Virtual Networks Routes Overview
This document provides a comprehensive overview of route tables and their role in defining traffic flow within Azure Virtual Networks.
Understanding Route Tables
Route tables in Azure Virtual Networks (VNet) allow you to override the default system routes. By default, Azure automatically creates routes for subnets within a VNet. However, for more complex network topologies and traffic control, you can create custom route tables.
Key Concepts
- Route Table: A collection of routes that determine how network traffic is directed.
- Route: A rule that specifies how to route traffic destined for a particular IP address prefix.
- Next Hop: The destination where the traffic is sent next, based on a route.
How Route Tables Work
When a virtual machine (VM) or other resource within a subnet sends network traffic, Azure checks the associated route table for a matching route. If a match is found, Azure forwards the traffic to the specified next hop. If no custom route matches, Azure uses its default system routes.
Next Hop Types
The following are common next hop types you can define in a route:
- Virtual Appliance: Traffic is sent to a network virtual appliance (NVA) such as a firewall or intrusion detection system.
- Virtual Network Gateway: Traffic is sent to an Azure Virtual Network Gateway, typically for VPN or ExpressRoute connectivity.
- Internet: Traffic is sent directly to the internet.
- None: Traffic is dropped. This is often used for security purposes.
- Virtual Network: Traffic is sent to another subnet within the same VNet (default behavior).
Creating and Managing Route Tables
Route tables can be created and managed through the Azure portal, Azure PowerShell, or Azure CLI. When you create a route table, you associate it with one or more subnets.
Steps to Create a Route Table (Azure Portal)
- Navigate to the Azure portal.
- Search for "Route Tables" and select it.
- Click "Create".
- Fill in the required details: Subscription, Resource Group, Name, Region.
- Click "Review + create" and then "Create".
- Once created, select the route table and go to "Routes" to add custom routes.
- Go to "Subnets" to associate the route table with your desired subnets.
Use Cases for Custom Routes
Custom routes are essential for implementing various network architectures:
- Network Virtual Appliances (NVAs): Forcing all traffic through a firewall or other security appliance.
- Hub-and-Spoke Topologies: Directing traffic between spokes and the hub network.
- ExpressRoute/VPN Gateways: Ensuring on-premises traffic is routed correctly.
- Traffic Inspection: Redirecting traffic to monitoring or logging services.
Important Note on Route Propagation
Routes learned from BGP (Border Gateway Protocol) via VPN Gateway or ExpressRoute are automatically propagated to the subnets associated with the route table. Custom routes you define take precedence over system routes but are generally overridden by BGP routes unless specifically configured otherwise.
Route Table Limitations
- A VNet can have multiple route tables associated with its subnets.
- Each subnet can only be associated with one route table.
- Routes are selected by longest prefix match: the route whose address prefix most specifically matches the destination wins.
- Maximum of 400 custom routes per route table.
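The limitations above, together with the note on BGP propagation, are the kind of thing worth checking before a route table is applied to a subnet. The following is an added example (not an Azure tool or this document's own code) that runs a few such checks over route table definitions in the camelCase shape Azure returns for the resource (`name`, `routes[].addressPrefix`, `routes[].nextHopType`, `routes[].nextHopIpAddress`, `subnets[].id`, `disableBgpRoutePropagation`); those field names are assumed here, and the sample tables and subnet ids are constructed.

```python
"""Pre-deployment checks for route table definitions.

Added example, not Azure's own tooling. Assumes the camelCase field names
Azure returns for a route table resource; sample data below is constructed.
"""
from collections import defaultdict
from ipaddress import ip_network

MAX_ROUTES_PER_TABLE = 400
NEXT_HOP_TYPES = {"VirtualAppliance", "VirtualNetworkGateway", "Internet", "None", "VirtualNetwork"}


def check_route_table(table):
    """Return a list of problem descriptions for one route table definition."""
    name = table.get("name", "<unnamed>")
    routes = table.get("routes", [])
    problems = []

    if len(routes) > MAX_ROUTES_PER_TABLE:
        problems.append(f"{name}: {len(routes)} routes exceeds the {MAX_ROUTES_PER_TABLE}-route limit")

    seen_prefixes = set()
    for r in routes:
        rname, prefix, hop = r.get("name"), r.get("addressPrefix"), r.get("nextHopType")
        try:
            net = ip_network(prefix, strict=False)
        except ValueError:
            problems.append(f"{name}/{rname}: invalid address prefix {prefix!r}")
            continue
        if str(net) in seen_prefixes:
            problems.append(f"{name}/{rname}: duplicate prefix {net}")
        seen_prefixes.add(str(net))
        if hop not in NEXT_HOP_TYPES:
            problems.append(f"{name}/{rname}: unknown next hop type {hop!r}")
        # A Virtual Appliance route needs the NVA's IP address; other types take none.
        if hop == "VirtualAppliance" and not r.get("nextHopIpAddress"):
            problems.append(f"{name}/{rname}: VirtualAppliance route has no nextHopIpAddress")
        if hop != "VirtualAppliance" and r.get("nextHopIpAddress"):
            problems.append(f"{name}/{rname}: nextHopIpAddress is only used with VirtualAppliance")

    # Force-tunnel pattern: default route to an NVA. With BGP propagation still
    # enabled, learned routes may change what actually reaches the NVA, so flag it.
    default_to_nva = any(
        r.get("addressPrefix") == "0.0.0.0/0" and r.get("nextHopType") == "VirtualAppliance"
        for r in routes
    )
    if default_to_nva and not table.get("disableBgpRoutePropagation", False):
        problems.append(f"{name}: default route to NVA with BGP propagation enabled; review whether learned routes should bypass the NVA")
    return problems


def check_subnet_associations(tables):
    """Each subnet may be associated with only one route table; report any that appear in several."""
    owners = defaultdict(list)
    for t in tables:
        for s in t.get("subnets", []):
            owners[s["id"]].append(t.get("name"))
    return [f"subnet {sid} is associated with multiple route tables: {names}"
            for sid, names in owners.items() if len(names) > 1]


# Constructed sample: one table with two defects, one clean table, and a subnet
# that is (wrongly) listed under both.
SAMPLE_TABLES = [
    {
        "name": "rt-app",
        "disableBgpRoutePropagation": False,
        "routes": [
            {"name": "default-to-nva", "addressPrefix": "0.0.0.0/0",
             "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"},
            {"name": "to-onprem", "addressPrefix": "192.168.0.0/16", "nextHopType": "VirtualNetworkGateway"},
            {"name": "bad-nva", "addressPrefix": "172.16.0.0/12", "nextHopType": "VirtualAppliance"},
        ],
        "subnets": [{"id": "vnet-prod/subnets/app"}],
    },
    {
        "name": "rt-db",
        "disableBgpRoutePropagation": True,
        "routes": [{"name": "drop-internet", "addressPrefix": "0.0.0.0/0", "nextHopType": "None"}],
        "subnets": [{"id": "vnet-prod/subnets/app"}],
    },
]

if __name__ == "__main__":
    for t in SAMPLE_TABLES:
        for p in check_route_table(t):
            print(p)
    for p in check_subnet_associations(SAMPLE_TABLES):
        print(p)
```

Run against the constructed sample, the checks report the Virtual Appliance route with no next hop address, the default-to-NVA route in a table that still accepts BGP routes, and the subnet listed under two tables; the `rt-db` table, which simply drops all non-VNet traffic with a `None` route, passes clean.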
Example: Forcing Traffic Through a Firewall
Consider a scenario where you want to inspect all inbound and outbound traffic from a specific subnet. You can achieve this by:
- Deploying a Network Virtual Appliance (NVA) like an Azure Firewall or a third-party firewall.
- Creating a route table.
- Adding a route with the address prefix 0.0.0.0/0 (representing all internet traffic).
- Setting the next hop to the NVA.
- Associating this route table with the subnet containing your resources.
This ensures that all traffic originating from or destined for that subnet is first routed to the NVA for inspection before being sent to its final destination.
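To make the route-selection behaviour concrete (custom routes checked alongside system routes, longest prefix match, and the firewall example above), here is an added example that models it in a few lines of Python. It is a simplified model written for this page, not Azure's implementation; the VNet address space 10.0.0.0/16, the NVA address 10.0.1.4 and the blocked prefix 10.0.9.0/24 are constructed values.

```python
"""Model of route selection for an Azure subnet: longest-prefix match over the
union of system routes and a custom (user-defined) route table.

Added example; simplified model, not Azure's implementation. All addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    name: str
    address_prefix: str               # CIDR, e.g. "0.0.0.0/0"
    next_hop_type: str                # VirtualAppliance, VirtualNetworkGateway, Internet, None, VirtualNetwork
    next_hop_ip: Optional[str] = None  # only meaningful for VirtualAppliance


# System routes Azure creates for a VNet with address space 10.0.0.0/16 (constructed).
SYSTEM_ROUTES = [
    Route("system-vnet", "10.0.0.0/16", "VirtualNetwork"),
    Route("system-internet", "0.0.0.0/0", "Internet"),
]

# Custom route table from the firewall example: send everything to the NVA at
# 10.0.1.4 (constructed), and drop traffic to a prefix that must stay unreachable.
CUSTOM_ROUTES = [
    Route("default-to-nva", "0.0.0.0/0", "VirtualAppliance", "10.0.1.4"),
    Route("block-legacy-net", "10.0.9.0/24", "None"),
]


def select_route(dest, system_routes, custom_routes):
    """Return the winning route for `dest`: longest prefix match, and for an
    equal prefix length the custom route beats the system route."""
    dst = ip_address(dest)
    best, best_key = None, None
    for source_rank, routes in ((1, custom_routes), (0, system_routes)):
        for r in routes:
            net = ip_network(r.address_prefix, strict=False)
            if dst in net:
                key = (net.prefixlen, source_rank)
                if best_key is None or key > best_key:
                    best, best_key = r, key
    return best


def next_hop(dest, system_routes=SYSTEM_ROUTES, custom_routes=CUSTOM_ROUTES):
    """Where traffic to `dest` goes, as (next_hop_type, next_hop_ip)."""
    r = select_route(dest, system_routes, custom_routes)
    if r is None:
        return ("None", None)  # nothing matched: treat as dropped
    return (r.next_hop_type, r.next_hop_ip)


if __name__ == "__main__":
    for dest in ("8.8.8.8", "10.0.2.5", "10.0.9.7"):
        print(dest, "->", next_hop(dest))
    print("8.8.8.8 with no custom table ->", next_hop("8.8.8.8", custom_routes=[]))
```

Two things the model makes visible: the custom 0.0.0.0/0 route replaces the system route to the internet for the same prefix, so traffic to 8.8.8.8 now goes to the NVA; but traffic to another address inside the VNet still matches the more specific system VNet route (10.0.0.0/16) and stays local, so a single default route does not by itself send intra-VNet traffic through the appliance.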
Next Hop Types Summary
| Type | Description |
|---|---|
| Virtual Appliance | Traffic is sent to an IP address of a network virtual appliance in the VNet. |
| Virtual Network Gateway | Traffic is sent to a Virtual Network Gateway for VPN or ExpressRoute. |
| Internet | Traffic is routed to the internet. |
| None | Traffic is dropped. |
| Virtual Network | Traffic is routed to another subnet within the same VNet. |
Performance Considerations
While route tables offer flexibility, be mindful of the performance impact when routing traffic through NVAs. Ensure your NVAs are sized appropriately to handle the expected network load.