Microsoft Public routes via Private peering
For customers who can't/won't configure Microsoft peering due to technical or administrative limitations, I think on-prem access to Public resources over Private peering would be useful. Here's how I imagine it looking:
On-prem client -> customer edge -> MSEE -> ExR GW -> Customer NVA/Azure FW -> Microsoft network
Workflow to enable:
1. Choose an existing Virtual Network connection to modify. The VNET would need to contain an NVA or Azure Firewall.
2. Attach a route filter to this connection.
3. Specify a next hop IP, either the NVA/LB IP or the Azure Firewall IP.
4. NAT/firewall rules are configured on the NVA/FW to allow outgoing access.