Tag Archive for kubernetes, azure-aks, azure-virtual-network

Azure AKS vNet integration default route 0.0.0.0/0 breaks cluster

I’m trying to get an AKS cluster up and running with vNet integration in a hub-spoke environment. AKS is running in a spoke, with a dedicated subnet for the API. The firewall is running in one of the hub’s subnets. When I configure a default route 0.0.0.0/0 for the API subnet with the firewall as the next hop, K8s stops working. The only way I can make this work is to use a narrower route, the hub’s virtual network CIDR, with the firewall as the next hop. Then everything magically starts to work. 0 packets are dropped on the firewall; basically nothing should leave the spoke over peering, as those subnets are local in the routing table.