1.3 Design and Implement VNet Connectivity and Routing
📘Microsoft Azure Networking Solutions (AZ-700)
1. What Routing Means in Azure VNets
In Azure, routing decides how network traffic moves from:
- One virtual machine (VM) to another
- One subnet to another
- One VNet to another
- Azure to on-premises networks
- Azure to the internet
Every time a packet leaves a VM, Azure checks the routing table to decide where to send it next.
If routing is incorrect, traffic may:
- Go to the wrong destination
- Never reach the destination
- Be dropped silently
2. Common Symptoms of Routing Issues (Exam Focus)
In the exam, routing problems usually appear as:
- VM cannot communicate with another VM
- VM cannot reach on-premises network
- VM cannot access the internet
- Traffic bypasses a firewall or NVA
- VPN or ExpressRoute traffic does not flow
- Asymmetric routing (traffic goes one way but not back)
Understanding why traffic fails is more important than memorizing commands.
3. How Azure Decides Routing (Very Important)
Azure decides routing in this order (highest priority first):
1️⃣ User Defined Routes (UDRs)
2️⃣ BGP routes (from VPN or ExpressRoute)
3️⃣ System routes (default Azure routes)
Exam rule:
UDR > BGP > System route
If a UDR exists, Azure will always follow it.
4. System Routes (Built-in Azure Routes)
Azure automatically creates system routes for every subnet.
Common system routes:
| Destination | Next Hop |
|---|---|
| Same VNet | Virtual network |
| Peered VNet | VNet peering |
| 0.0.0.0/0 | Internet |
| On-premises | VPN gateway or ExpressRoute |
⚠️ System routes cannot be edited or deleted
They are overridden only by UDRs or BGP routes.
5. User Defined Routes (UDRs)
UDRs allow you to manually control traffic flow.
Common UDR next hops:
- Virtual appliance – used for firewalls or NVAs
- Virtual network gateway – force traffic to VPN/ER
- Internet – force outbound internet traffic
- None – drop traffic intentionally
Typical IT use cases:
- Force traffic through a firewall
- Block internet access
- Control traffic between subnets
- Override Azure default routing
⚠️ UDRs are applied at subnet level, not VM level.
6. Diagnosing Routing Issues (Step-by-Step)
Step 1: Identify the Source and Destination
Ask:
- Which VM/subnet is sending traffic?
- Where should the traffic go?
Routing is always evaluated from the source subnet.
Step 2: Check the Effective Routes (Very Important)
Azure provides Effective Routes for each network interface (NIC).
This shows:
- System routes
- UDRs
- BGP routes
- Which route is actually being used
📌 Exam Tip:
If traffic behaves unexpectedly, always check Effective Routes.
Step 3: Verify UDR Configuration
Check:
- Is the UDR associated with the correct subnet?
- Is the destination prefix correct?
- Is the next hop correct?
Common mistakes:
- UDR attached to wrong subnet
- Wrong IP address of virtual appliance
- Overlapping route prefixes
Step 4: Check Network Security Groups (NSGs)
Routing may be correct, but traffic still fails due to NSGs.
Verify:
- Outbound rules on source subnet/NIC
- Inbound rules on destination subnet/NIC
📌 Exam Tip:
Routing decides where traffic goes.
NSG decides whether traffic is allowed.
Step 5: Check VNet Peering Settings
Routing issues often occur with VNet peering.
Verify:
- Allow forwarded traffic
- Allow gateway transit
- Use remote gateways
Incorrect peering settings can block traffic even if routes exist.
Step 6: Check VPN or ExpressRoute Routes (BGP)
If using VPN or ExpressRoute:
- Verify BGP is enabled
- Verify prefixes are advertised
- Check learned routes in the gateway
Common issues:
- Missing route advertisement
- Incorrect address space
- Conflicting UDR overriding BGP route
7. Diagnosing Asymmetric Routing
Asymmetric routing occurs when:
- Traffic goes through one path
- Return traffic uses a different path
This often breaks:
- Firewalls
- NVAs
- Stateful inspection devices
Common causes:
- UDR applied on only one subnet
- Incorrect next hop
- Missing route on return path
📌 Exam Tip:
Both forward and return paths must pass through the same inspection device.
8. Azure Network Watcher (Exam Tool)
Azure Network Watcher is the main troubleshooting tool.
Key features for routing issues:
✔ IP Flow Verify
Checks if NSG allows or denies traffic.
✔ Next Hop
Shows where Azure will send traffic next.
✔ Connection Troubleshoot
Tests connectivity between two endpoints.
✔ Effective Routes
Shows final routing decision.
📌 Exam Tip:
If asked which tool helps diagnose routing issues → Network Watcher
9. Diagnosing Internet Connectivity Issues
Common causes:
- UDR with
0.0.0.0/0pointing to wrong next hop - Firewall blocking outbound traffic
- No default route to internet
- Forced tunneling to on-premises
Forced Tunneling
All internet-bound traffic is sent to:
- VPN gateway
- ExpressRoute
If on-premises does not forward internet traffic → traffic fails.
10. Diagnosing Firewall / NVA Issues
When using a virtual appliance:
- Ensure appliance has IP forwarding enabled
- Ensure return routes exist
- Ensure UDR points to correct IP
If firewall is misconfigured:
- Traffic reaches firewall but never returns
- Appears as routing failure
11. Most Common Exam Scenarios
You should be able to identify:
- Wrong UDR next hop
- UDR overriding system route
- Missing gateway transit
- NSG blocking traffic
- Asymmetric routing
- Forced tunneling issues
- Incorrect peering settings
12. Key Exam Takeaways (Must Remember)
✔ Routing priority: UDR > BGP > System routes
✔ UDRs apply to subnets, not VMs
✔ Always check Effective Routes
✔ NSGs and routing are separate concepts
✔ Network Watcher is the primary troubleshooting tool
✔ Asymmetric routing breaks firewalls
✔ Peering settings affect routing behavior
13. One-Line Exam Summary
Diagnosing routing issues in Azure means understanding route priority, checking effective routes, verifying UDRs, peering, gateways, and using Network Watcher to identify where traffic is being sent or blocked.
