Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you have a requirement to validate that every subnet in your Hub Spoke architecture (excluding FirewallSubnet, GatewaySubnet) has a Route Table with a User Defined Route to nextHop as the Firewall.
Wrt, "As far as I understood, a Route table with an entry 0.0.0.0/0 pointing to the Azure Firewall must be setup for each subnet of the spokes in order to force traffic routed to the Azure Firewall."
- The 0.0.0.0/0 route is used to force Internet-bound traffic or "default" traffic to the Azure Firewall.
- i.e., if you also want subnet-to-subnet traffic to go via the Azure Firewall, you should define all the subnets in the Route Table and set the nextHop as the Azure Firewall.
  This includes:
  - Spoke1subnet1 <----> Spoke1subnet2
  - Spoke1subnet1 <----> Hub1subnet1
  - Spoke1subnet1 <----> OnPrem
- The above routes do not go via the Firewall if you only have the 0.0.0.0/0 route.
Wrt, "Is there a better solution or how can we force this route table on every subnet connected to the hub? Is it possible to have an Azure Policy to auto-deploy the route table?"
- You can consider the preview policy: "All Internet traffic should be routed via your deployed Azure Firewall".
- See: Azure Policy built-in definitions for Azure Virtual Network.
Hope this helps.
Cheers,
Kapil
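The point above that a lone 0.0.0.0/0 route only captures Internet-bound traffic follows from how Azure selects a route: longest prefix match first, and on an equal prefix length a user-defined route beats a BGP route, which beats a system route. The VNet address space and peered hub address space are installed as system routes that are far more specific than 0.0.0.0/0, so spoke-to-spoke and spoke-to-hub traffic keeps using them until a UDR of at least the same prefix length points at the firewall. The script below is an added example (not code from the original answer or from Microsoft) that encodes that selection rule and checks a subnet inventory against it. The inventory, address ranges, firewall IP (10.0.1.4) and the flattened input shape (each subnet with its route table's routes inlined, as you could assemble from `az network vnet subnet list` plus `az network route-table show`) are all constructed assumptions for the demonstration.

```python
"""Check that every non-exempt subnet forces traffic through Azure Firewall.

Added example, not part of the original Q&A post. Models Azure route
selection (longest prefix match; on ties UDR > BGP > system) over a
constructed inventory whose shape is an assumption, not a real API output.
"""
import ipaddress

SKIP_SUBNETS = {"AzureFirewallSubnet", "GatewaySubnet"}
# On equal prefix length Azure prefers user-defined, then BGP, then system routes.
SOURCE_RANK = {"udr": 2, "bgp": 1, "system": 0}


def effective_route(destination, routes):
    """Longest-prefix match for `destination` over `routes`.

    Each route is a dict with addressPrefix, nextHopType, optional
    nextHopIpAddress and a `source` of 'udr', 'bgp' or 'system'. Ties on
    prefix length go to the higher-ranked source. Returns the winning route
    dict, or None if nothing covers the destination.
    """
    dest = ipaddress.ip_network(destination, strict=False)
    best_key, best = None, None
    for route in routes:
        prefix = ipaddress.ip_network(route["addressPrefix"], strict=False)
        if not dest.subnet_of(prefix):
            continue
        key = (prefix.prefixlen, SOURCE_RANK[route["source"]])
        if best_key is None or key > best_key:
            best_key, best = key, route
    return best


def via_firewall(route, firewall_ip):
    """True when the route hands traffic to the firewall's private IP."""
    return (route is not None
            and route["nextHopType"] == "VirtualAppliance"
            and route.get("nextHopIpAddress") == firewall_ip)


def check_subnet(subnet, destinations, system_routes, firewall_ip):
    """Findings (empty list = compliant) for one subnet.

    `destinations` maps a label to the prefix whose traffic must be forced
    through the firewall: 0.0.0.0/0 for Internet, plus the other subnets
    and on-prem ranges if east-west traffic must be inspected as well.
    """
    table = subnet.get("routeTable")
    if not table:
        return ["no route table attached"]
    udrs = [dict(r, source="udr") for r in table.get("routes", [])]
    findings = []
    for label, prefix in destinations.items():
        if prefix == subnet["addressPrefix"]:
            continue  # intra-subnet traffic never leaves the subnet
        chosen = effective_route(prefix, udrs + system_routes)
        if not via_firewall(chosen, firewall_ip):
            winner = ("none" if chosen is None else
                      f"{chosen['addressPrefix']} -> {chosen['nextHopType']} ({chosen['source']})")
            findings.append(f"{label} {prefix} bypasses firewall, effective route: {winner}")
    return findings


def check_all(subnets, destinations, system_routes, firewall_ip):
    """Map subnet name -> findings for every subnet that is not exempt."""
    return {s["name"]: check_subnet(s, destinations, system_routes, firewall_ip)
            for s in subnets if s["name"] not in SKIP_SUBNETS}


# --- Constructed sample inventory (assumed: hub 10.0.0.0/16, spoke 10.1.0.0/16,
# on-prem 192.168.0.0/16, firewall private IP 10.0.1.4) ---
FIREWALL_IP = "10.0.1.4"
FW_ROUTE = {"nextHopType": "VirtualAppliance", "nextHopIpAddress": FIREWALL_IP}

DESTINATIONS = {
    "Internet": "0.0.0.0/0",
    "Spoke1subnet1": "10.1.1.0/24",
    "Spoke1subnet2": "10.1.2.0/24",
    "Hub1subnet1": "10.0.3.0/24",
    "OnPrem": "192.168.0.0/16",
}

# Routes a spoke subnet already has before any UDR exists (assumed values).
SYSTEM_ROUTES = [
    {"addressPrefix": "10.1.0.0/16", "nextHopType": "VnetLocal", "source": "system"},
    {"addressPrefix": "10.0.0.0/16", "nextHopType": "VNetPeering", "source": "system"},
    {"addressPrefix": "192.168.0.0/16", "nextHopType": "VirtualNetworkGateway", "source": "bgp"},
    {"addressPrefix": "0.0.0.0/0", "nextHopType": "Internet", "source": "system"},
]

SUBNETS = [
    {"name": "AzureFirewallSubnet", "addressPrefix": "10.0.1.0/24", "routeTable": None},
    # Only a default route: Internet is inspected, east-west traffic is not.
    {"name": "Spoke1subnet1", "addressPrefix": "10.1.1.0/24", "routeTable": {"routes": [
        dict(addressPrefix="0.0.0.0/0", **FW_ROUTE)]}},
    # Default route plus VNet, hub and on-prem ranges: everything is inspected.
    {"name": "Spoke1subnet2", "addressPrefix": "10.1.2.0/24", "routeTable": {"routes": [
        dict(addressPrefix=p, **FW_ROUTE)
        for p in ("0.0.0.0/0", "10.1.0.0/16", "10.0.0.0/16", "192.168.0.0/16")]}},
    {"name": "Spoke1subnet3", "addressPrefix": "10.1.3.0/24", "routeTable": None},
]


def run_example():
    return check_all(SUBNETS, DESTINATIONS, SYSTEM_ROUTES, FIREWALL_IP)


if __name__ == "__main__":
    for name, findings in run_example().items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   ", f)
```

Running it reports Spoke1subnet1 as non-compliant for Spoke1subnet2, Hub1subnet1 and OnPrem (the VnetLocal, VNetPeering and gateway routes win over the /0 UDR), Spoke1subnet2 as compliant because its /16 UDRs tie the system routes on length and win on source, and Spoke1subnet3 as having no route table. The built-in policy mentioned above only looks at the default route, so a check like this is what tells you whether east-west traffic is actually inspected.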