Deploy Azure Firewall and route all outbound and inbound traffic through it
Implementation Effort: High
User Impact: Medium
Overview
Deploy Azure Firewall as your centralized inspection and enforcement point by first creating an AzureFirewallSubnet in a Hub VNet and provisioning the firewall there. In a multi-hub-spoke topology, you can place additional firewalls in regional hubs closer to specific workloads—while still maintaining a central policy via Firewall Manager . Next, in each spoke VNet’s route table, define user-defined routes (UDRs) that direct all north–south traffic (0.0.0.0/0) and all east–west CIDR blocks for spokes to the firewall’s private IP. This ensures that every packet—whether destined for the internet or another subnet, flows through your Azure Firewall for inspection, logging, and policy enforcement, preventing any bypass of your security controls .