Azure Networking

• Overview
• Virtual Networks (VNet)
  • Subnets
  • Network Security Groups (NSG)
  • User Defined Routes (UDR)
  • VNet Peering
• Load Balancer
• Application Gateway
• VPN Gateway
• Azure Firewall

User Defined Routes (UDR)

User Defined Routes (UDR) allow you to control the routing of network traffic within your Azure Virtual Network (VNet) and to or from your VNet. By default, Azure provides system routes that handle basic connectivity. UDRs override these system routes when specific routing conditions are met.

Why Use UDRs?

UDRs are essential for scenarios such as:

• Forcing Network Virtual Appliances (NVAs): Directing all traffic through a firewall, intrusion detection system (IDS), or other NVAs for inspection and control.
• Internet Traffic Control: Routing internet-bound traffic through a central point for security or monitoring.
• On-Premises Connectivity: Routing traffic to an on-premises network via a VPN gateway or ExpressRoute.
• Custom Routing Logic: Implementing specific routing policies not covered by Azure's default routes.

Key Concepts

Route Table

A route table is a collection of routes that you create. A route table is associated with a subnet. Each subnet can be associated with at most one route table. A route table can be associated with multiple subnets.

Routes

Each route in a route table consists of the following components:

• Address Prefix: The destination IP address range in CIDR notation.
• Next Hop Type: Specifies where to send the traffic. Common types include:
  • VirtualAppliance: Traffic is sent to a Network Virtual Appliance (NVA).
  • VirtualNetworkGateway: Traffic is sent to a VPN gateway or ExpressRoute gateway.
  • Internet: Traffic is sent directly to the internet.
  • None: Traffic is dropped.
  • VnetLocal: Traffic is routed to other subnets within the same VNet.
• Next Hop IP Address: The IP address of the next hop if the Next Hop Type is VirtualAppliance.

Route Table Configuration

You can create and manage route tables and their associated routes using the Azure portal, Azure PowerShell, Azure CLI, or ARM templates.

Creating a Route Table (Azure Portal Example)

1. Navigate to the Azure portal.
2. Search for and select "Route tables".
3. Click "+ Create".
4. Fill in the required details: Subscription, Resource group, Region, Name, and Propagation of gateway routes.
5. Click "Review + create" and then "Create".

Adding a Route

1. Navigate to your created route table.
2. Under "Settings", click "Routes".
3. Click "+ Add".
4. Enter a "Route name", "Address prefix", "Next hop type", and if applicable, "Next hop address".
5. Click "Add".

Associating a Route Table with a Subnet

1. Navigate to the Virtual Network containing the subnet.
2. Under "Settings", click "Subnets".
3. Click on the subnet you want to configure.
4. Under "Route table", select the route table you created.
5. Click "Save".

Route Table Propagation

When you create a route table, you can choose whether to propagate routes from:

• Virtual network gateway: Routes learned from your on-premises network via VPN or ExpressRoute.
• Virtual Network Service Endpoints: Routes associated with service endpoints.

These propagated routes are automatically added to the route table. You can also add static routes manually.

Route Hierarchy and Order of Operations

Azure follows a specific order when determining how to route traffic:

1. User Defined Routes (UDRs) in the route table associated with the subnet.
2. System Routes applied to the VNet.
3. Virtual Network Gateway Routes (if applicable and propagated).

If multiple routes match a destination IP address, the route with the most specific prefix (longest prefix match) is chosen.

Example Scenario: Forcing Internet Traffic Through an NVA Firewall

To force all internet-bound traffic from a subnet through an NVA firewall, you would:

1. Deploy an NVA firewall in your VNet.
2. Create a route table.
3. Add a route to the route table with an "Address prefix" of 0.0.0.0/0 (representing all internet traffic).
4. Set the "Next hop type" to VirtualAppliance and the "Next hop IP address" to the private IP address of your NVA firewall.
5. Associate this route table with the subnet(s) whose traffic you want to direct through the firewall.

Troubleshooting UDRs

If you encounter connectivity issues:

• Verify Route Table Associations: Ensure the correct route table is associated with the affected subnet.
• Check Route Specificity: Confirm that the most specific route is being applied as expected. Use tools like Effective Routes in the Azure portal for a VM.
• Inspect NVA Configuration: If using an NVA, verify its internal routing, firewall rules, and IP address.
• Review System Routes: Understand how system routes might interact with your UDRs.

User Defined Routes are a powerful tool for customizing network traffic flow in Azure. By understanding their configuration and behavior, you can implement robust and secure network architectures.