Routing Policy
To explain why this would not work with a regular VPN Gateway, AzFW and UDR:
- Consider sites A (10.A.x.x/16) and B (10.B.x.x/16) connected to a VPN Gateway.
- You attach a UDR with the below routes on GatewaySubnet:
  - 10.A.x.x/16 ------------> AzFW
  - 10.B.x.x/16 ------------> AzFW
- No route is required on AzureFirewallSubnet, as this subnet learns the route from the system and the nextHop here is VPNGw.
- Now, if a packet from Site A destined to Site B is sent via Tunnel A:
  - It hits the GatewaySubnet and, because of the UDR, it goes to AzFW.
  - AzFW's nextHop would be VPNGw.
  - Now, from point 1, we know the nextHop for the GatewaySubnet is AzFW (loop).
  - The traffic keeps going back and forth between GatewaySubnet and AzFW, creating a loop, until it gets dropped.
- Hence, this design would not work.
Hope this provides more clarity. Kindly let us know if this helps or you need further assistance on this issue.
Thanks, Kapil
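The next-hop walk in the answer above, worked through as an added example that is not part of the original post and not Azure's own routing code. It models each subnet as a longest-prefix-match route table, follows the packet from GatewaySubnet hop by hop, and reports either a loop, a drop, or egress through the tunnel. The subnet names, the 10.1.0.0/16 and 10.2.0.0/16 site prefixes (standing in for 10.A.x.x/16 and 10.B.x.x/16), and the `make_tables`/`trace` helpers are constructed assumptions for illustration; the vWAN Routing Intent fix is not modelled here.

```python
"""Simulate next-hop resolution for the VPN Gateway + Azure Firewall + UDR design
and detect the GatewaySubnet <-> AzFW routing loop the answer describes.

Constructed example: subnet names, prefixes and route entries are assumptions
for illustration, not exported from a real Azure environment.
"""
import ipaddress

# Which subnet a given next hop delivers the packet into (assumed model).
NEXT_HOP_SUBNET = {"AzFW": "AzureFirewallSubnet", "VPNGw": "GatewaySubnet"}

SITE_A = "10.1.0.0/16"  # stands in for 10.A.x.x/16
SITE_B = "10.2.0.0/16"  # stands in for 10.B.x.x/16


def make_tables(udr_on_gateway_subnet):
    """Build the effective route tables for both subnets.

    With the UDR, GatewaySubnet sends both site prefixes to AzFW.
    Without it, GatewaySubnet only has the system routes learned from the
    gateway (next hop VPNGw). AzureFirewallSubnet never carries a UDR here;
    it learns the site prefixes from the system with next hop VPNGw.
    """
    gateway_hop = "AzFW" if udr_on_gateway_subnet else "VPNGw"
    return {
        "GatewaySubnet": [(SITE_A, gateway_hop), (SITE_B, gateway_hop)],
        "AzureFirewallSubnet": [(SITE_A, "VPNGw"), (SITE_B, "VPNGw")],
    }


def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def trace(dst, tables, start="GatewaySubnet", max_hops=8):
    """Follow a packet entering at `start` toward `dst`.

    Returns (path, status) where status is one of:
      "egress via tunnel"  - GatewaySubnet forwarded it into the VPN tunnel
      "loop"               - the packet re-entered a subnet it already visited
      "dropped: no route"  - no matching route in the current subnet
      "ttl exceeded"       - max_hops reached without a decision
    """
    path = [start]
    visited = {start}
    current = start
    for _ in range(max_hops):
        next_hop = lookup(tables[current], dst)
        if next_hop is None:
            return path, "dropped: no route"
        path.append(next_hop)
        # A VPNGw next hop evaluated on GatewaySubnet itself means the gateway
        # encapsulates the packet into the site tunnel: the packet leaves the VNet.
        if current == "GatewaySubnet" and next_hop == "VPNGw":
            return path, "egress via tunnel"
        current = NEXT_HOP_SUBNET[next_hop]
        if current in visited:
            return path, "loop"
        visited.add(current)
        path.append(current)
    return path, "ttl exceeded"


def inspected_by_firewall(path):
    """True if the packet passed through AzFW at any point on its path."""
    return "AzFW" in path


if __name__ == "__main__":
    dst = "10.2.0.10"  # a host in site B, sent from site A via Tunnel A
    for with_udr in (True, False):
        path, status = trace(dst, make_tables(with_udr))
        print(f"UDR on GatewaySubnet={with_udr}: {' -> '.join(path)} => {status}, "
              f"inspected={inspected_by_firewall(path)}")
```

Running it shows the two outcomes side by side: with the UDR the path is GatewaySubnet -> AzFW -> AzureFirewallSubnet -> VPNGw and then back into GatewaySubnet, which the simulator flags as a loop; without the UDR the packet egresses straight through the tunnel but never touches AzFW, which is exactly why neither variant gives you filtered site-to-site transit on a plain VPN Gateway.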