...
When you configure a new Azure Firewall, you can route all Internet-bound traffic to a designated next hop instead of sending it directly to the Internet.
For example, you may have a default route, advertised via BGP or set with a User Defined Route (UDR), that forces traffic to an on-premises edge firewall or other network virtual appliance (NVA) for processing before it's passed to the Internet.
To support this configuration, you must create the Azure Firewall with the Forced Tunnel configuration enabled.
You configure forced tunneling during firewall creation by enabling Forced Tunnel mode.
To support forced tunneling, Service Management traffic is separated from customer traffic.
An additional dedicated subnet named AzureFirewallManagementSubnet (minimum subnet size /26) is required with its own associated public IP address.
This public IP address is for management traffic. It is used exclusively by the Azure platform and can't be used for any other purpose.
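A pre-deployment check for the requirements above, as an added example that is not part of the original page. The plan dictionary, its keys and the resource names are hypothetical, and the address-space and overlap checks go beyond what the text states.

```python
import ipaddress

MGMT_SUBNET = "AzureFirewallManagementSubnet"  # exact name the page requires
MAX_PREFIXLEN = 26                             # /26 is the minimum subnet size

def check_forced_tunnel_plan(plan):
    """Return a list of problems found in a planned forced-tunnel deployment.

    `plan` is a hypothetical dict, not an Azure API object:
      vnet: CIDR, subnets: {name: CIDR},
      data_public_ip / mgmt_public_ip: public IP resource names.
    """
    problems = []
    vnet = ipaddress.ip_network(plan["vnet"])
    subnets = {n: ipaddress.ip_network(c) for n, c in plan["subnets"].items()}

    mgmt = subnets.get(MGMT_SUBNET)
    if mgmt is None:
        # Names are matched exactly; a near miss counts as missing.
        problems.append(f"missing subnet {MGMT_SUBNET}")
    else:
        if mgmt.prefixlen > MAX_PREFIXLEN:
            problems.append(f"{MGMT_SUBNET} is /{mgmt.prefixlen}, "
                            f"minimum size is /{MAX_PREFIXLEN}")
        if not mgmt.subnet_of(vnet):
            problems.append(f"{MGMT_SUBNET} is outside VNet {vnet}")
        for name, net in subnets.items():
            if name != MGMT_SUBNET and net.overlaps(mgmt):
                problems.append(f"{MGMT_SUBNET} overlaps {name}")

    # The management public IP is used only by the Azure platform, so it
    # must be its own resource and not the one carrying customer traffic.
    mgmt_ip = plan.get("mgmt_public_ip")
    if not mgmt_ip:
        problems.append("no public IP for management traffic")
    elif mgmt_ip == plan.get("data_public_ip"):
        problems.append("management public IP is shared with customer traffic")
    return problems

# Constructed sample plans (addresses and names are made up).
GOOD_PLAN = {
    "vnet": "10.10.0.0/16",
    "subnets": {"AzureFirewallSubnet": "10.10.0.0/26",
                MGMT_SUBNET: "10.10.0.64/26"},
    "data_public_ip": "pip-fw-data", "mgmt_public_ip": "pip-fw-mgmt",
}
BAD_PLAN = {
    "vnet": "10.10.0.0/16",
    "subnets": {"AzureFirewallSubnet": "10.10.0.0/26",
                MGMT_SUBNET: "10.10.0.64/27"},
    "data_public_ip": "pip-fw", "mgmt_public_ip": "pip-fw",
}
```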
...
...
Firewall Considerations – Windows Virtual Desktop (WVD)
It has information on how to allow Windows activation to work with Azure KMS servers.