Author : MD TAREQ HASSAN | Updated : 2021/12/27

When to apply UDR

GatewaySubnet

See “Forcing On-premise Traffic Through Firewall” described below.

AzureFirewallSubnet

ApplicationGatewaySubnet

SqlManagedInstanceSubnet

AKS Subnet

To route the spoke subnet traffic through the hub firewall, you can use a User Defined route (UDR) that points to the firewall with the Virtual network gateway route propagation option disabled. The Virtual network gateway route propagation disabled option prevents route distribution to the spoke subnets. This prevents learned routes from conflicting with your UDR. If you want to keep Virtual network gateway route propagation enabled, make sure to define specific routes to the firewall to override those that are published from on-premises over BGP.

https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-portal-policy#prerequisites

See “Forcing On-premise Traffic Through Firewall” described below.

PrivateEndpointSubnet

AzureBastionSubnet

DmsSubnet

No need to add UDR

DatabricksSubnet

Overriding 0.0.0.0/0 route

Forcing On-premise Traffic Through Firewall

See: Force incoming traffic to Virtual Network Gateway (from on-premise) through Firewall

Forcing inter-subnet traffic through Firewall

Traffic between directly peered VNets is routed directly even if a UDR points to Azure Firewall as the default gateway. To send subnet to subnet traffic to the firewall in this scenario, a UDR must contain the target subnet network prefix explicitly on both subnets.

Force traffic from spoke subnet to firewall