Who rated this post

You'll need to use Encryption Domain per Community for the on-premises gateway communities with the Azure cluster (where you create a domain-based VPN per-community with the on-premises gateways), and use the empty domain/route-based VPN between Azure cluster and the AzVPNGW gateway.  This will work.  I presume you aren't using BGP across the domain-based VPN here (no need, really).

So long as a network from the left side diagram doesn't have an overlap on the Cisco vEdge and AzVPNGW VPNs, then you're ok. 

• For limitations, you still need to be mindful of the default gateway VPN domain, if you have this on any gateway in your management domain:  https://support.checkpoint.com/results/sk/sk182946
• There was also an older issue with the traffic selectors, but looks like R&D fixed this: https://support.checkpoint.com/results/sk/sk170857

If you need the walk-through, here's where to configure EDPC:  https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SitetoSiteVPN_AdminGuide/Con...

You can also handle VPN-routing traffic, at the Azure cluster, with VPN Directional matching:  https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SitetoSiteVPN_AdminGuide/Con...

Without directional matching, you could end up with traffic flowing, or matching, in odd places you didn't expect.  This would be most applicable on the Azure cluster.  On the Star communities, you can enable VPN Routing, then use Directional matching rules to enforce that policy.