Palo Alto VM-Series in Azure DMZ - AVS

L1 Bithead

Okay, I'll see if I can word this as best as possible. I made up the network IP addresses for this diagram.

We are in the process of migrating one of our on-prem DCs to the Azure public cloud. The obstacle we are facing is with how the DMZ will look and work, specifically with the DMZ network in AVS.

- Current design is using the dedicated inbound option pair with another pair for OBEW. VM-Series in A/A (stand-alone). Azure network following the hub-spoke model, so the firewalls are in a 'connectivity/perimeter' vNet.

- AVS is set up in another vNet with connectivity back using ExpressRoute with Global Reach enabled. Within AVS we have a dedicated subnet for the DMZ; in the diagram it is 10.1.100.0/24.

- We have a gateway subnet in the connectivity vNet back to our other on-prem (secondary) datacenter. This is relevant because any traffic coming from AVS will first hit the T1 router and then the T0 router. The T0 is fully managed by Microsoft, so any traffic coming from AVS will hit the T0 and then, through Global Reach, be directed straight to the ExpressRoute destined for our on-prem secondary data center. We do not want that, as we want any ingress/egress DMZ traffic to use the Palos in Azure.

Simple question: how do we accomplish this?

We had an idea to create IPsec tunnels from each PAFW to the AVS T1 router; that way we can ensure the next hop is the Azure PAFW. The issue with this is that we want the traffic to be dynamic and able to utilize both OBEW firewalls at the same time, as is the purpose of having these in A/A, not configuring with PM and having only one active.

Is it possible to have, say, 2 'remote' sites (OBEW) connected to another site (AVS) where outbound traffic from AVS can use either route equally?

Or another design implementation we just didn't think of?

There is almost no guidance in any design document I've seen, other than using NSX or putting an E-W firewall in the AVS vNet. We would like to avoid that for multiple reasons: cost, management overhead.

1 REPLY

L1 Bithead

(Image attachment: Adam_DiMarco_0-1744293875237.png)
