Diagnose and resolve routing issues

1.3 Design and Implement VNet Connectivity and Routing

📘Microsoft Azure Networking Solutions (AZ-700)


1. What Routing Means in Azure VNets

In Azure, routing decides how network traffic moves from:

  • One virtual machine (VM) to another
  • One subnet to another
  • One VNet to another
  • Azure to on-premises networks
  • Azure to the internet

Every time a packet leaves a VM, Azure checks the routing table to decide where to send it next.

If routing is incorrect, traffic may:

  • Go to the wrong destination
  • Never reach the destination
  • Be dropped silently

2. Common Symptoms of Routing Issues (Exam Focus)

In the exam, routing problems usually appear as:

  • VM cannot communicate with another VM
  • VM cannot reach on-premises network
  • VM cannot access the internet
  • Traffic bypasses a firewall or NVA
  • VPN or ExpressRoute traffic does not flow
  • Asymmetric routing (traffic goes one way but not back)

Understanding why traffic fails is more important than memorizing commands.


3. How Azure Decides Routing (Very Important)

Azure decides routing in this order (highest priority first):

1️⃣ User Defined Routes (UDRs)

2️⃣ BGP routes (from VPN or ExpressRoute)

3️⃣ System routes (default Azure routes)

Exam rule:
UDR > BGP > System route

If a UDR exists for a destination prefix, Azure will always follow it. Keep in mind that Azure first selects the route with the longest matching prefix; the priority order above only breaks ties between routes that share the same prefix.


4. System Routes (Built-in Azure Routes)

Azure automatically creates system routes for every subnet.

Common system routes:

Destination       Next Hop
Same VNet         Virtual network
Peered VNet       VNet peering
0.0.0.0/0         Internet
On-premises       VPN gateway or ExpressRoute

⚠️ System routes cannot be edited or deleted
They are overridden only by UDRs or BGP routes.


5. User Defined Routes (UDRs)

UDRs allow you to manually control traffic flow.

Common UDR next hops:

  • Virtual appliance – used for firewalls or NVAs
  • Virtual network gateway – force traffic to VPN/ER
  • Internet – force outbound internet traffic
  • None – drop traffic intentionally

Typical IT use cases:

  • Force traffic through a firewall
  • Block internet access
  • Control traffic between subnets
  • Override Azure default routing

⚠️ UDRs are applied at subnet level, not VM level.


6. Diagnosing Routing Issues (Step-by-Step)

Step 1: Identify the Source and Destination

Ask:

  • Which VM/subnet is sending traffic?
  • Where should the traffic go?

Routing is always evaluated from the source subnet.


Step 2: Check the Effective Routes (Very Important)

Azure provides Effective Routes for each network interface (NIC).

This shows:

  • System routes
  • UDRs
  • BGP routes
  • Which route is actually being used

📌 Exam Tip:
If traffic behaves unexpectedly, always check Effective Routes.


Step 3: Verify UDR Configuration

Check:

  • Is the UDR associated with the correct subnet?
  • Is the destination prefix correct?
  • Is the next hop correct?

Common mistakes:

  • UDR attached to wrong subnet
  • Wrong IP address of virtual appliance
  • Overlapping route prefixes

Step 4: Check Network Security Groups (NSGs)

Routing may be correct, but traffic still fails due to NSGs.

Verify:

  • Outbound rules on source subnet/NIC
  • Inbound rules on destination subnet/NIC

📌 Exam Tip:
Routing decides where traffic goes.
NSG decides whether traffic is allowed.
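The check in Step 4 (and what Network Watcher's IP Flow Verify reports) can be reasoned through with a small rule evaluator. The following is an added example, not Azure's own logic or code from this page: it walks custom plus default NSG rules lowest-priority-number first and returns the first match, evaluating outbound on the source NSG and inbound on the destination NSG. The VNet address space, the two NSGs and the handling of the VirtualNetwork, Internet and AzureLoadBalancer service tags are constructed simplifications for the example.

```python
"""NSG evaluation for one flow, in the spirit of Network Watcher IP Flow Verify.

Rules are processed lowest priority number first; the first match decides.
VirtualNetwork/Internet/AzureLoadBalancer service tags are simplified to the
constructed VNet prefixes below. Sample data is constructed, not from a tenant.
"""
import ipaddress

# Constructed address space covering the two (peered) VNets in the scenario.
VNET_PREFIXES = ["10.1.0.0/16", "10.2.0.0/16"]
AZURE_LB_PROBE_IP = "168.63.129.16"  # source of Azure load balancer health probes

# Azure's built-in default rules (priority 65000+); custom rules always precede them.
DEFAULT_RULES = {
    "Inbound": [
        {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow", "protocol": "*",
         "source": "VirtualNetwork", "destination": "VirtualNetwork", "port": "*"},
        {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
         "protocol": "*", "source": "AzureLoadBalancer", "destination": "*", "port": "*"},
        {"name": "DenyAllInBound", "priority": 65500, "access": "Deny", "protocol": "*",
         "source": "*", "destination": "*", "port": "*"},
    ],
    "Outbound": [
        {"name": "AllowVnetOutBound", "priority": 65000, "access": "Allow", "protocol": "*",
         "source": "VirtualNetwork", "destination": "VirtualNetwork", "port": "*"},
        {"name": "AllowInternetOutBound", "priority": 65001, "access": "Allow", "protocol": "*",
         "source": "*", "destination": "Internet", "port": "*"},
        {"name": "DenyAllOutBound", "priority": 65500, "access": "Deny", "protocol": "*",
         "source": "*", "destination": "*", "port": "*"},
    ],
}


def _in_vnet(ip):
    return any(ip in ipaddress.ip_network(p) for p in VNET_PREFIXES)


def _addr_matches(spec, ip_str):
    """Match an address field: '*', a service tag, or a CIDR/IP literal."""
    ip = ipaddress.ip_address(ip_str)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return _in_vnet(ip)
    if spec == "Internet":  # simplification: anything outside the VNets
        return not _in_vnet(ip)
    if spec == "AzureLoadBalancer":
        return ip == ipaddress.ip_address(AZURE_LB_PROBE_IP)
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    """Match a destination port field: '*', a single port, or 'low-high'."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(x) for x in spec.split("-"))
        return low <= port <= high
    return int(spec) == port


def evaluate_nsg(custom_rules, direction, src_ip, dst_ip, dst_port, protocol="Tcp"):
    """Return (access, rule name) for the first rule that matches the flow."""
    candidates = [r for r in custom_rules if r["direction"] == direction]
    candidates += DEFAULT_RULES[direction]
    for rule in sorted(candidates, key=lambda r: r["priority"]):
        if rule["protocol"] not in ("*", protocol):
            continue
        if not (_addr_matches(rule["source"], src_ip)
                and _addr_matches(rule["destination"], dst_ip)
                and _port_matches(rule["port"], dst_port)):
            continue
        return rule["access"], rule["name"]
    return "Deny", "(no matching rule)"  # unreachable: DenyAll* always matches


def check_flow(src_nsg, dst_nsg, src_ip, dst_ip, dst_port, protocol="Tcp"):
    """Step 4 of the page: outbound on the source NSG, inbound on the destination NSG."""
    return {
        "outbound": evaluate_nsg(src_nsg, "Outbound", src_ip, dst_ip, dst_port, protocol),
        "inbound": evaluate_nsg(dst_nsg, "Inbound", src_ip, dst_ip, dst_port, protocol),
    }


# Constructed NSGs: the source subnet has no custom rules; the destination subnet
# blocks RDP from anywhere and explicitly allows HTTPS from the source subnet.
SRC_NSG = []
DST_NSG = [
    {"name": "DenyRdpInBound", "direction": "Inbound", "priority": 100, "access": "Deny",
     "protocol": "Tcp", "source": "*", "destination": "*", "port": "3389"},
    {"name": "AllowHttpsFromApp", "direction": "Inbound", "priority": 200, "access": "Allow",
     "protocol": "Tcp", "source": "10.1.0.0/24", "destination": "*", "port": "443"},
]

if __name__ == "__main__":
    for port in (443, 3389, 22):
        print(port, check_flow(SRC_NSG, DST_NSG, "10.1.0.4", "10.2.0.5", port))
```

The port 22 case is the one that surprises people: with no custom rule matching, the default AllowVnetInBound rule (priority 65000) still allows traffic between VNet addresses, so "no rule for it" does not mean "blocked". Conversely, a flow from outside the VNet falls through to DenyAllInBound.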


Step 5: Check VNet Peering Settings

Routing issues often occur with VNet peering.

Verify:

  • Allow forwarded traffic
  • Allow gateway transit
  • Use remote gateways

Incorrect peering settings can block traffic even if routes exist.


Step 6: Check VPN or ExpressRoute Routes (BGP)

If using VPN or ExpressRoute:

  • Verify BGP is enabled
  • Verify prefixes are advertised
  • Check learned routes in the gateway

Common issues:

  • Missing route advertisement
  • Incorrect address space
  • Conflicting UDR overriding BGP route

7. Diagnosing Asymmetric Routing

Asymmetric routing occurs when:

  • Traffic goes through one path
  • Return traffic uses a different path

This often breaks:

  • Firewalls
  • NVAs
  • Stateful inspection devices

Common causes:

  • UDR applied on only one subnet
  • Incorrect next hop
  • Missing route on return path

📌 Exam Tip:
Both forward and return paths must pass through the same inspection device.
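To make the route-selection rules of sections 3 and 4 and the asymmetric-routing check of section 7 concrete, here is an added example (not code from this page or from Microsoft). It models an effective route table with the fields that table exposes (addressPrefix, nextHopType, nextHopIpAddress, source, state), picks the longest matching prefix and breaks ties with UDR > BGP > System, marks overridden routes Invalid the way Effective Routes displays them, and then compares the forward and return next hops of a flow. The hub-and-spoke layout, the NVA address 10.0.1.4 and every route below are constructed sample data.

```python
"""Azure route selection and an asymmetric-routing check over effective routes.

Route dicts use the fields an effective route table exposes (addressPrefix,
nextHopType, nextHopIpAddress, source, state). All routes below are constructed
for a hub-and-spoke layout with an NVA at 10.0.1.4; none come from a real tenant.
"""
import ipaddress

# Tie-break order for routes that share a prefix: UDR > BGP > System.
# The effective route table labels these sources User, VirtualNetworkGateway, Default.
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


def route(prefix, hop_type, source, hop_ip=None):
    """Build one effective-route entry (constructed, not fetched from Azure)."""
    return {"addressPrefix": prefix, "nextHopType": hop_type,
            "nextHopIpAddress": hop_ip, "source": source, "state": "Active"}


def mark_states(routes):
    """Mark a route Invalid when a higher-priority source supplies the same prefix,
    which is how an overridden system or BGP route shows up in Effective Routes."""
    best = {}
    for r in routes:
        rank = SOURCE_RANK[r["source"]]
        best[r["addressPrefix"]] = min(rank, best.get(r["addressPrefix"], rank))
    for r in routes:
        active = SOURCE_RANK[r["source"]] == best[r["addressPrefix"]]
        r["state"] = "Active" if active else "Invalid"
    return routes


def select_route(routes, dest_ip):
    """Longest prefix match first; among equal prefixes the source priority wins."""
    ip = ipaddress.ip_address(dest_ip)
    matches = [r for r in routes if ip in ipaddress.ip_network(r["addressPrefix"])]
    if not matches:
        return None  # no route at all: traffic is dropped
    return max(matches, key=lambda r: (ipaddress.ip_network(r["addressPrefix"]).prefixlen,
                                       -SOURCE_RANK[r["source"]]))


def via_appliance(r, nva_ip):
    """True when the selected route hands the packet to the given NVA."""
    return (r is not None and r["nextHopType"] == "VirtualAppliance"
            and r["nextHopIpAddress"] == nva_ip)


def check_symmetry(src_routes, dst_routes, src_ip, dst_ip, nva_ip):
    """Section 7: forward and return paths must both pass the same inspection device."""
    fwd = select_route(src_routes, dst_ip)
    ret = select_route(dst_routes, src_ip)
    return {"forward": fwd, "return": ret,
            "asymmetric": via_appliance(fwd, nva_ip) != via_appliance(ret, nva_ip)}


NVA_IP = "10.0.1.4"
# Spoke 1 (10.1.0.0/16): peered to the hub, a BGP route learned via the hub gateway,
# and three UDRs that steer spoke-to-spoke, internet and on-premises traffic to the NVA.
SPOKE1 = mark_states([
    route("10.1.0.0/16", "VnetLocal", "Default"),
    route("10.0.0.0/16", "VNetPeering", "Default"),
    route("0.0.0.0/0", "Internet", "Default"),
    route("192.168.0.0/16", "VirtualNetworkGateway", "VirtualNetworkGateway"),
    route("10.2.0.0/16", "VirtualAppliance", "User", NVA_IP),
    route("0.0.0.0/0", "VirtualAppliance", "User", NVA_IP),
    route("192.168.0.0/16", "VirtualAppliance", "User", NVA_IP),
])
# Spoke 2 (10.2.0.0/16): same peering, but the matching UDR was never attached.
SPOKE2 = mark_states([
    route("10.2.0.0/16", "VnetLocal", "Default"),
    route("10.0.0.0/16", "VNetPeering", "Default"),
    route("0.0.0.0/0", "Internet", "Default"),
])
# The fix: give spoke 2 a UDR sending spoke 1 traffic back through the same NVA.
SPOKE2_FIXED = mark_states(SPOKE2 + [route("10.1.0.0/16", "VirtualAppliance", "User", NVA_IP)])

if __name__ == "__main__":
    for r in SPOKE1:
        print(r["addressPrefix"], r["source"], r["nextHopType"], r["state"])
    print(check_symmetry(SPOKE1, SPOKE2, "10.1.0.4", "10.2.0.5", NVA_IP)["asymmetric"])
    print(check_symmetry(SPOKE1, SPOKE2_FIXED, "10.1.0.4", "10.2.0.5", NVA_IP)["asymmetric"])
```

Running it shows the two Invalid entries in spoke 1 (the system 0.0.0.0/0 route overridden by the UDR, and the BGP 192.168.0.0/16 route overridden by a conflicting UDR, the case listed under Step 6), and that the spoke 1 to spoke 2 flow is asymmetric until spoke 2 gets its own route back through the NVA. On a real NIC the same input comes from the Effective Routes blade or `az network nic show-effective-route-table`.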


8. Azure Network Watcher (Exam Tool)

Azure Network Watcher is the main troubleshooting tool.

Key features for routing issues:

✔ IP Flow Verify

Checks if NSG allows or denies traffic.

✔ Next Hop

Shows where Azure will send traffic next.

✔ Connection Troubleshoot

Tests connectivity between two endpoints.

✔ Effective Routes

Shows final routing decision.

📌 Exam Tip:
If asked which tool helps diagnose routing issues → Network Watcher


9. Diagnosing Internet Connectivity Issues

Common causes:

  • UDR with 0.0.0.0/0 pointing to wrong next hop
  • Firewall blocking outbound traffic
  • No default route to internet
  • Forced tunneling to on-premises

Forced Tunneling

All internet-bound traffic is sent to:

  • VPN gateway
  • ExpressRoute

If on-premises does not forward internet traffic → traffic fails.


10. Diagnosing Firewall / NVA Issues

When using a virtual appliance:

  • Ensure the appliance's NIC has IP forwarding enabled (the Azure NIC setting, and forwarding inside the guest OS)
  • Ensure return routes exist
  • Ensure the UDR points to the appliance's correct private IP

If firewall is misconfigured:

  • Traffic reaches firewall but never returns
  • Appears as routing failure

11. Most Common Exam Scenarios

You should be able to identify:

  • Wrong UDR next hop
  • UDR overriding system route
  • Missing gateway transit
  • NSG blocking traffic
  • Asymmetric routing
  • Forced tunneling issues
  • Incorrect peering settings

12. Key Exam Takeaways (Must Remember)

✔ Routing priority: UDR > BGP > System routes
✔ UDRs apply to subnets, not VMs
✔ Always check Effective Routes
✔ NSGs and routing are separate concepts
✔ Network Watcher is the primary troubleshooting tool
✔ Asymmetric routing breaks firewalls
✔ Peering settings affect routing behavior


13. One-Line Exam Summary

Diagnosing routing issues in Azure means understanding route priority, checking effective routes, verifying UDRs, peering, gateways, and using Network Watcher to identify where traffic is being sent or blocked.
