Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to know more details about routing in Azure VNet.
Wrt Routing,
- This is an expected behavior
- Azure selects a route based on the destination IP address, using the longest prefix match algorithm.
- If multiple routes contain the same address prefix, Azure selects the route type based on the following priority:
  - User-defined route
  - BGP route
  - System route
- In your case, the subnet's address range has a longer prefix match as compared to 0.0.0.0/0 - hence the default route kicks in and traffic is directly forwarded.
Refer to How Azure selects a route
- Should you require subnet-to-subnet traffic to pass via the Firewall, you must define the subnet's address range in the route tables.
- By doing so, both the system route and the user-defined route (route table) will have the same longest prefix, and by priority the user-defined route to the Firewall comes into the picture.
Wrt NSGs,
- For management purposes, you can consider using Application Security Groups.
- With this, you may group virtual machines without manually maintaining explicit IP addresses.
- The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing you to focus on your business logic.
- Refer
Kindly let us know if this helps or you need further assistance on this issue.
Thanks,
Kapil
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
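As an added illustration (not part of the answer above), here is a small Python model of the two selection rules the answer describes: longest prefix match first, then the user-defined > BGP > system tie-break. The VNet range 10.0.0.0/16, subnets 10.0.1.0/24 and 10.0.2.0/24, and the firewall IP 10.0.0.4 are constructed sample values; the model shows that a 0.0.0.0/0 UDR alone leaves subnet-to-subnet traffic on the VirtualNetwork system route, while a UDR for the peer subnet's range sends it to the firewall.

```python
import ipaddress
from dataclasses import dataclass

# Azure tie-break order when the matching prefix length is equal: UDR > BGP > system.
SOURCE_PRIORITY = {"user": 0, "bgp": 1, "system": 2}


@dataclass(frozen=True)
class Route:
    prefix: str    # address prefix, e.g. "10.0.0.0/16"
    next_hop: str  # next hop type or virtual appliance IP
    source: str    # "user", "bgp" or "system"


def select_route(routes, destination):
    """Pick the route Azure would use: longest prefix match, then source priority."""
    dest = ipaddress.ip_address(destination)
    matching = [r for r in routes if dest in ipaddress.ip_network(r.prefix)]
    if not matching:
        return None
    return min(
        matching,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, SOURCE_PRIORITY[r.source]),
    )


# Constructed sample topology (hypothetical addresses): VNet 10.0.0.0/16 with
# workload subnets 10.0.1.0/24 and 10.0.2.0/24 and an Azure Firewall at 10.0.0.4.
FIREWALL_IP = "10.0.0.4"
SYSTEM_ROUTES = [
    Route("10.0.0.0/16", "VirtualNetwork", "system"),  # default VNet system route
    Route("0.0.0.0/0", "Internet", "system"),          # default Internet system route
]


def route_table_default_only():
    """Effective routes with only a 0.0.0.0/0 UDR pointing at the firewall."""
    return SYSTEM_ROUTES + [Route("0.0.0.0/0", FIREWALL_IP, "user")]


def route_table_with_subnet_udr():
    """Same table plus a UDR for the peer subnet's address range, also via the firewall."""
    return route_table_default_only() + [Route("10.0.2.0/24", FIREWALL_IP, "user")]


if __name__ == "__main__":
    for name, table in [("default-only UDR", route_table_default_only()),
                        ("with subnet UDR", route_table_with_subnet_udr())]:
        chosen = select_route(table, "10.0.2.10")  # VM in 10.0.1.0/24 -> VM in 10.0.2.0/24
        print(f"{name}: 10.0.1.x -> 10.0.2.10 via {chosen.next_hop} ({chosen.prefix}, {chosen.source})")
```

Running it prints the VirtualNetwork next hop for the first table and the firewall IP for the second; Internet-bound traffic goes to the firewall in both cases because the UDR wins the equal-length tie against the system 0.0.0.0/0 route.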