Azure Networking
Architecture
Routing
- By default a virtual network gets a route for 0.0.0.0/0 that goes to the Internet, and a route for each address range of the VNet that goes to the VNet (so inter-subnet routing works by default).
- The first NIC in a VM gets a default gateway automatically, but additional NICs must be explicitly configured with a default route; see this documentation. #gotcha
Private Link
- By default, Azure PaaS services are accessed through a public endpoint over the internet. Private Link provides a way to access these services over the Azure network instead.
- Handling DNS with Private Link: https://www.ciraltos.com/private-endpoints-and-dns-part-deux-azure-private-dns-zones/
Firewall
- The default rules in a Network Security Group allow intra-subnet and intra-VNet traffic. It is generally recommended to add a higher-priority rule that denies this traffic, and then add specific rules that allow only the ports and protocols that are needed.
- One option for network architecture is to make the default route for all subnets point to an Azure Firewall. This makes the firewall the router for all intra-VNet and inter-VNet traffic.
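As an added example (not from the original page), a Bicep fragment that applies both points: an NSG whose explicit deny out-ranks the built-in AllowVnetInBound rule, with a specific allow rule evaluated before it, and a route table whose 0.0.0.0/0 route sends traffic to an Azure Firewall. All resource names, subnet ranges and the firewall's private IP are assumed placeholders.

```bicep
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-app' // assumed name
  location: resourceGroup().location
  properties: {
    securityRules: [
      {
        name: 'allow-https-from-web-subnet' // specific allow, evaluated first (100 < 4000)
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: '10.0.1.0/24' // assumed web subnet range
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
        }
      }
      {
        name: 'deny-vnet-inbound' // out-ranks the built-in AllowVnetInBound rule (priority 65000)
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: 'VirtualNetwork'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
resource rt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-via-firewall' // assumed name
  location: resourceGroup().location
  properties: {
    routes: [
      {
        name: 'default-to-firewall' // overrides the system 0.0.0.0/0 -> Internet route
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: '10.0.0.4' // assumed private IP of the Azure Firewall
        }
      }
    ]
  }
}
```

Both resources take effect only once attached to a subnet through its networkSecurityGroup and routeTable properties.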