Azure DHCP preconfigures the interfaces as shown.
Additionally, there are also two static routes:
- Azure uses the 22.214.171.124 address for various services. Having this route in place allows the FortiGate-VM to respond.
- There is also a route out port2 (also the trusted/internal interface) with the VNET prefix as the destination. This provides a route to any additional subnets that may be created.
In the routing monitor, there are connected routes to the two subnets and a default route out port1 (the untrusted/public interface). Azure DHCP also provides this default route.
The "InsideSubnet-routes..." route table forces Internet-bound traffic to egress through the FortiGate port2 interface. If other subnets are created, add this route table to those subnets to provide the same egress filtering.