You add a Route Table to force all internet-bound traffic ( 0.0.0.0/0 ) from your Spoke VNets into an Azure Firewall. You run terraform plan . Error: Cycle: azurerm_subnet_route_table_association.spoke_binding, azurerm_route_table.spoke_udr, azurerm_firewall.fw ... Enter fullscreen mode Exit fullscreen mode Terraform has deadlocked. And even if you fix the cycle — a plain 0.0.0.0/0 route will silently break Windows VM activation and Managed Identity authentication three days later. Here's why both happen and how to fix them cleanly. The Cycle Error Terraform can't resolve the dependency graph: The Route Table needs the Firewall's private_ip_address The Firewall needs AzureFirewallSubnet to exist first The Subnet Association tries to bind everything simultaneously The fix: directly reference azurerm_firewall.fw.ip_configuration[0].private_ip_address in the Route Table.…