To use your firewall in Azure in a similar way as on-premise firewalls, you must configure routing and other networking features. Most features are available for both Azure Resource Manager (ARM) and Azure Service Manager (ASM), which is also known as "classic" deployment mode. Microsoft recommends using ARM for new deployments. Do not mix ASM and ARM resources.
Azure Route Tables (UDR) using Azure Web Portal
To use your firewall VM as the gateway for other VMs in your virtual network, you can configure a user defined routing table in Azure. Route tables can also be used to route Control Center VIP networks and S-Series networks to the correct VM. HA clusters must be configured to rewrite the Azure routing table so that the backend VMs are always using the active firewall as the gateway.
For more information, see How to Configure Azure Route Tables (UDR) using Azure Portal and ARM.
Azure Route Tables (UDR) using Azure PowerShell
Create a user defined routing table to send traffic from the VMs in the backend subnets through the firewall using PowerShell.
For more information, see How to Configure Azure Route Tables (UDR) using PowerShell and ARM.
Azure Load Balancer for High Availability Clusters
For HA clusters, you need a load balancer in front of the two firewall VMs to forward incoming traffic to the active firewall. The load balancer handles all traffic that matches the load balancer rules you defined. The service is polled by a health probe every 4 seconds. After two failed health checks, the VM is marked as inactive and traffic is redirected to the now active secondary firewall.
For more information, see How to Configure Azure Load Balancer for HA Clusters using PowerShell and ARM.