Centralize Azure Firewall deployment for inter-VNet traffic inspection.

Implementation Effort: Medium

User Impact: Low

Overview

Deploy Azure Firewall as the centralized segmentation and inspection enforcement point by provisioning it in the AzureFirewallSubnet of your Hub VNet. In a hub-spoke topology, all spoke VNets route traffic through the hub, ensuring your segmentation boundaries are consistently enforced. Configure user-defined routes (UDRs) in each spoke subnet’s route table to direct north–south (0.0.0.0/0) and east–west (spoke CIDRs) traffic to the firewall’s private IP address. Azure Firewall then enforces those segmentation policies, inspects and logs traffic, and filters packets according to your network and application rule collections—preventing lateral movement and unauthorized access across your environment.

Reference

• Recommendations for building a segmentation strategy
• Apply Zero Trust principles to a hub virtual network in Azure
• Hub-spoke network topology in Azure
• Deploy and configure Azure Firewall using the Azure portal
• Virtual network traffic routing