1.3 Design and Implement VNet Connectivity and Routing
📘Microsoft Azure Networking Solutions (AZ-700)
1. What are User-Defined Routes (UDRs)?
In Azure, User-Defined Routes (UDRs) allow you to manually control how network traffic flows inside a Virtual Network (VNet).
By default, Azure automatically creates system routes that decide how traffic moves between:
- Subnets
- VNets
- On-premises networks
- The internet
UDRs override or add to these default routes so you can force traffic to go through specific network devices or paths.
👉 In short:
UDRs = custom routing rules created by you
2. Why Do We Need UDRs?
UDRs are used when default Azure routing is not enough.
Common IT reasons:
- Send all internet traffic through a firewall
- Force traffic through a Network Virtual Appliance (NVA) such as:
  - Firewall
  - IDS/IPS
  - Proxy server
- Control traffic flow between subnets
- Block traffic from going directly to the internet
- Control hybrid traffic paths (Azure ↔ on-premises)
💡 Without UDRs, traffic follows Azure's default system routes, which take the most direct path and may bypass security devices.
3. What Is a Route Table?
A route table is a collection of one or more routes.
Each route defines:
- Where traffic is going
- Which next hop to use
Route Table Key Points
- A route table is a separate Azure resource
- It must be associated with a subnet
- It cannot be associated directly with a VM
- All VMs in the subnet follow the same route table
4. Where Are UDRs Applied?
UDRs are applied at the subnet level.
Important Exam Rule
- ❌ You cannot apply a UDR to:
  - Individual VM
  - Network Interface (NIC)
- ✅ You can apply a UDR to:
  - Subnet only
5. Components of a User-Defined Route
Each route has three main parts:
1️⃣ Address Prefix (Destination)
This defines where the traffic is going.
Examples:
- 0.0.0.0/0 → All IPv4 traffic
- 10.0.0.0/8 → Private network range
- 192.168.1.0/24 → Specific subnet
2️⃣ Next Hop Type
This defines where the traffic should go next.
Azure supports the following next hop types (VERY IMPORTANT FOR EXAM):
| Next Hop Type | Meaning |
|---|---|
| Virtual appliance | Send traffic to an NVA (firewall, proxy) |
| Internet | Send traffic directly to the internet |
| VNet peering | Route traffic to a peered VNet |
| Virtual network gateway | Route traffic to VPN or ExpressRoute |
| None | Drop traffic (blackhole route) |
3️⃣ Next Hop Address
- Used only when the next hop type is Virtual appliance
- This is the private IP address of the NVA
6. Common UDR Scenarios (Exam-Focused)
Scenario 1: Force Internet Traffic Through Firewall
- Destination: 0.0.0.0/0
- Next hop: Virtual appliance
- Next hop address: Firewall private IP
Result:
- All outbound internet traffic passes through the firewall
Scenario 2: Block Internet Access
- Destination: 0.0.0.0/0
- Next hop: None
Result:
- Traffic is dropped
- VM has no internet access
Scenario 3: Route Traffic to On-Premises Network
- Destination: On-premises IP range
- Next hop: Virtual network gateway
Used in:
- Site-to-Site VPN
- ExpressRoute
Scenario 4: Control Traffic Between Subnets
- Destination: Another subnet range
- Next hop: Virtual appliance
Used when:
- East-West traffic inspection is required
7. System Routes vs User-Defined Routes
Azure uses route priority rules.
Route Priority (Very Important for Exam)
- User-Defined Routes (UDRs) – Highest priority
- BGP routes
- System routes – Lowest priority
👉 If a UDR exists for a destination, Azure always uses it, even if a system route for that destination is available.
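How Azure resolves the next hop for a destination under the components, scenarios and priority rules above, as an added Python example (not from these notes or from Microsoft). It models a route table as a list of routes with the three components from section 5, builds the four scenario routes from section 6, and picks the effective route by longest prefix match first, with the UDR > BGP > System priority from section 7 as the tiebreak. The VNet range 10.0.0.0/16, the NVA address 10.0.1.4, the on-premises range 192.168.0.0/16 and the route names are constructed sample values.

```python
"""Simulate Azure's choice of the effective route for a destination IP.

Added example (not from these notes or from Microsoft): models the three
route components (section 5), the scenario routes (section 6) and the
UDR > BGP > System priority (section 7) applied after longest-prefix match.
All address ranges, the NVA IP and the route names are constructed values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Next hop types as Azure names them in a route table
VIRTUAL_APPLIANCE = "VirtualAppliance"
INTERNET = "Internet"
VNET_LOCAL = "VnetLocal"
VIRTUAL_NETWORK_GATEWAY = "VirtualNetworkGateway"
NONE = "None"  # blackhole: matching traffic is dropped

# Section 7: when two routes have the same prefix length, the lower number wins
SOURCE_PRIORITY = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    name: str
    address_prefix: str                 # component 1: destination CIDR
    next_hop_type: str                  # component 2
    next_hop_ip: Optional[str] = None   # component 3: only for VirtualAppliance
    source: str = "User"                # "User" (UDR), "BGP" or "System"

    @property
    def network(self):
        return ip_network(self.address_prefix)


def system_routes(vnet_prefix):
    """Constructed stand-in for the default routes Azure creates for a subnet
    (section 8): the VNet's own range stays local, everything else goes to
    the internet."""
    return [
        Route("vnet-local", vnet_prefix, VNET_LOCAL, source="System"),
        Route("default-internet", "0.0.0.0/0", INTERNET, source="System"),
    ]


def effective_route(routes, destination):
    """Return the route Azure would use for `destination`, or None.

    Longest prefix match is decided first (Azure, like any IP router, prefers
    the most specific route); only among routes with an equally long prefix
    does the source priority UDR > BGP > System decide.
    """
    dst = ip_address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-r.network.prefixlen, SOURCE_PRIORITY[r.source]))


# Section 6 scenarios 1, 3 and 4 as one route table for an application subnet
NVA_IP = "10.0.1.4"  # constructed: the firewall's private IP
APP_SUBNET_ROUTES = system_routes("10.0.0.0/16") + [
    Route("internet-via-firewall", "0.0.0.0/0", VIRTUAL_APPLIANCE, NVA_IP),  # scenario 1
    Route("to-on-premises", "192.168.0.0/16", VIRTUAL_NETWORK_GATEWAY),        # scenario 3
    Route("inspect-db-subnet", "10.0.2.0/24", VIRTUAL_APPLIANCE, NVA_IP),     # scenario 4
]

# Section 6 scenario 2: an isolated subnet whose internet traffic is blackholed
ISOLATED_SUBNET_ROUTES = system_routes("10.0.0.0/16") + [
    Route("drop-internet", "0.0.0.0/0", NONE),
]


def describe(routes, destination):
    """Human-readable next hop for `destination` under `routes`."""
    route = effective_route(routes, destination)
    if route is None:
        return "no route"
    hop = route.next_hop_type
    return f"{hop} ({route.next_hop_ip})" if route.next_hop_ip else hop


if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.0.3.7", "10.0.2.9", "192.168.5.1"):
        print(f"app subnet   {dst:>12} -> {describe(APP_SUBNET_ROUTES, dst)}")
    print(f"isolated     {'8.8.8.8':>12} -> {describe(ISOLATED_SUBNET_ROUTES, '8.8.8.8')}")
```

Running it shows the 0.0.0.0/0 UDR beating the system Internet route for 8.8.8.8, the 0.0.0.0/0 None route dropping the same traffic in the isolated subnet, and the /24 UDR sending database-subnet traffic through the NVA. It also shows the one case the priority list alone does not cover: traffic to 10.0.3.7 still uses the system VnetLocal route, because its /16 prefix is more specific than the firewall UDR's /0; a UDR only wins over a system route of equal prefix length.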
8. Default System Routes (Know This)
Azure automatically creates system routes such as:
- VNet local routes
- Internet routes
- Peered VNet routes
- Gateway routes
You cannot delete system routes, but you can override them using UDRs.
9. UDRs and Network Security Groups (NSGs)
UDRs and NSGs serve different purposes:
| Feature | UDR | NSG |
|---|---|---|
| Controls traffic path | ✅ | ❌ |
| Controls allow/deny | ❌ | ✅ |
| Applied to subnet | ✅ | ✅ |
| Applied to NIC | ❌ | ✅ |
📌 UDRs decide WHERE traffic goes
📌 NSGs decide IF traffic is allowed
Both work together, not as replacements.
10. UDRs with Virtual Network Gateways
Important Rules:
- You cannot use UDRs to override gateway routes on the gateway subnet
- Gateway subnet must not have a UDR
- UDRs can be used on other subnets to send traffic to the gateway
11. UDRs and Service Endpoints
- UDRs do not affect Azure service endpoints
- Traffic to Azure services still uses the Azure backbone
- UDRs mainly affect IP-based routing
12. Limitations of UDRs (Exam Notes)
- Applied only at subnet level
- No conditional routing (no port-based routing)
- No application-aware routing
- Works only with IP prefixes
- Maximum routes per route table: 400
13. Step-by-Step: How to Create a UDR (Conceptual)
- Create a Route Table
- Add one or more routes
- Choose:
  - Address prefix
  - Next hop type
  - Next hop address (if needed)
- Associate the route table with a subnet
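A pre-deployment check for the procedure above, as an added Python example (not from these notes or from Microsoft). `lint_route_table` walks a route table shaped like the ARM `Microsoft.Network/routeTables` resource (`name`, `properties.routes[].properties.addressPrefix`, `nextHopType`, `nextHopIpAddress`) together with the list of resources it is to be associated with, and reports every violation of the rules in sections 4, 5, 10, 12 and 14: subnet-only association, no UDR on the gateway subnet, next hop address present only for Virtual appliance and private, valid prefixes, and at most 400 routes. Table names, prefixes, the NVA IP 10.0.1.4 and the association targets are constructed sample values.

```python
"""Pre-deployment lint for a route table, against the rules in these notes.

Added example, not from the notes or from Microsoft.  Route tables are
passed in the ARM resource shape; associations are a list of
{"type": ..., "name": ...} entries.  Sample names and addresses are constructed.
"""
from ipaddress import ip_address, ip_network

MAX_ROUTES_PER_TABLE = 400  # section 12

# nextHopType values a user-defined route may carry.  "VNet peering" in the
# section 5 table is a system-route type Azure creates for you when a peering
# exists; it cannot be written into a UDR, so it is absent here on purpose.
NEXT_HOP_TYPES = {"VirtualAppliance", "Internet", "VnetLocal",
                  "VirtualNetworkGateway", "None"}


def lint_route(route):
    """Return the rule violations for one route entry."""
    name = route.get("name", "<unnamed>")
    props = route.get("properties", {})
    findings = []

    try:
        ip_network(props["addressPrefix"])  # also rejects host bits set, e.g. 10.0.2.5/24
    except (KeyError, ValueError):
        findings.append(f"{name}: addressPrefix must be a valid network prefix")

    hop = props.get("nextHopType")
    if hop not in NEXT_HOP_TYPES:
        findings.append(f"{name}: unknown nextHopType {hop!r}")

    hop_ip = props.get("nextHopIpAddress")
    if hop == "VirtualAppliance":
        if not hop_ip:
            findings.append(f"{name}: VirtualAppliance requires nextHopIpAddress (the NVA's private IP)")
        else:
            try:
                is_private = ip_address(hop_ip).is_private
            except ValueError:
                is_private = False
            if not is_private:
                findings.append(f"{name}: nextHopIpAddress {hop_ip} is not a private IP")
    elif hop_ip:
        findings.append(f"{name}: nextHopIpAddress is only used with VirtualAppliance")

    return findings


def lint_route_table(table, associations):
    """Lint one route table and the resources it will be associated with."""
    table_name = table.get("name", "<unnamed>")
    routes = table.get("properties", {}).get("routes", [])
    findings = []

    if len(routes) > MAX_ROUTES_PER_TABLE:
        findings.append(f"{table_name}: {len(routes)} routes exceeds the {MAX_ROUTES_PER_TABLE} limit")
    for route in routes:
        findings.extend(lint_route(route))

    for target in associations:
        kind, name = target["type"], target["name"]
        if kind != "subnet":  # section 4: not a VM, not a NIC
            findings.append(f"{table_name}: cannot attach to {kind} {name!r}; route tables attach to subnets only")
        elif name == "GatewaySubnet":  # section 10
            findings.append(f"{table_name}: must not be associated with GatewaySubnet")
    return findings


def route(name, prefix, hop, hop_ip=None):
    """Build one route entry in ARM shape."""
    props = {"addressPrefix": prefix, "nextHopType": hop}
    if hop_ip is not None:
        props["nextHopIpAddress"] = hop_ip
    return {"name": name, "properties": props}


# Constructed sample: the section 13 procedure done right
GOOD_TABLE = {
    "name": "rt-app",
    "type": "Microsoft.Network/routeTables",
    "properties": {"routes": [
        route("internet-via-firewall", "0.0.0.0/0", "VirtualAppliance", "10.0.1.4"),
        route("to-on-premises", "192.168.0.0/16", "VirtualNetworkGateway"),
        route("inspect-db-subnet", "10.0.2.0/24", "VirtualAppliance", "10.0.1.4"),
    ]},
}
GOOD_ASSOCIATIONS = [{"type": "subnet", "name": "snet-app"}]

# Constructed sample: one table that breaks each rule once
BAD_TABLE = {
    "name": "rt-bad",
    "type": "Microsoft.Network/routeTables",
    "properties": {"routes": [
        route("nva-without-ip", "0.0.0.0/0", "VirtualAppliance"),
        route("drop-with-ip", "10.0.9.0/24", "None", "10.0.1.4"),
        route("typo-in-type", "10.0.2.0/24", "Virtual appliance"),
        route("host-bits-set", "10.0.2.5/24", "VnetLocal"),
        route("public-nva", "172.16.0.0/12", "VirtualAppliance", "8.8.8.8"),
    ]},
}
BAD_ASSOCIATIONS = [{"type": "networkInterface", "name": "vm1-nic"},
                    {"type": "subnet", "name": "GatewaySubnet"}]

if __name__ == "__main__":
    for table, assoc in ((GOOD_TABLE, GOOD_ASSOCIATIONS), (BAD_TABLE, BAD_ASSOCIATIONS)):
        findings = lint_route_table(table, assoc)
        print(f"{table['name']}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The good table passes cleanly; the bad table yields seven findings, one per deliberately broken rule (five from its routes, two from its associations). Because the input is the same shape the ARM API uses, the lint can run over a template's route table resources before `az deployment` ever sees them.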
14. Key Exam Tips (Very Important)
✅ UDRs override system routes
✅ UDRs are applied at subnet level only
✅ 0.0.0.0/0 is used for default routing
✅ “None” next hop means drop traffic
✅ Virtual appliance requires private IP
✅ UDR ≠ NSG (routing vs security)
15. One-Line Summary (For Revision)
User-Defined Routes allow Azure administrators to manually control traffic flow inside a VNet by defining custom routes in a route table and associating them with subnets.
