Can you explain a little more please, or if possible post a diagram?
Hair-pinning to security device? Kindly share more info.
Yes, that is the default behavior in HCX. The default gateway for all VMs connected to the extended network remains on-prem.
As @t0mzukowski says, this is the default behaviour for HCX and this is clear in the documentation.
Please can you explain if your scenario is different or clarify what your concerns are?
Hair Pinning:
Hair pinning is a default behavior due to the L2 extension from On-Prem to VMC. Consider the example where the VMC-migrated VMs in the Web and App tiers want to communicate with each other: the traffic traverses all the way towards the On-Prem router gateway and comes back to the cloud gateway, creating hair pinning.
This can be eliminated by enabling the MON feature in HCX. Routing advertisements are limited to NSX-T Tier-1 routing boundaries.