
Add NVA Routing sample: route APIM outbound traffic through Azure Firewall in a hub/spoke topology#181

Open
Copilot wants to merge 10 commits into main from copilot/add-apim-nva-routing-guidance

Conversation


Copilot AI commented Mar 20, 2026

  • Create shared/bicep/modules/network/v1/firewall.bicep — all Firewall resources (Public IP, Firewall Policy, Rule Collection Group with built-in APIM management rules, Hub VNet, Azure Firewall, VNet Peerings, Route Table, APIM subnet update); accepts additionalNetworkRules and applicationRules arrays for caller-supplied rules
  • Update samples/egress-control/main.bicep to replace inline Firewall resources with a call to the new firewallModule, passing the weather.gov application rule as a parameter
  • Update samples/egress-control/README.md — correct appgw-apim-pe description (Private Link, not VNet integration) and add STANDARDV2/PREMIUMV2 to appgw-apim supported SKU note
Original prompt

This section details the original issue you should resolve

<issue_title>[Scenario]: Show how APIM can route outbound internet traffic through a NVA in a typical enterprise hub/spoke topology</issue_title>
<issue_description>### Describe the scenario

Many organizations will deploy a Network Virtual Application (NVA) in a hub virtual network and route all outbound internet traffic through the device for security purposes. Customers using APIM to access internet hosted backends need clear guidance showing how to route traffic through the NVA.

Improvement to Project

  • Clear documentation with a diagram showing the intended networking architecture
  • Cover all relevant APIM tiers (VNet)
  • Links to other relevant Azure networking documents
  • Maybe this scenario can be made more generic to show 'advanced networking with APIM', or something like that; I don't know what the possibilities are.

Are you able to collaborate and/or submit a pull request?

Yes</issue_description>

Comments on the Issue (you are @copilot in this section)

@simonkurtz-MSFT
Submitted on behalf of @AndrewBryson.

@simonkurtz-MSFT
A route table would get attached to the APIM subnet to govern egress routing. In my experience, customers have done this in two ways:
  1. Send everything to the NVA by way of a quad-zero (0.0.0.0) route. Depending on the customer, their industries, and their workloads, that can be applicable but comes with added pressures on a hub NVA such as Azure Firewall. I have seen this become a choke point and cripple infrastructures. Caution is advised.

  2. Allow East/West traffic to bypass the NVA. This can be done broadly by sending the internal IP ranges to VNet or it may be done specifically for precise targets (e.g. "APIM may only communicate with APIs and other resources in these subnets").

I favor the second approach in some form because Network Security Groups (NSGs) typically provide adequate internal controls. This strikes a good balance. When using workload subscriptions, a peered VNet also oftentimes employs more than one subnet (e.g. App Gateway gets its own for ingress, then APIM, then perhaps some data services, etc.). If user-defined routes (UDRs) are in those route tables per subnet that all use quad-zero routes to the NVA, a lot of subscription internal traffic now gets inspected. Subscription workloads can often remain as their own blast zones. Again, each case may differ, but we need to apply some sensible, opinionated defaults.

@simonkurtz-MSFT
A good solution approach here may be an external API that is allowed vs. one that is not.

For an allowed API, let's permit traffic to https://api.weather.gov and verify with a successful request to get Seattle's forecast: https://api.weather.gov/gridpoints/SEW/131,68/forecast

For unsuccessful requests, make the same request but to http. This should not be allowed through the firewall.
For another unsuccessful request, ensure that https://api.accuweather.com are not permitted (by virtue of not being allowed).

What's fundamentally new here is the addition of a routing table to each VNet-integrated or -injected infrastructure. That is to be done through the sample (so sample adds infrastructure). It's important that the UDRs in the table don't conflict with other sample traffic as samples are intended to function independently. Therefore, we need to ensure that VNet traffic is not sent to the firewall.

Using the lowest level of Azure Firewall is sufficient. The infrastructure templates may already have a subnet carved out for firewall.


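The two design points raised in the thread above (a route table on the APIM subnet that sends only internet-bound traffic to the hub firewall while VNet traffic bypasses it, and a firewall policy that allows exactly one HTTPS backend so the weather.gov / http / accuweather checks behave as described) can be expressed in a single Bicep fragment. What follows is an added illustration written for this page, not the PR's `shared/bicep/modules/network/v1/firewall.bicep`; the resource names, parameter defaults, address ranges and the firewall's private IP are assumptions, and the fragment is scoped to a VNet-injected (stv2) APIM subnet in a spoke peered to a hub that already runs Azure Firewall with an existing firewall policy.

```bicep
// Added illustration (not the PR's firewall.bicep). Assumed names and ranges throughout.
// Scope: VNet-injected APIM subnet (Developer/Premium, stv2) in a spoke VNet that is
// peered to a hub VNet running Azure Firewall with an existing firewall policy.
param location string = resourceGroup().location
param spokeVnetName string = 'vnet-spoke'          // assumed existing spoke VNet
param apimSubnetName string = 'snet-apim'          // assumed existing APIM subnet
param apimSubnetPrefix string = '10.1.2.0/24'      // assumed APIM subnet range
param spokeAddressPrefix string = '10.1.0.0/16'    // assumed spoke VNet address space
param firewallPrivateIp string = '10.0.1.4'        // assumed Azure Firewall private IP in the hub
param firewallPolicyName string = 'afwp-hub'       // assumed existing firewall policy

// 1. Route table for the APIM subnet.
//    Azure selects routes by longest prefix match, so the spoke's /16 route and the
//    peered hub's system route win over 0.0.0.0/0: east/west traffic never reaches
//    the firewall, and only internet-bound traffic is forced through the NVA.
resource apimRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-apim-egress'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: [
      {
        // Explicit bypass for the spoke itself; documents intent and matches the system route.
        name: 'spoke-local'
        properties: {
          addressPrefix: spokeAddressPrefix
          nextHopType: 'VnetLocal'
        }
      }
      {
        // stv2 control-plane responses must return symmetrically to the ApiManagement
        // service tag; the APIM force-tunneling guidance steers it to Internet, not the NVA.
        name: 'apim-management'
        properties: {
          addressPrefix: 'ApiManagement'
          nextHopType: 'Internet'
        }
      }
      {
        // Everything else (internet egress) goes to the hub firewall.
        name: 'default-to-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// 2. Firewall policy rules: allow only HTTPS to api.weather.gov from the APIM subnet.
//    Azure Firewall denies anything that matches no rule, so plain http to the same
//    host and https to api.accuweather.com are both dropped without an explicit deny.
resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = {
  name: firewallPolicyName
}

resource apimEgressRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: firewallPolicy
  name: 'rcg-apim-egress'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'apim-allowed-external-apis'
        priority: 100
        action: {
          type: 'Allow'
        }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'allow-weather-gov-https'
            sourceAddresses: [ apimSubnetPrefix ]
            protocols: [
              {
                protocolType: 'Https'   // no 'Http' entry, so http://api.weather.gov is denied
                port: 443
              }
            ]
            targetFqdns: [ 'api.weather.gov' ]
          }
        ]
      }
    ]
  }
}

// 3. Attach the route table to the APIM subnet. Redeclaring a subnet overwrites any
//    property that is not restated (NSG, service endpoints, delegations), so carry
//    the subnet's existing settings over into this resource in a real deployment.
resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: spokeVnetName
}

resource apimSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: spokeVnet
  name: apimSubnetName
  properties: {
    addressPrefix: apimSubnetPrefix
    routeTable: {
      id: apimRouteTable.id
    }
  }
}
```

With this in place the verification described in the thread maps directly onto the rules: a call from APIM to https://api.weather.gov/gridpoints/SEW/131,68/forecast matches the single application rule and succeeds, the same request over http fails because the rule lists only the Https protocol, and https://api.accuweather.com fails because no rule names that FQDN. Each denied request shows up in the firewall's application rule logs with the APIM subnet as source, which is the quickest way to confirm the traffic actually traversed the NVA rather than leaving the spoke directly.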

@github-actions
github-actions bot commented Mar 20, 2026

🐍 Python 3.13 Results
  • Ruff: 0 issue(s)
  • Unit Tests: success
  • Code Coverage: 📊 100%

@github-actions
github-actions bot commented Mar 20, 2026

🐍 Python 3.14 Results
  • Ruff: 0 issue(s)
  • Unit Tests: success
  • Code Coverage: 📊 100%

@github-actions
github-actions bot commented Mar 20, 2026

Python 3.13 Detailed Test Results: 1 719 tests (±0), 1 719 passed (±0), 0 skipped, 0 failed, 1 suite, 1 file, 16s (-2s). Results for commit 814af1f, compared against base commit db0b891.

@github-actions
github-actions bot commented Mar 20, 2026

Python 3.14 Detailed Test Results: 1 719 tests (±0), 1 719 passed (±0), 0 skipped, 0 failed, 1 suite, 1 file, 12s (-6s). Results for commit 814af1f, compared against base commit db0b891.

@github-actions
github-actions bot commented Mar 20, 2026

🐍 Python 3.12 Results
  • Ruff: 0 issue(s)
  • Unit Tests: success
  • Code Coverage: 📊 100%

@github-actions
github-actions bot commented Mar 20, 2026

Python 3.12 Detailed Test Results: 1 719 tests (±0), 1 719 passed (±0), 0 skipped, 0 failed, 1 suite, 1 file, 17s (-1s). Results for commit 814af1f, compared against base commit db0b891.

Copilot AI changed the title [WIP] Add guidance for routing outbound internet traffic through NVA with APIM Add NVA Routing sample: route APIM outbound traffic through Azure Firewall in a hub/spoke topology Mar 20, 2026
Copilot AI requested a review from simonkurtz-MSFT March 20, 2026 18:10
@simonkurtz-MSFT simonkurtz-MSFT added enhancement New feature or request scenario An APIM Sample scenario labels Mar 20, 2026
…r faster provisioning

Co-authored-by: simonkurtz-MSFT <84809797+simonkurtz-MSFT@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Azure-Samples/Apim-Samples/sessions/b5be7645-83d6-4ba6-b6eb-9f71ff0ce9cc
…atibility matrix

Co-authored-by: simonkurtz-MSFT <84809797+simonkurtz-MSFT@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Azure-Samples/Apim-Samples/sessions/a08a7faa-6a41-45ef-b9e7-4b39e97f79b0
…/modules/network/v1/firewall.bicep

Co-authored-by: simonkurtz-MSFT <84809797+simonkurtz-MSFT@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Azure-Samples/Apim-Samples/sessions/f76e94a9-e1aa-4bba-b775-6847f95e2d88
@simonkurtz-MSFT simonkurtz-MSFT marked this pull request as ready for review March 20, 2026 20:03


Development

Successfully merging this pull request may close these issues.

[Scenario]: Show how APIM can route outbound internet traffic through a NVA in a typical enterprise hub/spoke topology

2 participants