DEV Community

Configuring Network Routing in Azure: Enforcing Firewall Policies with Custom Routes
Isaiah Izibili

As cloud applications grow in complexity and exposure, enforcing centralized security policies becomes essential. One of the most effective ways to do this in Azure is by routing outbound traffic through a firewall using custom route tables. This article walks you through the process of configuring network routing to ensure that all outbound traffic from your application subnets is filtered through Azure Firewall.

Scenario Overview
Your organization has deployed an application in Azure using a virtual network (app-vnet) with two subnets:

  • Frontend subnet: Hosts web servers.
  • Backend subnet: Hosts database servers.

To enforce firewall policies, all outbound traffic from these subnets must be routed through Azure Firewall using its private IP address. This requires:

  • Creating a custom route table.
  • Associating the route table with both subnets.
  • Defining a user-defined route (UDR) that redirects traffic to the firewall.

Step 1: Record the Firewall’s Private IP Address

What You Do:

  • In the Azure portal, search for Firewall.
  • Select your firewall instance (app-vnet-firewall).
  • Go to Overview and note the Private IP address.

Why It Matters:
This IP address will be used as the next hop in your custom route. It ensures that traffic is redirected to the firewall for inspection before leaving the virtual network.

Step 2: Create a Custom Route Table

  1. In the search box, enter Route tables. When Route tables appears in the search results, select it.
  2. On the Route tables page, select + Create and create the route table.

     Property          Value
     Subscription      Select your subscription
     Resource group    RG1
     Region            West US 3
     Name              app-vnet-firewall-rt

  3. Select Review + create and then select Create.
  4. Wait for the route table to deploy, then select Go to resource.

Why It Matters:
Azure automatically creates system route tables for each subnet, but these default routes don’t enforce firewall policies. A custom route table allows you to override system routes and direct traffic through a Network Virtual Appliance (NVA) like Azure Firewall.

Step 3: Associate the Route Table with Subnets

  1. In the portal, continue working with the route table app-vnet-firewall-rt.
  2. In the Settings blade, select Subnets and then + Associate.
  3. Configure an association to the frontend subnet, then select OK.

     Property          Value
     Virtual network   app-vnet (RG1)
     Subnet            frontend

  4. Configure an association to the backend subnet, then select OK.

     Property          Value
     Virtual network   app-vnet (RG1)
     Subnet            backend

Why It Matters:
Associating the route table with both subnets ensures that all outbound traffic from these subnets follows the custom route you’ll define next. Without this association, the route won’t apply.

Step 4: Create a User-Defined Route (UDR)

  1. In the portal, continue working with the route table app-vnet-firewall-rt.
  2. In the Settings blade, select Routes and then + Add.
  3. Configure the route, then select Add.

     Property                              Value
     Route name                            outbound-firewall
     Destination type                      IP addresses
     Destination IP addresses/CIDR range   0.0.0.0/0
     Next hop type                         Virtual appliance
     Next hop address                      Private IP address of the firewall (recorded in Step 1)

Why It Matters:
This route captures all outbound traffic (0.0.0.0/0) and redirects it to the firewall. The Virtual appliance hop type tells Azure to send traffic to a custom IP—your firewall—rather than directly to the internet.
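Once the table from Steps 2 to 4 exists, it is worth auditing it for drift. The following is an added example, not code from the original post: it checks that the 0.0.0.0/0 route points at the firewall as a virtual appliance, that no more specific route with an Internet next hop overrides it, and that both subnets are associated. The firewall IP, abbreviated resource ids and sample tables are constructed, and the camelCase field names assume the shape of `az network route-table show` output.

```python
"""Added example (not from the original post): audit a route table exported from
Azure to confirm it enforces the firewall egress configured in Steps 2-4.  The input
is a dict shaped like `az network route-table show` output (field names assumed)."""

FIREWALL_IP = "10.1.63.4"  # constructed stand-in for the private IP recorded in Step 1

def audit_route_table(rt: dict, firewall_ip: str, required_subnets: set) -> list:
    """Return findings; an empty list means the table forces all egress via the firewall."""
    findings = []
    routes = rt.get("routes", [])
    default = [r for r in routes if r.get("addressPrefix") == "0.0.0.0/0"]
    if not default:
        findings.append("no 0.0.0.0/0 route: the system default route still sends egress straight to the internet")
    elif default[0].get("nextHopType") != "VirtualAppliance":
        findings.append(f"default route next hop type is {default[0].get('nextHopType')}, expected VirtualAppliance")
    elif default[0].get("nextHopIpAddress") != firewall_ip:
        findings.append(f"default route points at {default[0].get('nextHopIpAddress')}, not the firewall {firewall_ip}")
    # Azure picks the longest matching prefix, so a more specific route with an Internet
    # next hop wins over 0.0.0.0/0 for that prefix and bypasses the firewall entirely.
    for r in routes:
        if r.get("nextHopType") == "Internet" and r.get("addressPrefix") != "0.0.0.0/0":
            findings.append(f"route {r.get('name')} ({r.get('addressPrefix')}) bypasses the firewall via Internet next hop")
    # Step 3: the subnet association is what makes the routes apply at all.
    associated = {s["id"].rsplit("/", 1)[-1] for s in rt.get("subnets", [])}
    for name in sorted(set(required_subnets) - associated):
        findings.append(f"subnet {name} is not associated with the route table")
    return findings

# Constructed sample: the table exactly as built in Steps 2-4 (resource ids abbreviated).
COMPLIANT_RT = {
    "name": "app-vnet-firewall-rt",
    "routes": [{"name": "outbound-firewall", "addressPrefix": "0.0.0.0/0",
                "nextHopType": "VirtualAppliance", "nextHopIpAddress": FIREWALL_IP}],
    "subnets": [{"id": "/subscriptions/<sub>/.../virtualNetworks/app-vnet/subnets/frontend"},
                {"id": "/subscriptions/<sub>/.../virtualNetworks/app-vnet/subnets/backend"}],
}

# Constructed sample that has drifted: a more specific Internet route and a lost association.
DRIFTED_RT = {
    "name": "app-vnet-firewall-rt",
    "routes": COMPLIANT_RT["routes"] + [{"name": "direct-saas", "addressPrefix": "203.0.113.0/24",
                                         "nextHopType": "Internet", "nextHopIpAddress": None}],
    "subnets": [{"id": "/subscriptions/<sub>/.../virtualNetworks/app-vnet/subnets/frontend"}],
}

if __name__ == "__main__":
    for table in (COMPLIANT_RT, DRIFTED_RT):
        print(table["name"], audit_route_table(table, FIREWALL_IP, {"frontend", "backend"}) or "OK")
```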

Why This Architecture Matters
By routing traffic through Azure Firewall:

  • You enforce centralized security policies.
  • You gain visibility into outbound traffic.
  • You can apply application-level filtering, threat detection, and logging.
  • You reduce the risk of data exfiltration or unauthorized access.

This setup is especially critical for organizations using DevOps pipelines, external APIs, or internet-facing applications.

Final Thoughts
Routing in Azure isn’t just about connectivity—it’s about control. By configuring custom route tables and directing traffic through Azure Firewall, you build a secure, scalable, and compliant network architecture. Whether you're protecting sensitive data or managing complex workloads, this approach gives you the power to shape how traffic flows—and how threats are stopped.
