This guarantees symmetric connectivity, in which response traffic from the backend tiers returns through the NVA. Otherwise, if the NVAs fail, there would be no route to the management subnet to fix them.
For higher bandwidths, consider upgrading to an ExpressRoute gateway. How do you set up a hybrid network?
Wireless is for play. For example, the web tier subnet in the reference architecture implements an NSG with a rule to ignore all requests other than those received from the on-premises network Azure diagnostics also requires that components can read and write to an Azure Storage account.
Scalability considerations The reference architecture uses a load balancer to direct on-premises network traffic to a pool of NVA devices, which route the traffic. The NVAs can only be configured from the management subnet.