MSDN Documentation

User-Defined Routes (UDRs) in Azure Networking

Last Updated: October 26, 2023

Note: User-Defined Routes (UDRs) allow you to override Azure's default system routes and specify custom routing tables to control traffic flow within your Azure Virtual Network (VNet) and to and from on-premises networks.

Introduction

In Azure, network traffic routing is handled by the system routes by default. However, in many scenarios, you need more control over how traffic flows. User-Defined Routes (UDRs) provide this control by enabling you to define custom routes for your subnet or gateway. This is particularly useful for implementing network virtual appliances (NVAs) like firewalls, intrusion detection systems (IDS), or network monitoring solutions.

Key Concepts

How UDRs Work

When traffic leaves a virtual machine (VM) in a subnet, Azure looks up the destination IP address in the subnet's effective route table, which merges the system routes, any routes learned via BGP through a virtual network gateway, and the UDRs in the route table associated with the subnet. Selection is by longest prefix match: the route with the most specific matching prefix wins regardless of where it came from. Only when several routes share the same prefix does Azure prefer a UDR over a BGP route, and a BGP route over a system route. Because system routes cannot be deleted, a UDR overrides one by matching the same prefix (for example 0.0.0.0/0) or a more specific one. Understanding this order is crucial, since a more specific system or BGP route silently wins over a broader UDR.

Creating and Managing UDRs

UDRs can be managed through the Azure portal, Azure PowerShell, or Azure CLI.

Using Azure Portal

  1. In the Azure portal search bar, search for "Route tables" and click "+ Create". Choose the subscription, resource group, region, and a name, and decide whether the table should propagate gateway (BGP) routes.
  2. Open the new route table and, under "Settings", select "Routes", then click "+ Add".
  3. Enter a name for the route, the destination address prefix, the next hop type, and the next hop IP address (required when the next hop type is "Virtual appliance").
  4. Associate the route table with your subnet:
    • Under the route table's "Settings", select "Subnets" and click "+ Associate", then pick the virtual network and subnet; or
    • Navigate to your Virtual Network, select "Subnets" under "Settings", click the subnet you want to configure, and choose the route table under "Route table".

Using Azure CLI

The following commands demonstrate how to create a route table, add a route, and associate it with a subnet:

# Create a route table
az network route-table create --resource-group MyResourceGroup --name MyRouteTable

# Add a route to the route table
az network route-table route create --resource-group MyResourceGroup --route-table-name MyRouteTable --name RouteToNVA --next-hop-type VirtualAppliance --next-hop-ip-address 10.0.1.4 --address-prefix 192.168.10.0/24

# Associate the route table with a subnet
az network vnet subnet update --resource-group MyResourceGroup --vnet-name MyVNet --name MySubnet --route-table MyRouteTable

Common Scenarios for UDRs

1. Network Virtual Appliances (NVAs)

This is the most common use case for UDRs. You can force all or specific traffic from your subnets to go through an NVA (e.g., firewall) for inspection and policy enforcement before reaching its destination.

Tip: When routing traffic to an NVA, enable IP forwarding on the NVA's network interface in Azure and in its guest OS, and configure the NVA to forward the traffic to its intended destination; otherwise Azure or the NVA drops it. Do not associate a route table that sends 0.0.0.0/0 to the NVA with the NVA's own subnet, or the NVA's outbound traffic is routed back to itself.

2. Internet Traffic Filtering

A UDR for 0.0.0.0/0 with next hop type "Virtual appliance" sends all Internet-bound traffic from the subnet to a firewall or proxy NVA for filtering and logging, overriding the system default route whose next hop is the Internet.

3. On-Premises Connectivity

If you have a hybrid cloud setup, UDRs can direct traffic destined for your on-premises address ranges to the virtual network gateway (next hop type "Virtual network gateway") that fronts your VPN connection or ExpressRoute circuit, or through an NVA first if that traffic must be inspected as well.

Route Propagation and BGP

When using Azure VPN Gateway or ExpressRoute with BGP (Border Gateway Protocol), routes learned via BGP are automatically propagated to the route tables associated with your subnets. A UDR overrides a propagated route with the same prefix, but a propagated route that is more specific than the UDR takes precedence over it. If that is not what you want (for example when all traffic must pass through an NVA), disable gateway route propagation on the route table (the "Propagate gateway routes" setting in the portal, or --disable-bgp-route-propagation true with az network route-table create or update) so that BGP routes are not installed in the subnet's effective route table.

Route Prioritization

Azure selects the route for a given destination IP address by longest prefix match across all routes in the subnet's effective route table: a route for 10.1.0.0/16 is preferred over a route for 10.0.0.0/8 whether either came from a UDR, from BGP, or from the system routes. Only when multiple routes share the same prefix does Azure apply the following order of preference:

  1. User-defined routes
  2. BGP routes
  3. System routes

Two consequences matter when UDRs are used for security. A UDR for 0.0.0.0/0 pointing at an NVA overrides the system 0.0.0.0/0 route to the Internet, but not the more specific system route for the VNet's own address space, so traffic between subnets still bypasses the NVA unless you add UDRs for those prefixes too. Likewise a BGP-learned route that is more specific than your UDR wins over it; to keep on-premises-bound traffic on the NVA, disable gateway route propagation on the route table.
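The following Python script is an added example, not part of this documentation or of Azure's tooling: it simulates the selection rule described in "How UDRs Work" and in this section (longest prefix match first, then User > VirtualNetworkGateway > Default on equal prefixes, the source names shown by az network nic show-effective-route-table) against a constructed effective route table for a workload subnet in a 10.0.0.0/16 VNet. The addresses, the NVA at 10.0.1.4, and the blackholed 10.0.99.0/24 prefix are assumptions chosen for illustration. It shows which destinations are actually forced through the NVA by a 0.0.0.0/0 UDR, which bypass it via a more specific system or BGP route, and what changes when gateway route propagation is disabled.

```python
"""Added example: simulate how Azure picks the effective route for a packet.

Rule: longest prefix match across all routes first; if several routes share the
same prefix, prefer User (UDR) over VirtualNetworkGateway (BGP) over Default
(system). The route table below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Route sources as named by `az network nic show-effective-route-table`.
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


@dataclass(frozen=True)
class Route:
    prefix: str                 # destination CIDR
    next_hop_type: str          # VnetLocal, Internet, VirtualNetworkGateway, VirtualAppliance, None
    next_hop_ip: Optional[str]  # only meaningful for VirtualAppliance
    source: str                 # User, VirtualNetworkGateway, or Default


def select_route(routes, dest_ip):
    """Return the effective route for dest_ip, or None if nothing matches."""
    dest = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes if dest in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    # Longer prefix first; on equal prefix length, the preferred source wins.
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                              SOURCE_RANK[r.source]))


def describe(routes, dest_ip):
    """Summarise what happens to a packet and which route decided it."""
    r = select_route(routes, dest_ip)
    if r is None or r.next_hop_type == "None":
        return "dropped"
    if r.next_hop_type == "VirtualAppliance":
        return f"inspected by NVA {r.next_hop_ip} ({r.source} route {r.prefix})"
    return f"bypasses NVA: {r.next_hop_type} ({r.source} route {r.prefix})"


def without_gateway_routes(routes):
    """Model 'Propagate gateway routes = No' on the route table: BGP-learned
    routes are no longer installed in the subnet's effective route table."""
    return [r for r in routes if r.source != "VirtualNetworkGateway"]


# Constructed effective route table for a workload subnet in VNet 10.0.0.0/16.
ROUTES = [
    # System (Default) routes Azure installs automatically.
    Route("10.0.0.0/16", "VnetLocal", None, "Default"),
    Route("0.0.0.0/0", "Internet", None, "Default"),
    # Routes learned over BGP from on-premises through the VPN/ExpressRoute gateway.
    Route("192.168.0.0/16", "VirtualNetworkGateway", None, "VirtualNetworkGateway"),
    Route("192.168.10.0/24", "VirtualNetworkGateway", None, "VirtualNetworkGateway"),
    # User-defined routes: force default traffic through the firewall NVA (assumed 10.0.1.4).
    Route("0.0.0.0/0", "VirtualAppliance", "10.0.1.4", "User"),
    Route("192.168.10.0/24", "VirtualAppliance", "10.0.1.4", "User"),
    # Blackhole a prefix nothing in this subnet should ever talk to (assumed).
    Route("10.0.99.0/24", "None", None, "User"),
]

if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.0.2.5", "192.168.10.7", "192.168.20.7", "10.0.99.9"):
        print(f"{dst:15} -> {describe(ROUTES, dst)}")
    print("--- with gateway route propagation disabled ---")
    print(f"{'192.168.20.7':15} -> {describe(without_gateway_routes(ROUTES), '192.168.20.7')}")
```

Running it shows that Internet-bound traffic (8.8.8.8) hits the NVA because the UDR beats the system default route on an equal /0 prefix, whereas traffic to another subnet in the VNet (10.0.2.5) and to an on-premises range only learned via BGP (192.168.20.7) bypasses the NVA on a longer prefix; only after dropping the gateway-propagated routes does 192.168.20.7 fall through to the 0.0.0.0/0 UDR. Compare the simulated table against the real one with az network nic show-effective-route-table before relying on a UDR for enforcement.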

Troubleshooting UDRs

If you are experiencing connectivity issues, consider the following:

Important: Incorrectly configured UDRs can lead to network outages. Always test your routing changes in a non-production environment before implementing them in production.

Conclusion

User-Defined Routes are a powerful tool for customizing network traffic flow in Azure. By understanding their concepts and management, you can effectively implement advanced networking architectures, including those involving network security appliances and hybrid connectivity.