You will filter traffic with Network Security Groups and steer it with user-defined routes (UDRs), including forcing traffic through a firewall appliance. By the end you will control both what is allowed and the path packets take.

Learning Objectives

  • Write priority-ordered NSG rules for least privilege.
  • Create a UDR that overrides default system routes.
  • Inspect effective rules and routes on a NIC.
  • Time: ~3 hours · Difficulty: Intermediate · Prereqs: a VNet with VMs.

Architecture Overview

Environment Setup

You will need: a VNet with at least two subnets and the Azure CLI.

Before you begin: NSG rules are evaluated by priority, lowest number first.

Step-by-Step Execution

01
Create an NSG allow rule
az network nsg create -n web-nsg && az network nsg rule create --nsg-name web-nsg -n allow-https --priority 100 --destination-port-ranges 443 --access Allow --protocol Tcp
02
Create a UDR forcing traffic via a firewall

A user-defined route overrides Azure's default routing so traffic must pass your inspection point.

az network route-table create -n rt-app && az network route-table route create --route-table-name rt-app -n to-fw --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address 10.0.3.4
03
Inspect effective rules and routes
$ az network nic show-effective-route-table -n web01VMNic -o table
Source AddressPrefix NextHopType NextHopIp User 0.0.0.0/0 VirtualAppliance 10.0.3.4

Progress So Far

Testing & Validation

az network nic show-effective-route-table -n web01VMNic --query "value[?nextHopType=='VirtualAppliance']"

You should see the appliance as the next hop for 0.0.0.0/0, confirming traffic is forced through your firewall. NSG denies should appear in flow logs.

Troubleshooting
  • Rule has no effect: a lower-priority number wins; reorder so the intended rule precedes broad denies.
  • UDR ignored: associate the route table with the subnet, not just create it.
  • Appliance drops traffic: enable IP forwarding on the appliance NIC.

Extension Ideas

Key Results

  • Enforced least-privilege inbound rules via NSG priorities.
  • Forced all egress through a firewall appliance with a UDR.
  • Verified the effective route table on the VM NIC.
  • Combined filtering and routing for defense in depth.