Sophos Azure XG can't route to Azure VM

Question

I have networking condition in Azure and believe I could be close based on what I've been reading. As it stands, I can ping/access the Sophos Azure XG from the Azure VM but not the reverse. Meaning I cannot ping the Azure VM from the XG. Packet cap shows the ICMP traffic exiting Port B (and not Port A). This is my configuration. (Azure support has been more helpful than Sophos) 
 Azure virtual network 
 10.2.0.0/24 
 Subnets 
 Port B 10.1.0.0/24 
 Port A 10.1.1.0/24 
 Servers 10.1.2.0/24 
 1 VM 10.1.2.4 
 
 Static Route 
 Dest. 10.1.2.0 
 Gateway 10.1.1.1 
 Interface Port A - 10.1.1.4 
 Distance: 0 
 
 I had trouble adjusting route precedence in the XG so that Static Routes are 1. 
 
 Goal: Have all traffic (in/out) route and protect the VM. SSL VPN then RDP, etc. 
 
 Any help would be appreciated!

JornLutters · Answer

Hi MSD admin, 
 Routing for Azure isn't too hard, but it can be a bit unintuitive. 
 You'll want to start by adding a static route on the XG Firewall that points the destination subnet of your traffic (even if it is inside the same vNet) at the gateway IP in the XG's LAN adapter network range (by default Azure assigns the .1 address for the gateway). 
 Next, you'll need to make sure the destination network knows how to reach the subnet used by your VPN clients. So you'll need to create a User Defined Route table in Azure, associate your destination subnet with it and then add a route that points traffic destined for the subnet used by your VPN clients at a virtual appliance - with the XG Firewall's LAN IP as the next hop. 
 From there, all that's left to do is create a firewall rule that allows the traffic (between the VPN zone and the LAN zone). 
 You can find a tutorial on how to create a UDR here: https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table-portal