@jeremyw I worked with a WatchGuard distributor until the recent Christmas break. I tried out their Azure appliance but, as you noted, their documentation was very weak. I did have a call with some of their product group in Seattle about it and some improvements they should make to the VNet design. If you know what to do, you can re-engineer their deployment for front-end and back-end subnets, with corrected user-defined routing, and place VMs into other subnets.
In the small/medium business world, it is hard to justify the cost of a virtual firewall appliance in Azure. That was my market before I changed jobs. Without diffing too deep, I cannot see too much that the NVAs are offering in L7. Some of them, like WatchGuard, offer a lot in their physical appliances when you add the security licensing bundle. But without that stuff, are they any better than a network security group when deployed in Azure?