Virtual Networks User-Defined Routes (UDR) Overview
This document provides a comprehensive overview of User-Defined Routes (UDRs) in Azure Virtual Networks. UDRs allow you to control the routing of network traffic within your virtual network and to and from your on-premises networks.
What are User-Defined Routes (UDRs)?
By default, Azure virtual networks have a system-defined route table that automatically routes traffic between subnets, to the internet, and to on-premises networks (if configured). However, for more advanced routing scenarios, you can create and associate your own route tables to subnets. These are known as User-Defined Routes (UDRs).
UDRs enable you to:
- Send network traffic through a virtual appliance, such as a firewall or network security appliance.
- Direct traffic to a network virtual appliance for network inspection or modification.
- Override Azure's default routing behavior.
How UDRs Work
When you create a UDR, you define specific rules that dictate how network packets should be forwarded. Each rule consists of:
- Address Prefix: The destination IP address range (in CIDR notation) for the traffic this route applies to.
- Next Hop Type: The type of resource to which the traffic should be forwarded. Common types include:
  - VirtualAppliance: For forwarding traffic to a virtual machine acting as a network appliance.
  - VirtualNetworkGateway: For routing traffic to a VPN Gateway or ExpressRoute gateway.
  - VNetLocal: For traffic destined for within the same virtual network.
  - Internet: For traffic destined for the internet.
  - None: For dropping traffic.
- Next Hop IP Address: The IP address of the next hop resource (required for VirtualAppliance).
A route table is a collection of UDRs. You associate a route table with one or more subnets. When a virtual machine in a subnet sends network traffic, Azure looks up the destination in the subnet's effective routes, which combine the system routes with the routes in the associated route table, and uses the most specific (longest-prefix) matching route.
Route Table Association
You can associate a route table with a subnet. All traffic originating from that subnet will be subject to the routes defined in the associated route table.
Important Considerations:
- A subnet can only have one route table associated with it.
- A route table can be associated with multiple subnets.
Route Propagation
Routes can be propagated to subnets from:
- User-Defined Routes (UDRs): Routes you explicitly define.
- Virtual Network Peering: Routes learned from peered virtual networks.
- Virtual Network Gateway: Routes learned from on-premises networks via a VPN Gateway or ExpressRoute.
Example Scenario: Forcing Traffic Through a Firewall
Imagine you have a virtual network with a web tier subnet and a database tier subnet. You want to ensure all traffic from the web tier to the database tier is inspected by a firewall deployed in a separate DMZ subnet. You would:
- Deploy a virtual machine configured as a firewall in the DMZ subnet.
- Create a UDR in a route table and associate it with the web tier subnet.
- Add a route to this table with an address prefix of the database subnet's CIDR block, a next hop type of VirtualAppliance, and the private IP address of your firewall VM as the next hop IP address.
This configuration forces all traffic from the web tier to the database tier through the firewall.
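The following is an added example, not code from Azure or from this document. It models the route selection described above (effective routes are the system routes plus the associated route table, and the most specific matching prefix wins) and then walks through the firewall scenario. The VNet, subnet and firewall addresses are constructed sample values, and the system-route table is a simplified version containing only the VNetLocal and Internet defaults mentioned in the text.

```python
"""Longest-prefix-match route resolution for an Azure-style route table.

Added example (not Microsoft's or Azure's own code). A subnet's effective
routes are the system routes plus the user-defined routes in its associated
route table. The most specific (longest) matching prefix wins; when a UDR and
a system route have the same prefix, the UDR wins, which is how a UDR
overrides Azure's default behaviour. All addresses are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Tie-break order for routes with the same prefix length (Azure: user-defined
# routes beat gateway-learned routes, which beat system defaults).
SOURCE_PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop_type: str
    next_hop_ip: Optional[str] = None
    source: str = "User"  # "User" (UDR), "VirtualNetworkGateway", or "Default"


def route(prefix: str, next_hop_type: str, next_hop_ip: Optional[str] = None,
          source: str = "User") -> Route:
    """Build a route, enforcing that VirtualAppliance routes carry a next hop IP."""
    if next_hop_type == "VirtualAppliance" and next_hop_ip is None:
        raise ValueError("VirtualAppliance routes require a next hop IP address")
    return Route(ip_network(prefix), next_hop_type, next_hop_ip, source)


def system_routes(vnet_address_space: str) -> List[Route]:
    """Simplified default routes: VNet address space stays local, all else to Internet."""
    return [
        route(vnet_address_space, "VNetLocal", source="Default"),
        route("0.0.0.0/0", "Internet", source="Default"),
    ]


def resolve(destination: str, effective_routes: List[Route]) -> Optional[Route]:
    """Pick the longest-prefix match; break ties by route source priority."""
    dst = ip_address(destination)
    candidates = [r for r in effective_routes if dst in r.prefix]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-r.prefix.prefixlen, SOURCE_PRIORITY[r.source]))


# --- Scenario: force web tier -> database tier traffic through a firewall ---
VNET = "10.0.0.0/16"          # constructed sample VNet address space
DB_SUBNET = "10.0.2.0/24"     # constructed sample database tier subnet
FIREWALL_IP = "10.0.0.4"      # constructed private IP of the firewall VM (DMZ subnet)

# Route table associated with the web tier subnet: one UDR sending the
# database prefix to the firewall appliance.
WEB_TIER_ROUTE_TABLE = [route(DB_SUBNET, "VirtualAppliance", FIREWALL_IP)]

# Same table plus a UDR that overrides the system Internet route with a drop.
LOCKED_DOWN_ROUTE_TABLE = WEB_TIER_ROUTE_TABLE + [route("0.0.0.0/0", "None")]


def next_hop_for(destination: str, route_table: List[Route]) -> Tuple[str, Optional[str]]:
    """Return (next_hop_type, next_hop_ip) for a packet leaving the web tier."""
    chosen = resolve(destination, system_routes(VNET) + route_table)
    if chosen is None:
        raise LookupError(f"no route for {destination}")
    return chosen.next_hop_type, chosen.next_hop_ip


if __name__ == "__main__":
    for dst in ("10.0.2.10", "10.0.3.10", "93.184.216.34"):
        print(dst, "->", next_hop_for(dst, WEB_TIER_ROUTE_TABLE))
    print("93.184.216.34 (locked down) ->", next_hop_for("93.184.216.34", LOCKED_DOWN_ROUTE_TABLE))
```

Two practical points the model does not capture: the firewall VM's network interface must have IP forwarding enabled, otherwise Azure drops packets whose destination is not the VM's own address; and the database subnet needs a matching route back to the web tier via the firewall, or return traffic takes the VNetLocal system route and bypasses inspection.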
Key Takeaway
UDRs provide granular control over network traffic flow within Azure, essential for implementing network security policies and complex routing topologies.
Next Steps
For detailed instructions on creating and managing UDRs, refer to the official Azure documentation on Virtual Network routing and Azure Firewall.