In a hub-and-spoke architecture one often needs BOTH: a third-party firewall appliance (an NVA such as a Palo Alto firewall) alongside a cloud-native firewall (e.g. Azure Firewall).

Advantages of PA FW over Native Cloud Firewalls

The recent log4j security event (Log4Shell, CVE-2021-44228) is a good illustration: Palo Alto quickly released a firewall policy (rule/threat signature) that blocks the outbound JNDI lookups from any affected VM running Java EE (J2EE) apps. There is no single "JNDI port"; the lookup is an outbound LDAP (389/636) or RMI (1099) connection to an attacker-controlled server, and that callback is what the rule cuts off. This short-term fix buys developers time to patch their apps and redeploy with the 'safe' log4j version; it is a mitigation, not a fix, because the vulnerable code stays in place until the library is upgraded.

Architecture - Network Virtual Appliance (Palo Alto NVA) alongside a cloud-native firewall, e.g. Azure Firewall or GCP VPC firewall rules (Cloud Armor is the WAF/DDoS layer in front of GCP load balancers, not a network firewall)

Hub-VNet (Core)

The Hub-VNet is the central point for network activity in Azure and connects all involved components. It holds the VPN/ExpressRoute gateway (with BGP disabled, so on-premises prefixes are static routes), the NVA, which builds a Site-to-Site (S2S) VPN to another site, and the Azure Firewall. All traffic has to pass the Azure Firewall, except intra-stage traffic (traffic that stays within one stage's spoke). Nothing enforces this by default: each spoke subnet needs a user-defined route (UDR) with 0.0.0.0/0 pointing at the Azure Firewall's private IP, and the GatewaySubnet needs a route table sending the spoke prefixes to the firewall, otherwise spoke-to-spoke and on-premises traffic bypasses it.
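To make the two mechanisms above concrete (UDRs forcing spoke traffic through the hub firewall while intra-stage traffic stays local, and the short-term log4j egress block from the earlier section), here is a small simulation written for this note. It is an added example, not code from the page, from Palo Alto or from Azure; the addresses, subnet names, stage labels and rule names are hypothetical, and the firewall is modelled as an ordered first-match rule list, which is how both Azure Firewall network rule collections and a Palo Alto rulebase are evaluated.

```python
# Added example: UDR route resolution plus a first-match firewall policy for a
# hub-and-spoke layout.  All addressing and rule names below are hypothetical.
import ipaddress
from dataclasses import dataclass
from typing import Optional

FIREWALL_IP = "10.0.1.4"  # hypothetical private IP of the hub Azure Firewall / NVA

# Hypothetical spoke address plan: subnet name -> (prefix, stage)
SUBNETS = {
    "dev-app":  ("10.10.1.0/24", "dev"),
    "dev-db":   ("10.10.2.0/24", "dev"),
    "prod-app": ("10.20.1.0/24", "prod"),
}


def stage_of(ip: str) -> Optional[str]:
    """Return the stage a spoke address belongs to, or None for Internet/on-prem."""
    addr = ipaddress.ip_address(ip)
    for prefix, stage in SUBNETS.values():
        if addr in ipaddress.ip_network(prefix):
            return stage
    return None


def udr_for_stage(stage: str):
    """Route table a spoke subnet of this stage carries.  Azure picks the
    longest-prefix match, so the stage's own prefixes stay VnetLocal and the
    0.0.0.0/0 route sends everything else to the firewall (VirtualAppliance)."""
    routes = [(ipaddress.ip_network(p), "VnetLocal")
              for p, s in SUBNETS.values() if s == stage]
    routes.append((ipaddress.ip_network("0.0.0.0/0"), FIREWALL_IP))
    return routes


def next_hop(src: str, dst: str) -> str:
    """Resolve the next hop for a flow leaving a spoke subnet (longest prefix wins)."""
    src_stage = stage_of(src)
    if src_stage is None:
        raise ValueError(f"{src} is not in a known spoke subnet")
    dst_addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in udr_for_stage(src_stage) if dst_addr in net]
    _, hop = max(matches, key=lambda m: m[0].prefixlen)
    return hop


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    src: str         # CIDR
    dst: str         # CIDR
    ports: frozenset


# Ordered policy, first match terminates.  Constructed for this example.
POLICY = [
    # The corporate directory the Java apps legitimately query over LDAP.
    Rule("allow-corp-ldap", "allow", "10.0.0.0/8", "192.168.10.5/32", frozenset({389, 636})),
    # Short-term log4j mitigation: no other outbound LDAP/LDAPS/RMI from the
    # spokes, which is exactly what a JNDI lookup needs to reach an attacker.
    Rule("log4shell-egress-block", "deny", "10.0.0.0/8", "0.0.0.0/0", frozenset({389, 636, 1099})),
    Rule("allow-web-egress", "allow", "10.0.0.0/8", "0.0.0.0/0", frozenset({80, 443})),
]
DEFAULT_ACTION = "deny"


def firewall_decision(src: str, dst: str, dport: int):
    """Evaluate the ordered policy; returns (action, matching rule name)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in POLICY:
        if (s in ipaddress.ip_network(rule.src)
                and d in ipaddress.ip_network(rule.dst)
                and dport in rule.ports):
            return rule.action, rule.name
    return DEFAULT_ACTION, "default"


def route_and_filter(src: str, dst: str, dport: int) -> dict:
    """Full path of a flow: intra-stage traffic never reaches the firewall,
    everything else is routed to it and filtered by the policy."""
    hop = next_hop(src, dst)
    if hop == "VnetLocal":
        return {"next_hop": hop, "action": "bypass", "rule": None}
    action, rule = firewall_decision(src, dst, dport)
    return {"next_hop": hop, "action": action, "rule": rule}


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    ("10.10.1.10", "10.10.2.20", 1433),   # dev app -> dev db: intra-stage, stays local
    ("10.10.1.10", "203.0.113.7", 389),   # dev app -> Internet LDAP: the JNDI callback shape
    ("10.10.1.10", "192.168.10.5", 389),  # dev app -> corporate LDAP: allowlisted
    ("10.10.1.10", "203.0.113.7", 443),   # ordinary HTTPS egress
    ("10.10.1.10", "10.20.1.10", 1099),   # dev -> prod RMI: cross-stage, hits the firewall
]


def simulate(flows=SAMPLE_FLOWS):
    return [(src, dst, dport, route_and_filter(src, dst, dport)) for src, dst, dport in flows]


if __name__ == "__main__":
    for src, dst, dport, v in simulate():
        print(f"{src} -> {dst}:{dport}  via {v['next_hop']}  {v['action']}  ({v['rule']})")
```

The point to take from the run is the ordering: the allowlisted corporate LDAP rule sits above the deny so legitimate directory traffic keeps working, the deny sits above the generic web-egress allow so a callback on 389/636/1099 is dropped wherever it is headed, and the intra-stage flow never consults the policy at all because its UDR resolves to VnetLocal, which is why a missing or wrong UDR silently defeats the whole design.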