Azure – XG - issue with multiple subnets

Question

We have Setup like this: 
 In Azure 
 Sophos XG &ndash; WAN 10.10.22.0 
 
 LAN 10.10.21.0 
 
 Servers 
 
 10.11.0

In Azure routing we have VNatPeering between 10.10.22-21-11.0 
 On Servers we also add route for IPSec to go over XG as Next Hop -> 192.168.0.0/16 -> Virtual Appliance | IP of Sophos XG 
 
 Issue 1 
 If I ping from PortA (LAN) ICMP is dropped. 
 If I ping from PortB (WAN) everything works, even if I SNAT IP to XG LAN IP. 
 If I ping from Server to XG Port A (LAN) IP it&rsquo;s working (:D). 
 
 Second part 
 So, we also have Azure XG <-> on-premises Sophos UTM that is working (thanks @lferrara) from Azure XG to On-premises UTM but in other way we cannot access resource inside Servers LAN. 
 With tcpdump I see traffic from On-Premises to server, but no replay back (On server I had wireshark and that traffic didn&rsquo;t reach server). 
 
 This can be because PortA cannot ping Servers LAN or some other issue. 
 Do you have some hints what can I check, do?

Idriel · Accepted Answer

I create route for Destination 10.10.11.0 over PortA imaginary GW 10.10.21.1 GW. 
 GW does not exist but looks like Azure VNetPeering then knows how to route it to 10.10.11.0 network.