Azure Firewall Outbound Flow Diagram

Understanding the Outbound Flow

This diagram illustrates the typical flow of outbound traffic originating from a virtual network (VNet) and passing through Azure Firewall for inspection and policy enforcement. It highlights the key components and decision points involved in ensuring secure and controlled internet access for your resources.

Key Stages:

• Origin: Traffic starts from resources within your Azure Virtual Network (e.g., Virtual Machines, App Services).
• Routing: User-Defined Routes (UDRs) are configured on subnets to direct outbound traffic to the Azure Firewall's private IP address.
• Azure Firewall Processing: The firewall inspects the traffic based on configured Network Rules (IP addresses, ports, protocols) and Application Rules (FQDNs, HTTP/S).
• Network Address Translation (NAT): For outbound traffic to the internet, Azure Firewall performs Source NAT (SNAT), translating the private source IP address to the firewall's public IP address or a configured outbound IP.
• Internet Egress: Once policies are satisfied and NAT is applied, traffic is allowed to egress to the internet.
• Return Traffic: Return traffic from the internet arrives at the firewall's public IP and is then routed back to the VNet, with Destination NAT (DNAT) applied if inbound traffic rules are in place (though this diagram focuses on outbound).

This diagram is crucial for designing secure network architectures in Azure, ensuring compliance, and maintaining visibility into your organization's internet-bound communications.

Example Configuration Snippet (Conceptual)

While not directly executable, this snippet represents the concept of UDRs directing traffic:

# Resource Group: MyResourceGroup
# VNet: MyVNet
# Subnet: AppSubnet

# UDR for AppSubnet directing all traffic to Azure Firewall
az network route-table create \
    --resource-group MyResourceGroup \
    --name AppSubnetRouteTable

az network route-table route create \
    --resource-group MyResourceGroup \
    --route-table-name AppSubnetRouteTable \
    --name DefaultRoute \
    --address-prefix 0.0.0.0/0 \
    --next-hop-type VirtualAppliance \
    --next-hop-ip-address 

az network vnet subnet update \
    --resource-group MyResourceGroup \
    --vnet-name MyVNet \
    --name AppSubnet \
    --route-table AppSubnetRouteTable