Virtual Network Routing
Learn how to control traffic flow within your Azure virtual network and to external networks using route tables and user-defined routes.
Understanding Azure VNet Routing
Azure virtual networks (VNets) are the private network boundary for your Azure resources. By default, Azure routes traffic between subnets in a VNet, between peered VNets, to connected on-premises networks, and to the internet using system routes that you never see configured. For any subnet you can override that default behavior with user-defined routes (UDRs) collected in a route table, which is how you force egress through a firewall or blackhole a prefix.
Default System Routes
By default, Azure creates a set of system routes for every subnet based on the VNet's configuration. They include:
- Virtual network: each address prefix of the VNet, with next hop "Virtual network", so subnets in the same VNet reach each other directly.
- Internet: 0.0.0.0/0 with next hop "Internet". Traffic to Azure service public IPs stays on the Microsoft backbone, but it still leaves your VNet.
- None: the private ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and 100.64.0.0/10 are dropped unless a more specific route (the VNet's own prefix, a peering route, or a route learned from a gateway) matches first.
- Optional routes that appear when you enable a feature: peered VNet prefixes (VNet peering), on-premises prefixes learned by a VPN Gateway or ExpressRoute gateway (Virtual network gateway), and service endpoint prefixes (VirtualNetworkServiceEndpoint).
You cannot create or delete system routes, but you can override them. When several routes match a destination, Azure uses the one with the longest matching prefix; when the prefix lengths are equal, a user-defined route wins over a BGP-learned route, which wins over a system route. A UDR for 0.0.0.0/0 therefore replaces the system Internet route for the subnet it is attached to.
User-Defined Routes (UDRs)
User-defined routes let you override how traffic is routed out of a subnet. You create a route table, add routes to it, and associate it with one or more subnets; the routes then apply to all traffic originating in those subnets, whichever NIC sends it. Route tables steer traffic, they do not filter it: a route to an NVA only works if the NVA inspects and forwards, and only a network security group (NSG) decides whether a flow is allowed at all. Typical uses:
- Forcing traffic through a Network Virtual Appliance (NVA): sending the subnet's egress (often 0.0.0.0/0) through a firewall or other inspection appliance deployed in your VNet, so that no workload can reach the internet or on-premises networks without passing it.
- Blackholing a prefix: a route with next hop "None" drops traffic to an address range from a specific subnet, for example a management range that application subnets must never reach.
- Keeping on-premises routes out of a subnet: disabling gateway route propagation on the route table so that BGP-learned prefixes cannot bypass the NVA.
Creating a Route Table
You can create a route table using the Azure portal, Azure CLI, or Azure PowerShell.
Azure Portal Steps:
- In the Azure portal, search for and select "Route tables".
- Click "Create".
- Provide a name, subscription, resource group, and region, and decide whether "Propagate gateway routes" should stay enabled (set it to No for a subnet whose traffic must go through an NVA, so BGP-learned on-premises routes cannot bypass it).
- Click "Review + create", then "Create".
Adding Routes to a Route Table
Once a route table is created, you can add routes to it:
- Navigate to your created route table.
- Under "Settings", click "Routes".
- Click "+ Add".
- Enter a route name, the destination address prefix (CIDR block), the next hop type (Virtual appliance, Virtual network gateway, Virtual network, Internet, or None), and, for Virtual appliance only, the next hop address: the private IP of the NVA's network interface, or the front-end IP of an internal load balancer placed in front of several NVAs.
- Click "Add".
Associating a Route Table with a Subnet
To apply the routes in your route table, you need to associate it with a subnet. A subnet can have only one route table, and a route table can be associated with several subnets in the same region. Do not associate a route table that sends 0.0.0.0/0 to an NVA with the NVA's own subnet, or the appliance's egress is routed back to itself.
- Navigate to your created route table.
- Under "Settings", click "Subnets".
- Click "+ Associate".
- Select the virtual network and the subnet you want to associate.
- Click "OK".
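The three procedures above as a single Azure CLI script, added here as an example; it is not from the original page or from Microsoft's own samples. It assumes a resource group, VNet, subnet and an NVA NIC already exist under the hypothetical names set at the top (override them through the environment) and builds the common forced-tunnel layout: everything leaving the workload subnet goes to the NVA, one prefix is blackholed, and BGP-learned on-premises routes are kept out of the subnet so they cannot bypass the appliance. Setting DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original page). Requires a logged-in Azure CLI
# unless DRY_RUN=1. All resource names below are hypothetical placeholders.
set -eu

RG="${RG:-rg-hub-net}"                               # existing resource group
LOCATION="${LOCATION:-eastus}"
VNET="${VNET:-vnet-hub}"                             # existing VNet
SUBNET="${SUBNET:-snet-workload}"                    # subnet whose egress we steer
RT="${RT:-rt-workload-forced}"                       # route table this script creates
NVA_NIC="${NVA_NIC:-nic-fw-nva}"                     # the appliance's NIC (existing)
NVA_IP="${NVA_IP:-10.0.1.4}"                         # private IP of that NIC, or an internal LB front end
BLOCKED_PREFIX="${BLOCKED_PREFIX:-10.255.0.0/16}"    # must never be reachable from this subnet

# Execute a command, or only print it when DRY_RUN=1 so the plan can be reviewed first.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: the route table. "Propagate gateway routes" is switched off so that
# BGP routes learned by a VPN/ExpressRoute gateway are not injected into this
# subnet; otherwise on-premises prefixes would bypass the NVA.
create_route_table() {
  run az network route-table create \
    --resource-group "$RG" --location "$LOCATION" --name "$RT" \
    --disable-bgp-route-propagation true
}

# Step 2: routes. 0.0.0.0/0 -> NVA overrides the system Internet route (a UDR
# wins over a system route of equal prefix length); the None route drops the
# blocked prefix before it even reaches the NVA.
add_routes() {
  run az network route-table route create \
    --resource-group "$RG" --route-table-name "$RT" --name default-to-nva \
    --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance \
    --next-hop-ip-address "$NVA_IP"
  run az network route-table route create \
    --resource-group "$RG" --route-table-name "$RT" --name blackhole-mgmt \
    --address-prefix "$BLOCKED_PREFIX" --next-hop-type None
}

# Step 3: without IP forwarding on the NVA's NIC, Azure drops packets whose
# destination is not that NIC's own address, so the route silently blackholes.
enable_ip_forwarding() {
  run az network nic update --resource-group "$RG" --name "$NVA_NIC" --ip-forwarding true
}

# Step 4: association. Routes take effect only for traffic leaving SUBNET.
# Never associate this table with the NVA's own subnet: its egress would be
# routed straight back to itself.
associate_subnet() {
  run az network vnet subnet update \
    --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" --route-table "$RT"
}

deploy_forced_tunnel() {
  create_route_table
  add_routes
  enable_ip_forwarding
  associate_subnet
}

# Sourcing the file only defines the functions; pass "apply" to run them.
if [ "${1:-}" = "apply" ]; then
  deploy_forced_tunnel
fi
```

Run `DRY_RUN=1 sh forced-tunnel.sh apply` first to read the exact commands, then without DRY_RUN to apply them. The NVA itself still needs to be configured to forward and, if it does source NAT for internet-bound traffic, to allow the return path; the route table only delivers packets to it.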
Next Hop Types
The next hop type specifies where Azure delivers traffic that matches the route's prefix:
| Next Hop Type | Description |
|---|---|
| Virtual appliance | Traffic is delivered to a network virtual appliance (NVA) such as a firewall. You specify the private IP of the NVA's network interface, or the front-end IP of an internal load balancer that fronts several NVAs. IP forwarding must be enabled on the NVA's NIC; without it Azure drops packets whose destination is not the NIC's own address. |
| Internet | Traffic is routed to the public internet (this is also the system default for 0.0.0.0/0). |
| Virtual network gateway | Traffic is routed to a VPN Gateway for on-premises connectivity. An ExpressRoute gateway cannot be named as the next hop of a UDR; custom routing over ExpressRoute is done with BGP. |
| None | Traffic is dropped. Use this to blackhole a prefix from a specific subnet, for example a range that application subnets must never reach. Azure's own None routes for the private ranges work the same way. |
| Virtual network (VnetLocal in the CLI and API) | Traffic stays inside the virtual network. This is the system default for the VNet's own prefixes; as a UDR it keeps a prefix local when a broader user-defined route would otherwise send it elsewhere. |
Route Propagation
When a VPN Gateway or ExpressRoute gateway learns on-premises prefixes over BGP, Azure propagates those routes into every subnet of the VNet automatically, so on-premises networks become reachable without any manual route entries. Each route table has a "Propagate gateway routes" setting (`--disable-bgp-route-propagation` in the Azure CLI) that controls this per subnet. Turn it off on the route table of a subnet whose traffic must pass through an NVA; otherwise a propagated on-premises prefix is more specific than your 0.0.0.0/0 route to the NVA and traffic to on-premises bypasses inspection. Leave it enabled on the gateway subnet.
Troubleshooting Routing Issues
Start with the Effective routes view of a NIC (Networking settings of the VM, or `az network nic show-effective-route-table`): it lists the merged result of system, BGP and user-defined routes for that NIC with the source of each, which is where a propagated route or a forgotten association shows up. Then use the Next hop tool in Azure Network Watcher to see which route wins for a specific destination and where the packet is sent. IP Flow Verify evaluates the NSG rules for a flow, not the routes, so a flow can pass IP Flow Verify and still be dropped by a None route; Connection Troubleshoot tests the whole path end to end. The VM must be running for these checks.
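The same checks from the Azure CLI, as an added example that is not part of the original page; it assumes a running VM with the hypothetical names set at the top. The order matters: effective routes show what Azure applies after system, BGP and user-defined routes are merged, Next hop reports which route won for one destination, and IP Flow Verify only evaluates NSG rules for that flow, so run it together with the next-hop check rather than instead of it. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original page). Needs a logged-in Azure CLI and a
# running VM unless DRY_RUN=1. Names are hypothetical placeholders.
set -eu

RG="${RG:-rg-hub-net}"
VM="${VM:-vm-workload-01}"           # VM in the subnet that has the route table
VM_NIC="${VM_NIC:-nic-workload-01}"  # that VM's primary NIC
SRC_IP="${SRC_IP:-10.0.2.4}"         # private IP of VM_NIC
DST_IP="${DST_IP:-192.168.10.20}"    # on-premises host we expect to reach via the NVA

# Execute a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# What Azure actually applies on the NIC: system, BGP and user-defined routes
# merged, with the source of each. A BGP prefix you expected but do not see here
# means gateway route propagation is disabled on the subnet's route table.
show_effective_routes() {
  run az network nic show-effective-route-table \
    --resource-group "$RG" --name "$VM_NIC" --output table
}

# Which route wins for one destination (longest prefix, then UDR > BGP > system)
# and the next hop IP. A next hop type of "None" means a blackhole route matched.
check_next_hop() {
  run az network watcher show-next-hop \
    --resource-group "$RG" --vm "$VM" --nic "$VM_NIC" \
    --source-ip "$SRC_IP" --dest-ip "$DST_IP"
}

# NSG evaluation only: reports allow/deny and the matching rule for this flow.
# It does not consult route tables, so it cannot tell you the packet was dropped
# by a None route or sent to an NVA.
verify_ip_flow() {
  run az network watcher test-ip-flow \
    --resource-group "$RG" --vm "$VM" --nic "$VM_NIC" \
    --direction Outbound --protocol TCP \
    --local "$SRC_IP:*" --remote "$DST_IP:443"
}

diagnose_path() {
  show_effective_routes
  check_next_hop
  verify_ip_flow
}

# Sourcing the file only defines the functions; pass "run" to execute them.
if [ "${1:-}" = "run" ]; then
  diagnose_path
fi
```

If the next-hop check returns the NVA's IP but the connection still fails, the problem is inside or behind the appliance (IP forwarding on its NIC, its own rules, or the return route), not in the route table.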
Best Practices
- Keep each route table focused on one routing intent (for example "workload subnets, forced through the hub firewall") and reuse it across the subnets that share that intent instead of maintaining near-duplicates.
- Use descriptive names for routes and route tables that state the intent ("default-to-hub-fw", "blackhole-mgmt") rather than the prefix alone.
- Remember that routes steer and NSGs filter: a None route drops traffic, but a route to the internet or to an NVA does not by itself permit anything. Pair every forced-tunnel route table with NSG rules and with the appliance's own policy.
- Never attach a route table whose default route points at an NVA to that NVA's own subnet, and keep IP forwarding enabled on the NVA's NIC.
- Review effective routes on a NIC after every change, and restrict who can write route tables (the Network Contributor role is enough): a single route change can silently redirect a subnet's traffic to a different next hop, so treat route tables as code and deploy them through reviewed infrastructure-as-code.
- Leverage NVAs for advanced security and traffic management where inspection is required, and disable gateway route propagation on the subnets behind them.