Managing Routes in Virtual Networks
Routing decides where traffic leaving a subnet goes: to another subnet, to the internet, to an on-premises network, or through an inspection device. This article explains how to manage user-defined routes (UDRs) to control that flow, including how to force a subnet's traffic through a network virtual appliance.
What are Routes?
By default, Azure installs system routes in every subnet that define how traffic is directed (for example, the virtual network's own address space to VirtualNetwork and 0.0.0.0/0 to Internet). You can override these system routes with user-defined routes (UDRs) to customize routing behavior. Azure selects the effective route by longest prefix match; when a UDR and a system route share the same prefix, the UDR takes precedence (user-defined routes win over BGP-learned routes, which win over system routes). UDRs let you force traffic through specific network appliances, blackhole traffic to a range, or define custom paths for outbound internet access.
Key Concepts
- Route Table: A collection of routes that you can associate with one or more subnets in a virtual network. A route table can serve many subnets, but each subnet can be associated with at most one route table.
- Route: An entry within a route table that specifies a destination prefix and the next hop for traffic matching that prefix.
- Next Hop Type: Defines where the traffic is directed. Common types include:
  - VirtualAppliance: Directs traffic to a network virtual appliance (NVA) identified by its private IP address. The NVA's network interface must have IP forwarding enabled, or the platform will drop packets that are not addressed to the NVA itself.
  - Internet: Directs traffic to the internet through Azure's default egress.
  - VirtualNetworkGateway: Directs traffic to the virtual network's VPN or ExpressRoute gateway.
  - None: Drops traffic matching the prefix (blackholing).
- Destination Prefix: The IP address range in CIDR notation that the route applies to.
Creating a Route Table
You can create a route table using the Azure portal, Azure CLI, or Azure PowerShell.
Using Azure CLI:
az network route-table create \
--resource-group myResourceGroup \
--name myRouteTable
Adding Routes to a Route Table
Once a route table is created, you can add individual routes to it.
Example: Forcing traffic through a Network Virtual Appliance (NVA):
az network route-table route create \
--resource-group myResourceGroup \
--route-table-name myRouteTable \
--name RouteToNVA \
--address-prefix 0.0.0.0/0 \
--next-hop-type VirtualAppliance \
--next-hop-ip-address 10.0.1.4
This example defines a route for all traffic (0.0.0.0/0) and directs it to an NVA at IP address 10.0.1.4. Because 0.0.0.0/0 is the least specific prefix, any longer system or user-defined route (for example, the VirtualNetwork route for the VNet's own address space) still wins for destinations it covers; everything else, including internet-bound traffic, is sent to the NVA. Do not associate a route table containing this route with the NVA's own subnet: traffic the NVA forwards would be routed straight back to it, creating a loop.
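The following is an added example, not code from the original article or from Azure. It models the route-selection rules described under Key Concepts (longest prefix match, then user-defined over BGP over system routes) and the 0.0.0.0/0-to-NVA route from the example above, and it adds the check a practitioner wants before associating such a route table with a subnet: whether the NVA's next-hop address lives inside that subnet, which would create the loop described above. The routes, address ranges, and NVA address (10.0.1.4, matching the text) are constructed for illustration; the system routes are a simplified model of what Azure installs, not a complete list.

```python
"""Model of Azure effective-route selection for a subnet (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, List

# Precedence when several routes share the same prefix length:
# user-defined routes beat BGP-learned routes, which beat system routes.
SOURCE_PRIORITY = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str                     # destination prefix, CIDR notation
    next_hop_type: str              # VirtualNetwork, Internet, VirtualAppliance,
                                    # VirtualNetworkGateway, or None (blackhole)
    next_hop_ip: Optional[str] = None
    source: str = "User"            # "User", "BGP", or "System"


def system_routes(vnet_prefixes: List[str]) -> List[Route]:
    """Simplified model of the default routes Azure installs in every subnet."""
    routes = [Route(p, "VirtualNetwork", source="System") for p in vnet_prefixes]
    routes.append(Route("0.0.0.0/0", "Internet", source="System"))
    return routes


def resolve(destination: str, routes: List[Route]) -> Optional[Route]:
    """Return the effective route for a destination address.

    Longest prefix match first; among routes with the same prefix length the
    source with the lowest SOURCE_PRIORITY value wins.  Returns None only if
    nothing covers the destination, which cannot happen while the system
    0.0.0.0/0 route is present.
    """
    dst = ip_address(destination)
    candidates = [r for r in routes if dst in ip_network(r.prefix)]
    if not candidates:
        return None
    return max(
        candidates,
        key=lambda r: (ip_network(r.prefix).prefixlen, -SOURCE_PRIORITY[r.source]),
    )


def nva_loop_risk(route_table: List[Route], subnet_prefix: str) -> bool:
    """True if associating route_table with subnet_prefix would route the NVA's
    own forwarded traffic back to itself, i.e. a VirtualAppliance route whose
    next hop address sits inside that subnet."""
    net = ip_network(subnet_prefix)
    return any(
        r.next_hop_type == "VirtualAppliance"
        and r.next_hop_ip is not None
        and ip_address(r.next_hop_ip) in net
        for r in route_table
    )


# Constructed sample: a /16 VNet, an NVA at 10.0.1.4 (as in the article's
# example), and a UDR table that force-tunnels everything through the NVA
# and blackholes one range.
VNET_PREFIXES = ["10.0.0.0/16"]
UDR_TABLE = [
    Route("0.0.0.0/0", "VirtualAppliance", next_hop_ip="10.0.1.4"),
    Route("192.168.100.0/24", "None"),
]
EFFECTIVE_ROUTES = system_routes(VNET_PREFIXES) + UDR_TABLE


if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.0.2.7", "192.168.100.9"):
        r = resolve(dst, EFFECTIVE_ROUTES)
        print(f"{dst:16} -> {r.next_hop_type:18} via {r.next_hop_ip} ({r.source} {r.prefix})")
    for subnet in ("10.0.1.0/24", "10.0.2.0/24"):
        print(f"loop risk for {subnet}: {nva_loop_risk(UDR_TABLE, subnet)}")
```

Running the script shows that 8.8.8.8 goes to the NVA (the UDR 0.0.0.0/0 beats the system 0.0.0.0/0 at equal length), 10.0.2.7 stays on the system VirtualNetwork route (/16 is longer than /0, so the UDR never applies inside the VNet), and 192.168.100.9 is dropped. Associating the table with 10.0.1.0/24, the subnet holding 10.0.1.4, is flagged as a loop risk; 10.0.2.0/24 is not.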
Associating Route Tables with Subnets
To apply your custom routes, you need to associate the route table with one or more subnets. Routes take effect only on traffic leaving the associated subnets; a route table that is not associated with any subnet changes nothing.
Using Azure CLI:
az network vnet subnet update \
--resource-group myResourceGroup \
--vnet-name myVnet \
--name mySubnet \
--route-table myRouteTable
Best Practices
- Specificity: Be as specific as possible with your destination prefixes to avoid unintended routing. A broad prefix such as 0.0.0.0/0 matches everything not covered by a longer route, including traffic you may not have intended to redirect.
- Route Propagation: Understand how routes propagate from gateways and other sources. Routes learned through a VPN or ExpressRoute gateway are propagated into associated subnets unless propagation is disabled on the route table (for example, with --disable-bgp-route-propagation on az network route-table create); if you rely on an NVA to inspect traffic to on-premises networks, a propagated route with a longer prefix can bypass it.
- Testing: Thoroughly test your routing configurations after making changes. Inspect the effective routes on a VM's network interface (az network nic show-effective-route-table) rather than only the route table, since the effective set combines system, propagated, and user-defined routes.
- Access control: Anyone who can modify a route table or subnet association can redirect a subnet's traffic around your inspection path. Limit write access to route tables to the roles that need it and alert on changes.
- Documentation: Keep your route tables well-documented, including why each route exists and which subnets it is meant to serve.