One of the big advantages to using SQL Server Availability Groups is the ability to automatically push read traffic over to a secondary server. This is particularly useful for larger queries that would take a few seconds to run and consume large amounts of resources. It's not something recommended for short, fast queries, just because the additional latency of connecting to the secondary could slow down the overall response time for the query.
The Microsoft documentation on setting up Read-Only Routing in SQL AGs is pretty solid and explains how to get this up and running.
Firewall and traffic routing
In secure environments there is usually a firewall that resides between the front end web, application or mid-tier servers and the backend database server. This firewall would block all traffic to the backend except for specific ports to specific IP addresses. This is one of the defense in depth items that helps to keep your databases secure.
When using a firewall in conjunction with SQL Server Availability Groups (AGs) it is common to just open up the firewall to the AG Listener. That way there is a single IP open for all the database servers that reside in the AG and any machine that is not acting as the AG primary is not available through the firewall (reducing attack vectors again, a nice side effect).
Given this you might well expect that when routing traffic off to a readable secondary in the AG that it would follow the flow of:
Here the client (either directly or through a web, app, or mid-tier) performs an action that does a read query against the AG Listener. The expected traffic flow would be (from what we would see IP address wise, the AG Listener would actually connect to the primary, in this case SQL1):
Client - AG Listener - Readable Secondary - AG Listener - Client
Client - SQLAG01 - SQL2 - SQLAG01 - Client
This way the primary server (in this case SQL1) would arbitrate all the traffic for the query that comes in. In fact read routing does not function this way.
In order to perform the expected task of reducing the load on the primary the primary actually tells the client to redirect to the secondary server, and so the process goes:
The correct communication is
Client - AG Listener - Secondary - AG Listener - Client - Secondary - Client
Client - SQLAGL01 - SQL2 - SQLAGL01 - Client - SQL2 - Client
When the client request comes in SQL has to check that the readable secondary is available to accept the query (otherwise it will go to the next server in the routing list, which is why you should always have the primary as the last server in the routing list, just in case every other server is out of service).
This means the query will take a little longer to execute as the arbitration and network changes will take additional milliseconds to complete (why it is not ideal for small, fast selects).
Where does the firewall come in?
Using a firewall and only opening up the IP of the Listener is the best way to handle security, but if you want to use readable secondary server and read-intent routing that's not going to work. Due to the way that the traffic is routed you would need to open up the firewall to each individual server and port that would be a secondary.
So in our above example the firewall would need to be opened to SQLAGL01, SQL1 & SQL2 in order to support client requests. If those rules aren't opened then you're client traffic will be blocked and you'll get the dreaded "Named Pipes Provider: Error 40" error, which isn't much of a help.
Testing your read-intent connections
A really useful way of testing your read-intent connections is to use a quick PowerShell script from your front end server (if running Windows) prior to putting it into rotation. Download Check-ReadRouting.PS1 and enter the AG Listener name, or IP Address and the name of a database in the AG. If things are working correctly it will return the name of the primary and first server in your read-only routing list.
If you get a timeout then you have either not set the read-intent URL correctly for your secondary, or you are having firewall issues connecting, and so should investigate further.
Read-routing can be really powerful and useful, you just have to be careful of the gotchas in getting it working correctly.