Hello @Steve Hobbs ,
Welcome to Microsoft Q&A Platform. Thanks for posting your query.
In order to prevent unsolicited Virtual machine to Virtual machine communication, and to provide a central point for traffic inspection, you can implement UDRs on the subnet levels as below:
Vnet/subnet address range (depending upon your requirement of granularity) --> Next hop Virtual appliance.
Azure creates a route with an address prefix that corresponds to each address range defined within the address space of a virtual network. Azure automatically routes traffic between subnets using the routes created for each address range. So when you create a UDR with the Vnet/subnet address prefix and point it to a NVA, the UDR overrides the default route. And this makes sure that all traffic from one machine to another machine in the same subnet or between subnets of that Vnet is routed through the configured NVA/Firewall.
This behavior is documented here: https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#can-azure-firewall-forward-and-filter-network-traffic-between-subnets-in-the-same-virtual-network-or-peered-virtual-networks
When outbound traffic is sent from a subnet, Azure selects a route based on the destination IP address, using the longest prefix match algorithm. For example, a route table has two routes: One route specifies the 10.0.0.0/24 address prefix, while the other route specifies the 10.0.0.0/16 address prefix. Azure routes traffic destined for 10.0.0.5, to the next hop type specified in the route with the 10.0.0.0/24 address prefix, because 10.0.0.0/24 is a longer prefix than 10.0.0.0/16, even though 10.0.0.5 is within both address prefixes.
If multiple routes contain the same address prefix, Azure selects the route type, based on the following priority:
User-defined route
BGP route
System route
For more information on Azure Routing, please refer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
In order to allow/block traffic to/from any address prefix on any port, you can configure NSGs.
Please refer: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
Kindly let us know if the above helps or you need further assistance on this issue.
----------------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
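The route-selection rules the answer above describes (longest prefix match, then user-defined > BGP > system when prefixes tie), worked through in a small simulator. This is an added example, not code from the original answer or from Microsoft; the VNet range 10.0.0.0/16, the subnets and the NVA address 10.0.100.4 are constructed values.

```python
import ipaddress

# Tie-break order Azure applies when several routes share an address prefix
# (lower value wins): user-defined route, then BGP route, then system route.
ROUTE_TYPE_PRIORITY = {"User": 0, "BGP": 1, "System": 2}


def route(prefix, rtype, next_hop_type, next_hop_ip=None):
    return {"prefix": prefix, "type": rtype,
            "next_hop_type": next_hop_type, "next_hop_ip": next_hop_ip}


def select_route(routes, destination):
    """Return the route Azure would pick for `destination`: longest prefix
    match first, then route-type priority when the prefix lengths are equal."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in ipaddress.ip_network(r["prefix"])]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen,
                                       ROUTE_TYPE_PRIORITY[r["type"]]))


def effective_next_hop(routes, destination):
    r = select_route(routes, destination)
    return (r["next_hop_type"], r["next_hop_ip"]) if r else None


# Constructed example: VNet 10.0.0.0/16 with workload subnets 10.0.1.0/24 and
# 10.0.2.0/24, and an NVA at 10.0.100.4 in its own subnet (hypothetical values).
NVA_IP = "10.0.100.4"
SYSTEM_ROUTES = [
    route("10.0.0.0/16", "System", "VirtualNetwork"),  # default intra-VNet route
    route("0.0.0.0/0", "System", "Internet"),
]
# UDR with the same prefix as the VNet address space: same prefix length as the
# system route, so it wins by type priority and every VM-to-VM flow (same subnet
# or cross-subnet) is sent to the NVA.
VNET_UDR = route("10.0.0.0/16", "User", "VirtualAppliance", NVA_IP)
# UDR covering only one subnet: wins for that subnet by longest prefix match;
# other destinations keep the default VirtualNetwork next hop.
SUBNET_UDR = route("10.0.2.0/24", "User", "VirtualAppliance", NVA_IP)


def loop_risk(subnet_prefix, udrs):
    """Check before associating a route table with a subnet: a UDR whose next
    hop is an NVA living in that same subnet would send the NVA's own forwarded
    traffic back to itself (a routing loop)."""
    subnet = ipaddress.ip_network(subnet_prefix)
    return any(r["next_hop_ip"] and ipaddress.ip_address(r["next_hop_ip"]) in subnet
               and ipaddress.ip_address(r["next_hop_ip"]) in ipaddress.ip_network(r["prefix"])
               for r in udrs)
```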