The Azure VNet infrastructure does not require virtual
machines to have a network interface in each subnet. The architecture
includes an internal route table (called system routes) that directly
connects all virtual machines within a VNet such that traffic is
automatically forwarded to a virtual machine in any subnet. For
a destination IP address that is not within the VNet, the traffic
is sent to the default Internet gateway or to a VPN gateway, if
configured. In order to route traffic through the VM-Series firewall,
you must create user defined routes (UDRs) that specify the next hop
for traffic leaving a subnet. This route forces traffic destined
for another subnet to go to the VM-Series firewall instead of using
the system routes to directly access the virtual machine in the
other subnet. For example, in a two-tiered application with a web
tier and a database tier, you can set up UDRs for directing traffic
from the web subnet to the DB subnet through the VM-Series firewall.
On Azure, UDRs are for traffic leaving a subnet only. You
cannot create user defined routes to specify how traffic comes into
a subnet from the Internet or to route traffic to virtual machines
within a subnet. UDRs let you direct outbound traffic to an
interface on the VM-Series firewall, so you can ensure that the
firewall also secures traffic bound for the Internet.
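The following ARM template fragment is an added example of the two-tier setup described above; it is not taken from the page or from the vendor's published templates. It creates a route table with two user defined routes for the web subnet: one that sends traffic for the DB subnet to the VM-Series firewall, and a default route that sends Internet-bound traffic through the firewall as well, then attaches the table to the web subnet. The resource names, the VNet and subnet prefixes (10.0.0.0/24 for web, 10.0.2.0/24 for DB) and the firewall trust-interface address 10.0.1.4 are placeholder assumptions, not values from the page.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "firewallTrustIp": {
      "type": "string",
      "defaultValue": "10.0.1.4",
      "metadata": {
        "description": "Assumed private IP of the VM-Series trust interface (placeholder, not from the page)"
      }
    },
    "dbSubnetPrefix": {
      "type": "string",
      "defaultValue": "10.0.2.0/24",
      "metadata": {
        "description": "Assumed address prefix of the database subnet (placeholder)"
      }
    },
    "webSubnetPrefix": {
      "type": "string",
      "defaultValue": "10.0.0.0/24",
      "metadata": {
        "description": "Assumed address prefix of the web subnet (placeholder)"
      }
    }
  },
  "resources": [
    {
      "comments": "Route table applied to the web subnet. Both routes use nextHopType VirtualAppliance so the firewall, not the Azure system route, carries the traffic.",
      "type": "Microsoft.Network/routeTables",
      "apiVersion": "2020-11-01",
      "name": "rt-web-subnet",
      "location": "[resourceGroup().location]",
      "properties": {
        "disableBgpRoutePropagation": false,
        "routes": [
          {
            "name": "web-to-db-via-firewall",
            "properties": {
              "addressPrefix": "[parameters('dbSubnetPrefix')]",
              "nextHopType": "VirtualAppliance",
              "nextHopIpAddress": "[parameters('firewallTrustIp')]"
            }
          },
          {
            "name": "default-to-internet-via-firewall",
            "properties": {
              "addressPrefix": "0.0.0.0/0",
              "nextHopType": "VirtualAppliance",
              "nextHopIpAddress": "[parameters('firewallTrustIp')]"
            }
          }
        ]
      }
    },
    {
      "comments": "Associate the route table with the web subnet of an assumed VNet named vnet-app. UDRs take effect only for traffic leaving this subnet.",
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2020-11-01",
      "name": "vnet-app/web-subnet",
      "dependsOn": [
        "[resourceId('Microsoft.Network/routeTables', 'rt-web-subnet')]"
      ],
      "properties": {
        "addressPrefix": "[parameters('webSubnetPrefix')]",
        "routeTable": {
          "id": "[resourceId('Microsoft.Network/routeTables', 'rt-web-subnet')]"
        }
      }
    }
  ]
}
```

Two points to check when applying a table like this, both beyond what the page states: the firewall's trust network interface must have IP forwarding enabled (the `enableIPForwarding` property on the NIC) or Azure will drop packets whose destination is not the NIC's own address, and because UDRs only govern traffic leaving a subnet, the DB subnet needs its own route table pointing back through the firewall so that return traffic takes the same path and the firewall sees both directions of each session.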
The solution templates for deploying the VM-Series firewall that
are available in the Azure Marketplace have three network interfaces.
Because the VNet infrastructure does not require virtual machines
to have a network interface in each subnet, three network interfaces
are sufficient for most deployments. If you want to customize the template,
use the ARM templates that are available in the GitHub repository.