Hello @Son ,
Below is the summary of our discussion:
You have an ExpressRoute connection from your on-premises to Azure where you have a hub-spoke model and are advertising a default route to block free internet access from all spokes and are filtering that traffic at your on-premises firewall. However, you have another site which is not connected via ExpressRoute and would most likely use a site-to-site VPN for connectivity to its Azure spoke, but you do not want the return traffic to be affected by the advertised default route (where all traffic goes back to your on-premises).
When outbound traffic is sent from a subnet, Azure selects a route based on the destination IP address, using the longest prefix match algorithm. If multiple routes contain the same address prefix, Azure selects the route type, based on the following priority:
User-defined route > BGP route > System route
User-defined routes are higher priority than BGP & default routes.
Refer: https://video2.skills-academy.com/en-us/azure/virtual-network/virtual-networks-udr-overview#how-azure-selects-a-route
To send the Internet traffic out via your Azure Firewall, you need to:
Create a new route table and associate it to the S2S spoke subnets.
Add a UDR of 0.0.0.0/0 and have the next hop as virtual appliance and the address of the Azure Firewall RFC1918 IP address.
Regarding your Azure Firewall, since you have forced tunneling enabled on it, you can't undo the configuration and all your traffic which reaches the Azure Firewall will be forced to your ExpressRoute.
Refer: https://video2.skills-academy.com/en-us/azure/firewall/forced-tunneling
So, if you want to connect the spoke with a S2S VPN, they would have to route the traffic to the internet down your ExpressRoute, if you want to use the same Azure Firewall.
If you configure the UDR route for the S2S spoke to say "Next hop type = Internet" then, the egress traffic would not route via the Azure Firewall and will directly go to Internet.
If you decide not to use forced tunneling and allow traffic to egress to the internet via the Azure Firewall directly, then you will have to rebuild the firewall without the forced tunneling setting enabled, along with the changes below:
Azure Firewall must have direct Internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via BGP, you must override this with a 0.0.0.0/0 UDR with the NextHopType value set as Internet to maintain direct Internet connectivity or stop advertising the default route from on-prem. Post this you can filter the outbound traffic within the Azure Firewall according to your needs by configuring network rules.
Refer: https://video2.skills-academy.com/en-us/azure/firewall/firewall-faq#is-forced-tunneling-chaining-to-a-network-virtual-appliance-supported
Hope this helps!
----------------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
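The route selection described in the answer (longest prefix match first, then UDR > BGP > system for equal prefixes), modelled as an added example that is not part of the original answer or of Azure's code. The spoke prefix 10.20.0.0/16 and the firewall private IP 10.0.1.4 are constructed values, and the route lists are simplified effective-route tables for the S2S spoke subnet and the AzureFirewallSubnet.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Route-type priority for equal prefixes, as stated in the answer: UDR > BGP > system.
TYPE_PRIORITY = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str                       # address prefix, e.g. "0.0.0.0/0"
    source: str                       # "User" (UDR), "BGP" or "System"
    next_hop_type: str                # e.g. "VirtualAppliance", "VirtualNetworkGateway", "Internet"
    next_hop_ip: Optional[str] = None  # only meaningful for VirtualAppliance next hops


def select_route(dest: str, routes: List[Route]) -> Optional[Route]:
    """Pick the effective route for a destination: longest prefix, then source priority."""
    ip = ipaddress.ip_address(dest)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, TYPE_PRIORITY[r.source]),
    )


# Constructed effective routes for the S2S spoke subnet (10.20.0.0/16): the system VNet and
# Internet routes, the 0.0.0.0/0 learned via BGP from on-prem over ExpressRoute, and the UDR
# the answer recommends, pointing at the Azure Firewall private IP (constructed: 10.0.1.4).
S2S_SPOKE_ROUTES = [
    Route("10.20.0.0/16", "System", "VnetLocal"),
    Route("0.0.0.0/0", "System", "Internet"),
    Route("0.0.0.0/0", "BGP", "VirtualNetworkGateway"),
    Route("0.0.0.0/0", "User", "VirtualAppliance", "10.0.1.4"),
]

# Same spoke before the UDR is added: the BGP default wins and egress goes back on-prem.
S2S_SPOKE_WITHOUT_UDR = [r for r in S2S_SPOKE_ROUTES if r.source != "User"]

# Constructed effective routes for AzureFirewallSubnet in the non-forced-tunneling design:
# the BGP default from on-prem is overridden by a 0.0.0.0/0 UDR with NextHopType Internet.
FIREWALL_SUBNET_ROUTES = [
    Route("0.0.0.0/0", "System", "Internet"),
    Route("0.0.0.0/0", "BGP", "VirtualNetworkGateway"),
    Route("0.0.0.0/0", "User", "Internet"),
]

if __name__ == "__main__":
    for name, table in [("spoke+UDR", S2S_SPOKE_ROUTES), ("spoke-noUDR", S2S_SPOKE_WITHOUT_UDR),
                        ("fw-subnet", FIREWALL_SUBNET_ROUTES)]:
        print(name, "->", select_route("203.0.113.10", table))
```

Running the block shows that the spoke's Internet-bound traffic takes the UDR to 10.0.1.4 only once the route table is associated; without it the BGP default sends it to the gateway, and the firewall subnet's UDR keeps the firewall's own egress direct.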