Governance Policies Azure Networking Route Tables - Azure/az-prototype GitHub Wiki
Governance policies for Route Tables
Domain: azure-networking
| Name | Description |
|---|---|
| Forced tunneling via Azure Firewall | Route table with a 0.0.0.0/0 route whose next hop type is VirtualAppliance and whose next hop address is the Azure Firewall private IP, so all Internet-bound traffic is inspected |
| Anti-pattern | Instead |
|---|---|
| Do not create overlapping routes with different next-hops | Azure selects the longest matching prefix, so keep overlapping prefixes on the same next hop, or validate which route wins for each address range before adding a more specific one |
| Do not use the None next-hop type to silently drop traffic without logging | Route the traffic to a firewall or NVA that logs the drop, so denied flows remain auditable |
| Check | Severity | Description |
|---|---|---|
| AZ-UDR-001 | Required | Disable BGP route propagation on subnets with forced tunneling to an NVA or firewall |
| AZ-UDR-002 | Required | Define explicit routes with valid next-hop types and addresses |
| AZ-UDR-003 | Recommended | Associate route tables with subnets explicitly in the subnet resource |
| AZ-UDR-004 | Recommended | Document all custom routes and their purpose with tags |
Disable BGP route propagation on subnets with forced tunneling to an NVA or firewall
Severity: Required
Rationale: Azure selects routes by longest prefix match, so routes learned over BGP (ExpressRoute or VPN) that are more specific than the 0.0.0.0/0 UDR take precedence over it and bypass the firewall or NVA
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/routeTables
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/virtualNetworks/subnets | snet-workload | Associate route table with target subnets |
| Microsoft.Network/azureFirewalls | azurefirewalls | Next-hop target for forced tunneling |
Define explicit routes with valid next-hop types and addresses
Severity: Required
Rationale: A route whose next-hop address is missing, malformed, or unreachable black-holes all traffic matching its prefix
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/routeTables
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/routeTables | rt-default | Parent route table |
Associate route tables with subnets explicitly in the subnet resource
Severity: Recommended
Rationale: A route table that is not associated with a subnet has no effect on traffic flow
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/routeTables
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/networkSecurityGroups | nsg-resource | Always pair UDR with NSG |
Document all custom routes and their purpose with tags
Severity: Recommended
Rationale: Route tables can create complex traffic flows that are hard to debug without documentation
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/routeTables
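As an added example (not code from the az-prototype project), the script below applies AZ-UDR-001, AZ-UDR-002 and the overlapping-route anti-pattern to an ARM-style Microsoft.Network/routeTables resource. The JSON shape it reads (properties.disableBgpRoutePropagation and properties.routes[].properties.addressPrefix, nextHopType, nextHopIpAddress) follows the Azure resource schema; the table and route names and the 10.0.1.4 firewall address are constructed for the sample.

```python
"""Evaluate an ARM-style Microsoft.Network/routeTables resource against
AZ-UDR-001, AZ-UDR-002 and the overlapping-route anti-pattern.
Added example, not az-prototype code; sample resources are constructed."""
import ipaddress
from itertools import combinations
from typing import Any, Dict, List

# Next hop types a route in Microsoft.Network/routeTables may use.
VALID_NEXT_HOP_TYPES = {"VirtualAppliance", "VirtualNetworkGateway",
                        "VnetLocal", "Internet", "None"}


def _hop_label(rp: Dict[str, Any]) -> str:
    """Render a next hop as 'Internet' or 'VirtualAppliance 10.0.1.4'."""
    ip = rp.get("nextHopIpAddress")
    return f"{rp.get('nextHopType')} {ip}" if ip else str(rp.get("nextHopType"))


def check_route_table(rt: Dict[str, Any]) -> List[str]:
    """Return findings, each prefixed with the check or anti-pattern it hits."""
    findings: List[str] = []
    props = rt.get("properties", {})
    parsed = []  # (name, network, hop label) for routes that passed AZ-UDR-002

    for route in props.get("routes", []):
        name = route.get("name", "<unnamed>")
        rp = route.get("properties", {})
        # AZ-UDR-002: a route needs a parseable prefix, a known next hop type,
        # and an IP address exactly when the type is VirtualAppliance.
        try:
            net = ipaddress.ip_network(rp.get("addressPrefix") or "", strict=False)
        except ValueError:
            findings.append(f"AZ-UDR-002 {name}: addressPrefix "
                            f"{rp.get('addressPrefix')!r} is not a valid CIDR")
            continue
        nht = rp.get("nextHopType")
        if nht not in VALID_NEXT_HOP_TYPES:
            findings.append(f"AZ-UDR-002 {name}: unknown nextHopType {nht!r}")
            continue
        ip = rp.get("nextHopIpAddress")
        if nht == "VirtualAppliance":
            try:
                ipaddress.ip_address(ip or "")
            except ValueError:
                findings.append(f"AZ-UDR-002 {name}: VirtualAppliance route "
                                f"needs a valid nextHopIpAddress, got {ip!r}")
                continue
        elif ip:
            findings.append(f"AZ-UDR-002 {name}: nextHopIpAddress is only "
                            f"allowed with nextHopType VirtualAppliance")
            continue
        parsed.append((name, net, _hop_label(rp)))

    # Anti-pattern: overlapping prefixes with different next hops. Azure picks
    # the longest matching prefix, so the more specific route wins silently.
    for (n1, net1, h1), (n2, net2, h2) in combinations(parsed, 2):
        if h1 == h2 or net1.version != net2.version:
            continue
        if net1.subnet_of(net2) or net2.subnet_of(net1):
            spec, gen = ((n1, net1, h1), (n2, net2, h2)) \
                if net1.prefixlen >= net2.prefixlen else ((n2, net2, h2), (n1, net1, h1))
            findings.append(f"OVERLAP {spec[0]} ({spec[1]}) -> {spec[2]} takes "
                            f"precedence over {gen[0]} ({gen[1]}) -> {gen[2]}")

    # AZ-UDR-001: a 0.0.0.0/0 route to an NVA/firewall is forced tunnelling.
    # Selection is longest-prefix-first, so with BGP propagation left on, any
    # more specific route learned over ExpressRoute/VPN bypasses the NVA.
    forced = [n for n, net, h in parsed
              if net.prefixlen == 0 and h.startswith("VirtualAppliance")]
    if forced and props.get("disableBgpRoutePropagation") is not True:
        findings.append(f"AZ-UDR-001 {rt.get('name')}: {forced} force-tunnel "
                        f"traffic but disableBgpRoutePropagation is not true")
    return findings


# Constructed sample resources; 10.0.1.4 stands in for the firewall private IP.
FIREWALL_IP = "10.0.1.4"
_DEFAULT_VIA_FW = {"name": "default-to-firewall", "properties": {
    "addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance",
    "nextHopIpAddress": FIREWALL_IP}}

RT_COMPLIANT = {"name": "rt-default", "type": "Microsoft.Network/routeTables",
                "properties": {"disableBgpRoutePropagation": True,
                               "routes": [_DEFAULT_VIA_FW]}}

RT_NONCOMPLIANT = {"name": "rt-bad", "type": "Microsoft.Network/routeTables",
                   "properties": {"disableBgpRoutePropagation": False, "routes": [
                       _DEFAULT_VIA_FW,
                       {"name": "corp-direct", "properties": {
                           "addressPrefix": "10.0.0.0/8",
                           "nextHopType": "VirtualNetworkGateway"}},
                       {"name": "nva-no-ip", "properties": {
                           "addressPrefix": "192.168.0.0/16",
                           "nextHopType": "VirtualAppliance"}}]}}

if __name__ == "__main__":
    for table in (RT_COMPLIANT, RT_NONCOMPLIANT):
        print(table["name"], check_route_table(table) or ["compliant"])
```

Run it directly to see the compliant table pass and the second table produce three findings: the VirtualAppliance route without an address (AZ-UDR-002), the 10.0.0.0/8 route taking precedence over the default route to the firewall (overlap), and forced tunneling with BGP propagation still enabled (AZ-UDR-001). The overlap finding is deliberately informational: some more specific routes are intended, but each one must be reviewed against the inspection path it bypasses.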