Apart from firewall rules, routes are the key networking component that needs to be configured for your subnets/VNET.

To build a poor man's DMZ, one could simply use an Azure VM running a firewall (FW) appliance as the DMZ.

In this build-out, the first hop for any VM in the VNET needs to be the DMZ (FW) VM.

System Routes versus User Defined Routes

When you create subnets, Azure creates system routes that enable all resources in a subnet to communicate with each other. You can override the system routes by creating UDRs. This way, you can force traffic to follow a particular route.

Scenario: a VNET with 2 subnets, no direct traffic between the subnets; you just need a firewall (VM) between the two subnets.

To create UDRs and enable IP forwarding, you have to create a route table in Azure.

Azure will always pick the custom routes over the default system routes.

Creating User Defined Routes

To create UDRs, follow these steps:

  1. Navigate to the Azure Portal by opening https://portal.azure.com/.
  2. Click on New, type Route table in the search bar, and create a new one.
  3. All internet traffic will need to go through the firewall. Add a route with 0.0.0.0/0 as the Address prefix. The Next hop type is Virtual appliance; this is the firewall.
  4. The Next hop address is the internal (private) IP address of the firewall VM.
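Added example, not part of the original post: this Python models Azure's route selection (longest prefix match, then a user route over a system route) to check what the route table from the steps above actually sends through the firewall, and shows that for the two-subnet scenario the default route alone leaves inter-subnet traffic on the more specific VnetLocal system route, so a route for the other subnet's prefix is needed as well. The VNET address space, subnet prefixes and firewall IP are constructed values.

```python
"""Model of how Azure picks a route for a destination, used to check that a
route table really forces traffic through the firewall VM. Added example, not
from the original post; VNET space, subnets and firewall IP are constructed."""
import ipaddress

# When prefixes are equally specific, a user-defined route beats a system route.
ORIGIN_RANK = {"User": 0, "Default": 1}

VNET = "10.0.0.0/16"        # constructed VNET address space
FIREWALL_IP = "10.0.0.4"    # constructed private IP of the firewall VM

# System routes Azure creates for every subnet (origin "Default").
SYSTEM_ROUTES = [
    {"prefix": VNET, "next_hop": "VnetLocal", "origin": "Default"},
    {"prefix": "0.0.0.0/0", "next_hop": "Internet", "origin": "Default"},
]

def select_route(routes, dest_ip):
    """Longest prefix match; on a tie, the user route overrides the system route."""
    addr = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r["prefix"])]
    return max(candidates, key=lambda r: (ipaddress.ip_network(r["prefix"]).prefixlen,
                                          -ORIGIN_RANK[r["origin"]]))

def via_firewall(route):
    """True only if the selected route hands the packet to the firewall appliance."""
    return route["next_hop"] == "VirtualAppliance" and route.get("next_hop_ip") == FIREWALL_IP

def audit(user_routes, internet_ip="8.8.8.8", peer_ip="10.0.2.10"):
    """Report whether internet-bound and inter-subnet traffic reach the firewall."""
    table = SYSTEM_ROUTES + user_routes
    return {
        "internet_via_fw": via_firewall(select_route(table, internet_ip)),
        "peer_subnet_via_fw": via_firewall(select_route(table, peer_ip)),
    }

# The UDR exactly as the steps above describe: only the default route to the firewall.
DEFAULT_ONLY = [
    {"prefix": "0.0.0.0/0", "next_hop": "VirtualAppliance",
     "next_hop_ip": FIREWALL_IP, "origin": "User"},
]
# Adding the other subnet's prefix is what forces inter-subnet traffic through it too.
WITH_PEER_SUBNET = DEFAULT_ONLY + [
    {"prefix": "10.0.2.0/24", "next_hop": "VirtualAppliance",
     "next_hop_ip": FIREWALL_IP, "origin": "User"},
]

if __name__ == "__main__":
    print(audit(DEFAULT_ONLY))       # {'internet_via_fw': True, 'peer_subnet_via_fw': False}
    print(audit(WITH_PEER_SUBNET))   # {'internet_via_fw': True, 'peer_subnet_via_fw': True}
```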

Summary

User Defined Routes provide a way to create DMZs (and also VNET service tunneling, which allows private access to Azure services, similar to AWS PrivateLink or Google Private Service Access).