Thank you for reaching out.
I understand you have implemented Application Gateway and Azure Firewall in parallel.
To implement this scenario, should the firewall and AGW reside on the same VNET?
No, that is not a requirement; you can establish this connectivity using VNET peering as described here. Deploying them in the same VNET does simplify the routing, because Azure automatically creates system routes and assigns them to each subnet in a virtual network. More details here.
If it helps you can also go through this answer I posted a few days ago which describes the advantages of deploying an Application Gateway on the peered VNET.
I am following the below documentation but am not sure where to create the route table or how to define the UDRs for this scenario, especially to implement it using Terraform.
Depending on the desired traffic flow:
- If Application Gateway is located in the same VNET as the backend HTTP server, then the system routes I mentioned above are already created, so when a request arrives at Application Gateway it is forwarded to the backend HTTP server. The response packet uses the system route and forwards the traffic back to Application Gateway (this traffic flow is shown in the image below). Now, even though you have a default route 0.0.0.0/0 to the NVA for the VM's subnet, this route will not be selected because the system route is more specific. This section here on how Azure selects a route can be helpful in understanding this scenario.
If this is the desired traffic flow, then only the default route mentioned in your question is required and no additional UDRs should be added.
If this is not the desired traffic flow, then it would help if you could share a network diagram of your setup showing where Application Gateway, Azure Firewall and the backend servers are located, and the desired traffic flow.
Hope this helps! Please let me know if you have any additional questions. Thank you!
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
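As an added example (not part of the original answer or Microsoft's documentation), this Terraform azurerm configuration defines only the single UDR the answer says is needed: a 0.0.0.0/0 route from the backend VM subnet to the firewall, with no extra routes for the Application Gateway path. The variable names, resource names, subnet ID and firewall private IP are assumptions.

```hcl
# Added example, not from the original answer. Assumptions: the backend VM
# subnet and the Azure Firewall already exist and their IDs/IP are passed in.
variable "backend_subnet_id" {
  description = "ID of the subnet hosting the backend HTTP servers (assumed)"
  type        = string
}

variable "firewall_private_ip" {
  description = "Private IP of the Azure Firewall used as the NVA next hop (assumed)"
  type        = string
}

variable "resource_group_name" { type = string }
variable "location"            { type = string }

# The only UDR required for the flow described in the answer: a default route
# sending traffic that is not VNET-bound from the backend subnet to the firewall.
resource "azurerm_route_table" "backend_udr" {
  name                = "rt-backend-to-firewall"
  location            = var.location
  resource_group_name = var.resource_group_name

  route {
    name                   = "default-to-firewall"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = var.firewall_private_ip
  }
}

# Associate the route table with the backend subnet only. Traffic between
# Application Gateway and the backend still matches the more specific system
# (VNET) route, so the default route is not selected for it and no further
# UDR is needed, as the answer explains.
resource "azurerm_subnet_route_table_association" "backend" {
  subnet_id      = var.backend_subnet_id
  route_table_id = azurerm_route_table.backend_udr.id
}
```

Run `terraform plan` and confirm that the only route in the plan is the 0.0.0.0/0 entry and that it is associated with the backend subnet, not the Application Gateway subnet.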