I recently blogged about the new Azure Firewall, which lets you control outbound traffic from resources hosted inside a VNET. At the time of writing, although the firewall is deployed into the VNET, it does not automatically apply to every resource in that VNET: traffic is steered to the firewall through a route table (user-defined routes) that you have to associate with some or all of the subnets yourself.
So if, for a given VNET, you want every subnet to go through the firewall, you have to remember that association every time you provision a new subnet. That is why I proposed a new Azure Policy that enforces the association between a route table and the subnets. The idea is to pass the route table that targets the Azure Firewall as a parameter when creating the Policy Assignment, so that the Azure Firewall governs the traffic of your entire VNET.
To be clear, the policy enforces the association of a route table in general, whatever that table points to; it is only because you provide the route table that targets the Azure Firewall as the Assignment Parameter that the firewall ends up governing the whole VNET.
So, the provisioning sequence should be as follows:
- Create the Azure Firewall instance within its own subnet, together with the route table whose default route points at the firewall
- Deploy the policy and assign it, passing that route table as the Assignment Parameter
- Create the other subnets
The order matters because a deny-effect policy is evaluated when a resource is created or updated: subnets that already exist when the assignment is made are reported as non-compliant but are not re-associated for you.
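Below is an added example of what such a policy definition can look like, together with a small local model of how Azure Policy evaluates its `if` condition, so the rule can be checked against constructed sample subnets before assigning it. It is not the policy from the original post. Assumptions: the `routeTableId` parameter name, the exemption of `AzureFirewallSubnet` (the firewall's own subnet must not get a default route back into the firewall), and the field alias `Microsoft.Network/virtualNetworks/subnets/routeTable.id`. The evaluator only models `allOf`/`anyOf`, `equals`/`notEquals` (case-insensitive, as in Azure Policy) and `exists`; it is a test aid, not the service. The rule targets the standalone subnet resource type, so subnets declared inline in a virtual network template are not covered by it.

```python
"""Azure Policy denying subnets not associated with a given route table, plus a
local model of the condition evaluation for checking it against sample subnets.
Added example, not the blog's policy; alias and parameter names are assumptions."""
import json

ROUTE_TABLE_ALIAS = "Microsoft.Network/virtualNetworks/subnets/routeTable.id"  # assumed alias

# Policy definition (ARM JSON); the route table resource ID is an assignment parameter.
POLICY_DEFINITION = {
    "mode": "All",
    "parameters": {
        "routeTableId": {
            "type": "String",
            "metadata": {
                "displayName": "Route table ID",
                "description": "Resource ID of the route table whose default route targets Azure Firewall",
                "strongType": "Microsoft.Network/routeTables",
            },
        }
    },
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Network/virtualNetworks/subnets"},
                # Design choice: never force the firewall's own subnet back through the firewall.
                {"field": "name", "notEquals": "AzureFirewallSubnet"},
                {"anyOf": [
                    {"field": ROUTE_TABLE_ALIAS, "exists": "false"},
                    {"field": ROUTE_TABLE_ALIAS, "notEquals": "[parameters('routeTableId')]"},
                ]},
            ]
        },
        "then": {"effect": "deny"},
    },
}


def default_route_to_firewall(firewall_private_ip):
    """ARM 'routes' entry sending 0.0.0.0/0 to the firewall's private IP."""
    return {
        "name": "default-to-azure-firewall",
        "properties": {
            "addressPrefix": "0.0.0.0/0",
            "nextHopType": "VirtualAppliance",
            "nextHopIpAddress": firewall_private_ip,
        },
    }


def _field_value(resource, field):
    """'type'/'name' are top-level; an alias maps to properties.<path> once the type prefix is stripped."""
    if field in ("type", "name"):
        return resource.get(field)
    prefix = resource.get("type", "") + "/"
    if not field.startswith(prefix):
        return None
    value = resource.get("properties", {})
    for part in field[len(prefix):].replace("/", ".").split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def _resolve(value, params):
    """Expand a "[parameters('x')]" template reference."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value


def _norm(v):
    return v.lower() if isinstance(v, str) else v  # string comparisons are case-insensitive


def _match(cond, resource, params):
    if "allOf" in cond:
        return all(_match(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_match(c, resource, params) for c in cond["anyOf"])
    actual = _field_value(resource, cond["field"])
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return _norm(actual) == _norm(_resolve(cond["equals"], params))
    if "notEquals" in cond:
        return _norm(actual) != _norm(_resolve(cond["notEquals"], params))
    raise ValueError("unsupported condition: %r" % cond)


def evaluate(resource, params, policy=POLICY_DEFINITION):
    """Effect applied to a resource: the rule's effect if 'if' matches, else 'allow'."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if _match(rule["if"], resource, params) else "allow"


def subnet(name, route_table_id=None):
    """Constructed sample subnet resource as the policy engine would see it."""
    res = {"type": "Microsoft.Network/virtualNetworks/subnets", "name": name, "properties": {}}
    if route_table_id:
        res["properties"]["routeTable"] = {"id": route_table_id}
    return res


# Constructed sample IDs (hypothetical subscription and resource group).
FW_RT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net"
         "/providers/Microsoft.Network/routeTables/rt-to-firewall")
PARAMS = {"routeTableId": FW_RT}

if __name__ == "__main__":
    print(json.dumps(POLICY_DEFINITION, indent=2))
    print(json.dumps(default_route_to_firewall("10.0.0.4"), indent=2))
    for s in (subnet("app", FW_RT), subnet("app-no-rt"),
              subnet("app-other-rt", FW_RT.replace("rt-to-firewall", "rt-other")),
              subnet("AzureFirewallSubnet")):
        print(s["name"], "->", evaluate(s, PARAMS))
```

The `anyOf` branch with `exists: false` is deliberate: it denies a subnet that has no route table at all, and the `notEquals` branch denies one associated with the wrong table, without relying on how the engine treats a comparison against a missing field. Once the JSON is written to a file, it can be registered with `az policy definition create` (`--rules` and `--params`) and assigned with the route table ID as the parameter value.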