The Azure VNet infrastructure does not require virtual machines to have a network interface in each subnet. The architecture includes an internal route table (called system routes) that directly connects all virtual machines within a VNet such that traffic is automatically forwarded to a virtual machine in any subnet. For a destination IP address that isn't within the VNet, the traffic is sent to the default internet gateway or to a VPN gateway, if configured. To route traffic through the VM-Series firewall, you must create user-defined routes (UDRs) that specify the next hop for traffic leaving a subnet. This route forces traffic destined to another subnet to go to the VM-Series firewall instead of using the system routes to directly access the virtual machine in the other subnet. For example, in a two-tiered application with a web tier and a database tier, you can set up UDRs for directing traffic from the web subnet to the DB subnet through the VM-Series firewall.

The solution templates for deploying the VM-Series firewall that’s available in the Azure Marketplace, have three network interfaces. To Set up Active/Passive HA on Azure, you will need to add an additional interface for the HA2 link. If you want to customize the template, use the ARM templates that are available in the GitHub repository.