Date: 2021-08-12

We have deployed Hub and Spoke technology in Azure. All VM traffic is going through the FW. The settings of the Spoke VM are the same as those of the Hub VM. The NSG is set to allow all traffic. The FW is configured with 3 VR static routes (one route to the internet, one from the Hub to the Trusted interface of the PA, and another route from the Spoke to the Trusted interface of the PA), SNAT and DNAT rule, and one Allow All policy. We are using 8.8.8.8 and 4.4.2.2 as primary and secondary DNS servers. Service route config is via the Management interface. No drop is seen in the packet capture.