Problem
Default Azure routing allows direct internet egress from VNets, reducing inspection control. Without centralized traffic enforcement, security teams cannot monitor or filter outbound traffic.
Architecture
Hub VNet (10.0.0.0/16) hosts Azure Firewall in AzureFirewallSubnet. Spoke A (10.1.0.0/16) and Spoke B (10.2.0.0/16) are each peered to the hub (not to each other). A UDR for 0.0.0.0/0 with next hop set to the firewall's private IP forces all spoke traffic, internet-bound and spoke-to-spoke, through inspection.

[Screenshots: Hub VNet, Azure Firewall, Spoke A VNet, route table]
Implementation
- Bidirectional VNet Peering (Gateway Transit disabled)
- Route Table associated to spoke subnets
- Application rule: Allow microsoft.com
- Network rule: Allow RDP/SSH from defined IP
- UDR: 0.0.0.0/0 → Azure Firewall private IP
Validation
- Effective Routes confirmed 0.0.0.0/0 override via CLI
- FQDN filtering worked correctly for allowed domains
- Implicit deny blocked unauthorized outbound domains
- Verified spoke-to-spoke traffic transits through firewall
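The Effective Routes check from the Validation list, as an added example rather than code from this write-up: it takes the "value" array returned by `az network nic show-effective-route-table -o json`, applies the same longest-prefix match over Active routes that the Azure fabric does, and reports whether egress is actually forced to the firewall (the condition that is lost in the "removed UDR association" failure scenario). The sample routes are constructed for a Spoke A NIC, and 10.0.1.4 is an assumed firewall private IP.

```python
import ipaddress
import json

# Constructed sample modelled on the "value" array of
# `az network nic show-effective-route-table -o json` for a Spoke A NIC.
# 10.0.1.4 is an assumed firewall private IP (not taken from the write-up).
SAMPLE_ROUTES = [
    {"addressPrefix": ["10.1.0.0/16"], "nextHopType": "VnetLocal",
     "nextHopIpAddress": [], "source": "Default", "state": "Active"},
    {"addressPrefix": ["10.0.0.0/16"], "nextHopType": "VNetPeering",
     "nextHopIpAddress": [], "source": "Default", "state": "Active"},
    # The platform default route is overridden by the UDR, so it shows as Invalid
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
     "nextHopIpAddress": [], "source": "Default", "state": "Invalid"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "VirtualAppliance",
     "nextHopIpAddress": ["10.0.1.4"], "source": "User", "state": "Active"},
]


def load_effective_routes(cli_json):
    """Parse raw CLI JSON output and return its route list."""
    return json.loads(cli_json)["value"]


def resolve(routes, destination):
    """Longest-prefix match over Active routes, as the Azure fabric does.
    Returns (nextHopType, nextHopIp) or None when no route matches."""
    dst = ipaddress.ip_address(destination)
    best = None
    for route in routes:
        if route["state"] != "Active":
            continue  # overridden routes are not used for forwarding
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0]):
                hops = route["nextHopIpAddress"]
                best = (net.prefixlen, route["nextHopType"], hops[0] if hops else None)
    return None if best is None else best[1:]


def egress_is_forced(routes, firewall_ip, probes=("8.8.8.8", "10.2.0.5")):
    """True only when every probe (an internet address and the other spoke)
    resolves to the firewall and no Active route still hands traffic straight
    to the Internet, which is exactly what the removed-UDR scenario exposes."""
    if any(r["nextHopType"] == "Internet" and r["state"] == "Active" for r in routes):
        return False
    return all(resolve(routes, p) == ("VirtualAppliance", firewall_ip) for p in probes)
```

Feed `load_effective_routes(open("routes.json").read())` from a real NIC into `egress_is_forced` to turn the manual Effective Routes review into a repeatable check.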

[Screenshots: application rules, network rule, UDR, VM]
Quantified Outcomes
- Forced 100% outbound traffic through firewall
- Centralized inspection across 2 spoke VNets
- Validated routing enforcement using CLI + NIC effective route table
- Application and network rules verified with live traffic
Failure Scenarios Tested
- Removed UDR association → confirmed traffic bypass (direct internet egress resumed)
- Blocked required NSG port → validated deny precedence over allow
- Attempted access to non-allowed FQDN → firewall implicit deny blocked
- Disabled peering → confirmed complete spoke isolation
Operational Considerations
- In production: use Azure Firewall Premium for TLS inspection
- Enable Threat Intelligence mode for known-bad IP/domain blocking
- Implement Just-In-Time VM access instead of persistent RDP rules
- Store firewall logs in centralized SIEM workspace
- Apply Azure Policy initiative at management group scope
Lessons Learned
- UDR is the enforcement mechanism — without it, peering alone does not force traffic through firewall
- Application rules (Layer 7) and network rules (Layer 4) serve different purposes
- Route table association must be at subnet level, not VNet level
- Effective Routes view is the single source of truth for troubleshooting
Business Impact
Improved security posture by eliminating uncontrolled internet egress. All outbound traffic now passes through a centralized inspection point with logging and filtering.