Redesign default NSG rules to allow only VNET filtering
When using a hub-spoke model with an Azure Firewall in the hub vnet, we are facing the issue that far too much traffic is allowed by the default NSG rules on the hub and spoke vnets.
The reason is that the virtual network service tag "VirtualNetwork" includes 0.0.0.0 as soon as we create a UDR for 0.0.0.0 (the default route) that points to the Azure Firewall.
From that moment on, the default NSG rule 65000 "AllowVnetInBound" accepts source 0.0.0.0 to destination 0.0.0.0.
The next rule (which we do need), 65001 "AllowAzureLoadBalancerInBound", is never evaluated, because rule 65000 matches every flow that no higher-priority rule has already matched.
So with the default hub-spoke and NSG design, all traffic from on-premises is allowed to all virtual machines located in peered vnets.
The only workaround available to us at this moment is to create rules with a higher priority that allow traffic from source "AzureLoadBalancer" to any destination (just like rule 65001), allow traffic from all peered vnets, and after those rules deny traffic from all sources to all destinations.
This means the default rules 65000, 65001 and 65500 are never reached.
The rule name "AllowVnetInBound" is deceptive.
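To make the shadowing concrete, here is an added example (not from the original post) that simulates NSG inbound evaluation by priority: the "VirtualNetwork" tag is expanded to the vnet address spaces plus 0.0.0.0/0 once a default-route UDR exists, and the workaround rule set is evaluated next to the default rules. The hub, spoke and test source addresses are constructed for the example; 168.63.129.16 is the Azure platform address behind the "AzureLoadBalancer" tag.

```python
import ipaddress

# Constructed address plan for the example (not from the original post).
HUB = "10.0.0.0/16"
SPOKE = "10.1.0.0/16"
LB_PROBE_IP = "168.63.129.16"   # address represented by the AzureLoadBalancer tag
DEFAULT_ROUTE = "0.0.0.0/0"


def expand(prefix, default_route_to_fw):
    """Resolve a service tag or CIDR into the list of prefixes the NSG matches on."""
    if prefix == "VirtualNetwork":
        prefixes = [HUB, SPOKE]               # own vnet plus peered vnets
        if default_route_to_fw:
            prefixes.append(DEFAULT_ROUTE)    # UDR 0.0.0.0/0 -> tag now covers everything
        return prefixes
    if prefix == "AzureLoadBalancer":
        return [LB_PROBE_IP + "/32"]
    return [prefix]


# (priority, name, source, destination, action); lowest priority number wins.
DEFAULT_INBOUND = [
    (65000, "AllowVnetInBound", "VirtualNetwork", "VirtualNetwork", "Allow"),
    (65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", DEFAULT_ROUTE, "Allow"),
    (65500, "DenyAllInBound", DEFAULT_ROUTE, DEFAULT_ROUTE, "Deny"),
]

# Workaround from the post: explicit LB allow, explicit peered-vnet allows, then deny all.
WORKAROUND_INBOUND = [
    (100, "AllowLbProbes", "AzureLoadBalancer", DEFAULT_ROUTE, "Allow"),
    (110, "AllowHubVnet", HUB, DEFAULT_ROUTE, "Allow"),
    (111, "AllowSpokeVnet", SPOKE, DEFAULT_ROUTE, "Allow"),
    (4000, "DenyEverythingElse", DEFAULT_ROUTE, DEFAULT_ROUTE, "Deny"),
] + DEFAULT_INBOUND   # default rules still exist but sit behind the deny


def evaluate(rules, src, dst, default_route_to_fw=True):
    """Return (rule name, action) of the first rule, by ascending priority, matching the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, name, rule_src, rule_dst, action in sorted(rules, key=lambda r: r[0]):
        src_hit = any(s in ipaddress.ip_network(p) for p in expand(rule_src, default_route_to_fw))
        dst_hit = any(d in ipaddress.ip_network(p) for p in expand(rule_dst, default_route_to_fw))
        if src_hit and dst_hit:
            return name, action
    return None, "Deny"   # NSG semantics: no match means implicit deny
```

With the default rules and the UDR in place, a source outside any vnet reaches a spoke VM via rule 65000, and even the load balancer probe is matched by 65000 rather than 65001; with the workaround rules the outside source is denied while peered vnets and the probe still pass.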