MSDN Documentation

Microsoft Developer Network

User-Defined Routes (UDRs) in Azure

User-defined routes allow you to override Azure's default system routes. By defining custom route tables, you can control how network traffic flows within your virtual networks and to and from your on-premises networks.

What are User-Defined Routes?

Every virtual network in Azure has a system default route table that dictates traffic flow. When you need more control over routing, such as forcing traffic through a Network Virtual Appliance (NVA) for inspection or filtering, you can create and associate user-defined route tables with subnets.

Key Concepts

  • Route Table: A collection of routes that you create. You associate a route table with one or more subnets.
  • Route: A single rule within a route table that specifies the destination prefix and the next hop for traffic matching that prefix.
  • Next Hop: Where traffic matching the route is sent. This can be a virtual appliance (identified by its private IP address), the Internet, a virtual network gateway, or the virtual network itself.
  • Destination Prefix: The IP address range in CIDR notation that the route applies to.

Use Cases

UDRs are crucial for several networking scenarios:

  • Network Virtual Appliances (NVAs): Route traffic through firewalls, intrusion detection/prevention systems, or WAN optimizers deployed as NVAs.
  • Forced Tunneling: Redirect all Internet-bound traffic from subnets to an on-premises network or an NVA for inspection before it reaches the internet.
  • Custom Routing Logic: Implement specific routing requirements that differ from Azure's default behavior.

Best Practice: Always associate a route table with a subnet. If you don't associate a route table, the subnet will use the VNet's default system routes.

Creating and Managing UDRs

You can manage user-defined routes using the Azure portal, Azure PowerShell, or Azure CLI.

Example: Forcing Traffic Through a Firewall NVA

Imagine you have a subnet for your web servers and you want all outbound traffic from this subnet to go through a firewall NVA before reaching the internet.

  1. Deploy an NVA: Deploy a firewall NVA (e.g., Azure Firewall, or a third-party appliance) into your virtual network. Note its private IP address.
  2. Create a Route Table: Create a new route table.
  3. Add a Route: Add a route to the route table with the destination prefix 0.0.0.0/0 (the default route, which matches any destination not covered by a more specific route, so in practice all internet-bound traffic) and set the next hop type to virtual appliance with the NVA's private IP address as the next hop.
  4. Associate Route Table: Associate the route table with the subnet containing your web servers.

This configuration ensures that all traffic originating from the web server subnet destined for the internet will be routed to the firewall NVA for inspection.

Azure CLI Example

# Create a route table
az network route-table create --resource-group myResourceGroup --name myRouteTable

# Add a route for internet traffic to point to a firewall NVA
az network route-table route create --resource-group myResourceGroup --route-table-name myRouteTable --name RouteToFirewall --next-hop-type VirtualAppliance --next-hop-ip-address 10.0.1.4 --address-prefix 0.0.0.0/0

# Associate the route table with a subnet
az network vnet subnet update --resource-group myResourceGroup --vnet-name myVNet --name mySubnet --route-table myRouteTable

Important: When you associate a route table with a subnet, the UDRs take precedence over the system routes. Make sure your UDRs are correctly configured to avoid network connectivity issues.

Route Propagation

Routes are propagated from various sources:

  • System Routes: Azure's default routes.
  • User-Defined Routes: Routes you define in route tables.
  • BGP Routes: Routes learned from your on-premises network via VPN Gateway or ExpressRoute.

Azure applies a specific order of operations when determining the best route for a packet.
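The forced-tunneling walkthrough above (a 0.0.0.0/0 route pointing at the NVA) and the list of route sources both depend on how Azure picks one route when several match a packet. The Python below is an added illustration, not Microsoft's code or an Azure API: it models that selection over a constructed route table and shows why the 0.0.0.0/0 UDR captures internet-bound traffic without hijacking traffic inside the VNet. It assumes Azure's documented rule that the longest matching prefix wins and that, among routes with the same prefix, user-defined routes beat BGP routes, which beat system routes. The NVA address 10.0.1.4 comes from the CLI example; the VNet range 10.0.0.0/16 and the on-premises BGP prefix 192.168.0.0/16 are constructed sample values.

```python
"""Model of Azure effective-route selection (added example, not Azure code).

Assumed rule (per Azure's documentation): longest prefix match first; on a
tie, source priority is User-defined > BGP > System.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lower number wins when two routes have the same prefix length.
SOURCE_PRIORITY = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str            # destination prefix in CIDR notation
    next_hop_type: str     # VirtualNetwork, Internet, VirtualAppliance, VirtualNetworkGateway
    next_hop_ip: Optional[str]  # only meaningful for VirtualAppliance
    source: str            # "System", "User" or "BGP"

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix, strict=False)


# Constructed sample data: the default system routes Azure creates for a VNet
# whose address space is 10.0.0.0/16.
SYSTEM_ROUTES: List[Route] = [
    Route("10.0.0.0/16", "VirtualNetwork", None, "System"),
    Route("0.0.0.0/0", "Internet", None, "System"),
]

# The UDR from the CLI example (next hop = firewall NVA at 10.0.1.4) plus a
# constructed on-premises prefix learned over BGP via a VPN/ExpressRoute gateway.
SAMPLE_ROUTES: List[Route] = SYSTEM_ROUTES + [
    Route("0.0.0.0/0", "VirtualAppliance", "10.0.1.4", "User"),
    Route("192.168.0.0/16", "VirtualNetworkGateway", None, "BGP"),
]


def select_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Return the route Azure would use for `destination`, or None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    # Longest prefix wins; among equal prefixes the higher-priority source wins.
    return max(
        candidates,
        key=lambda r: (r.network.prefixlen, -SOURCE_PRIORITY[r.source]),
    )


def effective_next_hop(routes: List[Route], destination: str) -> Tuple[str, Optional[str]]:
    """(next_hop_type, next_hop_ip) for a destination; ('None', None) means dropped."""
    route = select_route(routes, destination)
    if route is None:
        return ("None", None)
    return (route.next_hop_type, route.next_hop_ip)


if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.0.2.7", "192.168.5.5"):
        print(f"{dst:>14} -> {effective_next_hop(SAMPLE_ROUTES, dst)}")
    print("without the UDR, 8.8.8.8 ->", effective_next_hop(SYSTEM_ROUTES, "8.8.8.8"))
```

Running it shows the three behaviours a practitioner should confirm after associating the table: an internet destination goes to the NVA because the UDR outranks the system 0.0.0.0/0 route at equal prefix length; a destination inside 10.0.0.0/16 still uses the VirtualNetwork route because /16 is more specific than /0; and the BGP-learned /16 likewise stays on the gateway rather than being pulled through the firewall. In a real subscription the same check is made by reading the effective routes of a NIC in the subnet, which is the quickest way to spot a UDR that silently detours traffic you did not intend to inspect.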

Conclusion

User-defined routes are a powerful feature for gaining granular control over network traffic flow in Azure. By understanding and implementing UDRs effectively, you can enhance security, optimize performance, and meet complex networking requirements.