Azure policies & Azure firewall


I recently blogged about the new Azure Firewall, which lets you control outbound traffic from resources hosted inside a VNET. At the time of writing, although the firewall is deployed at VNET level, it does not automatically apply to every resource in that VNET: routing is enforced through a route table that you have to associate with some or all of the subnets.

However, if you want every subnet of a given VNET to send its traffic through the firewall, you have to remember the route table each time you provision a new subnet. That is why I proposed a new Azure Policy that enforces the association between a route table and the subnets. The idea is to pass the route table that targets Azure Firewall as a parameter when creating the Policy Assignment, so that Azure Firewall governs the traffic of your entire VNET.

Don't get me wrong: the policy enforces the association of whatever route table you give it, regardless of where its routes point. But if you provide the route table that targets the Azure Firewall as the Assignment Parameter, you get exactly the behaviour described above.

So, the provisioning sequence should be as follows:

  • The creation of the Azure Firewall instance within its own subnet
  • The Deployment and Assignment of the policy
  • The creation of the other subnets
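As an added illustration of such a policy (this is not the author's published definition), here is a definition that denies the creation or update of any subnet whose route table is not the one passed in the `routeTableId` parameter. It assumes the subnet alias `Microsoft.Network/virtualNetworks/subnets/routeTable.id` and excludes the firewall's own `AzureFirewallSubnet`, which must not have its default route sent back to the firewall.

```json
{
  "properties": {
    "displayName": "Subnets must use the route table that targets Azure Firewall",
    "description": "Deny any subnet that is not associated with the route table given as parameter (added example, not the original post's policy).",
    "mode": "All",
    "parameters": {
      "routeTableId": {
        "type": "String",
        "metadata": {
          "displayName": "Route table resource ID",
          "description": "Resource ID of the route table whose 0.0.0.0/0 route points to the Azure Firewall private IP",
          "strongType": "Microsoft.Network/routeTables"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworks/subnets"
          },
          {
            "field": "name",
            "notEquals": "AzureFirewallSubnet"
          },
          {
            "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id",
            "notEquals": "[parameters('routeTableId')]"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Note that this rule only evaluates subnets created as their own `Microsoft.Network/virtualNetworks/subnets` resource; subnets declared inline in the VNET body are evaluated as part of the `Microsoft.Network/virtualNetworks` resource and would need a second condition on the `subnets[*]` alias.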


Happy security!

About Stephane Eyskens

Office 365, Azure PaaS and SharePoint platform expert
This entry was posted in Azure, Security.
